Mercurial > p > roundup > code

view doc/xmlrpc.txt @ 5201:a9ace22e0a2f

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
issue 2550690 - Adding anti-csrf measures to roundup following https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet and https://seclab.stanford.edu/websec/csrf/csrf.pdf Basically implement Synchronizer (CSRF) Tokens per form on a page. Single use (destroyed once used). Random input data for the token includes: system random implementation in python using /dev/urandom (fallback to random based on timestamp as the seed. Not as good, but should be ok for the short lifetime of the token??) the id (in cpython it's the memory address) of the object requesting a token. In theory this depends on memory layout, the history of the process (how many previous objects have been allocated from the heap etc.) I claim without any proof that for long running processes this is another source of randomness. For short running processes with little activity it could be guessed. last the floating point time.time() value is added. This may only have 1 second resolution so may be guessable. Hopefully for a short lived (2 week by default) token this is sufficient. Also in the current implementation the user is notified when validation fails and is told why. This allows the roundup admin to find the log entry (at error level) and try to resolve the issue. In the future user notification may change but for now this is probably best.
author John Rouillard <rouilj@ieee.org>
date Sat, 18 Mar 2017 16:59:01 -0400
parents 47cc50617e19
children ade4bbc2716d
line wrap: on
line source

=========================
XML-RPC access to Roundup
=========================

.. contents::
   :local:

Introduction
------------
Version 1.4 of Roundup includes an XML-RPC frontend for remote access. The
XML-RPC interface allows a limited subset of commands similar to those found in
local `roundup-admin` tool.

By default XML-RPC is accessible from ``/xmlrpc`` endpoint:

    http://username:password@localhost:8000/xmlrpc

For demo tracker the URL would be:

    http://localhost:8917/demo/xmlrpc

Enabling XML-RPC server 
-----------------------
There are two ways to run the XML-RPC interface:

  stand alone roundup-xmlrpc-server

  through roundup itself

stand alone roundup-xmlrpc-server
---------------------------------
The Roundup XML-RPC standalone server must be started before remote clients can access the
tracker via XML-RPC. ``roundup-xmlrpc-server`` is installed in the scripts
directory alongside ``roundup-server`` and roundup-admin``. When invoked, the
location of the tracker instance must be specified.

	roundup-xmlrpc-server -i ``/path/to/tracker``

The default port is ``8000``. An alternative port can be specified with the
``--port`` switch.

through roundup
---------------
In addition to running a stand alone server described above, the
XML-RPC service is available from the roundup HTTP server.

security consideration
----------------------
Note that the current ``roundup-xmlrpc-server`` implementation does not
support SSL. This means that usernames and passwords will be passed in
cleartext unless the server is being proxied behind another server (such as
Apache or lighttpd) that provide SSL.


Client API
----------
The server currently implements four methods. Each method requires that the
user provide a username and password in the HTTP authorization header in order
to authenticate the request against the tracker.

======= ====================================================================
Command Description
======= ====================================================================
schema

        Fetch tracker schema.

list    arguments: *classname, [property_name]*

        List all elements of a given ``classname``. If ``property_name`` is
        specified, that is the property that will be displayed for each
        element. If ``property_name`` is not specified the default label
        property will be used.

display arguments: *designator, [property_1, ..., property_N]*

        Display a single item in the tracker as specified by ``designator``
        (e.g. issue20 or user5). The default is to display all properties
        for the item. Alternatively, a list of properties to display can be
        specified.

create  arguments: *classname, arg_1 ... arg_N*

        Create a new instance of ``classname`` with ``arg_1`` through
        ``arg_N`` as the values of the new instance. The arguments are
        name=value pairs (e.g. ``status='3'``).

set     arguments: *designator, arg_1 ... arg_N*

        Set the values of an existing item in the tracker as specified by
        ``designator``. The new values are specified in ``arg_1`` through
        ``arg_N``. The arguments are name=value pairs (e.g. ``status='3'``).

lookup  arguments: *classname, key_value*

        looks up the key_value for the given class. The class needs to
        have a key and the user needs search permission on the key
        attribute and id for the given classname.

filter  arguments: *classname, list or None, attributes*
        
        ``list`` is a list of ids to filter. It can be set to None to run
        filter over all values (requires ``allow_none=True`` when
        instantiating the ServerProxy). The ``attributes`` are given as a 
        dictionary of name value pairs to search for. See also :ref:`query-tracker`.
======= ====================================================================

sample python client
====================
::

        >>> import xmlrpclib
        >>> roundup_server = xmlrpclib.ServerProxy('http://admin:admin@localhost:8917/demo/xmlrpc', allow_none=True)
        >>> roundup_server.schema()
        {'user': [['username', '<roundup.hyperdb.String>'], ...], 'issue': [...]}
        >>> roundup_server.list('user')
        ['admin', 'anonymous', 'demo']
        >>> roundup_server.list('issue', 'id')
        ['1']
        >>> roundup_server.display('issue1')
        {'assignedto' : None, 'files' : [], 'title' = 'yes, ..... }
        >>> roundup_server.display('issue1', 'priority', 'status')
        {'priority' : '1', 'status' : '2'}
        >>> roundup_server.set('issue1', 'status=3')
        >>> roundup_server.display('issue1', 'status')
        {'status' : '3' }
        >>> roundup_server.create('issue', "title='another bug'", "status=2")
        '2'
        >>> roundup_server.filter('user',None,{'username':'adm'})
        ['1']
        >>> roundup_server.filter('user',['1','2'],{'username':'adm'})
        ['1']
        >>> roundup_server.filter('user',['2'],{'username':'adm'})
        []
        >>> roundup_server.filter('user',[],{'username':'adm'})
        []
        >>> roundup_server.lookup('user','admin')
        '1'
Roundup Issue Tracker: http://roundup-tracker.org/