-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding support for ADO service connection in PowershellV2 Task #20726
base: master
Are you sure you want to change the base?
Conversation
0f78c68
to
e575715
Compare
3552b97
to
d58a630
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[Taking to offline discussion]
@@ -7,6 +7,137 @@ import { validateFileArgs } from './helpers'; | |||
import { ArgsSanitizingError } from './errors'; | |||
import { emitTelemetry } from 'azure-pipelines-tasks-utility-common/telemetry'; | |||
var uuidV4 = require('uuid/v4'); | |||
import * as msal from "@azure/msal-node"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
special handling is needed for older node runners (node10 needs msal1). Node10 is used by agent in some scenerios e.g. when using system node for some fallback scenerios. We'll need to ensure we include that to test matrix
$hub = $taskDict["Hub"] | ||
$projectId = $taskDict["ProjectId"] | ||
|
||
$url = $uri + "$projectId/_apis/distributedtask/hubs/$hub/plans/$planId/jobs/$jobId/oidctoken?serviceConnectionId=$serviceConnectionId&api-version=7.1-preview.1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Client classes are automatically generated for backend ADO REST APIs.
See TaskHttpClient
class, which contains CreateOidcTokenAsync
method.
) | ||
|
||
$defaultEnvironmentMSALAuthUri = "https://login.microsoftonline.com/" | ||
$defaultEnvironmentADALAuthUri = "https://login.windows.net/" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ADAL has been deprecated.
I would only keep the MSAL path, as the use of ADAL will likely be considered a security issue.
$oidcToken = $responseContent.oidcToken | ||
|
||
if ($null -eq $oidcToken -or $oidcToken -eq [string]::Empty) { | ||
throw (New-Object System.Exception("CouldNotGenerateOidcToken")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like a very generic Exception type to me. Maybe we can introduce new Exception class for that purpose?
Task name: PowershellV2
Description:
The change is to add support for the Azure Devops Service Connection in the PowershellV2 task.
The requirement is to allow the user to use the Azure Devops Service Connection in the PowershellV2 task and have an utility function to get the access token for that service connection.
We have added a new task input field called azureDevOpsServiceConnection.
To get the access token for the service connection, we have added a new utility function called Get-AzDoToken. User can directly call this method to fetch the access token for the service connection. If an ADO service conn is passed in inputs, this function would return the access token for the ADO service conn, otherwise it would return the default $(System.AccessToken).
For both the node script and the powershell script, we are running a token handler asynchronously which would listen for requests from the UserScript(sent via Get-AzDoToken) and return the access token.
For node script, we have used FIFO pipes for communication between the TokenHandler and the Get-AzDoToken method running in UserScript.
For powershell script, we have used EventHandles for signaling and a shared file for reading and writing the access token.
For code execution flow, refer : https://microsoftapc-my.sharepoint.com/:w:/g/personal/prsinghal_microsoft_com/EY2mag9RXDxChJQ2yqYA1NMBWKQwhNnKjK3KLzYfUzwCiA?e=06W770
Documentation changes required: Y
Added unit tests: (Y/N) Y
Attached related issue: https://dev.azure.com/mseng/AzureDevOps/_workitems/edit/2189744
Checklist: