Move some classes out of MessageController (#569)

ChristopherHX · web-flow · commit 52f9c76da5fe · 2025-03-02T17:12:34.000Z
* secretprovider
* template context creation
diff --git a/src/Runner.Server/Controllers/MessageController.cs b/src/Runner.Server/Controllers/MessageController.cs
diff --git a/src/Runner.Server/Services/AzurePipelinesVariablesProvider.cs b/src/Runner.Server/Services/AzurePipelinesVariablesProvider.cs
@@ -0,0 +1,24 @@
+using System.Collections.Generic;
+
+namespace Runner.Server.Services
+{
+
+    public class AzurePipelinesVariablesProvider : IVariablesProvider
+    {
+        private readonly ISecretsProvider parent;
+        private readonly IDictionary<string, string> rootVars;
+
+        public AzurePipelinesVariablesProvider(ISecretsProvider parent, IDictionary<string, string> rootVars){
+            this.parent = parent;
+            this.rootVars = rootVars;
+        }
+    
+        public IDictionary<string, string> GetVariablesForEnvironment(string name = null)
+        {
+            if(string.IsNullOrEmpty(name)) {
+                return rootVars;
+            }
+            return parent.GetVariablesForEnvironment(name);
+        }
+    }
+}
diff --git a/src/Runner.Server/Services/DefaultSecretsProvider.cs b/src/Runner.Server/Services/DefaultSecretsProvider.cs
@@ -0,0 +1,44 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.Extensions.Configuration;
+
+namespace Runner.Server.Services
+{
+    public class DefaultSecretsProvider : ISecretsProvider
+    {
+        private Dictionary<string, Dictionary<string, string>> SecretsEnvironments { get; set; }
+        private Dictionary<string, Dictionary<string, string>> VarEnvironments { get; set; }
+        public DefaultSecretsProvider(IConfiguration configuration) {
+            var secenvs = (configuration.GetSection("Runner.Server:Environments").Get<Dictionary<string, Dictionary<string, string>>>() ?? new Dictionary<string, Dictionary<string, string>>(StringComparer.OrdinalIgnoreCase)).ToArray();
+            SecretsEnvironments = new Dictionary<string, Dictionary<string, string>>(StringComparer.OrdinalIgnoreCase);
+            foreach(var secenv in secenvs) {
+                SecretsEnvironments[secenv.Key] = new Dictionary<string, string>(secenv.Value, StringComparer.OrdinalIgnoreCase);
+            }
+            var globalSecrets = configuration.GetSection("Runner.Server:Secrets")?.Get<List<Secret>>() ?? new List<Secret>();                
+            if(!SecretsEnvironments.ContainsKey("")) {
+                SecretsEnvironments[""] = globalSecrets.ToDictionary(sec => sec.Name, sec => sec.Value, StringComparer.OrdinalIgnoreCase);
+            }
+            var varenvs = (configuration.GetSection("Runner.Server:VarEnvironments").Get<Dictionary<string, Dictionary<string, string>>>() ?? new Dictionary<string, Dictionary<string, string>>(StringComparer.OrdinalIgnoreCase)).ToArray();
+            VarEnvironments = new Dictionary<string, Dictionary<string, string>>(StringComparer.OrdinalIgnoreCase);
+            foreach(var varenv in varenvs) {
+                VarEnvironments[varenv.Key] = new Dictionary<string, string>(varenv.Value, StringComparer.OrdinalIgnoreCase);
+            }
+
+        }
+        public IDictionary<string, string> GetSecretsForEnvironment(GitHub.DistributedTask.ObjectTemplating.ITraceWriter traceWriter, string name = null)
+        {
+            return (SecretsEnvironments.TryGetValue("", out var def) ? def : null).Merge(name != null && SecretsEnvironments.TryGetValue(name, out var val) ? val : null);
+        }
+
+        public IDictionary<string, string> GetReservedSecrets()
+        {
+            return SecretHelper.WithReservedSecrets(null, SecretsEnvironments.TryGetValue("", out var def) ? def : null);
+        }
+
+        public IDictionary<string, string> GetVariablesForEnvironment(string name = null)
+        {
