@azure/identity-cache-persistence 1.1.1 → 1.1.2-alpha.20240619.4

package/dist-esm/identity/src/msal/nodeFlows/msalClientCertificate.js

@@ -1,122 +0,0 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-import { __awaiter } from "tslib";
-import { MsalNode } from "./msalNodeCommon";
-import { createHash, createPrivateKey } from "crypto";
-import { formatError } from "../../util/logging";
-import { handleMsalError } from "../utils";
-import { promisify } from "util";
-import { readFile } from "fs";
-const readFileAsync = promisify(readFile);
-/**
- * Tries to asynchronously load a certificate from the given path.
- *
- * @param configuration - Either the PEM value or the path to the certificate.
- * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.
- * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.
- * @internal
- */
-export function parseCertificate(configuration, sendCertificateChain) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const certificateParts = {};
-        const certificate = configuration
-            .certificate;
-        const certificatePath = configuration
-            .certificatePath;
-        certificateParts.certificateContents =
-            certificate || (yield readFileAsync(certificatePath, "utf8"));
-        if (sendCertificateChain) {
-            certificateParts.x5c = certificateParts.certificateContents;
-        }
-        const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/g;
-        const publicKeys = [];
-        // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c
-        let match;
-        do {
-            match = certificatePattern.exec(certificateParts.certificateContents);
-            if (match) {
-                publicKeys.push(match[3]);
-            }
-        } while (match);
-        if (publicKeys.length === 0) {
-            throw new Error("The file at the specified path does not contain a PEM-encoded certificate.");
-        }
-        certificateParts.thumbprint = createHash("sha1")
-            .update(Buffer.from(publicKeys[0], "base64"))
-            .digest("hex")
-            .toUpperCase();
-        return certificateParts;
-    });
-}
-/**
- * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
- * @internal
- */
-export class MsalClientCertificate extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.requiresConfidential = true;
-        this.configuration = options.configuration;
-        this.sendCertificateChain = options.sendCertificateChain;
-    }
-    // Changing the MSAL configuration asynchronously
-    init(options) {
-        const _super = Object.create(null, {
-            init: { get: () => super.init }
-        });
-        return __awaiter(this, void 0, void 0, function* () {
-            try {
-                const parts = yield parseCertificate(this.configuration, this.sendCertificateChain);
-                let privateKey;
-                if (this.configuration.certificatePassword !== undefined) {
-                    const privateKeyObject = createPrivateKey({
-                        key: parts.certificateContents,
-                        passphrase: this.configuration.certificatePassword,
-                        format: "pem",
-                    });
-                    privateKey = privateKeyObject
-                        .export({
-                        format: "pem",
-                        type: "pkcs8",
-                    })
-                        .toString();
-                }
-                else {
-                    privateKey = parts.certificateContents;
-                }
-                this.msalConfig.auth.clientCertificate = {
-                    thumbprint: parts.thumbprint,
-                    privateKey: privateKey,
-                    x5c: parts.x5c,
-                };
-            }
-            catch (error) {
-                this.logger.info(formatError("", error));
-                throw error;
-            }
-            return _super.init.call(this, options);
-        });
-    }
-    doGetToken(scopes_1) {
-        return __awaiter(this, arguments, void 0, function* (scopes, options = {}) {
-            try {
-                const clientCredReq = {
-                    scopes,
-                    correlationId: options.correlationId,
-                    azureRegion: this.azureRegion,
-                    authority: options.authority,
-                    claims: options.claims,
-                };
-                const result = yield this.getApp("confidential", options.enableCae).acquireTokenByClientCredential(clientCredReq);
-                // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,
-                // The Client Credential flow does not return the account information from the authentication service,
-                // so each time getToken gets called, we will have to acquire a new token through the service.
