[Az.RecoveryServices.Backup] Handling breaking change for SecureToken in Get-AzAccessToken command (#27406)

Author: hiaga

src/RecoveryServices/RecoveryServices.Backup.Helpers/HelperUtils.cs

@@ -21,7 +21,7 @@
 using ResourceManagerModel = Microsoft.Azure.Management.Internal.Resources.Models;
 using ServiceClientModel = Microsoft.Azure.Management.RecoveryServices.Backup.Models;
 using CrrModel = Microsoft.Azure.Management.RecoveryServices.Backup.CrossRegionRestore.Models;
-using Newtonsoft.Json;
+using Microsoft.WindowsAzure.Commands.Common;
 
 namespace Microsoft.Azure.Commands.RecoveryServices.Backup.Helpers
 {
@@ -413,5 +413,42 @@ public static List<T> GetPagedRMList<T>(
 
             return resources;
         }
+
+        #region Common Helper Functions
+        /// <summary>
+        /// Helper function to return one of Token or SecureToken after decryption
+        /// </summary>
+        /// <param name="token"></param>
+        /// <param name="secureToken"></param>
+        /// <returns></returns>
+        /// <exception cref="ArgumentException"></exception>
+        public static string GetPlainToken(string token, System.Security.SecureString secureToken)
+        {
+            bool hasToken = !string.IsNullOrEmpty(token);
+            bool hasSecureToken = secureToken != null && secureToken.Length > 0;
+
+            if (hasToken || hasSecureToken)
+            {
+                if (hasToken && hasSecureToken)
+                {
+                    throw new ArgumentException(Resources.BothTokenProvided);
+                }
+                else if (hasToken)
+                {
+                    Logger.Instance.WriteWarning(Resources.TokenParameterDepricate);
+                    return token;
+                }
+                else
+                {
+                    var plainToken = secureToken.ConvertToString();
+                    Logger.Instance.WriteDebug("Converted secure token");
+                    return plainToken;
+                }
+            }
+            Logger.Instance.WriteDebug("plainToken returning empty");
+            return "";
+        }
+
+        #endregion
     }
 }

src/RecoveryServices/RecoveryServices.Backup.Models/Properties/Resources.Designer.cs

@@ -886,4 +886,10 @@ Please contact Microsoft for further assistance.</value>
   <data name="InvalidSoftDeleteFeatureStateException" xml:space="preserve">
     <value>Setting SoftDeleteFeatureState to 'AlwaysON' will automatically set HybridBackupSecurityFeature to AlwaysON. Please remove the DisableHybridBackupSecurityFeature parameter or use a different value for the SoftDeleteFeatureState parameter.</value>
   </data>
+  <data name="BothTokenProvided" xml:space="preserve">
+    <value>Both Token and SecureToken parameters cannot be provided together</value>
+  </data>
+  <data name="TokenParameterDepricate" xml:space="preserve">
+    <value>The Token parameter is deprecated and will be removed in future versions. Please use SecureToken instead</value>
+  </data>
 </root>

src/RecoveryServices/RecoveryServices.Backup.Models/Properties/Resources.resx

@@ -339,7 +339,7 @@ function Test-AzureVMMUA
 	$vmName = "VM;iaasvmcontainerv2;hiagarg;hiaganewvm2"
 	$vmFriendlyName = "hiaganewvm2"
 	# $resGuardId = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourceGroups/iaasvm-pstest-rg/providers/Microsoft.DataProtection/resourceGuards/mua-pstest-rguard"
-	$resGuardId = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourceGroups/hiagarg/providers/Microsoft.DataProtection/ResourceGuards/test1-rGuard"
+	$resGuardId = "/subscriptions/38304e13-357e-405e-9e9a-220351dcce8c/resourceGroups/hiagarg/providers/Microsoft.DataProtection/ResourceGuards/test1-rGuard" # HiagaPSTest1
 	$lowerRetentionPolicy = "mua-vm-lowerDailyRet"
 
 	try

src/RecoveryServices/RecoveryServices.Backup.Test/ScenarioTests/IaasVm/ItemTests.ps1

@@ -59,15 +59,22 @@ public SwitchParameter RemoveRecoveryPoints
         /// If this option is used, all the data backed up for this item will 
         /// expire as per the protection policy retention settings
         /// </summary>
-        [Parameter(Mandatory = false,  HelpMessage = ParamHelpMsgs.Item.SuspendBackupOption)]        
+        [Parameter(Mandatory = false, HelpMessage = ParamHelpMsgs.Item.SuspendBackupOption)]
         public SwitchParameter RetainRecoveryPointsAsPerPolicy { get; set; }
 
