microsoft · AlexVTor · Feb 28, 2024 · Feb 27, 2024 · Feb 27, 2024 · Feb 27, 2024
@@ -11,6 +11,12 @@ import * as ngRunner from 'azure-pipelines-tasks-packaging-common/nuget/NuGetToo
 import * as pkgLocationUtils from 'azure-pipelines-tasks-packaging-common/locationUtilities';
 import { getProjectAndFeedIdFromInputParam, logError } from 'azure-pipelines-tasks-packaging-common/util';
 
+interface EndpointCredentials {
+    endpoint: string;
+    username?: string;
+    password: string;
+}
+
 export async function run(): Promise<void> {
     let packagingLocation: pkgLocationUtils.PackagingLocation;
     try {
@@ -65,8 +71,9 @@ export async function run(): Promise<void> {
         }
 
         // Setting up auth info
-        const accessToken = pkgLocationUtils.getSystemAccessToken();
+        let accessToken;
         const isInternalFeed: boolean = nugetFeedType === 'internal';
+        accessToken = getAccessToken(isInternalFeed);
         const internalAuthInfo = new auth.InternalAuthInfo(urlPrefixes, accessToken, /*useCredProvider*/ null, true);
 
         let configFile = null;
@@ -182,3 +189,57 @@ function dotNetNuGetPushAsync(dotnetPath: string, packageFile: string, feedUri:
     const envWithProxy = ngRunner.setNuGetProxyEnvironment(process.env, /*configFile*/ null, feedUri);
     return dotnet.exec({ cwd: workingDirectory, env: envWithProxy } as IExecOptions);
 }
+
+function getAccessToken(isInternalFeed: boolean): string{
+    let accessToken: string;
+    let allowServiceConnection = tl.getVariable('PUBLISH_VIA_SERVICE_CONNECTION');
+
+    if(allowServiceConnection) {
+        let endpoint = tl.getInput('externalEndpoint', false);
+
+        if(endpoint && isInternalFeed === true) {
+            tl.debug("Found external endpoint, will use token for auth");
+            let endpointAuth = tl.getEndpointAuthorization(endpoint, true);
+            let endpointScheme = tl.getEndpointAuthorizationScheme(endpoint, true).toLowerCase();
+            switch(endpointScheme)
+            {
+                case ("token"):
+                    accessToken = endpointAuth.parameters["apitoken"];
+                    break;
+                default:
+                    tl.warning(tl.loc("Warning_UnsupportedServiceConnectionAuth"));
+                    break;
+            }
+        }
+        if(!accessToken && isInternalFeed === true)
+        {            
+            tl.debug("Checking for auth from Cred Provider."); 
+            const feed = getProjectAndFeedIdFromInputParam('feedPublish');
+            const JsonEndpointsString = process.env["VSS_NUGET_EXTERNAL_FEED_ENDPOINTS"];
+            if (JsonEndpointsString) {
+                tl.debug(`Endpoints found: ${JsonEndpointsString}`);
+
+                let endpointsArray: { endpointCredentials: EndpointCredentials[] } = JSON.parse(JsonEndpointsString);
+                tl.debug(`Feed details ${feed.feedId} ${feed.projectId}`);
+
+                for (let endpoint_in = 0; endpoint_in < endpointsArray.endpointCredentials.length; endpoint_in++) {
+                    if (endpointsArray.endpointCredentials[endpoint_in].endpoint.search(feed.feedName) != -1) {
+                        tl.debug(`Endpoint Credentials found for ${feed.feedName}`);
+                        accessToken = endpointsArray.endpointCredentials[endpoint_in].password;
+                        break;
+                    }
+                }
+            }
+        }
+        if(!accessToken)
+        {
+            tl.debug('Defaulting to use the System Access Token.');
+            accessToken = pkgLocationUtils.getSystemAccessToken();
+        }
+    }
+    else {
+        accessToken = pkgLocationUtils.getSystemAccessToken();
+    }
+
+    return accessToken;
+}
@@ -17,7 +17,7 @@
     "demands": [],
     "version": {
         "Major": 2,
-        "Minor": 235,
+        "Minor": 236,
         "Patch": 0
     },
     "minimumAgentVersion": "2.144.0",
@@ -579,6 +579,7 @@
         "Net5NugetVersionCompat": ".NET 5 has some compatibility issues with older Nuget versions(<=5.7), so if you are using an older Nuget version(and not dotnet cli) to restore, then the dotnet cli commands (e.g. dotnet build) which rely on such restored packages might fail. To mitigate such error, you can either: (1) - Use dotnet cli to restore, (2) - Use Nuget version 5.8 to restore, (3) - Use global.json using an older sdk version(<=3) to build",
         "DeprecatedDotnet2_2_And_3_0": "Info: .NET Core SDK/runtime 2.2 and 3.0 are now End of Life(EOL) and have been removed from all hosted agents. If you're using these SDK/runtimes on hosted agents, kindly upgrade to newer versions which are not EOL, or else use UseDotNet task to install the required version.",
         "Warning_IncludeNuGetOrgEnabled": "IncludeNugetOrg is currently enabled for this task. To resolve this warning, edit your build task and set 'includeNuGetOrg' to 'false' or deselect 'Use packages from NuGet.org'.",
-        "Error_IncludeNuGetOrgEnabled": "Packages failed to restore. Edit your build task and set 'includeNuGetOrg' to 'false' or deselect 'Use packages from NuGet.org'."
+        "Error_IncludeNuGetOrgEnabled": "Packages failed to restore. Edit your build task and set 'includeNuGetOrg' to 'false' or deselect 'Use packages from NuGet.org'.",
+        "Warning_UnsupportedServiceConnectionAuth" : "The service connection does not use a supported authentication method. Please use a service connection with personal access token based auth."
     }
 }
@@ -17,7 +17,7 @@
   "demands": [],
   "version": {
     "Major": 2,
-    "Minor": 235,
+    "Minor": 236,
     "Patch": 0
   },
   "minimumAgentVersion": "2.144.0",

@@ -5,7 +5,9 @@ import { INpmRegistry, NpmRegistry } from 'azure-pipelines-tasks-packaging-commo
 import { NpmToolRunner } from './npmtoolrunner';
 import * as util from 'azure-pipelines-tasks-packaging-common/util';
 import * as npmutil from 'azure-pipelines-tasks-packaging-common/npm/npmutil';
-import { PackagingLocation } from 'azure-pipelines-tasks-packaging-common/locationUtilities';
+import * as npmrcparser from 'azure-pipelines-tasks-packaging-common/npm/npmrcparser';
+import { getSystemAccessToken, PackagingLocation, getFeedRegistryUrl, RegistryType } from 'azure-pipelines-tasks-packaging-common/locationUtilities';
+import * as os from 'os';
 
 export async function run(packagingLocation: PackagingLocation): Promise<void> {
     const workingDir = tl.getInput(NpmTaskInput.WorkingDir) || process.cwd();
@@ -33,10 +35,9 @@ export async function getPublishRegistry(packagingLocation: PackagingLocation):
         case RegistryLocation.Feed:
             tl.debug(tl.loc('PublishFeed'));
             const feed = util.getProjectAndFeedIdFromInputParam(NpmTaskInput.PublishFeed);
-            npmRegistry = await NpmRegistry.FromFeedId(
+            npmRegistry = await getNpmRegistry(
                 packagingLocation.DefaultPackagingUri,
-                feed.feedId,
-                feed.projectId,
+                feed, 
                 false /* authOnly */,
                 true /* useSession */);
             break;
@@ -47,4 +48,67 @@ export async function getPublishRegistry(packagingLocation: PackagingLocation):
             break;
     }
     return npmRegistry;
+}
+
+async function getNpmRegistry(defaultPackagingUri: string, feed: any, authOnly?: boolean, useSession?: boolean) {
+    const lineEnd = os.EOL;
+    let url: string;
+    let nerfed: string;
+    let auth: string;
+    let username: string;
+    let email: string;
+    let password64: string;
+
+    url = npmrcparser.NormalizeRegistry( await getFeedRegistryUrl(defaultPackagingUri, RegistryType.npm, feed.feedId, feed.projectId, null, useSession));
+    nerfed = util.toNerfDart(url);
+
+    // Setting up auth info
+    const accessToken = getAccessToken();
+
+    // Azure DevOps does not support PATs+Bearer only JWTs+Bearer
+    email = 'VssEmail';
+    username = 'VssToken';
+    password64 = Buffer.from(accessToken).toString('base64');
+    tl.setSecret(password64);
+
+    auth = nerfed + ':username=' + username + lineEnd;
+    auth += nerfed + ':_password=' + password64 + lineEnd;
+    auth += nerfed + ':email=' + email + lineEnd;
+
+    return new NpmRegistry(url, auth, authOnly);
+}
+
+function getAccessToken(): string {
+    let accessToken: string;
+    let allowServiceConnection = tl.getVariable('PUBLISH_VIA_SERVICE_CONNECTION');
+
+    if(allowServiceConnection) {
+        let endpoint = tl.getInput('publishEndpoint', false);
+
+        if(endpoint) {
+            tl.debug("Found external endpoint, will use token for auth");
+            let endpointAuth = tl.getEndpointAuthorization(endpoint, true);
+            let endpointScheme = tl.getEndpointAuthorizationScheme(endpoint, true).toLowerCase();
