npm - @azure/identity - Versions diffs - 1.2.0-beta.2 → 1.2.0 - Mend

@azure/identity 1.2.0-beta.2 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @azure/identity might be problematic. Click here for more details.

Files changed (72) hide show

package/dist-esm/src/util/logging.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"logging.js","sourceRoot":"","sources":["../../../src/util/logging.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,kBAAkB,EAAe,MAAM,eAAe,CAAC;AAEhE;;GAEG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;AAOrD;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,gBAA0B;IACvD,OAAO,gBAAgB,CAAC,MAAM,CAC5B,CAAC,GAA2B,EAAE,WAAmB,EAAE,EAAE;QACnD,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE;YAC5B,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;SAChC;aAAM;YACL,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;SAC/B;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAC9B,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,cAAsB,EAAE,gBAA0B;IAC3E,MAAM,EAAE,QAAQ,EAAE,GAAG,cAAc,CAAC,gBAAgB,CAAC,CAAC;IACtD,MAAM,CAAC,IAAI,CACT,GAAG,cAAc,kDAAkD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACzF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAwB;IACpD,OAAO,~~YAAY~~,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,~~EAAE~~,CAAC;~~AACvE~~,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAqB;~~IAC/C~~,OAAO,~~UAAU~~,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,~~EAAE~~,CAAC;~~AACvE~~,CAAC;AAkBD;;;;;;;GAOG;AACH,MAAM,UAAU,wBAAwB,CACtC,KAAa,EACb,MAAiC,EACjC,MAAmB,MAAM;IAEzB,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,SAAS,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;IAElE,SAAS,IAAI,CAAC,OAAe;QAC3B,GAAG,CAAC,IAAI,CAAC,GAAG,SAAS,KAAK,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,OAAO;QACL,KAAK;QACL,SAAS;QACT,IAAI;KACL,CAAC;AACJ,CAAC;AAUD;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa,EAAE,MAAmB,MAAM;IACvE,MAAM,MAAM,GAAG,wBAAwB,CAAC,KAAK,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;IAC/D,uCACK,MAAM,KACT,QAAQ,EAAE,wBAAwB,CAAC,eAAe,EAAE,MAAM,EAAE,GAAG,CAAC,IAChE;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { createClientLogger, AzureLogger } from \"@azure/logger\";\n\n/*\n The AzureLogger used for all clients within the identity package\n /\nexport const logger = createClientLogger(\"identity\");\n\ninterface EnvironmentAccumulator {\n missing: string[];\n assigned: string[];\n}\n\n/\n Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.\n * @param supportedEnvVars List of environment variable names\n /\nexport function processEnvVars(supportedEnvVars: string[]): EnvironmentAccumulator {\n return supportedEnvVars.reduce(\n (acc: EnvironmentAccumulator, envVariable: string) => {\n if (process.env[envVariable]) {\n acc.assigned.push(envVariable);\n } else {\n acc.missing.push(envVariable);\n }\n return acc;\n },\n { missing: [], assigned: [] }\n );\n}\n\n/\n Based on a given list of environment variable names,\n * logs the environment variables currently assigned during the usage of a credential that goes by the given name.\n * @param credentialName Name of the credential in use\n * @param supportedEnvVars List of environment variables supported by that credential\n /\nexport function logEnvVars(credentialName: string, supportedEnvVars: string[]): void {\n const { assigned } = processEnvVars(supportedEnvVars);\n logger.info(\n `${credentialName} => Found the following environment variables: ${assigned.join(\", \")}`\n );\n}\n\n/\n Formatting the success event on the credentials\n /\nexport function formatSuccess(scope: string \| string[]): string {\n return `SUCCESS: ${Array.isArray(scope) ? scope.join(\", \") : scope}~~`;\~~n}\n\n/\n Formatting the success event on the credentials\n /\nexport function formatError(error: Error \| string): string {\n ~~return~~ `~~ERROR~~: ${typeof error === \"string\" ? error : error.message}~~`;\~~n}\n\n/\n A CredentialLoggerInstance is a logger properly formatted to work in a credential's constructor, and its methods.\n /\nexport interface CredentialLoggerInstance {\n title: string;\n fullTitle: string;\n info(message: string): void;\n /\n The logging functions for warning and error are intentionally left out, since we want the identity logging to be at the info level.\n * Otherwise, they would look like:\n \n warning(message: string): void;\n * error(err: Error): void;\n /\n}\n\n/\n Generates a CredentialLoggerInstance.\n \n It logs with the format:\n \n [title] => [message]\n \n /\nexport function credentialLoggerInstance(\n title: string,\n parent?: CredentialLoggerInstance,\n log: AzureLogger = logger\n): CredentialLoggerInstance {\n const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;\n\n function info(message: string): void {\n log.info(`${fullTitle} =>`, message);\n }\n\n return {\n title,\n fullTitle,\n info\n };\n}\n\n/*\n A CredentialLogger is a logger declared at the credential's constructor, and used at any point in the credential.\n * It has all the properties of a CredentialLoggerInstance, plus other logger instances, one per method.\n /\nexport interface CredentialLogger extends CredentialLoggerInstance {\n getToken: CredentialLoggerInstance;\n}\n\n/\n Generates a CredentialLogger, which is a logger declared at the credential's constructor, and used at any point in the credential.\n * It has all the properties of a CredentialLoggerInstance, plus other logger instances, one per method.\n \n It logs with the format:\n \n [title] => [message]\n * [title] => getToken() => [message]\n \n /\nexport function credentialLogger(title: string, log: AzureLogger = logger): CredentialLogger {\n const logger = credentialLoggerInstance(title, undefined, log);\n return {\n ...logger,\n getToken: credentialLoggerInstance(\"=> getToken()\", logger, log)\n };\n}\n"]}
1	+ {"version":3,"file":"logging.js","sourceRoot":"","sources":["../../../src/util/logging.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,kBAAkB,EAAe,MAAM,eAAe,CAAC;AAEhE;;GAEG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;AAOrD;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,gBAA0B;IACvD,OAAO,gBAAgB,CAAC,MAAM,CAC5B,CAAC,GAA2B,EAAE,WAAmB,EAAE,EAAE;QACnD,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE;YAC5B,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;SAChC;aAAM;YACL,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;SAC/B;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAC9B,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,cAAsB,EAAE,gBAA0B;IAC3E,MAAM,EAAE,QAAQ,EAAE,GAAG,cAAc,CAAC,gBAAgB,CAAC,CAAC;IACtD,MAAM,CAAC,IAAI,CACT,GAAG,cAAc,kDAAkD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACzF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAwB;IACpD,OAAO,oBAAoB,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC;AAChF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAoC,EAAE,KAAqB;IACrF,IAAI,OAAO,GAAG,QAAQ,CAAC;IACvB,IAAI,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,MAAM,EAAE;QACjB,OAAO,IAAI,YAAY,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC;KAC3E;IACD,OAAO,GAAG,OAAO,mBAAmB,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC;AAC3F,CAAC;AAkBD;;;;;;;GAOG;AACH,MAAM,UAAU,wBAAwB,CACtC,KAAa,EACb,MAAiC,EACjC,MAAmB,MAAM;IAEzB,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,SAAS,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;IAElE,SAAS,IAAI,CAAC,OAAe;QAC3B,GAAG,CAAC,IAAI,CAAC,GAAG,SAAS,KAAK,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAED,OAAO;QACL,KAAK;QACL,SAAS;QACT,IAAI;KACL,CAAC;AACJ,CAAC;AAUD;;;;;;;;;GASG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa,EAAE,MAAmB,MAAM;IACvE,MAAM,MAAM,GAAG,wBAAwB,CAAC,KAAK,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC;IAC/D,uCACK,MAAM,KACT,QAAQ,EAAE,wBAAwB,CAAC,eAAe,EAAE,MAAM,EAAE,GAAG,CAAC,IAChE;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { createClientLogger, AzureLogger } from \"@azure/logger\";\n\n/*\n The AzureLogger used for all clients within the identity package\n /\nexport const logger = createClientLogger(\"identity\");\n\ninterface EnvironmentAccumulator {\n missing: string[];\n assigned: string[];\n}\n\n/\n Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.