synapse 2.201.0__py311-none-any.whl → 2.203.0__py311-none-any.whl

synapse/lib/json.py

@@ -0,0 +1,224 @@
+import io
+import os
+import json
+import logging
+
+from typing import Any, BinaryIO, Callable, Iterator, Optional
+
+from synapse.vendor.cpython.lib.json import detect_encoding
+
+import orjson
+
+import synapse.exc as s_exc
+
+logger = logging.getLogger(__name__)
+
+def _fallback_loads(s: str | bytes) -> Any:
+
+    try:
+        return json.loads(s)
+    except json.JSONDecodeError as exc:
+        raise s_exc.BadJsonText(mesg=exc.args[0])
+
+def loads(s: str | bytes) -> Any:
+    '''
+    Deserialize a JSON string.
+
+    Similar to the standard library json.loads().
+
+    Arguments:
+        s (str | bytes): The JSON data to be deserialized.
+
+    Returns:
+        (object): The deserialized JSON data.
+
+    Raises:
+        synapse.exc.BadJsonText: This exception is raised when there is an error
+            deserializing the provided data.
+    '''
+    try:
+        return orjson.loads(s)
+    except orjson.JSONDecodeError as exc:
+        extra = {'synapse': {'fn': 'loads', 'reason': str(exc)}}
+        logger.warning('Using fallback JSON deserialization. Please report this to Vertex.', extra=extra)
+        return _fallback_loads(s)
+
+def load(fp: BinaryIO) -> Any:
+    '''
+    Deserialize JSON data from a file.
+
+    Similar to the standard library json.load().
+
+    Arguments:
+        fp (file): The python file pointer to read the data from.
+
+    Returns:
+        (object): The deserialized JSON data.
+
+    Raises:
+        synapse.exc.BadJsonText: This exception is raised when there is an error
+            deserializing the provided data.
+    '''
+    return loads(fp.read())
+
+def _fallback_dumps(obj: Any, sort_keys: bool = False, indent: bool = False, default: Optional[Callable] = None) -> bytes:
+    indent = 2 if indent else None
+
+    try:
+        ret = json.dumps(obj, sort_keys=sort_keys, indent=indent, default=default)
+        return ret.encode()
+    except TypeError as exc:
+        raise s_exc.MustBeJsonSafe(mesg=exc.args[0])
+
+def dumps(obj: Any, sort_keys: bool = False, indent: bool = False, default: Optional[Callable] = None, newline: bool = False) -> bytes:
+    '''
+    Serialize a python object to byte string.
+
+    Similar to the standard library json.dumps().
+
+    Arguments:
+        obj (object): The python object to serialize.
+        sort_keys (bool): Sort dictionary keys. Default: False.
+        indent (bool): Include 2 spaces of indentation. Default: False.
+        default (Optional[Callable]): Callback for serializing unknown object types. Default: None.
+        newline (bool): Append a newline to the end of the serialized data. Default: False.
+
+    Returns:
+        (bytes): The JSON serialized python object.
+
+    Raises:
+        synapse.exc.MustBeJsonSafe: This exception is raised when a python object cannot be serialized.
+    '''
+    opts = 0
+
+    if indent:
+        opts |= orjson.OPT_INDENT_2
+
+    if sort_keys:
+        opts |= orjson.OPT_SORT_KEYS
+
+    if newline:
+        opts |= orjson.OPT_APPEND_NEWLINE
+
+    try:
+        return orjson.dumps(obj, option=opts, default=default)
+
+    except orjson.JSONEncodeError as exc:
+        if not isinstance(exc.__cause__, UnicodeEncodeError):
+            raise s_exc.MustBeJsonSafe(mesg=exc.args[0])
+
+        extra = {'synapse': {'fn': 'dumps', 'reason': str(exc)}}
+        logger.warning('Using fallback JSON serialization. Please report this to Vertex.', extra=extra)
+
+        ret = _fallback_dumps(obj, sort_keys=sort_keys, indent=indent, default=default)
