From cb9665594175b6b2d8e3559842f3e6c3c76c643d Mon Sep 17 00:00:00 2001
From: Bill Long <bilong@microsoft.com>
Date: Thu, 27 Jun 2024 14:13:54 -0500
Subject: [PATCH] Update pipelines to use 1ES templates

---
 .../IIS/ExchangeBackEnd-ECP_web.config        |  52 ++--
 azure-pipeline-merge.yml                      |  87 ++++---
 azure-pipeline-release.yml                    | 223 +++++++++---------
 3 files changed, 191 insertions(+), 171 deletions(-)

diff --git a/Diagnostics/HealthChecker/Tests/DataCollection/E15/Exchange/IIS/ExchangeBackEnd-ECP_web.config b/Diagnostics/HealthChecker/Tests/DataCollection/E15/Exchange/IIS/ExchangeBackEnd-ECP_web.config
index 674e3ca42a..adcc65db73 100644
--- a/Diagnostics/HealthChecker/Tests/DataCollection/E15/Exchange/IIS/ExchangeBackEnd-ECP_web.config
+++ b/Diagnostics/HealthChecker/Tests/DataCollection/E15/Exchange/IIS/ExchangeBackEnd-ECP_web.config
@@ -1,31 +1,31 @@
 <?xml version="1.0"?>
 <configuration>
-  <!-- 
+  <!--
       Configuration section for Exchange Control Panel:
-  
+
      - rbacPrincipalMaximumAge: TimeSpan: Ex: 00:15:00 - 15 minutes.
-       Controls for how long we cache RBAC information for a particular identity. 
+       Controls for how long we cache RBAC information for a particular identity.
        This timeout is absolute, ie, it will expire even if the user is constantly using it.
        This allows administrators to control for how long a user can run ECP with
        out-of-date role assignments.
-       
+
      - rbacRunspaceSlidingExpiration: TimeSpan: Ex: 00:05:00 - 5 minutes.
        Controls for how long we keep RBAC runspaces cached for a particular identity.
        This timeout slides, ie, each time the user accesses his runspace we will let
-       the runspace live for this much longer. 
-       
-       Note that when the RbacPrincipal reaches its maximum age it will forcefully 
-       expire and will take the associated runspaces with it, so 
-       rbacRunspaceSlidingExpiration needs to be less than or equal to 
+       the runspace live for this much longer.
+
+       Note that when the RbacPrincipal reaches its maximum age it will forcefully
+       expire and will take the associated runspaces with it, so
+       rbacRunspaceSlidingExpiration needs to be less than or equal to
        rbacPrincipalMaximumAge.
-       
+
        Performance of the server can be tweaked between these two properties.
        Increasing the timeouts allows the server to cache RBAC information
        and runspaces for longer periods, therefore responding faster to returning
-       users at the cost of memory and a delay in automatically picking up changes 
+       users at the cost of memory and a delay in automatically picking up changes
        in role assignments. Note that users can force a refresh of their RBAC
        information by creating new session (ie, opening new browser windows).
-       
+
   <configSections>
     <section name="rbacConfig" type="Microsoft.Exchange.PowerShell.RbacHostingTools.Asp.Net.RbacSection, Microsoft.Exchange.PowerShell.RbacHostingTools" restartOnExternalChanges="true"/>
   </configSections>
@@ -48,7 +48,7 @@
     <add key="AddSourceToErrorMessages" value="false" />
     <!-- Specify the directories to probe binaries, separate each path by a semicolon  -->
     <add key="BinSearchFolders" value="C:\Program Files\Microsoft\Exchange Server\V15\bin;C:\Program Files\Microsoft\Exchange Server\V15\bin\CmdletExtensionAgents;C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\bin" />
-    <!-- A tri-state switch indicating whether we want to show debug information such as call stack of exception. 
+    <!-- A tri-state switch indicating whether we want to show debug information such as call stack of exception.
            However, note that client javascript callstack will always be shown.
