DGS-22343 Fix transformation of union of JSON refs (#2074)

Author: rayokota

src/confluent_kafka/schema_registry/common/json_schema.py

@@ -83,17 +83,17 @@ def transform(
             schema["type"] = original_type  # restore original type
     all_of = schema.get("allOf")
     if all_of is not None:
-        subschema = _validate_subschemas(all_of, message, ref_registry)
+        subschema = _validate_subschemas(all_of, message, ref_registry, ref_resolver)
         if subschema is not None:
             return transform(ctx, subschema, ref_registry, ref_resolver, path, message, field_transform)
     any_of = schema.get("anyOf")
     if any_of is not None:
-        subschema = _validate_subschemas(any_of, message, ref_registry)
+        subschema = _validate_subschemas(any_of, message, ref_registry, ref_resolver)
         if subschema is not None:
             return transform(ctx, subschema, ref_registry, ref_resolver, path, message, field_transform)
     one_of = schema.get("oneOf")
     if one_of is not None:
-        subschema = _validate_subschemas(one_of, message, ref_registry)
+        subschema = _validate_subschemas(one_of, message, ref_registry, ref_resolver)
         if subschema is not None:
             return transform(ctx, subschema, ref_registry, ref_resolver, path, message, field_transform)
     items = schema.get("items")
@@ -133,13 +133,14 @@ def _transform_field(
             get_type(prop_schema),
             get_inline_tags(prop_schema)
         )
-        value = message[prop_name]
-        new_value = transform(ctx, prop_schema, ref_registry, ref_resolver, full_name, value, field_transform)
-        if ctx.rule.kind == RuleKind.CONDITION:
-            if new_value is False:
-                raise RuleConditionError(ctx.rule)
-        else:
-            message[prop_name] = new_value
+        value = message.get(prop_name)
+        if value is not None:
+            new_value = transform(ctx, prop_schema, ref_registry, ref_resolver, full_name, value, field_transform)
+            if ctx.rule.kind == RuleKind.CONDITION:
+                if new_value is False:
+                    raise RuleConditionError(ctx.rule)
+            else:
+                message[prop_name] = new_value
     finally:
         ctx.exit_field()
 
@@ -163,11 +164,16 @@ def _validate_subtypes(
 def _validate_subschemas(
     subschemas: List[JsonSchema],
     message: JsonMessage,
-    registry: Registry
+    registry: Registry,
+    resolver: Resolver,
 ) -> Optional[JsonSchema]:
     for subschema in subschemas:
         try:
-            validate(instance=message, schema=subschema, registry=registry)
+            ref = subschema.get("$ref")
+            if ref is not None:
+                # resolve $ref before validating
+                subschema = resolver.lookup(ref).contents
+            validate(instance=message, schema=subschema, registry=registry, resolver=resolver)
             return subschema
         except ValidationError:
             pass
@@ -202,6 +208,11 @@ def get_type(schema: JsonSchema) -> FieldType:
         return FieldType.BOOLEAN
     if schema_type == "null":
         return FieldType.NULL
+
+    props = schema.get("properties")
+    if props is not None:
+        return FieldType.RECORD
+
     return FieldType.NULL
 
 

tests/schema_registry/_async/test_json_serdes.py

@@ -1209,6 +1209,129 @@ async def test_json_encryption_with_union():
     assert obj == obj2
 
 
+async def test_json_encryption_with_union_of_refs():
+    executor = FieldEncryptionExecutor.register_with_clock(FakeClock())
+
+    conf = {'url': _BASE_URL}
+    client = AsyncSchemaRegistryClient.new_client(conf)
+    ser_conf = {'auto.register.schemas': False, 'use.latest.version': True}
+    rule_conf = {'secret': 'mysecret'}
+    schema = {
+        "type": "object",
+        "properties": {
+            "messageType": {
+                "type": "string"
+            },
+            "version": {
+                "type": "string"
+            },
+            "payload": {
+                "type": "object",
+                "oneOf": [
+                    {
+                        "$ref": "#/$defs/authentication_request"
+                    },
+                    {
+                        "$ref": "#/$defs/authentication_status"
+                    }
+                ]
+            }
+        },
+        "required": [
+            "payload",
+            "messageType",
+            "version"
+        ],
+        "$defs": {
+            "authentication_request": {
+                "properties": {
+                    "messageId": {
+                        "type": "string",
+                        "confluent:tags": ["PII"]
+                    },
+                    "timestamp": {
+                        "type": "integer",
+                        "minimum": 0
+                    },
+                    "requestId": {
+                        "type": "string"
+                    }
+                },
+                "required": [
+                    "messageId",
+                    "timestamp"
+                ]
+            },
+            "authentication_status": {
+                "properties": {
+                    "messageId": {
+                        "type": "string",
+                        "confluent:tags": ["PII"]
+                    },
+                    "authType": {
+                        "type": [
+                            "string",
+                            "null"
+                        ]
+                    }
+                },
+                "required": [
+                    "messageId",
+                    "authType"
+                ]
+            }
+        }
+    }
+
+    rule = Rule(
+        "test-encrypt",
+        "",
+        RuleKind.TRANSFORM,
+        RuleMode.WRITEREAD,
+        "ENCRYPT",
+        ["PII"],
+        RuleParams({
+            "encrypt.kek.name": "kek1",
+            "encrypt.kms.type": "local-kms",
+            "encrypt.kms.key.id": "mykey"
+        }),
+        None,
+        None,
+        "ERROR,NONE",
+        False
+    )
+    await client.register_schema(_SUBJECT, Schema(
+        json.dumps(schema),
+        "JSON",
+        [],
+        None,
+        RuleSet(None, [rule])
+    ))
+
+    obj = {
+        "messageType": "authentication_request",
+        "version": "1.0",
+        "payload": {
+            "messageId": "12345",
+            "timestamp": 1757410647
+        }
+    }
+
+    ser = await AsyncJSONSerializer(json.dumps(schema), client, conf=ser_conf, rule_conf=rule_conf)
+    dek_client = executor.executor.client
+    ser_ctx = SerializationContext(_TOPIC, MessageField.VALUE)
+    obj_bytes = await ser(obj, ser_ctx)
+
+    # reset encrypted fields
+    assert obj['payload']['messageId'] != '12345'
+    obj['payload']['messageId'] = '12345'
+
+    deser = await AsyncJSONDeserializer(None, schema_registry_client=client, rule_conf=rule_conf)
+    executor.executor.client = dek_client
+    obj2 = await deser(obj_bytes, ser_ctx)
+    assert obj == obj2
+
+
 async def test_json_encryption_with_references():
     executor = FieldEncryptionExecutor.register_with_clock(FakeClock())
 

