Implement @security reply command for mailing list responses

Add MailSender to send threaded Gmail replies that target both the
original vulnerability reporter and the keycloak-security mailing list.

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>

Author: abstractj

src/main/java/org/keycloak/gh/bot/security/command/MailingListCommand.java

@@ -1,19 +1,37 @@
 package org.keycloak.gh.bot.security.command;
 
 import com.github.rvesse.airline.annotations.Command;
+import jakarta.inject.Inject;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.jboss.logging.Logger;
+import org.keycloak.gh.bot.security.common.Constants;
+import org.keycloak.gh.bot.security.email.MailSender;
 import org.kohsuke.github.GHEventPayload;
+import org.kohsuke.github.GHIssueComment;
 
 import java.io.IOException;
+import java.util.Optional;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
+/**
+ * Replies to the keycloak-security mailing list and the original sender when invoked via @security reply.
+ */
 @Command(name = "reply", description = "Reply to e-mails received from the keycloak-security mailing list and the sender")
-public class MailingListCommand extends CommandParser implements BotCommand { //Required due to a bug on Airline
+public class MailingListCommand extends CommandParser implements BotCommand {
 
     private static final Logger LOGGER = Logger.getLogger(MailingListCommand.class);
+    private static final Pattern THREAD_ID_PATTERN = Pattern.compile(
+            Pattern.quote(Constants.GMAIL_THREAD_ID_PREFIX) + "\\s*([a-f0-9]+)");
+
+    @Inject
+    MailSender mailSender;
+
+    @ConfigProperty(name = "google.group.target")
+    String targetGroup;
 
     @Override
     protected void execute(GHEventPayload.IssueComment payload) throws IOException {
-        LOGGER.infof("Replying to the keycloak security: %s", payload.getRepository().getFullName());
         ParsedMessage msg = extractMessage(payload);
         if (msg == null) return;
 
@@ -22,6 +40,31 @@ protected void execute(GHEventPayload.IssueComment payload) throws IOException {
             return;
         }
 
-        success(payload);
+        Optional<String> threadId = findGmailThreadId(payload);
+        if (threadId.isEmpty()) {
+            fail(payload, "Gmail Thread ID not found in issue comments. Cannot reply without a linked email thread.");
+            return;
+        }
+
+        LOGGER.infof("Sending reply to Gmail thread %s for issue #%d", threadId.get(), payload.getIssue().getNumber());
+
+        if (mailSender.sendReply(threadId.get(), msg.body(), targetGroup)) {
+            success(payload);
+        } else {
+            fail(payload, "Failed to send reply via Gmail API.");
+        }
+    }
+
+    private Optional<String> findGmailThreadId(GHEventPayload.IssueComment payload) throws IOException {
+        for (GHIssueComment comment : payload.getIssue().queryComments().list()) {
+            String body = comment.getBody();
+            if (body == null) continue;
+
+            Matcher matcher = THREAD_ID_PATTERN.matcher(body);
+            if (matcher.find()) {
+                return Optional.of(matcher.group(1));
+            }
+        }
+        return Optional.empty();
     }
-}
+}

src/main/java/org/keycloak/gh/bot/security/email/GmailAdapter.java

@@ -7,8 +7,11 @@
 import com.google.api.services.gmail.model.ModifyMessageRequest;
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Inject;
+import jakarta.mail.MessagingException;
+import jakarta.mail.internet.MimeMessage;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
@@ -38,6 +41,26 @@ public Message getMessage(String id) throws IOException {
         return gmail.users().messages().get("me", id).execute();
     }
 
+    public com.google.api.services.gmail.model.Thread getThread(String threadId) throws IOException {
+        return gmail.users().threads().get("me", threadId).setFormat("METADATA").execute();
+    }
+
+    public Message sendMessage(String threadId, MimeMessage email) throws IOException {
+        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+        try {
+            email.writeTo(buffer);
+        } catch (MessagingException e) {
+            throw new IOException("Failed to serialize MimeMessage", e);
+        }
+
+        String encodedEmail = Base64.getUrlEncoder().withoutPadding().encodeToString(buffer.toByteArray());
+        Message message = new Message().setRaw(encodedEmail);
+        if (threadId != null) {
+            message.setThreadId(threadId);
+        }
+        return gmail.users().messages().send("me", message).execute();
+    }
+
     public void markAsRead(String messageId) throws IOException {
         var mods = new ModifyMessageRequest().setRemoveLabelIds(List.of("UNREAD"));
         gmail.users().messages().modify("me", messageId, mods).execute();

