summaryrefslogtreecommitdiffstats
path: root/services/request.esp
blob: 03226f975d02be42339a8cc0cad2dca290cc0236 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
<%

/*
 * Copyright:
 *   (C) 2006 by Derrell Lipman
 *       All rights reserved
 *
 * License:
 *   LGPL 2.1: http://creativecommons.org/licenses/LGPL/2.1/
 */

/*
 * This is a simple JSON-RPC server.
 */

/* Bring in the json format/parse functions */
jsonrpc_include("json.esp");

/* Bring in the date class */
jsonrpc_include("jsondate.esp");

/* Load the authentication script */
jsonrpc_include("json_auth.esp");


/* bring the string functions into the global frame */
string_init(global);

/* Bring the system functions into the global frame */
sys_init(global);

/* Bring the session functions into the global frame */
system_session(global);


function printf()
{
	print(vsprintf(arguments));
}


/*
 * All of our manipulation of JSON RPC methods will be through this object.
 * Each class of methods will assign to here, and all of the constants will
 * also be in this object.
 */
jsonrpc = new Object();
jsonrpc.Constant = new Object();
jsonrpc.Constant.ErrorOrigin = new Object(); /* error origins */
jsonrpc.Constant.ServerError = new Object(); /* server-generated error codes */
jsonrpc.method = new Object();       /* methods available in requested class */

/*
 * ScriptTransport constants
 */
jsonrpc.Constant.ScriptTransport = new Object();
jsonrpc.Constant.ScriptTransport.NotInUse        = -1;


/*
 * JSON-RPC error origin constants
 */
jsonrpc.Constant.ErrorOrigin.Server              = 1;
jsonrpc.Constant.ErrorOrigin.Application         = 2;
jsonrpc.Constant.ErrorOrigin.Transport           = 3;
jsonrpc.Constant.ErrorOrigin.Client              = 4;



/*
 * JSON-RPC server-generated error code constants
 */

/**
 * Error code, value 0: Unknown Error
 *
 * The default error code, used only when no specific error code is passed to
 * the JsonRpcError constructor.  This code should generally not be used.
 */
jsonrpc.Constant.ServerError.Unknown               = 0;

/**
 * Error code, value 1: Illegal Service
 *
 * The service name contains illegal characters or is otherwise deemed
 * unacceptable to the JSON-RPC server.
 */
jsonrpc.Constant.ServerError.IllegalService        = 1;

/**
 * Error code, value 2: Service Not Found
 *
 * The requested service does not exist at the JSON-RPC server.
 */
jsonrpc.Constant.ServerError.ServiceNotFound       = 2;

/**
 * Error code, value 3: Class Not Found
 *
 * If the JSON-RPC server divides service methods into subsets (classes), this
 * indicates that the specified class was not found.  This is slightly more
 * detailed than "Method Not Found", but that error would always also be legal
 * (and true) whenever this one is returned. (Not used in this implementation)
 */
jsonrpc.Constant.ServerError.ClassNotFound         = 3;

/**
 * Error code, value 4: Method Not Found
 *
 * The method specified in the request is not found in the requested service.
 */
jsonrpc.Constant.ServerError.MethodNotFound        = 4;

/*
 * Error code, value 5: Parameter Mismatch
 *
 * If a method discovers that the parameters (arguments) provided to it do not
 * match the requisite types for the method's parameters, it should return
 * this error code to indicate so to the caller.
 *
 * This error is also used to indicate an illegal parameter value, in server
 * scripts.
 */
jsonrpc.Constant.ServerError.ParameterMismatch     = 5;

/**
 * Error code, value 6: Permission Denied
 *
 * A JSON-RPC service provider can require authentication, and that
 * authentication can be implemented such the method takes authentication
 * parameters, or such that a method or class of methods requires prior
 * authentication.  If the caller has not properly authenticated to use the
 * requested method, this error code is returned.
 */
jsonrpc.Constant.ServerError.PermissionDenied      = 6;

/*** Errors generated by this server which are not qooxdoo-standard ***/

/*
 * Error code, value 1000: Unexpected Output
 *
 * The called method illegally generated output to the browser, which would
 * have preceeded the JSON-RPC data.
 */
jsonrpc.Constant.ServerError.UnexpectedOutput      = 1000;

/*
 * Error code, value 1001: Resource Error
 *
 * Too many resources were requested, a system limitation on the total number
 * of resources has been reached, or a resource or resource id was misused.
 */
jsonrpc.Constant.ServerError.ResourceError         = 1001;

/*
 * Error code, value 1002: Not Logged In
 *
 * The user has logged out and must re-authenticate, or this is a brand new
 * session and the user must log in.
 *
 */
jsonrpc.Constant.ServerError.NotLoggedIn           = 1002;

/*
 * Error code, value 1003: Session Expired
 *
 * The session has expired and the user must re-authenticate.
 *
 */
jsonrpc.Constant.ServerError.SessionExpired        = 1003;

