Change secret extensions to emit secret without JSON wrapping

Steve Lee (POWERSHELL HE/HIM) (from Dev Box) · Steve Lee (POWERSHELL HE/HIM) (from Dev Box) · commit e9ec9d5ca1b1 · 2025-08-12T09:09:35.000-07:00
diff --git a/dsc/tests/dsc_extension_secret.tests.ps1 b/dsc/tests/dsc_extension_secret.tests.ps1
diff --git a/dsc_lib/src/extensions/dscextension.rs b/dsc_lib/src/extensions/dscextension.rs
@@ -9,7 +9,20 @@ use schemars::JsonSchema;
 use std::{fmt::Display, path::Path};
 use tracing::{debug, info, trace};
 
-use crate::{discovery::command_discovery::{load_manifest, ImportedManifest}, dscerror::DscError, dscresources::{command_resource::{invoke_command, process_args}, dscresource::DscResource}, extensions::{import::ImportArgKind, secret::SecretResult}};
+use crate::{
+    discovery::command_discovery::{
+        load_manifest, ImportedManifest
+    },
+    dscerror::DscError,
+    dscresources::{
+        command_resource::{
+            invoke_command,
+            process_args
+        },
+        dscresource::DscResource
+    },
+    extensions::import::ImportArgKind
+};
 
 use super::{discover::DiscoverResult, extension_manifest::ExtensionManifest, secret::SecretArgKind};
 
@@ -232,18 +245,8 @@ impl DscExtension {
                 info!("{}", t!("extensions.dscextension.secretNoResults", extension = self.type_name));
                 Ok(None)
             } else {
-                let result: SecretResult = match serde_json::from_str(&stdout) {
-                    Ok(value) => value,
-                    Err(err) => {
-                        return Err(DscError::Extension(t!("extensions.dscextension.secretExtensionReturnedInvalidJson", extension = self.type_name, error = err).to_string()));
-                    }
-                };
-                if result.secure_string.is_some() {
-                    debug!("{}", t!("extensions.dscextension.extensionReturnedSecret", extension = self.type_name));
-                } else {
-                    debug!("{}", t!("extensions.dscextension.extensionReturnedNoSecret", extension = self.type_name));
-                }
-                Ok(result.secure_string)
+                debug!("{}", t!("extensions.dscextension.extensionReturnedSecret", extension = self.type_name));
+                Ok(Some(stdout))
             }
         } else {
             Err(DscError::UnsupportedCapability(
diff --git a/dsc_lib/src/extensions/secret.rs b/dsc_lib/src/extensions/secret.rs
@@ -30,9 +30,3 @@ pub struct SecretMethod {
     /// The arguments to pass to the command to perform a Get.
     pub args: Option<Vec<SecretArgKind>>,
 }
-
-#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
-pub struct SecretResult {
-    #[serde(rename = "secureString")]
-    pub secure_string: Option<String>,
-}
diff --git a/extensions/bicep/bicep.dsc.extension.json b/extensions/bicep/bicep.dsc.extension.json
@@ -1,5 +1,5 @@
 {
-    "$schema": "https://aka.ms/dsc/schemas/v3/bundled/resource/manifest.json",
+    "$schema": "https://aka.ms/dsc/schemas/v3/bundled/extension/manifest.json",
     "type": "Microsoft.DSC.Extension/Bicep",
     "version": "0.1.0",
     "description": "Enable passing Bicep file directly to DSC, but requires bicep executable to be available.",
diff --git a/extensions/test/secret/secret.ps1 b/extensions/test/secret/secret.ps1
@@ -43,10 +43,8 @@ function get-secret($hashtable, $name, $vault) {
     return $null
 }
 
-$secret = if ($Second) {
+if ($Second) {
     get-secret -hashtable $secretTwo -name $Name -vault $Vault
 } else {
     get-secret -hashtable $secretsOne -name $Name -vault $Vault
 }
-
-@{ secureString = $secret } | ConvertTo-Json -Compress | Write-Output
diff --git a/extensions/test/secret/testSecret.dsc.extension.json b/extensions/test/secret/testSecret.dsc.extension.json
@@ -1,8 +1,8 @@
 {
-    "$schema": "https://aka.ms/dsc/schemas/v3/bundled/resource/manifest.json",
+    "$schema": "https://aka.ms/dsc/schemas/v3/bundled/extension/manifest.json",
     "type": "Test/Secret",
     "version": "0.1.0",
-    "description": "Example secret resource for testing.",
+    "description": "Example secret extension for testing.",
     "secret": {
         "executable": "pwsh",
         "args": [
diff --git a/extensions/test/secret/testSecret2.dsc.extension.json b/extensions/test/secret/testSecret2.dsc.extension.json
@@ -1,8 +1,8 @@
 {
-    "$schema": "https://aka.ms/dsc/schemas/v3/bundled/resource/manifest.json",
+    "$schema": "https://aka.ms/dsc/schemas/v3/bundled/extension/manifest.json",
     "type": "Test/Secret2",
     "version": "0.1.0",
-    "description": "Duplicate secret resource for testing.",
+    "description": "Duplicate secret extension for testing.",
     "secret": {
         "executable": "pwsh",
         "args": [

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "$schema": "https://aka.ms/dsc/schemas/v3/bundled/resource/manifest.json",`
	`2`	`+ "$schema": "https://aka.ms/dsc/schemas/v3/bundled/extension/manifest.json",`
`3`	`3`	`"type": "Microsoft.DSC.Extension/Bicep",`
`4`	`4`	`"version": "0.1.0",`
`5`	`5`	`"description": "Enable passing Bicep file directly to DSC, but requires bicep executable to be available.",`
Original file line number	Diff line number	Diff line change
`@@ -43,10 +43,8 @@ function get-secret($hashtable, $name, $vault) {`
`43`	`43`	`return $null`
`44`	`44`	`}`
`45`	`45`
`46`		`-$secret = if ($Second) {`
	`46`	`+if ($Second) {`
`47`	`47`	`get-secret -hashtable $secretTwo -name $Name -vault $Vault`
`48`	`48`	`} else {`
`49`	`49`	`get-secret -hashtable $secretsOne -name $Name -vault $Vault`
`50`	`50`	`}`
`51`		`-`
`52`		`-@{ secureString = $secret } \| ConvertTo-Json -Compress \| Write-Output`