npm - @azure/identity - Versions diffs - 1.2.0-beta.2 → 1.2.0 - Mend

@azure/identity 1.2.0-beta.2 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @azure/identity might be problematic. Click here for more details.

Files changed (72) hide show

package/dist-esm/src/credentials/interactiveBrowserCredential.js CHANGED Viewed

@@ -1,16 +1,13 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 import { __awaiter } from "tslib";
-import { credentialLogger } from "../util/logging";
-import { IdentityClient } from "../client/identityClient";
+import { credentialLogger, formatError, formatSuccess } from "../util/logging";
 import { DefaultTenantId, DeveloperSignOnClientId } from "../constants";
+import { AuthenticationRequired, MsalClient } from "../client/msalClient";
 import express from "express";
-import { PublicClientApplication } from "@azure/msal-node";
 import open from "open";
-import { CredentialUnavailable } from "../client/errors";
+import { checkTenantId } from "../util/checkTenantId";
 const logger = credentialLogger("InteractiveBrowserCredential");
-class AuthenticationRequired extends CredentialUnavailable {
-}
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
  * using the interactive login flow, either via browser redirects or a popup
@@ -18,12 +15,11 @@ class AuthenticationRequired extends CredentialUnavailable {
  */
 export class InteractiveBrowserCredential {
     constructor(options) {
-        this.identityClient = new IdentityClient(options);
-        this.tenantId = (options && options.tenantId) || DefaultTenantId;
-        this.clientId = (options && options.clientId) || DeveloperSignOnClientId;
-        // Future update: this is for persistent caching
-        this.persistenceEnabled = this.persistenceEnabled = (options === null || options === void 0 ? void 0 : options.cacheOptions) !== undefined;
-        this.authenticationRecord = options === null || options === void 0 ? void 0 : options.authenticationRecord;
+        const tenantId = (options && options.tenantId) || DefaultTenantId;
+        const clientId = (options && options.clientId) || DeveloperSignOnClientId;
+        checkTenantId(logger, tenantId);
+        // const persistenceEnabled = options?.persistenceEnabled ? options?.persistenceEnabled : false;
+        // const authenticationRecord = options?.authenticationRecord;
         if (options && options.redirectUri) {
             if (typeof options.redirectUri === "string") {
                 this.redirectUri = options.redirectUri;
@@ -40,29 +36,19 @@ export class InteractiveBrowserCredential {
         if (isNaN(this.port)) {
             this.port = 80;
         }
+        let authorityHost;
         if (options && options.authorityHost) {
             if (options.authorityHost.endsWith("/")) {
-                this.authorityHost = options.authorityHost + this.tenantId;
+                authorityHost = options.authorityHost + tenantId;
             }
             else {
-                this.authorityHost = options.authorityHost + "/" + this.tenantId;
+                authorityHost = options.authorityHost + "/" + tenantId;
             }
         }
         else {
-            this.authorityHost = "https://login.microsoftonline.com/" + this.tenantId;
+            authorityHost = "https://login.microsoftonline.com/" + tenantId;
         }
-        const knownAuthorities = this.tenantId === "adfs" ? [this.authorityHost] : [];
-        const publicClientConfig = {
-            auth: {
-                clientId: this.clientId,
-                authority: this.authorityHost,
-                knownAuthorities: knownAuthorities
-            },
-            cache: options === null || options === void 0 ? void 0 : options.cacheOptions,
-            system: { networkClient: this.identityClient }
-        };
-        this.pca = new PublicClientApplication(publicClientConfig);
-        this.msalCacheManager = this.pca.getTokenCache();
+        this.msalClient = new MsalClient({ clientId, authority: authorityHost }, false, undefined, options);
     }
     /**
      * Authenticates with Azure Active Directory and returns an access token if
@@ -76,37 +62,13 @@ export class InteractiveBrowserCredential {
      */
     getToken(scopes, _options) {
         const scopeArray = typeof scopes === "object" ? scopes : [scopes];
-        if (this.authenticationRecord && this.persistenceEnabled) {
-            return this.acquireTokenFromCache().catch((e) => {
-                if (e instanceof AuthenticationRequired) {
-                    return this.acquireTokenFromBrowser(scopeArray);
-                }
-                else {
-                    throw e;
-                }
-            });
-        }
-        else {
-            return this.acquireTokenFromBrowser(scopeArray);
-        }
-    }
-    acquireTokenFromCache() {
-        return __awaiter(this, void 0, void 0, function* () {
-            yield this.msalCacheManager.readFromPersistence();
-            const silentRequest = {
-                account: this.authenticationRecord,
-                scopes: ["https://vault.azure.net/user_impersonation", "https://vault.azure.net/.default"]
-            };
-            try {
-                const response = yield this.pca.acquireTokenSilent(silentRequest);
-                logger.info("Successful silent token acquisition");
-                return {
-                    expiresOnTimestamp: response.expiresOn.getTime(),
-                    token: response.accessToken
-                };
+        return this.msalClient.acquireTokenFromCache(scopeArray).catch((e) => {
+            if (e instanceof AuthenticationRequired) {
+                return this.acquireTokenFromBrowser(scopeArray);
             }
-            catch (e) {
-                throw new AuthenticationRequired("Could not authenticate silently using the cache");
+            else {
+                logger.getToken.info(formatError(scopes, e));
+                throw e;
             }
         });
     }
@@ -116,11 +78,8 @@ export class InteractiveBrowserCredential {
                 scopes: scopeArray,
                 redirectUri: this.redirectUri
             };
-            const response = yield this.pca.getAuthCodeUrl(authCodeUrlParameters);
+            const response = yield this.msalClient.getAuthCodeUrl(authCodeUrlParameters);
             yield open(response);
-            if (this.persistenceEnabled) {
-                yield this.msalCacheManager.readFromPersistence();
-            }
         });
     }
     acquireTokenFromBrowser(scopeArray) {
@@ -147,19 +106,21 @@ export class InteractiveBrowserCredential {
                         scopes: scopeArray
                     };
                     try {
-                        const authResponse = yield this.pca.acquireTokenByCode(tokenRequest);
-                        res.sendStatus(200);
-                        if (this.persistenceEnabled) {
-                            this.msalCacheManager.writeToPersistence();
-                        }
+                        const authResponse = yield this.msalClient.acquireTokenByCode(tokenRequest);
+                        const successMessage = `Authentication Complete. You can close the browser and return to the application.`;
+                        const expiresOnTimestamp = authResponse === null || authResponse === void 0 ? void 0 : authResponse.expiresOn.valueOf();
+                        res.status(200).send(successMessage);
+                        logger.getToken.info(formatSuccess(scopeArray));
                         resolve({
-                            expiresOnTimestamp: authResponse.expiresOn.valueOf(),
+                            expiresOnTimestamp,
                             token: authResponse.accessToken
                         });
                     }
                     catch (error) {
-                        res.status(500).send(error);
-                        reject(new Error(`Authentication Error "${req.query["error"]}":\n\n${req.query["error_description"]}`));
+                        const errorMessage = formatError(scopeArray, `${req.query["error"]}. ${req.query["error_description"]}`);
+                        res.status(500).send(errorMessage);
+                        logger.getToken.info(errorMessage);
+                        reject(new Error(errorMessage));
                     }
                     finally {
                         cleanup();

