From bf28c53f440139a3ed25988ad5ca8ca8da2ca0fb Mon Sep 17 00:00:00 2001 From: Vladimir Tsirushkin Date: Mon, 6 Jan 2020 09:29:16 -0800 Subject: [PATCH] Validate ref (#69) * Validate $ref correctly (#23) * Inject $schema value into resource definitions during validation --- pom.xml | 27 +++- .../cloudformation/resource/Validator.java | 128 +++++++++++++++--- .../exceptions/ValidationException.java | 9 ++ .../schema/provider.definition.schema.v1.json | 2 +- src/main/resources/schema/schema | 2 +- .../resource/ValidatorRefResolutionTests.java | 114 ++++++++++++++++ .../resource/ValidatorTest.java | 20 +-- src/test/resources/common.types.v1.json | 34 +++++ src/test/resources/invalid-bad-ref.json | 21 +++ src/test/resources/valid-with-refs.json | 22 +++ .../resources/valid-with-relative-ref.json | 14 -- 11 files changed, 348 insertions(+), 45 deletions(-) create mode 100644 src/test/java/software/amazon/cloudformation/resource/ValidatorRefResolutionTests.java create mode 100644 src/test/resources/common.types.v1.json create mode 100644 src/test/resources/invalid-bad-ref.json create mode 100644 src/test/resources/valid-with-refs.json delete mode 100644 src/test/resources/valid-with-relative-ref.json diff --git a/pom.xml b/pom.xml index 66fe36e..521b03c 100644 --- a/pom.xml +++ b/pom.xml @@ -56,11 +56,32 @@ 3.12.2 test - + + + org.mockito + mockito-junit-jupiter + 2.22.0 + test + + + + org.junit.jupiter + junit-jupiter-api + 5.1.1 + test + + + + org.junit.jupiter + junit-jupiter-params + 5.1.1 + test + + org.junit.jupiter - junit-jupiter - 5.5.1 + junit-jupiter-engine + 5.1.1 test diff --git a/src/main/java/software/amazon/cloudformation/resource/Validator.java b/src/main/java/software/amazon/cloudformation/resource/Validator.java index 09e6439..cb845fa 100644 --- a/src/main/java/software/amazon/cloudformation/resource/Validator.java +++ b/src/main/java/software/amazon/cloudformation/resource/Validator.java @@ -20,7 +20,10 @@ import lombok.Builder; import org.everit.json.schema.Schema; +import org.everit.json.schema.loader.SchemaClient; import org.everit.json.schema.loader.SchemaLoader; +import org.everit.json.schema.loader.SchemaLoader.SchemaLoaderBuilder; +import org.everit.json.schema.loader.internal.DefaultSchemaClient; import org.json.JSONObject; import org.json.JSONTokener; @@ -28,35 +31,59 @@ public class Validator implements SchemaValidator { - private static final String JSON_SCHEMA_ID = "https://json-schema.org/draft-07/schema"; + private static final URI JSON_SCHEMA_URI_HTTPS = newURI("https://json-schema.org/draft-07/schema"); + private static final URI JSON_SCHEMA_URI_HTTP = newURI("http://json-schema.org/draft-07/schema"); + private static final URI RESOURCE_DEFINITION_SCHEMA_URI = newURI( + "https://schema.cloudformation.us-east-1.amazonaws.com/provider.definition.schema.v1.json"); + private static final String JSON_SCHEMA_PATH = "/schema/schema"; - private static final String METASCHEMA_PATH = "/schema/provider.definition.schema.v1.json"; + private static final String RESOURCE_DEFINITION_SCHEMA_PATH = "/schema/provider.definition.schema.v1.json"; + + /** + * resource definition schema ("resource schema schema"). All resource schemas + * are validated against this one and JSON schema draft v7 below. + */ private final JSONObject definitionSchemaJsonObject; + + /** + * locally cached draft-07 JSON schema. All resource schemas are validated + * against it + */ private final JSONObject jsonSchemaObject; + /** + * this is what SchemaLoader uses to download remote $refs. Not necessarily an + * HTTP client, see the docs for details. We override the default SchemaClient + * client in unit tests to be able to control how remote refs are resolved. + */ + private final SchemaClient downloader; + + Validator(SchemaClient downloader) { + this(loadResourceAsJSON(JSON_SCHEMA_PATH), loadResourceAsJSON(RESOURCE_DEFINITION_SCHEMA_PATH), downloader); + } + + private Validator(JSONObject jsonSchema, + JSONObject definitionSchema, + SchemaClient downloader) { + this.jsonSchemaObject = jsonSchema; + this.definitionSchemaJsonObject = definitionSchema; + this.downloader = downloader; + } + @Builder public Validator() { - // local copy of the draft-07 schema used to avoid remote reference calls - jsonSchemaObject = new JSONObject(new JSONTokener(this.getClass().getResourceAsStream(JSON_SCHEMA_PATH))); - definitionSchemaJsonObject = new JSONObject(new JSONTokener(this.getClass().getResourceAsStream(METASCHEMA_PATH))); + this(new DefaultSchemaClient()); } @Override public void validateObject(final JSONObject modelObject, final JSONObject definitionSchemaObject) throws ValidationException { + final SchemaLoaderBuilder loader = getSchemaLoader(definitionSchemaObject); + try { - final URI schemaURI = new URI(JSON_SCHEMA_ID); - final SchemaLoader loader = SchemaLoader.builder().schemaJson(definitionSchemaObject) - // registers the local schema with the draft-07 url - .registerSchemaByURI(schemaURI, jsonSchemaObject).draftV7Support().build(); - final Schema schema = loader.load().build(); - - try { - schema.validate(modelObject); // throws a ValidationException if this object is invalid - } catch (final org.everit.json.schema.ValidationException e) { - throw ValidationException.newScrubbedException(e); - } - } catch (final URISyntaxException e) { - throw new RuntimeException("Invalid URI format for JSON schema."); + final Schema schema = loader.build().load().build(); + schema.validate(modelObject); // throws a ValidationException if this object is invalid + } catch (final org.everit.json.schema.ValidationException e) { + throw ValidationException.newScrubbedException(e); } } @@ -68,7 +95,72 @@ public void validateObject(final JSONObject modelObject, final JSONObject defini * @throws ValidationException Thrown for any schema validation errors */ public void validateResourceDefinition(final JSONObject definition) throws ValidationException { + // inject/replace $schema URI to ensure that provider definition schema is used + definition.put("$schema", RESOURCE_DEFINITION_SCHEMA_URI.toString()); validateObject(definition, definitionSchemaJsonObject); + // validateObject cannot validate schema-specific attributes. For example if definition + // contains "propertyA": { "$ref":"./some-non-existent-location.json#definitions/PropertyX"} + // validateObject will succeed, because all it cares about is that "$ref" is a URI + // In order to validate that $ref points at an existing location in an existing document + // we have to "load" the schema + loadResourceSchema(definition); } + public Schema loadResourceSchema(final JSONObject resourceDefinition) { + return getResourceSchemaBuilder(resourceDefinition).build(); + } + + /** + * returns Schema.Builder with pre-loaded JSON draft-07 meta-schema and resource definition meta-schema + * (resource.definition.schema.v1.json). Resulting Schema.Builder can be used to build a schema that + * can be used to validate parts of CloudFormation template. + * + * @param resourceDefinition - actual resource definition (not resource definition schema) + * @return + */ + public Schema.Builder getResourceSchemaBuilder(final JSONObject resourceDefinition) { + final SchemaLoaderBuilder loaderBuilder = getSchemaLoader(resourceDefinition); + loaderBuilder.registerSchemaByURI(RESOURCE_DEFINITION_SCHEMA_URI, definitionSchemaJsonObject); + + final SchemaLoader loader = loaderBuilder.build(); + try { + return loader.load(); + } catch (org.everit.json.schema.SchemaException e) { + throw new ValidationException(e.getMessage(), e.getSchemaLocation(), e); + } + } + + /** + * Convenience method - creates a SchemaLoaderBuilder with cached JSON draft-07 meta-schema + * + * @param schemaObject + * @return + */ + private SchemaLoaderBuilder getSchemaLoader(JSONObject schemaObject) { + final SchemaLoaderBuilder builder = SchemaLoader + .builder() + .schemaJson(schemaObject) + .draftV7Support() + .schemaClient(downloader); + + // registers the local schema with the draft-07 url + // registered