Support different levels validation for JSON reader stream

[xiekeyang]

As previous discussion among developers, to use selectable strict mode, for validating media type of referenced objects. After enabling strict media types unmatched to OCI will be expected failure.

• each object media type in manifest and manifest list should be validated.
• add unit test cases for un/strict mode, with expected result.
• image-tool repo should introduce the new flag if this PR be landed.
• rename previous functions from xxDescendants to xxMediaType, because functions validate all objects media type, not only descendants.

Signed-off-by: xiekeyang xiekeyang@huawei.com

[wking]

In #403 I avoided repeating this string by setting up the error (once) and then either warning about it or returning it depending on strict.

[xiekeyang]

Updated in
6934d41
3da0cd8
a2d0b36

I code it as,

  msg := fmt.Sprintf(...)
  if strict {
          return fmt.Errorf("error: %s", msg)
  }   
  fmt.Printf("warning: %s\n", msg)

I honestly like fmt.Sprintf to generate message, because it may be error or warning type.
fmt.Errorf and fmt.Printf can distinguish returning or omitting behavior.

[wking]

There's a reasonable amount of overlap between this PR and #403, but I'm happy to rebase #403 if this one lands first.

[xiekeyang]

There's a reasonable amount of overlap between this PR and #403, but
I'm happy to rebase #403 if this one lands first.

Ah they have really some overlap. We should resolve the conflict if one landed.

[wking]

I'm fine with the “warning: ” prefix you have below, but I don't think you need an “error: ” prefix for the error string. You know it's an error because its Go type is error, having “error” in the string payload is redundant. If you want to display these to users with an error prefix (which is fine with me), then prefix the error with “error: ” when you print it to stderr (or wherever). But don't add the prefix here.

[xiekeyang]

Agree with you and fix in 25825f3 7b13896 and 4daf4f7

I have hesitated to this, and then comply that we are usual to wrap error message(body). Actually I like error messages to be concise.

[wking]

You can do the same Sprintf (or whatever) unification here.

[xiekeyang]

Yeah, it is a nit, fix in 25825f3#diff-4a672c41642ea30ebf88bb87685cf72aR119

[wking]

This looks like it will conflict with your in-flight #444 (also adding a schema/manifestlist_test.go from scratch).

[xiekeyang]

Right. I would resolve the conflict after any PR landed firstly.
The test cases in these PRs are for different purpose.

[wking]

I haven't looked into #444 again, but I think manifestlist_test.go needs a success test with OCI-defined mediaTypes for both the root mediaType and the manifests[0].mediaType.

[xiekeyang]

@stevvooe @vbatts
This PR is adding strict mode for schema media type, as maintainers suggestion. I think it is ready, PTAL, thanks.

[philips]

Overall OK but needs docs and removal of random printing.

[philips]

can you please describe what strict does?

[xiekeyang]

I add doc in d9b5499#diff-4a672c41642ea30ebf88bb87685cf72aR49. PTAL.

[philips]

erm, I don't think this package should just randomly printf stuff

[xiekeyang]

@philips , here I keep previous non-strict behavior(warning) unchanged. And I think it seems had better to warn customer his media-type is not OCI format, even be accepted.
Or do you have some proposal for this?

[wking]

I think we should stick to printing warnings for this PR.

In follow-up work we can add a validation argument which can hold a test-harness handle (e.g. a more generic form of the harness *tap.T I mocked up in opencontainers/image-tools@4f0b3c1b). Then these test functions can register errors and warnings without worrying about how the results are being collected or displayed. But we don't need to bite all of that off in one chunk ;).

[wking]

I think better docs for strict are “require the validated object to only contain content which the OCI defines (or references) in the spec”. More notes on assorted shades of validation strictness in opencontainers/image-tools#66.

[xiekeyang]

@wking I think your words may be good as help message for customer, but I really want to present the design purpose here, as my words.

[wking]

What design purpose are my words missing? This comment is going to be in user-facing godocs, so I think we need to cover both audiences.

[xiekeyang]

fixed in b68d692#diff-4a672c41642ea30ebf88bb87685cf72aR50

[wking]

This fails now (since #404), because your example is not a manifest list. I think you want to update this mediaType to application/vnd.oci.image.manifest.list.v1+json, but you should be able to leave the rest of this particular JSON blob alone.

[wking]

This will fail regardless of strict (since #404). I'm fine leaving a test for that in place (with fail: true), but the test should use strict: false to show that the failure is due to you not passing a manifest-list, and not due to particular validation strictness.

