non-sec
freddydk committed Jun 5, 2024
1 parent 6536189 commit 881a352
Showing 3 changed files with 11 additions and 19 deletions.
3 changes: 2 additions & 1 deletion Actions/AL-Go-Helper.ps1
Expand Up @@ -2404,6 +2404,7 @@ function InstallAzModuleIfNeeded {
}

function ConnectAz {
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = 'GitHub Secrets come in as plain text')]
param(
[PsCustomObject] $azureCredentials
)
Expand All @@ -2412,7 +2413,7 @@ function ConnectAz {
Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
if ($azureCredentials.PSObject.Properties.Name -eq 'ClientSecret' -and $azureCredentials.ClientSecret) {
Write-Host "Connecting to Azure using clientId and clientSecret."
$credential = New-Object pscredential -ArgumentList $azureCredentials.ClientId, $azureCredentials.ClientSecret
$credential = New-Object pscredential -ArgumentList $azureCredentials.ClientId, (ConvertTo-SecureString -string $azureCredentials.ClientSecret -AsPlainText -Force)
Connect-AzAccount -ServicePrincipal -Tenant $azureCredentials.TenantId -Credential $credential -WarningAction SilentlyContinue | Out-Null
}
else {
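Review bot: The new ConvertTo-SecureString call on the replaced `$credential` line assumes `$azureCredentials.ClientSecret` is a plain-text string, and since this commit also removes the conversion in GetKeyVaultCredentials this is now the only place that conversion happens; a caller that still passes a SecureString would, as far as I can tell, have that object stringified into the -String parameter and end up with an unusable credential rather than an error. That contract deserves a comment next to the param block, e.g. `# ClientSecret must be plain text; it is converted to a SecureString only here (GetKeyVaultCredentials no longer does it)`. A cheap guard just before the New-Object line, `if ($azureCredentials.ClientSecret -is [securestring]) { throw 'ClientSecret must be passed as plain text' }`, would make a mismatch fail loudly at the source. ConnectAz continues past the end of the hunk.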
26 changes: 9 additions & 17 deletions Actions/ReadSecrets/ReadSecrets.ps1
@@ -1,5 +1,4 @@
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = 'GitHub Secrets come in as plain text')]
Param(
Param(
[Parameter(HelpMessage = "All GitHub Secrets in compressed JSON format", Mandatory = $true)]
[string] $gitHubSecrets = "",
[Parameter(HelpMessage = "Comma-separated list of Secrets to get. Secrets preceded by an asterisk are returned encrypted", Mandatory = $true)]
Expand Down Expand Up @@ -101,22 +100,15 @@ try {
MaskValue -key "$($secretName).$($keyName)" -value "$($json."$keyName")"
}
}
if ($json.ContainsKey('clientID')) {
Write-Host "clientID found"
if ($json.ContainsKey('clientSecret')) {
Write-Host "clientSecret found"
$json.clientSecret = ConvertTo-SecureString $json.clientSecret -AsPlainText -Force
if ($json.ContainsKey('clientID') -and !$json.ContainsKey('clientSecret')) {
try {
Write-Host "Query federated token"
$result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
$json += @{ "clientAssertion" = $result.value }
$secretValue = $json | ConvertTo-Json -Compress
}
else {
try {
Write-Host "Query federated token"
$result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
$json += @{ "clientAssertion" = $result.value }
$secretValue = $json | ConvertTo-Json -Compress
}
catch {
Write-Host "::WARNING::Unable to get ID_TOKEN, maybe id_token: write permissions are missing"
}
catch {
Write-Host "::WARNING::Unable to get ID_TOKEN, maybe id_token: write permissions are missing"
}
}
}
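Review bot: In the rewritten federated-token branch, `$result.value` is copied into `clientAssertion` without checking that it is non-empty, so a response lacking a `value` field serialises a null assertion and the failure only surfaces later at sign-in with a less useful error. A one-line guard inside the `try`, `if (-not $result.value) { throw "ID token response contained no value" }`, routes that case through the existing warning path. The `catch` also discards the exception text; `Write-Host "::WARNING::Unable to get ID_TOKEN ($($_.Exception.Message)), maybe id_token: write permissions are missing"` keeps the hint while showing the real cause (the Invoke-RestMethod error message does not carry the bearer token, so nothing sensitive is added to the log). The enclosing `try` opens above this hunk.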
1 change: 0 additions & 1 deletion Actions/ReadSecrets/ReadSecretsHelper.psm1
Expand Up @@ -78,7 +78,6 @@ function GetKeyVaultCredentials {
if ($creds.PSObject.Properties.Name -eq 'ClientSecret' -and $creds.ClientSecret) {
# Mask ClientSecret
MaskValue -key 'ClientSecret' -value $creds.ClientSecret
$creds.ClientSecret = ConvertTo-SecureString $creds.ClientSecret -AsPlainText -Force
}
# Check thet $creds contains the needed properties
$creds.ClientId | Out-Null
