Add controllers

Author: misonijnik

build.gradle.kts

@@ -19,6 +19,9 @@ repositories {
 dependencies {
     implementation("org.springframework.boot:spring-boot-starter-web")
     implementation("org.springframework.boot:spring-boot-starter-thymeleaf")
+    implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0")
+    implementation("org.xerial:sqlite-jdbc:3.47.1.0")
+    implementation("org.dom4j:dom4j:2.1.4")
     testImplementation("org.springframework.boot:spring-boot-starter-test")
     testImplementation(platform("org.junit:junit-bom:5.10.0"))
     testImplementation("org.junit.jupiter:junit-jupiter")

src/main/java/org/seqra/controllers/config/OpenApiConfig.java

@@ -0,0 +1,25 @@
+package org.example.config;
+
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.info.Contact;
+import io.swagger.v3.oas.models.info.Info;
+import io.swagger.v3.oas.models.servers.Server;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.List;
+
+@Configuration
+public class OpenApiConfig {
+
+    @Bean
+    public OpenAPI customOpenAPI() {
+        return new OpenAPI()
+                .info(new Info()
+                        .title("Monitoring Platform API")
+                        .version("1.0.0")
+                        .description("API for system monitoring, alerts, notifications, and reporting")
+                        .contact(new Contact().name("API Support").email("support@example.com")))
+                .servers(List.of(new Server().url("http://localhost:8081").description("Development")));
+    }
+}

src/main/java/org/seqra/controllers/controller/AlertController.java

@@ -0,0 +1,138 @@
+package org.example.controller;
+
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.Parameter;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.example.service.AlertStorageService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.HashMap;
+import java.util.Map;
+
+@RestController
+@RequestMapping("/api/alerts")
+@Tag(name = "Alerts", description = "Alert definition management")
+public class AlertController {
+
+    private static final Logger log = LoggerFactory.getLogger(AlertController.class);
+    private final AlertStorageService storage;
+
+    public AlertController(AlertStorageService storage) {
+        this.storage = storage;
+    }
+
+    // VULNERABLE: Path traversal via filename
+    @GetMapping("/content")
+    @Operation(summary = "Get alert definition", description = "Read alert definition file")
+    public ResponseEntity<Map<String, Object>> getAlert(
+            @Parameter(description = "Alert filename") @RequestParam(defaultValue = "alert-cpu-high.yml") String filename) {
+
+        String filePath = storage.buildFilePath(filename);
+        File file = new File(filePath);
+
+        if (!file.exists()) {
+            return ResponseEntity.status(404).body(Map.of("error", "Alert not found", "filename", filename));
+        }
+
+        try {
+            String content = Files.readString(file.toPath(), StandardCharsets.UTF_8);
+            Map<String, Object> result = new HashMap<>();
+            result.put("filename", filename);
+            result.put("content", content);
+            result.put("path", filePath);
+            result.put("size", file.length());
+            return ResponseEntity.ok(result);
+        } catch (IOException e) {
+            return ResponseEntity.internalServerError().body(Map.of("error", "Failed to read alert"));
+        }
+    }
+
+    // VULNERABLE: Path traversal via filename
+    @PostMapping("/save")
+    @Operation(summary = "Save alert definition", description = "Create or update alert definition file")
+    public ResponseEntity<Map<String, Object>> saveAlert(
