Mask ACR token on Windows when System.Debug is true (#4868)

* Mask ACR token on Windows when System.Debug is true

-- Added refresh token to secret masker
-- Added FF to use --password-stdin on windows

* Mask ACR token on Windows when System.Debug is true

-- Removed PipelineFeatureSource
-- Fixed review points

* Mask ACR token on Windows when System.Debug is true

-- Removed Env source

Author: DmitriiBobreshev

src/Agent.Sdk/Knob/AgentKnobs.cs

@@ -730,5 +730,12 @@ public class AgentKnobs
             "Checks if the PSModulePath environment variable contains locations specific to PowerShell Core.",
             new EnvironmentKnobSource("AZP_AGENT_CHECK_PSMODULES_LOCATIONS"),
             new BuiltInDefaultKnobSource("false"));
+
+        public static readonly Knob UseDockerStdinPasswordOnWindows = new Knob(
+            nameof(UseDockerStdinPasswordOnWindows),
+            "If true, use --password-stdin for docker login on Windows.",
+            new RuntimeKnobSource("AZP_AGENT_USE_DOCKER_STDIN_PASSWORD_WINDOWS"),
+            new PipelineFeatureSource("UseDockerStdinPasswordOnWindows"),
+            new BuiltInDefaultKnobSource("false"));
     }
 }

src/Agent.Worker/Container/DockerCommandManager.cs

@@ -100,7 +100,9 @@ public async Task<int> DockerLogin(IExecutionContext context, string server, str
             ArgUtil.NotNull(username, nameof(username));
             ArgUtil.NotNull(password, nameof(password));
 
-            var action = new Func<Task<int>>(async () => PlatformUtil.RunningOnWindows
+            var useDockerStdinPasswordOnWindows = AgentKnobs.UseDockerStdinPasswordOnWindows.GetValue(context).AsBoolean();
+
+            var action = new Func<Task<int>>(async () => PlatformUtil.RunningOnWindows && !useDockerStdinPasswordOnWindows
                 // Wait for 17.07 to switch using stdin for docker registry password.
                 ? await ExecuteDockerCommandAsync(context, "login", $"--username \"{username}\" --password \"{password.Replace("\"", "\\\"")}\" {server}", new List<string>() { password }, context.CancellationToken)
                 : await ExecuteDockerCommandAsync(context, "login", $"--username \"{username}\" --password-stdin {server}", new List<string>() { password }, context.CancellationToken)

src/Agent.Worker/ContainerOperationProvider.cs

@@ -296,6 +296,10 @@ private async Task<string> GetAcrPasswordFromAADToken(IExecutionContext executio
             {
                 throw new NotSupportedException("Could not acquire ACR token from given AAD token. Please check that the necessary access is provided and try again.");
             }
+
+            // Mark retrieved password as secret
+            HostContext.SecretMasker.AddValue(AcrPassword);
+
             return AcrPassword;
         }