secret_rs/

lib.rs

//!
#![doc = include_str!("../README.md")]
//!

use crate::error::SecretError;
use base64::{Engine, engine::GeneralPurpose, prelude::BASE64_STANDARD};
pub use error::Result;
#[cfg(feature = "notify")]
pub use notify::SecretWatcher;
use serde::{Deserialize, Serialize, de::Visitor, ser::SerializeMap};
use serde_json::Value;
use std::{
    ffi::OsStr,
    fmt::{Debug, Display},
    fs,
    path::{Path, PathBuf},
};
use zeroize::ZeroizeOnDrop;

mod error;
#[cfg(feature = "notify")]
mod notify;

struct Base64(GeneralPurpose);

trait Decoder {
    fn decode(&self, input: &str) -> Result<Vec<u8>>;
}

impl Decoder for Base64 {
    fn decode(&self, input: &str) -> Result<Vec<u8>> {
        self.0
            .decode(input)
            .map_err(|err| SecretError::Decode(Encoding::Base64.to_string(), err.to_string()))
    }
}

/// Define which type of encoding the library supports when it needs to read the actual secret value.
#[derive(Debug, Clone, Copy, Deserialize, Serialize, PartialEq)]
#[cfg_attr(feature = "json-schema", derive(::schemars::JsonSchema))]
pub enum Encoding {
    #[serde(rename = "base64")]
    Base64,
}

impl Display for Encoding {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(
            f,
            "{}",
            match self {
                Encoding::Base64 => "base64",
            }
        )
    }
}

fn decode(content: &str, encoding: Option<Encoding>) -> Result<String> {
    if let Some(encoding) = encoding {
        let decoder: Box<dyn Decoder> = match encoding {
            Encoding::Base64 => Box::new(Base64(BASE64_STANDARD)),
        };
        decoder
            .decode(content)
            .map_err(|err| SecretError::Decode(encoding.to_string(), err.to_string()))
            .and_then(|content| {
                String::from_utf8(content).map_err(|err| SecretError::InvalidUtf8(err.to_string()))
            })
    } else {
        Ok(content.to_string())
    }
}

enum SupportedExtensions {
    Json,
    Ini,
    None,
}

enum JsonIndex<'a> {
    String(&'a str),
    Index(u32),
}

fn traverse_json_and_get<'a, I>(
    json: &'a Value,
    mut path: I,
    output: &'a mut Option<&'a Value>,
) -> Result<&'a mut Option<&'a Value>, String>
where
    I: Iterator<Item = JsonIndex<'a>>,
{
    if let Some(index) = path.next() {
        match (index, json) {
            (JsonIndex::Index(idx), Value::Array(arr)) => traverse_json_and_get(
                arr.get(idx as usize).ok_or(format!(
                    "while traversing array no item at index '{idx}' was found"
                ))?,
                path,
                output,
            ),
            (JsonIndex::String(str), Value::Object(obj)) => traverse_json_and_get(
                obj.get(str).ok_or(format!(
                    "while traversing object no field named '{str}' was found"
                ))?,
                path,
                output,
            ),
            (index, json) => Err(format!(
                "found index {} to traverse invalid structure {}",
                match index {
                    JsonIndex::String(str) => format!("String({str})"),
                    JsonIndex::Index(idx) => format!("Integer({idx})"),
                },
                match json {
                    Value::Null => "null",
                    Value::Bool(_) => "bool",
                    Value::Number(_) => "number",
                    Value::String(_) => "string",
                    Value::Array(_) => "array",
                    Value::Object(_) => "object",
                }
            )),
        }
    } else {
        *output = Some(json);
        Ok(output)
    }
}

impl From<Option<&OsStr>> for SupportedExtensions {
    fn from(value: Option<&OsStr>) -> Self {
        if let Some(extension) = value {
            if extension == "json" {
                SupportedExtensions::Json
            } else if extension == "ini" {
                SupportedExtensions::Ini
            } else {
                SupportedExtensions::None
            }
        } else {
            SupportedExtensions::None
        }
    }
}

fn get_key_from_file(extension: Option<&OsStr>, content: &str, key: &str) -> Result<String> {
    use ini::Ini;

    match extension.into() {
        SupportedExtensions::Json => {
            let json_content = serde_json::from_str::<Value>(content)
                .map_err(|err| SecretError::Json(err.to_string()))?;

