Address static code analysis recommendations from IntelliJ (AthenZ#549)

clients/java/zpe/src/main/java/com/yahoo/athenz/zpe/AuthZpeClient.java

@@ -305,7 +305,7 @@ public static AccessCheckStatus allowAccess(X509Certificate cert, String angReso
             }
             return AccessCheckStatus.DENY_CERT_MISSING_DOMAIN;
         }
-        String roleName = subject.substring(idx + ROLE_SEARCH.length(), subject.length());
+        String roleName = subject.substring(idx + ROLE_SEARCH.length());
         if (roleName.isEmpty()) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug("AUTHZPECLT:allowAccess: missing role name");

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStore.java

@@ -18,6 +18,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
 import java.security.PrivateKey;
 
 import org.slf4j.Logger;
@@ -76,7 +77,7 @@ private String retrieveKeyFromResource(String resourceName) {
         try (InputStream is = getClass().getResourceAsStream(resourceName)) {
             String resourceData = getString(is);
             if (resourceData != null) {
-                key = Crypto.ybase64(resourceData.getBytes("UTF-8"));
+                key = Crypto.ybase64(resourceData.getBytes(StandardCharsets.UTF_8));
             }
         } catch (IOException e) {
             if (LOG.isDebugEnabled()) {

libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/SimpleServiceIdentityProvider.java

@@ -35,8 +35,8 @@ public class SimpleServiceIdentityProvider implements ServiceIdentityProvider {
 
     private String domain;
     private String service;
-    private PrivateKey key = null;
-    private long tokenTimeout = 3600;
+    private PrivateKey key;
+    private long tokenTimeout;
     private String keyId;
     private String host = null;
     private Authority authority;

libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/FilePrivateKeyStoreTest.java

@@ -20,6 +20,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
 import java.security.PrivateKey;
 
 import org.testng.annotations.Test;
@@ -95,7 +96,7 @@ public void testGetString() throws IOException {
 
         FilePrivateKeyStoreFactory factory = new FilePrivateKeyStoreFactory();
         FilePrivateKeyStore store = (FilePrivateKeyStore) factory.create();
-        try (InputStream is = new ByteArrayInputStream(str.getBytes("UTF-8"))) {
+        try (InputStream is = new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))) {
             String getStr = store.getString(is);
             assertEquals(getStr, str);
         }

libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/InstanceProviderClient.java

@@ -91,7 +91,7 @@ private String responseText(final Response response) {
     public InstanceConfirmation postInstanceConfirmation(InstanceConfirmation confirmation) {
         WebTarget target = base.path("/instance");
         Invocation.Builder invocationBuilder = target.request(MediaType.APPLICATION_JSON);
-        Response response = null;
+        Response response;
         try {
             response = invocationBuilder.post(Entity.entity(confirmation, MediaType.APPLICATION_JSON));
         } catch (Exception ex) {
@@ -111,7 +111,7 @@ public InstanceConfirmation postInstanceConfirmation(InstanceConfirmation confir
     public InstanceConfirmation postRefreshConfirmation(InstanceConfirmation confirmation) {
         WebTarget target = base.path("/refresh");
         Invocation.Builder invocationBuilder = target.request(MediaType.APPLICATION_JSON);
-        Response response = null;
+        Response response;
         try {
             response = invocationBuilder.post(Entity.entity(confirmation, MediaType.APPLICATION_JSON));
         } catch (Exception ex) {

servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java

@@ -2373,7 +2373,7 @@ Policy updateTemplatePolicy(Policy policy, String domainName, List<TemplateParam
     ServiceIdentity updateTemplateServiceIdentity(ServiceIdentity serviceIdentity,
             String domainName, List<TemplateParam> params) {
 
