diff options
author | Max Kanat-Alexander <mkanat@bugzilla.org> | 2010-04-22 11:52:45 -0700 |
---|---|---|
committer | Max Kanat-Alexander <mkanat@bugzilla.org> | 2010-04-22 11:52:45 -0700 |
commit | 5bb84b3c6efc503652a14e59efbe2b7c548608dd (patch) | |
tree | c75323c210888cc942678f892dc0b84cbf868410 /Bugzilla/WebService | |
parent | d8e899bace75e1f4bd99443baaeaebac8b819251 (diff) | |
download | bugs-5bb84b3c6efc503652a14e59efbe2b7c548608dd.tar bugs-5bb84b3c6efc503652a14e59efbe2b7c548608dd.tar.gz bugs-5bb84b3c6efc503652a14e59efbe2b7c548608dd.tar.bz2 bugs-5bb84b3c6efc503652a14e59efbe2b7c548608dd.tar.xz bugs-5bb84b3c6efc503652a14e59efbe2b7c548608dd.zip |
Bug 550732: Allow read-only JSON-RPC methods to be called with GET
r=dkl, a=mkanat
Diffstat (limited to 'Bugzilla/WebService')
-rw-r--r-- | Bugzilla/WebService/Bug.pm | 10 | ||||
-rw-r--r-- | Bugzilla/WebService/Bugzilla.pm | 7 | ||||
-rw-r--r-- | Bugzilla/WebService/Constants.pm | 9 | ||||
-rw-r--r-- | Bugzilla/WebService/Product.pm | 7 | ||||
-rw-r--r-- | Bugzilla/WebService/Server/JSONRPC.pm | 177 | ||||
-rw-r--r-- | Bugzilla/WebService/User.pm | 4 |
6 files changed, 187 insertions, 27 deletions
diff --git a/Bugzilla/WebService/Bug.pm b/Bugzilla/WebService/Bug.pm index 240eee91e..58a39bf21 100644 --- a/Bugzilla/WebService/Bug.pm +++ b/Bugzilla/WebService/Bug.pm @@ -48,6 +48,16 @@ use constant DATE_FIELDS => { search => ['last_change_time', 'creation_time'], }; +use constant READ_ONLY => qw( + attachments + comments + fields + get + history + legal_values + search +); + ###################################################### # Add aliases here for old method name compatibility # ###################################################### diff --git a/Bugzilla/WebService/Bugzilla.pm b/Bugzilla/WebService/Bugzilla.pm index c14cc7dea..2501fe60c 100644 --- a/Bugzilla/WebService/Bugzilla.pm +++ b/Bugzilla/WebService/Bugzilla.pm @@ -31,6 +31,13 @@ use constant LOGIN_EXEMPT => { version => 1, }; +use constant READ_ONLY => qw( + extensions + timezone + time + version +); + sub version { my $self = shift; return { version => $self->type('string', BUGZILLA_VERSION) }; diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm index 19d230759..0ada98ba4 100644 --- a/Bugzilla/WebService/Constants.pm +++ b/Bugzilla/WebService/Constants.pm @@ -120,10 +120,11 @@ use constant WS_ERROR_CODE => { user_access_by_id_denied => 505, user_access_by_match_denied => 505, - # RPC Server Errors. See the following URL: - # http://xmlrpc-epi.sourceforge.net/specs/rfc.fault_codes.php - xmlrpc_invalid_value => -32600, - unknown_method => -32601, + # Errors thrown by the WebService itself. The ones that are negative + # conform to http://xmlrpc-epi.sourceforge.net/specs/rfc.fault_codes.php + xmlrpc_invalid_value => -32600, + unknown_method => -32601, + json_rpc_post_only => 32610, }; # These are the fallback defaults for errors not in ERROR_CODE. diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm index eaec012a4..90c81dcc0 100644 --- a/Bugzilla/WebService/Product.pm +++ b/Bugzilla/WebService/Product.pm @@ -23,6 +23,13 @@ use Bugzilla::Product; use Bugzilla::User; use Bugzilla::WebService::Util qw(validate); +use constant READ_ONLY => qw( + get + get_accessible_products + get_enterable_products + get_selectable_products +); + ################################################## # Add aliases here for method name compatibility # ################################################## diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index 3ec64c6bc..ae479ff5e 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -28,6 +28,12 @@ use Bugzilla::Error; use Bugzilla::WebService::Constants; use Bugzilla::WebService::Util qw(taint_data); +use Bugzilla::Util