src/main/java/org/keycloak/gh/bot/security/email/MailSender.java

@@ -0,0 +1,105 @@
+package org.keycloak.gh.bot.security.email;
+
+import com.google.api.services.gmail.model.Message;
+import jakarta.annotation.PostConstruct;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import jakarta.mail.Session;
+import jakarta.mail.internet.InternetAddress;
+import jakarta.mail.internet.MimeMessage;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.jboss.logging.Logger;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+/**
+ * Sends threaded replies via the Gmail API, preserving conversation threading headers.
+ */
+@ApplicationScoped
+public class MailSender {
+
+    private static final Logger LOG = Logger.getLogger(MailSender.class);
+
+    @ConfigProperty(name = "gmail.user.email")
+    String botEmail;
+
+    @Inject
+    GmailAdapter gmail;
+
+    private Session mailSession;
+
+    @PostConstruct
+    public void init() {
+        this.mailSession = Session.getDefaultInstance(new Properties(), null);
+    }
+
+    public boolean sendReply(String threadId, String body, String ccTarget) {
+        try {
+            com.google.api.services.gmail.model.Thread thread = gmail.getThread(threadId);
+            if (thread == null || thread.getMessages() == null || thread.getMessages().isEmpty()) return false;
+
+            Message lastMsg = thread.getMessages().get(thread.getMessages().size() - 1);
+            Map<String, String> threadingHeaders = gmail.getHeadersMap(lastMsg);
+
+            Message lastHumanMsg = findLastHumanMessage(thread.getMessages());
+            if (lastHumanMsg == null) return false;
+
+            Map<String, String> recipientHeaders = gmail.getHeadersMap(lastHumanMsg);
+            String sender = recipientHeaders.getOrDefault("Reply-To", recipientHeaders.get("From"));
+
+            MimeMessage email = createBaseMessage();
+            setupThreadingHeaders(email, threadingHeaders);
+
+            if (sender != null) email.addRecipient(jakarta.mail.Message.RecipientType.TO, new InternetAddress(sender));
+            if (ccTarget != null) email.addRecipient(jakarta.mail.Message.RecipientType.CC, new InternetAddress(ccTarget));
+
+            setSubjectFromOriginal(email, threadingHeaders);
+            email.setText(body);
+
+            gmail.sendMessage(threadId, email);
+            LOG.infof("Reply sent to thread %s (TO: %s, CC: %s)", threadId, sender, ccTarget);
+            return true;
+        } catch (Exception e) {
+            LOG.errorf(e, "Failed to send reply to thread %s", threadId);
+            return false;
+        }
+    }
+
+    private MimeMessage createBaseMessage() throws Exception {
+        MimeMessage email = new MimeMessage(mailSession);
+        email.setFrom(new InternetAddress(botEmail));
+        return email;
+    }
+
+    private void setSubjectFromOriginal(MimeMessage email, Map<String, String> headers) throws Exception {
+        String originalSubject = headers.getOrDefault("Subject", "No Subject");
+        String newSubject = originalSubject.toLowerCase().startsWith("re:")
+                ? originalSubject
+                : "Re: " + originalSubject;
+        email.setSubject(newSubject);
+    }
+
+    private void setupThreadingHeaders(MimeMessage email, Map<String, String> headers) throws Exception {
+        String parentId = headers.get("Message-ID");
+        String refs = headers.get("References");
+        if (parentId != null && !parentId.isEmpty()) {
+            email.setHeader("In-Reply-To", parentId);
+            email.setHeader("References", (refs == null || refs.isEmpty() ? "" : refs + " ") + parentId);
+        }
+    }
+
+    Message findLastHumanMessage(List<Message> history) {
+        for (int i = history.size() - 1; i >= 0; i--) {
+            Message msg = history.get(i);
+            Map<String, String> headers = gmail.getHeadersMap(msg);
+            String from = headers.get("From");
+
+            if (from != null && !from.toLowerCase().contains(botEmail.toLowerCase())) {
+                return msg;
+            }
+        }
+        return history.get(history.size() - 1);
+    }
+}

