wireproto: require POST for all HTTPv2 requests
author Gregory Szorc <gregory.szorc@gmail.com>
Tue, 13 Mar 2018 11:57:43 -0700
changeset 37048 fc5e261915b9
parent 37047 fddcb51b5084
child 37049 55e901396005
wireproto: require POST for all HTTPv2 requests

Wire protocol version 1 transfers argument data via request headers by default. This has historically caused problems because servers institute limits on the length of individual HTTP headers as well as the total size of all request headers.

Mercurial servers can advertise the maximum length of an individual header. But there's no guarantee any intermediate HTTP agents will accept headers up to that length.

In the existing wire protocol, server operators typically also key off the HTTP request method to implement authentication. For example, GET requests translate to read-only requests and can be allowed. But read-write commands must use POST and require authentication. This has typically worked because the only wire protocol commands that use POST modify the repo (e.g. the "unbundle" command).

There is an experimental feature to enable clients to transmit argument data via POST request bodies. This is technically a better and more robust solution. But we can't enable it by default because of servers assuming POST means write access.

In version 2 of the wire protocol, the permissions of a request are encoded in the URL. And with it being a new protocol in a new URL space, we're not constrained by backwards compatibility requirements.

This commit adopts the technically superior mechanism of using HTTP request bodies to send argument data by requiring POST for all commands.

Strictly speaking, it may be possible to send request bodies on GET requests. But my experience is that not all HTTP stacks support this. POST pretty much always works.

Using POST for read-only operations does sacrifice some RESTful design purity. But this API cares about practicality, not about being in Roy T. Fielding's REST ivory tower.

There's a chance we may relax this restriction in the future. But for now, I want to see how far we can get with a POST only API.

Differential Revision: https://phab.mercurial-scm.org/D2837
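For illustration only, the rule described above can be sketched as a standalone function. This is not the code in this change: the name `check_method` and the tuple it returns are hypothetical, chosen so the sketch runs without any Mercurial objects. Only the status line, the `Allow` header, and the body text are taken from the diff below.

```python
def check_method(method):
    """Return None if the request may proceed, else a 405 response.

    Hypothetical helper: the real server mutates a response object
    rather than returning a tuple.
    """
    if method != 'POST':
        # Every HTTPv2 command requires POST, read-only ones included.
        status = b'405 Method Not Allowed'
        headers = {b'Allow': b'POST'}
        body = b'commands require POST requests'
        return status, headers, body
    return None


# A GET to any command is rejected; a POST passes on to later checks.
print(check_method('GET'))
print(check_method('POST'))
```

The body is 30 bytes long, which matches the `Content-Length: 30` lines in the updated test output.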
mercurial/help/internals/wireprotocol.txt
mercurial/wireprotoserver.py
tests/test-http-api-httpv2.t
--- a/mercurial/help/internals/wireprotocol.txt	Mon Mar 19 16:43:47 2018 -0700
+++ b/mercurial/help/internals/wireprotocol.txt	Tue Mar 13 11:57:43 2018 -0700
@@ -152,11 +152,14 @@
 Version 2 of the HTTP protocol is exposed under the ``/api/*`` URL space.
 It's final API name is not yet formalized.
 
-Commands are triggered by sending HTTP requests against URLs of the
+Commands are triggered by sending HTTP POST requests against URLs of the
 form ``<permission>/<command>``, where ``<permission>`` is ``ro`` or
 ``rw``, meaning read-only and read-write, respectively and ``<command>``
 is a named wire protocol command.
 
+Non-POST request methods MUST be rejected by the server with an HTTP
+405 response.
+
 Commands that modify repository state in meaningful ways MUST NOT be
 exposed under the ``ro`` URL prefix. All available commands MUST be
 available under the ``rw`` URL prefix.
--- a/mercurial/wireprotoserver.py	Mon Mar 19 16:43:47 2018 -0700
+++ b/mercurial/wireprotoserver.py	Tue Mar 13 11:57:43 2018 -0700
@@ -299,6 +299,12 @@
         res.setbodybytes(_('unknown permission: %s') % permission)
         return
 
+    if req.method != 'POST':
+        res.status = b'405 Method Not Allowed'
+        res.headers[b'Allow'] = b'POST'
+        res.setbodybytes(_('commands require POST requests'))
+        return
+
     # At some point we'll want to use our own API instead of recycling the
     # behavior of version 1 of the wire protocol...
     # TODO return reasonable responses - not responses that overload the
--- a/tests/test-http-api-httpv2.t	Mon Mar 19 16:43:47 2018 -0700
+++ b/tests/test-http-api-httpv2.t	Tue Mar 13 11:57:43 2018 -0700
@@ -63,11 +63,11 @@
 Request to read-only command works out of the box
 
   $ send << EOF
-  > httprequest GET api/$HTTPV2/ro/customreadonly
+  > httprequest POST api/$HTTPV2/ro/customreadonly
   >     user-agent: test
   > EOF
   using raw connection to peer
-  s>     GET /api/exp-http-v2-0001/ro/customreadonly HTTP/1.1\r\n
+  s>     POST /api/exp-http-v2-0001/ro/customreadonly HTTP/1.1\r\n
   s>     Accept-Encoding: identity\r\n
   s>     user-agent: test\r\n
   s>     host: $LOCALIP:$HGPORT\r\n (glob)
@@ -84,11 +84,11 @@
 Request to unknown command yields 404
 
   $ send << EOF
-  > httprequest GET api/$HTTPV2/ro/badcommand
+  > httprequest POST api/$HTTPV2/ro/badcommand
   >     user-agent: test
   > EOF
   using raw connection to peer
-  s>     GET /api/exp-http-v2-0001/ro/badcommand HTTP/1.1\r\n
+  s>     POST /api/exp-http-v2-0001/ro/badcommand HTTP/1.1\r\n
   s>     Accept-Encoding: identity\r\n
   s>     user-agent: test\r\n
   s>     host: $LOCALIP:$HGPORT\r\n (glob)
@@ -102,9 +102,30 @@
   s>     \r\n
   s>     unknown wire protocol command: badcommand\n
 
+GET to read-only command yields a 405
+
+  $ send << EOF
+  > httprequest GET api/$HTTPV2/ro/customreadonly
+  >     user-agent: test
+  > EOF
+  using raw connection to peer
+  s>     GET /api/exp-http-v2-0001/ro/customreadonly HTTP/1.1\r\n
+  s>     Accept-Encoding: identity\r\n
+  s>     user-agent: test\r\n
+  s>     host: $LOCALIP:$HGPORT\r\n (glob)
+  s>     \r\n
+  s> makefile('rb', None)
+  s>     HTTP/1.1 405 Method Not Allowed\r\n
+  s>     Server: testing stub value\r\n
+  s>     Date: $HTTP_DATE$\r\n
+  s>     Allow: POST\r\n
+  s>     Content-Length: 30\r\n
+  s>     \r\n
+  s>     commands require POST requests
+
 Request to read-write command fails because server is read-only by default
 
-GET to read-write request not allowed
+GET to read-write request yields 405
 
   $ send << EOF
   > httprequest GET api/$HTTPV2/rw/customreadonly
@@ -117,12 +138,13 @@
   s>     host: $LOCALIP:$HGPORT\r\n (glob)
   s>     \r\n
   s> makefile('rb', None)
-  s>     HTTP/1.1 405 push requires POST request\r\n
+  s>     HTTP/1.1 405 Method Not Allowed\r\n
   s>     Server: testing stub value\r\n
   s>     Date: $HTTP_DATE$\r\n
-  s>     Content-Length: 17\r\n
+  s>     Allow: POST\r\n
+  s>     Content-Length: 30\r\n
   s>     \r\n
-  s>     permission denied
+  s>     commands require POST requests
 
 Even for unknown commands
 
@@ -137,12 +159,13 @@
   s>     host: $LOCALIP:$HGPORT\r\n (glob)
   s>     \r\n
   s> makefile('rb', None)
-  s>     HTTP/1.1 405 push requires POST request\r\n
+  s>     HTTP/1.1 405 Method Not Allowed\r\n
   s>     Server: testing stub value\r\n
   s>     Date: $HTTP_DATE$\r\n
-  s>     Content-Length: 17\r\n
+  s>     Allow: POST\r\n
+  s>     Content-Length: 30\r\n
   s>     \r\n
-  s>     permission denied
+  s>     commands require POST requests
 
 SSL required by default
 
@@ -173,38 +196,6 @@
   > web.api.http-v2 = true
   > [web]
   > push_ssl = false
-  > EOF
-
-  $ hg -R server serve -p $HGPORT -d --pid-file hg.pid
-  $ cat hg.pid > $DAEMON_PIDS
-
-Server insists on POST for read-write commands
-
-  $ send << EOF
-  > httprequest GET api/$HTTPV2/rw/customreadonly
-  >     user-agent: test
-  > EOF
-  using raw connection to peer
-  s>     GET /api/exp-http-v2-0001/rw/customreadonly HTTP/1.1\r\n
-  s>     Accept-Encoding: identity\r\n
-  s>     user-agent: test\r\n
-  s>     host: $LOCALIP:$HGPORT\r\n (glob)
-  s>     \r\n
-  s> makefile('rb', None)
-  s>     HTTP/1.1 405 push requires POST request\r\n
-  s>     Server: testing stub value\r\n
-  s>     Date: $HTTP_DATE$\r\n
-  s>     Content-Length: 17\r\n
-  s>     \r\n
-  s>     permission denied
-
-  $ killdaemons.py
-  $ cat > server/.hg/hgrc << EOF
-  > [experimental]
-  > web.apiserver = true
-  > web.api.http-v2 = true
-  > [web]
-  > push_ssl = false
   > allow-push = *
   > EOF