mirror of
https://github.com/samba-team/samba.git
synced 2025-01-14 19:24:43 +03:00
9639836022
- Add authentication. The Web Application Framework can now be called directly and it will rqeuire authentication if required, and should re-query the user to log in when the session expires. - General clean-up (This used to be commit 27c5d7dca6fa4e0811c1b8bb52d1db3d1824462c)
541 lines
14 KiB
Plaintext
541 lines
14 KiB
Plaintext
<%
|
|
|
|
/*
|
|
* Copyright:
|
|
* (C) 2006 by Derrell Lipman
|
|
* All rights reserved
|
|
*
|
|
* License:
|
|
* LGPL 2.1: http://creativecommons.org/licenses/LGPL/2.1/
|
|
*/
|
|
|
|
/*
|
|
* This is a simple JSON-RPC server.
|
|
*/
|
|
|
|
/* Bring in the json format/parse functions */
|
|
jsonrpc_include("json.esp");
|
|
|
|
/* Bring in the date class */
|
|
jsonrpc_include("jsondate.esp");
|
|
|
|
/* Load the authentication script */
|
|
jsonrpc_include("json_auth.esp");
|
|
|
|
|
|
/* bring the string functions into the global frame */
|
|
string_init(global);
|
|
|
|
/* Bring the system functions into the global frame */
|
|
sys_init(global);
|
|
|
|
/* Bring the session functions into the global frame */
|
|
system_session(global);
|
|
|
|
|
|
function printf()
|
|
{
|
|
print(vsprintf(arguments));
|
|
}
|
|
|
|
|
|
/*
|
|
* All of our manipulation of JSON RPC methods will be through this object.
|
|
* Each class of methods will assign to here, and all of the constants will
|
|
* also be in this object.
|
|
*/
|
|
jsonrpc = new Object();
|
|
jsonrpc.Constant = new Object();
|
|
jsonrpc.Constant.ErrorOrigin = new Object(); /* error origins */
|
|
jsonrpc.Constant.ServerError = new Object(); /* server-generated error codes */
|
|
jsonrpc.method = new Object(); /* methods available in requested class */
|
|
|
|
/*
|
|
* ScriptTransport constants
|
|
*/
|
|
jsonrpc.Constant.ScriptTransport = new Object();
|
|
jsonrpc.Constant.ScriptTransport.NotInUse = -1;
|
|
|
|
|
|
/*
|
|
* JSON-RPC error origin constants
|
|
*/
|
|
jsonrpc.Constant.ErrorOrigin.Server = 1;
|
|
jsonrpc.Constant.ErrorOrigin.Application = 2;
|
|
jsonrpc.Constant.ErrorOrigin.Transport = 3;
|
|
jsonrpc.Constant.ErrorOrigin.Client = 4;
|
|
|
|
|
|
|
|
/*
|
|
* JSON-RPC server-generated error code constants
|
|
*/
|
|
|
|
/**
|
|
* Error code, value 0: Unknown Error
|
|
*
|
|
* The default error code, used only when no specific error code is passed to
|
|
* the JsonRpcError constructor. This code should generally not be used.
|
|
*/
|
|
jsonrpc.Constant.ServerError.Unknown = 0;
|
|
|
|
/**
|
|
* Error code, value 1: Illegal Service
|
|
*
|
|
* The service name contains illegal characters or is otherwise deemed
|
|
* unacceptable to the JSON-RPC server.
|
|
*/
|
|
jsonrpc.Constant.ServerError.IllegalService = 1;
|
|
|
|
/**
|
|
* Error code, value 2: Service Not Found
|
|
*
|
|
* The requested service does not exist at the JSON-RPC server.
|
|
*/
|
|
jsonrpc.Constant.ServerError.ServiceNotFound = 2;
|
|
|
|
/**
|
|
* Error code, value 3: Class Not Found
|
|
*
|
|
* If the JSON-RPC server divides service methods into subsets (classes), this
|
|
* indicates that the specified class was not found. This is slightly more
|
|
* detailed than "Method Not Found", but that error would always also be legal
|
|
* (and true) whenever this one is returned. (Not used in this implementation)
|
|
*/
|
|
jsonrpc.Constant.ServerError.ClassNotFound = 3;
|
|
|
|
/**
|
|
* Error code, value 4: Method Not Found
|
|
*
|
|
* The method specified in the request is not found in the requested service.
|
|
*/
|
|
jsonrpc.Constant.ServerError.MethodNotFound = 4;
|
|
|
|
/*
|
|
* Error code, value 5: Parameter Mismatch
|
|
*
|
|
* If a method discovers that the parameters (arguments) provided to it do not
|
|
* match the requisite types for the method's parameters, it should return
|
|
* this error code to indicate so to the caller.