package/dist-esm/src/credentials/interactiveBrowserCredential.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"interactiveBrowserCredential.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AASlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAGxE,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,EACL,uBAAuB,EAIxB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAEzD,MAAM,MAAM,GAAG,gBAAgB,CAAC,8BAA8B,CAAC,CAAC;AAEhE,MAAM,sBAAuB,SAAQ,qBAAqB;CAAG;AAE7D;;;;GAIG;AACH,MAAM,OAAO,4BAA4B;IAYvC,YAAY,OAA6C;QACvD,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC,QAAQ,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,eAAe,CAAC;QACjE,IAAI,CAAC,QAAQ,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,uBAAuB,CAAC;QAEzE,gDAAgD;QAChD,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,kBAAkB,GAAG,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,YAAY,MAAK,SAAS,CAAC;QACxF,IAAI,CAAC,oBAAoB,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,oBAAoB,CAAC;QAE1D,IAAI,OAAO,IAAI,OAAO,CAAC,WAAW,EAAE;YAClC,IAAI,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ,EAAE;gBAC3C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;aACxC;iBAAM;gBACL,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;aAC1C;SACF;aAAM;YACL,IAAI,CAAC,WAAW,GAAG,kBAAkB,CAAC;SACvC;QAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACpB,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC;SAChB;QAED,IAAI,OAAO,IAAI,OAAO,CAAC,aAAa,EAAE;YACpC,IAAI,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBACvC,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,QAAQ,CAAC;aAC5D;iBAAM;gBACL,IAAI,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;aAClE;SACF;aAAM;YACL,IAAI,CAAC,aAAa,GAAG,oCAAoC,GAAG,IAAI,CAAC,QAAQ,CAAC;SAC3E;QAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAE9E,MAAM,kBAAkB,GAAkB;YACxC,IAAI,EAAE;gBACJ,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,SAAS,EAAE,IAAI,CAAC,aAAa;gBAC7B,gBAAgB,EAAE,gBAAgB;aACnC;YACD,KAAK,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,YAAY;YAC5B,MAAM,EAAE,EAAE,aAAa,EAAE,IAAI,CAAC,cAAc,EAAE;SAC/C,CAAC;QACF,IAAI,CAAC,GAAG,GAAG,IAAI,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;QAC3D,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC;IACnD,CAAC;IAED;;;;;;;;;OASG;IACI,QAAQ,CACb,MAAyB,EACzB,QAA0B;QAE1B,MAAM,UAAU,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAElE,IAAI,IAAI,CAAC,oBAAoB,IAAI,IAAI,CAAC,kBAAkB,EAAE;YACxD,OAAO,IAAI,CAAC,qBAAqB,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;gBAC9C,IAAI,CAAC,YAAY,sBAAsB,EAAE;oBACvC,OAAO,IAAI,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC;iBACjD;qBAAM;oBACL,MAAM,CAAC,CAAC;iBACT;YACH,CAAC,CAAC,CAAC;SACJ;aAAM;YACL,OAAO,IAAI,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC;SACjD;IACH,CAAC;IAEa,qBAAqB;;YACjC,MAAM,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,EAAE,CAAC;YAElD,MAAM,aAAa,GAAG;gBACpB,OAAO,EAAE,IAAI,CAAC,oBAAqB;gBACnC,MAAM,EAAE,CAAC,4CAA4C,EAAE,kCAAkC,CAAC;aAC3F,CAAC;YAEF,IAAI;gBACF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;gBAClE,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;gBACnD,OAAO;oBACL,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;oBAChD,KAAK,EAAE,QAAQ,CAAC,WAAW;iBAC5B,CAAC;aACH;YAAC,OAAO,CAAC,EAAE;gBACV,MAAM,IAAI,sBAAsB,CAAC,iDAAiD,CAAC,CAAC;aACrF;QACH,CAAC;KAAA;IAEa,eAAe,CAAC,UAAoB;;YAChD,MAAM,qBAAqB,GAAG;gBAC5B,MAAM,EAAE,UAAU;gBAClB,WAAW,EAAE,IAAI,CAAC,WAAW;aAC9B,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,qBAAqB,CAAC,CAAC;YACtE,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;YAErB,IAAI,IAAI,CAAC,kBAAkB,EAAE;gBAC3B,MAAM,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,EAAE,CAAC;aACnD;QACH,CAAC;KAAA;IAEa,uBAAuB,CAAC,UAAoB;;YACxD,2BAA2B;YAC3B,OAAO,IAAI,OAAO,CAAqB,CAAO,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC/D,2BAA2B;gBAC3B,IAAI,MAA+B,CAAC;gBACpC,IAAI,eAAmC,CAAC;gBAExC,SAAS,OAAO;oBACd,IAAI,MAAM,EAAE;wBACV,MAAM,CAAC,KAAK,EAAE,CAAC;qBAChB;oBACD,IAAI,eAAe,EAAE;wBACnB,eAAe,CAAC,OAAO,EAAE,CAAC;qBAC3B;gBACH,CAAC;gBAED,gCAAgC;gBAChC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;gBAEtB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAO,GAAG,EAAE,GAAG,EAAE,EAAE;oBAC9B,MAAM,YAAY,GAA6B;wBAC7C,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,IAAc;wBAC9B,WAAW,EAAE,IAAI,CAAC,WAAW;wBAC7B,MAAM,EAAE,UAAU;qBACnB,CAAC;oBAEF,IAAI;wBACF,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;wBACrE,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;wBAEpB,IAAI,IAAI,CAAC,kBAAkB,EAAE;4BAC3B,IAAI,CAAC,gBAAgB,CAAC,kBAAkB,EAAE,CAAC;yBAC5C;wBAED,OAAO,CAAC;4BACN,kBAAkB,EAAE,YAAY,CAAC,SAAS,CAAC,OAAO,EAAE;4BACpD,KAAK,EAAE,YAAY,CAAC,WAAW;yBAChC,CAAC,CAAC;qBACJ;oBAAC,OAAO,KAAK,EAAE;wBACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;wBAE5B,MAAM,CACJ,IAAI,KAAK,CACP,yBAAyB,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CACrF,CACF,CAAC;qBACH;4BAAS;wBACR,OAAO,EAAE,CAAC;qBACX;gBACH,CAAC,CAAA,CAAC,CAAC;gBAEH,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAClC,MAAM,CAAC,IAAI,CAAC,oDAAoD,IAAI,CAAC,IAAI,GAAG,CAAC,CAC9E,CAAC;gBACF,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,eAAe,GAAG,MAAM,CAAC,CAAC,CAAC;gBAEhE,IAAI;oBACF,MAAM,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;iBACxC;gBAAC,OAAO,CAAC,EAAE;oBACV,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,CAAC;iBACT;YACH,CAAC,CAAA,CAAC,CAAC;QACL,CAAC;KAAA;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\n/* eslint-disable @typescript-eslint/no-unused-vars /\n\nimport { TokenCredential, GetTokenOptions, AccessToken } from \"@azure/core-http\";\nimport {\n InteractiveBrowserCredentialOptions,\n AuthenticationRecord\n} from \"./interactiveBrowserCredentialOptions\";\nimport { credentialLogger } from \"../util/logging\";\nimport { IdentityClient } from \"../client/identityClient\";\nimport { DefaultTenantId, DeveloperSignOnClientId } from \"../constants\";\nimport { Socket } from \"net\";\n\nimport express from \"express\";\nimport {\n PublicClientApplication,\n TokenCache,\n AuthorizationCodeRequest,\n Configuration\n} from \"@azure/msal-node\";\nimport open from \"open\";\nimport http from \"http\";\nimport { CredentialUnavailable } from \"../client/errors\";\n\nconst logger = credentialLogger(\"InteractiveBrowserCredential\");\n\nclass AuthenticationRequired extends CredentialUnavailable {}\n\n/\n Enables authentication to Azure Active Directory inside of the web browser\n * using the interactive login flow, either via browser redirects or a popup\n * window. This credential is not currently supported in Node.js.\n /\nexport class InteractiveBrowserCredential implements TokenCredential {\n private identityClient: IdentityClient;\n private pca: PublicClientApplication;\n private msalCacheManager: TokenCache;\n private tenantId: string;\n private clientId: string;\n private persistenceEnabled: boolean;\n private redirectUri: string;\n private authorityHost: string;\n private authenticationRecord: AuthenticationRecord \| undefined;\n private port: number;\n\n constructor(options?: InteractiveBrowserCredentialOptions) {\n this.identityClient = new IdentityClient(options);\n this.tenantId = (options && options.tenantId) \|\| DefaultTenantId;\n this.clientId = (options && options.clientId) \|\| DeveloperSignOnClientId;\n\n // Future update: this is for persistent caching\n this.persistenceEnabled = this.persistenceEnabled = options?.cacheOptions !== undefined;\n this.authenticationRecord = options?.authenticationRecord;\n\n if (options && options.redirectUri) {\n if (typeof options.redirectUri === \"string\") {\n this.redirectUri = options.redirectUri;\n } else {\n this.redirectUri = options.redirectUri();\n }\n } else {\n this.redirectUri = \"http://localhost\";\n }\n\n const url = new URL(this.redirectUri);\n this.port = parseInt(url.port);\n if (isNaN(this.port)) {\n this.port = 80;\n }\n\n if (options && options.authorityHost) {\n if (options.authorityHost.endsWith(\"/\")) {\n this.authorityHost = options.authorityHost + this.tenantId;\n } else {\n this.authorityHost = options.authorityHost + \"/\" + this.tenantId;\n }\n } else {\n this.authorityHost = \"https://login.microsoftonline.com/\" + this.tenantId;\n }\n\n const knownAuthorities = this.tenantId === \"adfs\" ? [this.authorityHost] : [];\n\n const publicClientConfig: Configuration = {\n auth: {\n clientId: this.clientId,\n authority: this.authorityHost,\n knownAuthorities: knownAuthorities\n },\n cache: options?.cacheOptions,\n system: { networkClient: this.identityClient }\n };\n this.pca = new PublicClientApplication(publicClientConfig);\n this.msalCacheManager = this.pca.getTokenCache();\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if\n * successful. If authentication cannot be performed at this time, this method may\n * return null. If an error occurs during authentication, an {@link AuthenticationError}\n * containing failure details will be thrown.\n \n @param scopes The list of scopes for which the token will have access.\n * @param options The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public getToken(\n scopes: string \| string[],\n _options?: GetTokenOptions\n ): Promise<AccessToken \| null> {\n const scopeArray = typeof scopes === \"object\" ? scopes : [scopes];\n\n if (this.authenticationRecord && this.persistenceEnabled) {\n return this.acquireTokenFromCache().catch((e) => {\n if (e instanceof AuthenticationRequired) {\n return this.acquireTokenFromBrowser(scopeArray);\n } else {\n throw e;\n }\n });\n } else {\n return this.acquireTokenFromBrowser(scopeArray);\n }\n }\n\n private async acquireTokenFromCache(): Promise<AccessToken \| null> {\n await this.msalCacheManager.readFromPersistence();\n\n const silentRequest = {\n account: this.authenticationRecord!,\n scopes: [\"https://vault.azure.net/user_impersonation\", \"https://vault.azure.net/.default\"]\n };\n\n try {\n const response = await this.pca.acquireTokenSilent(silentRequest);\n logger.info(\"Successful silent token acquisition\");\n return {\n expiresOnTimestamp: response.expiresOn.getTime(),\n token: response.accessToken\n };\n } catch (e) {\n throw new AuthenticationRequired(\"Could not authenticate silently using the cache\");\n }\n }\n\n private async openAuthCodeUrl(scopeArray: string[]): Promise<void> {\n const authCodeUrlParameters = {\n scopes: scopeArray,\n redirectUri: this.redirectUri\n };\n\n const response = await this.pca.getAuthCodeUrl(authCodeUrlParameters);\n await open(response);\n\n if (this.persistenceEnabled) {\n await this.msalCacheManager.readFromPersistence();\n }\n }\n\n private async acquireTokenFromBrowser(scopeArray: string[]): Promise<AccessToken \| null> {\n // eslint-disable-next-line\n return new Promise<AccessToken \| null>(async (resolve, reject) => {\n // eslint-disable-next-line\n let listen: http.Server \| undefined;\n let socketToDestroy: Socket \| undefined;\n\n function cleanup() {\n if (listen) {\n listen.close();\n }\n if (socketToDestroy) {\n socketToDestroy.destroy();\n }\n }\n\n // Create Express App and Routes\n const app = express();\n\n app.get(\"/\", async (req, res) => {\n const tokenRequest: AuthorizationCodeRequest = {\n code: req.query.code as string,\n redirectUri: this.redirectUri,\n scopes: scopeArray\n };\n\n try {\n const authResponse = await this.pca.acquireTokenByCode(tokenRequest);\n res.sendStatus(200);\n\n if (this.persistenceEnabled) {\n this.msalCacheManager.writeToPersistence();\n }\n\n resolve({\n expiresOnTimestamp: authResponse.expiresOn.valueOf(),\n token: authResponse.accessToken\n });\n } catch (error) {\n res.status(500).send(error);\n\n reject(\n new Error(\n `Authentication Error \"${req.query[\"error\"]}\":\\n\\n${req.query[\"error_description\"]}`\n )\n );\n } finally {\n cleanup();\n }\n });\n\n listen = app.listen(this.port, () =>\n logger.info(`Msal Node Auth Code Sample app listening on port ${this.port}!`)\n );\n listen.on(\"connection\", (socket) => (socketToDestroy = socket));\n\n try {\n await this.openAuthCodeUrl(scopeArray);\n } catch (e) {\n cleanup();\n throw e;\n }\n });\n }\n}\n"]}
