NAME

rest - define REST web APIs and call them inline or asychronously

SYNOPSIS

package require Tcl 8.5

package require rest ?1.5?

::rest::simple url query ?config? ?body?

::rest::get url query ?config? ?body?

::rest::post url query ?config? ?body?

::rest::patch url query ?config? ?body?

::rest::head url query ?config? ?body?

::rest::put url query ?config? ?body?

::rest::delete url query ?config? ?body?

::rest::save name file

::rest::describe name

::rest::parameters url ?key?

::rest::parse_opts static required optional words

::rest::substitute string var

::rest::create_interface name

DESCRIPTION

There are two types of usage this package supports: simple calls, and complete interfaces. In an interface you specify a set of rules and then the package builds the commands which correspond to the REST methods. These commands can have many options such as input and output transformations and data type specific formatting. This results in a cleaner and simpler script. On the other hand, while a simple call is easier and quicker to implement it is also less featureful. It takes the url and a few options about the command and returns the result directly. Any formatting or checking is up to rest of the script.

SIMPLE USAGE

In simple usage you make calls using the http method procedures and then check or process the returned data yourself

::rest::simple url query ?config? ?body?

::rest::get url query ?config? ?body?

::rest::post url query ?config? ?body?

::rest::patch url query ?config? ?body?

::rest::head url query ?config? ?body?

::rest::put url query ?config? ?body?

::rest::delete url query ?config? ?body?

These commands are all equivalent except for the http method used. If you use simple then the method should be specified as an option in the config dictionary. If that is not done it defaults to get. If a body is needed then the config dictionary must be present, however it is allowed to be empty.

The config dictionary supports the following keys

auth
content-type
cookie
error-body
format
headers
method

Two quick examples:

Example 1, Yahoo Boss:

    set appid APPID
    set search tcl
    set res [rest::get http://boss.yahooapis.com/ysearch/web/v1/$search [list appid $appid]]
    set res [rest::format_json $res]

Example 2, Twitter:

    set url   http://twitter.com/statuses/update.json
    set query [list status $text]
    set res [rest::simple $url $query {
        method post
        auth   {basic user password}
        format json
    }]

INTERFACE USAGE

An interface to a REST API consists of a series of definitions of REST calls contained in an array. The name of that array becomes a namespace containing the defined commands. Each key of the array specifies the name of the call, with the associated configuration a dictionary, i.e. key/value pairs. The acceptable keys, i.e. legal configuration options are described below. After creating the definitions in the array simply calling rest::create_interface with the array as argument will then create the desired commands.

Example, Yahoo Weather:

    package require rest
    set yweather(forecast) {
       url      http://weather.yahooapis.com/forecastrss
       req_args { p: }
       opt_args { u: }
    }
    rest::create_interface yweather
    puts [yweather::forecast -p 94089]

::rest::save name file: This command saves a copy of the dynamically created procedures for all the API calls specified in the array variable name to the file, for later loading.
The result of the command is the empty string
::rest::describe name: This command prints a description of all API calls specified in the array variable name to the channel stdout.
The result of the command is the empty string.
::rest::parameters url ?key?: This command parses an url query string into a dictionary and returns said dictionary as its result.
If key is specified the command will not return the entire dictionary, but only the value of that key.
::rest::parse_opts static required optional words: This command implements a custom parserfor command options.

dict static: A dictionary of options and their values that are always present in the output.
list required: A list of options that must be supplied by words
list optional: A list of options that may appear in the words, but are not required. The elements must be in one of three forms:

name: The option may be present or not, no default.
name:: When present the option requires an argument.
name:value: When not present use value as default.

list words: The words to parse into options and values.

The result of the command is a list containing two elements. The first element is a dictionary containing the parsed options and their values. The second element is a list of the remaining words.

::rest::substitute string var

This command takes a string, substitutes values for any option identifiers found inside and returns the modified string as its results.

