Document tabs

http-tests/proxy/GET-proxied-accept-forwarded.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the readers group to be able to read documents
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/readers/"
+
+# Regression: ProxyRequestFilter must forward the client's Accept header verbatim to the
+# upstream, NOT substitute its own readable-types list. Previously the filter built its
+# outbound Accept from MediaTypes.getReadable(Model.class) + getReadable(ResultSet.class)
+# (everything Jena could ingest, all q=1.0), discarding what the client actually asked for.
+# The upstream then content-negotiated against that broad list and could legally pick any
+# RDF format — e.g. application/rdf+thrift — even when the client (e.g. SaxonJS document())
+# explicitly requested application/rdf+xml or application/xml.
+#
+# Verify by requesting one specific RDF type and asserting the response matches it.
+
+for accept in 'application/rdf+xml' 'text/turtle' 'application/n-triples'; do
+    content_type=$(curl -k -f -s -G -w "%{content_type}" -o /dev/null \
+      -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+      -H "Accept: $accept" \
+      --data-urlencode "uri=${END_USER_BASE_URL}" \
+      "$ADMIN_BASE_URL")
+
+    case "$content_type" in
+        "$accept"*) ;;
+        *) exit 1 ;;
+    esac
+done

http-tests/proxy/GET-proxied-accept-html-not-preferred.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the readers group to be able to read documents
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/readers/"
+
+# Regression: when a client lists application/xhtml+xml (or text/html) in Accept at a
+# LOWER q-value than another supported type, the proxy must treat the request as
+# API-client intent and forward — not as browser navigation that wants the app shell.
+# Previously, ProxyRequestFilter bypassed on anyMatch(HTML or XHTML in Accept) without
+# checking q-rank, so it false-fired on any Accept that mentioned HTML at all and
+# returned the local app shell instead of the proxied response.
+#
+# Discriminator is HTTP status — content-type cannot tell bypass from forward because
+# admin and end-user share writer configs (same Accept → same negotiated type on both).
+# A UUID-named path that doesn't exist on either origin disambiguates:
+#   - bypass: ApplicationFilter strips ?uri= → request URI becomes admin root → 200
+#   - forward: proxy forwards the actual UUID path to end-user → 404
+
+accept_header='application/xml, text/xml;q=0.9, application/xhtml+xml;q=0.8, */*;q=0.7'
+non_existing_uri="${END_USER_BASE_URL}$(cat /proc/sys/kernel/random/uuid 2>/dev/null || uuidgen)/"
+
+status=$(curl -k -s -G -o /dev/null -w "%{http_code}" \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H "Accept: $accept_header" \
+  --data-urlencode "uri=${non_existing_uri}" \
+  "$ADMIN_BASE_URL")
+
+[ "$status" = "$STATUS_NOT_FOUND" ] || exit 1

http-tests/proxy/GET-proxied-external-502.sh

@@ -19,6 +19,7 @@ add-agent-to-group.sh \
 
 curl -k -w "%{http_code}\n" -o /dev/null -s \
   -G \
+  -H "Accept: application/n-triples" \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   --data-urlencode "uri=http://f1d2d4cf-90bb-4f5b-ae4b-921e584b6edd.org" \
   "$END_USER_BASE_URL" \

http-tests/proxy/HEAD-proxied-etag.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the readers group to be able to read documents
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/readers/"
+
+extract_etag() {
+    grep -i '^etag:' \
+    | tr -d '\r' \
+    | sed 's/^[Ee][Tt][Aa][Gg]:[[:space:]]*//'
+}
+
+# fetch the end-user root directly to capture its ETag
+
+direct_etag=$(curl --head -k -f -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H 'Accept: application/n-triples' \
+  "$END_USER_BASE_URL" \
+| extract_etag)
+
+# fetch the same document via the admin proxy
+
+proxied_etag=$(curl -G --head -k -f -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H 'Accept: application/n-triples' \
+  --data-urlencode "uri=${END_USER_BASE_URL}" \
+  "$ADMIN_BASE_URL" \
+| extract_etag)
+
+[ -n "$proxied_etag" ] || exit 1
+[ "$proxied_etag" = "$direct_etag" ] || exit 1

src/main/java/com/atomgraph/linkeddatahub/Application.java

@@ -842,7 +842,6 @@ protected PasswordAuthentication getPasswordAuthentication()
             xsltProc.registerExtensionFunction(new UUID());
             xsltProc.registerExtensionFunction(new DecodeURI());
             xsltProc.registerExtensionFunction(new com.atomgraph.linkeddatahub.writer.function.URLDecode());
-            xsltProc.registerExtensionFunction(new com.atomgraph.linkeddatahub.writer.function.Construct(xsltProc));
             xsltProc.registerExtensionFunction(new com.atomgraph.linkeddatahub.writer.function.SendHTTPRequest(xsltProc, client));
 
             Model mappingModel = locationMapper.toModel();