1	+ {"version":3,"file":"interactiveBrowserCredential.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAMlC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAExE,OAAO,EAAE,sBAAsB,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAG1E,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,MAAM,MAAM,GAAG,gBAAgB,CAAC,8BAA8B,CAAC,CAAC;AAEhE;;;;GAIG;AACH,MAAM,OAAO,4BAA4B;IAKvC,YAAY,OAA6C;QACvD,MAAM,QAAQ,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,eAAe,CAAC;QAClE,MAAM,QAAQ,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,uBAAuB,CAAC;QAE1E,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAEhC,gGAAgG;QAChG,8DAA8D;QAE9D,IAAI,OAAO,IAAI,OAAO,CAAC,WAAW,EAAE;YAClC,IAAI,OAAO,OAAO,CAAC,WAAW,KAAK,QAAQ,EAAE;gBAC3C,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;aACxC;iBAAM;gBACL,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;aAC1C;SACF;aAAM;YACL,IAAI,CAAC,WAAW,GAAG,kBAAkB,CAAC;SACvC;QAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACpB,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC;SAChB;QAED,IAAI,aAAa,CAAC;QAClB,IAAI,OAAO,IAAI,OAAO,CAAC,aAAa,EAAE;YACpC,IAAI,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBACvC,aAAa,GAAG,OAAO,CAAC,aAAa,GAAG,QAAQ,CAAC;aAClD;iBAAM;gBACL,aAAa,GAAG,OAAO,CAAC,aAAa,GAAG,GAAG,GAAG,QAAQ,CAAC;aACxD;SACF;aAAM;YACL,aAAa,GAAG,oCAAoC,GAAG,QAAQ,CAAC;SACjE;QAED,IAAI,CAAC,UAAU,GAAG,IAAI,UAAU,CAC9B,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,EACtC,KAAK,EACL,SAAS,EACT,OAAO,CACR,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACI,QAAQ,CACb,MAAyB,EACzB,QAA0B;QAE1B,MAAM,UAAU,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAElE,OAAO,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;YACnE,IAAI,CAAC,YAAY,sBAAsB,EAAE;gBACvC,OAAO,IAAI,CAAC,uBAAuB,CAAC,UAAU,CAAC,CAAC;aACjD;iBAAM;gBACL,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC7C,MAAM,CAAC,CAAC;aACT;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAEa,eAAe,CAAC,UAAoB;;YAChD,MAAM,qBAAqB,GAAG;gBAC5B,MAAM,EAAE,UAAU;gBAClB,WAAW,EAAE,IAAI,CAAC,WAAW;aAC9B,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,qBAAqB,CAAC,CAAC;YAC7E,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;KAAA;IAEa,uBAAuB,CAAC,UAAoB;;YACxD,2BAA2B;YAC3B,OAAO,IAAI,OAAO,CAAqB,CAAO,OAAO,EAAE,MAAM,EAAE,EAAE;gBAC/D,2BAA2B;gBAC3B,IAAI,MAA+B,CAAC;gBACpC,IAAI,eAAmC,CAAC;gBAExC,SAAS,OAAO;oBACd,IAAI,MAAM,EAAE;wBACV,MAAM,CAAC,KAAK,EAAE,CAAC;qBAChB;oBACD,IAAI,eAAe,EAAE;wBACnB,eAAe,CAAC,OAAO,EAAE,CAAC;qBAC3B;gBACH,CAAC;gBAED,gCAAgC;gBAChC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;gBAEtB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAO,GAAG,EAAE,GAAG,EAAE,EAAE;oBAC9B,MAAM,YAAY,GAA6B;wBAC7C,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,IAAc;wBAC9B,WAAW,EAAE,IAAI,CAAC,WAAW;wBAC7B,MAAM,EAAE,UAAU;qBACnB,CAAC;oBAEF,IAAI;wBACF,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;wBAC5E,MAAM,cAAc,GAAG,mFAAmF,CAAC;wBAC3G,MAAM,kBAAkB,GAAG,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,SAAS,CAAC,OAAO,EAAE,CAAC;wBAC7D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;wBACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC;wBAEhD,OAAO,CAAC;4BACN,kBAAkB;4BAClB,KAAK,EAAE,YAAY,CAAC,WAAW;yBAChC,CAAC,CAAC;qBACJ;oBAAC,OAAO,KAAK,EAAE;wBACd,MAAM,YAAY,GAAG,WAAW,CAC9B,UAAU,EACV,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,GAAG,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAC3D,CAAC;wBACF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBACnC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;wBACnC,MAAM,CAAC,IAAI,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC;qBACjC;4BAAS;wBACR,OAAO,EAAE,CAAC;qBACX;gBACH,CAAC,CAAA,CAAC,CAAC;gBAEH,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,CAClC,MAAM,CAAC,IAAI,CAAC,oDAAoD,IAAI,CAAC,IAAI,GAAG,CAAC,CAC9E,CAAC;gBACF,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,eAAe,GAAG,MAAM,CAAC,CAAC,CAAC;gBAEhE,IAAI;oBACF,MAAM,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;iBACxC;gBAAC,OAAO,CAAC,EAAE;oBACV,OAAO,EAAE,CAAC;oBACV,MAAM,CAAC,CAAC;iBACT;YACH,CAAC,CAAA,CAAC,CAAC;QACL,CAAC;KAAA;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\n/* eslint-disable @typescript-eslint/no-unused-vars /\n\nimport { TokenCredential, GetTokenOptions, AccessToken } from \"@azure/core-http\";\nimport { InteractiveBrowserCredentialOptions } from \"./interactiveBrowserCredentialOptions\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging\";\nimport { DefaultTenantId, DeveloperSignOnClientId } from \"../constants\";\nimport { Socket } from \"net\";\nimport { AuthenticationRequired, MsalClient } from \"../client/msalClient\";\nimport { AuthorizationCodeRequest } from \"@azure/msal-node\";\n\nimport express from \"express\";\nimport open from \"open\";\nimport http from \"http\";\nimport { checkTenantId } from \"../util/checkTenantId\";\n\nconst logger = credentialLogger(\"InteractiveBrowserCredential\");\n\n/\n Enables authentication to Azure Active Directory inside of the web browser\n * using the interactive login flow, either via browser redirects or a popup\n * window. This credential is not currently supported in Node.js.\n /\nexport class InteractiveBrowserCredential implements TokenCredential {\n private redirectUri: string;\n private port: number;\n private msalClient: MsalClient;\n\n constructor(options?: InteractiveBrowserCredentialOptions) {\n const tenantId = (options && options.tenantId) \|\| DefaultTenantId;\n const clientId = (options && options.clientId) \|\| DeveloperSignOnClientId;\n\n checkTenantId(logger, tenantId);\n\n // const persistenceEnabled = options?.persistenceEnabled ? options?.persistenceEnabled : false;\n // const authenticationRecord = options?.authenticationRecord;\n\n if (options && options.redirectUri) {\n if (typeof options.redirectUri === \"string\") {\n this.redirectUri = options.redirectUri;\n } else {\n this.redirectUri = options.redirectUri();\n }\n } else {\n this.redirectUri = \"http://localhost\";\n }\n\n const url = new URL(this.redirectUri);\n this.port = parseInt(url.port);\n if (isNaN(this.port)) {\n this.port = 80;\n }\n\n let authorityHost;\n if (options && options.authorityHost) {\n if (options.authorityHost.endsWith(\"/\")) {\n authorityHost = options.authorityHost + tenantId;\n } else {\n authorityHost = options.authorityHost + \"/\" + tenantId;\n }\n } else {\n authorityHost = \"https://login.microsoftonline.com/\" + tenantId;\n }\n\n this.msalClient = new MsalClient(\n { clientId, authority: authorityHost },\n false,\n undefined,\n options\n );\n }\n\n /\n Authenticates with Azure Active Directory and returns an access token if\n * successful. If authentication cannot be performed at this time, this method may\n * return null. If an error occurs during authentication, an {@link AuthenticationError}\n * containing failure details will be thrown.\n \n @param scopes The list of scopes for which the token will have access.\n * @param options The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public getToken(\n scopes: string \| string[],\n _options?: GetTokenOptions\n ): Promise<AccessToken \| null> {\n const scopeArray = typeof scopes === \"object\" ? scopes : [scopes];\n\n return this.msalClient.acquireTokenFromCache(scopeArray).catch((e) => {\n if (e instanceof AuthenticationRequired) {\n return this.acquireTokenFromBrowser(scopeArray);\n } else {\n logger.getToken.info(formatError(scopes, e));\n throw e;\n }\n });\n }\n\n private async openAuthCodeUrl(scopeArray: string[]): Promise<void> {\n const authCodeUrlParameters = {\n scopes: scopeArray,\n redirectUri: this.redirectUri\n };\n\n const response = await this.msalClient.getAuthCodeUrl(authCodeUrlParameters);\n await open(response);\n }\n\n private async acquireTokenFromBrowser(scopeArray: string[]): Promise<AccessToken \| null> {\n // eslint-disable-next-line\n return new Promise<AccessToken \| null>(async (resolve, reject) => {\n // eslint-disable-next-line\n let listen: http.Server \| undefined;\n let socketToDestroy: Socket \| undefined;\n\n function cleanup(): void {\n if (listen) {\n listen.close();\n }\n if (socketToDestroy) {\n socketToDestroy.destroy();\n }\n }\n\n // Create Express App and Routes\n const app = express();\n\n app.get(\"/\", async (req, res) => {\n const tokenRequest: AuthorizationCodeRequest = {\n code: req.query.code as string,\n redirectUri: this.redirectUri,\n scopes: scopeArray\n };\n\n try {\n const authResponse = await this.msalClient.acquireTokenByCode(tokenRequest);\n const successMessage = `Authentication Complete. You can close the browser and return to the application.`;\n const expiresOnTimestamp = authResponse?.expiresOn.valueOf();\n res.status(200).send(successMessage);\n logger.getToken.info(formatSuccess(scopeArray));\n\n resolve({\n expiresOnTimestamp,\n token: authResponse.accessToken\n });\n } catch (error) {\n const errorMessage = formatError(\n scopeArray,\n `${req.query[\"error\"]}. ${req.query[\"error_description\"]}`\n );\n res.status(500).send(errorMessage);\n logger.getToken.info(errorMessage);\n reject(new Error(errorMessage));\n } finally {\n cleanup();\n }\n });\n\n listen = app.listen(this.port, () =>\n logger.info(`Msal Node Auth Code Sample app listening on port ${this.port}!`)\n );\n listen.on(\"connection\", (socket) => (socketToDestroy = socket));\n\n try {\n await this.openAuthCodeUrl(scopeArray);\n } catch (e) {\n cleanup();\n throw e;\n }\n });\n }\n}\n"]}

