daniduong
diff --git a/‎packages/automl/api/openapi/automl.yaml‎
Lines changed: 165 additions & 4 deletions b/‎packages/automl/api/openapi/automl.yaml‎
Lines changed: 165 additions & 4 deletions
diff --git a/‎packages/automl/bff/internal/api/app.go‎
Lines changed: 12 additions & 3 deletions b/‎packages/automl/bff/internal/api/app.go‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎packages/automl/bff/internal/api/errors.go‎
Lines changed: 22 additions & 0 deletions b/‎packages/automl/bff/internal/api/errors.go‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎packages/automl/bff/internal/api/middleware.go‎
Lines changed: 7 additions & 0 deletions b/‎packages/automl/bff/internal/api/middleware.go‎
Lines changed: 7 additions & 0 deletions
@@ -182,14 +182,18 @@ paths:
         - 'description': Extracted from 'openshift.io/description' annotation if present
 
   /api/v1/s3/file:
-    summary: Path used to get a file from S3.
+    summary: Path used to get or upload a file in S3.
     description: >-
-      The REST endpoint/path used to retrieve an arbitrary file from S3 storage.
-      Uses the credentials from a specified Kubernetes secret to access the S3 bucket.
-      Returns the file with transfer-encoding: chunked for efficient streaming.
+      The REST endpoint/path used to retrieve or upload files in S3 storage.
+      GET returns an arbitrary file with transfer-encoding: chunked for efficient streaming.
+      POST uploads a CSV file using multipart/form-data (part name `file`) and credentials
+      from a required Kubernetes secret; the stored object key may differ from the requested
+      `key` when a name collision is resolved (numeric suffix).
     get:
       tags:
         - S3Operation
+      security:
+        - Bearer: []
       parameters:
         - name: namespace
           in: query
@@ -227,6 +231,7 @@ paths:
           description: The S3 object key to retrieve
           schema:
             type: string
+            pattern: '^\S(.*\S)?$'
           example: documents/myfile.pdf
       responses:
         "200":
@@ -275,6 +280,106 @@ paths:
         **Explicit mode (override)** — when secretName is supplied, the specified Kubernetes
         secret must contain AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION,
         and AWS_S3_ENDPOINT using those exact field names.
+    post:
+      tags:
+        - S3Operation
+      security:
+        - Bearer: []
+      parameters:
+        - name: namespace
+          in: query
+          required: true
+          description: The Kubernetes namespace containing the secret
+          schema:
+            type: string
+            maxLength: 63
+            pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
+          example: default
+        - name: secretName
+          in: query
+          required: true
+          description: >-
+            Name of the Kubernetes secret containing S3 credentials (required for POST).
+            The secret must provide AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION,
+            and AWS_S3_ENDPOINT using those exact field names. Bucket may come from this secret
+            (e.g. AWS_S3_BUCKET) when the bucket query parameter is omitted.
+          schema:
+            type: string
+            maxLength: 253
+            pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
+          example: aws-secret-1
+        - name: bucket
+          in: query
+          required: false
+          description: >-
+            The S3 bucket name. When omitted, the bucket is resolved from the secret (e.g. AWS_S3_BUCKET).
+            Leading and trailing whitespace is trimmed.
+          schema:
+            type: string
+            pattern: '^\S(.*\S)?$'
+          example: my-bucket
+        - name: key
+          in: query
+          required: true
+          description: >-
+            Requested S3 object key for the upload. If an object already exists at this key,
+            the server may store the file under a non-colliding key (e.g. `file-1.csv`); see the
+            response body `key` field for the actual object key.
+          schema:
+            type: string
+            pattern: '^\S(.*\S)?$'
+          example: data/training.csv
+      requestBody:
+        required: true
+        content:
+          multipart/form-data:
+            schema:
+              type: object
+              required:
+                - file
+              properties:
+                file:
+                  type: string
+                  format: binary
+                  description: >-
+                    CSV file to upload. Accepted as text/csv, or application/octet-stream / empty
+                    Content-Type when the filename ends with .csv.
+      responses:
+        "201":
+          description: File uploaded successfully
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/S3UploadSuccess"
+        "400":
+          $ref: "#/components/responses/BadRequest"
+        "401":
+          $ref: "#/components/responses/Unauthorized"
+        "403":
+          $ref: "#/components/responses/Forbidden"
+        "404":
+          $ref: "#/components/responses/NotFound"
+        "413":
+          $ref: "#/components/responses/PayloadTooLarge"
+        "409":
+          $ref: "#/components/responses/Conflict"
+        "500":
+          $ref: "#/components/responses/InternalServerError"
+      operationId: uploadS3CsvFile
+      summary: Upload CSV file to S3
+      description: >-
+        Uploads a CSV file to S3 using credentials from the specified Kubernetes secret.
+        The request must be multipart/form-data with a part named `file`.
+
+        Only CSV uploads are allowed: Content-Type `text/csv`, or `application/octet-stream` (or empty)
+        when the part filename ends with `.csv`. The body is size-limited (declared Content-Length
+        and total multipart size caps; file part max 1 GiB). Rejects with 413 when limits are exceeded.
+
+        On success, returns JSON with `uploaded: true` and the resolved `key` (which may differ
+        from the requested key if a collision was avoided by probing existing keys).
+
+        Returns 409 if the object key chosen after collision resolution still conflicts at upload time
+        (e.g. concurrent writer); the client should retry the upload.
 
