Add request filter for early user and query parsing

Author: vishalya

gateway-ha/src/main/java/io/trino/gateway/baseapp/BaseApp.java

@@ -39,6 +39,8 @@
 import io.trino.gateway.ha.router.RoutingRulesManager;
 import io.trino.gateway.ha.router.StochasticRoutingManager;
 import io.trino.gateway.ha.security.AuthorizedExceptionMapper;
+import io.trino.gateway.ha.security.QueryMetadataParser;
+import io.trino.gateway.ha.security.QueryUserInfoParser;
 import io.trino.gateway.proxyserver.ForProxy;
 import io.trino.gateway.proxyserver.ProxyRequestHandler;
 import io.trino.gateway.proxyserver.RouteToBackendResource;
@@ -187,6 +189,8 @@ private static void registerProxyResources(Binder binder)
     {
         jaxrsBinder(binder).bind(RouteToBackendResource.class);
         jaxrsBinder(binder).bind(RouterPreMatchContainerRequestFilter.class);
+        jaxrsBinder(binder).bind(QueryUserInfoParser.class);
+        jaxrsBinder(binder).bind(QueryMetadataParser.class);
         jaxrsBinder(binder).bind(ProxyRequestHandler.class);
         httpClientBinder(binder).bindHttpClient("proxy", ForProxy.class);
         httpClientBinder(binder).bindHttpClient("monitor", ForMonitor.class);

gateway-ha/src/main/java/io/trino/gateway/ha/config/HaGatewayConfiguration.java

@@ -20,8 +20,17 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-
+import java.util.regex.Pattern;
+
+import static com.google.common.collect.ImmutableList.toImmutableList;
+import static io.trino.gateway.ha.handler.HttpUtils.OAUTH_PATH;
+import static io.trino.gateway.ha.handler.HttpUtils.TRINO_UI_PATH;
+import static io.trino.gateway.ha.handler.HttpUtils.UI_API_STATS_PATH;
+import static io.trino.gateway.ha.handler.HttpUtils.V1_INFO_PATH;
+import static io.trino.gateway.ha.handler.HttpUtils.V1_NODE_PATH;
+import static io.trino.gateway.ha.handler.HttpUtils.V1_QUERY_PATH;
 import static io.trino.gateway.ha.handler.HttpUtils.V1_STATEMENT_PATH;
+import static java.util.Objects.requireNonNull;
 
 public class HaGatewayConfiguration
 {
@@ -289,6 +298,19 @@ private void validateStatementPath(String statementPath, List<String> statementP
         }
     }
 
+    public boolean isPathWhiteListed(String path)
+    {
+        List<Pattern> extraWhitelistPaths = requireNonNull(this.getExtraWhitelistPaths()).stream().map(Pattern::compile).collect(toImmutableList());
+        return statementPaths.stream().anyMatch(path::startsWith)
+                || path.startsWith(V1_QUERY_PATH)
+                || path.startsWith(TRINO_UI_PATH)
+                || path.startsWith(V1_INFO_PATH)
+                || path.startsWith(V1_NODE_PATH)
+                || path.startsWith(UI_API_STATS_PATH)
+                || path.startsWith(OAUTH_PATH)
+                || extraWhitelistPaths.stream().anyMatch(pattern -> pattern.matcher(path).matches());
+    }
+
     public static class HaGatewayConfigurationException
             extends RuntimeException
     {

gateway-ha/src/main/java/io/trino/gateway/ha/handler/HttpUtils.java

@@ -25,6 +25,8 @@ public class HttpUtils
     public static final String TRINO_UI_PATH = "/ui";
     public static final String OAUTH_PATH = "/oauth2";
     public static final String USER_HEADER = "X-Trino-User";
+    public static final String TRINO_REQUEST_USER = "trinoRequestUser";
+    public static final String TRINO_QUERY_PROPERTIES = "trinoQueryProperties";
 
     private HttpUtils() {}
 }

gateway-ha/src/main/java/io/trino/gateway/ha/handler/ProxyUtils.java

@@ -28,6 +28,7 @@
 import java.util.regex.Pattern;
 
 import static com.google.common.base.Strings.isNullOrEmpty;
+import static io.trino.gateway.ha.handler.HttpUtils.TRINO_QUERY_PROPERTIES;
 import static io.trino.gateway.ha.handler.HttpUtils.TRINO_UI_PATH;
 import static io.trino.gateway.ha.handler.HttpUtils.V1_QUERY_PATH;
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -75,7 +76,7 @@ public static Optional<String> extractQueryIdIfPresent(
             throw new RuntimeException("Error reading request body", e);
         }
         if (!isNullOrEmpty(queryText) && queryText.toLowerCase(ENGLISH).contains("kill_query")) {
-            TrinoQueryProperties trinoQueryProperties = new TrinoQueryProperties(request, requestAnalyserClientsUseV2Format, requestAnalyserMaxBodySize);
+            TrinoQueryProperties trinoQueryProperties = (TrinoQueryProperties) request.getAttribute(TRINO_QUERY_PROPERTIES);
             return trinoQueryProperties.getQueryId();
         }
         return Optional.empty();

gateway-ha/src/main/java/io/trino/gateway/ha/router/ExternalRoutingGroupSelector.java

@@ -46,6 +46,8 @@
 import static io.airlift.http.client.JsonResponseHandler.createJsonResponseHandler;
 import static io.airlift.http.client.Request.Builder.preparePost;
 import static io.airlift.json.JsonCodec.jsonCodec;
+import static io.trino.gateway.ha.handler.HttpUtils.TRINO_QUERY_PROPERTIES;
+import static io.trino.gateway.ha.handler.HttpUtils.TRINO_REQUEST_USER;
 import static java.util.Collections.list;
 import static java.util.Objects.requireNonNull;
 
@@ -58,7 +60,6 @@ public class ExternalRoutingGroupSelector
     private final boolean propagateErrors;
     private final HttpClient httpClient;
     private final RequestAnalyzerConfig requestAnalyzerConfig;
-    private final TrinoRequestUser.TrinoRequestUserProvider trinoRequestUserProvider;
     private static final JsonCodec<RoutingGroupExternalBody> ROUTING_GROUP_EXTERNAL_BODY_JSON_CODEC = jsonCodec(RoutingGroupExternalBody.class);
     private static final JsonResponseHandler<ExternalRouterResponse> ROUTING_GROUP_EXTERNAL_RESPONSE_JSON_RESPONSE_HANDLER =
             createJsonResponseHandler(jsonCodec(ExternalRouterResponse.class));
@@ -74,7 +75,6 @@ public class ExternalRoutingGroupSelector
         propagateErrors = rulesExternalConfiguration.isPropagateErrors();
 
         this.requestAnalyzerConfig = requestAnalyzerConfig;
-        trinoRequestUserProvider = new TrinoRequestUser.TrinoRequestUserProvider(requestAnalyzerConfig);
         try {
             this.uri = new URI(requireNonNull(rulesExternalConfiguration.getUrlPath(),
                     "Invalid URL provided, using routing group header as default."));
@@ -143,8 +143,8 @@ private RoutingGroupExternalBody createRequestBody(HttpServletRequest request)
         TrinoQueryProperties trinoQueryProperties = null;
         TrinoRequestUser trinoRequestUser = null;
         if (requestAnalyzerConfig.isAnalyzeRequest()) {
-            trinoQueryProperties = new TrinoQueryProperties(request, requestAnalyzerConfig.isClientsUseV2Format(), requestAnalyzerConfig.getMaxBodySize());
-            trinoRequestUser = trinoRequestUserProvider.getInstance(request);
+            trinoQueryProperties = (TrinoQueryProperties) request.getAttribute(TRINO_QUERY_PROPERTIES);
+            trinoRequestUser = (TrinoRequestUser) request.getAttribute(TRINO_REQUEST_USER);
         }
 
         return new RoutingGroupExternalBody(

gateway-ha/src/main/java/io/trino/gateway/ha/router/FileBasedRoutingGroupSelector.java