/*
 * Error code, value 1004: Login Failed
 *
 * An attempt to log in failed.
 *
 */
jsonrpc.Constant.ServerError.LoginFailed           = 1004;





function sendReply(reply, scriptTransportId)
{
    /* If not using ScriptTransport... */
    if (scriptTransportId == jsonrpc.Constant.ScriptTransport.NotInUse)
    {
        /* ... then just output the reply. */
        write(reply);
    }
    else
    {
        /* Otherwise, we need to add a call to a qooxdoo-specific function */
        reply =
            "qx.io.remote.ScriptTransport._requestFinished(" +
            scriptTransportId + ", " + reply +
            ");";
        write(reply);
    }
}


function _jsonValidRequest(req)
{
    if (req == undefined)
    {
        return false;
    }

    if (typeof(req) != "object")
    {
        return false;
    }

    if (req["id"] == undefined)
    {
        return false;
    }

    if (req["service"] == undefined)
    {
        return false;
    }

    if (req["method"] == undefined)
    {
        return false;
    }

    if (req["params"] == undefined)
    {
        return false;
    }

    return true;
}
jsonrpc.validRequest = _jsonValidRequest;
_jsonValidRequest = null;

/*
 * class JsonRpcError
 *
 * This class allows service methods to easily provide error information for
 * return via JSON-RPC.
 */
function _JsonRpcError_create(origin, code, message)
{
    var o = new Object();

    o.data = new Object();
    o.data.origin = origin;
    o.data.code = code;
    o.data.message = message;
    o.scriptTransportId = jsonrpc.Constant.ScriptTransport.NotInUse;
    o.__type = "_JsonRpcError";

    function _origin(origin)
    {
        this.data.origin = origin;
    }
    o.setOrigin = _origin;

    function _setError(code, message)
    {
        this.data.code = code;
        this.data.message = message;
    }
    o.setError = _setError;

    function _setId(id)
    {
        this.id = id;
    }
    o.setId = _setId;

    function _setScriptTransportId(id)
    {
        this.scriptTransportId = id;
    }
    o.setScriptTransportId = _setScriptTransportId;

    function _setInfo(info)
    {
        // Add the info field only if info is actually provided.
        // This is an extension to qooxdoo's normal Error return value.
        this.data.info = info;
    }
    o.setInfo = _setInfo;

    function _Send()
    {
        var error = this;
        var id = this.id;
        var ret = new Object();
        ret.error = this.data;
        ret.id = this.id;
        sendReply(Json.encode(ret), this.scriptTransportId);
    }
    o.Send = _Send;

    return o;
}

jsonrpc.createError = _JsonRpcError_create;
_JsonRpcError_create = null;

/*
 * 'input' is the user-provided json-encoded request
 * 'jsonInput' is that request, decoded into its object form
 */
var input;
var jsonInput = null;

/* Allocate a generic error object */
error = jsonrpc.createError(jsonrpc.Constant.ErrorOrigin.Server,
                            jsonrpc.Constant.ServerError.Unknown,
                            "Unknown error");

/* Assume (default) we're not using ScriptTransport */
scriptTransportId = jsonrpc.Constant.ScriptTransport.NotInUse;

/* What type of request did we receive? */
if (request["REQUEST_METHOD"] == "POST" &&
    request["CONTENT_TYPE"] == "application/json")
{
    /* We found literal POSTed json-rpc data (we hope) */
    input = request["POST_DATA"];
    jsonInput = Json.decode(input);
}
else if (request["REQUEST_METHOD"] == "GET" &&
         form["_ScriptTransport_id"] != undefined &&
         form["_ScriptTransport_id"] !=
           jsonrpc.Constant.ScriptTransport.NotInUse &&
         form["_ScriptTransport_data"] != undefined)
{
    /* We have what looks like a valid ScriptTransport request */
    scriptTransportId = form["_ScriptTransport_id"];
    error.setScriptTransportId(scriptTransportId);
    input = form["_ScriptTransport_data"];
    jsonInput = Json.decode(input);
}

/* Ensure that this was a JSON-RPC service request */
if (! jsonrpc.validRequest(jsonInput))
{
    /*
     * This request was not issued with JSON-RPC so echo the error rather than
     * issuing a JsonRpcError response.
     */
    write("JSON-RPC request expected; service, method or params missing<br>");
    return;
}

/*
 * Ok, it looks like JSON-RPC, so we'll return an Error object if we encounter
 * errors from here on out.
 */
error.setId(jsonInput.id);

/* Service and method names may contain these characters */
var nameChars =
    "_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";

/* The first letter of service and method names must be a letter */
var nameFirstLetter =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

/*
 * Ensure the method name is kosher.  A method name should be:
 *
 *   - first character is in [a-zA-Z] 
 *   - other characters are in [_a-zA-Z0-9]
 */

