Rework proxy Accept regression tests, simplify q-rank bypass

ProxyRequestFilter:

- Drop the `quality(MediaType)` helper and the topQ/filter pipeline. Per the
  JAX-RS spec, `getAcceptableMediaTypes()` is sorted by q descending (Jersey:
  `HttpHeaderReader.readQualifiedList` → `AcceptableMediaType.COMPARATOR`), so
  the first non-wildcard type is the top-ranked one. Replace with a single
  loop that returns on (X)HTML and breaks otherwise.

Tests:

- Add `GET-proxied-accept-forwarded.sh` regressing 708edfc: send a single
  specific RDF type as `Accept` and assert the response `Content-Type` matches.
  Pre-fix, ProxyRequestFilter substituted its own readable-types list for the
  client's `Accept`, so upstream could pick any RDF format (e.g. rdf-thrift).
- Rework `GET-proxied-accept-html-not-preferred.sh` to use HTTP status as the
  bypass-vs-forward discriminator. The previous content-type assertion was
  unreachable in a symmetric admin/end-user setup — both paths negotiate the
  same media type. A UUID-named non-existent path produces 200 on bypass
  (`ApplicationFilter` strips `?uri=` → admin root) and 404 on forward.
- Silence `DEBUG:` echoes in `HEAD-proxied-etag.sh` to match the convention of
  the other proxy tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: namedgraph

http-tests/proxy/GET-proxied-accept-forwarded.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the readers group to be able to read documents
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/readers/"
+
+# Regression: ProxyRequestFilter must forward the client's Accept header verbatim to the
+# upstream, NOT substitute its own readable-types list. Previously the filter built its
+# outbound Accept from MediaTypes.getReadable(Model.class) + getReadable(ResultSet.class)
+# (everything Jena could ingest, all q=1.0), discarding what the client actually asked for.
+# The upstream then content-negotiated against that broad list and could legally pick any
+# RDF format — e.g. application/rdf+thrift — even when the client (e.g. SaxonJS document())
+# explicitly requested application/rdf+xml or application/xml.
+#
+# Verify by requesting one specific RDF type and asserting the response matches it.
+
+for accept in 'application/rdf+xml' 'text/turtle' 'application/n-triples'; do
+    content_type=$(curl -k -f -s -G -w "%{content_type}" -o /dev/null \
+      -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+      -H "Accept: $accept" \
+      --data-urlencode "uri=${END_USER_BASE_URL}" \
+      "$ADMIN_BASE_URL")
+
+    case "$content_type" in
+        "$accept"*) ;;
+        *) exit 1 ;;
+    esac
+done

http-tests/proxy/GET-proxied-accept-html-not-preferred.sh

@@ -20,19 +20,21 @@ add-agent-to-group.sh \
 # API-client intent and forward — not as browser navigation that wants the app shell.
 # Previously, ProxyRequestFilter bypassed on anyMatch(HTML or XHTML in Accept) without
 # checking q-rank, so it false-fired on any Accept that mentioned HTML at all and
-# returned the local XHTML shell instead of the proxied response.
+# returned the local app shell instead of the proxied response.
+#
+# Discriminator is HTTP status — content-type cannot tell bypass from forward because
+# admin and end-user share writer configs (same Accept → same negotiated type on both).
+# A UUID-named path that doesn't exist on either origin disambiguates:
+#   - bypass: ApplicationFilter strips ?uri= → request URI becomes admin root → 200
+#   - forward: proxy forwards the actual UUID path to end-user → 404
 
 accept_header='application/xml, text/xml;q=0.9, application/xhtml+xml;q=0.8, */*;q=0.7'
+non_existing_uri="${END_USER_BASE_URL}$(cat /proc/sys/kernel/random/uuid 2>/dev/null || uuidgen)/"
 
-content_type=$(curl -k -f -s -G -w "%{content_type}" -o /dev/null \
+status=$(curl -k -s -G -o /dev/null -w "%{http_code}" \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: $accept_header" \
-  --data-urlencode "uri=${END_USER_BASE_URL}" \
-  "$END_USER_BASE_URL")
+  --data-urlencode "uri=${non_existing_uri}" \
+  "$ADMIN_BASE_URL")
 
-echo "DEBUG: Accept:        $accept_header"
-echo "DEBUG: Content-Type:  $content_type"
-echo "DEBUG: Expected:      not application/xhtml+xml or text/html (proxy must forward, not return local app shell)"
-
-# fail (exit 1) if the response is the local app shell instead of the proxied content
-echo "$content_type" | grep -qvE '^(application/xhtml\+xml|text/html)\b'
+[ "$status" = "$STATUS_NOT_FOUND" ] || exit 1

http-tests/proxy/HEAD-proxied-etag.sh

@@ -38,15 +38,5 @@ proxied_etag=$(curl -G --head -k -f -s \
   "$ADMIN_BASE_URL" \
 | extract_etag)
 
