MARP-1548 Suspicious installation counts

marketplace-service/pom.xml

@@ -73,7 +73,11 @@
       <artifactId>jaxb-api</artifactId>
       <version>2.3.1</version>
     </dependency>
-    <dependency>
+      <dependency>
+          <groupId>org.springframework.boot</groupId>
+          <artifactId>spring-boot-starter-aop</artifactId>
+      </dependency>
+      <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-validation</artifactId>
     </dependency>

marketplace-service/src/main/java/com/axonivy/market/constants/CommonConstants.java

@@ -6,6 +6,7 @@
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public class CommonConstants {
   public static final String REQUESTED_BY = "X-Requested-By";
+  public static final String USER_AGENT = "user-agent";
   public static final String SLASH = "/";
   public static final String DOT_SEPARATOR = ".";
   public static final String PLUS = "+";

marketplace-service/src/main/java/com/axonivy/market/controller/ProductMarketplaceDataController.java

@@ -3,13 +3,12 @@
 import com.axonivy.market.constants.GitHubConstants;
 import com.axonivy.market.enums.ErrorCode;
 import com.axonivy.market.github.service.GitHubService;
+import com.axonivy.market.logging.Loggable;
 import com.axonivy.market.model.Message;
 import com.axonivy.market.model.ProductCustomSortRequest;
 import com.axonivy.market.service.ProductMarketplaceDataService;
 import com.axonivy.market.util.AuthorizationUtils;
 import io.swagger.v3.oas.annotations.Operation;
-import io.swagger.v3.oas.annotations.Parameter;
-import io.swagger.v3.oas.annotations.enums.ParameterIn;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.validation.Valid;
 import lombok.AllArgsConstructor;
@@ -36,7 +35,7 @@
 public class ProductMarketplaceDataController {
   private final GitHubService gitHubService;
   private final ProductMarketplaceDataService productMarketplaceDataService;
-  
+
   @PostMapping(CUSTOM_SORT)
   @Operation(hidden = true)
   public ResponseEntity<Message> createCustomSortProducts(
@@ -51,15 +50,14 @@ public ResponseEntity<Message> createCustomSortProducts(
     return new ResponseEntity<>(message, HttpStatus.OK);
   }
 
+  @Loggable
+  @Operation(hidden = true)
   @PutMapping(INSTALLATION_COUNT_BY_ID)
-  @Operation(summary = "Update installation count of product",
-      description = "By default, increase installation count when click download product files by users")
   public ResponseEntity<Integer> syncInstallationCount(
-      @PathVariable(ID) @Parameter(description = "Product id (from meta.json)", example = "approval-decision-utils",
-          in = ParameterIn.PATH) String productId,
-      @RequestParam(name = DESIGNER_VERSION, required = false) @Parameter(in = ParameterIn.QUERY,
-          example = "v10.0.20") String designerVersion) {
+      @PathVariable(ID) String productId,
+      @RequestParam(name = DESIGNER_VERSION, required = false) String designerVersion) {
     int result = productMarketplaceDataService.updateInstallationCountForProduct(productId, designerVersion);
     return new ResponseEntity<>(result, HttpStatus.OK);
   }
+
 }

marketplace-service/src/main/java/com/axonivy/market/logging/Loggable.java

@@ -0,0 +1,11 @@
+package com.axonivy.market.logging;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.METHOD)
+public @interface Loggable {
+}

