
Commit 8d6abbe

Sync eng/common directory with azure-sdk-tools for PR 1565 (Azure#14939)
* Fix retain runs auth. * Emit encoded token as secret. Co-authored-by: Mitch Denny <[email protected]>
1 parent 7bf76b1 commit 8d6abbe


2 files changed

+16
-5
lines changed


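--- a/eng/common/pipelines/templates/steps/retain-run.yml
+++ b/eng/common/pipelines/templates/steps/retain-run.yml
@@ -18,5 +18,5 @@ steps:
 -RunId $(Build.BuildId)
 -OwnerId Pipeline
 -DaysValid ${{parameters.DaysValid}}
--Base64EncodedAuthToken $env:SYSTEM_ACCESSTOKEN
+-AccessToken $env:SYSTEM_ACCESSTOKEN
 -Debug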

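--- a/eng/common/scripts/Add-RetentionLease.ps1
+++ b/eng/common/scripts/Add-RetentionLease.ps1
@@ -19,24 +19,35 @@ param(
 [int]$DaysValid,
 
 [Parameter(Mandatory = $true)]
-[string]$Base64EncodedAuthToken
+[string]$AccessToken
 )
 
+$unencodedAuthToken = "nobody:$AccessToken"
+$unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
+$encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)
+
+# We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines
+# build logs. Azure Pipelines will see this text and register the secret as a value it should *** out
+# before being transmitted to the server (and shown in logs). It means if the value is accidentally
+# leaked anywhere else that it won't be visible. The downside is that when the script is executed
+# on a local development box, it will be visible.
+Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"
+
 . (Join-Path $PSScriptRoot common.ps1)
 
 LogDebug "Checking for existing leases on run: $RunId"
-$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $Base64EncodedAuthToken
+$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken
 
 if ($existingLeases.count -ne 0) {
 LogDebug "Found $($existingLeases.count) leases, will delete them first."
 
 foreach ($lease in $existingLeases.value) {
 LogDebug "Deleting lease: $($lease.leaseId)"
-Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $Base64EncodedAuthToken
+Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $encodedAuthToken
 }
 
 }
 
 LogDebug "Creating new lease on run: $RunId"
-$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $Base64EncodedAuthToken
+$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $encodedAuthToken
 LogDebug "Lease ID is: $($lease.value.leaseId)"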
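Review bot: The added `Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]..."` line prints the Base64 credential to stdout unconditionally, so outside Azure Pipelines (as the comment above it concedes) the value lands in the console or any transcript in cleartext. Guarding it with the agent's predefined variable, `if ($env:TF_BUILD) { Write-Host "##vso[task.setsecret]$encodedAuthToken" }`, keeps the masking on the agent and emits nothing on a developer machine. `task.setsecret` registers the value for masking without also creating a job variable named `_throwawayencodedaccesstoken` that holds a usable credential for the rest of the job; confirm the agent versions in use support that command before switching. The comment's "zero chance" is also stronger than the mechanism gives: masking starts only once the agent has processed this line and covers only this exact encoding, so the comment should say that instead.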
