Merge pull request #7507 from sbueringer/pr-validate-unknown-variable-fields

k8s-ci-robot · web-flow · commit 69576fcae116 · 2022-11-07T10:08:16.000-08:00
⚠️ ClusterClass: validate unknown fields in variable values
diff --git a/api/v1beta1/clusterclass_types.go b/api/v1beta1/clusterclass_types.go
@@ -319,6 +319,12 @@ type JSONSchemaProps struct {
 	// +optional
 	ExclusiveMinimum bool `json:"exclusiveMinimum,omitempty"`
 
+	// XPreserveUnknownFields allows setting fields in a variable object
+	// which are not defined in the variable schema. This affects fields recursively,
+	// except if nested properties or additionalProperties are specified in the schema.
+	// +optional
+	XPreserveUnknownFields bool `json:"x-kubernetes-preserve-unknown-fields,omitempty"`
+
 	// Enum is the list of valid values of the variable.
 	// NOTE: Can be set for all types.
 	// +optional
diff --git a/api/v1beta1/zz_generated.openapi.go b/api/v1beta1/zz_generated.openapi.go
diff --git a/config/crd/bases/cluster.x-k8s.io_clusterclasses.yaml b/config/crd/bases/cluster.x-k8s.io_clusterclasses.yaml
diff --git a/internal/topology/variables/cluster_variable_validation.go b/internal/topology/variables/cluster_variable_validation.go
@@ -19,8 +19,11 @@ package variables
 import (
 	"encoding/json"
 	"fmt"
+	"strings"
 
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	structuralschema "k8s.io/apiextensions-apiserver/pkg/apiserver/schema"
+	structuralpruning "k8s.io/apiextensions-apiserver/pkg/apiserver/schema/pruning"
 	"k8s.io/apiextensions-apiserver/pkg/apiserver/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
@@ -133,7 +136,55 @@ func ValidateClusterVariable(clusterVariable *clusterv1.ClusterVariable, cluster
 
 	// Validate variable against the schema.
 	// NOTE: We're reusing a library func used in CRD validation.
-	return validation.ValidateCustomResource(fldPath, variableValue, validator)
+	if err := validation.ValidateCustomResource(fldPath, variableValue, validator); err != nil {
+		return err
+	}
+
+	return validateUnknownFields(fldPath, clusterVariable, variableValue, apiExtensionsSchema)
+}
+
+// validateUnknownFields validates the given variableValue for unknown fields.
+// This func returns an error if there are variable fields in variableValue that are not defined in
+// variableSchema and if x-kubernetes-preserve-unknown-fields is not set.
+func validateUnknownFields(fldPath *field.Path, clusterVariable *clusterv1.ClusterVariable, variableValue interface{}, variableSchema *apiextensions.JSONSchemaProps) field.ErrorList {
+	// Structural schema pruning does not work with scalar values,
+	// so we wrap the schema and the variable in objects.
+	// <variable-name>: <variable-value>
+	wrappedVariable := map[string]interface{}{
+		clusterVariable.Name: variableValue,
+	}
+	// type: object
+	// properties:
+	//   <variable-name>: <variable-schema>
+	wrappedSchema := &apiextensions.JSONSchemaProps{
+		Type: "object",
+		Properties: map[string]apiextensions.JSONSchemaProps{
+			clusterVariable.Name: *variableSchema,
+		},
+	}
+	ss, err := structuralschema.NewStructural(wrappedSchema)
+	if err != nil {
+		return field.ErrorList{field.Invalid(fldPath, "",
+			fmt.Sprintf("failed defaulting variable %q: %v", clusterVariable.Name, err))}
+	}
+
+	// Run Prune to check if it would drop any unknown fields.
+	opts := structuralschema.UnknownFieldPathOptions{
+		// TrackUnknownFieldPaths has to be true so PruneWithOptions returns the unknown fields.
+		TrackUnknownFieldPaths: true,
+	}
+	prunedUnknownFields := structuralpruning.PruneWithOptions(wrappedVariable, ss, false, opts)
+	if len(prunedUnknownFields) > 0 {
+		// If prune dropped any unknown fields, return an error.
+		// This means that not all variable fields have been defined in the variable schema and
+		// x-kubernetes-preserve-unknown-fields was not set.
+		return field.ErrorList{
+			field.Invalid(fldPath, "",
+				fmt.Sprintf("failed validation: %q fields are not specified in the variable schema of variable %q", strings.Join(prunedUnknownFields, ","), clusterVariable.Name)),
+		}
+	}
+
+	return nil
 }
 
