implement schema validation for vendoring and CLI schemas (#1147)

* Update atmos schema init

* updated schema

* refactor schema name

* fixed test case

* processSchemas updated

* fix golangci lint

* fix the downloadSchemaFromURL lint

* lint fix validate stacks

* lint fix

* fixed lints

* fix lint

* fix lint

* fix lint

* fixed the processCommandLineArgs lint

* fix lint

* fix lint

* Update internal/exec/validate_stacks.go

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

* Update pkg/config/utils.go

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

* Update pkg/config/utils.go

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

* Update pkg/config/utils.go

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

* Update pkg/config/utils.go

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

* Update pkg/config/utils.go

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

* Update pkg/config/utils.go

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

* Update pkg/config/utils.go

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

* fix tests

* fixed log messages

* add new interface based downloader package

* update the usage and remove old gogetter usage

* [autofix.ci] apply automated fixes

* add unit test cases

* [autofix.ci] apply automated fixes

* fix golangci lint

* fix golangci-lint

* fixed logging

* fix vendor test case

* [autofix.ci] apply automated fixes

* added unit test cases to have more coverage

* Update pkg/downloader/custom_github_detector.go

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>

* fix test

* [autofix.ci] apply automated fixes

* golangci-lint fix

* fix golangci-lint

* ignore mock files in the test

* fix rebase

* fix golangci-lint

* fixed logging

* add validate schema initial code

* temp commit

* [autofix.ci] apply automated fixes

* refactor the code

* Fix test case

* added unit testcase for validator

* [autofix.ci] apply automated fixes

* fixed golangci-lint

* [autofix.ci] apply automated fixes

* fix golangci-lint

* used existing gogetter

* unit test case updated

* [autofix.ci] apply automated fixes

* golangci-lint fix

* [autofix.ci] apply automated fixes

* more test cases

* [autofix.ci] apply automated fixes

* rebase fix

* lint test

* update validator

* [autofix.ci] apply automated fixes

* update validator

* glob match updated

* fix glob for mac and windows

* add inline schema support

* [autofix.ci] apply automated fixes

* schema is the new name

* codecov updated

* fix test cases

* updated atmos schemas library

* fix macos test case

* fix test cases

* add more schemas

* update logging structure

* trying to ignore mock files

* set flag and key

* [autofix.ci] apply automated fixes

* remove old unwanted test

* fix merge issues

* update file name

* custom git detector

* [autofix.ci] apply automated fixes

* added global schema

* fix golangci lint

* updated parsing logic

* fix test case

* fix test case

* reduce complexity

* updated describe_config test

* fix snapshots

* fix test case

* updated snapshot

* fix tests

* Update cmd/validate_schema.go

Co-authored-by: Andriy Knysh <[email protected]>

* Update internal/exec/validate_schema.go

Co-authored-by: Andriy Knysh <[email protected]>

* fix comments

* [autofix.ci] apply automated fixes

* added negative test cases

* [autofix.ci] apply automated fixes

* fix suggestions

* fix golangci-lint

* updated the help

* udpate tests

* fix golangci-lint

* add help examples for validate schema

* add website docs

* remove unwanted flag

* updated the doc

* fix coderabbit

* updated schema

---------

Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Andriy Knysh <[email protected]>

Author: 4 people

.golangci.yml

@@ -115,7 +115,7 @@ linters-settings:
       - name: add-constant
         arguments:
           - maxLitCount: "3"
-            allowStrs: '"","image","error","path","import","path","%w","%s"'
+            allowStrs: '"","image","error","path","import","path","%w","%s","file","/"'
             allowInts: "0,1,2,3,4"
             allowFloats: "0.0,0.,1.0,1.,2.0,2."
       - name: argument-limit

Makefile

@@ -61,7 +61,8 @@ testacc: get
 
 testacc-cover: get
 	@echo "Running tests with coverage"
-	go test $(TEST) -v $(TESTARGS) -timeout 20m -coverprofile=coverage.out
+	go test $(TEST) -v $(TESTARGS) -timeout 20m -coverprofile=coverage.out.tmp
+	cat coverage.out.tmp | grep -v "mock_" > coverage.out
 
 # Run acceptance tests with coverage report
 testacc-coverage: testacc-cover

cmd/markdown/atmos_validate_schema_usage.md

@@ -0,0 +1,11 @@
+- Validate all the schemas
+
+```bash
+ $ atmos validate schema
+```
+
+- Validate specific schema
+
+```
+ $ atmos validate schema [schemaToValidate]
+```

cmd/validate_schema.go

@@ -0,0 +1,75 @@
+package cmd
+
+import (
+	"errors"
+
+	log "github.com/charmbracelet/log"
+	"github.com/cloudposse/atmos/internal/exec"
+	u "github.com/cloudposse/atmos/pkg/utils"
+	"github.com/spf13/cobra"
+)
+
+// ValidateSchemaCmd represents the 'atmos validate schema' command.
+//
+// This command reads the 'schemas' section from the atmos.yaml configuration file,
+// where each schema entry specifies a JSON schema path and a glob pattern for matching YAML files.
+//
+// For each entry:
+//   - The JSON schema is loaded.
+//   - All YAML files matching the glob pattern are discovered.
+//   - Each YAML file is converted to JSON and validated against the schema.
+//
+// This command ensures that configuration files conform to expected structures and helps
+// catch errors early in the development or deployment process.
+var ValidateSchemaCmd = &cobra.Command{
+	Use:   "schema",
+	Short: "Validate YAML files against JSON schemas defined in atmos.yaml",
+	Long: `The validate schema command reads the ` + "`" + `schemas` + "`" + ` section of the atmos.yaml file 
+and validates matching YAML files against their corresponding JSON schemas.
+
+Each entry under ` + "`" + `schemas` + "`" + ` should define:
+  - ` + "`" + `schema` + "`" + `: The path to the JSON schema file.
+  - ` + "`" + `matches` + "`" + `: A glob pattern that specifies which YAML files to validate.
+
+For every schema entry:
+  - The JSON schema is loaded from the specified path.
+  - All files matching the glob pattern are collected.
+  - Each matching YAML file is parsed and converted to JSON.
+  - The converted YAML is validated against the schema.
+
+This command helps ensure that configuration files follow a defined structure 
+and are compliant with expected formats, reducing configuration drift and runtime errors.
+`,
+	FParseErrWhitelist: struct{ UnknownFlags bool }{UnknownFlags: false},
+	Args:               cobra.MaximumNArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		// Check Atmos configuration
+		checkAtmosConfig()
+		schema := ""
+		key := ""
+		if len(args) > 0 {
+			key = args[0] // Use provided argument
+		}
+
+		if cmd.Flags().Changed("schemas-atmos-manifest") {
+			schema, _ = cmd.Flags().GetString("schemas-atmos-manifest")
+		}
+
+		if key == "" && schema != "" {
+			log.Error("key not provided for the schema to be used")
+			u.OsExit(1)
+		}
+
+		if err := exec.NewAtmosValidatorExecutor(&atmosConfig).ExecuteAtmosValidateSchemaCmd(key, schema); err != nil {
+			if errors.Is(err, exec.ErrInvalidYAML) {
+				u.OsExit(1)
+			}
+			u.PrintErrorMarkdownAndExit("", err, "")
+		}
+	},
+}
+
+func init() {
+	ValidateSchemaCmd.PersistentFlags().String("schemas-atmos-manifest", "", "Specifies the path to a JSON schema file used to validate the structure and content of the Atmos manifest file")
+	validateCmd.AddCommand(ValidateSchemaCmd)
+}

codecov.yml

@@ -9,6 +9,7 @@ coverage:
         threshold: 2% # Allow a small drop in coverage
         base: auto
   ignore:
+    - "**/mock_*.go"  # Adjust this pattern based on your project structure
     - "mock_*.go"  # Adjust this pattern based on your project structure
 
 comment:

examples/demo-schemas/atmos.yaml

@@ -0,0 +1,21 @@
+schemas:
+  schemaFromFile:
+    manifest: ./manifest.json
+    matches:
+      - config.yaml
+  schemaFromInternet:
+    manifest: https://json.schemastore.org/bower.json
+    matches:
+      - bower.yaml
+  schemaFromInline:
+    manifest: |
+      {
+        "type": "object",
+        "properties": {
+          "name": { "type": "string" },
+          "age": { "type": "integer" }
+        },
+        "required": ["name"]
+      }
+    matches:
+      - inline.yaml

examples/demo-schemas/bower.yaml

@@ -0,0 +1,10 @@
+name: "my-project"
+version: "1.0.0"
+description: "A sample project to demonstrate bower.json schema validation."
+main: "index.js"
+authors:
+  - "Jane Doe <[email protected]>"
+license: "MIT"
+dependencies:
+  jquery: "^3.5.1"
+  lodash: "^4.17.20"

examples/demo-schemas/config.yaml

@@ -0,0 +1,16 @@
+name: "MyApp"
+version: "1.0.0"
+enabled: true
+settings:
+  timeout: 30
+  debug: false
+users:
+  - id: 1
+    name: "Alice"
+    role: "admin"
+  - id: 2
+    name: "Bob"
+    role: "user"
+  - id: 3
+    name: "Charlie"
+    role: "guest"

examples/demo-schemas/inline.yaml

@@ -0,0 +1,2 @@
+name: John
+age: 30

examples/demo-schemas/manifest.json

@@ -0,0 +1,50 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "type": "object",
+    "properties": {
+      "name": {
+        "type": "string"
+      },
+      "version": {
+        "type": "string",
+        "pattern": "^[0-9]+\\.[0-9]+\\.[0-9]+$"
+      },
+      "enabled": {
+        "type": "boolean"
+      },
+      "settings": {
+        "type": "object",
+        "properties": {
+          "timeout": {
+            "type": "integer",
+            "minimum": 1
+          },
+          "debug": {
+            "type": "boolean"
+          }
+        },
+        "required": ["timeout"]
+      },
+      "users": {
+        "type": "array",
+        "items": {
+          "type": "object",
+          "properties": {
+            "id": {
+              "type": "integer"
+            },
+            "name": {
+              "type": "string"
+            },
+            "role": {
+              "type": "string",
+              "enum": ["admin", "user", "guest"]
+            }
+          },
+          "required": ["id", "name", "role"]
+        }
+      }
+    },
+    "required": ["name", "version", "enabled", "settings"]
+  }
+  

