@azure/identity 2.0.0-beta.4 → 2.0.1-alpha.20211025.3

package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2017.js.map

@@ -1 +1 @@
-{"version":3,"file":"appServiceMsi2017.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/appServiceMsi2017.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAOlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE7C,MAAM,MAAM,GAAG,gBAAgB,CAAC,gDAAgD,CAAC,CAAC;AAElF,SAAS,eAAe,CAAC,WAAgB;IACvC,4DAA4D;IAC5D,8CAA8C;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB,EAAE,QAAiB;IAChE,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,YAAY;KAC5B,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,eAAe,CAAC,QAAQ,GAAG,QAAQ,CAAC;KACrC;IAED,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;QAC7B,MAAM,EAAE,KAAK;QACb,eAAe;QACf,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;YAC1B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;SAC/B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAQ;IACpC,KAAK,CAAC,WAAW;QACf,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACxB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;SAC/D;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,cAA8B,EAC9B,QAAgB,EAChB,QAAiB,EACjB,kBAAmC,EAAE;QAErC,MAAM,CAAC,IAAI,CACT,yFAAyF,OAAO,CAAC,GAAG,CAAC,YAAY,6BAA6B,CAC/I,CAAC;QAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACzC,eAAe,EACf,eAAe,CAChB,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\n\nimport { RequestPrepareOptions } from \"@azure/core-http\";\n\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { MSI } from \"./models\";\nimport { msiGenericGetToken } from \"./utils\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential - AppServiceMSI 2017\");\n\nfunction expiresInParser(requestBody: any): number {\n  // Parse a date format like \"06/20/2019 02:57:58 +00:00\" and\n  // convert it into a JavaScript-formatted date\n  return Date.parse(requestBody.expires_on);\n}\n\nfunction prepareRequestOptions(resource: string, clientId?: string): RequestPrepareOptions {\n  const queryParameters: any = {\n    resource,\n    \"api-version\": \"2017-09-01\"\n  };\n\n  if (clientId) {\n    queryParameters.clientid = clientId;\n  }\n\n  return {\n    url: process.env.MSI_ENDPOINT,\n    method: \"GET\",\n    queryParameters,\n    headers: {\n      Accept: \"application/json\",\n      secret: process.env.MSI_SECRET\n    }\n  };\n}\n\nexport const appServiceMsi2017: MSI = {\n  async isAvailable(): Promise<boolean> {\n    const env = process.env;\n    const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);\n    if (!result) {\n      logger.info(\"The Azure App Service MSI 2017 is unavailable.\");\n    }\n    return result;\n  },\n  async getToken(\n    identityClient: IdentityClient,\n    resource: string,\n    clientId?: string,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    logger.info(\n      `Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`\n    );\n\n    return msiGenericGetToken(\n      identityClient,\n      prepareRequestOptions(resource, clientId),\n      expiresInParser,\n      getTokenOptions\n    );\n  }\n};\n"]}
+{"version":3,"file":"appServiceMsi2017.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/appServiceMsi2017.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,iBAAiB,EAA0B,MAAM,2BAA2B,CAAC;AAEtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAElE,MAAM,OAAO,GAAG,gDAAgD,CAAC;AACjE,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,SAAS,eAAe,CAAC,WAAgB;IACvC,4DAA4D;IAC5D,8CAA8C;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB;IAEjB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;KACnE;IAED,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,YAAY;KAC5B,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,eAAe,CAAC,QAAQ,GAAG,QAAQ,CAAC;KACrC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnD,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE;QAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,8CAA8C,CAAC,CAAC;KAC3E;IACD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE;QAC3B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,4CAA4C,CAAC,CAAC;KACzE;IAED,OAAO;QACL,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE;QACtD,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU;SAC/B,CAAC;KACH,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAQ;IACpC,KAAK,CAAC,WAAW,CAAC,MAAM;QACtB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;SACd;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACxB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QAC3D,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,mFAAmF,CAC9F,CAAC;SACH;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAE3D,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,2FAA2F,OAAO,CAAC,GAAG,CAAC,YAAY,6BAA6B,CAC3J,CAAC;QAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EACvC,eAAe,EACf,eAAe,CAChB,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { createHttpHeaders, PipelineRequestOptions } from \"@azure/core-rest-pipeline\";\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { mapScopesToResource, msiGenericGetToken } from \"./utils\";\n\nconst msiName = \"ManagedIdentityCredential - AppServiceMSI 2017\";\nconst logger = credentialLogger(msiName);\n\nfunction expiresInParser(requestBody: any): number {\n  // Parse a date format like \"06/20/2019 02:57:58 +00:00\" and\n  // convert it into a JavaScript-formatted date\n  return Date.parse(requestBody.expires_on);\n}\n\nfunction prepareRequestOptions(\n  scopes: string | string[],\n  clientId?: string\n): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n\n  const queryParameters: any = {\n    resource,\n    \"api-version\": \"2017-09-01\"\n  };\n\n  if (clientId) {\n    queryParameters.clientid = clientId;\n  }\n\n  const query = new URLSearchParams(queryParameters);\n\n  // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n  if (!process.env.MSI_ENDPOINT) {\n    throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);\n  }\n  if (!process.env.MSI_SECRET) {\n    throw new Error(`${msiName}: Missing environment variable: MSI_SECRET`);\n  }\n\n  return {\n    url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,\n    method: \"GET\",\n    headers: createHttpHeaders({\n      Accept: \"application/json\",\n      secret: process.env.MSI_SECRET\n    })\n  };\n}\n\nexport const appServiceMsi2017: MSI = {\n  async isAvailable(scopes): Promise<boolean> {\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n    const env = process.env;\n    const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);\n    if (!result) {\n      logger.info(\n        `${msiName}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`\n      );\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    const { identityClient, scopes, clientId } = configuration;\n\n    logger.info(\n      `${msiName}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`\n    );\n\n    return msiGenericGetToken(\n      identityClient,\n      prepareRequestOptions(scopes, clientId),\n      expiresInParser,\n      getTokenOptions\n    );\n  }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js

@@ -1,28 +1,38 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
+import { createHttpHeaders, createPipelineRequest } from "@azure/core-rest-pipeline";
+import { readFile } from "fs";
 import { credentialLogger } from "../../util/logging";
-import { msiGenericGetToken } from "./utils";
+import { mapScopesToResource, msiGenericGetToken } from "./utils";
 import { azureArcAPIVersion } from "./constants";
-import { AuthenticationError } from "../../client/errors";
-import { readFile } from "fs";
-const logger = credentialLogger("ManagedIdentityCredential - ArcMSI");
+import { AuthenticationError } from "../../errors";
+const msiName = "ManagedIdentityCredential - Azure Arc MSI";
+const logger = credentialLogger(msiName);
 // Azure Arc MSI doesn't have a special expiresIn parser.