+            return (VarEnvironments.TryGetValue("", out var def) ? def : null).Merge(name != null && VarEnvironments.TryGetValue(name, out var val) ? val : null);
+        }
+    }
+}
diff --git a/src/Runner.Server/Services/ISecretsProvider.cs b/src/Runner.Server/Services/ISecretsProvider.cs
@@ -0,0 +1,10 @@
+using System.Collections.Generic;
+
+namespace Runner.Server.Services
+{
+    public interface ISecretsProvider {
+        IDictionary<string, string> GetSecretsForEnvironment(GitHub.DistributedTask.ObjectTemplating.ITraceWriter traceWriter, string name = null);
+        IDictionary<string, string> GetVariablesForEnvironment(string name = null);
+        IDictionary<string, string> GetReservedSecrets();
+    }
+}
diff --git a/src/Runner.Server/Services/ReusableWorkflowSecretsProvider.cs b/src/Runner.Server/Services/ReusableWorkflowSecretsProvider.cs
@@ -0,0 +1,102 @@
+using System;
+using System.Collections.Generic;
+using System.Text.RegularExpressions;
+using GitHub.DistributedTask.Logging;
+using GitHub.DistributedTask.ObjectTemplating.Tokens;
+using GitHub.DistributedTask.Pipelines.ContextData;
+
+namespace Runner.Server.Services
+{
+    public class ReusableWorkflowSecretsProvider : ISecretsProvider
+    {
+        private ISecretsProvider parent;
+        private TemplateToken secretsMapping;
+        private DictionaryContextData contextData;
+        private string jobName;
+        private WorkflowContext workflowContext;
+        private List<TemplateToken> environment;
+
+        public ReusableWorkflowSecretsProvider(string jobName, ISecretsProvider parent, TemplateToken secretsMapping, DictionaryContextData contextData, WorkflowContext workflowContext, List<TemplateToken> environment){
+            this.parent = parent;
+            this.secretsMapping = secretsMapping;
+            this.contextData = contextData;
+            this.jobName = jobName;
+            this.workflowContext = workflowContext;
+            this.environment = environment;
+        }
+        public IDictionary<string, string> GetSecretsForEnvironment(GitHub.DistributedTask.ObjectTemplating.ITraceWriter traceWriter, string name = null)
+        {
+            var parentSecrets = parent.GetSecretsForEnvironment(traceWriter, name);
+            traceWriter.Info("{0}", $"Evaluating Secrets of {jobName} for environment '{name?.Replace("'","''")}'");
+            SecretMasker masker = new SecretMasker();
+            var linesplitter = new Regex("\r?\n");
+            foreach(var variable in parentSecrets) {
+                if(!string.IsNullOrEmpty(variable.Value)) {
+                    masker.AddValue(variable.Value);
+                    if(variable.Value.Contains('\r') || variable.Value.Contains('\n')) {
+                        foreach(var line in linesplitter.Split(variable.Value)) {
+                            masker.AddValue(line);
+                        }
+                    }
+                }
+            }
+            masker.AddValueEncoder(ValueEncoders.Base64StringEscape);
+            masker.AddValueEncoder(ValueEncoders.Base64StringEscapeShift1);
+            masker.AddValueEncoder(ValueEncoders.Base64StringEscapeShift2);
+            masker.AddValueEncoder(ValueEncoders.CommandLineArgumentEscape);
+            masker.AddValueEncoder(ValueEncoders.ExpressionStringEscape);
+            masker.AddValueEncoder(ValueEncoders.JsonStringEscape);
+            masker.AddValueEncoder(ValueEncoders.UriDataEscape);
+            masker.AddValueEncoder(ValueEncoders.XmlDataEscape);
+            masker.AddValueEncoder(ValueEncoders.TrimDoubleQuotes);
+            masker.AddValueEncoder(ValueEncoders.PowerShellPreAmpersandEscape);
+            masker.AddValueEncoder(ValueEncoders.PowerShellPostAmpersandEscape);
+            var secureTraceWriter = new TraceWriter2(line => {
+                traceWriter.Info("{0}", masker.MaskSecrets(line));
+            });
+            var result = new DictionaryContextData();
+            foreach (var variable in parentSecrets) {
