@azure/identity 2.0.0-beta.3 → 2.0.0

package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js

@@ -1,44 +1,64 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
-import { delay, RestError } from "@azure/core-http";
+import { delay } from "@azure/core-util";
+import { createHttpHeaders, createPipelineRequest, RestError } from "@azure/core-rest-pipeline";
 import { SpanStatusCode } from "@azure/core-tracing";
-import { AuthenticationError } from "../../client/errors";
 import { credentialLogger } from "../../util/logging";
 import { createSpan } from "../../util/tracing";
-import { imdsApiVersion, imdsEndpoint } from "./constants";
-import { msiGenericGetToken } from "./utils";
-const logger = credentialLogger("ManagedIdentityCredential - IMDS");
+import { imdsApiVersion, imdsEndpointPath, imdsHost } from "./constants";
+import { mapScopesToResource, msiGenericGetToken } from "./utils";
+import { AuthenticationError } from "../../errors";
+const msiName = "ManagedIdentityCredential - IMDS";
+const logger = credentialLogger(msiName);
 function expiresInParser(requestBody) {
     if (requestBody.expires_on) {
         // Use the expires_on timestamp if it's available
         const expires = +requestBody.expires_on * 1000;
-        logger.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        logger.info(`${msiName}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
         return expires;
     }
     else {
         // If these aren't possible, use expires_in and calculate a timestamp
         const expires = Date.now() + requestBody.expires_in * 1000;
-        logger.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
+        logger.info(`${msiName}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
         return expires;
     }
 }
-function prepareRequestOptions(resource, clientId) {
-    const queryParameters = {
-        resource,
-        "api-version": imdsApiVersion
+function prepareRequestOptions(scopes, clientId, options) {
+    var _a;
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
+    const { skipQuery, skipMetadataHeader } = options || {};
+    let query = "";
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    if (!skipQuery) {
+        const queryParameters = {
+            resource,
+            "api-version": imdsApiVersion
+        };
+        if (clientId) {
+            queryParameters.client_id = clientId;
+        }
+        const params = new URLSearchParams(queryParameters);
+        query = `?${params.toString()}`;
+    }
+    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
+    const rawHeaders = {
+        Accept: "application/json",
+        Metadata: "true"
     };
-    if (clientId) {
-        queryParameters.client_id = clientId;
+    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
+    if (skipMetadataHeader) {
+        delete rawHeaders.Metadata;
     }
     return {
-        url: imdsEndpoint,
+        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
+        url: `${url}${query}`,
         method: "GET",
-        queryParameters,
-        headers: {
-            Accept: "application/json",
-            Metadata: true
-        }
+        headers: createHttpHeaders(rawHeaders)
     };
 }
 // 800ms -> 1600ms -> 3200ms
@@ -48,84 +68,88 @@ export const imdsMsiRetryConfig = {
     intervalIncrement: 2
 };
 export const imdsMsi = {
-    isAvailable(identityClient, resource, clientId, getTokenOptions) {
-        var _a, _b, _c;
-        return __awaiter(this, void 0, void 0, function* () {
-            const { span, updatedOptions } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
-            const request = prepareRequestOptions(resource, clientId);
-            // This will always be populated, but let's make TypeScript happy
-            if (request.headers) {
-                // Remove the Metadata header to invoke a request error from
-                // IMDS endpoint
-                delete request.headers.Metadata;
-            }
-            request.spanOptions = (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions;
-            request.tracingContext = (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext;
+    async isAvailable(scopes, identityClient, clientId, getTokenOptions) {
+        var _a, _b;
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
+        // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
+            return true;
+        }
+        const requestOptions = prepareRequestOptions(resource, clientId, {
+            skipMetadataHeader: true,
+            skipQuery: true
+        });
+        requestOptions.tracingOptions = options.tracingOptions;
+        try {
+            // Create a request with a timeout since we expect that
+            // not having a "Metadata" header should cause an error to be
+            // returned quickly from the endpoint, proving its availability.
+            const request = createPipelineRequest(requestOptions);
+            request.timeout = (_b = (_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) !== null && _b !== void 0 ? _b : 300;
+            // This MSI uses the imdsEndpoint to get the token, which only uses http://
+            request.allowInsecureConnection = true;
             try {
-                // Create a request with a timeout since we expect that
-                // not having a "Metadata" header should cause an error to be
-                // returned quickly from the endpoint, proving its availability.
-                const webResource = identityClient.createWebResource(request);
-                webResource.timeout = ((_c = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.requestOptions) === null || _c === void 0 ? void 0 : _c.timeout) || 500;
-                try {
-                    logger.info(`Pinging IMDS endpoint`);
-                    yield identityClient.sendRequest(webResource);
-                }
-                catch (err) {
-                    if ((err.name === "RestError" && err.code === RestError.REQUEST_SEND_ERROR) ||
-                        err.name === "AbortError" ||
-                        err.code === "ECONNREFUSED" || // connection refused
-                        err.code === "EHOSTDOWN" // host is down
-                    ) {
-                        // If the request failed, or NodeJS was unable to establish a connection,
-                        // or the host was down, we'll assume the IMDS endpoint isn't available.
-                        logger.info(`The Azure IMDS endpoint is unavailable`);
-                        span.setStatus({
-                            code: SpanStatusCode.ERROR,
-                            message: err.message
-                        });
-                        return false;
-                    }
-                }
-                // If we received any response, the endpoint is available
-                logger.info(`The Azure IMDS endpoint is available`);
-                // IMDS MSI available!
-                return true;
+                logger.info(`${msiName}: Pinging the Azure IMDS endpoint`);
+                await identityClient.sendRequest(request);
             }
             catch (err) {
-                // createWebResource failed.
-                // This error should bubble up to the user.