package/dist-esm/src/credentials/interactiveBrowserCredentialOptions.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"interactiveBrowserCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { TokenCredentialOptions } from \"../client/identityClient\";\n\n/*\n The \"login style\" to use in the authentication flow:\n * - \"redirect\" redirects the user to the authentication page and then\n * redirects them back to the page once authentication is completed.\n * - \"popup\" opens a new browser window through with the redirect flow\n * is initiated. The user's existing browser window does not leave\n * the current page\n /\nexport type BrowserLoginStyle = \"redirect\" \| \"popup\";\n\n/\n The record to use to find the cached tokens in the cache\n /\nexport interface AuthenticationRecord {\n /\n The associated authority, if used\n /\n authority?: string;\n\n /\n The home account Id\n /\n homeAccountId: string;\n\n /\n The login environment, eg \"login.windows.net\"\n /\n environment: string;\n\n /\n The associated tenant ID\n /\n tenantId: string;\n\n /\n The username of the logged in account\n /\n username: string;\n}\n\n/\n Defines options for the InteractiveBrowserCredential class.\n /\nexport interface InteractiveBrowserCredentialOptions extends TokenCredentialOptions {\n /\n Specifies whether a redirect or a popup window should be used to\n * initiate the user authentication flow. Possible values are \"redirect\"\n * or \"popup\" (default) for browser and \"popup\" (default) for node.\n \n /\n loginStyle?: BrowserLoginStyle;\n\n /*\n Gets the redirect URI of the application. This should be same as the value\n * in the application registration portal. Defaults to `window.location.href`.\n /\n redirectUri?: string \| (() => string);\n\n /\n Gets the URI to which the user will be redirected when logging out.\n * Defaults to `window.location.href`.\n /\n postLogoutRedirectUri?: string \| (() => string);\n\n /\n The Azure Active Directory tenant (directory) ID.\n /\n tenantId?: string;\n\n /\n The client (application) ID of an App Registration in the tenant.\n /\n clientId?: string;\n\n /\n The cache options to use when credentials are being checked.\n /\n cacheOptions?: {\n cachePlugin?: {\n readFromStorage: () => Promise<string>;\n writeToStorage: (getMergedState: (oldState: string) => string) => Promise<void>;\n }~~;\n };\n~~\n ~~/\n The authentication record to use to find existing tokens in the cache\n */\n authenticationRecord?: AuthenticationRecord;\n}\n~~"]}
1	+ {"version":3,"file":"interactiveBrowserCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/interactiveBrowserCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { TokenCredentialOptions } from \"../client/identityClient\";\n\n/*\n The \"login style\" to use in the authentication flow:\n * - \"redirect\" redirects the user to the authentication page and then\n * redirects them back to the page once authentication is completed.\n * - \"popup\" opens a new browser window through with the redirect flow\n * is initiated. The user's existing browser window does not leave\n * the current page\n /\nexport type BrowserLoginStyle = \"redirect\" \| \"popup\";\n\n/\n Defines options for the InteractiveBrowserCredential class.\n /\nexport interface InteractiveBrowserCredentialOptions extends TokenCredentialOptions {\n /\n Specifies whether a redirect or a popup window should be used to\n * initiate the user authentication flow. Possible values are \"redirect\"\n * or \"popup\" (default) for browser and \"popup\" (default) for node.\n \n /\n loginStyle?: BrowserLoginStyle;\n\n /*\n Gets the redirect URI of the application. This should be same as the value\n * in the application registration portal. Defaults to `window.location.href`.\n /\n redirectUri?: string \| (() => string);\n\n /\n Gets the URI to which the user will be redirected when logging out.\n * Defaults to `window.location.href`.\n /\n postLogoutRedirectUri?: string \| (() => string);\n\n /\n The Azure Active Directory tenant (directory) ID.\n /\n tenantId?: string;\n\n /\n The client (application) ID of an App Registration in the tenant.\n */\n clientId?: string;\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2017.js ADDED Viewed

