Page MenuHomePhabricator
Create Task
Maniphest T314771

Implement a compatibility layer between RESTBase and native PCS responses
Closed, ResolvedPublic
Actions

Description

Background Information

Other than providing a storage layer, RESTBase implements some logic for the services that it proxies the requests.
Specifically:

  • lib/access_check_filter.js
    • Checks if a page is restriced and returns a redirect instead
  • lib/security_response_header_filter.js
    • Adds security related headers to responses
      • CSP
      • CORS
      • x-content-type-options, x-frame-options
      • referrer-policy
      • x-xss-protection
  • lib/language_variants_filter.js
    • Checks MW API for language variants for each request and adds language headers
  • lib/ensure_content_type.js
    • Enforces the response content type
      1. compares the returned content-type with the first entry of the produces array in the route spec, and
      2. repeats the request with no-cache header set if:
        • the profile parameter does not match, and
        • either the path (without version) differs, or the expected version is higher than the returned version, and
        • the page has not been re-rendered within the last two minutes.

What

We need to make sure that all of them are still needed and provide compatibility on mobileapps level when serving requests without RESTBase

Acceptance Criteria

  • PCS applies lib/access_check_filter.js logic without RESTBase T321195
  • PCS applies lib/security_response_header_filter.js logic without RESTBase T321194
  • PCS applies lib/ensure_content_type.js logic without RESTBase T321199
  • PCS applies lib/language_variants_filter.js logic without RESTBase T317019
    • Ensure PCS does not need a compatibility layer
In T314771#8327342, @daniel wrote:
  • lib/language_variants_filter.js
    • Checks MW API for language variants for each request and adds language headers

The v1/page/{title} endpoint will soon have support for this, see T317019

Related Objects
Search...

Event Timeline

Jgiannelos created this task.Aug 8 2022, 10:54 AM
Jgiannelos moved this task from Needs triage to PCS/RESTBase sunset on the Product-Infrastructure-Team-Backlog-Deprecated board.Sep 22 2022, 2:25 PM
MSantos added a comment.Oct 18 2022, 11:51 AM

Can we create automated smoke tests to perform these checks before implementing the compatibility layer? That might be useful for future services as well.

MSantos added a subscriber: Joe.Oct 18 2022, 11:52 AM
daniel added a project: Platform Team Workboards (MW Expedition).Oct 18 2022, 3:01 PM
daniel added a comment.Oct 18 2022, 9:14 PM
  • lib/access_check_filter.js
    • Checks if a page is restriced and returns a redirect instead

MW core endpoints always perform access checks.

  • lib/security_response_header_filter.js
  • Adds security related headers to responses
    • CSP
    • CORS
    • x-content-type-options, x-frame-options
    • referrer-policy
    • x-xss-protection

MW core handles some of these, but it's unclear whether it does so comprehensively and consistency. E.g.

  • The ContentSercurityPolicy handles CSP and CORS, and is used by OutputPage
  • ResourceLoader's ClientHtml seems to have it's own CSP handling
  • There is a ReferrerPolicy setting, but it doesn't seem to be used to set HTTP headers
  • lib/language_variants_filter.js
    • Checks MW API for language variants for each request and adds language headers

The v1/page/{title} endpoint will soon have support for this, see T317019

  • lib/ensure_content_type.js
    • Enforces the response content type

It's not clear whether this is needed at all. If it is, it should probably be implemented in the v1/page/{title} endpoint .

MSantos mentioned this in T321195: Implement Access Check Filter outside RESTBase for PCS.Oct 19 2022, 1:47 PM
MSantos updated the task description. (Show Details)Oct 19 2022, 1:58 PM
MSantos mentioned this in T321199: Implement Ensure Content Type Filter logic outside RESTBase for PCS.Oct 19 2022, 2:01 PM
MSantos updated the task description. (Show Details)
MSantos updated the task description. (Show Details)Oct 19 2022, 2:20 PM
daniel moved this task from Unsorted pile to PCS Service Pile on the Platform Team Workboards (MW Expedition) board.Oct 19 2022, 3:06 PM
daniel triaged this task as Medium priority.Nov 22 2022, 6:40 PM
daniel added a project: RESTBase Sunsetting.Dec 6 2022, 3:15 PM
daniel moved this task from Unsorted to PCS Service Pile on the RESTBase Sunsetting board.Dec 6 2022, 3:17 PM
Jgiannelos changed the status of subtask T321194: Implement Security Response Header Filter logic outside RESTBase for PCS from Open to In Progress.Dec 13 2022, 4:16 PM
Jgiannelos changed the status of subtask T321195: Implement Access Check Filter outside RESTBase for PCS from Open to In Progress.
Jgiannelos changed the status of subtask T321199: Implement Ensure Content Type Filter logic outside RESTBase for PCS from Open to In Progress.
VirginiaPoundstone added subscribers: BPirkle, VirginiaPoundstone.Dec 16 2022, 5:57 PM

@BPirkle have a peek at this. Any red flags here for successfully deploying T263489: AQS 2.0?

daniel added a project: Epic.Jan 17 2023, 10:44 AM
daniel moved this task from PCS Service Pile to Doing on the RESTBase Sunsetting board.
MSantos changed the status of subtask T321199: Implement Ensure Content Type Filter logic outside RESTBase for PCS from In Progress to Open.Jan 18 2023, 12:31 AM
MSantos closed subtask T321194: Implement Security Response Header Filter logic outside RESTBase for PCS as Resolved.Jan 31 2023, 1:25 PM
Jgiannelos closed subtask T321195: Implement Access Check Filter outside RESTBase for PCS as Resolved.Feb 1 2023, 4:48 PM
VirginiaPoundstone added a project: API Platform.Feb 11 2023, 9:32 AM

@daniel what are your thoughts here? is this something you can drive as owner?

VirginiaPoundstone mentioned this in T329419: Architect potential API Gateway Patterns in preparation for services migrated off RESTbase.Feb 11 2023, 9:34 AM
daniel added a comment.Feb 11 2023, 5:29 PM
In T314771#8607033, @VirginiaPoundstone wrote:

@daniel what are your thoughts here? is this something you can drive as owner?

This is really just a tracking ticket, the meat is in thje subtasks. @Jgiannelos and @MSantos are working on them.

Jgiannelos updated the task description. (Show Details)Feb 13 2023, 12:59 PM
VirginiaPoundstone moved this task from Incoming to Radar on the API Platform board.Feb 16 2023, 11:17 PM
VirginiaPoundstone moved this task from Radar to RESTBase Deprecation Roadmap on the API Platform board.Apr 26 2023, 1:23 PM
VirginiaPoundstone edited projects, added API Platform (RESTBase Deprecation Roadmap); removed API Platform.
MSantos closed this task as Resolved.Nov 21 2024, 11:27 AM
MSantos claimed this task.

The last task is considered a nice-to-have and also not part of PCS layer. The conversations can continue in that task and I'll be bold and close this one for now, please re-open in case I'm missing something.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits