schema validation

Author: mmetc

go.mod

@@ -72,6 +72,7 @@ require (
 	github.com/prometheus/common v0.66.1
 	github.com/r3labs/diff/v2 v2.15.1
 	github.com/sanity-io/litter v1.5.8
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/segmentio/kafka-go v0.4.48
 	github.com/shirou/gopsutil/v4 v4.25.8
 	github.com/sirupsen/logrus v1.9.3

go.sum

@@ -148,6 +148,8 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
+github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
 github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -508,6 +510,8 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sanity-io/litter v1.5.8 h1:uM/2lKrWdGbRXDrIq08Lh9XtVYoeGtcQxk9rtQ7+rYg=
 github.com/sanity-io/litter v1.5.8/go.mod h1:9gzJgR2i4ZpjZHsKvUXIRQVk7P+yM3e+jAF7bU2UI5U=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ=
+github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/segmentio/kafka-go v0.4.48 h1:9jyu9CWK4W5W+SroCe8EffbrRZVqAOkuaLd/ApID4Vs=
 github.com/segmentio/kafka-go v0.4.48/go.mod h1:HjF6XbOKh0Pjlkr5GVZxt6CsjjwnmhVOfURM5KMd8qg=

pkg/acquisition/config_test.go

@@ -1,6 +1,8 @@
 package acquisition
 
 import (
+	"errors"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -11,13 +13,17 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/goccy/go-yaml"
 
 	"github.com/crowdsecurity/crowdsec/pkg/csconfig"
 	"github.com/crowdsecurity/crowdsec/pkg/cwhub"
 	"github.com/crowdsecurity/crowdsec/pkg/metrics"
 )
 
-var wantErrLineRE = regexp.MustCompile(`(?m)^\s*#\s*wantErr:\s*(.*?)\s*$`)
+var (
+	wantErrLineRE = regexp.MustCompile(`(?m)^\s*#\s*wantErr:\s*(.*?)\s*$`)
+	wantSchemaErrLineRE = regexp.MustCompile(`(?m)^[ \t]*#[ \t]*schemaErr:[ \t]*([^\r\n]*)[ \t]*$`)
+)
 
 func findYAMLFiles(t *testing.T, root string) []string {
 	t.Helper()
@@ -54,6 +60,17 @@ func wantErrFromYAML(t *testing.T, fileContent []byte) (want string, found bool)
 	return strings.TrimSpace(string(m[1])), true
 }
 
+func wantSchemaErrFromYAML(t *testing.T, fileContent []byte) (want string, found bool) {
+	t.Helper()
+
+	m := wantSchemaErrLineRE.FindSubmatch(fileContent)
+	if len(m) == 0 {
+		return "", false
+	}
+
+	return strings.TrimSpace(string(m[1])), true
+}
+
 func TestParseSourceConfig(t *testing.T) {
 	ctx := t.Context()
 
@@ -63,6 +80,10 @@ func TestParseSourceConfig(t *testing.T) {
 		expectValid bool
 	}
 
+	type source struct {
+		Source string
+	}
+
 	// load a configuration, appsec needs it
 	_, _, err := csconfig.NewConfig("./testdata/config.yaml", false, false, true)
 	require.NoError(t, err)
@@ -87,6 +108,15 @@ func TestParseSourceConfig(t *testing.T) {
 				require.NoError(t, err, "read %q", path)
 
 				t.Run(filepath.ToSlash(rel), func(t *testing.T) {
+					var (
+						so source
+						schema string
+					)
+
+					if err = yaml.Unmarshal(fileContent, &so); err == nil {
+						schema = filepath.Join("schemas", so.Source + ".yaml")
+					}
+
 					if runtime.GOOS == "windows" && strings.Contains(path, "journalctl") {
 						return
 					}
@@ -97,11 +127,20 @@ func TestParseSourceConfig(t *testing.T) {
 
 					wantErr, hasWant := wantErrFromYAML(t, fileContent)
 
+					wantSchemaErr, hasWantSchemaErr := wantSchemaErrFromYAML(t, fileContent)
+
 					if s.expectValid {
 						require.False(t, hasWant, "valid config must not include # wantErr: directive")
 						parsed, err := ParseSourceConfig(ctx, fileContent, metrics.AcquisitionMetricsLevelNone, &hub)
 						require.NoError(t, err)
 						require.NotNil(t, parsed)
+						if schema != "" {
+							err = ValidateYAML(fileContent, schema)
+							if !errors.Is(err, fs.ErrNotExist) {
+								// XXX: ignore missing schema
+								require.NoError(t, err)
+							}
+						}
 						return
 					}
 
@@ -114,6 +153,31 @@ func TestParseSourceConfig(t *testing.T) {
 					require.Error(t, err, "got no error, expected %q", wantErr)
 					require.Nil(t, parsed)
 					assert.Equal(t, wantErr, err.Error())
+					if schema == "" {
+						return
+					}
+
+					// schema validation
+
+					err = ValidateYAML(fileContent, schema)
+					if errors.Is(err, fs.ErrNotExist) {
+						// XXX: ignore missing schema, for now
+						return
+					}
+
+					// a "schemaErr" comment must be present, even if empty
+					require.True(t, hasWantSchemaErr, "invalid configurations require an exlicit schemaErr comment. it can be empty string if the schema cannot detect the issue")
+					switch {
+					case err == nil && wantSchemaErr != "":
+						require.Error(t, err, "got no schema error, expected %q", wantSchemaErr)
+					case err != nil && wantSchemaErr == "":
+						require.Error(t, err, "got schema error %q, expected nil", err)
+					case err != nil:
+						assert.Contains(t, err.Error(), wantSchemaErr)
+					default:
+						require.NoError(t, err)
+						assert.Empty(t, wantSchemaErr)
+					}
 				})
 			}
 		})

pkg/acquisition/configuration/configuration.go

@@ -19,4 +19,5 @@ const (
 	TAIL_MODE   = "tail"
 	CAT_MODE    = "cat"
 	SERVER_MODE = "server" // No difference with tail, just a bit more verbose
+	// XXX:
 )

pkg/acquisition/modules/kafka/config.go

@@ -49,7 +49,7 @@ func (s *Source) UnmarshalConfig(yamlConfig []byte) error {
 
 	err := yaml.UnmarshalWithOptions(yamlConfig, &s.Config, yaml.Strict())
 	if err != nil {
-		return fmt.Errorf("cannot parse %s datasource configuration: %s", s.GetName(), yaml.FormatError(err, false, false))
+		return fmt.Errorf("cannot parse: %s", yaml.FormatError(err, false, false))
 	}
 