-                return this.handleResult(scopes, result || undefined);
-            }
-            catch (err) {
-                throw handleMsalError(scopes, err, options);
-            }
-        });
-    }
-}
-//# sourceMappingURL=msalClientCertificate.js.map

package/dist-esm/identity/src/msal/nodeFlows/msalClientCertificate.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"msalClientCertificate.js","sourceRoot":"","sources":["../../../../../../identity/src/msal/nodeFlows/msalClientCertificate.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAOlC,OAAO,EAAE,QAAQ,EAAmB,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,QAAQ,CAAC;AAKtD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAE9B,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAqC1C;;;;;;;GAOG;AACH,MAAM,UAAgB,gBAAgB,CACpC,aAA0D,EAC1D,oBAA8B;;QAE9B,MAAM,gBAAgB,GAA8B,EAAE,CAAC;QAEvD,MAAM,WAAW,GAAwB,aAAiD;aACvF,WAAW,CAAC;QACf,MAAM,eAAe,GAAwB,aAAqD;aAC/F,eAAe,CAAC;QACnB,gBAAgB,CAAC,mBAAmB;YAClC,WAAW,IAAI,CAAC,MAAM,aAAa,CAAC,eAAgB,EAAE,MAAM,CAAC,CAAC,CAAC;QACjE,IAAI,oBAAoB,EAAE,CAAC;YACzB,gBAAgB,CAAC,GAAG,GAAG,gBAAgB,CAAC,mBAAmB,CAAC;QAC9D,CAAC;QAED,MAAM,kBAAkB,GACtB,+FAA+F,CAAC;QAClG,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,qHAAqH;QACrH,IAAI,KAAK,CAAC;QACV,GAAG,CAAC;YACF,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,CAAC,CAAC;YACtE,IAAI,KAAK,EAAE,CAAC;gBACV,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC,QAAQ,KAAK,EAAE;QAEhB,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,4EAA4E,CAAC,CAAC;QAChG,CAAC;QAED,gBAAgB,CAAC,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC;aAC7C,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;aAC5C,MAAM,CAAC,KAAK,CAAC;aACb,WAAW,EAAE,CAAC;QAEjB,OAAO,gBAAoC,CAAC;IAC9C,CAAC;CAAA;AAED;;;GAGG;AACH,MAAM,OAAO,qBAAsB,SAAQ,QAAQ;IAIjD,YAAY,OAAqC;QAC/C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,oBAAoB,GAAG,IAAI,CAAC;QACjC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QAC3C,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAC3D,CAAC;IAED,iDAAiD;IAC3C,IAAI,CAAC,OAAuC;;;;;YAChD,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,aAAa,EAAE,IAAI,CAAC,oBAAoB,CAAC,CAAC;gBAEpF,IAAI,UAA8B,CAAC;gBACnC,IAAI,IAAI,CAAC,aAAa,CAAC,mBAAmB,KAAK,SAAS,EAAE,CAAC;oBACzD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;wBACxC,GAAG,EAAE,KAAK,CAAC,mBAAmB;wBAC9B,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC,mBAAmB;wBAClD,MAAM,EAAE,KAAK;qBACd,CAAC,CAAC;oBAEH,UAAU,GAAG,gBAAgB;yBAC1B,MAAM,CAAC;wBACN,MAAM,EAAE,KAAK;wBACb,IAAI,EAAE,OAAO;qBACd,CAAC;yBACD,QAAQ,EAAE,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,UAAU,GAAG,KAAK,CAAC,mBAAmB,CAAC;gBACzC,CAAC;gBAED,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG;oBACvC,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,UAAU,EAAE,UAAU;oBACtB,GAAG,EAAE,KAAK,CAAC,GAAG;iBACf,CAAC;YACJ,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;gBACzC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,OAAO,OAAM,IAAI,YAAC,OAAO,EAAE;QAC7B,CAAC;KAAA;IAEe,UAAU;6DACxB,MAAgB,EAChB,UAAyC,EAAE;YAE3C,IAAI,CAAC;gBACH,MAAM,aAAa,GAA4B;oBAC7C,MAAM;oBACN,aAAa,EAAE,OAAO,CAAC,aAAa;oBACpC,WAAW,EAAE,IAAI,CAAC,WAAW;oBAC7B,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;iBACvB,CAAC;gBACF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAC9B,cAAc,EACd,OAAO,CAAC,SAAS,CAClB,CAAC,8BAA8B,CAAC,aAAa,CAAC,CAAC;gBAChD,iHAAiH;gBACjH,sGAAsG;gBACtG,8FAA8F;gBAC9F,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,IAAI,SAAS,CAAC,CAAC;YACxD,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;KAAA;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport {\n  ClientCertificateCredentialPEMConfiguration,\n  ClientCertificatePEMCertificate,\n  ClientCertificatePEMCertificatePath,\n} from \"../../credentials/clientCertificateCredential\";\nimport { MsalNode, MsalNodeOptions } from \"./msalNodeCommon\";\nimport { createHash, createPrivateKey } from \"crypto\";\n\nimport { AccessToken } from \"@azure/core-auth\";\nimport { ClientCredentialRequest } from \"@azure/msal-node\";\nimport { CredentialFlowGetTokenOptions } from \"../credentials\";\nimport { formatError } from \"../../util/logging\";\nimport { handleMsalError } from \"../utils\";\nimport { promisify } from \"util\";\nimport { readFile } from \"fs\";\n\nconst readFileAsync = promisify(readFile);\n\n/**\n * Options that can be passed to configure MSAL to handle client certificates.