diff --git a/Base.yml b/Base.yml index c2ca0d5..1c4825b 100644 --- a/Base.yml +++ b/Base.yml 
@@ -458,6 +458,64 @@ $graph: jsonldPredicate: _id: "cwl:listing" +- name: SecretText + type: record + doc: | + An input parameter value that is confidential. This feature is + intended for values such as passwords, API tokens, or encryption + keys. + + When a parameter reference refers to a SecretText object, it must + be replaced with the object's value of `plaintext`. + fields: + - name: class + type: + type: enum + name: SecretText_class + symbols: + - cwl:SecretText + jsonldPredicate: + _id: "@type" + _type: "@vocab" + doc: Indicates this object represents a secret. + - name: secretTextId + type: string? + doc: | + This is an identifier to be used to fetch a secret value from + the workflow platform secrets management service. This assumes a + key-value model where the secret identifier is passed to the + secret store and a confidential string value (the password, + API token, encryption key, etc) is returned. + + If `plaintext` is null and `secretTextId` is non-null, the + value of `plaintext` should be set by looking up the value of + `secretTextId` on the workflow platform's secrets management + service. + + The format of the secret identifier, as well as protocol, + service endpoint, key management, access permissions, and + authentication for the secrets management service are + implementation specific and out of scope for this document. + + The `secretTextId` field is optional. If `secretTextId` is + not provided, `plaintext` must be non-null. + + If the platform does not offer secrets management, or there is + a failure when retrieving the value of a secret, and + `plaintext` is null, it is a fatal error. + + - name: plaintext + type: string? + doc: | + Contains the secret value. 
+ + Implementations should apply special handling to confidential + values to avoid displaying them in logs, including them in + output, or otherwise making them visible or accessible in any + way that has potential to leak beyond what is required to make + the value of the confidential input parameter available to + workflow processes that need it. + - name: CWLObjectType type: union @@ -470,6 +528,7 @@ $graph: - string - File - Directory + - SecretText - type: array items: - "null" diff --git a/CommandLineTool.yml b/CommandLineTool.yml index 604c668..dcf94be 100644 --- a/CommandLineTool.yml +++ b/CommandLineTool.yml @@ -51,6 +51,11 @@ $graph: ## Changelog for v1.3.0-dev1 + * Added [SecretText](#SecretText) object type to represent input + types that should be kept confidential by the workflow runner, + such as passwords. SecretText can also be used to refer to + credentials storage in a platform secrets management server. + See also the [CWL Workflow Description, v1.3.0-dev1 changelog](Workflow.html#Changelog). For other changes since CWL v1.0, see the [CWL Command Line Tool Description, v1.1 changelog](https://www.commonwl.org/v1.1/CommandLineTool.html#Changelog) diff --git a/Workflow.yml b/Workflow.yml index 176de9a..25abf8e 100644 --- a/Workflow.yml +++ b/Workflow.yml @@ -40,6 +40,12 @@ $graph: CWL group. ## Changelog + + * Added [SecretText](#SecretText) object type to represent input + types that should be kept confidential by the workflow runner, + such as passwords. SecretText can also be used to refer to + credentials storage in a platform secrets management server. + See also the [CWL Command Line Tool Description, v1.3.0-dev1 changelog](CommandLineTool.html#Changelog). For other changes since CWL v1.0, see the [CWL Workflow Description, v1.1 changelog](https://www.commonwl.org/v1.1/Workflow.html#Changelog)
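Review bot: in the Base.yml hunk that adds `SecretText`, the `secretTextId` doc only defines behaviour for the case `plaintext` null / `secretTextId` non-null and never says what happens when both fields are non-null, so two conforming runners could disagree about whether the inline `plaintext` or the value fetched from the store is used; suggest a sentence such as `If both plaintext and secretTextId are non-null, the value fetched for secretTextId takes precedence and plaintext must be ignored` (or forbid the combination outright). Two related gaps in the same hunk: both fields are `string?`, so the schema cannot express the stated `plaintext must be non-null` rule and the doc should say a `SecretText` with both fields null is rejected when the input object is loaded rather than surfacing as a runtime fatal error; and the confidentiality requirement on the resolved value is only a `should`, while the substitution rule (`it must be replaced with the object's value of plaintext`) places the secret into any command line built from a parameter reference, where it is visible to other processes on the host and to job-scheduler logs. Consider stating explicitly that the resolved `plaintext` must not be written into the output object, provenance records, or any serialized copy of the job order.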
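Review bot: the `CWLObjectType` union hunk in Base.yml adds `SecretText` only to the scalar branch (`- string - File - Directory + - SecretText`) and does not say how a `SecretText` object type-checks against an input parameter declared as `string`; if secrets are meant to be usable inside arrays or records, the nested branches (the `items:` list that begins right after the added line) need the same addition. Suggest one sentence in the record doc stating that a `SecretText` object is accepted wherever a `string` input is declared, plus the matching union edits for nested positions if that is intended.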
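Review bot: the CommandLineTool.yml changelog entry says `credentials storage in a platform secrets management server`, while the Base.yml doc it describes uses `secrets management service`; suggest `to refer to a credential stored in the platform's secrets management service` so the changelog and the type doc use one term. Also worth confirming that the `[SecretText](#SecretText)` anchor resolves in the rendered CommandLineTool.html, since the type is defined in Base.yml rather than in this file.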
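Review bot: the Workflow.yml changelog entry repeats the CommandLineTool.yml wording verbatim, including `credentials storage in a platform secrets management server`; apply the same terminology fix here (`a credential stored in the platform's secrets management service`) so both changelogs and the Base.yml doc agree, and confirm the `#SecretText` anchor resolves in the rendered Workflow.html for the same reason.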