Major rework in rlm_rest

- Remove all synchronous expansions. data, uri, username, password are now passed in as a call_envs - Perform uri escaping within call_env evaluation for module section calls - Split config items into request/response sections, and document which config items can't be used as xlats - Remove legacy uri expansion and escaping - Have test json-api endpoints echo back headers, args, and body data, and fix up xlat tests to check what we sent over - Start of response header parsing and output - Support taking body data, and headers, from ANY tmpl type not just xlats
FreeRADIUS · Jan 20, 2024 · 25bf946 · 25bf946
1 parent 5baf858
commit 25bf946
Show file tree

Hide file tree

Showing 10 changed files with 587 additions and 440 deletions.
diff --git a/raddb/mods-available/rest b/raddb/mods-available/rest
@@ -190,34 +190,67 @@ rest {
 	#  For example, if you list `rest` in the `authorize` section of a `virtual server`,
 	#  the settings from the `authorize` section here will be used.
 	#
-	#  The following config items may be listed in any of the sections:
+	#  The following sections are supported:
+	#
+	#  - `authorize { ... }`
+	#  - `authenticate { ... }`
+	#  - `accounting { ... }`
+	#  - `post-auth { ... }`
+	#  - `xlat { ... }`
+	#
+	#  At the top level of each section, the following config items may be listed:
 	#
 	#  [options="header,autowidth"]
 	#  |===
-	#  | Option         | Description
-	#  | `uri`          | To send the request to.
-	#  | `proxy`        | The request via this server, supports `socks/http/https` uri and `:port`.
+	#  | Option        		| Description
+	#  | `request { ... }`          | How to create the HTTP request.
+	#  | `response { ... }`         | How to decode the response.
+	#  | `tls`          		| TLS settings for HTTPS.
+	#  | `timeout`      		| HTTP request timeout in seconds, defaults to 4.0.
+	#  |===
+	#
+	#  In the `request { ... }` subsection, the following config items may be listed:
+	#
+	#  [options="header,autowidth"]
+	#  |===
+	#  | Option         | Description								| Allowed in `xlat { ... }`
+	#  | `uri`          | To send the request to.							| no
+	#  | `proxy`        | The request via this server, supports `socks/http/https` uri and `:port`. | no
 	#                     May be set to "none" to disable proxying, overriding any environmental
 	#		      variables set like http_proxy.
-	#  | `method`       | HTTP method to use, one of 'get', 'post', 'put', 'patch',
+	#  | `method`       | HTTP method to use, one of 'get', 'post', 'put', 'patch',			| no
 	#                     'delete' or any custom HTTP method.
-	#  | `header`       | A custom header in the format '<header>: <value>'.
-	#  | `body`         | The format of the HTTP body sent to the remote server.
+	#  | `header`       | A custom header in the format '<header>: <value>'.			| yes
+	#		      May be specified multiple times.  Will be expanded.
+	#  | `body`         | The format of the HTTP body sent to the remote server.			| yes
 	#                     May be 'none', 'post' or 'json', defaults to 'none'.
-	#  | `data`         | Send custom freeform data in the HTTP body. `Content-type`
+	#  | `data`         | Send custom freeform data in the HTTP body. `Content-type`		| yes
 	#                     may be specified with `body`. Will be expanded.
 	#                     Values from expansion will not be escaped, this should be
-	#                     done using the appropriate `xlat` method e.g. `%urlquote(<attr>)`
-	#  | `force_to`     | Force the response to be decoded with this decoder.
-	#                     May be 'plain' (creates reply.REST-HTTP-Body), 'post' or 'json'.
-	#  | `tls`          | TLS settings for HTTPS.
-	#  | `auth`         | HTTP auth method to use, one of 'none', 'srp', 'basic',
+	#		      done using the appropriate `xlat` method e.g.
+	#		      `%url.quote(<attr>)`
+	#  | `auth`         | HTTP auth method to use, one of 'none', 'srp', 'basic',			| yes
 	#                     'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
 	#                     'ntlm-winbind', 'any', 'safe'. defaults to _'none'_.
-	#  | `username`     | User to authenticate as, will be expanded.
-	#  | `password`     | Password to use for authentication, will be expanded.
-	#  | `require_auth` | Require HTTP authentication.
-	#  | `timeout`      | HTTP request timeout in seconds, defaults to 4.0.
+	#  | `require_auth` | Require HTTP authentication or fail the request.				| yes
+	#  | `username`     | User to authenticate as.  Will be expanded.				| yes
+	#		      Defaults to `%{User-Name}` in the `authenticate { ... }` section.
+	#  | `password`     | Password to use for authentication.  Will be expanded.			| yes
+	#		      Defaults to `%{User-Password}` in the `authenticate { ... }` section.
+	#  |===
+	#
+	#
+	#  In the `response { ... }` subsection, the following config items may be listed:
+	#
+	#  [options="header,autowidth"]
+	#  |===
+	#  | Option         | Description
+	#  | `header`       | Where to write out HTTP headers included in the response.
+	#		      Must resolve to a leaf attribute i.e. &reply.REST-HTTP-Header.
+	#		      If unspecified, headers will be discarded.
+	#		      Values will be in the format '<header>: <value>'.
+	#  | `force_to`     | Force the response to be decoded with this decoder.
+	#                     May be 'plain' (creates reply.REST-HTTP-Body), 'post' or 'json'.
 	#  | `max_body_in`  | Maximum size of incoming HTTP body, defaults to 16k.
 	#  |===
 	#

diff --git a/scripts/ci/openresty/json-api.lua b/scripts/ci/openresty/json-api.lua
@@ -139,7 +139,26 @@ Api.endpoint('GET', '/user/<username>/mac/<client>',
 Api.endpoint('GET', '/user/<username>/reflect/',
     function(body, keyData)
         local returnData = {}
-        returnData["station"] = uriArgs.station
+
+        -- Return two Reply-Message attributes, the first with request headers, the second with arguments
+        returnData["reply.Reply-Message"] = {
+            op = ":=",
+            value = { ngx.encode_base64(cjson.encode(ngx.req.get_headers())), ngx.encode_base64(cjson.encode(uriArgs)) }
+        }
+        return ngx.say(cjson.encode(returnData))
+    end
+)
+
+-- Simple reflection of a URI argument
+Api.endpoint('POST', '/user/<username>/reflect/',
+    function(body, keyData)
+        local returnData = {}
+
+        -- Return three Reply-Message attributes, the first with request headers, the second with arguments, the third with the request body
+        returnData["reply.Reply-Message"] = {
+            op = ":=",
+            value = { ngx.encode_base64(cjson.encode(ngx.req.get_headers())), ngx.encode_base64(cjson.encode(uriArgs)), ngx.encode_base64(cjson.encode(body)) }
+        }
         return ngx.say(cjson.encode(returnData))
     end
 )