            It accepts the following values, default is None:
                All:     Always show debug information for all errors.
@@ -124,12 +124,12 @@
     <GlobalInfo lang="fil-PH" name="FirstName,Initials,LastName" address="Street,ZipPostal,StateProvince,City,Country" />
   </GlobalInfos>
   <system.web>
-    <machineKey validationKey="CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF" decryptionKey="E9D2490BD0075B51D1BA5288514514AF" validation="SHA1" decryption="3DES" />
+    <machineKey validationKey="AutoGenerate,IsolateApps" />
     <!--
         Set client scripts location to version/scripts, so that request to WebRequest.axd will be replaced with this static path
     -->
     <webControls clientScriptsLocation="/ecp/15.0.1497.2/scripts/" />
-    <!-- 
+    <!--
 	  Enable HTTPOnly flag for server generated cookies.
     We used to require secure (HTTPS) cookies too, but CAS-2-CAS scenarios can use just HTTP.
 	  Please note that these settings can be overwritten programmatically. So we specify entries here just
@@ -289,21 +289,21 @@
     <serviceHostingEnvironment aspNetCompatibilityEnabled="true" minFreeMemoryPercentageToActivateService="0" />
     <bindings>
       <webHttpBinding>
-        <!-- 
-          ECP Web Services are auto-configured and do not need to be listed here. 
+        <!--
+          ECP Web Services are auto-configured and do not need to be listed here.
           However, their svc file must include the following setting to activate the correct host:
             Factory="Microsoft.Exchange.Management.ControlPanel.ServiceHostFactory"
-            
+
           We auto-configure the bindings based on the schema of the endpoint address.
           HTTPS binding is used by the https://server/ecp base address and similarly the
-          HTTP binding is used with the http://server/ecp base address. 
-          
-          Note that HTTP is primarily for use with CAS-2-CAS proxy scenarios and requires 
+          HTTP binding is used with the http://server/ecp base address.
+
+          Note that HTTP is primarily for use with CAS-2-CAS proxy scenarios and requires
           the 'ecp' vdir to be configured to 'not' require SSL. In this case both endpoints
           are created. If the vdir is configured to require SSL then only the https endpoint
           is created.
-          
-          In below the maxStringContentLength explicitly defines the maximum length required 
+
+          In below the maxStringContentLength explicitly defines the maximum length required
           throughout ECP. For example, OOF is using this value in its rich text editor to restrict the content inside.
           Changing this number smaller may result in webservice failures.
           Increase maxReceivedMessageSize and maxReceivedMessageSize to 2M to support 50,000 mailboxes for migration CSV file.
@@ -325,7 +325,7 @@
         <binding name="http" maxReceivedMessageSize="524288">
           <readerQuotas maxStringContentLength="128000" />
         </binding>
-        <!-- 
+        <!--
             Configuration for invoking the Microsoft Online (BPOS) shell web service.
         -->
         <binding name="MsOnlineShellService_BindingConfiguration" maxReceivedMessageSize="102400">
@@ -337,7 +337,7 @@
       </wsHttpBinding>
     </bindings>
     <client>
-      <!-- 
+      <!--
             This section specifies the configuration for invoking the Microsoft Online (BPOS) shell web service.