+                result[variable.Key] = new StringContextData(variable.Value);
+            }
+            var jobEnvCtx = new DictionaryContextData();
+            foreach(var envBlock in environment) {
+                var envTemplateContext = SecretHelper.CreateTemplateContext(secureTraceWriter, workflowContext, contextData);
+                envTemplateContext.ExpressionValues["env"] = jobEnvCtx;
+                envTemplateContext.ExpressionValues["secrets"] = result;
+                var cEnv = GitHub.DistributedTask.ObjectTemplating.TemplateEvaluator.Evaluate(envTemplateContext, "job-env", envBlock, 0, null, true);
+                // Best effort, don't check for errors
+                // templateContext.Errors.Check();
+                // Best effort, make global env available this is not available on github actions
+                if(cEnv is MappingToken genvToken) {
+                    foreach(var kv in genvToken) {
+                        if(kv.Key is StringToken key && kv.Value is StringToken val) {
+                            jobEnvCtx[key.Value] = new StringContextData(val.Value);
+                        }
+                    }
+                }
+            }
+            var templateContext = SecretHelper.CreateTemplateContext(secureTraceWriter, workflowContext, contextData);
+            templateContext.ExpressionValues["env"] = jobEnvCtx;
+            templateContext.ExpressionValues["secrets"] = result;
+            var evalSec = secretsMapping != null ? GitHub.DistributedTask.ObjectTemplating.TemplateEvaluator.Evaluate(templateContext, templateContext.Schema.Definitions.ContainsKey("job-secrets") ? "job-secrets" : "workflow-job-secrets-mapping", secretsMapping, 0, null, true)?.AssertMapping($"jobs.{name}.secrets") : null;
+            templateContext.Errors.Check();
+            IDictionary<string, string> ret = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+            if(evalSec != null) {
+                foreach(var entry in evalSec) {
+                    ret[entry.Key.AssertString($"jobs.{jobName}.secrets mapping key").Value] = entry.Value.AssertString($"jobs.{jobName}.secrets mapping value").Value;
+                }
+            }
+            return SecretHelper.WithReservedSecrets(ret, parentSecrets);
+        }
+
+        public IDictionary<string, string> GetReservedSecrets()
+        {
+            return parent.GetReservedSecrets();
+        }
+
+        public IDictionary<string, string> GetVariablesForEnvironment(string name = null)
+        {
+            return parent.GetVariablesForEnvironment(name);
+        }
+    }
+}
diff --git a/src/Runner.Server/Services/ScheduleSecretsProvider.cs b/src/Runner.Server/Services/ScheduleSecretsProvider.cs
@@ -0,0 +1,24 @@
+using System.Collections.Generic;
+
+namespace Runner.Server.Services
+{
+    public class ScheduleSecretsProvider : ISecretsProvider
+    {
+        public IDictionary<string, IDictionary<string, string>> SecretsEnvironments { get; set; }
+        public IDictionary<string, IDictionary<string, string>> VarEnvironments { get; set; }
+        public IDictionary<string, string> GetSecretsForEnvironment(GitHub.DistributedTask.ObjectTemplating.ITraceWriter traceWriter, string name = null)
+        {
+            return (SecretsEnvironments.TryGetValue("", out var def) ? def : null).Merge(name != null && SecretsEnvironments.TryGetValue(name, out var val) ? val : null);
+        }
+
+        public IDictionary<string, string> GetReservedSecrets()
+        {
+            return SecretHelper.WithReservedSecrets(null, SecretsEnvironments.TryGetValue("", out var def) ? def : null);
+        }
+
+        public IDictionary<string, string> GetVariablesForEnvironment(string name = null)
+        {
+            return (VarEnvironments.TryGetValue("", out var def) ? def : null).Merge(name != null && VarEnvironments.TryGetValue(name, out var val) ? val : null);
+        }
+    }
+}
diff --git a/src/Runner.Server/Services/Secret.cs b/src/Runner.Server/Services/Secret.cs