 const expiresInParser = undefined;
-function prepareRequestOptions(resource) {
+function prepareRequestOptions(scopes) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": azureArcAPIVersion
     };
-    return {
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);
+    }
+    return createPipelineRequest({
         // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token
-        url: process.env.IDENTITY_ENDPOINT,
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
         method: "GET",
-        queryParameters,
-        headers: {
+        headers: createHttpHeaders({
             Accept: "application/json",
-            Metadata: true
-        }
-    };
+            Metadata: "true"
+        })
+    });
 }
 // Since "fs"'s readFileSync locks the thread, and to avoid extra dependencies.
 function readFileAsync(path, options) {
@@ -34,37 +44,49 @@ function readFileAsync(path, options) {
     }));
 }
 async function filePathRequest(identityClient, requestPrepareOptions) {
-    const response = await identityClient.sendRequest(identityClient.createWebResource(requestPrepareOptions));
+    const response = await identityClient.sendRequest(createPipelineRequest(requestPrepareOptions));
     if (response.status !== 401) {
         let message = "";
         if (response.bodyAsText) {
             message = ` Response: ${response.bodyAsText}`;
         }
-        throw new AuthenticationError(response.status, `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`);
+        throw new AuthenticationError(response.status, `${msiName}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
     }
     const authHeader = response.headers.get("www-authenticate") || "";
-    return authHeader.split("=").slice(1)[0];
+    try {
+        return authHeader.split("=").slice(1)[0];
+    }
+    catch (e) {
+        throw Error(`Invalid www-authenticate header format: ${authHeader}`);
+    }
 }
 export const arcMsi = {
-    async isAvailable() {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
         if (!result) {
-            logger.info("The Azure Arc MSI is unavailable.");
+            logger.info(`${msiName}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
         }
         return result;
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        logger.info(`Using the Azure Arc MSI to authenticate.`);
+    async getToken(configuration, getTokenOptions = {}) {
+        var _a;
+        const { identityClient, scopes, clientId } = configuration;
+        logger.info(`${msiName}: Authenticating.`);
         if (clientId) {
-            throw new Error("User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.");
+            throw new Error(`${msiName}: User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity, omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.`);
         }
-        const requestOptions = Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal, spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions }, prepareRequestOptions(resource));
+        const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
         if (!filePath) {
-            throw new Error("Azure Arc MSI failed to find the token file.");
+            throw new Error(`${msiName}: Failed to find the token file.`);
         }
         const key = await readFileAsync(filePath, { encoding: "utf-8" });
-        requestOptions.headers["Authorization"] = `Basic ${key}`;
+        (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         return msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions);
     }
 };

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js.map

@@ -1 +1 @@
-{"version":3,"file":"arcMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/arcMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAMlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAE9B,MAAM,MAAM,GAAG,gBAAgB,CAAC,oCAAoC,CAAC,CAAC;AAEtE,yDAAyD;AACzD,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAAC,QAAiB;IAC9C,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,OAAO;QACL,8EAA8E;QAC9E,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAClC,MAAM,EAAE,KAAK;QACb,eAAe;QACf,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,IAAI;SACf;KACF,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,SAAS,aAAa,CAAC,IAAY,EAAE,OAA6B;IAChE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CACrC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,GAAG,EAAE;YACP,MAAM,CAAC,GAAG,CAAC,CAAC;SACb;QACD,OAAO,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,cAA8B,EAC9B,qBAA4C;IAE5C,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAC/C,cAAc,CAAC,iBAAiB,CAAC,qBAAqB,CAAC,CACxD,CAAC;IAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;QAC3B,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,UAAU,EAAE;YACvB,OAAO,GAAG,cAAc,QAAQ,CAAC,UAAU,EAAE,CAAC;SAC/C;QACD,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,CAAC,MAAM,EACf,wFAAwF,OAAO,EAAE,CAClG,CAAC;KACH;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IAClE,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,CAAC,MAAM,MAAM,GAAQ;IACzB,KAAK,CAAC,WAAW;QACf,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACnF,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;SAClD;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,cAA8B,EAC9B,QAAiB,EACjB,QAAiB,EACjB,kBAAmC,EAAE;QAErC,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;QAExD,IAAI,QAAQ,EAAE;YACZ,MAAM,IAAI,KAAK,CACb,4TAA4T,CAC7T,CAAC;SACH;QAED,MAAM,cAAc,mBAClB,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,eAAe,CAAC,WAAW,EACxC,WAAW,EAAE,eAAe,CAAC,cAAc,IAAI,eAAe,CAAC,cAAc,CAAC,WAAW,IACtF,qBAAqB,CAAC,QAAQ,CAAC,CACnC,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QAEvE,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;SACjE;QAED,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,cAAc,CAAC,OAAQ,CAAC,eAAe,CAAC,GAAG,SAAS,GAAG,EAAE,CAAC;QAE1D,OAAO,kBAAkB,CAAC,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;IAC9F,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { RequestPrepareOptions } from \"@azure/core-http\";\n\nimport { MSI } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { msiGenericGetToken } from \"./utils\";\nimport { azureArcAPIVersion } from \"./constants\";\nimport { AuthenticationError } from \"../../client/errors\";\nimport { readFile } from \"fs\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential - ArcMSI\");\n\n// Azure Arc MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(resource?: string): RequestPrepareOptions {\n  const queryParameters: any = {\n    resource,\n    \"api-version\": azureArcAPIVersion\n  };\n\n  return {\n    // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token\n    url: process.env.IDENTITY_ENDPOINT,\n    method: \"GET\",\n    queryParameters,\n    headers: {\n      Accept: \"application/json\",\n      Metadata: true\n    }\n  };\n}\n\n// Since \"fs\"'s readFileSync locks the thread, and to avoid extra dependencies.\nfunction readFileAsync(path: string, options: { encoding: string }): Promise<string> {\n  return new Promise((resolve, reject) =>\n    readFile(path, options, (err, data) => {\n      if (err) {\n        reject(err);\n      }\n      resolve(data);\n    })\n  );\n}\n\nasync function filePathRequest(\n  identityClient: IdentityClient,\n  requestPrepareOptions: RequestPrepareOptions\n): Promise<string | undefined> {\n  const response = await identityClient.sendRequest(\n    identityClient.createWebResource(requestPrepareOptions)\n  );\n\n  if (response.status !== 401) {\n    let message = \"\";\n    if (response.bodyAsText) {\n      message = ` Response: ${response.bodyAsText}`;\n    }\n    throw new AuthenticationError(\n      response.status,\n      `To authenticate with Azure Arc MSI, status code 401 is expected on the first request.${message}`\n    );\n  }\n\n  const authHeader = response.headers.get(\"www-authenticate\") || \"\";\n  return authHeader.split(\"=\").slice(1)[0];\n}\n\nexport const arcMsi: MSI = {\n  async isAvailable(): Promise<boolean> {\n    const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);\n    if (!result) {\n      logger.info(\"The Azure Arc MSI is unavailable.\");\n    }\n    return result;\n  },\n  async getToken(\n    identityClient: IdentityClient,\n    resource?: string,\n    clientId?: string,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    logger.info(`Using the Azure Arc MSI to authenticate.`);\n\n    if (clientId) {\n      throw new Error(\n        \"User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.\"\n      );\n    }\n\n    const requestOptions = {\n      disableJsonStringifyOnBody: true,\n      deserializationMapper: undefined,\n      abortSignal: getTokenOptions.abortSignal,\n      spanOptions: getTokenOptions.tracingOptions && getTokenOptions.tracingOptions.spanOptions,\n      ...prepareRequestOptions(resource)\n    };\n\n    const filePath = await filePathRequest(identityClient, requestOptions);\n\n    if (!filePath) {\n      throw new Error(\"Azure Arc MSI failed to find the token file.\");\n    }\n\n    const key = await readFileAsync(filePath, { encoding: \"utf-8\" });\n    requestOptions.headers![\"Authorization\"] = `Basic ${key}`;\n\n    return msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions);\n  }\n};\n"]}
+{"version":3,"file":"arcMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/arcMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EACL,iBAAiB,EACjB,qBAAqB,EAEtB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAE9B,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAEnD,MAAM,OAAO,GAAG,2CAA2C,CAAC;AAC5D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,yDAAyD;AACzD,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAAC,MAAyB;IACtD,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;KACnE;IACD,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnD,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;KAChF;IAED,OAAO,qBAAqB,CAAC;QAC3B,8EAA8E;QAC9E,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE;QAC3D,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,MAAM;SACjB,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,SAAS,aAAa,CAAC,IAAY,EAAE,OAA6B;IAChE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CACrC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,GAAG,EAAE;YACP,MAAM,CAAC,GAAG,CAAC,CAAC;SACb;QACD,OAAO,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,cAA8B,EAC9B,qBAA6C;IAE7C,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,qBAAqB,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEhG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE;QAC3B,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,UAAU,EAAE;YACvB,OAAO,GAAG,cAAc,QAAQ,CAAC,UAAU,EAAE,CAAC;SAC/C;QACD,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,CAAC,MAAM,EACf,GAAG,OAAO,2FAA2F,OAAO,EAAE,CAC/G,CAAC;KACH;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IAClE,IAAI;QACF,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;KAC1C;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,KAAK,CAAC,2CAA2C,UAAU,EAAE,CAAC,CAAC;KACtE;AACH,CAAC;AAED,MAAM,CAAC,MAAM,MAAM,GAAQ;IACzB,KAAK,CAAC,WAAW,CAAC,MAAM;QACtB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;SACd;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACnF,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,6EAA6E,CACxF,CAAC;SACH;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAE3D,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mBAAmB,CAAC,CAAC;QAE3C,IAAI,QAAQ,EAAE;YACZ,MAAM,IAAI,KAAK,CACb,GAAG,OAAO,+TAA+T,CAC1U,CAAC;SACH;QAED,MAAM,cAAc,iCAClB,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,eAAe,CAAC,WAAW,IACrC,qBAAqB,CAAC,MAAM,CAAC,KAChC,uBAAuB,EAAE,IAAI,GAC9B,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QAEvE,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,kCAAkC,CAAC,CAAC;SAC/D;QAED,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,MAAA,cAAc,CAAC,OAAO,0CAAE,GAAG,CAAC,eAAe,EAAE,SAAS,GAAG,EAAE,CAAC,CAAC;QAE7D,OAAO,kBAAkB,CAAC,cAAc,EAAE,cAAc,EAAE,eAAe,EAAE,eAAe,CAAC,CAAC;IAC9F,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport {\n  createHttpHeaders,\n  createPipelineRequest,\n  PipelineRequestOptions\n} from \"@azure/core-rest-pipeline\";\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { readFile } from \"fs\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { mapScopesToResource, msiGenericGetToken } from \"./utils\";\nimport { azureArcAPIVersion } from \"./constants\";\nimport { AuthenticationError } from \"../../errors\";\n\nconst msiName = \"ManagedIdentityCredential - Azure Arc MSI\";\nconst logger = credentialLogger(msiName);\n\n// Azure Arc MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(scopes: string | string[]): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n  const queryParameters: any = {\n    resource,\n    \"api-version\": azureArcAPIVersion\n  };\n\n  const query = new URLSearchParams(queryParameters);\n\n  // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n  if (!process.env.IDENTITY_ENDPOINT) {\n    throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);\n  }\n\n  return createPipelineRequest({\n    // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token\n    url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,\n    method: \"GET\",\n    headers: createHttpHeaders({\n      Accept: \"application/json\",\n      Metadata: \"true\"\n    })\n  });\n}\n\n// Since \"fs\"'s readFileSync locks the thread, and to avoid extra dependencies.\nfunction readFileAsync(path: string, options: { encoding: string }): Promise<string> {\n  return new Promise((resolve, reject) =>\n    readFile(path, options, (err, data) => {\n      if (err) {\n        reject(err);\n      }\n      resolve(data);\n    })\n  );\n}\n\nasync function filePathRequest(\n  identityClient: IdentityClient,\n  requestPrepareOptions: PipelineRequestOptions\n): Promise<string | undefined> {\n  const response = await identityClient.sendRequest(createPipelineRequest(requestPrepareOptions));\n\n  if (response.status !== 401) {\n    let message = \"\";\n    if (response.bodyAsText) {\n      message = ` Response: ${response.bodyAsText}`;\n    }\n    throw new AuthenticationError(\n      response.status,\n      `${msiName}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`\n    );\n  }\n\n  const authHeader = response.headers.get(\"www-authenticate\") || \"\";\n  try {\n    return authHeader.split(\"=\").slice(1)[0];\n  } catch (e) {\n    throw Error(`Invalid www-authenticate header format: ${authHeader}`);\n  }\n}\n\nexport const arcMsi: MSI = {\n  async isAvailable(scopes): Promise<boolean> {\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n    const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);\n    if (!result) {\n      logger.info(\n        `${msiName}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`\n      );\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    const { identityClient, scopes, clientId } = configuration;\n\n    logger.info(`${msiName}: Authenticating.