clevis-pin-tpm2/0001-Add-JSON-schema-validation-to-reject-unknown-fields.patch

From d1ab04c3d8cffae06fef09fbe5cf8202e59df3d7 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Sun, 14 Dec 2025 18:58:57 -0300
Subject: [PATCH] Add JSON schema validation to reject unknown fields

Adds serde(deny_unknown_fields) attribute to TPM2Config to catch
typos and invalid field names in JSON configuration. Previously,
invalid fields like "pcrs_ids" were silently ignored, which could
lead to unexpected behavior.

Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
 src/cli.rs | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/src/cli.rs b/src/cli.rs
index e5caa70..97eaabb 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -7,6 +7,7 @@ use tpm2_policy::TPMPolicyStep;
 use crate::utils::get_authorized_policy_step;
 
 #[derive(Serialize, Deserialize, std::fmt::Debug)]
+#[serde(deny_unknown_fields)]
 pub(super) struct TPM2Config {
     pub hash: Option<String>,
     pub key: Option<String>,
@@ -235,3 +236,39 @@ pub(super) fn get_mode_and_cfg(args: &[String]) -> Result<(ActionMode, Option<TP
 
     Ok((mode, cfg))
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_valid_config_parsing() {
+        let config_str = r#"{"pcr_ids": "7"}"#;
+        let result = serde_json::from_str::<TPM2Config>(config_str);
+        assert!(result.is_ok());
+    }
+
+    #[test]
+    fn test_invalid_field_name_rejected() {
+        // Using "pcrs_ids" instead of "pcr_ids" should fail
+        let config_str = r#"{"pcrs_ids": "7"}"#;
+        let result = serde_json::from_str::<TPM2Config>(config_str);
+        assert!(result.is_err());
+        let err = result.unwrap_err();
+        assert!(err.to_string().contains("unknown field"));
+    }
+
+    #[test]
+    fn test_multiple_invalid_fields_rejected() {
+        let config_str = r#"{"invalid_field": "value", "another_invalid": "value2"}"#;
+        let result = serde_json::from_str::<TPM2Config>(config_str);
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_valid_complex_config() {
+        let config_str = r#"{"pcr_ids": [7, 11], "pcr_bank": "sha256", "hash": "sha256"}"#;
+        let result = serde_json::from_str::<TPM2Config>(config_str);
+        assert!(result.is_ok());
+    }
+}
-- 
2.47.3