Add strict mode to fail on unresolved secrets in SecretSourceResolver (#2814)

somiljain2006 · timja · web-flow · commit fc1796c5dcd7 · 2026-04-03T15:13:09.000+01:00
Co-authored-by: Tim Jacomb &lt;21194782+timja@users.noreply.github.com&gt;
diff --git a/docs/features/secrets.adoc b/docs/features/secrets.adoc
@@ -342,6 +342,17 @@ credentials:
           
 ```
 
+=== Strict Secret Resolution
+
+By default, if a secret variable cannot be resolved, JCasC will log a warning and replace the variable with an empty string. If you are using a remote secrets engine, this can result in credentials being unexpectedly overwritten with empty values during a configuration reload.
+
+To prevent this, you can enable **Strict Secret Resolution**. When enabled, any unresolved secret that does not have a defined default value (using the `:-` operator) will cause the configuration reload to abort entirely, leaving the previous working configuration intact.
+
+You can enable this by setting the following environment variable or Java system property:
+
+* **Environment Variable:** `CASC_STRICT_SECRET_RESOLUTION=true`
+* **System Property:** `-Dcasc.strict.secret.resolution=true`
+
 == Useful links
 
 * link:https://jenkins.io/doc/developer/security/secrets/[Jenkins Developer Guide: Storing Secrets in Jenkins]
diff --git a/plugin/src/main/java/io/jenkins/plugins/casc/SecretSourceResolver.java b/plugin/src/main/java/io/jenkins/plugins/casc/SecretSourceResolver.java
@@ -115,10 +115,21 @@ static class UnresolvedLookup implements StringLookup {
 
         static final UnresolvedLookup INSTANCE = new UnresolvedLookup();
 
+        private static final String STRICT_MODE_ENV = "CASC_STRICT_SECRET_RESOLUTION";
+        private static final String STRICT_MODE_PROP = "casc.strict.secret.resolution";
+
         private UnresolvedLookup() {}
 
         @Override
         public String lookup(String key) {
+            boolean isStrict =
+                    Boolean.parseBoolean(System.getProperty(STRICT_MODE_PROP, System.getenv(STRICT_MODE_ENV)));
+
+            if (isStrict) {
+                throw new IllegalStateException(
+                        String.format("Unable to resolve variable '%s'. Aborting configuration reload.", key));
+            }
+
             LOGGER.log(
                     Level.WARNING,
                     String.format(
diff --git a/plugin/src/test/java/io/jenkins/plugins/casc/SecretSourceResolverTest.java b/plugin/src/test/java/io/jenkins/plugins/casc/SecretSourceResolverTest.java
@@ -4,6 +4,7 @@
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.startsWith;
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.Assert.assertThrows;
 import static org.junit.Assert.assertTrue;
 
 import io.jenkins.plugins.casc.SecretSourceResolver.Base64Lookup;
@@ -521,4 +522,58 @@ public void resolve_trimWithSpacesOnly_becomesEmpty() {
         environment.set("FOO", "   ");
         assertThat(resolve("${trim:${FOO}}"), equalTo(""));
     }
+
+    @Test
+    public void resolve_strictModeEnvVar_throwsExceptionOnMissingVar() {
+        environment.set("CASC_STRICT_SECRET_RESOLUTION", "true");
+
+        IllegalStateException exception = assertThrows(IllegalStateException.class, () -> {
+            resolve("${MISSING_SECRET_VAR}");
+        });
+
+        assertThat(exception.getMessage(), containsString("MISSING_SECRET_VAR"));
+    }
+
+    @Test
+    public void resolve_strictModeSysProp_throwsExceptionOnMissingVar() {
+        System.setProperty("casc.strict.secret.resolution", "true");
+        try {
+            IllegalStateException exception = assertThrows(IllegalStateException.class, () -> {
+                resolve("${ANOTHER_MISSING_VAR}");
+            });
+            assertThat(exception.getMessage(), containsString("ANOTHER_MISSING_VAR"));
+        } finally {
+            System.clearProperty("casc.strict.secret.resolution");
+        }
+    }
+
+    @Test
+    public void resolve_strictMode_ignoresExceptionIfDefaultProvided() {
+        environment.set("CASC_STRICT_SECRET_RESOLUTION", "true");
+
+        String output = resolve("${MISSING_SECRET_VAR:-my_fallback_value}");
+
+        assertThat(output, equalTo("my_fallback_value"));
+    }
+
+    @Test
+    public void resolve_strictModeSetToFalse_defaultsToEmptyString() {
+        environment.set("CASC_STRICT_SECRET_RESOLUTION", "false");
+
+        String output = resolve("${MISSING_SECRET_VAR}");
+
+        assertThat(output, equalTo(""));
+        assertTrue(logContains("Configuration import: Found unresolved variable 'MISSING_SECRET_VAR'"));
+    }
+
+    @Test
+    public void resolve_strictMode_multipleVariables_oneMissing_shouldFail() {
+        environment.set("CASC_STRICT_SECRET_RESOLUTION", "true");
+        environment.set("FOO", "hello");
+
+        IllegalStateException exception = assertThrows(IllegalStateException.class, () -> {
+            resolve("${FOO}:${MISSING}");
+        });
+        assertThat(exception.getMessage(), containsString("MISSING"));
+    }
 }