             The "???" values are specified at deployment time, as implemented in:
             sources/dev/Management/src/Management/Deployment/Components/DatacenterClientAccessComponent.xml
@@ -353,7 +353,7 @@
         <behavior name="MsOnlineShellService_EndPointBehavior">
           <clientCredentials>
             <serviceCertificate>
-              <!-- Use the exchange server certificate in local server for authentication when connect 
+              <!-- Use the exchange server certificate in local server for authentication when connect
               to Shell service. No point to check whether our certificate has been revocated. -->
               <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
             </serviceCertificate>
diff --git a/azure-pipeline-merge.yml b/azure-pipeline-merge.yml
index be7009b9ee..ad846fe10c 100644
--- a/azure-pipeline-merge.yml
+++ b/azure-pipeline-merge.yml
@@ -1,38 +1,49 @@
-pool:
-  vmImage: 'windows-latest'
-
-steps:
-- pwsh: |
-    cd .\.build
-    .\docs.ps1
-  displayName: "Docs Check"
-
-- pwsh: .\.build\SpellCheck.ps1
-  displayName: "Spell Check"
-
-- pwsh: |
-    cd .\.build
-    .\CodeFormatter.ps1 -Branch $env:TargetBranchName
-  displayName: "Code Formatting Script"
-  condition: and(succeeded(), ne(variables['Build.SourceBranch'], 'refs/heads/release'))
-  env:
-    TargetBranchName: $(System.PullRequest.TargetBranch)
-
-- pwsh: |
-    cd .\.build
-    .\Build.ps1
-  displayName: "Build Script"
-
-- pwsh: |
-    cd .\.build
-    .\Pester.ps1 -NoProgress -Branch $env:TargetBranchName
-  displayName: "Running Invoke-Pester"
-  env:
-    TargetBranchName: $(System.PullRequest.TargetBranch)
-
-- pwsh: |
-    cd .\.build
-    .\ValidateMerge.ps1 -Branch $env:TargetBranchName
-  displayName: "Validate commit times"
-  env:
-    TargetBranchName: $(System.PullRequest.TargetBranch)
+resources:
+  repositories:
+  - repository: 1ESPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+extends:
+  template: v1/1ES.Unofficial.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    pool:
+      name: MSSecurity-1ES-Build-Agents-Pool
+      image: MSSecurity-1ES-Windows-2022
+      os: windows
+    customBuildTags:
+    - ES365AIMigrationTooling
+    stages:
+    - stage: stage
+      jobs:
+      - job: job
+        steps:
+        - pwsh: |
+            cd .\.build
+            .\docs.ps1
+          displayName: "Docs Check"
+        - pwsh: .\.build\SpellCheck.ps1
+          displayName: "Spell Check"
+        - pwsh: |
+            cd .\.build
+            .\CodeFormatter.ps1 -Branch $env:TargetBranchName
+          displayName: "Code Formatting Script"
+          condition: and(succeeded(), ne(variables['Build.SourceBranch'], 'refs/heads/release'))
+          env:
+            TargetBranchName: $(System.PullRequest.TargetBranch)
+        - pwsh: |
+            cd .\.build
+            .\Build.ps1
+          displayName: "Build Script"
+        - pwsh: |
+            cd .\.build
+            .\Pester.ps1 -NoProgress -Branch $env:TargetBranchName
+          displayName: "Running Invoke-Pester"
+          env:
+            TargetBranchName: $(System.PullRequest.TargetBranch)
+        - pwsh: |
+            cd .\.build
+            .\ValidateMerge.ps1 -Branch $env:TargetBranchName
+          displayName: "Validate commit times"
+          env:
+            TargetBranchName: $(System.PullRequest.TargetBranch)
diff --git a/azure-pipeline-release.yml b/azure-pipeline-release.yml
index e0f4c55589..ce768e4c2e 100644
--- a/azure-pipeline-release.yml
+++ b/azure-pipeline-release.yml
@@ -1,110 +1,119 @@
 trigger:
   branches:
     include:
-      - release
-
-pool:
-  vmImage: 'windows-latest'
-
-steps:
-- pwsh: |
-    cd .\.build
-    .\Build.ps1
-  displayName: "Build Script"
-
-- task: EsrpCodeSigning@2
-  condition: and(succeeded(), ne (variables['Build.Reason'], 'PullRequest'), eq(variables['Build.SourceBranch'], 'refs/heads/release'))
-  inputs:
-    ConnectedServiceName: 'CSS Exchange Code Sign'
-    FolderPath: 'dist'
-    Pattern: '*.ps1'
-    signConfigType: 'inlineSignParams'
-    inlineOperation: |
-      [
-        {
-          "keyCode": "CP-230012",
-          "operationSetCode": "SigntoolSign",
-          "parameters": [
-            {
-              "parameterName": "OpusName",
-              "parameterValue": "CSS Exchange"
-            },
-            {
-              "parameterName": "OpusInfo",
-              "parameterValue": "https://github.com/microsoft/CSS-Exchange"
-            },
-            {
-              "parameterName": "PageHash",
-              "parameterValue": "/NPH"
-            },
-            {
-              "parameterName": "FileDigest",
-              "parameterValue": "/fd sha256"
-            },
-            {
-              "parameterName": "TimeStamp",
-              "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
-            }
-          ],
-          "toolName": "signtool.exe",
-          "toolVersion": "6.2.9304.0"
-        }
-      ]
-    SessionTimeout: '60'
-    MaxConcurrency: '50'
-    MaxRetryAttempts: '5'
-
-- pwsh: |
-    cd .\.build
-    .\BuildScriptVersions.ps1
-  displayName: "Build ScriptVersions.txt"
-
-- pwsh: |
-    Get-Content dist\ScriptVersions.txt
-  displayName: "Display Script Versions file"
-
-- pwsh: |
-    $tag = "v$((Get-Date).ToString(`"yy.MM.dd.HHmm`"))"
-    Write-Host "##vso[task.setvariable variable=ReleaseTagValue]$tag"
-    (Get-Content .\dist\ScriptVersions.txt) -replace '^(\S+.ps1)', ('[$1](https://github.com/microsoft/CSS-Exchange/releases/download/' + $tag + '/$1)') | Out-File dist\ScriptVersions.txt
-    Get-Content dist\ScriptVersions.txt
-  displayName: "Setting Script Versions text file"
-
-- task: GitHubRelease@0
-  displayName: 'Create GitHub Release - Draft'
-  condition: and(succeeded(), ne (variables['Build.Reason'], 'PullRequest'), eq(variables['Build.SourceBranch'], 'refs/heads/release'))
-  inputs:
-    gitHubConnection: 'GitHub Release'
-    repositoryName: microsoft/CSS-Exchange
-    action: create
-    tagSource: manual
-    tagPattern: 'v[0-9].[0-9].[0-9].[0-9]'
-    tag: $(ReleaseTagValue)
-    title: $(ReleaseTagValue)
-    releaseNotesSource: 'file'
-    releaseNotesFile: dist\ScriptVersions.txt
-    assets: |
-      dist\*.ps1
-      dist\*.nse
-      dist\*.zip
-      dist\*.txt
-      dist\*.csv
-    addChangeLog: true
-    isDraft: true
-
-- task: GitHubRelease@0
-  displayName: 'Publish GitHub Release'
-  condition: and(succeeded(), ne (variables['Build.Reason'], 'PullRequest'), eq(variables['Build.SourceBranch'], 'refs/heads/release'))
-  inputs:
-    gitHubConnection: 'GitHub Release'
-    repositoryName: microsoft/CSS-Exchange
-    action: edit
-    tagSource: manual
-    tagPattern: 'v[0-9].[0-9].[0-9].[0-9]'
-    tag: $(ReleaseTagValue)
-    title: $(ReleaseTagValue)
-    releaseNotesSource: 'file'
-    releaseNotesFile: dist\ScriptVersions.txt
-    assetUploadMode: replace
-    addChangeLog: true
-    isDraft: false
+    - release
+resources:
+  repositories:
+  - repository: 1ESPipelineTemplates
+    type: git
+    name: 1ESPipelineTemplates/1ESPipelineTemplates
+    ref: refs/tags/release
+extends:
+  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
+  parameters:
+    pool:
+      name: MSSecurity-1ES-Build-Agents-Pool
+      image: MSSecurity-1ES-Windows-2022
+      os: windows
+    customBuildTags:
+    - ES365AIMigrationTooling
+    stages:
+    - stage: stage
+      jobs:
+      - job: job
+        steps:
+        - pwsh: |
+            cd .\.build
+            .\Build.ps1
+          displayName: "Build Script"
+        - task: EsrpCodeSigning@2
+          condition: and(succeeded(), ne (variables['Build.Reason'], 'PullRequest'), eq(variables['Build.SourceBranch'], 'refs/heads/release'))
+          inputs:
+            ConnectedServiceName: 'CSS Exchange Code Sign'
+            FolderPath: 'dist'
+            Pattern: '*.ps1'
+            signConfigType: 'inlineSignParams'
+            inlineOperation: |
+              [
+                {
+                  "keyCode": "CP-230012",
+                  "operationSetCode": "SigntoolSign",
+                  "parameters": [
+                    {
+                      "parameterName": "OpusName",
+                      "parameterValue": "CSS Exchange"
+                    },
+                    {
+                      "parameterName": "OpusInfo",
+                      "parameterValue": "https://github.com/microsoft/CSS-Exchange"
+                    },
+                    {
+                      "parameterName": "PageHash",
+                      "parameterValue": "/NPH"
+                    },
+                    {
+                      "parameterName": "FileDigest",
+                      "parameterValue": "/fd sha256"
+                    },
+                    {
+                      "parameterName": "TimeStamp",
+                      "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+                    }
+                  ],
+                  "toolName": "signtool.exe",
+                  "toolVersion": "6.2.9304.0"
+                }
+              ]
+            SessionTimeout: '60'
+            MaxConcurrency: '50'
+            MaxRetryAttempts: '5'
+        - pwsh: |
+            cd .\.build
+            .\BuildScriptVersions.ps1
+          displayName: "Build ScriptVersions.txt"
+        - pwsh: |
+            Get-Content dist\ScriptVersions.txt
+          displayName: "Display Script Versions file"
+        - pwsh: |
+            $tag = "v$((Get-Date).ToString(`"yy.MM.dd.HHmm`"))"
+            Write-Host "##vso[task.setvariable variable=ReleaseTagValue]$tag"
+            (Get-Content .\dist\ScriptVersions.txt) -replace '^(\S+.ps1)', ('[$1](https://github.com/microsoft/CSS-Exchange/releases/download/' + $tag + '/$1)') | Out-File dist\ScriptVersions.txt
+            Get-Content dist\ScriptVersions.txt
+          displayName: "Setting Script Versions text file"
+        - task: GitHubRelease@0
+          displayName: 'Create GitHub Release - Draft'
+          condition: and(succeeded(), ne (variables['Build.Reason'], 'PullRequest'), eq(variables['Build.SourceBranch'], 'refs/heads/release'))
+          inputs:
+            gitHubConnection: 'GitHub Release'
+            repositoryName: microsoft/CSS-Exchange
+            action: create
+            tagSource: manual
+            tagPattern: 'v[0-9].[0-9].[0-9].[0-9]'
+            tag: $(ReleaseTagValue)
+            title: $(ReleaseTagValue)
+            releaseNotesSource: 'file'
+            releaseNotesFile: dist\ScriptVersions.txt
+            assets: |
+              dist\*.ps1
+              dist\*.nse
+              dist\*.zip
+              dist\*.txt
+              dist\*.csv
+            addChangeLog: true
+            isDraft: true
+        - task: GitHubRelease@0
+          displayName: 'Publish GitHub Release'
+          condition: and(succeeded(), ne (variables['Build.Reason'], 'PullRequest'), eq(variables['Build.SourceBranch'], 'refs/heads/release'))
+          inputs:
+            gitHubConnection: 'GitHub Release'
+            repositoryName: microsoft/CSS-Exchange
+            action: edit
+            tagSource: manual
+            tagPattern: 'v[0-9].[0-9].[0-9].[0-9]'
+            tag: $(ReleaseTagValue)
+            title: $(ReleaseTagValue)
+            releaseNotesSource: 'file'
+            releaseNotesFile: dist\ScriptVersions.txt
+            assetUploadMode: replace
+            addChangeLog: true
+            isDraft: false