`);\n\n    if (clientId) {\n      throw new Error(\n        `${msiName}: User assigned identity is not supported by the Azure Arc Managed Identity Endpoint. To authenticate with the system assigned identity, omit the client id when constructing the ManagedIdentityCredential, or if authenticating with the DefaultAzureCredential ensure the AZURE_CLIENT_ID environment variable is not set.`\n      );\n    }\n\n    const requestOptions = {\n      disableJsonStringifyOnBody: true,\n      deserializationMapper: undefined,\n      abortSignal: getTokenOptions.abortSignal,\n      ...prepareRequestOptions(scopes),\n      allowInsecureConnection: true\n    };\n\n    const filePath = await filePathRequest(identityClient, requestOptions);\n\n    if (!filePath) {\n      throw new Error(`${msiName}: Failed to find the token file.`);\n    }\n\n    const key = await readFileAsync(filePath, { encoding: \"utf-8\" });\n    requestOptions.headers?.set(\"Authorization\", `Basic ${key}`);\n\n    return msiGenericGetToken(identityClient, requestOptions, expiresInParser, getTokenOptions);\n  }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/cloudShellMsi.js

@@ -1,40 +1,56 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import qs from "qs";
+import { createHttpHeaders } from "@azure/core-rest-pipeline";
 import { credentialLogger } from "../../util/logging";
-import { msiGenericGetToken } from "./utils";
-const logger = credentialLogger("ManagedIdentityCredential - CloudShellMSI");
+import { mapScopesToResource, msiGenericGetToken } from "./utils";
+const msiName = "ManagedIdentityCredential - CloudShellMSI";
+const logger = credentialLogger(msiName);
 // Cloud Shell MSI doesn't have a special expiresIn parser.
 const expiresInParser = undefined;
-function prepareRequestOptions(resource, clientId) {
+function prepareRequestOptions(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
     const body = {
         resource
     };
     if (clientId) {
         body.client_id = clientId;
     }
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.MSI_ENDPOINT) {
+        throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);
+    }
+    const params = new URLSearchParams(body);
     return {
         url: process.env.MSI_ENDPOINT,
         method: "POST",
-        body: qs.stringify(body),
-        headers: {
+        body: params.toString(),
+        headers: createHttpHeaders({
             Accept: "application/json",
-            Metadata: true,
+            Metadata: "true",
             "Content-Type": "application/x-www-form-urlencoded"
-        }
+        })
     };
 }
 export const cloudShellMsi = {
-    async isAvailable() {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const result = Boolean(process.env.MSI_ENDPOINT);
         if (!result) {
-            logger.info("The Azure Cloud Shell MSI is unavailable.");
+            logger.info(`${msiName}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
         }
         return result;
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        logger.info(`Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the Cloud Shell to proceed with the authentication.`);
-        return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger.info(`${msiName}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
+        return msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions);
     }
 };
 //# sourceMappingURL=cloudShellMsi.js.map

package/dist-esm/src/credentials/managedIdentityCredential/cloudShellMsi.js.map

@@ -1 +1 @@
-{"version":3,"file":"cloudShellMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/cloudShellMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,MAAM,IAAI,CAAC;AAMpB,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAE7C,MAAM,MAAM,GAAG,gBAAgB,CAAC,2CAA2C,CAAC,CAAC;AAE7E,2DAA2D;AAC3D,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAAC,QAAgB,EAAE,QAAiB;IAChE,MAAM,IAAI,GAAQ;QAChB,QAAQ;KACT,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;KAC3B;IAED,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;QAC7B,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC;QACxB,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,IAAI;YACd,cAAc,EAAE,mCAAmC;SACpD;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAQ;IAChC,KAAK,CAAC,WAAW;QACf,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;SAC1D;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,cAA8B,EAC9B,QAAgB,EAChB,QAAiB,EACjB,kBAAmC,EAAE;QAErC,MAAM,CAAC,IAAI,CACT,wEAAwE,OAAO,CAAC,GAAG,CAAC,YAAY,iEAAiE,CAClK,CAAC;QAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACzC,eAAe,EACf,eAAe,CAChB,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport qs from \"qs\";\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { RequestPrepareOptions } from \"@azure/core-http\";\n\nimport { MSI } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { msiGenericGetToken } from \"./utils\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential - CloudShellMSI\");\n\n// Cloud Shell MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(resource: string, clientId?: string): RequestPrepareOptions {\n  const body: any = {\n    resource\n  };\n\n  if (clientId) {\n    body.client_id = clientId;\n  }\n\n  return {\n    url: process.env.MSI_ENDPOINT,\n    method: \"POST\",\n    body: qs.stringify(body),\n    headers: {\n      Accept: \"application/json\",\n      Metadata: true,\n      \"Content-Type\": \"application/x-www-form-urlencoded\"\n    }\n  };\n}\n\nexport const cloudShellMsi: MSI = {\n  async isAvailable(): Promise<boolean> {\n    const result = Boolean(process.env.MSI_ENDPOINT);\n    if (!result) {\n      logger.info(\"The Azure Cloud Shell MSI is unavailable.\");\n    }\n    return result;\n  },\n  async getToken(\n    identityClient: IdentityClient,\n    resource: string,\n    clientId?: string,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    logger.info(\n      `Using the endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the Cloud Shell to proceed with the authentication.`\n    );\n\n    return msiGenericGetToken(\n      identityClient,\n      prepareRequestOptions(resource, clientId),\n      expiresInParser,\n      getTokenOptions\n    );\n  }\n};\n"]}
