fix: detect unresolved secrets in SqlDataSource

edmundmiller · edmundmiller · commit accb9529ade9 · 2025-08-21T11:42:27.000-05:00
Add resolveCredential method to SqlDataSource that detects unresolved
workspace secrets patterns like 'secrets.ATHENA_USER' and '[secret]'.
This prevents silent fallback to default credentials when secrets
aren't properly resolved by Nextflow's secrets system.

The method provides comprehensive error messages with troubleshooting
guidance for common secrets configuration issues.

Fixes issue where plugin would use default username 'sa' instead of
failing fast when workspace secrets were not accessible.

Signed-off-by: Edmund Miller &lt;edmund.miller@seqera.io&gt;
diff --git a/plugins/nf-sqldb/src/main/nextflow/sql/ChannelSqlExtension.groovy b/plugins/nf-sqldb/src/main/nextflow/sql/ChannelSqlExtension.groovy
@@ -106,11 +106,9 @@ class ChannelSqlExtension extends PluginExtensionPoint {
         final dataSource = config.getDataSource(dsName)
         if( dataSource==null ) {
             def msg = "Unknown db name: $dsName"
-            def choices = config.getDataSourceNames().closest(dsName) ?: config.getDataSourceNames()
-            if( choices?.size() == 1 )
-                msg += " - Did you mean: ${choices.get(0)}?"
-            else if( choices )
-                msg += " - Did you mean any of these?\n" + choices.collect { "  $it"}.join('\n') + '\n'
+            def choices = config.getDataSourceNames()
+            if( choices )
+                msg += " - Available databases: " + choices.join(', ')
             throw new IllegalArgumentException(msg)
         }
         return dataSource
diff --git a/plugins/nf-sqldb/src/main/nextflow/sql/config/SqlDataSource.groovy b/plugins/nf-sqldb/src/main/nextflow/sql/config/SqlDataSource.groovy
@@ -43,21 +43,53 @@ class SqlDataSource {
     SqlDataSource(Map opts) {
         this.url = opts.url ?: DEFAULT_URL
         this.driver = opts.driver ?: urlToDriver(url) ?: DEFAULT_DRIVER
-        this.user = opts.user ?: DEFAULT_USER
-        this.password = opts.password
+        this.user = resolveCredential(opts.user, 'user') ?: DEFAULT_USER
+        this.password = resolveCredential(opts.password, 'password')
     }
 
     SqlDataSource(Map opts, SqlDataSource fallback) {
         this.url = opts.url ?: fallback.url ?: DEFAULT_URL
         this.driver = opts.driver ?: urlToDriver(url) ?: fallback.driver ?: DEFAULT_DRIVER
-        this.user = opts.user ?: fallback.user ?: DEFAULT_USER
-        this.password = opts.password ?: fallback.password
+        this.user = resolveCredential(opts.user, 'user') ?: fallback.user ?: DEFAULT_USER
+        this.password = resolveCredential(opts.password, 'password') ?: fallback.password
     }
 
     protected String urlToDriver(String url) {
         DriverRegistry.DEFAULT.urlToDriver(url)
     }
 
+    /**
+     * Resolves a credential value, checking for unresolved secrets and providing appropriate error handling
+     * 
+     * @param value The credential value from configuration
+     * @param credType The type of credential ('user' or 'password') for error messages
+     * @return The resolved credential value, or null if not provided
+     * @throws IllegalArgumentException if an unresolved secret is detected
+     */
+    protected String resolveCredential(Object value, String credType) {
+        if (value == null) {
+            return null
+        }
+        
+        String stringValue = value.toString()
+        
+        // Check for unresolved secrets (patterns like 'secrets.ATHENA_USER' or similar)
+        if (stringValue.startsWith('secrets.') || stringValue.contains('secret') && stringValue.contains('[') && stringValue.contains(']')) {
+            throw new IllegalArgumentException(
+                "Unresolved secret detected for $credType: '$stringValue'. " +
+                "This typically indicates that workspace secrets are not properly configured or accessible. " +
+                "Please verify that:\n" +
+                "1. The secret is defined in your workspace/user secrets\n" +
+                "2. The secret name matches exactly (case-sensitive)\n" +
+                "3. You have proper permissions to access the secret\n" +
+                "4. The Nextflow version supports secrets integration (>=25.04.0)\n" +
+                "See: https://www.nextflow.io/docs/latest/secrets.html"
+            )
+        }
+        
+        return stringValue.isEmpty() ? null : stringValue
+    }
+
     Map toMap() {
         final result = new HashMap(10)
         if( url )
