From 7a294346023525f5e003e1c677491234580a387d Mon Sep 17 00:00:00 2001
From: VS MobileTools Engineering Service 2
Date: Fri, 13 Sep 2024 09:19:17 -0700
Subject: [PATCH] [release/8.0.1xx-xcode15.4] Disable/reenable agents using dynamically obtained access token (#21224)

Replace `MacPoolAccessToken` with a dynamically obtained Azure DevOps access token. The `MacPoolAccessToken` is backed by the `botdeploy--azdo--token--register--untrusted` secret, which is limited to a 7-day lifespan. This change removes the dependency on that token

Backport of #21216

---------

Co-authored-by: Mike Bond
---
 .../devops/automation/templates/variables.yml | 2 --
 .../templates/windows/generate-token.yml | 25 +++++++++++++++++++
 .../templates/windows/reenable-mac.yml | 10 +++++++-
 .../templates/windows/reserve-mac.yml | 9 ++++++-
 4 files changed, 42 insertions(+), 4 deletions(-)
 create mode 100644 tools/devops/automation/templates/windows/generate-token.yml

diff --git a/tools/devops/automation/templates/variables.yml b/tools/devops/automation/templates/variables.yml
index 38e6ddc50d75..cabd95d39e32 100644
--- a/tools/devops/automation/templates/variables.yml
+++ b/tools/devops/automation/templates/variables.yml
@@ -36,5 +36,3 @@ variables:
 value: true
 - name: BUILD_REVISION
 value: azure-devops-$(Build.SourceVersion)
-- name: MacPoolAccessToken
- value: $(botdeploy--azdo--token--register--untrusted)
diff --git a/tools/devops/automation/templates/windows/generate-token.yml b/tools/devops/automation/templates/windows/generate-token.yml
new file mode 100644
index 000000000000..97001b181403
--- /dev/null
+++ b/tools/devops/automation/templates/windows/generate-token.yml
@@ -0,0 +1,25 @@
+# Sets the AzDO.BearerToken variable that can be used as the auth token to disable/reenable agents
+steps:
+- template: azure-tools/az-client-update.yml@yaml-templates # AzureCLI step below requires that AzClient 2.x is installed on the agent
+ parameters:
+ platform: 'All' # Update Az tools for both Windows and Mac agents
+ version: '2.62.0'
+
+# https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-security-configuration/configuration-guides/pat-burndown-guidance#authentication-from-pipelines
+# Requires Azure client 2.x
+- task: AzureCLI@2
+ displayName: 'AzDO.BearerToken based on service connection'
+ enabled: true
+ inputs:
+ azureSubscription: 'DevDiv - SharedUntrustedAgentPool-Manage'
+ scriptType: 'pscore'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ # if this fails, check out this bash script that includes diagnostics:
+ # https://gist.github.com/johnterickson/19f80a3e969e39f1000d118739176e62
+
+ # Note that the resource is specified to limit the token to Azure DevOps
+ $token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv
+
+ Write-Host "Setting AzDO.BearerToken"
+ Write-Host "##vso[task.setvariable variable=AzDO.BearerToken;issecret=true]${token}"
diff --git a/tools/devops/automation/templates/windows/reenable-mac.yml b/tools/devops/automation/templates/windows/reenable-mac.yml
index b06f211a807a..269802117011 100644
--- a/tools/devops/automation/templates/windows/reenable-mac.yml
+++ b/tools/devops/automation/templates/windows/reenable-mac.yml
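Review bot: The line `$token = az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv` has no failure check, so when the CLI call fails (service connection problem, az missing or too old, wrong resource) `$token` is empty and the two `Write-Host` lines below still publish an empty `AzDO.BearerToken` secret, pushing the failure into reenable-mac.yml and reserve-mac.yml where it surfaces as an opaque New-VSTS error. Fail in this step instead, directly after the assignment: `if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($token)) { throw "az account get-access-token did not return an Azure DevOps access token" }`. The comment above the call would also be clearer if it named the GUID it refers to, e.g. `# 499b84ac-1321-427f-aa17-267ca6975798 is the Azure DevOps resource id; scoping the token to it keeps it unusable against other Azure APIs`. `enabled: true` on the AzureCLI@2 task is the default and can be dropped.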
@@ -47,9 +47,17 @@ steps:
 condition: always()
 continueOnError: true
+# Sets the AzDO.BearerToken variable used as the auth token to disable/reenable agents
+- template: ./generate-token.yml
+
 - pwsh: |
 Import-Module $Env:SYSTEM_DEFAULTWORKINGDIRECTORY\xamarin-macios\tools\devops\automation\scripts\MaciosCI.psd1
- $vsts = New-VSTS -Org "devdiv" -Project "DevDiv" -Token $(MacPoolAccessToken)
+
+ $azdoBearerToken = "$(AzDO.BearerToken)"
+ $azdoBearerTokenHint = $azdoBearerToken.Substring(0, 8)
+ Write-Host "AzDO.BearerToken (hint): ${azdoBearerTokenHint}"
+
+ $vsts = New-VSTS -Org "devdiv" -Project "DevDiv" -Token $azdoBearerToken
 # get the pool and the agent objects and enable the bot
 $pool = $vsts.Pools.GetPool("$Env:MAC_AGENT_POOL")
diff --git a/tools/devops/automation/templates/windows/reserve-mac.yml b/tools/devops/automation/templates/windows/reserve-mac.yml
index a1fef1d8ec47..afbd6e7dc216 100644
--- a/tools/devops/automation/templates/windows/reserve-mac.yml
+++ b/tools/devops/automation/templates/windows/reserve-mac.yml
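Review bot: The added lines `$azdoBearerTokenHint = $azdoBearerToken.Substring(0, 8)` and `Write-Host "AzDO.BearerToken (hint): ${azdoBearerTokenHint}"` write part of a secret into the build log: `AzDO.BearerToken` is registered with `issecret=true` in generate-token.yml, but as far as I know pipeline masking only matches the full value, so the eight-character prefix is printed in clear; the same two lines are added to reserve-mac.yml. For an Entra-issued access token that prefix is presumably the fixed JWT header, so it carries little diagnostic value, and `Substring(0, 8)` throws when the token is shorter than eight characters, which is exactly what an empty value published by a failed generate-token.yml produces. Replace the hint with a presence check that also catches an unexpanded macro: `if ([string]::IsNullOrWhiteSpace($azdoBearerToken) -or $azdoBearerToken.StartsWith('$(')) { throw "AzDO.BearerToken was not set; did generate-token.yml run before this step?" }`, and keep any log line to a fixed string such as `Write-Host "AzDO.BearerToken obtained"`. The pwsh step continues past the end of the hunk.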
@@ -64,13 +64,20 @@ steps:
 AUTH_TOKEN_VSENG_XAMARIN_MAC_DEVICES_P12: ${{ parameters.xqaCertPass }}
 AUTH_TOKEN_VSENG_XAMARIN_MAC_DEVICES_2_P12: ${{ parameters.xqaCertPass }}
+# Sets the AzDO.BearerToken variable used as the auth token to disable/reenable agents
+- template: ./generate-token.yml
+
 - pwsh: |
 Import-Module $Env:SYSTEM_DEFAULTWORKINGDIRECTORY\xamarin-macios\tools\devops\automation\scripts\MaciosCI.psd1
 New-Item -Path "$($Env:HOME)" -Name "remote_build_testing" -Force -ItemType "directory"
 New-Item -Path "$($Env:HOME)/remote_build_testing" -Name "BuildId.txt" -ItemType "file" -Force -Value "$($Env:BUILD_BUILDID)"
- $vsts = New-VSTS -Org "devdiv" -Project "DevDiv" -Token $(MacPoolAccessToken)
+ $azdoBearerToken = "$(AzDO.BearerToken)"
+ $azdoBearerTokenHint = $azdoBearerToken.Substring(0, 8)
+ Write-Host "AzDO.BearerToken (hint): ${azdoBearerTokenHint}"
+
+ $vsts = New-VSTS -Org "devdiv" -Project "DevDiv" -Token $azdoBearerToken
 # get the pool and the agent objects and disable the bot
 $pool = $vsts.Pools.GetPool("${{ parameters.macPool }}")