Rename after redirection

[dynamic-entropy]

Fix #2550

In 8ce935f, the desired goal is to add the CGI parameter authz to the "Destination" of the MOVE operation before it is evaluated for access permissions.

After a redirection. the authorization header takes the form of a CGI parameter and is no longer present in the redirected request.

Optionally, one can instruct curl to send the authorization header on redirect with --location-trusted; however, this is not the default behaviour.
Note that the way things are implemented currently, the use of --location-trusted will not work either after redirection, (as tested here #2550 (comment) since the presence of authz in the resource url will prevent its copying into the header2cgi string.

xrootd/src/XrdHttp/XrdHttpReq.cc

Lines 211 to 218 in 8ac19b1

	auto it = std::find_if(prot->hdr2cgimap.begin(), prot->hdr2cgimap.end(),[key](const auto & item) {
	return !strcasecmp(key,item.first.c_str());
	});
	if (it != prot->hdr2cgimap.end() && (opaque ? (0 == opaque->Get(it->second.c_str())) : true)) {
	std::string s;
	s.assign(val, line+len-val);
	trim(s);
	addCgi(it->second,s);

[dynamic-entropy]

Do we really mean "anything" here or do we only need authz cgi parameter.

xrootd/src/XrdHttp/XrdHttpReq.cc

Lines 981 to 985 in 8ac19b1

	// We assume that anything appended to the CGI str should also
	// apply to the destination in case of a MOVE.
	if (strchr(destination.c_str(), '?')) destination.append("&");
	else destination.append("?");
	destination.append(hdr2cgistrEncoded.c_str());

[dynamic-entropy]

@bbockelm made the requested changes for parsing.

Will defer to @amadio and @ccaffy for comments on options for handling multiple redirects through a manager node.

[ccaffy]

Is it actually OK that this goes to XrdHttpUtils so that unit tests are created with different cases? Including tests like authauthauthz= for example

[ccaffy]

All good, think about squashing your commits please before merging :)

[dynamic-entropy]

Thankyou!

I have squashed the unit test and related changes in a single commit. The rest of the commits include conceptually separate changes, and I would like to keep them as is.

[dynamic-entropy]

Also rebased on master.

[ccaffy]

I think we can discuss with @ccaffy about the more thorough fix for the host check issue outlined in one of my comments -- but that seems clearly out of scope for this one.

Yes, feel free to open a new issue if that is not been done already ;)

[dynamic-entropy]

Reworded commits and opened the issue from Brian's comments: #2572

[amadio]

I discussed this with @abh3 yesterday. The conclusion is that the simplest fix should be applied here, i.e., just move the lines added by commit 6e01c0d to where moves are processed (shown below):

xrootd/src/XrdHttp/XrdHttpReq.cc

Lines 1723 to 1754 in d9af49d

	case XrdHttpReq::rtMOVE:
	{
	// --------- MOVE
	memset(&xrdreq, 0, sizeof (ClientRequest));
	xrdreq.mv.requestid = htons(kXR_mv);
	std::string s = resourceplusopaque.c_str();
	s += " ";
	char buf[256];
	char *ppath;
	int port = 0;
	if (parseURL((char *) destination.c_str(), buf, port, &ppath)) {
	prot->SendSimpleResp(501, NULL, NULL, (char *) "Cannot parse destination url.", 0, false);
	return -1;
	}
	char buf2[256];
	strcpy(buf2, host.c_str());
	char *pos = strchr(buf2, ':');
	if (pos) *pos = '\0';
	// If we are a redirector we enforce that the host field is equal to
	// whatever was written in the destination url
	//
	// If we are a data server instead we cannot enforce anything, we will
	// just ignore the host part of the destination
	if ((prot->myRole == kXR_isManager) && strcmp(buf, buf2)) {
	prot->SendSimpleResp(501, NULL, NULL, (char *) "Only in-place renaming is supported for MOVE.", 0, false);
	return -1;
	}

Since we plan to support access_token as a synonym of authz in the future, the extra opaque from the source should be appended verbatim to the destination, as it's currently done, otherwise it will not work for access_token later.

[amadio]

I think we agreed to have the tests added in a separate pull request (i.e. #2575), so could you please leave here just the two commits with fixes? Thank you.

[dynamic-entropy]

We did revise that and agreed that it is good for the tests to go in with this PR and if we ever revist them they can buid / modify them.
The reason being that these tests already take care of cleanup as required for subsequent runs.

On a different note: Actually I find this better than the XRootD tests as they leave no files but only last X=20 lines for one to debug after.