예제 #1
        /// <summary>
        /// Registers the sensitive values carried by a job request with the secret masker:
        /// secret variables, mask hints, service endpoint authorization parameters and
        /// secure file download tickets.
        /// </summary>
        /// <param name="message">
        /// The job request. It and its <c>Resources</c> are checked with <c>ArgUtil.NotNull</c>;
        /// the individual collections may be null and are then treated as empty.
        /// </param>
        /// <remarks>
        /// Two inputs are not registered by this method: secret variables whose value is
        /// empty or whitespace only, and mask hints whose type is not
        /// <c>MaskType.Regex</c> (those produce only a trace warning).
        /// </remarks>
        private void InitializeSecretMasker(Pipelines.AgentJobRequestMessage message)
        {
            Trace.Entering();
            ArgUtil.NotNull(message, nameof(message));
            ArgUtil.NotNull(message.Resources, nameof(message.Resources));

            // --- Secret variables ---
            var jobVariables = message.Variables ?? new Dictionary<string, VariableValue>();
            foreach (var entry in jobVariables)
            {
                // Whitespace-only secrets are skipped.
                if (!entry.Value.IsSecret || string.IsNullOrWhiteSpace(entry.Value.Value))
                {
                    continue;
                }

                string rawSecret = entry.Value.Value;
                AddUserSuppliedSecret(rawSecret);

                // Variables are printed with some characters escaped in debug mode, so the
                // escaped spelling of the secret has to be masked as well.
                string percentAndNewlineEscaped = rawSecret.Replace("%", "%AZP25")
                                                           .Replace("\r", "%0D")
                                                           .Replace("\n", "%0A");
                AddUserSuppliedSecret(percentAndNewlineEscaped);

                // % escaping may be turned off; cover the spelling where only the line
                // breaks are escaped.
                string newlineOnlyEscaped = rawSecret.Replace("\r", "%0D")
                                                     .Replace("\n", "%0A");
                AddUserSuppliedSecret(newlineOnlyEscaped);
            }

            // --- Mask hints ---
            var hints = message.MaskHints ?? new List<MaskHint>();
            foreach (MaskHint hint in hints)
            {
                if (hint.Type != MaskType.Regex)
                {
                    // TODO: Should we fail instead? Do any additional pains need to be taken here? Should the job message not be traced?
                    // As written, an unsupported hint is not registered with the masker at all.
                    Trace.Warning($"Unsupported mask type '{hint.Type}'.");
                    continue;
                }

                HostContext.SecretMasker.AddRegex(hint.Value, $"Worker_{WellKnownSecretAliases.AddingMaskHint}");

                // The worker prints the job message JSON to the diag log and SecretMasker has
                // the JsonEscapeEncoder hooked up, so the hint text is also added as a value.
                HostContext.SecretMasker.AddValue(hint.Value, WellKnownSecretAliases.AddingMaskHint);
            }

            // TODO: Avoid adding redundant secrets. If the endpoint auth matches the system connection,
            // it is added twice: as a value secret by the endpoint loop below, and as a regex secret
            // because of the hint sent down in the job message.

            // --- Service endpoint authorization parameters ---
            var endpoints = message.Resources.Endpoints ?? new List<ServiceEndpoint>();
            foreach (ServiceEndpoint endpoint in endpoints)
            {
                var authParameters = endpoint.Authorization?.Parameters ?? new Dictionary<string, string>();
                foreach (var parameter in authParameters)
                {
                    // Only non-empty values whose key MaskingUtil classifies as secret are masked.
                    if (string.IsNullOrEmpty(parameter.Value) || !MaskingUtil.IsEndpointAuthorizationParametersSecret(parameter.Key))
                    {
                        continue;
                    }

                    HostContext.SecretMasker.AddValue(parameter.Value, $"Worker_EndpointAuthorizationParameters_{parameter.Key}");
                }
            }

            // --- Secure file download tickets ---
            var secureFiles = message.Resources.SecureFiles ?? new List<SecureFile>();
            foreach (SecureFile secureFile in secureFiles)
            {
                if (string.IsNullOrEmpty(secureFile.Ticket))
                {
                    continue;
                }

                HostContext.SecretMasker.AddValue(secureFile.Ticket, WellKnownSecretAliases.SecureFileTicket);
            }
        }
예제 #2
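        /// <summary>
        /// Appends one key/value pair taken from the request body to the current user
        /// session's <c>SessionData</c> and logs the operation.
        /// </summary>
        /// <param name="req">Request body carrying the <c>key</c> and <c>value</c> to store.</param>
        /// <returns>
        /// A response with <c>Success = true</c> when the pair was added, or
        /// <c>Success = false</c> when any exception was thrown (the exception is logged,
        /// not propagated).
        /// </returns>
        public Response<BasicResponse> SetSessionData([FromBody] SessionDataToSet req)
        {
            try
            {
                lock (UserSession.CurrentSession)
                {
                    // The value is passed through MasKPANInString before logging.
                    // NOTE(review): req.key comes from the request body and is logged as-is;
                    // confirm it can never carry sensitive data or line breaks.
                    LogableTask.LogSingleActivity("SetStartupData", "SetStartupData", TraceLevel.Info, $"going to save session key {req.key} as {MaskingUtil.MasKPANInString(req.value)}");
                    UserSession.CurrentSession.SessionData.Add(new KeyValuePair<string, string>(req.key, req.value));

                    // The full session dump contains the value that was masked in the log line
                    // above (and every earlier value), so it gets the same masking; logging the
                    // raw JSON would write those values to the log in clear text.
                    // NOTE(review): this only covers what MasKPANInString recognises - verify
                    // whether other sensitive session values need masking or omission.
                    string sessionDump = JsonConvert.SerializeObject(UserSession.CurrentSession.SessionData);
                    LogableTask.LogSingleActivity("New SessionData", MethodBase.GetCurrentMethod(), TraceLevel.Info, MaskingUtil.MasKPANInString(sessionDump));
                }

                return new Response<BasicResponse>
                {
                    Success = true
                };
            }
            catch (Exception ex)
            {
                // Failures (including a null request body) are reported to the caller only
                // as Success = false; details go to the log.
                LogableTask.LogSingleActivity("SetSessionData", MethodBase.GetCurrentMethod(), TraceLevel.Error, ex);
                return new Response<BasicResponse>
                {
                    Success = false
                };
            }
        }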