From ac0f597e5b1ff14bdc5dbf0d1da9e319625e037a Mon Sep 17 00:00:00 2001 From: Vladimir Tsirushkin Date: Sat, 14 Dec 2019 15:51:56 -0800 Subject: [PATCH] Validate $ref correctly (#23) --- pom.xml | 27 +++- .../cloudformation/resource/Validator.java | 133 +++++++++++++++--- .../exceptions/ValidationException.java | 9 ++ .../schema/provider.definition.schema.v1.json | 2 +- src/main/resources/schema/schema | 2 +- .../resource/ValidatorRefResolutionTests.java | 126 +++++++++++++++++ .../resource/ValidatorTest.java | 48 +++++-- src/test/resources/common.types.v1.json | 34 +++++ src/test/resources/invalid-bad-ref.json | 21 +++ src/test/resources/valid-with-refs.json | 22 +++ .../resources/valid-with-relative-ref.json | 14 -- 11 files changed, 393 insertions(+), 45 deletions(-) create mode 100644 src/test/java/software/amazon/cloudformation/resource/ValidatorRefResolutionTests.java create mode 100644 src/test/resources/common.types.v1.json create mode 100644 src/test/resources/invalid-bad-ref.json create mode 100644 src/test/resources/valid-with-refs.json delete mode 100644 src/test/resources/valid-with-relative-ref.json diff --git a/pom.xml b/pom.xml index 66fe36e..521b03c 100644 --- a/pom.xml +++ b/pom.xml @@ -56,11 +56,32 @@ 3.12.2 test - + + + org.mockito + mockito-junit-jupiter + 2.22.0 + test + + + + org.junit.jupiter + junit-jupiter-api + 5.1.1 + test + + + + org.junit.jupiter + junit-jupiter-params + 5.1.1 + test + + org.junit.jupiter - junit-jupiter - 5.5.1 + junit-jupiter-engine + 5.1.1 test diff --git a/src/main/java/software/amazon/cloudformation/resource/Validator.java b/src/main/java/software/amazon/cloudformation/resource/Validator.java index 09e6439..3ee761d 100644 --- a/src/main/java/software/amazon/cloudformation/resource/Validator.java +++ b/src/main/java/software/amazon/cloudformation/resource/Validator.java @@ -20,7 +20,11 @@ import lombok.Builder; import org.everit.json.schema.Schema; +import org.everit.json.schema.loader.SchemaClient; import org.everit.json.schema.loader.SchemaLoader; +import org.everit.json.schema.loader.SchemaLoader.SchemaLoaderBuilder; +import org.everit.json.schema.loader.internal.DefaultSchemaClient; +import org.json.JSONException; import org.json.JSONObject; import org.json.JSONTokener; @@ -28,35 +32,52 @@ public class Validator implements SchemaValidator { - private static final String JSON_SCHEMA_ID = "https://json-schema.org/draft-07/schema"; + private static final String ID_KEY = "$id"; private static final String JSON_SCHEMA_PATH = "/schema/schema"; - private static final String METASCHEMA_PATH = "/schema/provider.definition.schema.v1.json"; + private static final String RESOURCE_DEFINITION_SCHEMA_PATH = "/schema/provider.definition.schema.v1.json"; + /** + * resource definition schema ("resource schema schema"). All resource schemas + * are validated against this one and JSON schema draft v7 below. + */ private final JSONObject definitionSchemaJsonObject; + /** + * locally cached draft-07 JSON schema. All resource schemas are validated + * against it + */ private final JSONObject jsonSchemaObject; + /** + * this is what SchemaLoader uses to download remote $refs. Not necessarily an + * HTTP client, see the docs for details. We override the default SchemaClient + * client in unit tests to be able to control how remote refs are resolved. + */ + private final SchemaClient downloader; + + Validator(SchemaClient downloader) { + this(loadResourceAsJSON(JSON_SCHEMA_PATH), loadResourceAsJSON(RESOURCE_DEFINITION_SCHEMA_PATH), downloader); + } + + private Validator(JSONObject jsonSchema, + JSONObject definitionSchema, + SchemaClient downloader) { + this.jsonSchemaObject = jsonSchema; + this.definitionSchemaJsonObject = definitionSchema; + this.downloader = downloader; + } @Builder public Validator() { - // local copy of the draft-07 schema used to avoid remote reference calls - jsonSchemaObject = new JSONObject(new JSONTokener(this.getClass().getResourceAsStream(JSON_SCHEMA_PATH))); - definitionSchemaJsonObject = new JSONObject(new JSONTokener(this.getClass().getResourceAsStream(METASCHEMA_PATH))); + this(new DefaultSchemaClient()); } @Override public void validateObject(final JSONObject modelObject, final JSONObject definitionSchemaObject) throws ValidationException { + final SchemaLoaderBuilder loader = getSchemaLoader(definitionSchemaObject); + try { - final URI