log4j 2 implementation for logging

Rankesh · Rankesh · commit 9baee5896d6c · 2025-12-22T05:27:57.000+05:30
diff --git a/pom.xml b/pom.xml
@@ -75,6 +75,16 @@
             <scope>test</scope>
         </dependency>
 
+    <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-api</artifactId>
+        <version>2.20.0</version> </dependency>
+    <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-core</artifactId>
+        <version>2.20.0</version>
+    </dependency>
+
     </dependencies>
 
     <dependencyManagement>
diff --git a/src/main/java/com/ayedata/simault/controller/AdminController.java b/src/main/java/com/ayedata/simault/controller/AdminController.java
@@ -5,6 +5,8 @@
 import com.ayedata.simault.repository.AppRegistryRepository;
 import com.mongodb.client.MongoClient;
 import com.mongodb.client.MongoCollection;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.bson.Document;
 import org.bson.types.Binary;
 import org.springframework.beans.factory.annotation.Value;
@@ -21,6 +23,9 @@
 @RequestMapping("/api/admin")
 public class AdminController {
 
+    // 1. Initialize Log4j 2 Logger
+    private static final Logger logger = LogManager.getLogger(AdminController.class);
+
     private final AppRegistryRepository registry;
     private final MongoClient mongoClient;
 
@@ -35,8 +40,18 @@ public AdminController(AppRegistryRepository registry, MongoClient mongoClient)
         this.mongoClient = mongoClient;
     }
 
+    /**
+     * Helper to check authorization and log failures.
+     */
     private boolean isUnauthorized(String requestKey) {
-        return requestKey == null || !requestKey.equals(adminApiKey);
+        // Log the key with "token=" prefix so the Regex Replacement picks it up and redacts it.
+        logger.debug("Validating admin access for token={}", requestKey);
+
+        if (requestKey == null || !requestKey.equals(adminApiKey)) {
+            logger.warn("Unauthorized access attempt. Invalid or missing API key.");
+            return true;
+        }
+        return false;
     }
 
     // --- KEY ENDPOINT ---
@@ -52,38 +67,51 @@ public ResponseEntity<VaultKey> findKey(
 
         // 1. Determine which key name to search for
         String searchName = (altName != null && !altName.isBlank()) ? altName : defaultKeyAltName;
-
-        // 2. Query MongoDB
-        MongoCollection<Document> keyVault = mongoClient.getDatabase("encryption").getCollection("__keyVault");
-        Document keyDoc = keyVault.find(new Document("keyAltNames", searchName)).first();
-
-        if (keyDoc == null) {
-            return ResponseEntity.notFound().build();
+        logger.info("Admin requesting key details for alias: '{}'", searchName);
+
+        try {
+            // 2. Query MongoDB
+            MongoCollection<Document> keyVault = mongoClient.getDatabase("encryption").getCollection("__keyVault");
+            Document keyDoc = keyVault.find(new Document("keyAltNames", searchName)).first();
+
+            if (keyDoc == null) {
+                logger.warn("Key not found for alias: '{}'", searchName);
+                return ResponseEntity.notFound().build();
+            }
+
+            // 3. Map BSON to Java Model (VaultKey)
+            Binary bsonBinary = keyDoc.get("_id", Binary.class);
+            ByteBuffer buffer = ByteBuffer.wrap(bsonBinary.getData());
+            UUID keyId = new UUID(buffer.getLong(), buffer.getLong());
+
+            String provider = keyDoc.get("masterKey", Document.class).getString("provider");
+
+            VaultKey response = new VaultKey(
+                searchName,
+                keyId.toString(),
+                "Active",
+                provider
+            );
+
+            logger.info("Key details retrieved successfully for alias: '{}'", searchName);
+            return ResponseEntity.ok(response);
+
+        } catch (Exception e) {
+            logger.error("Database error while retrieving key for alias: '{}'", searchName, e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
         }
-
-        // 3. Map BSON to Java Model (VaultKey)
-        Binary bsonBinary = keyDoc.get("_id", Binary.class);
-        ByteBuffer buffer = ByteBuffer.wrap(bsonBinary.getData());
-        UUID keyId = new UUID(buffer.getLong(), buffer.getLong());
-
-        String provider = keyDoc.get("masterKey", Document.class).getString("provider");
-
-        VaultKey response = new VaultKey(
-            searchName,
-            keyId.toString(),
-            "Active",
-            provider
-        );
-
-        return ResponseEntity.ok(response);
     }
 
     // --- APP ENDPOINTS ---
 
     @GetMapping("/apps")
     public ResponseEntity<List<AllowedApp>> listApps(@RequestHeader(value = "X-ADMIN-KEY", required = false) String apiKey) {
         if (isUnauthorized(apiKey)) return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+        
+        logger.info("Fetching list of all allowed apps.");
         List<AllowedApp> apps = registry.findAll();
+        logger.debug("Found {} registered apps.", apps.size());
+        
         return ResponseEntity.ok(apps);
     }
 
@@ -95,10 +123,24 @@ public ResponseEntity<String> registerApp(
         if (isUnauthorized(apiKey)) return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("⛔ Unauthorized");
         
         String appId = payload.get("appId");
-        if (appId == null || appId.isBlank()) return ResponseEntity.badRequest().body("appId is required");
+        
+        // Log the payload safely. If payload contained "key":"..." or "token=...", 
+        // Log4j would automatically redact those specific fields.
+        logger.info("Attempting to register app. Payload: {}", payload);
+
+        if (appId == null || appId.isBlank()) {
+            logger.warn("Registration failed: Missing appId in payload.");
+            return ResponseEntity.badRequest().body("appId is required");
+        }
 
-        registry.registerApp(appId, payload.get("description"));
-        return ResponseEntity.ok("✅ App registered: " + appId);
+        try {
+            registry.registerApp(appId, payload.get("description"));
+            logger.info("✅ App registered successfully: {}", appId);
+            return ResponseEntity.ok("✅ App registered: " + appId);
+        } catch (Exception e) {
+            logger.error("Failed to register app: {}", appId, e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("Registration failed");
+        }
     }
 
     @DeleteMapping("/apps/{appId}")
@@ -107,7 +149,16 @@ public ResponseEntity<String> removeApp(
             @PathVariable String appId) {
         
         if (isUnauthorized(apiKey)) return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("⛔ Unauthorized");
-        registry.removeApp(appId);
-        return ResponseEntity.ok("🚫 Access revoked for: " + appId);
+
+        logger.info("Attempting to revoke access for app: {}", appId);
+
+        try {
+            registry.removeApp(appId);
+            logger.info("🚫 Access revoked successfully for: {}", appId);
+            return ResponseEntity.ok("🚫 Access revoked for: " + appId);
+        } catch (Exception e) {
+            logger.error("Failed to revoke app: {}", appId, e);
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body("Revocation failed");
+        }
     }
 }
diff --git a/src/main/java/com/ayedata/simault/controller/SecretController.java b/src/main/java/com/ayedata/simault/controller/SecretController.java
@@ -2,13 +2,18 @@
 
 import com.ayedata.simault.model.AppSecret;
 import com.ayedata.simault.service.SecretVaultService;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 
 @RestController
 @RequestMapping("/api/secrets")
 public class SecretController {
 
+    // 1. Initialize Log4j 2 Logger
+    private static final Logger logger = LogManager.getLogger(SecretController.class);
+
     private final SecretVaultService vaultService;
 
     // Notice: We DO NOT inject AppRegistryRepository here. 
@@ -24,9 +29,22 @@ public SecretController(SecretVaultService vaultService) {
      */
     @GetMapping("/{appId}")
     public ResponseEntity<AppSecret> getSecret(@PathVariable String appId) {
-        // The service performs the "isAppAllowed()" check immediately.
-        AppSecret secret = vaultService.getAppSecret(appId);
-        return ResponseEntity.ok(secret);
+        logger.info("Request received to retrieve secret for appId: {}", appId);
+
+        try {
+            // The service performs the "isAppAllowed()" check immediately.
+            AppSecret secret = vaultService.getAppSecret(appId);
+            
+            // We log success, but we avoid logging the 'secret' object itself to prevent
+            // accidental leakage, even though our Log4j regex would likely catch it.
+            logger.info("Secret successfully retrieved for appId: {}", appId);
+            
+            return ResponseEntity.ok(secret);
+        } catch (Exception e) {
+            // Log the error. If the error message contains sensitive info, Log4j will redact it.
+            logger.error("Failed to retrieve secret for appId: {}", appId, e);
+            throw e; // Re-throw to let Spring handle the error response (e.g., 403 or 500)
+        }
     }
 
     /**
@@ -36,8 +54,18 @@ public ResponseEntity<AppSecret> getSecret(@PathVariable String appId) {
      */
     @PostMapping("/{appId}/rotate")
     public ResponseEntity<AppSecret> rotateSecret(@PathVariable String appId) {
-        // The service performs the "isAppAllowed()" check immediately.
-        AppSecret secret = vaultService.rotateSecret(appId);
-        return ResponseEntity.ok(secret);
+        logger.warn("Manual secret rotation requested for appId: {}", appId);
+
+        try {
+            // The service performs the "isAppAllowed()" check immediately.
+            AppSecret secret = vaultService.rotateSecret(appId);
+            
+            logger.info("Secret successfully rotated for appId: {}", appId);
+            
+            return ResponseEntity.ok(secret);
+        } catch (Exception e) {
+            logger.error("Failed to rotate secret for appId: {}", appId, e);
+            throw e;
+        }
     }
 }
diff --git a/src/main/resources/log4j2.xml b/src/main/resources/log4j2.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration status="WARN">
+    <Appenders>
+        <Console name="Console" target="SYSTEM_OUT">
+            <PatternLayout>
+                <Pattern>%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %replace{%msg}{(?i)(Bearer\s+|token=|password=|key":")([a-zA-Z0-9\._-]+)}{$1*****REDACTED*****}%n</Pattern>
+            </PatternLayout>
+        </Console>
+
+        <File name="File" fileName="logs/app.log">
+            <PatternLayout>
+                <Pattern>%d{yyyy-MM-dd HH:mm:ss} [%t] %-5level %logger{36} - %replace{%msg}{(?i)(Bearer\s+|token=|password=|key":")([a-zA-Z0-9\._-]+)}{$1*****REDACTED*****}%n</Pattern>
+            </PatternLayout>
+        </File>
+    </Appenders>
+
+    <Loggers>
+        <Root level="info">
+            <AppenderRef ref="Console"/>
+            <AppenderRef ref="File"/>
+        </Root>
+    </Loggers>
+</Configuration>
