Added WIF support for checkout task
Sanju Yadav committed Jan 9, 2025
1 parent a79a8ef commit ea8ebe3
Showing 1 changed file with 42 additions and 0 deletions.
42 changes: 42 additions & 0 deletions src/Agent.Plugins/GitSourceProvider.cs
Expand Up @@ -16,6 +16,8 @@
using Microsoft.TeamFoundation.DistributedTask.WebApi;
using Microsoft.VisualStudio.Services.WebApi;
using Microsoft.VisualStudio.Services.Agent.Util;
using Microsoft.Identity.Client;
using Microsoft.VisualStudio.Services.Common;

namespace Agent.Plugins.Repository
{
Expand Down Expand Up @@ -189,6 +191,13 @@ public abstract class GitSourceProvider : ISourceProvider
private const string _pullRefsPrefix = "refs/pull/";
private const string _remotePullRefsPrefix = "refs/remotes/pull/";

/* private const string _tenantId = "tenantid";
private const string _clientId = "servicePrincipalId";
private const string _activeDirectoryServiceEndpointResourceId = "activeDirectoryServiceEndpointResourceId";
private const string _workloadIdentityFederationScheme = "WorkloadIdentityFederation";
private const string _managedServiceIdentityScheme = "ManagedServiceIdentity";
*/

// min git version that support add extra auth header.
protected Version _minGitVersionSupportAuthHeader = new Version(2, 9);

Expand Down Expand Up @@ -460,6 +469,39 @@ public async Task GetSourceAsync(
password = string.Empty;
}
break;
case EndpointAuthorizationSchemes.WorkloadIdentityFederation:
var tenantId = "";
var clientId = "";
//endpoint.Authorization?.Parameters?.TryGetValue(_tenantId, out tenantId);
//endpoint.Authorization?.Parameters?.TryGetValue(_clientId, out clientId);

var app = ConfidentialClientApplicationBuilder.Create(clientId)
.WithAuthority($"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token")
.WithRedirectUri("urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
.WithClientAssertion(async (AssertionRequestOptions options) =>
{
var systemConnection = executionContext.Endpoints.SingleOrDefault(x => string.Equals(x.Name, WellKnownServiceEndpointNames.SystemVssConnection, StringComparison.Ordinal));
ArgUtil.NotNull(systemConnection, nameof(systemConnection));
VssCredentials vssCredentials = VssUtil.GetVssCredential(systemConnection);
var collectionUri = new Uri(executionContext.Variables.GetValueOrDefault("system.collectionuri")?.Value);
using VssConnection vssConnection = VssUtil.CreateConnection(collectionUri, vssCredentials, trace: null);
TaskHttpClient taskClient = vssConnection.GetClient<TaskHttpClient>();
var idToken = await taskClient.CreateOidcTokenAsync(
scopeIdentifier: new Guid(executionContext.Variables.GetValueOrDefault("system.teamprojectid")?.Value),
hubName: executionContext.Variables.GetValueOrDefault("system.hosttype")?.Value,
planId: new Guid(executionContext.Variables.GetValueOrDefault("system.planid")?.Value),
jobId: new Guid(executionContext.Variables.GetValueOrDefault("system.jobId")?.Value),
serviceConnectionId: endpoint.Id,
claims: null,
cancellationToken: cancellationToken
);
return idToken.OidcToken;
})
.Build();
var authenticationResult = await app.AcquireTokenForClient(new string[] { $"499b84ac-1321-427f-aa17-267ca6975798/.default" }).ExecuteAsync(cancellationToken);
username = EndpointAuthorizationSchemes.WorkloadIdentityFederation;
password = authenticationResult.AccessToken;
break;
default:
executionContext.Warning($"Unsupport endpoint authorization schemes: {endpoint.Authorization.Scheme}");
break;
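Review bot: The WorkloadIdentityFederation branch cannot authenticate as committed: `tenantId` and `clientId` are fixed to `""` and the two `TryGetValue` reads of `endpoint.Authorization.Parameters` are commented out, together with the `_tenantId`/`_clientId` constants in the `@@ -189,6 +191,13 @@` hunk, so MSAL is asked to build a client for an empty client ID against `https://login.microsoftonline.com//oauth2/v2.0/token` (the enclosing `GetSourceAsync` starts and ends outside the hunk). Restore the constants and the two lookups, pass MSAL the authority rather than the token endpoint, e.g. `.WithAuthority($"https://login.microsoftonline.com/{tenantId}")` since MSAL appends the `/oauth2/v2.0/token` path itself, and drop the `WithRedirectUri("urn:ietf:params:oauth:client-assertion-type:jwt-bearer")` call, whose argument is an assertion-type identifier rather than a redirect URI and which the client-credentials flow does not need. Also fail fast with `ArgUtil.NotNullOrEmpty` on both values after the lookups, so a misconfigured service connection surfaces as a clear checkout error instead of an opaque MSAL exception. The `499b84ac-1321-427f-aa17-267ca6975798` literal passed to `AcquireTokenForClient` is the Azure DevOps resource scope and belongs in a named, commented constant such as `private const string _azureDevOpsResourceId = "499b84ac-1321-427f-aa17-267ca6975798";` rather than an uninterpolated `$"..."` literal.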