            let key_path = key.split('.').map(|index| {
                let index = index.trim().strip_prefix('[').unwrap_or(index);
                let index = index.strip_suffix(']').unwrap_or(index).trim();
                let index = index.strip_prefix('\'').unwrap_or(index);
                let index = index.strip_suffix('\'').unwrap_or(index).trim();
                index
                    .parse::<u32>()
                    .map(JsonIndex::Index)
                    .unwrap_or(JsonIndex::String(index))
            });
            traverse_json_and_get(&json_content, key_path, &mut None)
                .map_err(|err| SecretError::JsonTraverse(err.to_string()))?
                .and_then(|v| match v {
                    Value::String(s) => Some(s.clone()),
                    _ => None,
                })
                .ok_or(SecretError::JsonKey(key.to_string()))
        }
        _ => {
            let ini_content =
                Ini::load_from_str(content).map_err(|err| SecretError::Ini(err.to_string()))?;
            ini_content
                .get_from(None::<String>, key)
                .map(String::from)
                .ok_or(SecretError::JsonKey(key.to_string()))
        }
    }
}

/// A secret container that abstracts how it is written within the configuration file.
#[derive(Clone, PartialEq, ZeroizeOnDrop)]
pub enum Secret {
    /// Represents a plaintext secret. It is read as-is from the configuration file.
    ///
    /// ```
    /// use serde::Deserialize;
    /// use serde_json::json;
    /// use secret_rs::Secret;
    ///
    /// #[derive(Deserialize, Debug, PartialEq)]
    /// struct SimpleConfig {
    ///     plain: Secret
    /// }
    ///
    /// let parsed_config = serde_json::from_value::<SimpleConfig>(json!({
    ///     "plain": "my-secret-value"
    /// })).unwrap();
    ///
    /// let expected_config = SimpleConfig {
    ///     plain: Secret::Plain { content: String::from("my-secret-value") }
    /// };
    ///
    /// assert_eq!(parsed_config, expected_config)
    /// ```
    Plain {
        #[zeroize]
        content: String,
    },
    /// Represents a secret contained within the selected environment variable, which is specified in the `key` field.
    /// Encoding can be signalled using the `encoding` key with value `"base64"`.
    ///
    /// ```
    /// use serde::Deserialize;
    /// use serde_json::json;
    /// use secret_rs::Secret;
    ///
    /// #[derive(Deserialize, Debug, PartialEq)]
    /// struct EnvConfig {
    ///     env: Secret
    /// }
    ///
    /// unsafe {std::env::set_var("MY_SECRET_INFO", String::from("my-secret-value"));}
    ///
    /// let parsed_config = serde_json::from_value::<EnvConfig>(json!({
    ///     "env": {
    ///         "type": "env",
    ///         "key": "MY_SECRET_INFO"
    ///     }
    /// })).unwrap();
    ///
    /// let expected_config = EnvConfig {
    ///     env: Secret::Env {
    ///         key: String::from("MY_SECRET_INFO"),
    ///         content: String::from("my-secret-value"),
    ///         encoding: None
    ///     }
    /// };
    ///
    /// assert_eq!(parsed_config, expected_config);
    /// ```
    Env {
        #[zeroize(skip)]
        key: String,
        #[zeroize]
        content: String,
        #[zeroize(skip)]
        encoding: Option<Encoding>,
    },
    /// Represents a secret contained in a file, whose filepath can be found in the `path` field. A file may contain
    /// either a single value, which is loaded completely into the secret content, or a set of key-value pairs
    /// (following [.ini](https://en.wikipedia.org/wiki/INI_file) format), where only the one specified in the `key` field is loaded.
    /// Encoding can be signalled using the `encoding` key with value `"base64"`.
    ///
    /// #### Secret loaded from the whole file
    ///
    /// ```
    /// use std::path::PathBuf;
    /// use assert_fs::fixture::{FileWriteStr, PathChild};
    /// use serde::Deserialize;
    /// use serde_json::json;
    /// use secret_rs::Secret;
    ///
    /// #[derive(Deserialize, Debug, PartialEq)]
    /// struct FileConfig {
    ///     file: Secret
    /// }
    ///
    /// let temp = assert_fs::TempDir::new().unwrap();
    /// let file = temp.child("private-key.pem");
    /// let path = file.to_string_lossy();
    ///
    /// file.write_str("PEM-secret\n").unwrap();
    ///
    /// let parsed_config = serde_json::from_value::<FileConfig>(json!({
    ///     "file": {
    ///         "type": "file",
    ///         "path": path
    ///     }
    /// })).unwrap();
    ///
    /// let expected_config = FileConfig {
    ///     file: Secret::File {
    ///         path: PathBuf::from(path.to_string()),
    ///         key: None,
    ///         content: "PEM-secret\n".into(),
    ///         encoding: None
    ///     }
    /// };
    ///
    /// assert_eq!(parsed_config, expected_config);
    /// ```
    ///
    /// #### Secret loaded from a key of a secrets file
    ///
    /// ```
    /// use std::path::PathBuf;
    /// use assert_fs::fixture::{FileWriteStr, PathChild};
    /// use serde::Deserialize;
    /// use serde_json::json;
    /// use secret_rs::Secret;
    ///
    /// #[derive(Deserialize, Debug, PartialEq)]
    /// struct FileConfig {
    ///     file: Secret
    /// }
    ///
    /// let temp = assert_fs::TempDir::new().unwrap();
    /// let file = temp.child("secrets.ini");
    /// let path = file.to_string_lossy();
    ///
    /// file.write_str("MY_SECRET=hello_there\n").unwrap();
    ///
    /// let parsed_config = serde_json::from_value::<FileConfig>(json!({
    ///     "file": {
    ///         "type": "file",
    ///         "key": "MY_SECRET",
    ///         "path": path
    ///     }
    /// })).unwrap();
    ///
    /// let expected_config = FileConfig {
    ///     file: Secret::File {
    ///         path: PathBuf::from(path.to_string()),
    ///         key: Some(String::from("MY_SECRET")),
    ///         content: String::from("hello_there"),
    ///         encoding: None
    ///     }
    /// };
    ///
    /// assert_eq!(parsed_config, expected_config);
    /// ```
    ///
    /// Secrets can also be stored in JSON files.
    ///
    /// ```
    /// use std::path::PathBuf;
    /// use assert_fs::fixture::{FileWriteStr, PathChild};
    /// use serde::Deserialize;
    /// use serde_json::json;
    /// use secret_rs::Secret;
    ///
    /// #[derive(Deserialize, Debug, PartialEq)]
    /// struct FileConfig {
    ///     file: Secret
    /// }
    ///
    /// let temp = assert_fs::TempDir::new().unwrap();
    /// let file = temp.child("secrets.json");
    /// let path = file.to_string_lossy();
    ///
    /// file.write_str(r#"{"key1":[{"MY_SECRET":"hello_there"}]}"#).unwrap();
    ///
    /// let parsed_config = serde_json::from_value::<FileConfig>(json!({
    ///     "file": {
    ///         "type": "file",
    ///         "key": "key1.[0].MY_SECRET",
    ///         "path": path
    ///     }
    /// })).unwrap();
    ///
    /// let expected_config = FileConfig {
    ///     file: Secret::File {
    ///         path: PathBuf::from(path.to_string()),
    ///         key: Some(String::from("key1.[0].MY_SECRET")),
    ///         content: String::from("hello_there"),
    ///         encoding: None
    ///     }
    /// };
    ///
    /// assert_eq!(parsed_config, expected_config);
    /// ```
    File {
        #[zeroize(skip)]
        path: PathBuf,
        #[zeroize(skip)]
        key: Option<String>,
        #[zeroize]
        content: String,
        #[zeroize(skip)]
        encoding: Option<Encoding>,
    },
}

impl Secret {
    /// Extract the actual secret content from the underlying data structure.
    pub fn read(&self) -> &str {
        match self {
            Secret::Plain { content }
            | Secret::Env { content, .. }
            | Secret::File { content, .. } => content.as_str(),
        }
    }
}

impl AsRef<str> for Secret {
    fn as_ref(&self) -> &str {
        self.read()
    }
}

impl Default for Secret {
    fn default() -> Self {
        Self::Plain {
            content: Default::default(),
        }
    }
}

