Fix consistent passing of secureString and secureObject

Author: SteveL-MSFT

dsc_lib/locales/en-us.toml

@@ -511,6 +511,7 @@ parsingIndexAccessor = "Parsing index accessor '%{index}'"
 indexNotFound = "Index value not found"
 invalidAccessorKind = "Invalid accessor kind: '%{kind}'"
 functionResult = "Function results: %{results}"
+functionResultSecure = "Function result is secure"
 evalAccessors = "Evaluating accessors"
 memberNameNotFound = "Member '%{member}' not found"
 accessOnNonObject = "Member access on non-object value"

dsc_lib/src/configure/mod.rs

@@ -3,6 +3,7 @@
 
 use crate::configure::config_doc::{ExecutionKind, Metadata, Resource};
 use crate::configure::context::{Context, ProcessMode};
+use crate::configure::parameters::is_secure_value;
 use crate::configure::{config_doc::RestartRequired, parameters::Input};
 use crate::discovery::discovery_trait::DiscoveryFilter;
 use crate::dscerror::DscError;
@@ -214,7 +215,19 @@ fn add_metadata(dsc_resource: &DscResource, mut properties: Option<Map<String, V
 
     match properties {
         Some(properties) => {
-            Ok(serde_json::to_string(&properties)?)
+            let mut unsecure_properties = Map::new();
+            for (key, value) in properties {
+                if is_secure_value(&value) {
+                    if value.get("secureString").is_some() {
+                        unsecure_properties.insert(key.clone(), "<secureString>".into());
+                    } else if value.get("secureObject").is_some() {
+                        unsecure_properties.insert(key.clone(), "<secureObject>".into());
+                    }
+                } else {
+                    unsecure_properties.insert(key, value);
+                }
+            }
+            Ok(serde_json::to_string(&unsecure_properties)?)
         },
         _ => {
             Ok(String::new())

dsc_lib/src/configure/parameters.rs

@@ -12,19 +12,53 @@ pub struct Input {
 }
 
 #[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
-#[serde(deny_unknown_fields, untagged)]
-pub enum SecureKind {
+pub struct SecureString {
     #[serde(rename = "secureString")]
-    SecureString(String),
+    pub secure_string: String,
+}
+
+impl Display for SecureString {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "<secureString>")
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
+pub struct SecureObject {
     #[serde(rename = "secureObject")]
-    SecureObject(Value),
+    pub secure_object: Value,
 }
 
-impl Display for SecureKind {
+impl Display for SecureObject {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self {
-            SecureKind::SecureString(_) => write!(f, "<secureString>"),
-            SecureKind::SecureObject(_) => write!(f, "<secureObject>"),
+        write!(f, "<secureObject>")
+    }
+}
+
+/// Check if a given JSON value is a secure value (either `SecureString` or `SecureObject`).
+///
+/// # Arguments
+///
+/// * `value` - The JSON value to check.
+///
+/// # Returns
+///
+/// `true` if the value is a secure value, `false` otherwise.
+#[must_use]
+pub fn is_secure_value(value: &Value) -> bool {
+    if let Some(obj) = value.as_object() {
+        if obj.len() == 1 && (obj.contains_key("secureString") || obj.contains_key("secureObject")) {
+            return true;
         }
     }
+    false
+}
+
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
+#[serde(deny_unknown_fields, untagged)]
+pub enum SecureKind {
+    #[serde(rename = "secureString")]
+    SecureString(SecureString),
+    #[serde(rename = "secureObject")]
+    SecureObject(SecureObject),
 }

dsc_lib/src/dscresources/command_resource.rs

@@ -717,9 +717,9 @@ async fn run_process_async(executable: &str, args: Option<Vec<String>>, input: O
 #[allow(clippy::implicit_hasher)]
 #[tokio::main]
 pub async fn invoke_command(executable: &str, args: Option<Vec<String>>, input: Option<&str>, cwd: Option<&str>, env: Option<HashMap<String, String>>, exit_codes: Option<&HashMap<i32, String>>) -> Result<(i32, String, String), DscError> {
-    debug!("{}", t!("dscresources.commandResource.commandInvoke", executable = executable, args = args : {:?}));
+    trace!("{}", t!("dscresources.commandResource.commandInvoke", executable = executable, args = args : {:?}));
     if let Some(cwd) = cwd {
-        debug!("{}", t!("dscresources.commandResource.commandCwd", cwd = cwd));
+        trace!("{}", t!("dscresources.commandResource.commandCwd", cwd = cwd));
     }
 
     match run_process_async(executable, args, input, cwd, env, exit_codes).await {

dsc_lib/src/functions/parameters.rs

@@ -2,7 +2,7 @@
 // Licensed under the MIT License.
 
