Nesting oneOf inside allOf not working as expected (python jsonschema)

Question

OK, I'm sure there's something wrong with this jsonschema, but I just can't seem to wrap my head around the problem.

I'm not going to post the actual code, but a minimal example that reproduces the issue.

Here's what I had before, which worked fine:

person = {
    'type': 'object',
    'properties': {
        'name': {
            'type': 'string'
        }
        'auth_token': {
             'type': 'string',
        },
        'username': {
            'type': 'string'
        },
        'password': {
            'type': 'string'
        }
    },
    'oneOf': [
        {
            'required': ['auth_token']
        },
        {
            'required': ['username', 'password']
        }
    ],
    'required': ['name']
}

The idea here was that you always need to provide the name of the person, and then either an auth token or a username and password pair. As I said above, this validation worked fine, since we have parametrized tests that send all posible combinations of invalid JSON and evaluate the resulting error message, and those tests pass.

But then a new requirement came in and I needed to add a second mutually exclusive required pair of fields, which I did in this way:

person = {
    'type': 'object',
    'properties': {
        'name': {
            'type': 'string'
        }
        'auth_token': {
             'type': 'string',
        },
        'username': {
            'type': 'string'
        },
        'password': {
            'type': 'string'
        },
        'project_id': {
            'type': 'number'
        },
        'contract_date_from': {
            'type': 'string'
        }
        'contract_date_to': {
            'type': 'string'
        }
    },
    'allOf': [
        {
            'oneOf': [
                {
                    'required': ['auth_token']
                },
                {
                    'required': ['username', 'password']
                }
            ]
        },
        {
            'oneOf': [
                {
                    'required': ['project_id']
                },
                {
                    'required': ['contract_date_from', 'contract_date_to']
                }
            ]
        }
    ],
    'required': ['name']
}

But now the second validation always fails, whether the json provided is valid or invalid. The error message I get is:

{'name': 'John Doe', 'auth_token': '9d9a324b-26de-4ac3-85eb-05566e4a7204', 'username': None, 'password': None, 'project_id': 2785, 'contract_date_from': None, 'contract_date_to': None} is valid under each of {'required': ['contract_date_from', 'contract_date_to']}, {'required': ['project_id']}

No matter what values I send in those three fields (ie. project id, contract date from and contract date to), it fails with the same error. I've tried leaving all three empty, completing all three, and all permutations in between, but the error stays the same.

I've been reading the documentation for json schema but I can't seem to grasp what's going on with this example. I'm considering trying different approaches for this, but I'd really like to understand why this is not working. Any help is appreciated!

Answer 1

{'name': 'John Doe', 'auth_token': '9d9a324b-26de-4ac3-85eb-05566e4a7204', 'username': None, 'password': None, 'project_id': 2785, 'contract_date_from': None, 'contract_date_to': None} is valid under each of {'required': ['contract_date_from', 'contract_date_to']}, {'required': ['project_id']}

Read the error message more carefully: you requested that project_id be provided, OR contract_date_from and contract_date_to are provided, but you are providing all three of these. Providing a null value in a property is still providing a property. The error message is confusing, but you'd be failing validation anyway because null is not a string. Your evaluator is simply running the allOf->anyOfs first, so that's the error that comes back first. You should still get the type violation errors as well, though (if you don't, that's a bug: evaluators are required to provide ALL errors, not just the first.)

You can make the errors better at the expense of brevity by adding the "type" checks to live next to the "required" keywords. That will ensure the oneOf keywords produce failures rather than successes and maybe make the error messages more obvious.