Impact of the bug
As was discovered in a MatterMost thread, we have a generic issue with all MicroServices: they accept payloads on end-points that are not supposed to support those HTTP methods.
Describe the bug
This bug is very easy to describe with a simple example:

```
# use POST method with payload on GET end-point returns valid HTTP response
scurl -v -X POST -H "Content-type: application/json" -d '{"foo":1}' https://cmsweb-testbed.cern.ch/ms-transferor/data/info
...
< response-status: 200 OK
...
{"result": [
]}

# use PUT method with payload on GET end-point returns valid HTTP response
scurl -v -X PUT -H "Content-type: application/json" -d '{"foo":1}' https://cmsweb-testbed.cern.ch/ms-transferor/data/info
...
< response-status: 200 OK
...
{"result": [
]}

# and using DELETE method with payload on GET end-point still returns valid HTTP response
scurl -v -X DELETE -H "Content-type: application/json" -d '{"foo":1}' https://cmsweb-testbed.cern.ch/ms-transferor/data/info
...
< response-status: 200 OK
...
{"result": [
]}
```
How to reproduce it
Use the PUT/POST/DELETE HTTP methods on a GET end-point: all requests go through with a valid HTTP 200 OK status code.
Expected behavior
The proper behavior of an HTTP server is to define end-points that support only their relevant methods. If we only define the GET method on /data/info or a similar end-point, all other HTTP methods should not be allowed and should return

```
StatusMethodNotAllowed = 405 // RFC 9110, 15.5.6
```

Additional context and error message
NOTE: The issue described here is related to the cumbersome addition of the MSTransferor end-point discussed here: #12241
Many modern web frameworks rely on explicit end-point registration, e.g. in Flask you must register an end-point as follows:
```python
from flask import Flask

app = Flask(__name__)


@app.route('/')
# the '/' URL is bound to the hello_world() function, and only for GET by default
def hello_world():
    return 'Hello World'


if __name__ == '__main__':
    app.run()
```
In the WMCore REST framework the registration is done implicitly, e.g. we define `def get` and `def post` functions which are applied to all methods. It is up to the implementation of those functions to perform validation and routing, and what I found is that we always have default routes, e.g. if the request does not fall into an `if` statement, an empty result is returned. This is THE ISSUE reported here, i.e. the data is not checked for whether it is appropriate for the given HTTP method, e.g. we can send a POST JSON payload to a GET end-point. To fix this we should implement logic inside those `def get` and `def post` functions to check which HTTP method was called and reject the request appropriately. Moreover, the REST interface is defined in different places like:
As such, multiple places must be edited to declare the appropriate HTTP method (in Data.py) and execute it (in MSManager.py).
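To make the difference concrete, here is an added illustration (not WMCore code; the endpoint table, paths and handler shapes are hypothetical) of a dispatcher that falls through to an empty 200, as reported above, beside one that consults an explicit per-endpoint method table and answers 405 with an `Allow` header:

```python
# Added illustration, not WMCore code: implicit fall-through routing versus an
# explicit method table. Handlers return (status, headers, body) tuples.
from http import HTTPStatus

# Hypothetical endpoint table: path -> set of HTTP methods it implements.
ALLOWED_METHODS = {
    "/data/info": {"GET"},
    "/data/transferor": {"GET", "POST"},
}


def implicit_dispatch(method, path, payload=None):
    """Mimics the reported behaviour: every method reaches the same code and
    anything that matches no branch falls through to the default route."""
    if method == "POST" and path == "/data/transferor":
        return HTTPStatus.OK, {}, {"result": [payload]}
    # default route: POST/PUT/DELETE with a payload on /data/info ends up here
    return HTTPStatus.OK, {}, {"result": []}


def strict_dispatch(method, path, payload=None):
    """Fixed behaviour: reject methods the endpoint does not declare (405 with
    an Allow header, RFC 9110 15.5.6) and unknown paths (404) before any
    handler logic runs, so no request can reach the default route by accident."""
    allowed = ALLOWED_METHODS.get(path)
    if allowed is None:
        return HTTPStatus.NOT_FOUND, {}, {"result": []}
    if method not in allowed:
        headers = {"Allow": ", ".join(sorted(allowed))}
        return HTTPStatus.METHOD_NOT_ALLOWED, headers, {"result": []}
    if method == "GET" and payload is not None:
        # Design choice in this example: a body on GET has no meaning here,
        # so it is refused rather than silently ignored.
        return HTTPStatus.BAD_REQUEST, {}, {"result": []}
    if method == "POST":
        return HTTPStatus.OK, {}, {"result": [payload]}
    return HTTPStatus.OK, {}, {"result": [{"path": path}]}
```

Compare `implicit_dispatch("POST", "/data/info", {"foo": 1})`, which answers 200 with an empty result just like the `scurl` calls above, with `strict_dispatch` on the same input, which answers 405 and `Allow: GET`.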