varnish-frontend invalidation logic

namedgraph · namedgraph · commit 434b2d085cee · 2025-12-09T12:29:09.000+01:00
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -285,6 +285,7 @@ configs:
 
       acl local {
           "localhost";
+          "linkeddatahub";
       }
 
       acl remote {
diff --git a/http-tests/document-hierarchy/GET-children.sh b/http-tests/document-hierarchy/GET-children.sh
@@ -15,6 +15,21 @@ add-agent-to-group.sh \
   --agent "$AGENT_URI" \
   "${ADMIN_BASE_URL}acl/groups/writers/"
 
+# execute SPARQL query to retrieve children of the end-user base URL to prime the Varnish cache
+
+query="DESCRIBE * WHERE { SELECT DISTINCT ?child ?thing WHERE { GRAPH ?childGraph { { ?child <http://rdfs.org/sioc/ns#has_parent> <${END_USER_BASE_URL}>. } UNION { ?child <http://rdfs.org/sioc/ns#has_container> <${END_USER_BASE_URL}>. } ?child <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> ?Type. OPTIONAL { ?child <http://purl.org/dc/terms/title> ?title. } OPTIONAL { ?child <http://xmlns.com/foaf/0.1/primaryTopic> ?thing. } } } ORDER BY (?title) LIMIT 20 }"
+
+# URL-encode query with uppercase hex digits (matching Java's UriComponent.encode())
+# Note: We must construct the URL manually instead of using curl's -G --data-urlencode because curl normalizes percent-encoding to lowercase,
+# which won't match the uppercase percent-encoding that Java produces in cache invalidation BAN requests
+encoded_query=$(python -c "import urllib.parse; print(urllib.parse.quote('''$query''', safe=''))")
+
+curl -k -f -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H "Accept: application/n-triples" \
+  "${END_USER_BASE_URL}sparql?query=$encoded_query" \
+  > /dev/null
+
 # create container
 
 slug="test-children-query"
@@ -27,14 +42,10 @@ container=$(create-container.sh \
   --slug "$slug" \
   --parent "$END_USER_BASE_URL")
 
-# execute SPARQL query to retrieve children of the end-user base URL
-
-query="DESCRIBE * WHERE { SELECT DISTINCT ?child ?thing WHERE { GRAPH ?childGraph { { ?child <http://rdfs.org/sioc/ns#has_parent> <${END_USER_BASE_URL}>. } UNION { ?child <http://rdfs.org/sioc/ns#has_container> <${END_USER_BASE_URL}>. } ?child <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> ?Type. OPTIONAL { ?child <http://purl.org/dc/terms/title> ?title. } OPTIONAL { ?child <http://xmlns.com/foaf/0.1/primaryTopic> ?thing. } } } ORDER BY (?title) LIMIT 20 }"
+# execute SPARQL query again - the new container should appear (verifies cache invalidation)
 
 curl -k -f -s \
-  -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
-  -H 'Accept: application/n-triples' \
-  --data-urlencode "query=$query" \
-  "${END_USER_BASE_URL}sparql" \
+  -H "Accept: application/n-triples" \
+  "${END_USER_BASE_URL}sparql?query=$encoded_query" \
 | grep -q "<${container}>"
diff --git a/src/main/java/com/atomgraph/linkeddatahub/Application.java b/src/main/java/com/atomgraph/linkeddatahub/Application.java
@@ -106,7 +106,7 @@
 import com.atomgraph.linkeddatahub.server.filter.request.auth.ProxiedWebIDFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.CORSFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.ResponseHeadersFilter;
-import com.atomgraph.linkeddatahub.server.filter.response.BackendInvalidationFilter;
+import com.atomgraph.linkeddatahub.server.filter.response.CacheInvalidationFilter;
 import com.atomgraph.linkeddatahub.server.filter.response.XsltExecutableFilter;
 import com.atomgraph.linkeddatahub.server.interceptor.RDFPostMediaTypeInterceptor;
 import com.atomgraph.linkeddatahub.server.mapper.auth.oauth2.TokenExpiredExceptionMapper;
@@ -1033,7 +1033,7 @@ protected void registerContainerResponseFilters()
         register(new CORSFilter());
         register(new ResponseHeadersFilter());
         register(new XsltExecutableFilter());
-        if (isInvalidateCache()) register(new BackendInvalidationFilter());
+        if (isInvalidateCache()) register(new CacheInvalidationFilter());
 //        register(new ProvenanceFilter());
     }
     