+
+        if newline:
+            ret += b'\n'
+
+        return ret
+
+def dump(obj: Any, fp: BinaryIO, sort_keys: bool = False, indent: bool = False, default: Optional[Callable] = None, newline: bool = False) -> None:
+    '''
+    Serialize a python object to a file-like object opened in binary mode.
+
+    Similar to the standard library json.dump().
+
+    Arguments:
+        obj (object): The python object to serialize.
+        fp (file): The python file pointer to write the serialized data to.
+        sort_keys (bool): Sort dictionary keys. Default: False.
+        indent (bool): Include 2 spaces of indentation. Default: False.
+        default (Optional[Callable]): Callback for serializing unknown object types. Default: None.
+        newline (bool): Append a newline to the end of the serialized data. Default: False.
+
+    Returns: None
+
+    Raises:
+        synapse.exc.MustBeJsonSafe: This exception is raised when a python object cannot be serialized.
+    '''
+    data = dumps(obj, sort_keys=sort_keys, indent=indent, default=default, newline=newline)
+    fp.write(data)
+
+def jsload(*paths: str) -> Any:
+    '''
+    Deserialize the JSON data at *paths.
+
+    Arguments:
+        *paths: The file path parts to load the data from.
+
+    Returns:
+        (object): The deserialized JSON data.
+
+    Raises:
+        synapse.exc.BadJsonText: This exception is raised when there is an error
+            deserializing the provided data.
+    '''
+    import synapse.common as s_common # Avoid circular import
+    with s_common.genfile(*paths) as fd:
+        if os.fstat(fd.fileno()).st_size == 0:
+            return None
+
+        return load(fd)
+
+def jslines(*paths: list[str]) -> Iterator[Any]:
+    '''
+    Deserialize the JSON lines data at *paths.
+
+    Arguments:
+        *paths: The file path parts to load the data from.
+
+    Yields:
+        (object): The deserialized JSON data from each line.
+
+    Raises:
+        synapse.exc.BadJsonText: This exception is raised when there is an error
+            deserializing the provided data.
+    '''
+    import synapse.common as s_common # Avoid circular import
+    with s_common.genfile(*paths) as fd:
+        for line in fd:
+            yield loads(line)
+
+def jssave(js: Any, *paths: list[str]) -> None:
+    '''
+    Serialize the python object to a file.
+
+    Arguments:
+        js: The python object to serialize.
+        *paths: The file path parts to save the data to.
+
+    Returns: None
+
+    Raises:
+        synapse.exc.MustBeJsonSafe: This exception is raised when a python
+        object cannot be serialized.
+    '''
+    import synapse.common as s_common # Avoid circular import
+    path = s_common.genpath(*paths)
+    with io.open(path, 'wb') as fd:
+        dump(js, fd, sort_keys=True, indent=True)
+
+def reqjsonsafe(item: Any, strict: bool = False) -> None:
+    '''
+    Check if a python object is safe to be serialized to JSON.
+
+    Uses default type coercion from synapse.lib.json.dumps.
+
+    Arguments:
+        item (any): The python object to check.
+        strict (bool): If specified, do not fallback to python json library which is
+                more permissive of unicode strings. Default: False
+
+    Returns: None if item is json serializable, otherwise raises an exception.
+
+    Raises:
+        synapse.exc.MustBeJsonSafe: This exception is raised when the item
+        cannot be serialized.
+    '''
+    if strict:
+        try:
+            orjson.dumps(item)
+        except Exception as exc:
+            raise s_exc.MustBeJsonSafe(mesg=exc.args[0])
+    else:
+        dumps(item)

