-
Notifications
You must be signed in to change notification settings - Fork 163
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
catch common resource schema issues in cfn validate #675
Conversation
8955e66
to
b9deeb5
Compare
@@ -1,6 +1,7 @@ | |||
import json | |||
import logging | |||
import os | |||
import re |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like this type of testing. Get rid of some of the java patterns would be helpful. My question is the python re the one we want to standardize on? For instance ^[\d\w-_.+]*$
is technically valid but in python it needs to be ^[\d\w\-_.+]*$
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally, resource schema patterns should be valid and equivalent in both Python and Java (and more)
JSON schema itself recommends sticking to a minimal subset of regular expression syntax. Let's encourage the same
Just emitting warnings for patterns not valid in Python seems like a good start in that direction:
23 Could not validate regular expression: ^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$
6 Could not validate regular expression: ^[a-zA-Z0-9_\-\+\./\(\)\$\p{Zs}]+$
4 Could not validate regular expression: ^[a-zA-Z0-9-]+{1,255}$
3 Could not validate regular expression: ^([\p{L}\p{Z}\p{N}_.:=+\/\-@%]*)$
3 Could not validate regular expression: [\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF ]*
2 Could not validate regular expression: ^[\/]+([^~]*(~[01])*)*{1,512}$
2 Could not validate regular expression: ^((?!aws:)[\p{L}\p{Z}\p{N}_.:/=+\-@]*)$
2 Could not validate regular expression: [\p{L}\p{M}\p{Z}\p{S}\p{N}\p{P}]*
1 Could not validate regular expression: ^[a-zA-Z0-9_\-\+\./\(\)\p{Zs}]*$
1 Could not validate regular expression: ^[a-zA-Z0-9\s-_()\[\]]+$
1 Could not validate regular expression: ^[a-zA-Z-0-9-:\/]*{1,1000}$
1 Could not validate regular expression: ^[a-zA-Z-0-9-:\/.]*{1,1000}$
1 Could not validate regular expression: ^[\p{L}\p{Z}\p{N}_.:\/=+\-@%]*$
1 Could not validate regular expression: ^[\p{L}\p{Z}\p{N}_.:/=+\-@]*$|resource-groups:Name
1 Could not validate regular expression: ^[A-Za-z0-9._\-:\/#\+]+{1,255}$
1 Could not validate regular expression: ^(?!aws:.*)([\p{L}\p{Z}\p{N}_.:=+\/\-@%]*)$
1 Could not validate regular expression: ^(?!aws:)[\p{L}\p{Z}\p{N}_.:\/=+\-@%]*$
1 Could not validate regular expression: [^_\p{Z}][\p{L}\p{M}\p{S}\p{N}\p{P}][^_\p{Z}]+
1 Could not validate regular expression: [\p{L}\p{Z}\p{N}_.:\/=+\-@]+
1 Could not validate regular expression: [\p{L}\p{Z}\p{N}_.:\/=+\-@\[\]\{\}\$\\"]*
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
JSON schema itself recommends sticking to a minimal subset of regular expression syntax. Let's encourage the same
Agreed completely here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Golang has some interesting regex limitations even within that minimal subset:
hashicorp/terraform-provider-awscc#88
golang/go#7252
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would advise trying to use the schema flattener to check any nested object's properties. The flattener will place all nested schemas in the schema_map for use. iterating over these as well as the top level definitions and properties should allow you to definitively check all objects
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, I suggest adding a test case with a large schema file with a lot of nested properties.
ran |
…on#675) * catching non-ASCII characters * hardcoded patterns/enums * lowercase properties * incorrect min/max constraints * invalid patterns
…on#675) * catching non-ASCII characters * hardcoded patterns/enums * lowercase properties * incorrect min/max constraints * invalid patterns
continuing #663, #668
fixes #395, #459, #414
how to run new validations on all existing resource provider schemas
arn:aws:
should instead be something likearn:aws[-a-z]*:
)