diff --git a/src/main/java/com/atomgraph/linkeddatahub/resource/Generate.java b/src/main/java/com/atomgraph/linkeddatahub/resource/Generate.java
@@ -21,7 +21,7 @@
 import com.atomgraph.linkeddatahub.client.LinkedDataClient;
 import com.atomgraph.linkeddatahub.imports.QueryLoader;
 import com.atomgraph.linkeddatahub.model.Service;
-import com.atomgraph.linkeddatahub.server.filter.response.BackendInvalidationFilter;
+import com.atomgraph.linkeddatahub.server.filter.response.CacheInvalidationFilter;
 import com.atomgraph.linkeddatahub.server.model.impl.GraphStoreImpl;
 import com.atomgraph.linkeddatahub.server.security.AgentContext;
 import com.atomgraph.linkeddatahub.server.util.Skolemizer;
@@ -237,7 +237,7 @@ public Response ban(Resource proxy, String url)
         if (url == null) throw new IllegalArgumentException("Resource cannot be null");
         
         return getSystem().getClient().target(proxy.getURI()).request().
-            header(BackendInvalidationFilter.HEADER_NAME, UriComponent.encode(url, UriComponent.Type.UNRESERVED)). // the value has to be URL-encoded in order to match request URLs in Varnish
+            header(CacheInvalidationFilter.HEADER_NAME, UriComponent.encode(url, UriComponent.Type.UNRESERVED)). // the value has to be URL-encoded in order to match request URLs in Varnish
             method("BAN", Response.class);
     }
     
diff --git a/src/main/java/com/atomgraph/linkeddatahub/resource/admin/Clear.java b/src/main/java/com/atomgraph/linkeddatahub/resource/admin/Clear.java
@@ -19,7 +19,7 @@
 import com.atomgraph.linkeddatahub.apps.model.AdminApplication;
 import com.atomgraph.linkeddatahub.apps.model.EndUserApplication;
 import static com.atomgraph.linkeddatahub.server.filter.request.OntologyFilter.addDocumentModel;
-import com.atomgraph.linkeddatahub.server.filter.response.BackendInvalidationFilter;
+import com.atomgraph.linkeddatahub.server.filter.response.CacheInvalidationFilter;
 import com.atomgraph.linkeddatahub.server.util.OntologyModelGetter;
 import java.net.URI;
 import jakarta.inject.Inject;
@@ -131,7 +131,7 @@ public Response ban(Resource proxy, String url)
         if (url == null) throw new IllegalArgumentException("Resource cannot be null");
         
         return getSystem().getClient().target(proxy.getURI()).request().
-            header(BackendInvalidationFilter.HEADER_NAME, UriComponent.encode(url, UriComponent.Type.UNRESERVED)). // the value has to be URL-encoded in order to match request URLs in Varnish
+            header(CacheInvalidationFilter.HEADER_NAME, UriComponent.encode(url, UriComponent.Type.UNRESERVED)). // the value has to be URL-encoded in order to match request URLs in Varnish
             method("BAN", Response.class);
     }
     
diff --git a/src/main/java/com/atomgraph/linkeddatahub/resource/oauth2/google/Login.java b/src/main/java/com/atomgraph/linkeddatahub/resource/oauth2/google/Login.java
@@ -25,7 +25,7 @@
 import static com.atomgraph.linkeddatahub.resource.admin.SignUp.AGENT_PATH;
 import static com.atomgraph.linkeddatahub.resource.admin.SignUp.AUTHORIZATION_PATH;
 import com.atomgraph.linkeddatahub.server.filter.request.auth.IDTokenFilter;
-import com.atomgraph.linkeddatahub.server.filter.response.BackendInvalidationFilter;
+import com.atomgraph.linkeddatahub.server.filter.response.CacheInvalidationFilter;
 import com.atomgraph.linkeddatahub.server.util.MessageBuilder;
 import com.atomgraph.linkeddatahub.server.util.Skolemizer;
 import com.atomgraph.linkeddatahub.vocabulary.ACL;
@@ -477,7 +477,7 @@ public Response ban(Resource proxy, String url)
         if (url == null) throw new IllegalArgumentException("Resource cannot be null");
         
         return getSystem().getClient().target(proxy.getURI()).request().
-            header(BackendInvalidationFilter.HEADER_NAME, UriComponent.encode(url, UriComponent.Type.UNRESERVED)). // the value has to be URL-encoded in order to match request URLs in Varnish
+            header(CacheInvalidationFilter.HEADER_NAME, UriComponent.encode(url, UriComponent.Type.UNRESERVED)). // the value has to be URL-encoded in order to match request URLs in Varnish
             method("BAN", Response.class);
     }
     
diff --git a/src/main/java/com/atomgraph/linkeddatahub/server/filter/response/CacheInvalidationFilter.java b/src/main/java/com/atomgraph/linkeddatahub/server/filter/response/CacheInvalidationFilter.java
@@ -32,6 +32,7 @@
 import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.Response;
 import java.util.Optional;
+import java.util.Set;
 import org.apache.jena.rdf.model.Resource;
 import org.glassfish.jersey.uri.UriComponent;
 
@@ -42,7 +43,7 @@
  * @author Martynas Jusevičius {@literal <martynas@atomgraph.com>}
  */
 @Priority(Priorities.USER + 400)
-public class BackendInvalidationFilter implements ContainerResponseFilter
+public class CacheInvalidationFilter implements ContainerResponseFilter
 {
     
     /**
@@ -59,58 +60,89 @@ public void filter(ContainerRequestContext req, ContainerResponseContext resp) t
         // If no application was matched (e.g., non-existent dataspace), skip cache invalidation
         if (!getApplication().isPresent()) return;
 
-        if (getAdminApplication().getService().getBackendProxy() == null) return;
-        
         if (req.getMethod().equals(HttpMethod.POST) && resp.getHeaderString(HttpHeaders.LOCATION) != null)
         {
             URI location = (URI)resp.getHeaders().get(HttpHeaders.LOCATION).get(0);
             URI parentURI = location.resolve("..").normalize();
+            URI relativeParentURI = getApplication().get().getBaseURI().relativize(parentURI);
 
-            ban(getApplication().get().getService().getBackendProxy(), location.toString()).close();
+            banIfNotNull(getApplication().get().getFrontendProxy(), location.toString());
+            banIfNotNull(getApplication().get().getService().getBackendProxy(), location.toString());
             // ban URI from authorization query results
-            ban(getAdminApplication().getService().getBackendProxy(), location.toString()).close();
+            banIfNotNull(getAdminApplication().getService().getBackendProxy(), location.toString());
+
             // ban parent resource URI in order to avoid stale children data in containers
-            ban(getApplication().get().getService().getBackendProxy(), parentURI.toString()).close();
-            ban(getApplication().get().getService().getBackendProxy(), getApplication().get().getBaseURI().relativize(parentURI).toString()).close(); // URIs can be relative in queries
+            banIfNotNull(getApplication().get().getFrontendProxy(), parentURI.toString());
+            banIfNotNull(getApplication().get().getService().getBackendProxy(), parentURI.toString());
+
+            if (!relativeParentURI.toString().isEmpty()) // URIs can be relative in queries
+            {
+                banIfNotNull(getApplication().get().getFrontendProxy(), relativeParentURI.toString());
+                banIfNotNull(getApplication().get().getService().getBackendProxy(), relativeParentURI.toString());
+            }
+
             // ban all results of queries that use forClass type
             if (req.getUriInfo().getQueryParameters().containsKey(AC.forClass.getLocalName()))
             {
                 String forClass = req.getUriInfo().getQueryParameters().getFirst(AC.forClass.getLocalName());
-                ban(getApplication().get().getService().getBackendProxy(), forClass).close();
+                banIfNotNull(getApplication().get().getFrontendProxy(), forClass);
+                banIfNotNull(getApplication().get().getService().getBackendProxy(), forClass);
             }
         }
         