marketplace-service/src/main/java/com/axonivy/market/logging/LoggableAspect.java

@@ -0,0 +1,94 @@
+package com.axonivy.market.logging;
+
+import com.axonivy.market.constants.CommonConstants;
+import com.axonivy.market.exceptions.model.MissingHeaderException;
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.extern.log4j.Log4j2;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Map;
+import java.util.Objects;
+
+import static com.axonivy.market.util.FileUtils.createFile;
+import static com.axonivy.market.util.FileUtils.writeToFile;
+import static com.axonivy.market.util.LoggingUtils.*;
+
+@Log4j2
+@Aspect
+@Component
+public class LoggableAspect {
+
+  @Value("${loggable.log-path:marketplace-service/logs}")
+  private String logFilePath;
+
+  private static final String REQUESTED_BY = "marketplace-website";
+
+  @Before("@annotation(com.axonivy.market.logging.Loggable)")
+  public void logMethodCall(JoinPoint joinPoint) throws MissingHeaderException {
+    MethodSignature signature = (MethodSignature) joinPoint.getSignature();
+    ServletRequestAttributes attributes =
+        (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+    if (attributes != null) {
+      HttpServletRequest request = attributes.getRequest();
+      Map<String, String> headersMap = extractHeaders(request, signature, joinPoint);
+      saveLogToDailyFile(headersMap);
+
+      // block execution if request isn't from Market or Ivy Designer
+      if (!Objects.equals(headersMap.get(CommonConstants.REQUESTED_BY), REQUESTED_BY)) {
+        throw new MissingHeaderException();
+      }
+    }
+  }
+
+  private Map<String, String> extractHeaders(HttpServletRequest request, MethodSignature signature,
+      JoinPoint joinPoint) {
+    return Map.of(
+        "method", escapeXml(String.valueOf(signature.getMethod())),
+        "timestamp", escapeXml(getCurrentTimestamp()),
+        "user-agent", escapeXml(request.getHeader(CommonConstants.USER_AGENT)),
+        "arguments", escapeXml(getArgumentsString(signature.getParameterNames(), joinPoint.getArgs())),
+        "x-requested-by", escapeXml(request.getHeader(CommonConstants.REQUESTED_BY))
+    );
+  }
+
+  // Use synchronized to prevent race condition
+  private synchronized void saveLogToDailyFile(Map<String, String> headersMap) {
+    try {
+      File logFile = createFile(generateFileName());
+
+      StringBuilder content = new StringBuilder();
+      if (logFile.exists()) {
+        content.append(new String(Files.readAllBytes(logFile.toPath())));
+      }
+      if (content.isEmpty()) {
+        content.append("<Logs>\n");
+      }
+      int lastLogIndex = content.lastIndexOf("</Logs>");
+      if (lastLogIndex != -1) {
+        content.delete(lastLogIndex, content.length());
+      }
+      content.append(buildLogEntry(headersMap));
+      content.append("</Logs>\n");
+
+      writeToFile(logFile, content.toString());
+    } catch (IOException e) {
+      log.error("Error writing log to file: {}", e.getMessage());
+    }
+  }
+
+  private String generateFileName() {
+    return Path.of(logFilePath, "log-" + getCurrentDate() + ".xml").toString();
+  }
+
+}

marketplace-service/src/main/java/com/axonivy/market/util/FileUtils.java

@@ -0,0 +1,27 @@
+package com.axonivy.market.util;
+
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+
+public class FileUtils {
+
+  public static File createFile(String fileName) throws IOException {
+    File file = new File(fileName);
+    File parentDir = file.getParentFile();
+    if (parentDir != null && !parentDir.exists() && !parentDir.mkdirs()) {
+      throw new IOException("Failed to create directory: " + parentDir.getAbsolutePath());
+    }
+    if (!file.exists() && !file.createNewFile()) {
+      throw new IOException("Failed to create file: " + file.getAbsolutePath());
+    }
+    return file;
+  }
+
+  public static void writeToFile(File file, String content) throws IOException {
+    try (FileWriter writer = new FileWriter(file, false)) {
+      writer.write(content);
+    }
+  }
+
+}

marketplace-service/src/main/java/com/axonivy/market/util/LoggingUtils.java

@@ -0,0 +1,46 @@
+package com.axonivy.market.util;
+
+import java.text.SimpleDateFormat;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
+
+public class LoggingUtils {
+
+  public static String getCurrentDate() {
+    return new SimpleDateFormat("yyyy-MM-dd").format(System.currentTimeMillis());
+  }
+
+  public static String getCurrentTimestamp() {
+    return new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(System.currentTimeMillis());
+  }
+
+  public static String escapeXml(String value) {
+    if (value == null) {
+      return "";
+    }
+    return value.replace("&", "&")
+        .replace("<", "&lt;")
+        .replace(">", "&gt;")
+        .replace("\"", "&quot;")
+        .replace("'", "&apos;");
+  }
+
+  public static String getArgumentsString(String[] paramNames, Object[] args) {
+    if (paramNames == null || paramNames.length == 0 || args == null || args.length == 0) {
+      return "No arguments";
+    }
+    return IntStream.range(0, paramNames.length)
+        .mapToObj(i -> paramNames[i] + ": " + args[i])
+        .collect(Collectors.joining(", "));
+  }
+
+  public static String buildLogEntry(Map<String, String> headersMap) {
+    StringBuilder logEntry = new StringBuilder();
+    logEntry.append("  <LogEntry>\n");
+    headersMap.forEach((key, value) -> logEntry.append(String.format("    <%s>%s</%s>\n", key, value, key)));
+    logEntry.append("  </LogEntry>\n");
+    return logEntry.toString();
+  }
+
+}

marketplace-service/src/main/resources/application.properties

@@ -16,4 +16,5 @@ market.github.oauth2-clientSecret=${MARKET_GITHUB_OAUTH_APP_CLIENT_SECRET}
 jwt.secret=${MARKET_JWT_SECRET_KEY}
 jwt.expiration=365
 logging.level.org.springframework.data.mongodb.core.MongoTemplate=${MARKET_MONGO_LOG_LEVEL}
-spring.jackson.serialization.indent_output=true
+spring.jackson.serialization.indent_output=true
+loggable.log-path=${MARKET_LOG_PATH}