From 29c093afaec391e8eee896222aa733b9a7a9c9ae Mon Sep 17 00:00:00 2001
From: Alan Savage <3028205+asavageiv@users.noreply.github.com>
Date: Tue, 9 Sep 2025 14:44:23 -0700
Subject: [PATCH] Make secrets global and init on first use.

This allows all containers to use any secret declared anywhere in their placeholders but they will not be generated and written to the configuration until they are used.

Signed-off-by: Alan Savage <3028205+asavageiv@users.noreply.github.com>
---
 php/src/Container/Container.php | 6 ------
 php/src/ContainerDefinitionFetcher.php | 8 +++++---
 php/src/Data/ConfigurationManager.php | 14 +++++++++-----
 php/src/Docker/DockerActionManager.php | 14 +-------------
 4 files changed, 15 insertions(+), 27 deletions(-)

diff --git a/php/src/Container/Container.php b/php/src/Container/Container.php
index 77858283..baee1c00 100644
--- a/php/src/Container/Container.php
+++ b/php/src/Container/Container.php
@@ -19,8 +19,6 @@ readonly class Container {
 private ContainerEnvironmentVariables $containerEnvironmentVariables,
 /** @var string[] */
 private array $dependsOn,
- /** @var string[] */
- private array $secrets,
 private string $uiSecret,
 /** @var string[] */
 private array $devices,
@@ -82,10 +80,6 @@ readonly class Container {
 return $this->maxShutdownTime;
 }
 
- public function GetSecrets() : array {
- return $this->secrets;
- }
-
 public function GetUiSecret() : string {
 return $this->dockerActionManager->GetAndGenerateSecretWrapper($this->uiSecret);
 }
diff --git a/php/src/ContainerDefinitionFetcher.php b/php/src/ContainerDefinitionFetcher.php
index 6809650c..a404e3a3 100644
--- a/php/src/ContainerDefinitionFetcher.php
+++ b/php/src/ContainerDefinitionFetcher.php
@@ -239,9 +239,12 @@ readonly class ContainerDefinitionFetcher {
 $internalPort = $entry['internal_port'];
 }
 
- $secrets = [];
 if (isset($entry['secrets'])) {
- $secrets = $entry['secrets'];
+ // All secrets are registered with the configuration when they
+ // are discovered so they can be later generated at time-of-use.
+ foreach ($entry['secrets'] as $secret) {
+ $this->configurationManager->RegisterSecret($secret);
+ }
 }
 
 $uiSecret = '';
@@ -320,7 +323,6 @@ readonly class ContainerDefinitionFetcher {
 $volumes,
 $variables,
 $dependsOn,
- $secrets,
 $uiSecret,
 $devices,
 $enableNvidiaGpu,
diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php
index 257e69d0..ceae13d0 100644
--- a/php/src/Data/ConfigurationManager.php
+++ b/php/src/Data/ConfigurationManager.php
@@ -7,6 +7,8 @@ use AIO\Controller\DockerController;
 
 class ConfigurationManager
 {
+ private array $secrets = [];
+
 public function GetConfig() : array {
 if(file_exists(DataConst::GetConfigFile()))
@@ -50,13 +52,15 @@ class ConfigurationManager
 return $config['secrets'][$secretId];
 }
 
- public function GetSecret(string $secretId) : string {
- $config = $this->GetConfig();
- if(!isset($config['secrets'][$secretId])) {
- $config['secrets'][$secretId] = "";
+ public function GetRegisteredSecret(string $secretId) : string {
+ if ($this->secrets[$secretId]) {
+ return $this->GetAndGenerateSecret($secretId);
 }
+ throw new \Exception("The secret " . $secretId . " was not registered. Please check if it is defined in secrets of containers.json.");
+ }
 
- return $config['secrets'][$secretId];
+ public function RegisterSecret(string $secretId) : void {
+ $this->secrets[$secretId] = true;
 }
 
 private function DoubleSafeBackupSecret(string $borgBackupPassword) : void {
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index f6ffbdc3..d46bc5c9 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
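Review bot: The new loop in the @@ -239 hunk hands every element of `$entry['secrets']` straight to `RegisterSecret(string $secretId)`, so a `secrets` value in containers.json that is not an array, or that contains a non-string element, fails with a foreach warning or a TypeError instead of a message that names the offending container entry. A guard before the loop, `if (!is_array($entry['secrets'])) { throw new \Exception('secrets must be a list of strings in containers.json'); }`, would keep the failure at the parsing boundary where the rest of this method validates the entry. Registration is idempotent (the registry only sets a key to `true`), so calling this parsing path more than once is harmless. The enclosing method starts and ends outside the hunk.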
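Review bot: In `GetRegisteredSecret`, `if ($this->secrets[$secretId])` reads the key directly, so an unregistered id first emits an "Undefined array key" warning and only then reaches the throw; the guard should be `if (!isset($this->secrets[$secretId])) { throw new \Exception(...); }` followed by `return $this->GetAndGenerateSecret($secretId);`. The registry is an in-memory array on this instance, so the lookup only works if the ContainerDefinitionFetcher and the DockerActionManager share the same ConfigurationManager instance and container definitions have been fetched before any placeholder substitution runs; I cannot see the wiring from here, so this is an assumption worth a comment on the property, e.g. `/** @var array<string, true> Secret ids declared in containers.json; registered by RegisterSecret(), generated on first use by GetRegisteredSecret(). */`. The removed `getSecretOrThrow` in DockerActionManager also rejected an empty stored secret, and that check has no counterpart in the new method, so if `GetAndGenerateSecret` returns a pre-existing empty `secrets` value unchanged (its body is mostly outside this hunk), an empty string would now be substituted into a container's environment silently.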
@@ -221,10 +221,6 @@ readonly class DockerActionManager {
 $requestBody['HostConfig']['Binds'] = $volumes;
 }
 
- foreach ($container->GetSecrets() as $secret) {
- $this->configurationManager->GetAndGenerateSecret($secret);
- }
-
 $aioVariables = $container->GetAioVariables()->GetVariables();
 foreach ($aioVariables as $variable) {
 $config = $this->configurationManager->GetConfig();
@@ -566,18 +562,10 @@ readonly class DockerActionManager {
 // Allow to get local ip-address of caddy container and add it to trusted proxies automatically
 'CADDY_IP_ADDRESS' => in_array('caddy', $this->configurationManager->GetEnabledCommunityContainers(), true) ? gethostbyname('nextcloud-aio-caddy') : '',
 'WHITEBOARD_ENABLED' => $this->configurationManager->isWhiteboardEnabled() ? 'yes' : '',
- default => $this->getSecretOrThrow($placeholder),
+ default => $this->configurationManager->GetRegisteredSecret($placeholder),
 };
 }
 
- private function getSecretOrThrow(string $secretName): string {
- $secret = $this->configurationManager->GetSecret($secretName);
- if ($secret === "") {
- throw new \Exception("The secret " . $secretName . " is empty. Cannot substitute its value. Please check if it is defined in secrets of containers.json.");
- }
- return $secret;
- }
-
 private function isContainerUpdateAvailable(string $id): string {
 $container = $this->containerDefinitionFetcher->GetContainerById($id);