implement secret function to use extensions

SteveL-MSFT · SteveL-MSFT · commit 861baa38f005 · 2025-07-15T14:58:28.000-07:00
diff --git a/dsc_lib/src/extensions/dscextension.rs b/dsc_lib/src/extensions/dscextension.rs
@@ -8,7 +8,7 @@ use schemars::JsonSchema;
 use std::{fmt::Display, path::Path};
 use tracing::{debug, info, trace};
 
-use crate::{discovery::command_discovery::{load_manifest, ImportedManifest}, dscerror::DscError, dscresources::{command_resource::{invoke_command, process_args}, dscresource::DscResource}};
+use crate::{discovery::command_discovery::{load_manifest, ImportedManifest}, dscerror::DscError, dscresources::{command_resource::{invoke_command, process_args}, dscresource::DscResource}, extensions::secret::SecretResult};
 
 use super::{discover::DiscoverResult, extension_manifest::ExtensionManifest, secret::SecretArgKind};
 
@@ -129,7 +129,21 @@ impl DscExtension {
         }
     }
 
-    pub fn secret(&self, name: &str, vault: Option<&str>) -> Result<Value, DscError> {
+    /// Retrieve a secret using the extension.
+    ///
+    /// # Arguments
+    ///
+    /// * `name` - The name of the secret to retrieve.
+    /// * `vault` - An optional vault name to use for the secret.
+    ///
+    /// # Returns
+    ///
+    /// A result containing the secret as a string or an error.
+    ///
+    /// # Errors
+    ///
+    /// This function will return an error if the secret retrieval fails or if the extension does not support the secret capability.
+    pub fn secret(&self, name: &str, vault: Option<&str>) -> Result<Option<String>, DscError> {
         if self.capabilities.contains(&Capability::Secret) {
             let extension = match serde_json::from_value::<ExtensionManifest>(self.manifest.clone()) {
                 Ok(manifest) => manifest,
@@ -151,12 +165,15 @@ impl DscExtension {
             )?;
             if stdout.is_empty() {
                 info!("{}", t!("extensions.dscextension.secretNoResults", extension = self.type_name));
-                Ok(Value::Null)
+                Ok(None)
             } else {
-                match serde_json::from_str(&stdout) {
-                    Ok(value) => Ok(value),
-                    Err(err) => Err(DscError::Json(err)),
-                }
+                let result: SecretResult = match serde_json::from_str(&stdout) {
+                    Ok(value) => value,
+                    Err(err) => {
+                        return Err(DscError::Json(err));
+                    }
+                };
+                Ok(Some(result.secret))
             }
         } else {
             Err(DscError::UnsupportedCapability(
diff --git a/dsc_lib/src/functions/secret.rs b/dsc_lib/src/functions/secret.rs
@@ -3,9 +3,11 @@
 
 use crate::DscError;
 use crate::configure::context::Context;
+use crate::extensions::Capability;
 use crate::functions::AcceptedArgKind;
 use serde_json::Value;
 use super::Function;
+use tracing::warn;
 
 #[derive(Debug, Default)]
 pub struct Secret {}
@@ -24,18 +26,43 @@ impl Function for Secret {
     }
 
     fn invoke(&self, args: &[Value], context: &Context) -> Result<Value, DscError> {
-        let secret = args[0].as_str().ok_or_else(|| {
+        let secret_name = args[0].as_str().ok_or_else(|| {
             DscError::InvalidArgumentType("Secret function requires a string argument".to_string())
         })?.to_string();
-        let vault: Option<String> = if args.len() > 1 {
+        let vault_name: Option<String> = if args.len() > 1 {
             args[1].as_str().map(|s| s.to_string())
         } else {
             None
         };
 
         // if no vault name is provided, we query all extensions supporting the secret method
         // to see if any of them can provide the secret.  If none can or if multiple can, we return an error.
-
+        let extensions = context.extensions();
+        let mut secret_returned = false;
+        let mut result: String = String::new();
+        for extension in extensions {
+            if extension.capabilities().contains(&Capability::Secret) {
+                match extension.secret(&secret_name, vault_name.as_deref()) {
+                    Ok(result) => {
+                        if secret_returned {
+                            return Err(DscError::MultipleSecretsFound(secret_name.clone()));
+                        }
+                        if let Some(secret_value) = result {
+                            result = secret_value;
+                            secret_returned = true;
+                        }
+                    },
+                    Err(err) => {
+                        warn!("Error occurred while retrieving secret from extension {}: {}", extension.type_name(), err);
+                    }
+                }
+            }
+        }
+        if !secret_returned {
+            Err(DscError::SecretNotFound(secret_name))
+        } else {
+            Ok(Value::String(result))
+        }
     }
 }
 
