Skip to content

Fix retain runs auth. #1565

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
2 commits merged into from
Apr 21, 2021
Merged

Fix retain runs auth. #1565

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1337f1e
Fix retain runs auth.
mitchdenny Apr 20, 2021
0f1047f
Emit encoded token as secret.
mitchdenny Apr 20, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion eng/common/pipelines/templates/steps/retain-run.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,5 +18,5 @@ steps:
-RunId $(Build.BuildId)
-OwnerId Pipeline
-DaysValid ${{parameters.DaysValid}}
-Base64EncodedAuthToken $env:SYSTEM_ACCESSTOKEN
-AccessToken $env:SYSTEM_ACCESSTOKEN
-Debug
19 changes: 15 additions & 4 deletions eng/common/scripts/Add-RetentionLease.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,24 +19,35 @@ param(
[int]$DaysValid,

[Parameter(Mandatory = $true)]
[string]$Base64EncodedAuthToken
[string]$AccessToken
)

$unencodedAuthToken = "nobody:$AccessToken"
$unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
$encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)
Copy link
Member

@weshaggard weshaggard Apr 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we set the encodedAuthToken as a secret value to ensure it doesn't get dumped out into the logs?

Copy link
Contributor Author

@mitchdenny mitchdenny Apr 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what you mean? Is there a mechanism in PowerShell to declare a variable as as secret so it is masked out? Or are you suggesting emitting a ##vso secret variable so that Azure DevOps will mask it for us?

Copy link
Member

@weshaggard weshaggard Apr 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking about the set variable like we do in other places like https://github.com/Azure/azure-sdk-tools/blob/master/eng/common/TestResources/build-test-resource-config.yml#L22.

Copy link
Contributor Author

@mitchdenny mitchdenny Apr 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've made this change, but I'm not entirely comfortable with it. I think that there is some exposure either way here. Fortunately in this context we are using $(System.AccessToken) which is relatively short lived.


# We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines
# build logs. Azure Pipelines will see this text and register the secret as a value it should *** out
# before being transmitted to the server (and shown in logs). It means if the value is accidentally
# leaked anywhere else that it won't be visible. The downside is that when the script is executed
# on a local development box, it will be visible.
Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"

. (Join-Path $PSScriptRoot common.ps1)

LogDebug "Checking for existing leases on run: $RunId"
$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $Base64EncodedAuthToken
$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken

if ($existingLeases.count -ne 0) {
LogDebug "Found $($existingLeases.count) leases, will delete them first."

foreach ($lease in $existingLeases.value) {
LogDebug "Deleting lease: $($lease.leaseId)"
Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $Base64EncodedAuthToken
Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $encodedAuthToken
}

}

LogDebug "Creating new lease on run: $RunId"
$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $Base64EncodedAuthToken
$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $encodedAuthToken
LogDebug "Lease ID is: $($lease.value.leaseId)"