[xiekeyang]

@opencontainers/image-spec-maintainers @wking ,
Now validation rule for JSON object is that the root object media-type MUST be OCI format, or will be reject.
But we allow the referenced objects, like manifest in manifest-list, config in manifest, to be not OCI format(non-strict mode).
If we really want that? I remember we had discussed this(#404 (comment)), but I still not fully understand why. WDYT?
I would fix this patch after agreement achieved.

[xiekeyang]

@opencontainers/image-spec-maintainers @wking
I fix the patch, in accordance with #404.

• Only valid referenced object;
• Unit test only for referenced object;

PTAL

[wking]

This is currently illegal (although possibly not validated). See #407, which is trying to make it legal. For the purpose of this test, you should use the usual strictly-valid dummy layer from the other tests.

[xiekeyang]

@wking , but current schema really allows empty layer slice(I've debug it). I think spec also allow empty. I honest dislike to avoid unclear of undetermined stuff in specific patch.
To add more test case for optional layers is another story(IMO).

[wking]

On Thu, Nov 17, 2016 at 06:00:35PM -0800, xiekeyang wrote:

… but current schema really allows empty layer slice (I've debug it). I think spec also allow empty…

I don't think the spec allows empty layers, based on:

The array MUST have the base image at index 0.

#407, and #318 before it, are attempting to lift that restriction. But I agree that you don't want to get involved in that discussion in this PR. By using the usual single-entry layers array here, you would avoid getting involved.

[xiekeyang]

@wking You are right. Excuse me to misunderstood the previous discussion. I fix it in a183979#diff-6493def706b32045f8d30e7a4b860c46R158.
What you mentioned seems a bug, which I would fix following up.

[wking]

It seems like we should be able to validate spec examples strictly.

[xiekeyang]

Yes, you are right. This test is for spec validation, which MUST be strict OCI format coincidence. false will lead this test case loss effectiveness. fix in b68d692#diff-5b73117945d63fe6253dccb9c210d74fR76.

[wking]

The diff from both b68d692 and a183979 looks fine to me, although I think we might want to squash the commits together. As it stands running the test suite on just b68d692 raises: $ make test go test -race -cover github.com/opencontainers/image-spec/schema github.com/opencontainers/image-spec/specs-go github.com/opencontainers/image-spec/specs-go/v1 # github.com/opencontainers/image-spec/schema_test schema/manifest_test.go:118: not enough arguments in call to schema.MediaTypeManifest.Validate FAIL github.com/opencontainers/image-spec/schema [build failed] …

[xiekeyang]

squashed in 833391c

[wking]

833391c looks good to me :).

[stevvooe]

How can we define a validation framework that can support different levels of validation? This PR sub-divides the validation space into media types and not media types. This creates the problem that we now have to define what belongs in strict and what doesn't.

Wouldn't it make sense if we have options to control the suites of validation? For example, to get the "strict" behavior, one might configure this as:

Validate(r, ValidateFields, ValidateMediaTypes)

We could also have explicit sets of validation that meet certain support-levels:

var ValidateV1Strict []Validator{ValidateFields, ValidateMediaTypes}

Validate(r, ValidateV2Strict...)

Without a definition of what "strict" means, we'll be in the position that this will be under definition of the implementation, where if we are clear what is being validated, we can assure users they are in line with the specification.

[wking]

On Mon, Nov 21, 2016 at 01:24:03PM -0800, Stephen Day wrote:

This creates the problem that we now have to define what belongs in
strict and what doesn't.

There's a definition here 1. I think we can tighten that defintion
up (maybe on the heels of #432?), but the wording in 1 seems like a
reasonable start (and we can update it if we think of better wording
before #432 gives us somewhere to put formal definitions).

Wouldn't it make sense if we have options to control the suites of validation?…

Validate(r, ValidateFields, ValidateMediaTypes)

I'm fine with this sort of breakdown, but if we want to support it I
think we're want to supply functions:

• Validate (everything)
• ValidateFields (only validate the fields)
• ValidateMediaTypes (only validate the referenced media types)

And it seems orthogonal to how strictly we do each of those
validations. E.g. you can have “uses a field that's not defined in
the spec” passing a relaxed validation (it's legal 2) but failing
strict validation (the extension field doesn't have OCI-defined
semantics). Or you can have “uses a layer media type that's not
defined in the spec” passing relaxed validation (it's legal 3) but
failing strict validation (an application/zip layer doesn't have
OCI-defined semantics).

