Implement file storage plugin

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

src/main/java/org/dependencytrack/resources/v1/BomResource.java

@@ -531,7 +531,7 @@ private FileMetadata validateAndStoreBom(final byte[] bomBytes, final Project pr
         validate(bomBytes, project);
 
         try (final var fileStorage = PluginManager.getInstance().getExtension(FileStorage.class)) {
-            return fileStorage.store("bom-upload/%s/%s".formatted(project.getUuid(), UUID.randomUUID()), bomBytes);
+            return fileStorage.store("bom-upload/%s_%s".formatted(project.getUuid(), UUID.randomUUID()), bomBytes);
         }
     }
 

src/main/java/org/dependencytrack/storage/DefaultFileStoragePlugin.java renamed to src/main/java/org/dependencytrack/storage/FileStoragePlugin.java

@@ -28,7 +28,7 @@
 /**
  * @since 5.6.0
  */
-public final class DefaultFileStoragePlugin implements Plugin {
+public final class FileStoragePlugin implements Plugin {
 
     @Override
     public Collection<? extends ExtensionFactory<? extends ExtensionPoint>> extensionFactories() {

src/main/java/org/dependencytrack/storage/LocalFileStorage.java

@@ -32,7 +32,6 @@
 import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.HexFormat;
 
@@ -142,16 +141,9 @@ public boolean delete(final FileMetadata fileMetadata) throws IOException {
     }
 
     private Path resolveFilePath(final String filePath) {
-        Path resolvedFilePath = Paths.get(filePath).normalize();
-        if (resolvedFilePath.isAbsolute()) {
-            // Ensure that paths are relative such that they can be resolved
-            // using the configured base directory: /foo/bar -> foo/bar
-            resolvedFilePath = resolvedFilePath.subpath(0, resolvedFilePath.getNameCount());
-        }
-
-        resolvedFilePath = baseDirPath.resolve(resolvedFilePath).normalize().toAbsolutePath();
+        final Path resolvedFilePath = baseDirPath.resolve(filePath).normalize().toAbsolutePath();
         if (!resolvedFilePath.startsWith(baseDirPath)) {
-            throw new IllegalStateException("""
+            throw new IllegalArgumentException("""
                     The provided filePath %s does not resolve to a path within the \
                     configured base directory (%s)""".formatted(filePath, baseDirPath));
         }
@@ -170,12 +162,14 @@ Path resolveFilePath(final FileMetadata fileMetadata) {
             throw new IllegalArgumentException(
                     "%s: Host portion is not allowed for scheme %s".formatted(locationUri, EXTENSION_NAME));
         }
-        if (locationUri.getPath() == null) {
+        if (locationUri.getPath() == null || locationUri.getPath().equals("/")) {
             throw new IllegalArgumentException(
                     "%s: Path portion not set; Unable to determine file name".formatted(locationUri));
         }
 
-        return resolveFilePath(locationUri.getPath());
+        // The value returned by URI#getPath always has a leading slash.
+        // Remove it to prevent the path from erroneously be interpreted as absolute.
+        return resolveFilePath(locationUri.getPath().replaceFirst("^/", ""));
     }
 
 }

src/main/java/org/dependencytrack/storage/LocalFileStorageFactory.java

@@ -70,7 +70,7 @@ public Class<? extends FileStorage> extensionClass() {
 
     @Override
     public int priority() {
-        return 110;
+        return 100;
     }
 
     @Override

src/main/java/org/dependencytrack/storage/MemoryFileStorage.java

@@ -26,7 +26,6 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.nio.file.NoSuchFileException;
-import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Arrays;
 import java.util.HexFormat;
@@ -113,12 +112,7 @@ public boolean delete(final FileMetadata fileMetadata) {
     }
 
     private static String normalizeFileName(final String fileName) {
-        Path filePath = Paths.get(fileName).normalize();
-        if (filePath.isAbsolute()) {
-            filePath = filePath.subpath(0, filePath.getNameCount());
-        }
-
-        return filePath.toString();
+        return Paths.get(fileName).normalize().toString();
     }
 
     private static String resolveFileName(final FileMetadata fileMetadata) {
@@ -136,7 +130,9 @@ private static String resolveFileName(final FileMetadata fileMetadata) {
                     "%s: Path portion not set; Unable to determine file name".formatted(locationUri));
         }
 
-        return normalizeFileName(locationUri.getPath());
+        // The value returned by URI#getPath always has a leading slash.
+        // Remove it to prevent the path from erroneously be interpreted as absolute.
+        return normalizeFileName(locationUri.getPath().replaceFirst("^/", ""));
     }
 
 }

src/main/java/org/dependencytrack/storage/MemoryFileStorageFactory.java

@@ -43,7 +43,7 @@ public Class<? extends FileStorage> extensionClass() {
 
     @Override
     public int priority() {
-        return 100;
+        return 110;
     }
 
     @Override

src/main/java/org/dependencytrack/storage/S3FileStorage.java

@@ -18,6 +18,7 @@
  */
 package org.dependencytrack.storage;
 