/* First check for legal characters */
if (strspn(jsonInput.method, nameChars) != strlen(jsonInput.method))
{
    /* There's some illegal character in the service name */
    error.setError(jsonrpc.Constant.ServerError.MethodNotFound,
                   "Illegal character found in method name.");
    error.Send();
    return;
}

/* Now ensure that it begins with a letter */
if (strspn(substr(jsonInput.method, 0, 1), nameFirstLetter) != 1)
{
    error.setError(jsonrpc.Constant.ServerError.MethodNotFound,
                   "The method name does not begin with a letter");
    error.Send();
    return;
}

/*
 * Ensure the requested service name is kosher.  A service name should be:
 *
 *   - a dot-separated sequences of strings; no adjacent dots
 *   - first character of each string is in [a-zA-Z] 
 *   - other characters are in [_a-zA-Z0-9]
 */

/* First check for legal characters */
if (strspn(jsonInput.service, "." + nameChars) != strlen(jsonInput.service))
{
    /* There's some illegal character in the service name */
    error.setError(jsonrpc.Constant.ServerError.IllegalService,
                   "Illegal character found in service name.");
    error.Send();
    return;
}

/*
 * Now ensure there are no double dots.
 *
 * Frustration with ejs.  Result must be NULL, but we can't use the ===
 * operator: strstr() === null so we have to use typeof.  If the result isn't
 * null, then it'll be a number and therefore not type "pointer".
 */
if (typeof(strstr(jsonInput.service, "..")) != "pointer")
{
    error.setError(jsonrpc.Constant.ServerError.IllegalService,
                   "Illegal use of two consecutive dots in service name");
    error.Send();
    return;
}

/* Explode the service name into its dot-separated parts */
var serviceComponents = split(".", jsonInput.service);

/* Ensure that each component begins with a letter */
for (var i = 0; i < serviceComponents.length; i++)
{
    if (strspn(substr(serviceComponents[i], 0, 1), nameFirstLetter) != 1)
    {
        error.setError(jsonrpc.Constant.ServerError.IllegalService,
                       "A service name component does not begin with a letter");
        error.Send();
        return;
    }
}

/*
 * Now replace all dots with slashes so we can locate the service script.  We
 * also retain the split components of the path, as the class name of the
 * service is the last component of the path.
 */
var servicePath = join("/", serviceComponents) + ".esp";

/* Load the requested class */
if (jsonrpc_include(servicePath))
{
    /* Couldn't find the requested service */
    error.setError(jsonrpc.Constant.ServerError.ServiceNotFound,
                   "Service class `" + servicePath + "` does not exist.");
    error.Send();
    return;
}

/*
 * Find the requested method.
 *
 * What we really want to do here, and could do in any reasonable language,
 * is:
 *
 *   method = jsonrpc.method[jsonInput.method];
 *   if (method && typeof(method) == "function") ...
 *
 * The following completely unreasonable sequence of commands is because:
 *
 *  (a) ejs evaluates all OR'ed expressions even if an early one is false, and
 *      barfs on the typeof(method) call if method is undefined
 *
 *  (b) ejs does not allow comparing against the string "function"!!!  What
 *      the hell is special about that particular string???
 *
 * E-gad.  What a mess.
 */
var method = jsonrpc.method[jsonInput.method];
var valid = (method != undefined);
if (valid)
{
    var type = typeof(method);
    if (substr(type, 0, 1) != 'f' || substr(type, 1) != "unction")
    {
        valid = false;
    }
}

if (! valid)
{
    error.setError(jsonrpc.Constant.ServerError.MethodNotFound,
                   "Method `" + jsonInput.method + "` not found.");
    error.Send();
    return;
}

/*
 * Ensure the logged-in user is allowed to issue the requested method.  We
 * provide the scriptTransportId as one of the determining factors because
 * accepting requests via ScriptTransport is dangerous.  Only methods which
 * one might allow when unauthenticated should be allowed via ScriptTransport
 * as it is easy for a rogue site to trick a user into bypassing
 * authentication.
 */
if (! json_authenticate(serviceComponents,
                        jsonInput.method,
                        scriptTransportId,
                        error))
{
    error.Send();
    return;
}

/* Most errors from here on out will be Application-generated */
error.setOrigin(jsonrpc.Constant.ErrorOrigin.Application);

/* Call the requested method passing it the provided params */
var retval = method(jsonInput.params, error);

/* See if the result of the function was actually an error object */
if (retval["__type"] == "_JsonRpcError")
{
    /* Yup, it was.  Return the error */
    retval.Send();
    return;
}

/* Give 'em what they came for! */
var ret = new Object();
ret.result = retval;
ret.id = jsonInput.id;
sendReply(Json.encode(ret), scriptTransportId);

/*
 * Local Variables:
 * mode: c
 * End:
 */
%>