+{"version":3,"file":"cloudShellMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/cloudShellMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAAE,iBAAiB,EAA0B,MAAM,2BAA2B,CAAC;AAGtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAElE,MAAM,OAAO,GAAG,2CAA2C,CAAC;AAC5D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,2DAA2D;AAC3D,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB;IAEjB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;KACnE;IAED,MAAM,IAAI,GAAQ;QAChB,QAAQ;KACT,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;KAC3B;IAED,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE;QAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,8CAA8C,CAAC,CAAC;KAC3E;IACD,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC;IACzC,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY;QAC7B,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,MAAM;YAChB,cAAc,EAAE,mCAAmC;SACpD,CAAC;KACH,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAQ;IAChC,KAAK,CAAC,WAAW,CAAC,MAAM;QACtB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;SACd;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,iEAAiE,CAAC,CAAC;SAC1F;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAE3D,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,4EAA4E,OAAO,CAAC,GAAG,CAAC,YAAY,GAAG,CAClH,CAAC;QAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EACvC,eAAe,EACf,eAAe,CAChB,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { createHttpHeaders, PipelineRequestOptions } from \"@azure/core-rest-pipeline\";\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { mapScopesToResource, msiGenericGetToken } from \"./utils\";\n\nconst msiName = \"ManagedIdentityCredential - CloudShellMSI\";\nconst logger = credentialLogger(msiName);\n\n// Cloud Shell MSI doesn't have a special expiresIn parser.\nconst expiresInParser = undefined;\n\nfunction prepareRequestOptions(\n  scopes: string | string[],\n  clientId?: string\n): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n\n  const body: any = {\n    resource\n  };\n\n  if (clientId) {\n    body.client_id = clientId;\n  }\n\n  // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n  if (!process.env.MSI_ENDPOINT) {\n    throw new Error(`${msiName}: Missing environment variable: MSI_ENDPOINT`);\n  }\n  const params = new URLSearchParams(body);\n  return {\n    url: process.env.MSI_ENDPOINT,\n    method: \"POST\",\n    body: params.toString(),\n    headers: createHttpHeaders({\n      Accept: \"application/json\",\n      Metadata: \"true\",\n      \"Content-Type\": \"application/x-www-form-urlencoded\"\n    })\n  };\n}\n\nexport const cloudShellMsi: MSI = {\n  async isAvailable(scopes): Promise<boolean> {\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n    const result = Boolean(process.env.MSI_ENDPOINT);\n    if (!result) {\n      logger.info(`${msiName}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    const { identityClient, scopes, clientId } = configuration;\n\n    logger.info(\n      `${msiName}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`\n    );\n\n    return msiGenericGetToken(\n      identityClient,\n      prepareRequestOptions(scopes, clientId),\n      expiresInParser,\n      getTokenOptions\n    );\n  }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/constants.js

@@ -1,7 +1,8 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 export const DefaultScopeSuffix = "/.default";
-export const imdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
+export const imdsHost = "http://169.254.169.254";
+export const imdsEndpointPath = "/metadata/identity/oauth2/token";
 export const imdsApiVersion = "2018-02-01";
 export const azureArcAPIVersion = "2019-11-01";
 export const azureFabricVersion = "2019-07-01-preview";

package/dist-esm/src/credentials/managedIdentityCredential/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,MAAM,CAAC,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAE9C,MAAM,CAAC,MAAM,YAAY,GAAG,uDAAuD,CAAC;AACpF,MAAM,CAAC,MAAM,cAAc,GAAG,YAAY,CAAC;AAC3C,MAAM,CAAC,MAAM,kBAAkB,GAAG,YAAY,CAAC;AAC/C,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nexport const DefaultScopeSuffix = \"/.default\";\n\nexport const imdsEndpoint = \"http://169.254.169.254/metadata/identity/oauth2/token\";\nexport const imdsApiVersion = \"2018-02-01\";\nexport const azureArcAPIVersion = \"2019-11-01\";\nexport const azureFabricVersion = \"2019-07-01-preview\";\n"]}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,MAAM,CAAC,MAAM,kBAAkB,GAAG,WAAW,CAAC;AAE9C,MAAM,CAAC,MAAM,QAAQ,GAAG,wBAAwB,CAAC;AACjD,MAAM,CAAC,MAAM,gBAAgB,GAAG,iCAAiC,CAAC;AAClE,MAAM,CAAC,MAAM,cAAc,GAAG,YAAY,CAAC;AAC3C,MAAM,CAAC,MAAM,kBAAkB,GAAG,YAAY,CAAC;AAC/C,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nexport const DefaultScopeSuffix = \"/.default\";\n\nexport const imdsHost = \"http://169.254.169.254\";\nexport const imdsEndpointPath = \"/metadata/identity/oauth2/token\";\nexport const imdsApiVersion = \"2018-02-01\";\nexport const azureArcAPIVersion = \"2019-11-01\";\nexport const azureFabricVersion = \"2019-07-01-preview\";\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/fabricMsi.js

@@ -1,14 +1,21 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
+import https from "https";
+import { createHttpHeaders } from "@azure/core-rest-pipeline";
 import { credentialLogger } from "../../util/logging";
-import { msiGenericGetToken } from "./utils";
+import { mapScopesToResource, msiGenericGetToken } from "./utils";
 import { azureFabricVersion } from "./constants";
-const logger = credentialLogger("ManagedIdentityCredential - Fabric MSI");
+const msiName = "ManagedIdentityCredential - Fabric MSI";
+const logger = credentialLogger(msiName);
 function expiresInParser(requestBody) {
     // Parses a string representation of the seconds since epoch into a number value
     return Number(requestBody.expires_on);
 }
-function prepareRequestOptions(resource, clientId) {
+function prepareRequestOptions(scopes, clientId) {
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
     const queryParameters = {
         resource,
         "api-version": azureFabricVersion
@@ -16,14 +23,21 @@ function prepareRequestOptions(resource, clientId) {
     if (clientId) {
         queryParameters.client_id = clientId;
     }
+    const query = new URLSearchParams(queryParameters);
+    // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
+    if (!process.env.IDENTITY_ENDPOINT) {
+        throw new Error("Missing environment variable: IDENTITY_ENDPOINT");
+    }
+    if (!process.env.IDENTITY_HEADER) {
+        throw new Error("Missing environment variable: IDENTITY_HEADER");
+    }
     return {
-        url: process.env.IDENTITY_ENDPOINT,
+        url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
         method: "GET",
-        queryParameters,
-        headers: {
+        headers: createHttpHeaders({
             Accept: "application/json",
             Secret: process.env.IDENTITY_HEADER
-        }
+        })
     };
 }
 // This credential can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
@@ -37,22 +51,33 @@ function prepareRequestOptions(resource, clientId) {
 //   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
 //
 export const fabricMsi = {
-    async isAvailable() {
+    async isAvailable(scopes) {
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
         const env = process.env;
         const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
         if (!result) {
-            logger.info("The Azure App Service Fabric MSI is unavailable.");
+            logger.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
         }
         return result;
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
+    async getToken(configuration, getTokenOptions = {}) {
+        const { scopes, identityClient, clientId } = configuration;
         logger.info([
+            `${msiName}:`,
             "Using the endpoint and the secret coming from the environment variables:",
             `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
             "IDENTITY_HEADER=[REDACTED] and",
             "IDENTITY_SERVER_THUMBPRINT=[REDACTED]."
