<% /* * Copyright: * (C) 2006 by Derrell Lipman * All rights reserved * * License: * LGPL 2.1: http://creativecommons.org/licenses/LGPL/2.1/ */ /* * This is a simple JSON-RPC server. */ /* Bring in the json format/parse functions */ jsonrpc_include("json.esp"); /* Bring in the date class */ jsonrpc_include("jsondate.esp"); /* Load the authentication script */ jsonrpc_include("json_auth.esp"); /* bring the string functions into the global frame */ string_init(global); /* Bring the system functions into the global frame */ sys_init(global); /* Bring the session functions into the global frame */ system_session(global); function printf() { print(vsprintf(arguments)); } /* * All of our manipulation of JSON RPC methods will be through this object. * Each class of methods will assign to here, and all of the constants will * also be in this object. */ jsonrpc = new Object(); jsonrpc.Constant = new Object(); jsonrpc.Constant.ErrorOrigin = new Object(); /* error origins */ jsonrpc.Constant.ServerError = new Object(); /* server-generated error codes */ jsonrpc.method = new Object(); /* methods available in requested class */ /* * ScriptTransport constants */ jsonrpc.Constant.ScriptTransport = new Object(); jsonrpc.Constant.ScriptTransport.NotInUse = -1; /* * JSON-RPC error origin constants */ jsonrpc.Constant.ErrorOrigin.Server = 1; jsonrpc.Constant.ErrorOrigin.Application = 2; jsonrpc.Constant.ErrorOrigin.Transport = 3; jsonrpc.Constant.ErrorOrigin.Client = 4; /* * JSON-RPC server-generated error code constants */ /** * Error code, value 0: Unknown Error * * The default error code, used only when no specific error code is passed to * the JsonRpcError constructor. This code should generally not be used. */ jsonrpc.Constant.ServerError.Unknown = 0; /** * Error code, value 1: Illegal Service * * The service name contains illegal characters or is otherwise deemed * unacceptable to the JSON-RPC server. */ jsonrpc.Constant.ServerError.IllegalService = 1; /** * Error code, value 2: Service Not Found * * The requested service does not exist at the JSON-RPC server. */ jsonrpc.Constant.ServerError.ServiceNotFound = 2; /** * Error code, value 3: Class Not Found * * If the JSON-RPC server divides service methods into subsets (classes), this * indicates that the specified class was not found. This is slightly more * detailed than "Method Not Found", but that error would always also be legal * (and true) whenever this one is returned. (Not used in this implementation) */ jsonrpc.Constant.ServerError.ClassNotFound = 3; /** * Error code, value 4: Method Not Found * * The method specified in the request is not found in the requested service. */ jsonrpc.Constant.ServerError.MethodNotFound = 4; /* * Error code, value 5: Parameter Mismatch * * If a method discovers that the parameters (arguments) provided to it do not * match the requisite types for the method's parameters, it should return * this error code to indicate so to the caller. * * This error is also used to indicate an illegal parameter value, in server * scripts. */ jsonrpc.Constant.ServerError.ParameterMismatch = 5; /** * Error code, value 6: Permission Denied * * A JSON-RPC service provider can require authentication, and that * authentication can be implemented such the method takes authentication * parameters, or such that a method or class of methods requires prior * authentication. If the caller has not properly authenticated to use the * requested method, this error code is returned. */ jsonrpc.Constant.ServerError.PermissionDenied = 6; /*** Errors generated by this server which are not qooxdoo-standard ***/ /* * Error code, value 1000: Unexpected Output * * The called method illegally generated output to the browser, which would * have preceeded the JSON-RPC data. */ jsonrpc.Constant.ServerError.UnexpectedOutput = 1000; /* * Error code, value 1001: Resource Error * * Too many resources were requested, a system limitation on the total number * of resources has been reached, or a resource or resource id was misused. */ jsonrpc.Constant.ServerError.ResourceError = 1001; /* * Error code, value 1002: Not Logged In * * The user has logged out and must re-authenticate, or this is a brand new * session and the user must log in. * */ jsonrpc.Constant.ServerError.NotLoggedIn = 1002; /* * Error code, value 1003: Session Expired * * The session has expired and