Best-effort detection of potentially secret variables

code/go/internal/validator/spec.go

@@ -107,6 +107,7 @@ func processErrors(errs specerrors.ValidationErrors) specerrors.ValidationErrors
 		new      string
 	}{
 		{"Must not validate the schema (not)", "Must not be present"},
+		{"secret is required", "variable identified as possible secret, secret parameter required to be set to true or false"},
 	}
 	redundant := []string{
 		"Must validate \"then\" as \"if\" was valid",
@@ -118,18 +119,15 @@ func processErrors(errs specerrors.ValidationErrors) specerrors.ValidationErrors
 	for _, e := range errs {
 		for _, msg := range msgTransforms {
 			if strings.Contains(e.Error(), msg.original) {
-				processedErrs = append(processedErrs,
-					specerrors.NewStructuredError(
-						errors.New(strings.Replace(e.Error(), msg.original, msg.new, 1)),
-						specerrors.UnassignedCode),
-				)
-				continue
+				e = specerrors.NewStructuredError(
+					errors.New(strings.Replace(e.Error(), msg.original, msg.new, 1)),
+					specerrors.UnassignedCode)
 			}
-			if substringInSlice(e.Error(), redundant) {
-				continue
-			}
-			processedErrs = append(processedErrs, e)
 		}
+		if substringInSlice(e.Error(), redundant) {
+			continue
+		}
+		processedErrs = append(processedErrs, e)
 	}
 
 	return processedErrs

code/go/pkg/validator/validator_test.go

@@ -193,6 +193,13 @@ func TestValidateFile(t *testing.T) {
 				"field vars.0: Additional property secret is not allowed",
 			},
 		},
+		"bad_secret_vars_v3": {
+			"manifest.yml",
+			[]string{
+				"field vars.0: variable identified as possible secret, secret parameter required to be set to true or false",
+				"field vars.1: variable identified as possible secret, secret parameter required to be set to true or false",
+			},
+		},
 		"bad_lifecycle": {
 			"data_stream/test/lifecycle.yml",
 			[]string{
@@ -250,8 +257,13 @@ func TestValidateFile(t *testing.T) {
 
 	filter := specerrors.NewFilter(&specerrors.ConfigFilter{
 		Errors: specerrors.Processors{
-			// TODO: Actually fix the references instead of ignoring the error.
-			ExcludeChecks: []string{"SVR00004"},
+			ExcludeChecks: []string{
+				// Allow to test unreleased features in "good" packages.
+				"PSR00001",
+
+				// TODO: Actually fix the references instead of ignoring the error.
+				"SVR00004",
+			},
 		},
 	})
 

spec/changelog.yml

@@ -10,6 +10,9 @@
   - description: Add parquet files in terraform service deployer
     type: enhancement
     link: https://github.com/elastic/package-spec/pull/662
+  - description: Require to define if a variable is a secret if it looks like a secret
+    type: enhancement
+    link: https://github.com/elastic/package-spec/pull/665
 - version: 3.0.1
   changes:
   - description: Using non-GA versions of the spec in GA packages produces a filterable validation error instead of a warning

