Merge pull request #966 from sigstore/unknown-fields

loosebazooka · web-flow · commit 67b9be26df6b · 2025-05-23T10:09:47.000-04:00
ignoreUnknownFields when parsing json
diff --git a/config/forbiddenApis.txt b/config/forbiddenApis.txt
@@ -0,0 +1 @@
+com.google.protobuf.util.JsonFormat#parser() @ Use dev.sigstore.json.ProtoJson#parser() instead
diff --git a/sigstore-java/build.gradle.kts b/sigstore-java/build.gradle.kts
@@ -116,6 +116,13 @@ jsonSchema2Pojo {
     }
 }
 
+forbiddenApis {
+    // Don't allow sigstore-java developers to directly call JsonFormat.parser(), use our wrapper instead
+    // which allows for ignored fields.
+    signaturesFiles = files("$rootDir/config/forbiddenApis.txt")
+    suppressAnnotations = setOf("dev.sigstore.forbidden.SuppressForbidden")
+}
+
 // TODO: keep until these code gen plugins explicitly declare dependencies
 tasks.named("sourcesJar") {
     dependsOn("generateJsonSchema2DataClassConfigRekor")
diff --git a/sigstore-java/src/main/java/dev/sigstore/bundle/BundleReader.java b/sigstore-java/src/main/java/dev/sigstore/bundle/BundleReader.java
@@ -16,7 +16,7 @@
 package dev.sigstore.bundle;
 
 import com.google.protobuf.ByteString;
-import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.json.ProtoJson;
 import dev.sigstore.proto.ProtoMutators;
 import dev.sigstore.proto.common.v1.HashAlgorithm;
 import dev.sigstore.rekor.client.ImmutableInclusionProof;
@@ -36,7 +36,7 @@ class BundleReader {
   static Bundle readBundle(Reader jsonReader) throws BundleParseException {
     var protoBundleBuilder = dev.sigstore.proto.bundle.v1.Bundle.newBuilder();
     try {
-      JsonFormat.parser().merge(jsonReader, protoBundleBuilder);
+      ProtoJson.parser().merge(jsonReader, protoBundleBuilder);
     } catch (IOException ioe) {
       throw new BundleParseException("Could not process bundle json", ioe);
     }
diff --git a/sigstore-java/src/main/java/dev/sigstore/bundle/BundleVerifier.java b/sigstore-java/src/main/java/dev/sigstore/bundle/BundleVerifier.java
@@ -21,14 +21,15 @@
 import com.google.protobuf.InvalidProtocolBufferException;
 import com.google.protobuf.MessageOrBuilder;
 import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.json.ProtoJson;
 import dev.sigstore.proto.bundle.v1.Bundle;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 
 /** Implements Sigstore Bundle verification. */
 public class BundleVerifier {
-  static final JsonFormat.Parser JSON_PARSER = JsonFormat.parser();
+  static final JsonFormat.Parser JSON_PARSER = ProtoJson.parser();
 
   /**
    * Parses Sigstore Bundle JSON into protobuf.
diff --git a/sigstore-java/src/main/java/dev/sigstore/forbidden/SuppressForbidden.java b/sigstore-java/src/main/java/dev/sigstore/forbidden/SuppressForbidden.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.forbidden;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Annotation to suppress forbidden apis errors. Try to scope this as tightly as possible to the
+ * class, method or field in question.
+ */
+@Retention(RetentionPolicy.CLASS)
+@Target({ElementType.CONSTRUCTOR, ElementType.FIELD, ElementType.METHOD, ElementType.TYPE})
+public @interface SuppressForbidden {
+  String reason();
+}
diff --git a/sigstore-java/src/main/java/dev/sigstore/json/ProtoJson.java b/sigstore-java/src/main/java/dev/sigstore/json/ProtoJson.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.json;
+
+import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.forbidden.SuppressForbidden;
+
+/** Use this instead of JsonFormat to pick up default formatter options for sigstore-java. */
+public class ProtoJson {
+
+  /** Default parser to use for sigstore parsing that doesn't fail with unknown fields */
+  @SuppressForbidden(reason = "JsonFormat#parser")
+  public static JsonFormat.Parser parser() {
+    return JsonFormat.parser().ignoringUnknownFields();
+  }
+}
diff --git a/sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreSigningConfig.java b/sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreSigningConfig.java
@@ -15,7 +15,7 @@
  */
 package dev.sigstore.trustroot;
 