\n * @param supportedEnvVars List of environment variable names\n /\nexport function processEnvVars(supportedEnvVars: string[]): EnvironmentAccumulator {\n return supportedEnvVars.reduce(\n (acc: EnvironmentAccumulator, envVariable: string) => {\n if (process.env[envVariable]) {\n acc.assigned.push(envVariable);\n } else {\n acc.missing.push(envVariable);\n }\n return acc;\n },\n { missing: [], assigned: [] }\n );\n}\n\n/\n Based on a given list of environment variable names,\n * logs the environment variables currently assigned during the usage of a credential that goes by the given name.\n * @param credentialName Name of the credential in use\n * @param supportedEnvVars List of environment variables supported by that credential\n /\nexport function logEnvVars(credentialName: string, supportedEnvVars: string[]): void {\n const { assigned } = processEnvVars(supportedEnvVars);\n logger.info(\n `${credentialName} => Found the following environment variables: ${assigned.join(\", \")}`\n );\n}\n\n/\n Formatting the success event on the credentials\n /\nexport function formatSuccess(scope: string \| string[]): string {\n return `SUCCESS. Scopes: ${Array.isArray(scope) ? scope.join(\", \") : scope}.`;\n}\n\n/\n Formatting the success event on the credentials\n /\nexport function formatError(scope: string \| string[] \| undefined, error: Error \| string): string {\n let message = \"ERROR.\";\n if (scope?.length) {\n message += ` Scopes: ${Array.isArray(scope) ? scope.join(\", \") : scope}.`;\n }\n return `${message} Error message: ${typeof error === \"string\" ? error : error.message}.`;\n}\n\n/\n A CredentialLoggerInstance is a logger properly formatted to work in a credential's constructor, and its methods.\n /\nexport interface CredentialLoggerInstance {\n title: string;\n fullTitle: string;\n info(message: string): void;\n /\n The logging functions for warning and error are intentionally left out, since we want the identity logging to be at the info level.\n * Otherwise, they would look like:\n \n warning(message: string): void;\n * error(err: Error): void;\n /\n}\n\n/\n Generates a CredentialLoggerInstance.\n \n It logs with the format:\n \n [title] => [message]\n \n /\nexport function credentialLoggerInstance(\n title: string,\n parent?: CredentialLoggerInstance,\n log: AzureLogger = logger\n): CredentialLoggerInstance {\n const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;\n\n function info(message: string): void {\n log.info(`${fullTitle} =>`, message);\n }\n\n return {\n title,\n fullTitle,\n info\n };\n}\n\n/*\n A CredentialLogger is a logger declared at the credential's constructor, and used at any point in the credential.\n * It has all the properties of a CredentialLoggerInstance, plus other logger instances, one per method.\n /\nexport interface CredentialLogger extends CredentialLoggerInstance {\n getToken: CredentialLoggerInstance;\n}\n\n/\n Generates a CredentialLogger, which is a logger declared at the credential's constructor, and used at any point in the credential.\n * It has all the properties of a CredentialLoggerInstance, plus other logger instances, one per method.\n \n It logs with the format:\n \n [title] => [message]\n * [title] => getToken() => [message]\n \n /\nexport function credentialLogger(title: string, log: AzureLogger = logger): CredentialLogger {\n const logger = credentialLoggerInstance(title, undefined, log);\n return {\n ...logger,\n getToken: credentialLoggerInstance(\"=> getToken()\", logger, log)\n };\n}\n"]}

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@azure/identity",
   "sdk-type": "client",
-  "version": "1.2.0-beta.2",
+  "version": "1.2.0",
   "description": "Provides credential implementations for Azure SDK libraries that can authenticate with Azure Active Directory",
   "main": "dist/index.js",
   "module": "dist-esm/src/index.js",
@@ -9,7 +9,7 @@
   "browser": {
     "./dist-esm/src/credentials/azureCliCredential.js": "./dist-esm/src/credentials/azureCliCredential.browser.js",
     "./dist-esm/src/credentials/environmentCredential.js": "./dist-esm/src/credentials/environmentCredential.browser.js",
-    "./dist-esm/src/credentials/managedIdentityCredential.js": "./dist-esm/src/credentials/managedIdentityCredential.browser.js",
+    "./dist-esm/src/credentials/managedIdentityCredential/index.js": "./dist-esm/src/credentials/managedIdentityCredential/index.browser.js",
     "./dist-esm/src/credentials/clientCertificateCredential.js": "./dist-esm/src/credentials/clientCertificateCredential.browser.js",
     "./dist-esm/src/credentials/deviceCodeCredential.js": "./dist-esm/src/credentials/deviceCodeCredential.browser.js",
     "./dist-esm/src/credentials/defaultAzureCredential.js": "./dist-esm/src/credentials/defaultAzureCredential.browser.js",
@@ -79,11 +79,12 @@
   "homepage": "https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/identity/identity/README.md",
   "sideEffects": false,
   "dependencies": {
-    "@azure/core-http": "^1.1.6",
+    "@azure/core-http": "^1.2.0",
     "@azure/core-tracing": "1.0.0-preview.9",
     "@azure/logger": "^1.0.0",
-    "@azure/msal-node": "^1.0.0-alpha.8",
+    "@azure/msal-node": "^1.0.0-alpha.13",
     "@opentelemetry/api": "^0.10.2",
+    "axios": "^0.20.0",
     "events": "^3.0.0",
     "jws": "^4.0.0",
     "msal": "^1.0.2",
@@ -135,6 +136,7 @@
     "typescript": "~3.9.3",
     "util": "^0.12.1",
     "sinon": "^9.0.2",
-    "@types/sinon": "^9.0.4"
+    "@types/sinon": "^9.0.4",
+    "mock-fs": "^4.10.4"
   }
 }

package/types/identity.d.ts CHANGED Viewed

@@ -293,7 +293,7 @@ export declare interface ClientCertificateCredentialOptions extends TokenCredent
      * Option to include x5c header for SubjectName and Issuer name authorization.
      * Set this option to send base64 encoded public certificate in the client assertion header as an x5c claim
      */
-    includeX5c?: boolean;
+    sendCertificateChain?: boolean;
 }
 /**
@@ -380,23 +380,22 @@ export declare interface DefaultAzureCredentialOptions extends TokenCredentialOp
  * that the user can enter into https://microsoft.com/devicelogin.
  */
 export declare class DeviceCodeCredential implements TokenCredential {
-    private pca;
-    private tenantId;
-    private clientId;
     private userPromptCallback;
-    private authorityHost;
+    private msalClient;
     /**
      * Creates an instance of DeviceCodeCredential with the details needed
      * to initiate the device code authorization flow with Azure Active Directory.
      *
      * @param tenantId The Azure Active Directory tenant (directory) ID or name.
+     *                 The default value is 'organizations'.
      *                 'organizations' may be used when dealing with multi-tenant scenarios.
      * @param clientId The client (application) ID of an App Registration in the tenant.
+     *                 By default we will try to use the Azure CLI's client ID to authenticate.
      * @param userPromptCallback A callback function that will be invoked to show
                                  {@link DeviceCodeInfo} to the user. If left unassigned, we will automatically log the device code information and the authentication instructions in the console.
      * @param options Options for configuring the client which makes the authentication request.
      */
-    constructor(tenantId: string | "organizations", clientId: string, userPromptCallback?: DeviceCodePromptCallback, options?: TokenCredentialOptions);
+    constructor(tenantId?: string, clientId?: string, userPromptCallback?: DeviceCodePromptCallback, options?: TokenCredentialOptions);
     /**
      * Authenticates with Azure Active Directory and returns an access token if
      * successful.  If authentication cannot be performed at this time, this method may
@@ -523,16 +522,9 @@ export { GetTokenOptions }
  * window.  This credential is not currently supported in Node.js.
  */
 export declare class InteractiveBrowserCredential implements TokenCredential {
-    private identityClient;
-    private pca;
-    private msalCacheManager;
-    private tenantId;
-    private clientId;
-    private persistenceEnabled;
     private redirectUri;
-    private authorityHost;
-    private authenticationRecord;
     private port;
+    private msalClient;
     constructor(options?: InteractiveBrowserCredentialOptions);
     /**
      * Authenticates with Azure Active Directory and returns an access token if
@@ -545,7 +537,6 @@ export declare class InteractiveBrowserCredential implements TokenCredential {
      *                TokenCredential implementation might make.