@@ -0,0 +1,44 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+import { __awaiter } from "tslib";
+import { credentialLogger } from "../../util/logging";
+import { msiGenericGetToken } from "./utils";
+const logger = credentialLogger("ManagedIdentityCredential - AppServiceMSI 2017");
+function expiresInParser(requestBody) {
+    // Parse a date format like "06/20/2019 02:57:58 +00:00" and
+    // convert it into a JavaScript-formatted date
+    return Date.parse(requestBody.expires_on);
+}
+function prepareRequestOptions(resource, clientId) {
+    const queryParameters = {
+        resource,
+        "api-version": "2017-09-01"
+    };
+    if (clientId) {
+        queryParameters.clientid = clientId;
+    }
+    return {
+        url: process.env.MSI_ENDPOINT,
+        method: "GET",
+        queryParameters,
+        headers: {
+            Accept: "application/json",
+            secret: process.env.MSI_SECRET
+        }
+    };
+}
+export const appServiceMsi2017 = {
+    isAvailable() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const env = process.env;
+            return Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
+        });
+    },
+    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+        return __awaiter(this, void 0, void 0, function* () {
+            logger.info(`Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
+            return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+        });
+    }
+};
+//# sourceMappingURL=appServiceMsi2017.js.map

package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2017.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"appServiceMsi2017.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/appServiceMsi2017.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAIlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE7C,MAAM,MAAM,GAAG,gBAAgB,CAAC,gDAAgD,CAAC,CAAC;AAElF,SAAS,eAAe,CAAC,WAAgB;IACvC,4DAA4D;IAC5D,8CAA8C;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB,EAAE,QAAiB;IAChE,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,YAAY;KAC5B,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,eAAe,CAAC,QAAQ,GAAG,QAAQ,CAAC;KACrC;IAED,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;QAC7B,MAAM,EAAE,KAAK;QACb,eAAe;QACf,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;YAC1B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;SAC/B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAQ;IAC9B,WAAW;;YACf,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YACxB,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QACrD,CAAC;KAAA;IACK,QAAQ,CACZ,cAA8B,EAC9B,QAAgB,EAChB,QAAiB,EACjB,kBAAmC,EAAE;;YAErC,MAAM,CAAC,IAAI,CACT,yFAAyF,OAAO,CAAC,GAAG,CAAC,YAAY,6BAA6B,CAC/I,CAAC;YAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACzC,eAAe,EACf,eAAe,CAChB,CAAC;QACJ,CAAC;KAAA;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, RequestPrepareOptions } from \"@azure/core-http\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { MSI } from \"./models\";\nimport { msiGenericGetToken } from \"./utils\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential - AppServiceMSI 2017\");\n\nfunction expiresInParser(requestBody: any): number {\n // Parse a date format like \"06/20/2019 02:57:58 +00:00\" and\n // convert it into a JavaScript-formatted date\n return Date.parse(requestBody.expires_on);\n}\n\nfunction prepareRequestOptions(resource: string, clientId?: string): RequestPrepareOptions {\n const queryParameters: any = {\n resource,\n \"api-version\": \"2017-09-01\"\n };\n\n if (clientId) {\n queryParameters.clientid = clientId;\n }\n\n return {\n url: process.env.MSI_ENDPOINT,\n method: \"GET\",\n queryParameters,\n headers: {\n Accept: \"application/json\",\n secret: process.env.MSI_SECRET\n }\n };\n}\n\nexport const appServiceMsi2017: MSI = {\n async isAvailable(): Promise<boolean> {\n const env = process.env;\n return Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);\n },\n async getToken(\n identityClient: IdentityClient,\n resource: string,\n clientId?: string,\n getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken | null> {\n logger.info(\n `Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`\n );\n\n return msiGenericGetToken(\n identityClient,\n prepareRequestOptions(resource, clientId),\n expiresInParser,\n getTokenOptions\n );\n }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js ADDED Viewed

