feat(sdk): add linter and fix linter findings

relates to STACKITSDK-219

Author: rubenhoenle

build.gradle

@@ -3,6 +3,7 @@ plugins {
 	id 'signing'
 	id 'idea'
 	id 'eclipse'
+	id 'pmd'
 
 	id 'com.diffplug.spotless' version '6.21.0'
 
@@ -13,6 +14,7 @@ plugins {
 
 allprojects {
 	apply plugin: 'com.diffplug.spotless'
+	apply plugin: 'pmd'
 
 	repositories {
 		mavenCentral()
@@ -64,6 +66,32 @@ allprojects {
 			endWithNewline()
 		}
 	}
+
+	pmd {
+		consoleOutput = true
+		toolVersion = "7.12.0"
+
+		//rulesMinimumPriority = 5
+		//ruleSets = [
+		//	"category/java/bestpractices.xml",
+		//	"category/java/codestyle.xml",
+		//	"category/java/design.xml",
+		//	"category/java/documentation.xml",
+		//	"category/java/errorprone.xml",
+		//	"category/java/multithreading.xml",
+		//	"category/java/performance.xml",
+		//	"category/java/security.xml",
+
+		//	//"category/java/errorprone.xml",
+		//	//			"category/java/bestpractices.xml"
+		//]
+
+		// This tells PMD to use your custom ruleset file.
+		ruleSetFiles = rootProject.files("config/pmd/pmd-ruleset.xml")
+
+		// This is important: it prevents PMD from using its default rules.
+		ruleSets = []
+	}
 }
 
 def configureMavenCentralPublishing(Project project) {

config/pmd/pmd-ruleset.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0"?>
+<ruleset name="Custom Ruleset"
+         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
+
+    <description>
+        Custom ruleset that excludes generated code from PMD analysis.
+    </description>
+
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/model/.*</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/api/.*</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/ApiCallback.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/ApiClient.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/ApiResponse.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/GzipRequestInterceptor.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/JSON.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/Pair.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/ProgressRequestBody.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/ProgressResponseBody.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/ServerConfiguration.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/ServerVariable.java</exclude-pattern>
+    <exclude-pattern>.*/cloud/stackit/sdk/.*/StringUtil.java</exclude-pattern>
+
+    <rule ref="category/java/bestpractices.xml">
+        <exclude name="UnitTestContainsTooManyAsserts"/>
+        <exclude name="UnitTestAssertionsShouldIncludeMessage"/>
+    </rule>
+    
+    <rule ref="category/java/codestyle.xml">
+        <exclude name="LocalVariableCouldBeFinal"/>
+        <exclude name="MethodArgumentCouldBeFinal"/>
+        <exclude name="AtLeastOneConstructor"/>
+        <exclude name="LongVariable"/>
+        <exclude name="OnlyOneReturn"/>
+    </rule>
+    
+    <rule ref="category/java/design.xml">
+    </rule>
+    
+    <rule ref="category/java/documentation.xml">
+        <exclude name="CommentRequired"/>
+    </rule>
+    
+    <rule ref="category/java/errorprone.xml">
+        <exclude name="AvoidFieldNameMatchingMethodName"/>
+    </rule>
+    
+    <rule ref="category/java/multithreading.xml">
+    </rule>
+    
+    <rule ref="category/java/performance.xml">
+    </rule>
+    
+    <rule ref="category/java/security.xml">
+    </rule>
+
+</ruleset>

core/src/main/java/cloud/stackit/sdk/core/KeyFlowAuthenticator.java

@@ -19,14 +19,19 @@
 import java.security.interfaces.RSAPrivateKey;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Date;
-import java.util.HashMap;
 import java.util.Map;
 import java.util.UUID;
+import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
+
 import okhttp3.*;
 import org.jetbrains.annotations.NotNull;
 
-/* KeyFlowAuthenticator handles the Key Flow Authentication based on the Service Account Key. */
+/*
+ * KeyFlowAuthenticator handles the Key Flow Authentication based on the Service Account Key.
+ */
 public class KeyFlowAuthenticator implements Authenticator {
 	private static final String REFRESH_TOKEN = "refresh_token";
 	private static final String ASSERTION = "assertion";
@@ -44,6 +49,8 @@ public class KeyFlowAuthenticator implements Authenticator {
 	private final String tokenUrl;
 	private long tokenLeewayInSeconds = DEFAULT_TOKEN_LEEWAY;
 
+	Lock tokenRefreshLock = new ReentrantLock();
+
 	/**
 	 * Creates the initial service account and refreshes expired access token.
 	 *
@@ -140,19 +147,19 @@ public Request authenticate(Route route, @NotNull Response response) throws IOEx
 
 	protected static class KeyFlowTokenResponse {
 		@SerializedName("access_token")
-		private String accessToken;
+		private final String accessToken;
 
 		@SerializedName("refresh_token")
-		private String refreshToken;
+		private final String refreshToken;
 
