(SCHEMA) Enhance docs and validation for secret in extension manifest schema

michaeltlombardi · michaeltlombardi · commit 64ad4afbc352 · 2025-09-05T11:41:45.000-05:00
This change makes some corrections to the documentation for the `secret` field in the extension manifest schema: - Moves the documentation about the capability contract from `secret.executable` up to `secret`. - Redefines the documentation for `secret.executable` to indicate defining the path to an executable file. - Rewrites the documentation for `secret.args` to clarify the requirement to define a secret name input argument exactly once and the implications of not defining the vault input argument. The new documentation also shows examples of manifest snippets and the effective invocation. - Adds annotation keywords to document the various valid argument types. This change makes enhancements to the validation for the `secret` field: - It makes `args` required, even though it isn't required in the schema for the struct, because there's no functional way to pass the name of a secret to the extension without defining a secret name input argument. In `process_secret_args`, DSC considers it valid to define `secret` without any arguments and without the secret name input argument, but doing so means the extension is never sent the name of the secret to retrieve. The same is true for manifests that don't define the vault input argument, though conceivably an extension could be implemented without support for retrieving secrets from a named vault. https://github.com/PowerShell/DSC/blob/4750f779ecb27eb480f7ab37b8e8a526ed5054f5/dsc_lib/src/extensions/secret.rs#L108-L134 - It changes the `anyOf` in `secret.args.items` to `oneOf`, which is more strictly correct. An item must be _either_ a string argument _or_ a secret name input argument _or_ a vault input argument. - It ensures that the minimum length for a defined argument is `1`, preventing the accidental defining of an empty string. Arguably, we should also use the `pattern` keyword to forbid spacing characters, but this change doesn't add that stricter validation. - Replaces usage of `additionalProperties` with `unevaluatedProperties` to better support integrating tools and schema extensions. - Adds the `allOf` keyword to the top level of `secret` to provide validation for defining the correct number of secret name input arguments and vault name input arguments. The author must define exactly one secret name input argument in `secret.args` and zero or one vault input argument. The subschemas use the VS Code extended vocabulary keyword `errorMessage` to provide specific messaging when an author defines too few or too many of the secret name input argument and too many of the vault input argument. Finally, this change also updates the default snippets to remove the invalid snippets, which didn't define the secret name input argument, and to reword the documentation for those snippets. It also corrects the numbering of the snippet placeholders.
diff --git a/schemas/src/extension/manifest.secret.yaml b/schemas/src/extension/manifest.secret.yaml
@@ -10,126 +10,296 @@ markdownDescription: | # VS Code only
   [_Online Documentation_][00]
   ***
 
-  Defines how DSC must call the DSC extension to retrieve a secret value. An
-  extension that defines this field in its manifest has the `secret` capability.
+  Defines how DSC must call the DSC extension to retrieve a secret value. An extension that defines
+  this field in its manifest has the `secret` capability.
 
-  The secret operation is expected to output a single line to stdout containing
-  the secret text. If the extension outputs no data to stdout, DSC treats it as
-  "no secret returned". If the extension outputs multiple lines, DSC treats that
-  as an error.
+  DSC expects extensions implementing the `secret` capability to adhere to the following contract:
 
-  For details about the output format, see
-  [Secret extension operation stdout][01].
+  1. If the extension retrieves the secret, the extension must emit the secret to stdout as a
+     single line of plaintext and exit with code `0`. DSC consumes the emitted output and makes the
+     secret available in the configuration document.
+
+     If the extension emits more than one line to stdout, DSC raises an error.
+
+  1. If the extension cannot retrieve the secret because the secret doesn't exist, the extension
+     must not emit any text to stdout and must exit with code `0`. DSC interprets this result as
+     the secret not existing in the vault.
+
+  1. If the extension cannot retrieve the secret for any other reason, such as invalid credentials
+     or an API error, the extension should emit a descriptive error message as a JSON Line to
+     stderr and exit with a nonzero exit code. DSC interprets the nonzero exit code as an
+     operational failure and surfaces that information and any emitted error messages to the user.
+
+  When the exit code for the operation is `0`, DSC interprets the operation as completing without
+  errors. For extensions, failure to retrieve a secret because it doesn't exist is _not_ an error.
+  Failure to retrieve a secret for any other reason _is_ an error and the extension should exit
+  with a nonzero code. For an improved user experience, the extension should define the `exitCodes`
+  field in the extension manifest to indicate what the nonzero exit code means.
+
+  For more information about how DSC validates the data for stdout, see
+  [Secret extension operation stdout][01]. For more information about defining exit codes for the
+  extension, see [`exitCodes`][02] in the extension manifest schema reference.
 
   [00]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>
   [01]: <DOCS_BASE_URL>/reference/schemas/extension/stdout/secret?<DOCS_VERSION_PIN>
+  [02]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/root?<DOCS_VERSION_PIN>#exitcodes
 
 type: object
 required:
   - executable
+  - args
 properties:
   executable:
     $ref: /<PREFIX>/<VERSION>/definitions/commandExecutable.yaml
     markdownDescription: |
       ***
-      [_Online Documentation_][01]
+      [_Online Documentation_][00]
       ***
 
-      DSC expects extensions implementing the `secret` capability to adhere to the
-      following contract:
-      
-        1. If the extension retrieves the secret, the extension must emit the secret
-          to stdout as a single line of plaintext and exit with code `0`. DSC
-          consumes the emitted output and makes the secret available in the
-          configuration document.
-
-          If the extension emits more than one line to stdout, DSC raises an error.
-        1. If the extension cannot retrieve the secret because the secret doesn't
-          exist, the extension must not emit any text to stdout and must exit with
-          code `0`. DSC interprets this result as the secret not existing in the
-          vault.
-        1. If the extension cannot retrieve the secret for any other reason, such
-          as invalid credentials or an API error, the extension should emit
-          a descriptive error message as a JSON Line to stderr and exit with a
-          nonzero exit code. DSC interprets the nonzero exit code as an operational
-          failure and surfaces that information and any emitted error messages to
-          the user.
-
-      When the exit code for the operation is `0`, DSC interprets the operation as
-      completing without errors. For extensions, failure to retrieve a secret
-      because it doesn't exist is _not_ an error. Failure to retrieve a secret
-      for any other reason _is_ an error and the extension should exit with a
-      nonzero code. For an improved user experience, the extension should define
-      the `exitCodes` field in the extension manifest to indicate what the nonzero
-      exit code means.
-      
-      For more information about how DSC validates the data for stdout, see
-      [Secret extension operation stdout][01]. For more information about defining
-      exit codes for the extension, see [`exitCodes`][02] in the extension manifest
-      schema reference.
-
-      [00]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>
-      [01]: <DOCS_BASE_URL>/reference/schemas/extension/stdout/secret?<DOCS_VERSION_PIN>
-      [02]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/root?<DOCS_VERSION_PIN>#exitcodes
+      Defines the name of the command to run. The value must be the name of a command discoverable
+      in the system's `PATH` environment variable or the full path to the command. A file extension
+      is only required when the command isn't recognizable by the operating system as an
+      executable.
+
+      [00]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>#executable
   args:
     title: Arguments
     description: >-
       Defines an ordered list of arguments to pass to the command.
     markdownDescription: |
       ***
-      [_Online Documentation_][01]
+      [_Online Documentation_][00]
       ***
 
-      Defines an ordered list of arguments to pass to the command. Items can be plain strings or
-      structured entries indicating which argument name should receive the secret name or the vault
-      name.
+      Defines an ordered list of arguments to pass to the command. DSC passes each defined item to
+      the executable in the order you define them. Items can be string arguments, the secret name
+      input argument, or the vault input argument.
+
+      In order for DSC to retrieve a secret with the extension, the manifest must define the secret
+      name input argument. For DSC to retreieve a secret from a specific vault with the extension,
+      the manifest must define the vault input argument.
+
+      For example, given the following manifest snippet:
+
+      ```jsonc
+      {
+        // ellided extension manifest fields
+        "secret": {
+          "executable": "my_secret_extension",
+          "args": [
+            "get",
+            { "nameArg": "--secretName" }
+          ]
+        }
+      }
+      ```
 
-      DSC expands structured entries as follows:
+      When DSC invokes the extension to retrieve a secret named `apiToken`, it constructs
+      the following effective command:
 
-      - `{ "nameArg": "<flag>" }` expands to `"<flag>", "<secret-name>"`.
-      - `{ "vaultArg": "<flag>" }` expands to `"<flag>", "<vault-name>"` (only when a vault is
-        specified by the caller).
+      ```bash
+      my_secret_extension get --secretName apiToken
+      ```
 
-      [01]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>#args
+      If the user needs to retrieve a secret from a specific vault, DSC is unable to pass the vault
+      name to the previously defined snippet. The following snippet supports passing the vault name
+      to the extension as well as the secret name:
+
+      ```jsonc
+      {
+        // ellided extension manifest fields
+        "secret": {
+          "executable": "my_secret_extension",
+          "args": [
+            "get",
+            { "nameArg": "--secretName" },
+            { "vaultArg": "--vaultName" }
+          ]
+        }
+      }
+      ```
+
+      When DSC invokes the extension to retrieve a secret named `apiToken` from the `services`
+      vault, it constructs the following effective command:
+
+      ```bash
+      my_secret_extension get --secretName apiToken --vaultName services
+      ```
+
+      [00]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>#args
     type: array
     items:
-      anyOf:
-        - type: string
+      oneOf:
+        - title: String argument
+          description: >-
+            Any item in the argument array can be a string representing a static argument to pass
+            to the command, like `get` or `--quiet`.
+          markdownDescription: |-
+            ***
+            [_Online Documentation_][00]
+            ***
+
+            Any item in the argument array can be a string representing a static argument to pass
+            to the command, like `get` or `--quiet`.
+
+            [00]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>#string-arguments
+          type: string
+          minLength: 1
         - type: object
-          additionalProperties: false
+          title: Secret name input argument
+          description: >-
+            Defines the argument for the command that accepts the name of a secret.
+          markdownDescription: |-
+            ***
+            [_Online Documentation_][00]
+            ***
+
+            Defines the argument for the command that accepts the name of a secret. DSC passes the
+            name of the secret as a string after the defined argument. You must define this
+            argument as an object with the `nameArg` property set to the appropriate argument for
+            the extension command, like `--secret` or `--secret-name`.
+
+            An extension implementing the `secret` capability _must_ define a secret name input
+            argument exactly once.
+
+            [00]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>#secret-name-input-argument
+          unevaluatedProperties: false
           required:
             - nameArg
           properties:
             nameArg:
+              title: Secret name input argument definition
+              description: >-
+                Defines the literal string for the argument that accepts the name of the secret to
+                retrieve, like `--name` or `--secret-name`.
+              markdownDescription: |-
+                Defines the literal string for the argument that accepts the name of the secret to
+                retrieve, like `--name` or `--secret-name`.
               type: string
+              minLength: 1
         - type: object
-          additionalProperties: false
+          title: Vault input argument
+          description: >-
+            Defines the argument for the command that accepts the name of a specific vault to
+            retrieve a secret from.
+          markdownDescription: |-
+            ***
+            [_Online Documentation_][00]
+            ***
+
+            Defines the argument for the command that accepts the name of a specific vault to
+            retrieve a secret from. Define this argument as an object with the `vaultArg` property
+            set to the appropriate argument for the extension command, like `--vault` or
+            `--vault-name`.
+
+            To support retrieving secrets from a specific vault, an extension implementing the
+            `secret` capability _must_ define a vault input argument exactly once.
+
+            [00]: <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>#vault-input-argument
+          unevaluatedProperties: false
           required:
             - vaultArg
           properties:
             vaultArg:
+              title: Vault input argument definition
+              description: >-
+                Defines the literal string for the argument that accepts the name of the vault to
+                retrieve a secret from, like `--vault` or `--vault-name`.
+              markdownDescription: |-
+                Defines the literal string for the argument that accepts the name of the vault to
+                retrieve a secret from, like `--vault` or `--vault-name`.
               type: string
+              minLength: 1
+
+# Need to use an allOf with multiple possibilities to capture the requirement to define the secret
+# name input argument exactly once and the vault input argument no more than once. Note that
+# the YAML language server in VS Code currently doesn't understand the `minContains` and
+# `maxContains` keywords, so when defining the extension manifest in YAML with the schema, the
+# language server identifies the vault input argument as required. When defining the extension
+# manifest in JSON, the language server correctly identifies the minimum and maximum number of
+# arguments to use.
+#
+# Unfortunately, because we only get one error message per item in the `allOf` keyword, we have to
+# define two entries for the secret name input argument to provide better validation error messages.
+#
+# We use long lines for error messages, which can't use Markdown, so line breaks are literal.
+allOf:
+  - title: Missing secret name input argument
+    $comment: >-
+      This validation subschema ensures that `secret.args` contains a secret name input argument.
+      Without this argument, DSC can't pass the name of the secret to retrieve when invoking the
+      extension's secret command.
+
+      We define this separately from the maximum contains validation subschema to improve the error
+      messaging in VS Code.
+    properties:
+      args:
+        errorMessage: |-
+          The `secret` command doesn't define the secret name input argument. If you don't define the secret name input argument, DSC can't pass the secret name to the extension for retrieval. You can only define one secret name input argument for the command.
+
+          You must define one argument in `secret.args` as a JSON object with the `nameArg` property. For more information, see:
+
+          <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>
+        contains:
+          type: object
+          required: [nameArg]
+        minContains: 1
+  - title: Multiple secret name input arguments
+    $comment: >-
+      This validation subschema ensures that `secret.args` doesn't contain more than one secret
+      name input argument. Defining more than one secret name input argument is invalid.
+
+      We define this separately from the minimum contains validation subschema to improve the error
+      messaging in VS Code.
+    properties:
+      args:
+        errorMessage: |-
+          The `secret` command defines the secret name input argument more than once. You can only define one secret name input argument for the command.
+
+          You must define one argument in `secret.args` as a JSON object with the `nameArg` property and remove the additional secret name input arguments. For more information, see:
+
+          <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>
+        contains:
+          type: object
+          required: [nameArg]
+        maxContains: 1
+  - title: Multiple vault input arguments
+    $comment: >-
+      This validation subschema ensures that `secret.args` contains zero or one vault input
+      arguments. Defining a vault input argument is optional. Extensions that don't define the
+      vault input argument don't support retrieving secrets from a specific vault. Defining
+      more than one vault input argument is invalid.
+    properties:
+      args:
+        errorMessage: |-
+          The `secret` command defines the vault input argument more than once. If you don't define the vault input argument, DSC can't pass the vault to the extension for retrieving a secret from a specific vault. You can only define one vault input argument for the command.
+
+          You can define one argument in `secret.args` as a JSON object with the `vaultArg` property. For more information, see:
+
+          <DOCS_BASE_URL>/reference/schemas/extension/manifest/secret?<DOCS_VERSION_PIN>
+        contains:
+          type: object
+          required: [vaultArg]
+        minContains: 0
+        maxContains: 1
 
 defaultSnippets: # VS Code only
-  - label: ' Define without arguments'
-    markdownDescription: |
-      Define the `secret` command for the extension when no arguments are required.
-    body:
-      executable: ${2:executable_name}
-  - label: ' Define with arguments (flags + name)'
+  - label: ' Define with arguments (static string and secret name input arguments)'
     markdownDescription: |-
-      Define the `secret` command where the secret name is passed to a specific flag.
+      Define the `secret` command where the secret name is passed to the command. Use this
+      snippet if the extension doesn't support retrieving a secret from a specific vault.
     body:
-      executable: ${2:executable_name}
+      executable: ${1:executable_name}
       args:
-        - ${3:--get-secret}
-        - nameArg: ${4:--name}
-  - label: ' Define with arguments (flags + name + vault)'
+        - ${2:get}
+        - nameArg: ${3:--secret-name}
+  - label: ' Define with arguments (static string, secret name, and vault input arguments)'
     markdownDescription: |-
-      Define the `secret` command where both the secret name and the vault name are passed.
+      Define the `secret` command where both the secret name and the vault name are passed to the
+      command. Use this snippet if the extension supports retrieving a secret from a specific vault.
     body:
-      executable: ${2:executable_name}
+      executable: ${1:executable_name}
       args:
-        - ${3:--get-secret}
-        - nameArg: ${4:--name}
-        - vaultArg: ${5:--vault}
+        - ${2:get}
+        - nameArg: ${3:--secret-name}
+        - vaultArg: ${4:--vault-name}