-import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.json.ProtoJson;
 import dev.sigstore.proto.trustroot.v1.SigningConfig;
 import java.io.IOException;
 import java.io.InputStream;
@@ -66,7 +66,7 @@ static SigstoreSigningConfig from(SigningConfig proto) throws SigstoreConfigurat
   static SigstoreSigningConfig from(InputStream json) throws SigstoreConfigurationException {
     var signingConfigBuilder = SigningConfig.newBuilder();
     try (var reader = new InputStreamReader(json, StandardCharsets.UTF_8)) {
-      JsonFormat.parser().merge(reader, signingConfigBuilder);
+      ProtoJson.parser().merge(reader, signingConfigBuilder);
     } catch (IOException ex) {
       throw new SigstoreConfigurationException("Could not parse signing configuration", ex);
     }
diff --git a/sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreTrustedRoot.java b/sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreTrustedRoot.java
@@ -16,7 +16,7 @@
 package dev.sigstore.trustroot;
 
 import com.google.api.client.util.Lists;
-import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.json.ProtoJson;
 import dev.sigstore.proto.trustroot.v1.TrustedRoot;
 import dev.sigstore.proto.trustroot.v1.TrustedRootOrBuilder;
 import java.io.IOException;
@@ -47,7 +47,7 @@ public interface SigstoreTrustedRoot {
   static SigstoreTrustedRoot from(InputStream json) throws SigstoreConfigurationException {
     var trustedRootBuilder = TrustedRoot.newBuilder();
     try (var reader = new InputStreamReader(json, StandardCharsets.UTF_8)) {
-      JsonFormat.parser().merge(reader, trustedRootBuilder);
+      ProtoJson.parser().merge(reader, trustedRootBuilder);
     } catch (IOException ex) {
       throw new SigstoreConfigurationException("Could not parse trusted root", ex);
     }
diff --git a/sigstore-java/src/test/java/dev/sigstore/timestamp/client/TimestampVerifierTest.java b/sigstore-java/src/test/java/dev/sigstore/timestamp/client/TimestampVerifierTest.java
@@ -21,7 +21,7 @@
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import com.google.common.io.Resources;
-import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.json.ProtoJson;
 import dev.sigstore.proto.trustroot.v1.TrustedRoot;
 import dev.sigstore.trustroot.SigstoreTrustedRoot;
 import java.io.IOException;
@@ -93,7 +93,7 @@ public static void initTrustRoot() throws Exception {
             Resources.getResource("dev/sigstore/trustroot/trusted_root.json"),
             StandardCharsets.UTF_8);
     var builder = TrustedRoot.newBuilder();
-    JsonFormat.parser().merge(json, builder);
+    ProtoJson.parser().merge(json, builder);
 
     trustedRoot = SigstoreTrustedRoot.from(builder.build());
 
@@ -102,7 +102,7 @@ public static void initTrustRoot() throws Exception {
             Resources.getResource("dev/sigstore/trustroot/trusted_root_with_outdated_tsa.json"),
             StandardCharsets.UTF_8);
     builder = TrustedRoot.newBuilder();
-    JsonFormat.parser().merge(json, builder);
+    ProtoJson.parser().merge(json, builder);
 
     trustedRootWithOutdatedTsa = SigstoreTrustedRoot.from(builder.build());
 
@@ -111,7 +111,7 @@ public static void initTrustRoot() throws Exception {
             Resources.getResource("dev/sigstore/trustroot/trusted_root_with_multiple_tsas.json"),
             StandardCharsets.UTF_8);
     builder = TrustedRoot.newBuilder();
-    JsonFormat.parser().merge(json, builder);
+    ProtoJson.parser().merge(json, builder);
 
     trustedRootWithMultipleTsas = SigstoreTrustedRoot.from(builder.build());
   }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+com.google.protobuf.util.JsonFormat#parser() @ Use dev.sigstore.json.ProtoJson#parser() instead`
Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,13 @@ jsonSchema2Pojo {`
`116`	`116`	`}`
`117`	`117`	`}`
`118`	`118`
	`119`	`+forbiddenApis {`
	`120`	`+ // Don't allow sigstore-java developers to directly call JsonFormat.parser(), use our wrapper instead`
	`121`	`+ // which allows for ignored fields.`
	`122`	`+ signaturesFiles = files("$rootDir/config/forbiddenApis.txt")`
	`123`	`+ suppressAnnotations = setOf("dev.sigstore.forbidden.SuppressForbidden")`
	`124`	`+}`
	`125`	`+`
`119`	`126`	`// TODO: keep until these code gen plugins explicitly declare dependencies`
`120`	`127`	`tasks.named("sourcesJar") {`
`121`	`128`	`dependsOn("generateJsonSchema2DataClassConfigRekor")`