@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+import { __awaiter } from "tslib";
+import { credentialLogger } from "../../util/logging";
+import { msiGenericGetToken } from "./utils";
+import { azureArcAPIVersion } from "./constants";
+import { AuthenticationError } from "../../client/errors";
+import { readFile } from "fs";
+const logger = credentialLogger("ManagedIdentityCredential - ArcMSI");
+// Azure Arc MSI doesn't have a special expiresIn parser.
+const expiresInParser = undefined;
+function prepareRequestOptions(resource) {
+    const queryParameters = {
+        resource,
+        "api-version": azureArcAPIVersion
+    };
+    return {
+        // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
+        url: process.env.IDENTITY_ENDPOINT,
+        method: "GET",
+        queryParameters,
+        headers: {
+            Accept: "application/json",
+            Metadata: true
+        }
+    };
+}
+// Since "fs"'s readFileSync locks the thread, and to avoid extra dependencies.
+function readFileAsync(path, options) {
+    return new Promise((resolve, reject) => readFile(path, options, (err, data) => {
+        if (err) {
+            reject(err);
+        }
+        resolve(data);
+    }));
+}
+function filePathRequest(identityClient, requestPrepareOptions) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const response = yield identityClient.sendRequest(identityClient.createWebResource(requestPrepareOptions));
+        if (response.status !== 401) {
+            let message = "";
+            if (response.bodyAsText) {
+                message = ` Response: ${response.bodyAsText}`;
+            }
+            throw new AuthenticationError(response.status, `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`);
+        }
+        const authHeader = response.headers.get("www-authenticate") || "";
+        return authHeader.split("=").slice(1)[0];
+    });
+}
+export const arcMsi = {
+    isAvailable() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
+        });
+    },
+    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+        return __awaiter(this, void 0, void 0, function* () {
+            logger.info(`Using the Azure Arc MSI to authenticate.`);
+            if (clientId) {
+                throw new Error("User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.");
+            }
+            const requestOptions = Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions }, prepareRequestOptions(resource));
+            const filePath = yield filePathRequest(identityClient, requestOptions);
+            if (!filePath) {
+                throw new Error("Azure Arc MSI failed to find the token file.");
+            }
+            const key = yield readFileAsync(filePath, { encoding: "utf-8" });
+            requestOptions.headers["Authorization"] = `Basic ${key}`;
+            return msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions);
+        });
+    }
+};
+//# sourceMappingURL=arcMsi.js.map

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"arcMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/arcMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAIlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAE9B,MAAM,MAAM,GAAG,gBAAgB,CAAC,oCAAoC,CAAC,CAAC;AAEtE,yDAAyD;AACzD,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAAC,QAAiB;IAC9C,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,OAAO;QACL,8EAA8E;QAC9E,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAClC,MAAM,EAAE,KAAK;QACb,eAAe;QACf,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,IAAI;SACf;KACF,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,SAAS,aAAa,CAAC,IAAY,EAAE,OAA6B;IAChE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CACrC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,GAAG,EAAE;YACP,MAAM,CAAC,GAAG,CAAC,CAAC;SACb;QACD,OAAO,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,SAAe,eAAe,CAC5B,cAA8B,EAC9B,qBAA4C;;QAE5C,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAC/C,cAAc,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,CACxD,CAAC;QAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;YAC3B,IAAI,OAAO,GAAG,EAAE,CAAC;YACjB,IAAI,QAAQ,CAAC,UAAU,EAAE;gBACvB,OAAO,GAAG,cAAc,QAAQ,CAAC,UAAU,EAAE,CAAC;aAC/C;YACD,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,CAAC,MAAM,EACf,wFAAwF,OAAO,EAAE,CAClG,CAAC;SACH;QAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;QAClE,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;CAAA;AAED,MAAM,CAAC,MAAM,MAAM,GAAQ;IACnB,WAAW;;YACf,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAC7E,CAAC;KAAA;IACK,QAAQ,CACZ,cAA8B,EAC9B,QAAiB,EACjB,QAAiB,EACjB,kBAAmC,EAAE;;YAErC,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YAExD,IAAI,QAAQ,EAAE;gBACZ,MAAM,IAAI,KAAK,CACb,4TAA4T,CAC7T,CAAC;aACH;YAED,MAAM,cAAc,mBAClB,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,eAAe,CAAC,WAAW,EACxC,WAAW,EAAE,eAAe,CAAC,cAAc,IAAI,eAAe,CAAC,cAAc,CAAC,WAAW,IACtF,qBAAqB,CAAC,QAAQ,CAAC,CACnC,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;YAEvE,IAAI,CAAC,QAAQ,EAAE;gBACb,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;aACjE;YAED,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;YACjE,cAAc,CAAC,OAAQ,CAAC,eAAe,CAAC,GAAG,SAAS,GAAG,EAAE,CAAC;YAE1D,OAAO,kBAAkB,CAAC,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;QAC9F,CAAC;KAAA;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, RequestPrepareOptions } from \"@azure/core-http\";\nimport { MSI } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { msiGenericGetToken } from \"./utils\";\nimport { azureArcAPIVersion } from \"./constants\";\nimport { AuthenticationError } from \"../../client/errors\";\nimport { readFile } from \"fs\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential - ArcMSI\");\n\n// Azure Arc MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(resource?: string): RequestPrepareOptions {\n const queryParameters: any = {\n resource,\n \"api-version\": azureArcAPIVersion\n };\n\n return {\n // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token\n url: process.env.IDENTITY_ENDPOINT,\n method: \"GET\",\n queryParameters,\n headers: {\n Accept: \"application/json\",\n Metadata: true\n }\n };\n}\n\n// Since \"fs\"'s readFileSync locks the thread, and to avoid extra dependencies.\nfunction readFileAsync(path: string, options: { encoding: string }): Promise<string> {\n return new Promise((resolve, reject) =>\n readFile(path, options, (err, data) => {\n if (err) {\n reject(err);\n }\n resolve(data);\n })\n );\n}\n\nasync function filePathRequest(\n identityClient: IdentityClient,\n requestPrepareOptions: RequestPrepareOptions\n): Promise<string | undefined> {\n const response = await identityClient.sendRequest(\n identityClient.createWebResource(requestPrepareOptions)\n );\n\n if (response.status !== 401) {\n let message = \"\";\n if (response.bodyAsText) {\n message = ` Response: ${response.bodyAsText}`;\n }\n throw new AuthenticationError(\n response.status,\n `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`\n );\n }\n\n const authHeader = response.headers.get(\"www-authenticate\") || \"\";\n return authHeader.split(\"=\").slice(1)[0];\n}\n\nexport const arcMsi: MSI = {\n async isAvailable(): Promise<boolean> {\n return Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);\n },\n async getToken(\n identityClient: IdentityClient,\n resource?: string,\n clientId?: string,\n getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken | null> {\n logger.info(`Using the Azure Arc MSI to authenticate.`);\n\n if (clientId) {\n throw new Error(\n \"User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.\"\n );\n }\n\n const requestOptions = {\n disableJsonStringifyOnBody: true,\n deserializationMapper: undefined,\n abortSignal: getTokenOptions.abortSignal,\n spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions,\n ...prepareRequestOptions(resource)\n };\n\n const filePath = await filePathRequest(identityClient, requestOptions);\n\n if (!filePath) {\n throw new Error(\"Azure Arc MSI failed to find the token file.\");\n }\n\n const key = await readFileAsync(filePath, { encoding: \"utf-8\" });\n requestOptions.headers![\"Authorization\"] = `Basic ${key}`;\n\n return msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions);\n }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/cloudShellMsi.js ADDED Viewed