@@ -33,6 +33,8 @@
 import java.util.Map;
 
 import static com.google.common.base.Suppliers.memoizeWithExpiration;
+import static io.trino.gateway.ha.handler.HttpUtils.TRINO_QUERY_PROPERTIES;
+import static io.trino.gateway.ha.handler.HttpUtils.TRINO_REQUEST_USER;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static java.util.Collections.sort;
 
@@ -46,16 +48,10 @@ public class FileBasedRoutingGroupSelector
 
     private final Supplier<List<RoutingRule>> rules;
     private final boolean analyzeRequest;
-    private final boolean clientsUseV2Format;
-    private final int maxBodySize;
-    private final TrinoRequestUser.TrinoRequestUserProvider trinoRequestUserProvider;
 
     public FileBasedRoutingGroupSelector(String rulesPath, Duration rulesRefreshPeriod, RequestAnalyzerConfig requestAnalyzerConfig)
     {
         analyzeRequest = requestAnalyzerConfig.isAnalyzeRequest();
-        clientsUseV2Format = requestAnalyzerConfig.isClientsUseV2Format();
-        maxBodySize = requestAnalyzerConfig.getMaxBodySize();
-        trinoRequestUserProvider = new TrinoRequestUser.TrinoRequestUserProvider(requestAnalyzerConfig);
 
         rules = memoizeWithExpiration(() -> readRulesFromPath(Path.of(rulesPath)), rulesRefreshPeriod.toJavaTime());
     }
@@ -68,12 +64,9 @@ public RoutingSelectorResponse findRoutingDestination(HttpServletRequest request
 
         Map<String, Object> data;
         if (analyzeRequest) {
-            TrinoQueryProperties trinoQueryProperties = new TrinoQueryProperties(
-                    request,
-                    clientsUseV2Format,
-                    maxBodySize);
-            TrinoRequestUser trinoRequestUser = trinoRequestUserProvider.getInstance(request);
-            data = ImmutableMap.of("request", request, "trinoQueryProperties", trinoQueryProperties, "trinoRequestUser", trinoRequestUser);
+            TrinoQueryProperties trinoQueryProperties = (TrinoQueryProperties) request.getAttribute(TRINO_QUERY_PROPERTIES);
+            TrinoRequestUser trinoRequestUser = (TrinoRequestUser) request.getAttribute(TRINO_REQUEST_USER);
+            data = ImmutableMap.of("request", request, TRINO_QUERY_PROPERTIES, trinoQueryProperties, TRINO_REQUEST_USER, trinoRequestUser);
         }
         else {
             data = ImmutableMap.of("request", request);

gateway-ha/src/main/java/io/trino/gateway/ha/router/TrinoQueryProperties.java

@@ -65,13 +65,18 @@
 import io.trino.sql.tree.Table;
 import io.trino.sql.tree.TableFunctionInvocation;
 import io.trino.sql.tree.WithQuery;
-import jakarta.servlet.http.HttpServletRequest;
 import jakarta.ws.rs.HttpMethod;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.MediaType;
 
 import java.io.BufferedReader;
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
@@ -142,30 +147,29 @@ public TrinoQueryProperties(
         maxBodySize = -1;
     }
 
-    public TrinoQueryProperties(HttpServletRequest request, boolean isClientsUseV2Format, int maxBodySize)
+    public TrinoQueryProperties(ContainerRequestContext requestContext, boolean isClientsUseV2Format, int maxBodySize)
     {
-        requireNonNull(request, "request is null");
+        requireNonNull(requestContext, "requestContext is null");
         this.isClientsUseV2Format = isClientsUseV2Format;
         this.maxBodySize = maxBodySize;
 
-        defaultCatalog = Optional.ofNullable(request.getHeader(TRINO_CATALOG_HEADER_NAME));
-        defaultSchema = Optional.ofNullable(request.getHeader(TRINO_SCHEMA_HEADER_NAME));
-        if (request.getMethod().equals(HttpMethod.POST)) {
+        defaultCatalog = Optional.ofNullable(requestContext.getHeaderString(TRINO_CATALOG_HEADER_NAME));
+        defaultSchema = Optional.ofNullable(requestContext.getHeaderString(TRINO_SCHEMA_HEADER_NAME));
+        if (requestContext.getMethod().equals(HttpMethod.POST)) {
             isNewQuerySubmission = true;
-            processRequestBody(request);
+            processRequestBody(requestContext);
         }
     }
 
-    private void processRequestBody(HttpServletRequest request)
+    private void processRequestBody(BufferedReader reader, Map<String, String> preparedStatements)
     {
-        try (BufferedReader reader = request.getReader()) {
+        try (reader) {
             if (reader == null) {
                 log.warn("HTTP request returned null reader");
                 body = "";
                 return;
             }
 
-            Map<String, String> preparedStatements = getPreparedStatements(request);
             SqlParser parser = new SqlParser();
             reader.mark(maxBodySize);
             char[] buffer = new char[maxBodySize];
@@ -238,11 +242,45 @@ else if (statement instanceof ExecuteImmediate executeImmediate) {
         }
     }
 
-    private Map<String, String> getPreparedStatements(HttpServletRequest request)
+    private void processRequestBody(ContainerRequestContext requestContext)
+    {
+        if (!requestContext.hasEntity()) {
+            return;
+        }
+
+        MediaType mediaType = requestContext.getMediaType();
+        if (mediaType == null) {
+            return;
+        }
+
+        String charset = mediaType.getParameters().get("charset");
+        if (!StandardCharsets.UTF_8.name().equalsIgnoreCase(charset)) {
+            return;
+        }
+
+        InputStream entityStream = requestContext.getEntityStream();
+        try (InputStreamReader entityReader = new InputStreamReader(entityStream, StandardCharsets.UTF_8);
+                BufferedReader reader = new BufferedReader(entityReader)) {
+            processRequestBody(reader, getPreparedStatements(requestContext));
+        }
+        catch (IOException e) {
+            log.warn("Error extracting request body for rules processing: %s", e.getMessage());
+            errorMessage = Optional.of(e.getMessage());
+        }
+        catch (ParsingException e) {
+            log.info("Could not parse request body as SQL: %s; Message: %s", body, e.getMessage());
+            errorMessage = Optional.of(e.getMessage());
+        }
+        catch (RequestParsingException e) {
+            log.warn(e, "Error parsing request for rules");
+            errorMessage = Optional.of(e.getMessage());
+        }
+    }
+
+    private Map<String, String> getPreparedStatements(Enumeration<String> headers)
             throws RequestParsingException
     {
         ImmutableMap.Builder<String, String> preparedStatementsMapBuilder = ImmutableMap.builder();
-        Enumeration<String> headers = request.getHeaders(TRINO_PREPARED_STATEMENT_HEADER_NAME);
         if (headers == null) {
             return preparedStatementsMapBuilder.build();
         }
@@ -259,6 +297,19 @@ private Map<String, String> getPreparedStatements(HttpServletRequest request)
         return preparedStatementsMapBuilder.build();
     }
 
+    private Map<String, String> getPreparedStatements(ContainerRequestContext requestContext)
+            throws RequestParsingException
+    {
+        if (requestContext.getHeaders() == null) {
+            return ImmutableMap.of();
+        }
+        List<String> headers = requestContext.getHeaders().get(TRINO_PREPARED_STATEMENT_HEADER_NAME);
+        if (headers == null || headers.isEmpty()) {
+            return ImmutableMap.of();
+        }
+        return getPreparedStatements(Collections.enumeration(headers));
+    }
+
     private String decodePreparedStatementFromHeader(String headerValue)
     {
         // From io.trino.server.protocol.PreparedStatementEncoder