+        /// <summary>
+        /// Parameter deprecated. Please use SecureToken instead.
+        /// </summary>
+        [Parameter(Mandatory = false, HelpMessage = ParamHelpMsgs.ResourceGuard.TokenDepricated, ValueFromPipeline = false)]
+        [ValidateNotNullOrEmpty]
+        public string Token;
+
         /// <summary>
         /// Auxiliary access token for authenticating critical operation to resource guard subscription
         /// </summary>
         [Parameter(Mandatory = false, HelpMessage = ParamHelpMsgs.ResourceGuard.AuxiliaryAccessToken, ValueFromPipeline = false)]
         [ValidateNotNullOrEmpty]
-        public string Token;
+        public System.Security.SecureString SecureToken;
 
         /// <summary>
         /// Prevents the confirmation dialog when specified.
@@ -93,12 +100,13 @@ public override void ExecuteCmdlet()
                         string vaultName = resourceIdentifier.ResourceName;
                         string resourceGroupName = resourceIdentifier.ResourceGroupName;
 
-                        if (Token != "" && Token != null && !this.DeleteBackupData && RetainRecoveryPointsAsPerPolicy.IsPresent)
+                        string plainToken = HelperUtils.GetPlainToken(Token, SecureToken);
+                        if (plainToken != "" && plainToken != null && !this.DeleteBackupData && RetainRecoveryPointsAsPerPolicy.IsPresent)
                         {
                             throw new ArgumentException(String.Format(Resources.DisableWithRetainBackupNotCrititcal));
                         }
 
-                        if(DeleteBackupData && RetainRecoveryPointsAsPerPolicy.IsPresent)
+                        if (DeleteBackupData && RetainRecoveryPointsAsPerPolicy.IsPresent)
                         {
                             throw new AzPSArgumentException(String.Format(Resources.CantRemoveAndRetainRPsSimultaneously), "RetainRecoveryPointsAsPerPolicy");
                         }
@@ -110,14 +118,14 @@ public override void ExecuteCmdlet()
                                 { VaultParams.ResourceGroupName, resourceGroupName },
                                 { ItemParams.Item, Item },
                                 { ItemParams.DeleteBackupData, this.DeleteBackupData },
-                                { ResourceGuardParams.Token, Token },
+                                { ResourceGuardParams.Token, plainToken },
                             }, ServiceClientAdapter);
 
                         IPsBackupProvider psBackupProvider =
                             providerManager.GetProviderInstance(Item.WorkloadType,
                             Item.BackupManagementType);
-                         
-                        if(DeleteBackupData)
+
+                        if (DeleteBackupData)
                         {
                             #region Archived RPs 
                             // Fetch RecoveryPoints in Archive Tier, if yes throw warning and confirmation prompt
@@ -131,13 +139,13 @@ public override void ExecuteCmdlet()
                                 var restorePointQueryType = "FullAndDifferential";
 
                                 string queryFilterString = QueryBuilder.Instance.GetQueryString(new ServiceClientModel.BmsrpQueryObject()
-                                {      
+                                {
                                     RestorePointQueryType = restorePointQueryType,
                                     ExtendedInfo = true
                                 });
                                 queryFilter = new ODataQuery<ServiceClientModel.BmsrpQueryObject>();
                                 queryFilter.Filter = queryFilterString;
-                            }                            
+                            }
 
                             var rpListResponse = ServiceClientAdapter.GetRecoveryPoints(
                                containerUri,
@@ -171,7 +179,7 @@ public override void ExecuteCmdlet()
                             else
                             {
                                 var itemResponse = psBackupProvider.DisableProtectionWithDeleteData();
-                             
+
                                 // Track Response and display job details
                                 HandleCreatedJob(
                                         itemResponse,
@@ -206,7 +214,6 @@ public override void ExecuteCmdlet()
                     }
                 );
             }, ShouldProcess(Item.Name, VerbsLifecycle.Disable));
-
-        }
+        }        
     }
 }

src/RecoveryServices/RecoveryServices.Backup/Cmdlets/Item/DisableAzureRmRecoveryServicesBackupProtection.cs

@@ -99,12 +99,19 @@ public class EnableAzureRmRecoveryServicesBackupProtection : RSBackupVaultCmdlet
         [ValidateNotNullOrEmpty]
         public ItemBase Item { get; set; }
 
