Fix JSON schema resolver bug (#2188)

rayokota · fangnx · web-flow · commit 35d5608710ec · 2026-02-11T14:22:50.000-08:00
* update * Simplify validation code * Fix build * Revert "Fix build" This reverts commit 9965eca. * Fix build * Fix build * Fix build --------- Co-authored-by: Naxin <nfang@confluent.io>
diff --git a/requirements/requirements-examples.txt b/requirements/requirements-examples.txt
@@ -15,7 +15,7 @@ requests
 avro>=1.11.1,<2
 
 pyrsistent
-jsonschema
+jsonschema >= 4.18.0
 orjson >= 3.10
 
 googleapis-common-protos
diff --git a/requirements/requirements-json.txt b/requirements/requirements-json.txt
@@ -1,3 +1,3 @@
 pyrsistent
-jsonschema
+jsonschema >= 4.18.0
 orjson >= 3.10
diff --git a/src/confluent_kafka/schema_registry/common/json_schema.py b/src/confluent_kafka/schema_registry/common/json_schema.py
@@ -201,8 +201,13 @@ def _validate_subschemas(
             try:
                 ref = subschema.get("$ref")
                 if ref is not None:
-                    subschema = resolver.lookup(ref).contents
-                validate(instance=message, schema=subschema, registry=registry)
+                    resolved = resolver.lookup(ref)
+                    subschema = resolved.contents
+                    # Pass _resolver (not resolver) to use the new referencing library's
+                    # Resolver with correct context for nested $ref resolution
+                    validate(instance=message, schema=subschema, registry=registry, _resolver=resolved.resolver)
+                else:
+                    validate(instance=message, schema=subschema, registry=registry)
                 return subschema
             except ValidationError:
                 pass
diff --git a/tests/schema_registry/_async/test_json_serdes.py b/tests/schema_registry/_async/test_json_serdes.py
@@ -1192,3 +1192,260 @@ async def deserialize_with_all_versions(client, ser_ctx, obj_bytes, obj, obj2, o
     deser = await AsyncJSONDeserializer(None, schema_registry_client=client, conf=deser_conf)
     newobj = await deser(obj_bytes, ser_ctx)
     assert obj3 == newobj
+
+
+async def test_json_oneof_with_refs_nested_refs():
+    """
+    Test oneOf with $ref that contains nested $refs.
+
+    This test validates the fix for the bug where oneOf subschemas containing
+    $refs that themselves contain nested $refs would fail with:
+    PointerToNowhere: '/definitions/...' does not exist
+
+    The fix ensures the resolver context is maintained when validating
+    resolved subschemas.
+    """
+    executor = FieldEncryptionExecutor.register_with_clock(FakeClock())
+
+    conf = {'url': _BASE_URL}
+    client = AsyncSchemaRegistryClient.new_client(conf)
+    ser_conf = {'auto.register.schemas': False, 'use.latest.version': True}
+    rule_conf = {'secret': 'mysecret'}
+
+    # Schema with oneOf containing $ref, where the resolved schema has nested $refs
+    schema = {
+        "type": "object",
+        "properties": {
+            "transactionType": {"type": "string"},
+            "data": {"oneOf": [{"$ref": "#/$defs/Account"}, {"$ref": "#/$defs/Payment"}]},
+        },
+        "required": ["transactionType", "data"],
+        "$defs": {
+            "Account": {
+                "type": "object",
+                "properties": {
+                    "accountId": {"type": "string", "confluent:tags": ["PII"]},
+                    "partyType": {"type": "string"},
+                    "paymentMethod": {"$ref": "#/$defs/PaymentMethod"},  # Nested $ref!
+                    "party": {"$ref": "#/$defs/PartyInfo"},  # Another nested $ref!