      */
     getToken(scopes: string | string[], _options?: GetTokenOptions): Promise<AccessToken | null>;
-    private acquireTokenFromCache;
     private openAuthCodeUrl;
     private acquireTokenFromBrowser;
 }
@@ -579,19 +570,6 @@ export declare interface InteractiveBrowserCredentialOptions extends TokenCreden
      * The client (application) ID of an App Registration in the tenant.
      */
     clientId?: string;
-    /**
-     * The cache options to use when credentials are being checked.
-     */
-    cacheOptions?: {
-        cachePlugin?: {
-            readFromStorage: () => Promise<string>;
-            writeToStorage: (getMergedState: (oldState: string) => string) => Promise<void>;
-        };
-    };
-    /**
-     * The authentication record to use to find existing tokens in the cache
-     */
-    authenticationRecord?: AuthenticationRecord;
 }
 /**
@@ -626,11 +604,8 @@ export declare class ManagedIdentityCredential implements TokenCredential {
      * @param options Options for configuring the client which makes the access token request.
      */
     constructor(options?: TokenCredentialOptions);
-    private mapScopesToResource;
-    private createImdsAuthRequest;
-    private createAppServiceMsiAuthRequest;
-    private createCloudShellMsiAuthRequest;
-    private pingImdsEndpoint;
+    private cachedMSI;
+    private cachedAvailableMSI;
     private authenticateManagedIdentity;
     /**
      * Authenticates with Azure Active Directory and returns an access token if
@@ -703,6 +678,7 @@ export declare class UsernamePasswordCredential implements TokenCredential {
 export declare class VisualStudioCodeCredential implements TokenCredential {
     private identityClient;
     private tenantId;
+    private cloudName;
     /**
      * Creates an instance of VisualStudioCodeCredential to use for automatically authenticating via VSCode.
      *

package/dist-esm/src/credentials/managedIdentityCredential.browser.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"managedIdentityCredential.browser.js","sourceRoot":"","sources":["../../../src/credentials/managedIdentityCredential.browser.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAIlC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAEhE,MAAM,wBAAwB,GAAG,IAAI,KAAK,CACxC,4DAA4D,CAC7D,CAAC;AACF,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;AAE7D,MAAM,OAAO,yBAAyB;IAGpC;QACE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,wBAAwB,CAAC,CAAC,CAAC;QACnD,MAAM,wBAAwB,CAAC;IACjC,CAAC;IAEY,QAAQ;;YACnB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,wBAAwB,CAAC,CAAC,CAAC;YAC5D,MAAM,wBAAwB,CAAC;QACjC,CAAC;KAAA;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, TokenCredential } from \"@azure/core-http\";\nimport { TokenCredentialOptions } from \"../client/identityClient\";\nimport { credentialLogger, formatError } from \"../util/logging\";\n\nconst BrowserNotSupportedError = new Error(\n \"ManagedIdentityCredential is not supported in the browser.\"\n);\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\nexport class ManagedIdentityCredential implements TokenCredential {\n constructor(clientId: string, options?: TokenCredentialOptions);\n constructor(options?: TokenCredentialOptions);\n constructor() {\n logger.info(formatError(BrowserNotSupportedError));\n throw BrowserNotSupportedError;\n }\n\n public async getToken(): Promise<AccessToken | null> {\n logger.getToken.info(formatError(BrowserNotSupportedError));\n throw BrowserNotSupportedError;\n }\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential.js DELETED Viewed

@@ -1,376 +0,0 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-import { __awaiter } from "tslib";
-import qs from "qs";
-import { RestError } from "@azure/core-http";
-import { IdentityClient } from "../client/identityClient";
-import { createSpan } from "../util/tracing";
-import { AuthenticationErrorName, AuthenticationError, CredentialUnavailable } from "../client/errors";
-import { CanonicalCode } from "@opentelemetry/api";
-import { credentialLogger, formatSuccess, formatError } from "../util/logging";
-const DefaultScopeSuffix = "/.default";
-export const ImdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
-export const ImdsApiVersion = "2018-02-01";
-export const AppServiceMsiApiVersion = "2017-09-01";
-const logger = credentialLogger("ManagedIdentityCredential");
-/**
- * Attempts authentication using a managed identity that has been assigned
- * to the deployment environment.  This authentication type works in Azure VMs,
- * App Service and Azure Functions applications, and inside of Azure Cloud Shell.
- *
- * More information about configuring managed identities can be found here:
- *
- * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- */
-export class ManagedIdentityCredential {
-    /**
-     * @internal
-     * @ignore
-     */
-    constructor(clientIdOrOptions, options) {
-        this.isEndpointUnavailable = null;
-        if (typeof clientIdOrOptions === "string") {
-            // clientId, options constructor
-            this.clientId = clientIdOrOptions;
-            this.identityClient = new IdentityClient(options);
-        }
-        else {
-            // options only constructor
-            this.identityClient = new IdentityClient(clientIdOrOptions);
-        }
-    }
-    mapScopesToResource(scopes) {
-        let scope = "";
-        if (Array.isArray(scopes)) {
-            if (scopes.length !== 1) {
-                throw new Error("To convert to a resource string the specified array must be exactly length 1");
-            }
-            scope = scopes[0];
-        }
-        else if (typeof scopes === "string") {
-            scope = scopes;
-        }
-        if (!scope.endsWith(DefaultScopeSuffix)) {
-            return scope;
-        }
-        return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
-    }
-    createImdsAuthRequest(resource, clientId) {
-        const queryParameters = {
-            resource,
-            "api-version": ImdsApiVersion
-        };
-        if (clientId) {
-            queryParameters.client_id = clientId;
-        }
-        return {
-            url: ImdsEndpoint,
-            method: "GET",
-            queryParameters,
-            headers: {
-                Accept: "application/json",
-                Metadata: true
-            }
-        };
-    }
-    createAppServiceMsiAuthRequest(resource, clientId, version) {
-        const queryParameters = {
-            resource,
-            "api-version": AppServiceMsiApiVersion
-        };
-        if (version === "2019-08-01") {
-            if (clientId) {
-                queryParameters.client_id = clientId;
-            }
-            return {
-                url: process.env.IDENTITY_ENDPOINT,
-                method: "GET",
-                queryParameters,
-                headers: {
-                    Accept: "application/json",
-                    "X-IDENTITY-HEADER": process.env.IDENTITY_HEADER
-                }
-            };
-        }
-        else if (version === "2017-09-01") {
-            if (clientId) {
-                queryParameters.clientid = clientId;
-            }
-            return {
-                url: process.env.MSI_ENDPOINT,
-                method: "GET",
-                queryParameters,
-                headers: {
-                    Accept: "application/json",
-                    secret: process.env.MSI_SECRET
-                }
-            };
-        }
-        else {
-            throw new Error(`Unsupported version ${version}. The supported versions are "2019-08-01" and "2017-09-01"`);
-        }
-    }
-    createCloudShellMsiAuthRequest(resource, clientId) {
-        const body = {
-            resource
-        };
-        if (clientId) {
-            body.client_id = clientId;
-        }
-        return {
-            url: process.env.MSI_ENDPOINT,
-            method: "POST",
-            body: qs.stringify(body),
-            headers: {
-                Accept: "application/json",
-                Metadata: true,
-                "Content-Type": "application/x-www-form-urlencoded"
-            }
-        };
-    }
-    pingImdsEndpoint(resource, clientId, getTokenOptions) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const { span, options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
-            const request = this.createImdsAuthRequest(resource, clientId);
-            // This will always be populated, but let's make TypeScript happy
-            if (request.headers) {
-                // Remove the Metadata header to invoke a request error from
-                // IMDS endpoint
-                delete request.headers.Metadata;
-            }
-            request.spanOptions = options.tracingOptions && options.tracingOptions.spanOptions;
-            try {
-                // Create a request with a timeout since we expect that
-                // not having a "Metadata" header should cause an error to be
-                // returned quickly from the endpoint, proving its availability.
