From 4b17a90fda90458ced76992e6384838664077460 Mon Sep 17 00:00:00 2001
From: Mitch Denny
Date: Tue, 20 Apr 2021 13:23:53 +1000
Subject: [PATCH 1/2] Fix retain runs auth.
---
 eng/common/pipelines/templates/steps/retain-run.yml | 2 +-
 eng/common/scripts/Add-RetentionLease.ps1 | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/eng/common/pipelines/templates/steps/retain-run.yml b/eng/common/pipelines/templates/steps/retain-run.yml
index a514b90f2291..c2ac6186674b 100644
--- a/eng/common/pipelines/templates/steps/retain-run.yml
+++ b/eng/common/pipelines/templates/steps/retain-run.yml
@@ -18,5 +18,5 @@ steps:
 -RunId $(Build.BuildId)
 -OwnerId Pipeline
 -DaysValid ${{parameters.DaysValid}}
- -Base64EncodedAuthToken $env:SYSTEM_ACCESSTOKEN
+ -AccessToken $env:SYSTEM_ACCESSTOKEN
 -Debug
\ No newline at end of file
diff --git a/eng/common/scripts/Add-RetentionLease.ps1 b/eng/common/scripts/Add-RetentionLease.ps1
index c368b255436a..570d448f709c 100644
--- a/eng/common/scripts/Add-RetentionLease.ps1
+++ b/eng/common/scripts/Add-RetentionLease.ps1
@@ -19,24 +19,28 @@ param(
 [int]$DaysValid,
 [Parameter(Mandatory = $true)]
- [string]$Base64EncodedAuthToken
+ [string]$AccessToken
 )
+$unencodedAuthToken = "nobody:$AccessToken"
+$unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
+$encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)
+
 . (Join-Path $PSScriptRoot common.ps1)
 LogDebug "Checking for existing leases on run: $RunId"
-$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $Base64EncodedAuthToken
+$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken
 if ($existingLeases.count -ne 0) {
 LogDebug "Found $($existingLeases.count) leases, will delete them first."
 foreach ($lease in $existingLeases.value) {
 LogDebug "Deleting lease: $($lease.leaseId)"
- Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $Base64EncodedAuthToken
+ Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $encodedAuthToken
 }
 }
 LogDebug "Creating new lease on run: $RunId"
-$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $Base64EncodedAuthToken
+$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $encodedAuthToken
 LogDebug "Lease ID is: $($lease.value.leaseId)"
\ No newline at end of file
From 8cb1f1c25e19e3fae2c390ed4eaf913b32375038 Mon Sep 17 00:00:00 2001
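Review bot: The contract of the new `-AccessToken` parameter — a raw token, which the script then base64-encodes itself — is documented nowhere in the hunk, and that is exactly the distinction whose absence produced the double-encoding this commit fixes; a comment on the parameter would keep it from coming back, e.g. `# Raw Azure DevOps access token (e.g. $(System.AccessToken)), NOT base64; the script encodes it as "nobody:<token>" below for the Basic-auth helpers.` The `param(` block this parameter belongs to starts outside the hunk. Presumably the `nobody` user name is a placeholder the service ignores and only the token part matters — worth confirming against the helpers in common.ps1 and stating in that comment, since `$unencodedAuthToken` keeps the raw `nobody:<token>` string alive in script scope for the rest of the run.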
From: Mitch Denny
Date: Wed, 21 Apr 2021 08:42:59 +1000
Subject: [PATCH 2/2] Emit encoded token as secret.
---
 eng/common/scripts/Add-RetentionLease.ps1 | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/eng/common/scripts/Add-RetentionLease.ps1 b/eng/common/scripts/Add-RetentionLease.ps1
index 570d448f709c..dd56c20a5531 100644
--- a/eng/common/scripts/Add-RetentionLease.ps1
+++ b/eng/common/scripts/Add-RetentionLease.ps1
@@ -26,6 +26,13 @@ $unencodedAuthToken = "nobody:$AccessToken"
 $unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
 $encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)
+# We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines
+# build logs. Azure Pipelines will see this text and register the secret as a value it should *** out
+# before being transmitted to the server (and shown in logs). It means if the value is accidentally
+# leaked anywhere else that it won't be visible. The downside is that when the script is executed
+# on a local development box, it will be visible.
+Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"
+
 . (Join-Path $PSScriptRoot common.ps1)
 LogDebug "Checking for existing leases on run: $RunId"
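Review bot: The `Write-Host "##vso[task.setvariable …issecret=true;]…"` line runs unconditionally, so on a developer box (the case the comment itself concedes) it prints the base64 credential to the console in clear text; gate it on the agent environment, e.g. `if ($env:TF_BUILD) { Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$encodedAuthToken" }`. The guard has to be self-contained because common.ps1 is only dot-sourced two lines later, so none of its helpers are available at this point. The comment also overstates what masking buys: `issecret=true` redacts only that exact base64 string, not the raw `nobody:<token>` value still held in `$unencodedAuthToken` or any escaped variant of either, and it additionally creates a job-scoped variable that later steps in the job can read. I would replace "zero chance" with something like `# Register the base64 form as a secret too, so the agent masks it if a helper ever echoes the Authorization header.`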