 func getClusterVariablesMap(clusterVariables []clusterv1.ClusterVariable) map[string]*clusterv1.ClusterVariable {
diff --git a/internal/topology/variables/cluster_variable_validation_test.go b/internal/topology/variables/cluster_variable_validation_test.go
@@ -900,6 +900,223 @@ func Test_ValidateClusterVariable(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "Valid object with x-kubernetes-preserve-unknown-fields",
+			clusterClassVariable: &clusterv1.ClusterClassVariable{
+				Name:     "testObject",
+				Required: true,
+				Schema: clusterv1.VariableSchema{
+					OpenAPIV3Schema: clusterv1.JSONSchemaProps{
+						Type: "object",
+						Properties: map[string]clusterv1.JSONSchemaProps{
+							"knownProperty": {
+								Type: "boolean",
+							},
+						},
+						// Preserves fields for the current object (in this case unknownProperty).
+						XPreserveUnknownFields: true,
+					},
+				},
+			},
+			clusterVariable: &clusterv1.ClusterVariable{
+				Name: "testObject",
+				Value: apiextensionsv1.JSON{
+					Raw: []byte(`{"knownProperty":false,"unknownProperty":true}`),
+				},
+			},
+		},
+		{
+			name: "Error if undefined field",
+			clusterClassVariable: &clusterv1.ClusterClassVariable{
+				Name:     "testObject",
+				Required: true,
+				Schema: clusterv1.VariableSchema{
+					OpenAPIV3Schema: clusterv1.JSONSchemaProps{
+						Type: "object",
+						Properties: map[string]clusterv1.JSONSchemaProps{
+							"knownProperty": {
+								Type: "boolean",
+							},
+						},
+					},
+				},
+			},
+			clusterVariable: &clusterv1.ClusterVariable{
+				Name: "testObject",
+				Value: apiextensionsv1.JSON{
+					// unknownProperty is not defined in the schema.
+					Raw: []byte(`{"knownProperty":false,"unknownProperty":true}`),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "Error if undefined field with different casing",
+			clusterClassVariable: &clusterv1.ClusterClassVariable{
+				Name:     "testObject",
+				Required: true,
+				Schema: clusterv1.VariableSchema{
+					OpenAPIV3Schema: clusterv1.JSONSchemaProps{
+						Type: "object",
+						Properties: map[string]clusterv1.JSONSchemaProps{
+							"knownProperty": {
+								Type: "boolean",
+							},
+						},
+					},
+				},
+			},
+			clusterVariable: &clusterv1.ClusterVariable{
+				Name: "testObject",
+				Value: apiextensionsv1.JSON{
+					// KnownProperty is only defined with lower case in the schema.
+					Raw: []byte(`{"KnownProperty":false}`),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "Valid nested object with x-kubernetes-preserve-unknown-fields",
+			clusterClassVariable: &clusterv1.ClusterClassVariable{
+				Name:     "testObject",
+				Required: true,
+				Schema: clusterv1.VariableSchema{
+					OpenAPIV3Schema: clusterv1.JSONSchemaProps{
+						Type: "object",
+						// XPreserveUnknownFields preservers recursively if the object has nested fields
+						// as no nested Properties are defined.
+						XPreserveUnknownFields: true,
+					},
+				},
+			},
+			clusterVariable: &clusterv1.ClusterVariable{
+				Name: "testObject",
+				Value: apiextensionsv1.JSON{
+					Raw: []byte(`{"test": {"unknownProperty":false}}`),
+				},
+			},
+		},
+		{
+			name: "Valid object with nested fields and x-kubernetes-preserve-unknown-fields",
+			clusterClassVariable: &clusterv1.ClusterClassVariable{
+				Name:     "testObject",
+				Required: true,
+				Schema: clusterv1.VariableSchema{
+					OpenAPIV3Schema: clusterv1.JSONSchemaProps{
+						Type: "object",
+						Properties: map[string]clusterv1.JSONSchemaProps{
+							"test": {
+								Type: "object",
+								Properties: map[string]clusterv1.JSONSchemaProps{
+									"knownProperty": {
+										Type: "boolean",
+									},
+								},
+								// Preserves fields on the current level (in this case unknownProperty).