-if [ -z "$proxied_etag" ]; then
-    echo "DEBUG: Expected ETag header on proxied response, got none"
-    echo "DEBUG: Direct ETag: $direct_etag"
-    exit 1
-fi
-
-if [ "$proxied_etag" != "$direct_etag" ]; then
-    echo "DEBUG: Proxied ETag does not match direct ETag"
-    echo "DEBUG: Direct:   $direct_etag"
-    echo "DEBUG: Proxied:  $proxied_etag"
-    exit 1
-fi
+[ -n "$proxied_etag" ] || exit 1
+[ "$proxied_etag" = "$direct_etag" ] || exit 1

src/main/java/com/atomgraph/linkeddatahub/server/filter/request/ProxyRequestFilter.java

@@ -139,16 +139,15 @@ public void filter(ContainerRequestContext requestContext) throws IOException
         // lower q (e.g. SaxonJS document() sends application/xml q=1.0, application/xhtml+xml q=0.8)
         // must still reach the proxy.
         // (X)HTML is not offered for proxied documents — rendering external RDF as HTML server-side
-        // (SPARQL DESCRIBE + XSLT) is expensive and creates a resource-exhaustion attack vector
-        List<MediaType> nonWildcardAccepts = requestContext.getAcceptableMediaTypes().stream()
-            .filter(mt -> !mt.isWildcardType() && !mt.isWildcardSubtype())
-            .toList();
-        double topQ = nonWildcardAccepts.stream().mapToDouble(ProxyRequestFilter::quality).max().orElse(-1.0);
-        boolean clientAcceptsHtml = nonWildcardAccepts.stream()
-            .filter(mt -> quality(mt) == topQ)
-            .anyMatch(mt -> mt.isCompatible(MediaType.TEXT_HTML_TYPE) ||
-                            mt.isCompatible(MediaType.APPLICATION_XHTML_XML_TYPE));
-        if (clientAcceptsHtml) return;
+        // (SPARQL DESCRIBE + XSLT) is expensive and creates a resource-exhaustion attack vector.
+        // Per the JAX-RS spec, getAcceptableMediaTypes() is sorted by q descending, so the first
+        // non-wildcard type is the top-ranked one.
+        for (MediaType mt : requestContext.getAcceptableMediaTypes())
+        {
+            if (mt.isWildcardType() || mt.isWildcardSubtype()) continue;
+            if (mt.isCompatible(MediaType.TEXT_HTML_TYPE) || mt.isCompatible(MediaType.APPLICATION_XHTML_XML_TYPE)) return;
+            break; // first non-wildcard wasn't (X)HTML — proceed with proxy
+        }
 
         // strip #fragment (servers do not receive fragment identifiers)
         if (targetURI.getFragment() != null)
@@ -212,7 +211,6 @@ else if (agentContext instanceof IDTokenSecurityContext idTokenSecurityContext)
         }
 
         MediaType[] clientAcceptTypes = requestContext.getAcceptableMediaTypes().toArray(MediaType[]::new);
-
         if (log.isDebugEnabled()) log.debug("Proxying {} {} → {}", requestContext.getMethod(), requestContext.getUriInfo().getRequestUri(), targetURI);
 
         try
@@ -287,9 +285,9 @@ protected Response getResponse(Response clientResponse)
         clientResponse.bufferEntity();
         InputStream entity = clientResponse.readEntity(InputStream.class);
 
-        Response.ResponseBuilder rb = Response.status(clientResponse.getStatus())
-            .type(clientResponse.getMediaType())
-            .entity(entity);
+        Response.ResponseBuilder rb = Response.status(clientResponse.getStatus()).
+            type(clientResponse.getMediaType()).
+            entity(entity);
 
         // forward all Link headers from the external response so the client receives remote hypermedia
         // (e.g. sd:endpoint pointing to the remote SPARQL endpoint);
@@ -377,17 +375,4 @@ public Request getRequest()
         return request;
     }
 
-    /**
-     * Returns the q-value of a media type. Defaults to 1.0 if absent or unparseable.
-     *
-     * @param mt media type
-     * @return quality value in the range [0.0, 1.0]
-     */
-    private static double quality(MediaType mt)
-    {
-        String q = mt.getParameters().get("q");
-        if (q == null) return 1.0;
-        try { return Double.parseDouble(q); } catch (NumberFormatException e) { return 1.0; }
-    }
-
 }