Fix absolute path handling for secret files

Secret files are converted to bind mounts, so handle them in the same way
as volumes - detect and handle unix-like absolute paths.

Signed-off-by: Oldřich Jedlička <[email protected]>

Author: oldium

loader/full-example.yml

@@ -428,6 +428,8 @@ secrets:
     environment: BAR
     x-bar: baz
     x-foo: bar
+  secret5:
+    file: /abs/secret_data
 x-bar: baz
 x-foo: bar
 x-nested:

loader/full-struct_test.go

@@ -574,6 +574,9 @@ func secrets(workingDir string) map[string]types.SecretConfig {
 				"x-foo": "bar",
 			},
 		},
+		"secret5": {
+			File: "/abs/secret_data",
+		},
 	}
 }
 
@@ -985,6 +988,8 @@ secrets:
     environment: BAR
     x-bar: baz
     x-foo: bar
+  secret5:
+    file: /abs/secret_data
 configs:
   config1:
     file: %s
@@ -1106,6 +1111,10 @@ func fullExampleJSON(workingDir, homeDir string) string {
       "name": "bar",
       "environment": "BAR",
       "external": false
+    },
+    "secret5": {
+      "file": "/abs/secret_data",
+      "external": false
     }
   },
   "services": {

loader/loader.go

@@ -660,8 +660,8 @@ func resolveEnvironment(serviceConfig *types.ServiceConfig, workingDir string, l
 	return nil
 }
 
-func resolveVolumePath(volume types.ServiceVolumeConfig, workingDir string, lookupEnv template.Mapping) types.ServiceVolumeConfig {
-	filePath := expandUser(volume.Source, lookupEnv)
+func resolveMaybeUnixPath(path string, workingDir string, lookupEnv template.Mapping) string {
+	filePath := expandUser(path, lookupEnv)
 	// Check if source is an absolute path (either Unix or Windows), to
 	// handle a Windows client with a Unix daemon or vice-versa.
 	//
@@ -671,10 +671,21 @@ func resolveVolumePath(volume types.ServiceVolumeConfig, workingDir string, look
 	if !paths.IsAbs(filePath) && !isAbs(filePath) {
 		filePath = absPath(workingDir, filePath)
 	}
-	volume.Source = filePath
+	return filePath
+}
+
+func resolveVolumePath(volume types.ServiceVolumeConfig, workingDir string, lookupEnv template.Mapping) types.ServiceVolumeConfig {
+	volume.Source = resolveMaybeUnixPath(volume.Source, workingDir, lookupEnv)
 	return volume
 }
 
+func resolveSecretsPath(secret types.SecretConfig, workingDir string, lookupEnv template.Mapping) types.SecretConfig {
+	if ! secret.External.External && secret.File != "" {
+		secret.File = resolveMaybeUnixPath(secret.File, workingDir, lookupEnv)
+	}
+	return secret
+}
+
 // TODO: make this more robust
 func expandUser(path string, lookupEnv template.Mapping) string {
 	if strings.HasPrefix(path, "~") {
@@ -782,11 +793,14 @@ func LoadSecrets(source map[string]interface{}, details types.ConfigDetails, res
 		return secrets, err
 	}
 	for name, secret := range secrets {
-		obj, err := loadFileObjectConfig(name, "secret", types.FileObjectConfig(secret), details, resolvePaths)
+		obj, err := loadFileObjectConfig(name, "secret", types.FileObjectConfig(secret), details, false)
 		if err != nil {
 			return nil, err
 		}
 		secretConfig := types.SecretConfig(obj)
+		if resolvePaths {
+			secretConfig = resolveSecretsPath(secretConfig, details.WorkingDir, details.LookupEnv)
+		}
 		secrets[name] = secretConfig
 	}
 	return secrets, nil