tests/schema_registry/_sync/test_json_serdes.py

@@ -1209,6 +1209,129 @@ def test_json_encryption_with_union():
     assert obj == obj2
 
 
+def test_json_encryption_with_union_of_refs():
+    executor = FieldEncryptionExecutor.register_with_clock(FakeClock())
+
+    conf = {'url': _BASE_URL}
+    client = SchemaRegistryClient.new_client(conf)
+    ser_conf = {'auto.register.schemas': False, 'use.latest.version': True}
+    rule_conf = {'secret': 'mysecret'}
+    schema = {
+        "type": "object",
+        "properties": {
+            "messageType": {
+                "type": "string"
+            },
+            "version": {
+                "type": "string"
+            },
+            "payload": {
+                "type": "object",
+                "oneOf": [
+                    {
+                        "$ref": "#/$defs/authentication_request"
+                    },
+                    {
+                        "$ref": "#/$defs/authentication_status"
+                    }
+                ]
+            }
+        },
+        "required": [
+            "payload",
+            "messageType",
+            "version"
+        ],
+        "$defs": {
+            "authentication_request": {
+                "properties": {
+                    "messageId": {
+                        "type": "string",
+                        "confluent:tags": ["PII"]
+                    },
+                    "timestamp": {
+                        "type": "integer",
+                        "minimum": 0
+                    },
+                    "requestId": {
+                        "type": "string"
+                    }
+                },
+                "required": [
+                    "messageId",
+                    "timestamp"
+                ]
+            },
+            "authentication_status": {
+                "properties": {
+                    "messageId": {
+                        "type": "string",
+                        "confluent:tags": ["PII"]
+                    },
+                    "authType": {
+                        "type": [
+                            "string",
+                            "null"
+                        ]
+                    }
+                },
+                "required": [
+                    "messageId",
+                    "authType"
+                ]
+            }
+        }
+    }
+
+    rule = Rule(
+        "test-encrypt",
+        "",
+        RuleKind.TRANSFORM,
+        RuleMode.WRITEREAD,
+        "ENCRYPT",
+        ["PII"],
+        RuleParams({
+            "encrypt.kek.name": "kek1",
+            "encrypt.kms.type": "local-kms",
+            "encrypt.kms.key.id": "mykey"
+        }),
+        None,
+        None,
+        "ERROR,NONE",
+        False
+    )
+    client.register_schema(_SUBJECT, Schema(
+        json.dumps(schema),
+        "JSON",
+        [],
+        None,
+        RuleSet(None, [rule])
+    ))
+
+    obj = {
+        "messageType": "authentication_request",
+        "version": "1.0",
+        "payload": {
+            "messageId": "12345",
+            "timestamp": 1757410647
+        }
+    }
+
+    ser = JSONSerializer(json.dumps(schema), client, conf=ser_conf, rule_conf=rule_conf)
+    dek_client = executor.executor.client
+    ser_ctx = SerializationContext(_TOPIC, MessageField.VALUE)
+    obj_bytes = ser(obj, ser_ctx)
+
+    # reset encrypted fields
+    assert obj['payload']['messageId'] != '12345'
+    obj['payload']['messageId'] = '12345'
+
+    deser = JSONDeserializer(None, schema_registry_client=client, rule_conf=rule_conf)
+    executor.executor.client = dek_client
+    obj2 = deser(obj_bytes, ser_ctx)
+    assert obj == obj2
+
+
 def test_json_encryption_with_references():
     executor = FieldEncryptionExecutor.register_with_clock(FakeClock())