-                const webResource = this.identityClient.createWebResource(request);
-                webResource.timeout = (options.requestOptions && options.requestOptions.timeout) || 500;
-                try {
-                    logger.info(`Pinging IMDS endpoint`);
-                    yield this.identityClient.sendRequest(webResource);
-                }
-                catch (err) {
-                    if ((err instanceof RestError && err.code === RestError.REQUEST_SEND_ERROR) ||
-                        err.name === "AbortError" ||
-                        err.code === "ECONNREFUSED" || // connection refused
-                        err.code === "EHOSTDOWN" // host is down
-                    ) {
-                        // If the request failed, or NodeJS was unable to establish a connection,
-                        // or the host was down, we'll assume the IMDS endpoint isn't available.
-                        logger.info(`IMDS endpoint unavailable`);
-                        span.setStatus({
-                            code: CanonicalCode.UNAVAILABLE,
-                            message: err.message
-                        });
-                        return false;
-                    }
-                }
-                // If we received any response, the endpoint is available
-                logger.info(`IMDS endpoint is available`);
-                return true;
-            }
-            catch (err) {
-                // createWebResource failed.
-                // This error should bubble up to the user.
-                logger.info(formatError(`Error when creating the WebResource for the IMDS endpoint: ${err.message}`));
-                span.setStatus({
-                    code: CanonicalCode.UNKNOWN,
-                    message: err.message
-                });
-                throw err;
-            }
-            finally {
-                span.end();
-            }
-        });
-    }
-    authenticateManagedIdentity(scopes, checkIfImdsEndpointAvailable, clientId, getTokenOptions) {
-        return __awaiter(this, void 0, void 0, function* () {
-            let authRequestOptions;
-            const resource = this.mapScopesToResource(scopes);
-            let expiresInParser;
-            const { span, options } = createSpan("ManagedIdentityCredential-authenticateManagedIdentity", getTokenOptions);
-            try {
-                // Detect which type of environment we are running in
-                if (process.env.IDENTITY_ENDPOINT && process.env.IDENTITY_HEADER) {
-                    // Running in App Service 2019-08-01
-                    authRequestOptions = this.createAppServiceMsiAuthRequest(resource, clientId, "2019-08-01");
-                    expiresInParser = (requestBody) => {
-                        // Parses a string representation of the seconds since epoch into a number value
-                        return Number(requestBody.expires_on);
-                    };
-                    logger.info(`Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
-                }
-                else if (process.env.MSI_ENDPOINT) {
-                    if (process.env.MSI_SECRET) {
-                        // Running in App Service
-                        authRequestOptions = this.createAppServiceMsiAuthRequest(resource, clientId, "2017-09-01");
-                        expiresInParser = (requestBody) => {
-                            // Parse a date format like "06/20/2019 02:57:58 +00:00" and
-                            // convert it into a JavaScript-formatted date
-                            return Date.parse(requestBody.expires_on);
-                        };
-                        logger.info(`Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
-                    }
-                    else {
-                        logger.info(`Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
-                        // Running in Cloud Shell
-                        authRequestOptions = this.createCloudShellMsiAuthRequest(resource, clientId);
-                    }
-                }
-                else {
-                    expiresInParser = (requestBody) => {
-                        if (requestBody.expires_on) {
-                            // Use the expires_on timestamp if it's available
-                            const expires = +requestBody.expires_on * 1000;
-                            logger.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
-                            return expires;
-                        }
-                        else {
-                            // If these aren't possible, use expires_in and calculate a timestamp
-                            const expires = Date.now() + requestBody.expires_in * 1000;
-                            logger.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
-                            return expires;
-                        }
-                    };
-                    logger.info(`Using the IMDS endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
-                    // Ping the IMDS endpoint to see if it's available
-                    if (!checkIfImdsEndpointAvailable ||
-                        (yield this.pingImdsEndpoint(resource, clientId, options))) {
-                        // Running in an Azure VM
-                        authRequestOptions = this.createImdsAuthRequest(resource, clientId);
-                    }
-                    else {
-                        // Returning null tells the ManagedIdentityCredential that
-                        // no MSI authentication endpoints are available
-                        return null;
-                    }
-                }
-                const webResource = this.identityClient.createWebResource(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: options.abortSignal, spanOptions: options.tracingOptions && options.tracingOptions.spanOptions }, authRequestOptions));
-                const tokenResponse = yield this.identityClient.sendTokenRequest(webResource, expiresInParser);
-                return (tokenResponse && tokenResponse.accessToken) || null;
-            }
-            catch (err) {
-                // Expected errors to reach this point:
-                // - When we try call createWebResource and it fails (at any point).
-                // - When identityClient.sendTokenRequest throws.
-                //   If the status code was 400, it means that the endpoint is working,
-                //   but no identity is available.
-                //
-                // Errors that might reach this point, but shouldn't:
-                // - When createAppServiceMsiAuthRequest is called with an unsupported version.
-                //   We shouldn't see this happening, because we specify the version in the parameters.
-                //
-                // Errors that shouldn't reach this point at all:
-                // - If we tried to reach to the IMDS endpoint and it ends up being unavailable, we simply don't call to createImdsAuthRequest, so we return null.
-                const code = err.name === AuthenticationErrorName
-                    ? CanonicalCode.UNAUTHENTICATED
-                    : CanonicalCode.UNKNOWN;
-                span.setStatus({
-                    code,
-                    message: err.message
-                });
-                throw err;
-            }
-            finally {
-                span.end();
-            }
-        });
-    }
-    /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
-     *
-     * @param scopes The list of scopes for which the token will have access.
-     * @param options The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    getToken(scopes, options) {
-        return __awaiter(this, void 0, void 0, function* () {
-            let result = null;
-            const { span, options: newOptions } = createSpan("ManagedIdentityCredential-getToken", options);
-            try {
-                // isEndpointAvailable can be true, false, or null,
-                // If it's null, it means we don't yet know whether
-                // the endpoint is available and need to check for it.
-                if (this.isEndpointUnavailable !== true) {
-                    result = yield this.authenticateManagedIdentity(scopes, this.isEndpointUnavailable === null, this.clientId, newOptions);
-                    if (result === null) {
-                        // If authenticateManagedIdentity returns null,
-                        // it means no MSI endpoints are available.
-                        // If so, we avoid trying to reach to them in future requests.
-                        this.isEndpointUnavailable = true;
-                        // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
-                        // yet we had no access token. For this reason, we'll throw once with a specific message:
-                        const error = new CredentialUnavailable("The managed identity endpoint was reached, yet no tokens were received.");
-                        logger.getToken.info(formatError(error));
-                        throw error;
-                    }
-                    // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
-                    // We will assume that this endpoint is reachable from this point forward,
-                    // and avoid pinging again to it.
-                    // Details:
-                    // - If `isEndpointUnavailable` is not true, `authenticateManagedIdentity` is called.
-                    // - If `isEndpointUnavailable` is only set to false if `authenticateManagedIdentity` returns null.
-                    // - If `isEndpointUnavailable` is null, `authenticateManagedIdentity` wil be called with "true" as the second parameter.
-                    // - When `authenticateManagedIdentity` is called with `checkIfImdsEndpointAvailable` set to "true", `pingImdsEndpoint` is called.
-                    // - If `pingImdsEndpoint` returns false, `authenticateManagedIdentity` returns null, which sets `isEndpointUnavailable` to false.
-                    // - If `pingImdsEndpoint` returns true, `authenticateManagedIdentity` tries to authenticate with the IMDS endpoint.
-                    // - If `authenticateManagedIdentity` tries to authenticate, and throws, we move to the catch section of this function.
-                    // - If `authenticateManagedIdentity` manages to authenticate, `result` won't be null.
-                    // - If `result` isn't null at this point, the endpoint was in fact available at first.
-                    // - To avoid calling again to `pingImdsEndpoint`, we need to set `isEndpointUnavailable` to false,
-                    //   so that `authenticateManagedIdentity` gets to be called with `checkIfImdsEndpointAvailable` set to "false",
-                    //   thus skipping any further call to `pingImdsEndpoint`.
-                    this.isEndpointUnavailable = false;
-                }
-                else {
-                    // We've previously determined that the endpoint was unavailable,
-                    // either because it was unreachable or permanently unable to authenticate.
-                    const error = new CredentialUnavailable("The managed identity endpoint is not currently available");
-                    logger.getToken.info(formatError(error));
-                    throw error;
-                }
-                logger.getToken.info(formatSuccess(scopes));
-                return result;
-            }
-            catch (err) {
-                // CredentialUnavailable errors are expected to reach here.
-                // We intend them to bubble up, so that DefaultAzureCredential can catch them.
-                if (err instanceof CredentialUnavailable) {
-                    throw err;
-                }
-                // Expected errors to reach this point:
-                // - Errors coming from a method unexpectedly breaking.
-                // - When identityClient.sendTokenRequest throws, in which case
-                //   if the status code was 400, it means that the endpoint is working,
-                //   but no identity is available.
-                span.setStatus({
-                    code: CanonicalCode.UNKNOWN,
-                    message: err.message
-                });
-                if (err.code === "ENETUNREACH") {
-                    const error = new CredentialUnavailable("ManagedIdentityCredential is unavailable. No managed identity endpoint found.");
-                    logger.getToken.info(formatError(error));
-                    throw error;
-                }
-                // If err.statusCode has a value of 400, it comes from sendTokenRequest,
-                // and it means that the endpoint is working, but that no identity is available.
-                if (err.statusCode === 400) {
-                    throw new CredentialUnavailable("The managed identity endpoint is indicating there's no available identity");
-                }
-                throw new AuthenticationError(err.statusCode, {
-                    error: "ManagedIdentityCredential authentication failed.",
-                    error_description: err.message
-                });
-            }
-            finally {
-                // Finally is always called, both if we return and if we throw in the above try/catch.
-                span.end();
-            }
-        });
-    }
-}
-//# sourceMappingURL=managedIdentityCredential.js.map

package/dist-esm/src/credentials/managedIdentityCredential.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"managedIdentityCredential.js","sourceRoot":"","sources":["../../../src/credentials/managedIdentityCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAElC,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,EAIL,SAAS,EAEV,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,cAAc,EAA0B,MAAM,0BAA0B,CAAC;AAClF,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EACL,uBAAuB,EACvB,mBAAmB,EACnB,qBAAqB,EACtB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE/E,MAAM,kBAAkB,GAAG,WAAW,CAAC;AACvC,MAAM,CAAC,MAAM,YAAY,GAAG,uDAAuD,CAAC;AACpF,MAAM,CAAC,MAAM,cAAc,GAAG,YAAY,CAAC;AAC3C,MAAM,CAAC,MAAM,uBAAuB,GAAG,YAAY,CAAC;AACpD,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;AAE7D;;;;;;;;GAQG;AACH,MAAM,OAAO,yBAAyB;IAmBpC;;;OAGG;IACH,YACE,iBAA8D,EAC9D,OAAgC;QAtB1B,0BAAqB,GAAmB,IAAI,CAAC;QAwBnD,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE;YACzC,gCAAgC;YAChC,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC;YAClC,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;SACnD;aAAM;YACL,2BAA2B;YAC3B,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,iBAAiB,CAAC,CAAC;SAC7D;IACH,CAAC;IAEO,mBAAmB,CAAC,MAAyB;QACnD,IAAI,KAAK,GAAG,EAAE,CAAC;QACf,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE;YACzB,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE;gBACvB,MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC;aACH;YAED,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;SACnB;aAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE;YACrC,KAAK,GAAG,MAAM,CAAC;SAChB;QAED,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE;YACvC,OAAO,KAAK,CAAC;SACd;QAED,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,WAAW,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAChE,CAAC;IAEO,qBAAqB,CAAC,QAAgB,EAAE,QAAiB;QAC/D,MAAM,eAAe,GAAQ;YAC3B,QAAQ;YACR,aAAa,EAAE,cAAc;SAC9B,CAAC;QAEF,IAAI,QAAQ,EAAE;YACZ,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;SACtC;QAED,OAAO;YACL,GAAG,EAAE,YAAY;YACjB,MAAM,EAAE,KAAK;YACb,eAAe;YACf,OAAO,EAAE;gBACP,MAAM,EAAE,kBAAkB;gBAC1B,QAAQ,EAAE,IAAI;aACf;SACF,CAAC;IACJ,CAAC;IAEO,8BAA8B,CACpC,QAAgB,EAChB,QAAiB,EACjB,OAAqC;QAErC,MAAM,eAAe,GAAQ;YAC3B,QAAQ;YACR,aAAa,EAAE,uBAAuB;SACvC,CAAC;QAEF,IAAI,OAAO,KAAK,YAAY,EAAE;YAC5B,IAAI,QAAQ,EAAE;gBACZ,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;aACtC;YAED,OAAO;gBACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;gBAClC,MAAM,EAAE,KAAK;gBACb,eAAe;gBACf,OAAO,EAAE;oBACP,MAAM,EAAE,kBAAkB;oBAC1B,mBAAmB,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;iBACjD;aACF,CAAC;SACH;aAAM,IAAI,OAAO,KAAK,YAAY,EAAE;YACnC,IAAI,QAAQ,EAAE;gBACZ,eAAe,CAAC,QAAQ,GAAG,QAAQ,CAAC;aACrC;YAED,OAAO;gBACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;gBAC7B,MAAM,EAAE,KAAK;gBACb,eAAe;gBACf,OAAO,EAAE;oBACP,MAAM,EAAE,kBAAkB;oBAC1B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;iBAC/B;aACF,CAAC;SACH;aAAM;YACL,MAAM,IAAI,KAAK,CACb,uBAAuB,OAAO,4DAA4D,CAC3F,CAAC;SACH;IACH,CAAC;IAEO,8BAA8B,CACpC,QAAgB,EAChB,QAAiB;QAEjB,MAAM,IAAI,GAAQ;YAChB,QAAQ;SACT,CAAC;QAEF,IAAI,QAAQ,EAAE;YACZ,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;SAC3B;QAED,OAAO;YACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;YAC7B,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC;YACxB,OAAO,EAAE;gBACP,MAAM,EAAE,kBAAkB;gBAC1B,QAAQ,EAAE,IAAI;gBACd,cAAc,EAAE,mCAAmC;aACpD;SACF,CAAC;IACJ,CAAC;IAEa,gBAAgB,CAC5B,QAAgB,EAChB,QAAiB,EACjB,eAAiC;;YAEjC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,UAAU,CAClC,4CAA4C,EAC5C,eAAe,CAChB,CAAC;YACF,MAAM,OAAO,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAE/D,iEAAiE;YACjE,IAAI,OAAO,CAAC,OAAO,EAAE;gBACnB,4DAA4D;gBAC5D,gBAAgB;gBAChB,OAAO,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;aACjC;YAED,OAAO,CAAC,WAAW,GAAG,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,cAAc,CAAC,WAAW,CAAC;YAEnF,IAAI;gBACF,uDAAuD;gBACvD,6DAA6D;gBAC7D,gEAAgE;gBAChE,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;gBACnE,WAAW,CAAC,OAAO,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC;gBAExF,IAAI;oBACF,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;oBACrC,MAAM,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;iBACpD;gBAAC,OAAO,GAAG,EAAE;oBACZ,IACE,CAAC,GAAG,YAAY,SAAS,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,kBAAkB,CAAC;wBACvE,GAAG,CAAC,IAAI,KAAK,YAAY;wBACzB,GAAG,CAAC,IAAI,KAAK,cAAc,IAAI,qBAAqB;wBACpD,GAAG,CAAC,IAAI,KAAK,WAAW,CAAC,eAAe;sBACxC;wBACA,yEAAyE;wBACzE,wEAAwE;wBACxE,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;wBACzC,IAAI,CAAC,SAAS,CAAC;4BACb,IAAI,EAAE,aAAa,CAAC,WAAW;4BAC/B,OAAO,EAAE,GAAG,CAAC,OAAO;yBACrB,CAAC,CAAC;wBACH,OAAO,KAAK,CAAC;qBACd;iBACF;gBAED,yDAAyD;gBACzD,MAAM,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBAC1C,OAAO,IAAI,CAAC;aACb;YAAC,OAAO,GAAG,EAAE;gBACZ,4BAA4B;gBAC5B,2CAA2C;gBAC3C,MAAM,CAAC,IAAI,CACT,WAAW,CAAC,8DAA8D,GAAG,CAAC,OAAO,EAAE,CAAC,CACzF,CAAC;gBACF,IAAI,CAAC,SAAS,CAAC;oBACb,IAAI,EAAE,aAAa,CAAC,OAAO;oBAC3B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC;aACX;oBAAS;gBACR,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;QACH,CAAC;KAAA;IAEa,2BAA2B,CACvC,MAAyB,EACzB,4BAAqC,EACrC,QAAiB,EACjB,eAAiC;;YAEjC,IAAI,kBAAyC,CAAC;YAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAClD,IAAI,eAA2D,CAAC;YAEhE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,UAAU,CAClC,uDAAuD,EACvD,eAAe,CAChB,CAAC;YAEF,IAAI;gBACF,qDAAqD;gBACrD,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE;oBAChE,oCAAoC;oBACpC,kBAAkB,GAAG,IAAI,CAAC,8BAA8B,CAAC,QAAQ,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;oBAC3F,eAAe,GAAG,CAAC,WAAgB,EAAE,EAAE;wBACrC,gFAAgF;wBAChF,OAAO,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;oBACxC,CAAC,CAAC;oBACF,MAAM,CAAC,IAAI,CACT,8FAA8F,OAAO,CAAC,GAAG,CAAC,iBAAiB,kCAAkC,CAC9J,CAAC;iBACH;qBAAM,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE;oBACnC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE;wBAC1B,yBAAyB;wBACzB,kBAAkB,GAAG,IAAI,CAAC,8BAA8B,CACtD,QAAQ,EACR,QAAQ,EACR,YAAY,CACb,CAAC;wBACF,eAAe,GAAG,CAAC,WAAgB,EAAE,EAAE;4BACrC,4DAA4D;4BAC5D,8CAA8C;4BAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;wBAC5C,CAAC,CAAC;wBACF,MAAM,CAAC,IAAI,CACT,yFAAyF,OAAO,CAAC,GAAG,CAAC,YAAY,6BAA6B,CAC/I,CAAC;qBACH;yBAAM;wBACL,MAAM,CAAC,IAAI,CACT,wEAAwE,OAAO,CAAC,GAAG,CAAC,YAAY,iEAAiE,CAClK,CAAC;wBACF,yBAAyB;wBACzB,kBAAkB,GAAG,IAAI,CAAC,8BAA8B,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;qBAC9E;iBACF;qBAAM;oBACL,eAAe,GAAG,CAAC,WAAgB,EAAE,EAAE;wBACrC,IAAI,WAAW,CAAC,UAAU,EAAE;4BAC1B,iDAAiD;4BACjD,MAAM,OAAO,GAAG,CAAC,WAAW,CAAC,UAAU,GAAG,IAAI,CAAC;4BAC/C,MAAM,CAAC,IAAI,CACT,0BAA0B,OAAO,qBAAqB,WAAW,CAAC,UAAU,GAAG,CAChF,CAAC;4BACF,OAAO,OAAO,CAAC;yBAChB;6BAAM;4BACL,qEAAqE;4BACrE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,UAAU,GAAG,IAAI,CAAC;4BAC3D,MAAM,CAAC,IAAI,CACT,0BAA0B,OAAO,qBAAqB,WAAW,CAAC,UAAU,GAAG,CAChF,CAAC;4BACF,OAAO,OAAO,CAAC;yBAChB;oBACH,CAAC,CAAC;oBACF,MAAM,CAAC,IAAI,CACT,6EAA6E,OAAO,CAAC,GAAG,CAAC,YAAY,iEAAiE,CACvK,CAAC;oBACF,kDAAkD;oBAClD,IACE,CAAC,4BAA4B;wBAC7B,CAAC,MAAM,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,EAC1D;wBACA,yBAAyB;wBACzB,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;qBACrE;yBAAM;wBACL,0DAA0D;wBAC1D,gDAAgD;wBAChD,OAAO,IAAI,CAAC;qBACb;iBACF;gBAED,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,CAAC,iBAAiB,iBACvD,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,OAAO,CAAC,WAAW,EAChC,WAAW,EAAE,OAAO,CAAC,cAAc,IAAI,OAAO,CAAC,cAAc,CAAC,WAAW,IACtE,kBAAkB,EACrB,CAAC;gBAEH,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,gBAAgB,CAC9D,WAAW,EACX,eAAe,CAChB,CAAC;gBACF,OAAO,CAAC,aAAa,IAAI,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC;aAC7D;YAAC,OAAO,GAAG,EAAE;gBACZ,uCAAuC;gBACvC,oEAAoE;gBACpE,iDAAiD;gBACjD,uEAAuE;gBACvE,kCAAkC;gBAClC,EAAE;gBACF,qDAAqD;gBACrD,+EAA+E;gBAC/E,uFAAuF;gBACvF,EAAE;gBACF,iDAAiD;gBACjD,kJAAkJ;gBAElJ,MAAM,IAAI,GACR,GAAG,CAAC,IAAI,KAAK,uBAAuB;oBAClC,CAAC,CAAC,aAAa,CAAC,eAAe;oBAC/B,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC;gBAC5B,IAAI,CAAC,SAAS,CAAC;oBACb,IAAI;oBACJ,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC;aACX;oBAAS;gBACR,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;QACH,CAAC;KAAA;IAED;;;;;;;;;OASG;IACU,QAAQ,CACnB,MAAyB,EACzB,OAAyB;;YAEzB,IAAI,MAAM,GAAuB,IAAI,CAAC;YAEtC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,UAAU,CAAC,oCAAoC,EAAE,OAAO,CAAC,CAAC;YAEhG,IAAI;gBACF,mDAAmD;gBACnD,mDAAmD;gBACnD,sDAAsD;gBACtD,IAAI,IAAI,CAAC,qBAAqB,KAAK,IAAI,EAAE;oBACvC,MAAM,GAAG,MAAM,IAAI,CAAC,2BAA2B,CAC7C,MAAM,EACN,IAAI,CAAC,qBAAqB,KAAK,IAAI,EACnC,IAAI,CAAC,QAAQ,EACb,UAAU,CACX,CAAC;oBAEF,IAAI,MAAM,KAAK,IAAI,EAAE;wBACnB,+CAA+C;wBAC/C,2CAA2C;wBAC3C,8DAA8D;wBAC9D,IAAI,CAAC,qBAAqB,GAAG,IAAI,CAAC;wBAElC,qGAAqG;wBACrG,yFAAyF;wBACzF,MAAM,KAAK,GAAG,IAAI,qBAAqB,CACrC,yEAAyE,CAC1E,CAAC;wBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;wBACzC,MAAM,KAAK,CAAC;qBACb;oBAED,iFAAiF;oBACjF,0EAA0E;oBAC1E,iCAAiC;oBACjC,WAAW;oBACX,qFAAqF;oBACrF,mGAAmG;oBACnG,yHAAyH;oBACzH,kIAAkI;oBAClI,kIAAkI;oBAClI,oHAAoH;oBACpH,uHAAuH;oBACvH,sFAAsF;oBACtF,uFAAuF;oBACvF,mGAAmG;oBACnG,gHAAgH;oBAChH,0DAA0D;oBAC1D,IAAI,CAAC,qBAAqB,GAAG,KAAK,CAAC;iBACpC;qBAAM;oBACL,iEAAiE;oBACjE,2EAA2E;oBAC3E,MAAM,KAAK,GAAG,IAAI,qBAAqB,CACrC,0DAA0D,CAC3D,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;oBACzC,MAAM,KAAK,CAAC;iBACb;gBAED,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC5C,OAAO,MAAM,CAAC;aACf;YAAC,OAAO,GAAG,EAAE;gBACZ,2DAA2D;gBAC3D,8EAA8E;gBAC9E,IAAI,GAAG,YAAY,qBAAqB,EAAE;oBACxC,MAAM,GAAG,CAAC;iBACX;gBAED,uCAAuC;gBACvC,uDAAuD;gBACvD,+DAA+D;gBAC/D,uEAAuE;gBACvE,kCAAkC;gBAElC,IAAI,CAAC,SAAS,CAAC;oBACb,IAAI,EAAE,aAAa,CAAC,OAAO;oBAC3B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CAAC;gBAEH,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE;oBAC9B,MAAM,KAAK,GAAG,IAAI,qBAAqB,CACrC,+EAA+E,CAChF,CAAC;oBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC;oBACzC,MAAM,KAAK,CAAC;iBACb;gBAED,wEAAwE;gBACxE,gFAAgF;gBAChF,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE;oBAC1B,MAAM,IAAI,qBAAqB,CAC7B,2EAA2E,CAC5E,CAAC;iBACH;gBAED,MAAM,IAAI,mBAAmB,CAAC,GAAG,CAAC,UAAU,EAAE;oBAC5C,KAAK,EAAE,kDAAkD;oBACzD,iBAAiB,EAAE,GAAG,CAAC,OAAO;iBAC/B,CAAC,CAAC;aACJ;oBAAS;gBACR,sFAAsF;gBACtF,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;QACH,CAAC;KAAA;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport qs from \"qs\";\nimport {\n AccessToken,\n GetTokenOptions,\n RequestPrepareOptions,\n RestError,\n TokenCredential\n} from \"@azure/core-http\";\nimport { IdentityClient, TokenCredentialOptions } from \"../client/identityClient\";\nimport { createSpan } from \"../util/tracing\";\nimport {\n AuthenticationErrorName,\n AuthenticationError,\n CredentialUnavailable\n} from \"../client/errors\";\nimport { CanonicalCode } from \"@opentelemetry/api\";\nimport { credentialLogger, formatSuccess, formatError } from \"../util/logging\";\n\nconst DefaultScopeSuffix = \"/.default\";\nexport const ImdsEndpoint = \"http://169.254.169.254/metadata/identity/oauth2/token\";\nexport const ImdsApiVersion = \"2018-02-01\";\nexport const AppServiceMsiApiVersion = \"2017-09-01\";\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\n/**\n * Attempts authentication using a managed identity that has been assigned\n * to the deployment environment. This authentication type works in Azure VMs,\n * App Service and Azure Functions applications, and inside of Azure Cloud Shell.\n *\n * More information about configuring managed identities can be found here:\n *\n * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview\n */\nexport class ManagedIdentityCredential implements TokenCredential {\n private identityClient: IdentityClient;\n private clientId: string | undefined;\n private isEndpointUnavailable: boolean | null = null;\n\n /**\n * Creates an instance of ManagedIdentityCredential with the client ID of a\n * user-assigned identity.\n *\n * @param clientId The client ID of the user-assigned identity.