/// <summary>
/// Registers the secrets carried by a job request message with the host's secret masker:
/// secret variables (raw and escaped forms), server-supplied mask hints, secret service
/// endpoint authorization parameters, and secure file download tickets.
/// </summary>
/// <param name="message">
/// The job request message. It and its <c>Resources</c> must be non-null (checked via ArgUtil).
/// The <c>Variables</c>, <c>MaskHints</c>, <c>Resources.Endpoints</c> and
/// <c>Resources.SecureFiles</c> collections may each be null, in which case that source is skipped.
/// </param>
private void InitializeSecretMasker(Pipelines.AgentJobRequestMessage message)
{
    Trace.Entering();
    ArgUtil.NotNull(message, nameof(message));
    ArgUtil.NotNull(message.Resources, nameof(message.Resources));

    // ---- Secret variables ------------------------------------------------------------
    var jobVariables = message.Variables;
    if (jobVariables != null)
    {
        foreach (var entry in jobVariables)
        {
            var candidate = entry.Value;

            // Only secret variables are masked; whitespace-only secrets are skipped.
            if (!candidate.IsSecret || string.IsNullOrWhiteSpace(candidate.Value))
            {
                continue;
            }

            string rawSecret = candidate.Value;
            AddUserSuppliedSecret(rawSecret);

            // Debug-mode output escapes some characters when printing variables, so the
            // escaped rendering of the secret has to be registered as well or it would
            // slip past a masker that only knows the raw value.
            string percentAndNewlineEscaped = rawSecret.Replace("%", "%AZP25")
                                                       .Replace("\r", "%0D")
                                                       .Replace("\n", "%0A");
            AddUserSuppliedSecret(percentAndNewlineEscaped);

            // % escaping may be turned off, so also register the form in which only the
            // newline characters are escaped.
            string newlineOnlyEscaped = rawSecret.Replace("\r", "%0D")
                                                 .Replace("\n", "%0A");
            AddUserSuppliedSecret(newlineOnlyEscaped);
        }
    }

    // ---- Mask hints sent down in the job message -------------------------------------
    var maskHints = message.MaskHints;
    if (maskHints != null)
    {
        foreach (MaskHint maskHint in maskHints)
        {
            if (maskHint.Type != MaskType.Regex)
            {
                // TODO: Should we fail instead? Do any additional pains need to be taken here? Should the job message not be traced?
                // Note: on this path nothing is registered for the hint, so whatever it was
                // meant to cover is not masked by this method.
                Trace.Warning($"Unsupported mask type '{maskHint.Type}'.");
                continue;
            }

            HostContext.SecretMasker.AddRegex(maskHint.Value, $"Worker_{WellKnownSecretAliases.AddingMaskHint}");

            // The worker prints the job message JSON to the diag log and SecretMasker has
            // the JsonEscapeEncoder hooked up, so the hint is also registered as a value.
            HostContext.SecretMasker.AddValue(maskHint.Value, WellKnownSecretAliases.AddingMaskHint);
        }
    }

    // TODO: Avoid adding redundant secrets. If the endpoint auth matches the system connection, then it's added as a value secret and as a regex secret. Once as a value secret b/c of the following code that iterates over each endpoint. Once as a regex secret due to the hint sent down in the job message.

    // ---- Service endpoint authorization parameters -----------------------------------
    var endpoints = message.Resources.Endpoints;
    if (endpoints != null)
    {
        foreach (ServiceEndpoint endpoint in endpoints)
        {
            var authParameters = endpoint.Authorization?.Parameters;
            if (authParameters == null)
            {
                continue;
            }

            foreach (var keyValuePair in authParameters)
            {
                // Only non-empty values whose key MaskingUtil classifies as secret are masked.
                if (string.IsNullOrEmpty(keyValuePair.Value))
                {
                    continue;
                }

                if (MaskingUtil.IsEndpointAuthorizationParametersSecret(keyValuePair.Key))
                {
                    HostContext.SecretMasker.AddValue(keyValuePair.Value, $"Worker_EndpointAuthorizationParameters_{keyValuePair.Key}");
                }
            }
        }
    }

    // ---- Secure file download tickets ------------------------------------------------
    var secureFiles = message.Resources.SecureFiles;
    if (secureFiles != null)
    {
        foreach (SecureFile file in secureFiles)
        {
            if (string.IsNullOrEmpty(file.Ticket))
            {
                continue;
            }

            HostContext.SecretMasker.AddValue(file.Ticket, WellKnownSecretAliases.SecureFileTicket);
        }
    }
}
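/// <summary>
/// Appends the key/value pair from the request body to the current user session's
/// <c>SessionData</c> collection and logs the change.
/// </summary>
/// <param name="req">Request body carrying the <c>key</c> and <c>value</c> to store.</param>
/// <returns>
/// A response with <c>Success = true</c> when the pair was stored. Any exception (including
/// the null dereference caused by a missing request body) is logged at error level and
/// reported as <c>Success = false</c>.
/// </returns>
public Response<BasicResponse> SetSessionData([FromBody] SessionDataToSet req)
{
    try
    {
        // The lock covers both the mutation and the serialization of SessionData, so the
        // collection is not modified by another caller of this method while it is enumerated.
        lock (UserSession.CurrentSession)
        {
            LogableTask.LogSingleActivity("SetStartupData", "SetStartupData", TraceLevel.Info, $"going to save session key {req.key} as {MaskingUtil.MasKPANInString(req.value)}");
            UserSession.CurrentSession.SessionData.Add(new KeyValuePair<string, string>(req.key, req.value));

            // The value is masked in the log line above, so the snapshot of the whole
            // collection must be masked too; writing the raw JSON would put the same value
            // (and every previously stored one) into the log unmasked.
            // NOTE(review): assumes MasKPANInString accepts arbitrary text and returns a string - confirm.
            // It only targets PANs; if other sensitive values can be stored here, consider
            // logging the keys or the entry count instead of the values.
            string sessionSnapshot = JsonConvert.SerializeObject(UserSession.CurrentSession.SessionData);
            LogableTask.LogSingleActivity("New SessionData", MethodBase.GetCurrentMethod(), TraceLevel.Info, MaskingUtil.MasKPANInString(sessionSnapshot));
        }

        return new Response<BasicResponse> { Success = true };
    }
    catch (Exception ex)
    {
        LogableTask.LogSingleActivity("SetSessionData", MethodBase.GetCurrentMethod(), TraceLevel.Error, ex);
        return new Response<BasicResponse> { Success = false };
    }
}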