synapse/lib/lmdbslab.py

@@ -870,7 +870,7 @@ class Slab(s_base.Base):
 
         initial_mapsize = opts.get('map_size')
         if initial_mapsize is None:
-            raise s_exc.BadArg('Slab requires map_size')
+            raise s_exc.BadArg(mesg='Slab requires map_size')
 
         mdbpath = s_common.genpath(path, 'data.mdb')
         if os.path.isfile(mdbpath):

synapse/lib/oauth.py

@@ -1,3 +1,4 @@
+import os
 import copy
 import heapq
 import asyncio
@@ -10,7 +11,7 @@ import synapse.common as s_common
 
 import synapse.lib.coro as s_coro
 import synapse.lib.nexus as s_nexus
-import synapse.lib.config as s_config
+import synapse.lib.schemas as s_schemas
 import synapse.lib.lmdbslab as s_lmdbslab
 
 logger = logging.getLogger(__name__)
@@ -19,51 +20,11 @@ KEY_LEN = 32          # length of a provider/user iden in a key
 REFRESH_WINDOW = 0.5  # refresh in REFRESH_WINDOW * expires_in
 DEFAULT_TIMEOUT = 10  # secs
 
-reqValidProvider = s_config.getJsValidator({
-    'type': 'object',
-    'properties': {
-        'iden': {'type': 'string', 'pattern': s_config.re_iden},
-        'name': {'type': 'string'},
-        'flow_type': {'type': 'string', 'default': 'authorization_code', 'enum': ['authorization_code']},
-        'auth_scheme': {'type': 'string', 'default': 'basic', 'enum': ['basic']},
-        'client_id': {'type': 'string'},
-        'client_secret': {'type': 'string'},
-        'scope': {'type': 'string'},
-        'ssl_verify': {'type': 'boolean', 'default': True},
-        'auth_uri': {'type': 'string'},
-        'token_uri': {'type': 'string'},
-        'redirect_uri': {'type': 'string'},
-        'extensions': {
-            'type': 'object',
-            'properties': {
-                'pkce': {'type': 'boolean'},
-            },
-            'additionalProperties': False,
-        },
-        'extra_auth_params': {
-            'type': 'object',
-            'additionalProperties': {'type': 'string'},
-        },
-    },
-    'additionalProperties': False,
-    'required': ['iden', 'name', 'client_id', 'client_secret', 'scope', 'auth_uri', 'token_uri', 'redirect_uri'],
-})
-
-reqValidTokenResponse = s_config.getJsValidator({
-    'type': 'object',
-    'properties': {
-        'access_token': {'type': 'string'},
-        'expires_in': {'type': 'number', 'exclusiveMinimum': 0},
-    },
-    'additionalProperties': True,
-    'required': ['access_token', 'expires_in'],
-})
-
 def normOAuthTokenData(issued_at, data):
     '''
     Normalize timestamps to be in epoch millis and set expires_at/refresh_at.
     '''
-    reqValidTokenResponse(data)
+    s_schemas.reqValidOauth2TokenResponse(data)
     expires_in = data['expires_in']
     return {
         'access_token': data['access_token'],
@@ -73,6 +34,29 @@ def normOAuthTokenData(issued_at, data):
         'refresh_token': data.get('refresh_token'),
     }
 
+az_tfile_envar = 'AZURE_FEDERATED_TOKEN_FILE'
+def _getAzureTokenFile() -> tuple[bool, str]:
+    fp = os.getenv(az_tfile_envar, None)
+    if fp is None:
+        return False, f'{az_tfile_envar} environment variable is not set.'
+    if os.path.exists(fp):
+        with open(fp, 'r') as fd:
+            assertion = fd.read()
+            return True, assertion
+    else:
+        return False, f'{az_tfile_envar} file does not exist {fp}'
+
+az_clientid_envar = 'AZURE_CLIENT_ID'
+def _getAzureClientId() -> tuple[bool, str]:
+    valu = os.getenv(az_clientid_envar, None)
+    if valu is None:
+        return False, f'{az_clientid_envar} environment variable is not set.'
+    if valu:
+        return True, valu
+    else:
+        return False, f'{az_clientid_envar} is set to an empty string.'
+
+
 class OAuthMixin(s_nexus.Pusher):
     '''
     Mixin for Cells to organize and execute OAuth token refreshes.
@@ -175,7 +159,7 @@ class OAuthMixin(s_nexus.Pusher):
                     logger.debug(f'OAuth V2 client does not exist for provider={provideriden} user={useriden}')
                     continue
 