+        /// <summary>
+        /// Parameter deprecated. Please use SecureToken instead
+        /// </summary>
+        [Parameter(Mandatory = false, ParameterSetName = ModifyProtectionParameterSet, HelpMessage = ParamHelpMsgs.ResourceGuard.TokenDepricated, ValueFromPipeline = false)]
+        [ValidateNotNullOrEmpty]
+        public string Token;
+
         /// <summary>
         /// Parameter to authorize operations protected by cross tenant resource guard. Use command (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token to fetch authorization token for different tenant.
         /// </summary>
         [Parameter(Mandatory = false, ParameterSetName = ModifyProtectionParameterSet, HelpMessage = ParamHelpMsgs.ResourceGuard.AuxiliaryAccessToken, ValueFromPipeline = false)]
         [ValidateNotNullOrEmpty]
-        public string Token;
+        public System.Security.SecureString SecureToken;
 
         /// <summary>
         /// List of Disk LUNs to include in backup
@@ -164,6 +171,8 @@ public override void ExecuteCmdlet()
                     shouldProcessName = Item.Name;
                     isMUAOperation = true;
                 }
+                
+                string plainToken = HelperUtils.GetPlainToken(Token, SecureToken);
 
                 if (ShouldProcess(shouldProcessName, VerbsLifecycle.Enable))
                 {
@@ -258,7 +267,7 @@ public override void ExecuteCmdlet()
                                 { ItemParams.ExclusionDisksList, ExclusionDisksList },
                                 { ItemParams.ResetExclusionSettings, ResetExclusionSettings },
                                 { ItemParams.ExcludeAllDataDisks, ExcludeAllDataDisks.IsPresent },
-                                { ResourceGuardParams.Token, Token },
+                                { ResourceGuardParams.Token, plainToken },
                                 { ResourceGuardParams.IsMUAOperation, isMUAOperation },
                             }, ServiceClientAdapter);
 

src/RecoveryServices/RecoveryServices.Backup/Cmdlets/Item/EnableAzureRmRecoveryServicesBackupProtection.cs

@@ -43,10 +43,14 @@ public class SetAzureRmRecoveryServicesBackupProtectionPolicy : RSBackupVaultCmd
         [ValidateNotNullOrEmpty]
         public PolicyBase Policy { get; set; }
 
-        [Parameter(Mandatory = false, ValueFromPipeline = false, HelpMessage = ParamHelpMsgs.ResourceGuard.AuxiliaryAccessToken, ParameterSetName = ModifyPolicyParamSet)]
+        [Parameter(Mandatory = false, ValueFromPipeline = false, HelpMessage = ParamHelpMsgs.ResourceGuard.TokenDepricated, ParameterSetName = ModifyPolicyParamSet)]
         [ValidateNotNullOrEmpty]
         public string Token;
 
+        [Parameter(Mandatory = false, ValueFromPipeline = false, HelpMessage = ParamHelpMsgs.ResourceGuard.AuxiliaryAccessToken, ParameterSetName = ModifyPolicyParamSet)]
+        [ValidateNotNullOrEmpty]
+        public System.Security.SecureString SecureToken;
+
         /// <summary>
         /// Retention policy object to be modified
         /// </summary>
@@ -215,6 +219,8 @@ public override void ExecuteCmdlet()
                     }
                 }
 
+                string plainToken = HelperUtils.GetPlainToken(Token, SecureToken);
+                
                 PsBackupProviderManager providerManager = new PsBackupProviderManager(
                     new Dictionary<System.Enum, object>()
                     {
@@ -224,7 +230,7 @@ public override void ExecuteCmdlet()
                         { PolicyParams.RetentionPolicy, RetentionPolicy },
                         { PolicyParams.SchedulePolicy, SchedulePolicy },
                         { PolicyParams.FixForInconsistentItems, FixForInconsistentItems.IsPresent },
-                        { ResourceGuardParams.Token, Token },
+                        { ResourceGuardParams.Token, plainToken },
                         { ResourceGuardParams.IsMUAOperation, isMUAOperation },
                         { PolicyParams.ExistingPolicy, servicePolicy},
                         { PolicyParams.TieringPolicy, tieringDetails},

src/RecoveryServices/RecoveryServices.Backup/Cmdlets/ProtectionPolicy/SetAzureRmRecoveryServicesBackupProtectionPolicy.cs

@@ -23,6 +23,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Management.Automation;
+using Microsoft.Azure.Commands.RecoveryServices.Backup.Helpers;
 
 namespace Microsoft.Azure.Commands.RecoveryServices.Backup.Cmdlets
 {
@@ -323,11 +324,17 @@ public class RestoreAzureRmRecoveryServicesBackupItem : RSBackupVaultCmdletBase
         public SwitchParameter RestoreToEdgeZone { get; set; }
 
         /// <summary>
-        /// Parameter to authorize operations protected by cross tenant resource guard. Use command (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token to fetch authorization token for different tenant.
+        /// Parameter deprecated. Please use SecureToken instead
         /// </summary>
-        [Parameter(Mandatory = false, HelpMessage = ParamHelpMsgs.ResourceGuard.AuxiliaryAccessToken, ValueFromPipeline = false)]        
+        [Parameter(Mandatory = false, HelpMessage = ParamHelpMsgs.ResourceGuard.TokenDepricated, ValueFromPipeline = false)]        
         public string Token;
 