@@ -0,0 +1,41 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+import { __awaiter } from "tslib";
+import qs from "qs";
+import { credentialLogger } from "../../util/logging";
+import { msiGenericGetToken } from "./utils";
+const logger = credentialLogger("ManagedIdentityCredential - CloudShellMSI");
+// Cloud Shell MSI doesn't have a special expiresIn parser.
+const expiresInParser = undefined;
+function prepareRequestOptions(resource, clientId) {
+    const body = {
+        resource
+    };
+    if (clientId) {
+        body.client_id = clientId;
+    }
+    return {
+        url: process.env.MSI_ENDPOINT,
+        method: "POST",
+        body: qs.stringify(body),
+        headers: {
+            Accept: "application/json",
+            Metadata: true,
+            "Content-Type": "application/x-www-form-urlencoded"
+        }
+    };
+}
+export const cloudShellMsi = {
+    isAvailable() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return Boolean(process.env.MSI_ENDPOINT);
+        });
+    },
+    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+        return __awaiter(this, void 0, void 0, function* () {
+            logger.info(`Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the Cloud Shell to proceed with the authentication.`);
+            return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+        });
+    }
+};
+//# sourceMappingURL=cloudShellMsi.js.map

package/dist-esm/src/credentials/managedIdentityCredential/cloudShellMsi.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cloudShellMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/cloudShellMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAElC,OAAO,EAAE,MAAM,IAAI,CAAC;AAGpB,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE7C,MAAM,MAAM,GAAG,gBAAgB,CAAC,2CAA2C,CAAC,CAAC;AAE7E,2DAA2D;AAC3D,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAAC,QAAgB,EAAE,QAAiB;IAChE,MAAM,IAAI,GAAQ;QAChB,QAAQ;KACT,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;KAC3B;IAED,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;QAC7B,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC;QACxB,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,IAAI;YACd,cAAc,EAAE,mCAAmC;SACpD;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAQ;IAC1B,WAAW;;YACf,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC3C,CAAC;KAAA;IACK,QAAQ,CACZ,cAA8B,EAC9B,QAAgB,EAChB,QAAiB,EACjB,kBAAmC,EAAE;;YAErC,MAAM,CAAC,IAAI,CACT,wEAAwE,OAAO,CAAC,GAAG,CAAC,YAAY,iEAAiE,CAClK,CAAC;YAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACzC,eAAe,EACf,eAAe,CAChB,CAAC;QACJ,CAAC;KAAA;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport qs from \"qs\";\nimport { AccessToken, GetTokenOptions, RequestPrepareOptions } from \"@azure/core-http\";\nimport { MSI } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { msiGenericGetToken } from \"./utils\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential - CloudShellMSI\");\n\n// Cloud Shell MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(resource: string, clientId?: string): RequestPrepareOptions {\n const body: any = {\n resource\n };\n\n if (clientId) {\n body.client_id = clientId;\n }\n\n return {\n url: process.env.MSI_ENDPOINT,\n method: \"POST\",\n body: qs.stringify(body),\n headers: {\n Accept: \"application/json\",\n Metadata: true,\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n }\n };\n}\n\nexport const cloudShellMsi: MSI = {\n async isAvailable(): Promise<boolean> {\n return Boolean(process.env.MSI_ENDPOINT);\n },\n async getToken(\n identityClient: IdentityClient,\n resource: string,\n clientId?: string,\n getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken | null> {\n logger.info(\n `Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the Cloud Shell to proceed with the authentication.`\n );\n\n return msiGenericGetToken(\n identityClient,\n prepareRequestOptions(resource, clientId),\n expiresInParser,\n getTokenOptions\n );\n }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/constants.js ADDED Viewed

@@ -0,0 +1,8 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+export const DefaultScopeSuffix = "/.default";
+export const imdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
+export const imdsApiVersion = "2018-02-01";
+export const azureArcAPIVersion = "2019-11-01";
+export const azureFabricVersion = "2019-07-01-preview";
+//# sourceMappingURL=constants.js.map

package/dist-esm/src/credentials/managedIdentityCredential/constants.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,MAAM,CAAC,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAE9C,MAAM,CAAC,MAAM,YAAY,GAAG,uDAAuD,CAAC;AACpF,MAAM,CAAC,MAAM,cAAc,GAAG,YAAY,CAAC;AAC3C,MAAM,CAAC,MAAM,kBAAkB,GAAG,YAAY,CAAC;AAC/C,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nexport const DefaultScopeSuffix = \"/.default\";\n\nexport const imdsEndpoint = \"http://169.254.169.254/metadata/identity/oauth2/token\";\nexport const imdsApiVersion = \"2018-02-01\";\nexport const azureArcAPIVersion = \"2019-11-01\";\nexport const azureFabricVersion = \"2019-07-01-preview\";\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/fabricMsi.js ADDED Viewed

@@ -0,0 +1,59 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+import { __awaiter } from "tslib";
+import { credentialLogger } from "../../util/logging";
+import { msiGenericGetToken } from "./utils";
+import { azureFabricVersion } from "./constants";
+const logger = credentialLogger("ManagedIdentityCredential - Fabric MSI");
+function expiresInParser(requestBody) {
+    // Parses a string representation of the seconds since epoch into a number value
+    return Number(requestBody.expires_on);
+}
+function prepareRequestOptions(resource, clientId) {
+    const queryParameters = {
+        resource,
+        "api-version": azureFabricVersion
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    return {
+        url: process.env.IDENTITY_ENDPOINT,
+        method: "GET",
+        queryParameters,
+        headers: {
+            Accept: "application/json",
+            Secret: process.env.IDENTITY_HEADER
+        }
+    };
+}
+// This credential can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
+//
+//   FROM node:12
+//   RUN wget https://host.any/path/bash.sh
+//   CMD ["bash", "bash.sh"]
+//
+// Where the bash script contains:
+//
+//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
+//
+export const fabricMsi = {
+    isAvailable() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const env = process.env;
+            return Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
+        });
+    },
+    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+        return __awaiter(this, void 0, void 0, function* () {
+            logger.info([
+                "Using the endpoint and the secret coming from the environment variables:",
+                `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
+                "IDENTITY_HEADER=[REDACTED] and",
+                "IDENTITY_SERVER_THUMBPRINT=[REDACTED]."
+            ].join(" "));
+            return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+        });
+    }
+};
+//# sourceMappingURL=fabricMsi.js.map