|
|
*
|
|
* This error is also used to indicate an illegal parameter value, in server
|
|
* scripts.
|
|
*/
|
|
jsonrpc.Constant.ServerError.ParameterMismatch = 5;
|
|
|
|
/**
|
|
* Error code, value 6: Permission Denied
|
|
*
|
|
* A JSON-RPC service provider can require authentication, and that
|
|
* authentication can be implemented such the method takes authentication
|
|
* parameters, or such that a method or class of methods requires prior
|
|
* authentication. If the caller has not properly authenticated to use the
|
|
* requested method, this error code is returned.
|
|
*/
|
|
jsonrpc.Constant.ServerError.PermissionDenied = 6;
|
|
|
|
/*** Errors generated by this server which are not qooxdoo-standard ***/
|
|
|
|
/*
|
|
* Error code, value 1000: Unexpected Output
|
|
*
|
|
* The called method illegally generated output to the browser, which would
|
|
* have preceeded the JSON-RPC data.
|
|
*/
|
|
jsonrpc.Constant.ServerError.UnexpectedOutput = 1000;
|
|
|
|
/*
|
|
* Error code, value 1001: Resource Error
|
|
*
|
|
* Too many resources were requested, a system limitation on the total number
|
|
* of resources has been reached, or a resource or resource id was misused.
|
|
*/
|
|
jsonrpc.Constant.ServerError.ResourceError = 1001;
|
|
|
|
/*
|
|
* Error code, value 1002: Not Logged In
|
|
*
|
|
* The user has logged out and must re-authenticate, or this is a brand new
|
|
* session and the user must log in.
|
|
*
|
|
*/
|
|
jsonrpc.Constant.ServerError.NotLoggedIn = 1002;
|
|
|
|
/*
|
|
* Error code, value 1003: Session Expired
|
|
*
|
|
* The session has expired and the user must re-authenticate.
|
|
*
|
|
*/
|
|
jsonrpc.Constant.ServerError.SessionExpired = 1003;
|
|
|
|
/*
|
|
* Error code, value 1004: Login Failed
|
|
*
|
|
* An attempt to log in failed.
|
|
*
|
|
*/
|
|
jsonrpc.Constant.ServerError.LoginFailed = 1004;
|
|
|
|
|
|
|
|
|
|
|
|
function sendReply(reply, scriptTransportId)
|
|
{
|
|
/* If not using ScriptTransport... */
|
|
if (scriptTransportId == jsonrpc.Constant.ScriptTransport.NotInUse)
|
|
{
|
|
/* ... then just output the reply. */
|
|
write(reply);
|
|
}
|
|
else
|
|
{
|
|
/* Otherwise, we need to add a call to a qooxdoo-specific function */
|
|
reply =
|
|
"qx.io.remote.ScriptTransport._requestFinished(" +
|
|
scriptTransportId + ", " + reply +
|
|
");";
|
|
write(reply);
|
|
}
|
|
}
|
|
|
|
|
|
function _jsonValidRequest(req)
|
|
{
|
|
if (req == undefined)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
if (typeof(req) != "object")
|
|
{
|
|
return false;
|
|
}
|
|
|
|
if (req["id"] == undefined)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
if (req["service"] == undefined)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
if (req["method"] == undefined)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
if (req["params"] == undefined)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
jsonrpc.validRequest = _jsonValidRequest;
|
|
_jsonValidRequest = null;
|
|
|
|
/*
|
|
* class JsonRpcError
|
|
*
|
|
* This class allows service methods to easily provide error information for
|
|
* return via JSON-RPC.
|
|
*/
|
|
function _JsonRpcError_create(origin, code, message)
|
|
{
|
|
var o = new Object();
|
|
|
|
o.data = new Object();
|
|
o.data.origin = origin;
|
|
o.data.code = code;
|
|
o.data.message = message;
|
|
o.scriptTransportId = jsonrpc.Constant.ScriptTransport.NotInUse;
|
|
o.__type = "_JsonRpcError";
|
|
|
|
function _origin(origin)
|
|
{
|
|
this.data.origin = origin;
|
|
}
|
|
o.setOrigin = _origin;
|
|
|
|
function _setError(code, message)
|
|
{
|
|
this.data.code = code;
|
|
this.data.message = message;
|
|
}
|
|
o.setError = _setError;
|
|
|
|
function _setId(id)
|
|
{
|
|
this.id = id;
|
|
}
|
|
o.setId = _setId;
|
|
|
|
function _setScriptTransportId(id)
|
|
{
|
|
this.scriptTransportId = id;
|
|
}
|
|
o.setScriptTransportId = _setScriptTransportId;
|
|
|
|
function _setInfo(info)
|
|
{
|
|
// Add the info field only if info is actually provided.
