@adobe/helix-onedrive-support 7.1.2 → 8.0.0

package/src/OneDriveAuth.d.ts

@@ -0,0 +1,98 @@
+/*
+ * Copyright 2022 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+import {AuthenticationResult, ClientApplication, ICachePlugin} from "@azure/msal-node";
+
+export declare interface OneDriveAuthOptions {
+  clientId: string;
+  clientSecret?: string;
+  refreshToken?: string;
+  log?: Console;
+  tenant?: string;
+  scopes?: string[];
+  localAuthCache?:boolean;
+
+  /**
+   * use cache plugin instead for default (global) token cache.
+   */
+  cachePlugin?: ICachePlugin,
+
+  /**
+   * Disables the cache for the tenant lookup.
+   * @default process.env.HELIX_ONEDRIVE_NO_TENANT_CACHE
+   */
+  noTenantCache?: boolean;
+
+  /**
+   * Map to use for the tenant lookup cache. If empty, a module-global cache will be used.
+   * Note that the cache is only used, if the `noTenantCache` flag is `falsy`
+   */
+  tenantCache?: Map<string, string>;
+}
+
+/**
+ * Helper class that facilitates authentication for one drive.
+ */
+export declare class OneDriveAuth {
+  /**
+   * Creates a new OneDriveAuth helper.
+   * @param {OneDriveAuthOptions} opts Options.
+   */
+  constructor(opts: OneDriveAuthOptions);
+
+  /**
+   * {@code true} if this client is initialized.
+   */
+  isAuthenticated(): boolean;
+
+  /**
+   * the logger of this client
+   */
+  log: Console;
+
+  /**
+   * the MSAL client application
+   */
+  app: ClientApplication;
+
+  /**
+   * the authority url for login.
+   */
+  getAuthorityUrl(): string;
+
+  /**
+   * Performs a login using an interactive flow which prompts the user to open a browser window and
+   * enter the authorization code.
+   * @params {function} [onCode] - optional function that gets invoked after code was retrieved.
+   * @returns {Promise<AuthenticationResult>}
+   */
+  acquireTokenByDeviceCode(onCode: Function): Promise<AuthenticationResult>;
+
+  /**
+   * Sets the access token to use for all requests. if the token is a valid JWT token,
+   * its `tid` claim is used a tenant (if no tenant is already set).
+   *
+   * @param {string} bearerToken
+   * @returns {OneDriveAuth} this
+   */
+  setAccessToken(bearerToken): OneDriveAuth;
+
+  /**
+   * Acquires the access token either from the cache or from MS.
+   * @param {boolean} silentOnly
+   * @returns {Promise<AuthenticationResult>}
+   */
+  authenticate(silentOnly: boolean): Promise<AuthenticationResult>;
+
+  dispose() : Promise<void>;
+
+  initTenantFromUrl(sharingUrl: string|URL): Promise<void>;
+}