-        String templateServiceName = serviceIdentity.getName().replace(TEMPLATE_DOMAIN_NAME, domainName);;
+        String templateServiceName = serviceIdentity.getName().replace(TEMPLATE_DOMAIN_NAME, domainName);
         if (params != null) {
             for (TemplateParam param : params) {
                 final String paramKey = "_" + param.getName() + "_";

servers/zms/src/main/java/com/yahoo/athenz/zms/store/file/FileConnection.java

@@ -512,6 +512,7 @@ public List<String> listPrincipals(String domainName) {
         return new ArrayList<>(principals);
     }
 
+    @SuppressWarnings("SuspiciousListRemoveInLoop")
     @Override
     public boolean deletePrincipal(String principalName, boolean subDomains) {
 

servers/zms/src/main/java/com/yahoo/athenz/zms/utils/ZMSUtils.java

@@ -194,14 +194,15 @@ public static void validateRoleMembers(final Role role, final String caller,
         }
     }
 
+    @SuppressWarnings("SuspiciousListRemoveInLoop")
     public static void removeMembers(List<RoleMember> originalRoleMembers,
-            List<RoleMember> removeRoleMembers) {
+                                     List<RoleMember> removeRoleMembers) {
         if (removeRoleMembers == null || originalRoleMembers == null) {
             return;
         }
         for (RoleMember removeMember : removeRoleMembers) {
             String removeName = removeMember.getMemberName();
-            for (int j = 0; j < originalRoleMembers.size(); j ++) {
+            for (int j = 0; j < originalRoleMembers.size(); j++) {
                 if (removeName.equalsIgnoreCase(originalRoleMembers.get(j).getMemberName())) {
                     originalRoleMembers.remove(j);
                 }

servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java

@@ -18,6 +18,7 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
@@ -6896,27 +6897,16 @@ public void testGetPublicKeyZMS() {
 
         String publicKey = zms.getPublicKey("sys.auth", "zms", "0");
         assertNotNull(publicKey);
-        try {
-            assertEquals(pubKey, Crypto.ybase64(publicKey.getBytes("UTF-8")));
-        } catch (UnsupportedEncodingException e) {
-            fail();
-        }
+        assertEquals(pubKey, Crypto.ybase64(publicKey.getBytes(StandardCharsets.UTF_8)));
+
 
         publicKey = zms.getPublicKey("sys.auth", "zms", "1");
         assertNotNull(publicKey);
-        try {
-            assertEquals(pubKeyK1, Crypto.ybase64(publicKey.getBytes("UTF-8")));
-        } catch (UnsupportedEncodingException e) {
-            fail();
-        }
-
+        assertEquals(pubKeyK1, Crypto.ybase64(publicKey.getBytes(StandardCharsets.UTF_8)));
+
         publicKey = zms.getPublicKey("sys.auth", "zms", "2");
         assertNotNull(publicKey);
-        try {
-            assertEquals(pubKeyK2, Crypto.ybase64(publicKey.getBytes("UTF-8")));
-        } catch (UnsupportedEncodingException e) {
-            fail();
-        }
+        assertEquals(pubKeyK2, Crypto.ybase64(publicKey.getBytes(StandardCharsets.UTF_8)));
     }
 
     @Test

servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java

@@ -80,10 +80,10 @@ public class ZTSImpl implements KeyStore, ZTSHandler {
 
     private static String ROOT_DIR;
 
-    protected DataStore dataStore = null;
-    protected CloudStore cloudStore = null;
-    protected InstanceCertManager instanceCertManager = null;
-    protected InstanceProviderManager instanceProviderManager = null;
+    protected DataStore dataStore;
+    protected CloudStore cloudStore;
+    protected InstanceCertManager instanceCertManager;
+    protected InstanceProviderManager instanceProviderManager;
     protected Metric metric = null;
     protected Schema schema = null;
     protected PrivateKey privateKey = null;
@@ -92,7 +92,6 @@ public class ZTSImpl implements KeyStore, ZTSHandler {
     protected int roleTokenDefaultTimeout;
     protected int roleTokenMaxTimeout;
     protected long x509CertRefreshResetTime;
-    protected boolean traceAccess = true;
     protected long signedPolicyTimeout;
     protected static String serverHostName = null;
     protected String ostkHostSignerDomain = null;
@@ -1754,7 +1753,7 @@ X509CertRecord insertX509CertRecord(ResourceContext ctx, final String cn, final
         }
 
