Added one more case for the denied names blacklist

Signed-off-by: Diogo Monica <diogo.monica@gmail.com>

manager/controlapi/secret.go

@@ -200,7 +200,7 @@ func (s *Server) RemoveSecret(ctx context.Context, request *api.RemoveSecretRequ
 	}
 
 	err := s.store.Update(func(tx store.Tx) error {
-		// Check inf the secret exists
+		// Check if the secret exists
 		secret := store.GetSecret(tx, request.SecretID)
 		if secret == nil {
 			return grpc.Errorf(codes.NotFound, "could not find secret %s", request.SecretID)

manager/controlapi/secret_test.go

@@ -272,11 +272,17 @@ func TestRemoveUsedSecret(t *testing.T) {
 	_, err = ts.Client.CreateService(context.Background(), &api.CreateServiceRequest{Spec: service})
 	assert.NoError(t, err)
 
+	service2 := createSpec("service2", "image", 1)
+	service2.Task.GetContainer().Secrets = secretRefs
+	_, err = ts.Client.CreateService(context.Background(), &api.CreateServiceRequest{Spec: service2})
+	assert.NoError(t, err)
+
 	// removing a secret that exists but is in use fails
 	_, err = ts.Client.RemoveSecret(context.Background(), &api.RemoveSecretRequest{SecretID: resp.Secret.ID})
 	assert.Equal(t, codes.InvalidArgument, grpc.Code(err), grpc.ErrorDesc(err))
+	assert.Regexp(t, "service[1-2], service[1-2]", grpc.ErrorDesc(err))
 
-	// removing a secret that exists but is not in use with force succeeds
+	// removing a secret that exists but is not in use succeeds
 	_, err = ts.Client.RemoveSecret(context.Background(), &api.RemoveSecretRequest{SecretID: resp2.Secret.ID})
 	assert.NoError(t, err)
 

manager/controlapi/service_test.go

@@ -395,7 +395,7 @@ func TestSecretValidation(t *testing.T) {
 	assert.NoError(t, err)
 
 	// test secret References with invalid filenames
-	invalidFileNames := []string{"../secretfile.txt", "../../secretfile.txt", "file../.txt"}
+	invalidFileNames := []string{"../secretfile.txt", "../../secretfile.txt", "file../.txt", "subdir/file.txt"}
 	for i, invalidName := range invalidFileNames {
 		secretRef := createSecret(t, ts, invalidName, invalidName)