preserve Authorization header in redirects for new protocol (#158)

ChristopherHX · Sep 1, 2023 · 6316f0a · 6316f0a
1 parent 9c900a4
commit 6316f0a
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 5 deletions.
diff --git a/actionsdotnetactcompat/act_worker.go b/actionsdotnetactcompat/act_worker.go
@@ -291,6 +291,17 @@ func ExecWorker(rqt *protocol.AgentJobRequestMessage, wc actionsrunner.WorkerCon
 	runnerConfig.AutoRemove = true     // Needed to cleanup always cleanup container
 	runnerConfig.ForcePull = true
 	runnerConfig.ForceRebuild = true
+	// allow downloading actions like older actions/runner using credentials of the redirect url
+	downloadActionHttpClient := *vssConnection.HttpClient()
+	downloadActionHttpClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+		if len(via) >= 10 {
+			return fmt.Errorf("stopped after 10 redirects")
+		}
+		if len(via) >= 1 && req.Host != via[0].Host {
+			req.Header.Del("Authorization")
+		}
+		return nil
+	}
 	runnerConfig.DownloadAction = func(ngcei git.NewGitCloneExecutorInput) common.Executor {
 		return func(ctx context.Context) error {
 			actionList := &protocol.ActionReferenceList{}
@@ -313,7 +324,7 @@ func ExecWorker(rqt *protocol.AgentJobRequestMessage, wc actionsrunner.WorkerCon
 				if v.Authentication != nil && v.Authentication.Token != "" {
 					token = v.Authentication.Token
 				}
-				err := downloadAndExtractAction(ctx, ngcei.Dir, actionurl[0], actionurl[1], v.ResolvedSha, v.TarballUrl, token, vssConnection.Client)
+				err := downloadAndExtractAction(ctx, ngcei.Dir, actionurl[0], actionurl[1], v.ResolvedSha, v.TarballUrl, token, &downloadActionHttpClient)
 				if err != nil {
 					return err
 				}
@@ -351,7 +362,7 @@ func ExecWorker(rqt *protocol.AgentJobRequestMessage, wc actionsrunner.WorkerCon
 						if v.Authentication != nil && v.Authentication.Token != "" {
 							token = v.Authentication.Token
 						}
-						err := downloadAndExtractAction(ctx, ngcei.Dir, actionurl[0], actionurl[1], v.ResolvedSha, v.TarUrl, token, vssConnection.Client)
+						err := downloadAndExtractAction(ctx, ngcei.Dir, actionurl[0], actionurl[1], v.ResolvedSha, v.TarUrl, token, &downloadActionHttpClient)
 						if err != nil {
 							return err
 						}

diff --git a/actionsrunner/runner.go b/actionsrunner/runner.go
@@ -433,6 +433,7 @@ func runJob(runnerenv RunnerEnvironment, joblock *sync.Mutex, vssConnection *pro
 		var runServiceUrl string
 		{
 			if strings.EqualFold(message.MessageType, "RunnerJobRequest") {
+				plogger.Printf("Warning: TaskAgentMessage.MessageType is %v, which has not been properly tested due to missing access to test servers of the new protocol before rollout. Please report any failures to https://github.com/ChristopherHX/github-act-runner/issues.\n", message.MessageType)
 				rjrr := &RunnerJobRequestRef{}
 				json.Unmarshal(src, rjrr)
 				for retries := 0; retries < 5; retries++ {

diff --git a/protocol/connection.go b/protocol/connection.go
@@ -70,9 +70,6 @@ func (vssConnection *VssConnection) HttpClient() *http.Client {
 				if len(via) >= 10 {
 					return fmt.Errorf("stopped after 10 redirects")
 				}
-				if len(via) >= 1 && req.Host != via[0].Host {
-					req.Header.Del("Authorization")
-				}
 				return nil
 			},
 		}