+import com.github.luben.zstd.Zstd;
 import io.minio.GetObjectArgs;
 import io.minio.GetObjectResponse;
 import io.minio.MinioClient;
@@ -51,10 +52,18 @@ final class S3FileStorage implements FileStorage {
 
     private final MinioClient s3Client;
     private final String bucketName;
-
-    S3FileStorage(final MinioClient s3Client, final String bucketName) {
+    private final int compressionThresholdBytes;
+    private final int compressionLevel;
+
+    S3FileStorage(
+            final MinioClient s3Client,
+            final String bucketName,
+            final int compressionThresholdBytes,
+            final int compressionLevel) {
         this.s3Client = s3Client;
         this.bucketName = bucketName;
+        this.compressionThresholdBytes = compressionThresholdBytes;
+        this.compressionLevel = compressionLevel;
     }
 
     private record S3FileLocation(String bucket, String object) {
@@ -74,7 +83,9 @@ private static S3FileLocation from(final FileMetadata fileMetadata) {
                         "Path portion of URI %s not set; Unable to determine object name".formatted(locationUri));
             }
 
-            return new S3FileLocation(locationUri.getHost(), locationUri.getPath());
+            // The value returned by URI#getPath always has a leading slash.
+            // Remove it to prevent the path from erroneously be interpreted as absolute.
+            return new S3FileLocation(locationUri.getHost(), locationUri.getPath().replaceFirst("^/", ""));
         }
 
         private URI asURI() {
@@ -99,13 +110,17 @@ public FileMetadata store(final String fileName, final byte[] content) throws IO
         final var fileLocation = new S3FileLocation(bucketName, fileName);
         final URI locationUri = fileLocation.asURI();
 
-        final byte[] contentDigest = DigestUtils.sha256(content);
+        final byte[] maybeCompressedContent = content.length >= compressionThresholdBytes
+                ? Zstd.compress(content, compressionLevel)
+                : content;
+
+        final byte[] contentDigest = DigestUtils.sha256(maybeCompressedContent);
 
         try {
             s3Client.putObject(PutObjectArgs.builder()
                     .bucket(fileLocation.bucket())
                     .object(fileLocation.object())
-                    .stream(new ByteArrayInputStream(content), content.length, -1)
+                    .stream(new ByteArrayInputStream(maybeCompressedContent), maybeCompressedContent.length, -1)
                     .build());
         } catch (Exception e) {
             if (e instanceof final IOException ioe) {
@@ -132,14 +147,14 @@ public byte[] get(final FileMetadata fileMetadata) throws IOException {
             throw new IllegalArgumentException("File metadata does not contain " + METADATA_KEY_SHA256_DIGEST);
         }
 
-        final byte[] fileContent;
+        final byte[] maybeCompressedContent;
         try {
             try (final GetObjectResponse response = s3Client.getObject(
                     GetObjectArgs.builder()
                             .bucket(fileLocation.bucket())
                             .object(fileLocation.object())
                             .build())) {
-                fileContent = response.readAllBytes();
+                maybeCompressedContent = response.readAllBytes();
             }
         } catch (ErrorResponseException e) {
             // https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#ErrorCodeList
@@ -156,15 +171,20 @@ public byte[] get(final FileMetadata fileMetadata) throws IOException {
             throw new IOException(e);
         }
 
-        final byte[] actualContentDigest = DigestUtils.sha256(fileContent);
+        final byte[] actualContentDigest = DigestUtils.sha256(maybeCompressedContent);
         final byte[] expectedContentDigest = HexFormat.of().parseHex(expectedContentDigestHex);
 
         if (!Arrays.equals(actualContentDigest, expectedContentDigest)) {
             throw new IOException("SHA256 digest mismatch: actual=%s, expected=%s".formatted(
                     HexFormat.of().formatHex(actualContentDigest), expectedContentDigestHex));
         }
 
-        return fileContent;
+        final long decompressedSize = Zstd.decompressedSize(maybeCompressedContent);
+        if (Zstd.decompressedSize(maybeCompressedContent) <= 0) {
+            return maybeCompressedContent; // Not compressed.
+        }
+
+        return Zstd.decompress(maybeCompressedContent, Math.toIntExact(decompressedSize));
     }
 
     @Override

src/main/java/org/dependencytrack/storage/S3FileStorageFactory.java

@@ -18,6 +18,7 @@
  */
 package org.dependencytrack.storage;
 
+import alpine.Config;
 import io.minio.BucketExistsArgs;
 import io.minio.MinioClient;
 import org.dependencytrack.plugin.api.ConfigDefinition;
@@ -61,9 +62,21 @@ public final class S3FileStorageFactory implements ExtensionFactory<FileStorage>
             ConfigSource.DEPLOYMENT,
             /* isRequired */ false,
             /* isSecret */ false);
+    static final ConfigDefinition CONFIG_COMPRESSION_THRESHOLD_BYTES = new ConfigDefinition(
+            "compression.threshold.bytes",
+            ConfigSource.DEPLOYMENT,
+            /* isRequired */ false,
+            /* isSecret */ false);
+    static final ConfigDefinition CONFIG_COMPRESSION_LEVEL = new ConfigDefinition(
+            "compression.level",
+            ConfigSource.DEPLOYMENT,
+            /* isRequired */ false,
+            /* isSecret */ false);
 
     private MinioClient s3Client;
     private String bucketName;
+    private int compressionThresholdBytes;
+    private int compressionLevel;
 