 		@SerializedName("expires_in")
 		private long expiresIn;
 
 		@SerializedName("scope")
-		private String scope;
+		private final String scope;
 
 		@SerializedName("token_type")
-		private String tokenType;
+		private final String tokenType;
 
 		public KeyFlowTokenResponse(
 				String accessToken,
@@ -184,13 +191,21 @@ protected String getAccessToken() {
 	 * @throws IOException request for new access token failed
 	 * @throws ApiException response for new access token with bad status code
 	 */
-	public synchronized String getAccessToken()
+	public String getAccessToken()
 			throws IOException, ApiException, InvalidKeySpecException {
-		if (token == null) {
-			createAccessToken();
-		} else if (token.isExpired()) {
-			createAccessTokenWithRefreshToken();
+		try {
+			tokenRefreshLock.lock();
+
+			if (token == null) {
+				createAccessToken();
+			} else if (token.isExpired()) {
+				createAccessTokenWithRefreshToken();
+			}
+		}
+		finally {
+			tokenRefreshLock.unlock();
 		}
+
 		return token.getAccessToken();
 	}
 
@@ -204,7 +219,6 @@ public synchronized String getAccessToken()
 	 */
 	protected void createAccessToken()
 			throws InvalidKeySpecException, IOException, JsonSyntaxException, ApiException {
-		String grant = "urn:ietf:params:oauth:grant-type:jwt-bearer";
 		String assertion;
 		try {
 			assertion = generateSelfSignedJWT();
@@ -213,9 +227,11 @@ protected void createAccessToken()
 					"could not find required algorithm for jwt signing. This should not happen and should be reported on https://github.com/stackitcloud/stackit-sdk-java/issues",
 					e);
 		}
-		Response response = requestToken(grant, assertion).execute();
-		parseTokenResponse(response);
-		response.close();
+
+		String grant = "urn:ietf:params:oauth:grant-type:jwt-bearer";
+		try (Response response = requestToken(grant, assertion).execute()) {
+			parseTokenResponse(response);
+		}
 	}
 
 	/**
@@ -228,13 +244,13 @@ protected void createAccessToken()
 	protected synchronized void createAccessTokenWithRefreshToken()
 			throws IOException, JsonSyntaxException, ApiException {
 		String refreshToken = token.refreshToken;
-		Response response = requestToken(REFRESH_TOKEN, refreshToken).execute();
-		parseTokenResponse(response);
-		response.close();
+		try (Response response = requestToken(REFRESH_TOKEN, refreshToken).execute()) {
+			parseTokenResponse(response);
+		}
 	}
 
 	private synchronized void parseTokenResponse(Response response)
-			throws ApiException, JsonSyntaxException, IOException {
+			throws ApiException, JsonSyntaxException {
 		if (response.code() != HttpURLConnection.HTTP_OK) {
 			String body = null;
 			if (response.body() != null) {
@@ -256,10 +272,10 @@ private synchronized void parseTokenResponse(Response response)
 		response.body().close();
 	}
 
-	private Call requestToken(String grant, String assertionValue) throws IOException {
+	private Call requestToken(String grant, String assertionValue) {
 		FormBody.Builder bodyBuilder = new FormBody.Builder();
 		bodyBuilder.addEncoded("grant_type", grant);
-		String assertionKey = grant.equals(REFRESH_TOKEN) ? REFRESH_TOKEN : ASSERTION;
+		String assertionKey = REFRESH_TOKEN.equals(grant) ? REFRESH_TOKEN : ASSERTION;
 		bodyBuilder.addEncoded(assertionKey, assertionValue);
 		FormBody body = bodyBuilder.build();
 
@@ -289,7 +305,7 @@ private String generateSelfSignedJWT()
 		prvKey = saKey.getCredentials().getPrivateKeyParsed();
 		Algorithm algorithm = Algorithm.RSA512(prvKey);
 
-		Map<String, Object> jwtHeader = new HashMap<>();
+		Map<String, Object> jwtHeader = new ConcurrentHashMap<>();
 		jwtHeader.put("kid", saKey.getCredentials().getKid());
 
 		return JWT.create()

core/src/main/java/cloud/stackit/sdk/core/auth/SetupAuth.java

@@ -18,6 +18,7 @@
 import java.nio.file.Paths;
 import java.util.Map;
 import javax.swing.filechooser.FileSystemView;
+
 import okhttp3.Interceptor;
 
 public class SetupAuth {
@@ -40,9 +41,11 @@ public class SetupAuth {
 	 *     let it handle the rest. Will be removed in April 2026.
 	 */
 	@Deprecated
+	public SetupAuth() {
+		// deprecated
+	}
 	// TODO: constructor of SetupAuth should be private after deprecated constructors/methods are
 	// removed (only static methods should remain)
-	public SetupAuth() {}
 
