From 881a3527cf4974e9dd7160da19f1427b3f679fc8 Mon Sep 17 00:00:00 2001
From: freddydk <freddydk@users.noreply.github.com>
Date: Wed, 5 Jun 2024 09:02:35 +0200
Subject: [PATCH] non-sec

---
 Actions/AL-Go-Helper.ps1                   |  3 ++-
 Actions/ReadSecrets/ReadSecrets.ps1        | 26 ++++++++--------------
 Actions/ReadSecrets/ReadSecretsHelper.psm1 |  1 -
 3 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/Actions/AL-Go-Helper.ps1 b/Actions/AL-Go-Helper.ps1
index ff13c3a74..184642184 100644
--- a/Actions/AL-Go-Helper.ps1
+++ b/Actions/AL-Go-Helper.ps1
@@ -2404,6 +2404,7 @@ function InstallAzModuleIfNeeded {
 }
 
 function ConnectAz {
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = 'GitHub Secrets come in as plain text')]
     param(
         [PsCustomObject] $azureCredentials
     )
@@ -2412,7 +2413,7 @@ function ConnectAz {
         Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue
         if ($azureCredentials.PSObject.Properties.Name -eq 'ClientSecret' -and $azureCredentials.ClientSecret) {
             Write-Host "Connecting to Azure using clientId and clientSecret."
-            $credential = New-Object pscredential -ArgumentList $azureCredentials.ClientId, $azureCredentials.ClientSecret
+            $credential = New-Object pscredential -ArgumentList $azureCredentials.ClientId, (ConvertTo-SecureString -string $azureCredentials.ClientSecret -AsPlainText -Force)
             Connect-AzAccount -ServicePrincipal -Tenant $azureCredentials.TenantId -Credential $credential -WarningAction SilentlyContinue | Out-Null
         }
         else {
diff --git a/Actions/ReadSecrets/ReadSecrets.ps1 b/Actions/ReadSecrets/ReadSecrets.ps1
index d2aec5d9f..4b59da6e3 100644
--- a/Actions/ReadSecrets/ReadSecrets.ps1
+++ b/Actions/ReadSecrets/ReadSecrets.ps1
@@ -1,5 +1,4 @@
-[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = 'GitHub Secrets come in as plain text')]
-Param(
+Param(
     [Parameter(HelpMessage = "All GitHub Secrets in compressed JSON format", Mandatory = $true)]
     [string] $gitHubSecrets = "",
     [Parameter(HelpMessage = "Comma-separated list of Secrets to get. Secrets preceded by an asterisk are returned encrypted", Mandatory = $true)]
@@ -101,22 +100,15 @@ try {
                             MaskValue -key "$($secretName).$($keyName)" -value "$($json."$keyName")"
                         }
                     }
-                    if ($json.ContainsKey('clientID')) {
-                        Write-Host "clientID found"
-                        if ($json.ContainsKey('clientSecret')) {
-                            Write-Host "clientSecret found"
-                            $json.clientSecret = ConvertTo-SecureString $json.clientSecret -AsPlainText -Force
+                    if ($json.ContainsKey('clientID') -and !$json.ContainsKey('clientSecret')) {
+                        try {
+                            Write-Host "Query federated token"
+                            $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
+                            $json += @{ "clientAssertion" = $result.value }
+                            $secretValue = $json | ConvertTo-Json -Compress
                         }
-                        else {
-                            try {
-                                Write-Host "Query federated token"
-                                $result = Invoke-RestMethod -Method GET -UseBasicParsing -Headers @{ "Authorization" = "bearer $ENV:ACTIONS_ID_TOKEN_REQUEST_TOKEN"; "Accept" = "application/vnd.github+json" } -Uri "$ENV:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange"
-                                $json += @{ "clientAssertion" = $result.value }
-                                $secretValue = $json | ConvertTo-Json -Compress
-                            }
-                            catch {
-                                Write-Host "::WARNING::Unable to get ID_TOKEN, maybe id_token: write permissions are missing"
-                            }
+                        catch {
+                            Write-Host "::WARNING::Unable to get ID_TOKEN, maybe id_token: write permissions are missing"
                         }
                     }
                 }
diff --git a/Actions/ReadSecrets/ReadSecretsHelper.psm1 b/Actions/ReadSecrets/ReadSecretsHelper.psm1
index 08547b042..3a52f1d94 100644
--- a/Actions/ReadSecrets/ReadSecretsHelper.psm1
+++ b/Actions/ReadSecrets/ReadSecretsHelper.psm1
@@ -78,7 +78,6 @@ function GetKeyVaultCredentials {
             if ($creds.PSObject.Properties.Name -eq 'ClientSecret' -and $creds.ClientSecret) {
                 # Mask ClientSecret
                 MaskValue -key 'ClientSecret' -value $creds.ClientSecret
-                $creds.ClientSecret = ConvertTo-SecureString $creds.ClientSecret -AsPlainText -Force
             }
             # Check thet $creds contains the needed properties
             $creds.ClientId | Out-Null