feat(compose-spec): Add content property for secrets in compose-spec.json

[idsulik]

Fixes docker/compose#12033

Add content to secret property, because in case of environment value, we add "content" property but it wasn't defined in the spec

[ndeloof]

we add "content" property but it wasn't defined in the spec

This is by design: we don't want sensible data to be exposed as plain text in a compose file

[ndeloof]

This introduces a major risk for users to put sensible data in a compose file and publish by mistake, we can't let them shoot into their own feet

[idsulik]

@ndeloof good point, thank you! pushed fix. Added validation to prevent from specifying "content" for the secrets property

[ndeloof]

SecretConfig already has a custom MarshalJSON so that content is excluded from json output. But with use of map[string]any for yaml processing, this isn't used by gojsonschema validator. Will need to find an equivalent hack

[idsulik]

@ndeloof here is an equivalent ) at least tmp solution

[ndeloof]

but we loose value doing so

[idsulik]

we can copy for validation

[idsulik]

pushed changes. now it clones the map and validate

[ndeloof]

AFAICT this won't catch a compose file using invalid attribute content to set secret, while value will be actually loaded.

[ndeloof]

Suggestion: to avoid letting content be used in compose.yaml and miss it during validation, resolved value could be stored in map with key #value (with a #) which makes it an invalid key in yaml (until user set key with quote, but this can't be by accident then).

[idsulik]

Suggestion: to avoid letting content be used in compose.yaml and miss it during validation, resolved value could be stored in map with key #value (with a #) which makes it an invalid key in yaml (until user set key with quote, but this can't be by accident then).

@ndeloof , if you mean this changes:

# environment.go
		if found, ok := environment[env]; ok {
			secret["#value"] = found
		}

then it won'r work:

secrets.one-secret-token Additional property #value is not allowed

[ndeloof]

oh indeed.

[ndeloof]

A possible workaround is to use a fake extension key x-#value that would be valid regarding the spec

[idsulik]

A possible workaround is to use a fake extension key x-#value that would be valid regarding the spec

I'm not sure I get the idea if I rename

if found, ok := environment[env]; ok {
	secret["content"] = found
}

into

if found, ok := environment[env]; ok {
	secret["x-#value"] = found
}

Then how do we map this key into the Secret struct's content field?

[ndeloof]

Then how do we map this key into the Secret struct's content field?

need to add a DecodeMapstructure func to FileObjectConfig so it detects this custom key is set and use it as value

[idsulik]

@ndeloof pushed changes.
p.s. extracted the key name into constant for consistency

[glours]

LGTM
@idsulik can you sign-off your commits please?

[idsulik]

@glours done