Merge pull request #316 from glours/check-service-secrets

Check service secrets existence
compose-spec · Nov 7, 2022 · 87bd752 · 87bd752
2 parents 4493cba + a9ba921
commit 87bd752
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 5 deletions.
diff --git a/loader/validate.go b/loader/validate.go
@@ -70,6 +70,12 @@ func checkConsistency(project *types.Project) error {
 				return errors.Wrap(errdefs.ErrInvalid, fmt.Sprintf("service %q refers to undefined config %s", s.Name, config.Source))
 			}
 		}
+
+		for _, secret := range s.Secrets {
+			if _, ok := project.Secrets[secret.Source]; !ok {
+				return errors.Wrap(errdefs.ErrInvalid, fmt.Sprintf("service %q refers to undefined secret %s", s.Name, secret.Source))
+			}
+		}
 	}
 
 	for name, secret := range project.Secrets {

diff --git a/loader/validate_test.go b/loader/validate_test.go
@@ -174,7 +174,7 @@ func TestValidateSecret(t *testing.T) {
 		err := checkConsistency(project)
 		assert.NilError(t, err)
 	})
-	t.Run("uset secret", func(t *testing.T) {
+	t.Run("unset secret type", func(t *testing.T) {
 		project := &types.Project{
 			Secrets: types.Secrets{
 				"foo": types.SecretConfig{},
@@ -183,6 +183,49 @@ func TestValidateSecret(t *testing.T) {
 		err := checkConsistency(project)
 		assert.Error(t, err, "secret \"foo\" must declare either `file` or `environment`: invalid compose project")
 	})
+
+	t.Run("service secret exist", func(t *testing.T) {
+		project := &types.Project{
+			Secrets: types.Secrets{
+				"foo": types.SecretConfig{
+					External: types.External{
+						External: true,
+					},
+				},
+			},
+			Services: types.Services([]types.ServiceConfig{
+				{
+					Name:  "myservice",
+					Image: "scratch",
+					Secrets: []types.ServiceSecretConfig{
+						{
+							Source: "foo",
+						},
+					},
+				},
+			}),
+		}
+		err := checkConsistency(project)
+		assert.NilError(t, err)
+	})
+
+	t.Run("service secret undefined", func(t *testing.T) {
+		project := &types.Project{
+			Services: types.Services([]types.ServiceConfig{
+				{
+					Name:  "myservice",
+					Image: "scratch",
+					Secrets: []types.ServiceSecretConfig{
+						{
+							Source: "foo",
+						},
+					},
+				},
+			}),
+		}
+		err := checkConsistency(project)
+		assert.Error(t, err, `service "myservice" refers to undefined secret foo: invalid compose project`)
+	})
 }
 
 func TestValidateDependsOn(t *testing.T) {

diff --git a/types/project.go b/types/project.go
@@ -258,25 +258,33 @@ func (p *Project) WithoutUnnecessaryResources() {
 
 	networks := Networks{}
 	for k := range requiredNetworks {
-		networks[k] = p.Networks[k]
+		if value, ok := p.Networks[k]; ok {
+			networks[k] = value
+		}
 	}
 	p.Networks = networks
 
 	volumes := Volumes{}
 	for k := range requiredVolumes {
-		volumes[k] = p.Volumes[k]
+		if value, ok := p.Volumes[k]; ok {
+			volumes[k] = value
+		}
 	}
 	p.Volumes = volumes
 
 	secrets := Secrets{}
 	for k := range requiredSecrets {
-		secrets[k] = p.Secrets[k]
+		if value, ok := p.Secrets[k]; ok {
+			secrets[k] = value
+		}
 	}
 	p.Secrets = secrets
 
 	configs := Configs{}
 	for k := range requiredConfigs {
-		configs[k] = p.Configs[k]
+		if value, ok := p.Configs[k]; ok {
+			configs[k] = value
+		}
 	}
 	p.Configs = configs
 }