package/src/OneDriveAuth.js

@@ -0,0 +1,310 @@
+/*
+ * Copyright 2019 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+
+// eslint-disable-next-line max-classes-per-file
+import { keepAliveNoCache } from '@adobe/helix-fetch';
+import { ConfidentialClientApplication, LogLevel } from '@azure/msal-node';
+import { decodeJwt } from 'jose';
+import { MemCachePlugin } from './cache/MemCachePlugin.js';
+import { StatusCodeError } from './StatusCodeError.js';
+
+const { fetch, reset } = keepAliveNoCache({ userAgent: 'helix-fetch' });
+
+const AZ_AUTHORITY_HOST_URL = 'https://login.windows.net';
+const AZ_COMMON_TENANT = 'common';
+
+const DEFAULT_SCOPES = ['https://graph.microsoft.com/.default', 'openid', 'profile', 'offline_access'];
+
+const MSAL_LOG_LEVELS = [
+  'error',
+  'warn',
+  'info',
+  'debug',
+  'trace',
+];
+
+/**
+ * aliases
+ * @typedef {import('@azure/msal-node').AuthenticationResult} AuthenticationResult
+*/
+
+/**
+ * map that caches the tenant ids
+ * @type {Map<string, string>}
+ */
+const globalTenantCache = new Map();
+
+/**
+ * Helper class that facilitates accessing one drive.
+ *
+ * @class
+ * @field {ConfidentialClientApplication|PublicClientApplication} app
+ */
+export class OneDriveAuth {
+  /**
+   * @param {OneDriveAuthOptions} opts Options
+   */
+  constructor(opts) {
+    if (!opts.clientId) {
+      throw new Error('Missing clientId.');
+    }
+    if (opts.username || opts.password) {
+      throw new Error('Username/password authentication no longer supported.');
+    }
+
+    this.clientId = opts.clientId;
+    this.clientSecret = opts.clientSecret || '';
+    this.refreshToken = opts.refreshToken || '';
+    this._log = opts.log || console;
+    this.tenant = opts.tenant;
+    this.cachePlugin = opts.cachePlugin;
+    this.scopes = opts.scopes || DEFAULT_SCOPES;
+
+    if (!opts.noTenantCache && !process.env.HELIX_ONEDRIVE_NO_TENANT_CACHE) {
+      /** @type {Map<string, string>} */
+      this.tenantCache = opts.tenantCache || globalTenantCache;
+    }
+
+    if ((opts.localAuthCache || process.env.HELIX_ONEDRIVE_LOCAL_AUTH_CACHE) && !this.cachePlugin) {
+      this.cachePlugin = new MemCachePlugin({
+        log: this._log,
+        key: 'default',
+        caches: new Map(),
+      });
+    }
+  }
+
+  get app() {
+    if (!this._app) {
+      const {
+        log,
+        cachePlugin,
+      } = this;
+      const msalConfig = {
+        auth: {
+          clientId: this.clientId,
+          clientSecret: this.clientSecret,
+          authority: this.getAuthorityUrl(),
+        },
+        system: {
+          loggerOptions: {
+            loggerCallback(loglevel, message) {
+              log[MSAL_LOG_LEVELS[loglevel]](message);
+            },
+            piiLoggingEnabled: false,
+            logLevel: LogLevel.Verbose,
+          },
+        },
+      };
+
+      if (cachePlugin) {
+        msalConfig.cache = {
+          cachePlugin,
+        };
+      }
+      this._app = new ConfidentialClientApplication(msalConfig);
+    }
+    return this._app;
+  }
+
+  async resolveTenant(tenantHostName) {
+    const { log } = this;
+    const configUrl = `https://login.windows.net/${tenantHostName}.onmicrosoft.com/.well-known/openid-configuration`;
+    const res = await fetch(configUrl);
+    if (!res.ok) {
+      log.info(`error fetching openid-configuration for ${tenantHostName}: ${res.status}. Fallback to 'common'`);
+      return AZ_COMMON_TENANT;
+    }
+
+    const { issuer } = await res.json();
+    if (!issuer) {
+      log.info(`unable to extract tenant from openid-configuration for ${tenantHostName}: no 'issuer'. Fallback to 'common'`);
+      return AZ_COMMON_TENANT;
+    }
+
+    // eslint-disable-next-line prefer-destructuring
+    const tenant = new URL(issuer).pathname.split('/')[1];
+    log.info(`fetched tenant information from for ${tenantHostName}: ${tenant}`);
+    return tenant;
+  }
+
+  static getTenantHostFromUrl(sharingUrl) {
+    const url = sharingUrl instanceof URL
+      ? sharingUrl
+      : new URL(sharingUrl);
+    let [tenantHost] = url.hostname.split('.');
+    // special case: `xxxx-my.sharepoint.com`
+    if (url.hostname.endsWith('-my.sharepoint.com')) {
+      tenantHost = tenantHost.substring(0, tenantHost.length - 3);
+    }
+    return tenantHost;
+  }
+
+  async initTenantFromUrl(sharingUrl) {
+    if (this.tenant) {
