From 5900ea65f2f08cf9e5df5ab940095e6d8cd7c861 Mon Sep 17 00:00:00 2001
From: "Dmitrii Bobreshev (Akvelon INC)"
Date: Tue, 25 Jun 2024 14:55:31 +0200
Subject: [PATCH 1/3] Mask ACR token on Windows when System.Debug is true -- Added refresh token to secret masker -- Added FF to use --password-stdin on windows
---
 src/Agent.Sdk/Knob/AgentKnobs.cs | 9 +++++++++
 src/Agent.Worker/Container/DockerCommandManager.cs | 4 +++-
 src/Agent.Worker/ContainerOperationProvider.cs | 4 ++++
 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/Agent.Sdk/Knob/AgentKnobs.cs b/src/Agent.Sdk/Knob/AgentKnobs.cs
index 07648eec92..fde906d05e 100644
--- a/src/Agent.Sdk/Knob/AgentKnobs.cs
+++ b/src/Agent.Sdk/Knob/AgentKnobs.cs
@@ -716,5 +716,14 @@ public class AgentKnobs
 "Checks if the PSModulePath environment variable contains locations specific to PowerShell Core.",
 new EnvironmentKnobSource("AZP_AGENT_CHECK_PSMODULES_LOCATIONS"),
 new BuiltInDefaultKnobSource("false"));
+
+ public static readonly Knob UseDockerStdinPasswordOnWindows = new Knob(
+ nameof(CheckPsModulesLocations),
+ "If true, use --password-stdin for docker login on Windows.",
+ new EnvironmentKnobSource("AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS"),
+ new RuntimeKnobSource("AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS"),
+ new EnvironmentKnobSource("AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS"),
+ new PipelineFeatureSource("UseDockerStdinPasswordOnWindows"),
+ new BuiltInDefaultKnobSource("false"));
 }
 }
diff --git a/src/Agent.Worker/Container/DockerCommandManager.cs b/src/Agent.Worker/Container/DockerCommandManager.cs
index ee4818b539..c93435d20a 100644
--- a/src/Agent.Worker/Container/DockerCommandManager.cs
+++ b/src/Agent.Worker/Container/DockerCommandManager.cs
@@ -100,7 +100,9 @@ public async Task DockerLogin(IExecutionContext context, string server, str
 ArgUtil.NotNull(username, nameof(username));
 ArgUtil.NotNull(password, nameof(password));
- var action = new Func>(async () => PlatformUtil.RunningOnWindows
+ var useDockerStdinPasswordOnWindows = AgentKnobs.UseDockerStdinPasswordOnWindows.GetValue(context).AsBoolean();
+
+ var action = new Func>(async () => PlatformUtil.RunningOnWindows && !useDockerStdinPasswordOnWindows
 // Wait for 17.07 to switch using stdin for docker registry password.
 ? await ExecuteDockerCommandAsync(context, "login", $"--username \"{username}\" --password \"{password.Replace("\"", "\\\"")}\" {server}", new List() { password }, context.CancellationToken)
 : await ExecuteDockerCommandAsync(context, "login", $"--username \"{username}\" --password-stdin {server}", new List() { password }, context.CancellationToken)
diff --git a/src/Agent.Worker/ContainerOperationProvider.cs b/src/Agent.Worker/ContainerOperationProvider.cs
index 2362725334..636e5fd6db 100644
--- a/src/Agent.Worker/ContainerOperationProvider.cs
+++ b/src/Agent.Worker/ContainerOperationProvider.cs
@@ -296,6 +296,10 @@ private async Task GetAcrPasswordFromAADToken(IExecutionContext executio
 {
 throw new NotSupportedException("Could not acquire ACR token from given AAD token. Please check that the necessary access is provided and try again.");
 }
+
+ // Mark retrieved password as secret
+ HostContext.SecretMasker.AddValue(AcrPassword);
+
 return AcrPassword;
 }
From ee631f61f514774094a7b1dc63b0f2593f0e97d2 Mon Sep 17 00:00:00 2001
From: "Dmitrii Bobreshev (Akvelon INC)"
Date: Tue, 25 Jun 2024 16:51:18 +0200
Subject: [PATCH 2/3] Mask ACR token on Windows when System.Debug is true -- Removed PipelineFeatureSource -- Fixed review points
---
 src/Agent.Sdk/Knob/AgentKnobs.cs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/Agent.Sdk/Knob/AgentKnobs.cs b/src/Agent.Sdk/Knob/AgentKnobs.cs
index fde906d05e..09c83853d2 100644
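Review bot: In `DockerLogin` (DockerCommandManager.cs) the Windows branch still interpolates the password into the `--password` argument whenever `UseDockerStdinPasswordOnWindows` is false, which is its built-in default, so the secret stays on the docker process command line, where log masking does not reach process listings or process-creation auditing. The ContainerOperationProvider.cs hunk registers the raw `AcrPassword` with the masker, while the argument here carries the quote-escaped form `password.Replace("\"", "\\\"")`, so a password containing a double quote would presumably appear unmasked in debug output. Until the stdin path becomes the default, I would replace the stale `// Wait for 17.07 ...` comment with `// Legacy path: the password is passed as a process argument; remove once UseDockerStdinPasswordOnWindows defaults to true.` and also register the escaped form with the secret masker. The body of `DockerLogin` starts and ends outside the hunk.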
--- a/src/Agent.Sdk/Knob/AgentKnobs.cs
+++ b/src/Agent.Sdk/Knob/AgentKnobs.cs
@@ -718,12 +718,10 @@ public class AgentKnobs
 new BuiltInDefaultKnobSource("false"));
 public static readonly Knob UseDockerStdinPasswordOnWindows = new Knob(
- nameof(CheckPsModulesLocations),
+ nameof(UseDockerStdinPasswordOnWindows),
 "If true, use --password-stdin for docker login on Windows.",
- new EnvironmentKnobSource("AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS"),
 new RuntimeKnobSource("AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS"),
 new EnvironmentKnobSource("AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS"),
- new PipelineFeatureSource("UseDockerStdinPasswordOnWindows"),
 new BuiltInDefaultKnobSource("false"));
 }
 }
From e40a152c0d989bf8b0db6f6b76a8e86db39de447 Mon Sep 17 00:00:00 2001
From: "Dmitrii Bobreshev (Akvelon INC)"
Date: Tue, 25 Jun 2024 17:10:04 +0200
Subject: [PATCH 3/3] Mask ACR token on Windows when System.Debug is true -- Removed Env source
---
 src/Agent.Sdk/Knob/AgentKnobs.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Agent.Sdk/Knob/AgentKnobs.cs b/src/Agent.Sdk/Knob/AgentKnobs.cs
index 09c83853d2..dfd33063dd 100644
--- a/src/Agent.Sdk/Knob/AgentKnobs.cs
+++ b/src/Agent.Sdk/Knob/AgentKnobs.cs
@@ -721,7 +721,7 @@ public class AgentKnobs
 nameof(UseDockerStdinPasswordOnWindows),
 "If true, use --password-stdin for docker login on Windows.",
 new RuntimeKnobSource("AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS"),
- new EnvironmentKnobSource("AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS"),
+ new PipelineFeatureSource("UseDockerStdinPasswordOnWindows"),
 new BuiltInDefaultKnobSource("false"));
 }
 }
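Review bot: In the final `UseDockerStdinPasswordOnWindows` declaration (PATCH 3/3 hunk), `RuntimeKnobSource` is listed ahead of `PipelineFeatureSource`, so a pipeline variable presumably takes precedence over the feature flag; the evaluation order is not visible here and should be confirmed. If it does, a pipeline could set `AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS` to `false` and fall back to the command-line password after the flag has been rolled out. The description also omits what the `false` default means; I would spell it out, e.g. `"If true, use --password-stdin for docker login on Windows; if false, the password is passed as a --password argument."`. The `AgentKnobs` class body starts outside the hunk.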