Fix propagation of secrets#1573
Draft
SteveL-MSFT wants to merge 1 commit into
Draft
Conversation
SteveL-MSFT
force-pushed
the
secret-securestring
branch
from
e78909b to
7a86ad9
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the secret-extension pipeline so secrets are propagated as secureString (and validated distinctly from string/object) through the DSC engine, and adjusts the Debug/Echo resource and tests to reveal/redact secrets based on showSecrets.
Changes:
- Wrap secret-extension stdout as
secureStringin the extension handler, and havesecret()return that secure JSON value instead of a plaintext string. - Tighten parameter validation/handling so
secureString/secureObjectare treated as distinct JSON shapes (not interchangeable withstring/object). - Update Echo and secret-extension Pester tests to use
showSecretsand validate expected secret visibility.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| resources/dscecho/src/main.rs | Unwrap/redact secure outputs depending on showSecrets, including array/object handling changes. |
| lib/dsc-lib/src/functions/secret.rs | Parse extension output as SecureString JSON and return as a JSON value instead of a plain string. |
| lib/dsc-lib/src/functions/parameters.rs | Validate that secureString/secureObject parameters are in the expected secure JSON format. |
| lib/dsc-lib/src/extensions/secret.rs | Wrap raw secret extension output as a serialized SecureString JSON object. |
| lib/dsc-lib/src/configure/mod.rs | Validate parameter types with distinct checks for secureString and secureObject. |
| lib/dsc-lib/locales/en-us.toml | Add localized error messages for secure-type validation and secret-format failures. |
| extensions/test/secret/secret.ps1 | Adjust test secret extension behavior to suppress errors for missing secrets. |
| dsc/tests/dsc_extension_secret.tests.ps1 | Update secret extension tests to set showSecrets: true and validate unwrapped secret output. |
Comments suppressed due to low confidence (1)
lib/dsc-lib/src/functions/secret.rs:9
secret()now returns a JSON object ({"secureString": ...}), but its function metadata still advertisesreturn_types: [String]. This makesdsc function list/schema outputs misleading for consumers. Update the metadata to reportObjectas the return type.
use crate::configure::{context::Context, parameters::SecureString};
use crate::extensions::dscextension::Capability;
use crate::functions::{FunctionArgKind, FunctionCategory, FunctionMetadata};
use rust_i18n::t;
use serde_json::Value;
Comment on lines
+43
to
49
| Output::Array(ref mut arr) => { | ||
| for item in arr.iter_mut() { | ||
| if echo.show_secrets == Some(true) { | ||
| *item = get_secure_contents(item).unwrap_or_else(|| redact(item)); | ||
| } else { | ||
| *item = redact(item); | ||
| } |
Comment on lines
+52
to
+55
| Output::Object(ref mut obj) => { | ||
| obj.clone_from(redact(&Value::Object(obj.clone())) | ||
| .as_object() | ||
| .expect("Expected redact() to return a Value::Object")); }, |
Comment on lines
+79
to
+87
| fn get_secure_contents(value: &Value) -> Option<Value> { | ||
| if let Ok(secure_string) = serde_json::from_value::<SecureString>(value.clone()) { | ||
| return Some(Value::String(secure_string.secure_string)); | ||
| } else if let Ok(secure_object) = serde_json::from_value::<SecureObject>(value.clone()) { | ||
| return Some(Value::Object(secure_object.secure_object)); | ||
| } | ||
|
|
||
| Some(value.clone()) | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR Summary
Looking into the problem, it would seem that the solution is NOT to have secret extensions wrap their output as JSON. Instead, the problem is that the secret extension handler should be wrapping the output of an extension as a
secureStringand propagate that through the engine. This led to a few fixes to make this work end-to-end:showSecretswith the Echo resourcesecureStringobjectsecureStringandsecureObjectfromstringandobjectso they are distinctEchoresource to properly unwrap thesecureStringorsecureObjectwhenshowSecretsistruePR Context
Fix #1569