fix handling of arrays

Author: SteveL-MSFT

dsc/examples/secure_parameters.dsc.yaml

@@ -8,13 +8,23 @@ parameters:
     type: bool
     defaultValue: false
 resources:
-  - name: Echo 1
+  - name: SecureString
     type: Microsoft.DSC.Debug/Echo
     properties:
       output: "[parameters('myString')]"
       showSecrets: "[parameters('showSecrets')]"
-  - name: Echo 2
+  - name: SecureObject
     type: Microsoft.DSC.Debug/Echo
     properties:
       output: "[parameters('myObject').myProperty]"
       showSecrets: "[parameters('showSecrets')]"
+  - name: SecureArray
+    type: Microsoft.DSC.Debug/Echo
+    properties:
+      output: "[parameters('myObject').myArray]"
+      showSecrets: "[parameters('showSecrets')]"
+  - name: SecureArrayIndexed
+    type: Microsoft.DSC.Debug/Echo
+    properties:
+      output: "[parameters('myObject').myArray[1]]"
+      showSecrets: "[parameters('showSecrets')]"

dsc/examples/secure_parameters.parameters.yaml

@@ -2,3 +2,6 @@ parameters:
   myString: mySecret
   myObject:
     myProperty: mySecretProperty
+    myArray:
+      - item1
+      - item2

dsc/examples/secure_parameters_shown.parameters.yaml

@@ -2,4 +2,7 @@ parameters:
   myString: mySecret
   myObject:
     myProperty: mySecretProperty
+    myArray:
+      - item1
+      - item2
   showSecrets: true

dsc/tests/dsc_parameters.tests.ps1

@@ -275,17 +275,25 @@ Describe 'Parameters tests' {
     }
 
     It 'secure types can be passed as objects to resources but redacted in output' {
-      $out = dsc config -f $PSScriptRoot/../examples/secure_parameters.parameters.yaml get -f $PSScriptRoot/../examples/secure_parameters.dsc.yaml | ConvertFrom-Json
+      $out = dsc -l trace config -f $PSScriptRoot/../examples/secure_parameters.parameters.yaml get -f $PSScriptRoot/../examples/secure_parameters.dsc.yaml 2> $TestDrive/error.log | ConvertFrom-Json
       $LASTEXITCODE | Should -Be 0
+      $out.results.Count | Should -Be 4
       $out.results[0].result.actualState.output | Should -BeExactly '<secureValue>'
       $out.results[1].result.actualState.output | Should -BeExactly '<secureValue>'
+      $out.results[2].result.actualState.output[0] | Should -BeExactly '<secureValue>'
+      $out.results[2].result.actualState.output[1] | Should -BeExactly '<secureValue>'
+      $out.results[3].result.actualState.output | Should -BeExactly '<secureValue>'
     }
 
     It 'secure types can be passed as objects to resources' {
       $out = dsc config -f $PSScriptRoot/../examples/secure_parameters_shown.parameters.yaml get -f $PSScriptRoot/../examples/secure_parameters.dsc.yaml | ConvertFrom-Json
       $LASTEXITCODE | Should -Be 0
+      $out.results.Count | Should -Be 4
       $out.results[0].result.actualState.output.secureString | Should -BeExactly 'mySecret'
       $out.results[1].result.actualState.output.secureString | Should -BeExactly 'mySecretProperty'
+      $out.results[2].result.actualState.output[0].secureString | Should -BeExactly 'item1'
+      $out.results[2].result.actualState.output[1].secureString | Should -BeExactly 'item2'
+      $out.results[3].result.actualState.output.secureObject.secureString | Should -BeExactly 'item2'
     }
 
     It 'parameter types are validated for <type>' -TestCases @(

dsc_lib/src/configure/parameters.rs

@@ -11,6 +11,8 @@ pub struct Input {
     pub parameters: HashMap<String, Value>,
 }
 
+pub const SECURE_VALUE_REDACTED: &str = "<secureValue>";
+
 #[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
 pub struct SecureString {
     #[serde(rename = "secureString")]
@@ -19,7 +21,7 @@ pub struct SecureString {
 
 impl Display for SecureString {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "<secureValue>")
+        write!(f, "{SECURE_VALUE_REDACTED}")
     }
 }
 
@@ -31,7 +33,7 @@ pub struct SecureObject {
 
 impl Display for SecureObject {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "<secureValue>")
+        write!(f, "{SECURE_VALUE_REDACTED}")
     }
 }
 

dsc_lib/src/dscresources/dscresource.rs

@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-use crate::{configure::{Configurator, config_doc::{Configuration, ExecutionKind, Resource}, context::ProcessMode, parameters::is_secure_value}, dscresources::resource_manifest::Kind};
+use crate::{configure::{Configurator, config_doc::{Configuration, ExecutionKind, Resource}, context::ProcessMode, parameters::{SECURE_VALUE_REDACTED, is_secure_value}}, dscresources::resource_manifest::Kind};
 use crate::dscresources::invoke_result::{ResourceGetResponse, ResourceSetResponse};
 use dscerror::DscError;
 use jsonschema::Validator;
@@ -503,9 +503,8 @@ pub fn get_well_known_properties() -> HashMap<String, Value> {
 ///
 /// Original value if not sensitive, otherwise a redacted value
 pub fn redact(value: &Value) -> Value {
-    trace!("Redacting value: {value}");
     if is_secure_value(value) {
-        return Value::String("<secureValue>".to_string());
+        return Value::String(SECURE_VALUE_REDACTED.to_string());
     }
 
     if let Some(map) = value.as_object() {

dsc_lib/src/parser/expressions.rs

@@ -196,6 +196,15 @@ impl Expression {
     }
 }
 
+/// Convert a JSON value to a secure value if it is a string or an array of strings.
+///
+/// Arguments
+///
+/// * `value` - The JSON value to convert.
+///
+/// Returns
+///
+/// The converted JSON value.
 fn convert_to_secure(value: &Value) -> Value {
     if let Some(string) = value.as_str() {
         let secure_string = crate::configure::parameters::SecureString {
@@ -205,12 +214,10 @@ fn convert_to_secure(value: &Value) -> Value {
     }
 
     if let Some(obj) = value.as_object() {
-        if obj.len() == 1 && obj.contains_key("secureObject") {
-            let secure_object = crate::configure::parameters::SecureObject {
-                secure_object: obj["secureObject"].clone(),
-            };
-            return serde_json::to_value(secure_object).unwrap_or(value.clone());
-        }
+        let secure_object = crate::configure::parameters::SecureObject {
+            secure_object: serde_json::Value::Object(obj.clone()),
+        };
+        return serde_json::to_value(secure_object).unwrap_or(value.clone());
     }
 
     if let Some(array) = value.as_array() {

dscecho/locales/en-us.toml

@@ -2,4 +2,3 @@ _version = 1
 
 [main]
 invalidJson = "Error JSON does not match schema"
-noInput = "No input provided."

dscecho/src/main.rs

@@ -8,10 +8,13 @@ use args::Args;
 use clap::Parser;
 use rust_i18n::{i18n, t};
 use schemars::schema_for;
+use serde_json::{Map, Value};
 use crate::echo::{Echo, Output};
 
 i18n!("locales", fallback = "en-us");
 
+const SECURE_VALUE_REDACTED: &str = "<secureValue>";
+
 fn main() {
     let args = Args::parse();
     match args.input {
@@ -24,9 +27,21 @@ fn main() {
                 }
             };
             if echo.show_secrets != Some(true) {
-                match &echo.output {
+                match echo.output {
                     Output::SecureString(_) | Output::SecureObject(_) => {
-                        echo.output = Output::String("<secureValue>".to_string());
+                        echo.output = Output::String(SECURE_VALUE_REDACTED.to_string());
+                    },
+                    Output::Array(ref mut arr) => {
+                        for item in arr.iter_mut() {
+                            if is_secure_value(item) {
+                                *item = Value::String(SECURE_VALUE_REDACTED.to_string());
+                            } else {
+                                *item = redact(item);
+                            }
+                        }
+                    },
+                    Output::Object(ref mut obj) => {
+                        *obj = redact(obj);
                     },
                     _ => {}
                 }
@@ -36,11 +51,39 @@ fn main() {
             return;
         },
         None => {
-            eprintln!("{}", t!("main.noInput"));
+            let schema = schema_for!(Echo);
+            let json = serde_json::to_string_pretty(&schema).unwrap();
+            println!("{json}");
+        }
+    }
+}
+
+fn is_secure_value(value: &Value) -> bool {
+    if let Some(obj) = value.as_object() {
+        if obj.len() == 1 && (obj.contains_key("secureString") || obj.contains_key("secureObject")) {
+            return true;
         }
     }
+    false
+}
+
+pub fn redact(value: &Value) -> Value {
+    if is_secure_value(value) {
+        return Value::String(SECURE_VALUE_REDACTED.to_string());
+    }
+
+    if let Some(map) = value.as_object() {
+        let mut new_map = Map::new();
+        for (key, val) in map {
+            new_map.insert(key.clone(), redact(val));
+        }
+        return Value::Object(new_map);
+    }
+
+    if let Some(array) = value.as_array() {
+        let new_array: Vec<Value> = array.iter().map(redact).collect();
+        return Value::Array(new_array);
+    }
 
-    let schema = schema_for!(Echo);
-    let json = serde_json::to_string_pretty(&schema).unwrap();
-    println!("{json}");
+    value.clone()
 }