Fix OIDC token exchange for Artifactory, Distribution and Xray service connections

Author: agrasth

jfrog-tasks-utils/utils.js

@@ -393,37 +393,42 @@ function maskSecrets(str) {
         .replace(/--access-token='.*?'/g, '--access-token=***');
 }
 
-async function configureJfrogCliServer(jfrogService, serverId, cliPath, buildDir) {
-    let oidcProviderName = tl.getEndpointAuthorizationParameter(jfrogService, 'oidcProviderName', true);
-    let oidcAccessToken;
-
-    if (oidcProviderName) {
-        let serviceUrl = tl.getEndpointUrl(jfrogService, false);
-        let platformUrl = '';
-        try {
-            platformUrl = tl.getEndpointAuthorizationParameter(jfrogService, 'jfrogPlatformUrl', true);
-        } catch (error) {
-            console.warn('Failed to get platform url from field: ' + error + '\nparsing from url instead');
-        }
-        if (!platformUrl || !platformUrl.trim()) {
-            platformUrl = parsePlatformUrlFromServiceUrl(serviceUrl);
-        }
-        oidcAccessToken = await exchangeOidcTokenAndSetStepVariables(jfrogService, platformUrl, oidcProviderName, cliPath, buildDir);
+async function fetchOidcTokenIfConfigured(service, cliPath, buildDir) {
+    const oidcProviderName = tl.getEndpointAuthorizationParameter(service, 'oidcProviderName', true);
+    if (!oidcProviderName) {
+        return undefined;
     }
+    const serviceUrl = tl.getEndpointUrl(service, false);
+    let platformUrl = '';
+    try {
+        platformUrl = tl.getEndpointAuthorizationParameter(service, 'jfrogPlatformUrl', true);
+    } catch (error) {
+        console.warn('Failed to get platform url from field: ' + error + '\nparsing from url instead');
+    }
+    if (!platformUrl || !platformUrl.trim()) {
+        platformUrl = parsePlatformUrlFromServiceUrl(serviceUrl);
+    }
+    return exchangeOidcTokenAndSetStepVariables(service, platformUrl, oidcProviderName, cliPath, buildDir);
+}
 
+async function configureJfrogCliServer(jfrogService, serverId, cliPath, buildDir) {
+    const oidcAccessToken = await fetchOidcTokenIfConfigured(jfrogService, cliPath, buildDir);
     return configureSpecificCliServer(jfrogService, '--url', serverId, cliPath, buildDir, oidcAccessToken);
 }
 
-function configureArtifactoryCliServer(artifactoryService, serverId, cliPath, buildDir) {
-    return configureSpecificCliServer(artifactoryService, '--artifactory-url', serverId, cliPath, buildDir);
+async function configureArtifactoryCliServer(artifactoryService, serverId, cliPath, buildDir) {
+    const oidcAccessToken = await fetchOidcTokenIfConfigured(artifactoryService, cliPath, buildDir);
+    return configureSpecificCliServer(artifactoryService, '--artifactory-url', serverId, cliPath, buildDir, oidcAccessToken);
 }
 
-function configureDistributionCliServer(distributionService, serverId, cliPath, buildDir) {
-    return configureSpecificCliServer(distributionService, '--distribution-url', serverId, cliPath, buildDir);
+async function configureDistributionCliServer(distributionService, serverId, cliPath, buildDir) {
+    const oidcAccessToken = await fetchOidcTokenIfConfigured(distributionService, cliPath, buildDir);
+    return configureSpecificCliServer(distributionService, '--distribution-url', serverId, cliPath, buildDir, oidcAccessToken);
 }
 
-function configureXrayCliServer(xrayService, serverId, cliPath, buildDir) {
-    return configureSpecificCliServer(xrayService, '--xray-url', serverId, cliPath, buildDir);
+async function configureXrayCliServer(xrayService, serverId, cliPath, buildDir) {
+    const oidcAccessToken = await fetchOidcTokenIfConfigured(xrayService, cliPath, buildDir);
+    return configureSpecificCliServer(xrayService, '--xray-url', serverId, cliPath, buildDir, oidcAccessToken);
 }
 