\n * @internal\n */\nexport interface MsalClientCertificateOptions extends MsalNodeOptions {\n  /**\n   * Location of the PEM certificate.\n   */\n  configuration: ClientCertificateCredentialPEMConfiguration;\n  /**\n   * Option to include x5c header for SubjectName and Issuer name authorization.\n   * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim\n   */\n  sendCertificateChain?: boolean;\n}\n\n/**\n * Parts of a certificate, as understood by MSAL.\n * @internal\n */\ninterface CertificateParts {\n  /**\n   * Hex encoded X.509 SHA-1 thumbprint of the certificate\n   */\n  thumbprint: string;\n  /**\n   * The PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----\n   */\n  certificateContents: string;\n  /**\n   * x5c header.\n   */\n  x5c: string;\n}\n\n/**\n * Tries to asynchronously load a certificate from the given path.\n *\n * @param configuration - Either the PEM value or the path to the certificate.\n * @param sendCertificateChain - Option to include x5c header for SubjectName and Issuer name authorization.\n * @returns - The certificate parts, or `undefined` if the certificate could not be loaded.\n * @internal\n */\nexport async function parseCertificate(\n  configuration: ClientCertificateCredentialPEMConfiguration,\n  sendCertificateChain?: boolean,\n): Promise<CertificateParts> {\n  const certificateParts: Partial<CertificateParts> = {};\n\n  const certificate: string | undefined = (configuration as ClientCertificatePEMCertificate)\n    .certificate;\n  const certificatePath: string | undefined = (configuration as ClientCertificatePEMCertificatePath)\n    .certificatePath;\n  certificateParts.certificateContents =\n    certificate || (await readFileAsync(certificatePath!, \"utf8\"));\n  if (sendCertificateChain) {\n    certificateParts.x5c = certificateParts.certificateContents;\n  }\n\n  const certificatePattern =\n    /(-+BEGIN CERTIFICATE-+)(\\n\\r?|\\r\\n?)([A-Za-z0-9+/\\n\\r]+=*)(\\n\\r?|\\r\\n?)(-+END CERTIFICATE-+)/g;\n  const publicKeys: string[] = [];\n\n  // Match all possible certificates, in the order they are in the file. These will form the chain that is used for x5c\n  let match;\n  do {\n    match = certificatePattern.exec(certificateParts.certificateContents);\n    if (match) {\n      publicKeys.push(match[3]);\n    }\n  } while (match);\n\n  if (publicKeys.length === 0) {\n    throw new Error(\"The file at the specified path does not contain a PEM-encoded certificate.\");\n  }\n\n  certificateParts.thumbprint = createHash(\"sha1\")\n    .update(Buffer.from(publicKeys[0], \"base64\"))\n    .digest(\"hex\")\n    .toUpperCase();\n\n  return certificateParts as CertificateParts;\n}\n\n/**\n * MSAL client certificate client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.\n * @internal\n */\nexport class MsalClientCertificate extends MsalNode {\n  private configuration: ClientCertificateCredentialPEMConfiguration;\n  private sendCertificateChain?: boolean;\n\n  constructor(options: MsalClientCertificateOptions) {\n    super(options);\n    this.requiresConfidential = true;\n    this.configuration = options.configuration;\n    this.sendCertificateChain = options.sendCertificateChain;\n  }\n\n  // Changing the MSAL configuration asynchronously\n  async init(options?: CredentialFlowGetTokenOptions): Promise<void> {\n    try {\n      const parts = await parseCertificate(this.configuration, this.sendCertificateChain);\n\n      let privateKey: string | undefined;\n      if (this.configuration.certificatePassword !== undefined) {\n        const privateKeyObject = createPrivateKey({\n          key: parts.certificateContents,\n          passphrase: this.configuration.certificatePassword,\n          format: \"pem\",\n        });\n\n        privateKey = privateKeyObject\n          .export({\n            format: \"pem\",\n            type: \"pkcs8\",\n          })\n          .toString();\n      } else {\n        privateKey = parts.certificateContents;\n      }\n\n      this.msalConfig.auth.clientCertificate = {\n        thumbprint: parts.thumbprint,\n        privateKey: privateKey,\n        x5c: parts.x5c,\n      };\n    } catch (error: any) {\n      this.logger.info(formatError(\"\", error));\n      throw error;\n    }\n    return super.init(options);\n  }\n\n  protected async doGetToken(\n    scopes: string[],\n    options: CredentialFlowGetTokenOptions = {},\n  ): Promise<AccessToken> {\n    try {\n      const clientCredReq: ClientCredentialRequest = {\n        scopes,\n        correlationId: options.correlationId,\n        azureRegion: this.azureRegion,\n        authority: options.authority,\n        claims: options.claims,\n      };\n      const result = await this.getApp(\n        \"confidential\",\n        options.enableCae,\n      ).acquireTokenByClientCredential(clientCredReq);\n      // Even though we're providing the same default in memory persistence cache that we use for DeviceCodeCredential,\n      // The Client Credential flow does not return the account information from the authentication service,\n      // so each time getToken gets called, we will have to acquire a new token through the service.\n      return this.handleResult(scopes, result || undefined);\n    } catch (err: any) {\n      throw handleMsalError(scopes, err, options);\n    }\n  }\n}\n"]}

package/dist-esm/identity/src/msal/nodeFlows/msalOnBehalfOf.js

@@ -1,66 +0,0 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-import { __awaiter } from "tslib";
-import { MsalNode } from "./msalNodeCommon";
-import { formatError } from "../../util/logging";
-import { handleMsalError } from "../utils";
-import { parseCertificate } from "./msalClientCertificate";
-/**
- * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
- * @internal
- */
-export class MsalOnBehalfOf extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.logger.info("Initialized MSAL's On-Behalf-Of flow");
-        this.requiresConfidential = true;
-        this.userAssertionToken = options.userAssertionToken;
-        this.certificatePath = options.certificatePath;
-        this.sendCertificateChain = options.sendCertificateChain;
-        this.clientSecret = options.clientSecret;
-    }
-    // Changing the MSAL configuration asynchronously
-    init(options) {
-        const _super = Object.create(null, {
-            init: { get: () => super.init }
-        });
-        return __awaiter(this, void 0, void 0, function* () {
-            if (this.certificatePath) {
-                try {
-                    const parts = yield parseCertificate({ certificatePath: this.certificatePath }, this.sendCertificateChain);
-                    this.msalConfig.auth.clientCertificate = {
-                        thumbprint: parts.thumbprint,
-                        privateKey: parts.certificateContents,
-                        x5c: parts.x5c,
-                    };
-                }
-                catch (error) {
-                    this.logger.info(formatError("", error));
-                    throw error;
-                }
-            }
-            else {
-                this.msalConfig.auth.clientSecret = this.clientSecret;
-            }
-            return _super.init.call(this, options);
-        });
-    }
-    doGetToken(scopes_1) {
-        return __awaiter(this, arguments, void 0, function* (scopes, options = {}) {
-            try {
-                const result = yield this.getApp("confidential", options.enableCae).acquireTokenOnBehalfOf({
-                    scopes,
-                    correlationId: options.correlationId,
-                    authority: options.authority,
-                    claims: options.claims,
-                    oboAssertion: this.userAssertionToken,
-                });
-                return this.handleResult(scopes, result || undefined);
-            }
-            catch (err) {
-                throw handleMsalError(scopes, err, options);
-            }
-        });
-    }
-}
-//# sourceMappingURL=msalOnBehalfOf.js.map

