fix: tighten coder_secret validation, add duplicate detection, and address other pr feedback

dylanhuff-at-coder · dylanhuff-at-coder · commit b99b63d829ce · 2026-04-21T04:03:51.000Z
diff --git a/extract/secret.go b/extract/secret.go
@@ -35,21 +35,43 @@ func SecretFromBlock(block *terraform.Block) (req *types.SecretRequirement, diag
 		diags = diags.Append(helpDiag)
 	}
 
-	env := optionalString(block, "env")
-	file := optionalString(block, "file")
+	// Check presence separately from value so we can distinguish "attribute
+	// absent" from "attribute present but wrong type"; the latter must produce
+	// a type diagnostic instead of being silently treated as unset.
+	envAttr := block.GetAttribute("env")
+	fileAttr := block.GetAttribute("file")
+	envSet := envAttr != nil && !envAttr.IsNil()
+	fileSet := fileAttr != nil && !fileAttr.IsNil()
 
-	// Mutual exclusivity: exactly one of env/file must be set.
+	var env, file string
+	if envSet {
+		v, d := requiredString(block, "env")
+		if d != nil {
+			diags = diags.Append(d)
+		}
+		env = v
+	}
+	if fileSet {
+		v, d := requiredString(block, "file")
+		if d != nil {
+			diags = diags.Append(d)
+		}
+		file = v
+	}
+
+	// Mutual exclusivity is based on presence, not parsed value, so a
+	// wrong-type attribute still counts as "set" here.
 	switch {
-	case env == "" && file == "":
-		r := block.HCLBlock().Body.MissingItemRange()
+	case !envSet && !fileSet:
+		r := block.HCLBlock().DefRange
 		diags = diags.Append(&hcl.Diagnostic{
 			Severity: hcl.DiagError,
 			Summary:  `Invalid "coder_secret" block`,
 			Detail:   `Exactly one of "env" or "file" must be set, neither were set`,
 			Subject:  &r,
 		})
-	case env != "" && file != "":
-		r := block.HCLBlock().Body.MissingItemRange()
+	case envSet && fileSet:
+		r := block.HCLBlock().DefRange
 		diags = diags.Append(&hcl.Diagnostic{
 			Severity: hcl.DiagError,
 			Summary:  `Invalid "coder_secret" block`,
diff --git a/preview_test.go b/preview_test.go
@@ -42,13 +42,13 @@ func Test_Extract(t *testing.T) {
 		failPreview bool
 		input       preview.Input
 
-		expTags      map[string]string
-		unknownTags  []string
-		params       map[string]assertParam
-		variables    map[string]assertVariable
-		presetsFuncs func(t *testing.T, presets []types.Preset)
-		presets      map[string]assertPreset
-		warnings     []*regexp.Regexp
+		expTags            map[string]string
+		unknownTags        []string
+		params             map[string]assertParam
+		variables          map[string]assertVariable
+		presetsFuncs       func(t *testing.T, presets []types.Preset)
+		presets            map[string]assertPreset
+		warnings           []*regexp.Regexp
 		secretRequirements []types.SecretRequirement
 	}{
 		{
@@ -1200,6 +1200,60 @@ data "coder_secret" "x" {
 `,
 			wantDiag: `Exactly one of "env" or "file" must be set`,
 		},
+		{
+			name: "env wrong type (number)",
+			tf: `
+data "coder_secret" "x" {
+  env          = 42
+  help_message = "ok"
+}
+`,
+			wantDiag: `Expected a string`,
+		},
+		{
+			name: "file wrong type (bool)",
+			tf: `
+data "coder_secret" "x" {
+  file         = true
+  help_message = "ok"
+}
+`,
+			wantDiag: `Expected a string`,
+		},
+		{
+			name: "env null",
+			tf: `
+data "coder_secret" "x" {
+  env          = null
+  help_message = "ok"
+}
+`,
+			wantDiag: `Expected a string`,
+		},
+		{
+			name: "file null",
+			tf: `
+data "coder_secret" "x" {
+  file         = null
+  help_message = "ok"
+}
+`,
+			wantDiag: `Expected a string`,
+		},
+		{
+			name: "duplicate block labels",
+			tf: `
+data "coder_secret" "x" {
+  env          = "A"
+  help_message = "first"
+}
+data "coder_secret" "x" {
+  env          = "B"
+  help_message = "second"
+}
+`,
+			wantDiag: `duplicate coder_secret blocks with name "x"`,
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
@@ -1219,3 +1273,42 @@ data "coder_secret" "x" {
 		})
 	}
 }
+
+// Test_SecretRequirement_DuplicateDetectionRequiresExtractionSuccess pins the
+// current behavior: duplicate-label detection only fires for blocks that
+// successfully extract. When one of two same-labeled blocks has an extraction
+// error (e.g. wrong attribute type), the dedup bookkeeping skips it, so the
+// "duplicate coder_secret blocks" diagnostic does not appear — only the
+// per-block extraction error does. This matches parameter.go's precedent.
+// If this behavior is ever changed to "track duplicates regardless of
+// extraction success," update this test.
+func Test_SecretRequirement_DuplicateDetectionRequiresExtractionSuccess(t *testing.T) {
+	t.Parallel()
+	tf := `
+data "coder_secret" "x" {
+  env          = 42
+  help_message = "first"
+}
+data "coder_secret" "x" {
+  env          = "B"
+  help_message = "second"
+}
+`
+	fsys := fstest.MapFS{"main.tf": &fstest.MapFile{Data: []byte(tf)}}
+	_, diags := preview.Preview(context.Background(), preview.Input{}, fsys)
+	require.True(t, diags.HasErrors(), "expected errors; got %v", diags)
+
+	var hasTypeErr, hasDupeErr bool
+	for _, d := range diags {
+		msg := d.Summary + " " + d.Detail
+		if strings.Contains(msg, "Expected a string") {
+			hasTypeErr = true
+		}
+		if strings.Contains(msg, "duplicate coder_secret blocks") {
+			hasDupeErr = true
+		}
+	}
+	require.True(t, hasTypeErr, "expected type error for env=42; got: %v", diags)
+	require.False(t, hasDupeErr,
+		"duplicate diagnostic unexpectedly fired; dedup should only track successful extractions. diags: %v", diags)
+}
diff --git a/secret.go b/secret.go
@@ -1,6 +1,9 @@
 package preview
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/aquasecurity/trivy/pkg/iac/terraform"
 	"github.com/hashicorp/hcl/v2"
 