-                ok, data = await self._refreshOAuthAccessToken(providerconf, clientconf)
+                ok, data = await self._refreshOAuthAccessToken(providerconf, clientconf, useriden)
                 if not ok:
                     logger.warning(f'OAuth V2 token refresh failed provider={provideriden} user={useriden} data={data}')
 
@@ -185,12 +169,19 @@ class OAuthMixin(s_nexus.Pusher):
             self._oauth_sched_empty.set()
             await s_coro.event_wait(self._oauth_sched_wake)
             self._oauth_sched_wake.clear()
+            self._oauth_sched_ran.clear()
+
+    async def _getOAuthAccessToken(self, providerconf, useriden, authcode, code_verifier=None):
+
+        ok, data = await self._getAuthData(providerconf, useriden)
+        if not ok:
+            return ok, data
 
-    async def _getOAuthAccessToken(self, providerconf, authcode, code_verifier=None):
         token_uri = providerconf['token_uri']
         ssl_verify = providerconf['ssl_verify']
 
-        formdata = aiohttp.FormData()
+        auth, formdata = self._unpackAuthData(data)
+
         formdata.add_field('grant_type', 'authorization_code')
         formdata.add_field('scope', providerconf['scope'])
         formdata.add_field('redirect_uri', providerconf['redirect_uri'])
@@ -198,19 +189,23 @@ class OAuthMixin(s_nexus.Pusher):
         if code_verifier is not None:
             formdata.add_field('code_verifier', code_verifier)
 
-        auth = aiohttp.BasicAuth(providerconf['client_id'], password=providerconf['client_secret'])
         return await self._fetchOAuthToken(token_uri, auth, formdata, ssl_verify=ssl_verify)
 
-    async def _refreshOAuthAccessToken(self, providerconf, clientconf):
+    async def _refreshOAuthAccessToken(self, providerconf, clientconf, useriden):
+
+        ok, data = await self._getAuthData(providerconf, useriden)
+        if not ok:
+            return ok, data
+
         token_uri = providerconf['token_uri']
         ssl_verify = providerconf['ssl_verify']
         refresh_token = clientconf['refresh_token']
 
-        formdata = aiohttp.FormData()
+        auth, formdata = self._unpackAuthData(data)
+
         formdata.add_field('grant_type', 'refresh_token')
         formdata.add_field('refresh_token', refresh_token)
 
-        auth = aiohttp.BasicAuth(providerconf['client_id'], password=providerconf['client_secret'])
         ok, data = await self._fetchOAuthToken(token_uri, auth, formdata, ssl_verify=ssl_verify, retries=3)
         if ok and not data.get('refresh_token'):
             # if a refresh_token is not provided in the response persist the existing token
@@ -218,6 +213,77 @@ class OAuthMixin(s_nexus.Pusher):
 