schemaURI = new URI(JSON_SCHEMA_ID); - final SchemaLoader loader = SchemaLoader.builder().schemaJson(definitionSchemaObject) - // registers the local schema with the draft-07 url - .registerSchemaByURI(schemaURI, jsonSchemaObject).draftV7Support().build(); - final Schema schema = loader.load().build(); - - try { - schema.validate(modelObject); // throws a ValidationException if this object is invalid - } catch (final org.everit.json.schema.ValidationException e) { - throw ValidationException.newScrubbedException(e); - } - } catch (final URISyntaxException e) { - throw new RuntimeException("Invalid URI format for JSON schema."); + final Schema schema = loader.build().load().build(); + schema.validate(modelObject); // throws a ValidationException if this object is invalid + } catch (final org.everit.json.schema.ValidationException e) { + throw ValidationException.newScrubbedException(e); } } @@ -69,6 +90,82 @@ public void validateObject(final JSONObject modelObject, final JSONObject defini */ public void validateResourceDefinition(final JSONObject definition) throws ValidationException { validateObject(definition, definitionSchemaJsonObject); + // validateObject cannot validate schema-specific attributes. For example if definition + // contains "propertyA": { "$ref":"./some-non-existent-location.json#definitions/PropertyX"} + // validateObject will succeed, because all it cares about is that "$ref" is a URI + // In order to validate that $ref points at an existing location in an existing document + // we have to "load" the schema + loadResourceSchema(definition); + } + + public Schema loadResourceSchema(final JSONObject resourceDefinition) { + return getResourceSchemaBuilder(resourceDefinition).build(); + } + + /** + * returns Schema.Builder with pre-loaded JSON draft-07 meta-schema and resource definition meta-schema + * (resource.definition.schema.v1.json). Resulting Schema.Builder can be used to build a schema that + * can be used to validate parts of CloudFormation template. + * + * @param resourceDefinition - actual resource definition (not resource definition schema) + * @return + */ + public Schema.Builder getResourceSchemaBuilder(final JSONObject resourceDefinition) { + final SchemaLoaderBuilder loaderBuilder = getSchemaLoader(resourceDefinition); + registerMetaSchema(loaderBuilder, definitionSchemaJsonObject); + + final SchemaLoader loader = loaderBuilder.build(); + try { + return loader.load(); + } catch (org.everit.json.schema.SchemaException e) { + throw new ValidationException(e.getMessage(), e.getSchemaLocation(), e); + } + } + + /** + * Convenience method - creates a SchemaLoaderBuilder with cached JSON draft-07 meta-schema + * + * @param schemaObject + * @return + */ + private SchemaLoaderBuilder getSchemaLoader(JSONObject schemaObject) { + final SchemaLoaderBuilder builder = SchemaLoader + .builder() + .schemaJson(schemaObject) + .draftV7Support() + .schemaClient(downloader); + // registers the local schema with the draft-07 url + registerMetaSchema(builder, jsonSchemaObject); + return builder; } + /** + * Register a meta-schema with the SchemaLoaderBuilder. The meta-schema $id is used to generate schema URI + * This has the effect of caching the meta-schema. When SchemaLoaderBuilder is used to build the Schema object, + * the cached version will be used. No calls to remote URLs will be made. + * Validator caches JSON schema (/resources/schema) and Resource Definition Schema + * (/resources/provider.definition.schema.v1.json) + * + * @param loaderBuilder + * @param schema meta-schema JSONObject to be cached. Must have a valid $id property + */ + void registerMetaSchema(final SchemaLoaderBuilder loaderBuilder, JSONObject schema) { + try { + String id = schema.getString(ID_KEY); + if (id.isEmpty()) { + throw new ValidationException("Invalid $id value", "$id", "[empty string]"); + } + final URI uri = new URI(id); + loaderBuilder.registerSchemaByURI(uri, schema); + } catch (URISyntaxException e) { + throw new ValidationException("Invalid $id value", "$id", e); + } catch (JSONException e) { + // $id is missing or not a string + throw new ValidationException("Invalid $id value", "$id", e); + } + } + + private static JSONObject loadResourceAsJSON(String path) { + return new JSONObject(new JSONTokener(Validator.class.getResourceAsStream(path))); + } } diff --git