         return x509CertRecord;
-    };
+    }
 
     @Override
     public void postInstanceRegisterInformation(ResourceContext ctx, InstanceRegisterInformation info,
@@ -2198,19 +2197,8 @@ InstanceIdentity processProviderX509RefreshRequest(ResourceContext ctx, final Pr
             x509CertRecord.setPrevSerial(x509CertRecord.getCurrentSerial());
 
         } else if (!x509CertRecord.getPrevSerial().equals(serialNumber)) {
-
-            // we have a mismatch for both current and previous serial
-            // numbers so we're going to revoke it
-
-            LOGGER.error("Revoking certificate refresh for cn: {} instance id: {}," +
-                    " current serial: {}, previous serial: {}, cert serial: {}",
-                    principalName, x509CertRecord.getInstanceId(), x509CertRecord.getCurrentSerial(),
-                    x509CertRecord.getPrevSerial(), serialNumber);
-
-            x509CertRecord.setPrevSerial("-1");
-            x509CertRecord.setCurrentSerial("-1");
-
-            instanceCertManager.updateX509CertRecord(x509CertRecord);
+
+            revokeCertificateRefresh(principalName, serialNumber, x509CertRecord);
             throw forbiddenError("Certificate revoked", caller, domain);
         }
 
@@ -2297,19 +2285,8 @@ InstanceIdentity processProviderSSHRefreshRequest(ResourceContext ctx, final Pri
         String serialNumber = cert.getSerialNumber().toString();
         if (!x509CertRecord.getCurrentSerial().equals(serialNumber) &&
                 !x509CertRecord.getPrevSerial().equals(serialNumber)) {
-
-            // we have a mismatch for both current and previous serial
-            // numbers so we're going to revoke it
-
-            LOGGER.error("Revoking certificate refresh for cn: {} instance id: {}," +
-                    " current serial: {}, previous serial: {}, cert serial: {}",
-                    principalName, x509CertRecord.getInstanceId(), x509CertRecord.getCurrentSerial(),
-                    x509CertRecord.getPrevSerial(), serialNumber);
-
-            x509CertRecord.setPrevSerial("-1");
-            x509CertRecord.setCurrentSerial("-1");
-
-            instanceCertManager.updateX509CertRecord(x509CertRecord);
+
+            revokeCertificateRefresh(principalName, serialNumber, x509CertRecord);
             throw forbiddenError("Certificate revoked", caller, domain);
         }
 
@@ -2343,7 +2320,23 @@ InstanceIdentity processProviderSSHRefreshRequest(ResourceContext ctx, final Pri
 
         return identity;
     }
-
+
+    void revokeCertificateRefresh(final String principalName, final String serialNumber,
+            X509CertRecord x509CertRecord) {
+
+        // we have a mismatch for both current and previous serial
+        // numbers so we're going to revoke it
+
+        LOGGER.error("Revoking certificate refresh for cn: {} instance id: {}, current serial: {}, previous serial: {}, cert serial: {}",
+                principalName, x509CertRecord.getInstanceId(), x509CertRecord.getCurrentSerial(),
+                x509CertRecord.getPrevSerial(), serialNumber);
+
+        x509CertRecord.setPrevSerial("-1");
+        x509CertRecord.setCurrentSerial("-1");
+
+        instanceCertManager.updateX509CertRecord(x509CertRecord);
+    }
+
     @Override
     public void deleteInstanceIdentity(ResourceContext ctx, String provider,
             String domain, String service, String instanceId) {
@@ -2618,7 +2611,7 @@ public SSHCertificates postSSHCertRequest(ResourceContext ctx, SSHCertRequest ce
         // generate our certificate. the ssh signer interface throws
         // rest ResourceExceptions so we'll catch and log those
 