twice because we've seen some confusion around this in the past + builder.registerSchemaByURI(JSON_SCHEMA_URI_HTTP, jsonSchemaObject); + builder.registerSchemaByURI(JSON_SCHEMA_URI_HTTPS, jsonSchemaObject); + + return builder; + } + + private static JSONObject loadResourceAsJSON(String path) { + return new JSONObject(new JSONTokener(Validator.class.getResourceAsStream(path))); + } + + /** wrapper around new URI that throws an unchecked exception */ + static URI newURI(final String uri) { + try { + return new URI(uri); + } catch (URISyntaxException e) { + throw new RuntimeException(uri); + } + } } diff --git a/src/main/java/software/amazon/cloudformation/resource/exceptions/ValidationException.java b/src/main/java/software/amazon/cloudformation/resource/exceptions/ValidationException.java index 0b553b3..6209804 100644 --- a/src/main/java/software/amazon/cloudformation/resource/exceptions/ValidationException.java +++ b/src/main/java/software/amazon/cloudformation/resource/exceptions/ValidationException.java @@ -48,6 +48,15 @@ public ValidationException(final String message, this(message, Collections.emptyList(), keyword, schemaPointer); } + public ValidationException(final String message, + final String schemaPointer, + final Exception cause) { + super(message, cause); + this.causingExceptions = Collections.emptyList(); + this.keyword = ""; + this.schemaPointer = schemaPointer; + } + public ValidationException(final String message, final List causingExceptions, final String keyword, diff --git a/src/main/resources/schema/provider.definition.schema.v1.json b/src/main/resources/schema/provider.definition.schema.v1.json index a656626..12174ba 100644 --- a/src/main/resources/schema/provider.definition.schema.v1.json +++ b/src/main/resources/schema/provider.definition.schema.v1.json @@ -1,6 +1,6 @@ { "$schema": "https://json-schema.org/draft-07/schema#", - "$id": "provider.definition.schema.v1.json", + "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/provider.definition.schema.v1.json", "title": "CloudFormation Resource Provider Definition MetaSchema", "description": "This schema validates a CloudFormation resource provider definition.", "definitions": { diff --git a/src/main/resources/schema/schema b/src/main/resources/schema/schema index 2261e0d..33627e9 100644 --- a/src/main/resources/schema/schema +++ b/src/main/resources/schema/schema @@ -1,6 +1,6 @@ { "$schema": "https://json-schema.org/draft-07/schema#", - "$id": "https://json-schema.org/draft-07/schema#", + "$id": "https://json-schema.org/draft-07/schema", "title": "Core schema meta-schema", "definitions": { "schemaArray": { diff --git a/src/test/java/software/amazon/cloudformation/resource/ValidatorRefResolutionTests.java b/src/test/java/software/amazon/cloudformation/resource/ValidatorRefResolutionTests.java new file mode 100644 index 0000000..38b09c0 --- /dev/null +++ b/src/test/java/software/amazon/cloudformation/resource/ValidatorRefResolutionTests.java @@ -0,0 +1,114 @@ +/* +* Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +* +* Licensed under the Apache License, Version 2.0 (the "License"). +* You may not use this file except in compliance with the License. +* A copy of the License is located at +* +* http://aws.amazon.com/apache2.0 +* +* or in the "license" file accompanying this file. This file is distributed +* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +* express or implied. See the License for the specific language governing +* permissions and limitations under the License. +*/ +package software.amazon.cloudformation.resource; + +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; +import static org.mockito.Mockito.times; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; +import static software.amazon.cloudformation.resource.ValidatorTest.loadJSON; + +import org.everit.json.schema.Schema; +import org.everit.json.schema.loader.SchemaClient; +import org.json.JSONObject; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; + +import