From: Markus Armbruster
To: qemu-devel@nongnu.org
Date: Thu, 16 Mar 2017 07:27:23 +0100
Message-Id: <1489645685-4750-8-git-send-email-armbru@redhat.com>
In-Reply-To: <1489645685-4750-1-git-send-email-armbru@redhat.com>
References: <1489645685-4750-1-git-send-email-armbru@redhat.com>
Subject: [Qemu-devel] [PULL for 2.9 07/49] qapi: Have each QAPI schema declare its returns white-list

qapi.py has a hardcoded white-list of command names that may violate the rules on permitted return types. Add a new pragma directive 'returns-whitelist', and use it to replace the hard-coded white-list.

Signed-off-by: Markus Armbruster Message-Id: <1489582656-31133-6-git-send-email-armbru@redhat.com> Reviewed-by: Eric Blake --- docs/qapi-code-gen.txt | 13 +++++----- qapi-schema.json | 12 +++++++++ qga/qapi-schema.json | 15 +++++++++++ scripts/qapi.py | 30 +++++++-----------= ---- tests/Makefile.include | 1 + .../qapi-schema/pragma-returns-whitelist-crap.err | 1 + .../qapi-schema/pragma-returns-whitelist-crap.exit | 1 + .../qapi-schema/pragma-returns-whitelist-crap.json | 3 +++ .../qapi-schema/pragma-returns-whitelist-crap.out | 0 tests/qapi-schema/qapi-schema-test.json | 7 +++++ tests/qapi-schema/returns-whitelist.err | 2 +- tests/qapi-schema/returns-whitelist.json | 4 +++ 12 files changed, 61 insertions(+), 28 deletions(-) create mode 100644 tests/qapi-schema/pragma-returns-whitelist-crap.err create mode 100644 tests/qapi-schema/pragma-returns-whitelist-crap.exit create mode 100644 tests/qapi-schema/pragma-returns-whitelist-crap.json create mode 100644 tests/qapi-schema/pragma-returns-whitelist-crap.out diff --git a/docs/qapi-code-gen.txt b/docs/qapi-code-gen.txt index 5532b60..3d17005 100644 --- a/docs/qapi-code-gen.txt +++ b/docs/qapi-code-gen.txt @@ -318,6 +318,9 @@ pragma to different values in parts of the schema doesn= 't work. Pragma 'doc-required' takes a boolean value. If true, documentation is required. Default is false. =20 +Pragma 'returns-whitelist' takes a list of command names that may +violate the rules on permitted return types. Default is none. + =20 =3D=3D=3D Struct types =3D=3D=3D =20 
@@ -566,12 +569,10 @@ The member is optional from the command declaration; = if absent, the "return" member will be an empty dictionary. If 'returns' is present, it must be the string name of a complex or built-in type, a one-element array containing the name of a complex or built-in type. -Although it is permitted to have the 'returns' member name a built-in -type or an array of built-in types, any command that does this cannot -be extended to return additional information in the future; thus, new -commands should strongly consider returning a dictionary-based type or -an array of dictionaries, even if the dictionary only contains one -member at the present. +To return anything else, you have to list the command in pragma +'returns-whitelist'. If you do this, the command cannot be extended +to return additional information in the future. Use of +'returns-whitelist' for new commands is strongly discouraged. =20 All commands in Client JSON Protocol use a dictionary to report failure, with no way to specify that in QAPI. Where the error return diff --git a/qapi-schema.json b/qapi-schema.json index d5438ee..93e9e98 100644 --- a/qapi-schema.json +++ b/qapi-schema.json @@ -51,6 +51,18 @@ =20 { 'pragma': { 'doc-required': true } } =20 +# Whitelists to permit QAPI rule violations; think twice before you +# add to them! +{ 'pragma': { + # Commands allowed to return a non-dictionary: + 'returns-whitelist': [ + 'human-monitor-command', + 'qom-get', + 'query-migrate-cache-size', + 'query-tpm-models', + 'query-tpm-types', + 'ringbuf-read' ] } } + # QAPI common definitions { 'include': 'qapi/common.json' } =20 diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json index 3f3d428..a8e4bda 100644 --- a/qga/qapi-schema.json +++ b/qga/qapi-schema.json 
@@ -13,6 +13,21 @@ =20 { 'pragma': { 'doc-required': true } } =20 +# Whitelists to permit QAPI rule violations; think twice before you +# add to them! +{ 'pragma': { + # Commands allowed to return a non-dictionary: + 'returns-whitelist': [ + 'guest-file-open', + 'guest-fsfreeze-freeze', + 'guest-fsfreeze-freeze-list', + 'guest-fsfreeze-status', + 'guest-fsfreeze-thaw', + 'guest-get-time', + 'guest-set-vcpus', + 'guest-sync', + 'guest-sync-delimited' ] } } + ## # @guest-sync-delimited: # diff --git a/scripts/qapi.py b/scripts/qapi.py index fe9d3cf..1d86d85 100644 --- a/scripts/qapi.py +++ b/scripts/qapi.py @@ -41,26 +41,7 @@ builtin_types =3D { doc_required =3D False =20 # Whitelist of commands allowed to return a non-dictionary -returns_whitelist =3D [ - # From QMP: - 'human-monitor-command', - 'qom-get', - 'query-migrate-cache-size', - 'query-tpm-models', - 'query-tpm-types', - 'ringbuf-read', - - # From QGA: - 'guest-file-open', - 'guest-fsfreeze-freeze', - 'guest-fsfreeze-freeze-list', - 'guest-fsfreeze-status', - 'guest-fsfreeze-thaw', - 'guest-get-time', - 'guest-set-vcpus', - 'guest-sync', - 'guest-sync-delimited', -] +returns_whitelist =3D [] =20 # Whitelist of entities allowed to violate case conventions case_whitelist =3D [ @@ -321,12 +302,19 @@ class QAPISchemaParser(object): self.docs.extend(exprs_include.docs) =20 def _pragma(self, name, value, info): - global doc_required + global doc_required, returns_whitelist if name =3D=3D 'doc-required': if not isinstance(value, bool): raise QAPISemError(info, "Pragma 'doc-required' must be boolean") doc_required =3D value + elif name =3D=3D 'returns-whitelist': + if (not isinstance(value, list) + or any([not isinstance(elt, str) for elt in value])): + raise QAPISemError(info, + "Pragma returns-whitelist must be" + " a list of strings") + returns_whitelist =3D value else: raise QAPISemError(info, "Unknown pragma '%s'" % name) =20 
diff --git a/tests/Makefile.include b/tests/Makefile.include index 7a58c12..f9da3aa 100644 --- a/tests/Makefile.include +++ b/tests/Makefile.include @@ -444,6 +444,7 @@ qapi-schema +=3D non-objects.json qapi-schema +=3D pragma-doc-required-crap.json qapi-schema +=3D pragma-extra-junk.json qapi-schema +=3D pragma-non-dict.json +qapi-schema +=3D pragma-returns-whitelist-crap.json qapi-schema +=3D qapi-schema-test.json qapi-schema +=3D quoted-structural-chars.json qapi-schema +=3D redefined-builtin.json diff --git a/tests/qapi-schema/pragma-returns-whitelist-crap.err b/tests/qa= pi-schema/pragma-returns-whitelist-crap.err new file mode 100644 index 0000000..5d77021 --- /dev/null +++ b/tests/qapi-schema/pragma-returns-whitelist-crap.err @@ -0,0 +1 @@ +tests/qapi-schema/pragma-returns-whitelist-crap.json:3: Pragma returns-whi= telist must be a list of strings diff --git a/tests/qapi-schema/pragma-returns-whitelist-crap.exit b/tests/q= api-schema/pragma-returns-whitelist-crap.exit new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/tests/qapi-schema/pragma-returns-whitelist-crap.exit @@ -0,0 +1 @@ +1 diff --git a/tests/qapi-schema/pragma-returns-whitelist-crap.json b/tests/q= api-schema/pragma-returns-whitelist-crap.json new file mode 100644 index 0000000..f6b81b0 --- /dev/null +++ b/tests/qapi-schema/pragma-returns-whitelist-crap.json @@ -0,0 +1,3 @@ +# 'returns-whitelist' must be list of strings + +{ 'pragma': { 'returns-whitelist': [ 'good', [ 'bad' ] ] } } diff --git a/tests/qapi-schema/pragma-returns-whitelist-crap.out b/tests/qa= pi-schema/pragma-returns-whitelist-crap.out new file mode 100644 index 0000000..e69de29 diff --git a/tests/qapi-schema/qapi-schema-test.json b/tests/qapi-schema/qa= pi-schema-test.json index 1719463..842ea3c 100644 --- a/tests/qapi-schema/qapi-schema-test.json +++ b/tests/qapi-schema/qapi-schema-test.json 
@@ -3,6 +3,13 @@ # This file is a stress test of supported qapi constructs that must # parse and compile correctly. =20 +# Whitelists to permit QAPI rule violations +{ 'pragma': { + # Commands allowed to return a non-dictionary: + 'returns-whitelist': [ + 'guest-get-time', + 'guest-sync' ] } } + { 'struct': 'TestStruct', 'data': { 'integer': 'int', 'boolean': 'bool', 'string': 'str' } } =20 diff --git a/tests/qapi-schema/returns-whitelist.err b/tests/qapi-schema/re= turns-whitelist.err index f47c1ee..b2ba7a9 100644 --- a/tests/qapi-schema/returns-whitelist.err +++ b/tests/qapi-schema/returns-whitelist.err @@ -1 +1 @@ -tests/qapi-schema/returns-whitelist.json:10: 'returns' for command 'no-way= -this-will-get-whitelisted' cannot use built-in type 'int' +tests/qapi-schema/returns-whitelist.json:14: 'returns' for command 'no-way= -this-will-get-whitelisted' cannot use built-in type 'int' diff --git a/tests/qapi-schema/returns-whitelist.json b/tests/qapi-schema/r= eturns-whitelist.json index e8b3cea..da20932 100644 --- a/tests/qapi-schema/returns-whitelist.json +++ b/tests/qapi-schema/returns-whitelist.json @@ -1,4 +1,8 @@ # we enforce that 'returns' be a dict or array of dict unless whitelisted + +{ 'pragma': { 'returns-whitelist': [ + 'human-monitor-command', 'query-tpm-models', 'guest-get-time' ] } } + { 'command': 'human-monitor-command', 'data': {'command-line': 'str', '*cpu-index': 'int'}, 'returns': 'str' } --=20 2.7.4
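
Review bot: In the docs/qapi-code-gen.txt hunk at -318, "Default is none." does not say what value that is. scripts/qapi.py initializes returns_whitelist to [], so "Default is the empty list" states the same default precisely and makes clear that a schema without the pragma permits no exceptions.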
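
Review bot: In the docs/qapi-code-gen.txt hunk at -566, the new sentence "To return anything else, you have to list the command in pragma 'returns-whitelist'" follows an unchanged sentence that still names built-in types and arrays of them as acceptable values for 'returns', so the text now reads as if built-in returns need no whitelisting. The expected error in tests/qapi-schema/returns-whitelist.err ("cannot use built-in type 'int'") and the schema comment "Commands allowed to return a non-dictionary" show the opposite. Please name the rule explicitly, for example that 'returns' must be a dictionary-based type or an array of one unless the command is listed in the pragma.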
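
Review bot: In the _pragma hunk of scripts/qapi.py, "returns_whitelist = value" assigns to the module-level list instead of checking whether it was already set, so if a schema and a file it includes both carry the pragma, whichever is parsed last silently replaces the other's exemptions. For a list that exists to permit rule violations, it would be safer to raise QAPISemError on a second 'returns-whitelist' pragma, or to extend the list and document that behaviour. A smaller point in the same hunk: the new message "Pragma returns-whitelist must be a list of strings" leaves the pragma name unquoted, while the neighbouring "Pragma 'doc-required' must be boolean" quotes it; the two should match, which also means updating pragma-returns-whitelist-crap.err.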
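
Review bot: The new negative test tests/qapi-schema/pragma-returns-whitelist-crap.json only exercises the element check, via "[ 'good', [ 'bad' ] ]"; the other half of the condition in _pragma, "not isinstance(value, list)", has no test. A second case passing a non-list value, such as a bare string or a dictionary, would cover that branch and guard against a later refactor accepting a single command name where a list is required.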