   /api/v1/s3/file/schema:
     summary: Path used to get the schema (column names and types) of a CSV file from S3.
@@ -310,6 +415,8 @@ paths:
     get:
       tags:
         - S3Operation
+      security:
+        - Bearer: []
       parameters:
         - name: namespace
           in: query
@@ -347,6 +454,7 @@ paths:
           description: The S3 object key (CSV file) to retrieve schema from
           schema:
             type: string
+            pattern: '^\S(.*\S)?$'
           example: data/training.csv
       responses:
         "200":
@@ -781,6 +889,23 @@ components:
           description: Description from the 'openshift.io/description' annotation (if present)
           example: "S3 bucket for training data storage"
 
+    S3UploadSuccess:
+      description: Response body for successful S3 file upload (POST /api/v1/s3/file)
+      required:
+        - uploaded
+        - key
+      type: object
+      properties:
+        uploaded:
+          type: boolean
+          example: true
+        key:
+          type: string
+          description: >-
+            S3 object key where the file was stored. May differ from the requested `key`
+            when a collision was resolved (e.g. `data/file-1.csv` if `data/file.csv` existed).
+          example: data/training.csv
+
     # Pipeline Run Schemas
     CreateAutoMLRunRequestBase:
       type: object
@@ -1277,6 +1402,23 @@ components:
                     type: string
                     example: "Invalid request parameters"
 
+    PayloadTooLarge:
+      description: Request entity too large (e.g. declared Content-Length or file part exceeds limit)
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              error:
+                type: object
+                properties:
+                  code:
+                    type: string
+                    example: "413"
+                  message:
+                    type: string
+                    example: "request body exceeds maximum upload size (1 GiB plus allowance for multipart framing)"
+
     Unauthorized:
       description: Unauthorized
       content:
@@ -1311,6 +1453,25 @@ components:
                     type: string
                     example: "Resource not found"
 
+    Conflict:
+      description: >-
+        Conflict (e.g. S3 conditional upload failed because the object already exists at the
+        resolved key; client may retry the request)
+      content:
+        application/json:
+          schema:
+            type: object
+            properties:
+              error:
+                type: object
+                properties:
+                  code:
+                    type: string
+                    example: "409"
+                  message:
+                    type: string
+                    example: "object key \"data/file.csv\" already exists in S3 (upload conflict); retry with a different key"
+
     InternalServerError:
       description: Internal Server Error
       content:
 
@@ -49,6 +49,12 @@ type App struct {
 	pipelineServerClientFactory ps.PipelineServerClientFactory
 	s3ClientFactory             s3int.S3ClientFactory
 	repositories                *repositories.Repositories
+	// s3PostMaxFilePartBytes is for package api tests only (see PostS3FileHandler).
+	s3PostMaxFilePartBytes int64
+	// s3PostMaxRequestBodyBytes caps total POST body in tests (0 = file max + multipart envelope).
+	s3PostMaxRequestBodyBytes int64
+	// s3PostMaxCollisionAttempts limits HeadObject-based key suffix attempts in tests (0 = default cap).
+	s3PostMaxCollisionAttempts int
 	//used only on mocked k8s client
 	testEnv *envtest.Environment
 	// rootCAs used for outbound TLS connections to Client Service
@@ -202,9 +208,12 @@ func (app *App) Routes() http.Handler {
 
