From c7eead29e26111b567192920e0b6eff3b5139cc9 Mon Sep 17 00:00:00 2001 From: Pat Myron Date: Thu, 7 Jan 2021 21:05:31 -0800 Subject: [PATCH 1/4] catch common resource schema issues resource types with LIST API options like MaxResults, NextToken, Filters, etc as properties of the resource itself: https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-licensemanager/pull/3 https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-iotwireless/pull/3 https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-ssm/pull/75 readOnlyProperties overlapping with writeOnlyProperties or createOnlyProperties: https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-auditmanager/pull/2 https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-codeartifact/pull/38 --- .pylintrc | 2 +- setup.cfg | 2 +- src/rpdk/core/data_loaders.py | 40 +++++++++++++++++++++++------------ 3 files changed, 29 insertions(+), 15 deletions(-) diff --git a/.pylintrc b/.pylintrc index 6d5789e9..75a3f8cd 100644 --- a/.pylintrc +++ b/.pylintrc @@ -21,4 +21,4 @@ good-names=e,ex,f,fp,i,j,k,n,_ [FORMAT] indent-string=' ' -max-line-length=88 +max-line-length=160 diff --git a/setup.cfg b/setup.cfg index f157bce0..a33bff55 100644 --- a/setup.cfg +++ b/setup.cfg @@ -14,7 +14,7 @@ exclude = .eggs, .tox max-complexity = 10 -max-line-length = 80 +max-line-length = 160 select = C,E,F,W,B,B950 # C812, C815, W503 clash with black ignore = E501,C812,C816,C815,W503 diff --git a/src/rpdk/core/data_loaders.py b/src/rpdk/core/data_loaders.py index ab9b50bb..403327b8 100644 --- a/src/rpdk/core/data_loaders.py +++ b/src/rpdk/core/data_loaders.py @@ -123,13 +123,6 @@ def get_file_base_uri(file): return path.resolve().as_uri() -def _is_in(schema, key): - def contains(value): - return value in schema.get(key, []) - - return contains - - def load_resource_spec(resource_spec_file): # noqa: C901 """Load a resource provider definition from a file, and validate it.""" try: @@ -148,6 +141,29 @@ def load_resource_spec(resource_spec_file): # noqa: C901 LOG.debug("Resource spec validation failed", exc_info=True) raise SpecValidationError(str(e)) from e + if { + "maxresults", + "maxrecords", + "maxitems", + "nexttoken", + "nextmarker", + "nextpagetoken", + "pagetoken", + "paginationtoken", + } & set(map(str.lower, resource_spec.get("properties", []))): + LOG.warning( + "LIST API inputs like MaxResults, MaxRecords, MaxItems, NextToken, NextMarker, NextPageToken, PageToken, and Filters are not resource properties" + ) + + if set(resource_spec.get("readOnlyProperties", [])) & set( + resource_spec.get("createOnlyProperties", []) + ) or set(resource_spec.get("readOnlyProperties", [])) & set( + resource_spec.get("writeOnlyProperties", []) + ): + LOG.warning( + "readOnlyProperties cannot be specified by customers and should not overlap with writeOnlyProperties or createOnlyProperties" + ) + try: additional_properties_validator.validate(resource_spec) except ValidationError as e: @@ -158,13 +174,11 @@ def load_resource_spec(resource_spec_file): # noqa: C901 in it. Please fix the warnings: %s", str(e), ) - in_readonly = _is_in(resource_spec, "readOnlyProperties") - in_createonly = _is_in(resource_spec, "createOnlyProperties") - - primary_ids = resource_spec["primaryIdentifier"] - for primary_id in primary_ids: - if not in_readonly(primary_id) and not in_createonly(primary_id): + for primary_id in resource_spec["primaryIdentifier"]: + if primary_id not in resource_spec.get( + "readOnlyProperties", [] + ) and primary_id not in resource_spec.get("createOnlyProperties", []): LOG.warning( "Property 'primaryIdentifier' - %s must be specified \ as either readOnly or createOnly", From 32c9c0af63d1820acf4be224b2cc3d36304601df Mon Sep 17 00:00:00 2001 From: Pat Myron Date: Wed, 13 Jan 2021 18:23:30 -0800 Subject: [PATCH 2/4] test resource schemas with common issue warnings --- .../invalid_list_api_options_as_properties.json | 14 ++++++++++++++ .../invalid_readOnlyProperties_overlap.json | 17 +++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 tests/data/schema/valid/invalid_list_api_options_as_properties.json create mode 100644 tests/data/schema/valid/invalid_readOnlyProperties_overlap.json diff --git a/tests/data/schema/valid/invalid_list_api_options_as_properties.json b/tests/data/schema/valid/invalid_list_api_options_as_properties.json new file mode 100644 index 00000000..106cc9e0 --- /dev/null +++ b/tests/data/schema/valid/invalid_list_api_options_as_properties.json @@ -0,0 +1,14 @@ +{ + "typeName" : "AWS::Service::Type", + "description" : "", + "additionalProperties" : false, + "properties" : { + "NextToken" : { + "type" : "string" + } + }, + "readOnlyProperties": [ + "/properties/NextToken" + ], + "primaryIdentifier" : [ "/properties/NextToken" ] +} diff --git a/tests/data/schema/valid/invalid_readOnlyProperties_overlap.json b/tests/data/schema/valid/invalid_readOnlyProperties_overlap.json new file mode 100644 index 00000000..f05fb337 --- /dev/null +++ b/tests/data/schema/valid/invalid_readOnlyProperties_overlap.json @@ -0,0 +1,17 @@ +{ + "typeName" : "AWS::Service::Type", + "description" : "", + "additionalProperties" : false, + "properties" : { + "Property" : { + "type" : "string" + } + }, + "readOnlyProperties": [ + "/properties/Property" + ], + "createOnlyProperties": [ + "/properties/Property" + ], + "primaryIdentifier" : [ "/properties/Property" ] +} From 893bd03fd29bc7d9a750cbb84faf7fe945ca3115 Mon Sep 17 00:00:00 2001 From: Pat Myron Date: Sat, 16 Jan 2021 20:05:37 -0800 Subject: [PATCH 3/4] no wildcards in handler permissions https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-greengrassv2/pull/4 https://github.com/aws-cloudformation/aws-cloudformation-resource-providers-imagebuilder/commit/55fa9bfa47406e29def2bf1812fbce8cc7c17b8b#r46035310 --- src/rpdk/core/data_loaders.py | 10 ++++++++- .../invalid_wildcard_handler_permissions.json | 21 +++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 tests/data/schema/valid/invalid_wildcard_handler_permissions.json diff --git a/src/rpdk/core/data_loaders.py b/src/rpdk/core/data_loaders.py index 403327b8..03bcb97b 100644 --- a/src/rpdk/core/data_loaders.py +++ b/src/rpdk/core/data_loaders.py @@ -123,7 +123,7 @@ def get_file_base_uri(file): return path.resolve().as_uri() -def load_resource_spec(resource_spec_file): # noqa: C901 +def load_resource_spec(resource_spec_file): # pylint: disable=R0912 # noqa: C901 """Load a resource provider definition from a file, and validate it.""" try: resource_spec = json.load(resource_spec_file) @@ -164,6 +164,14 @@ def load_resource_spec(resource_spec_file): # noqa: C901 "readOnlyProperties cannot be specified by customers and should not overlap with writeOnlyProperties or createOnlyProperties" ) + for handler in resource_spec.get("handlers", []): + for permission in resource_spec.get("handlers", [])[handler]["permissions"]: + if "*" in permission: + LOG.warning( + "Use specific handler permissions instead of using wildcards: %s", + permission, + ) + try: additional_properties_validator.validate(resource_spec) except ValidationError as e: diff --git a/tests/data/schema/valid/invalid_wildcard_handler_permissions.json b/tests/data/schema/valid/invalid_wildcard_handler_permissions.json new file mode 100644 index 00000000..7890b045 --- /dev/null +++ b/tests/data/schema/valid/invalid_wildcard_handler_permissions.json @@ -0,0 +1,21 @@ +{ + "typeName" : "AWS::Service::Type", + "description" : "", + "additionalProperties" : false, + "properties" : { + "Property" : { + "type" : "string" + } + }, + "readOnlyProperties": [ + "/properties/Property" + ], + "primaryIdentifier" : [ "/properties/Property" ], + "handlers": { + "create": { + "permissions": [ + "service:create*" + ] + } + } +} From 921b60bfe7f427b02acbeee5e8b1e0de41839b4f Mon Sep 17 00:00:00 2001 From: Pat Myron Date: Tue, 19 Jan 2021 17:37:17 -0800 Subject: [PATCH 4/4] adding context for LIST API options warnings --- src/rpdk/core/data_loaders.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/rpdk/core/data_loaders.py b/src/rpdk/core/data_loaders.py index 03bcb97b..eb7c63e3 100644 --- a/src/rpdk/core/data_loaders.py +++ b/src/rpdk/core/data_loaders.py @@ -141,7 +141,7 @@ def load_resource_spec(resource_spec_file): # pylint: disable=R0912 # noqa: C90 LOG.debug("Resource spec validation failed", exc_info=True) raise SpecValidationError(str(e)) from e - if { + list_options = { "maxresults", "maxrecords", "maxitems", @@ -150,9 +150,12 @@ def load_resource_spec(resource_spec_file): # pylint: disable=R0912 # noqa: C90 "nextpagetoken", "pagetoken", "paginationtoken", - } & set(map(str.lower, resource_spec.get("properties", []))): + } & set(map(str.lower, resource_spec.get("properties", []))) + if list_options: LOG.warning( - "LIST API inputs like MaxResults, MaxRecords, MaxItems, NextToken, NextMarker, NextPageToken, PageToken, and Filters are not resource properties" + "LIST API inputs like MaxResults, MaxRecords, MaxItems, NextToken, NextMarker, NextPageToken, PageToken, and Filters are not resource properties. \ +%s should not be present in resource schema", + list_options, ) if set(resource_spec.get("readOnlyProperties", [])) & set(