gateway-ha/src/main/java/io/trino/gateway/ha/router/TrinoRequestUser.java

@@ -33,14 +33,14 @@
 import com.nimbusds.openid.connect.sdk.claims.UserInfo;
 import io.airlift.log.Logger;
 import io.trino.gateway.ha.config.RequestAnalyzerConfig;
-import jakarta.servlet.http.Cookie;
-import jakarta.servlet.http.HttpServletRequest;
+import jakarta.ws.rs.container.ContainerRequestContext;
+import jakarta.ws.rs.core.HttpHeaders;
 
 import java.io.IOException;
 import java.net.URI;
 import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
 import java.util.Base64;
+import java.util.Map;
 import java.util.Optional;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
@@ -62,7 +62,7 @@ public class TrinoRequestUser
 
     private final Optional<LoadingCache<String, UserInfo>> userInfoCache;
 
-    private TrinoRequestUser(HttpServletRequest request, String userField, Optional<LoadingCache<String, UserInfo>> userInfoCache)
+    private TrinoRequestUser(ContainerRequestContext request, String userField, Optional<LoadingCache<String, UserInfo>> userInfoCache)
     {
         this.userInfoCache = requireNonNull(userInfoCache);
         user = extractUser(request, userField);
@@ -106,15 +106,17 @@ public boolean userExistsAndEquals(String testUser)
         return user.filter(testUser::equals).isPresent();
     }
 
-    private Optional<String> extractUserFromCookies(HttpServletRequest request, String userField)
+    private Optional<String> extractUserFromCookies(ContainerRequestContext requestContext, String userField)
     {
-        if (request.getCookies() == null) {
+        Map<String, jakarta.ws.rs.core.Cookie> cookies = requestContext.getCookies();
+        if (cookies == null || cookies.isEmpty()) {
+            log.debug("cookies are empty");
             return Optional.empty();
         }
-        log.debug("Trying to get user from cookie");
-        Optional<Cookie> uiToken = Arrays.stream(request.getCookies())
-                .filter(cookie -> cookie.getName().equals(TRINO_UI_TOKEN_NAME) || cookie.getName().equals(TRINO_SECURE_UI_TOKEN_NAME))
-                .findAny();
+
+        log.debug("Trying to get user from cookie from ContainerRequestContext");
+        Optional<jakarta.ws.rs.core.Cookie> uiToken = Optional.ofNullable(cookies.get(TRINO_UI_TOKEN_NAME))
+                .or(() -> Optional.ofNullable(cookies.get(TRINO_SECURE_UI_TOKEN_NAME)));
 
         return uiToken.map(t -> {
             try {
@@ -129,20 +131,20 @@ private Optional<String> extractUserFromCookies(HttpServletRequest request, Stri
         });
     }
 
-    private Optional<String> extractUser(HttpServletRequest request, String userField)
+    private Optional<String> extractUser(ContainerRequestContext requestContext, String userField)
     {
         String header;
-        header = request.getHeader(TRINO_USER_HEADER_NAME);
+        header = requestContext.getHeaderString(TRINO_USER_HEADER_NAME);
         if (header != null) {
             return Optional.of(header);
         }
 
-        Optional<String> user = extractUserFromAuthorizationHeader(request.getHeader("Authorization"), userField);
+        Optional<String> user = extractUserFromAuthorizationHeader(requestContext.getHeaderString(HttpHeaders.AUTHORIZATION), userField);
         if (user.isPresent()) {
             return user;
         }
 
-        return extractUserFromCookies(request, userField);
+        return extractUserFromCookies(requestContext, userField);
     }
 
     private Optional<String> extractUserFromAuthorizationHeader(String header, String userField)
@@ -225,7 +227,7 @@ public TrinoRequestUserProvider(RequestAnalyzerConfig config)
             }
         }
 
-        public TrinoRequestUser getInstance(HttpServletRequest request)
+        public TrinoRequestUser getInstance(ContainerRequestContext request)
         {
             return new TrinoRequestUser(request, userField, userInfoCache);
         }