package/dist-esm/identity/src/msal/nodeFlows/msalOnBehalfOf.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"msalOnBehalfOf.js","sourceRoot":"","sources":["../../../../../../identity/src/msal/nodeFlows/msalOnBehalfOf.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAElC,OAAO,EAAE,QAAQ,EAAmB,MAAM,kBAAkB,CAAC;AAI7D,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AA0B3D;;;GAGG;AACH,MAAM,OAAO,cAAe,SAAQ,QAAQ;IAM1C,YAAY,OAA8B;QACxC,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACzD,IAAI,CAAC,oBAAoB,GAAG,IAAI,CAAC;QACjC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;QACrD,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,CAAC;QAC/C,IAAI,CAAC,oBAAoB,GAAG,OAAO,CAAC,oBAAoB,CAAC;QACzD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;IAC3C,CAAC;IAED,iDAAiD;IAC3C,IAAI,CAAC,OAAuC;;;;;YAChD,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACzB,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAClC,EAAE,eAAe,EAAE,IAAI,CAAC,eAAe,EAAE,EACzC,IAAI,CAAC,oBAAoB,CAC1B,CAAC;oBACF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG;wBACvC,UAAU,EAAE,KAAK,CAAC,UAAU;wBAC5B,UAAU,EAAE,KAAK,CAAC,mBAAmB;wBACrC,GAAG,EAAE,KAAK,CAAC,GAAG;qBACf,CAAC;gBACJ,CAAC;gBAAC,OAAO,KAAU,EAAE,CAAC;oBACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,CAAC;oBACzC,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;YACxD,CAAC;YACD,OAAO,OAAM,IAAI,YAAC,OAAO,EAAE;QAC7B,CAAC;KAAA;IAEe,UAAU;6DACxB,MAAgB,EAChB,UAAyC,EAAE;YAE3C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,sBAAsB,CAAC;oBACzF,MAAM;oBACN,aAAa,EAAE,OAAO,CAAC,aAAa;oBACpC,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,YAAY,EAAE,IAAI,CAAC,kBAAkB;iBACtC,CAAC,CAAC;gBACH,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,IAAI,SAAS,CAAC,CAAC;YACxD,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;KAAA;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { MsalNode, MsalNodeOptions } from \"./msalNodeCommon\";\n\nimport { AccessToken } from \"@azure/core-auth\";\nimport { CredentialFlowGetTokenOptions } from \"../credentials\";\nimport { formatError } from \"../../util/logging\";\nimport { handleMsalError } from \"../utils\";\nimport { parseCertificate } from \"./msalClientCertificate\";\n\n/**\n * Options that can be passed to configure MSAL to handle On-Behalf-Of authentication requests.\n * @internal\n */\nexport interface MsalOnBehalfOfOptions extends MsalNodeOptions {\n  /**\n   * A client secret that was generated for the App Registration.\n   */\n  clientSecret?: string;\n  /**\n   * Location of the PEM certificate.\n   */\n  certificatePath?: string;\n  /**\n   * Option to include x5c header for SubjectName and Issuer name authorization.\n   * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim\n   */\n  sendCertificateChain?: boolean;\n  /**\n   * The user assertion for the On-Behalf-Of flow.\n   */\n  userAssertionToken: string;\n}\n\n/**\n * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.\n * @internal\n */\nexport class MsalOnBehalfOf extends MsalNode {\n  private userAssertionToken: string;\n  private certificatePath?: string;\n  private sendCertificateChain?: boolean;\n  private clientSecret?: string;\n\n  constructor(options: MsalOnBehalfOfOptions) {\n    super(options);\n    this.logger.info(\"Initialized MSAL's On-Behalf-Of flow\");\n    this.requiresConfidential = true;\n    this.userAssertionToken = options.userAssertionToken;\n    this.certificatePath = options.certificatePath;\n    this.sendCertificateChain = options.sendCertificateChain;\n    this.clientSecret = options.clientSecret;\n  }\n\n  // Changing the MSAL configuration asynchronously\n  async init(options?: CredentialFlowGetTokenOptions): Promise<void> {\n    if (this.certificatePath) {\n      try {\n        const parts = await parseCertificate(\n          { certificatePath: this.certificatePath },\n          this.sendCertificateChain,\n        );\n        this.msalConfig.auth.clientCertificate = {\n          thumbprint: parts.thumbprint,\n          privateKey: parts.certificateContents,\n          x5c: parts.x5c,\n        };\n      } catch (error: any) {\n        this.logger.info(formatError(\"\", error));\n        throw error;\n      }\n    } else {\n      this.msalConfig.auth.clientSecret = this.clientSecret;\n    }\n    return super.init(options);\n  }\n\n  protected async doGetToken(\n    scopes: string[],\n    options: CredentialFlowGetTokenOptions = {},\n  ): Promise<AccessToken> {\n    try {\n      const result = await this.getApp(\"confidential\", options.enableCae).acquireTokenOnBehalfOf({\n        scopes,\n        correlationId: options.correlationId,\n        authority: options.authority,\n        claims: options.claims,\n        oboAssertion: this.userAssertionToken,\n      });\n      return this.handleResult(scopes, result || undefined);\n    } catch (err: any) {\n      throw handleMsalError(scopes, err, options);\n    }\n  }\n}\n"]}