[stevvooe]

@wking Please let the submitter respond to code review comments.

Again, you linked me to something without any context and I have no clue what you mean.

[xiekeyang]

@stevvooe I mostly understand and agree your expectation. Let me refactor the PR and re-submit sooner.

[xiekeyang]

@stevvooe
With current PR, image tool usage will be like,

$ oci-valid-tool --strict=false customized-manifest.json
Warn: referenced config has an unknown media type: application/vnd.oci.customized.config.v1+json
OK!

$ oci-valid-tool --strict=true customized-manifest.json
Error: referenced config has an unknown media type: application/vnd.oci.customized.config.v1+json
Failed!

Customized json is failed under strict mode, and prompt warning non-strict mode.

I think your proposal want tool to be more flexible, like,

$ oci-valid-tool --level [fields] customized-manifest.json
OK!

$ oci-valid-tool --level [fields,ref-media] customized-manifest.json
Failed!

And you want to involve all possible objects(in future) to level array, right?

However, I still have a question. You said,

This creates the problem that we now have to define what belongs in strict and what doesn't.

Actually I think belongs in strict means all of customized fields image spec mentioned. I assume(not sure) consumer just want to check all customized fields totally, by one strict flag. Do you think consumer really want to set series fields in level flag? If it is some complex to consumer?

[xiekeyang]

I refactor patch according to @stevvooe proposal of level usage and function interface. It is done in https://github.com/xiekeyang/image-spec/blob/6b47a182a3b6499df2bead20016d6e4eec7fdb4e/schema/validator.go.

• To provide validating function array for different level objects.
• To support schema and referenced media type validation.
• To allow image tools or consumer to select different validation levels for specific require.
• To add unit test cases for new interface.
  cc @stevvooe @philips @vbatts PTAL.

[xiekeyang]

@stevvooe @philips If the latest commit of 21ef4e8 and d898abe OK? PTAL, thanks a lot!

[wking]

This approach loses the strict distinction you had before. I don't see a way to invoke this to error out when a media type is truly invalid (i.e. not compliant with RFC 6838, #448) vs. not necessarily supported by an OCI-compliant implementation (e.g. a non-OCI type). I think we need to restore the strict option you had before so we can make distinctions like that (more on strictness in opencontainers/image-tools#66).

[xiekeyang]

@wking
After former proposal from @stevvooe, I think we have made agreement. Current commit follows up the proposal thought, to use function slice. Consumer can select objects(fields, media type...) at will.

I don't see a way to invoke this to error out when a media type is truly invalid (i.e. not compliant with RFC 6838, #448) vs. not necessarily supported by an OCI-compliant implementation (e.g. a non-OCI type).

Under truly invalid case, JSON schema prompts error.
Under non-OCI type, validator will prompt error only if ref-type(here is media type) function is selected. Or it is validated successfully.
Honestly I'm not very willing roll back the former strict framework, which has been rejected. And we had better to wait @stevvooe's feedback.
cc @stevvooe WDYT?

[wking]

Under truly invalid case, JSON schema prompts error.

This is not always true. For example, the hostname / UTS-namespace requirement (a case of the general namespace no-tweaking requirement) is not covered by the JSON Schema.

Honestly I'm not very willing roll back the former strict framework, which has been rejected. And we had better to wait @stevvooe's feedback.

Yeah, better to not change anything until we know what the maintainers are looking for.

[wking]

And to give a JSON Schema limitation for this spec, we don't currently check to see that descriptors don't use the reserved data. And I'm not sure how you'd phrase that in JSON Schema since we have to allow other unrecognized properties.

[xiekeyang]

And to give a JSON Schema limitation for this spec, we don't currently check to see that descriptors don't use the reserved data. And I'm not sure how you'd phrase that in JSON Schema since we have to allow other unrecognized properties.

It didn't, and I don't think it belongs to this patch.

[wking]

I don't think it belongs to this patch.

I agree that we don't want to cover the reserved data as part of this PR. This PR is about two things:

• Broadly, setting a precedent for handling verification for behaviour which images MAY use but which implementations MUST support.
• Narrowly, adding optional validation for per-location media types, which are a special case of the broader issue.

So while I have no desire to expand the narrow target, I want to try and solve it in a way that will cover the broader issue. I think the strict option sets a precedent which will scale well as we extend it to other spec statements.

I'm less clear on how the “pass in an array of validator functions” will scale. It seems like it might end up with a separate validator for each spec statement? Or maybe we'll end up with a ValidateOnlyContainsOCIRequiredSettings validator? Or…? It's not clear to me how we're expected to apply this approach to future spec statements.

