Fix plugin secrets in config

Signed-off-by: Ben Sherman <bentshermann@gmail.com>

Author: bentsherman

modules/nextflow/src/main/groovy/nextflow/cli/CmdRun.groovy

@@ -44,6 +44,8 @@ import nextflow.plugin.Plugins
 import nextflow.scm.AssetManager
 import nextflow.script.ScriptFile
 import nextflow.script.ScriptRunner
+import nextflow.secret.ConfigNullProvider
+import nextflow.secret.SecretsLoader
 import nextflow.util.CustomPoolFactory
 import nextflow.util.Duration
 import nextflow.util.HistoryFile
@@ -320,25 +322,39 @@ class CmdRun extends CmdBase implements HubOptions {
         checkRunName()
 
         printBanner()
-        Plugins.init()
 
-        // -- specify the arguments
+        // -- resolve main script
         final scriptFile = getScriptFile(pipeline)
 
-        // create the config object
-        final builder = new ConfigBuilder()
+        // -- load config (without secrets)
+        final secretsProvider = new ConfigNullProvider()
+        ConfigBuilder builder = new ConfigBuilder()
+            .setOptions(launcher.options)
+            .setCmdRun(this)
+            .setBaseDir(scriptFile.parent)
+            .setSecretsProvider(secretsProvider)
+        ConfigMap config = builder.build()
+
+        // -- load plugins
+        Plugins.init()
+        Plugins.load(config)
+
+        // -- load secrets provider
+        SecretsLoader.getInstance().load()
+
+        // -- reload config if secrets were used
+        if( secretsProvider.usedSecrets() ) {
+            log.debug "Config file used secrets -- reloading config with secrets provider"
+            builder = new ConfigBuilder()
                 .setOptions(launcher.options)
                 .setCmdRun(this)
                 .setBaseDir(scriptFile.parent)
-        final config = builder .build()
+            config = builder.build()
+        }
 
         // check DSL syntax in the config
         launchInfo(config, scriptFile)
 
-        // -- load plugins
-        final cfg = plugins ? [plugins: plugins.tokenize(',')] : config
-        Plugins.load(cfg)
-
         // -- validate config options
         if( NF.isSyntaxParserV2() )
             new ConfigValidator().validate(config)

modules/nextflow/src/main/groovy/nextflow/config/ConfigBuilder.groovy

@@ -33,6 +33,7 @@ import nextflow.cli.CmdRun
 import nextflow.exception.AbortOperationException
 import nextflow.exception.ConfigParseException
 import nextflow.secret.SecretsLoader
+import nextflow.secret.SecretsProvider
 import nextflow.trace.GraphObserver
 import nextflow.trace.ReportObserver
 import nextflow.trace.TimelineObserver
@@ -77,6 +78,8 @@ class ConfigBuilder {
 
     boolean showMissingVariables
 
+    SecretsProvider secretsProvider
+
     Map<ConfigObject, String> emptyVariables = new LinkedHashMap<>(10)
 
     Map<String,String> env = new HashMap<>(System.getenv())
@@ -103,6 +106,11 @@ class ConfigBuilder {
         return this
     }
 
+    ConfigBuilder setSecretsProvider(SecretsProvider value) {
+        this.secretsProvider = value
+        return this
+    }
+
     ConfigBuilder setOptions( CliOptions options ) {
         this.options = options
         return this
@@ -327,17 +335,20 @@ class ConfigBuilder {
         // this is needed to make sure to reuse the same
         // instance of the config vars across different instances of the ConfigBuilder
         // and prevent multiple parsing of the same params file (which can even be remote resource)
-        return cacheableConfigVars(baseDir)
+        final secretContext = secretsProvider
+            ? SecretsLoader.secretContext(secretsProvider)
+            : SecretsLoader.secretContext()
+        return cacheableConfigVars(baseDir, secretContext)
     }
 
     @Memoized
-    static private Map cacheableConfigVars(Path base) {
+    static private Map cacheableConfigVars(Path base, Object secretContext) {
         final binding = new HashMap(10)
         binding.put('baseDir', base)
         binding.put('projectDir', base)
         binding.put('launchDir', Paths.get('.').toRealPath())
         binding.put('outputDir', Paths.get('results').complete())
-        binding.put('secrets', SecretsLoader.secretContext())
+        binding.put('secrets', secretContext)
         return binding
     }
 
@@ -549,6 +560,9 @@ class ConfigBuilder {
         if( cmdRun.preview )
             config.preview = cmdRun.preview
 
+        if( cmdRun.plugins )
+            config.plugins = cmdRun.plugins.tokenize(',')
+
         // -- sets the working directory
         if( cmdRun.workDir )
             config.workDir = cmdRun.workDir

modules/nextflow/src/main/groovy/nextflow/secret/ConfigNullProvider.groovy

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2013-2024, Seqera Labs
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package nextflow.secret
+
+import groovy.transform.CompileStatic
+
+/**
+ * Specialization of the null secrets provider that is used to
+ * determine whether secrets are required in the config.
+ *
+ * @author Ben Sherman <bentshermann@gmail.com>
+ */
+@CompileStatic
+class ConfigNullProvider extends NullProvider {
+
+    private boolean accessed
+
+    @Override
+    Secret getSecret(String name) {
+        accessed = true
+        return new SecretImpl(name, '')
+    }
+
+    boolean usedSecrets() {
+        return accessed
+    }
+}

modules/nextflow/src/main/groovy/nextflow/secret/SecretsLoader.groovy

@@ -78,5 +78,9 @@ class SecretsLoader {
         final provider = isEnabled() ? getInstance().load() : new NullProvider()
         return makeSecretsContext(provider)
     }
-    
+
+    static Object secretContext(SecretsProvider provider) {
+        return makeSecretsContext(provider)
+    }
+
 }