     @Override
     public String extensionName() {
@@ -77,7 +90,7 @@ public Class<? extends FileStorage> extensionClass() {
 
     @Override
     public int priority() {
-        return 130;
+        return 120;
     }
 
     @Override
@@ -95,13 +108,24 @@ public void init(final ConfigRegistry configRegistry) {
         optionalRegion.ifPresent(clientBuilder::region);
         s3Client = clientBuilder.build();
 
+        s3Client.setAppInfo(
+                Config.getInstance().getApplicationName(),
+                Config.getInstance().getApplicationVersion());
+
+        compressionThresholdBytes = configRegistry.getOptionalValue(CONFIG_COMPRESSION_THRESHOLD_BYTES)
+                .map(Integer::parseInt)
+                .orElse(1024);
+        compressionLevel = configRegistry.getOptionalValue(CONFIG_COMPRESSION_LEVEL)
+                .map(Integer::parseInt)
+                .orElse(5);
+
         LOGGER.debug("Verifying existence of bucket {}", bucketName);
         requireBucketExists(s3Client, bucketName);
     }
 
     @Override
     public FileStorage create() {
-        return new S3FileStorage(s3Client, bucketName);
+        return new S3FileStorage(s3Client, bucketName, compressionThresholdBytes, compressionLevel);
     }
 
     @Override

src/main/resources/META-INF/services/org.dependencytrack.plugin.api.Plugin

@@ -1 +1 @@
-org.dependencytrack.storage.DefaultFileStoragePlugin
+org.dependencytrack.storage.FileStoragePlugin

src/main/resources/application.properties

@@ -1527,7 +1527,7 @@ task.workflow.maintenance.lock.min.duration=PT1M
 #
 # @category: Storage
 # @type:     boolean
-file.storage.extension.local.enabled=false
+file.storage.extension.local.enabled=true
 
 # Defines the local directory where files shall be stored.
 # Has no effect unless file.storage.extension.local.enabled is `true`.
@@ -1559,7 +1559,7 @@ file.storage.extension.local.enabled=false
 #
 # @category: Storage
 # @type:     boolean
-file.storage.extension.memory.enabled=true
+file.storage.extension.memory.enabled=false
 
 # Whether the s3 file storage extension shall be enabled.
 #
@@ -1602,4 +1602,22 @@ file.storage.extension.s3.enabled=false
 #
 # @category: Storage
 # @type:     string
-# file.storage.extension.s3.region=
+# file.storage.extension.s3.region=
+
+# Defines the size threshold for files after which they will be compressed.
+# Compression is performed using the zstd algorithm.
+# Has no effect unless file.storage.extension.s3.enabled is `true`.
+#
+# @category: Storage
+# @default:  1024
+# @type:     integer
+# file.storage.extension.s3.compression.threshold.bytes=
+
+# Defines the zstd compression level to use.
+# Has no effect unless file.storage.extension.s3.enabled is `true`.
+#
+# @category:     Storage
+# @default:      5
+# @type:         integer
+# @valid-values: [-7..22]
+# file.storage.extension.s3.compression.level=

src/test/java/org/dependencytrack/plugin/PluginManagerTest.java

@@ -23,6 +23,7 @@
 import org.dependencytrack.plugin.api.ExtensionFactory;
 import org.dependencytrack.plugin.api.ExtensionPoint;
 import org.dependencytrack.plugin.api.Plugin;
+import org.dependencytrack.storage.FileStoragePlugin;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.contrib.java.lang.system.EnvironmentVariables;
@@ -45,7 +46,9 @@ interface UnknownExtensionPoint extends ExtensionPoint {
     @Test
     public void testGetLoadedPlugins() {
         final List<Plugin> loadedPlugins = PluginManager.getInstance().getLoadedPlugins();
-        assertThat(loadedPlugins).satisfiesExactly(plugin -> assertThat(plugin).isOfAnyClassIn(DummyPlugin.class));
+        assertThat(loadedPlugins).satisfiesExactlyInAnyOrder(
+                plugin -> assertThat(plugin).isOfAnyClassIn(DummyPlugin.class),
+                plugin -> assertThat(plugin).isInstanceOf(FileStoragePlugin.class));
         assertThat(loadedPlugins).isUnmodifiable();
     }
 

src/test/java/org/dependencytrack/policy/cel/CelPolicyEngineTest.java

@@ -1971,7 +1971,8 @@ private static FileMetadata storeBomFile(final String testFileName) throws Excep
         final byte[] bomBytes = Files.readAllBytes(bomFilePath);
 
         try (final var fileStorage = PluginManager.getInstance().getExtension(FileStorage.class)) {
-            return fileStorage.store("bom", bomBytes);
+            return fileStorage.store(
+                    "test/%s-%s".formatted(CelPolicyEngineTest.class.getSimpleName(), UUID.randomUUID()), bomBytes);
         }
     }