From e33048cbb431af2d3f35f13e1f9be62d1dcd6756 Mon Sep 17 00:00:00 2001
From: Azure SDK Bot <53356347+azure-sdk@users.noreply.github.com>
Date: Tue, 20 Apr 2021 17:16:05 -0700
Subject: [PATCH] Sync eng/common directory with azure-sdk-tools for PR 1565 (#18155)

* Fix retain runs auth.

* Emit encoded token as secret.

Co-authored-by: Mitch Denny
---
 .../pipelines/templates/steps/retain-run.yml | 2 +-
 eng/common/scripts/Add-RetentionLease.ps1 | 19 +++++++++++++++----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/eng/common/pipelines/templates/steps/retain-run.yml b/eng/common/pipelines/templates/steps/retain-run.yml
index a514b90f2291..c2ac6186674b 100644
--- a/eng/common/pipelines/templates/steps/retain-run.yml
+++ b/eng/common/pipelines/templates/steps/retain-run.yml
@@ -18,5 +18,5 @@ steps:
 -RunId $(Build.BuildId)
 -OwnerId Pipeline
 -DaysValid ${{parameters.DaysValid}}
- -Base64EncodedAuthToken $env:SYSTEM_ACCESSTOKEN
+ -AccessToken $env:SYSTEM_ACCESSTOKEN
 -Debug
\ No newline at end of file
diff --git a/eng/common/scripts/Add-RetentionLease.ps1 b/eng/common/scripts/Add-RetentionLease.ps1
index c368b255436a..dd56c20a5531 100644
--- a/eng/common/scripts/Add-RetentionLease.ps1
+++ b/eng/common/scripts/Add-RetentionLease.ps1
@@ -19,24 +19,35 @@ param(
 [int]$DaysValid,
 [Parameter(Mandatory = $true)]
- [string]$Base64EncodedAuthToken
+ [string]$AccessToken
 )
+$unencodedAuthToken = "nobody:$AccessToken"
+$unencodedAuthTokenBytes = [System.Text.Encoding]::UTF8.GetBytes($unencodedAuthToken)
+$encodedAuthToken = [System.Convert]::ToBase64String($unencodedAuthTokenBytes)
+
+# We are doing this here so that there is zero chance that this token is emitted in Azure Pipelines
+# build logs. Azure Pipelines will see this text and register the secret as a value it should *** out
+# before being transmitted to the server (and shown in logs). It means if the value is accidentally
+# leaked anywhere else that it won't be visible. The downside is that when the script is executed
+# on a local development box, it will be visible.
+Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"
+
 . (Join-Path $PSScriptRoot common.ps1)
 LogDebug "Checking for existing leases on run: $RunId"
-$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $Base64EncodedAuthToken
+$existingLeases = Get-RetentionLeases -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -Base64EncodedAuthToken $encodedAuthToken
 if ($existingLeases.count -ne 0) {
 LogDebug "Found $($existingLeases.count) leases, will delete them first."
 foreach ($lease in $existingLeases.value) {
 LogDebug "Deleting lease: $($lease.leaseId)"
- Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $Base64EncodedAuthToken
+ Delete-RetentionLease -Organization $Organization -Project $Project -LeaseId $lease.leaseId -Base64EncodedAuthToken $encodedAuthToken
 }
 }
 LogDebug "Creating new lease on run: $RunId"
-$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $Base64EncodedAuthToken
+$lease = Add-RetentionLease -Organization $Organization -Project $Project -DefinitionId $DefinitionId -RunId $RunId -OwnerId $OwnerId -DaysValid $DaysValid -Base64EncodedAuthToken $encodedAuthToken
 LogDebug "Lease ID is: $($lease.value.leaseId)"
\ No newline at end of file
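Review bot: The added `Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)"` line prints the base64-encoded token to the console whenever the script runs outside an agent, which the new comment acknowledges but the code does not mitigate; guarding it with the agent's `TF_BUILD` variable, `if ($env:TF_BUILD) { Write-Host "##vso[task.setvariable variable=_throwawayencodedaccesstoken;issecret=true;]$($encodedAuthToken)" }`, keeps the masking in pipelines and avoids the local exposure. As I read the setvariable command, it also defines `_throwawayencodedaccesstoken` as a job variable visible to later steps, which nothing in this script uses; on agents that support it, `##vso[task.setsecret]$encodedAuthToken` registers the mask without leaving a variable behind. The hunk's first lines belong to the `param(` block, which starts above the hunk.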