MGM: HTTP - Added opaque query to request object if access via gateway authentication

Only authz opaque is not passed.
Fixes EOS-6482

Author: ccaffy

mgm/http/HttpServer.cc

@@ -400,6 +400,12 @@ HttpServer::XrdHttpHandler(std::string& method,
     headers["client-real-host"] = client.host;
     headers["x-real-ip"] = client.host;
 
+    auto it = headers.find("xrd-http-fullresource");
+
+    if (it != headers.end()) {
+      extractOpaqueWithoutAuthz(it->second,query);
+    }
+
     if (client.moninfo && strlen(client.moninfo)) {
       headers["ssl_client_s_dn"] = client.moninfo;
     }
@@ -469,16 +475,8 @@ HttpServer::BuildPathAndEnvOpaque
     return false;
   }
 
-  path = it->second;
   std::string opaque;
-  size_t pos = path.find('?');
-
-  if ((pos != std::string::npos) && (pos != path.length())) {
-    opaque = path.substr(pos + 1);
-    path = path.substr(0, pos);
-    eos::common::Path canonical_path(path);
-    path = canonical_path.GetFullPath().c_str();
-  }
+  extractPathAndOpaque(it->second,path,opaque);
 
   // Check if there is an explicit authorization header
   std::string http_authz;
@@ -526,7 +524,34 @@ HttpServer::BuildPathAndEnvOpaque
   return true;
 }
 
+void HttpServer::extractPathAndOpaque(const std::string & fullpath, std::string & path, std::string & opaque)
+{
+  path = fullpath;
 
+  size_t pos = fullpath.find('?');
+  if ((pos != std::string::npos) && (pos != fullpath.length())) {
+    opaque = path.substr(pos + 1);
+    path = path.substr(0, pos);
+    eos::common::Path canonical_path(path);
+    path = canonical_path.GetFullPath().c_str();
+  }
+
+}
+
+void HttpServer::extractOpaqueWithoutAuthz(const std::string & fullpath, std::string & opaque) {
+  std::string path;
+  opaque.clear();
+  extractPathAndOpaque(fullpath,path,opaque);
+  if(opaque.size()) {
+    auto env_opaque = std::make_unique<XrdOucEnv>(opaque.c_str(), opaque.length());
+    int envTidyLen;
+    char * envTidy = env_opaque->EnvTidy(envTidyLen);
+    if(envTidyLen > 1) {
+      // Seen during unit tests, EnvTidy puts an ampersand at the beginning of the resulting string
+      opaque.assign(envTidy + 1, envTidyLen - 1);
+    }
+  }
+}
 
 //------------------------------------------------------------------------------
 // Handle clientDN specified using RFC2253 (and RFC4514) where the

mgm/http/HttpServer.hh

@@ -165,6 +165,24 @@ public:
   BuildPathAndEnvOpaque(const std::map<std::string, std::string>&
                         normalized_headers, std::string& path,
                         std::unique_ptr<XrdOucEnv>& env_opaque);
+
+  //----------------------------------------------------------------------------
+  //! Extract opaque query from the full path passed in parameter
+  //!
+  //! @param fullpath the path from which we extract the opaque infos
+  //! @param path, the extracted path
+  //! @param opaque, the extracted opaque without the '?'
+  //----------------------------------------------------------------------------
+  static void extractPathAndOpaque(const std::string & fullpath, std::string & path, std::string & opaque);
+
+  //----------------------------------------------------------------------------
+  //! Extract opaque query from the full path passed in parameter and remove everything
+  //! related to authz
+  //!
+  //! @param fullpath the path from which we extract the opaque infos
+  //! @param opaque, the extracted opaque without the '?' and without authz opaque query
+  //----------------------------------------------------------------------------
+  static void extractOpaqueWithoutAuthz(const std::string & fullpath, std::string & opaque);
 };
 
 EOSMGMNAMESPACE_END

unit_tests/mgm/http/HttpServerTests.cc

@@ -82,3 +82,40 @@ TEST(HttpServer, ParsePathAndToken)
   ASSERT_TRUE(HttpServer::BuildPathAndEnvOpaque(norm_hdrs, path, env_opaque));
   ASSERT_STREQ("http/wizz", env_opaque->Get("eos.app"));
 }
+
+static std::map<std::string,std::pair<std::string,std::string>> fullPathToPathAndOpaque = {
+    {"",{"",""}},
+    {"/eos/file.dat",{"/eos/file.dat",""}},
+    {"/eos/file.dat?",{"/eos/file.dat",""}},
+    {"/eos/file.dat?testopaque=1",{"/eos/file.dat","testopaque=1"}},
+    {"/eos/file.dat?testopaque=1&authz=qwerty&test=2",{"/eos/file.dat","testopaque=1&authz=qwerty&test=2"}},
+};
+
+TEST(HttpServer, ExtractPathAndOpaque) {
+  for(const auto & [fullpath, pathAndOpaquePair]: fullPathToPathAndOpaque) {
+    std::string extractedPath;
+    std::string extractedOpaque;
+    eos::mgm::HttpServer::extractPathAndOpaque(fullpath,extractedPath, extractedOpaque);
+    ASSERT_EQ(pathAndOpaquePair.first,extractedPath);
+    ASSERT_EQ(pathAndOpaquePair.second,extractedOpaque);
+  }
+}
+
+static std::map<std::string,std::string> fullPathToOpaque = {
+    {"",""},
+    {"/eos/lhcb/test/?eos.ruid=0","eos.ruid=0"},
+    {"/eos/lhcb/",""},
+    {"/eos/file.dat?",""},
+    {"/eos/lhcb/passwd.txt?eos.test=0&oss.test=18&test=3","eos.test=0&oss.test=18&test=3"},
+    {"/eos/lhcb/passwd.txt?authz=azerty&eos.test=0&oss.test=18&test=3","eos.test=0&oss.test=18&test=3"},
+    {"/eos/lhcb/passwd.txt?eos.test=0&oss.test=18&authz=azerty&test=3","eos.test=0&oss.test=18&test=3"},
+    {"/eos/lhcb/passwd.txt?eos.test=0&oss.test=18&test=3&authz=azerty","eos.test=0&oss.test=18&test=3"}
+};
+
+TEST(HttpServer, ExtractOpaqueWithoutAuthz) {
+  for (const auto & [fullpath,opaque]: fullPathToOpaque) {
+    std::string extractedOpaque;
+    eos::mgm::HttpServer::extractOpaqueWithoutAuthz(fullpath,extractedOpaque);
+    ASSERT_EQ(opaque,extractedOpaque);
+  }
+}