daniduong
diff --git a/‎packages/automl/api/openapi/automl.yaml‎
Lines changed: 136 additions & 187 deletions b/‎packages/automl/api/openapi/automl.yaml‎
Lines changed: 136 additions & 187 deletions
diff --git a/‎packages/automl/bff/internal/api/app.go‎
Lines changed: 9 additions & 8 deletions b/‎packages/automl/bff/internal/api/app.go‎
Lines changed: 9 additions & 8 deletions
diff --git a/‎packages/automl/bff/internal/api/middleware.go‎
Lines changed: 17 additions & 0 deletions b/‎packages/automl/bff/internal/api/middleware.go‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎packages/automl/bff/internal/api/middleware_test.go‎
Lines changed: 80 additions & 0 deletions b/‎packages/automl/bff/internal/api/middleware_test.go‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎packages/automl/bff/internal/api/s3_declared_limit_test.go‎
Lines changed: 2 additions & 2 deletions b/‎packages/automl/bff/internal/api/s3_declared_limit_test.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/automl/bff/internal/api/s3_handler.go‎
Lines changed: 33 additions & 29 deletions b/‎packages/automl/bff/internal/api/s3_handler.go‎
Lines changed: 33 additions & 29 deletions
@@ -36,8 +36,7 @@ const (
 	UserPath                = ApiPathPrefix + "/user"
 	NamespacePath           = ApiPathPrefix + "/namespaces"
 	SecretsPath             = ApiPathPrefix + "/secrets"
-	S3FilePath              = ApiPathPrefix + "/s3/file"
-	S3FileSchemaPath        = ApiPathPrefix + "/s3/file/schema"
+	S3FilePath              = ApiPathPrefix + "/s3/files/:key"
 	S3FilesPath             = ApiPathPrefix + "/s3/files"
 	PipelineRunsPath        = ApiPathPrefix + "/pipeline-runs"
 	ModelRegistriesPath     = ApiPathPrefix + "/model-registries"
@@ -259,11 +258,10 @@ func (app *App) Routes() http.Handler {
 
 	// S3 operations — DSPA discovery is skipped when the caller supplies an explicit
 	// secretName (the handler resolves credentials directly in that case).
-	apiRouter.GET(S3FileSchemaPath, app.AttachNamespace(app.RequireAccessToPipelineServers(app.attachPipelineClientIfNeeded(app.GetS3FileSchemaHandler))))
 	apiRouter.GET(S3FilePath, app.AttachNamespace(app.RequireAccessToPipelineServers(app.attachPipelineClientIfNeeded(app.GetS3FileHandler))))
 	apiRouter.GET(S3FilesPath, app.AttachNamespace(app.RequireAccessToPipelineServers(app.attachPipelineClientIfNeeded(app.GetS3FilesHandler))))
-	// POST /s3/file deliberately omits attachPipelineClientIfNeeded: secretName is required; there is
-	// no DSPA fallback (creation flow uses an explicitly chosen input/target data secret).
+	// POST /s3/files/:key deliberately omits attachPipelineClientIfNeeded: secretName is required;
+	// there is no DSPA fallback (creation flow uses an explicitly chosen input/target data secret).
 	apiRouter.POST(S3FilePath, app.AttachNamespace(app.rejectDeclaredOversizedS3Post(app.RequireAccessToPipelineServers(app.PostS3FileHandler))))
 
 	// Model Registry - register model binary (target registry via path param + discovered ServerURL)
@@ -276,9 +274,12 @@ func (app *App) Routes() http.Handler {
 	// App Router
 	appMux := http.NewServeMux()
 
-	// handler for api calls
-	appMux.Handle(ApiPathPrefix+"/", apiRouter)
-	appMux.Handle(PathPrefix+ApiPathPrefix+"/", http.StripPrefix(PathPrefix, apiRouter))
+	// handler for api calls — preserveRawPath ensures percent-encoded path parameters
+	// (e.g., S3 keys containing %2F) are forwarded to the router without decoding,
+	// so :key matches the full encoded segment rather than splitting on /.
+	rawPathRouter := preserveRawPath(apiRouter)
+	appMux.Handle(ApiPathPrefix+"/", rawPathRouter)
+	appMux.Handle(PathPrefix+ApiPathPrefix+"/", http.StripPrefix(PathPrefix, rawPathRouter))
 
 	// file server for the frontend file and SPA routes
 	staticDir := http.Dir(app.config.StaticAssetsDir)
 
@@ -1168,3 +1168,20 @@ func (app *App) AttachDiscoveredPipeline(next func(http.ResponseWriter, *http.Re
 		next(w, r, psParams)
 	}
 }
+
+// preserveRawPath wraps an http.Handler so that percent-encoded path segments
+// (e.g. %2F inside an S3 key) survive exactly one level of decoding in the
+// handler. For S3 file endpoints it replaces Path with EscapedPath(), which
+// re-encodes any percent-literal characters that Go's url.Parse already
+// decoded (e.g. %252F → Path has %2F → EscapedPath re-encodes to %252F).
+// The handler then calls url.PathUnescape once to recover the real key.
+func preserveRawPath(next http.Handler) http.Handler {
+	s3FilesPrefix := ApiPathPrefix + "/s3/files/"
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if escaped := r.URL.EscapedPath(); strings.HasPrefix(escaped, s3FilesPrefix) {
+			r.URL.Path = escaped
+		}
+		next.ServeHTTP(w, r)
+	})
+}
@@ -0,0 +1,80 @@
+package api
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPreserveRawPath(t *testing.T) {
+	tests := []struct {
+		name           string
+		path           string
+		rawPath        string
+		useStripPrefix bool
+		expectedPath   string
+	}{
+		{
+			name:         "s3 files path with percent-encoded key swaps Path for RawPath",
+			path:         "/api/v1/s3/files/docs/file.csv",
+			rawPath:      "/api/v1/s3/files/docs%2Ffile.csv",
+			expectedPath: "/api/v1/s3/files/docs%2Ffile.csv",
+		},
+		{
+			name:         "s3 files path without encoding is unchanged",
+			path:         "/api/v1/s3/files/simple.csv",
+			rawPath:      "",
+			expectedPath: "/api/v1/s3/files/simple.csv",
+		},
+		{
+			name:         "double-encoded key preserves %25 literal via RawPath",
+			path:         "/api/v1/s3/files/docs%2Ffile.csv",
+			rawPath:      "/api/v1/s3/files/docs%252Ffile.csv",
+			expectedPath: "/api/v1/s3/files/docs%252Ffile.csv",
+		},
+		{
+			name:         "double-encoded key re-encodes when RawPath is empty",
+			path:         "/api/v1/s3/files/docs%2Ffile.csv",
+			rawPath:      "",
+			expectedPath: "/api/v1/s3/files/docs%252Ffile.csv",
+		},
+		{
+			name:         "non-s3 path with RawPath is unchanged",
+			path:         "/api/v1/models",
+			rawPath:      "/api/v1/models",
+			expectedPath: "/api/v1/models",
+		},
+		{
+			name:           "prefixed path is matched after StripPrefix removes prefix",
+			path:           "/automl/api/v1/s3/files/docs/file.csv",
+			rawPath:        "/automl/api/v1/s3/files/docs%2Ffile.csv",
+			useStripPrefix: true,
+			expectedPath:   "/api/v1/s3/files/docs%2Ffile.csv",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var capturedPath string
+			inner := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+				capturedPath = r.URL.Path
+			})
+
+			handler := preserveRawPath(inner)
+			if tt.useStripPrefix {
+				handler = http.StripPrefix(PathPrefix, handler)
+			}
+
+			req := httptest.NewRequest(http.MethodGet, tt.path, nil)
+			req.URL = &url.URL{Path: tt.path, RawPath: tt.rawPath}
+			rr := httptest.NewRecorder()
+
+			handler.ServeHTTP(rr, req)
+
+			assert.Equal(t, tt.expectedPath, capturedPath)
+		})
+	}
+}
@@ -58,7 +58,7 @@ func TestPostS3FileHandler_ContentLengthTooLarge(t *testing.T) {
 	smallBody := []byte("--b\r\nContent-Disposition: form-data; name=\"file\"; filename=\"x\"\r\n\r\nx\r\n--b--\r\n")
 	req, err := http.NewRequest(
 		http.MethodPost,
-		"/api/v1/s3/file?namespace=ns&secretName=sec&bucket=bkt&key=k",
+		"/api/v1/s3/files/k?namespace=ns&secretName=sec&bucket=bkt",
 		bytes.NewReader(smallBody),
 	)
 	require.NoError(t, err)
@@ -88,7 +88,7 @@ func TestPostS3FileHandler_UnknownContentLength_PassesDeclaredSizeMiddleware(t *
 	smallBody := []byte("--b\r\nContent-Disposition: form-data; name=\"file\"; filename=\"data.csv\"\r\nContent-Type: text/csv\r\n\r\nx\r\n--b--\r\n")
 	req, err := http.NewRequest(
 		http.MethodPost,
-		"/api/v1/s3/file?namespace=test-namespace&secretName=non-existent&bucket=my-bucket&key=file.csv",
+		"/api/v1/s3/files/file.csv?namespace=test-namespace&secretName=non-existent&bucket=my-bucket",
 		bytes.NewReader(smallBody),
 	)
 	require.NoError(t, err)
 
@@ -9,6 +9,7 @@ import (
 	"mime/multipart"
 	"net"
 	"net/http"
+	"net/url"
 	"path"
 	"regexp"
 	"strconv"
@@ -218,12 +219,14 @@ func s3ConnectivityErrorMessage(bucket string) string {
 }
 
 // GetS3FileHandler retrieves a file from S3 storage.
+// Path parameters:
+//   - key (required): S3 object key to retrieve.
+//
 // Query parameters:
 //   - secretName (optional): Kubernetes secret with S3 credentials.
 //     If omitted, credentials are taken from the DSPA associated with the namespace.
 //   - bucket (optional): S3 bucket; ignored on the DSPA path.
-//   - key (required): S3 object key to retrieve.
-func (app *App) GetS3FileHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+func (app *App) GetS3FileHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	queryParams := r.URL.Query()
 
 	secretName := queryParams.Get("secretName")
@@ -232,9 +235,23 @@ func (app *App) GetS3FileHandler(w http.ResponseWriter, r *http.Request, _ httpr
 		return
 	}
 
