Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sync eng/common directory with azure-sdk-tools for PR 1565 #14553

Merged
merged 2 commits into from
Apr 21, 2021
Merged

Sync eng/common directory with azure-sdk-tools for PR 1565 #14553

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4b17a90
Fix retain runs auth.
mitchdenny Apr 20, 2021
8cb1f1c
Emit encoded token as secret.
mitchdenny Apr 20, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion eng/common/pipelines/templates/steps/retain-run.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,5 @@ steps:
-RunId $(Build.BuildId)
-OwnerId Pipeline
-DaysValid ${{parameters.DaysValid}}
-Base64EncodedAuthToken $env:SYSTEM_ACCESSTOKEN
-AccessToken $env:SYSTEM_ACCESSTOKEN
-Debug
19 changes: 15 additions & 4 deletions eng/common/scripts/Add-RetentionLease.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,24 +19,35 @@ param(
[int]$DaysValid,

[Parameter(Mandatory = $true)]
[string]$Base64EncodedAuthToken
[string]$AccessToken
)

$unencodedAuthToken = "nobody:$AccessToken"
$unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
$encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)

# We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines
# build logs. Azure Pipelines will see this text and register the secret as a value it should *** out
# before being transmitted to the server (and shown in logs). It means if the value is accidentally
# leaked anywhere else that it won't be visible. The downside is that when the script is executed
# on a local development box, it will be visible.
Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"

. (Join-Path $PSScriptRoot common.ps1)

LogDebug "Checking for existing leases on run: $RunId"
$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $Base64EncodedAuthToken
$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken

if ($existingLeases.count -ne 0) {
LogDebug "Found $($existingLeases.count) leases, will delete them first."

foreach ($lease in $existingLeases.value) {
LogDebug "Deleting lease: $($lease.leaseId)"
Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $Base64EncodedAuthToken
Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $encodedAuthToken
}

}

LogDebug "Creating new lease on run: $RunId"
$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $Base64EncodedAuthToken
$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $encodedAuthToken
LogDebug "Lease ID is: $($lease.value.leaseId)"