Friday, May 17, 2024

MongoDb CheatSheet

CRUD Operations:

Create

db.products.insert({item:"TV",aqty:200,soldqty:1200,avail:true})

db.createCollection("Name")


Read:

db.products.find({<Condition>},{<Projection>})

Get single document - db.products.findOne()

Get all documents - db.products.find()

Get documents based on filters - db.products.find({aqty:0})

Get documents with particular fields - db.products.find({aqty:0},{item:1,soldqty:1})

Reading the data with limit(), sort(), skip() functions:

db.products.find().sort({aqty:1}).limit(5)

db.products.find().sort({aqty:1}).skip(5)


Operators: $in, $ne, $nin, $lt, $gt, $lte, $gte, $or, $and

IN -  db.products.find({aqty:{$in:[0,200]}})

Less Than & And - db.products.find({aqty:{$lt:200},soldqty:1800})

OR - db.products.find({$or:[{aqty:200},{soldqty:3000}]}) 

        db.products.find({$or:[{aqty:{$lt:200}},{soldqty:{$gt:1800}}]})
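To try the filter operators above without a running server, here is an added example (not part of the cheat sheet or of MongoDB's own code): a small in-memory evaluator for $in, $nin, $ne, $lt, $gt, $lte, $gte, $or and $and, plus projection, sort(), skip() and limit(). The PRODUCTS collection is constructed for the example, and the semantics are a simplified subset of MongoDB's (flat documents only, single-key sort).

```javascript
// Added example: in-memory evaluator for the find() filter operators in the cheat sheet.
// Constructed sample collection, shaped like the cheat sheet's "products" documents.
const PRODUCTS = [
  { item: "TV",     aqty: 200, soldqty: 1200, avail: true },
  { item: "Radio",  aqty: 0,   soldqty: 3000, avail: false },
  { item: "Phone",  aqty: 50,  soldqty: 1800, avail: true },
  { item: "Laptop", aqty: 500, soldqty: 900,  avail: true },
];

// Comparison operators: each takes the document's field value and the operator argument.
const COMPARATORS = {
  $in:  (v, arg) => arg.includes(v),
  $nin: (v, arg) => !arg.includes(v),
  $ne:  (v, arg) => v !== arg,
  $lt:  (v, arg) => v < arg,
  $gt:  (v, arg) => v > arg,
  $lte: (v, arg) => v <= arg,
  $gte: (v, arg) => v >= arg,
};

// Does one document satisfy a condition such as {aqty: {$lt: 200}, soldqty: 1800}
// or {$or: [...]}? Top-level keys are implicitly AND-ed, as in MongoDB.
function matches(doc, condition) {
  return Object.entries(condition).every(([key, spec]) => {
    if (key === "$or")  return spec.some(sub => matches(doc, sub));
    if (key === "$and") return spec.every(sub => matches(doc, sub));
    if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
      // Operator object: every operator inside it must hold for this field.
      return Object.entries(spec).every(([op, arg]) => {
        if (!(op in COMPARATORS)) throw new Error(`unsupported operator ${op}`);
        return COMPARATORS[op](doc[key], arg);
      });
    }
    return doc[key] === spec; // plain equality, e.g. {aqty: 0}
  });
}

// Inclusion projection like {item: 1, soldqty: 1}; an empty projection returns the whole document.
function project(doc, projection) {
  if (!projection || Object.keys(projection).length === 0) return { ...doc };
  const out = {};
  for (const [field, include] of Object.entries(projection)) {
    if (include && field in doc) out[field] = doc[field];
  }
  return out;
}

// find(condition, projection) with chainable sort/skip/limit, mirroring the cheat sheet.
function find(collection, condition = {}, projection = {}) {
  let rows = collection.filter(doc => matches(doc, condition));
  const cursor = {
    sort(spec) {
      const [[field, dir]] = Object.entries(spec); // single-key sort: 1 ascending, -1 descending
      rows = [...rows].sort((a, b) => (a[field] < b[field] ? -dir : a[field] > b[field] ? dir : 0));
      return cursor;
    },
    skip(n)   { rows = rows.slice(n); return cursor; },
    limit(n)  { rows = rows.slice(0, n); return cursor; },
    toArray() { return rows.map(doc => project(doc, projection)); },
  };
  return cursor;
}

// Usage: the cheat sheet's IN query with a projection, against the sample collection.
const lowStock = find(PRODUCTS, { aqty: { $in: [0, 200] } }, { item: 1, soldqty: 1 }).toArray();
console.log(lowStock); // TV and Radio, with only item and soldqty
```

The evaluator throws on an operator it does not know rather than silently treating it as a field name; that is also the behaviour you want in any code that accepts query objects from outside, so that unexpected keys are rejected instead of interpreted.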


Update:

add/update property - db.products.updateMany({},{$set:{price:100}})

remove property - db.products.updateMany({}, {$unset: {price: 0}})


Delete:

collection - db.test.drop()

single document - db.products.deleteOne({item:'TV'})

multiple documents - db.products.deleteMany({price:{$lt: 200}})

all rows - db.products.deleteMany({})


Indexes:

db.products.createIndex({price:1})


Aggregation:


https://www.mongodb.com/developer/products/mongodb/cheat-sheet/


Tuesday, May 14, 2024

Deep Dive in Asynchronous Programming in Javascript

JavaScript is a single-threaded language.

Synchronous programming is the execution of functions in order.

Asynchronous programming is running a long-running process outside the main flow of execution so that it does not block code running on the main thread. In many languages this is achieved by running the asynchronous function on a separate thread. JavaScript is single-threaded, yet it supports asynchronous behaviour; to understand how, we need to understand the JS runtime.
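The following added example (not from the original post) makes the runtime behaviour observable: it records the order in which synchronous code, a promise callback (microtask queue) and a setTimeout callback (timer/macrotask queue) actually run, and then shows two "long-running" jobs overlapping without any second thread. The sleep and fetchBoth names are constructed for the example.

```javascript
// Added example: observe the event loop ordering on the single JS thread.
function startDemo() {
  const log = [];
  const done = new Promise(resolve => {
    // The promise executor runs synchronously, so this is ordinary main-thread code.
    log.push("sync start");

    // Timer callback: queued for a later turn of the event loop, even with a 0 ms delay.
    setTimeout(() => {
      log.push("timeout callback");
      resolve(log); // last step: hand back the complete log
    }, 0);

    // Promise callback (microtask): runs once the current synchronous code has finished,
    // before any timer callback gets a turn.
    Promise.resolve().then(() => log.push("promise callback"));

    log.push("sync end");
  });
  // log is returned immediately; at this point neither callback has run yet.
  return { log, done };
}

// A "long-running" job modelled as a promise that settles later; awaiting it yields the
// main thread instead of blocking it (constructed helper for the example).
function sleep(ms, value) {
  return new Promise(resolve => setTimeout(() => resolve(value), ms));
}

// Concurrency without threads: both timers are pending at the same time, so the total
// wait is about the longer of the two, not the sum.
async function fetchBoth() {
  const started = Date.now();
  const results = await Promise.all([sleep(20, "first"), sleep(10, "second")]);
  return { results, elapsed: Date.now() - started };
}

// Usage
const { log, done } = startDemo();
console.log(log); // ["sync start", "sync end"]: the callbacks have not run yet
done.then(order => console.log(order));
fetchBoth().then(r => console.log(r));
```

The first console.log proves that a promise callback never runs in the middle of synchronous code: it waits until the call stack is empty. The final order is sync start, sync end, promise callback, timeout callback, which is why a CPU-heavy synchronous loop still freezes the page: no callback can run until it finishes.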

Thursday, September 7, 2023

What is a Makefile and how to use it

A Makefile is a special file used in Unix and Unix-like operating systems to automate the building and compilation of programs or projects. It contains a set of rules and dependencies that specify how to build a target, typically an executable program or a collection of files.


.SILENT:
all: first second last
# .DEFAULT_GOAL := last


first:
	echo "hello world"

second:
	echo "hello Gaurav"

last:
	echo "hello world Gaurav"

Refer here for more details

Friday, September 1, 2023

Setup Minikube on Windows using WSL

curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64

sudo install minikube-linux-amd64 /usr/local/bin/minikube


Start a cluster - 
minikube start


Start second cluster -
minikube start -p cluster2

List all minikube cluster running:
minikube profile list

Set second cluster as current profile-


Kubectl:
Set kubectl alias to run kubectl commands for minikube if kubectl is not installed locally:
alias kubectl="minikube kubectl --"

View kubernetes config:
kubectl config view


To access minikube from windows command prompt - 

Update the kubeconfig file on Windows to match the config of the minikube clusters running in WSL:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: \\wsl.localhost\Ubuntu\home\gaugupta\.minikube\ca.crt
    server: https://127.0.0.1:49159
  name: cluster2
- cluster:
    certificate-authority: \\wsl.localhost\Ubuntu\home\gaugupta\.minikube\ca.crt
    server: https://127.0.0.1:49154
  name: minikube
contexts:
- context:
    cluster: cluster2
    user: cluster2
  name: cluster2
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: cluster2
kind: Config
preferences: {}
users:
- name: cluster2
  user:
    client-certificate: \\wsl.localhost\Ubuntu\home\gaugupta\.minikube\profiles\cluster2\client.crt
    client-key: \\wsl.localhost\Ubuntu\home\gaugupta\.minikube\profiles\cluster2\client.key
- name: minikube
  user:
    client-certificate: \\wsl.localhost\Ubuntu\home\gaugupta\.minikube\profiles\minikube\client.crt
    client-key: \\wsl.localhost\Ubuntu\home\gaugupta\.minikube\profiles\minikube\client.key


Then
>kubectl config use-context minikube
>kubectl get pods


Tuesday, April 18, 2023

Setup Docker Engine on Windows using WSL2

Steps to set up Docker on a Windows 10/11 system without installing the Docker Desktop application, which is just a GUI for Docker.

First, you need to install WSL (Windows subsystem for Linux) if not already installed -

wsl --install

Note: this installs Ubuntu as the default Linux distribution. To list the available distributions and install a different one, use:

        wsl --list --online

        wsl --install kali-linux

Next, install docker using below commands

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Add the repository to Apt sources:
echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Last, verify docker is installed and running successfully.

        docker run hello-world

        docker run docker/getting-started

Verify all processes running on ubuntu machine.



Finally, to view and set up the getting-started code for Docker, download and install git:

    sudo apt-get install git


Ref - https://medium.com/geekculture/run-docker-in-windows-10-11-wsl-without-docker-desktop-a2a7eb90556d

Ref - https://docs.docker.com/engine/install/ubuntu/#installation-methods

Monday, April 10, 2023

Setup MongoDB on Docker

Set up MongoDB Community Server as a single node.

$ docker pull mongodb/mongodb-community-server
Verify MongoDB image is downloaded successfully: 

$ docker images



Run the Docker image:

$ docker run --name mongo -p 27017:27017 -d mongodb/mongodb-community-server:latest

Note that -p 27017:27017 publishes the port on every host interface and the container starts without access control, so for anything beyond local experimentation bind the port to localhost (-p 127.0.0.1:27017:27017) and enable authentication.


Setup MongoDB 3 node cluster on docker

The steps to create a Docker cluster are as follows.

  1. Create a Docker network.

     $ docker network create mongoCluster

  2. Start three instances of MongoDB.

     docker run -d --rm -p 27017:27017 --name mongo1 --network mongoCluster mongo mongod --replSet myReplicaSet --bind_ip localhost,mongo1

     docker run -d --rm -p 27018:27017 --name mongo2 --network mongoCluster mongo mongod --replSet myReplicaSet --bind_ip localhost,mongo2

     docker run -d --rm -p 27019:27017 --name mongo3 --network mongoCluster mongo mongod --replSet myReplicaSet --bind_ip localhost,mongo3

  3. Initiate the replica set.

     docker exec -it mongo1 mongosh --eval "rs.initiate({
      _id: \"myReplicaSet\",
      members: [
        {_id: 0, host: \"mongo1\"},
        {_id: 1, host: \"mongo2\"},
        {_id: 2, host: \"mongo3\"}
      ]
     })"

docker exec -it mongo1 mongosh --eval "rs.status()"

Detailed information on Replica set configuration can be found here.

Once you have a MongoDB cluster up and running, you will be able to experiment with it.

Ref: https://www.mongodb.com/compatibility/deploying-a-mongodb-cluster-with-docker


Using Docker Compose -

docker-compose -f config/docker-compose.yaml up -d


More details on cluster setup can be learned from Mongodb University here.

Friday, December 30, 2022

OWASP Security

API Security

  1. Broken Object Level Authorization
     1. Aka IDOR (Insecure Direct Object Reference): accessing unauthorized objects with the same token because authorization checks are missing
     2. Mitigation
        • implement authorization checks with user policies and hierarchy
        • don't rely on IDs sent from the client; use IDs from the session
        • check authorization each time a client request accesses the database
        • use random, non-guessable IDs (UUIDs)
  2. Broken Authentication
     1. Due to lack of best practices
     2. Mitigation
        • check all possible ways to authenticate to all APIs
        • password reset APIs and one-time links also allow users to get authenticated and should be protected just as seriously
        • use standard authentication, token generation, password storage, MFA
        • use short-lived access tokens
        • authenticate your apps (so you know who is talking to you)
        • an OAuth token is not authentication (hotel key analogy)
        • use stricter rate limiting for authentication; implement lockout policies and weak-password checks
  3. Excessive Data Exposure
     1. Exposing critical data to avoid regular updates (e.g. using * for DB queries)
     2. Mitigation
        • never rely on the client to filter data
        • review all responses; only return what the API consumers really need
        • define schemas for all the API responses
        • don't forget about error responses
        • identify all the sensitive or PII info and justify its use
        • enforce response checks to prevent accidental data and exception leaks
  4. Lack of Resources & Rate Limiting
     1. Denial of service to overwhelm the server
     2. Mitigation
        • rate limiting
        • payload size limits
        • rate limits specific to API methods, clients, addresses
        • checks on compression ratios
        • limits on container resources
        • check parsers for recursion vulnerabilities
  5. Missing Function Level Authorization
     1. Similar to broken object level authorization
     2. Mitigation
        • don't rely on the client app to enforce admin access
        • deny all access by default
        • only allow an operation to users that belong to the appropriate group or role
        • properly design and test authorization
  6. Mass Assignment
  7. Security Misconfiguration
  8. Injection
  9. Improper Assets Management
  10. Insufficient Logging & Monitoring

