-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathReadSecrets.ps1
195 lines (184 loc) · 9.32 KB
/
ReadSecrets.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
Param(
[Parameter(HelpMessage = "All GitHub Secrets in compressed JSON format", Mandatory = $true)]
[string] $gitHubSecrets = "",
[Parameter(HelpMessage = "Comma-separated list of Secrets to get. Secrets preceded by an asterisk are returned encrypted", Mandatory = $true)]
[string] $getSecrets = "",
[Parameter(HelpMessage = "Determines whether you want to use the GhTokenWorkflow secret for TokenForPush", Mandatory = $false)]
[string] $useGhTokenWorkflowForPush = 'false'
)
$buildMutexName = "AL-Go-ReadSecrets"
$buildMutex = New-Object System.Threading.Mutex($false, $buildMutexName)
try {
try {
if (!$buildMutex.WaitOne(1000)) {
Write-Host "Waiting for other process executing ReadSecrets"
$buildMutex.WaitOne() | Out-Null
Write-Host "Other process completed ReadSecrets"
}
}
catch [System.Threading.AbandonedMutexException] {
Write-Host "Other process terminated abnormally"
}
. (Join-Path -Path $PSScriptRoot -ChildPath "..\AL-Go-Helper.ps1" -Resolve)
Import-Module (Join-Path $PSScriptRoot ".\ReadSecretsHelper.psm1") -ArgumentList $gitHubSecrets
$outSecrets = [ordered]@{}
$settings = $env:Settings | ConvertFrom-Json | ConvertTo-HashTable
$keyVaultCredentials = GetKeyVaultCredentials
$getAppDependencySecrets = $false
$getTokenForPush = $false
[System.Collections.ArrayList]$secretsCollection = @()
foreach($secret in ($getSecrets.Split(',') | Select-Object -Unique)) {
if ($secret -eq 'TokenForPush') {
$getTokenForPush = $true
if ($useGhTokenWorkflowForPush -ne 'true') { continue }
# If we are using the ghTokenWorkflow for commits, we need to get ghTokenWorkflow secret
$secret = 'ghTokenWorkflow'
}
$secretNameProperty = "$($secret.TrimStart('-*'))SecretName"
if ($secret -eq 'AppDependencySecrets') {
$getAppDependencySecrets = $true
}
else {
$secretName = $secret
if ($settings.Keys -contains $secretNameProperty) {
$secretName = $settings."$secretNameProperty"
}
# Secret is the AL-Go name of the secret
# SecretName is the actual name of the secret to get from the KeyVault or GitHub environment
if ($secretName) {
if ($secretName -ne $secret) {
# Setup mapping between AL-Go secret name and actual secret name
$secret = "$($secret)=$secretName"
}
if ($secretsCollection -notcontains $secret) {
# Add secret to the collection of secrets to get
$secretsCollection += $secret
}
}
}
}
if ($getAppDependencySecrets) {
# Loop through appDependencyProbingPaths and trustedNuGetFeeds and add secrets to the collection of secrets to get
$settingsCollection = @()
if ($settings.Keys -contains 'appDependencyProbingPaths') {
$settingsCollection += $settings.appDependencyProbingPaths
}
if ($settings.Keys -contains 'trustedNuGetFeeds') {
$settingsCollection += $settings.trustedNuGetFeeds
}
foreach($settingsItem in $settingsCollection) {
if ($settingsItem.PsObject.Properties.name -eq "AuthTokenSecret") {
if ($secretsCollection -notcontains $settingsItem.authTokenSecret) {
$secretsCollection += $settingsItem.authTokenSecret
}
}
}
# Look through installApps and installTestApps for secrets and add them to the collection of secrets to get
foreach($installSettingsKey in @('installApps','installTestApps')) {
if ($settings.Keys -contains $installSettingsKey) {
$settings."$installSettingsKey" | ForEach-Object {
# If any of the installApps URLs contains '${{SECRETNAME}}' we need to get the secret
$pattern = '.*(\$\{\{\s*([^}]+?)\s*\}\}).*'
if ($_ -match $pattern) {
$secretName = $matches[2]
if ($secretsCollection -notcontains $secretName) {
$secretsCollection += $secretName
}
}
}
}
}
}
# Loop through secrets (use @() to allow us to remove items from the collection while looping)
foreach($secret in @($secretsCollection)) {
$secretSplit = $secret.Split('=')
$secretsProperty = $secretSplit[0]