-        if (req.getMethod().equals(HttpMethod.POST) || req.getMethod().equals(HttpMethod.PUT) || req.getMethod().equals(HttpMethod.DELETE) || req.getMethod().equals(HttpMethod.PATCH))
+        if (Set.of(HttpMethod.POST, HttpMethod.PUT, HttpMethod.DELETE, HttpMethod.PATCH).contains(req.getMethod()))
         {
-            // ban all admin/ entries when the admin dataset is changed - not perfect, but works
+            // ban all admin. entries when the admin dataset is changed - not perfect, but works
             if (!getAdminApplication().getBaseURI().relativize(req.getUriInfo().getAbsolutePath()).isAbsolute()) // URL is relative to the admin app's base URI
             {
-                ban(getAdminApplication().getService().getBackendProxy(), getAdminApplication().getBaseURI().toString()).close();
-                ban(getAdminApplication().getService().getBackendProxy(), "foaf:Agent").close(); // queries use prefixed names instead of absolute URIs
-                ban(getAdminApplication().getService().getBackendProxy(), "acl:AuthenticatedAgent").close();
+                banIfNotNull(getAdminApplication().getService().getBackendProxy(), getAdminApplication().getBaseURI().toString());
+                banIfNotNull(getAdminApplication().getService().getBackendProxy(), "foaf:Agent"); // queries use prefixed names instead of absolute URIs
+                banIfNotNull(getAdminApplication().getService().getBackendProxy(), "acl:AuthenticatedAgent");
             }
-            
+
             if (req.getUriInfo().getAbsolutePath().toString().endsWith("/"))
             {
-                ban(getApplication().get().getService().getBackendProxy(), req.getUriInfo().getAbsolutePath().toString()).close();
+                banIfNotNull(getApplication().get().getFrontendProxy(), req.getUriInfo().getAbsolutePath().toString());
+                banIfNotNull(getApplication().get().getService().getBackendProxy(), req.getUriInfo().getAbsolutePath().toString());
                 // ban URI from authorization query results
-                ban(getAdminApplication().getService().getBackendProxy(), req.getUriInfo().getAbsolutePath().toString()).close();
+                banIfNotNull(getAdminApplication().getService().getBackendProxy(), req.getUriInfo().getAbsolutePath().toString());
 
                 // ban parent document URIs (those that have a trailing slash) in order to avoid stale children data in containers
                 if (!req.getUriInfo().getAbsolutePath().equals(getApplication().get().getBaseURI()))
                 {
                     URI parentURI = req.getUriInfo().getAbsolutePath().resolve("..").normalize();
+                    URI relativeParentURI = getApplication().get().getBaseURI().relativize(parentURI);
+
+                    // ban parent resource URI in order to avoid stale children data in containers
+                    banIfNotNull(getApplication().get().getFrontendProxy(), parentURI.toString());
+                    banIfNotNull(getApplication().get().getService().getBackendProxy(), parentURI.toString());
 
-                    ban(getApplication().get().getService().getBackendProxy(), parentURI.toString()).close();
-                    ban(getApplication().get().getService().getBackendProxy(), getApplication().get().getBaseURI().relativize(parentURI).toString()).close(); // URIs can be relative in queries
+                    if (!relativeParentURI.toString().isEmpty()) // URIs can be relative in queries
+                    {
+                        banIfNotNull(getApplication().get().getFrontendProxy(), relativeParentURI.toString());
+                        banIfNotNull(getApplication().get().getService().getBackendProxy(), relativeParentURI.toString());
+                    }
                 }
             }
         }
     }
     
+    /**
+     * Bans URL from proxy cache if proxy is not null.
+     * Null-safe wrapper that handles the common pattern of banning and closing the response.
+     *
+     * @param proxy proxy resource (can be null)
+     * @param url URL to be banned
+     */
+    public void banIfNotNull(Resource proxy, String url)
+    {
+        if (proxy != null)
+            ban(proxy, url).close();
+    }
+
     /**
      * Bans URL from proxy cache.
-     * 
+     *
      * @param proxy proxy resource
      * @param url URL to be banned
      * @return response from proxy
@@ -119,7 +151,7 @@ public Response ban(Resource proxy, String url)
     {
         if (proxy == null) throw new IllegalArgumentException("Proxy resource cannot be null");
         if (url == null) throw new IllegalArgumentException("Resource cannot be null");
-        
+
         return getClient().target(proxy.getURI()).request().
             header(HEADER_NAME, UriComponent.encode(url, UriComponent.Type.UNRESERVED)). // the value has to be URL-encoded in order to match request URLs in Varnish
             method("BAN", Response.class);

Original file line number	Diff line number	Diff line change
`@@ -285,6 +285,7 @@ configs:`
`285`	`285`
`286`	`286`	`acl local {`
`287`	`287`	`"localhost";`
	`288`	`+ "linkeddatahub";`
`288`	`289`	`}`
`289`	`290`
`290`	`291`	`acl remote {`