-	key := strings.TrimSpace(queryParams.Get("key"))
+	key, err := url.PathUnescape(ps.ByName("key"))
+	if err != nil {
+		app.badRequestResponse(w, r, fmt.Errorf("invalid URL encoding in path parameter 'key': %w", err))
+		return
+	}
 	if key == "" {
-		app.badRequestResponse(w, r, errors.New("query parameter 'key' is required and cannot be empty"))
+		app.badRequestResponse(w, r, errors.New("path parameter 'key' is required and cannot be empty"))
+		return
+	}
+
+	if v := queryParams.Get("view"); v != "" && v != "schema" {
+		app.badRequestResponse(w, r, fmt.Errorf("unsupported view: %q (supported: schema)", v))
+		return
+	}
+
+	if queryParams.Get("view") == "schema" {
+		app.handleS3FileSchemaView(w, r, key, queryParams)
 		return
 	}
 
@@ -300,14 +317,15 @@ func (app *App) effectivePostS3CollisionAttempts() int {
 }
 
 // PostS3FileHandler uploads a CSV file to S3 storage using credentials from a Kubernetes secret.
-// Query parameters: namespace, secretName, key (required); bucket (optional, uses AWS_S3_BUCKET from secret if not provided).
+// Path parameters: key (required).
+// Query parameters: namespace, secretName (required); bucket (optional, uses AWS_S3_BUCKET from secret if not provided).
 // Request body: multipart/form-data with a file part named "file". Only CSV uploads are allowed: Content-Type
 // text/csv, or application/octet-stream with a .csv filename (or empty Content-Type with a .csv filename).
 // Candidate keys are chosen via HeadObject; the file is streamed to S3 once with If-None-Match (no full-file buffer).
 // If HeadObject and PUT disagree (concurrent writer), the handler returns 409 Conflict without retrying.
 //
 // Note: namespace is provided via the AttachNamespace middleware
-func (app *App) PostS3FileHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+func (app *App) PostS3FileHandler(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	queryParams := r.URL.Query()
 
 	secretName := queryParams.Get("secretName")
@@ -320,9 +338,13 @@ func (app *App) PostS3FileHandler(w http.ResponseWriter, r *http.Request, _ http
 		return
 	}
 
-	key := strings.TrimSpace(queryParams.Get("key"))
+	key, err := url.PathUnescape(ps.ByName("key"))
+	if err != nil {
+		app.badRequestResponse(w, r, fmt.Errorf("invalid URL encoding in path parameter 'key': %w", err))
+		return
+	}
 	if key == "" {
-		app.badRequestResponse(w, r, errors.New("query parameter 'key' is required and cannot be empty"))
+		app.badRequestResponse(w, r, errors.New("path parameter 'key' is required and cannot be empty"))
 		return
 	}
 
@@ -595,26 +617,8 @@ func s3GetResponseTypeAllowsInlineViewing(sanitizedContentType string) bool {
 	}
 }
 
-// GetS3FileSchemaHandler retrieves the schema (column names and types) from a CSV file in S3.
-// Query parameters:
-//   - secretName (optional): Kubernetes secret with S3 credentials.
-//     If omitted, credentials are taken from the DSPA associated with the namespace.
-//   - bucket (optional): S3 bucket; ignored on the DSPA path.
-//   - key (required): S3 object key (must be a .csv file).
-func (app *App) GetS3FileSchemaHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	queryParams := r.URL.Query()
-
-	secretName := queryParams.Get("secretName")
-	if secretName != "" && !isValidDNS1123Subdomain(secretName) {
-		app.badRequestResponse(w, r, errors.New("invalid secretName: must be a valid DNS-1123 subdomain (lowercase alphanumeric, '-', or '.', start/end with alphanumeric, max 253 chars)"))
-		return
-	}
-
-	key := strings.TrimSpace(queryParams.Get("key"))
-	if key == "" {
-		app.badRequestResponse(w, r, errors.New("query parameter 'key' is required and cannot be empty"))
-		return
-	}
+func (app *App) handleS3FileSchemaView(w http.ResponseWriter, r *http.Request, key string, queryParams url.Values) {
+	secretName := strings.TrimSpace(queryParams.Get("secretName"))
 
 	s3, ok := app.resolveS3Client(w, r, secretName, queryParams.Get("bucket"))
 	if !ok {
@@ -679,7 +683,7 @@ func (app *App) GetS3FileSchemaHandler(w http.ResponseWriter, r *http.Request, _
 	}
 }
 
-// S3FilesEnvelope is the response envelope for GET /s3/files.
+// S3FilesEnvelope is the response envelope for GET /api/v1/s3/files.
 type S3FilesEnvelope Envelope[models.S3ListObjectsResponse, None]
 
 // GetS3FilesHandler lists objects in an S3 bucket.