a/src/main/java/software/amazon/cloudformation/resource/exceptions/ValidationException.java b/src/main/java/software/amazon/cloudformation/resource/exceptions/ValidationException.java index 0b553b3..6209804 100644 --- a/src/main/java/software/amazon/cloudformation/resource/exceptions/ValidationException.java +++ b/src/main/java/software/amazon/cloudformation/resource/exceptions/ValidationException.java @@ -48,6 +48,15 @@ public ValidationException(final String message, this(message, Collections.emptyList(), keyword, schemaPointer); } + public ValidationException(final String message, + final String schemaPointer, + final Exception cause) { + super(message, cause); + this.causingExceptions = Collections.emptyList(); + this.keyword = ""; + this.schemaPointer = schemaPointer; + } + public ValidationException(final String message, final List causingExceptions, final String keyword, diff --git a/src/main/resources/schema/provider.definition.schema.v1.json b/src/main/resources/schema/provider.definition.schema.v1.json index a656626..12174ba 100644 --- a/src/main/resources/schema/provider.definition.schema.v1.json +++ b/src/main/resources/schema/provider.definition.schema.v1.json @@ -1,6 +1,6 @@ { "$schema": "https://json-schema.org/draft-07/schema#", - "$id": "provider.definition.schema.v1.json", + "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/provider.definition.schema.v1.json", "title": "CloudFormation Resource Provider Definition MetaSchema", "description": "This schema validates a CloudFormation resource provider definition.", "definitions": { diff --git a/src/main/resources/schema/schema b/src/main/resources/schema/schema index 2261e0d..33627e9 100644 --- a/src/main/resources/schema/schema +++ b/src/main/resources/schema/schema @@ -1,6 +1,6 @@ { "$schema": "https://json-schema.org/draft-07/schema#", - "$id": "https://json-schema.org/draft-07/schema#", + "$id": "https://json-schema.org/draft-07/schema", "title": "Core schema meta-schema", "definitions": { "schemaArray": { diff --git a/src/test/java/software/amazon/cloudformation/resource/ValidatorRefResolutionTests.java b/src/test/java/software/amazon/cloudformation/resource/ValidatorRefResolutionTests.java new file mode 100644 index 0000000..9a8147f --- /dev/null +++ b/src/test/java/software/amazon/cloudformation/resource/ValidatorRefResolutionTests.java @@ -0,0 +1,126 @@ +/* +* Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. +* +* Licensed under the Apache License, Version 2.0 (the "License"). +* You may not use this file except in compliance with the License. +* A copy of the License is located at +* +* http://aws.amazon.com/apache2.0 +* +* or in the "license" file accompanying this file. This file is distributed +* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either +* express or implied. See the License for the specific language governing +* permissions and limitations under the License. +*/ +package software.amazon.cloudformation.resource; + +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.when; +import static software.amazon.cloudformation.resource.ValidatorTest.loadJSON; + +import org.everit.json.schema.Schema; +import org.everit.json.schema.loader.SchemaClient; +import org.json.JSONObject; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.junit.jupiter.MockitoExtension; +import org.mockito.verification.VerificationMode; + +import software.amazon.cloudformation.resource.exceptions.ValidationException; + +/** + * + */ +@ExtendWith(MockitoExtension.class) +public class ValidatorRefResolutionTests { + + public static final String RESOURCE_DEFINITION_PATH = "/valid-with-refs.json"; + private final static String COMMON_TYPES_PATH = "/common.types.v1.json"; + private final String expectedRefUrl = "https://schema.cloudformation.us-east-1.amazonaws.com/common.types.v1.json"; + + @Mock + private SchemaClient downloader; + private Validator validator; + + @BeforeEach + public void beforeEach() { + when(downloader.get(expectedRefUrl)).thenAnswer(x -> ValidatorTest.getResourceAsStream(COMMON_TYPES_PATH)); + + this.validator = new Validator(downloader); + } + + @Test + public void loadResourceSchema_validRelativeRef_shouldSucceed() { + + JSONObject schema = loadJSON(RESOURCE_DEFINITION_PATH); + validator.validateResourceDefinition(schema); + + // valid-with-refs.json contains two refs pointing at locations inside + // common.types.v1.json + // Everit will attempt