fix: allows non-secret array value, if all items are secret

Author: joelgallant

app-config/src/schema.test.ts

@@ -1,7 +1,7 @@
 import { JsonObject } from './common';
 import { ParsedValue } from './parsed-value';
 import { generateSymmetricKey, encryptValue } from './encryption';
-import { encryptedDirective, extendsDirective } from './extensions';
+import { encryptedDirective, extendsDirective, envDirective } from './extensions';
 import { loadSchema } from './schema';
 import { withTempFiles } from './test-util';
 
@@ -556,5 +556,34 @@ describe('Validation', () => {
         },
       );
     });
+
+    it('allows a "secret" array with all secret values, but not secret itself', async () => {
+      await withTempFiles(
+        {
+          '.app-config.schema.yml': `
+          type: object
+          properties:
+            foo:
+              type: array
+              secret: true
+              items:
+                type: string
+        `,
+        },
+        async (inDir) => {
+          const { validate } = await loadSchema({ directory: inDir('.') });
+          const symmetricKey = await generateSymmetricKey(1);
+
+          const parsed = await ParsedValue.parseLiteral(
+            {
+              foo: [await encryptValue('secret-1', symmetricKey)],
+            },
+            [encryptedDirective(symmetricKey), envDirective()],
+          );
+
+          validate(parsed.toJSON() as JsonObject, parsed);
+        },
+      );
+    });
   });
 });

app-config/src/schema.ts

@@ -123,12 +123,11 @@ export async function loadSchema({
         const arr = found.asArray();
 
         if (arr) {
-          if (!arr.every((v) => v.meta.fromSecrets)) {
-            return false;
-          }
+          return arr.every((v) => v.meta.fromSecrets);
         }
 
         if (!found.meta.fromSecrets) {
+          // arrays that are "secret" don't need to be secret themselves, just the items in that array do
           return false;
         }
       }