software.amazon.cloudformation.resource.exceptions.ValidationException; + +@ExtendWith(MockitoExtension.class) +public class ValidatorRefResolutionTests { + + public static final String RESOURCE_DEFINITION_PATH = "/valid-with-refs.json"; + private final static String COMMON_TYPES_PATH = "/common.types.v1.json"; + private final String expectedRefUrl = "https://schema.cloudformation.us-east-1.amazonaws.com/common.types.v1.json"; + + @Mock + private SchemaClient downloader; + private Validator validator; + + @BeforeEach + public void beforeEach() { + when(downloader.get(expectedRefUrl)).thenAnswer(x -> ValidatorTest.getResourceAsStream(COMMON_TYPES_PATH)); + + this.validator = new Validator(downloader); + } + + @Test + public void loadResourceSchema_validRelativeRef_shouldSucceed() { + + JSONObject schema = loadJSON(RESOURCE_DEFINITION_PATH); + validator.validateResourceDefinition(schema); + + // valid-with-refs.json contains two refs pointing at locations inside + // common.types.v1.json + // Everit will attempt to download the remote schema once for each $ref - it + // doesn't cache remote schemas. Expect the downloader to be called twice + verify(downloader, times(2)).get(expectedRefUrl); + } + + /** + * expect a valid resource schema contains a ref to a non-existent property in a + * remote meta-schema + */ + @Test + public void loadResourceSchema_invalidRelativeRef_shouldThrow() { + + JSONObject badSchema = loadJSON("/invalid-bad-ref.json"); + + assertThatExceptionOfType(ValidationException.class) + .isThrownBy(() -> validator.validateResourceDefinition(badSchema)); + } + + /** example of using Validator to validate a json data files */ + @Test + public void validateTemplateAgainstResourceSchema_valid_shouldSucceed() { + + JSONObject resourceDefinition = loadJSON(RESOURCE_DEFINITION_PATH); + Schema schema = validator.loadResourceSchema(resourceDefinition); + + schema.validate(getSampleTemplate()); + } + + /** + * template that contains an invalid value in one of its properties fails + * validation + */ + @Test + public void validateTemplateAgainsResourceSchema_invalid_shoudThrow() { + JSONObject resourceDefinition = loadJSON(RESOURCE_DEFINITION_PATH); + Schema schema = validator.loadResourceSchema(resourceDefinition); + + final JSONObject template = getSampleTemplate(); + template.put("propertyB", "not.an.IP.address"); + + assertThatExceptionOfType(org.everit.json.schema.ValidationException.class) + .isThrownBy(() -> schema.validate(template)); + } + + /** + * resource schema located at RESOURCE_DEFINITION_PATH declares two properties: + * "Time" in ISO 8601 format (UTC only) and "propertyB" - an IP address Both + * fields are declares as refs to common.types.v1.json. "Time" is marked as + * required property getSampleTemplate constructs a JSON object with a single + * Time property. + */ + private JSONObject getSampleTemplate() { + return new JSONObject().put("Time", "2019-12-12T10:10:22.212Z"); + } +} diff --git a/src/test/java/software/amazon/cloudformation/resource/ValidatorTest.java b/src/test/java/software/amazon/cloudformation/resource/ValidatorTest.java index cee1a36..0461922 100644 --- a/src/test/java/software/amazon/cloudformation/resource/ValidatorTest.java +++ b/src/test/java/software/amazon/cloudformation/resource/ValidatorTest.java @@ -333,14 +333,6 @@ public void validateDefinition_validHandlerSection_shouldNotThrow() { validator.validateResourceDefinition(definition); } - @Test - public void validateDefinition_validRelativeRef_shouldNotThrow() { - final JSONObject definition = new JSONObject(new JSONTokener(this.getClass() - .getResourceAsStream("/valid-with-relative-ref.json"))); - - validator.validateResourceDefinition(definition); - } - @ParameterizedTest @ValueSource(strings = { "ftp://example.com", "http://example.com", "git://example.com", "https://", }) public void validateDefinition_nonMatchingDocumentationUrl_shouldThrow(final String documentationUrl) { @@ -418,4 +410,16 @@ public void validateExample_exampleResource_shouldBeValid() throws IOException { } } + static JSONObject loadJSON(String path) { + try { + return new JSONObject(new JSONTokener(ValidatorTest.getResourceAsStream(path))); + } catch (Throwable ex) { + System.out.println("path: " + path); + throw ex; + } + } + + static InputStream getResourceAsStream(String path) { + return ValidatorRefResolutionTests.class.getResourceAsStream(path); + } } diff --git a/src/test/resources/common.types.v1.json b/src/test/resources/common.types.v1.json new file mode 100644 index 0000000..17b5319 --- /dev/null +++ b/src/test/resources/common.types.v1.json @@ -0,0 +1,34 @@ +{ + "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/common.types.v1.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "description": "Common Resource Type Schemas", + "definitions": { + "cidrBlock": { + "$comment": "TODO: regex could be more strict, for example this allows the cidr 999.999.999.999 and 999.999.999.999/32", + "description": "Classless Inter-Domain Routing (CIDR) block", + "type": "string", + "pattern": "^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$" + }, + "ipV6CidrBlock": { + "$comment": "TODO: find sane regex for this", + "description": "IPV6 Classless Inter-Domain Routing (CIDR) block", + "type": "string" + }, + "iso8601UTC": { + "description": "The date value in ISO 8601 format. The timezone is always UTC. (YYYY-MM-DDThh:mm:ssZ)", + "type": "string", + "pattern": "^([0-2]\\d{3})-(0[0-9]|1[0-2])-([0-2]\\d|3[01])T([01]\\d|2[0-4]):([0-5]\\d):([0-6]\\d)((\\.\\d{3})?)Z$" + }, + "ipv4Address": { + "description": "IPV4 address", + "type": "string" + }, + "ipv6Address": { + "description": "IPV6 address", + "type": "string" + } + }, + "primaryIdentifier": [ + "#/" + ] +} diff --git a/src/test/resources/invalid-bad-ref.json b/src/test/resources/invalid-bad-ref.json new file mode 100644 index 0000000..09006e4 --- /dev/null +++ b/src/test/resources/invalid-bad-ref.json @@ -0,0 +1,21 @@ +{ + "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/resource-definition-with-refs.json", + "typeName": "CFN::Test::Resource", + "description": "propertyB definition uses a ref pointer to a non-existent remote schema location", + "sourceUrl": "https://mycorp.com/my-repo.git", + "properties": { + "Time": { + "$ref": "./common.types.v1.json#/definitions/iso8601UTC" + }, + "propertyB": { + "type": "array", + "items": { + "$ref": "./common.types.v1.json#/definitions/badProperty" + } + } + }, + "primaryIdentifier": [ + "/properties/Time" + ], + "additionalProperties": false +} diff --git a/src/test/resources/valid-with-refs.json b/src/test/resources/valid-with-refs.json new file mode 100644 index 0000000..1cb1606 --- /dev/null +++ b/src/test/resources/valid-with-refs.json @@ -0,0 +1,22 @@ +{ + "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/resource-definition-with-refs.json", + "$schema": "https://schema.cloudformation.us-east-1.amazonaws.com/provider.definition.schema.v1.json", + "typeName": "CFN::Test::Resource", + "description": "Simple resource definition with ref pointers to definitions in a remote schema", + "sourceUrl": "https://mycorp.com/my-repo.git", + "properties": { + "Time": { + "$ref": "./common.types.v1.json#/definitions/iso8601UTC" + }, + "propertyB": { + "type": "array", + "items": { + "$ref": "./common.types.v1.json#/definitions/ipv4Address" + } + } + }, + "primaryIdentifier": [ + "/properties/Time" + ], + "additionalProperties": false +} diff --git a/src/test/resources/valid-with-relative-ref.json b/src/test/resources/valid-with-relative-ref.json deleted file mode 100644 index 9c36a2b..0000000 --- a/src/test/resources/valid-with-relative-ref.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/valid-with-relative-ref.json#", - "typeName": "AWS::Test::WithExternalRefs", - "description": "A test schema for unit tests.", - "properties": { - "StringProperty": { - "$ref": "aws-ecs-taskdefinition.json#/properties/blah" - } - }, - "additionalProperties": false, - "primaryIdentifier": [ - "/properties/StringProperty" - ] -}