
fix(rest-api): forward path params in ESIndexResource create/mod endpoints (#35635) #36260

Merged
fabrizzio-dotCMS merged 1 commit into main from issue-35635-createindex-params-500
Jun 22, 2026

@fabrizzio-dotCMS fabrizzio-dotCMS commented Jun 22, 2026

Member

Proposed Changes

Fixes the TC-005 blocker reported in #35635: PUT /api/v1/esindex/create/{params:.*} returned HTTP 500 on every call, making it impossible for QA to validate the threadSafeTimestampFormatter thread-safety work.

Note on scope — deprecated endpoints. All six endpoints touched here are @Deprecated and superseded by the modern routes (PUT /api/v1/esindex/{indexName}?action=..., which bind the index name via @PathParam/@QueryParam and are unaffected). They normally see no traffic. The issue surfaced only because the deprecated path-param endpoints are still present in the codebase and AI detected the latent defect while investigating TC-005 — createIndex in particular still 500s on every call. The fix restores correct behavior for these legacy endpoints with a minimal change; it does not revive or re-promote them.

Root cause

createIndex captures the URL into @PathParam("params") String params, but invokes the 2-argument auth(request, response) overload, which forwards null instead of params to WebResource. As a result getParamsMap() is built over BLANK and is always empty → getParamsMap().get("shards") is null → Integer.parseInt(null) throws NumberFormatException → HTTP 500. The captured params was effectively dead code.

The five sibling @Deprecated PUT endpoints (clearIndex, activateIndex, deactivateIndex, closeIndex, openIndex) share the identical defect — they read the index name from getParamsMap(), which always arrived empty, so they silently operated on a null index (returning 404 / erroring instead of acting).

Fix

  • createIndex and the five sibling endpoints now forward the captured params to the 3-arg auth(request, response, params) overload (the same pattern already used by getActive).
  • createIndex now returns HTTP 400 with a clear message when shards is missing or non-numeric, instead of an opaque 500.

Issue

This PR fixes a defect

How to test

Manual (TC-005):

seq 20 | xargs -P 20 -I{} curl -s -o /tmp/idx_{}.json -w "%{http_code}\n" \
  -u admin:admin -X PUT http://localhost:8082/api/v1/esindex/create/shards/1

Expected: 20× HTTP 200, 20 unique well-formed index names. A missing/invalid shards now yields HTTP 400 (not 500).

🤖 Generated with Claude Code

This PR fixes: #35635
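
The failure chain described under "Root cause" and the 400 guard described under "Fix", reduced to a stand-alone Java sketch. This is an added example, not code from the dotCMS repository: paramsMap, createUnguarded and createGuarded are hypothetical stand-ins, and the alternating key/value path format is an assumption based on the /create/shards/1 test URL.

```java
import java.util.HashMap;
import java.util.Map;

public class PathParamsDemo {

    // Hypothetical stand-in for getParamsMap(): splits "key/value/key/value".
    // A null input models the 2-arg auth overload forwarding null: empty map.
    static Map<String, String> paramsMap(String params) {
        Map<String, String> map = new HashMap<>();
        if (params == null || params.isBlank()) {
            return map;
        }
        String[] parts = params.replaceAll("^/+", "").split("/");
        for (int i = 0; i + 1 < parts.length; i += 2) {
            map.put(parts[i], parts[i + 1]);
        }
        return map;
    }

    // Before: unguarded parse. A missing key reaches Integer.parseInt(null);
    // the resulting NumberFormatException is what surfaced as HTTP 500.
    static int createUnguarded(Map<String, String> params) {
        try {
            Integer.parseInt(params.get("shards"));
            return 200;
        } catch (NumberFormatException e) {
            return 500; // models the uncaught exception reaching the client
        }
    }

    // After: a missing or non-numeric value is a client error, answered with 400.
    static int createGuarded(Map<String, String> params) {
        String shards = params.get("shards");
        if (shards == null) {
            return 400;
        }
        try {
            Integer.parseInt(shards);
            return 200;
        } catch (NumberFormatException e) {
            return 400;
        }
    }

    public static void main(String[] args) {
        String captured = "shards/1"; // constructed sample path segment
        System.out.println(createUnguarded(paramsMap(null)));       // params dropped
        System.out.println(createGuarded(paramsMap(captured)));     // params forwarded
        System.out.println(createGuarded(paramsMap("shards/abc"))); // non-numeric
        System.out.println(createGuarded(paramsMap("replicas/1"))); // shards missing
    }
}
```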

…oints (#35635)

createIndex and the sibling @deprecated endpoints captured @PathParam("params")
but invoked the 2-arg auth(request,response) overload, which forwarded null;
the params map was left empty and createIndex responded with HTTP 500 (NumberFormatException
on shards). params is now forwarded to the 3-arg auth, and HTTP 400 is returned for a
missing/invalid shards instead of an opaque 500.

Refs: #35635

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Contributor

❌ Linked Issue Needs Team Label

This PR is linked to issue #35635, but that issue has no Team : * label. Every linked issue must be owned by a team for tracking and triage.

How to fix this:

Apply a Team : * label to the linked issue (e.g., Team : Scout, Team : Platform, Team : Falcon, Team : Maintenance). Then push a new commit or edit the PR description to re-run this check.


This comment was automatically generated by the issue linking workflow

@github-actions github-actions Bot added the Area : Backend PR changes Java/Maven backend code label Jun 22, 2026
@claude

claude Bot commented Jun 22, 2026

Contributor

Claude finished @fabrizzio-dotCMS's task in 1m 4s


Rollback Safety Analysis

  • Read rollback-unsafe categories reference
  • Get full PR diff
  • Analyze diff against all unsafe categories
  • Apply label: AI: Safe To Rollback

Result: ✅ Safe to Roll Back

The diff touches exactly one file: dotCMS/src/main/java/com/dotcms/rest/api/v1/index/ESIndexResource.java

Checked against every category in the rollback-unsafe reference:

| Category | Verdict |
| --- | --- |
| C-1 Structural Data Model Change | ✅ No DB schema changes |
| C-2 Elasticsearch Mapping Change | ✅ No mapping code touched (ESMappingAPIImpl, ESMappingUtilHelper, ESMappingConstants all untouched) |
| C-3 Content JSON Model Version Bump | ✅ No ImmutableContentlet or CURRENT_MODEL_VERSION changes |
| C-4 DROP TABLE / DROP COLUMN | ✅ No DDL |
| H-1 One-Way Data Migration | ✅ No runonce task, no data transformation |
| H-2 RENAME TABLE / RENAME COLUMN | ✅ None |
| H-3 PK Restructuring | ✅ None |
| H-4 New Content Type Field | ✅ None |
| H-5 Binary Storage Provider Change | ✅ None |
| H-6 DROP PROCEDURE / FUNCTION | ✅ None |
| H-7 NOT NULL Column Without Default | ✅ No schema changes |
| H-8 VTL Viewtool Contract Change | ESIndexResource is not a VTL viewtool |
| M-1 Non-Broadening Column Type Change | ✅ No DB changes |
| M-2 Push Publishing Bundle Format Change | ✅ Not touched |
| M-3 REST / GraphQL Contract Change | ✅ Bug fix — same endpoints, same paths, same HTTP methods. The only behavior change is: a call that previously returned 500 now correctly returns 400 for missing shards, and previously broken endpoints now work as documented. No field renames, no response shape changes, no required parameter additions. |
| M-4 OSGi Plugin API Breakage | ✅ No interface or public API changes |

Summary: All changes are pure Java application logic corrections — forwarding params to the correct auth() overload and adding an input validation guard. No storage, mapping, or public contract changes are introduced. Rolling back to the previous release would simply restore the original broken behavior (500 on create, silent null index on the sibling endpoints), with no data loss or persistent side effects.

@github-actions

github-actions Bot commented Jun 22, 2026

Contributor

🤖 Bedrock Review — deepseek.v3.2

[🟠 High] dotCMS/src/main/java/com/dotcms/rest/api/v1/index/ESIndexResource.java:268 — The auth method signature changed to accept params, but the existing auth method may not support this overload, potentially causing a NoSuchMethodError at runtime. This is a breaking change.

[🟡 Medium] dotCMS/src/main/java/com/dotcms/rest/api/v1/index/ESIndexResource.java:271 — Logging the full request URI could expose sensitive path parameters if they are present in the URI. This may leak internal data.

[🟡 Medium] dotCMS/src/main/java/com/dotcms/rest/api/v1/index/ESIndexResource.java:272 — The error response entity returns a raw string message. This could expose internal validation logic; consider a generic error message for security.

[🟠 High] dotCMS/src/main/java/com/dotcms/rest/api/v1/index/ESIndexResource.java:303, 411, 428, 444, 461 — Same as line 268: the auth method calls now pass params, but the method signature change is not shown in the diff. This could cause compilation errors or runtime failures if the auth method does not exist with that signature.


Run: #27966511889 · tokens: in: 1613 · out: 284 · total: 1897

@mergify

mergify Bot commented Jun 22, 2026


Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@fabrizzio-dotCMS fabrizzio-dotCMS added this pull request to the merge queue Jun 22, 2026
Merged via the queue into main with commit cd72225 Jun 22, 2026
59 of 61 checks passed
@fabrizzio-dotCMS fabrizzio-dotCMS deleted the issue-35635-createindex-params-500 branch June 22, 2026 21:49

Development

Successfully merging this pull request may close these issues.

[QA-G1] OpenSearch Migration — Safe Startup When OpenSearch Is Unavailable (TC-001, TC-003–TC-005)

2 participants