qw(correct_urlbase); + +##################################### +# Public JSON::RPC Method Overrides # +##################################### + sub new { my $class = shift; my $self = $class->SUPER::new(@_); @@ -71,6 +77,81 @@ sub response { print $response->content; } +# The JSON-RPC 1.1 GET specification is not so great--you can't specify +# data structures as parameters. However, the JSON-RPC 2.0 "JSON-RPC over +# HTTP" spec is excellent, so we are using that for GET requests, instead. +# Spec: http://groups.google.com/group/json-rpc/web/json-rpc-over-http +# +# The one exception is that we don't require the "params" argument to be +# Base64 encoded, because that is ridiculous and obnoxious for JavaScript +# clients. +sub retrieve_json_from_get { + my $self = shift; + my $cgi = $self->cgi; + + my %input; + + # Both version and id must be set before any errors are thrown. + if ($cgi->param('version')) { + $self->version(scalar $cgi->param('version')); + $input{version} = $cgi->param('version'); + } + else { + $self->version('1.0'); + } + + # The JSON-RPC 2.0 spec says that any request that omits an id doesn't + # want a response. However, in an HTTP GET situation, it's stupid to + # expect all clients to specify some id parameter just to get a response, + # so we don't require it. + my $id; + if (defined $cgi->param('id')) { + $id = $cgi->param('id'); + } + # However, JSON::RPC does require that an id exist in most cases, in + # order to throw proper errors. We use the installation's urlbase as + # the id, in this case. + else { + $id = correct_urlbase(); + } + # Setting _bz_request_id here is required in case we throw errors early, + # before _handle. + $self->{_bz_request_id} = $input{id} = $id; + + if (!$cgi->param('method')) { + ThrowUserError('json_rpc_get_method_required'); + } + $input{method} = $cgi->param('method'); + + my $params; + if (defined $cgi->param('params')) { + local $@; + $params = eval { + $self->json->decode(scalar $cgi->param('params')) + }; + if ($@) { + ThrowUserError('json_rpc_invalid_params', + { params => scalar $cgi->param('params'), + err_msg => $@ }); + } + } + elsif (!$self->version or $self->version ne '1.1') { + $params = []; + } + else { + $params = {}; + } + + $input{params} = $params; + + my $json = $self->json->encode(\%input); + return $json; +} + +####################################### +# Bugzilla::WebService Implementation # +####################################### + sub type { my ($self, $type, $value) = @_; @@ -108,6 +189,35 @@ sub datetime_format_outbound { return $self->SUPER::datetime_format_outbound(@_) . 'Z'; } +sub handle_login { + my $self = shift; + + # If we're being called using GET, we don't allow cookie-based or Env + # login, because GET requests can be done cross-domain, and we don't + # want private data showing up on another site unless the user + # explicitly gives that site their username and password. (This is + # particularly important for JSONP, which would allow a remote site + # to use private data without the user's knowledge, unless we had this + # protection in place.) + if ($self->request->method ne 'POST') { + # XXX There's no particularly good way for us to get a parameter + # to Bugzilla->login at this point, so we pass this information + # around using request_cache, which is a bit of a hack. The + # implementation of it is in Bugzilla::Auth::Login::Stack. + Bugzilla->request_cache->{auth_no_automatic_login} = 1; + } + + my $path = $self->path_info; + my $class = $self->{dispatch_path}->{$path}; + my $full_method = $self->_bz_method_name; + $full_method =~ /^\S+\.