Merge pull request #3727 from akto-api-security/feature/support_auth_types_filter_explore_mode

Feature/support auth types filter explore mode

Author: Ark2307

apps/dashboard/web/polaris_web/web/src/apps/dashboard/components/CollectionComponent.jsx

@@ -22,16 +22,32 @@ const HTTP_METHODS = [
     {'label': 'TRACK', 'value': 'TRACK'}
 ]
 
+// Auth types matching ApiInfo.AuthType enum
+const AUTH_TYPES = [
+    { label: 'Unauthenticated', value: 'UNAUTHENTICATED' },
+    { label: 'Basic', value: 'BASIC' },
+    { label: 'Authorization Header', value: 'AUTHORIZATION_HEADER' },
+    { label: 'JWT', value: 'JWT' },
+    { label: 'API Token', value: 'API_TOKEN' },
+    { label: 'Bearer', value: 'BEARER' },
+    { label: 'Custom', value: 'CUSTOM' },
+    { label: 'API Key', value: 'API_KEY' },
+    { label: 'MTLS', value: 'MTLS' },
+    { label: 'Session Token', value: 'SESSION_TOKEN' }
+]
+
 function CollectionComponent(props) {
 
     const { condition, index, dispatch, operatorComponent } = props
     const [apiEndpoints, setApiEndpoints] = useState({})
     const initialRegexText = (condition && condition?.type === 'REGEX') ? (condition?.data?.regex || '') : ''
     const initialHostRegexText = (condition && condition?.type === 'HOST_REGEX') ? (condition?.data?.host_regex || '') : ''
     const initialTagsText = (condition && condition?.type === 'TAGS') ? (condition?.data?.query || '') : ''
+    const initialAuthTypes = (condition && condition?.type === 'AUTH_TYPE') ? (condition?.data?.authTypes || []) : []
     const [regexText, setRegexText] = useState(initialRegexText)
     const [hostRegexText, setHostRegexText] = useState(initialHostRegexText)
     const [tagsText, setTagsText] = useState(initialTagsText)
+    const [selectedAuthTypes, setSelectedAuthTypes] = useState(initialAuthTypes)
     const dashboardCategory = PersistStore(state => state.dashboardCategory)
 
     useEffect(() => {
@@ -159,6 +175,8 @@ function CollectionComponent(props) {
                 return {}
             case "TAGS":
                 return {}
+            case "AUTH_TYPE":
+                return {authTypes:[]}
             default:
                 return {}
         }
@@ -186,6 +204,10 @@ function CollectionComponent(props) {
             {
                 label: 'Tags',
                 value: 'TAGS'
+            },
+            {
+                label: 'Auth Type',
+                value: 'AUTH_TYPE'
             }
         ]}
             initial={condition.type}
@@ -210,6 +232,11 @@ function CollectionComponent(props) {
         dispatch({ type: "overwrite", index: index, key: "data", obj: {"query":val } })
     }
 
+    const handleAuthTypesSelected = (authTypes) => {
+        setSelectedAuthTypes(authTypes)
+        dispatch({ type: "overwrite", index: index, key: "data", obj: {"authTypes": authTypes } })
+    }
+
     const component = (condition, index) => {
         switch (condition.type) {
             case "CUSTOM":
@@ -238,6 +265,18 @@ function CollectionComponent(props) {
                 return(
                     <TextField onChange={(val) => handleTagsText(val)} value={tagsText} />
                 )
+            case "AUTH_TYPE":
+                return(
+                    <DropdownSearch
+                        id={`auth-type-${index}`}
+                        placeholder="Select auth types"
+                        optionsList={AUTH_TYPES}
+                        setSelected={(authTypes) => handleAuthTypesSelected(authTypes)}
+                        preSelected={selectedAuthTypes}
+                        value={selectedAuthTypes.length > 0 ? `${selectedAuthTypes.length} auth type${selectedAuthTypes.length === 1 ? '' : 's'} selected` : undefined}
+                        allowMultiple
+                    />
+                )
             default:
                 break;
         }

