Broker fixes for token refreshes and AccessDeniedException (#3161)

2025-12-10 12:21:58 +00:00 · 2024-02-21 16:43:01 -05:00
parent 6603bfb74c
commit 3449d5fa52
3 changed files with 32 additions and 4 deletions
--- a/src/Runner.Common/BrokerServer.cs
+++ b/src/Runner.Common/BrokerServer.cs
@@ -21,6 +21,8 @@ namespace GitHub.Runner.Common
        Task DeleteSessionAsync(CancellationToken cancellationToken);

        Task<TaskAgentMessage> GetRunnerMessageAsync(Guid? sessionId, TaskAgentStatus status, string version, string os, string architecture, bool disableUpdate, CancellationToken token);
+
+        Task UpdateConnectionIfNeeded(Uri serverUri, VssCredentials credentials);
    }

    public sealed class BrokerServer : RunnerService, IBrokerServer
@@ -59,7 +61,7 @@ namespace GitHub.Runner.Common
        {
            CheckConnection();
            var brokerSession = RetryRequest<TaskAgentMessage>(
-                async () => await _brokerHttpClient.GetRunnerMessageAsync(sessionId, version, status, os, architecture, disableUpdate, cancellationToken), cancellationToken);
+                async () => await _brokerHttpClient.GetRunnerMessageAsync(sessionId, version, status, os, architecture, disableUpdate, cancellationToken), cancellationToken, shouldRetry: ShouldRetryException);

            return brokerSession;
        }
@@ -69,5 +71,25 @@ namespace GitHub.Runner.Common
            CheckConnection();
            await _brokerHttpClient.DeleteSessionAsync(cancellationToken);
        }
+
+        public Task UpdateConnectionIfNeeded(Uri serverUri, VssCredentials credentials)
+        {
+            if (_brokerUri != serverUri || !_hasConnection)
+            {
+                return ConnectAsync(serverUri, credentials);
+            }
+
+            return Task.CompletedTask;
+        }
+
+        public bool ShouldRetryException(Exception ex)
+        {
+            if (ex is AccessDeniedException ade && ade.ErrorCode == 1)
+            {
+                return false;
+            }
+
+            return true;
+        }
    }
 }
--- a/src/Runner.Listener/MessageListener.cs
+++ b/src/Runner.Listener/MessageListener.cs
@@ -109,7 +109,8 @@ namespace GitHub.Runner.Listener
                    if (_session.BrokerMigrationMessage != null)
                    {
                        Trace.Info("Runner session is in migration mode: Creating Broker session with BrokerBaseUrl: {0}", _session.BrokerMigrationMessage.BrokerBaseUrl);
-                        await _brokerServer.ConnectAsync(_session.BrokerMigrationMessage.BrokerBaseUrl, _creds);
+
+                        await _brokerServer.UpdateConnectionIfNeeded(_session.BrokerMigrationMessage.BrokerBaseUrl, _creds);
                        _session = await _brokerServer.CreateSessionAsync(taskAgentSession, token);
                        _isBrokerSession = true;
                    }
@@ -256,7 +257,7 @@ namespace GitHub.Runner.Listener

                        var migrationMessage = JsonUtility.FromString<BrokerMigrationMessage>(message.Body);

-                        await _brokerServer.ConnectAsync(migrationMessage.BrokerBaseUrl, _creds);
+                        await _brokerServer.UpdateConnectionIfNeeded(migrationMessage.BrokerBaseUrl, _creds);
                        message = await _brokerServer.GetRunnerMessageAsync(_session.SessionId,
                                                                        runnerStatus,
                                                                        BuildConstants.RunnerPackage.Version,
--- a/src/Sdk/WebApi/WebApi/BrokerHttpClient.cs
+++ b/src/Sdk/WebApi/WebApi/BrokerHttpClient.cs
@@ -110,9 +110,14 @@ namespace GitHub.Actions.RunService.WebApi
                return result.Value;
            }

+            // the only time we throw a `Forbidden` exception from Listener /messages is when the runner is
+            // disable_update and is too old to poll
            if (result.StatusCode == HttpStatusCode.Forbidden)
            {
-                throw new AccessDeniedException(result.Error);
+                throw new AccessDeniedException($"{result.Error} Runner version v{runnerVersion} is deprecated and cannot receive messages.")
+                {
+                    ErrorCode = 1
+                };
            }

            throw new Exception($"Failed to get job message: {result.Error}");