@azure/core-client 1.3.1 → 1.3.3-alpha.20211101.2

package/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Release History
 
+## 1.3.3 (Unreleased)
+
+### Features Added
+
+- Added a new function `authorizeRequestOnClaimChallenge`, that can be used with the `@azure/core-rest-pipeline`'s `bearerTokenAuthenticationPolicy` to support [Continuous Access Evaluation (CAE) challenges](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation).
+  - Call the `bearerTokenAuthenticationPolicy` with the following options: `bearerTokenAuthenticationPolicy({ authorizeRequestOnChallenge: authorizeRequestOnClaimChallenge })`. Once provided, the `bearerTokenAuthenticationPolicy` policy will internally handle Continuous Access Evaluation (CAE) challenges. When it can't complete a challenge it will return the 401 (unauthorized) response from ARM.
+
+### Breaking Changes
+
+### Bugs Fixed
+
+### Other Changes
+
+## 1.3.2 (2021-10-25)
+
+### Bugs Fixed
+
+- Skip query parameter replacement for absolute URLs. [PR #18310](https://github.com/Azure/azure-sdk-for-js/pull/18310)
+
 ## 1.3.1 (2021-09-30)
 
 ### Other Changes

package/dist/index.js

@@ -3,6 +3,7 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var coreRestPipeline = require('@azure/core-rest-pipeline');
+var logger$1 = require('@azure/logger');
 require('@azure/core-asynciterator-polyfill');
 
 // Copyright (c) Microsoft Corporation.
@@ -140,6 +141,13 @@ function encodeByteArray(value) {
 function decodeString(value) {
     return Buffer.from(value, "base64");
 }
+/**
+ * Decodes a base64 string into a string.
+ * @param value - the base64 string to decode
+ */
+function decodeStringToString(value) {
+    return Buffer.from(value, "base64").toString();
+}
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -1145,6 +1153,7 @@ const CollectionFormatToDelimiterMap = {
 };
 function getRequestUrl(baseUri, operationSpec, operationArguments, fallbackObject) {
     const urlReplacements = calculateUrlReplacements(operationSpec, operationArguments, fallbackObject);
+    let isAbsolutePath = false;
     let requestUrl = replaceAll(baseUri, urlReplacements);
     if (operationSpec.path) {
         const path = replaceAll(operationSpec.path, urlReplacements);
@@ -1153,13 +1162,20 @@ function getRequestUrl(baseUri, operationSpec, operationArguments, fallbackObjec
         // ignore the baseUri.
         if (isAbsoluteUrl(path)) {
             requestUrl = path;
+            isAbsolutePath = true;
         }
         else {
             requestUrl = appendPath(requestUrl, path);
         }
     }
     const { queryParams, sequenceParams } = calculateQueryParameters(operationSpec, operationArguments, fallbackObject);
-    requestUrl = appendQueryParams(requestUrl, queryParams, sequenceParams);
+    /**
+     * Notice that this call sets the `noOverwrite` parameter to true if the `requestUrl`
+     * is an absolute path. This ensures that existing query parameter values in `requestUrl`
+     * do not get overwritten. On the other hand when `requestUrl` is not absolute path, it
+     * is still being built so there is nothing to overwrite.
+     */
+    requestUrl = appendQueryParams(requestUrl, queryParams, sequenceParams, isAbsolutePath);
     return requestUrl;
 }
 function replaceAll(input, replacements) {
@@ -1297,7 +1313,7 @@ function simpleParseQueryParams(queryString) {
     return result;
 }
 /** @internal */
-function appendQueryParams(url, queryParams, sequenceParams) {
+function appendQueryParams(url, queryParams, sequenceParams, noOverwrite = false) {
     if (queryParams.size === 0) {
         return url;
     }
@@ -1319,14 +1335,15 @@ function appendQueryParams(url, queryParams, sequenceParams) {
             }
         }
         else if (existingValue) {
-            let newValue = value;
             if (Array.isArray(value)) {
                 value.unshift(existingValue);
             }
             else if (sequenceParams.has(name)) {
-                newValue = [existingValue, value];
+                combinedParams.set(name, [existingValue, value]);
+            }
+            if (!noOverwrite) {
+                combinedParams.set(name, value);
             }
-            combinedParams.set(name, newValue);
         }
         else {
             combinedParams.set(name, value);
@@ -1874,10 +1891,77 @@ function getCredentialScopes(options) {
     return undefined;
 }
 
+// Copyright (c) Microsoft Corporation.
+const logger = logger$1.createClientLogger("authorizeRequestOnClaimChallenge");
+/**
+ * Converts: `Bearer a="b", c="d", Bearer d="e", f="g"`.
+ * Into: `[ { a: 'b', c: 'd' }, { d: 'e', f: 'g' } ]`.
+ *
+ * @internal
+ */
+function parseCAEChallenge(challenges) {
+    const bearerChallenges = `, ${challenges.trim()}`.split(", Bearer ").filter((x) => x);
+    return bearerChallenges.map((challenge) => {
+        const challengeParts = `${challenge.trim()}, `.split('", ').filter((x) => x);
+        const keyValuePairs = challengeParts.map((keyValue) => (([key, value]) => ({ [key]: value }))(keyValue.trim().split('="')));
+        // Key-value pairs to plain object:
+        return keyValuePairs.reduce((a, b) => (Object.assign(Object.assign({}, a), b)), {});
+    });
+}
+/**
+ * This function can be used as a callback for the `bearerTokenAuthenticationPolicy` of `@azure/core-rest-pipeline`, to support CAE challenges:
+ * [Continuous Access Evaluation](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation).
+ *
+ * Call the `bearerTokenAuthenticationPolicy` with the following options:
+ *
+ * ```ts
+ * import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
+ * import { authorizeRequestOnClaimChallenge } from "@azure/core-client";
+ *
+ * const bearerTokenAuthenticationPolicy = bearerTokenAuthenticationPolicy({
+ *   authorizeRequestOnChallenge: authorizeRequestOnClaimChallenge
+ * });
+ * ```
+ *
+ * Once provided, the `bearerTokenAuthenticationPolicy` policy will internally handle Continuous Access Evaluation (CAE) challenges.
+ * When it can't complete a challenge it will return the 401 (unauthorized) response from ARM.
+ *
+ * Example challenge with claims:
+ *
+ * ```
+ * Bearer authorization_uri="https://login.windows-ppe.net/", error="invalid_token",
+ * error_description="User session has been revoked",
+ * claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTYwMzc0MjgwMCJ9fX0="
+ * ```
+ */
+async function authorizeRequestOnClaimChallenge(onChallengeOptions) {
+    const { scopes, response } = onChallengeOptions;
+    const challenge = response.headers.get("WWW-Authenticate");
+    if (!challenge) {
+        logger.info(`The WWW-Authenticate header was missing. Failed to perform the Continuous Access Evaluation authentication flow.`);
+        return false;
+    }
+    const challenges = parseCAEChallenge(challenge) || [];
+    const parsedChallenge = challenges.find((x) => x.claims);
+    if (!parsedChallenge) {
+        logger.info(`The WWW-Authenticate header was missing the necessary "claims" to perform the Continuous Access Evaluation authentication flow.`);
+        return false;
+    }
+    const accessToken = await onChallengeOptions.getAccessToken(parsedChallenge.scope ? [parsedChallenge.scope] : scopes, {
+        claims: decodeStringToString(parsedChallenge.claims)
+    });
+    if (!accessToken) {
+        return false;
+    }
+    onChallengeOptions.request.headers.set("Authorization", `Bearer ${accessToken.token}`);
+    return true;
+}
+
 exports.MapperTypeNames = MapperTypeNames;
 exports.ServiceClient = ServiceClient;
 exports.XML_ATTRKEY = XML_ATTRKEY;
 exports.XML_CHARKEY = XML_CHARKEY;
+exports.authorizeRequestOnClaimChallenge = authorizeRequestOnClaimChallenge;
 exports.createClientPipeline = createClientPipeline;
 exports.createSerializer = createSerializer;
 exports.deserializationPolicy = deserializationPolicy;