 use crate::configure::config_doc::DataType;
-use crate::configure::parameters::SecureKind;
+use crate::configure::parameters::{SecureObject, SecureString};
 use crate::DscError;
 use crate::configure::context::Context;
 use crate::functions::{FunctionArgKind, Function, FunctionCategory, FunctionMetadata};
@@ -40,11 +40,15 @@ impl Function for Parameters {
                         let Some(value) = value.as_str() else {
                             return Err(DscError::Parser(t!("functions.parameters.keyNotString", key = key).to_string()));
                         };
-                        let secure_string = SecureKind::SecureString(value.to_string());
+                        let secure_string = SecureString {
+                            secure_string: value.to_string(),
+                        };
                         Ok(serde_json::to_value(secure_string)?)
                     },
                     DataType::SecureObject => {
-                        let secure_object = SecureKind::SecureObject(value.clone());
+                        let secure_object = SecureObject {
+                            secure_object: value.clone(),
+                        };
                         Ok(serde_json::to_value(secure_object)?)
                     },
                     _ => {

dsc_lib/src/parser/expressions.rs

@@ -7,6 +7,7 @@ use tracing::{debug, trace};
 use tree_sitter::Node;
 
 use crate::configure::context::Context;
+use crate::configure::parameters::is_secure_value;
 use crate::dscerror::DscError;
 use crate::functions::FunctionDispatcher;
 use crate::parser::functions::Function;
@@ -113,17 +114,30 @@ impl Expression {
     /// This function will return an error if the expression fails to execute.
     pub fn invoke(&self, function_dispatcher: &FunctionDispatcher, context: &Context) -> Result<Value, DscError> {
         let result = self.function.invoke(function_dispatcher, context)?;
-        // skip trace if function is 'secret()'
-        if self.function.name() != "secret" {
+        if self.function.name() != "secret" && !is_secure_value(&result) {
             let result_json = serde_json::to_string(&result)?;
             trace!("{}", t!("parser.expression.functionResult", results = result_json));
+        } else {
+            trace!("{}", t!("parser.expression.functionResultSecure"));
         }
         if self.accessors.is_empty() {
             Ok(result)
         }
         else {
             debug!("{}", t!("parser.expression.evalAccessors"));
             let mut value = result;
+            let is_secure = is_secure_value(&value);
+            if is_secure {
+                // if a SecureString, extract the string value
+                if let Some(string) = value.get("secureString") {
+                    if let Some(s) = string.as_str() {
+                        value = Value::String(s.to_string());
+                    }
+                } else if let Some(obj) = value.get("secureObject") {
+                    // if a SecureObject, extract the object value
+                    value = obj.clone();
+                }
+            }
             for accessor in &self.accessors {
                 let mut index = Value::Null;
                 match accessor {
@@ -132,7 +146,12 @@ impl Expression {
                             if !object.contains_key(member) {
                                 return Err(DscError::Parser(t!("parser.expression.memberNameNotFound", member = member).to_string()));
                             }
-                            value = object[member].clone();
+                            if is_secure {
+                                // if the original value was a secure value, we need to convert the member value back to secure
+                                value = convert_to_secure(&object[member]);
+                            } else {
+                                value = object[member].clone();
+                            }
                         } else {
                             return Err(DscError::Parser(t!("parser.expression.accessOnNonObject").to_string()));
                         }
@@ -169,3 +188,27 @@ impl Expression {
         }
     }
 }
+
+fn convert_to_secure(value: &Value) -> Value {
+    if let Some(string) = value.as_str() {
+        let secure_string = crate::configure::parameters::SecureString {
+            secure_string: string.to_string(),
+        };
+        return serde_json::to_value(secure_string).unwrap_or(value.clone());
+    }
+
+    if let Some(obj) = value.as_object() {
+        if obj.len() == 1 && obj.contains_key("secureObject") {
+            let secure_object = crate::configure::parameters::SecureObject {
+                secure_object: obj["secureObject"].clone(),
+            };
+            return serde_json::to_value(secure_object).unwrap_or(value.clone());
+        }
+    }
+
+    if let Some(array) = value.as_array() {
+        let new_array: Vec<Value> = array.iter().map(convert_to_secure).collect();
+        return Value::Array(new_array);
+    }
+    value.clone()
+}

dscecho/src/echo.rs

@@ -17,13 +17,25 @@ pub enum Output {
     #[serde(rename = "object")]
     Object(Value),
     #[serde(rename = "secureObject")]
-    SecureObject(Value),
+    SecureObject(SecureObject),
     #[serde(rename = "secureString")]
-    SecureString(String),
+    SecureString(SecureString),
     #[serde(rename = "string")]
     String(String),
 }
 
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
+#[serde(deny_unknown_fields)]
+pub struct SecureString {
+    pub secure_string: String,
+}
+
+#[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
+#[serde(deny_unknown_fields)]
+pub struct SecureObject {
+    pub secure_object: Value,
+}
+
 #[derive(Debug, Clone, PartialEq, Deserialize, Serialize, JsonSchema)]
 #[serde(deny_unknown_fields)]
 pub struct Echo {

dscecho/src/main.rs

@@ -8,21 +8,30 @@ use args::Args;
 use clap::Parser;
 use rust_i18n::{i18n, t};
 use schemars::schema_for;
-use crate::echo::Echo;
+use crate::echo::{Echo, Output};
 
 i18n!("locales", fallback = "en-us");
 
 fn main() {
     let args = Args::parse();
     match args.input {
         Some(input) => {
-            let echo = match serde_json::from_str::<Echo>(&input) {
+            let mut echo = match serde_json::from_str::<Echo>(&input) {
                 Ok(echo) => echo,
                 Err(err) => {
                     eprintln!("{}: {err}", t!("main.invalidJson"));
                     std::process::exit(1);
                 }
             };
+            match echo.output {
+                Output::SecureObject(_) => {
+                    echo.output = Output::String("<secureObject>".to_string());
+                },
+                Output::SecureString(_) => {
+                    echo.output = Output::String("<secureString>".to_string());
+                },
+                _ => {}
+            }
             let json = serde_json::to_string(&echo).unwrap();
             println!("{json}");
             return;