+      return;
+    }
+    const { log } = this;
+    const tenantHost = OneDriveAuth.getTenantHostFromUrl(sharingUrl);
+
+    if (this.tenantCache) {
+      this.tenant = this.tenantCache.get(tenantHost);
+    }
+    if (!this.tenant) {
+      this.tenant = await this.resolveTenant(tenantHost);
+      if (this.tenantCache) {
+        this.tenantCache.set(tenantHost, this.tenant);
+      }
+    }
+    log.info(`using tenant ${this.tenant} for ${tenantHost} from ${sharingUrl}`);
+  }
+
+  /**
+   */
+  // eslint-disable-next-line class-methods-use-this
+  async dispose() {
+    // TODO: clear other state?
+    return reset();
+  }
+
+  /**
+   */
+  get log() {
+    return this._log;
+  }
+
+  getAuthorityUrl() {
+    if (!this.tenant) {
+      throw new Error('unable to compute authority url. no tenant.');
+    }
+    return `${AZ_AUTHORITY_HOST_URL}/${this.tenant}`;
+  }
+
+  /**
+   * @returns {boolean}
+   */
+  async isAuthenticated() {
+    const accounts = await this.app.getTokenCache().getAllAccounts();
+    return accounts.length > 0;
+  }
+
+  /**
+   * Performs a login using an interactive flow which prompts the user to open a browser window and
+   * enter the authorization code.
+   * @params {function} [onCode] - optional function that gets invoked after code was retrieved.
+   * @returns {Promise<AuthenticationResult>}
+   */
+  async acquireTokenByDeviceCode(onCode) {
+    const { log, app } = this;
+    try {
+      return await app.acquireTokenByDeviceCode({
+        deviceCodeCallback: async (code) => {
+          log.info(code.message);
+          if (typeof onCode === 'function') {
+            await onCode(code);
+          }
+        },
+        scopes: this.scopes,
+      });
+    } catch (e) {
+      log.error('Error while requesting access token with device code', e);
+      throw e;
+    }
+  }
+
+  /**
+   * Sets the access token to use for all requests. if the token is a valid JWT token,
+   * its `tid` claim is used a tenant (if no tenant is already set).
+   *
+   * @param {string} bearerToken
+   * @returns {OneDriveAuth} this
+   */
+  setAccessToken(bearerToken) {
+    const { log } = this;
+    /** @type AuthenticationResult */
+    this.authResult = {
+      accessToken: bearerToken,
+    };
+    if (!this.tenant) {
+      try {
+        const { tid } = decodeJwt(bearerToken);
+        if (tid) {
+          log.info(`using tenant from access token: ${tid}`);
+          this.tenant = tid;
+        }
+      } catch (e) {
+        log.warn(`unable to decode access token: ${e.message}`);
+      }
+    }
+    this.authResult.tenantId = this.tenant;
+    return this;
+  }
+
+  /**
+   * Authenticates against MS
+   * @param {boolean} silentOnly
+   * @returns {Promise<null|AuthenticationResult>}
+   */
+  async doAuthenticate(silentOnly) {
+    const { log, app } = this;
+    const accounts = await app.getTokenCache().getAllAccounts();
+    if (accounts.length > 0) {
+      try {
+        return await app.acquireTokenSilent({
+          account: accounts[0],
+        });
+      } catch (e) {
+        if (e.message !== 'Entry not found in cache.') {
+          log.warn(`Unable to acquire token from cache: ${e}`);
+        } else {
+          log.debug(`Unable to acquire token from cache: ${e}`);
+        }
+      }
+    }
+    if (silentOnly) {
+      return null;
+    }
+
+    try {
+      if (this.refreshToken) {
+        log.debug('acquire token with refresh token.');
+        return await app.acquireTokenByRefreshToken({
+          refreshToken: this.refreshToken,
+        });
+      } else if (this.clientSecret) {
+        log.debug('acquire token with client credentials.');
+        return await app.acquireTokenByClientCredential({
+          scopes: this.scopes,
+        });
+      } else {
+        const err = new StatusCodeError('No valid authentication credentials supplied.');
+        err.statusCode = 401;
+        throw err;
+      }
+    } catch (e) {
+      log.error(`Error while acquiring access token ${e}`);
+      throw e;
+    }
+  }
+
+  /**
+   * Authenticates by either using the cached result or talking to MS
+   * @param {boolean} silentOnly
+   * @returns {Promise<AuthenticationResult>}
+   */
+  async authenticate(silentOnly) {
+    if (!this.authResult) {
+      this.authResult = await this.doAuthenticate(silentOnly);
+    }
+    return this.authResult;
+  }
+}