         return ok, data
 
+    async def _getAuthData(self, providerconf, useriden):
+        isok = False
+        ret = {}
+        auth_scheme = providerconf['auth_scheme']
+
+        if auth_scheme == 'basic':
+            ret['auth'] = {'login': providerconf['client_id'], 'password': providerconf['client_secret']}
+            ret['formdata'] = {}
+            isok = True
+
+        elif auth_scheme == 'client_assertion':
+            assertion = None
+            client_id = providerconf.get('client_id', None)
+            client_assertion = providerconf['client_assertion']
+
+            if (info := client_assertion.get('cortex:callstorm')):
+                opts = {
+                    'view': info['view'],
+                    'vars': info.get('vars', {}),
+                    'user': useriden,
+                }
+                try:
+                    ok, info = await self.callStorm(info['query'], opts=opts)
+                except Exception as e:
+                    isok = False
+                    ret['error'] = f'Error executing callStorm: {e}'
+                else:
+                    if not ok:
+                        return ok, info
+                    assertion = info.get('token')
+
+            elif (info := client_assertion.get('msft:azure:workloadidentity')):
+                ok, valu = _getAzureTokenFile()
+                if not ok:
+                    return ok, {'error': valu}
+                assertion = valu
+                if info.get('client_id'):
+                    ok, valu = _getAzureClientId()
+                    if not ok:
+                        return ok, {'error': valu}
+                    client_id = valu
+
+            else:
+                isok = False
+                ret['error'] = f'Unknown client_assertions data: {client_assertion}'
+
+            if assertion:
+                formdata = {
+                    'client_id': client_id,
+                    'client_assertion': assertion,
+                    'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
+                }
+                ret['formdata'] = formdata
+                isok = True
+
+        else:
+            isok = False
+            ret['error'] = f'Unknown authorization scheme: {auth_scheme}'
+
+        return isok, ret
+
+    @staticmethod
+    def _unpackAuthData(data: dict) -> tuple[aiohttp.BasicAuth | None, aiohttp.FormData]:
+        auth = data.get('auth', None)  # type: dict | None
+        if auth:
+            auth = aiohttp.BasicAuth(auth.get('login'), password=auth.get('password'))
+        formdata = aiohttp.FormData()
+        for k, v in data.get('formdata', {}).items():
+            formdata.add_field(k, v)
+        return auth, formdata
+
     async def _fetchOAuthToken(self, url, auth, formdata, ssl_verify=True, retries=1):
 
         headers = {
@@ -269,12 +335,69 @@ class OAuthMixin(s_nexus.Pusher):
                 return retn
 
     async def addOAuthProvider(self, conf):
-        conf = reqValidProvider(conf)
 
+        conf = s_schemas.reqValidOauth2Provider(conf)
         iden = conf['iden']
         if self._getOAuthProvider(iden) is not None:
             raise s_exc.DupIden(mesg=f'Duplicate OAuth V2 client iden ({iden})', iden=iden)
 
+        # N.B. The schema ensures that the possible values in the conf are valid
+        # when they are provided. Since writing multi-path schemas in draft07 is
+        # overly complicated, some of the mutual exclusion values and logical
+        # "is this meaningful?" type checks are made here before pushing the
+        # nexus event to create the provider.
+
+        client_secret = conf.get('client_secret')
+        client_assertion = conf.get('client_assertion', {})
+
+        if client_assertion and client_secret:
+            mesg = 'client_assertion and client_secret provided. These are mutually exclusive options.'
+            raise s_exc.BadArg(mesg=mesg)
+        if not client_assertion and not client_secret:
+            mesg = 'client_assertion and client_secret missing. These are mutually exclusive options and one must be provided.'
+            raise s_exc.BadArg(mesg=mesg)
+
+        auth_scheme = conf.get('auth_scheme')
+        client_id = conf.get('client_id')
+        if auth_scheme == 'basic':
+            if not client_id:
+                raise s_exc.BadArg(mesg='Must provide client_id for auth_scheme=basic')
+            if not client_secret:
+                raise s_exc.BadArg(mesg='Must provide client_secret for auth_scheme=basic')
+
+        elif auth_scheme == 'client_assertion':
+            if (info := client_assertion.get('cortex:callstorm')) is not None:
+                if not hasattr(self, 'callStorm'):
+                    mesg = f'cortex:callstorm client assertion not supported by {self.__class__.__name__}'
+                    raise s_exc.BadArg(mesg=mesg)
+
+                if not client_id:
+                    raise s_exc.BadArg(mesg='Must provide client_id for with cortex:callstorm provider.')
+
+                text = info['query']
+                # Validate the query text
+                try:
+                    await self.reqValidStorm(text)
+                except s_exc.BadSyntax as e:
+                    raise s_exc.BadArg(mesg=f'Bad storm query: {e.get("mesg")}') from None
+                view = self.getView(info['view'])
+                if view is None:
+                    raise s_exc.BadArg(mesg=f'View {info["view"]} does not exist.')
+            elif (info := client_assertion.get('msft:azure:workloadidentity')) is not None:
+                if not info.get('token'):
+                    raise s_exc.BadArg(mesg='msft:azure:workloadidentity token key must be true')
+                ok, tknkvalu = _getAzureTokenFile()
+                if not ok:
+                    raise s_exc.BadArg(mesg=f'Failed to get the client_assertion data: {tknkvalu}')
+                if info.get('client_id'):
+                    if client_id:
+                        raise s_exc.BadArg(mesg='Cannot specify a fixed client_id and a dynamic client_id value.')
+                    ok, idvalu = _getAzureClientId()
+                    if not ok:
+                        raise s_exc.BadArg(mesg=f'Failed to get the client_id data: {idvalu}')
+        else:  # pragma: no cover
+            raise s_exc.BadArg(mesg=f'Unknown auth_scheme={auth_scheme}')
+
         await self._push('oauth:provider:add', conf)
 