-                logger.info(`Error when creating the WebResource for the IMDS endpoint: ${err.message}`);
-                span.setStatus({
-                    code: SpanStatusCode.ERROR,
-                    message: err.message
-                });
-                throw err;
-            }
-            finally {
-                span.end();
+                if ((err.name === "RestError" && err.code === RestError.REQUEST_SEND_ERROR) ||
+                    err.name === "AbortError" ||
+                    err.code === "ENETUNREACH" || // Network unreachable
+                    err.code === "ECONNREFUSED" || // connection refused
+                    err.code === "EHOSTDOWN" // host is down
+                ) {
+                    // If the request failed, or Node.js was unable to establish a connection,
+                    // or the host was down, we'll assume the IMDS endpoint isn't available.
+                    logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);
+                    span.setStatus({
+                        code: SpanStatusCode.ERROR,
+                        message: err.message
+                    });
+                    return false;
+                }
             }
-        });
+            // If we received any response, the endpoint is available
+            logger.info(`${msiName}: The Azure IMDS endpoint is available`);
+            return true;
+        }
+        catch (err) {
+            // createWebResource failed.
+            // This error should bubble up to the user.
+            logger.info(`${msiName}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
+            span.setStatus({
+                code: SpanStatusCode.ERROR,
+                message: err.message
+            });
+            throw err;
+        }
+        finally {
+            span.end();
+        }
     },
-    getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        return __awaiter(this, void 0, void 0, function* () {
-            logger.info(`Using the IMDS endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
-            let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
-            for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
-                try {
-                    return yield msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
-                }
-                catch (error) {
-                    if (error.statusCode === 404) {
-                        yield delay(nextDelayInMs);
-                        nextDelayInMs *= imdsMsiRetryConfig.intervalIncrement;
-                        continue;
-                    }
-                    throw error;
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger.info(`${msiName}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
+        let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
+        for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
+            try {
+                return await msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions);
+            }
+            catch (error) {
+                if (error.statusCode === 404) {
+                    await delay(nextDelayInMs);
+                    nextDelayInMs *= imdsMsiRetryConfig.intervalIncrement;
+                    continue;
                 }
+                throw error;
             }
-            throw new AuthenticationError(404, `Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
-        });
+        }
+        throw new AuthenticationError(404, `${msiName}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
     }
 };
 //# sourceMappingURL=imdsMsi.js.map

package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js.map

@@ -1 +1 @@
-{"version":3,"file":"imdsMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/imdsMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAElC,OAAO,EAEL,KAAK,EAGL,SAAS,EACV,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE7C,MAAM,MAAM,GAAG,gBAAgB,CAAC,kCAAkC,CAAC,CAAC;AAEpE,SAAS,eAAe,CAAC,WAAgB;IACvC,IAAI,WAAW,CAAC,UAAU,EAAE;QAC1B,iDAAiD;QACjD,MAAM,OAAO,GAAG,CAAC,WAAW,CAAC,UAAU,GAAG,IAAI,CAAC;QAC/C,MAAM,CAAC,IAAI,CAAC,0BAA0B,OAAO,qBAAqB,WAAW,CAAC,UAAU,GAAG,CAAC,CAAC;QAC7F,OAAO,OAAO,CAAC;KAChB;SAAM;QACL,qEAAqE;QACrE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,UAAU,GAAG,IAAI,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,0BAA0B,OAAO,qBAAqB,WAAW,CAAC,UAAU,GAAG,CAAC,CAAC;QAC7F,OAAO,OAAO,CAAC;KAChB;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAiB,EAAE,QAAiB;IACjE,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,cAAc;KAC9B,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;KACtC;IAED,OAAO;QACL,GAAG,EAAE,YAAY;QACjB,MAAM,EAAE,KAAK;QACb,eAAe;QACf,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,IAAI;SACf;KACF,CAAC;AACJ,CAAC;AAED,4BAA4B;AAC5B,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,UAAU,EAAE,CAAC;IACb,cAAc,EAAE,GAAG;IACnB,iBAAiB,EAAE,CAAC;CACrB,CAAC;AAEF,MAAM,CAAC,MAAM,OAAO,GAAQ;IACpB,WAAW,CACf,cAA8B,EAC9B,QAAgB,EAChB,QAAiB,EACjB,eAAiC;;;YAEjC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,UAAU,CACzC,4CAA4C,EAC5C,eAAe,CAChB,CAAC;YAEF,MAAM,OAAO,GAAG,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAE1D,iEAAiE;YACjE,IAAI,OAAO,CAAC,OAAO,EAAE;gBACnB,4DAA4D;gBAC5D,gBAAgB;gBAChB,OAAO,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;aACjC;YAED,OAAO,CAAC,WAAW,GAAG,MAAA,cAAc,aAAd,cAAc,uBAAd,cAAc,CAAE,cAAc,0CAAE,WAAW,CAAC;YAClE,OAAO,CAAC,cAAc,GAAG,MAAA,cAAc,aAAd,cAAc,uBAAd,cAAc,CAAE,cAAc,0CAAE,cAAc,CAAC;YAExE,IAAI;gBACF,uDAAuD;gBACvD,6DAA6D;gBAC7D,gEAAgE;gBAChE,MAAM,WAAW,GAAG,cAAc,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;gBAC9D,WAAW,CAAC,OAAO,GAAG,CAAA,MAAA,cAAc,aAAd,cAAc,uBAAd,cAAc,CAAE,cAAc,0CAAE,OAAO,KAAI,GAAG,CAAC;gBAErE,IAAI;oBACF,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;oBACrC,MAAM,cAAc,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;iBAC/C;gBAAC,OAAO,GAAG,EAAE;oBACZ,IACE,CAAC,GAAG,CAAC,IAAI,KAAK,WAAW,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,kBAAkB,CAAC;wBACvE,GAAG,CAAC,IAAI,KAAK,YAAY;wBACzB,GAAG,CAAC,IAAI,KAAK,cAAc,IAAI,qBAAqB;wBACpD,GAAG,CAAC,IAAI,KAAK,WAAW,CAAC,eAAe;sBACxC;wBACA,yEAAyE;wBACzE,wEAAwE;wBACxE,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;wBACtD,IAAI,CAAC,SAAS,CAAC;4BACb,IAAI,EAAE,cAAc,CAAC,KAAK;4BAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;yBACrB,CAAC,CAAC;wBACH,OAAO,KAAK,CAAC;qBACd;iBACF;gBAED,yDAAyD;gBACzD,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;gBAEpD,sBAAsB;gBACtB,OAAO,IAAI,CAAC;aACb;YAAC,OAAO,GAAG,EAAE;gBACZ,4BAA4B;gBAC5B,2CAA2C;gBAC3C,MAAM,CAAC,IAAI,CAAC,8DAA8D,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACzF,IAAI,CAAC,SAAS,CAAC;oBACb,IAAI,EAAE,cAAc,CAAC,KAAK;oBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CAAC;gBACH,MAAM,GAAG,CAAC;aACX;oBAAS;gBACR,IAAI,CAAC,GAAG,EAAE,CAAC;aACZ;;KACF;IACK,QAAQ,CACZ,cAA8B,EAC9B,QAAgB,EAChB,QAAiB,EACjB,kBAAmC,EAAE;;YAErC,MAAM,CAAC,IAAI,CACT,6EAA6E,OAAO,CAAC,GAAG,CAAC,YAAY,iEAAiE,CACvK,CAAC;YAEF,IAAI,aAAa,GAAG,kBAAkB,CAAC,cAAc,CAAC;YACtD,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,kBAAkB,CAAC,UAAU,EAAE,OAAO,EAAE,EAAE;gBACxE,IAAI;oBACF,OAAO,MAAM,kBAAkB,CAC7B,cAAc,EACd,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACzC,eAAe,EACf,eAAe,CAChB,CAAC;iBACH;gBAAC,OAAO,KAAK,EAAE;oBACd,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,EAAE;wBAC5B,MAAM,KAAK,CAAC,aAAa,CAAC,CAAC;wBAC3B,aAAa,IAAI,kBAAkB,CAAC,iBAAiB,CAAC;wBACtD,SAAS;qBACV;oBACD,MAAM,KAAK,CAAC;iBACb;aACF;YAED,MAAM,IAAI,mBAAmB,CAC3B,GAAG,EACH,uCAAuC,kBAAkB,CAAC,UAAU,WAAW,CAChF,CAAC;QACJ,CAAC;KAAA;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport {\n  AccessToken,\n  delay,\n  GetTokenOptions,\n  RequestPrepareOptions,\n  RestError\n} from \"@azure/core-http\";\nimport { SpanStatusCode } from \"@azure/core-tracing\";\nimport { AuthenticationError } from \"../../client/errors\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { createSpan } from \"../../util/tracing\";\nimport { imdsApiVersion, imdsEndpoint } from \"./constants\";\nimport { MSI } from \"./models\";\nimport { msiGenericGetToken } from \"./utils\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential - IMDS\");\n\nfunction expiresInParser(requestBody: any): number {\n  if (requestBody.expires_on) {\n    // Use the expires_on timestamp if it's available\n    const expires = +requestBody.expires_on * 1000;\n    logger.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);\n    return expires;\n  } else {\n    // If these aren't possible, use expires_in and calculate a timestamp\n    const expires = Date.now() + requestBody.expires_in * 1000;\n    logger.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);\n    return expires;\n  }\n}\n\nfunction prepareRequestOptions(resource?: string, clientId?: string): RequestPrepareOptions {\n  const queryParameters: any = {\n    resource,\n    \"api-version\": imdsApiVersion\n  };\n\n  if (clientId) {\n    queryParameters.client_id = clientId;\n  }\n\n  return {\n    url: imdsEndpoint,\n    method: \"GET\",\n    queryParameters,\n    headers: {\n      Accept: \"application/json\",\n      Metadata: true\n    }\n  };\n}\n\n// 800ms -> 1600ms -> 3200ms\nexport const imdsMsiRetryConfig = {\n  maxRetries: 3,\n  startDelayInMs: 800,\n  intervalIncrement: 2\n};\n\nexport const imdsMsi: MSI = {\n  async isAvailable(\n    identityClient: IdentityClient,\n    resource: string,\n    clientId?: string,\n    getTokenOptions?: GetTokenOptions\n  ): Promise<boolean> {\n    const { span, updatedOptions } = createSpan(\n      \"ManagedIdentityCredential-pingImdsEndpoint\",\n      getTokenOptions\n    );\n\n    const request = prepareRequestOptions(resource, clientId);\n\n    // This will always be populated, but let's make TypeScript happy\n    if (request.headers) {\n      // Remove the Metadata header to invoke a request error from\n      // IMDS endpoint\n      delete request.headers.Metadata;\n    }\n\n    request.spanOptions = updatedOptions?.tracingOptions?.spanOptions;\n    request.tracingContext = updatedOptions?.tracingOptions?.tracingContext;\n\n    try {\n      // Create a request with a timeout since we expect that\n      // not having a \"Metadata\" header should cause an error to be\n      // returned quickly from the endpoint, proving its availability.\n      const webResource = identityClient.createWebResource(request);\n      webResource.timeout = updatedOptions?.requestOptions?.timeout || 500;\n\n      try {\n        logger.info(`Pinging IMDS endpoint`);\n        await identityClient.sendRequest(webResource);\n      } catch (err) {\n        if (\n          (err.name === \"RestError\" && err.code === RestError.REQUEST_SEND_ERROR) ||\n          err.name === \"AbortError\" ||\n          err.code === \"ECONNREFUSED\" || // connection refused\n          err.code === \"EHOSTDOWN\" // host is down\n        ) {\n          // If the request failed, or NodeJS was unable to establish a connection,\n          // or the host was down, we'll assume the IMDS endpoint isn't available.\n          logger.info(`The Azure IMDS endpoint is unavailable`);\n          span.setStatus({\n            code: SpanStatusCode.ERROR,\n            message: err.message\n          });\n          return false;\n        }\n      }\n\n      // If we received any response, the endpoint is available\n      logger.info(`The Azure IMDS endpoint is available`);\n\n      // IMDS MSI available!