Merge pull request #53067 from geoand/#53030

Fix path templating issue for overlapping paths

Author: geoand

extensions/resteasy-reactive/rest/runtime/src/main/java/io/quarkus/resteasy/reactive/server/runtime/observability/ObservabilityIntegrationRecorder.java

@@ -8,6 +8,7 @@
 import org.jboss.resteasy.reactive.common.util.PathHelper;
 import org.jboss.resteasy.reactive.server.core.Deployment;
 import org.jboss.resteasy.reactive.server.handlers.ClassRoutingHandler;
+import org.jboss.resteasy.reactive.server.handlers.RestInitialHandler;
 import org.jboss.resteasy.reactive.server.mapping.RequestMapper;
 
 import io.quarkus.runtime.RuntimeValue;
@@ -54,24 +55,37 @@ private boolean shouldHandle(RoutingContext event) {
     public static void setTemplatePath(RoutingContext rc, Deployment deployment) {
         // do what RestInitialHandler does
         var initMappers = new RequestMapper<>(deployment.getClassMappers());
-        var requestMatch = initMappers.map(getPathWithoutPrefix(rc, deployment));
-        if (requestMatch == null) {
-            return;
+        var path = getPathWithoutPrefix(rc, deployment);
+        var requestMatch = initMappers.map(path);
+
+        // try each class-level match until we find one whose method-level mapper also matches
+        // this mirrors what ClassRoutingHandler does with restartWithNextInitialMatch()
+        while (requestMatch != null) {
+            var templatePath = tryMatchTemplatePath(rc, requestMatch);
+            if (templatePath != null) {
+                if (templatePath.endsWith("/")) {
+                    templatePath = templatePath.substring(0, templatePath.length() - 1);
+                }
+                setUrlPathTemplate(rc, templatePath);
+                return;
+            }
+            requestMatch = initMappers.continueMatching(path, requestMatch);
         }
+    }
+
+    private static String tryMatchTemplatePath(RoutingContext rc,
+            RequestMapper.RequestMatch<RestInitialHandler.InitialMatch> requestMatch) {
         var remaining = requestMatch.remaining.isEmpty() ? "/" : requestMatch.remaining;
 
         var serverRestHandlers = requestMatch.value.handlers;
         if (serverRestHandlers == null || serverRestHandlers.length < 1) {
-            // nothing we can do
-            return;
+            return null;
         }
         var firstHandler = serverRestHandlers[0];
-        if (!(firstHandler instanceof ClassRoutingHandler)) {
-            // nothing we can do
-            return;
+        if (!(firstHandler instanceof ClassRoutingHandler classRoutingHandler)) {
+            return null;
         }
 
-        var classRoutingHandler = (ClassRoutingHandler) firstHandler;
         var mappers = classRoutingHandler.getMappers();
 
         var requestMethod = rc.request().method().name();
@@ -86,8 +100,7 @@ public static void setTemplatePath(RoutingContext rc, Deployment deployment) {
                 mapper = mappers.get(null);
             }
             if (mapper == null) {
-                // can't match the path
-                return;
+                return null;
             }
         }
         var target = mapper.map(remaining);
@@ -100,17 +113,11 @@ public static void setTemplatePath(RoutingContext rc, Deployment deployment) {
             }
 
             if (target == null) {
-                // can't match the path
-                return;
+                return null;
             }
         }
 
-        var templatePath = requestMatch.template.template + target.template.template;
-        if (templatePath.endsWith("/")) {
-            templatePath = templatePath.substring(0, templatePath.length() - 1);
-        }
-
-        setUrlPathTemplate(rc, templatePath);
+        return requestMatch.template.template + target.template.template;
     }
 
     private static String getPathWithoutPrefix(RoutingContext rc, Deployment deployment) {

integration-tests/micrometer-security/src/main/java/io/quarkus/it/micrometer/security/SecuredResourceOverlapping.java

@@ -0,0 +1,20 @@
+package io.quarkus.it.micrometer.security;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+
+import io.smallrye.mutiny.Uni;
+
+@Path("/secured/{message}")
+public class SecuredResourceOverlapping {
+
+    @GET
+    @Path("/details")
+    @Produces(MediaType.TEXT_PLAIN)
+    public Uni<String> details(@PathParam("message") String message) {
+        return Uni.createFrom().item("details of " + message);
+    }
+}

integration-tests/micrometer-security/src/test/java/io/quarkus/it/micrometer/security/SecuredResourceTest.java

@@ -29,4 +29,27 @@ void testMetricsForUnauthorizedRequest() {
                 );
     }
 
+    @Test
+    void testMetricsForUnauthorizedRequestWithOverlappingPaths() {
+        // When two controllers have overlapping paths (e.g. /secured/{message} and /secured/{message}/details),
+        // the URI template should still be resolved correctly for unauthorized requests.
+        // See https://github.com/quarkusio/quarkus/issues/53030
+        when().get("/secured/foo")
+                .then()
+                .statusCode(403);
+
+        when().get("/secured/foo/details")
+                .then()
+                .statusCode(403);
+
+        when().get("/q/metrics")
+                .then()
+                .statusCode(200)
+                .body(
+                        allOf(
+                                not(containsString("/secured/foo")),
+                                containsString("/secured/{message}"),
+                                containsString("/secured/{message}/details")));
+    }
+
 }