     @s_nexus.Pusher.onPush('oauth:provider:add')
@@ -291,7 +414,7 @@ class OAuthMixin(s_nexus.Pusher):
     async def getOAuthProvider(self, iden):
         conf = self._getOAuthProvider(iden)
         if conf is not None:
-            conf.pop('client_secret')
+            conf.pop('client_secret', None)
         return conf
 
     async def listOAuthProviders(self):
@@ -309,7 +432,7 @@ class OAuthMixin(s_nexus.Pusher):
 
         conf = self._oauth_providers.pop(iden)
         if conf is not None:
-            conf.pop('client_secret')
+            conf.pop('client_secret', None)
 
         return conf
 
@@ -374,10 +497,9 @@ class OAuthMixin(s_nexus.Pusher):
 
         await self.clearOAuthAccessToken(provideriden, useriden)
 
-        ok, data = await self._getOAuthAccessToken(providerconf, authcode, code_verifier=code_verifier)
+        ok, data = await self._getOAuthAccessToken(providerconf, useriden, authcode, code_verifier=code_verifier)
         if not ok:
             raise s_exc.SynErr(mesg=f'Failed to get OAuth v2 token: {data["error"]}')
-
         await self._setOAuthTokenData(provideriden, useriden, data)
 
     @s_nexus.Pusher.onPushAuto('oauth:client:data:set')

synapse/lib/parser.py

@@ -75,7 +75,7 @@ terminalEnglishMap = {
     'MODSET': '+= or -=',
     'MODSETMULTI': '++= or --=',
     'NONQUOTEWORD': 'unquoted value',
-    'NOT': 'not',
+    'NOTOP': 'not',
     'NULL': 'null',
     'NUMBER': 'number',
     'OCTNUMBER': 'number',
@@ -134,6 +134,7 @@ terminalEnglishMap = {
     '_LPARNOSPACE': '(',
     '_MATCHHASH': '#',
     '_MATCHHASHWILD': '#',
+    '_NOT': 'not',
     '_RETURN': 'return',
     '_REVERSE': 'reverse',
     '_RIGHTJOIN': '-+>',

synapse/lib/rstorm.py

@@ -1,6 +1,5 @@
 import os
 import copy
-import json
 import pprint
 import logging
 import contextlib
@@ -15,6 +14,7 @@ import synapse.exc as s_exc
 import synapse.common as s_common
 