The values to substitute are found in the variable var, which is expected to contain a dictionary mapping from the option identifiers to replace to their values. Note that option identifiers which have no key in var are replaced with the empty string.

The option identifiers in string have to follow the syntax %...% where ... may contain any combination of lower-case alphanumeric characters, plus underscore, colon and dash.

::rest::create_interface name

This command creates procedures for all the API calls specified in the array variable name.

The name of that array becomes a namespace containing the defined commands. Each key of the array specifies the name of the call, with the associated configuration a dictionary, i.e. key/value pairs. The legal keys and their meanings are:

url: The value of this required option must be the target of the http request.
description: The value of this option must be a short string describing the call. Default to the empty string, if not specified. Used only by ::rest::describe.
body: The value of this option indicates if arguments are required for the call's request body or not. The acceptable values are listed below. Defaults to optional if not specified.

none: The call has no request body, none must be supplied.
optional: A request body can be supplied, but is not required.
required: A request body must be supplied.
argument: This value must be followed by the name of an option, treating the entire string as a list. The request body will be used as the value of that option.
mime_multipart: A request body must be supplied and will be interpreted as each argument representing one part of a mime/multipart document. Arguments must be lists containing 2 elements, a list of header keys and values, and the mime part body, in this order.
mime_multipart/<value>: Same as mime_multipart, but the Content-Type header is set to multipart/<value>.

method: The value of this option must be the name of the HTTP method to call on the url. Defaults to GET, if not specified. The acceptable values are GET, POST, and PUT, regardless of letter-case.
copy: When present the value of this option specifies the name of a previously defined call. The definition of that call is copied to the current call, except for the options specified by the current call itself.
unset: When present the value of this option contains a list of options in the current call. These options are removed from the definition. Use this after copying an existing definition to remove options, instead of overriding their value.
headers: Specification of additional header fields. The value of this option must be a dictionary, interpreted to contain the new header fields and their values. The default is to not add any additional headers.
content-type: The value of this option specifies the content type for the request data.
req_args: The value of this option is a list naming the required arguments of the call. Names ending in a colon will require a value.
opt_args: The value of this option a list naming the arguments that may be present for a call but are not required.
static_args: The value of this option a list naming the arguments that are always the same. No sense in troubling the user with these. A leading dash (-) is allowed but not required to maintain consistency with the command line.
auth: The value of this option specifies how to authenticate the calls. No authentication is done if the option is not specified.

basic: The user may configure the basic authentication by overriding the procedure basic_auth in the namespace of interface. This procedure takes two arguments, the username and password, in this order.
bearer: The user may configure a bearer token as authentication. The value is the token passed to the HTTP authorization header.
sign: The value must actually be a list with the second element the name of a procedure which will be called to perform request signing.

callback

If this option is present then the method will be created as an async call. Such calls will return immediately with the value of the associated http token instead of the call's result. The event loop must be active to use this option.

The value of this option is treated as a command prefix which is invoked when the HTTP call is complete. The prefix will receive at least two additional arguments, the name of the calling procedure and the status of the result (one of OK or ERROR), in this order.

In case of OK a third argument is added, the data associated with the result.

If and only if the ERROR is a redirection, the location redirected to will be added as argument. Further, if the configuration key error-body is set to true the data associated with the result will be added as argument as well.

The http request header will be available in that procedure via upvar token token.

cookie

The value of this option is a list of cookies to be passed in the http header. This is a shortcut to the headers option.

input_transform

The value of this option is a command prefix or script to perform a transformation on the query before invoking the call. A script transform is wrapped into an automatically generated internal procedure.

If not specified no transformation is done.