# Secret names preceded by an asterisk are returned encrypted (and base64 encoded unless...)
# Secret names preceded by a minus are not base64 encoded
$secretsPropertyName = $secretsProperty.TrimStart('-*')
$encrypted = $secretsProperty.TrimStart('-').StartsWith('*')
$base64encoded = !($secretsProperty.TrimStart('*').StartsWith('-'))
$secretName = $secretsPropertyName
if ($secretSplit.Count -gt 1) {
$secretName = $secretSplit[1]
}
if ($secretName) {
$secretValue = GetSecret -secret $secretName -keyVaultCredentials $keyVaultCredentials -encrypted:$encrypted
if ($secretValue) {
try {
$json = $secretValue | ConvertFrom-Json | ConvertTo-HashTable
}
catch {
$json = @{}
}
if ($json.Keys.Count) {
foreach($keyName in $json.Keys) {
if ((IsPropertySecret -propertyName $keyName) -and ($json."$keyName" -isnot [boolean])) {
# Mask individual values if property is secret
MaskValue -key "$($secretName).$($keyName)" -value "$($json."$keyName")"
}
}
if ($json.ContainsKey('clientID') -and !($json.ContainsKey('clientSecret') -or $json.ContainsKey('refreshToken'))) {
try {
Write-Host "Query federated token"
$result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
$json += @{ "clientAssertion" = $result.value }
$secretValue = $json | ConvertTo-Json -Compress
MaskValue -key "$secretName with federated token" -value $secretValue
}
catch {
throw "$SecretName doesn't contain any ClientSecret and AL-Go is unable to acquire an ID_TOKEN. Error was $($_.Exception.Message)"
}
}
}
if ($base64encoded) {
Write-Host "Base64 encode secret"
$secretValue = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($secretValue))
}
$outSecrets += @{ "$secretsPropertyName" = $secretValue }
Write-Host "$($secretsPropertyName) successfully read from secret $secretName"
$secretsCollection.Remove($secret)
}
elseif ($secretsPropertyName -eq 'gitSubmodulesToken') {
Write-Host "Using GitHub token for gitSubmodulesToken"
$outSecrets += @{ "$secretsPropertyName" = GetGithubSecret -SecretName 'github_token' }
}
}
}
if ($secretsCollection) {
$unresolvedSecrets = ($secretsCollection | ForEach-Object {
$secretSplit = @($_.Split('='))
$secretsProperty = $secretSplit[0]
# Secret names preceded by an asterisk are returned encrypted (and base64 encoded unless...)
# Secret names preceded by a minus are not base64 encoded
$secretsPropertyName = $secretsProperty.TrimStart('-*')
if ($secretSplit.Count -eq 1 -or ($secretSplit[1] -eq '')) {
$secretsPropertyName
}
else {
"$($secretsPropertyName) (Secret $($secretSplit[1]))"
}
$outSecrets += @{ "$secretsProperty" = "" }
}) -join ', '
Write-Host "The following secrets was not found: $unresolvedSecrets"
}
#region Action: Output
$outSecretsJson = $outSecrets | ConvertTo-Json -Compress
Add-Content -Encoding UTF8 -Path $env:GITHUB_OUTPUT -Value "Secrets=$outSecretsJson"
if ($getTokenForPush) {
if ($useGhTokenWorkflowForPush -eq 'true' -and $outSecrets.ghTokenWorkflow) {
Write-Host "Use ghTokenWorkflow for Push"
$ghToken = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($outSecrets.ghTokenWorkflow))
$ghToken = GetAccessToken -token $ghToken -permissions @{"actions"="read";"contents"="write";"pull_requests"="write";"metadata"="read";"workflows"="write"}
}
else {
Write-Host "Use github_token for Push"
$ghToken = GetGithubSecret -SecretName 'github_token'
}
Add-Content -Encoding UTF8 -Path $env:GITHUB_OUTPUT -Value "TokenForPush=$ghToken"
}
#endregion
}
finally {
$buildMutex.ReleaseMutex()
}