the user must re-authenticate. * */ jsonrpc.Constant.ServerError.SessionExpired = 1003; /* * Error code, value 1004: Login Failed * * An attempt to log in failed. * */ jsonrpc.Constant.ServerError.LoginFailed = 1004; function sendReply(reply, scriptTransportId) { /* If not using ScriptTransport... */ if (scriptTransportId == jsonrpc.Constant.ScriptTransport.NotInUse) { /* ... then just output the reply. */ write(reply); } else { /* Otherwise, we need to add a call to a qooxdoo-specific function */ reply = "qx.io.remote.ScriptTransport._requestFinished(" + scriptTransportId + ", " + reply + ");"; write(reply); } } function _jsonValidRequest(req) { if (req == undefined) { return false; } if (typeof(req) != "object") { return false; } if (req["id"] == undefined) { return false; } if (req["service"] == undefined) { return false; } if (req["method"] == undefined) { return false; } if (req["params"] == undefined) { return false; } return true; } jsonrpc.validRequest = _jsonValidRequest; _jsonValidRequest = null; /* * class JsonRpcError * * This class allows service methods to easily provide error information for * return via JSON-RPC. */ function _JsonRpcError_create(origin, code, message) { var o = new Object(); o.data = new Object(); o.data.origin = origin; o.data.code = code; o.data.message = message; o.scriptTransportId = jsonrpc.Constant.ScriptTransport.NotInUse; o.__type = "_JsonRpcError"; function _origin(origin) { this.data.origin = origin; } o.setOrigin = _origin; function _setError(code, message) { this.data.code = code; this.data.message = message; } o.setError = _setError; function _setId(id) { this.id = id; } o.setId = _setId; function _setScriptTransportId(id) { this.scriptTransportId = id; } o.setScriptTransportId = _setScriptTransportId; function _setInfo(info) { // Add the info field only if info is actually provided. // This is an extension to qooxdoo's normal Error return value. this.data.info = info; } o.setInfo = _setInfo; function _Send() { var error = this; var id = this.id; var ret = new Object(); ret.error = this.data; ret.id = this.id; sendReply(Json.encode(ret), this.scriptTransportId); } o.Send = _Send; return o; } jsonrpc.createError = _JsonRpcError_create; _JsonRpcError_create = null; /* * 'input' is the user-provided json-encoded request * 'jsonInput' is that request, decoded into its object form */ var input; var jsonInput = null; /* Allocate a generic error object */ error = jsonrpc.createError(jsonrpc.Constant.ErrorOrigin.Server, jsonrpc.Constant.ServerError.Unknown, "Unknown error"); /* Assume (default) we're not using ScriptTransport */ scriptTransportId = jsonrpc.Constant.ScriptTransport.NotInUse; /* What type of request did we receive? */ if (request["REQUEST_METHOD"] == "POST" && request["CONTENT_TYPE"] == "application/json") { /* We found literal POSTed json-rpc data (we hope) */ input = request["POST_DATA"]; jsonInput = Json.decode(input); } else if (request["REQUEST_METHOD"] == "GET" && form["_ScriptTransport_id"] != undefined && form["_ScriptTransport_id"] != jsonrpc.Constant.ScriptTransport.NotInUse && form["_ScriptTransport_data"] != undefined) { /* We have what looks like a valid ScriptTransport request */ scriptTransportId = form["_ScriptTransport_id"]; error.setScriptTransportId(scriptTransportId); input = form["_ScriptTransport_data"]; jsonInput = Json.decode(input); } /* Ensure that this was a JSON-RPC service request */ if (! jsonrpc.validRequest(jsonInput)) { /* * This request was not issued with JSON-RPC so echo the error rather than * issuing a JsonRpcError response. */ write("JSON-RPC request expected; service, method or params missing
"); return; } /* * Ok, it looks like JSON-RPC, so we'll return an Error object if we encounter * errors from here on out. */ error.setId(jsonInput.id); /* Service and method names may contain these characters */ var nameChars = "_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"; /* The first letter of service and method names must be a letter */ var nameFirstLetter = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; /* * Ensure the method name is kosher. A method name should be: * * - first character is in [a-zA-Z] * - other characters are in [_a-zA-Z0-9] */ /* First check for legal characters */ if (strspn(jsonInput.method, nameChars) != strlen(jsonInput.method)) { /* There's some illegal character