@@ -0,0 +1,8 @@
+namespace Runner.Server.Services
+{
+    public class Secret
+    {
+        public string Name {get;set;}
+        public string Value {get;set;}
+    }
+}
diff --git a/src/Runner.Server/Services/SecretHelper.cs b/src/Runner.Server/Services/SecretHelper.cs
@@ -0,0 +1,92 @@
+using System;
+using System.Collections.Generic;
+using System.Text.RegularExpressions;
+using GitHub.DistributedTask.Expressions2;
+using GitHub.DistributedTask.ObjectTemplating;
+using GitHub.DistributedTask.ObjectTemplating.Schema;
+using GitHub.DistributedTask.Pipelines.ContextData;
+using GitHub.DistributedTask.Pipelines.ObjectTemplating;
+using Sdk.Pipelines;
+
+namespace Runner.Server.Services
+{
+    public class SecretHelper
+    {
+        public static bool IsReservedVariable(string v) {
+            var pattern = new Regex("^[a-zA-Z_][a-zA-Z_0-9]*$");
+            return !pattern.IsMatch(v) || v.StartsWith("GITHUB_", StringComparison.OrdinalIgnoreCase);
+        }
+
+        public static bool IsActionsDebugVariable(string v) {
+            return string.Equals(v, "ACTIONS_STEP_DEBUG", StringComparison.OrdinalIgnoreCase) || string.Equals(v, "ACTIONS_RUNNER_DEBUG", StringComparison.OrdinalIgnoreCase);
+        }
+
+        public static IDictionary<string, string> WithReservedSecrets(IDictionary<string, string> dict, IDictionary<string, string> reservedsecrets) {
+            var ret = dict == null ? new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) : new Dictionary<string, string>(dict, StringComparer.OrdinalIgnoreCase);
+            if(reservedsecrets != null) {
+                foreach(var kv in reservedsecrets) {
+                    if(IsReservedVariable(kv.Key) || /* Allow overriding them while calling reusable workflows */ !ret.ContainsKey(kv.Key) && IsActionsDebugVariable(kv.Key)) {
+                        ret[kv.Key] = kv.Value;
+                    }
+                }
+            }
+            return ret;
+        }
+
+        public static TemplateContext CreateTemplateContext(GitHub.DistributedTask.ObjectTemplating.ITraceWriter traceWriter, WorkflowContext context, DictionaryContextData contextData = null, ExecutionContext exctx = null) {
+            ExpressionFlags flags = ExpressionFlags.None;
+            if(context.HasFeature("system.runner.server.extendedFunctions")) {
+                flags |= ExpressionFlags.ExtendedFunctions;
+            }
+            if(context.HasFeature("system.runner.server.extendedDirectives")) {
+                flags |= ExpressionFlags.ExtendedDirectives;
+            }
+            if(context.HasFeature("system.runner.server.allowAnyForInsert")) {
+                flags |= ExpressionFlags.AllowAnyForInsert;
+            }
+            if(context.HasFeature("system.runner.server.FixInvalidActionsIfExpression")) {
+                flags |= ExpressionFlags.FixInvalidActionsIfExpression;
+            }
+            if(context.HasFeature("system.runner.server.FailInvalidActionsIfExpression")) {
+                flags |= ExpressionFlags.FailInvalidActionsIfExpression;
+            }
+            // For Gitea Actions
+            var absoluteActions = context.HasFeature("system.runner.server.absolute_actions");
+            var templateContext = new TemplateContext() {
+                Flags = flags,
+                CancellationToken = System.Threading.CancellationToken.None,
+                Errors = new TemplateValidationErrors(10, 500),
+                Memory = new TemplateMemory(
+                    maxDepth: 100,
+                    maxEvents: 1000000,
+                    maxBytes: 10 * 1024 * 1024),
+                TraceWriter = traceWriter,
+                Schema = PipelineTemplateSchemaFactory.GetSchema(),
+                AbsoluteActions = absoluteActions,
+            };
+            if(context.FeatureToggles.TryGetValue("system.runner.server.workflow_schema", out var workflow_schema)) {