+            switch(endpointScheme)
+            {
+                case ("token"):
+                    accessToken = endpointAuth.parameters["apitoken"];
+                    break;
+                default:
+                    tl.warning(tl.loc("UnsupportedServiceConnectionAuth"));
+                    break;
+            }
+        }
+        if(!accessToken)
+        {
+            tl.debug('Defaulting to use the System Access Token.');
+            accessToken = getSystemAccessToken();
+        }
+        return accessToken;
+    }
+    else{
+        accessToken = getSystemAccessToken();
+    }
+
+    return accessToken;
 }
@@ -9,7 +9,7 @@
     "author": "Microsoft Corporation",
     "version": {
         "Major": 1,
-        "Minor": 231,
+        "Minor": 236,
         "Patch": 0
     },
     "runsOn": [
@@ -204,6 +204,8 @@
         "OverridingProjectNpmrc": "Overriding project .npmrc: %s",
         "RestoringProjectNpmrc": "Restoring project .npmrc",
         "WorkingDirectoryNotDirectory": "Please change your working directory to a valid directory",
-        "NGCommon_AreaNotFoundInSps": "Unable to locate the '%s' [%s] area. The service containing that area may not be available in your region."
+        "NGCommon_AreaNotFoundInSps": "Unable to locate the '%s' [%s] area. The service containing that area may not be available in your region.",
+        "UnsupportedServiceConnectionAuth" : "The service connection does not use a supported authentication method. Please use a service connection with personal access token based auth."
+
     }
 }
@@ -9,7 +9,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 1,
-    "Minor": 231,
+    "Minor": 236,
     "Patch": 0
   },
   "runsOn": [

@@ -36,6 +36,12 @@ interface IVstsNuGetPushOptions {
     settings: vstsNuGetPushToolRunner.VstsNuGetPushSettings;
 }
 
+interface EndpointCredentials {
+    endpoint: string;
+    username?: string;
+    password: string;
+}
+
 export async function run(nuGetPath: string): Promise<void> {
     let packagingLocation: pkgLocationUtils.PackagingLocation;
     try {
@@ -103,7 +109,10 @@ export async function run(nuGetPath: string): Promise<void> {
         }
 
         // Setting up auth info
-        const accessToken = pkgLocationUtils.getSystemAccessToken();
+        let accessToken;
+        let feed;
+        const isInternalFeed: boolean = nugetFeedType === "internal";
+        accessToken = getAccessToken(isInternalFeed);
         const quirks = await ngToolRunner.getNuGetQuirksAsync(nuGetPath);
 
         // Clauses ordered in this way to avoid short-circuit evaluation, so the debug info printed by the functions
@@ -131,7 +140,6 @@ export async function run(nuGetPath: string): Promise<void> {
         let credCleanup = () => { return; };
 
         let feedUri: string;
-        const isInternalFeed: boolean = nugetFeedType === "internal";
 
         let authInfo: auth.NuGetExtendedAuthInfo;
         let nuGetConfigHelper: NuGetConfigHelper2;
@@ -405,3 +413,57 @@ function shouldUseVstsNuGetPush(isInternalFeed: boolean, conflictsAllowed: boole
 