impl From<String> for Secret {
    fn from(value: String) -> Self {
        Secret::Plain { content: value }
    }
}

impl From<&str> for Secret {
    fn from(value: &str) -> Self {
        Self::Plain {
            content: value.into(),
        }
    }
}

impl Debug for Secret {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Self::Plain { .. } => f.debug_tuple("Plain").field(&"[REDACTED]").finish(),
            Self::Env { key, .. } => f.debug_tuple("Env").field(key).finish(),
            Self::File { path, key, .. } => f
                .debug_struct("File")
                .field("path", path)
                .field("key", key)
                .finish(),
        }
    }
}

impl Display for Secret {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Secret::Plain { .. } => write!(f, "[REDACTED]"),
            Secret::Env { key, .. } => {
                write!(f, r#"type: "env", key: "{key}"#)
            }
            Secret::File { path, key, .. } => {
                write!(f, r#"type: "file", path: {path:?}, key: "{key:?}"#)
            }
        }
    }
}

#[cfg(feature = "json-schema")]
impl ::schemars::JsonSchema for Secret {
    fn schema_name() -> std::borrow::Cow<'static, str> {
        "Secret".into()
    }

    fn json_schema(generator: &mut ::schemars::SchemaGenerator) -> ::schemars::Schema {
        use ::schemars::json_schema;

        json_schema!({
            "examples": [
                "my-secret",
                {
                    "type":"env",
                    "key":"CUSTOM_ENV_VAR"
                },
                {
                    "type":"env",
                    "key":"CUSTOM_ENV_VAR",
                    "encoding": "base64"
                },
                {
                    "type":"file",
                    "path":"/path/to/file"
                }
            ],
            "anyOf": [
                {
                    "type": "string"
                },
                {
                    "type": "object",
                    "required": ["type", "key"],
                    "properties": {
                        "type": {
                            "const": "env"
                        },
                        "key": {
                            "type": "string"
                        },
                        "encoding": Encoding::json_schema(generator),
                    }
                },
                {
                    "type": "object",
                    "required": ["type", "path"],
                    "properties": {
                        "type": {
                            "const": "file"
                        },
                        "key": {
                            "type": "string"
                        },
                        "path": {
                            "type": "string",
                        },
                        "encoding": Encoding::json_schema(generator),
                    }
                }
            ]
        })
    }
}

impl Serialize for Secret {
    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
    where
        S: serde::Serializer,
    {
        match self {
            Secret::Plain { content } => serializer.serialize_str(content),
            Secret::Env { key, encoding, .. } => {
                let mut map = serializer.serialize_map(None)?;
                map.serialize_entry("type", "env")?;
                map.serialize_entry("key", key)?;
                if let Some(encoding) = encoding {
                    map.serialize_entry("encoding", encoding)?;
                }
                map.end()
            }
            Secret::File {
                path,
                key,
                encoding,
                ..
            } => {
                let mut map = serializer.serialize_map(None)?;
                map.serialize_entry("type", "file")?;
                map.serialize_entry("path", path)?;
                if let Some(key) = key {
                    map.serialize_entry("key", key)?;
                }
                if let Some(encoding) = encoding {
                    map.serialize_entry("encoding", encoding)?;
                }
                map.end()
            }
        }
    }
}

struct SecretVisitor;

fn get_content_from_file(
    path: &Path,
    key: Option<&str>,
    encoding: Option<Encoding>,
) -> Result<String> {
    let content = fs::read_to_string(path)
        .map_err(|err| SecretError::FileRead(path.to_path_buf(), err.to_string()))?;

    let content = match key.as_ref() {
        Some(key) => get_key_from_file(path.extension(), &content, key)?,
        None => content,
    };

    decode(&content, encoding)
}

impl<'de> Visitor<'de> for SecretVisitor {
    type Value = Secret;

    fn expecting(&self, formatter: &mut std::fmt::Formatter) -> std::fmt::Result {
        formatter.write_str("enum Secret")
    }

    fn visit_str<E>(self, v: &str) -> Result<Self::Value, E>
    where
        E: serde::de::Error,
    {
        Ok(Secret::Plain {
            content: v.to_string(),
        })
    }

    fn visit_map<A>(self, mut map: A) -> Result<Self::Value, A::Error>
    where
        A: serde::de::MapAccess<'de>,
    {
        enum SecretGuard {
            Env,
            File,
        }