[xiekeyang]

@stevvooe If current patch looks as what you want?

[vbatts]

This SGTM. Though @stevvooe recommends this needs a technical proposal on how this kind of feature ties to the requirements of compliance and certification

[stevvooe]

@vbatts We can go forward with this approach until we have better requirements.

[xiekeyang]

@vbatts @stevvooe got it. I'd go on finishing this pr.

[xiekeyang]

@stevvooe I think you agree the current implementation of pr, to present selectable media validating function, which is controlled by function-map. In future we can add more val function for another objects if necessary. Is that right?

[xiekeyang]

@stevvooe I'm considering to use interface for Validator functions, but not figure out yet.

[vbatts]

Is this needing to block a vote for RC5?

[xiekeyang]

According to milestone, it is blocking RC5. If @stevvooe @wking @philips accept its map framework for validation, I can finish update in 2 or 3 days. Or for any other proposal, please put up freely, and I would take more analysis. Thanks a lot!

[xiekeyang]

Or we can consider to move this milestone to next release.

[xiekeyang]

@opencontainers/image-spec-maintainers I update this, to keep functional map, and add a bug fix commit. PTAL.

[wking]

I'm in favor of adding a title, but “Image Layout” is the whole structure, not just the oci-layout file. Can we follow the section headers and call this “oci-layout file” or some such?

What is valid=enabling about?

I don't think we want to invent a one-off media type here. If we want a media type for this file format (e.g. for example validation), I think we should declare a media type for the schema like we do with our other schemas (e.g. here and here for manifests).

[xiekeyang]

Sorry, valid=enabling is a redundant debugging item, should be removed.

[xiekeyang]

I extract this and put it on #579.

[wking]

I think we still want to validate this example as an index even if it doesn't occur in image-index.md. And titles seem like they'd always be a good idea. Why are you removing this?

[xiekeyang]

I remove this title as not to valid it. I understand that you want to valid it.
But I think spec_test.go should only valid those who are announced only in itself *.md. So I remove it, for it is just a reference. It is IMO, to be not sure.

[wking]

vlidateRefMediaMap → validateRefMediaMap.

[wking]

If we expect to be applying a series of these to validate a single blob, using an io.Reader seems wasteful. Is there some Go type magic we can use to pass a parsed JSON object through to the validator to let us only deserialize the JSON once?

[xiekeyang]

I didn't find out the better way yet. At the same time, I still think it had better to input io reader stream to. ValidateRefFuncs are public functions. Consumer should be allowed called them directly. Here we provide io reader to customer, who can use them freely, and it allows expend their job in future.

[wking]

ValidateRefFuncs are public functions.

That doesn't really matter. We could always provide io.Reader and parsed-JSON flavored versions if we figure out how to write a function that takes an already-parsed-from-JSON object.

[wking]

I don't see anything about “the schema” or “OCI format defined in the spec” in your current implementation (3ad5d1b). This function is just “read r into memory and call all of funcList on the content, dying on the first error”.

[wking]

No need to bother with this, since you're only calling a single f. Just pass your reader along:

if ok {
  if f == nil {
    …
  }
  return f(r)
}

[xiekeyang]

Yes, this should be fixed.

[wking]

I think we should be raising the same unimplemented error here as you currently have for f == nil. How about:

f, ok := vlidateRefMediaMap[v]
if ok && f != nil {
    return f(r)
}
return fmt.Errorf("referenced media type validation %q unimplemented", v)

[xiekeyang]

I'm hard to agree for this. Some validations such as descriptor, layout doesn't exist in function map, which make no sense. They should be ignore, but not prompt error.

[wking]

Some validations such as descriptor, layout doesn't exist in function map, which make no sense.

We can validate descriptors against the JSON Schema. And if you want JSON Schema validation handled elsewhere, we can define a no-op validator for types where we know there are no children. But I think silently ignoring validating for all types that have no validator registered is setting ourselves up for “oops, that wasn't valid, but we forgot to add a validator for $TYPE”.

[xiekeyang]

@stevvooe The stuff under discussion is that the argument variable for ValidRefFuncs should be io.Reader type or json type. I prefer to reader. WDYT?
cc @opencontainers/image-spec-maintainers

[xiekeyang]

I'm so regretful that I've make big effort on this, but it can't attract maintainers attention. Although I still think it really bring benefit according to pre discussion, I've to close it.