fix(build): fix secret config validation not working (#6598)

iapershin · alexey-igrychev · web-flow · commit e9269c05aa59 · 2025-02-05T21:53:57.000Z
Signed-off-by: Yaroslav Pershin &lt;62902094+iapershin@users.noreply.github.com&gt;
Signed-off-by: Aleksei Igrychev &lt;aleksei.igrychev@palark.com&gt;
Co-authored-by: Aleksei Igrychev &lt;aleksei.igrychev@palark.com&gt;
diff --git a/pkg/config/raw_image_from_dockerfile.go b/pkg/config/raw_image_from_dockerfile.go
@@ -170,3 +170,7 @@ func (c *rawImageFromDockerfile) toImageFromDockerfileDirective(giterminismManag
 
 	return image, nil
 }
+
+func (r *rawImageFromDockerfile) getDoc() *doc {
+	return r.doc
+}
diff --git a/pkg/config/raw_secrets.go b/pkg/config/raw_secrets.go
@@ -4,40 +4,48 @@ import (
 	"fmt"
 )
 
+// TODO (iapershin)
+// rawOrigin is not suitable here since image stack contains `doc` property and couldn't be used along with doc()
+// refactor to use common approach
+type rawParent interface {
+	getDoc() *doc
+}
+
 type rawSecret struct {
-	Id         string `yaml:"id"`
+	Id         string `yaml:"id,omitempty"`
 	Env        string `yaml:"env,omitempty"`
 	Src        string `yaml:"src,omitempty"`
 	PlainValue string `yaml:"value,omitempty"`
 
-	doc *doc `yaml:"-"` // parent
+	parent rawParent `yaml:"-"` // parent
 
 	UnsupportedAttributes map[string]interface{} `yaml:",inline"`
 }
 
 func (s *rawSecret) UnmarshalYAML(unmarshal func(interface{}) error) error {
-	parentStack.Push(s)
+	if parent, ok := parentStack.Peek().(rawParent); ok {
+		s.parent = parent
+	}
+
 	type plain rawSecret
-	err := unmarshal((*plain)(s))
-	parentStack.Pop()
-	if err != nil {
-		return fmt.Errorf("secrets parsing error: %w", err)
+	if err := unmarshal((*plain)(s)); err != nil {
+		return err
 	}
 
 	if err := s.validate(); err != nil {
-		return fmt.Errorf("secrets validation error: %w", err)
+		return newDetailedConfigError(fmt.Sprintf("secrets validation error: %s", err.Error()), s, s.parent.getDoc())
 	}
 
-	if err := checkOverflow(s.UnsupportedAttributes, nil, s.doc); err != nil {
-		return fmt.Errorf("secrets validation error: %w", err)
+	if err := checkOverflow(s.UnsupportedAttributes, nil, s.parent.getDoc()); err != nil {
+		return err
 	}
 
 	return nil
 }
 
 func (s *rawSecret) validate() error {
 	if !oneOrNone([]bool{s.Env != "", s.Src != "", s.PlainValue != ""}) {
-		return newDetailedConfigError("specify only env or src or value in secret", s, s.doc)
+		return fmt.Errorf("secret type could be ONLY `env`, `src` or `value`")
 	}
 	return nil
 }
@@ -51,6 +59,6 @@ func (s *rawSecret) toDirective() (Secret, error) {
 	case s.PlainValue != "":
 		return newSecretFromPlainValue(s)
 	default:
-		return nil, newDetailedConfigError("secret type is not supported", s, s.doc)
+		return nil, newDetailedConfigError("secret should be defined as `env`, `src` or `value`", s, s.parent.getDoc())
 	}
 }
diff --git a/pkg/config/raw_stapel_image.go b/pkg/config/raw_stapel_image.go
@@ -342,3 +342,7 @@ func (c *rawStapelImage) toBaseStapelImageBaseDirective(giterminismManager giter
 
 	return imageBase, nil
 }
+
+func (r *rawStapelImage) getDoc() *doc {
+	return r.doc
+}
diff --git a/pkg/config/secrets.go b/pkg/config/secrets.go
@@ -36,7 +36,7 @@ type SecretFromPlainValue struct {
 
 func newSecretFromEnv(s *rawSecret) (*SecretFromEnv, error) {
 	if _, exists := os.LookupEnv(s.Env); !exists {
-		return nil, fmt.Errorf("specified env variable doesn't exist")
+		return nil, fmt.Errorf("specified env variable `%s` doesn't exist", s.Env)
 	}
 	if s.Id == "" {
 		s.Id = s.Env
@@ -140,14 +140,14 @@ func GetValidatedSecrets(rawSecrets []*rawSecret, giterminismManager giterminism
 	for _, s := range rawSecrets {
 		secret, err := s.toDirective()
 		if err != nil {
-			return nil, err
+			return nil, newDetailedConfigError(fmt.Sprintf("unable to load build secrets: %s", err.Error()), s, s.parent.getDoc())
 		}
 
 		secretId := secret.GetSecretId()
 		if _, ok := secretIds[secretId]; !ok {
 			secretIds[secretId] = struct{}{}
 		} else {
-			return nil, newDetailedConfigError("duplicated secret %s", secretId, s.doc)
+			return nil, newDetailedConfigError(fmt.Sprintf("duplicated secret %q", secretId), nil, s.parent.getDoc())
 		}
 
 		err = secret.InspectByGiterminism(giterminismManager)
diff --git a/pkg/giterminism_manager/manager.go b/pkg/giterminism_manager/manager.go
@@ -29,6 +29,7 @@ func NewManager(ctx context.Context, configRelPath, projectDir string, localGitR
 	if options.LooseGiterminism {
 		err := errors.NewError(`We recommend using werf-giterminism.yaml to loosen giterminism instead of using --loose-giterminism/WERF_LOOSE_GITERMINISM`)
 		logboek.Context(ctx).Warn().LogLn(err)
+		logboek.Context(ctx).LogOptionalLn()
 	}
 
 	fr := file_reader.NewFileReader(sharedOptions)

Original file line number	Diff line number	Diff line change
`@@ -170,3 +170,7 @@ func (c *rawImageFromDockerfile) toImageFromDockerfileDirective(giterminismManag`
`170`	`170`
`171`	`171`	`return image, nil`
`172`	`172`	`}`
	`173`	`+`
	`174`	`+func (r rawImageFromDockerfile) getDoc() doc {`
	`175`	`+ return r.doc`
	`176`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -342,3 +342,7 @@ func (c *rawStapelImage) toBaseStapelImageBaseDirective(giterminismManager giter`
`342`	`342`
`343`	`343`	`return imageBase, nil`
`344`	`344`	`}`
	`345`	`+`
	`346`	`+func (r rawStapelImage) getDoc() doc {`
	`347`	`+ return r.doc`
	`348`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ func NewManager(ctx context.Context, configRelPath, projectDir string, localGitR`
`29`	`29`	`if options.LooseGiterminism {`
`30`	`30`	err := errors.NewError(`We recommend using werf-giterminism.yaml to loosen giterminism instead of using --loose-giterminism/WERF_LOOSE_GITERMINISM`)
`31`	`31`	`logboek.Context(ctx).Warn().LogLn(err)`
	`32`	`+ logboek.Context(ctx).LogOptionalLn()`
`32`	`33`	`}`
`33`	`34`
`34`	`35`	`fr := file_reader.NewFileReader(sharedOptions)`