libs/dao/src/main/java/com/akto/DaoInit.java

@@ -258,6 +258,7 @@ public static CodecRegistry createCodecRegistry(){
         ClassModel<RegexTestingEndpoints> regexTestingEndpointsClassModel = ClassModel.builder(RegexTestingEndpoints.class).enableDiscriminator(true).build();
         ClassModel<HostRegexTestingEndpoints> hostRegexTestingEndpointsClassModel = ClassModel.builder(HostRegexTestingEndpoints.class).enableDiscriminator(true).build();
         ClassModel<TagsTestingEndpoints> tagsTestingEndpointsClassModel = ClassModel.builder(TagsTestingEndpoints.class).enableDiscriminator(true).build();
+        ClassModel<AuthTypeTestingEndpoints> authTypeTestingEndpointsClassModel = ClassModel.builder(AuthTypeTestingEndpoints.class).enableDiscriminator(true).build();
         ClassModel<DependencyNode> dependencyNodeClassModel = ClassModel.builder(DependencyNode.class).enableDiscriminator(true).build();
         ClassModel<ParamInfo> paramInfoClassModel = ClassModel.builder(ParamInfo.class).enableDiscriminator(true).build();
         ClassModel<Node> nodeClassModel = ClassModel.builder(Node.class).enableDiscriminator(true).build();
@@ -336,7 +337,7 @@ public static CodecRegistry createCodecRegistry(){
                 setupClassModel,
                 cronTimersClassModel, connectionInfoClassModel, testLibraryClassModel,
                 methodConditionClassModel, regexTestingEndpointsClassModel, hostRegexTestingEndpointsClassModel,
-                tagsTestingEndpointsClassModel, allTestingEndpointsClassModel,
+                tagsTestingEndpointsClassModel, authTypeTestingEndpointsClassModel, allTestingEndpointsClassModel,
                 UsageMetricClassModel, UsageMetricInfoClassModel, UsageSyncClassModel, OrganizationClassModel,
                 yamlNodeDetails, multiExecTestResultClassModel, workflowTestClassModel, dependencyNodeClassModel,
                 paramInfoClassModel,

libs/dao/src/main/java/com/akto/dto/ApiCollectionUsers.java

@@ -28,6 +28,7 @@
 import com.akto.dao.demo.VulnerableRequestForTemplateDao;
 import com.akto.dao.testing_run_findings.TestingRunIssuesDao;
 import com.akto.dto.rbac.UsersCollectionsList;
+import com.akto.dto.testing.AuthTypeTestingEndpoints;
 import com.akto.dto.testing.CustomTestingEndpoints;
 import com.akto.dto.testing.SensitiveDataEndpoints;
 import com.akto.dto.testing.TestingEndpoints;
@@ -48,6 +49,8 @@ public class ApiCollectionUsers {
     private static final ScheduledExecutorService executorService = Executors.newSingleThreadScheduledExecutor();
     private static final Logger logger = LoggerFactory.getLogger(ApiCollectionUsers.class);
 
+    private static final int MAX_ALLOWED_API_COUNT = 10000;  
+
     public enum CollectionType {
         ApiCollectionId, Id_ApiCollectionId, Id_ApiInfoKey_ApiCollectionId
     }
@@ -76,6 +79,14 @@ public static List<BasicDBObject> getSingleTypeInfoListFromConditions(List<Testi
             return new ArrayList<>();
         }
         List<Bson> filterList = SingleTypeInfoDao.filterForHostHostHeaderRaw();
+        boolean hasAuthFilter = checkAuthTypeFilter(conditions);
+        if (hasAuthFilter) {
+            int apiInfoCount = getApisCountFromConditions(conditions, deactivatedCollections);
+            if (apiInfoCount >= MAX_ALLOWED_API_COUNT) {
+                Bson apiInfoFilter = getFilters(conditions,CollectionType.Id_ApiCollectionId);
+                return findAllAsBasicDBObject(apiInfoFilter, skip, limit, Projections.include("_id"));
+            }
+        }
         Bson singleTypeInfoFilters = getFilters(conditions, CollectionType.ApiCollectionId);
         Bson filters = Filters.and(filterList);
         singleTypeInfoFilters = Filters.and(filters, singleTypeInfoFilters);
@@ -104,6 +115,14 @@ public static int getApisCountFromConditionsWithStis(List<TestingEndpoints> cond
             return 0;
         }
 