package/src/OneDriveMock.js

@@ -9,10 +9,10 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-const OneDrive = require('./OneDrive.js');
-const Workbook = require('./Workbook.js');
-const StatusCodeError = require('./StatusCodeError.js');
-const { driveItemFromURL, driveItemToURL } = require('./utils.js');
+import { OneDrive } from './OneDrive.js';
+import { OneDriveAuth } from './OneDriveAuth.js';
+import { Workbook } from './excel/Workbook.js';
+import { StatusCodeError } from './StatusCodeError.js';
 
 /**
  * Handle the `namedItems` operation on a workbook / worksheet
@@ -139,10 +139,22 @@ function handleTable(sheet, segs, method, body) {
 /**
  * Mock OneDrive client that supports some of the operations the `OneDrive` class does.
  */
-class OneDriveMock extends OneDrive {
-  constructor() {
+export class OneDriveMock extends OneDrive {
+  constructor({ auth } = {}) {
+    if (!auth) {
+      // eslint-disable-next-line no-param-reassign
+      auth = new OneDriveAuth({
+        clientId: 'mock-id',
+        tenant: 'test-tenant',
+      });
+      // eslint-disable-next-line no-param-reassign
+      auth.accessToken = {
+        accessToken: 'dummy-token',
+        tenantId: 'test-tenant',
+      };
+    }
     super({
-      clientId: 'mock-id',
+      auth,
     });
     this.workbooks = [];
     this.sharelinks = {};
@@ -310,8 +322,3 @@ class OneDriveMock extends OneDrive {
     }
   }
 }
-
-module.exports = Object.assign(OneDriveMock, {
-  driveItemToURL,
-  driveItemFromURL,
-});

package/src/SharePointSite.js

@@ -9,14 +9,15 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
+import { keepAliveNoCache } from '@adobe/helix-fetch';
+import { StatusCodeError } from './StatusCodeError.js';
 
-const { fetch } = require('@adobe/helix-fetch').keepAliveNoCache({ userAgent: 'helix-fetch' });
-const StatusCodeError = require('./StatusCodeError.js');
+const { fetch } = keepAliveNoCache({ userAgent: 'helix-fetch' });
 
 /**
  * Helper class accessing folders and files using the SharePoint V1 API.
  */
-class SharePointSite {
+export class SharePointSite {
   constructor(opts) {
     this._owner = opts.owner;
     this._site = opts.site;
@@ -113,11 +114,10 @@ class SharePointSite {
       // await result in order to be able to catch any error
       return await (rawResponseBody || !json ? resp.buffer() : resp.json());
     } catch (e) {
-      /* istanbul ignore else */
+      /* c8 ignore next 4 */
       if (e instanceof StatusCodeError) {
         throw e;
       }
-      /* istanbul ignore next */
       throw StatusCodeError.fromError(e);
     }
   }
@@ -126,5 +126,3 @@ class SharePointSite {
     return this._log;
   }
 }
-
-module.exports = SharePointSite;

package/src/StatusCodeError.js

@@ -10,13 +10,13 @@
  * governing permissions and limitations under the License.
  */
 