in the service name */ error.setError(jsonrpc.Constant.ServerError.MethodNotFound, "Illegal character found in method name."); error.Send(); return; } /* Now ensure that it begins with a letter */ if (strspn(substr(jsonInput.method, 0, 1), nameFirstLetter) != 1) { error.setError(jsonrpc.Constant.ServerError.MethodNotFound, "The method name does not begin with a letter"); error.Send(); return; } /* * Ensure the requested service name is kosher. A service name should be: * * - a dot-separated sequences of strings; no adjacent dots * - first character of each string is in [a-zA-Z] * - other characters are in [_a-zA-Z0-9] */ /* First check for legal characters */ if (strspn(jsonInput.service, "." + nameChars) != strlen(jsonInput.service)) { /* There's some illegal character in the service name */ error.setError(jsonrpc.Constant.ServerError.IllegalService, "Illegal character found in service name."); error.Send(); return; } /* * Now ensure there are no double dots. * * Frustration with ejs. Result must be NULL, but we can't use the === * operator: strstr() === null so we have to use typeof. If the result isn't * null, then it'll be a number and therefore not type "pointer". */ if (typeof(strstr(jsonInput.service, "..")) != "pointer") { error.setError(jsonrpc.Constant.ServerError.IllegalService, "Illegal use of two consecutive dots in service name"); error.Send(); return; } /* Explode the service name into its dot-separated parts */ var serviceComponents = split(".", jsonInput.service); /* Ensure that each component begins with a letter */ for (var i = 0; i < serviceComponents.length; i++) { if (strspn(substr(serviceComponents[i], 0, 1), nameFirstLetter) != 1) { error.setError(jsonrpc.Constant.ServerError.IllegalService, "A service name component does not begin with a letter"); error.Send(); return; } } /* * Now replace all dots with slashes so we can locate the service script. We * also retain the split components of the path, as the class name of the * service is the last component of the path. */ var servicePath = join("/", serviceComponents) + ".esp"; /* Load the requested class */ if (jsonrpc_include(servicePath)) { /* Couldn't find the requested service */ error.setError(jsonrpc.Constant.ServerError.ServiceNotFound, "Service class `" + servicePath + "` does not exist."); error.Send(); return; } /* * Find the requested method. * * What we really want to do here, and could do in any reasonable language, * is: * * method = jsonrpc.method[jsonInput.method]; * if (method && typeof(method) == "function") ... * * The following completely unreasonable sequence of commands is because: * * (a) ejs evaluates all OR'ed expressions even if an early one is false, and * barfs on the typeof(method) call if method is undefined * * (b) ejs does not allow comparing against the string "function"!!! What * the hell is special about that particular string??? * * E-gad. What a mess. */ var method = jsonrpc.method[jsonInput.method]; var valid = (method != undefined); if (valid) { var type = typeof(method); if (substr(type, 0, 1) != 'f' || substr(type, 1) != "unction") { valid = false; } } if (! valid) { error.setError(jsonrpc.Constant.ServerError.MethodNotFound, "Method `" + jsonInput.method + "` not found."); error.Send(); return; } /* * Ensure the logged-in user is allowed to issue the requested method. We * provide the scriptTransportId as one of the determining factors because * accepting requests via ScriptTransport is dangerous. Only methods which * one might allow when unauthenticated should be allowed via ScriptTransport * as it is easy for a rogue site to trick a user into bypassing * authentication. */ if (! json_authenticate(serviceComponents, jsonInput.method, scriptTransportId, error)) { error.Send(); return; } /* Most errors from here on out will be Application-generated */ error.setOrigin(jsonrpc.Constant.ErrorOrigin.Application); /* Call the requested method passing it the provided params */ var retval = method(jsonInput.params, error); /* See if the result of the function was actually an error object */ if (retval["__type"] == "_JsonRpcError") { /* Yup, it was. Return the error */ retval.Send(); return; } /* Give 'em what they came for! */ var ret = new Object(); ret.result = retval; ret.id = jsonInput.id; sendReply(Json.encode(ret), scriptTransportId); /* * Local Variables: * mode: c * End: */ %>