+        /// <summary>
+        /// Parameter to authorize operations protected by cross tenant resource guard. Use command (Get-AzAccessToken -TenantId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx").Token to fetch authorization token for different tenant.
+        /// </summary>
+        [Parameter(Mandatory = false, HelpMessage = ParamHelpMsgs.ResourceGuard.AuxiliaryAccessToken, ValueFromPipeline = false)]
+        public System.Security.SecureString SecureToken;
+
         [Parameter(Mandatory = false, ParameterSetName = AzureManagedVMCreateNewParameterSet,
             HelpMessage = ParamHelpMsgs.RestoreVM.DiskAccessOption)]        
         [Parameter(Mandatory = false, ParameterSetName = AzureManagedVMReplaceExistingParameterSet,
@@ -403,6 +410,8 @@ public override void ExecuteCmdlet()
                     RestoreType = "OriginalLocation";
                 }
 
+                string plainToken = HelperUtils.GetPlainToken(Token, SecureToken);
+
                 providerParameters.Add(VaultParams.VaultName, vaultName);
                 providerParameters.Add(VaultParams.ResourceGroupName, resourceGroupName);
                 providerParameters.Add(VaultParams.VaultLocation, VaultLocation);
@@ -428,7 +437,7 @@ public override void ExecuteCmdlet()
                 providerParameters.Add(RestoreVMBackupItemParams.TargetSubnetName, TargetSubnetName);
                 providerParameters.Add(RestoreVMBackupItemParams.TargetSubscriptionId, TargetSubscriptionId);
                 providerParameters.Add(RestoreVMBackupItemParams.RestoreToEdgeZone, RestoreToEdgeZone.IsPresent);
-                providerParameters.Add(ResourceGuardParams.Token, Token);
+                providerParameters.Add(ResourceGuardParams.Token, plainToken);
                 providerParameters.Add(ResourceGuardParams.IsMUAOperation, true);
 
                 if (DiskEncryptionSetId != null)

src/RecoveryServices/RecoveryServices.Backup/Cmdlets/Restore/RestoreAzureRMRecoveryServicesBackupItem.cs

@@ -16,6 +16,7 @@
 using System.Management.Automation;
 using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
 using Microsoft.Azure.Commands.RecoveryServices.Backup.Cmdlets.ServiceClientAdapterNS;
+using Microsoft.Azure.Commands.RecoveryServices.Backup.Helpers;
 
 namespace Microsoft.Azure.Commands.RecoveryServices.Backup.Cmdlets
 {
@@ -27,10 +28,14 @@ public class RemoveAzureRmRecoveryServicesResourceGuardMapping : RSBackupVaultCm
     {
         internal const string DeleteAzureResourceGuardMapping = "DeleteAzureResourceGuardMapping";
 
-        [Parameter(Mandatory = false, ValueFromPipeline = false, ParameterSetName = DeleteAzureResourceGuardMapping, HelpMessage = ParamHelpMsgs.ResourceGuard.AuxiliaryAccessToken)]
+        [Parameter(Mandatory = false, ValueFromPipeline = false, ParameterSetName = DeleteAzureResourceGuardMapping, HelpMessage = ParamHelpMsgs.ResourceGuard.TokenDepricated)]
         [ValidateNotNullOrEmpty]
         public string Token;
 
+        [Parameter(Mandatory = false, ValueFromPipeline = false, ParameterSetName = DeleteAzureResourceGuardMapping, HelpMessage = ParamHelpMsgs.ResourceGuard.AuxiliaryAccessToken)]
+        [ValidateNotNullOrEmpty]
+        public System.Security.SecureString SecureToken;
+
         public override void ExecuteCmdlet()
         {
             ExecutionBlock(() =>
@@ -42,7 +47,10 @@ public override void ExecuteCmdlet()
                     string resourceGroupName = resourceIdentifier.ResourceGroupName;
 
                     string resourceGuardMappingName = "VaultProxy";
-                    Rest.Azure.AzureOperationResponse result = ServiceClientAdapter.DeleteResourceGuardMapping(vaultName, resourceGroupName, resourceGuardMappingName, Token);
+
+                    string plainToken = HelperUtils.GetPlainToken(Token, SecureToken);
+
+                    Rest.Azure.AzureOperationResponse result = ServiceClientAdapter.DeleteResourceGuardMapping(vaultName, resourceGroupName, resourceGuardMappingName, plainToken);
                     WriteObject(result);
                 }
                 catch (Exception exception)