Fix Critical Security Issues

pom.xml

@@ -138,10 +138,18 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-smallrye-openapi</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-smallrye-health</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-smallrye-fault-tolerance</artifactId>
+    </dependency>
     <dependency>
       <groupId>nl.basjes.parse.useragent</groupId>
       <artifactId>yauaa</artifactId>
-      <version>7.23.0</version>
+      <version>7.32.0</version>
     </dependency>
     <dependency>
       <groupId>org.jboss.logmanager</groupId>
@@ -220,6 +228,9 @@
               <version>${lombok.mapstruct.binding.version}</version>
             </path>
           </annotationProcessorPaths>
+          <compilerArgs>
+            <compilerArg>-Amapstruct.unmappedTargetPolicy=IGNORE</compilerArg>
+          </compilerArgs>
         </configuration>
       </plugin>
       <plugin>
@@ -232,6 +243,25 @@
           </systemPropertyVariables>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.jacoco</groupId>
+        <artifactId>jacoco-maven-plugin</artifactId>
+        <version>0.8.11</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>prepare-agent</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>report</id>
+            <phase>test</phase>
+            <goals>
+              <goal>report</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
     </plugins>
   </build>
   <profiles>

src/main/java/io/shelang/aghab/domain/AuditLog.java

@@ -0,0 +1,42 @@
+package io.shelang.aghab.domain;
+
+import jakarta.persistence.*;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import org.hibernate.annotations.CreationTimestamp;
+
+import java.time.Instant;
+
+@Data
+@NoArgsConstructor
+@AllArgsConstructor
+@Builder
+@Entity
+@Table(name = "audit_log")
+public class AuditLog {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(name = "user_id")
+    private Long userId;
+
+    @Column(name = "workspace_id")
+    Long workspaceId;
+
+    @Column(name = "event_type")
+    private String eventType;
+
+    @Column(name = "event_data")
+    private String eventData;
+
+    @Column(name = "ip_address")
+    private String ipAddress;
+
+    @CreationTimestamp
+    @Column(name = "create_at", nullable = false, updatable = false)
+    private Instant createAt;
+}

src/main/java/io/shelang/aghab/domain/LinkAnalytics.java

@@ -4,15 +4,14 @@
 import java.util.UUID;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
-import jakarta.persistence.GeneratedValue;
+
 import jakarta.persistence.Id;
 import jakarta.persistence.Table;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 import org.hibernate.annotations.CreationTimestamp;
-import org.hibernate.annotations.GenericGenerator;
 
 @Data
 @NoArgsConstructor
@@ -23,8 +22,7 @@
 public class LinkAnalytics {
 
   @Id
-  @GeneratedValue(generator = "UUID")
-  @GenericGenerator(name = "UUID", strategy = "org.hibernate.id.UUIDGenerator")
+  @org.hibernate.annotations.UuidGenerator
   @Column(name = "id", updatable = false, nullable = false)
   private UUID id;
 

src/main/java/io/shelang/aghab/domain/User.java

@@ -29,44 +29,42 @@
 @Table(name = "users")
 public class User {
 
-  @Id
-  @GeneratedValue(generator = "users_id_gen", strategy = GenerationType.SEQUENCE)
-  @SequenceGenerator(name = "users_id_gen", allocationSize = 1, sequenceName = "users_id_seq")
-  private Long id;
+    @Id
+    @GeneratedValue(generator = "users_id_gen", strategy = GenerationType.SEQUENCE)
+    @SequenceGenerator(name = "users_id_gen", allocationSize = 1, sequenceName = "users_id_seq")
+    private Long id;
 
-  private String username;
+    private String username;
 
-  private String password;
+    private String password;
 
-  private String token;
+    private String token;
 
-  @Column(name = "token_issue_at")
-  private Instant tokenIssueAt;
+    @Column(name = "token_issue_at")
+    private Instant tokenIssueAt;
 
-  @Column(name = "need_change_password")
-  private boolean needChangePassword;
+    @Column(name = "need_change_password")
+    private boolean needChangePassword;
 
-  @Builder.Default
-  @ManyToMany(fetch = FetchType.LAZY)
-  @JoinTable(
-      name = "script_user",
-      joinColumns = {@JoinColumn(name = "user_id")},
-      inverseJoinColumns = {@JoinColumn(name = "script_id")})
-  Set<Script> scripts = new HashSet<>();
+    @Builder.Default
+    @Column(name = "role")
+    private String role = "USER";
 