 /**
@@ -738,10 +743,10 @@ async function configureDefaultJfrogServer(serverId, cliPath, workDir) {
  * @param cliPath - Path to JFrog CLI executable.
  * @param workDir - Working directory.
  */
-function configureDefaultArtifactoryServer(usageType, cliPath, workDir) {
+async function configureDefaultArtifactoryServer(usageType, cliPath, workDir) {
     let artifactoryService = tl.getInput('artifactoryConnection', true);
     const serverId = assembleUniqueServerId(usageType);
-    configureArtifactoryCliServer(artifactoryService, serverId, cliPath, workDir);
+    await configureArtifactoryCliServer(artifactoryService, serverId, cliPath, workDir);
     useCliServer(serverId, cliPath, workDir);
     return serverId;
 }
@@ -752,10 +757,10 @@ function configureDefaultArtifactoryServer(usageType, cliPath, workDir) {
  * @param cliPath - Path to JFrog CLI executable.
  * @param workDir - Working directory.
  */
-function configureDefaultDistributionServer(usageType, cliPath, workDir) {
+async function configureDefaultDistributionServer(usageType, cliPath, workDir) {
     let distributionService = tl.getInput('distributionConnection', true);
     const serverId = assembleUniqueServerId(usageType);
-    configureDistributionCliServer(distributionService, serverId, cliPath, workDir);
+    await configureDistributionCliServer(distributionService, serverId, cliPath, workDir);
     useCliServer(serverId, cliPath, workDir);
     return serverId;
 }
@@ -766,10 +771,10 @@ function configureDefaultDistributionServer(usageType, cliPath, workDir) {
  * @param cliPath - Path to JFrog CLI executable.
  * @param workDir - Working directory.
  */
-function configureDefaultXrayServer(usageType, cliPath, workDir) {
+async function configureDefaultXrayServer(usageType, cliPath, workDir) {
     let xrayService = tl.getInput('xrayConnection', true);
     const serverId = assembleUniqueServerId(usageType);
-    configureXrayCliServer(xrayService, serverId, cliPath, workDir);
+    await configureXrayCliServer(xrayService, serverId, cliPath, workDir);
     useCliServer(serverId, cliPath, workDir);
     return serverId;
 }
@@ -1265,14 +1270,14 @@ function assembleUniqueServerId(usageType) {
  * @param repoDeploy - Repository to use for deploying. Pass a falsy value to skip.
  * @returns {string[]}
  */
-function createBuildToolConfigFile(cliPath, cmd, requiredWorkDir, configCommand, repoResolver, repoDeploy) {
+async function createBuildToolConfigFile(cliPath, cmd, requiredWorkDir, configCommand, repoResolver, repoDeploy) {
     let cliCommand = cliJoin(cliPath, configCommand);
     let serverIdResolve;
     let serverIdDeploy;
     if (repoResolver) {
         // Configure Artifactory resolver server.
         const usageType = cmd + tl.getInput('command', true) + '_resolver';
-        serverIdResolve = configureDefaultArtifactoryServer(usageType, cliPath, requiredWorkDir);
+        serverIdResolve = await configureDefaultArtifactoryServer(usageType, cliPath, requiredWorkDir);
 
         // Add serverId and repo to config command.
         cliCommand = cliJoin(cliCommand, '--server-id-resolve=' + quote(serverIdResolve));
@@ -1281,7 +1286,7 @@ function createBuildToolConfigFile(cliPath, cmd, requiredWorkDir, configCommand,
     if (repoDeploy) {
         // Configure Artifactory deployer server.
         const usageType = cmd + tl.getInput('command', true) + '_deployer';
-        serverIdDeploy = configureDefaultArtifactoryServer(usageType, cliPath, requiredWorkDir);
+        serverIdDeploy = await configureDefaultArtifactoryServer(usageType, cliPath, requiredWorkDir);
 
         // Add serverId and repo to config command.
         cliCommand = cliJoin(cliCommand, '--server-id-deploy=' + quote(serverIdDeploy));

tasks/JFrogAudit/audit.ts

@@ -4,12 +4,12 @@ import * as tl from 'azure-pipelines-task-lib/task';
 const cliAuditCommand: string = 'audit';
 let serverId: string;
 
-function RunTaskCbk(cliPath: string): void {
+async function RunTaskCbk(cliPath: string): Promise<void> {
     const inputWorkingDirectory: string = tl.getInput('workingDirectory', false) ?? '';
     const defaultWorkDir: string = tl.getVariable('System.DefaultWorkingDirectory') ?? process.cwd();
     const sourcePath: string = utils.determineCliWorkDir(defaultWorkDir, inputWorkingDirectory);
 
-    serverId = utils.configureDefaultXrayServer('xray_audit', cliPath, sourcePath);
+    serverId = await utils.configureDefaultXrayServer('xray_audit', cliPath, sourcePath);
 
     let auditCommand: string = utils.cliJoin(cliPath, cliAuditCommand);
     auditCommand = utils.addServerIdOption(auditCommand, serverId);

tasks/JFrogBuildPromotion/buildPromotion.js

@@ -4,13 +4,13 @@ const utils = require('@jfrog/tasks-utils/utils.js');
 const cliPromoteCommand = 'rt bpr';
 let serverId;
 