@@ -11,6 +14,10 @@ import (
 func secrets(modules terraform.Modules) ([]types.SecretRequirement, hcl.Diagnostics) {
 	diags := make(hcl.Diagnostics, 0)
 	reqs := make([]types.SecretRequirement, 0)
+	// Track blocks by label (e.g. "x" in `data "coder_secret" "x"`) so we can
+	// emit a single duplicate diagnostic per colliding label. Mirrors the
+	// parameter dedup pattern in parameter.go.
+	exists := make(map[string][]*terraform.Block)
 
 	for _, mod := range modules {
 		blocks := mod.GetDatasByType(types.BlockTypeSecret)
@@ -21,10 +28,29 @@ func secrets(modules terraform.Modules) ([]types.SecretRequirement, hcl.Diagnost
 			}
 			if req != nil {
 				reqs = append(reqs, *req)
+				name := block.NameLabel()
+				exists[name] = append(exists[name], block)
 			}
 		}
 	}
 
+	for name, blocks := range exists {
+		if len(blocks) <= 1 {
+			continue
+		}
+		var detail strings.Builder
+		for _, b := range blocks {
+			_, _ = detail.WriteString(fmt.Sprintf("block %q at %s\n",
+				b.Type()+"."+strings.Join(b.Labels(), "."),
+				b.HCLBlock().TypeRange))
+		}
+		diags = diags.Append(&hcl.Diagnostic{
+			Severity: hcl.DiagError,
+			Summary:  fmt.Sprintf("Found %d duplicate coder_secret blocks with name %q, this is not allowed", len(blocks), name),
+			Detail:   detail.String(),
+		})
+	}
+
 	types.SortSecretRequirements(reqs)
 	return reqs, diags
 }
diff --git a/types/secret.go b/types/secret.go
@@ -12,9 +12,9 @@ const BlockTypeSecret = "coder_secret"
 // template. Exactly one of Env or File will be non-empty; validation of that
 // invariant happens during extraction.
 type SecretRequirement struct {
-	Env         string `json:"env"`
-	File        string `json:"file"`
-	HelpMessage string `json:"help_message"`
+	Env         string `json:"env,omitempty"`
+	File        string `json:"file,omitempty"`
+	HelpMessage string `json:"help_message,omitempty"`
 }
 
 // SortSecretRequirements orders requirements first by Env then by File so
diff --git a/types/secret_test.go b/types/secret_test.go
@@ -0,0 +1,54 @@
+package types_test
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/preview/types"
+)
+
+// Test_SecretRequirement_JSON_Omitempty verifies that empty Env, File, and
+// HelpMessage fields are omitted from the marshaled JSON. Since extraction
+// enforces exactly one of Env/File is non-empty, omitempty makes the on-the-
+// wire shape explicit about which field applies.
+func Test_SecretRequirement_JSON_Omitempty(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name string
+		req  types.SecretRequirement
+		want string
+	}{
+		{
+			name: "env only",
+			req:  types.SecretRequirement{Env: "FOO", HelpMessage: "set FOO"},
+			want: `{"env":"FOO","help_message":"set FOO"}`,
+		},
+		{
+			name: "file only",
+			req:  types.SecretRequirement{File: "~/bar", HelpMessage: "set bar"},
+			want: `{"file":"~/bar","help_message":"set bar"}`,
+		},
+		{
+			name: "empty help_message is omitted",
+			req:  types.SecretRequirement{Env: "FOO"},
+			want: `{"env":"FOO"}`,
+		},
+		{
+			name: "all empty produces empty object",
+			req:  types.SecretRequirement{},
+			want: `{}`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := json.Marshal(tc.req)
+			require.NoError(t, err)
+			require.JSONEq(t, tc.want, string(got))
+		})
+	}
+}
