From 18fb2de0896f8b323d7918461b9cbbe255c2bb17 Mon Sep 17 00:00:00 2001 From: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com> Date: Tue, 11 Apr 2023 18:32:39 -0700 Subject: [PATCH] Sync eng/common directory with azure-sdk-tools for PR 5951 (#4537) * Switch to using standard PAT tokens instead of base 64 For most of these we can use the standard System.AccessToken given to the build instead of maintaining a specific token. However that token isn't base 64 encoded so we need to encode it. With this we can stop explicitly passing PAT's unless we need to access another DevOps org and we also don't have to remember to keep the PAT's in KV base 64 encoded. Add error detection for queue build script to fail if we get login response. * PR Feedback --------- Co-authored-by: Wes Haggard --- eng/common/scripts/Add-RetentionLease.ps1 | 14 +------------- eng/common/scripts/Invoke-DevOpsAPI.ps1 | 14 ++++++++++++++ eng/common/scripts/Queue-Pipeline.ps1 | 20 ++++++++++++++++---- eng/common/scripts/logging.ps1 | 15 +++++++++------ 4 files changed, 40 insertions(+), 23 deletions(-) diff --git a/eng/common/scripts/Add-RetentionLease.ps1 b/eng/common/scripts/Add-RetentionLease.ps1 index cbc677730..ae7b80119 100644 --- a/eng/common/scripts/Add-RetentionLease.ps1 +++ b/eng/common/scripts/Add-RetentionLease.ps1 
@@ -26,19 +26,7 @@ Set-StrictMode -Version 3 . (Join-Path $PSScriptRoot common.ps1) -$unencodedAuthToken = "nobody:$AccessToken" -$unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken) -$encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes) - -if ($isDevOpsRun) { - # We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines - # build logs. Azure Pipelines will see this text and register the secret as a value it should *** out - # before being transmitted to the server (and shown in logs). It means if the value is accidentally - # leaked anywhere else that it won't be visible. The downside is that when the script is executed - # on a local development box, it will be visible. - Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)" -} - +$encodedAuthToken = Get-Base64EncodedToken $AccessToken LogDebug "Checking for existing leases on run: $RunId" $existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken diff --git a/eng/common/scripts/Invoke-DevOpsAPI.ps1 b/eng/common/scripts/Invoke-DevOpsAPI.ps1 index bc89aa88b..ff1c8c02f 100644 --- a/eng/common/scripts/Invoke-DevOpsAPI.ps1 +++ b/eng/common/scripts/Invoke-DevOpsAPI.ps1 
@@ -2,6 +2,20 @@ $DevOpsAPIBaseURI = "https://dev.azure.com/{0}/{1}/_apis/{2}/{3}?{4}api-version=6.0" +function Get-Base64EncodedToken([string]$AuthToken) +{ + $unencodedAuthToken = "nobody:$AuthToken" + $unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken) + $encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes) + + if (Test-SupportsDevOpsLogging) { + # Mark the encoded value as a secret so that DevOps will star any references to it that might end up in the logs + Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)" + } + + return $encodedAuthToken +} + function Get-DevOpsApiHeaders ($Base64EncodedToken) { $headers = @{ Authorization = "Basic $Base64EncodedToken" diff --git a/eng/common/scripts/Queue-Pipeline.ps1 b/eng/common/scripts/Queue-Pipeline.ps1 index 179ba5853..281bc2f9a 100644 --- a/eng/common/scripts/Queue-Pipeline.ps1 +++ b/eng/common/scripts/Queue-Pipeline.ps1 @@ -17,7 +17,7 @@ pipeline. Pipline definition ID .PARAMETER CancelPreviousBuilds -Requires a value for SourceBranch. Cancel previous builds before queuing the new +Requires a value for SourceBranch. Cancel previous builds before queuing the new build. .PARAMETER VsoQueuedPipelines @@ -55,18 +55,25 @@ param( [boolean]$CancelPreviousBuilds=$false, - [Parameter(Mandatory = $false)] [string]$VsoQueuedPipelines, - [Parameter(Mandatory = $true)] + # Already base 64 encoded authentication token [string]$Base64EncodedAuthToken, + # Unencoded authentication token + [string]$AuthToken, + [Parameter(Mandatory = $false)] [string]$BuildParametersJson ) . (Join-Path $PSScriptRoot common.ps1) +if (!$Base64EncodedAuthToken) +{ + $Base64EncodedAuthToken = Get-Base64EncodedToken $AuthToken +} + # Skip if SourceBranch is empty because it we cannot generate a target branch # name from an empty string. if ($CancelPreviousBuilds -and $SourceBranch) 
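Review bot: In `Get-Base64EncodedToken` (Invoke-DevOpsAPI.ps1), masking the encoded credential through `task.setvariable` also publishes it as a job variable named `_throwawayencodedaccesstoken`, so later steps in the same job can reference the value even though the name calls it throwaway. Azure Pipelines has a logging command that only registers a value for masking, so the `Write-Host` line could become `Write-Host "##vso[task.setsecret]$encodedAuthToken"`. The comment above it should also say that only this exact Base64 string is masked, so a truncated or differently encoded copy of the token would still show up in logs.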
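Review bot: With `Mandatory` dropped from `$Base64EncodedAuthToken` in the Queue-Pipeline.ps1 param block and `$AuthToken` added as optional, a call that supplies neither still runs: `Get-Base64EncodedToken` encodes `nobody:` with an empty password and the request is sent with that empty credential. Failing before any request makes a missing or misnamed secret obvious, e.g. `if (!$Base64EncodedAuthToken -and !$AuthToken) { LogError "Either Base64EncodedAuthToken or AuthToken is required"; exit 1 }` placed ahead of the new `if (!$Base64EncodedAuthToken)` block. The same guard would fit inside `Get-Base64EncodedToken`, which would cover Add-RetentionLease.ps1 as well. The comment-based help at the top of the script probably needs a `.PARAMETER AuthToken` entry too, but that part of the file is outside the hunk.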
@@ -105,11 +112,16 @@ catch { exit 1 } +if (!$resp.definition) { + LogError "Invalid queue build response: $resp" + exit 1 +} + LogDebug "Pipeline [ $($resp.definition.name) ] queued at [ $($resp._links.web.href) ]" if ($VsoQueuedPipelines) { $enVarValue = [System.Environment]::GetEnvironmentVariable($VsoQueuedPipelines) - $QueuedPipelineLinks = if ($enVarValue) { + $QueuedPipelineLinks = if ($enVarValue) { "$enVarValue
[$($resp.definition.name)]($($resp._links.web.href))" }else { "[$($resp.definition.name)]($($resp._links.web.href))" diff --git a/eng/common/scripts/logging.ps1 b/eng/common/scripts/logging.ps1 index 5266d9614..84adec47f 100644 --- a/eng/common/scripts/logging.ps1 +++ b/eng/common/scripts/logging.ps1 @@ -1,8 +1,11 @@ -$isDevOpsRun = ($null -ne $env:SYSTEM_TEAMPROJECTID) +function Test-SupportsDevOpsLogging() +{ + return ($null -ne $env:SYSTEM_TEAMPROJECTID) +} function LogWarning { - if ($isDevOpsRun) + if (Test-SupportsDevOpsLogging) { Write-Host "##vso[task.LogIssue type=warning;]$args" } @@ -14,11 +17,11 @@ function LogWarning function LogError { - if ($isDevOpsRun) + if (Test-SupportsDevOpsLogging) { Write-Host "##vso[task.LogIssue type=error;]$args" } - else + else { Write-Error "$args" } @@ -26,11 +29,11 @@ function LogError function LogDebug { - if ($isDevOpsRun) + if (Test-SupportsDevOpsLogging) { Write-Host "[debug]$args" } - else + else { Write-Debug "$args" }
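Review bot: The new `if (!$resp.definition)` check in Queue-Pipeline.ps1 writes the whole response into the error via `"Invalid queue build response: $resp"`, and when the API answers with a sign-in page, the case the commit message targets, that is a full HTML document in the build log. Logging a bounded prefix keeps the log readable, e.g. `$snippet = "$resp"; if ($snippet.Length -gt 200) { $snippet = $snippet.Substring(0, 200) }` followed by `LogError "Invalid queue build response: $snippet"`. If strict mode is active in this script (not visible in the hunk), `$resp.definition` on a string response would throw a property-not-found error before this branch is reached, so the check may need a `$resp -is [string]` test first.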
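Review bot: Removing `$isDevOpsRun` from logging.ps1 leaves any script that still reads it with an undefined variable: without strict mode `if ($isDevOpsRun)` quietly takes the non-DevOps branch, and with strict mode it throws. This diff updates Add-RetentionLease.ps1 and the three log functions, but other consumers of logging.ps1 are not visible here, and the use removed from Add-RetentionLease.ps1 was the one guarding secret masking. Keeping `$isDevOpsRun = Test-SupportsDevOpsLogging` after the function for a transition period, or confirming that no references remain, would avoid a silent behaviour change. The new function could also carry a one-line comment such as `# True when running under Azure Pipelines (SYSTEM_TEAMPROJECTID is set)`.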