The command (prefix) must accept a single argument, the query (a dictionary) to transform, and must return the modified query (again as dictionary) as its result. The request body is accessible in the transform command via upvar body body.

format

result

The value of this option specifies the format of the returned data. Defaults to auto if not specified. The acceptable values are:

auto: Auto detect between xml and json.
discard
json
raw
rss: This is formatted as a special case of xml.
tdom
xml

pre_transform

The value of this option is a command prefix or script to perform a transformation on the result of a call (before the application of the output transform as per format). A script transform is wrapped into an automatically generated internal procedure.

If not specified no transformation is done.

The command (prefix) must accept a single argument, the result to transform, and must return the modified result as its result.

The http request header is accessible in the transform command via upvar token token

post_transform

The value of this option is a command prefix or script to perform a transformation on the result of a call (after the application of the output transform as per format). A script transform is wrapped into an automatically generated internal procedure.

If not specified no transformation is done.

The command (prefix) must accept a single argument, the result to transform, and must return the modified result as its result.

The http request header is accessible in the transform command via upvar token token

check_result

The value of this option must be list of two expressions, either of which may be empty.

The first expression is checks the OK condition, it must return true when the result is satisfactory, and false otherwise.

The second expression is the ERROR condition, it must return false unless there is an error, then it has to return true.

error_body

The value of this option determines whether to return the response when encountering an HTTP error, or not. The default is to not return the response body on error.

See callback above for more information.

EXAMPLES

Yahoo Geo:

set ygeo(parse) {
    url http://wherein.yahooapis.com/v1/document
    method post
    body { arg documentContent }
}
ygeo::parse "san jose ca"
# "san jose ca" will be interpreted as if it were specified as the -documentContent option

Google Docs:

set gdocs(upload) {
    url http://docs.google.com/feeds/default/private/full
    body mime_multipart
}
gdocs::upload [list {Content-Type application/atom+xml} $xml] [list {Content-Type image/jpeg} $filedata]

Delicious:

set delicious(updated) {
    url https://api.del.icio.us/v1/posts/update
    auth basic
}
rest::create_interface flickr
flickr::basic_auth username password

Flickr:

set flickr(auth.getToken) {
   url http://api.flickr.com/services/rest/
   req_args { api_key: secret: }
   auth { sign do_signature }
}
rest::create_interface flickr
proc ::flickr::do_signature {query} {
    # perform some operations on the query here
    return $query
}

INCLUDED

The package provides functional but incomplete implementations for the following services:

del.icio.us
facebook
flickr
twitter
google calendar
yahoo boss
yahoo weather

Please either read the package's implementation, or use rest::describe after loading it for their details.

Do not forget developers' documentation on the respective sites either.

TLS

The rest package can be used with https-secured services, by requiring the TLS package and then registering it with the http package it is sitting on top of. Example

    package require tls
    http::register https 443 ::tls::socket

TLS SECURITY CONSIDERATIONS

This package uses the TLS package to handle the security for https urls and other socket connections.

Policy decisions like the set of protocols to support and what ciphers to use are not the responsibility of TLS, nor of this package itself however. Such decisions are the responsibility of whichever application is using the package, and are likely influenced by the set of servers the application will talk to as well.

For example, in light of the recent POODLE attack [http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html] discovered by Google many servers will disable support for the SSLv3 protocol. To handle this change the applications using TLS must be patched, and not this package, nor TLS itself. Such a patch may be as simple as generally activating tls1 support, as shown in the example below.

    package require tls
    tls::init -tls1 1 ;# forcibly activate support for the TLS1 protocol
    ... your own application code ...

BUGS, IDEAS, FEEDBACK

This document, and the package it describes, will undoubtedly contain bugs and other problems. Please report such in the category rest of the Tcllib Trackers [http://core.tcl.tk/tcllib/reportlist]. Please also report any ideas for enhancements you may have for either package and/or documentation.

When proposing code changes, please provide unified diffs, i.e the output of diff -u.

Note further that attachments are strongly preferred over inlined patches. Attachments can be made by going to the Edit form of the ticket immediately after its creation, and then using the left-most button in the secondary navigation bar.