+        boolean hasAuthFilter = checkAuthTypeFilter(conditions);
+        if (hasAuthFilter) {
+            int apiInfoCount = getApisCountFromConditions(conditions, deactivatedCollections);
+            if (apiInfoCount >= MAX_ALLOWED_API_COUNT) {
+                return apiInfoCount;
+            }
+        }
+
         List<Bson> filterList = SingleTypeInfoDao.filterForHostHostHeaderRaw();
         Bson filters = Filters.and(filterList);
         Bson stiFiltes = getFilters(conditions, CollectionType.ApiCollectionId);
@@ -305,4 +324,22 @@ public static void reset(int apiCollectionId) {
         removeFromCollectionsForCollectionId(Collections.singletonList(ep), apiCollectionId);
     }
 
+    private static boolean checkAuthTypeFilter(List<TestingEndpoints> conditions) {
+        for (TestingEndpoints condition : conditions) {
+            if (condition instanceof AuthTypeTestingEndpoints) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private static List<BasicDBObject> findAllAsBasicDBObject(Bson filter,int skip,int limit,Bson projection) {
+        List<BasicDBObject> results = new ArrayList<>();
+        MongoCursor<BasicDBObject> cursor = ApiInfoDao.instance.getMCollection().find(filter, BasicDBObject.class).projection(projection).skip(skip).limit(limit).iterator();
+        while (cursor.hasNext()) {
+            results.add(cursor.next());
+        }
+
+        return results;
+    }
 }

libs/dao/src/main/java/com/akto/dto/testing/AuthTypeTestingEndpoints.java

@@ -0,0 +1,143 @@
+package com.akto.dto.testing;
+
+import com.akto.dao.ApiInfoDao;
+import com.akto.dao.MCollection;
+import com.akto.dto.ApiCollectionUsers;
+import com.akto.dto.ApiInfo;
+import com.akto.dto.type.SingleTypeInfo;
+import com.mongodb.client.model.Filters;
+import org.bson.Document;
+import org.bson.conversions.Bson;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+public class AuthTypeTestingEndpoints extends TestingEndpoints {
+    private List<String> authTypes;
+
+    public AuthTypeTestingEndpoints(Operator operator, List<String> authTypes) {
+        super(Type.AUTH_TYPE, operator);
+        this.authTypes = authTypes;
+    }
+
+    public AuthTypeTestingEndpoints() {
+        super(Type.AUTH_TYPE, Operator.OR);
+    }
+
+    @Override
+    public List<ApiInfo.ApiInfoKey> returnApis() {
+        // Not used in filtering workflow, only for testing/policy contexts
+        return new ArrayList<>();
+    }
+
+    @Override
+    public boolean containsApi(ApiInfo.ApiInfoKey key) {
+        if (authTypes == null || authTypes.isEmpty()) {
+            return false;
+        }
+        
+        ApiInfo apiInfo = ApiInfoDao.instance.findOne(ApiInfoDao.getFilter(key));
+        if (apiInfo == null || apiInfo.getAllAuthTypesFound() == null) {
+            return false;
+        }
+        
+        // Check if any of the selected auth types exist in the API's auth types
+        Set<ApiInfo.AuthType> selectedAuthTypes = new HashSet<>();
+        for (String authTypeStr : authTypes) {
+            try {
+                selectedAuthTypes.add(ApiInfo.AuthType.valueOf(authTypeStr));
+            } catch (IllegalArgumentException e) {
+                // Skip invalid auth types
+            }
+        }
+        
+        // Check if any set in allAuthTypesFound contains any of our selected auth types
+        for (Set<ApiInfo.AuthType> authTypeSet : apiInfo.getAllAuthTypesFound()) {
+            for (ApiInfo.AuthType authType : authTypeSet) {
+                if (selectedAuthTypes.contains(authType)) {
+                    return true;
+                }
+            }
+        }
+        
+        return false;
+    }
+
+    private static Bson createApiFilters(ApiCollectionUsers.CollectionType type, ApiInfo.ApiInfoKey apiKey) {
+        String prefix = getFilterPrefix(type);
+        
+        return Filters.and(
+            Filters.eq(prefix + SingleTypeInfo._URL, apiKey.getUrl()),
+            Filters.eq(prefix + SingleTypeInfo._METHOD, apiKey.getMethod().toString()),
+            Filters.in(SingleTypeInfo._COLLECTION_IDS, apiKey.getApiCollectionId())
+        );
+    }
+
+    @Override
+    public Bson createFilters(ApiCollectionUsers.CollectionType type) {
+        if (authTypes == null || authTypes.isEmpty()) {
+            return MCollection.noMatchFilter;
+        }
+
+        // Convert string auth types to AuthType enum
+        List<ApiInfo.AuthType> authTypeEnums = new ArrayList<>();
+        for (String authTypeStr : authTypes) {
+            try {
+                authTypeEnums.add(ApiInfo.AuthType.valueOf(authTypeStr));
+            } catch (IllegalArgumentException e) {
+                // Skip invalid auth types
+            }
+        }
+
+        if (authTypeEnums.isEmpty()) {
+            return MCollection.noMatchFilter;
+        }
+
+        List<Bson> authTypeFilters = new ArrayList<>();
+        for (ApiInfo.AuthType authType : authTypeEnums) {
+            // Nested elemMatch: outer for array-of-arrays, inner for elements in sub-array
+            // Java Filters API doesn't support nested elemMatch, so use Document
+            authTypeFilters.add(
+                new Document(ApiInfo.ALL_AUTH_TYPES_FOUND,
+                    new Document("$elemMatch",
+                        new Document("$elemMatch",
+                            new Document("$eq", authType.name())
+                        )
+                    )
+                )
+            );
+        }
+        Bson authFilter = Filters.or(authTypeFilters);
+
+        // For ApiInfo-based collections, use the auth filter directly
+        if (type == ApiCollectionUsers.CollectionType.Id_ApiCollectionId) {
+            return authFilter;
+        }
+
+        // For SingleTypeInfo-based collections (ApiCollectionId), 
+        // fetch matching ApiInfos and create filters based on URL/method/collectionId
+        // This is necessary because SingleTypeInfo doesn't have allAuthTypesFound field
+        List<ApiInfo> matchedApis = ApiInfoDao.instance.findAll(authFilter);
+        
+        if (matchedApis.isEmpty()) {
+            return MCollection.noMatchFilter;
+        }
+
+        List<Bson> apiFilters = new ArrayList<>();
+        for (ApiInfo apiInfo : matchedApis) {
+            apiFilters.add(createApiFilters(type, apiInfo.getId()));
+        }
+
+        return Filters.or(apiFilters);
+    }
+
+    public List<String> getAuthTypes() {
+        return authTypes;
+    }
+
+    public void setAuthTypes(List<String> authTypes) {
+        this.authTypes = authTypes;
+    }
+}

libs/dao/src/main/java/com/akto/dto/testing/TestingEndpoints.java

@@ -39,7 +39,7 @@ public enum Operator {
 
 
     public enum Type {
-        CUSTOM, COLLECTION_WISE, WORKFLOW, LOGICAL_GROUP, METHOD, ALL, REGEX, RISK_SCORE, SENSITIVE_DATA, UNAUTHENTICATED, HOST_REGEX, TAGS
+        CUSTOM, COLLECTION_WISE, WORKFLOW, LOGICAL_GROUP, METHOD, ALL, REGEX, RISK_SCORE, SENSITIVE_DATA, UNAUTHENTICATED, HOST_REGEX, TAGS, AUTH_TYPE
     }
 
     public Type getType() {
@@ -87,6 +87,11 @@ public static TestingEndpoints generateCondition(Type type, Operator operator, B
                     String q = (data != null) ? data.getString("query") : null;
                     condition = new TagsTestingEndpoints(operator, q);
                     break;
+                case AUTH_TYPE:
+                    List<String> authTypes = (data != null && data.get("authTypes") != null) ? 
+                        (List<String>) data.get("authTypes") : new ArrayList<>();
+                    condition = new AuthTypeTestingEndpoints(operator, authTypes);
+                    break;
                 default:
                     break;
             }