        let mut type_name = None;
        let mut key_name = None;
        let mut path_name = None;
        let mut encoding_name = None;
        while let Ok(Some(key)) = map.next_key::<String>() {
            match key.as_str() {
                "type" => {
                    let type_value = map.next_value::<String>()?;
                    type_name = match type_value.as_str() {
                        "env" => Some(SecretGuard::Env),
                        "file" => Some(SecretGuard::File),
                        _ => {
                            return Err(<A::Error as serde::de::Error>::custom(
                                "unsupported value for key 'type'",
                            ));
                        }
                    };
                }
                "key" => {
                    let key_value = map.next_value::<String>()?;
                    key_name = Some(key_value);
                }
                "path" => {
                    let path_value = map.next_value::<PathBuf>()?;
                    path_name = Some(path_value);
                }
                "encoding" => {
                    let encoding_value = map.next_value::<Encoding>()?;
                    encoding_name = Some(encoding_value);
                }
                _ => {}
            }
        }

        match (type_name, key_name, path_name, encoding_name) {
            (Some(SecretGuard::Env), Some(key_name), _, encoding) => Ok(Secret::Env {
                content: std::env::var(key_name.clone())
                    .map_err(|err| {
                        <A::Error as serde::de::Error>::custom(format!(
                            "cannot read environment variable '{key_name}': {err}"
                        ))
                    })
                    .and_then(|content| {
                        decode(&content, encoding)
                            .map_err(|err| <A::Error as serde::de::Error>::custom(err.to_string()))
                    })?,
                key: key_name,
                encoding,
            }),
            (Some(SecretGuard::File), key, Some(path), encoding) => Ok(Secret::File {
                content: get_content_from_file(&path, key.as_deref(), encoding)
                    .map_err(|err| <A::Error as serde::de::Error>::custom(err.to_string()))?,
                path,
                key,
                encoding,
            }),
            _ => Err(<A::Error as serde::de::Error>::custom(
                "unsupported enum variant",
            )),
        }
    }
}

impl<'de> Deserialize<'de> for Secret {
    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
    where
        D: serde::Deserializer<'de>,
    {
        deserializer.deserialize_any(SecretVisitor)
    }
}

#[cfg(test)]
mod tests {
    use super::{Encoding, Secret};
    use assert_fs::fixture::{FileWriteStr, PathChild};
    use base64::prelude::*;
    use rstest::rstest;
    use std::path::PathBuf;

    #[rstest]
    #[case(r#""my secret""#, Secret::from("my secret"))]
    #[case(r#"{"type":"env","key":"CUSTOM_ENV_VAR"}"#, Secret::Env { key: "CUSTOM_ENV_VAR".into(), content: "value".into(), encoding: None })]
    fn serde_json_tests(#[case] input: &str, #[case] expected: Secret) {
        match &expected {
            Secret::Env { key, content, .. } => unsafe {
                std::env::set_var(key, content);
            },
            Secret::Plain { .. } => {}
            _ => unimplemented!(),
        };

        let input: Secret = serde_json::from_str(input).expect("input to be deserialized");
        assert_eq!(input, expected);
    }

    #[rstest]
    #[case("secret", "SECRET=hello\n", "SECRET")]
    #[case("secret.ini", "SECRET=hello\n", "SECRET")]
    #[case("secret.whatever", "SECRET=hello\n", "SECRET")]
    #[case("secret1.json", r#"{"SECRET":"hello"}"#, "SECRET")]
    #[case(
        "secret2.json",
        r#"{"ANOTHER_SECRET":{"SECRET":["hello"]}}"#,
        "ANOTHER_SECRET.SECRET.0"
    )]
    fn secrets_in_file_with_keys(
        #[case] filename: &str,
        #[case] file_content: &str,
        #[case] key: &str,
    ) {
        let temp = assert_fs::TempDir::new().unwrap();
        let file = temp.child(filename);
        let path = file.to_string_lossy();
        file.write_str(file_content).unwrap();