-        SSHCertificates certs = null;
+        SSHCertificates certs;
         try {
             certs = instanceCertManager.getSSHCertificates(principal,
                     certRequest, instanceId);

servers/zts/src/main/java/com/yahoo/athenz/zts/cert/impl/DynamoDBCertRecordStore.java

@@ -38,8 +38,7 @@ public DynamoDBCertRecordStore(AmazonDynamoDB client, final String tableName) {
     @Override
     public CertRecordStoreConnection getConnection() {
         try {
-            DynamoDBCertRecordStoreConnection dynamoConn = new DynamoDBCertRecordStoreConnection(dynamoDB, tableName);
-            return dynamoConn;
+            return new DynamoDBCertRecordStoreConnection(dynamoDB, tableName);
         } catch (Exception ex) {
             LOG.error("getConnection: {}", ex.getMessage());
             throw new ResourceException(ResourceException.SERVICE_UNAVAILABLE, ex.getMessage());

servers/zts/src/main/java/com/yahoo/athenz/zts/utils/ZTSUtils.java

@@ -114,7 +114,7 @@ public static SslContextFactory createSSLContextObject(final String[] clientProt
                 ZTS_DEFAULT_EXCLUDED_CIPHER_SUITES);
         String excludedProtocols = System.getProperty(ZTSConsts.ZTS_PROP_EXCLUDED_PROTOCOLS,
                 ZTS_DEFAULT_EXCLUDED_PROTOCOLS);
-        Boolean wantClientAuth = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_WANT_CLIENT_CERT, "false"));
+        boolean wantClientAuth = Boolean.parseBoolean(System.getProperty(ZTSConsts.ZTS_PROP_WANT_CLIENT_CERT, "false"));
 
         SslContextFactory sslContextFactory = new SslContextFactory();
         if (keyStorePath != null) {

servers/zts/src/test/java/com/yahoo/athenz/zts/InstanceProviderManagerTest.java

@@ -201,9 +201,8 @@ public void testGetHttpsProviderUnknownProvider() throws NoSuchAlgorithmExceptio
         store.processDomain(signedDomain, false);
 
         InstanceProviderManager provider = new InstanceProviderManager(store, SSLContext.getDefault(), null);
-        InstanceProvider client = provider.getProvider("coretech.weather");
-        assertNotNull(client);
-        client.close();
+        InstanceProvider client = provider.getProvider("coretech.weather2");
+        assertNull(client);
     }
 
     @Test

servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java

@@ -2478,8 +2478,8 @@ public void testGetAWSTemporaryCredentials() {
 
         Principal principal = SimplePrincipal.create("user_domain", "user101",
                 "v=U1;d=user_domain;n=user101;s=signature", 0, null);
-        CloudStore cloudStore = new MockCloudStore();
-        ((MockCloudStore) cloudStore).setMockFields("1234", "aws_role_name", "user_domain.user101");
+        MockCloudStore cloudStore = new MockCloudStore();
+        cloudStore.setMockFields("1234", "aws_role_name", "user_domain.user101");
         store.setCloudStore(cloudStore);
         zts.cloudStore = cloudStore;
 
@@ -2493,7 +2493,7 @@ public void testGetAWSTemporaryCredentials() {
         // now try a failure case
 
         try {
-            ((MockCloudStore) cloudStore).setMockFields("1234", "aws_role2_name", "user_domain.user101");
+            cloudStore.setMockFields("1234", "aws_role2_name", "user_domain.user101");
             zts.getAWSTemporaryCredentials(createResourceContext(principal), "athenz.product", "aws_role_name", null, null);
             fail();
         } catch (ResourceException ex) {