+								XPreserveUnknownFields: true,
+							},
+						},
+					},
+				},
+			},
+			clusterVariable: &clusterv1.ClusterVariable{
+				Name: "testObject",
+				Value: apiextensionsv1.JSON{
+					Raw: []byte(`{"test": {"knownProperty":false,"unknownProperty":true}}`),
+				},
+			},
+		},
+		{
+			name: "Error if undefined field nested",
+			clusterClassVariable: &clusterv1.ClusterClassVariable{
+				Name:     "testObject",
+				Required: true,
+				Schema: clusterv1.VariableSchema{
+					OpenAPIV3Schema: clusterv1.JSONSchemaProps{
+						Type: "object",
+						Properties: map[string]clusterv1.JSONSchemaProps{
+							"test": {
+								Type: "object",
+								Properties: map[string]clusterv1.JSONSchemaProps{
+									"knownProperty": {
+										Type: "boolean",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			clusterVariable: &clusterv1.ClusterVariable{
+				Name: "testObject",
+				Value: apiextensionsv1.JSON{
+					// unknownProperty is not defined in the schema.
+					Raw: []byte(`{"test": {"knownProperty":false,"unknownProperty":true}}`),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "Error if undefined field nested and x-kubernetes-preserve-unknown-fields one level above",
+			clusterClassVariable: &clusterv1.ClusterClassVariable{
+				Name:     "testObject",
+				Required: true,
+				Schema: clusterv1.VariableSchema{
+					OpenAPIV3Schema: clusterv1.JSONSchemaProps{
+						Type: "object",
+						Properties: map[string]clusterv1.JSONSchemaProps{
+							"test": {
+								Type: "object",
+								Properties: map[string]clusterv1.JSONSchemaProps{
+									"knownProperty": {
+										Type: "boolean",
+									},
+								},
+							},
+						},
+						// Preserves only on the current level as nested Properties are defined.
+						XPreserveUnknownFields: true,
+					},
+				},
+			},
+			clusterVariable: &clusterv1.ClusterVariable{
+				Name: "testObject",
+				Value: apiextensionsv1.JSON{
+					Raw: []byte(`{"test": {"knownProperty":false,"unknownProperty":true}}`),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "Valid object with mid-level unknown fields",
+			clusterClassVariable: &clusterv1.ClusterClassVariable{
+				Name:     "testObject",
+				Required: true,
+				Schema: clusterv1.VariableSchema{
+					OpenAPIV3Schema: clusterv1.JSONSchemaProps{
+						Type: "object",
+						Properties: map[string]clusterv1.JSONSchemaProps{
+							"test": {
+								Type: "object",
+								Properties: map[string]clusterv1.JSONSchemaProps{
+									"knownProperty": {
+										Type: "boolean",
+									},
+								},
+							},
+						},
+						// Preserves only on the current level as nested Properties are defined.
+						XPreserveUnknownFields: true,
+					},
+				},
+			},
+			clusterVariable: &clusterv1.ClusterVariable{
+				Name: "testObject",
+				Value: apiextensionsv1.JSON{
+					Raw: []byte(`{"test": {"knownProperty":false},"unknownProperty":true}`),
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/internal/topology/variables/schema.go b/internal/topology/variables/schema.go
@@ -23,6 +23,7 @@ import (
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/utils/pointer"
 
 	clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
@@ -48,6 +49,13 @@ func convertToAPIExtensionsJSONSchemaProps(schema *clusterv1.JSONSchemaProps, fl
 		ExclusiveMinimum: schema.ExclusiveMinimum,
 	}
 
+	// Only set XPreserveUnknownFields to true if it's true.
+	// apiextensions.JSONSchemaProps only allows setting XPreserveUnknownFields
+	// to true or undefined, false is forbidden.
+	if schema.XPreserveUnknownFields {
+		props.XPreserveUnknownFields = pointer.Bool(true)
+	}
+
 	if schema.Default != nil && schema.Default.Raw != nil {
 		var v interface{}
 		if err := json.Unmarshal(schema.Default.Raw, &v); err != nil {