to download the remote schema once for each $ref - it + // doesn't cache + // remote schemas. Expect the downloader to be called twice + verify(downloader, twice()).get(expectedRefUrl); + } + + /** + * expect a valid resource schema contains a ref to a non-existent property in a + * remote meta-schema + */ + @Test + public void loadResourceSchema_invalidRelativeRef_shouldThrow() { + + JSONObject badSchema = loadJSON("/invalid-bad-ref.json"); + + assertThatExceptionOfType(ValidationException.class).isThrownBy(() -> { + validator.validateResourceDefinition(badSchema); + }); + } + + /** example of using Validator to validate a json data files */ + @Test + public void validateTemplateAgainstResourceSchema_valid_shouldSucceed() { + + JSONObject resourceDefinition = loadJSON(RESOURCE_DEFINITION_PATH); + Schema schema = validator.loadResourceSchema(resourceDefinition); + + schema.validate(getSampleTemplate()); + } + + /** + * template that contains an invalid value in one of its properties fails + * validation + */ + @Test + public void validateTemplateAgainsResourceSchema_invalid_shoudThrow() { + JSONObject resourceDefinition = loadJSON(RESOURCE_DEFINITION_PATH); + Schema schema = validator.loadResourceSchema(resourceDefinition); + + final JSONObject template = getSampleTemplate(); + template.put("propertyB", "not.an.IP.address"); + + assertThatExceptionOfType(org.everit.json.schema.ValidationException.class).isThrownBy(() -> schema.validate(template)); + } + + /** + * resource schema located at RESOURCE_DEFINITION_PATH declares two properties: + * "Time" in ISO 8601 format (UTC only) and "propertyB" - an IP address Both + * fields are declares as refs to common.types.v1.json. "Time" is marked as + * required property getSampleTemplate constructs a JSON object with a single + * Time property. + */ + private JSONObject getSampleTemplate() { + final JSONObject template = new JSONObject(); + template.put("Time", "2019-12-12T10:10:22.212Z"); + return template; + } + + private static VerificationMode twice() { + return Mockito.times(2); + } + +} diff --git a/src/test/java/software/amazon/cloudformation/resource/ValidatorTest.java b/src/test/java/software/amazon/cloudformation/resource/ValidatorTest.java index cee1a36..3bddefe 100644 --- a/src/test/java/software/amazon/cloudformation/resource/ValidatorTest.java +++ b/src/test/java/software/amazon/cloudformation/resource/ValidatorTest.java @@ -24,6 +24,7 @@ import java.util.Collections; import java.util.List; +import org.everit.json.schema.loader.SchemaLoader; import org.json.JSONObject; import org.json.JSONTokener; import org.junit.jupiter.api.BeforeEach; @@ -35,6 +36,7 @@ import software.amazon.cloudformation.resource.exceptions.ValidationException; public class ValidatorTest { + private static final String RESOURCE_DEFINITION_SCHEMA_PATH = "/schema/provider.definition.schema.v1.json"; private static final String TEST_SCHEMA_PATH = "/test-schema.json"; private static final String TEST_VALUE_SCHEMA_PATH = "/scrubbed-values-schema.json"; private static final String TYPE_NAME_KEY = "typeName"; @@ -333,14 +335,6 @@ public void validateDefinition_validHandlerSection_shouldNotThrow() { validator.validateResourceDefinition(definition); } - @Test - public void validateDefinition_validRelativeRef_shouldNotThrow() { - final JSONObject definition = new JSONObject(new JSONTokener(this.getClass() - .getResourceAsStream("/valid-with-relative-ref.json"))); - - validator.validateResourceDefinition(definition); - } - @ParameterizedTest @ValueSource(strings = { "ftp://example.com", "http://example.com", "git://example.com", "https://", }) public void validateDefinition_nonMatchingDocumentationUrl_shouldThrow(final String documentationUrl) { @@ -418,4 +412,42 @@ public void validateExample_exampleResource_shouldBeValid() throws IOException { } } + /** + * trivial coverage test: cannot cache a schema if it has an invalid $id + */ + @ParameterizedTest + @ValueSource(strings = { ":invalid/uri", "" }) + public void registerMetaSchema_invalidRelativeRef_shouldThrow(String uri) { + + JSONObject badSchema = loadJSON(RESOURCE_DEFINITION_SCHEMA_PATH); + badSchema.put("$id", uri); + assertThatExceptionOfType(ValidationException.class).isThrownBy(() -> { + validator.registerMetaSchema(SchemaLoader.builder(), badSchema); + }); + } + + /** + * trivial coverage test: cannot cache a schema