Initial support for secret function and extension

Author: SteveL-MSFT

dsc/src/subcommand.rs

@@ -645,8 +645,10 @@ fn list_extensions(dsc: &mut DscManager, extension_name: Option<&String>, format
     let mut include_separator = false;
     for manifest_resource in dsc.list_available(&DiscoveryKind::Extension, extension_name.unwrap_or(&String::from("*")), "", progress_format) {
         if let ImportedManifest::Extension(extension) = manifest_resource {
+            let mut capabilities = "--".to_string();
             let capability_types = [
                 (ExtensionCapability::Discover, "d"),
+                (ExtensionCapability::Secret, "s"),
             ];
             let mut capabilities = "-".repeat(capability_types.len());
 

dsc_lib/src/extensions/dscextension.rs

@@ -6,11 +6,11 @@ use serde::{Deserialize, Serialize};
 use serde_json::Value;
 use schemars::JsonSchema;
 use std::{fmt::Display, path::Path};
-use tracing::{info, trace};
+use tracing::{debug, info, trace};
 
 use crate::{discovery::command_discovery::{load_manifest, ImportedManifest}, dscerror::DscError, dscresources::{command_resource::{invoke_command, process_args}, dscresource::DscResource}};
 
-use super::{discover::DiscoverResult, extension_manifest::ExtensionManifest};
+use super::{discover::DiscoverResult, extension_manifest::ExtensionManifest, secret::SecretArgKind};
 
 #[derive(Clone, Debug, Deserialize, Serialize, JsonSchema)]
 #[serde(deny_unknown_fields)]
@@ -39,12 +39,15 @@ pub struct DscExtension {
 pub enum Capability {
     /// The extension aids in discovering resources.
     Discover,
+    /// The extension aids in retrieving secrets.
+    Secret,
 }
 
 impl Display for Capability {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
             Capability::Discover => write!(f, "Discover"),
+            Capability::Secret => write!(f, "Secret"),
         }
     }
 }
@@ -125,10 +128,75 @@ impl DscExtension {
             ))
         }
     }
+
+    pub fn secret(&self, name: &str, vault: Option<&str>) -> Result<Value, DscError> {
+        if self.capabilities.contains(&Capability::Secret) {
+            let extension = match serde_json::from_value::<ExtensionManifest>(self.manifest.clone()) {
+                Ok(manifest) => manifest,
+                Err(err) => {
+                    return Err(DscError::Manifest(self.type_name.clone(), err));
+                }
+            };
+            let Some(secret) = extension.secret else {
+                return Err(DscError::UnsupportedCapability(self.type_name.clone(), Capability::Secret.to_string()));
+            };
+            let args = process_secret_args(secret.args.as_ref(), name, vault);
+            let (_exit_code, stdout, _stderr) = invoke_command(
+                &secret.executable,
+                args,
+                vault,
+                Some(self.directory.as_str()),
+                None,
+                extension.exit_codes.as_ref(),
+            )?;
+            if stdout.is_empty() {
+                info!("{}", t!("extensions.dscextension.secretNoResults", extension = self.type_name));
+                Ok(Value::Null)
+            } else {
+                match serde_json::from_str(&stdout) {
+                    Ok(value) => Ok(value),
+                    Err(err) => Err(DscError::Json(err)),
+                }
+            }
+        } else {
+            Err(DscError::UnsupportedCapability(
+                self.type_name.clone(),
+                Capability::Secret.to_string()
+            ))
+        }
+    }
 }
 
 impl Default for DscExtension {
     fn default() -> Self {
         DscExtension::new()
     }
 }
+
+fn process_secret_args(args: Option<&Vec<SecretArgKind>>, name: &str, vault: Option<&str>) -> Option<Vec<String>> {
+    let Some(arg_values) = args else {
+        debug!("{}", t!("dscresources.commandResource.noArgs"));
+        return None;
+    };
+
+    let mut processed_args = Vec::<String>::new();
+    for arg in arg_values {
+        match arg {
+            SecretArgKind::String(s) => {
+                processed_args.push(s.clone());
+            },
+            SecretArgKind::Name { name_arg } => {
+                processed_args.push(name_arg.to_string());
+                processed_args.push(name.to_string());
+            },
+            SecretArgKind::Vault { vault_arg } => {
+                if let Some(value) = vault {
+                    processed_args.push(vault_arg.to_string());
+                    processed_args.push(value.to_string());
+                }
+            },
+        }
+    }
+
+    Some(processed_args)
+}

dsc_lib/src/extensions/extension_manifest.rs

@@ -9,26 +9,28 @@ use serde_json::Value;
 use std::collections::HashMap;
 
 use crate::{dscerror::DscError, schemas::DscRepoSchema};
-use crate::extensions::discover::DiscoverMethod;
+use crate::extensions::{discover::DiscoverMethod, secret::SecretMethod};
 