spec/integration/data_stream/manifest.spec.yml

@@ -115,39 +115,51 @@ spec:
           default:
             description: Default value(s) for variable
             $ref: "#/definitions/input_variable_value"
-        if:
-          properties:
-            type:
-              const: select
-        then:
-          required:
-            - options
-          properties:
-            options:
-              description: List of options for select type
-              type: array
-              items:
-                type: object
-                additionalProperties: false
-                properties:
-                  value:
-                    type: string
-                    examples:
-                    - node
-                    - cluster
-                  text:
-                    type: string
-                    examples:
-                    - node
-                    - cluster
-                required:
-                - value
-                - text
-              min_items: 1
-        else:
-          not:
-            required:
-              - options
+        allOf:
+         - if:
+             properties:
+               type:
+                 const: select
+           then:
+             required:
+               - options
+             properties:
+               options:
+                 description: List of options for select type
+                 type: array
+                 items:
+                   type: object
+                   additionalProperties: false
+                   properties:
+                     value:
+                       type: string
+                       examples:
+                       - node
+                       - cluster
+                     text:
+                       type: string
+                       examples:
+                       - node
+                       - cluster
+                   required:
+                   - value
+                   - text
+                 min_items: 1
+           else:
+             not:
+               required:
+                 - options
+         - if:
+             anyOf:
+               - properties:
+                   name:
+                     pattern: "(password|api_key|access_key|token)"
+               - properties:
+                   type:
+                     const: password
+           then:
+             required:
+               - secret
         required:
           - name
           - type
@@ -494,6 +506,11 @@ spec:
   - title
 # JSON patches for newer versions should be placed on top
 versions:
+  - before: 3.0.2
+    patch:
+      # Required secret for variables that look like secrets.
+      - op: remove
+        path: /definitions/vars/items/allOf/1
   - before: 3.0.0
     patch:
       # Stricter validation of elasticsearch settings and mappings.

test/packages/bad_secret_vars_v3/LICENSE.txt

@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.

test/packages/bad_secret_vars_v3/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.0.1"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link

test/packages/bad_secret_vars_v3/docs/README.md

@@ -0,0 +1,84 @@
+<!-- Use this template language as a starting point, replacing {placeholder text} with details about the integration. -->
+<!-- Find more detailed documentation guidelines in https://github.com/elastic/integrations/blob/main/docs/documentation_guidelines.md -->
+
+# Bad Select Vars
+
+<!-- The Bad Select Vars integration allows you to monitor {name of service}. {name of service} is {describe service}.
+
+Use the Bad Select Vars integration to {purpose}. Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference {data stream type} when troubleshooting an issue.
+
+For example, if you wanted to {sample use case} you could {action}. Then you can {visualize|alert|troubleshoot} by {action}. -->
+
+## Data streams
+
+<!-- The Bad Select Vars integration collects {one|two} type{s} of data streams: {logs and/or metrics}. -->
+
+<!-- If applicable -->
+<!-- **Logs** help you keep a record of events happening in {service}.
+Log data streams collected by the {name} integration include {sample data stream(s)} and more. See more details in the [Logs](#logs-reference). -->
+
+<!-- If applicable -->
+<!-- **Metrics** give you insight into the state of {service}.
+Metric data streams collected by the {name} integration include {sample data stream(s)} and more. See more details in the [Metrics](#metrics-reference). -->
+
+<!-- Optional: Any additional notes on data streams -->
+
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
+You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+<!--
+	Optional: Other requirements including:
+	* System compatibility
+	* Supported versions of third-party products
+	* Permissions needed
+	* Anything else that could block a user from successfully using the integration
+-->
+
+## Setup
+
+<!-- Any prerequisite instructions -->
+
+For step-by-step instructions on how to set up an integration, see the
+[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide.
+
+<!-- Additional set up instructions -->
+
+<!-- If applicable -->
+<!-- ## Logs reference -->
+
+<!-- Repeat for each data stream of the current type -->
+<!-- ### {Data stream name}
+
+The `{data stream name}` data stream provides events from {source} of the following types: {list types}. -->
+
+<!-- Optional -->
+<!-- #### Example
+
+An example event for `{data stream name}` looks as following:
+
+{code block with example} -->
+
+<!-- #### Exported fields
+
+{insert table} -->
+
+<!-- If applicable -->
+<!-- ## Metrics reference -->
+
+<!-- Repeat for each data stream of the current type -->
+<!-- ### {Data stream name}
+
+The `{data stream name}` data stream provides events from {source} of the following types: {list types}. -->
+
+<!-- Optional -->
+<!-- #### Example
+
+An example event for `{data stream name}` looks as following:
+
+{code block with example} -->
+
+<!-- #### Exported fields
+
+{insert table} -->