if it has no $id + */ + @Test + public void registerMetaSchema_nullId_shouldThrow() { + JSONObject badSchema = loadJSON(RESOURCE_DEFINITION_SCHEMA_PATH); + badSchema.remove("$id"); + assertThatExceptionOfType(ValidationException.class).isThrownBy(() -> { + validator.registerMetaSchema(SchemaLoader.builder(), badSchema); + }); + } + + static JSONObject loadJSON(String path) { + try { + return new JSONObject(new JSONTokener(ValidatorTest.getResourceAsStream(path))); + } catch (Throwable ex) { + System.out.println("path: " + path); + throw ex; + } + } + + static InputStream getResourceAsStream(String path) { + return ValidatorRefResolutionTests.class.getResourceAsStream(path); + } } diff --git a/src/test/resources/common.types.v1.json b/src/test/resources/common.types.v1.json new file mode 100644 index 0000000..17b5319 --- /dev/null +++ b/src/test/resources/common.types.v1.json @@ -0,0 +1,34 @@ +{ + "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/common.types.v1.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "description": "Common Resource Type Schemas", + "definitions": { + "cidrBlock": { + "$comment": "TODO: regex could be more strict, for example this allows the cidr 999.999.999.999 and 999.999.999.999/32", + "description": "Classless Inter-Domain Routing (CIDR) block", + "type": "string", + "pattern": "^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$" + }, + "ipV6CidrBlock": { + "$comment": "TODO: find sane regex for this", + "description": "IPV6 Classless Inter-Domain Routing (CIDR) block", + "type": "string" + }, + "iso8601UTC": { + "description": "The date value in ISO 8601 format. The timezone is always UTC. (YYYY-MM-DDThh:mm:ssZ)", + "type": "string", + "pattern": "^([0-2]\\d{3})-(0[0-9]|1[0-2])-([0-2]\\d|3[01])T([01]\\d|2[0-4]):([0-5]\\d):([0-6]\\d)((\\.\\d{3})?)Z$" + }, + "ipv4Address": { + "description": "IPV4 address", + "type": "string" + }, + "ipv6Address": { + "description": "IPV6 address", + "type": "string" + } + }, + "primaryIdentifier": [ + "#/" + ] +} diff --git a/src/test/resources/invalid-bad-ref.json b/src/test/resources/invalid-bad-ref.json new file mode 100644 index 0000000..09006e4 --- /dev/null +++ b/src/test/resources/invalid-bad-ref.json @@ -0,0 +1,21 @@ +{ + "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/resource-definition-with-refs.json", + "typeName": "CFN::Test::Resource", + "description": "propertyB definition uses a ref pointer to a non-existent remote schema location", + "sourceUrl": "https://mycorp.com/my-repo.git", + "properties": { + "Time": { + "$ref": "./common.types.v1.json#/definitions/iso8601UTC" + }, + "propertyB": { + "type": "array", + "items": { + "$ref": "./common.types.v1.json#/definitions/badProperty" + } + } + }, + "primaryIdentifier": [ + "/properties/Time" + ], + "additionalProperties": false +} diff --git a/src/test/resources/valid-with-refs.json b/src/test/resources/valid-with-refs.json new file mode 100644 index 0000000..1cb1606 --- /dev/null +++ b/src/test/resources/valid-with-refs.json @@ -0,0 +1,22 @@ +{ + "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/resource-definition-with-refs.json", + "$schema": "https://schema.cloudformation.us-east-1.amazonaws.com/provider.definition.schema.v1.json", + "typeName": "CFN::Test::Resource", + "description": "Simple resource definition with ref pointers to definitions in a remote schema", + "sourceUrl": "https://mycorp.com/my-repo.git", + "properties": { + "Time": { + "$ref": "./common.types.v1.json#/definitions/iso8601UTC" + }, + "propertyB": { + "type": "array", + "items": { + "$ref": "./common.types.v1.json#/definitions/ipv4Address" + } + } + }, + "primaryIdentifier": [ + "/properties/Time" + ], + "additionalProperties": false +} diff --git a/src/test/resources/valid-with-relative-ref.json b/src/test/resources/valid-with-relative-ref.json deleted file mode 100644 index 9c36a2b..0000000 --- a/src/test/resources/valid-with-relative-ref.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "$id": "https://schema.cloudformation.us-east-1.amazonaws.com/valid-with-relative-ref.json#", - "typeName": "AWS::Test::WithExternalRefs", - "description": "A test schema for unit tests.", - "properties": { - "StringProperty": { - "$ref": "aws-ecs-taskdefinition.json#/properties/blah" - } - }, - "additionalProperties": false, - "primaryIdentifier": [ - "/properties/StringProperty" - ] -}