 #[derive(Debug, Default, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
 #[serde(deny_unknown_fields)]
 pub struct ExtensionManifest {
-    /// The version of the resource manifest schema.
+    /// The version of the extension manifest schema.
     #[serde(rename = "$schema")]
     #[schemars(schema_with = "ExtensionManifest::recognized_schema_uris_subschema")]
     pub schema_version: String,
     /// The namespaced name of the extension.
     #[serde(rename = "type")]
     pub r#type: String,
-    /// The version of the resource using semantic versioning.
+    /// The version of the extension using semantic versioning.
     pub version: String,
-    /// The description of the resource.
+    /// The description of the extension.
     pub description: Option<String>,
-    /// Tags for the resource.
+    /// Tags for the extension.
     pub tags: Option<Vec<String>>,
-    /// Details how to call the Discover method of the resource.
+    /// Details how to call the Discover method of the extension.
     pub discover: Option<DiscoverMethod>,
+    /// Details how to call the Secret method of the extension.
+    pub secret: Option<SecretMethod>,
     /// Mapping of exit codes to descriptions.  Zero is always success and non-zero is always failure.
     #[serde(rename = "exitCodes", skip_serializing_if = "Option::is_none")]
     pub exit_codes: Option<HashMap<i32, String>>,

dsc_lib/src/extensions/mod.rs

@@ -4,3 +4,4 @@
 pub mod discover;
 pub mod dscextension;
 pub mod extension_manifest;
+pub mod secret;

dsc_lib/src/extensions/secret.rs

@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
+#[serde(untagged)]
+pub enum SecretArgKind {
+    /// The argument is a string.
+    String(String),
+    /// The argument accepts the secret name.
+    Name {
+        /// The argument that accepts the secret name.
+        #[serde(rename = "nameArg")]
+        name_arg: String,
+    },
+    /// The argument accepts the vault name.
+    Vault {
+        /// The argument that accepts the vault name.
+        #[serde(rename = "vaultArg")]
+        vault_arg: String,
+    },
+}
+
+#[derive(Debug, Default, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
+pub struct SecretMethod {
+    /// The command to run to get the state of the resource.
+    pub executable: String,
+    /// The arguments to pass to the command to perform a Get.
+    pub args: Option<Vec<SecretArgKind>>,
+}
+
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
+pub struct SecretResult {
+    pub secret: String,
+}

dsc_lib/src/functions/secret.rs

@@ -0,0 +1,67 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+use crate::DscError;
+use crate::configure::context::Context;
+use crate::functions::AcceptedArgKind;
+use serde_json::Value;
+use super::Function;
+
+#[derive(Debug, Default)]
+pub struct Secret {}
+
+impl Function for Secret {
+    fn accepted_arg_types(&self) -> Vec<AcceptedArgKind> {
+        vec![AcceptedArgKind::String]
+    }
+
+    fn min_args(&self) -> usize {
+        1
+    }
+
+    fn max_args(&self) -> usize {
+        2
+    }
+
+    fn invoke(&self, args: &[Value], context: &Context) -> Result<Value, DscError> {
+        let secret = args[0].as_str().ok_or_else(|| {
+            DscError::InvalidArgumentType("Secret function requires a string argument".to_string())
+        })?.to_string();
+        let vault: Option<String> = if args.len() > 1 {
+            args[1].as_str().map(|s| s.to_string())
+        } else {
+            None
+        };
+
+        // if no vault name is provided, we query all extensions supporting the secret method
+        // to see if any of them can provide the secret.  If none can or if multiple can, we return an error.
+
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::configure::context::Context;
+    use crate::parser::Statement;
+
+    #[test]
+    fn strings() {
+        let mut parser = Statement::new().unwrap();
+        let result = parser.parse_and_execute("[base64('hello world')]", &Context::new()).unwrap();
+        assert_eq!(result, "aGVsbG8gd29ybGQ=");
+    }
+
+    #[test]
+    fn numbers() {
+        let mut parser = Statement::new().unwrap();
+        let result = parser.parse_and_execute("[base64(123)]", &Context::new());
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn nested() {
+        let mut parser = Statement::new().unwrap();
+        let result = parser.parse_and_execute("[base64(base64('hello world'))]", &Context::new()).unwrap();
+        assert_eq!(result, "YUdWc2JHOGdkMjl5YkdRPQ==");
+    }
+}