Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add validation against schema for JSON #117

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

urxvtcd
Copy link

@urxvtcd urxvtcd commented Aug 1, 2024

Hi there.

We were having some problems with freeconf/yang and freeconf/restconf being a bit too lenient when it comes to accepting payloads, so I made a small change adding validation against YANG schema for JSON payloads. The validation only looks for expected and unexpected child nodes for containers and list, nothing too crazy. I'll be the first to admit I don't really grok all the abstractions you've come up with, so let me know if this approach is OK.

You might notice that I've made Validate a public JSONRdr method, to be called by code accepting the payload, and thus making it optional. I'm not sure this is good, but wanted to get to you with what I have coded so far. Obviously this is not used in freeconf/restconf. For testing purposes I made a small change to PATCH chandler:

diff --git a/browser_handler.go b/browser_handler.go
index 57cd0dc..84e2122 100644
--- a/browser_handler.go
+++ b/browser_handler.go
@@ -176,12 +176,12 @@ func (hndlr *browserHandler) ServeHTTP(compliance ComplianceOptions, ctx context
                case "PATCH":
                        // CRUD - Upsert
                        var input node.Node
-                       input, err = requestNode(r, contentType)
+                       editable, _ := target.Constrain("content=config")
+                       input, err = validatedRequestNode(r, editable)
                        if err != nil {
                                handleErr(compliance, err, r, w, acceptType)
                                return
                        }
-                       editable, _ := target.Constrain("content=config")
                        err = editable.UpsertFrom(input)
                case "PUT":
                        // CRUD - Remove and replace
@@ -320,6 +320,14 @@ func requestNode(r *http.Request, contentType MimeType) (node.Node, error) {
        return nodeRdr(contentType, r.Body)
 }

+func validatedRequestNode(r *http.Request, selection *node.Selection) (node.Node, error) {
+       reader := nodeutil.JSONRdr{In: r.Body}
+       if err := reader.Validate(selection); err != nil {
+               return nil, fmt.Errorf("invalid payload: %s", err)
+       }
+       return reader.Node()
+}
+
 func (m MimeType) IsXml() bool {
        return strings.HasSuffix(string(m), "xml")
 }

One final note: I have ignored the form uploads.

Hope you find the change useful. Let me know what you think.

Best regards.

@dhubler
Copy link
Collaborator

dhubler commented Aug 1, 2024 via email

@urxvtcd
Copy link
Author

urxvtcd commented Aug 6, 2024

Yeah, I guess I should have checked the RFCs first instead of just going straight for the code. Just glancing right now I see that RFC 6241 mentions validation capability. But I'm not sure how (and if) that influences restconf. RFC 8040 has a section about error handling. In particular, it mentions two error codes that seem to be of interest, that is unknown-attribute and missing-attribute.

I think I can do some reading about this if you feel this is necessary.

@dhubler
Copy link
Collaborator

dhubler commented Aug 6, 2024 via email

@urxvtcd
Copy link
Author

urxvtcd commented Aug 7, 2024

That sounds sensible. Let me know when you check out the PR. No pressure, of course. We have the workaround and this is open source after all.

@dhubler
Copy link
Collaborator

dhubler commented Aug 8, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants