StackStorm · Kami · Jul 11, 2018 · Jul 10, 2018 · Jul 10, 2018 · Jul 10, 2018
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -33,6 +33,15 @@ Changed
 
   Contributed by Nick Maludy (Encore Technologies).
 
+
+Fixed
+~~~~~
+
+* Fixed a bug where ``secret: true`` was not applying to full object and array trees. (bugfix) #4234
+  Reported by @jjm
+
+  Contributed by Nick Maludy (Encore Technologies).
+
 2.8.0 - July 10, 2018
 ---------------------
 

diff --git a/st2common/st2common/util/secrets.py b/st2common/st2common/util/secrets.py
@@ -66,6 +66,17 @@ def get_secret_parameters(parameters):
 
     secret_parameters = {}
     parameters_type = parameters.get('type')
+    # If the parameter itself is secret, then skip all processing below it
+    # and return the type of this parameter.
+    #
+    # **This causes the _full_ object / array tree to be secret (no children will be shown).**
+    #
+    # **Important** that we do this check first, so in case this parameter
+    # is an `object` or `array`, and the user wants the full thing
+    # to be secret, that it is marked as secret.
+    if parameters.get('secret', False):
+        return parameters_type
+
     iterator = None
     if parameters_type == 'object':
         # if this is an object, then iterate over the properties within
@@ -95,7 +106,24 @@ def get_secret_parameters(parameters):
             continue
 
         parameter_type = options.get('type')
-        if parameter_type in ['object', 'array']:
+        if options.get('secret', False):
+            # If this parameter is secret, then add it our secret parameters
+            #
+            # **This causes the _full_ object / array tree to be secret
+            #   (no children will be shown)**
+            #
+            # **Important** that we do this check first, so in case this parameter
+            # is an `object` or `array`, and the user wants the full thing
+            # to be secret, that it is marked as secret.
+            if isinstance(secret_parameters, list):
+                secret_parameters.append(parameter_type)
+            elif isinstance(secret_parameters, dict):
+                secret_parameters[parameter] = parameter_type
+            else:
+                return parameter_type
+        elif parameter_type in ['object', 'array']:
+            # otherwise recursively dive into the `object`/`array` and
+            # find individual parameters marked as secret
             sub_params = get_secret_parameters(options)
             if sub_params:
                 if isinstance(secret_parameters, list):
@@ -104,14 +132,6 @@ def get_secret_parameters(parameters):
                     secret_parameters[parameter] = sub_params
                 else:
                     return sub_params
-        elif options.get('secret', False):
-            # if this parameter is secret, then add it our secret parameters
-            if isinstance(secret_parameters, list):
-                secret_parameters.append(parameter_type)
-            elif isinstance(secret_parameters, dict):
-                secret_parameters[parameter] = parameter_type
-            else:
-                return parameter_type
 
     return secret_parameters