+                var objectReader = new JsonObjectReader(null, workflow_schema);
+                templateContext.Schema = TemplateSchema.Load(objectReader);
+            }
+            if(exctx != null) {
+                templateContext.State[nameof(ExecutionContext)] = exctx;
+                templateContext.ExpressionFunctions.Add(new FunctionInfo<AlwaysFunction>(PipelineTemplateConstants.Always, 0, 0));
+                templateContext.ExpressionFunctions.Add(new FunctionInfo<CancelledFunction>(PipelineTemplateConstants.Cancelled, 0, 0));
+                templateContext.ExpressionFunctions.Add(new FunctionInfo<FailureFunction>(PipelineTemplateConstants.Failure, 0, Int32.MaxValue));
+                templateContext.ExpressionFunctions.Add(new FunctionInfo<SuccessFunction>(PipelineTemplateConstants.Success, 0, Int32.MaxValue));
+            }
+            if(contextData != null) {
+                foreach (var pair in contextData) {
+                    templateContext.ExpressionValues[pair.Key] = pair.Value;
+                }
+            }
+            if(context.FileTable != null) {
+                foreach(var fileName in context.FileTable) {
+                    templateContext.GetFileId(fileName);
+                }
+            }
+            return templateContext;
+        }
+
+    }
+}
diff --git a/src/Runner.Server/Services/TraceWriter2.cs b/src/Runner.Server/Services/TraceWriter2.cs
@@ -0,0 +1,79 @@
+using System;
+using System.Text.RegularExpressions;
+
+namespace Runner.Server.Services
+{
+    public class TraceWriter2 : GitHub.DistributedTask.ObjectTemplating.ITraceWriter, GitHub.DistributedTask.Expressions2.ITraceWriter
+    {
+        private Action<string> callback;
+        private Regex regex;
+        private int verbosity;
+        public TraceWriter2(Action<string> callback, int verbosity = 0) {
+            this.callback = callback;
+            regex = new Regex("\r?\n");
+            this.verbosity = verbosity;
+        }
+
+        public void Callback(string lines) {
+            foreach(var line in regex.Split(lines)) {
+                callback(line);
+            }
+        }
+
+        public void Error(string format, params object[] args)
+        {
+            if(args?.Length == 1 && args[0] is Exception ex) {
+                Callback(string.Format("{0} {1}", format, ex.Message));
+                return;
+            }
+            try {
+                Callback(args?.Length > 0 ? string.Format(format, args) : format);
+            } catch {
+                Callback(format);
+            }
+        }
+
+        public void Info(string format, params object[] args)
+        {
+            if(verbosity <= 2) {
+                try {
+                    Callback(args?.Length > 0 ? string.Format(format, args) : format);
+                } catch {
+                    Callback(format);
+                }
+            }
+        }
+
+        public void Info(string message)
+        {
+            if(verbosity <= 2) {
+                Callback(message);
+            }
+        }
+        public void Verbose(string format, params object[] args)
+        {
+            if(verbosity <= 1) {
+                try {
+                    Callback(args?.Length > 0 ? string.Format(format, args) : format);
+                } catch {
+                    Callback(format);
+                }
+            }
+        }
+
+        public void Verbose(string message)
+        {
+            if(verbosity <= 1) {
+                Callback(message);
+            }
+        }
+
+        public void Trace(string message)
+        {
+            if(verbosity <= 0) {
+                Callback(message);
+            }
+        }
+    }
+
+}
diff --git a/src/Runner.Server/Services/WorkflowContext.cs b/src/Runner.Server/Services/WorkflowContext.cs
diff --git a/src/Runner.Server/Services/WorkflowState.cs b/src/Runner.Server/Services/WorkflowState.cs
diff --git a/src/Sdk/Pipelines/ExecutionContext.cs b/src/Sdk/Pipelines/ExecutionContext.cs
