check if secrets defined in services are defined

glours · glours · commit 8570d504a1d2 · 2022-11-02T22:17:21.000+01:00
Signed-off-by: Guillaume Lours &lt;705411+glours@users.noreply.github.com&gt;
diff --git a/loader/validate.go b/loader/validate.go
@@ -70,6 +70,12 @@ func checkConsistency(project *types.Project) error {
 				return errors.Wrap(errdefs.ErrInvalid, fmt.Sprintf("service %q refers to undefined config %s", s.Name, config.Source))
 			}
 		}
+
+		for _, secret := range s.Secrets {
+			if _, ok := project.Secrets[secret.Source]; !ok {
+				return errors.Wrap(errdefs.ErrInvalid, fmt.Sprintf("service %q refers to undefined secret %s", s.Name, secret.Source))
+			}
+		}
 	}
 
 	for name, secret := range project.Secrets {
diff --git a/loader/validate_test.go b/loader/validate_test.go
@@ -174,7 +174,7 @@ func TestValidateSecret(t *testing.T) {
 		err := checkConsistency(project)
 		assert.NilError(t, err)
 	})
-	t.Run("uset secret", func(t *testing.T) {
+	t.Run("unset secret type", func(t *testing.T) {
 		project := &types.Project{
 			Secrets: types.Secrets{
 				"foo": types.SecretConfig{},
@@ -183,6 +183,49 @@ func TestValidateSecret(t *testing.T) {
 		err := checkConsistency(project)
 		assert.Error(t, err, "secret \"foo\" must declare either `file` or `environment`: invalid compose project")
 	})
+
+	t.Run("service secret exist", func(t *testing.T) {
+		project := &types.Project{
+			Secrets: types.Secrets{
+				"foo": types.SecretConfig{
+					External: types.External{
+						External: true,
+					},
+				},
+			},
+			Services: types.Services([]types.ServiceConfig{
+				{
+					Name:  "myservice",
+					Image: "scratch",
+					Secrets: []types.ServiceSecretConfig{
+						{
+							Source: "foo",
+						},
+					},
+				},
+			}),
+		}
+		err := checkConsistency(project)
+		assert.NilError(t, err)
+	})
+
+	t.Run("service secret undefined", func(t *testing.T) {
+		project := &types.Project{
+			Services: types.Services([]types.ServiceConfig{
+				{
+					Name:  "myservice",
+					Image: "scratch",
+					Secrets: []types.ServiceSecretConfig{
+						{
+							Source: "foo",
+						},
+					},
+				},
+			}),
+		}
+		err := checkConsistency(project)
+		assert.Error(t, err, `service "myservice" refers to undefined secret foo: invalid compose project`)
+	})
 }
 
 func TestValidateDependsOn(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,12 @@ func checkConsistency(project *types.Project) error {`
`70`	`70`	`return errors.Wrap(errdefs.ErrInvalid, fmt.Sprintf("service %q refers to undefined config %s", s.Name, config.Source))`
`71`	`71`	`}`
`72`	`72`	`}`
	`73`	`+`
	`74`	`+ for _, secret := range s.Secrets {`
	`75`	`+ if _, ok := project.Secrets[secret.Source]; !ok {`
	`76`	`+ return errors.Wrap(errdefs.ErrInvalid, fmt.Sprintf("service %q refers to undefined secret %s", s.Name, secret.Source))`
	`77`	`+ }`
	`78`	`+ }`
`73`	`79`	`}`
`74`	`80`
`75`	`81`	`for name, secret := range project.Secrets {`