bugs

microsoft · Jun 5, 2024 · 06aabcd · 06aabcd
1 parent 1a5db97
commit 06aabcd
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 24 deletions.
diff --git a/Actions/AL-Go-Helper.ps1 b/Actions/AL-Go-Helper.ps1
@@ -2411,26 +2411,29 @@ function ConnectAz {
         Clear-AzContext -Scope Process
         Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
         if ($azureCredentials.PSObject.Properties.Name -eq 'ClientSecret' -and $azureCredentials.ClientSecret) {
+            Write-Host "Connecting to Azure using clientId and clientSecret."
             $credential = New-Object PSCredential -argumentList $azureCredentials.ClientId, $azureCredentials.ClientSecret
             Connect-AzAccount -ServicePrincipal -Tenant $azureCredentials.TenantId -Credential $credential -WarningAction SilentlyContinue | Out-Null
         }
         else {
             try {
-                Write-Host "Query ID_TOKEN from $ENV:ACTIONS_ID_TOKEN_REQUEST_URL"
+                Write-Host "Query federated token"
                 $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
             }
             catch {
-                throw "Unable to get ID_TOKEN, maybe id_token: write permissions are missing. Error was $($_.Exception.Message)"
+                throw "Unable to get federated token, maybe id_token: write permissions are missing. Error was $($_.Exception.Message)"
             }
+            Write-Host "Connecting to Azure using clientId and federated token."
             Connect-AzAccount -ApplicationId $azureCredentials.ClientId -Tenant $azureCredentials.TenantId -FederatedToken $result.value -WarningAction SilentlyContinue | Out-Null
         }
         if ($azureCredentials.PSObject.Properties.Name -eq 'SubScriptionId' -and $azureCredentials.subscriptionId) {
+            Write-Host "Selecting subscription $($azureCredentials.SubscriptionId)"
             Set-AzContext -SubscriptionId $azureCredentials.SubscriptionId -Tenant $azureCredentials.TenantId -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Out-Null
         }
         $script:keyvaultConnectionExists = $true
-        Write-Host "Successfully connected to Azure Key Vault."
+        Write-Host "Successfully connected to Azure"
     }
     catch {
-        throw "Error trying to authenticate to Azure using Az. Error was $($_.Exception.Message)"
+        throw "Error trying to authenticate to Azure. Error was $($_.Exception.Message)"
     }
 }
diff --git a/Actions/Deliver/Deliver.ps1 b/Actions/Deliver/Deliver.ps1
@@ -29,6 +29,7 @@ function ConnectAzStorageAccount {
     $message = ''
     if ($storageAccountCredentials.PSObject.Properties.Name -eq 'sastoken') {
         try {
+            Write-Host "Creating AzStorageContext based on StorageAccountName and sastoken"
             $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccountCredentials.StorageAccountName -SasToken $storageAccountCredentials.sastoken
         }
         catch {
@@ -37,20 +38,22 @@ function ConnectAzStorageAccount {
     }
     elseif ($storageAccountCredentials.PSObject.Properties.Name -eq 'StorageAccountKey') {
         try {
+            Write-Host "Creating AzStorageContext based on StorageAccountName and StorageAccountKey"
             $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccountCredentials.StorageAccountName -StorageAccountKey $storageAccountCredentials.StorageAccountKey
         }
         catch {
             $message = "Unable to create AzStorageContext based on StorageAccountName and StorageAccountKey.`nError was: $($_.Exception.Message)"
         }
     }
-    elseif (($storageAccountCredentials.PSObject.Properties.Name -eq 'ClientID') -and ($storageAccountCredentials.PSObject.Properties.Name -eq 'TenantID') -and ($storageAccountCredentials.PSObject.Properties.Name -eq 'SubscriptionId')) {
+    elseif (($storageAccountCredentials.PSObject.Properties.Name -eq 'clientID') -and ($storageAccountCredentials.PSObject.Properties.Name -eq 'tenantID')) {
         try {
             InstallAzModuleIfNeeded -moduleName 'Az.Accounts'
             ConnectAz -azureCredentials $storageAccountCredentials
+            Write-Host "Creating AzStorageContext based on StorageAccountName and managed identity/app registration"
             $azStorageContext = New-AzStorageContext -StorageAccountName $storageAccountCredentials.StorageAccountName -UseConnectedAccount
         }
         catch {
-            $message = "Unable to create AzStorageContext based on StorageAccountName and federated credentials.`nError was: $($_.Exception.Message)"
+            $message = "Unable to create AzStorageContext based on StorageAccountName and managed identity.`nError was: $($_.Exception.Message)"
         }
     }
     else {

diff --git a/Actions/ReadSecrets/ReadSecrets.ps1 b/Actions/ReadSecrets/ReadSecrets.ps1
@@ -102,8 +102,7 @@ try {
                     }
                     if ($json.ContainsKey('clientID') -and !$json.ContainsKey('clientSecret')) {
                         try {
-                            $json.Keys | Out-Host
-                            Write-Host "Query ID_TOKEN from $ENV:ACTIONS_ID_TOKEN_REQUEST_URL"
+                            Write-Host "Query federated token"
                             $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
                             $json += @{ "clientAssertion" = $result.value }
                             $secretValue = $json | ConvertTo-Json -Compress

diff --git a/Actions/Sign/Sign.ps1 b/Actions/Sign/Sign.ps1
@@ -72,22 +72,6 @@ try {
 
     # Get parameters for signing
     $AzureCredentials = ConvertFrom-Json $AzureCredentialsJson
-    $AzureCredentialParams = @{
-        "ClientId" = $AzureCredentials.clientId
-        "TenantId" = $AzureCredentials.tenantId
-    }
-    if ($AzureCredentials.PSobject.Properties.name -eq "clientSecret") {
-        $AzureCredentialParams += @{ "ClientSecret" = $AzureCredentials.clientSecret }
-    }
-    else {
-        Write-Host "Query ID_TOKEN from $ENV:ACTIONS_ID_TOKEN_REQUEST_URL"
-        $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
-        InstallKeyVaultModuleIfNeeded
-        Connect-AzAccount -ApplicationId $AzureCredentials.ClientId -Tenant $AzureCredentials.TenantId -FederatedToken $result.value -WarningAction SilentlyContinue | Out-Null
-        if ($AzureCredentials.PSObject.Properties.Name -eq 'SubScriptionId') {
-            Set-AzContext -SubscriptionId $AzureCredentials.SubscriptionId -Tenant $AzureCredentials.TenantId -ErrorAction SilentlyContinue -WarningAction SilentlyContinue | Out-Null
-        }
-    }
     $settings = $env:Settings | ConvertFrom-Json
     if ($settings.keyVaultName) {
         $AzureKeyVaultName = $settings.keyVaultName
@@ -98,6 +82,18 @@ try {
     else {
         throw "KeyVaultName is not specified in AzureCredentials nor in settings. Please specify it in one of them."
     }
+
+    InstallAzModuleIfNeeded -moduleName 'Az.Accounts'
+    $AzureCredentialParams = @{
+        "ClientId" = $AzureCredentials.clientId
+        "TenantId" = $AzureCredentials.tenantId
+    }
+    if ($AzureCredentials.PSobject.Properties.name -eq "clientSecret") {
+        $AzureCredentialParams += @{ "ClientSecret" = $AzureCredentials.clientSecret }
+    }
+    else {
+        ConnectAz -azureCredentials $storageAccountCredentials
+    }
     $description = "Signed with AL-Go for GitHub"
     $descriptionUrl = "$ENV:GITHUB_SERVER_URL/$ENV:GITHUB_REPOSITORY"