Added optional parameter strict

victormlg · victormlg · commit bf81cd04ea7f · 2025-03-12T17:21:12.000+01:00
Changelog: Added an optional parameter strict for validjson and validdata policy functions. This makes the functions evaluate to false on json primitives. Ticket: CFE-4163 Signed-off-by: Victor Moene <victor.moene@northern.tech>
diff --git a/examples/validdata.cf b/examples/validdata.cf
@@ -3,17 +3,24 @@ bundle agent main
 {
   vars:
     "json_string" string => '{"test": [1, 2, 3]}';
-
+    "primitive" string => "\"hello\"";
+    
   reports:
     "This JSON string is valid!"
       if => validdata("$(json_string)", "JSON");
     "This JSON string is not valid."
       unless => validdata("$(json_string)", "JSON");
+
+    "This JSON string is valid! (strict)"
+      if => validdata("$(primitive)", "JSON", "true");
+    "This JSON string is not valid. (strict)"
+      unless => validdata("$(primitive)", "JSON", "true");
 }
 #+end_src
 ###############################################################################
 #+begin_src example_output
 #@ ```
 #@ R: This JSON string is valid!
+#@ R: This JSON string is not valid. (strict)
 #@ ```
 #+end_src
diff --git a/examples/validjson.cf b/examples/validjson.cf
@@ -3,17 +3,25 @@ bundle agent main
 {
   vars:
     "json_string" string => '{"test": [1, 2, 3]}';
+    "primitive" string => "\"hello\"";
 
   reports:
     "This JSON string is valid!"
       if => validjson("$(json_string)");
     "This JSON string is not valid."
       unless => validjson("$(json_string)");
+
+    "This JSON string is valid! (strict)"
+      if => validjson("$(primitive)", "true");
+    "This JSON string is not valid. (strict)"
+      unless => validjson("$(primitive)", "true");
 }
+
 #+end_src
 ###############################################################################
 #+begin_src example_output
 #@ ```
 #@ R: This JSON string is valid!
+#@ R: This JSON string is not valid. (strict)
 #@ ```
 #+end_src
diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c
@@ -7208,7 +7208,8 @@ static FnCallResult FnCallReadJson(ARG_UNUSED EvalContext *ctx,
 
 static FnCallResult ValidateDataGeneric(const char *const fname,
                                         const char *data,
-                                        const DataFileType requested_mode)
+                                        const DataFileType requested_mode,
+                                        bool strict)
 {
     assert(data != NULL);
     if (requested_mode != DATAFILETYPE_JSON)
@@ -7226,7 +7227,13 @@ static FnCallResult ValidateDataGeneric(const char *const fname,
         Log(LOG_LEVEL_VERBOSE, "%s: %s", fname, JsonParseErrorToString(err));
     }
 
-    FnCallResult ret = FnReturnContext(json != NULL);
+    bool isvalid = json != NULL;
+    if (strict)
+    {
+        isvalid = isvalid && JsonGetElementType(json) != JSON_ELEMENT_TYPE_PRIMITIVE;
+    }
+    
+    FnCallResult ret = FnReturnContext(isvalid);
     JsonDestroy(json);
     return ret;
 }
@@ -7242,12 +7249,17 @@ static FnCallResult FnCallValidData(ARG_UNUSED EvalContext *ctx,
         Log(LOG_LEVEL_ERR, "Function '%s' requires two arguments", fp->name);
         return FnFailure();
     }
+    bool strict = false;
+    if (args->next != NULL)
+    {
+        strict = BooleanFromString(RlistScalarValue(args->next));
+    }
 
     const char *data = RlistScalarValue(args);
     const char *const mode_string = RlistScalarValue(args->next);
     DataFileType requested_mode = GetDataFileTypeFromString(mode_string);
 
-    return ValidateDataGeneric(fp->name, data, requested_mode);
+    return ValidateDataGeneric(fp->name, data, requested_mode, strict);
 }
 
 static FnCallResult FnCallValidJson(ARG_UNUSED EvalContext *ctx,
@@ -7261,9 +7273,14 @@ static FnCallResult FnCallValidJson(ARG_UNUSED EvalContext *ctx,
         Log(LOG_LEVEL_ERR, "Function '%s' requires one argument", fp->name);
         return FnFailure();
     }
+    bool strict = false;
+    if (args->next != NULL)
+    {
+        strict = BooleanFromString(RlistScalarValue(args->next));
+    }
 
     const char *data = RlistScalarValue(args);
-    return ValidateDataGeneric(fp->name, data, DATAFILETYPE_JSON);
+    return ValidateDataGeneric(fp->name, data, DATAFILETYPE_JSON, strict);
 }
 
 static FnCallResult FnCallReadModuleProtocol(
@@ -9885,6 +9902,7 @@ static const FnCallArg READFILE_ARGS[] =
 static const FnCallArg VALIDDATATYPE_ARGS[] =
 {
     {CF_ANYSTRING, CF_DATA_TYPE_STRING, "String to validate as JSON"},
+    {CF_BOOL, CF_DATA_TYPE_OPTION, "Enable more strict validation, requiring the result to be a valid data container, matching the requirements of parsejson()."},
     {NULL, CF_DATA_TYPE_NONE, NULL}
 };
 
