
Improve reporting when assigning a secure value to an insecure target or vice versa #16665

Draft · wants to merge 7 commits into main

Conversation

@jeskew (Member) commented Mar 19, 2025

Resolves #16252


@jeskew jeskew requested a review from anthony-c-martin March 19, 2025 15:18
github-actions bot (Contributor) commented Mar 19, 2025

Test this change out locally with the following install scripts (Action run 13952431314)

VSCode
  • Mac/Linux
    bash <(curl -Ls https://aka.ms/bicep/nightly-vsix.sh) --run-id 13952431314
  • Windows
    iex "& { $(irm https://aka.ms/bicep/nightly-vsix.ps1) } -RunId 13952431314"
Azure CLI
  • Mac/Linux
    bash <(curl -Ls https://aka.ms/bicep/nightly-cli.sh) --run-id 13952431314
  • Windows
    iex "& { $(irm https://aka.ms/bicep/nightly-cli.ps1) } -RunId 13952431314"

@@ -52,7 +52,9 @@ resource aks 'Microsoft.ContainerService/managedClusters@2020-03-01' = {
}
servicePrincipalProfile: {
clientId: servicePrincipalClientId
//@[22:46) [BCP417 (Info)] The supplied value has been marked as secure but is being assigned to a target that is not expecting sensitive data. (bicep https://aka.ms/bicep/core-diagnostics#BCP417) |servicePrincipalClientId|
secret: servicePrincipalClientSecret
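Review bot: the BCP417 text attached to `clientId: servicePrincipalClientId` says the value "has been marked as secure" but does not name the target property or the type it comes from, so a reader cannot tell from the message alone whether `clientId` lacks a sensitive annotation in the resource type or whether the parameter was over-marked; consider including the target property name (here `clientId`) in the message so the two cases are distinguishable without opening the type definition. Info severity is reasonable for this direction of mismatch, since a secure value flowing into a non-secure slot is a possible leak but also, as the author's comment notes, frequently just a missing annotation on the RP side.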

jeskew (Member, Author) commented:

There are a couple of cases where I expected the RP to mark something as sensitive in the Swagger, but they didn't. Besides this target, the other big surprises were resourceInput<'Microsoft.Compute/virtualMachines@2019-12-01'>.properties.osProfile.adminPassword (annotated as a regular string) and resourceInput<'Microsoft.KeyVault/vaults/secrets@2019-09-01'>.properties.value (ditto). I didn't check all API versions for those.

github-actions bot (Contributor) commented Mar 19, 2025

Dotnet Test Results

- 56 files (-61), 56 suites (-61), 28m 23s ⏱️ (-22m 8s)
- 9 932 tests (-2 012): 9 833 ✅ (-2 111), 0 💤 (±0), 99 ❌ (+99)
- 23 958 runs (-17 467): 23 760 ✅ (-17 665), 0 💤 (±0), 198 ❌ (+198)

For more details on these failures, see this check.

Results for commit 2afb14a. ± Comparison against base commit 180a858.

This pull request removes 3787 and adds 595 tests. Note that renamed tests count towards both.

(Expanded list of removed and added tests; the parameterized entries whose arguments were binary payloads are elided here. Recoverable test names:)

Bicep.Core.IntegrationTests.AzTypesViaRegistryTests ‑ Bicep_compiler_handles_corrupted_extension_package_gracefully (several parameterizations with binary package payloads and the expected error messages "Value cannot be null. (Parameter 'source')", "'7' is an invalid end of a number. Expected a delimiter. Path: $.INVALID_JSON | LineNumber: 0 | BytePositionInLine: 20." and "The path: index.json was not found in artifact contents")
Bicep.Core.IntegrationTests.DecompilationTests ‑ Decompiler_handles_banned_function_replacement ("createArray(1, 2, 3)" as array; "createObject('key', 'value')" as object)
Bicep.Core.IntegrationTests.DecompilationTests ‑ Decompiler_handles_strings_with_newlines ("\n"; "\r\n")
…

♻️ This comment has been updated with latest results.

@@ -125,8 +125,11 @@ param additionalMetadata string
@maxLength(24)
@allowed([
'one'
//@[02:007) [BCP418 (Warning)] The assignment target is expecting sensitive data but has been provided a non-sensitive value. Consider supplying the value as a secure parameter instead to prevent unauthorized disclosure to users who can view the template (via the portal, the CLI, or in source code). (bicep https://aka.ms/bicep/core-diagnostics#BCP418) |'one'|
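Review bot: the BCP418 message on the `'one'` literal inside `@allowed([` recommends "supplying the value as a secure parameter instead", which cannot apply at this position: `'one'` is part of the parameter's own declared constraint, not a value being assigned to it, so there is no parameter to move it into. Either special-case literals inside `@allowed()` on a secure parameter with a message that states the allowed values themselves are visible to anyone who can view the template (the point the existing text already makes about the portal, the CLI and source code), or suppress BCP418 for that position; the current wording will read as an actionable instruction that the user cannot follow.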

jeskew (Member, Author) commented:

I'm not sure about this one. Using @allowed([]) and @secure() together seems like a niche use case (the value is a secret, but I will hardcode which values are acceptable in the template), and I couldn't figure out if it's better to warn here because the elements in the @allowed() array aren't protected in any way or drop the warning because the elements in the @allowed() array aren't protected in any way and users presumably know that.

Successfully merging this pull request may close these issues.

Linter rule suggestion: Flag sensitive values that are used in non-sensitive places
1 participant