apache · praveenc7 · Oct 13, 2024 · Oct 24, 2024 · Nov 5, 2024 · Nov 5, 2024
diff --git a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/AuthenticationFilter.java b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/AuthenticationFilter.java
@@ -37,11 +37,13 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.pinot.broker.api.AccessControl;
 import org.apache.pinot.broker.api.HttpRequesterIdentity;
+import org.apache.pinot.common.auth.AuthProviderUtils;
 import org.apache.pinot.core.auth.FineGrainedAuthUtils;
 import org.apache.pinot.core.auth.ManualAuthorization;
 import org.apache.pinot.spi.auth.AuthorizationResult;
 import org.glassfish.grizzly.http.server.Request;
 
+
 /**
  * A container filter class responsible for automatic authentication of REST endpoints. Any rest endpoints not annotated
  * with {@link org.apache.pinot.core.auth.ManualAuthorization} annotation, will go through authentication.
@@ -73,7 +75,8 @@ public void filter(ContainerRequestContext requestContext)
     UriInfo uriInfo = requestContext.getUriInfo();
 
     // exclude public/unprotected paths
-    if (isBaseFile(uriInfo.getPath()) || UNPROTECTED_PATHS.contains(uriInfo.getPath())) {
+    if (isBaseFile(AuthProviderUtils.stripMatrixParams(uriInfo.getPath()))
+        || UNPROTECTED_PATHS.contains(AuthProviderUtils.stripMatrixParams(uriInfo.getPath()))) {
       return;
     }
 

diff --git a/pinot-common/src/main/java/org/apache/pinot/common/auth/AuthProviderUtils.java b/pinot-common/src/main/java/org/apache/pinot/common/auth/AuthProviderUtils.java
@@ -226,4 +226,17 @@ public static AuthProvider makeAuthProvider(@Nullable AuthProvider provider, Str
 
     return new NullAuthProvider();
   }
+
+  /**
+   * Strips everything after the first matrix/semicolon character in a path.
+   * @param path the path to strip
+   * @return the stripped path
+   */
+  public static String stripMatrixParams(String path) {
+    int matrixIndex = path.indexOf(';');
+    if (matrixIndex != -1) {
+      return path.substring(0, matrixIndex);
+    }
+    return path;
+  }
 }
diff --git a/...controller/src/main/java/org/apache/pinot/controller/api/access/AuthenticationFilter.java b/...controller/src/main/java/org/apache/pinot/controller/api/access/AuthenticationFilter.java
@@ -37,6 +37,7 @@
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.UriInfo;
+import org.apache.pinot.common.auth.AuthProviderUtils;
 import org.apache.pinot.common.utils.DatabaseUtils;
 import org.apache.pinot.core.auth.FineGrainedAuthUtils;
 import org.apache.pinot.core.auth.ManualAuthorization;
@@ -77,7 +78,8 @@ public void filter(ContainerRequestContext requestContext)
     UriInfo uriInfo = requestContext.getUriInfo();
 
     // exclude public/unprotected paths
-    if (isBaseFile(uriInfo.getPath()) || UNPROTECTED_PATHS.contains(uriInfo.getPath())) {
+    if (isBaseFile(AuthProviderUtils.stripMatrixParams(uriInfo.getPath()))
+        || UNPROTECTED_PATHS.contains(AuthProviderUtils.stripMatrixParams(uriInfo.getPath()))) {
       return;
     }
 

diff --git a/...roller/src/test/java/org/apache/pinot/controller/api/access/AuthenticationFilterTest.java b/...roller/src/test/java/org/apache/pinot/controller/api/access/AuthenticationFilterTest.java
@@ -26,10 +26,11 @@
 import javax.ws.rs.PUT;
 import javax.ws.rs.core.MultivaluedHashMap;
 import javax.ws.rs.core.MultivaluedMap;
+import org.apache.pinot.common.auth.AuthProviderUtils;
+import org.testng.annotations.DataProvider;
 import org.testng.annotations.Test;
 
-import static org.testng.Assert.assertEquals;
-import static org.testng.Assert.assertNull;
+import static org.testng.Assert.*;
 
 
 public class AuthenticationFilterTest {
@@ -123,6 +124,23 @@ public void testExtractAccessTypeWithMissingAuthAnnotation() throws Exception {
     assertEquals(AccessType.DELETE, _authFilter.extractAccessType(method));
   }
 
+  // DataProvider supplying test cases
+  @DataProvider(name = "pathProvider")
+  public Object[][] pathProvider() {
+    return new Object[][] {
+        {"/path/to/resource;param1=value1;param2=value2", "/path/to/resource"}, // with matrix params
+        {"/path/to/resource", "/path/to/resource"},                             // no matrix params
+        {"", ""},                                                               // empty path
+        {";param1=value1/path/to/resource", ""},                                // matrix at beginning
+        {"/path;param1=value1;param2=value2/to/resource", "/path"}              // multiple semicolons
+    };
+  }
+
+  @Test(dataProvider = "pathProvider")
+  public void testStripMatrixParams(String input, String expected) {
+    assertEquals(AuthProviderUtils.stripMatrixParams(input), expected);
+  }
+
   @Authenticate(AccessType.UPDATE)
   public void methodWithAuthAnnotation() {
   }