diff --git a/eng/common/scripts/Add-RetentionLease.ps1 b/eng/common/scripts/Add-RetentionLease.ps1 index cbc677730..ae7b80119 100644 --- a/eng/common/scripts/Add-RetentionLease.ps1 +++ b/eng/common/scripts/Add-RetentionLease.ps1 @@ -26,19 +26,7 @@ Set-StrictMode -Version 3 . (Join-Path $PSScriptRoot common.ps1) -$unencodedAuthToken = "nobody:$AccessToken" -$unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken) -$encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes) - -if ($isDevOpsRun) { - # We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines - # build logs. Azure Pipelines will see this text and register the secret as a value it should *** out - # before being transmitted to the server (and shown in logs). It means if the value is accidentally - # leaked anywhere else that it won't be visible. The downside is that when the script is executed - # on a local development box, it will be visible. - Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)" -} - +$encodedAuthToken = Get-Base64EncodedToken $AccessToken LogDebug "Checking for existing leases on run: $RunId" $existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken diff --git a/eng/common/scripts/Invoke-DevOpsAPI.ps1 b/eng/common/scripts/Invoke-DevOpsAPI.ps1 index bc89aa88b..ff1c8c02f 100644 --- a/eng/common/scripts/Invoke-DevOpsAPI.ps1 +++ b/eng/common/scripts/Invoke-DevOpsAPI.ps1 @@ -2,6 +2,20 @@ $DevOpsAPIBaseURI = "https://dev.azure.com/{0}/{1}/_apis/{2}/{3}?{4}api-version=6.0" +function Get-Base64EncodedToken([string]$AuthToken) +{ + $unencodedAuthToken = "nobody:$AuthToken" + $unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken) + $encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes) + + if (Test-SupportsDevOpsLogging) { + # Mark the encoded value as a secret so that DevOps will star any references to it that might end up in the logs + Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)" + } + + return $encodedAuthToken +} + function Get-DevOpsApiHeaders ($Base64EncodedToken) { $headers = @{ Authorization = "Basic $Base64EncodedToken" diff --git a/eng/common/scripts/Queue-Pipeline.ps1 b/eng/common/scripts/Queue-Pipeline.ps1 index 179ba5853..281bc2f9a 100644 --- a/eng/common/scripts/Queue-Pipeline.ps1 +++ b/eng/common/scripts/Queue-Pipeline.ps1 @@ -17,7 +17,7 @@ pipeline. Pipline definition ID .PARAMETER CancelPreviousBuilds -Requires a value for SourceBranch. Cancel previous builds before queuing the new +Requires a value for SourceBranch. Cancel previous builds before queuing the new build. .PARAMETER VsoQueuedPipelines @@ -55,18 +55,25 @@ param( [boolean]$CancelPreviousBuilds=$false, - [Parameter(Mandatory = $false)] [string]$VsoQueuedPipelines, - [Parameter(Mandatory = $true)] + # Already base 64 encoded authentication token [string]$Base64EncodedAuthToken, + # Unencoded authentication token + [string]$AuthToken, + [Parameter(Mandatory = $false)] [string]$BuildParametersJson ) . (Join-Path $PSScriptRoot common.ps1) +if (!$Base64EncodedAuthToken) +{ + $Base64EncodedAuthToken = Get-Base64EncodedToken $AuthToken +} + # Skip if SourceBranch is empty because it we cannot generate a target branch # name from an empty string. if ($CancelPreviousBuilds -and $SourceBranch) @@ -105,11 +112,16 @@ catch { exit 1 } +if (!$resp.definition) { + LogError "Invalid queue build response: $resp" + exit 1 +} + LogDebug "Pipeline [ $($resp.definition.name) ] queued at [ $($resp._links.web.href) ]" if ($VsoQueuedPipelines) { $enVarValue = [System.Environment]::GetEnvironmentVariable($VsoQueuedPipelines) - $QueuedPipelineLinks = if ($enVarValue) { + $QueuedPipelineLinks = if ($enVarValue) { "$enVarValue
[$($resp.definition.name)]($($resp._links.web.href))" }else { "[$($resp.definition.name)]($($resp._links.web.href))" diff --git a/eng/common/scripts/logging.ps1 b/eng/common/scripts/logging.ps1 index 5266d9614..84adec47f 100644 --- a/eng/common/scripts/logging.ps1 +++ b/eng/common/scripts/logging.ps1 @@ -1,8 +1,11 @@ -$isDevOpsRun = ($null -ne $env:SYSTEM_TEAMPROJECTID) +function Test-SupportsDevOpsLogging() +{ + return ($null -ne $env:SYSTEM_TEAMPROJECTID) +} function LogWarning { - if ($isDevOpsRun) + if (Test-SupportsDevOpsLogging) { Write-Host "##vso[task.LogIssue type=warning;]$args" } @@ -14,11 +17,11 @@ function LogWarning function LogError { - if ($isDevOpsRun) + if (Test-SupportsDevOpsLogging) { Write-Host "##vso[task.LogIssue type=error;]$args" } - else + else { Write-Error "$args" } @@ -26,11 +29,11 @@ function LogError function LogDebug { - if ($isDevOpsRun) + if (Test-SupportsDevOpsLogging) { Write-Host "[debug]$args" } - else + else { Write-Debug "$args" }