Implement strict decoding for JetStream API requests

[caspervonb]

This implements optional strict JSON decoding for JetStream.

The intent of this is to minimize accidental misalignments between server and clients, we've had numerous of these across the various clients, especially for rarely used fields in the request payloads.

Signed-off-by: Casper Beyer [email protected]

[derekcollison]

https://app.travis-ci.com/github/nats-io/nats-server/jobs/625767923

Needs a fix

[neilalexander]

Not convinced by this block, in that if strict mode is disabled, we can in effect unmarshal twice. (Unmarshalling JSON is actually quite expensive on CPU so need to be careful on hot paths.)

Why this vs just having one decoder and setting DisallowUnknownFields() based on the Strict setting?

[caspervonb]

My first pass did just that, but was discussed offline with @ripienaar that we want to log marshaling failures even if strict is set to false to have a softer error path but keep the current behavior for existing deployments where it would at-least surface in the logs.

[neilalexander]

A misbehaving client is going to a) spam log lines and b) unmarshal twice for each request. I don't think that's wise, needs further discussion.

[ripienaar]

Derek suggested that for 2.11 while we are in soft mode we should still report the problem so client authors can discover and remediate issues so he suggested this approach. It's nice a nice assist before we enable this by default to reject requests but I agree with you it will spam logs until things are fixed.

[wallyqs]

I think client authors could enable this as an opt-in too, in order to avoid spamming there is rateLimitFormatWarnf which would log less

[ripienaar]

Yeah we discussed maybe a header on specific requests - but we have no api behaviours on headers so I am a bit reluctant.

Other option is something at the request level like we have action on consumer or pedantic now - big ripple effect on clients having to support it and ultimately this does not help users. The point is to identify bad clients that perhaps are not compatible or have bugs. So making it opt-in only for clients that support it is a no win

[ripienaar]

rateLimitFormatWarnf is a good idea though for sure

[Jarema]

I think that any opt-in for the client misses the point that Derek had - it's about detecting problems with non-tier-1 and older clients, and those will not have such opt-in implemented.

[caspervonb]

Changed the log lines to use rate limited warnings.

[wallyqs]

what is a sample line that gets reported here?

[caspervonb]

[10037] 2024/09/06 14:50:14.087465 [ERR] Invalid JetStream request '$G > $JS.API.STREAM.INFO.ORDERS': json: unknown field "stream_name"

[caspervonb]

Now with rate limit warnings instead of error it is:

[11545] 2024/09/06 15:10:33.449547 [WRN] Invalid JetStream request '$G > $JS.API.STREAM.INFO.ORDERS': json: unknown field "stream_name"

[caspervonb]

There's one failing test, but this is failing on main as-well so I don't think that's related.

[wallyqs]

I think we can remove these from banner

[caspervonb]

I'd vote to keep it, it's a sanity notice that you got the configuration you expected?

[neilalexander]

Let's only print it if cfg.Strict == true.

[caspervonb]

Ran the meta benchmarks on this as they're pretty request heavy:

JetStreamCreate/N=1,R=1,storage=Memory,C=12/resource=Stream-14        593.6µ ± ∞ ¹   618.6µ ± ∞ ¹       ~ (p=1.000 n=1) ²
JetStreamCreate/N=1,R=1,storage=Memory,C=12/resource=KVBucket-14      1.065m ± ∞ ¹   1.074m ± ∞ ¹       ~ (p=1.000 n=1) ²
JetStreamCreate/N=1,R=1,storage=Memory,C=12/resource=ObjStore-14      2.889m ± ∞ ¹   2.831m ± ∞ ¹       ~ (p=1.000 n=1) ²
JetStreamCreate/N=3,R=3,storage=Memory,C=12/resource=Stream-14        51.54m ± ∞ ¹   56.28m ± ∞ ¹       ~ (p=1.000 n=1) ²
JetStreamCreate/N=3,R=3,storage=Memory,C=12/resource=KVBucket-14      63.51m ± ∞ ¹   58.32m ± ∞ ¹       ~ (p=1.000 n=1) ²
JetStreamCreate/N=3,R=3,storage=Memory,C=12/resource=ObjStore-14      62.60m ± ∞ ¹   64.33m ± ∞ ¹       ~ (p=1.000 n=1) ²
JetStreamCreate/N=3,R=3,storage=File,C=12/resource=Stream-14          60.38m ± ∞ ¹   56.13m ± ∞ ¹       ~ (p=1.000 n=1) ²
JetStreamCreate/N=3,R=3,storage=File,C=12/resource=KVBucket-14        66.11m ± ∞ ¹   56.62m ± ∞ ¹       ~ (p=1.000 n=1) ²
JetStreamCreate/N=3,R=3,storage=File,C=12/resource=ObjStore-14        58.56m ± ∞ ¹   59.47m ± ∞ ¹       ~ (p=1.000 n=1) ²

[neilalexander]

Better to do a type assertion here for s, ok := vv.(bool), return an error if the type assert fails, and then set JetStreamStrict to the bool value. Otherwise setting strict: false in the config does the wrong thing.

[neilalexander]

Mind rebasing this & resolving conflicts please?

[ripienaar]

Please make sure the strict option value is shown in jsz output

[neilalexander]

Let's only print it if cfg.Strict == true.