+                },
+                "required": ["accountId"],
+            },
+            "Payment": {
+                "type": "object",
+                "properties": {
+                    "paymentId": {"type": "string", "confluent:tags": ["PII"]},
+                    "amount": {"type": "number"},
+                },
+                "required": ["paymentId", "amount"],
+            },
+            "PaymentMethod": {
+                "type": "object",
+                "properties": {"type": {"type": "string"}, "details": {"type": "string", "confluent:tags": ["PII"]}},
+            },
+            "PartyInfo": {"type": "object", "properties": {"name": {"type": "string"}, "address": {"type": "string"}}},
+        },
+    }
+
+    rule = Rule(
+        "test-encrypt",
+        "",
+        RuleKind.TRANSFORM,
+        RuleMode.WRITEREAD,
+        "ENCRYPT",
+        ["PII"],
+        RuleParams({"encrypt.kek.name": "kek1", "encrypt.kms.type": "local-kms", "encrypt.kms.key.id": "mykey"}),
+        None,
+        None,
+        "ERROR,NONE",
+        False,
+    )
+    await client.register_schema(_SUBJECT, Schema(json.dumps(schema), "JSON", [], None, RuleSet(None, [rule])))
+
+    # Test with Account type (has nested $refs)
+    obj = {
+        "transactionType": "account_update",
+        "data": {
+            "accountId": "ACC123",
+            "partyType": "Payer",
+            "paymentMethod": {"type": "card", "details": "1234-5678-9012-3456"},
+            "party": {"name": "John Doe", "address": "123 Main St"},
+        },
+    }
+
+    ser = await AsyncJSONSerializer(json.dumps(schema), client, conf=ser_conf, rule_conf=rule_conf)
+    dek_client = executor.executor.client
+    ser_ctx = SerializationContext(_TOPIC, MessageField.VALUE)
+    obj_bytes = await ser(obj, ser_ctx)
+
+    # Verify encryption happened
+    assert obj['data']['accountId'] != 'ACC123'
+    assert obj['data']['paymentMethod']['details'] != '1234-5678-9012-3456'
+
+    # Reset for comparison
+    obj['data']['accountId'] = 'ACC123'
+    obj['data']['paymentMethod']['details'] = '1234-5678-9012-3456'
+
+    deser = await AsyncJSONDeserializer(None, schema_registry_client=client, rule_conf=rule_conf)
+    executor.executor.client = dek_client
+    obj2 = await deser(obj_bytes, ser_ctx)
+    assert obj == obj2
+
+
+async def test_json_anyof_with_refs():
+    """
+    Test anyOf with $refs to ensure all union types are handled correctly.
+    """
+    executor = FieldEncryptionExecutor.register_with_clock(FakeClock())
+
+    conf = {'url': _BASE_URL}
+    client = AsyncSchemaRegistryClient.new_client(conf)
+    ser_conf = {'auto.register.schemas': False, 'use.latest.version': True}
+    rule_conf = {'secret': 'mysecret'}
+
+    schema = {
+        "type": "object",
+        "properties": {"value": {"anyOf": [{"$ref": "#/$defs/StringValue"}, {"$ref": "#/$defs/NumberValue"}]}},
+        "$defs": {
+            "StringValue": {
+                "type": "object",
+                "properties": {"strValue": {"type": "string", "confluent:tags": ["PII"]}},
+            },
+            "NumberValue": {"type": "object", "properties": {"numValue": {"type": "number"}}},
+        },
+    }
+
+    rule = Rule(
+        "test-encrypt",
+        "",
+        RuleKind.TRANSFORM,
+        RuleMode.WRITEREAD,
+        "ENCRYPT",
+        ["PII"],
+        RuleParams({"encrypt.kek.name": "kek1", "encrypt.kms.type": "local-kms", "encrypt.kms.key.id": "mykey"}),
+        None,
+        None,
+        "ERROR,NONE",
+        False,
+    )
+    await client.register_schema(_SUBJECT, Schema(json.dumps(schema), "JSON", [], None, RuleSet(None, [rule])))
+
+    obj = {"value": {"strValue": "sensitive-data"}}
+
+    ser = await AsyncJSONSerializer(json.dumps(schema), client, conf=ser_conf, rule_conf=rule_conf)
+    dek_client = executor.executor.client
+    ser_ctx = SerializationContext(_TOPIC, MessageField.VALUE)
+    obj_bytes = await ser(obj, ser_ctx)
+
+    assert obj['value']['strValue'] != 'sensitive-data'
+    obj['value']['strValue'] = 'sensitive-data'
+
+    deser = await AsyncJSONDeserializer(None, schema_registry_client=client, rule_conf=rule_conf)
+    executor.executor.client = dek_client
+    obj2 = await deser(obj_bytes, ser_ctx)
+    assert obj == obj2
+
+
+async def test_json_allof_with_refs():
+    """
+    Test allOf with $refs to ensure composition works correctly.
