Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding support for ADO service connection in PowershellV2 Task #20726

Open
wants to merge 37 commits into
base: master
Choose a base branch
from

Conversation

praval-microsoft
Copy link
Collaborator

@praval-microsoft praval-microsoft commented Dec 11, 2024

Task name: PowershellV2

Description:

The change is to add support for the Azure Devops Service Connection in the PowershellV2 task.

The requirement is to allow the user to use the Azure Devops Service Connection in the PowershellV2 task and have an utility function to get the access token for that service connection.

We have added a new task input field called azureDevOpsServiceConnection.

To get the access token for the service connection, we have added a new utility function called Get-AzDoToken. User can directly call this method to fetch the access token for the service connection. If an ADO service conn is passed in inputs, this function would return the access token for the ADO service conn, otherwise it would return the default $(System.AccessToken).

For both the node script and the powershell script, we are running a token handler asynchronously which would listen for requests from the UserScript(sent via Get-AzDoToken) and return the access token.

For node script, we have used FIFO pipes for communication between the TokenHandler and the Get-AzDoToken method running in UserScript.
For powershell script, we have used EventHandles for signaling and a shared file for reading and writing the access token.

For code execution flow, refer : https://microsoftapc-my.sharepoint.com/:w:/g/personal/prsinghal_microsoft_com/EY2mag9RXDxChJQ2yqYA1NMBWKQwhNnKjK3KLzYfUzwCiA?e=06W770

Documentation changes required: Y

Added unit tests: (Y/N) Y

Attached related issue: https://dev.azure.com/mseng/AzureDevOps/_workitems/edit/2189744

Checklist:

  • Task version was bumped - please check instruction how to do it
  • Checked that applied changes work as expected

@praval-microsoft praval-microsoft marked this pull request as ready for review December 17, 2024 05:29
@praval-microsoft praval-microsoft requested a review from a team as a code owner December 17, 2024 05:29
@praval-microsoft praval-microsoft changed the title Feature/wisc psv2 task Adding support for ADO service connection in PowershellV2 Task Dec 17, 2024
Copy link
Contributor

@merlynomsft merlynomsft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Taking to offline discussion]

@@ -7,6 +7,137 @@ import { validateFileArgs } from './helpers';
import { ArgsSanitizingError } from './errors';
import { emitTelemetry } from 'azure-pipelines-tasks-utility-common/telemetry';
var uuidV4 = require('uuid/v4');
import * as msal from "@azure/msal-node";
Copy link
Contributor

@merlynomsft merlynomsft Dec 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

special handling is needed for older node runners (node10 needs msal1). Node10 is used by agent in some scenerios e.g. when using system node for some fallback scenerios. We'll need to ensure we include that to test matrix

$hub = $taskDict["Hub"]
$projectId = $taskDict["ProjectId"]

$url = $uri + "$projectId/_apis/distributedtask/hubs/$hub/plans/$planId/jobs/$jobId/oidctoken?serviceConnectionId=$serviceConnectionId&api-version=7.1-preview.1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Client classes are automatically generated for backend ADO REST APIs.
See TaskHttpClient class, which contains CreateOidcTokenAsync method.

)

$defaultEnvironmentMSALAuthUri = "https://login.microsoftonline.com/"
$defaultEnvironmentADALAuthUri = "https://login.windows.net/"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ADAL has been deprecated.
I would only keep the MSAL path, as the use of ADAL will likely be considered a security issue.

$oidcToken = $responseContent.oidcToken

if ($null -eq $oidcToken -or $oidcToken -eq [string]::Empty) {
throw (New-Object System.Exception("CouldNotGenerateOidcToken"))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like a very generic Exception type to me. Maybe we can introduce new Exception class for that purpose?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants