@azure/core-client 1.3.2-alpha.20211001.1 → 1.4.0-alpha.20211123.3

package/CHANGELOG.md

@@ -1,15 +1,24 @@
 # Release History
 
-## 1.3.2 (Unreleased)
+## 1.4.0 (Unreleased)
 
 ### Features Added
 
+- Added a new function `authorizeRequestOnClaimChallenge`, that can be used with the `@azure/core-rest-pipeline`'s `bearerTokenAuthenticationPolicy` to support [Continuous Access Evaluation (CAE) challenges](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation).
+  - Call the `bearerTokenAuthenticationPolicy` with the following options: `bearerTokenAuthenticationPolicy({ authorizeRequestOnChallenge: authorizeRequestOnClaimChallenge })`. Once provided, the `bearerTokenAuthenticationPolicy` policy will internally handle Continuous Access Evaluation (CAE) challenges. When it can't complete a challenge it will return the 401 (unauthorized) response from ARM.
+
 ### Breaking Changes
 
 ### Bugs Fixed
 
 ### Other Changes
 
+## 1.3.2 (2021-10-25)
+
+### Bugs Fixed
+
+- Skip query parameter replacement for absolute URLs. [PR #18310](https://github.com/Azure/azure-sdk-for-js/pull/18310)
+
 ## 1.3.1 (2021-09-30)
 
 ### Other Changes

package/README.md

@@ -1,4 +1,4 @@
-# Azure Core Service client library for JavaScript (Experimental)
+# Azure Core Service client library for JavaScript
 
 This library is primarily intended to be used in code generated by [AutoRest](https://github.com/Azure/Autorest) and [`autorest.typescript`](https://github.com/Azure/autorest.typescript).
 

package/dist/index.js

@@ -3,6 +3,7 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var coreRestPipeline = require('@azure/core-rest-pipeline');
+var logger$1 = require('@azure/logger');
 require('@azure/core-asynciterator-polyfill');
 
 // Copyright (c) Microsoft Corporation.
@@ -140,6 +141,13 @@ function encodeByteArray(value) {
 function decodeString(value) {
     return Buffer.from(value, "base64");
 }
+/**
+ * Decodes a base64 string into a string.
+ * @param value - the base64 string to decode
+ */
+function decodeStringToString(value) {
+    return Buffer.from(value, "base64").toString();
+}
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -1145,6 +1153,7 @@ const CollectionFormatToDelimiterMap = {
 };
 function getRequestUrl(baseUri, operationSpec, operationArguments, fallbackObject) {
     const urlReplacements = calculateUrlReplacements(operationSpec, operationArguments, fallbackObject);
+    let isAbsolutePath = false;
     let requestUrl = replaceAll(baseUri, urlReplacements);
     if (operationSpec.path) {
         const path = replaceAll(operationSpec.path, urlReplacements);
@@ -1153,13 +1162,20 @@ function getRequestUrl(baseUri, operationSpec, operationArguments, fallbackObjec
         // ignore the baseUri.
         if (isAbsoluteUrl(path)) {
             requestUrl = path;
+            isAbsolutePath = true;
         }
         else {
             requestUrl = appendPath(requestUrl, path);
         }
     }
     const { queryParams, sequenceParams } = calculateQueryParameters(operationSpec, operationArguments, fallbackObject);
-    requestUrl = appendQueryParams(requestUrl, queryParams, sequenceParams);
+    /**
+     * Notice that this call sets the `noOverwrite` parameter to true if the `requestUrl`
+     * is an absolute path. This ensures that existing query parameter values in `requestUrl`
+     * do not get overwritten. On the other hand when `requestUrl` is not absolute path, it
+     * is still being built so there is nothing to overwrite.
+     */
+    requestUrl = appendQueryParams(requestUrl, queryParams, sequenceParams, isAbsolutePath);
     return requestUrl;
 }
 function replaceAll(input, replacements) {
@@ -1297,7 +1313,7 @@ function simpleParseQueryParams(queryString) {
     return result;
 }
 /** @internal */
-function appendQueryParams(url, queryParams, sequenceParams) {
+function appendQueryParams(url, queryParams, sequenceParams, noOverwrite = false) {
     if (queryParams.size === 0) {
         return url;
     }
@@ -1319,14 +1335,15 @@ function appendQueryParams(url, queryParams, sequenceParams) {
             }
         }
         else if (existingValue) {
-            let newValue = value;
             if (Array.isArray(value)) {
                 value.unshift(existingValue);
             }
             else if (sequenceParams.has(name)) {
-                newValue = [existingValue, value];
+                combinedParams.set(name, [existingValue, value]);
+            }
+            if (!noOverwrite) {
+                combinedParams.set(name, value);
             }
-            combinedParams.set(name, newValue);
         }
         else {
             combinedParams.set(name, value);
@@ -1337,12 +1354,15 @@ function appendQueryParams(url, queryParams, sequenceParams) {
         if (typeof value === "string") {
             searchPieces.push(`${name}=${value}`);
         }
-        else {
+        else if (Array.isArray(value)) {
             // QUIRK: If we get an array of values, include multiple key/value pairs
             for (const subValue of value) {
                 searchPieces.push(`${name}=${subValue}`);
             }
         }
+        else {
+            searchPieces.push(`${name}=${value}`);
+        }
     }
     // QUIRK: we have to set search manually as searchParams will encode comma when it shouldn't.
     parsedUrl.search = searchPieces.length ? `?${searchPieces.join("&")}` : "";
@@ -1874,10 +1894,77 @@ function getCredentialScopes(options) {
     return undefined;
 }
 
+// Copyright (c) Microsoft Corporation.
+const logger = logger$1.createClientLogger("authorizeRequestOnClaimChallenge");
+/**
+ * Converts: `Bearer a="b", c="d", Bearer d="e", f="g"`.
+ * Into: `[ { a: 'b', c: 'd' }, { d: 'e', f: 'g' } ]`.
+ *
+ * @internal
+ */
+function parseCAEChallenge(challenges) {
+    const bearerChallenges = `, ${challenges.trim()}`.split(", Bearer ").filter((x) => x);
+    return bearerChallenges.map((challenge) => {
+        const challengeParts = `${challenge.trim()}, `.split('", ').filter((x) => x);
+        const keyValuePairs = challengeParts.map((keyValue) => (([key, value]) => ({ [key]: value }))(keyValue.trim().split('="')));
+        // Key-value pairs to plain object:
+        return keyValuePairs.reduce((a, b) => (Object.assign(Object.assign({}, a), b)), {});
+    });
+}
+/**
+ * This function can be used as a callback for the `bearerTokenAuthenticationPolicy` of `@azure/core-rest-pipeline`, to support CAE challenges:
+ * [Continuous Access Evaluation](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation).
+ *
+ * Call the `bearerTokenAuthenticationPolicy` with the following options:
+ *
+ * ```ts
+ * import { bearerTokenAuthenticationPolicy } from "@azure/core-rest-pipeline";
+ * import { authorizeRequestOnClaimChallenge } from "@azure/core-client";
+ *
+ * const bearerTokenAuthenticationPolicy = bearerTokenAuthenticationPolicy({
+ *   authorizeRequestOnChallenge: authorizeRequestOnClaimChallenge
+ * });
+ * ```
+ *
+ * Once provided, the `bearerTokenAuthenticationPolicy` policy will internally handle Continuous Access Evaluation (CAE) challenges.
+ * When it can't complete a challenge it will return the 401 (unauthorized) response from ARM.
+ *
+ * Example challenge with claims:
+ *
+ * ```
+ * Bearer authorization_uri="https://login.windows-ppe.net/", error="invalid_token",
+ * error_description="User session has been revoked",
+ * claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTYwMzc0MjgwMCJ9fX0="
+ * ```
+ */
+async function authorizeRequestOnClaimChallenge(onChallengeOptions) {
+    const { scopes, response } = onChallengeOptions;
+    const challenge = response.headers.get("WWW-Authenticate");
+    if (!challenge) {
+        logger.info(`The WWW-Authenticate header was missing. Failed to perform the Continuous Access Evaluation authentication flow.`);
+        return false;
+    }
+    const challenges = parseCAEChallenge(challenge) || [];
+    const parsedChallenge = challenges.find((x) => x.claims);
+    if (!parsedChallenge) {
+        logger.info(`The WWW-Authenticate header was missing the necessary "claims" to perform the Continuous Access Evaluation authentication flow.`);
+        return false;
+    }
+    const accessToken = await onChallengeOptions.getAccessToken(parsedChallenge.scope ? [parsedChallenge.scope] : scopes, {
+        claims: decodeStringToString(parsedChallenge.claims)
+    });
+    if (!accessToken) {
+        return false;
+    }
+    onChallengeOptions.request.headers.set("Authorization", `Bearer ${accessToken.token}`);
+    return true;
+}
+
 exports.MapperTypeNames = MapperTypeNames;
 exports.ServiceClient = ServiceClient;
 exports.XML_ATTRKEY = XML_ATTRKEY;
 exports.XML_CHARKEY = XML_CHARKEY;
+exports.authorizeRequestOnClaimChallenge = authorizeRequestOnClaimChallenge;
 exports.createClientPipeline = createClientPipeline;
 exports.createSerializer = createSerializer;
 exports.deserializationPolicy = deserializationPolicy;