Development: Move public endpoints from AthenaResource to PublicAthenaResource

[maximiliansoelch]

Checklist

General

• I tested all changes and their related features with all corresponding user types on a test server.
• Language: I followed the guidelines for inclusive, diversity-sensitive, and appreciative language.
• I chose a title conforming to the naming conventions for pull requests.

Server

• Important: I implemented the changes with a very good performance and prevented too many (unnecessary) and too complex database calls.
• I strictly followed the server coding and design guidelines.

Motivation and Context

Currently, the AthenaResource contains public endpoints, so Athena can retrieve the repositories as zip files.
However, to more easily highlight in the code that endpoints are public, we want to have them in a dedicated public resource.

Description

This PR moves the public endpoints from the AthenaResource to an additional PublicAthenaResource.

Steps for Testing

Prerequisites:

• 1 Instructor
• 1 Students
• 1 Programming Exercise with Athena enabled

1. Log in to Artemis as a student
2. Navigate to the course with the programming exercise, where preliminary feedback requests by Athena are enabled
3. Start the exercise and create a submission
4. Request Feedback and make sure it is displayed

Testserver States

You can manage test servers using Helios. Check environment statuses in the environment list. To deploy to a test server, go to the CI/CD page, find your PR or branch, and trigger the deployment.

Review Progress

Performance Review

Code Review

• Code Review 1
• Code Review 2

Manual Tests

• Test 1
• Test 2

Test Coverage

Unchanged

Summary by CodeRabbit

• New Features

  • Introduced new public API endpoints for securely downloading zipped programming exercise repositories, including student submissions, template, solution, and test repositories. Access requires a valid authorization token.

• Refactor

  • Moved repository export functionality to a new location, simplifying the previous interface and consolidating related endpoints. Existing feedback suggestion and module listing features remain unchanged.

[coderabbitai]

Walkthrough

The repository export REST endpoints and their related secret validation logic have been removed from AthenaResource and re-implemented in a new controller, PublicAthenaResource. This new controller provides public endpoints for downloading programming exercise repositories, secured by a secret validated via SHA-256 hashing. Existing feedback and module endpoints remain unchanged.

Changes

File(s)	Change Summary
src/main/java/de/tum/cit/aet/artemis/athena/web/AthenaResource.java	Removed all repository export endpoints and Athena secret validation; updated constructor accordingly.
src/main/java/de/tum/cit/aet/artemis/athena/web/open/PublicAthenaResource.java	Introduced new controller with public endpoints for repository export, secret validation, and logging.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant PublicAthenaResource
    participant AthenaRepositoryExportService

    Client->>PublicAthenaResource: GET /api/athena/public/programming-exercises/{exerciseId}/submissions/{submissionId}/repository (with Authorization header)
    PublicAthenaResource->>PublicAthenaResource: checkAthenaSecret(auth)
    alt Secret valid
        PublicAthenaResource->>AthenaRepositoryExportService: exportStudentSubmissionRepository(exerciseId, submissionId)
        AthenaRepositoryExportService-->>PublicAthenaResource: Resource (zip file)
        PublicAthenaResource-->>Client: ResponseEntity<Resource>
    else Secret invalid
        PublicAthenaResource-->>Client: AccessForbiddenException
    end

Loading

Suggested labels

server, athena, chore, ready for review

Suggested reviewers

• tobias-lippert
• jfr2102
• krusche

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

src/main/java/de/tum/cit/aet/artemis/athena/web/open/PublicAthenaResource.java (2)

31-48: Consider storing the secret hash computation result securely.

The constructor correctly uses dependency injection and computes the secret hash once for performance. However, consider the security implications of storing the hash in memory.

For enhanced security, consider clearing the original secret from memory after hashing:

 public PublicAthenaResource(AthenaRepositoryExportService athenaRepositoryExportService, @Value("${artemis.athena.secret}") String athenaSecret) {
     this.athenaRepositoryExportService = athenaRepositoryExportService;
     this.athenaSecretHash = hashSha256(athenaSecret);
+    // Clear the secret from memory for security
+    athenaSecret = null;
 }

---

55-60: Security implementation looks correct but consider timing attack protection.

The secret validation correctly uses MessageDigest.isEqual() which provides constant-time comparison to prevent timing attacks. The error handling is appropriate.

