Fix regression on secure inline object types and resource-derived string and object types (#18170)

Resolves #18161 
###### Microsoft Reviewers: [Open in
CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com/Azure/bicep/pull/18170)

Author: jeskew

src/Bicep.Core.IntegrationTests/ScenarioTests.cs

@@ -5776,8 +5776,8 @@ public void Test_Issue12908()
 
         result.ExcludingLinterDiagnostics().Should().HaveDiagnostics(new[]
         {
-            ("BCP439", DiagnosticLevel.Error, """The @secure() decorator can only be used on statements whose type clause is "string,", "object", or a literal type."""),
-            ("BCP439", DiagnosticLevel.Error, """The @secure() decorator can only be used on statements whose type clause is "string,", "object", or a literal type."""),
+            ("BCP308", DiagnosticLevel.Error, """The decorator "secure" may not be used on statements whose declared type is a reference to a user-defined type."""),
+            ("BCP308", DiagnosticLevel.Error, """The decorator "secure" may not be used on statements whose declared type is a reference to a user-defined type."""),
         });
     }
 

src/Bicep.Core.IntegrationTests/UserDefinedTypeTests.cs

@@ -155,7 +155,7 @@ param intParam constrainedInt
             ("BCP308", DiagnosticLevel.Error, "The decorator \"maxValue\" may not be used on statements whose declared type is a reference to a user-defined type."),
             ("BCP308", DiagnosticLevel.Error, "The decorator \"minLength\" may not be used on statements whose declared type is a reference to a user-defined type."),
             ("BCP308", DiagnosticLevel.Error, "The decorator \"maxLength\" may not be used on statements whose declared type is a reference to a user-defined type."),
-            ("BCP439", DiagnosticLevel.Error, "The @secure() decorator can only be used on statements whose type clause is \"string,\", \"object\", or a literal type."),
+            ("BCP308", DiagnosticLevel.Error, "The decorator \"secure\" may not be used on statements whose declared type is a reference to a user-defined type."),
             ("BCP308", DiagnosticLevel.Error, "The decorator \"allowed\" may not be used on statements whose declared type is a reference to a user-defined type."),
             ("no-unused-params", DiagnosticLevel.Warning, "Parameter \"stringParam\" is declared but never used."),
             ("BCP308", DiagnosticLevel.Error, "The decorator \"minValue\" may not be used on statements whose declared type is a reference to a user-defined type."),
@@ -1991,13 +1991,46 @@ public void Secure_decorator_is_blocked_on_any_and_resource_derived_types()
             type untyped = any
 
             @secure()
-            type rdt = resourceInput<'Microsoft.Resources/deployments@2022-09-01'>.name
+            type rdt = resourceInput<'Microsoft.Compute/virtualMachines/extensions@2019-12-01'>.properties.settings
             """);
 
         result.ExcludingLinterDiagnostics().Should().HaveDiagnostics(
         [
-            ("BCP439", DiagnosticLevel.Error, "The @secure() decorator can only be used on statements whose type clause is \"string,\", \"object\", or a literal type."),
-            ("BCP439", DiagnosticLevel.Error, "The @secure() decorator can only be used on statements whose type clause is \"string,\", \"object\", or a literal type."),
+            ("BCP440", DiagnosticLevel.Error, "The @secure() decorator can only be used on statements whose type is a subtype of \"string\" or \"object\"."),
+            ("BCP440", DiagnosticLevel.Error, "The @secure() decorator can only be used on statements whose type is a subtype of \"string\" or \"object\"."),
         ]);
     }
+
+    [TestMethod]
+    public void Secure_decorator_is_permitted_on_inline_object_types()
+    {
+        var result = CompilationHelper.Compile("""
+            @secure()
+            param config {
+              *: string
+            }
+
+            @secure()
+            param foo 'bar' | 'baz' | 'quux'
+            """);
+
+        result.ExcludingLinterDiagnostics().Should().NotHaveAnyDiagnostics();
+    }
+
+    [TestMethod]
+    public void Secure_decorator_on_resource_derived_type_should_use_secure_ARM_primitive_type()
+    {
+        var result = CompilationHelper.Compile("""
+            @secure()
+            type stringRdt = resourceInput<'Microsoft.Resources/tags@2022-09-01'>.properties.tags.*
+
+            @secure()
+            type objectRdt = resourceInput<'Microsoft.Resources/tags@2022-09-01'>.properties.tags
+            """);
+
+        result.Should().NotHaveAnyCompilationBlockingDiagnostics();
+        result.Template.Should().NotBeNull();
+        result.Template.Should().HaveValueAtPath("$.definitions.stringRdt.type", "securestring");
+        result.Template.Should().HaveValueAtPath("$.definitions.objectRdt.type", "secureObject");
+    }
 }

src/Bicep.Core/Diagnostics/DiagnosticBuilder.cs

@@ -2000,6 +2000,10 @@ public Diagnostic BaseIdentifierRedeclared() => CoreError(
             public Diagnostic SecureDecoratorOnlyAllowedOnStringsAndObjects() => CoreError(
                 "BCP439",
                 "The @secure() decorator can only be used on statements whose type clause is \"string,\", \"object\", or a literal type.");
+
+            public Diagnostic SecureDecoratorTargetMustFitWithinStringOrObject() => CoreError(
+                "BCP440",
+                "The @secure() decorator can only be used on statements whose type is a subtype of \"string\" or \"object\".");
         }
 
         public static DiagnosticBuilderInternal ForPosition(TextSpan span)

src/Bicep.Core/Semantics/Namespaces/SystemNamespaceType.cs

@@ -1844,24 +1844,14 @@ static IEnumerable<Decorator> GetBicepTemplateDecorators(IFeatureProvider featur
                             return;
                         }
 
-                        var targetTypeClause = UnwrapNullableSyntax(GetDeclaredTypeSyntaxOfParent(decoratorSyntax, binder));
-                        if (IsLiteralSyntax(targetTypeClause, typeManager))
+                        if (TypeHelper.TryGetArmPrimitiveType(targetType) is null)
                         {
-                            // @secure() is allowed on literal string and object types
-                            return;
-                        }
-
-                        if (targetTypeClause is not null &&
-                            binder.GetSymbolInfo(targetTypeClause) is AmbientTypeSymbol ambientType &&
-                            ambientType.DeclaringNamespace.ExtensionName.Equals(BuiltInName) &&
-                            ambientType.Name is LanguageConstants.TypeNameString or LanguageConstants.ObjectType)
-                        {
-                            // @secure() is allowed if the target's type syntax is "string" or "object"
-                            return;
+                            // if we won't be emitting a "type" constraint in the compiled JSON, we can't make it a secure type
+                            diagnosticWriter.Write(
+                                DiagnosticBuilder.ForPosition(decoratorSyntax).SecureDecoratorTargetMustFitWithinStringOrObject());
                         }
 
-                        diagnosticWriter.Write(
-                            DiagnosticBuilder.ForPosition(decoratorSyntax).SecureDecoratorOnlyAllowedOnStringsAndObjects());
+                        ValidateNotTargetingAlias(decoratorName, decoratorSyntax, targetType, typeManager, binder, parsingErrorLookup, diagnosticWriter);
                     })
                     .WithEvaluator((functionCall, decorated) =>
                     {