-function RunTaskCbk(cliPath) {
+async function RunTaskCbk(cliPath) {
     let workDir = tl.getVariable('System.DefaultWorkingDirectory');
     if (!workDir) {
         tl.setResult(tl.TaskResult.Failed, 'Failed getting default working directory.');
         return;
     }
-    serverId = utils.configureDefaultArtifactoryServer('build_promotion', cliPath, workDir);
+    serverId = await utils.configureDefaultArtifactoryServer('build_promotion', cliPath, workDir);
 
     // Get input parameters
     let buildName = tl.getInput('buildName', true);

tasks/JFrogBuildScan/buildScan.js

@@ -4,7 +4,7 @@ const utils = require('@jfrog/tasks-utils/utils.js');
 const cliXrayBuildScanCommand = 'bs';
 let serverId;
 
-function RunTaskCbk(cliPath) {
+async function RunTaskCbk(cliPath) {
     let workDir = tl.getVariable('System.DefaultWorkingDirectory');
     if (!workDir) {
         tl.setResult(tl.TaskResult.Failed, 'Failed getting default working directory.');
@@ -14,7 +14,7 @@ function RunTaskCbk(cliPath) {
     let buildName = tl.getInput('buildName', true);
     let buildNumber = tl.getInput('buildNumber', true);
 
-    serverId = utils.configureDefaultXrayServer('xray_build_scan', cliPath, workDir);
+    serverId = await utils.configureDefaultXrayServer('xray_build_scan', cliPath, workDir);
 
     let cliCommand = utils.cliJoin(cliPath, cliXrayBuildScanCommand, utils.quote(buildName), utils.quote(buildNumber));
     cliCommand = utils.addBoolParam(cliCommand, 'vuln', 'vuln');

tasks/JFrogCollectIssues/collectIssues.js

@@ -6,7 +6,7 @@ const fs = require('fs');
 const cliCollectIssuesCommand = 'rt bag';
 let serverId;
 
-function RunTaskCbk(cliPath) {
+async function RunTaskCbk(cliPath) {
     let defaultWorkDir = tl.getVariable('System.DefaultWorkingDirectory');
     if (!defaultWorkDir) {
         tl.setResult(tl.TaskResult.Failed, 'Failed getting default working directory.');
@@ -35,7 +35,7 @@ function RunTaskCbk(cliPath) {
         return;
     }
 
-    serverId = utils.configureDefaultArtifactoryServer('collect_issues', cliPath, requiredWorkDir);
+    serverId = await utils.configureDefaultArtifactoryServer('collect_issues', cliPath, requiredWorkDir);
 
     let cliCommand = utils.cliJoin(
         cliPath,

tasks/JFrogDiscardBuilds/discardBuilds.js

@@ -4,13 +4,13 @@ const utils = require('@jfrog/tasks-utils/utils.js');
 const cliDiscardCommand = 'rt bdi';
 let serverId;
 
-function RunTaskCbk(cliPath) {
+async function RunTaskCbk(cliPath) {
     let workDir = tl.getVariable('System.DefaultWorkingDirectory');
     if (!workDir) {
         tl.setResult(tl.TaskResult.Failed, 'Failed getting default working directory.');
         return;
     }
-    serverId = utils.configureDefaultArtifactoryServer('discard_build', cliPath, workDir);
+    serverId = await utils.configureDefaultArtifactoryServer('discard_build', cliPath, workDir);
 
     let buildName = tl.getInput('buildName', true);
 

tasks/JFrogDistribution/distribution.ts

@@ -9,38 +9,38 @@ const cliRbdCommand: string = 'ds rbd';
 const cliRbdelCommand: string = 'ds rbdel';
 let serverId: string;
 
-function RunTaskCbk(cliPath: string): void {
+async function RunTaskCbk(cliPath: string): Promise<void> {
     const workDir: string = getWorkDir();
     const rbCommand: string = tl.getInput('command', true) ?? '';
     switch (rbCommand) {
         case 'create':
-            performRbCreate(cliPath, workDir);
+            await performRbCreate(cliPath, workDir);
             break;
         case 'update':
-            performRbUpdate(cliPath, workDir);
+            await performRbUpdate(cliPath, workDir);
             break;
         case 'sign':
-            performRbSign(cliPath, workDir);
+            await performRbSign(cliPath, workDir);
             break;
         case 'distribute':
-            performRbDistribute(cliPath, workDir);
+            await performRbDistribute(cliPath, workDir);
             break;
         case 'delete':
-            performRbDelete(cliPath, workDir);
+            await performRbDelete(cliPath, workDir);
             break;
     }
 }
 