@@ -9941,6 +9959,7 @@ static const FnCallArg VALIDDATA_ARGS[] =
 {
     {CF_ANYSTRING, CF_DATA_TYPE_STRING, "String to validate as JSON"},
     {"JSON", CF_DATA_TYPE_OPTION, "Type of data to validate"},
+    {CF_BOOL, CF_DATA_TYPE_OPTION, "Enable more strict validation, requiring the result to be a valid data container, matching the requirements of parsejson()."},
     {NULL, CF_DATA_TYPE_NONE, NULL}
 };
 
@@ -10691,7 +10710,7 @@ const FnCallType CF_FNCALL_TYPES[] =
     FnCallTypeNew("userexists", CF_DATA_TYPE_CONTEXT, USEREXISTS_ARGS, &FnCallUserExists, "True if user name or numerical id exists on this host",
                   FNCALL_OPTION_NONE, FNCALL_CATEGORY_SYSTEM, SYNTAX_STATUS_NORMAL),
     FnCallTypeNew("validdata", CF_DATA_TYPE_CONTEXT, VALIDDATA_ARGS, &FnCallValidData, "Check for errors in JSON or YAML data",
-                  FNCALL_OPTION_NONE, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),
+                  FNCALL_OPTION_VARARG, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),
     FnCallTypeNew("validjson", CF_DATA_TYPE_CONTEXT, VALIDDATATYPE_ARGS, &FnCallValidJson, "Check for errors in JSON data",
                   FNCALL_OPTION_VARARG, FNCALL_CATEGORY_DATA, SYNTAX_STATUS_NORMAL),
     FnCallTypeNew("variablesmatching", CF_DATA_TYPE_STRING_LIST, CLASSMATCH_ARGS, &FnCallVariablesMatching, "List the variables matching regex arg1 and tag regexes arg2,arg3,...",
diff --git a/tests/acceptance/01_vars/02_functions/validjson_strict.cf b/tests/acceptance/01_vars/02_functions/validjson_strict.cf
@@ -0,0 +1,64 @@
+body common control 
+{
+  inputs => { "../../default.cf.sub" };
+  bundlesequence => { test, check };
+  version => "1.0";
+}
+
+bundle agent test 
+{
+  meta:
+    "description" -> { "CFE-4163" }
+      string => "Test policy strict parameter of validjson and validdata";
+}
+
+bundle agent check
+{
+  vars:
+    "json" string => readfile("$(this.promise_dirname)/validdata.cf.json", inf);
+    "invjson" string => readfile("$(this.promise_dirname)/validdata.cf.inv.json", inf);
+    "mystring" string => "\"foo\"";
+    "mynumber" string => "3.14";
+    "mybool" string => "true";
+    "mynull" string => "null";
+
+  classes:
+    "isvalid_json"
+      expression => validjson("$(json)", "false");
+    "isinvalid_json"
+      expression => not(validjson("$(invjson)", "false"));
+    "isvalid_string_primitive"
+      expression => validjson("$(mystring)", "false");
+    "isvalid_number_primitive_strict"
+      expression => validjson("$(mynumber)", "false");
+    "isvalid_bool_primitive"
+      expression => validjson("$(mybool)", "false");
+    "isvalid_null_primitive"
+      expression => validjson("$(mynull)", "false");
+
+    "invalid_json_strict"
+      expression => validjson("$(json)", "true");
+    "isinvalid_json_strict"
+      expression => not(validjson("$(invjson)", "true"));
+    "isinvalid_string_primitive_strict"
+      expression => not(validjson("$(mystring)", "true"));
+    "isinvalid_number_primitive_strict"
+      expression => not(validjson("$(mynumber)", "true"));
+    "isinvalid_bool_primitive_strict"
+      expression => not(validjson("$(mybool)", "true"));
+    "isinvalid_null_primitive_strict"
+      expression => not(validjson("$(mynull)", "true"));
+
+    "ok"
+      and => { "isvalid_json", "isvalid_string_primitive", "isvalid_number_primitive_strict", "isvalid_bool_primitive",
+       "isvalid_null_primitive", "invalid_json_strict", "isinvalid_string_primitive_strict",
+      "isinvalid_number_primitive_strict", "isinvalid_bool_primitive_strict", "isinvalid_null_primitive_strict",
+      "isinvalid_json", "isinvalid_json_strict" };
+
+
+  reports:
+    ok::
+      "$(this.promise_filename) Pass";
+    !ok::
+      "$(this.promise_filename) FAIL";
+}