\n      return true;\n    } catch (err) {\n      // createWebResource failed.\n      // This error should bubble up to the user.\n      logger.info(`Error when creating the WebResource for the IMDS endpoint: ${err.message}`);\n      span.setStatus({\n        code: SpanStatusCode.ERROR,\n        message: err.message\n      });\n      throw err;\n    } finally {\n      span.end();\n    }\n  },\n  async getToken(\n    identityClient: IdentityClient,\n    resource: string,\n    clientId?: string,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    logger.info(\n      `Using the IMDS endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`\n    );\n\n    let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;\n    for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {\n      try {\n        return await msiGenericGetToken(\n          identityClient,\n          prepareRequestOptions(resource, clientId),\n          expiresInParser,\n          getTokenOptions\n        );\n      } catch (error) {\n        if (error.statusCode === 404) {\n          await delay(nextDelayInMs);\n          nextDelayInMs *= imdsMsiRetryConfig.intervalIncrement;\n          continue;\n        }\n        throw error;\n      }\n    }\n\n    throw new AuthenticationError(\n      404,\n      `Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`\n    );\n  }\n};\n"]}
+{"version":3,"file":"imdsMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/imdsMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAEzC,OAAO,EACL,iBAAiB,EAEjB,qBAAqB,EACrB,SAAS,EACV,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEzE,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAEnD,MAAM,OAAO,GAAG,kCAAkC,CAAC;AACnD,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,SAAS,eAAe,CAAC,WAAgB;IACvC,IAAI,WAAW,CAAC,UAAU,EAAE;QAC1B,iDAAiD;QACjD,MAAM,OAAO,GAAG,CAAC,WAAW,CAAC,UAAU,GAAG,IAAI,CAAC;QAC/C,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,uBAAuB,OAAO,qBAAqB,WAAW,CAAC,UAAU,GAAG,CACvF,CAAC;QACF,OAAO,OAAO,CAAC;KAChB;SAAM;QACL,qEAAqE;QACrE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,UAAU,GAAG,IAAI,CAAC;QAC3D,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,4BAA4B,OAAO,qBAAqB,WAAW,CAAC,UAAU,GAAG,CAC5F,CAAC;QACF,OAAO,OAAO,CAAC;KAChB;AACH,CAAC;AAED,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB,EACjB,OAGC;;IAED,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;KACnE;IAED,MAAM,EAAE,SAAS,EAAE,kBAAkB,EAAE,GAAG,OAAO,IAAI,EAAE,CAAC;IACxD,IAAI,KAAK,GAAG,EAAE,CAAC;IAEf,wFAAwF;IACxF,iGAAiG;IACjG,IAAI,CAAC,SAAS,EAAE;QACd,MAAM,eAAe,GAAQ;YAC3B,QAAQ;YACR,aAAa,EAAE,cAAc;SAC9B,CAAC;QACF,IAAI,QAAQ,EAAE;YACZ,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;SACtC;QACD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;QACpD,KAAK,GAAG,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;KACjC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,gBAAgB,EAAE,MAAA,OAAO,CAAC,GAAG,CAAC,iCAAiC,mCAAI,QAAQ,CAAC,CAAC;IAEjG,MAAM,UAAU,GAA2B;QACzC,MAAM,EAAE,kBAAkB;QAC1B,QAAQ,EAAE,MAAM;KACjB,CAAC;IAEF,iFAAiF;IACjF,IAAI,kBAAkB,EAAE;QACtB,OAAO,UAAU,CAAC,QAAQ,CAAC;KAC5B;IAED,OAAO;QACL,wFAAwF;QACxF,GAAG,EAAE,GAAG,GAAG,GAAG,KAAK,EAAE;QACrB,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC,UAAU,CAAC;KACvC,CAAC;AACJ,CAAC;AAED,4BAA4B;AAC5B,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,UAAU,EAAE,CAAC;IACb,cAAc,EAAE,GAAG;IACnB,iBAAiB,EAAE,CAAC;CACrB,CAAC;AAEF,MAAM,CAAC,MAAM,OAAO,GAAQ;IAC1B,KAAK,CAAC,WAAW,CACf,MAAyB,EACzB,cAA8B,EAC9B,QAAiB,EACjB,eAAiC;;QAEjC,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;SACd;QACD,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,UAAU,CAClD,4CAA4C,EAC5C,eAAe,CAChB,CAAC;QAEF,mHAAmH;QACnH,IAAI,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE;YACjD,OAAO,IAAI,CAAC;SACb;QAED,MAAM,cAAc,GAAG,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,EAAE;YAC/D,kBAAkB,EAAE,IAAI;YACxB,SAAS,EAAE,IAAI;SAChB,CAAC,CAAC;QACH,cAAc,CAAC,cAAc,GAAG,OAAO,CAAC,cAAc,CAAC;QAEvD,IAAI;YACF,uDAAuD;YACvD,6DAA6D;YAC7D,gEAAgE;YAChE,MAAM,OAAO,GAAG,qBAAqB,CAAC,cAAc,CAAC,CAAC;YAEtD,OAAO,CAAC,OAAO,GAAG,MAAA,MAAA,OAAO,CAAC,cAAc,0CAAE,OAAO,mCAAI,GAAG,CAAC;YAEzD,2EAA2E;YAC3E,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;YAEvC,IAAI;gBACF,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mCAAmC,CAAC,CAAC;gBAC3D,MAAM,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;aAC3C;YAAC,OAAO,GAAG,EAAE;gBACZ,IACE,CAAC,GAAG,CAAC,IAAI,KAAK,WAAW,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,CAAC,kBAAkB,CAAC;oBACvE,GAAG,CAAC,IAAI,KAAK,YAAY;oBACzB,GAAG,CAAC,IAAI,KAAK,aAAa,IAAI,sBAAsB;oBACpD,GAAG,CAAC,IAAI,KAAK,cAAc,IAAI,qBAAqB;oBACpD,GAAG,CAAC,IAAI,KAAK,WAAW,CAAC,eAAe;kBACxC;oBACA,0EAA0E;oBAC1E,wEAAwE;oBACxE,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,0CAA0C,CAAC,CAAC;oBAClE,IAAI,CAAC,SAAS,CAAC;wBACb,IAAI,EAAE,cAAc,CAAC,KAAK;wBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;qBACrB,CAAC,CAAC;oBACH,OAAO,KAAK,CAAC;iBACd;aACF;YAED,yDAAyD;YACzD,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,wCAAwC,CAAC,CAAC;YAChE,OAAO,IAAI,CAAC;SACb;QAAC,OAAO,GAAG,EAAE;YACZ,4BAA4B;YAC5B,2CAA2C;YAC3C,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,sEAAsE,GAAG,CAAC,OAAO,EAAE,CAC9F,CAAC;YACF,IAAI,CAAC,SAAS,CAAC;gBACb,IAAI,EAAE,cAAc,CAAC,KAAK;gBAC1B,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;SACX;gBAAS;YACR,IAAI,CAAC,GAAG,EAAE,CAAC;SACZ;IACH,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAE3D,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,qFAAqF,OAAO,CAAC,GAAG,CAAC,YAAY,iEAAiE,CACzL,CAAC;QAEF,IAAI,aAAa,GAAG,kBAAkB,CAAC,cAAc,CAAC;QACtD,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,kBAAkB,CAAC,UAAU,EAAE,OAAO,EAAE,EAAE;YACxE,IAAI;gBACF,OAAO,MAAM,kBAAkB,CAC7B,cAAc,EACd,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EACvC,eAAe,EACf,eAAe,CAChB,CAAC;aACH;YAAC,OAAO,KAAK,EAAE;gBACd,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,EAAE;oBAC5B,MAAM,KAAK,CAAC,aAAa,CAAC,CAAC;oBAC3B,aAAa,IAAI,kBAAkB,CAAC,iBAAiB,CAAC;oBACtD,SAAS;iBACV;gBACD,MAAM,KAAK,CAAC;aACb;SACF;QAED,MAAM,IAAI,mBAAmB,CAC3B,GAAG,EACH,GAAG,OAAO,yCAAyC,kBAAkB,CAAC,UAAU,WAAW,CAC5F,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { delay } from \"@azure/core-util\";\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport {\n  createHttpHeaders,\n  PipelineRequestOptions,\n  createPipelineRequest,\n  RestError\n} from \"@azure/core-rest-pipeline\";\nimport { SpanStatusCode } from \"@azure/core-tracing\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { createSpan } from \"../../util/tracing\";\nimport { imdsApiVersion, imdsEndpointPath, imdsHost } from \"./constants\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { mapScopesToResource, msiGenericGetToken } from \"./utils\";\nimport { AuthenticationError } from \"../../errors\";\n\nconst msiName = \"ManagedIdentityCredential - IMDS\";\nconst logger = credentialLogger(msiName);\n\nfunction expiresInParser(requestBody: any): number {\n  if (requestBody.expires_on) {\n    // Use the expires_on timestamp if it's available\n    const expires = +requestBody.expires_on * 1000;\n    logger.info(\n      `${msiName}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`\n    );\n    return expires;\n  } else {\n    // If these aren't possible, use expires_in and calculate a timestamp\n    const expires = Date.now() + requestBody.expires_in * 1000;\n    logger.info(\n      `${msiName}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`\n    );\n    return expires;\n  }\n}\n\nfunction prepareRequestOptions(\n  scopes: string | string[],\n  clientId?: string,\n  options?: {\n    skipQuery?: boolean;\n    skipMetadataHeader?: boolean;\n  }\n): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n\n  const { skipQuery, skipMetadataHeader } = options || {};\n  let query = \"\";\n\n  // Pod Identity will try to process this request even if the Metadata header is missing.\n  // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.\n  if (!skipQuery) {\n    const queryParameters: any = {\n      resource,\n      \"api-version\": imdsApiVersion\n    };\n    if (clientId) {\n      queryParameters.client_id = clientId;\n    }\n    const params = new URLSearchParams(queryParameters);\n    query = `?${params.toString()}`;\n  }\n\n  const url = new URL(imdsEndpointPath, process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST ?? imdsHost);\n\n  const rawHeaders: Record<string, string> = {\n    Accept: \"application/json\",\n    Metadata: \"true\"\n  };\n\n  // Remove the Metadata header to invoke a request error from some IMDS endpoints.\n  if (skipMetadataHeader) {\n    delete rawHeaders.Metadata;\n  }\n\n  return {\n    // In this case, the `?` should be added in the \"query\" variable `skipQuery` is not set.\n    url: `${url}${query}`,\n    method: \"GET\",\n    headers: createHttpHeaders(rawHeaders)\n  };\n}\n\n// 800ms -> 1600ms -> 3200ms\nexport const imdsMsiRetryConfig = {\n  maxRetries: 3,\n  startDelayInMs: 800,\n  intervalIncrement: 2\n};\n\nexport const imdsMsi: MSI = {\n  async isAvailable(\n    scopes: string | string[],\n    identityClient: IdentityClient,\n    clientId?: string,\n    getTokenOptions?: GetTokenOptions\n  ): Promise<boolean> {\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n    const { span, updatedOptions: options } = createSpan(\n      \"ManagedIdentityCredential-pingImdsEndpoint\",\n      getTokenOptions\n    );\n\n    // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist\n    if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {\n      return true;\n    }\n\n    const requestOptions = prepareRequestOptions(resource, clientId, {\n      skipMetadataHeader: true,\n      skipQuery: true\n    });\n    requestOptions.tracingOptions = options.tracingOptions;\n\n    try {\n      // Create a request with a timeout since we expect that\n      // not having a \"Metadata\" header should cause an error to be\n      // returned quickly from the endpoint, proving its availability.\n      const request = createPipelineRequest(requestOptions);\n\n      request.timeout = options.requestOptions?.timeout ?? 300;\n\n      // This MSI uses the imdsEndpoint to get the token, which only uses http://\n      request.allowInsecureConnection = true;\n\n      try {\n        logger.info(`${msiName}: Pinging the Azure IMDS endpoint`);\n        await identityClient.sendRequest(request);\n      } catch (err) {\n        if (\n          (err.name === \"RestError\" && err.code === RestError.REQUEST_SEND_ERROR) ||\n          err.name === \"AbortError\" ||\n          err.code === \"ENETUNREACH\" || // Network unreachable\n          err.code === \"ECONNREFUSED\" || // connection refused\n          err.code === \"EHOSTDOWN\" // host is down\n        ) {\n          // If the request failed, or Node.js was unable to establish a connection,\n          // or the host was down, we'll assume the IMDS endpoint isn't available.\n          logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);\n          span.setStatus({\n            code: SpanStatusCode.ERROR,\n            message: err.message\n          });\n          return false;\n        }\n      }\n\n      // If we received any response, the endpoint is available\n      logger.info(`${msiName}: The Azure IMDS endpoint is available`);\n      return true;\n    } catch (err) {\n      // createWebResource failed.\n      // This error should bubble up to the user.\n      logger.info(\n        `${msiName}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`\n      );\n      span.setStatus({\n        code: SpanStatusCode.ERROR,\n        message: err.message\n      });\n      throw err;\n    } finally {\n      span.end();\n    }\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    const { identityClient, scopes, clientId } = configuration;\n\n    logger.info(\n      `${msiName}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`\n    );\n\n    let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;\n    for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {\n      try {\n        return await msiGenericGetToken(\n          identityClient,\n          prepareRequestOptions(scopes, clientId),\n          expiresInParser,\n          getTokenOptions\n        );\n      } catch (error) {\n        if (error.statusCode === 404) {\n          await delay(nextDelayInMs);\n          nextDelayInMs *= imdsMsiRetryConfig.intervalIncrement;\n          continue;\n        }\n        throw error;\n      }\n    }\n\n    throw new AuthenticationError(\n      404,\n      `${msiName}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`\n    );\n  }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/index.browser.js

@@ -1,6 +1,5 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
 import { credentialLogger, formatError } from "../../util/logging";
 const BrowserNotSupportedError = new Error("ManagedIdentityCredential is not supported in the browser.");
 const logger = credentialLogger("ManagedIdentityCredential");
@@ -9,11 +8,9 @@ export class ManagedIdentityCredential {
         logger.info(formatError("", BrowserNotSupportedError));
         throw BrowserNotSupportedError;
     }
-    getToken() {
-        return __awaiter(this, void 0, void 0, function* () {
-            logger.getToken.info(formatError("", BrowserNotSupportedError));
-            throw BrowserNotSupportedError;
-        });
+    async getToken() {
+        logger.getToken.info(formatError("", BrowserNotSupportedError));
+        throw BrowserNotSupportedError;
     }
 }
 //# sourceMappingURL=index.browser.js.map

package/dist-esm/src/credentials/managedIdentityCredential/index.browser.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.browser.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/index.browser.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;;AAIlC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEnE,MAAM,wBAAwB,GAAG,IAAI,KAAK,CACxC,4DAA4D,CAC7D,CAAC;AACF,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;AAE7D,MAAM,OAAO,yBAAyB;IAGpC;QACE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;QACvD,MAAM,wBAAwB,CAAC;IACjC,CAAC;IAEY,QAAQ;;YACnB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;YAChE,MAAM,wBAAwB,CAAC;QACjC,CAAC;KAAA;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, TokenCredential } from \"@azure/core-http\";\nimport { TokenCredentialOptions } from \"../../client/identityClient\";\nimport { credentialLogger, formatError } from \"../../util/logging\";\n\nconst BrowserNotSupportedError = new Error(\n  \"ManagedIdentityCredential is not supported in the browser.\"\n);\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\nexport class ManagedIdentityCredential implements TokenCredential {\n  constructor(clientId: string, options?: TokenCredentialOptions);\n  constructor(options?: TokenCredentialOptions);\n  constructor() {\n    logger.info(formatError(\"\", BrowserNotSupportedError));\n    throw BrowserNotSupportedError;\n  }\n\n  public async getToken(): Promise<AccessToken | null> {\n    logger.getToken.info(formatError(\"\", BrowserNotSupportedError));\n    throw BrowserNotSupportedError;\n  }\n}\n"]}
+{"version":3,"file":"index.browser.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/index.browser.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAKlC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEnE,MAAM,wBAAwB,GAAG,IAAI,KAAK,CACxC,4DAA4D,CAC7D,CAAC;AACF,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;AAE7D,MAAM,OAAO,yBAAyB;IAGpC;QACE,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;QACvD,MAAM,wBAAwB,CAAC;IACjC,CAAC;IAEM,KAAK,CAAC,QAAQ;QACnB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,wBAAwB,CAAC,CAAC,CAAC;QAChE,MAAM,wBAAwB,CAAC;IACjC,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, TokenCredential } from \"@azure/core-auth\";\n\nimport { TokenCredentialOptions } from \"../../client/identityClient\";\nimport { credentialLogger, formatError } from \"../../util/logging\";\n\nconst BrowserNotSupportedError = new Error(\n  \"ManagedIdentityCredential is not supported in the browser.\"\n);\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\nexport class ManagedIdentityCredential implements TokenCredential {\n  constructor(clientId: string, options?: TokenCredentialOptions);\n  constructor(options?: TokenCredentialOptions);\n  constructor() {\n    logger.info(formatError(\"\", BrowserNotSupportedError));\n    throw BrowserNotSupportedError;\n  }\n\n  public async getToken(): Promise<AccessToken | null> {\n    logger.getToken.info(formatError(\"\", BrowserNotSupportedError));\n    throw BrowserNotSupportedError;\n  }\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/index.js

@@ -1,16 +1,15 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { __awaiter } from "tslib";
-import { IdentityClient } from "../../client/identityClient";
-import { createSpan } from "../../util/tracing";
-import { AuthenticationError, CredentialUnavailableError } from "../../client/errors";
 import { SpanStatusCode } from "@azure/core-tracing";
+import { IdentityClient } from "../../client/identityClient";
+import { AuthenticationError, CredentialUnavailableError } from "../../errors";
 import { credentialLogger, formatSuccess, formatError } from "../../util/logging";
-import { mapScopesToResource } from "./utils";
+import { appServiceMsi2017 } from "./appServiceMsi2017";
+import { createSpan } from "../../util/tracing";
 import { cloudShellMsi } from "./cloudShellMsi";
 import { imdsMsi } from "./imdsMsi";
-import { appServiceMsi2017 } from "./appServiceMsi2017";
 import { arcMsi } from "./arcMsi";
+import { tokenExchangeMsi } from "./tokenExchangeMsi";
 const logger = credentialLogger("ManagedIdentityCredential");
 /**
  * Attempts authentication using a managed identity that has been assigned
@@ -38,140 +37,136 @@ export class ManagedIdentityCredential {
             this.identityClient = new IdentityClient(clientIdOrOptions);
         }
     }
-    cachedAvailableMSI(resource, clientId, getTokenOptions) {
-        return __awaiter(this, void 0, void 0, function* () {
-            if (this.cachedMSI) {
-                return this.cachedMSI;
-            }
-            // "fabricMsi" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,
-            // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.
-            const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, imdsMsi];
-            for (const msi of MSIs) {
-                if (yield msi.isAvailable(this.identityClient, resource, clientId, getTokenOptions)) {
-                    this.cachedMSI = msi;
-                    return msi;
-                }
+    async cachedAvailableMSI(scopes, clientId, getTokenOptions) {
+        if (this.cachedMSI) {
+            return this.cachedMSI;
+        }
+        // "fabricMsi" can't be added yet because our HTTPs pipeline doesn't allow skipping the SSL verification step,
+        // which is necessary since Service Fabric only provides self-signed certificates on their Identity Endpoint.
+        const MSIs = [appServiceMsi2017, cloudShellMsi, arcMsi, tokenExchangeMsi(), imdsMsi];
+        for (const msi of MSIs) {
+            if (await msi.isAvailable(scopes, this.identityClient, clientId, getTokenOptions)) {
+                this.cachedMSI = msi;
+                return msi;
             }
-            throw new CredentialUnavailableError("ManagedIdentityCredential - No MSI credential available");
-        });
+        }
+        throw new CredentialUnavailableError("ManagedIdentityCredential - No MSI credential available");
     }
-    authenticateManagedIdentity(scopes, clientId, getTokenOptions) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const resource = mapScopesToResource(scopes);
-            const { span, updatedOptions } = createSpan("ManagedIdentityCredential-authenticateManagedIdentity", getTokenOptions);
-            try {
-                // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
-                const availableMSI = yield this.cachedAvailableMSI(resource, clientId, updatedOptions);
-                return availableMSI.getToken(this.identityClient, resource, clientId, updatedOptions);
-            }
-            catch (err) {
-                span.setStatus({
-                    code: SpanStatusCode.ERROR,
-                    message: err.message
-                });
-                throw err;
-            }
-            finally {
-                span.end();
-            }
-        });
+    async authenticateManagedIdentity(scopes, clientId, getTokenOptions) {
+        const { span, updatedOptions } = createSpan("ManagedIdentityCredential-authenticateManagedIdentity", getTokenOptions);
+        try {
+            // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
+            const availableMSI = await this.cachedAvailableMSI(scopes, clientId, updatedOptions);
+            return availableMSI.getToken({
+                identityClient: this.identityClient,
+                scopes,
+                clientId
+            }, updatedOptions);
+        }
+        catch (err) {
+            span.setStatus({
+                code: SpanStatusCode.ERROR,
+                message: err.message
+            });
+            throw err;
+        }
+        finally {
+            span.end();
+        }
     }
     /**
-     * Authenticates with Azure Active Directory and returns an access token if
-     * successful.  If authentication cannot be performed at this time, this method may
-     * return null.  If an error occurs during authentication, an {@link AuthenticationError}
-     * containing failure details will be thrown.
+     * Authenticates with Azure Active Directory and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
      *
      * @param scopes - The list of scopes for which the token will have access.
      * @param options - The options used to configure any requests this
      *                TokenCredential implementation might make.
      */
-    getToken(scopes, options) {
-        return __awaiter(this, void 0, void 0, function* () {
-            let result = null;
-            const { span, updatedOptions } = createSpan("ManagedIdentityCredential-getToken", options);
-            try {
-                // isEndpointAvailable can be true, false, or null,
-                // If it's null, it means we don't yet know whether
-                // the endpoint is available and need to check for it.
-                if (this.isEndpointUnavailable !== true) {
-                    result = yield this.authenticateManagedIdentity(scopes, this.clientId, updatedOptions);
-                    if (result === null) {
-                        // If authenticateManagedIdentity returns null,
-                        // it means no MSI endpoints are available.
-                        // If so, we avoid trying to reach to them in future requests.
