Sync eng/common directory with azure-sdk-tools for PR 5951 (#4537)

* Switch to using standard PAT tokens instead of base 64 For most of these we can use the standard System.AccessToken given to the build instead of maintaining a specific token. However that token isn't base 64 encoded so we need to encode it. With this we can stop explicitly passing PAT's unless we need to access another DevOps org and we also don't have to remember to keep the PAT's in KV base 64 encoded. Add error detection for queue build script to fail if we get login response. * PR Feedback --------- Co-authored-by: Wes Haggard <Wes.Haggard@microsoft.com>
2023-04-11 18:32:39 -07:00 · 2023-04-11 18:32:39 -07:00 · 18fb2de089
commit 18fb2de089
parent 49f0f9e869
4 changed files with 40 additions and 23 deletions
--- a/eng/common/scripts/Add-RetentionLease.ps1
+++ b/eng/common/scripts/Add-RetentionLease.ps1
@ -26,19 +26,7 @@ Set-StrictMode -Version 3

 . (Join-Path $PSScriptRoot common.ps1)

-$unencodedAuthToken = "nobody:$AccessToken"
-$unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
-$encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)
-
-if ($isDevOpsRun) {
-  # We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines
-  # build logs. Azure Pipelines will see this text and register the secret as a value it should *** out
-  # before being transmitted to the server (and shown in logs). It means if the value is accidentally
-  # leaked anywhere else that it won't be visible. The downside is that when the script is executed
-  # on a local development box, it will be visible.
-  Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"
-}
-
+$encodedAuthToken = Get-Base64EncodedToken $AccessToken

 LogDebug "Checking for existing leases on run: $RunId"
 $existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken
--- a/eng/common/scripts/Invoke-DevOpsAPI.ps1
+++ b/eng/common/scripts/Invoke-DevOpsAPI.ps1
@ -2,6 +2,20 @@

 $DevOpsAPIBaseURI = "https://dev.azure.com/{0}/{1}/_apis/{2}/{3}?{4}api-version=6.0"

+function Get-Base64EncodedToken([string]$AuthToken)
+{
+  $unencodedAuthToken = "nobody:$AuthToken"
+  $unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
+  $encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)
+
+  if (Test-SupportsDevOpsLogging) {
+    # Mark the encoded value as a secret so that DevOps will star any references to it that might end up in the logs
+    Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"
+  }
+
+  return $encodedAuthToken
+}
+
 function Get-DevOpsApiHeaders ($Base64EncodedToken) {
  $headers = @{
    Authorization = "Basic $Base64EncodedToken"
--- a/eng/common/scripts/Queue-Pipeline.ps1
+++ b/eng/common/scripts/Queue-Pipeline.ps1
@ -17,7 +17,7 @@ pipeline.
 Pipline definition ID

 .PARAMETER CancelPreviousBuilds
-Requires a value for SourceBranch. Cancel previous builds before queuing the new 
+Requires a value for SourceBranch. Cancel previous builds before queuing the new
 build.

 .PARAMETER VsoQueuedPipelines
@ -55,18 +55,25 @@ param(

  [boolean]$CancelPreviousBuilds=$false,

-  [Parameter(Mandatory = $false)]
  [string]$VsoQueuedPipelines,

-  [Parameter(Mandatory = $true)]
+  # Already base 64 encoded authentication token
  [string]$Base64EncodedAuthToken,

+  # Unencoded authentication token
+  [string]$AuthToken,
+
  [Parameter(Mandatory = $false)]
  [string]$BuildParametersJson
 )

 . (Join-Path $PSScriptRoot common.ps1)

+if (!$Base64EncodedAuthToken)
+{
+  $Base64EncodedAuthToken = Get-Base64EncodedToken $AuthToken
+}
+
 # Skip if SourceBranch is empty because it we cannot generate a target branch
 # name from an empty string.
 if ($CancelPreviousBuilds -and $SourceBranch)
@ -105,11 +112,16 @@ catch {
  exit 1
 }

+if (!$resp.definition) {
+  LogError "Invalid queue build response: $resp"
+  exit 1
+}
+
 LogDebug "Pipeline [ $($resp.definition.name) ] queued at [ $($resp._links.web.href) ]"

 if ($VsoQueuedPipelines) {
  $enVarValue = [System.Environment]::GetEnvironmentVariable($VsoQueuedPipelines)
-  $QueuedPipelineLinks = if ($enVarValue) { 
+  $QueuedPipelineLinks = if ($enVarValue) {
    "$enVarValue<br>[$($resp.definition.name)]($($resp._links.web.href))"
  }else {
    "[$($resp.definition.name)]($($resp._links.web.href))"
--- a/eng/common/scripts/logging.ps1
+++ b/eng/common/scripts/logging.ps1
@ -1,8 +1,11 @@
-$isDevOpsRun = ($null -ne $env:SYSTEM_TEAMPROJECTID)
+function Test-SupportsDevOpsLogging()
+{
+    return ($null -ne $env:SYSTEM_TEAMPROJECTID)
+}

 function LogWarning
 {
-    if ($isDevOpsRun) 
+    if (Test-SupportsDevOpsLogging)
    {
        Write-Host "##vso[task.LogIssue type=warning;]$args"
    }
@ -14,11 +17,11 @@ function LogWarning

 function LogError
 {
-    if ($isDevOpsRun) 
+    if (Test-SupportsDevOpsLogging)
    {
        Write-Host "##vso[task.LogIssue type=error;]$args"
    }
-    else 
+    else
    {
        Write-Error "$args"
    }
@ -26,11 +29,11 @@ function LogError

 function LogDebug
 {
-    if ($isDevOpsRun) 
+    if (Test-SupportsDevOpsLogging)
    {
        Write-Host "[debug]$args"
    }
-    else 
+    else
    {
        Write-Debug "$args"
    }