|
|
// This is an extension to qooxdoo's normal Error return value.
|
|
this.data.info = info;
|
|
}
|
|
o.setInfo = _setInfo;
|
|
|
|
function _Send()
|
|
{
|
|
var error = this;
|
|
var id = this.id;
|
|
var ret = new Object();
|
|
ret.error = this.data;
|
|
ret.id = this.id;
|
|
sendReply(Json.encode(ret), this.scriptTransportId);
|
|
}
|
|
o.Send = _Send;
|
|
|
|
return o;
|
|
}
|
|
|
|
jsonrpc.createError = _JsonRpcError_create;
|
|
_JsonRpcError_create = null;
|
|
|
|
/*
|
|
* 'input' is the user-provided json-encoded request
|
|
* 'jsonInput' is that request, decoded into its object form
|
|
*/
|
|
var input;
|
|
var jsonInput = null;
|
|
|
|
/* Allocate a generic error object */
|
|
error = jsonrpc.createError(jsonrpc.Constant.ErrorOrigin.Server,
|
|
jsonrpc.Constant.ServerError.Unknown,
|
|
"Unknown error");
|
|
|
|
/* Assume (default) we're not using ScriptTransport */
|
|
scriptTransportId = jsonrpc.Constant.ScriptTransport.NotInUse;
|
|
|
|
/* What type of request did we receive? */
|
|
if (request["REQUEST_METHOD"] == "POST" &&
|
|
request["CONTENT_TYPE"] == "text/json")
|
|
{
|
|
/* We found literal POSTed json-rpc data (we hope) */
|
|
input = request["POST_DATA"];
|
|
jsonInput = Json.decode(input);
|
|
}
|
|
else if (request["REQUEST_METHOD"] == "GET" &&
|
|
form["_ScriptTransport_id"] != undefined &&
|
|
form["_ScriptTransport_id"] !=
|
|
jsonrpc.Constant.ScriptTransport.NotInUse &&
|
|
form["_ScriptTransport_data"] != undefined)
|
|
{
|
|
/* We have what looks like a valid ScriptTransport request */
|
|
scriptTransportId = form["_ScriptTransport_id"];
|
|
error.setScriptTransportId(scriptTransportId);
|
|
input = form["_ScriptTransport_data"];
|
|
jsonInput = Json.decode(input);
|
|
}
|
|
|
|
/* Ensure that this was a JSON-RPC service request */
|
|
if (! jsonrpc.validRequest(jsonInput))
|
|
{
|
|
/*
|
|
* This request was not issued with JSON-RPC so echo the error rather than
|
|
* issuing a JsonRpcError response.
|
|
*/
|
|
write("JSON-RPC request expected; service, method or params missing<br>");
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* Ok, it looks like JSON-RPC, so we'll return an Error object if we encounter
|
|
* errors from here on out.
|
|
*/
|
|
error.setId(jsonInput.id);
|
|
|
|
/* Service and method names may contain these characters */
|
|
var nameChars =
|
|
"_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890";
|
|
|
|
/* The first letter of service and method names must be a letter */
|
|
var nameFirstLetter =
|
|
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
|
|
|
|
/*
|
|
* Ensure the method name is kosher. A method name should be:
|
|
*
|
|
* - first character is in [a-zA-Z]
|
|
* - other characters are in [_a-zA-Z0-9]
|
|
*/
|
|
|
|
/* First check for legal characters */
|
|
if (strspn(jsonInput.method, nameChars) != strlen(jsonInput.method))
|
|
{
|
|
/* There's some illegal character in the service name */
|
|
error.setError(jsonrpc.Constant.ServerError.MethodNotFound,
|
|
"Illegal character found in method name.");
|
|
error.Send();
|
|
return;
|
|
}
|
|
|
|
/* Now ensure that it begins with a letter */
|
|
if (strspn(substr(jsonInput.method, 0, 1), nameFirstLetter) != 1)
|
|
{
|
|
error.setError(jsonrpc.Constant.ServerError.MethodNotFound,
|
|
"The method name does not begin with a letter");
|
|
error.Send();
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* Ensure the requested service name is kosher. A service name should be:
|
|
*
|
|
* - a dot-separated sequences of strings; no adjacent dots
|
|
* - first character of each string is in [a-zA-Z]
|
|
* - other characters are in [_a-zA-Z0-9]
|
|
*/
|
|
|
|
/* First check for legal characters */
|
|
if (strspn(jsonInput.service, "." + nameChars) != strlen(jsonInput.service))
|
|
{
|
|
/* There's some illegal character in the service name */
|
|
error.setError(jsonrpc.Constant.ServerError.IllegalService,
|
|
"Illegal character found in service name.");
|
|
error.Send();
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* Now ensure there are no double dots.
