NMControl, JSON-RPC, and REST
Re: NMControl, JSON-RPC, and REST
Should be human readable and machine readable. I would prefer to leave http status codes out of the API error messages.
I would always return a dict. One can quickly check whether there is an item "error" - if it is not there then everything is fine.
---> Variant #2
-
- Posts: 2001
- Joined: Tue Jun 05, 2012 6:25 am
- os: linux
Re: NMControl, JSON-RPC, and REST
Sounds good, I'll see if I can have a pull request ready soon.
phelix wrote:
> Should be human readable and machine readable. I would prefer to leave http status codes out of the API error messages.
> I would always return a dict. One can quickly check whether there is an item "error" - if it is not there then everything is fine.
> ---> Variant #2
Re: NMControl, JSON-RPC, and REST
Hello phelix (or anyone else interested),
I'm trying to figure out the most efficient way of making some plugin methods "privileged" (i.e. untrusted users can't execute them). For example, starting and stopping plugins should not be possible by untrusted users. (This is particularly an issue since malicious websites can call arbitrary NMControl methods by sending HTTP requests to localhost.)
The rough idea I have, is to have a list of "public" methods in each plugin, which the Bottle handler can check before calling a method. If the requested method is not in the list of public methods, then the HTTP request should fail.
This is a little bit intrusive since it involves adding one line of code to each plugin, and that line needs to be edited if any additional public methods are added later. Is there a better way that I'm not thinking of, or should we just go with that?
Cheers.
Re: NMControl, JSON-RPC, and REST
I'm not quite sure I follow you... no websites should be able to call NMControl methods at all.
biolizard89 wrote:
> Hello phelix (or anyone else interested),
> I'm trying to figure out the most efficient way of making some plugin methods "privileged" (i.e. untrusted users can't execute them). For example, starting and stopping plugins should not be possible by untrusted users. (This is particularly an issue since malicious websites can call arbitrary NMControl methods by sending HTTP requests to localhost.)
> The rough idea I have, is to have a list of "public" methods in each plugin, which the Bottle handler can check before calling a method. If the requested method is not in the list of public methods, then the HTTP request should fail.
> This is a little bit intrusive since it involves adding one line of code to each plugin, and that line needs to be edited if any additional public methods are added later. Is there a better way that I'm not thinking of, or should we just go with that?
> Cheers.
In Python private functions start with an underscore but it is purely a visual difference.
Re: NMControl, JSON-RPC, and REST
Any website can issue an HTTP request to any REST service on any server; this is how web browsers work. In our case, the same-origin policy will prevent the website from seeing the content of the response. However, we need to make sure that NMControl will not do something stupid if it receives such a request. Most of the methods are safe, in that the worst they can do is trigger a DNS lookup (which websites can already do anyway). The main exception (in current method set) is starting/stopping plugins, but this may change if we add other methods to NMControl in the future.
phelix wrote:
> I'm not quite sure I follow you... no websites should be able to call NMControl methods at all.
> biolizard89 wrote:
> > Hello phelix (or anyone else interested),
> > I'm trying to figure out the most efficient way of making some plugin methods "privileged" (i.e. untrusted users can't execute them). For example, starting and stopping plugins should not be possible by untrusted users. (This is particularly an issue since malicious websites can call arbitrary NMControl methods by sending HTTP requests to localhost.)
> > The rough idea I have, is to have a list of "public" methods in each plugin, which the Bottle handler can check before calling a method. If the requested method is not in the list of public methods, then the HTTP request should fail.
> > This is a little bit intrusive since it involves adding one line of code to each plugin, and that line needs to be edited if any additional public methods are added later. Is there a better way that I'm not thinking of, or should we just go with that?
> > Cheers.
> In Python private functions start with an underscore but it is purely a visual difference.
The underscore isn't really suitable, because right now NMControl already uses the underscore to indicate that a method isn't callable by the user at all. Also, we might want finer-grained control than a boolean in the future.
I think just storing a list of public methods for each plugin makes sense, unless you have a proposal for another method?
Re: NMControl, JSON-RPC, and REST
We could also use Python decorators http://thecodeship.com/patterns/guide-t ... ecorators/
Re: NMControl, JSON-RPC, and REST
Good idea. I think I've got something working now; I'll send a PR shortly.
phelix wrote:
> We could also use Python decorators http://thecodeship.com/patterns/guide-t ... ecorators/
Re: NMControl, JSON-RPC, and REST
Sure, no worries. (Anyone else want to test?)
phelix wrote:
> Nice trick using the func_dict. Will take a closer look and test but it will take me a while.
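
The design discussed in this thread, as an added example that is not NMControl's code and not part of any post: a decorator marks a method as public by setting a function attribute, the dispatcher refuses unmarked methods for untrusted callers before calling anything, and every outcome is a dict whose "error" item signals failure. The plugin, its method names, the `rpc_public` attribute and the `trusted` flag are assumptions made for illustration, and the Bottle route that would call `dispatch` is left out.

```python
# Added illustration; plugin, method and attribute names are hypothetical.

def public(func):
    """Mark a plugin method as callable by untrusted (HTTP) callers."""
    func.rpc_public = True      # stored in the function's attribute dict
    return func


class DnsPlugin:                # hypothetical plugin
    def __init__(self):
        self.running = True

    @public
    def lookup(self, name):
        return {"result": "lookup queued for " + name}

    def stop(self):             # privileged: no @public marker
        self.running = False
        return {"result": "stopped"}

    def _load_config(self):     # underscore: never callable by any user
        return {"result": "config"}


def dispatch(plugins, plugin_name, method_name, args, trusted=False):
    """Always return a dict; failures carry an "error" item, no HTTP codes."""
    plugin = plugins.get(plugin_name)
    if plugin is None:
        return {"error": "unknown plugin"}
    if method_name.startswith("_"):
        return {"error": "unknown method"}
    # Look the name up on the class so instance attributes are never callable.
    func = getattr(type(plugin), method_name, None)
    if not callable(func):
        return {"error": "unknown method"}
    # Deny by default: a method added later stays privileged until marked.
    if not trusted and getattr(func, "rpc_public", False) is not True:
        return {"error": "method not public"}
    try:
        return func(plugin, *args)
    except TypeError:           # e.g. wrong number of arguments
        return {"error": "bad arguments"}


PLUGINS = {"dns": DnsPlugin()}
```

Because the check reads a marker on the function itself, forgetting to annotate a new method leaves it privileged rather than exposed, which a separately maintained list of public names does not guarantee.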