     return false;
 }
+
+function getAccessToken(isInternalFeed: boolean): string{
+    let accessToken: string;
+    let allowServiceConnection = tl.getVariable('PUBLISH_VIA_SERVICE_CONNECTION');
+
+    if(allowServiceConnection) {
+        let endpoint = tl.getInput('externalEndpoint', false);
+
+        if(endpoint && isInternalFeed === true) {
+            tl.debug("Found external endpoint, will use token for auth");
+            let endpointAuth = tl.getEndpointAuthorization(endpoint, true);
+            let endpointScheme = tl.getEndpointAuthorizationScheme(endpoint, true).toLowerCase();
+            switch(endpointScheme)
+            {
+                case ("token"):
+                    accessToken = endpointAuth.parameters["apitoken"];
+                    break;
+                default:
+                    tl.warning(tl.loc("Warning_UnsupportedServiceConnectionAuth"));
+                    break;
+            }
+        }
+        if(!accessToken && isInternalFeed === true)
+        {           
+            tl.debug("Checking for auth from Cred Provider."); 
+            const feed = getProjectAndFeedIdFromInputParam('feedPublish');
+            const JsonEndpointsString = process.env["VSS_NUGET_EXTERNAL_FEED_ENDPOINTS"];
+            if (JsonEndpointsString) {
+                tl.debug(`Endpoints found: ${JsonEndpointsString}`);
+
+                let endpointsArray: { endpointCredentials: EndpointCredentials[] } = JSON.parse(JsonEndpointsString);
+                tl.debug(`Feed details ${feed.feedId} ${feed.projectId}`);
+
+                for (let endpoint_in = 0; endpoint_in < endpointsArray.endpointCredentials.length; endpoint_in++) {
+                    if (endpointsArray.endpointCredentials[endpoint_in].endpoint.search(feed.feedName) != -1) {
+                        tl.debug(`Endpoint Credentials found for ${feed.feedName}`);
+                        accessToken = endpointsArray.endpointCredentials[endpoint_in].password;
+                        break;
+                    }
+                }
+            }
+        }
+        if(!accessToken)
+        {
+            tl.debug('Defaulting to use the System Access Token.');
+            accessToken = pkgLocationUtils.getSystemAccessToken();
+        }
+    }
+    else {
+        accessToken = pkgLocationUtils.getSystemAccessToken();
+    }
+
+    return accessToken;
+}
@@ -9,7 +9,7 @@
     "author": "Microsoft Corporation",
     "version": {
         "Major": 2,
-        "Minor": 231,
+        "Minor": 236,
         "Patch": 0
     },
     "runsOn": [
@@ -542,6 +542,7 @@
         "Warning_UpdatingNuGetVersion": "Updating version of NuGet.exe to %s from %s. Behavior changes or breaking changes might occur as NuGet updates to a new version. If this is not desired, deselect the 'Check for Latest Version' option in the task.",
         "Error_NugetFailedWithCodeAndErr": "The nuget command failed with exit code(%s) and error(%s)",
         "Warning_IncludeNuGetOrgEnabled":  "IncludeNugetOrg is currently enabled for this task. To resolve this warning, edit your build task and set 'includeNuGetOrg' to 'false' or deselect 'Use packages from NuGet.org'.",
-        "Error_IncludeNuGetOrgEnabled": "Packages failed to restore. Edit your build task and set 'includeNuGetOrg' to 'false' or deselect 'Use packages from NuGet.org'."
+        "Error_IncludeNuGetOrgEnabled": "Packages failed to restore. Edit your build task and set 'includeNuGetOrg' to 'false' or deselect 'Use packages from NuGet.org'.",
+        "Warning_UnsupportedServiceConnectionAuth" : "The service connection does not use a supported authentication method. Please use a service connection with personal access token based auth."
     }
 }
@@ -9,7 +9,7 @@
   "author": "Microsoft Corporation",
   "version": {
     "Major": 2,
-    "Minor": 231,
+    "Minor": 236,
     "Patch": 0
   },
   "runsOn": [

@@ -456,6 +456,7 @@
     "Warn_CredentialsNotFound": "Could not determine credentials to use for Universal Packages",
     "Warning_SessionCreationFailed": "Could not create provenance session: %s",
     "Error_UniversalPackagesNotSupportedOnPrem": "Universal Packages are not supported in Azure DevOps Server.",
-    "Error_ProcessorArchitectureNotSupported": "Universal Packages require an x64 agent."
+    "Error_ProcessorArchitectureNotSupported": "Universal Packages require an x64 agent.",
+    "Warning_UnsupportedServiceConnectionAuth" : "The service connection does not use a supported authentication method. Please use a service connection with personal access token based auth."
   }
 }