Consider using a more descriptive log message for security monitoring:

-log.error("Athena secret does not match");
+log.warn("Unauthorized access attempt to Athena endpoint with invalid secret from request");

src/main/java/de/tum/cit/aet/artemis/athena/web/AthenaResource.java (1)

44-50: Class documentation should be updated to reflect the scope change.

The class comment still mentions "Athena feedback suggestions" but doesn't reflect that repository access has been moved elsewhere.

Consider updating the class documentation:

 /**
- * REST controller for Athena feedback suggestions.
+ * REST controller for Athena feedback suggestions and module management.
  */

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ee6d6e3 and bc40273.

📒 Files selected for processing (2)

• src/main/java/de/tum/cit/aet/artemis/athena/web/AthenaResource.java (1 hunks)
• src/main/java/de/tum/cit/aet/artemis/athena/web/open/PublicAthenaResource.java (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

`src/main/java/**/*.java`: naming:CamelCase; principles:{single_responsibility,small_methods,no_duplication}; db:{perf_queries,datetime_not_timestamp}; rest:{stateless,singleton,de...

src/main/java/**/*.java: naming:CamelCase; principles:{single_responsibility,small_methods,no_duplication}; db:{perf_queries,datetime_not_timestamp}; rest:{stateless,singleton,delegate_logic,http_only,minimal_dtos}; dtos:{java_records,no_entities,min_data,single_resp}; di:constructor_injection; kiss:simple_code; file_handling:os_indep_paths; practices:{least_access,avoid_transactions,code_reuse,static_member_ref,prefer_primitives}; sql:{param_annotation,uppercase,avoid_subqueries};java:avoid_star_imports

• src/main/java/de/tum/cit/aet/artemis/athena/web/AthenaResource.java
• src/main/java/de/tum/cit/aet/artemis/athena/web/open/PublicAthenaResource.java

⏰ Context from checks skipped due to timeout of 90000ms (9)

• GitHub Check: Codacy Static Code Analysis
• GitHub Check: Build and Push Docker Image / Build Docker Image for ls1intum/artemis
• GitHub Check: Build and Push Docker Image / Build Docker Image for ls1intum/artemis
• GitHub Check: Build .war artifact
• GitHub Check: Analyse
• GitHub Check: server-tests
• GitHub Check: server-style
• GitHub Check: client-tests
• GitHub Check: client-style

🔇 Additional comments (6)

src/main/java/de/tum/cit/aet/artemis/athena/web/open/PublicAthenaResource.java (5)

1-27: LGTM: Clean imports and package structure.

The imports follow best practices by avoiding star imports and the package structure appropriately places this in the web/open directory for public endpoints.

---

70-77: Endpoint implementation follows REST best practices.

The method signature, annotations, and delegation pattern are well-implemented. The security bypass annotations with manual secret checking is appropriate for this use case.

---

86-93: Consistent implementation with proper logging.

The template repository endpoint follows the same pattern as the submission endpoint with appropriate debug logging and parameter validation.

---

102-109: Solution repository endpoint is well-structured.

Maintains consistency with other endpoints and properly delegates to the service layer.

---

118-125: Test repository endpoint completes the CRUD pattern correctly.

The final endpoint maintains the established pattern and completes the repository type coverage needed for Athena integration.

src/main/java/de/tum/cit/aet/artemis/athena/web/AthenaResource.java (1)

77-91: Excellent refactoring that improves separation of concerns.

The constructor simplification removes the repository export dependencies, making this class focused solely on feedback suggestions and module management. This follows the single responsibility principle well.

[github-actions]

End-to-End (E2E) Test Results Summary

	Tests	Passed ☑️	Skipped ⚠️	Failed ❌️	Time ⏱
End-to-End (E2E) Test Report	201 ran	197 passed	3 skipped	1 failed	58m 1s 609ms

Test	Result	Time ⏱
End-to-End (E2E) Test Report
e2e/exercise/programming/ProgrammingExerciseStaticCodeAnalysis.spec.ts
ts.Static code analysis tests › Configures SCA grading and makes a successful submission with SCA errors	❌ failure	2m 17s 428ms

[github-actions]

There hasn't been any activity on this pull request recently. Therefore, this pull request has been automatically marked as stale and will be closed if no further activity occurs within seven days. Thank you for your contributions.