|
|
*
|
|
* Frustration with ejs. Result must be NULL, but we can't use the ===
|
|
* operator: strstr() === null so we have to use typeof. If the result isn't
|
|
* null, then it'll be a number and therefore not type "pointer".
|
|
*/
|
|
if (typeof(strstr(jsonInput.service, "..")) != "pointer")
|
|
{
|
|
error.setError(jsonrpc.Constant.ServerError.IllegalService,
|
|
"Illegal use of two consecutive dots in service name");
|
|
error.Send();
|
|
return;
|
|
}
|
|
|
|
/* Explode the service name into its dot-separated parts */
|
|
var serviceComponents = split(".", jsonInput.service);
|
|
|
|
/* Ensure that each component begins with a letter */
|
|
for (var i = 0; i < serviceComponents.length; i++)
|
|
{
|
|
if (strspn(substr(serviceComponents[i], 0, 1), nameFirstLetter) != 1)
|
|
{
|
|
error.setError(jsonrpc.Constant.ServerError.IllegalService,
|
|
"A service name component does not begin with a letter");
|
|
error.Send();
|
|
return;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Now replace all dots with slashes so we can locate the service script. We
|
|
* also retain the split components of the path, as the class name of the
|
|
* service is the last component of the path.
|
|
*/
|
|
var servicePath = join("/", serviceComponents) + ".esp";
|
|
|
|
/* Load the requested class */
|
|
if (jsonrpc_include(servicePath))
|
|
{
|
|
/* Couldn't find the requested service */
|
|
error.setError(jsonrpc.Constant.ServerError.ServiceNotFound,
|
|
"Service class `" + servicePath + "` does not exist.");
|
|
error.Send();
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* Find the requested method.
|
|
*
|
|
* What we really want to do here, and could do in any reasonable language,
|
|
* is:
|
|
*
|
|
* method = jsonrpc.method[jsonInput.method];
|
|
* if (method && typeof(method) == "function") ...
|
|
*
|
|
* The following completely unreasonable sequence of commands is because:
|
|
*
|
|
* (a) ejs evaluates all OR'ed expressions even if an early one is false, and
|
|
* barfs on the typeof(method) call if method is undefined
|
|
*
|
|
* (b) ejs does not allow comparing against the string "function"!!! What
|
|
* the hell is special about that particular string???
|
|
*
|
|
* E-gad. What a mess.
|
|
*/
|
|
var method = jsonrpc.method[jsonInput.method];
|
|
var valid = (method != undefined);
|
|
if (valid)
|
|
{
|
|
var type = typeof(method);
|
|
if (substr(type, 0, 1) != 'f' || substr(type, 1) != "unction")
|
|
{
|
|
valid = false;
|
|
}
|
|
}
|
|
|
|
if (! valid)
|
|
{
|
|
error.setError(jsonrpc.Constant.ServerError.MethodNotFound,
|
|
"Method `" + jsonInput.method + "` not found.");
|
|
error.Send();
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* Ensure the logged-in user is allowed to issue the requested method. We
|
|
* provide the scriptTransportId as one of the determining factors because
|
|
* accepting requests via ScriptTransport is dangerous. Only methods which
|
|
* one might allow when unauthenticated should be allowed via ScriptTransport
|
|
* as it is easy for a rogue site to trick a user into bypassing
|
|
* authentication.
|
|
*/
|
|
if (! json_authenticate(serviceComponents,
|
|
jsonInput.method,
|
|
scriptTransportId,
|
|
error))
|
|
{
|
|
error.Send();
|
|
return;
|
|
}
|
|
|
|
/* Most errors from here on out will be Application-generated */
|
|
error.setOrigin(jsonrpc.Constant.ErrorOrigin.Application);
|
|
|
|
/* Call the requested method passing it the provided params */
|
|
var retval = method(jsonInput.params, error);
|
|
|
|
/* See if the result of the function was actually an error object */
|
|
if (retval["__type"] == "_JsonRpcError")
|
|
{
|
|
/* Yup, it was. Return the error */
|
|
retval.Send();
|
|
return;
|
|
}
|
|
|
|
/* Give 'em what they came for! */
|
|
var ret = new Object();
|
|
ret.result = retval;
|
|
ret.id = jsonInput.id;
|
|
sendReply(Json.encode(ret), scriptTransportId);
|
|
|
|
/*
|
|
* Local Variables:
|
|
* mode: c
|
|
* End:
|
|
*/
|
|
%>
|