Unset xtrace while logging into acr via podman to prevent exposing the acr login secret

Reference: https://portal.microsofticm.com/imp/v5/incidents/details/752908291/summary

Author: s-fairchild

pkg/deploy/generator/scripts/util-common.sh

@@ -1,26 +1,72 @@
 #!/bin/bash
 # Internal Functions and Constants
 
+# declare -r empty_str=""
+#
 # empty_str - constant; used by functions for optional nameref string arguements
-# empty_str=""
 # shellcheck disable=SC2034
 declare -r empty_str=""
 
-# role_gateway - constant; Is used to determine which VMSS is being bootstrapped
+# declare -r role_gateway="gateway"
+#
 # this should be referenced by scripts sourcing this file
 # role_gateway="gateway"
 declare -r role_gateway="gateway"
-# role_rp - constant; Is used to determine which VMSS is being bootstrapped
+
+# declare -r role_rp="rp"
+#
 # this should be referenced by scripts sourcing this file
 # role_rp="rp"
 declare -r role_rp="rp"
+
+# declare -r role_devproxy="devproxy"
+#
 # role_devproxy - constant; Is used to determine which VMSS is being bootstrapped
-# role_devproxy="devproxy"
 declare -r role_devproxy="devproxy"
+
+# declare -r us_gov_cloud="AzureUSGovernment"
+#
 # us_gov_cloud - constant; Is the name of AZURECLOUDNAME for US government cloud
-# us_gov_cloud="AzureUSGovernment"
 declare -r us_gov_cloud="AzureUSGovernment"
 
+# declare -i XTRACE_IS_SET
+#
+# Global variable used to keep track of if xtrace was/is set.
+declare -i XTRACE_IS_SET
+
+# declare -i XTRACE_SET=1
+#
+# constant value used to set XTRACE_IS_SET
+declare -ir XTRACE_SET=1
+
+# declare -i XTRACE_UNSET=0
+#
+# constant value used to set XTRACE_IS_SET
+declare -ir XTRACE_UNSET=0
+
+# xtrace_set_capture()
+#
+# Captures if xtrace is set in the current shell using global variable XTRACE_IS_SET.
+#   * Used for reapplying xtrace setting after disabling.
+#   * Sets XTRACE_IS_SET=XTRACE_SET (if true) or XTRACE_IS_SET=XTRACE_UNSET (if false).
+xtrace_set_capture() {
+    [[ $- =~ "x" ]] && XTRACE_IS_SET=$XTRACE_SET || XTRACE_IS_SET=$XTRACE_UNSET
+}
+
+# xtrace_unset()
+#
+# Un-sets xtrace (if set)
+xtrace_unset() {
+    (( XTRACE_IS_SET == XTRACE_SET )) && set +x
+}
+
+# xtrace_set()
+#
+# Sets xtrace (if unset)
+xtrace_set() {
+    (( XTRACE_IS_SET == XTRACE_UNSET )) && set -x
+}
+
 # log is a wrapper for echo that includes the function name
 # Args
 # 1) msg - string

pkg/deploy/generator/scripts/util-system.sh

@@ -141,7 +141,7 @@ pull_container_images() {
     log "starting"
 
     # shellcheck disable=SC2034
-    local -ri retry_time=30
+    local -ir retry_time=30
     cmd=(
         az
         login
@@ -157,24 +157,39 @@ pull_container_images() {
     mkdir -p /root/.docker
     touch /etc/containers/nodocker
 
+    [ -n "${registry_conf}" ] && write_file REGISTRY_AUTH_FILE registry_conf "true"
+
     # This name is used in the case that az acr login searches for this in it's environment
+    # exported here as it's used by podman login and subsequent podman pull
     export REGISTRY_AUTH_FILE="/root/.docker/config.json"
 
-    if [ -n "${registry_conf}" ]; then
-        write_file REGISTRY_AUTH_FILE registry_conf true
-    fi
-
-    log "logging into prod acr"
-    cmd=(
-        az
-        acr
-        login
-        --name
-        # TODO replace this with variable expansion
-        # Reference: https://www.shellcheck.net/wiki/SC2001
-        "$(sed -e 's|.*/||' <<<"$ACRRESOURCEID")"
-    )
-
+   # shellcheck disable=SC2329
+   _() {
+        local -r acr="$1"
+        local -r registry="$2"
+
+        xtrace_set_capture
+        xtrace_unset
+
+        log "logging into container registry $2"
+        az acr login \
+            --name "$acr" \
+            --expose-token \
+            --output tsv \
+            --query accessToken \
+            | podman login \
+                --username "00000000-0000-0000-0000-000000000000" \
+                --password-stdin \
+                "$registry"
+        local -ir status=$?
+
+        xtrace_set
+        return "$status"
+   }
+
+    local -r acr_name="${ACRRESOURCEID##*/}"
+    local -r registry_name="${acr_name}.azurecr.io"
+    cmd=(_ "$acr_name" "$registry_name")
     retry cmd retry_time
 
     # shellcheck disable=SC2068