-                        this.isEndpointUnavailable = true;
-                        // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
-                        // yet we had no access token. For this reason, we'll throw once with a specific message:
-                        const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                        logger.getToken.info(formatError(scopes, error));
-                        throw error;
-                    }
-                    // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
-                    // We will assume that this endpoint is reachable from this point forward,
-                    // and avoid pinging again to it.
-                    this.isEndpointUnavailable = false;
-                }
-                else {
-                    // We've previously determined that the endpoint was unavailable,
-                    // either because it was unreachable or permanently unable to authenticate.
-                    const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
+    async getToken(scopes, options) {
+        let result = null;
+        const { span, updatedOptions } = createSpan("ManagedIdentityCredential.getToken", options);
+        try {
+            // isEndpointAvailable can be true, false, or null,
+            // If it's null, it means we don't yet know whether
+            // the endpoint is available and need to check for it.
+            if (this.isEndpointUnavailable !== true) {
+                result = await this.authenticateManagedIdentity(scopes, this.clientId, updatedOptions);
+                if (result === null) {
+                    // If authenticateManagedIdentity returns null,
+                    // it means no MSI endpoints are available.
+                    // If so, we avoid trying to reach to them in future requests.
+                    this.isEndpointUnavailable = true;
+                    // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
+                    // yet we had no access token. For this reason, we'll throw once with a specific message:
+                    const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
                     logger.getToken.info(formatError(scopes, error));
                     throw error;
                 }
-                logger.getToken.info(formatSuccess(scopes));
-                return result;
+                // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
+                // We will assume that this endpoint is reachable from this point forward,
+                // and avoid pinging again to it.
+                this.isEndpointUnavailable = false;
             }
-            catch (err) {
-                // CredentialUnavailable errors are expected to reach here.
-                // We intend them to bubble up, so that DefaultAzureCredential can catch them.
-                if (err.name === "AuthenticationRequiredError") {
-                    throw err;
-                }
-                // Expected errors to reach this point:
-                // - Errors coming from a method unexpectedly breaking.
-                // - When identityClient.sendTokenRequest throws, in which case
-                //   if the status code was 400, it means that the endpoint is working,
-                //   but no identity is available.
-                span.setStatus({
-                    code: SpanStatusCode.ERROR,
-                    message: err.message
-                });
-                // If either the network is unreachable,
-                // we can safely assume the credential is unavailable.
-                if (err.code === "ENETUNREACH") {
-                    const error = new CredentialUnavailableError("ManagedIdentityCredential is unavailable. Network unreachable.");
-                    logger.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-                // If either the host was unreachable,
-                // we can safely assume the credential is unavailable.
-                if (err.code === "EHOSTUNREACH") {
-                    const error = new CredentialUnavailableError("ManagedIdentityCredential is unavailable. No managed identity endpoint found.");
-                    logger.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-                // If err.statusCode has a value of 400, it comes from sendTokenRequest,
-                // and it means that the endpoint is working, but that no identity is available.
-                if (err.statusCode === 400) {
-                    throw new CredentialUnavailableError("The managed identity endpoint is indicating there's no available identity");
-                }
-                // If the error has no status code, we can assume there was no available identity.
-                // This will throw silently during any ChainedTokenCredential.
-                if (err.statusCode === undefined) {
-                    throw new CredentialUnavailableError(`ManagedIdentityCredential authentication failed. Message ${err.message}`);
-                }
-                // Any other error should break the chain.
-                throw new AuthenticationError(err.statusCode, {
-                    error: "ManagedIdentityCredential authentication failed.",
-                    error_description: err.message
-                });
+            else {
+                // We've previously determined that the endpoint was unavailable,
+                // either because it was unreachable or permanently unable to authenticate.
+                const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
+                logger.getToken.info(formatError(scopes, error));
+                throw error;
             }
-            finally {
-                // Finally is always called, both if we return and if we throw in the above try/catch.
-                span.end();
+            logger.getToken.info(formatSuccess(scopes));
+            return result;
+        }
+        catch (err) {
+            // CredentialUnavailable errors are expected to reach here.
+            // We intend them to bubble up, so that DefaultAzureCredential can catch them.
+            if (err.name === "AuthenticationRequiredError") {
+                throw err;
+            }
+            // Expected errors to reach this point:
+            // - Errors coming from a method unexpectedly breaking.
+            // - When identityClient.sendTokenRequest throws, in which case
+            //   if the status code was 400, it means that the endpoint is working,
+            //   but no identity is available.
+            span.setStatus({
+                code: SpanStatusCode.ERROR,
+                message: err.message
+            });
+            // If either the network is unreachable,
+            // we can safely assume the credential is unavailable.
+            if (err.code === "ENETUNREACH") {
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. Network unreachable. Message: ${err.message}`);
+                logger.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+            // If either the host was unreachable,
+            // we can safely assume the credential is unavailable.
+            if (err.code === "EHOSTUNREACH") {
+                const error = new CredentialUnavailableError(`ManagedIdentityCredential is unavailable. No managed identity endpoint found. Message: ${err.message}`);
+                logger.getToken.info(formatError(scopes, error));
+                throw error;
             }
-        });
+            // If err.statusCode has a value of 400, it comes from sendTokenRequest,
+            // and it means that the endpoint is working, but that no identity is available.
+            if (err.statusCode === 400) {
+                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
+            }
+            // If the error has no status code, we can assume there was no available identity.
+            // This will throw silently during any ChainedTokenCredential.
+            if (err.statusCode === undefined) {
+                throw new CredentialUnavailableError(`ManagedIdentityCredential authentication failed. Message ${err.message}`);
+            }
+            // Any other error should break the chain.
+            throw new AuthenticationError(err.statusCode, {
+                error: "ManagedIdentityCredential authentication failed.",
+                error_description: err.message
+            });
+        }
+        finally {
+            // Finally is always called, both if we return and if we throw in the above try/catch.
+            span.end();
+        }
     }
 }
 //# sourceMappingURL=index.js.map