 	if len(s.Config.Brokers) == 0 {

pkg/acquisition/schemaval_test.go

@@ -0,0 +1,102 @@
+package acquisition
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"sort"
+	"strings"
+
+	"github.com/santhosh-tekuri/jsonschema/v6"
+	"github.com/goccy/go-yaml"
+)
+
+// format a compact error without schema location for testing purposes.
+func compactSchemaErr(err error) error {
+	var ve *jsonschema.ValidationError
+	if !errors.As(err, &ve) {
+		return err
+	}
+
+	out := ve.BasicOutput()
+	if out == nil || len(out.Errors) == 0 {
+		// Fallback; this may include schema URL, but it's better than losing the error.
+		return err
+	}
+
+	msgs := make([]string, 0, len(out.Errors))
+	for _, u := range out.Errors {
+		if u.Error == nil {
+			continue
+		}
+		loc := u.InstanceLocation
+		if loc == "" {
+			loc = "/"
+		}
+		msgs = append(msgs, fmt.Sprintf("%s: %s", loc, u.Error.String()))
+	}
+
+	sort.Strings(msgs)
+	return fmt.Errorf("%s", strings.Join(msgs, "; "))
+}
+
+// ValidateYAML validates configYAML against schemaPath.
+func ValidateYAML(configYAML []byte, schemaPath string) error {
+	if schemaPath == "" {
+		return errors.New("no schema provided")
+	}
+
+	configJSON, err := yaml.YAMLToJSON(configYAML)
+	if err != nil {
+		return fmt.Errorf("config: YAML->JSON: %w", err)
+	}
+
+	configDoc, err := jsonschema.UnmarshalJSON(bytes.NewReader(configJSON))
+	if err != nil {
+		return fmt.Errorf("config: decode JSON: %w", err)
+	}
+
+	c := jsonschema.NewCompiler()
+	c.DefaultDraft(jsonschema.Draft2020)
+
+	schemaYAML, err := os.ReadFile(schemaPath)
+	if err != nil {
+		return fmt.Errorf("read schema %q: %w", schemaPath, err)
+	}
+
+	schemaJSON, err := yaml.YAMLToJSON(schemaYAML)
+	if err != nil {
+		return fmt.Errorf("schema %q: YAML->JSON: %w", schemaPath, err)
+	}
+
+	schemaDoc, err := jsonschema.UnmarshalJSON(bytes.NewReader(schemaJSON))
+	if err != nil {
+		return fmt.Errorf("schema %q: decode JSON: %w", schemaPath, err)
+	}
+
+	abs, err := filepath.Abs(schemaPath)
+	if err != nil {
+		return fmt.Errorf("abs %q: %w", schemaPath, err)
+	}
+
+	if err := c.AddResource(abs, schemaDoc); err != nil {
+		return fmt.Errorf("add schema resource %q: %w", abs, err)
+	}
+
+	sch, err := c.Compile(abs)
+	if err != nil {
+		return fmt.Errorf("compile schema %q: %w", abs, err)
+	}
+
+	if err := sch.Validate(configDoc); err != nil {
+		var ve *jsonschema.ValidationError
+		if errors.As(err, &ve) {
+			return compactSchemaErr(ve)
+		}
+		return err
+	}
+
+	return nil
+}

pkg/acquisition/testdata/invalid/appsec/common_log_level_invalid.yaml

@@ -0,0 +1,5 @@
+# wantErr: failed to parse: not a valid logrus Level: "toto"
+# schemaErr: /log_level: value must be one of 'panic', 'fatal', 'error', 'warn', 'warning', 'info', 'debug', 'trace'
+source: appsec
+use_container_labels: true
+log_level: toto

pkg/acquisition/testdata/invalid/cloudwatch/common_log_level_invalid.yaml

@@ -0,0 +1,5 @@
+# wantErr: failed to parse: not a valid logrus Level: "toto"
+# schemaErr: /log_level: value must be one of 'panic', 'fatal', 'error', 'warn', 'warning', 'info', 'debug', 'trace'
+source: cloudwatch
+use_container_labels: true
+log_level: toto

pkg/acquisition/testdata/invalid/docker/common_log_level_invalid.yaml

@@ -0,0 +1,5 @@
+# wantErr: failed to parse: not a valid logrus Level: "toto"
+# schemaErr: /log_level: value must be one of 'panic', 'fatal', 'error', 'warn', 'warning', 'info', 'debug', 'trace'
+source: docker
+use_container_labels: true
+log_level: toto

…ata/invalid/docker/unsupported_mode.yaml …/invalid/docker/common_mode_invalid.yamlpkg/acquisition/testdata/invalid/docker/unsupported_mode.yaml renamed to pkg/acquisition/testdata/invalid/docker/common_mode_invalid.yaml pkg/acquisition/testdata/invalid/docker/unsupported_mode.yaml renamed to pkg/acquisition/testdata/invalid/docker/common_mode_invalid.yaml

@@ -1,4 +1,5 @@
 # wantErr: datasource of type docker: unsupported mode server for docker datasource
+# schemaErr: /mode: value must be one of 'tail', 'cat'
 mode: server
 source: docker
 container_name: