Skip to content

Commit

Permalink
Add spec validation on save to producer API
Browse files Browse the repository at this point in the history
Signed-off-by: Evan Lezar <[email protected]>
  • Loading branch information
elezar committed Oct 15, 2024
1 parent b67d046 commit 1282f64
Show file tree
Hide file tree
Showing 10 changed files with 366 additions and 158 deletions.
30 changes: 16 additions & 14 deletions pkg/cdi/cache.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ import (

"github.com/fsnotify/fsnotify"
oci "github.com/opencontainers/runtime-spec/specs-go"
"tags.cncf.io/container-device-interface/pkg/cdi/producer"
cdi "tags.cncf.io/container-device-interface/specs-go"
)

Expand Down Expand Up @@ -280,30 +281,31 @@ func (c *Cache) highestPrioritySpecDir() (string, int) {
// priority Spec directory. If name has a "json" or "yaml" extension it
// choses the encoding. Otherwise the default YAML encoding is used.
func (c *Cache) WriteSpec(raw *cdi.Spec, name string) error {
var (
specDir string
path string
prio int
spec *Spec
err error
)

specDir, prio = c.highestPrioritySpecDir()
specDir, _ := c.highestPrioritySpecDir()
if specDir == "" {
return errors.New("no Spec directories to write to")
}

path = filepath.Join(specDir, name)
if ext := filepath.Ext(path); ext != ".json" && ext != ".yaml" {
path += defaultSpecExt
// Ideally we would like to pass the configured spec validator to the
// producer, but we would need to handle the synchronisation.
// Instead we call `validateSpec` here which is a no-op if no validator is
// configured.
if err := validateSpec(raw); err != nil {
return err
}

spec, err = newSpec(raw, path, prio)
p, err := producer.New(
producer.WithOverwrite(true),
)
if err != nil {
return err
}

return spec.write(true)
path := filepath.Join(specDir, name)
if _, err := p.SaveSpec(raw, path); err != nil {
return err
}
return nil
}

// RemoveSpec removes a Spec with the given name from the highest
Expand Down
112 changes: 6 additions & 106 deletions pkg/cdi/container-edits.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ import (

oci "github.com/opencontainers/runtime-spec/specs-go"
ocigen "github.com/opencontainers/runtime-tools/generate"
"tags.cncf.io/container-device-interface/pkg/cdi/producer/validator"
cdi "tags.cncf.io/container-device-interface/specs-go"
)

Expand Down Expand Up @@ -167,32 +168,7 @@ func (e *ContainerEdits) Validate() error {
if e == nil || e.ContainerEdits == nil {
return nil
}

if err := ValidateEnv(e.Env); err != nil {
return fmt.Errorf("invalid container edits: %w", err)
}
for _, d := range e.DeviceNodes {
if err := (&DeviceNode{d}).Validate(); err != nil {
return err
}
}
for _, h := range e.Hooks {
if err := (&Hook{h}).Validate(); err != nil {
return err
}
}
for _, m := range e.Mounts {
if err := (&Mount{m}).Validate(); err != nil {
return err
}
}
if e.IntelRdt != nil {
if err := (&IntelRdt{e.IntelRdt}).Validate(); err != nil {
return err
}
}

return nil
return validator.Default.ValidateAny(e.ContainerEdits)
}

// Append other edits into this one. If called with a nil receiver,
Expand Down Expand Up @@ -220,71 +196,14 @@ func (e *ContainerEdits) Append(o *ContainerEdits) *ContainerEdits {
return e
}

// isEmpty returns true if these edits are empty. This is valid in a
// global Spec context but invalid in a Device context.
func (e *ContainerEdits) isEmpty() bool {
if e == nil {
return false
}
if len(e.Env) > 0 {
return false
}
if len(e.DeviceNodes) > 0 {
return false
}
if len(e.Hooks) > 0 {
return false
}
if len(e.Mounts) > 0 {
return false
}
if len(e.AdditionalGIDs) > 0 {
return false
}
if e.IntelRdt != nil {
return false
}
return true
}

// ValidateEnv validates the given environment variables.
func ValidateEnv(env []string) error {
for _, v := range env {
if strings.IndexByte(v, byte('=')) <= 0 {
return fmt.Errorf("invalid environment variable %q", v)
}
}
return nil
}

// DeviceNode is a CDI Spec DeviceNode wrapper, used for validating DeviceNodes.
type DeviceNode struct {
*cdi.DeviceNode
}

// Validate a CDI Spec DeviceNode.
func (d *DeviceNode) Validate() error {
validTypes := map[string]struct{}{
"": {},
"b": {},
"c": {},
"u": {},
"p": {},
}

if d.Path == "" {
return errors.New("invalid (empty) device path")
}
if _, ok := validTypes[d.Type]; !ok {
return fmt.Errorf("device %q: invalid type %q", d.Path, d.Type)
}
for _, bit := range d.Permissions {
if bit != 'r' && bit != 'w' && bit != 'm' {
return fmt.Errorf("device %q: invalid permissions %q",
d.Path, d.Permissions)
}
}
return nil
return validator.Default.ValidateAny(d.DeviceNode)
}

// Hook is a CDI Spec Hook wrapper, used for validating hooks.
Expand All @@ -294,16 +213,7 @@ type Hook struct {

// Validate a hook.
func (h *Hook) Validate() error {
if _, ok := validHookNames[h.HookName]; !ok {
return fmt.Errorf("invalid hook name %q", h.HookName)
}
if h.Path == "" {
return fmt.Errorf("invalid hook %q with empty path", h.HookName)
}
if err := ValidateEnv(h.Env); err != nil {
return fmt.Errorf("invalid hook %q: %w", h.HookName, err)
}
return nil
return validator.Default.ValidateAny(h.Hook)
}

// Mount is a CDI Mount wrapper, used for validating mounts.
Expand All @@ -313,13 +223,7 @@ type Mount struct {

// Validate a mount.
func (m *Mount) Validate() error {
if m.HostPath == "" {
return errors.New("invalid mount, empty host path")
}
if m.ContainerPath == "" {
return errors.New("invalid mount, empty container path")
}
return nil
return validator.Default.ValidateAny(m.Mount)
}

// IntelRdt is a CDI IntelRdt wrapper.
Expand All @@ -337,11 +241,7 @@ func ValidateIntelRdt(i *cdi.IntelRdt) error {

// Validate validates the IntelRdt configuration.
func (i *IntelRdt) Validate() error {
// ClosID must be a valid Linux filename
if len(i.ClosID) >= 4096 || i.ClosID == "." || i.ClosID == ".." || strings.ContainsAny(i.ClosID, "/\n") {
return errors.New("invalid ClosID")
}
return nil
return validator.Default.ValidateAny(i.IntelRdt)
}

// Ensure OCI Spec hooks are not nil so we can add hooks.
Expand Down
23 changes: 2 additions & 21 deletions pkg/cdi/device.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,8 @@
package cdi

import (
"fmt"

oci "github.com/opencontainers/runtime-spec/specs-go"
"tags.cncf.io/container-device-interface/internal/validation"
"tags.cncf.io/container-device-interface/pkg/cdi/producer/validator"
"tags.cncf.io/container-device-interface/pkg/parser"
cdi "tags.cncf.io/container-device-interface/specs-go"
)
Expand Down Expand Up @@ -67,22 +65,5 @@ func (d *Device) edits() *ContainerEdits {

// Validate the device.
func (d *Device) validate() error {
if err := parser.ValidateDeviceName(d.Name); err != nil {
return err
}
name := d.Name
if d.spec != nil {
name = d.GetQualifiedName()
}
if err := validation.ValidateSpecAnnotations(name, d.Annotations); err != nil {
return err
}
edits := d.edits()
if edits.isEmpty() {
return fmt.Errorf("invalid device, empty device edits")
}
if err := edits.Validate(); err != nil {
return fmt.Errorf("invalid device %q: %w", d.Name, err)
}
return nil
return validator.Default.ValidateAny(d.Device)
}
7 changes: 7 additions & 0 deletions pkg/cdi/producer/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,8 @@

package producer

import cdi "tags.cncf.io/container-device-interface/specs-go"

type specFormat string

const (
Expand All @@ -27,3 +29,8 @@ const (
// SpecFormatYAML defines a CDI spec formatted as YAML.
SpecFormatYAML = specFormat(".yaml")
)

// a specValidator is used to validate a CDI spec.
type specValidator interface {
Validate(*cdi.Spec) error
}
17 changes: 16 additions & 1 deletion pkg/cdi/producer/options.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,11 @@

package producer

import "fmt"
import (
"fmt"

"tags.cncf.io/container-device-interface/pkg/cdi/producer/validator"
)

// An Option defines a functional option for constructing a producer.
type Option func(*Producer) error
Expand All @@ -34,6 +38,17 @@ func WithSpecFormat(format specFormat) Option {
}
}

// WithSpecValidator sets a validator to be used when writing an output spec.
func WithSpecValidator(v specValidator) Option {
return func(p *Producer) error {
if v == nil {
v = validator.Disabled
}
p.validator = v
return nil
}
}

// WithOverwrite specifies whether a producer should overwrite a CDI spec when
// saving to file.
func WithOverwrite(overwrite bool) Option {
Expand Down
20 changes: 18 additions & 2 deletions pkg/cdi/producer/producer.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,21 +17,25 @@
package producer

import (
"fmt"
"path/filepath"

"tags.cncf.io/container-device-interface/pkg/cdi/producer/validator"
cdi "tags.cncf.io/container-device-interface/specs-go"
)

// A Producer defines a structure for outputting CDI specifications.
type Producer struct {
format specFormat
failIfExists bool
validator specValidator
}

// New creates a new producer with the supplied options.
func New(opts ...Option) (*Producer, error) {
p := &Producer{
format: DefaultSpecFormat,
format: DefaultSpecFormat,
validator: validator.Default,
}
for _, opt := range opts {
err := opt(p)
Expand All @@ -47,8 +51,11 @@ func New(opts ...Option) (*Producer, error) {
// extension takes precedence over the format with which the Producer was
// configured.
func (p *Producer) SaveSpec(s *cdi.Spec, filename string) (string, error) {
filename = p.normalizeFilename(filename)
if err := p.Validate(s); err != nil {
return "", fmt.Errorf("spec validation failed: %w", err)
}

filename = p.normalizeFilename(filename)
sp := spec{
Spec: s,
format: p.specFormatFromFilename(filename),
Expand All @@ -61,6 +68,15 @@ func (p *Producer) SaveSpec(s *cdi.Spec, filename string) (string, error) {
return filename, nil
}

// Validate performs a validation on a CDI spec using the configured validator.
// If no validator is configured, the spec is considered unconditionaly valid.

Check failure on line 72 in pkg/cdi/producer/producer.go

View workflow job for this annotation

GitHub Actions / Check for spelling errors

unconditionaly ==> unconditionally
func (p *Producer) Validate(s *cdi.Spec) error {
if p == nil || p.validator == nil {
return nil
}
return p.validator.Validate(s)
}

// specFormatFromFilename determines the CDI spec format for the given filename.
func (p *Producer) specFormatFromFilename(filename string) specFormat {
switch filepath.Ext(filename) {
Expand Down
23 changes: 23 additions & 0 deletions pkg/cdi/producer/validator/api.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
/*
Copyright © 2024 The CDI Authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package validator

// Validators as constants.
const (
Default = defaultValidator("default")
Disabled = disabledValidator("disabled")
)
Loading

0 comments on commit 1282f64

Please sign in to comment.