code review

microsoft · Jun 6, 2024 · 009c877 · 009c877
1 parent 99148c9
commit 009c877
Show file tree

Hide file tree

Showing 5 changed files with 108 additions and 27 deletions.
diff --git a/Actions/Deploy/Deploy.ps1 b/Actions/Deploy/Deploy.ps1
@@ -75,7 +75,6 @@ if (Test-Path $customScript) {
     . $customScript -parameters $parameters
 }
 else {
-    $authContext | ConvertFrom-Json | ConvertTo-Json | Out-Host
     try {
         $authContextParams = $authContext | ConvertFrom-Json | ConvertTo-HashTable
         $bcAuthContext = New-BcAuthContext @authContextParams

diff --git a/Actions/Sign/Sign.ps1 b/Actions/Sign/Sign.ps1
@@ -46,12 +46,13 @@ try {
         throw "KeyVaultName is not specified in AzureCredentials nor in settings. Please specify it in one of them."
     }
 
-    $AzureCredentialParams = @{
-        "ClientId" = $AzureCredentials.clientId
-        "TenantId" = $AzureCredentials.tenantId
-    }
+    $AzureCredentialParams = @{}
     if ($AzureCredentials.PSobject.Properties.name -eq "clientSecret") {
-        $AzureCredentialParams += @{ "ClientSecret" = $AzureCredentials.clientSecret }
+        $AzureCredentialParams += @{
+            "ClientId" = $AzureCredentials.clientId
+            "ClientSecret" = $AzureCredentials.clientSecret
+            "TenantId" = $AzureCredentials.tenantId
+        }
     }
     else {
         InstallAzModuleIfNeeded -moduleName 'Az.Accounts'

diff --git a/Actions/Sign/Sign.psm1 b/Actions/Sign/Sign.psm1
@@ -5,39 +5,40 @@
     Installs the dotnet signing tool.
 #>
 function Install-SigningTool() {
-        . (Join-Path -Path $PSScriptRoot -ChildPath "..\AL-Go-Helper.ps1" -Resolve)
+    . (Join-Path -Path $PSScriptRoot -ChildPath "..\AL-Go-Helper.ps1" -Resolve)
 
-        # Create folder in temp directory with a unique name
-        $tempFolder = Join-Path -Path ([System.IO.Path]::GetTempPath()) "SigningTool-$(Get-Random)"
+    # Create folder in temp directory with a unique name
+    $tempFolder = Join-Path -Path ([System.IO.Path]::GetTempPath()) "SigningTool-$(Get-Random)"
 
-        # Get version of the signing tool
-        $version = Get-PackageVersion -PackageName "sign"
+    # Get version of the signing tool
+    $version = Get-PackageVersion -PackageName "sign"
 
-        # Install the signing tool in the temp folder
-        Write-Host "Installing signing tool version $version in $tempFolder"
-        New-Item -ItemType Directory -Path $tempFolder | Out-Null
-        dotnet tool install sign --version $version --tool-path $tempFolder | Out-Null
+    # Install the signing tool in the temp folder
+    Write-Host "Installing signing tool version $version in $tempFolder"
+    New-Item -ItemType Directory -Path $tempFolder | Out-Null
+    dotnet tool install sign --version $version --tool-path $tempFolder | Out-Null
 
-        # Return the path to the signing tool
-        $signingTool = Join-Path -Path $tempFolder "sign.exe" -Resolve
-        return $signingTool
+    # Return the path to the signing tool
+    $signingTool = Join-Path -Path $tempFolder "sign.exe" -Resolve
+    return $signingTool
 }
 
 <#
     .SYNOPSIS
     Signs files in a given path using a certificate from Azure Key Vault.
     .DESCRIPTION
     Signs files in a given path using a certificate from Azure Key Vault.
+    Connection to the Azure Key Vault can be done using a service principal or a managed identity.
     .PARAMETER KeyVaultName
     The name of the Azure Key Vault where the certificate is stored.
     .PARAMETER CertificateName
     The name of the certificate in the Azure Key Vault.
     .PARAMETER ClientId
-    The client ID of the service principal used to authenticate with Azure Key Vault.
+    [Optional] The client ID of the service principal used to authenticate with Azure Key Vault. If not specified, managed identity will be used.
     .PARAMETER ClientSecret
-    The client secret of the service principal used to authenticate with Azure Key Vault.
+    [Optional] The client secret of the service principal used to authenticate with Azure Key Vault. If not specified, managed identity will be used.
     .PARAMETER TenantId
-    The tenant ID of the service principal used to authenticate with Azure Key Vault.
+    [Optional] The tenant ID of the service principal used to authenticate with Azure Key Vault. If not specified, managed identity will be used.
     .PARAMETER FilesToSign
     The path to the file(s) to be signed. Supports wildcards.
     .PARAMETER Description
@@ -51,20 +52,22 @@ function Install-SigningTool() {
     .PARAMETER Verbosity
     The verbosity level of the signing tool.
     .EXAMPLE
-    Invoke-SigningTool -KeyVaultName "my-key-vault" -CertificateName "my-certificatename" -ClientId "my-client-id" -ClientSecret "my-client-secret" -TenantId "my-tenant-id"
+    Invoke-SigningTool -KeyVaultName "my-key-vault" -CertificateName "my-certificatename" -ClientId "my-client-id" -ClientSecret "my-client-secret" -TenantId "my-tenant-id" `
                     -FilesToSign "C:\path\to\files\*.app" -Description "Signed with AL-Go for GitHub" -DescriptionUrl "github.com/myorg/myrepo"
+    .EXAMPLE
+    Invoke-SigningTool -KeyVaultName "my-key-vault" -CertificateName "my-certificatename" -FilesToSign "C:\path\to\files\*.app" -Description "Signed with AL-Go for GitHub" -DescriptionUrl "github.com/myorg/myrepo"
 #>
 function Invoke-SigningTool() {
     param(
         [Parameter(Mandatory = $true)]
         [string] $KeyVaultName,
         [Parameter(Mandatory = $true)]
         [string] $CertificateName,
-        [Parameter(Mandatory = $true)]
+        [Parameter(Mandatory = $false)]
         [string] $ClientId,
         [Parameter(Mandatory = $false)]
         [string] $ClientSecret,
-        [Parameter(Mandatory = $true)]
+        [Parameter(Mandatory = $false)]
         [string] $TenantId,
         [Parameter(Mandatory = $true)]
         [string] $FilesToSign,
@@ -83,8 +86,8 @@ function Invoke-SigningTool() {
     $signingToolExe = Install-SigningTool
 
     # Sign files
-    if ($ClientSecret) {
-        Write-Host "Invoking signing tool using client secret"
+    if ($ClientId -and $ClientSecret -and $TenantId) {
+        Write-Host "Invoking signing tool using clientId/clientSecret"
         . $signingToolExe code azure-key-vault `
             --azure-key-vault-url "https://$KeyVaultName.vault.azure.net/" `
             --azure-key-vault-certificate $CertificateName `

diff --git a/Scenarios/secrets.md b/Scenarios/secrets.md
@@ -0,0 +1,75 @@
+# Secrets
+
+The behavior of AL-Go for GitHub is very much controlled by settings and secrets.
+
+To learn more about the settings used by AL-Go for GitHub, please navigate to [Settings](settings.md).
+
+## Where are the secrets defined
+
+Secrets in GitHub can be defined on the Organizational level, on the repository level or on an environment.
+
+**Organizational secrets** are defined on your GitHub organization and can be shared with the repositories in your organization. For the free GitHub plan, organizational secrets can only be shared with public repositories.
+
+**Repository secrets** are defined on the individual repository and you can define any number of secrets on the repository. If you define a secret on the repository level with the same name as an organizational secret, shared with the repository, the repository secret overrides the organizational secret.
+
+**Environment secrets** are defined underneath an environment and is only available to the workflow during deployment to this environment. For the free GitHub plan, environments (and secrets obviously) are only available on public repositories.
+
+> [!NOTE]
+> In AL-Go for GitHub you can also define your secrets in an Azure KeyVault, but you would still need to create one secret in GitHub called [Azure_Credentials](https://aka.ms/algosecrets#azure_credentials) to be able to access the Azure KeyVault.
+
+## Important information about secrets (e.g. common mistakes...)
+
+Please read the following topics carefully and make sure that you do not run into any of these common mistakes, which might cause some problems.
+
+### Secret values masked in logs
+
+All secrets exposed to a repository will be masked (replaced with ***) in the workflow logs of that repository. This is good, as this ensures that secrets are not exposed 
+
+
+### Only expose secrets necessary secrets to AL-Go repositories
+
+You should only make 
+
+### Don't have secrets that are not secret
+
+
+### Compressed json
+
+### Avoid secrets alltogether
+
+By using managed identities and federated credentials, you can avoid having secrets 
+
+## Microsoft Entra App Registration
+
+### Federated credentials vs. clientSecret
+
+## Managed identities (For accessing Azure resources)
+
+### Federated credentials
+
+
+
+
+## Connect to Azure (Azure_Credentials)
+
+### Read secrets from KeyVault
+
+Two security models for KeyVaults
+
+### Sign an app
+
+Keyvault must be premium SKU + how to change SKU using AZ CLI
+
+### Create Azure VMs???
+
+## <a id="AuthContext"></a>Deploy to an environment (AuthContext)
+
+## <a id="AppSourceContext"></a>Deliver to AppSource (AppSourceContext)
+
+## <a id="StorageContext"></a>Deliver to storage (StorageContext)
+
+Different auth models
+
+## <a id="NuGetContext"></a>Deliver to NuGet (NuGetContext)
+
+## <a id="GitHubPackagesContext"></a>Deliver to GitHub Packages (GitHubPackagesContext)
diff --git a/Scenarios/settings.md b/Scenarios/settings.md
@@ -1,5 +1,8 @@
 # Settings
-The behavior of AL-Go for GitHub is very much controlled by settings.
+
+The behavior of AL-Go for GitHub is very much controlled by settings and secrets.
+
+To learn more about the secrets used by AL-Go for GitHub, please navigate to [Secrets](secrets.md).
 
 ## Where are the settings located