schema: do not manipulate draft4 metaschema for jsonschema 2.6.0 (#2098)

Only set additionalProperties = False on draft4 schema
definition in jsonschema 3.0 or greater
because cloud-init globally registers its draft4 extensions
as the primary validator for any draft4-based schemas in
the same python process.

This affects solutions such as subiquity and
ubuntu-desktop-installer which invoke jsonschema.validate
in the same process at runtime just after calling
cloudinit.schema.get_jsonschema_validator.

The resulting Tracebacks are seen as something like:
 jsonschema.exceptions.SchemaError:
 {'$ref': '#/definitions/ref_id'} is not valid under any of the
 given schema

Background:
cloud-init needs to extend draft4 schema to better
validate and warn 'deprecated' properties in draft4-based
cloud-init schema definitions. Our unittests also attempt
to strictly validate any meta schema definitions for the
cc_* config modules.

To accomplish strict meta schema validation cloud-init makes
a copy of the draft4 meta schema and adds an
'additionalProperties' = True to that schema to raise specific
errors and catch typos in cc_ module schema definitions.

Given that cloud-init at runtime extends and registers
a draft4 schema validator, any external consumers
of jsonschema.validate with draft4-base schemas are
exposed to cloud-init's validator so let's limit our risk
exposure.

For python 2.6.0, we cannot specify make draft4 schema
strict because any "$ref" keys are not yet resolved
to their actual #/defintions/<id> values so the traceback above
will always be generated in 'strict' mode for complex schemas.

This does not affect jsonschema 3.0+ which appears to resolve
schema $refs values before schema validation.

1 files changed, 5 insertions, 4 deletions

diff --git a/cloudinit/config/schema.py b/cloudinit/config/schema.py
index 0669defc..9886bde6 100644
--- a/cloudinit/config/schema.py
+++ b/cloudinit/config/schema.py
@@ -319,8 +319,7 @@ def get_jsonschema_validator():
     # type jsonschema attributes in cloud-init's schema.
     # This allows #cloud-config to provide valid yaml "content: !!binary | ..."
 
-    strict_metaschema = deepcopy(Draft4Validator.META_SCHEMA)
-    strict_metaschema["additionalProperties"] = False
+    meta_schema = deepcopy(Draft4Validator.META_SCHEMA)
 
     # This additional label allows us to specify a different name
     # than the property key when generating docs.
@@ -328,10 +327,11 @@ def get_jsonschema_validator():
     # otherwise the property label in the generated docs will be a
     # regular expression.
     # http://json-schema.org/understanding-json-schema/reference/object.html#pattern-properties
-    strict_metaschema["properties"]["label"] = {"type": "string"}
+    meta_schema["properties"]["label"] = {"type": "string"}
 
     validator_kwargs = {}
     if hasattr(Draft4Validator, "TYPE_CHECKER"):  # jsonschema 3.0+
+        meta_schema["additionalProperties"] = False  # Unsupported in 2.6.0
         type_checker = Draft4Validator.TYPE_CHECKER.redefine(
             "string", is_schema_byte_string
         )
@@ -339,6 +339,7 @@ def get_jsonschema_validator():
             "type_checker": type_checker,
         }
     else:  # jsonschema 2.6 workaround
+        # pylint:disable-next=no-member
         types = Draft4Validator.DEFAULT_TYPES  # pylint: disable=E1101
         # Allow bytes as well as string (and disable a spurious unsupported
         # assignment-operation pylint warning which appears because this
@@ -354,7 +355,7 @@ def get_jsonschema_validator():
     validators["anyOf"] = _anyOf
 
     cloudinitValidator = create(
-        meta_schema=strict_metaschema,
+        meta_schema=meta_schema,
         validators=validators,
         version="draft4",
         **validator_kwargs,