Sync eng/common directory with azure-sdk-tools for PR 1565 (#14553)

* Fix retain runs auth. * Emit encoded token as secret. Co-authored-by: Mitch Denny <[email protected]>
Azure · Apr 21, 2021 · e6d0d5f · e6d0d5f
1 parent 5764700
commit e6d0d5f
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/eng/common/pipelines/templates/steps/retain-run.yml b/eng/common/pipelines/templates/steps/retain-run.yml
@@ -18,5 +18,5 @@ steps:
         -RunId $(Build.BuildId)
         -OwnerId Pipeline
         -DaysValid ${{parameters.DaysValid}}
-        -Base64EncodedAuthToken $env:SYSTEM_ACCESSTOKEN
+        -AccessToken $env:SYSTEM_ACCESSTOKEN
         -Debug
diff --git a/eng/common/scripts/Add-RetentionLease.ps1 b/eng/common/scripts/Add-RetentionLease.ps1
@@ -19,24 +19,35 @@ param(
   [int]$DaysValid,
 
   [Parameter(Mandatory = $true)]
-  [string]$Base64EncodedAuthToken
+  [string]$AccessToken
 )
 
+$unencodedAuthToken = "nobody:$AccessToken"
+$unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
+$encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)
+
+# We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines
+# build logs. Azure Pipelines will see this text and register the secret as a value it should *** out
+# before being transmitted to the server (and shown in logs). It means if the value is accidentally
+# leaked anywhere else that it won't be visible. The downside is that when the script is executed
+# on a local development box, it will be visible.
+Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"
+
 . (Join-Path $PSScriptRoot common.ps1)
 
 LogDebug "Checking for existing leases on run: $RunId"
-$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $Base64EncodedAuthToken
+$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken
 
 if ($existingLeases.count -ne 0) {
     LogDebug "Found $($existingLeases.count) leases, will delete them first."
 
     foreach ($lease in $existingLeases.value) {
         LogDebug "Deleting lease: $($lease.leaseId)"
-        Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $Base64EncodedAuthToken
+        Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $encodedAuthToken
     }
 
 }
 
 LogDebug "Creating new lease on run: $RunId"
-$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $Base64EncodedAuthToken
+$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $encodedAuthToken
 LogDebug "Lease ID is: $($lease.value.leaseId)"