-const { AbortError, FetchError } = require('@adobe/helix-fetch');
+import { AbortError, FetchError } from '@adobe/helix-fetch';
 
 /**
  * Internal error class
  * @private
  */
-class StatusCodeError extends Error {
+export class StatusCodeError extends Error {
   /**
    * Converts a fetch error to a status code error.
    * @param {Error} err The original error
@@ -63,5 +63,3 @@ class StatusCodeError extends Error {
     this.details = details;
   }
 }
-
-module.exports = StatusCodeError;

package/src/cache/FSCacheManager.d.ts

@@ -0,0 +1,28 @@
+/*
+ * Copyright 2022 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+import { FSCachePlugin } from "./FSCachePlugin";
+
+export declare interface FSCacheManagerOptions {
+  log: Console;
+  dirPath: string;
+  type: string;
+}
+
+export declare class FSCacheManager {
+  constructor(opts: FSCacheManagerOptions);
+
+  listCacheKeys():Promise<string[]>;
+
+  hasCache(key:string):Promise<boolean>;
+
+  getCache(key:string):Promise<FSCachePlugin>;
+}

package/src/cache/FSCacheManager.js

@@ -0,0 +1,77 @@
+/*
+ * Copyright 2022 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+import fs from 'fs/promises';
+import path from 'path';
+import { FSCachePlugin } from './FSCachePlugin.js';
+
+/**
+ * aliases
+ * @typedef {import("@azure/msal-node").ICachePlugin} ICachePlugin
+ * @typedef {import("@azure/msal-node").TokenCacheContext} TokenCacheContext
+ */
+
+export class FSCacheManager {
+  constructor(opts) {
+    this.dirPath = opts.dirPath;
+    this.log = opts.log || console;
+    this.type = opts.type;
+  }
+
+  getCacheFilePath(key) {
+    return path.resolve(this.dirPath, `auth-${this.type}-${key}.json`);
+  }
+
+  async listCacheKeys() {
+    try {
+      const files = await fs.readdir(this.dirPath);
+      return files
+        .filter((name) => (name.startsWith('auth-') && name.endsWith('.json')))
+        .map((name) => name.replace(/auth-([a-z0-9]+)-([a-z0-9]+).json/i, '$2'));
+    } catch (e) {
+      if (e.code === 'ENOENT') {
+        return [];
+      }
+      throw e;
+    }
+  }
+
+  async hasCache(key) {
+    try {
+      await fs.lstat(this.getCacheFilePath(key));
+      return true;
+    } catch (e) {
+      if (e.code !== 'ENOENT') {
+        throw e;
+      }
+      return false;
+    }
+  }
+
+  /**
+   * @param key
+   * @returns {FSCachePlugin}
+   */
+  async getCache(key) {
+    try {
+      await fs.lstat(this.dirPath);
+    } catch (e) {
+      if (e.code !== 'ENOENT') {
+        throw e;
+      }
+      await fs.mkdir(this.dirPath);
+    }
+    return new FSCachePlugin({
+      log: this.log,
+      filePath: this.getCacheFilePath(key),
+    });
+  }
+}

package/src/cache/FSCachePlugin.d.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2022 Adobe. All rights reserved.
+ * This file is licensed to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License. You may obtain a copy
+ * of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR REPRESENTATIONS
+ * OF ANY KIND, either express or implied. See the License for the specific language
+ * governing permissions and limitations under the License.
+ */
+import { ICachePlugin, TokenCacheContext } from  '@azure/msal-node';
+
+import { Logger } from "../OneDrive";
+
+export declare interface FSCachePluginOptions {
+  log: Console;
+  filePath: string;
+}
+
+export declare class FSCachePlugin implements ICachePlugin {
+  constructor(opts: FSCachePluginOptions);
+
+  deleteCache(): Promise<void>;
+
+  afterCacheAccess(tokenCacheContext: TokenCacheContext): Promise<boolean>;
+
+  beforeCacheAccess(tokenCacheContext: TokenCacheContext): Promise<boolean>;
+}