+            @Parameter(description = "Alert filename") @RequestParam(defaultValue = "alert-custom.yml") String filename,
+            @Parameter(description = "Alert content") @RequestParam(defaultValue = "name: Custom Alert\ntype: threshold") String content) {
+
+        String filePath = storage.buildFilePath(filename);
+        File file = new File(filePath);
+
+        try {
+            File parent = file.getParentFile();
+            if (parent != null && !parent.exists()) {
+                parent.mkdirs();
+            }
+            Files.writeString(file.toPath(), content, StandardCharsets.UTF_8);
+            return ResponseEntity.ok(Map.of("status", "saved", "filename", filename, "path", filePath, "size", file.length()));
+        } catch (IOException e) {
+            return ResponseEntity.internalServerError().body(Map.of("error", "Failed to save alert"));
+        }
+    }
+
+    // SECURE: Path validation
+    @GetMapping("/secureContent")
+    @Operation(summary = "Get alert definition (secure)", description = "Read alert with path validation")
+    public ResponseEntity<Map<String, Object>> getAlertSecure(
+            @Parameter(description = "Alert name") @RequestParam(defaultValue = "cpu-high") String alertName) {
+
+        if (!storage.isValidAlertName(alertName)) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Invalid alert name"));
+        }
+
+        Path alertPath = storage.buildSecurePath(alertName);
+        if (!storage.isPathWithinBase(alertPath)) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Invalid alert path"));
+        }
+
+        File file = alertPath.toFile();
+        if (!file.exists()) {
+            return ResponseEntity.status(404).body(Map.of("error", "Alert not found", "name", alertName));
+        }
+
+        try {
+            String content = Files.readString(alertPath, StandardCharsets.UTF_8);
+            return ResponseEntity.ok(Map.of("name", alertName, "content", content, "size", file.length()));
+        } catch (IOException e) {
+            return ResponseEntity.internalServerError().body(Map.of("error", "Failed to read alert"));
+        }
+    }
+
+    // SECURE: Path validation
+    @PostMapping("/secureSave")
+    @Operation(summary = "Save alert definition (secure)", description = "Save alert with path validation")
+    public ResponseEntity<Map<String, Object>> saveAlertSecure(
+            @Parameter(description = "Alert name") @RequestParam(defaultValue = "custom-alert") String alertName,
+            @Parameter(description = "Alert content") @RequestParam(defaultValue = "name: Custom Alert\ntype: threshold") String content) {
+
+        if (!storage.isValidAlertName(alertName)) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Invalid alert name"));
+        }
+
+        Path alertPath = storage.buildSecurePath(alertName);
+        if (!storage.isPathWithinBase(alertPath)) {
+            return ResponseEntity.badRequest().body(Map.of("error", "Invalid alert path"));
+        }
+
+        try {
+            Files.writeString(alertPath, content, StandardCharsets.UTF_8);
+            return ResponseEntity.ok(Map.of("status", "saved", "name", alertName, "size", Files.size(alertPath)));
+        } catch (IOException e) {
+            return ResponseEntity.internalServerError().body(Map.of("error", "Failed to save alert"));
+        }
+    }
+
+    @GetMapping("/list")
+    @Operation(summary = "List alerts", description = "Get all alert definitions")
+    public ResponseEntity<Map<String, Object>> listAlerts() {
+        var alerts = storage.listAlerts();
+        return ResponseEntity.ok(Map.of("alerts", alerts, "total", alerts.size(), "basePath", storage.getBasePath()));
+    }
+}