\n * @param options Options for configuring the client which makes the access token request.\n */\n constructor(clientId: string, options?: TokenCredentialOptions);\n /**\n * Creates an instance of ManagedIdentityCredential\n *\n * @param options Options for configuring the client which makes the access token request.\n */\n constructor(options?: TokenCredentialOptions);\n /**\n * @internal\n * @ignore\n */\n constructor(\n clientIdOrOptions: string | TokenCredentialOptions | undefined,\n options?: TokenCredentialOptions\n ) {\n if (typeof clientIdOrOptions === \"string\") {\n // clientId, options constructor\n this.clientId = clientIdOrOptions;\n this.identityClient = new IdentityClient(options);\n } else {\n // options only constructor\n this.identityClient = new IdentityClient(clientIdOrOptions);\n }\n }\n\n private mapScopesToResource(scopes: string | string[]): string {\n let scope = \"\";\n if (Array.isArray(scopes)) {\n if (scopes.length !== 1) {\n throw new Error(\n \"To convert to a resource string the specified array must be exactly length 1\"\n );\n }\n\n scope = scopes[0];\n } else if (typeof scopes === \"string\") {\n scope = scopes;\n }\n\n if (!scope.endsWith(DefaultScopeSuffix)) {\n return scope;\n }\n\n return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));\n }\n\n private createImdsAuthRequest(resource: string, clientId?: string): RequestPrepareOptions {\n const queryParameters: any = {\n resource,\n \"api-version\": ImdsApiVersion\n };\n\n if (clientId) {\n queryParameters.client_id = clientId;\n }\n\n return {\n url: ImdsEndpoint,\n method: \"GET\",\n queryParameters,\n headers: {\n Accept: \"application/json\",\n Metadata: true\n }\n };\n }\n\n private createAppServiceMsiAuthRequest(\n resource: string,\n clientId?: string,\n version?: \"2019-08-01\" | \"2017-09-01\"\n ): RequestPrepareOptions {\n const queryParameters: any = {\n resource,\n \"api-version\": AppServiceMsiApiVersion\n };\n\n if (version === \"2019-08-01\") {\n if (clientId) {\n queryParameters.client_id = clientId;\n }\n\n return {\n url: process.env.IDENTITY_ENDPOINT,\n method: \"GET\",\n queryParameters,\n headers: {\n Accept: \"application/json\",\n \"X-IDENTITY-HEADER\": process.env.IDENTITY_HEADER\n }\n };\n } else if (version === \"2017-09-01\") {\n if (clientId) {\n queryParameters.clientid = clientId;\n }\n\n return {\n url: process.env.MSI_ENDPOINT,\n method: \"GET\",\n queryParameters,\n headers: {\n Accept: \"application/json\",\n secret: process.env.MSI_SECRET\n }\n };\n } else {\n throw new Error(\n `Unsupported version ${version}. The supported versions are \"2019-08-01\" and \"2017-09-01\"`\n );\n }\n }\n\n private createCloudShellMsiAuthRequest(\n resource: string,\n clientId?: string\n ): RequestPrepareOptions {\n const body: any = {\n resource\n };\n\n if (clientId) {\n body.client_id = clientId;\n }\n\n return {\n url: process.env.MSI_ENDPOINT,\n method: \"POST\",\n body: qs.stringify(body),\n headers: {\n Accept: \"application/json\",\n Metadata: true,\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n }\n };\n }\n\n private async pingImdsEndpoint(\n resource: string,\n clientId?: string,\n getTokenOptions?: GetTokenOptions\n ): Promise<boolean> {\n const { span, options } = createSpan(\n \"ManagedIdentityCredential-pingImdsEndpoint\",\n getTokenOptions\n );\n const request = this.createImdsAuthRequest(resource, clientId);\n\n // This will always be populated, but let's make TypeScript happy\n if (request.headers) {\n // Remove the Metadata header to invoke a request error from\n // IMDS endpoint\n delete request.headers.Metadata;\n }\n\n request.spanOptions = options.tracingOptions && options.tracingOptions.spanOptions;\n\n try {\n // Create a request with a timeout since we expect that\n // not having a \"Metadata\" header should cause an error to be\n // returned quickly from the endpoint, proving its availability.\n const webResource = this.identityClient.createWebResource(request);\n webResource.timeout = (options.requestOptions && options.requestOptions.timeout) || 500;\n\n try {\n logger.info(`Pinging IMDS endpoint`);\n await this.identityClient.sendRequest(webResource);\n } catch (err) {\n if (\n (err instanceof RestError && err.code === RestError.REQUEST_SEND_ERROR) ||\n err.name === \"AbortError\" ||\n err.code === \"ECONNREFUSED\" || // connection refused\n err.code === \"EHOSTDOWN\" // host is down\n ) {\n // If the request failed, or NodeJS was unable to establish a connection,\n // or the host was down, we'll assume the IMDS endpoint isn't available.\n logger.info(`IMDS endpoint unavailable`);\n span.setStatus({\n code: CanonicalCode.UNAVAILABLE,\n message: err.message\n });\n return false;\n }\n }\n\n // If we received any response, the endpoint is available\n logger.info(`IMDS endpoint is available`);\n return true;\n } catch (err) {\n // createWebResource failed.\n // This error should bubble up to the user.\n logger.info(\n formatError(`Error when creating the WebResource for the IMDS endpoint: ${err.message}`)\n );\n span.setStatus({\n code: CanonicalCode.UNKNOWN,\n message: err.message\n });\n throw err;\n } finally {\n span.end();\n }\n }\n\n private async authenticateManagedIdentity(\n scopes: string | string[],\n checkIfImdsEndpointAvailable: boolean,\n clientId?: string,\n getTokenOptions?: GetTokenOptions\n ): Promise<AccessToken | null> {\n let authRequestOptions: RequestPrepareOptions;\n const resource = this.mapScopesToResource(scopes);\n let expiresInParser: ((requestBody: any) => number) | undefined;\n\n const { span, options } = createSpan(\n \"ManagedIdentityCredential-authenticateManagedIdentity\",\n getTokenOptions\n );\n\n try {\n // Detect which type of environment we are running in\n if (process.env.IDENTITY_ENDPOINT && process.env.IDENTITY_HEADER) {\n // Running in App Service 2019-08-01\n authRequestOptions = this.createAppServiceMsiAuthRequest(resource, clientId, \"2019-08-01\");\n expiresInParser = (requestBody: any) => {\n // Parses a string representation of the seconds since epoch into a number value\n return Number(requestBody.expires_on);\n };\n logger.info(\n `Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`\n );\n } else if (process.env.MSI_ENDPOINT) {\n if (process.env.MSI_SECRET) {\n // Running in App Service\n authRequestOptions = this.createAppServiceMsiAuthRequest(\n resource,\n clientId,\n \"2017-09-01\"\n );\n expiresInParser = (requestBody: any) => {\n // Parse a date format like \"06/20/2019 02:57:58 +00:00\" and\n // convert it into a JavaScript-formatted date\n return Date.parse(requestBody.expires_on);\n };\n logger.info(\n `Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`\n );\n } else {\n logger.info(\n `Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`\n );\n // Running in Cloud Shell\n authRequestOptions = this.createCloudShellMsiAuthRequest(resource, clientId);\n }\n } else {\n expiresInParser = (requestBody: any) => {\n if (requestBody.expires_on) {\n // Use the expires_on timestamp if it's available\n const expires = +requestBody.expires_on * 1000;\n logger.info(\n `IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`\n );\n return expires;\n } else {\n // If these aren't possible, use expires_in and calculate a timestamp\n const expires = Date.now() + requestBody.expires_in * 1000;\n logger.info(\n `IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`\n );\n return expires;\n }\n };\n logger.info(\n `Using the IMDS endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`\n );\n // Ping the IMDS endpoint to see if it's available\n if (\n !checkIfImdsEndpointAvailable ||\n (await this.pingImdsEndpoint(resource, clientId, options))\n ) {\n // Running in an Azure VM\n authRequestOptions = this.createImdsAuthRequest(resource, clientId);\n } else {\n // Returning null tells the ManagedIdentityCredential that\n // no MSI authentication endpoints are available\n return null;\n }\n }\n\n const webResource = this.identityClient.createWebResource({\n disableJsonStringifyOnBody: true,\n deserializationMapper: undefined,\n abortSignal: options.abortSignal,\n spanOptions: options.tracingOptions && options.tracingOptions.spanOptions,\n ...authRequestOptions\n });\n\n const tokenResponse = await this.identityClient.sendTokenRequest(\n webResource,\n expiresInParser\n );\n return (tokenResponse && tokenResponse.accessToken) || null;\n } catch (err) {\n // Expected errors to reach this point:\n // - When we try call createWebResource and it fails (at any point).\n // - When identityClient.sendTokenRequest throws.\n // If the status code was 400, it means that the endpoint is working,\n // but no identity is available.\n //\n // Errors that might reach this point, but shouldn't:\n // - When createAppServiceMsiAuthRequest is called with an unsupported version.\n // We shouldn't see this happening, because we specify the version in the parameters.\n //\n // Errors that shouldn't reach this point at all:\n // - If we tried to reach to the IMDS endpoint and it ends up being unavailable, we simply don't call to createImdsAuthRequest, so we return null.\n\n const code =\n err.name === AuthenticationErrorName\n ? CanonicalCode.UNAUTHENTICATED\n : CanonicalCode.UNKNOWN;\n span.setStatus({\n code,\n message: err.message\n });\n throw err;\n } finally {\n span.end();\n }\n }\n\n /**\n * Authenticates with Azure Active Directory and returns an access token if\n * successful. If authentication cannot be performed at this time, this method may\n * return null. If an error occurs during authentication, an {@link AuthenticationError}\n * containing failure details will be thrown.\n *\n * @param scopes The list of scopes for which the token will have access.\n * @param options The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options?: GetTokenOptions\n ): Promise<AccessToken | null> {\n let result: AccessToken | null = null;\n\n const { span, options: newOptions } = createSpan(\"ManagedIdentityCredential-getToken\", options);\n\n try {\n // isEndpointAvailable can be true, false, or null,\n // If it's null, it means we don't yet know whether\n // the endpoint is available and need to check for it.\n if (this.isEndpointUnavailable !== true) {\n result = await this.authenticateManagedIdentity(\n scopes,\n this.isEndpointUnavailable === null,\n this.clientId,\n newOptions\n );\n\n if (result === null) {\n // If authenticateManagedIdentity returns null,\n // it means no MSI endpoints are available.\n // If so, we avoid trying to reach to them in future requests.\n this.isEndpointUnavailable = true;\n\n // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),\n // yet we had no access token. For this reason, we'll throw once with a specific message:\n const error = new CredentialUnavailable(\n \"The managed identity endpoint was reached, yet no tokens were received.\"\n );\n logger.getToken.info(formatError(error));\n throw error;\n }\n \n // Since `authenticateManagedIdentity` didn't throw, and the result was not null,\n // We will assume that this endpoint is reachable from this point forward,\n // and avoid pinging again to it.\n // Details:\n // - If `isEndpointUnavailable` is not true, `authenticateManagedIdentity` is called.\n // - If `isEndpointUnavailable` is only set to false if `authenticateManagedIdentity` returns null.\n // - If `isEndpointUnavailable` is null, `authenticateManagedIdentity` wil be called with \"true\" as the second parameter.\n // - When `authenticateManagedIdentity` is called with `checkIfImdsEndpointAvailable` set to \"true\", `pingImdsEndpoint` is called.\n // - If `pingImdsEndpoint` returns false, `authenticateManagedIdentity` returns null, which sets `isEndpointUnavailable` to false.\n // - If `pingImdsEndpoint` returns true, `authenticateManagedIdentity` tries to authenticate with the IMDS endpoint.\n // - If `authenticateManagedIdentity` tries to authenticate, and throws, we move to the catch section of this function.\n // - If `authenticateManagedIdentity` manages to authenticate, `result` won't be null.\n // - If `result` isn't null at this point, the endpoint was in fact available at first.\n // - To avoid calling again to `pingImdsEndpoint`, we need to set `isEndpointUnavailable` to false,\n // so that `authenticateManagedIdentity` gets to be called with `checkIfImdsEndpointAvailable` set to \"false\",\n // thus skipping any further call to `pingImdsEndpoint`.\n this.isEndpointUnavailable = false;\n } else {\n // We've previously determined that the endpoint was unavailable,\n // either because it was unreachable or permanently unable to authenticate.\n const error = new CredentialUnavailable(\n \"The managed identity endpoint is not currently available\"\n );\n logger.getToken.info(formatError(error));\n throw error;\n }\n\n logger.getToken.info(formatSuccess(scopes));\n return result;\n } catch (err) {\n // CredentialUnavailable errors are expected to reach here.\n // We intend them to bubble up, so that DefaultAzureCredential can catch them.\n if (err instanceof CredentialUnavailable) {\n throw err;\n }\n\n // Expected errors to reach this point:\n // - Errors coming from a method unexpectedly breaking.\n // - When identityClient.sendTokenRequest throws, in which case\n // if the status code was 400, it means that the endpoint is working,\n // but no identity is available.\n\n span.setStatus({\n code: CanonicalCode.UNKNOWN,\n message: err.message\n });\n\n if (err.code === \"ENETUNREACH\") {\n const error = new CredentialUnavailable(\n \"ManagedIdentityCredential is unavailable. No managed identity endpoint found.\"\n );\n\n logger.getToken.info(formatError(error));\n throw error;\n }\n\n // If err.statusCode has a value of 400, it comes from sendTokenRequest,\n // and it means that the endpoint is working, but that no identity is available.\n if (err.statusCode === 400) {\n throw new CredentialUnavailable(\n \"The managed identity endpoint is indicating there's no available identity\"\n );\n }\n\n throw new AuthenticationError(err.statusCode, {\n error: \"ManagedIdentityCredential authentication failed.\",\n error_description: err.message\n });\n } finally {\n // Finally is always called, both if we return and if we throw in the above try/catch.\n span.end();\n }\n }\n}\n"]}