-function performRbCreate(cliPath: string, workDir: string): void {
-    performRbCreateUpdate(cliPath, workDir, cliRbcCommand);
+async function performRbCreate(cliPath: string, workDir: string): Promise<void> {
+    await performRbCreateUpdate(cliPath, workDir, cliRbcCommand);
 }
 
-function performRbUpdate(cliPath: string, workDir: string): void {
-    performRbCreateUpdate(cliPath, workDir, cliRbuCommand);
+async function performRbUpdate(cliPath: string, workDir: string): Promise<void> {
+    await performRbCreateUpdate(cliPath, workDir, cliRbuCommand);
 }
 
-function performRbCreateUpdate(cliPath: string, workDir: string, cliCommandName: string): void {
-    let cliCommand: string = getCliCmdBase(cliPath, cliCommandName, workDir);
+async function performRbCreateUpdate(cliPath: string, workDir: string, cliCommandName: string): Promise<void> {
+    let cliCommand: string = await getCliCmdBase(cliPath, cliCommandName, workDir);
 
     const specPath: string = join(workDir, 'rbSpec' + Date.now() + '.json');
     cliCommand = utils.handleSpecFile(cliCommand, specPath);
@@ -66,8 +66,8 @@ function performRbCreateUpdate(cliPath: string, workDir: string, cliCommandName:
     execCli(cliPath, workDir, cliCommand, true, true);
 }
 
-function performRbSign(cliPath: string, workDir: string): void {
-    let cliCommand: string = getCliCmdBase(cliPath, cliRbsCommand, workDir);
+async function performRbSign(cliPath: string, workDir: string): Promise<void> {
+    let cliCommand: string = await getCliCmdBase(cliPath, cliRbsCommand, workDir);
 
     cliCommand = utils.addStringParam(cliCommand, 'passphrase', 'passphrase', false);
 
@@ -78,8 +78,8 @@ function performRbSign(cliPath: string, workDir: string): void {
     execCli(cliPath, workDir, cliCommand, false, true);
 }
 
-function performRbDistribute(cliPath: string, workDir: string): void {
-    let cliCommand: string = getCliCmdBase(cliPath, cliRbdCommand, workDir);
+async function performRbDistribute(cliPath: string, workDir: string): Promise<void> {
+    let cliCommand: string = await getCliCmdBase(cliPath, cliRbdCommand, workDir);
     try {
         const filePath: string = getDistRulesFilePath(workDir);
         cliCommand = utils.cliJoin(cliCommand, '--dist-rules=' + utils.quote(filePath));
@@ -96,8 +96,8 @@ function performRbDistribute(cliPath: string, workDir: string): void {
     execCli(cliPath, workDir, cliCommand, true, true);
 }
 
-function performRbDelete(cliPath: string, workDir: string): void {
-    let cliCommand: string = getCliCmdBase(cliPath, cliRbdelCommand, workDir);
+async function performRbDelete(cliPath: string, workDir: string): Promise<void> {
+    let cliCommand: string = await getCliCmdBase(cliPath, cliRbdelCommand, workDir);
     try {
         const filePath: string = getDistRulesFilePath(workDir);
         cliCommand = utils.cliJoin(cliCommand, '--dist-rules=' + utils.quote(filePath));
@@ -157,11 +157,11 @@ function getWorkDir(): string {
  * @param cliCommandName - Command name to run, including prefix.
  * @param workDir - Working directory.
  */
-function getCliCmdBase(cliPath: string, cliCommandName: string, workDir: string): string {
+async function getCliCmdBase(cliPath: string, cliCommandName: string, workDir: string): Promise<string> {
     const rbName: string = tl.getInput('rbName', true) ?? '';
     const rbVersion: string = tl.getInput('rbVersion', true) ?? '';
     const cliCommand: string = utils.cliJoin(cliPath, cliCommandName, rbName, rbVersion);
-    serverId = utils.configureDefaultDistributionServer('distribution_' + cliCommandName.replace(' ', '_'), cliPath, workDir);
+    serverId = await utils.configureDefaultDistributionServer('distribution_' + cliCommandName.replace(' ', '_'), cliPath, workDir);
     return utils.addServerIdOption(cliCommand, serverId);
 }
 

tasks/JFrogDocker/docker.ts

@@ -4,7 +4,7 @@ import * as tl from 'azure-pipelines-task-lib/task';
 const cliDockerCommand: string = 'docker';
 let serverId: string;
 