go.mod

@@ -0,0 +1,140 @@
+package exec
+
+import (
+	"fmt"
+
+	log "github.com/charmbracelet/log"
+
+	"github.com/cloudposse/atmos/pkg/downloader"
+	"github.com/cloudposse/atmos/pkg/filematch"
+	"github.com/cloudposse/atmos/pkg/schema"
+	"github.com/cloudposse/atmos/pkg/validator"
+)
+
+var ErrInvalidYAML = fmt.Errorf("invalid YAML")
+
+type ErrInvalidPattern struct {
+	Pattern string
+	err     error
+}
+
+func (e ErrInvalidPattern) Error() string {
+	return fmt.Sprintf("invalid pattern %q: %v", e.Pattern, e.err)
+}
+
+type atmosValidatorExecutor struct {
+	validator      validator.Validator
+	fileDownloader downloader.FileDownloader
+	fileMatcher    filematch.FileMatcher
+	atmosConfig    *schema.AtmosConfiguration
+}
+
+func NewAtmosValidatorExecutor(atmosConfig *schema.AtmosConfiguration) *atmosValidatorExecutor {
+	fileDownloader := downloader.NewGoGetterDownloader(atmosConfig)
+	return &atmosValidatorExecutor{
+		validator:      validator.NewYAMLSchemaValidator(atmosConfig),
+		fileDownloader: fileDownloader,
+		fileMatcher:    filematch.NewGlobMatcher(),
+		atmosConfig:    atmosConfig,
+	}
+}
+
+func (av *atmosValidatorExecutor) ExecuteAtmosValidateSchemaCmd(sourceKey string, customSchema string) error {
+	validationSchemaWithFiles, err := av.buildValidationSchema(sourceKey, customSchema)
+	if err != nil {
+		return err
+	}
+
+	totalErrCount, err := av.validateSchemas(validationSchemaWithFiles)
+	if err != nil {
+		return err
+	}
+
+	if totalErrCount > 0 {
+		return ErrInvalidYAML
+	}
+	return nil
+}
+
+func (av *atmosValidatorExecutor) buildValidationSchema(sourceKey, customSchema string) (map[string][]string, error) {
+	validationSchemaWithFiles := make(map[string][]string)
+	log.Debug("Building validation schema with files", "sourceKey", sourceKey, "customSchema", customSchema, "schemas", av.atmosConfig.Schemas)
+	for k := range av.atmosConfig.Schemas {
+		if av.shouldSkipSchema(k, sourceKey) {
+			log.Debug("Skipping schema", "key", k, "sourceKey", sourceKey)
+			continue
+		}
+
+		schemaValue := av.prepareSchemaValue(k, sourceKey, customSchema)
+		if schemaValue.Schema == "" {
+			log.Debug("Skipping schema with empty schema", "key", k, "sourceKey", sourceKey, "schemaValue", schemaValue)
+			continue
+		}
+
+		files, err := av.fileMatcher.MatchFiles(schemaValue.Matches)
+		if err != nil {
+			return nil, err
+		}
+		log.Debug("Files matched", "schema", schemaValue.Schema, "matcher", schemaValue.Matches, "filesMatched", files)
+		validationSchemaWithFiles[schemaValue.Schema] = files
+	}
+	log.Debug("Validation schema with files", "validationSchemaWithFiles", validationSchemaWithFiles)
+	return validationSchemaWithFiles, nil
+}
+
+func (av *atmosValidatorExecutor) shouldSkipSchema(k, sourceKey string) bool {
+	return (sourceKey != "" && sourceKey != k) || k == "cue" || k == "opa" || k == "jsonschema"
+}
+
+func (av *atmosValidatorExecutor) prepareSchemaValue(k, sourceKey, customSchema string) schema.SchemaRegistry {
+	value := av.atmosConfig.GetSchemaRegistry(k)
+	if sourceKey != "" && customSchema != "" {
+		value.Schema = customSchema
+	}
+	switch {
+	case value.Schema == "" && value.Manifest == "":
+		value.Schema = fmt.Sprintf("atmos://schema/%s/manifest/1.0", k)
+	case value.Schema == "" && value.Manifest != "":
+		value.Schema = value.Manifest
+	case customSchema != "":
+		value.Schema = customSchema
+	}
+	if len(value.Matches) == 0 && sourceKey == "atmos" {
+		value.Matches = []string{"atmos.yaml", "atmos.yml"}
+	}
+
+	return value
+}
+
+func (av *atmosValidatorExecutor) validateSchemas(schemas map[string][]string) (uint, error) {
+	totalErrCount := uint(0)
+	for k, files := range schemas {
+		errCount, err := av.printValidation(k, files)
+		if err != nil {
+			return 0, err
+		}
+		totalErrCount += errCount
+	}
+	return totalErrCount, nil
+}
+
+func (av *atmosValidatorExecutor) printValidation(schema string, files []string) (uint, error) {
+	count := uint(0)
+	for _, file := range files {
+		log.Debug("validating", "schema", schema, "file", file)
+		validationErrors, err := av.validator.ValidateYAMLSchema(schema, file)
+		if err != nil {
+			return count, err
+		}
+		if len(validationErrors) == 0 {
+			log.Info("No Validation Errors", "file", file, "schema", schema)
+			continue
+		}
+		log.Error("Invalid YAML", "file", file)
+		for _, err := range validationErrors {
+			log.Error("", "file", file, "field", err.Field(), "type", err.Type(), "description", err.Description())
+			count++
+		}
+	}
+	return count, nil
+}