Hello friends :) I have a JSON Schema that looks like this:
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Sync Repo Settings Config",
"description": "Schema for defining the sync repo settings config",
"additionalProperties": false,
"type": "object",
"$ref": "#/definitions/repoConfig",
"definitions": {
"repoConfig": {
"type": "object",
"properties": {
"name": {
"description": "A simple label for describing the ruleset.",
"type": "string"
},
"selector": {
"description": "For use in the org/.github repository. A GitHub repo search query that identifies the repositories which should be managed by the given rule.",
"type": "boolean"
},
"squashMergeAllowed": {
"description": "Whether or not squash-merging is enabled on this repository.",
"type": "boolean"
},
"rebaseMergeAllowed": {
"description": "Whether or not rebase-merging is enabled on this repository.",
"type": "boolean"
},
"mergeCommitAllowed": {
"description": "Whether or not PRs are merged with a merge commit on this repository.",
"type": "boolean"
},
"deleteBranchOnMerge": {
"description": "Either true to allow automatically deleting head branches when pull requests are merged, or false to prevent automatic deletion.",
"type": "boolean"
},
"branchProtectionRules": {
"description": "Branch protection rules",
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"pattern": {
"description": "Identifies the protection rule pattern.",
"type": "string"
},
"dismissesStaleReviews": {
"description": "Will new commits pushed to matching branches dismiss pull request review approvals.",
"type": "boolean"
},
"isAdminEnforced": {
"description": "Can admins overwrite branch protection.",
"type": "boolean"
},
"requiredApprovingReviewCount": {
"description": "Number of approving reviews required to update matching branches.",
"type": "number"
},
"requiredStatusCheckContexts": {
"description": "List of required status check contexts that must pass for commits to be accepted to matching branches.",
"type": "array",
"items": {
"type": "string"
}
},
"requiresCodeOwnerReviews": {
"description": "Are reviews from code owners required to update matching branches.",
"type": "boolean"
},
"requiresCommitSignatures": {
"description": "Are commits required to be signed.",
"type": "boolean"
},
"requiresStatusChecks": {
"description": "Are status checks required to update matching branches.",
"type": "boolean"
},
"requiresStrictStatusChecks": {
"description": "Are branches required to be up to date before merging.",
"type": "boolean"
},
"restrictsPushes": {
"description": "Is pushing to matching branches restricted.",
"type": "boolean"
},
"restrictsReviewDismissals": {
"description": "Is dismissal of pull request reviews restricted.",
"type": "boolean"
}
}
}
},
"permissionRules": {
"description": "List of explicit permissions to add (additive only)",
"type": "array",
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"team": {
"description": "Team slug to provide access.",
"type": "string"
},
"permission": {
"description": "Permission to provide the team. Can be one of (pull|push|admin)",
"type": "string",
"enum": ["pull", "push", "admin"]
}
},
"required": ["team", "permission"]
}
}
}
}
}
}
I am trying to create a re-usable repoConfig schema, which can also be represented in the root of my json documents. I'm being fussy, and turning the additionalProperties setting off, just to make 100% everything is working as expected. When I try to validate this document:
{
"rebaseMergeAllowed": false,
"branchProtectionRules": [
{
"requiresCodeOwnerReviews": true,
"requiredStatusCheckContexts": [
"check1",
"check2"
]
}
],
"permissionRules": [
{
"team": "team1",
"permission": "push"
}
]
}
I am getting the following error from the ajv npm module during validation:
[
{
instancePath: '',
schemaPath: '#/additionalProperties',
keyword: 'additionalProperties',
params: { additionalProperty: 'rebaseMergeAllowed' },
message: 'must NOT have additional properties'
}
]
If I take the collection of properties defined in my shared repoConfig object and directly inline them in the root of my schema document, the validator works as expected.
While Ether's answer is correct, you actually have an XY problem here.
(I think ajv actually allows $ref and definitions at the root level. The legality of this is debatable and unclear.)
Your problem here is in your use of additionalProperties, in that it cannot "see through" applicators, such as $ref.
Validation with "additionalProperties" applies only to the child values of instance names that do not match any names in "properties", and do not match any regular expression in "patternProperties".
https://datatracker.ietf.org/doc/html/draft-handrews-json-schema-validation-01#section-6.5.6
In simpler terms, the properties and patternProperties within the same schema object as additionalProperties only.
If you need to continue using draft-07 of JSON Schema, then you need to redefine the properties at the same level (You can give them a value of true).
If you can move to a newer version of JSON Schema, you can use unevaluatedProperties, which in simple terms, CAN "see through" applicator keywords. It's a little more complex, but it would behave how you expect.