package/dist-esm/src/credentials/managedIdentityCredential/fabricMsi.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"fabricMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/fabricMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAIlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,wCAAwC,CAAC,CAAC;AAE1E,SAAS,eAAe,CAAC,WAAgB;IACvC,gFAAgF;IAChF,OAAO,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB,EAAE,QAAiB;IAChE,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;KACtC;IAED,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAClC,MAAM,EAAE,KAAK;QACb,eAAe;QACf,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;YAC1B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;SACpC;KACF,CAAC;AACJ,CAAC;AAED,6GAA6G;AAC7G,EAAE;AACF,iBAAiB;AACjB,2CAA2C;AAC3C,4BAA4B;AAC5B,EAAE;AACF,kCAAkC;AAClC,EAAE;AACF,wIAAwI;AACxI,EAAE;AAEF,MAAM,CAAC,MAAM,SAAS,GAAQ;IACtB,WAAW;;YACf,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YACxB,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,0BAA0B,CAAC,CAAC;QACjG,CAAC;KAAA;IACK,QAAQ,CACZ,cAA8B,EAC9B,QAAgB,EAChB,QAAiB,EACjB,kBAAmC,EAAE;;YAErC,MAAM,CAAC,IAAI,CACT;gBACE,0EAA0E;gBAC1E,qBAAqB,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG;gBACrD,gCAAgC;gBAChC,wCAAwC;aACzC,CAAC,IAAI,CAAC,GAAG,CAAC,CACZ,CAAC;YAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACzC,eAAe,EACf,eAAe,CAChB,CAAC;QACJ,CAAC;KAAA;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions, RequestPrepareOptions } from \"@azure/core-http\";\nimport { MSI } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { msiGenericGetToken } from \"./utils\";\nimport { azureFabricVersion } from \"./constants\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential - Fabric MSI\");\n\nfunction expiresInParser(requestBody: any): number {\n // Parses a string representation of the seconds since epoch into a number value\n return Number(requestBody.expires_on);\n}\n\nfunction prepareRequestOptions(resource: string, clientId?: string): RequestPrepareOptions {\n const queryParameters: any = {\n resource,\n \"api-version\": azureFabricVersion\n };\n\n if (clientId) {\n queryParameters.client_id = clientId;\n }\n\n return {\n url: process.env.IDENTITY_ENDPOINT,\n method: \"GET\",\n queryParameters,\n headers: {\n Accept: \"application/json\",\n Secret: process.env.IDENTITY_HEADER\n }\n };\n}\n\n// This credential can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:\n//\n// FROM node:12\n// RUN wget https://host.any/path/bash.sh\n// CMD [\"bash\", \"bash.sh\"]\n//\n// Where the bash script contains:\n//\n// curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H \"Secret: $IDENTITY_HEADER\"\n//\n\nexport const fabricMsi: MSI = {\n async isAvailable(): Promise<boolean> {\n const env = process.env;\n return Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);\n },\n async getToken(\n identityClient: IdentityClient,\n resource: string,\n clientId?: string,\n getTokenOptions: GetTokenOptions = {}\n ): Promise<AccessToken | null> {\n logger.info(\n [\n \"Using the endpoint and the secret coming from the environment variables:\",\n `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,\n \"IDENTITY_HEADER=[REDACTED] and\",\n \"IDENTITY_SERVER_THUMBPRINT=[REDACTED].\"\n ].join(\" \")\n );\n\n return msiGenericGetToken(\n identityClient,\n prepareRequestOptions(resource, clientId),\n expiresInParser,\n getTokenOptions\n );\n }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js ADDED Viewed

@@ -0,0 +1,109 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+import { __awaiter } from "tslib";
+import { RestError } from "@azure/core-http";
+import { CanonicalCode } from "@opentelemetry/api";
+import { credentialLogger } from "../../util/logging";
+import { createSpan } from "../../util/tracing";
+import { imdsApiVersion, imdsEndpoint } from "./constants";
+import { msiGenericGetToken } from "./utils";
+const logger = credentialLogger("ManagedIdentityCredential - IMDS");
+function expiresInParser(requestBody) {
+    if (requestBody.expires_on) {
+        // Use the expires_on timestamp if it's available
+        const expires = +requestBody.expires_on * 1000;
+        logger.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        return expires;
+    }
+    else {
+        // If these aren't possible, use expires_in and calculate a timestamp
+        const expires = Date.now() + requestBody.expires_in * 1000;
+        logger.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
+        return expires;
+    }
+}
+function prepareRequestOptions(resource, clientId) {
+    const queryParameters = {
+        resource,
+        "api-version": imdsApiVersion
+    };
+    if (clientId) {
+        queryParameters.client_id = clientId;
+    }
+    return {
+        url: imdsEndpoint,
+        method: "GET",
+        queryParameters,
+        headers: {
+            Accept: "application/json",
+            Metadata: true
+        }
+    };
+}
+export const imdsMsi = {
+    isAvailable(identityClient, resource, clientId, getTokenOptions) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const { span, options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
+            const request = prepareRequestOptions(resource, clientId);
+            // This will always be populated, but let's make TypeScript happy
+            if (request.headers) {
+                // Remove the Metadata header to invoke a request error from
+                // IMDS endpoint
+                delete request.headers.Metadata;
+            }
+            request.spanOptions = options.tracingOptions && options.tracingOptions.spanOptions;
+            try {
+                // Create a request with a timeout since we expect that
+                // not having a "Metadata" header should cause an error to be
+                // returned quickly from the endpoint, proving its availability.
+                const webResource = identityClient.createWebResource(request);
+                webResource.timeout = (options.requestOptions && options.requestOptions.timeout) || 500;
+                try {
+                    logger.info(`Pinging IMDS endpoint`);
+                    yield identityClient.sendRequest(webResource);
+                }
+                catch (err) {
+                    if ((err instanceof RestError && err.code === RestError.REQUEST_SEND_ERROR) ||
+                        err.name === "AbortError" ||
+                        err.code === "ECONNREFUSED" || // connection refused
+                        err.code === "EHOSTDOWN" // host is down
+                    ) {
+                        // If the request failed, or NodeJS was unable to establish a connection,
+                        // or the host was down, we'll assume the IMDS endpoint isn't available.
+                        logger.info(`IMDS endpoint unavailable`);
+                        span.setStatus({
+                            code: CanonicalCode.UNAVAILABLE,
+                            message: err.message
+                        });
+                        // IMDS MSI unavailable.
+                        return false;
+                    }
+                }
+                // If we received any response, the endpoint is available
+                logger.info(`IMDS endpoint is available`);
+                // IMDS MSI available!
+                return true;
+            }
+            catch (err) {
+                // createWebResource failed.
+                // This error should bubble up to the user.
+                logger.info(`Error when creating the WebResource for the IMDS endpoint: ${err.message}`);
+                span.setStatus({
+                    code: CanonicalCode.UNKNOWN,
+                    message: err.message
+                });
+                throw err;
+            }
+            finally {
+                span.end();
+            }
+        });
+    },
+    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+        return __awaiter(this, void 0, void 0, function* () {
+            logger.info(`Using the IMDS endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
+            return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+        });
+    }
+};
+//# sourceMappingURL=imdsMsi.js.map