src/test/java/org/keycloak/gh/bot/security/command/MailingListCommandTest.java

@@ -0,0 +1,158 @@
+package org.keycloak.gh.bot.security.command;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.keycloak.gh.bot.security.email.MailSender;
+import org.kohsuke.github.GHEventPayload;
+import org.kohsuke.github.GHIssue;
+import org.kohsuke.github.GHIssueComment;
+import org.kohsuke.github.GHIssueCommentQueryBuilder;
+import org.kohsuke.github.GHRepository;
+import org.kohsuke.github.PagedIterable;
+import org.kohsuke.github.PagedIterator;
+import org.kohsuke.github.ReactionContent;
+
+import java.io.IOException;
+import java.lang.reflect.Field;
+import java.util.List;
+
+import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.Mockito.*;
+
+class MailingListCommandTest {
+
+    private MailSender mailSender;
+    private MailingListCommand command;
+    private GHEventPayload.IssueComment payload;
+    private GHIssueComment comment;
+    private GHIssue issue;
+
+    @BeforeEach
+    @SuppressWarnings("unchecked")
+    void setUp() throws Exception {
+        mailSender = mock(MailSender.class);
+        command = new MailingListCommand();
+
+        setField(command, "mailSender", mailSender);
+        setField(command, "targetGroup", "keycloak-security@googlegroups.com");
+
+        payload = mock(GHEventPayload.IssueComment.class);
+        comment = mock(GHIssueComment.class);
+        issue = mock(GHIssue.class);
+
+        GHRepository repository = mock(GHRepository.class);
+        when(repository.getFullName()).thenReturn("keycloak/keycloak-private");
+        when(payload.getRepository()).thenReturn(repository);
+        when(payload.getComment()).thenReturn(comment);
+        when(payload.getIssue()).thenReturn(issue);
+    }
+
+    @Test
+    void execute_sendsReplyAndReactsWithThumbsUp() throws Exception {
+        when(comment.getBody()).thenReturn("@security reply\n\nThis is my reply to the mailing list");
+        setupIssueComments("**Gmail-Thread-ID:** abc123def");
+        when(mailSender.sendReply("abc123def", "This is my reply to the mailing list", "keycloak-security@googlegroups.com"))
+                .thenReturn(true);
+
+        command.run(payload);
+
+        verify(mailSender).sendReply("abc123def", "This is my reply to the mailing list", "keycloak-security@googlegroups.com");
+        verify(comment).createReaction(ReactionContent.PLUS_ONE);
+    }
+
+    @Test
+    void execute_reactsWithThumbsDownWhenSendFails() throws Exception {
+        when(comment.getBody()).thenReturn("@security reply\n\nFailed reply");
+        setupIssueComments("**Gmail-Thread-ID:** abc123def");
+        when(mailSender.sendReply("abc123def", "Failed reply", "keycloak-security@googlegroups.com"))
+                .thenReturn(false);
+
+        command.run(payload);
+
+        verify(comment).createReaction(ReactionContent.MINUS_ONE);
+    }
+
+    @Test
+    void execute_reactsWithThumbsDownWhenNoThreadIdFound() throws Exception {
+        when(comment.getBody()).thenReturn("@security reply\n\nOrphan reply");
+        setupIssueComments("Just a regular comment with no thread ID");
+
+        command.run(payload);
+
+        verify(comment).createReaction(ReactionContent.MINUS_ONE);
+        verify(mailSender, never()).sendReply(anyString(), anyString(), anyString());
+    }
+
+    @Test
+    void execute_reactsWithThumbsDownOnInvalidCommandSignature() throws Exception {
+        when(comment.getBody()).thenReturn("@security reply extra-stuff\n\nBody text");
+
+        command.run(payload);
+
+        verify(comment).createReaction(ReactionContent.MINUS_ONE);
+        verify(mailSender, never()).sendReply(anyString(), anyString(), anyString());
+    }
+
+    @Test
+    void execute_reactsWithThumbsDownWhenNoBody() throws Exception {
+        when(comment.getBody()).thenReturn("@security reply");
+
+        command.run(payload);
+
+        verify(comment).createReaction(ReactionContent.MINUS_ONE);
+        verify(mailSender, never()).sendReply(anyString(), anyString(), anyString());
+    }
+
+    @Test
+    void execute_findsThreadIdAcrossMultipleComments() throws Exception {
+        when(comment.getBody()).thenReturn("@security reply\n\nMulti-comment reply");
+        setupIssueComments(
+                "First comment without thread ID",
+                "**Gmail-Thread-ID:** deadbeef42\nSubject: CVE report\nFrom: reporter@example.com"
+        );
+        when(mailSender.sendReply("deadbeef42", "Multi-comment reply", "keycloak-security@googlegroups.com"))
+                .thenReturn(true);
+
+        command.run(payload);
+
+        verify(mailSender).sendReply("deadbeef42", "Multi-comment reply", "keycloak-security@googlegroups.com");
+        verify(comment).createReaction(ReactionContent.PLUS_ONE);
+    }
+
+    @SuppressWarnings("unchecked")
+    private void setupIssueComments(String... commentBodies) throws IOException {
+        GHIssueCommentQueryBuilder queryBuilder = mock(GHIssueCommentQueryBuilder.class);
+        when(issue.queryComments()).thenReturn(queryBuilder);
+
+        List<GHIssueComment> comments = new java.util.ArrayList<>();
+        for (String body : commentBodies) {
+            GHIssueComment c = mock(GHIssueComment.class);
+            when(c.getBody()).thenReturn(body);
+            comments.add(c);
+        }
+
+        PagedIterable<GHIssueComment> pagedIterable = mock(PagedIterable.class);
+        when(queryBuilder.list()).thenReturn(pagedIterable);
+
+        PagedIterator<GHIssueComment> pagedIterator = mock(PagedIterator.class);
+        final int[] index = {0};
+        when(pagedIterator.hasNext()).thenAnswer(inv -> index[0] < comments.size());
+        when(pagedIterator.next()).thenAnswer(inv -> comments.get(index[0]++));
+        when(pagedIterable.iterator()).thenReturn(pagedIterator);
+    }
+
+    private static void setField(Object target, String fieldName, Object value) throws Exception {
+        Class<?> clazz = target.getClass();
+        while (clazz != null) {
+            try {
+                Field field = clazz.getDeclaredField(fieldName);
+                field.setAccessible(true);
+                field.set(target, value);
+                return;
+            } catch (NoSuchFieldException e) {
+                clazz = clazz.getSuperclass();
+            }
+        }
+        throw new NoSuchFieldException(fieldName);
+    }
+}