 import synapse.lib.base as s_base
+import synapse.lib.json as s_json
 import synapse.lib.output as s_output
 import synapse.lib.dyndeps as s_dyndeps
 import synapse.lib.stormhttp as s_stormhttp
@@ -104,11 +104,13 @@ class StormOutput(s_cmds_cortex.StormCmd):
             body = resp.get('body')
 
             if isinstance(body, (dict, list)):
-                body = json.dumps(body)
+                body = s_json.dumps(body)
+            elif isinstance(body, str):
+                body = body.encode()
 
             info = {
                 'code': resp.get('code', 200),
-                'body': body.encode(),
+                'body': body,
             }
 
         return s_stormhttp.HttpResp(info)
@@ -126,8 +128,8 @@ class StormOutput(s_cmds_cortex.StormCmd):
             # in any of those cases, default to using vcr
             try:
                 with open(path, 'r') as fd:
-                    byts = json.load(fd)
-            except (FileNotFoundError, json.decoder.JSONDecodeError):
+                    byts = s_json.load(fd)
+            except (FileNotFoundError, s_exc.BadJsonText):
                 byts = None
 
             if not byts:
@@ -247,11 +249,13 @@ class StormCliOutput(s_storm.StormCli):
             body = resp.get('body')
 
             if isinstance(body, (dict, list)):
-                body = json.dumps(body)
+                body = s_json.dumps(body)
+            elif isinstance(body, str):
+                body = body.encode()
 
             info = {
                 'code': resp.get('code', 200),
-                'body': body.encode(),
+                'body': body,
             }
 
         return s_stormhttp.HttpResp(info)
@@ -269,8 +273,8 @@ class StormCliOutput(s_storm.StormCli):
             # in any of those cases, default to using vcr
             try:
                 with open(path, 'r') as fd:
-                    byts = json.load(fd)
-            except (FileNotFoundError, json.decoder.JSONDecodeError):
+                    byts = s_json.load(fd)
+            except (FileNotFoundError, s_exc.BadJsonText):
                 byts = None
 
             if not byts:
@@ -459,7 +463,7 @@ class StormRst(s_base.Base):
 
         splts = text.split(' ', 2)
         ctor, svcname = splts[:2]
-        svcconf = json.loads(splts[2].strip()) if len(splts) == 3 else {}
+        svcconf = s_json.loads(splts[2].strip()) if len(splts) == 3 else {}
 
         svc = await self._getCell(ctor, conf=svcconf)
 
@@ -480,7 +484,7 @@ class StormRst(s_base.Base):
             raise s_exc.SynErr(mesg=f'Package onload failed to run for service {svcname}')
 
     async def _handleStormFail(self, text):
-        valu = json.loads(text)
+        valu = s_json.loads(text)
         assert valu in (True, False), f'storm-fail must be a boolean: {text}'
         self.context['storm-fail'] = valu
 
@@ -497,7 +501,7 @@ class StormRst(s_base.Base):
     async def _handleStormMultiline(self, text):
         key, valu = text.split('=', 1)
         assert key.isupper()
-        valu = json.loads(valu)
+        valu = s_json.loads(valu)
         assert isinstance(valu, str)
         multi = self.context.get('multiline', {})
         multi[key] = valu
@@ -510,7 +514,7 @@ class StormRst(s_base.Base):
         Args:
             text (str): JSON string, e.g. {"vars": {"foo": "bar"}}
         '''
-        item = json.loads(text)
+        item = s_json.loads(text)
         self.context['storm-opts'] = item
 
     async def _handleStormClearHttp(self, text):
@@ -578,7 +582,7 @@ class StormRst(s_base.Base):
         Args:
             text (str): JSON string, e.g. {"filter_query_args": true}
         '''
-        item = json.loads(text)
+        item = s_json.loads(text)
         self.context['storm-vcr-opts'] = item
 
     async def _handleStormVcrCallback(self, text):