 	/**
 	 * Set up the KeyFlow Authentication and can be integrated in an OkHttp client, by adding
@@ -186,7 +189,7 @@ protected static void loadPrivateKey(
 			try {
 				String privateKey = getPrivateKey(cfg, env);
 				saKey.getCredentials().setPrivateKey(privateKey);
-			} catch (Exception e) {
+			} catch (CredentialsInFileNotFoundException | IOException e) {
 				throw new PrivateKeyNotFoundException("could not find private key", e);
 			}
 		}
@@ -216,6 +219,7 @@ protected static void loadPrivateKey(
 	 * </ol>
 	 *
 	 * @param cfg
+	 * @param env
 	 * @return found private key
 	 * @throws CredentialsInFileNotFoundException throws if no private key could be found
 	 * @throws IOException throws if the provided path can not be found or the file within the

core/src/main/java/cloud/stackit/sdk/core/config/CoreConfiguration.java

@@ -13,8 +13,6 @@ public class CoreConfiguration {
 	private String tokenCustomUrl;
 	private Long tokenExpirationLeeway;
 
-	public CoreConfiguration() {}
-
 	public Map<String, String> getDefaultHeader() {
 		return defaultHeader;
 	}

core/src/main/java/cloud/stackit/sdk/core/exception/ApiException.java

@@ -5,14 +5,16 @@
 
 /** ApiException class. */
 public class ApiException extends Exception {
-	private static final long serialVersionUID = 1L;
+	private static final long serialVersionUID = 8115526329759018011L;
 
-	private int code = 0;
-	private Map<String, List<String>> responseHeaders = null;
-	private String responseBody = null;
+	private int code;
+	private Map<String, List<String>> responseHeaders;
+	private String responseBody;
 
 	/** Constructor for ApiException. */
-	public ApiException() {}
+	public ApiException() {
+		super();
+	}
 
 	/**
 	 * Constructor for ApiException.
@@ -162,6 +164,7 @@ public String getResponseBody() {
 	 *
 	 * @return The exception message
 	 */
+	@Override
 	public String getMessage() {
 		return String.format(
 				"Message: %s%nHTTP response code: %s%nHTTP response body: %s%nHTTP response headers: %s",

core/src/main/java/cloud/stackit/sdk/core/exception/CredentialsInFileNotFoundException.java

@@ -1,6 +1,7 @@
 package cloud.stackit.sdk.core.exception;
 
 public class CredentialsInFileNotFoundException extends RuntimeException {
+	private static final long serialVersionUID = -3290974267932615412L;
 
 	public CredentialsInFileNotFoundException(String msg) {
 		super(msg);

core/src/main/java/cloud/stackit/sdk/core/exception/PrivateKeyNotFoundException.java

@@ -1,6 +1,7 @@
 package cloud.stackit.sdk.core.exception;
 
 public class PrivateKeyNotFoundException extends RuntimeException {
+	private static final long serialVersionUID = -81419539524374575L;
 
 	public PrivateKeyNotFoundException(String msg) {
 		super(msg);

core/src/main/java/cloud/stackit/sdk/core/utils/TestUtils.java

@@ -1,6 +1,9 @@
 package cloud.stackit.sdk.core.utils;
 
+@SuppressWarnings("PMD.TestClassWithoutTestCases")
 public class TestUtils {
 	public static final String MOCK_SERVICE_ACCOUNT_KEY =
 			"{\"id\":\"id\",\"publicKey\":\"publicKey\",\"createdAt\":\"2025-03-26T15:08:45.915+00:00\",\"keyType\":\"keyType\",\"keyOrigin\":\"keyOrigin\",\"keyAlgorithm\":\"keyAlgo\",\"active\":true,\"validUntil\":\"2025-03-26T15:08:45.915+00:00\",\"credentials\":{\"aud\":\"aud\",\"iss\":\"iss\",\"kid\":\"kid\",\"privateKey\":\"privateKey\",\"sub\":\"sub\"}}\n";
+
+	public static final String MOCK_SERVICE_ACCOUNT_PRIVATE_KEY = "privateKey";
 }

core/src/main/java/cloud/stackit/sdk/core/utils/Utils.java

@@ -1,7 +1,31 @@
 package cloud.stackit.sdk.core.utils;
 
 public final class Utils {
-	public static boolean isStringSet(String input) {
-		return input != null && !input.trim().isEmpty();
+	private Utils() {}
+
+	/*
+	 * Assert a string is not null and not empty
+	 *
+	 * @param input The string to check
+	 * @return check result
+	 * */
+	public static boolean isStringSet(final String input) {
+		return input != null && !checkTrimEmpty(input);
+	}
+
+	/*
+	 * Assert a string is not empty. Helper method because String.trim().length() == 0
+	 * / String.trim().isEmpty() is an inefficient way to validate a blank String.
+	 *
+	 * @param input The string to check
+	 * @return check result
+	 * */
+	private static boolean checkTrimEmpty(String input) {
+		for (int i = 0; i < input.length(); i++) {
+			if (!Character.isWhitespace(input.charAt(i))) {
+				return false;
+			}
+		}
+		return true;
 	}
 }