src/main/java/org/seqra/controllers/controller/AuditController.java

@@ -0,0 +1,153 @@
+package org.example.controller;
+
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.Parameter;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
+
+@RestController
+@RequestMapping("/api/audit")
+@Tag(name = "Audit", description = "Audit logging and history")
+public class AuditController {
+
+    @GetMapping("/logs")
+    @Operation(summary = "Get audit log detail", description = "Returns detailed audit log entry")
+    public ResponseEntity<Map<String, Object>> getLogDetail(
+            @Parameter(description = "Log ID") @RequestParam(required = false) String id,
+            @Parameter(description = "Page number") @RequestParam(defaultValue = "1") int page,
+            @Parameter(description = "Page size") @RequestParam(defaultValue = "20") int size,
+            @Parameter(description = "Filter by action") @RequestParam(required = false) String action) {
+
+        if (id != null) {
+            return ResponseEntity.ok(Map.of(
+                "id", id,
+                "timestamp", System.currentTimeMillis(),
+                "action", "update",
+                "resource", "monitor",
+                "resourceId", "mon-123",
+                "user", "admin",
+                "ip", "192.168.1.100",
+                "userAgent", "Mozilla/5.0",
+                "status", "success",
+                "details", Map.of(
+                    "before", Map.of("status", "inactive"),
+                    "after", Map.of("status", "active")
+                )
+            ));
+        }
+
+        int safePage = Math.max(page, 1);
+        int safeSize = Math.min(Math.max(size, 1), 100);
+
+        List<Map<String, Object>> logs = new ArrayList<>();
+        String[] actions = {"login", "logout", "create", "update", "delete", "view"};
+        String[] resources = {"monitor", "alert", "user", "config", "report"};
+
+        for (int i = 0; i < safeSize; i++) {
+            String logAction = actions[i % actions.length];
+            if (action == null || action.equals(logAction)) {
+                logs.add(Map.of(
+                    "id", UUID.randomUUID().toString().substring(0, 8),
+                    "timestamp", System.currentTimeMillis() - (i * 300000L),
+                    "action", logAction,
+                    "resource", resources[i % resources.length],
+                    "user", "admin",
+                    "ip", "192.168.1." + (100 + i % 50),
+                    "status", "success"
+                ));
+            }
+        }
+
+        return ResponseEntity.ok(Map.of(
+            "logs", logs,
+            "page", safePage,
+            "size", safeSize,
+            "total", 1000,
+            "totalPages", 50
+        ));
+    }
+
+
+
+    @GetMapping("/summary")
+    @Operation(summary = "Get audit summary", description = "Returns audit statistics summary")
+    public ResponseEntity<Map<String, Object>> getSummary(
+            @Parameter(description = "Time period") @RequestParam(defaultValue = "24h") String period) {
+        return ResponseEntity.ok(Map.of(
+            "period", period,
+            "totalEvents", 1523,
+            "byAction", Map.of(
+                "login", 245,
+                "logout", 230,
+                "create", 156,
+                "update", 489,
+                "delete", 45,
+                "view", 358
+            ),
+            "byStatus", Map.of(
+                "success", 1498,
+                "failure", 25
+            ),
+            "uniqueUsers", 12
+        ));
+    }
+
+    @GetMapping("/users")
+    @Operation(summary = "Get user audit history", description = "Returns audit logs for specific user")
+    public ResponseEntity<Map<String, Object>> getUserAudit(
+            @Parameter(description = "User ID") @RequestParam String userId,
+            @Parameter(description = "Limit") @RequestParam(defaultValue = "20") int limit) {
+
+        int safeLimit = Math.min(Math.max(limit, 1), 100);
+        List<Map<String, Object>> logs = new ArrayList<>();
+
+        for (int i = 0; i < safeLimit; i++) {
+            logs.add(Map.of(
+                "id", UUID.randomUUID().toString().substring(0, 8),
+                "timestamp", System.currentTimeMillis() - (i * 600000L),
+                "action", i % 2 == 0 ? "view" : "update",
+                "resource", "monitor",
+                "status", "success"
+            ));
+        }
+
+        return ResponseEntity.ok(Map.of("userId", userId, "logs", logs, "total", logs.size()));
+    }
+
+    @GetMapping("/actions")
+    @Operation(summary = "List audit actions", description = "Returns available audit action types")
+    public ResponseEntity<Map<String, Object>> listActions() {
+        return ResponseEntity.ok(Map.of(
+            "actions", List.of(
+                Map.of("id", "login", "name", "Login", "category", "auth"),
+                Map.of("id", "logout", "name", "Logout", "category", "auth"),
+                Map.of("id", "create", "name", "Create", "category", "crud"),
+                Map.of("id", "update", "name", "Update", "category", "crud"),
+                Map.of("id", "delete", "name", "Delete", "category", "crud"),
+                Map.of("id", "view", "name", "View", "category", "crud")
+            ),
+            "total", 6
+        ));
+    }
+
+    @PostMapping("/export")
+    @Operation(summary = "Export audit logs", description = "Exports audit logs in specified format")
+    public ResponseEntity<Map<String, Object>> exportLogs(
+            @Parameter(description = "Export format") @RequestParam(defaultValue = "json") String format,
+            @Parameter(description = "Start date") @RequestParam(required = false) String startDate,
+            @Parameter(description = "End date") @RequestParam(required = false) String endDate) {
+        return ResponseEntity.ok(Map.of(
+            "exportId", UUID.randomUUID().toString().substring(0, 8),
+            "format", format,
+            "status", "processing",
+            "estimatedRecords", 1523,
+            "requestedAt", System.currentTimeMillis()
+        ));
+    }
+}