(\S+)/; + my $method = $1; + $self->SUPER::handle_login($class, $method, $full_method); +} + +###################################### +# Private JSON::RPC Method Overrides # +###################################### # Store the ID of the current call, because Bugzilla::Error will need it. sub _handle { @@ -154,21 +264,11 @@ sub _error { return $json; } -################## -# Login Handling # -################## - # This handles dispatching our calls to the appropriate class based on # the name of the method. sub _find_procedure { my $self = shift; - # This is also a good place to deny GET requests, since we can - # safely call ThrowUserError at this point. - if ($self->request->method ne 'POST') { - ThrowUserError('json_rpc_post_only'); - } - my $method = shift; $self->{_bz_method_name} = $method; @@ -217,6 +317,16 @@ sub _argument_type_check { Bugzilla->input_params($params); + if ($self->request->method ne 'POST') { + # When being called using GET, we don't allow calling + # methods that can change data. This protects us against cross-site + # request forgeries. + if (!grep($_ eq $method, $pkg->READ_ONLY)) { + ThrowUserError('json_rpc_post_only', + { method => $self->_bz_method_name }); + } + } + # This is the best time to do login checks. $self->handle_login(); @@ -235,17 +345,6 @@ sub _argument_type_check { return $params; } -sub handle_login { - my $self = shift; - - my $path = $self->path_info; - my $class = $self->{dispatch_path}->{$path}; - my $full_method = $self->_bz_method_name; - $full_method =~ /^\S+\.(\S+)/; - my $method = $1; - $self->SUPER::handle_login($class, $method, $full_method); -} - # _bz_method_name is stored by _find_procedure for later use. sub _bz_method_name { return $_[0]->{_bz_method_name}; @@ -285,8 +384,40 @@ your Bugzilla installation. For example, if your Bugzilla is at C<bugzilla.yourdomain.com>, then your JSON-RPC client would access the API via: C<http://bugzilla.yourdomain.com/jsonrpc.cgi> -Bugzilla only allows JSON-RPC requests over C<POST>. C<GET> requests -(or any other type of request, such as C<HEAD>) will be denied. +=head2 Connecting via GET + +The most powerful way to access the JSON-RPC interface is by HTTP POST. +However, for convenience, you can also access certain methods by using GET +(a normal webpage load). Methods that modify the database or cause some +action to happen in Bugzilla cannot be called over GET. Only methods that +simply return data can be used over GET. + +For security reasons, when you connect over GET, cookie authentication +is not accepted. If you want to authenticate using GET, you have to +use the C<Bugzilla_login> and C<Bugzilla_password> method described at +L<Bugzilla::WebService/LOGGING IN>. + +To connect over GET, simply send the values that you'd normally send for +each JSON-RPC argument as URL parameters, with the C<params> item being +a JSON string. + +The simplest example is a call to C<Bugzilla.time>: + + jsonrpc.cgi?method=Bugzilla.time + +Here's a call to C<User.get>, with several parameters: + + jsonrpc.cgi?method=User.get¶ms=[ { "ids": [1,2], "names": ["user@domain.com"] } ] + +Although in reality you would url-encode the C<params> argument, so it would +look more like this: + + jsonrpc.cgi?method=User.get¶ms=%5B+%7B+%22ids%22%3A+%5B1%2C2%5D%2C+%22names%22%3A+%5B%22user%40domain.com%22%5D+%7D+%5D + +You can also specify C<version> as a URL parameter, if you want to specify +what version of the JSON-RPC protocol you're using, and C<id> as a URL +parameter if you want there to be a specific C<id> value in the returned +JSON-RPC response. =head1 PARAMETERS diff --git a/Bugzilla/WebService/User.pm b/Bugzilla/WebService/User.pm index 76d4d3e37..4aa152969 100644 --- a/Bugzilla/WebService/User.pm +++ b/Bugzilla/WebService/User.pm @@ -36,6 +36,10 @@ use constant LOGIN_EXEMPT => { offer_account_by_email => 1, }; +use constant READ_ONLY => qw( + get +); + ############## # User Login # ############## |