         ].join(" "));
-        return msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+        return msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions, new https.Agent({
+            // This is necessary because Service Fabric provides a self-signed certificate.
+            // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
+            rejectUnauthorized: false
+        }));
     }
 };
 //# sourceMappingURL=fabricMsi.js.map

package/dist-esm/src/credentials/managedIdentityCredential/fabricMsi.js.map

@@ -1 +1 @@
-{"version":3,"file":"fabricMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/fabricMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAMlC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,MAAM,GAAG,gBAAgB,CAAC,wCAAwC,CAAC,CAAC;AAE1E,SAAS,eAAe,CAAC,WAAgB;IACvC,gFAAgF;IAChF,OAAO,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,qBAAqB,CAAC,QAAgB,EAAE,QAAiB;IAChE,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;KACtC;IAED,OAAO;QACL,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB;QAClC,MAAM,EAAE,KAAK;QACb,eAAe;QACf,OAAO,EAAE;YACP,MAAM,EAAE,kBAAkB;YAC1B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;SACpC;KACF,CAAC;AACJ,CAAC;AAED,6GAA6G;AAC7G,EAAE;AACF,iBAAiB;AACjB,2CAA2C;AAC3C,4BAA4B;AAC5B,EAAE;AACF,kCAAkC;AAClC,EAAE;AACF,wIAAwI;AACxI,EAAE;AAEF,MAAM,CAAC,MAAM,SAAS,GAAQ;IAC5B,KAAK,CAAC,WAAW;QACf,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACxB,MAAM,MAAM,GAAG,OAAO,CACpB,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,0BAA0B,CAC/E,CAAC;QACF,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;SACjE;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,cAA8B,EAC9B,QAAgB,EAChB,QAAiB,EACjB,kBAAmC,EAAE;QAErC,MAAM,CAAC,IAAI,CACT;YACE,0EAA0E;YAC1E,qBAAqB,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG;YACrD,gCAAgC;YAChC,wCAAwC;SACzC,CAAC,IAAI,CAAC,GAAG,CAAC,CACZ,CAAC;QAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACzC,eAAe,EACf,eAAe,CAChB,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { RequestPrepareOptions } from \"@azure/core-http\";\n\nimport { MSI } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { msiGenericGetToken } from \"./utils\";\nimport { azureFabricVersion } from \"./constants\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential - Fabric MSI\");\n\nfunction expiresInParser(requestBody: any): number {\n  // Parses a string representation of the seconds since epoch into a number value\n  return Number(requestBody.expires_on);\n}\n\nfunction prepareRequestOptions(resource: string, clientId?: string): RequestPrepareOptions {\n  const queryParameters: any = {\n    resource,\n    \"api-version\": azureFabricVersion\n  };\n\n  if (clientId) {\n    queryParameters.client_id = clientId;\n  }\n\n  return {\n    url: process.env.IDENTITY_ENDPOINT,\n    method: \"GET\",\n    queryParameters,\n    headers: {\n      Accept: \"application/json\",\n      Secret: process.env.IDENTITY_HEADER\n    }\n  };\n}\n\n// This credential can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:\n//\n//   FROM node:12\n//   RUN wget https://host.any/path/bash.sh\n//   CMD [\"bash\", \"bash.sh\"]\n//\n// Where the bash script contains:\n//\n//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H \"Secret: $IDENTITY_HEADER\"\n//\n\nexport const fabricMsi: MSI = {\n  async isAvailable(): Promise<boolean> {\n    const env = process.env;\n    const result = Boolean(\n      env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT\n    );\n    if (!result) {\n      logger.info(\"The Azure App Service Fabric MSI is unavailable.\");\n    }\n    return result;\n  },\n  async getToken(\n    identityClient: IdentityClient,\n    resource: string,\n    clientId?: string,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    logger.info(\n      [\n        \"Using the endpoint and the secret coming from the environment variables:\",\n        `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,\n        \"IDENTITY_HEADER=[REDACTED] and\",\n        \"IDENTITY_SERVER_THUMBPRINT=[REDACTED].\"\n      ].join(\" \")\n    );\n\n    return msiGenericGetToken(\n      identityClient,\n      prepareRequestOptions(resource, clientId),\n      expiresInParser,\n      getTokenOptions\n    );\n  }\n};\n"]}
+{"version":3,"file":"fabricMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/fabricMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,iBAAiB,EAA0B,MAAM,2BAA2B,CAAC;AAGtF,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,OAAO,GAAG,wCAAwC,CAAC;AACzD,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC,SAAS,eAAe,CAAC,WAAgB;IACvC,gFAAgF;IAChF,OAAO,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB;IAEjB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;KACnE;IAED,MAAM,eAAe,GAAQ;QAC3B,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,IAAI,QAAQ,EAAE;QACZ,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;KACtC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnD,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;KACpE;IACD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE;QAChC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;KAClE;IAED,OAAO;QACL,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE;QAC3D,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe;SACpC,CAAC;KACH,CAAC;AACJ,CAAC;AAED,6GAA6G;AAC7G,EAAE;AACF,iBAAiB;AACjB,2CAA2C;AAC3C,4BAA4B;AAC5B,EAAE;AACF,kCAAkC;AAClC,EAAE;AACF,wIAAwI;AACxI,EAAE;AAEF,MAAM,CAAC,MAAM,SAAS,GAAQ;IAC5B,KAAK,CAAC,WAAW,CAAC,MAAM;QACtB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;SACd;QACD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QACxB,MAAM,MAAM,GAAG,OAAO,CACpB,GAAG,CAAC,iBAAiB,IAAI,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,0BAA0B,CAC/E,CAAC;QACF,IAAI,CAAC,MAAM,EAAE;YACX,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,wHAAwH,CACnI,CAAC;SACH;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;QAErC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,GAAG,aAAa,CAAC;QAE3D,MAAM,CAAC,IAAI,CACT;YACE,GAAG,OAAO,GAAG;YACb,0EAA0E;YAC1E,qBAAqB,OAAO,CAAC,GAAG,CAAC,iBAAiB,GAAG;YACrD,gCAAgC;YAChC,wCAAwC;SACzC,CAAC,IAAI,CAAC,GAAG,CAAC,CACZ,CAAC;QAEF,OAAO,kBAAkB,CACvB,cAAc,EACd,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EACvC,eAAe,EACf,eAAe,EACf,IAAI,KAAK,CAAC,KAAK,CAAC;YACd,+EAA+E;YAC/E,uGAAuG;YACvG,kBAAkB,EAAE,KAAK;SAC1B,CAAC,CACH,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport https from \"https\";\nimport { createHttpHeaders, PipelineRequestOptions } from \"@azure/core-rest-pipeline\";\nimport { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { MSI, MSIConfiguration } from \"./models\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { mapScopesToResource, msiGenericGetToken } from \"./utils\";\nimport { azureFabricVersion } from \"./constants\";\n\nconst msiName = \"ManagedIdentityCredential - Fabric MSI\";\nconst logger = credentialLogger(msiName);\n\nfunction expiresInParser(requestBody: any): number {\n  // Parses a string representation of the seconds since epoch into a number value\n  return Number(requestBody.expires_on);\n}\n\nfunction prepareRequestOptions(\n  scopes: string | string[],\n  clientId?: string\n): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n\n  const queryParameters: any = {\n    resource,\n    \"api-version\": azureFabricVersion\n  };\n\n  if (clientId) {\n    queryParameters.client_id = clientId;\n  }\n\n  const query = new URLSearchParams(queryParameters);\n\n  // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n  if (!process.env.IDENTITY_ENDPOINT) {\n    throw new Error(\"Missing environment variable: IDENTITY_ENDPOINT\");\n  }\n  if (!process.env.IDENTITY_HEADER) {\n    throw new Error(\"Missing environment variable: IDENTITY_HEADER\");\n  }\n\n  return {\n    url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,\n    method: \"GET\",\n    headers: createHttpHeaders({\n      Accept: \"application/json\",\n      Secret: process.env.IDENTITY_HEADER\n    })\n  };\n}\n\n// This credential can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:\n//\n//   FROM node:12\n//   RUN wget https://host.any/path/bash.sh\n//   CMD [\"bash\", \"bash.sh\"]\n//\n// Where the bash script contains:\n//\n//   curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H \"Secret: $IDENTITY_HEADER\"\n//\n\nexport const fabricMsi: MSI = {\n  async isAvailable(scopes): Promise<boolean> {\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n    const env = process.env;\n    const result = Boolean(\n      env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT\n    );\n    if (!result) {\n      logger.info(\n        `${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`\n      );\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {}\n  ): Promise<AccessToken | null> {\n    const { scopes, identityClient, clientId } = configuration;\n\n    logger.info(\n      [\n        `${msiName}:`,\n        \"Using the endpoint and the secret coming from the environment variables:\",\n        `IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,\n        \"IDENTITY_HEADER=[REDACTED] and\",\n        \"IDENTITY_SERVER_THUMBPRINT=[REDACTED].\"\n      ].join(\" \")\n    );\n\n    return msiGenericGetToken(\n      identityClient,\n      prepareRequestOptions(scopes, clientId),\n      expiresInParser,\n      getTokenOptions,\n      new https.Agent({\n        // This is necessary because Service Fabric provides a self-signed certificate.\n        // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.\n        rejectUnauthorized: false\n      })\n    );\n  }\n};\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js

@@ -1,44 +1,64 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
-import { delay, RestError } from "@azure/core-http";
+import { delay } from "@azure/core-util";
+import { createHttpHeaders, createPipelineRequest, RestError } from "@azure/core-rest-pipeline";
 import { SpanStatusCode } from "@azure/core-tracing";
-import { AuthenticationError } from "../../client/errors";
 import { credentialLogger } from "../../util/logging";
 import { createSpan } from "../../util/tracing";
-import { imdsApiVersion, imdsEndpoint } from "./constants";
-import { msiGenericGetToken } from "./utils";
-const logger = credentialLogger("ManagedIdentityCredential - IMDS");
+import { imdsApiVersion, imdsEndpointPath, imdsHost } from "./constants";
+import { mapScopesToResource, msiGenericGetToken } from "./utils";
+import { AuthenticationError } from "../../errors";
+const msiName = "ManagedIdentityCredential - IMDS";
+const logger = credentialLogger(msiName);
 function expiresInParser(requestBody) {
     if (requestBody.expires_on) {
         // Use the expires_on timestamp if it's available
         const expires = +requestBody.expires_on * 1000;
-        logger.info(`IMDS using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
+        logger.info(`${msiName}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
         return expires;
     }
     else {
         // If these aren't possible, use expires_in and calculate a timestamp
         const expires = Date.now() + requestBody.expires_in * 1000;
-        logger.info(`IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
+        logger.info(`${msiName}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
         return expires;
     }
 }
-function prepareRequestOptions(resource, clientId) {
+function prepareRequestOptions(scopes, clientId, options) {
     var _a;
-    const queryParameters = {
-        resource,
-        "api-version": imdsApiVersion
+    const resource = mapScopesToResource(scopes);
+    if (!resource) {
+        throw new Error(`${msiName}: Multiple scopes are not supported.`);
+    }
+    const { skipQuery, skipMetadataHeader } = options || {};
+    let query = "";
+    // Pod Identity will try to process this request even if the Metadata header is missing.
+    // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.
+    if (!skipQuery) {
+        const queryParameters = {
+            resource,
+            "api-version": imdsApiVersion
+        };
+        if (clientId) {
+            queryParameters.client_id = clientId;
+        }
+        const params = new URLSearchParams(queryParameters);
+        query = `?${params.toString()}`;
+    }
+    const url = new URL(imdsEndpointPath, (_a = process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) !== null && _a !== void 0 ? _a : imdsHost);
+    const rawHeaders = {
+        Accept: "application/json",
+        Metadata: "true"
     };
-    if (clientId) {
-        queryParameters.client_id = clientId;
+    // Remove the Metadata header to invoke a request error from some IMDS endpoints.
+    if (skipMetadataHeader) {
+        delete rawHeaders.Metadata;
     }
     return {
-        url: (_a = process.env.AZURE_POD_IDENTITY_TOKEN_URL) !== null && _a !== void 0 ? _a : imdsEndpoint,
+        // In this case, the `?` should be added in the "query" variable `skipQuery` is not set.
+        url: `${url}${query}`,
         method: "GET",
-        queryParameters,
-        headers: {
-            Accept: "application/json",
-            Metadata: true
-        }
+        headers: createHttpHeaders(rawHeaders)
     };
 }
 // 800ms -> 1600ms -> 3200ms
@@ -48,43 +68,45 @@ export const imdsMsiRetryConfig = {
     intervalIncrement: 2
 };
 export const imdsMsi = {
-    async isAvailable(identityClient, resource, clientId, getTokenOptions) {
-        var _a, _b, _c;
-        const { span, updatedOptions } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
+    async isAvailable(scopes, identityClient, clientId, getTokenOptions) {
+        var _a, _b;
+        const resource = mapScopesToResource(scopes);
+        if (!resource) {
+            logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
+            return false;
+        }
+        const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
         // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
-        if (process.env.AZURE_POD_IDENTITY_TOKEN_URL) {
+        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
             return true;
         }
-        const request = prepareRequestOptions(resource, clientId);
-        // This will always be populated, but let's make TypeScript happy
-        if (request.headers) {
-            // Remove the Metadata header to invoke a request error from
-            // IMDS endpoint
-            delete request.headers.Metadata;
-        }
-        request.spanOptions = (_a = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _a === void 0 ? void 0 : _a.spanOptions;
-        request.tracingContext = (_b = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions) === null || _b === void 0 ? void 0 : _b.tracingContext;
+        const requestOptions = prepareRequestOptions(resource, clientId, {
+            skipMetadataHeader: true,
+            skipQuery: true
+        });
+        requestOptions.tracingOptions = options.tracingOptions;
         try {
             // Create a request with a timeout since we expect that
             // not having a "Metadata" header should cause an error to be
             // returned quickly from the endpoint, proving its availability.
-            const webResource = identityClient.createWebResource(request);
-            // In Kubernetes pods, node-fetch (used by core-http) takes longer than 2 seconds to begin sending the network request,
-            // So smaller timeouts will cause this credential to be immediately aborted.
-            // This won't be a problem once we move Identity to core-rest-pipeline.
-            webResource.timeout = ((_c = updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.requestOptions) === null || _c === void 0 ? void 0 : _c.timeout) || 3000;
+            const request = createPipelineRequest(requestOptions);
+            request.timeout = (_b = (_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) !== null && _b !== void 0 ? _b : 300;
+            // This MSI uses the imdsEndpoint to get the token, which only uses http://
+            request.allowInsecureConnection = true;
             try {
-                await identityClient.sendRequest(webResource);
+                logger.info(`${msiName}: Pinging the Azure IMDS endpoint`);
+                await identityClient.sendRequest(request);
             }
             catch (err) {
                 if ((err.name === "RestError" && err.code === RestError.REQUEST_SEND_ERROR) ||
                     err.name === "AbortError" ||
+                    err.code === "ENETUNREACH" || // Network unreachable
                     err.code === "ECONNREFUSED" || // connection refused
                     err.code === "EHOSTDOWN" // host is down
                 ) {
-                    // If the request failed, or NodeJS was unable to establish a connection,
+                    // If the request failed, or Node.js was unable to establish a connection,
                     // or the host was down, we'll assume the IMDS endpoint isn't available.
-                    logger.info(`The Azure IMDS endpoint is unavailable`);
+                    logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);
                     span.setStatus({
                         code: SpanStatusCode.ERROR,
                         message: err.message
@@ -93,14 +115,13 @@ export const imdsMsi = {
                 }
             }
             // If we received any response, the endpoint is available
-            logger.info(`The Azure IMDS endpoint is available`);
-            // IMDS MSI available!
+            logger.info(`${msiName}: The Azure IMDS endpoint is available`);
             return true;
         }
         catch (err) {
             // createWebResource failed.
             // This error should bubble up to the user.
-            logger.info(`Error when creating the WebResource for the IMDS endpoint: ${err.message}`);
+            logger.info(`${msiName}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
             span.setStatus({
                 code: SpanStatusCode.ERROR,
                 message: err.message
@@ -111,12 +132,13 @@ export const imdsMsi = {
             span.end();
         }
     },
-    async getToken(identityClient, resource, clientId, getTokenOptions = {}) {
-        logger.info(`Using the IMDS endpoint coming form the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
+    async getToken(configuration, getTokenOptions = {}) {
+        const { identityClient, scopes, clientId } = configuration;
+        logger.info(`${msiName}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
         let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
         for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
             try {
-                return await msiGenericGetToken(identityClient, prepareRequestOptions(resource, clientId), expiresInParser, getTokenOptions);
+                return await msiGenericGetToken(identityClient, prepareRequestOptions(scopes, clientId), expiresInParser, getTokenOptions);
             }
             catch (error) {
                 if (error.statusCode === 404) {
@@ -127,7 +149,7 @@ export const imdsMsi = {
                 throw error;
             }
         }
-        throw new AuthenticationError(404, `Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
+        throw new AuthenticationError(404, `${msiName}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
     }
 };
 //# sourceMappingURL=imdsMsi.js.map