        // on linux, paths do not need escaping
        // on windows, `\` must be escaped then we use the Value::String
        // constructor to ensure properly formed JSON
        let input = format!(
            r#"{{"type":"file","path":{},"key":"{key}"}}"#,
            serde_json::Value::String(path.to_string())
        );

        let full_secret: Secret = serde_json::from_str(&input).expect("input to be deserialized");
        assert_eq!(
            full_secret,
            Secret::File {
                path: PathBuf::from(path.to_string()),
                key: Some(key.to_string()),
                content: "hello".into(),
                encoding: None
            }
        );
    }

    #[rstest]
    #[case("secret")]
    #[case("secret.ini")]
    #[case("secret.whatever")]
    fn file_secret_tests(#[case] filename: &str) {
        let temp = assert_fs::TempDir::new().unwrap();
        let file = temp.child(filename);
        let path = file.to_string_lossy();

        // on linux, paths do not need escaping
        // on windows, `\` must be escaped then we use the Value::String
        // constructor to ensure properly formed JSON
        let input = format!(
            r#"{{"type":"file","path":{}}}"#,
            serde_json::Value::String(path.to_string())
        );

        file.write_str("SECRET=hello\n").unwrap();

        let full_secret: Secret = serde_json::from_str(&input).expect("input to be deserialized");
        assert_eq!(
            full_secret,
            Secret::File {
                path: PathBuf::from(path.to_string()),
                key: None,
                content: "SECRET=hello\n".into(),
                encoding: None
            }
        );
    }

    #[test]
    fn partial_file_secret_tests() {
        let temp = assert_fs::TempDir::new().unwrap();
        let file = temp.child("secret");

        let path = file.to_string_lossy();
        // on linux, paths do not need escaping
        // on windows, `\` must be escaped then we use the Value::String
        // constructor to ensure properly formed JSON
        let input = format!(
            r#"{{"type":"file","path":{},"key":"SECRET"}}"#,
            serde_json::Value::String(path.to_string())
        );

        file.write_str("SECRET=hello\n").unwrap();

        let partial_secret: Secret =
            serde_json::from_str(&input).expect("input to be deserialized");
        assert_eq!(
            partial_secret,
            Secret::File {
                path: PathBuf::from(path.to_string()),
                key: Some("SECRET".into()),
                content: "hello".into(),
                encoding: None
            }
        );
    }

    #[rstest]
    #[case(Encoding::Base64)]
    fn partial_file_secret_tests_with_decoding(#[case] encoding: Encoding) {
        let temp = assert_fs::TempDir::new().unwrap();
        let file = temp.child("secret");

        let path = file.to_string_lossy();
        // on linux, paths do not need escaping
        // on windows, `\` must be escaped then we use the Value::String
        // constructor to ensure properly formed JSON
        let input = format!(
            r#"{{"type":"file","path":{},"key":"SECRET","encoding":"{encoding}"}}"#,
            serde_json::Value::String(path.to_string())
        );

        let decoded = "hello";
        let encoded = match encoding {
            Encoding::Base64 => BASE64_STANDARD.encode(decoded),
        };

        let file_content = format!(
            r#"SECRET="{encoded}"
"#
        );
        file.write_str(&file_content).unwrap();

        let partial_secret: Secret =
            serde_json::from_str(&input).expect("input to be deserialized");
        assert_eq!(
            partial_secret,
            Secret::File {
                path: PathBuf::from(path.to_string()),
                key: Some("SECRET".into()),
                content: "hello".into(),
                encoding: encoding.into()
            }
        );
    }

    #[rstest]
    #[case(Secret::from("my secret"), "[REDACTED]")]
    fn display_tests(#[case] secret: Secret, #[case] expected: &str) {
        assert_eq!(format!("{secret}"), expected);
    }

    #[cfg(feature = "json-schema")]
    #[rstest]
    fn ensure_valid_json_schema() {
        use schemars::{SchemaGenerator, generate::SchemaSettings};

        let schema_gen = SchemaGenerator::new(SchemaSettings::draft07());
        let schema = schema_gen.into_root_schema_for::<Secret>();

        let validator = jsonschema::validator_for(schema.as_value()).expect("a valid json schema");
        let examples = schema
            .as_object()
            .and_then(|m| m.get("examples"))
            .and_then(|e| e.as_array())
            .expect("json schema must have examples");

        assert!(!examples.is_empty());

        examples
            .iter()
            .for_each(|e| assert!(validator.validate(e).is_ok()))
    }
}