-function RunTaskCbk(cliPath: string): void {
+async function RunTaskCbk(cliPath: string): Promise<void> {
     // Validate docker exists on agent
     if (!utils.isToolExists('docker')) {
         tl.setResult(tl.TaskResult.Failed, 'Agent is missing required tool: docker.');
@@ -22,12 +22,12 @@ function RunTaskCbk(cliPath: string): void {
     switch (command) {
         case 'Push':
         case 'Pull': {
-            serverId = utils.configureDefaultArtifactoryServer('docker_' + command, cliPath, defaultWorkDir);
+            serverId = await utils.configureDefaultArtifactoryServer('docker_' + command, cliPath, defaultWorkDir);
             cliCommand = utils.appendBuildFlagsToCliCommand(cliCommand);
             break;
         }
         case 'Scan': {
-            serverId = utils.configureDefaultXrayServer('xray_docker_scan', cliPath, defaultWorkDir);
+            serverId = await utils.configureDefaultXrayServer('xray_docker_scan', cliPath, defaultWorkDir);
             cliCommand = utils.addBoolParam(cliCommand, 'allowFailBuild', 'fail');
 
             if (tl.getBoolInput('allowBypassArchiveLimits', false)) {

tasks/JFrogDotnet/dotnetBuild.js

@@ -8,7 +8,7 @@ const cliUploadCommand = 'rt u';
 const dotnetConfigCommand = 'dotnetc';
 
 // The .NET Core CLI is included in all Azure-hosted agents
-function RunTaskCbk(cliPath) {
+async function RunTaskCbk(cliPath) {
     let dotnetCommand = tl.getInput('command', true);
     switch (dotnetCommand) {
         case 'restore':
@@ -60,7 +60,7 @@ function performDotnetNugetPush(cliPath) {
 
     let nupkgPath = utils.fixWindowsPaths(tl.getPathInput('pathToNupkg', true, false));
     let uploadCommand = utils.cliJoin(cliPath, cliUploadCommand, utils.quote(nupkgPath), utils.quote(targetPath));
-    let serverId = utils.configureDefaultArtifactoryServer('dotnet_nuget_push', cliPath, buildDir);
+    let serverId = await utils.configureDefaultArtifactoryServer('dotnet_nuget_push', cliPath, buildDir);
     uploadCommand = utils.addServerIdOption(uploadCommand, serverId);
     uploadCommand = utils.cliJoin(uploadCommand, '--flat=' + utils.quote('true'));
     executeCliCommand(uploadCommand, buildDir, cliPath, [serverId]);
@@ -83,7 +83,7 @@ function performDotnetConfig(cliPath, requiredWorkDir, repoResolve) {
     let cliCommand = utils.cliJoin(cliPath, dotnetConfigCommand);
 
     // Create serverId
-    const resolverServerId = utils.configureDefaultArtifactoryServer('dotnet_resolver', cliPath, requiredWorkDir);
+    const resolverServerId = await utils.configureDefaultArtifactoryServer('dotnet_resolver', cliPath, requiredWorkDir);
 
     // Add serverId and repo to config command
     cliCommand = utils.cliJoin(cliCommand, '--server-id-resolve=' + utils.quote(resolverServerId));

tasks/JFrogGo/goBuild.js

@@ -9,7 +9,7 @@ const resolutionRepoInputName = 'resolutionRepo';
 const deploymentRepoInputName = 'targetRepo';
 let configuredServerIdsArray;
 
-function RunTaskCbk(cliPath) {
+async function RunTaskCbk(cliPath) {
     let defaultWorkDir = tl.getVariable('System.DefaultWorkingDirectory');
     if (!defaultWorkDir) {
         tl.setResult(tl.TaskResult.Failed, 'Failed getting default working directory.');
@@ -72,7 +72,7 @@ function performGoCommand(goCommand, cliPath, requiredWorkDir) {
  * @param repoDeploy - Deployment repo input name, null if not needed.
  */
 function performGoConfig(cliPath, requiredWorkDir, repoResolve, repoDeploy) {
-    configuredServerIdsArray = utils.createBuildToolConfigFile(cliPath, 'go', requiredWorkDir, cliGoConfigCommand, repoResolve, repoDeploy);
+    configuredServerIdsArray = await utils.createBuildToolConfigFile(cliPath, 'go', requiredWorkDir, cliGoConfigCommand, repoResolve, repoDeploy);
 }
 
 function performGoPublishCommand(cliPath, requiredWorkDir) {