-  @Builder.Default
-  @ManyToMany(fetch = FetchType.LAZY)
-  @JoinTable(
-      name = "webhook_user",
-      joinColumns = {@JoinColumn(name = "user_id")},
-      inverseJoinColumns = {@JoinColumn(name = "webhook_id")})
-  Set<Webhook> webhooks = new HashSet<>();
+    @Builder.Default
+    @ManyToMany(fetch = FetchType.LAZY)
+    @JoinTable(name = "script_user", joinColumns = { @JoinColumn(name = "user_id") }, inverseJoinColumns = {
+            @JoinColumn(name = "script_id") })
+    Set<Script> scripts = new HashSet<>();
 
-  @Builder.Default
-  @ManyToMany(fetch = FetchType.LAZY)
-  @JoinTable(
-      name = "workspace_user",
-      joinColumns = {@JoinColumn(name = "user_id")},
-      inverseJoinColumns = {@JoinColumn(name = "workspace_id")})
-  Set<Workspace> workspaces = new HashSet<>();
+    @Builder.Default
+    @ManyToMany(fetch = FetchType.LAZY)
+    @JoinTable(name = "webhook_user", joinColumns = { @JoinColumn(name = "user_id") }, inverseJoinColumns = {
+            @JoinColumn(name = "webhook_id") })
+    Set<Webhook> webhooks = new HashSet<>();
+
+    @Builder.Default
+    @ManyToMany(fetch = FetchType.LAZY)
+    @JoinTable(name = "workspace_user", joinColumns = { @JoinColumn(name = "user_id") }, inverseJoinColumns = {
+            @JoinColumn(name = "workspace_id") })
+    Set<Workspace> workspaces = new HashSet<>();
 }

src/main/java/io/shelang/aghab/event/consumer/WebhookCallConsumer.java

@@ -1,13 +1,11 @@
 package io.shelang.aghab.event.consumer;
 
-import io.quarkus.redis.client.RedisClient;
 import io.quarkus.vertx.ConsumeEvent;
 import io.shelang.aghab.domain.WebhookLink;
 import io.shelang.aghab.event.EventType;
 import io.shelang.aghab.event.dto.WebhookCallEvent;
 import io.shelang.aghab.repository.LinksRepository;
 import io.shelang.aghab.repository.WebhookLinkRepository;
-import io.shelang.aghab.repository.WebhookRepository;
 import io.shelang.aghab.service.webhook.WebhookService;
 import java.time.Instant;
 import jakarta.enterprise.context.ApplicationScoped;
@@ -17,11 +15,10 @@
 @ApplicationScoped
 public class WebhookCallConsumer {
 
-  private static final String LOCK_EXPIRE = "100";
+  private static final long LOCK_EXPIRE = 100;
 
-  @SuppressWarnings("CdiInjectionPointsInspection")
   @Inject
-  RedisClient redisClient;
+  io.quarkus.redis.datasource.RedisDataSource redisDataSource;
   @Inject
   LinksRepository linksRepository;
   @Inject
@@ -33,13 +30,13 @@ public class WebhookCallConsumer {
   @Transactional
   public void consumer(WebhookCallEvent event) {
     String key = event.getLinkId().toString();
-    String setNXResponse = redisClient.setnx(key, String.valueOf(Instant.now())).toString();
+    boolean setNXResponse = redisDataSource.value(String.class).setnx(key, String.valueOf(Instant.now()));
 
-    if (!setNXResponse.equals("1")) {
+    if (!setNXResponse) {
       return;
     }
 
-    redisClient.expire(key, LOCK_EXPIRE);
+    redisDataSource.key().expire(key, LOCK_EXPIRE);
 
     webhookService.call(event.getWebhookId(), event.getLinkId(), event.getHash());
 

src/main/java/io/shelang/aghab/filters/APITokenAuthenticationFilter.java

@@ -3,7 +3,6 @@
 import io.shelang.aghab.repository.UserRepository;
 import io.shelang.aghab.role.Roles;
 import io.smallrye.jwt.auth.principal.DefaultJWTCallerPrincipal;
-import java.io.IOException;
 import java.time.Instant;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.container.ContainerRequestContext;
@@ -22,8 +21,7 @@ public class APITokenAuthenticationFilter implements ContainerRequestFilter {
   public void filter(ContainerRequestContext ctx) {
     final SecurityContext securityContext = ctx.getSecurityContext();
     if (securityContext != null) {
-      DefaultJWTCallerPrincipal userPrincipal =
-          (DefaultJWTCallerPrincipal) securityContext.getUserPrincipal();
+      DefaultJWTCallerPrincipal userPrincipal = (DefaultJWTCallerPrincipal) securityContext.getUserPrincipal();
       if (userPrincipal == null || !securityContext.isUserInRole(Roles.API)) {
         return;
       }
@@ -32,9 +30,8 @@ public void filter(ContainerRequestContext ctx) {
           .findByUsername(userPrincipal.getName())
           .ifPresent(
               user -> {
-                boolean before =
-                    user.getTokenIssueAt()
-                        .isBefore(Instant.ofEpochSecond(userPrincipal.getIssuedAtTime()));
+                boolean before = user.getTokenIssueAt()
+                    .isBefore(Instant.ofEpochSecond(userPrincipal.getIssuedAtTime()));
                 if (!before) {
                   ctx.abortWith(Response.status(403).build());
                 }

src/main/java/io/shelang/aghab/health/AppLivenessCheck.java

@@ -0,0 +1,17 @@
+package io.shelang.aghab.health;
+
+import org.eclipse.microprofile.health.HealthCheck;
+import org.eclipse.microprofile.health.HealthCheckResponse;
+import org.eclipse.microprofile.health.Liveness;
+
+import jakarta.enterprise.context.ApplicationScoped;
+
+@Liveness
+@ApplicationScoped
+public class AppLivenessCheck implements HealthCheck {
+
+    @Override
+    public HealthCheckResponse call() {
+        return HealthCheckResponse.up("Aghab Application is live");
+    }
+}

src/main/java/io/shelang/aghab/health/AppReadinessCheck.java

@@ -0,0 +1,57 @@
+package io.shelang.aghab.health;
+
+import org.eclipse.microprofile.health.HealthCheck;
+import org.eclipse.microprofile.health.HealthCheckResponse;
+import org.eclipse.microprofile.health.HealthCheckResponseBuilder;
+import org.eclipse.microprofile.health.Readiness;
+
+import io.quarkus.redis.client.RedisClient;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import javax.sql.DataSource;
+import java.sql.Connection;
+
+@Readiness
+@ApplicationScoped
+@SuppressWarnings("deprecation")
+public class AppReadinessCheck implements HealthCheck {
+
+    @Inject
+    DataSource dataSource;
+
+    @Inject
+    RedisClient redisClient;
+
+    @Override
+    public HealthCheckResponse call() {
+        HealthCheckResponseBuilder responseBuilder = HealthCheckResponse.named("Aghab Application Readiness");
+
+        boolean databaseUp = checkDatabase();
+        boolean redisUp = checkRedis();
+
+        responseBuilder.withData("database", databaseUp ? "UP" : "DOWN")
+                .withData("redis", redisUp ? "UP" : "DOWN");
+
+        if (databaseUp && redisUp) {
+            return responseBuilder.up().build();
+        } else {
+            return responseBuilder.down().build();
+        }
+    }
+
+    private boolean checkDatabase() {
+        try (Connection connection = dataSource.getConnection()) {
+            return connection.isValid(3);
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
+    private boolean checkRedis() {
+        try {
+            return redisClient.ping(java.util.Collections.emptyList()).toString().equalsIgnoreCase("PONG");
+        } catch (Exception e) {
+            return false;
+        }
+    }
+}

src/main/java/io/shelang/aghab/job/ExpireLinkJob.java

@@ -35,7 +35,7 @@ public void expireLinks() {
     var hasData = true;
     while (hasData) {
       List<LinkExpiration> expired =
-          linkExpirationRepository.find("expireAt < now()").page(0, 20).list();
+          linkExpirationRepository.find("expireAt < ?1", java.time.Instant.now()).page(0, 20).list();
       if (!expired.isEmpty()) {
         log.info("{} expired links fetched", expired.size());
       }

src/main/java/io/shelang/aghab/repository/AuditLogRepository.java

@@ -0,0 +1,9 @@
+package io.shelang.aghab.repository;
+
+import io.quarkus.hibernate.orm.panache.PanacheRepository;
+import io.shelang.aghab.domain.AuditLog;
+import jakarta.enterprise.context.ApplicationScoped;
+
+@ApplicationScoped
+public class AuditLogRepository implements PanacheRepository<AuditLog> {
+}