 	// S3 operations — DSPA discovery is skipped when the caller supplies an explicit
 	// secretName (the handler resolves credentials directly in that case).
-	apiRouter.GET(S3FileSchemaPath, app.AttachNamespace(app.attachPipelineClientIfNeeded(app.GetS3FileSchemaHandler)))
-	apiRouter.GET(S3FilePath, app.AttachNamespace(app.attachPipelineClientIfNeeded(app.GetS3FileHandler)))
-	apiRouter.GET(S3FilesPath, app.AttachNamespace(app.attachPipelineClientIfNeeded(app.GetS3FilesHandler)))
+	apiRouter.GET(S3FileSchemaPath, app.AttachNamespace(app.RequireAccessToPipelineServers(app.attachPipelineClientIfNeeded(app.GetS3FileSchemaHandler))))
+	apiRouter.GET(S3FilePath, app.AttachNamespace(app.RequireAccessToPipelineServers(app.attachPipelineClientIfNeeded(app.GetS3FileHandler))))
+	apiRouter.GET(S3FilesPath, app.AttachNamespace(app.RequireAccessToPipelineServers(app.attachPipelineClientIfNeeded(app.GetS3FilesHandler))))
+	// POST /s3/file deliberately omits attachPipelineClientIfNeeded: secretName is required; there is
+	// no DSPA fallback (creation flow uses an explicitly chosen input/target data secret).
+	apiRouter.POST(S3FilePath, app.AttachNamespace(app.rejectDeclaredOversizedS3Post(app.RequireAccessToPipelineServers(app.PostS3FileHandler))))
 
 	// App Router
 	appMux := http.NewServeMux()
 
@@ -21,6 +21,17 @@ func (app *App) LogError(r *http.Request, err error) {
 	app.logger.Error(err.Error(), "method", method, "uri", uri)
 }
 
+func (app *App) payloadTooLargeResponse(w http.ResponseWriter, r *http.Request, message string) {
+	httpError := &integrations.HTTPError{
+		StatusCode: http.StatusRequestEntityTooLarge,
+		ErrorResponse: integrations.ErrorResponse{
+			Code:    strconv.Itoa(http.StatusRequestEntityTooLarge),
+			Message: message,
+		},
+	}
+	app.errorResponse(w, r, httpError)
+}
+
 func (app *App) badRequestResponse(w http.ResponseWriter, r *http.Request, err error) {
 	httpError := &integrations.HTTPError{
 		StatusCode: http.StatusBadRequest,
@@ -43,6 +54,17 @@ func (app *App) forbiddenResponse(w http.ResponseWriter, r *http.Request, messag
 	app.errorResponse(w, r, httpError)
 }
 
+func (app *App) conflictResponse(w http.ResponseWriter, r *http.Request, message string) {
+	httpError := &integrations.HTTPError{
+		StatusCode: http.StatusConflict,
+		ErrorResponse: integrations.ErrorResponse{
+			Code:    strconv.Itoa(http.StatusConflict),
+			Message: message,
+		},
+	}
+	app.errorResponse(w, r, httpError)
+}
+
 func (app *App) unauthorizedResponse(w http.ResponseWriter, r *http.Request, message string) {
 	// Log unauthorized access without sensitive details
 	app.logger.Warn("Unauthorized access attempt", "method", r.Method, "uri", r.URL.Path)
 
@@ -24,6 +24,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	k8svalidation "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/rest"
 )
@@ -44,6 +45,12 @@ func isValidDNS1123Label(label string) bool {
 	return dns1123LabelRegex.MatchString(label)
 }
 
+// isValidDNS1123Subdomain validates a string against DNS-1123 subdomain rules
+// using the Kubernetes apimachinery validation package.
+func isValidDNS1123Subdomain(name string) bool {
+	return len(k8svalidation.IsDNS1123Subdomain(name)) == 0
+}
+
 func (app *App) RecoverPanic(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		defer func() {