+    """
+    executor = FieldEncryptionExecutor.register_with_clock(FakeClock())
+
+    conf = {'url': _BASE_URL}
+    client = AsyncSchemaRegistryClient.new_client(conf)
+    ser_conf = {'auto.register.schemas': False, 'use.latest.version': True}
+    rule_conf = {'secret': 'mysecret'}
+
+    schema = {
+        "type": "object",
+        "properties": {"entity": {"allOf": [{"$ref": "#/$defs/BaseEntity"}, {"$ref": "#/$defs/Timestamped"}]}},
+        "$defs": {
+            "BaseEntity": {"type": "object", "properties": {"id": {"type": "string", "confluent:tags": ["PII"]}}},
+            "Timestamped": {"type": "object", "properties": {"createdAt": {"type": "integer"}}},
+        },
+    }
+
+    rule = Rule(
+        "test-encrypt",
+        "",
+        RuleKind.TRANSFORM,
+        RuleMode.WRITEREAD,
+        "ENCRYPT",
+        ["PII"],
+        RuleParams({"encrypt.kek.name": "kek1", "encrypt.kms.type": "local-kms", "encrypt.kms.key.id": "mykey"}),
+        None,
+        None,
+        "ERROR,NONE",
+        False,
+    )
+    await client.register_schema(_SUBJECT, Schema(json.dumps(schema), "JSON", [], None, RuleSet(None, [rule])))
+
+    obj = {"entity": {"id": "entity-123", "createdAt": 1234567890}}
+
+    ser = await AsyncJSONSerializer(json.dumps(schema), client, conf=ser_conf, rule_conf=rule_conf)
+    dek_client = executor.executor.client
+    ser_ctx = SerializationContext(_TOPIC, MessageField.VALUE)
+    obj_bytes = await ser(obj, ser_ctx)
+
+    assert obj['entity']['id'] != 'entity-123'
+    obj['entity']['id'] = 'entity-123'
+
+    deser = await AsyncJSONDeserializer(None, schema_registry_client=client, rule_conf=rule_conf)
+    executor.executor.client = dek_client
+    obj2 = await deser(obj_bytes, ser_ctx)
+    assert obj == obj2
+
+
+async def test_json_deeply_nested_refs():
+    """
+    Test deeply nested $refs (3 levels) with oneOf to ensure resolver context
+    is maintained through multiple levels of resolution.
+    """
+    executor = FieldEncryptionExecutor.register_with_clock(FakeClock())
+
+    conf = {'url': _BASE_URL}
+    client = AsyncSchemaRegistryClient.new_client(conf)
+    ser_conf = {'auto.register.schemas': False, 'use.latest.version': True}
+    rule_conf = {'secret': 'mysecret'}
+
+    # 3-level nesting: oneOf -> Level1 -> Level2 -> Level3
+    schema = {
+        "type": "object",
+        "properties": {"data": {"oneOf": [{"$ref": "#/$defs/Level1"}]}},
+        "$defs": {
+            "Level1": {"type": "object", "properties": {"level2": {"$ref": "#/$defs/Level2"}}},
+            "Level2": {"type": "object", "properties": {"level3": {"$ref": "#/$defs/Level3"}}},
+            "Level3": {"type": "object", "properties": {"secretData": {"type": "string", "confluent:tags": ["PII"]}}},
+        },
+    }
+
+    rule = Rule(
+        "test-encrypt",
+        "",
+        RuleKind.TRANSFORM,
+        RuleMode.WRITEREAD,
+        "ENCRYPT",
+        ["PII"],
+        RuleParams({"encrypt.kek.name": "kek1", "encrypt.kms.type": "local-kms", "encrypt.kms.key.id": "mykey"}),
+        None,
+        None,
+        "ERROR,NONE",
+        False,
+    )
+    await client.register_schema(_SUBJECT, Schema(json.dumps(schema), "JSON", [], None, RuleSet(None, [rule])))
+
+    obj = {"data": {"level2": {"level3": {"secretData": "deep-secret"}}}}
+
+    ser = await AsyncJSONSerializer(json.dumps(schema), client, conf=ser_conf, rule_conf=rule_conf)
+    dek_client = executor.executor.client
+    ser_ctx = SerializationContext(_TOPIC, MessageField.VALUE)
+    obj_bytes = await ser(obj, ser_ctx)
+
+    assert obj['data']['level2']['level3']['secretData'] != 'deep-secret'
+    obj['data']['level2']['level3']['secretData'] = 'deep-secret'
+
+    deser = await AsyncJSONDeserializer(None, schema_registry_client=client, rule_conf=rule_conf)
+    executor.executor.client = dek_client
+    obj2 = await deser(obj_bytes, ser_ctx)
+    assert obj == obj2
diff --git a/tests/schema_registry/_sync/test_json_serdes.py b/tests/schema_registry/_sync/test_json_serdes.py
