@azure/identity 2.1.0-beta.1 → 2.1.0-beta.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +16 -2
- package/README.md +4 -3
- package/dist/index.js +281 -182
- package/dist/index.js.map +1 -1
- package/dist-esm/src/client/identityClient.js +38 -2
- package/dist-esm/src/client/identityClient.js.map +1 -1
- package/dist-esm/src/credentials/authorizationCodeCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientCertificateCredential.js +5 -2
- package/dist-esm/src/credentials/clientCertificateCredential.js.map +1 -1
- package/dist-esm/src/credentials/defaultAzureCredential.js +13 -26
- package/dist-esm/src/credentials/defaultAzureCredential.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2019.js +77 -0
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2019.js.map +1 -0
- package/dist-esm/src/credentials/managedIdentityCredential/index.js +10 -1
- package/dist-esm/src/credentials/managedIdentityCredential/index.js.map +1 -1
- package/dist-esm/src/credentials/onBehalfOfCredential.js +0 -21
- package/dist-esm/src/credentials/onBehalfOfCredential.js.map +1 -1
- package/dist-esm/src/credentials/onBehalfOfCredentialOptions.js.map +1 -1
- package/dist-esm/src/index.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js +5 -1
- package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalDeviceCode.js +0 -2
- package/dist-esm/src/msal/nodeFlows/msalDeviceCode.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js +12 -1
- package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js.map +1 -1
- package/dist-esm/src/tokenCredentialOptions.js.map +1 -1
- package/package.json +7 -7
- package/types/identity.d.ts +132 -57
package/dist/index.js
CHANGED
|
@@ -8,7 +8,7 @@ var coreClient = require('@azure/core-client');
|
|
|
8
8
|
var coreUtil = require('@azure/core-util');
|
|
9
9
|
var coreRestPipeline = require('@azure/core-rest-pipeline');
|
|
10
10
|
var abortController = require('@azure/abort-controller');
|
|
11
|
-
var logger$
|
|
11
|
+
var logger$l = require('@azure/logger');
|
|
12
12
|
var msalCommon = require('@azure/msal-common');
|
|
13
13
|
var uuid = require('uuid');
|
|
14
14
|
var fs = require('fs');
|
|
@@ -273,7 +273,7 @@ async function trace(operationName, options, fn, createSpanFn = createSpan) {
|
|
|
273
273
|
/**
|
|
274
274
|
* The AzureLogger used for all clients within the identity package
|
|
275
275
|
*/
|
|
276
|
-
const logger$
|
|
276
|
+
const logger$k = logger$l.createClientLogger("identity");
|
|
277
277
|
/**
|
|
278
278
|
* Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
|
|
279
279
|
* @param supportedEnvVars - List of environment variable names
|
|
@@ -313,7 +313,7 @@ function formatError(scope, error) {
|
|
|
313
313
|
* `[title] => [message]`
|
|
314
314
|
*
|
|
315
315
|
*/
|
|
316
|
-
function credentialLoggerInstance(title, parent, log = logger$
|
|
316
|
+
function credentialLoggerInstance(title, parent, log = logger$k) {
|
|
317
317
|
const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
|
|
318
318
|
function info(message) {
|
|
319
319
|
log.info(`${fullTitle} =>`, message);
|
|
@@ -338,7 +338,7 @@ function credentialLoggerInstance(title, parent, log = logger$j) {
|
|
|
338
338
|
* `[title] => getToken() => [message]`
|
|
339
339
|
*
|
|
340
340
|
*/
|
|
341
|
-
function credentialLogger(title, log = logger$
|
|
341
|
+
function credentialLogger(title, log = logger$k) {
|
|
342
342
|
const credLogger = credentialLoggerInstance(title, undefined, log);
|
|
343
343
|
return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
|
|
344
344
|
}
|
|
@@ -367,8 +367,8 @@ function getIdentityClientAuthorityHost(options) {
|
|
|
367
367
|
*/
|
|
368
368
|
class IdentityClient extends coreClient.ServiceClient {
|
|
369
369
|
constructor(options) {
|
|
370
|
-
var _a;
|
|
371
|
-
const packageDetails = `azsdk-js-identity/2.1.0-beta.
|
|
370
|
+
var _a, _b;
|
|
371
|
+
const packageDetails = `azsdk-js-identity/2.1.0-beta.2`;
|
|
372
372
|
const userAgentPrefix = ((_a = options === null || options === void 0 ? void 0 : options.userAgentOptions) === null || _a === void 0 ? void 0 : _a.userAgentPrefix)
|
|
373
373
|
? `${options.userAgentOptions.userAgentPrefix} ${packageDetails}`
|
|
374
374
|
: `${packageDetails}`;
|
|
@@ -383,9 +383,10 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
383
383
|
}, baseUri }));
|
|
384
384
|
this.authorityHost = baseUri;
|
|
385
385
|
this.abortControllers = new Map();
|
|
386
|
+
this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
|
|
386
387
|
}
|
|
387
388
|
async sendTokenRequest(request, expiresOnParser) {
|
|
388
|
-
logger$
|
|
389
|
+
logger$k.info(`IdentityClient: sending token request to [${request.url}]`);
|
|
389
390
|
const response = await this.sendRequest(request);
|
|
390
391
|
expiresOnParser =
|
|
391
392
|
expiresOnParser ||
|
|
@@ -397,6 +398,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
397
398
|
if (!parsedBody.access_token) {
|
|
398
399
|
return null;
|
|
399
400
|
}
|
|
401
|
+
this.logIdentifiers(response);
|
|
400
402
|
const token = {
|
|
401
403
|
accessToken: {
|
|
402
404
|
token: parsedBody.access_token,
|
|
@@ -404,12 +406,12 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
404
406
|
},
|
|
405
407
|
refreshToken: parsedBody.refresh_token,
|
|
406
408
|
};
|
|
407
|
-
logger$
|
|
409
|
+
logger$k.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
|
|
408
410
|
return token;
|
|
409
411
|
}
|
|
410
412
|
else {
|
|
411
413
|
const error = new AuthenticationError(response.status, response.bodyAsText);
|
|
412
|
-
logger$
|
|
414
|
+
logger$k.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
|
|
413
415
|
throw error;
|
|
414
416
|
}
|
|
415
417
|
}
|
|
@@ -417,7 +419,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
417
419
|
if (refreshToken === undefined) {
|
|
418
420
|
return null;
|
|
419
421
|
}
|
|
420
|
-
logger$
|
|
422
|
+
logger$k.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
|
|
421
423
|
const { span, updatedOptions } = createSpan("IdentityClient-refreshAccessToken", options);
|
|
422
424
|
const refreshParams = {
|
|
423
425
|
grant_type: "refresh_token",
|
|
@@ -443,7 +445,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
443
445
|
tracingOptions: updatedOptions === null || updatedOptions === void 0 ? void 0 : updatedOptions.tracingOptions,
|
|
444
446
|
});
|
|
445
447
|
const response = await this.sendTokenRequest(request, expiresOnParser);
|
|
446
|
-
logger$
|
|
448
|
+
logger$k.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
|
|
447
449
|
return response;
|
|
448
450
|
}
|
|
449
451
|
catch (err) {
|
|
@@ -452,7 +454,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
452
454
|
// It's likely that the refresh token has expired, so
|
|
453
455
|
// return null so that the credential implementation will
|
|
454
456
|
// initiate the authentication flow again.
|
|
455
|
-
logger$
|
|
457
|
+
logger$k.info(`IdentityClient: interaction required for client ID: ${clientId}`);
|
|
456
458
|
span.setStatus({
|
|
457
459
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
458
460
|
message: err.message,
|
|
@@ -460,7 +462,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
460
462
|
return null;
|
|
461
463
|
}
|
|
462
464
|
else {
|
|
463
|
-
logger$
|
|
465
|
+
logger$k.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
|
|
464
466
|
span.setStatus({
|
|
465
467
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
466
468
|
message: err.message,
|
|
@@ -518,6 +520,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
518
520
|
abortSignal: this.generateAbortSignal(noCorrelationId),
|
|
519
521
|
});
|
|
520
522
|
const response = await this.sendRequest(request);
|
|
523
|
+
this.logIdentifiers(response);
|
|
521
524
|
return {
|
|
522
525
|
body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
|
|
523
526
|
headers: response.headers.toJSON(),
|
|
@@ -534,12 +537,45 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
534
537
|
abortSignal: this.generateAbortSignal(this.getCorrelationId(options)),
|
|
535
538
|
});
|
|
536
539
|
const response = await this.sendRequest(request);
|
|
540
|
+
this.logIdentifiers(response);
|
|
537
541
|
return {
|
|
538
542
|
body: response.bodyAsText ? JSON.parse(response.bodyAsText) : undefined,
|
|
539
543
|
headers: response.headers.toJSON(),
|
|
540
544
|
status: response.status,
|
|
541
545
|
};
|
|
542
546
|
}
|
|
547
|
+
/**
|
|
548
|
+
* If allowLoggingAccountIdentifiers was set on the constructor options
|
|
549
|
+
* we try to log the account identifiers by parsing the received access token.
|
|
550
|
+
*
|
|
551
|
+
* The account identifiers we try to log are:
|
|
552
|
+
* - `appid`: The application or Client Identifier.
|
|
553
|
+
* - `upn`: User Principal Name.
|
|
554
|
+
* - It might not be available in some authentication scenarios.
|
|
555
|
+
* - If it's not available, we put a placeholder: "No User Principal Name available".
|
|
556
|
+
* - `tid`: Tenant Identifier.
|
|
557
|
+
* - `oid`: Object Identifier of the authenticated user.
|
|
558
|
+
*/
|
|
559
|
+
logIdentifiers(response) {
|
|
560
|
+
if (!this.allowLoggingAccountIdentifiers || !response.bodyAsText) {
|
|
561
|
+
return;
|
|
562
|
+
}
|
|
563
|
+
const unavailableUpn = "No User Principal Name available";
|
|
564
|
+
try {
|
|
565
|
+
const parsed = response.parsedBody || JSON.parse(response.bodyAsText);
|
|
566
|
+
const accessToken = parsed.access_token;
|
|
567
|
+
if (!accessToken) {
|
|
568
|
+
// Without an access token allowLoggingAccountIdentifiers isn't useful.
|
|
569
|
+
return;
|
|
570
|
+
}
|
|
571
|
+
const base64Metadata = accessToken.split(".")[1];
|
|
572
|
+
const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
|
|
573
|
+
logger$k.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
|
|
574
|
+
}
|
|
575
|
+
catch (e) {
|
|
576
|
+
logger$k.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
|
|
577
|
+
}
|
|
578
|
+
}
|
|
543
579
|
}
|
|
544
580
|
|
|
545
581
|
// Copyright (c) Microsoft Corporation.
|
|
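Review bot: In the new `logIdentifiers`, an access token that is not a three-segment JWT (an opaque token has no second dot-separated segment) makes `Buffer.from(undefined, "base64")` or the following `JSON.parse` throw, and the catch then emits a `warning` that forwards `e.message`; some JS runtimes include a fragment of the offending input in a `SyntaxError` message, so decoded token material could land in the log. Treat a missing payload segment as "not a JWT" and return quietly, and on failure log only `e.name` or a fixed message rather than `e.message`. The claims are read without any signature check, which is acceptable for diagnostics but should be stated in the doc comment, e.g. `* Claims are decoded, not verified: use them only for diagnostics, never for authorization decisions.`. The two added `this.logIdentifiers(response)` calls after `sendRequest` run before any status check, so error bodies reach this path as well; the `!accessToken` guard handles that, but it is worth a one-line comment there. Node's base64 decoder accepts the URL-safe alphabet so base64url JWT segments decode here, but `"base64url"` (Node >= 15.7) states the intent; a browser bundle, if one exists, would need its own decoder.
```javascript
        // … unchanged: parse response body and read access_token …
        const segments = accessToken.split(".");
        if (segments.length !== 3) {
            // Not a compact JWS (e.g. an opaque token): nothing to decode.
            return;
        }
        // Decoded, not verified: diagnostics only, never an authorization input.
        const { appid, upn, tid, oid } = JSON.parse(Buffer.from(segments[1], "base64").toString("utf8"));
        // … unchanged: "[Authenticated account] …" info log …
    }
    catch (e) {
        // Do not forward e.message: a parse error may echo decoded token text.
        logger$k.warning(`allowLoggingAccountIdentifiers was set, but we couldn't log the account information (${e.name}).`);
    }
```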
@@ -978,7 +1014,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
978
1014
|
const tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
|
|
979
1015
|
this.authorityHost = options.authorityHost || process.env.AZURE_AUTHORITY_HOST;
|
|
980
1016
|
const authority = getAuthority(tenantId, this.authorityHost);
|
|
981
|
-
this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority }));
|
|
1017
|
+
this.identityClient = new IdentityClient(Object.assign(Object.assign({}, options.tokenCredentialOptions), { authorityHost: authority, loggingOptions: options.loggingOptions }));
|
|
982
1018
|
let clientCapabilities = ["cp1"];
|
|
983
1019
|
if (process.env.AZURE_IDENTITY_DISABLE_CP1) {
|
|
984
1020
|
clientCapabilities = [];
|
|
@@ -1115,6 +1151,17 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1115
1151
|
options.correlationId = (options === null || options === void 0 ? void 0 : options.correlationId) || this.generateUuid();
|
|
1116
1152
|
await this.init(options);
|
|
1117
1153
|
try {
|
|
1154
|
+
// MSAL now caches tokens based on their claims,
|
|
1155
|
+
// so now one has to keep track fo claims in order to retrieve the newer tokens from acquireTokenSilent
|
|
1156
|
+
// This update happened on PR: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4533
|
|
1157
|
+
const optionsClaims = options.claims;
|
|
1158
|
+
if (optionsClaims) {
|
|
1159
|
+
this.cachedClaims = optionsClaims;
|
|
1160
|
+
}
|
|
1161
|
+
if (this.cachedClaims && !optionsClaims) {
|
|
1162
|
+
options.claims = this.cachedClaims;
|
|
1163
|
+
}
|
|
1164
|
+
// We don't return the promise since we want to catch errors right here.
|
|
1118
1165
|
return await this.getTokenSilent(scopes, options);
|
|
1119
1166
|
}
|
|
1120
1167
|
catch (err) {
|
|
@@ -1137,7 +1184,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1137
1184
|
// Copyright (c) Microsoft Corporation.
|
|
1138
1185
|
const CommonTenantId = "common";
|
|
1139
1186
|
const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
|
|
1140
|
-
const logger$
|
|
1187
|
+
const logger$j = credentialLogger("VisualStudioCodeCredential");
|
|
1141
1188
|
let findCredentials = undefined;
|
|
1142
1189
|
const vsCodeCredentialControl = {
|
|
1143
1190
|
setVsCodeCredentialFinder(finder) {
|
|
@@ -1190,7 +1237,7 @@ function getPropertyFromVSCode(property) {
|
|
|
1190
1237
|
}
|
|
1191
1238
|
}
|
|
1192
1239
|
catch (e) {
|
|
1193
|
-
logger$
|
|
1240
|
+
logger$j.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
|
|
1194
1241
|
return;
|
|
1195
1242
|
}
|
|
1196
1243
|
}
|
|
@@ -1218,7 +1265,7 @@ class VisualStudioCodeCredential {
|
|
|
1218
1265
|
const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
|
|
1219
1266
|
this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
|
|
1220
1267
|
if (options && options.tenantId) {
|
|
1221
|
-
checkTenantId(logger$
|
|
1268
|
+
checkTenantId(logger$j, options.tenantId);
|
|
1222
1269
|
this.tenantId = options.tenantId;
|
|
1223
1270
|
}
|
|
1224
1271
|
else {
|
|
@@ -1270,7 +1317,7 @@ class VisualStudioCodeCredential {
|
|
|
1270
1317
|
// Check to make sure the scope we get back is a valid scope
|
|
1271
1318
|
if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
|
|
1272
1319
|
const error = new Error("Invalid scope was specified by the user or calling client");
|
|
1273
|
-
logger$
|
|
1320
|
+
logger$j.getToken.info(formatError(scopes, error));
|
|
1274
1321
|
throw error;
|
|
1275
1322
|
}
|
|
1276
1323
|
if (scopeString.indexOf("offline_access") < 0) {
|
|
@@ -1290,18 +1337,18 @@ class VisualStudioCodeCredential {
|
|
|
1290
1337
|
if (refreshToken) {
|
|
1291
1338
|
const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
|
|
1292
1339
|
if (tokenResponse) {
|
|
1293
|
-
logger$
|
|
1340
|
+
logger$j.getToken.info(formatSuccess(scopes));
|
|
1294
1341
|
return tokenResponse.accessToken;
|
|
1295
1342
|
}
|
|
1296
1343
|
else {
|
|
1297
1344
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1298
|
-
logger$
|
|
1345
|
+
logger$j.getToken.info(formatError(scopes, error));
|
|
1299
1346
|
throw error;
|
|
1300
1347
|
}
|
|
1301
1348
|
}
|
|
1302
1349
|
else {
|
|
1303
1350
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1304
|
-
logger$
|
|
1351
|
+
logger$j.getToken.info(formatError(scopes, error));
|
|
1305
1352
|
throw error;
|
|
1306
1353
|
}
|
|
1307
1354
|
}
|
|
@@ -1352,7 +1399,7 @@ function useIdentityPlugin(plugin) {
|
|
|
1352
1399
|
/**
|
|
1353
1400
|
* @internal
|
|
1354
1401
|
*/
|
|
1355
|
-
const logger$
|
|
1402
|
+
const logger$i = credentialLogger("ChainedTokenCredential");
|
|
1356
1403
|
/**
|
|
1357
1404
|
* Enables multiple `TokenCredential` implementations to be tried in order
|
|
1358
1405
|
* until one of the getToken methods returns an access token.
|
|
@@ -1407,7 +1454,7 @@ class ChainedTokenCredential {
|
|
|
1407
1454
|
errors.push(err);
|
|
1408
1455
|
}
|
|
1409
1456
|
else {
|
|
1410
|
-
logger$
|
|
1457
|
+
logger$i.getToken.info(formatError(scopes, err));
|
|
1411
1458
|
throw err;
|
|
1412
1459
|
}
|
|
1413
1460
|
}
|
|
@@ -1418,11 +1465,11 @@ class ChainedTokenCredential {
|
|
|
1418
1465
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
1419
1466
|
message: err.message,
|
|
1420
1467
|
});
|
|
1421
|
-
logger$
|
|
1468
|
+
logger$i.getToken.info(formatError(scopes, err));
|
|
1422
1469
|
throw err;
|
|
1423
1470
|
}
|
|
1424
1471
|
span.end();
|
|
1425
|
-
logger$
|
|
1472
|
+
logger$i.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
|
|
1426
1473
|
if (token === null) {
|
|
1427
1474
|
throw new CredentialUnavailableError("Failed to retrieve a valid token");
|
|
1428
1475
|
}
|
|
@@ -1500,7 +1547,7 @@ const cliCredentialInternals = {
|
|
|
1500
1547
|
});
|
|
1501
1548
|
},
|
|
1502
1549
|
};
|
|
1503
|
-
const logger$
|
|
1550
|
+
const logger$h = credentialLogger("AzureCliCredential");
|
|
1504
1551
|
/**
|
|
1505
1552
|
* This credential will use the currently logged-in user login information
|
|
1506
1553
|
* via the Azure CLI ('az') commandline tool.
|
|
@@ -1530,11 +1577,11 @@ class AzureCliCredential {
|
|
|
1530
1577
|
async getToken(scopes, options) {
|
|
1531
1578
|
const tenantId = processMultiTenantRequest(this.tenantId, options);
|
|
1532
1579
|
if (tenantId) {
|
|
1533
|
-
checkTenantId(logger$
|
|
1580
|
+
checkTenantId(logger$h, tenantId);
|
|
1534
1581
|
}
|
|
1535
1582
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
1536
|
-
logger$
|
|
1537
|
-
ensureValidScope(scope, logger$
|
|
1583
|
+
logger$h.getToken.info(`Using the scope ${scope}`);
|
|
1584
|
+
ensureValidScope(scope, logger$h);
|
|
1538
1585
|
const resource = getScopeResource(scope);
|
|
1539
1586
|
let responseData = "";
|
|
1540
1587
|
const { span } = createSpan(`${this.constructor.name}.getToken`, options);
|
|
@@ -1545,22 +1592,22 @@ class AzureCliCredential {
|
|
|
1545
1592
|
const isNotInstallError = obj.stderr.match("az:(.*)not found") || obj.stderr.startsWith("'az' is not recognized");
|
|
1546
1593
|
if (isNotInstallError) {
|
|
1547
1594
|
const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
|
|
1548
|
-
logger$
|
|
1595
|
+
logger$h.getToken.info(formatError(scopes, error));
|
|
1549
1596
|
throw error;
|
|
1550
1597
|
}
|
|
1551
1598
|
else if (isLoginError) {
|
|
1552
1599
|
const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
|
|
1553
|
-
logger$
|
|
1600
|
+
logger$h.getToken.info(formatError(scopes, error));
|
|
1554
1601
|
throw error;
|
|
1555
1602
|
}
|
|
1556
1603
|
const error = new CredentialUnavailableError(obj.stderr);
|
|
1557
|
-
logger$
|
|
1604
|
+
logger$h.getToken.info(formatError(scopes, error));
|
|
1558
1605
|
throw error;
|
|
1559
1606
|
}
|
|
1560
1607
|
else {
|
|
1561
1608
|
responseData = obj.stdout;
|
|
1562
1609
|
const response = JSON.parse(responseData);
|
|
1563
|
-
logger$
|
|
1610
|
+
logger$h.getToken.info(formatSuccess(scopes));
|
|
1564
1611
|
const returnValue = {
|
|
1565
1612
|
token: response.accessToken,
|
|
1566
1613
|
expiresOnTimestamp: new Date(response.expiresOn).getTime(),
|
|
@@ -1574,7 +1621,7 @@ class AzureCliCredential {
|
|
|
1574
1621
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
1575
1622
|
message: error.message,
|
|
1576
1623
|
});
|
|
1577
|
-
logger$
|
|
1624
|
+
logger$h.getToken.info(formatError(scopes, error));
|
|
1578
1625
|
throw error;
|
|
1579
1626
|
}
|
|
1580
1627
|
}
|
|
@@ -1611,7 +1658,7 @@ const processUtils = {
|
|
|
1611
1658
|
};
|
|
1612
1659
|
|
|
1613
1660
|
// Copyright (c) Microsoft Corporation.
|
|
1614
|
-
const logger$
|
|
1661
|
+
const logger$g = credentialLogger("AzurePowerShellCredential");
|
|
1615
1662
|
const isWindows = process.platform === "win32";
|
|
1616
1663
|
/**
|
|
1617
1664
|
* Returns a platform-appropriate command name by appending ".exe" on Windows.
|
|
@@ -1742,15 +1789,15 @@ class AzurePowerShellCredential {
|
|
|
1742
1789
|
return trace(`${this.constructor.name}.getToken`, options, async () => {
|
|
1743
1790
|
const tenantId = processMultiTenantRequest(this.tenantId, options);
|
|
1744
1791
|
if (tenantId) {
|
|
1745
|
-
checkTenantId(logger$
|
|
1792
|
+
checkTenantId(logger$g, tenantId);
|
|
1746
1793
|
}
|
|
1747
1794
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
1748
|
-
ensureValidScope(scope, logger$
|
|
1749
|
-
logger$
|
|
1795
|
+
ensureValidScope(scope, logger$g);
|
|
1796
|
+
logger$g.getToken.info(`Using the scope ${scope}`);
|
|
1750
1797
|
const resource = getScopeResource(scope);
|
|
1751
1798
|
try {
|
|
1752
1799
|
const response = await this.getAzurePowerShellAccessToken(resource, tenantId);
|
|
1753
|
-
logger$
|
|
1800
|
+
logger$g.getToken.info(formatSuccess(scopes));
|
|
1754
1801
|
return {
|
|
1755
1802
|
token: response.Token,
|
|
1756
1803
|
expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
|
|
@@ -1759,16 +1806,16 @@ class AzurePowerShellCredential {
|
|
|
1759
1806
|
catch (err) {
|
|
1760
1807
|
if (isNotInstalledError(err)) {
|
|
1761
1808
|
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
|
|
1762
|
-
logger$
|
|
1809
|
+
logger$g.getToken.info(formatError(scope, error));
|
|
1763
1810
|
throw error;
|
|
1764
1811
|
}
|
|
1765
1812
|
else if (isLoginError(err)) {
|
|
1766
1813
|
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
|
|
1767
|
-
logger$
|
|
1814
|
+
logger$g.getToken.info(formatError(scope, error));
|
|
1768
1815
|
throw error;
|
|
1769
1816
|
}
|
|
1770
1817
|
const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
|
|
1771
|
-
logger$
|
|
1818
|
+
logger$g.getToken.info(formatError(scope, error));
|
|
1772
1819
|
throw error;
|
|
1773
1820
|
}
|
|
1774
1821
|
});
|
|
@@ -1806,7 +1853,7 @@ class MsalClientSecret extends MsalNode {
|
|
|
1806
1853
|
}
|
|
1807
1854
|
|
|
1808
1855
|
// Copyright (c) Microsoft Corporation.
|
|
1809
|
-
const logger$
|
|
1856
|
+
const logger$f = credentialLogger("ClientSecretCredential");
|
|
1810
1857
|
/**
|
|
1811
1858
|
* Enables authentication to Azure Active Directory using a client secret
|
|
1812
1859
|
* that was generated for an App Registration. More information on how
|
|
@@ -1830,7 +1877,7 @@ class ClientSecretCredential {
|
|
|
1830
1877
|
if (!tenantId || !clientId || !clientSecret) {
|
|
1831
1878
|
throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
|
|
1832
1879
|
}
|
|
1833
|
-
this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$
|
|
1880
|
+
this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$f,
|
|
1834
1881
|
clientId,
|
|
1835
1882
|
tenantId,
|
|
1836
1883
|
clientSecret, tokenCredentialOptions: options }));
|
|
@@ -1863,8 +1910,12 @@ const readFileAsync$2 = util.promisify(fs.readFile);
|
|
|
1863
1910
|
*/
|
|
1864
1911
|
async function parseCertificate(configuration, sendCertificateChain) {
|
|
1865
1912
|
const certificateParts = {};
|
|
1913
|
+
const certificate = configuration
|
|
1914
|
+
.certificate;
|
|
1915
|
+
const certificatePath = configuration
|
|
1916
|
+
.certificatePath;
|
|
1866
1917
|
certificateParts.certificateContents =
|
|
1867
|
-
|
|
1918
|
+
certificate || (await readFileAsync$2(certificatePath, "utf8"));
|
|
1868
1919
|
if (sendCertificateChain) {
|
|
1869
1920
|
certificateParts.x5c = certificateParts.certificateContents;
|
|
1870
1921
|
}
|
|
@@ -1936,7 +1987,7 @@ class MsalClientCertificate extends MsalNode {
|
|
|
1936
1987
|
|
|
1937
1988
|
// Copyright (c) Microsoft Corporation.
|
|
1938
1989
|
const credentialName$2 = "ClientCertificateCredential";
|
|
1939
|
-
const logger$
|
|
1990
|
+
const logger$e = credentialLogger(credentialName$2);
|
|
1940
1991
|
/**
|
|
1941
1992
|
* Enables authentication to Azure Active Directory using a PEM-encoded
|
|
1942
1993
|
* certificate that is assigned to an App Registration. More information
|
|
@@ -1955,14 +2006,17 @@ class ClientCertificateCredential {
|
|
|
1955
2006
|
certificatePath: certificatePathOrConfiguration,
|
|
1956
2007
|
}
|
|
1957
2008
|
: certificatePathOrConfiguration));
|
|
1958
|
-
|
|
2009
|
+
const certificate = configuration
|
|
2010
|
+
.certificate;
|
|
2011
|
+
const certificatePath = configuration.certificatePath;
|
|
2012
|
+
if (!configuration || !(certificate || certificatePath)) {
|
|
1959
2013
|
throw new Error(`${credentialName$2}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
|
1960
2014
|
}
|
|
1961
|
-
if (
|
|
2015
|
+
if (certificate && certificatePath) {
|
|
1962
2016
|
throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
|
1963
2017
|
}
|
|
1964
2018
|
this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
|
|
1965
|
-
logger: logger$
|
|
2019
|
+
logger: logger$e,
|
|
1966
2020
|
clientId,
|
|
1967
2021
|
tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
|
|
1968
2022
|
}
|
|
@@ -2013,7 +2067,7 @@ class MsalUsernamePassword extends MsalNode {
|
|
|
2013
2067
|
}
|
|
2014
2068
|
|
|
2015
2069
|
// Copyright (c) Microsoft Corporation.
|
|
2016
|
-
const logger$
|
|
2070
|
+
const logger$d = credentialLogger("UsernamePasswordCredential");
|
|
2017
2071
|
/**
|
|
2018
2072
|
* Enables authentication to Azure Active Directory with a user's
|
|
2019
2073
|
* username and password. This credential requires a high degree of
|
|
@@ -2036,7 +2090,7 @@ class UsernamePasswordCredential {
|
|
|
2036
2090
|
if (!tenantId || !clientId || !username || !password) {
|
|
2037
2091
|
throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
|
|
2038
2092
|
}
|
|
2039
|
-
this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$
|
|
2093
|
+
this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$d,
|
|
2040
2094
|
clientId,
|
|
2041
2095
|
tenantId,
|
|
2042
2096
|
username,
|
|
@@ -2079,7 +2133,7 @@ const AllSupportedEnvironmentVariables = [
|
|
|
2079
2133
|
"AZURE_PASSWORD",
|
|
2080
2134
|
];
|
|
2081
2135
|
const credentialName$1 = "EnvironmentCredential";
|
|
2082
|
-
const logger$
|
|
2136
|
+
const logger$c = credentialLogger(credentialName$1);
|
|
2083
2137
|
/**
|
|
2084
2138
|
* Enables authentication to Azure Active Directory using client secret
|
|
2085
2139
|
* details configured in environment variables
|
|
@@ -2109,26 +2163,26 @@ class EnvironmentCredential {
|
|
|
2109
2163
|
// Keep track of any missing environment variables for error details
|
|
2110
2164
|
this._credential = undefined;
|
|
2111
2165
|
const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
|
|
2112
|
-
logger$
|
|
2166
|
+
logger$c.info(`Found the following environment variables: ${assigned}`);
|
|
2113
2167
|
const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
|
|
2114
2168
|
if (tenantId) {
|
|
2115
|
-
checkTenantId(logger$
|
|
2169
|
+
checkTenantId(logger$c, tenantId);
|
|
2116
2170
|
}
|
|
2117
2171
|
if (tenantId && clientId && clientSecret) {
|
|
2118
|
-
logger$
|
|
2172
|
+
logger$c.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
|
|
2119
2173
|
this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, options);
|
|
2120
2174
|
return;
|
|
2121
2175
|
}
|
|
2122
2176
|
const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
|
|
2123
2177
|
if (tenantId && clientId && certificatePath) {
|
|
2124
|
-
logger$
|
|
2178
|
+
logger$c.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
|
|
2125
2179
|
this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath }, options);
|
|
2126
2180
|
return;
|
|
2127
2181
|
}
|
|
2128
2182
|
const username = process.env.AZURE_USERNAME;
|
|
2129
2183
|
const password = process.env.AZURE_PASSWORD;
|
|
2130
2184
|
if (tenantId && clientId && username && password) {
|
|
2131
|
-
logger$
|
|
2185
|
+
logger$c.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
|
|
2132
2186
|
this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, options);
|
|
2133
2187
|
}
|
|
2134
2188
|
}
|
|
@@ -2143,7 +2197,7 @@ class EnvironmentCredential {
|
|
|
2143
2197
|
if (this._credential) {
|
|
2144
2198
|
try {
|
|
2145
2199
|
const result = await this._credential.getToken(scopes, newOptions);
|
|
2146
|
-
logger$
|
|
2200
|
+
logger$c.getToken.info(formatSuccess(scopes));
|
|
2147
2201
|
return result;
|
|
2148
2202
|
}
|
|
2149
2203
|
catch (err) {
|
|
@@ -2151,7 +2205,7 @@ class EnvironmentCredential {
|
|
|
2151
2205
|
error: `${credentialName$1} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
|
|
2152
2206
|
error_description: err.message.toString().split("More details:").join(""),
|
|
2153
2207
|
});
|
|
2154
|
-
logger$
|
|
2208
|
+
logger$c.getToken.info(formatError(scopes, authenticationError));
|
|
2155
2209
|
throw authenticationError;
|
|
2156
2210
|
}
|
|
2157
2211
|
}
|
|
@@ -2197,22 +2251,22 @@ function mapScopesToResource(scopes) {
|
|
|
2197
2251
|
}
|
|
2198
2252
|
|
|
2199
2253
|
// Copyright (c) Microsoft Corporation.
|
|
2200
|
-
const msiName$
|
|
2201
|
-
const logger$
|
|
2254
|
+
const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
|
|
2255
|
+
const logger$b = credentialLogger(msiName$6);
|
|
2202
2256
|
/**
|
|
2203
2257
|
* Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
|
|
2204
2258
|
*/
|
|
2205
|
-
function expiresOnParser$
|
|
2259
|
+
function expiresOnParser$3(requestBody) {
|
|
2206
2260
|
// App Service always returns string expires_on values.
|
|
2207
2261
|
return Date.parse(requestBody.expires_on);
|
|
2208
2262
|
}
|
|
2209
2263
|
/**
|
|
2210
2264
|
* Generates the options used on the request for an access token.
|
|
2211
2265
|
*/
|
|
2212
|
-
function prepareRequestOptions$
|
|
2266
|
+
function prepareRequestOptions$6(scopes, clientId) {
|
|
2213
2267
|
const resource = mapScopesToResource(scopes);
|
|
2214
2268
|
if (!resource) {
|
|
2215
|
-
throw new Error(`${msiName$
|
|
2269
|
+
throw new Error(`${msiName$6}: Multiple scopes are not supported.`);
|
|
2216
2270
|
}
|
|
2217
2271
|
const queryParameters = {
|
|
2218
2272
|
resource,
|
|
@@ -2224,10 +2278,10 @@ function prepareRequestOptions$5(scopes, clientId) {
|
|
|
2224
2278
|
const query = new URLSearchParams(queryParameters);
|
|
2225
2279
|
// This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
|
|
2226
2280
|
if (!process.env.MSI_ENDPOINT) {
|
|
2227
|
-
throw new Error(`${msiName$
|
|
2281
|
+
throw new Error(`${msiName$6}: Missing environment variable: MSI_ENDPOINT`);
|
|
2228
2282
|
}
|
|
2229
2283
|
if (!process.env.MSI_SECRET) {
|
|
2230
|
-
throw new Error(`${msiName$
|
|
2284
|
+
throw new Error(`${msiName$6}: Missing environment variable: MSI_SECRET`);
|
|
2231
2285
|
}
|
|
2232
2286
|
return {
|
|
2233
2287
|
url: `${process.env.MSI_ENDPOINT}?${query.toString()}`,
|
|
@@ -2245,40 +2299,40 @@ const appServiceMsi2017 = {
|
|
|
2245
2299
|
async isAvailable({ scopes }) {
|
|
2246
2300
|
const resource = mapScopesToResource(scopes);
|
|
2247
2301
|
if (!resource) {
|
|
2248
|
-
logger$
|
|
2302
|
+
logger$b.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
|
|
2249
2303
|
return false;
|
|
2250
2304
|
}
|
|
2251
2305
|
const env = process.env;
|
|
2252
2306
|
const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
|
|
2253
2307
|
if (!result) {
|
|
2254
|
-
logger$
|
|
2308
|
+
logger$b.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
|
|
2255
2309
|
}
|
|
2256
2310
|
return result;
|
|
2257
2311
|
},
|
|
2258
2312
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2259
2313
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2260
2314
|
if (resourceId) {
|
|
2261
|
-
logger$
|
|
2315
|
+
logger$b.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
2262
2316
|
}
|
|
2263
|
-
logger$
|
|
2264
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2317
|
+
logger$b.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
|
|
2318
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$6(scopes, clientId)), {
|
|
2265
2319
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2266
2320
|
allowInsecureConnection: true }));
|
|
2267
|
-
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$
|
|
2321
|
+
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$3);
|
|
2268
2322
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
2269
2323
|
},
|
|
2270
2324
|
};
|
|
2271
2325
|
|
|
2272
2326
|
// Copyright (c) Microsoft Corporation.
|
|
2273
|
-
const msiName$
|
|
2274
|
-
const logger$
|
|
2327
|
+
const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
|
|
2328
|
+
const logger$a = credentialLogger(msiName$5);
|
|
2275
2329
|
/**
|
|
2276
2330
|
* Generates the options used on the request for an access token.
|
|
2277
2331
|
*/
|
|
2278
|
-
function prepareRequestOptions$
|
|
2332
|
+
function prepareRequestOptions$5(scopes, clientId, resourceId) {
|
|
2279
2333
|
const resource = mapScopesToResource(scopes);
|
|
2280
2334
|
if (!resource) {
|
|
2281
|
-
throw new Error(`${msiName$
|
|
2335
|
+
throw new Error(`${msiName$5}: Multiple scopes are not supported.`);
|
|
2282
2336
|
}
|
|
2283
2337
|
const body = {
|
|
2284
2338
|
resource,
|
|
@@ -2291,7 +2345,7 @@ function prepareRequestOptions$4(scopes, clientId, resourceId) {
|
|
|
2291
2345
|
}
|
|
2292
2346
|
// This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
|
|
2293
2347
|
if (!process.env.MSI_ENDPOINT) {
|
|
2294
|
-
throw new Error(`${msiName$
|
|
2348
|
+
throw new Error(`${msiName$5}: Missing environment variable: MSI_ENDPOINT`);
|
|
2295
2349
|
}
|
|
2296
2350
|
const params = new URLSearchParams(body);
|
|
2297
2351
|
return {
|
|
@@ -2313,25 +2367,25 @@ const cloudShellMsi = {
|
|
|
2313
2367
|
async isAvailable({ scopes }) {
|
|
2314
2368
|
const resource = mapScopesToResource(scopes);
|
|
2315
2369
|
if (!resource) {
|
|
2316
|
-
logger$
|
|
2370
|
+
logger$a.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
|
|
2317
2371
|
return false;
|
|
2318
2372
|
}
|
|
2319
2373
|
const result = Boolean(process.env.MSI_ENDPOINT);
|
|
2320
2374
|
if (!result) {
|
|
2321
|
-
logger$
|
|
2375
|
+
logger$a.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
|
|
2322
2376
|
}
|
|
2323
2377
|
return result;
|
|
2324
2378
|
},
|
|
2325
2379
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2326
2380
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2327
2381
|
if (clientId) {
|
|
2328
|
-
logger$
|
|
2382
|
+
logger$a.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
2329
2383
|
}
|
|
2330
2384
|
if (resourceId) {
|
|
2331
|
-
logger$
|
|
2385
|
+
logger$a.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
|
|
2332
2386
|
}
|
|
2333
|
-
logger$
|
|
2334
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2387
|
+
logger$a.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
|
|
2388
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), {
|
|
2335
2389
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2336
2390
|
allowInsecureConnection: true }));
|
|
2337
2391
|
const tokenResponse = await identityClient.sendTokenRequest(request);
|
|
@@ -2340,33 +2394,33 @@ const cloudShellMsi = {
|
|
|
2340
2394
|
};
|
|
2341
2395
|
|
|
2342
2396
|
// Copyright (c) Microsoft Corporation.
|
|
2343
|
-
const msiName$
|
|
2344
|
-
const logger$
|
|
2397
|
+
const msiName$4 = "ManagedIdentityCredential - IMDS";
|
|
2398
|
+
const logger$9 = credentialLogger(msiName$4);
|
|
2345
2399
|
/**
|
|
2346
2400
|
* Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
|
|
2347
2401
|
*/
|
|
2348
|
-
function expiresOnParser$
|
|
2402
|
+
function expiresOnParser$2(requestBody) {
|
|
2349
2403
|
if (requestBody.expires_on) {
|
|
2350
2404
|
// Use the expires_on timestamp if it's available
|
|
2351
2405
|
const expires = +requestBody.expires_on * 1000;
|
|
2352
|
-
logger$
|
|
2406
|
+
logger$9.info(`${msiName$4}: Using expires_on: ${expires} (original value: ${requestBody.expires_on})`);
|
|
2353
2407
|
return expires;
|
|
2354
2408
|
}
|
|
2355
2409
|
else {
|
|
2356
2410
|
// If these aren't possible, use expires_in and calculate a timestamp
|
|
2357
2411
|
const expires = Date.now() + requestBody.expires_in * 1000;
|
|
2358
|
-
logger$
|
|
2412
|
+
logger$9.info(`${msiName$4}: IMDS using expires_in: ${expires} (original value: ${requestBody.expires_in})`);
|
|
2359
2413
|
return expires;
|
|
2360
2414
|
}
|
|
2361
2415
|
}
|
|
2362
2416
|
/**
|
|
2363
2417
|
* Generates the options used on the request for an access token.
|
|
2364
2418
|
*/
|
|
2365
|
-
function prepareRequestOptions$
|
|
2419
|
+
function prepareRequestOptions$4(scopes, clientId, resourceId, options) {
|
|
2366
2420
|
var _a;
|
|
2367
2421
|
const resource = mapScopesToResource(scopes);
|
|
2368
2422
|
if (!resource) {
|
|
2369
|
-
throw new Error(`${msiName$
|
|
2423
|
+
throw new Error(`${msiName$4}: Multiple scopes are not supported.`);
|
|
2370
2424
|
}
|
|
2371
2425
|
const { skipQuery, skipMetadataHeader } = options || {};
|
|
2372
2426
|
let query = "";
|
|
@@ -2416,7 +2470,7 @@ const imdsMsi = {
|
|
|
2416
2470
|
var _a, _b;
|
|
2417
2471
|
const resource = mapScopesToResource(scopes);
|
|
2418
2472
|
if (!resource) {
|
|
2419
|
-
logger$
|
|
2473
|
+
logger$9.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
|
|
2420
2474
|
return false;
|
|
2421
2475
|
}
|
|
2422
2476
|
const { span, updatedOptions: options } = createSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions);
|
|
@@ -2427,7 +2481,7 @@ const imdsMsi = {
|
|
|
2427
2481
|
if (!identityClient) {
|
|
2428
2482
|
throw new Error("Missing IdentityClient");
|
|
2429
2483
|
}
|
|
2430
|
-
const requestOptions = prepareRequestOptions$
|
|
2484
|
+
const requestOptions = prepareRequestOptions$4(resource, clientId, resourceId, {
|
|
2431
2485
|
skipMetadataHeader: true,
|
|
2432
2486
|
skipQuery: true,
|
|
2433
2487
|
});
|
|
@@ -2441,7 +2495,7 @@ const imdsMsi = {
|
|
|
2441
2495
|
// This MSI uses the imdsEndpoint to get the token, which only uses http://
|
|
2442
2496
|
request.allowInsecureConnection = true;
|
|
2443
2497
|
try {
|
|
2444
|
-
logger$
|
|
2498
|
+
logger$9.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
|
|
2445
2499
|
await identityClient.sendRequest(request);
|
|
2446
2500
|
}
|
|
2447
2501
|
catch (err) {
|
|
@@ -2453,7 +2507,7 @@ const imdsMsi = {
|
|
|
2453
2507
|
) {
|
|
2454
2508
|
// If the request failed, or Node.js was unable to establish a connection,
|
|
2455
2509
|
// or the host was down, we'll assume the IMDS endpoint isn't available.
|
|
2456
|
-
logger$
|
|
2510
|
+
logger$9.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
|
|
2457
2511
|
span.setStatus({
|
|
2458
2512
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
2459
2513
|
message: err.message,
|
|
@@ -2462,13 +2516,13 @@ const imdsMsi = {
|
|
|
2462
2516
|
}
|
|
2463
2517
|
}
|
|
2464
2518
|
// If we received any response, the endpoint is available
|
|
2465
|
-
logger$
|
|
2519
|
+
logger$9.info(`${msiName$4}: The Azure IMDS endpoint is available`);
|
|
2466
2520
|
return true;
|
|
2467
2521
|
}
|
|
2468
2522
|
catch (err) {
|
|
2469
2523
|
// createWebResource failed.
|
|
2470
2524
|
// This error should bubble up to the user.
|
|
2471
|
-
logger$
|
|
2525
|
+
logger$9.info(`${msiName$4}: Error when creating the WebResource for the Azure IMDS endpoint: ${err.message}`);
|
|
2472
2526
|
span.setStatus({
|
|
2473
2527
|
code: coreTracing.SpanStatusCode.ERROR,
|
|
2474
2528
|
message: err.message,
|
|
@@ -2481,12 +2535,12 @@ const imdsMsi = {
|
|
|
2481
2535
|
},
|
|
2482
2536
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2483
2537
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2484
|
-
logger$
|
|
2538
|
+
logger$9.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable MSI_ENDPOINT=${process.env.MSI_ENDPOINT}, and using the cloud shell to proceed with the authentication.`);
|
|
2485
2539
|
let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
|
|
2486
2540
|
for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
|
|
2487
2541
|
try {
|
|
2488
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2489
|
-
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$
|
|
2542
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
|
|
2543
|
+
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$2);
|
|
2490
2544
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
2491
2545
|
}
|
|
2492
2546
|
catch (error) {
|
|
@@ -2498,20 +2552,20 @@ const imdsMsi = {
|
|
|
2498
2552
|
throw error;
|
|
2499
2553
|
}
|
|
2500
2554
|
}
|
|
2501
|
-
throw new AuthenticationError(404, `${msiName$
|
|
2555
|
+
throw new AuthenticationError(404, `${msiName$4}: Failed to retrieve IMDS token after ${imdsMsiRetryConfig.maxRetries} retries.`);
|
|
2502
2556
|
},
|
|
2503
2557
|
};
|
|
2504
2558
|
|
|
2505
2559
|
// Copyright (c) Microsoft Corporation.
|
|
2506
|
-
const msiName$
|
|
2507
|
-
const logger$
|
|
2560
|
+
const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
|
|
2561
|
+
const logger$8 = credentialLogger(msiName$3);
|
|
2508
2562
|
/**
|
|
2509
2563
|
* Generates the options used on the request for an access token.
|
|
2510
2564
|
*/
|
|
2511
|
-
function prepareRequestOptions$
|
|
2565
|
+
function prepareRequestOptions$3(scopes, clientId, resourceId) {
|
|
2512
2566
|
const resource = mapScopesToResource(scopes);
|
|
2513
2567
|
if (!resource) {
|
|
2514
|
-
throw new Error(`${msiName$
|
|
2568
|
+
throw new Error(`${msiName$3}: Multiple scopes are not supported.`);
|
|
2515
2569
|
}
|
|
2516
2570
|
const queryParameters = {
|
|
2517
2571
|
resource,
|
|
@@ -2525,7 +2579,7 @@ function prepareRequestOptions$2(scopes, clientId, resourceId) {
|
|
|
2525
2579
|
}
|
|
2526
2580
|
// This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
|
|
2527
2581
|
if (!process.env.IDENTITY_ENDPOINT) {
|
|
2528
|
-
throw new Error(`${msiName$
|
|
2582
|
+
throw new Error(`${msiName$3}: Missing environment variable: IDENTITY_ENDPOINT`);
|
|
2529
2583
|
}
|
|
2530
2584
|
const query = new URLSearchParams(queryParameters);
|
|
2531
2585
|
return coreRestPipeline.createPipelineRequest({
|
|
@@ -2560,7 +2614,7 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
|
|
|
2560
2614
|
if (response.bodyAsText) {
|
|
2561
2615
|
message = ` Response: ${response.bodyAsText}`;
|
|
2562
2616
|
}
|
|
2563
|
-
throw new AuthenticationError(response.status, `${msiName$
|
|
2617
|
+
throw new AuthenticationError(response.status, `${msiName$3}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`);
|
|
2564
2618
|
}
|
|
2565
2619
|
const authHeader = response.headers.get("www-authenticate") || "";
|
|
2566
2620
|
try {
|
|
@@ -2577,12 +2631,12 @@ const arcMsi = {
|
|
|
2577
2631
|
async isAvailable({ scopes }) {
|
|
2578
2632
|
const resource = mapScopesToResource(scopes);
|
|
2579
2633
|
if (!resource) {
|
|
2580
|
-
logger$
|
|
2634
|
+
logger$8.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
|
|
2581
2635
|
return false;
|
|
2582
2636
|
}
|
|
2583
2637
|
const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
|
|
2584
2638
|
if (!result) {
|
|
2585
|
-
logger$
|
|
2639
|
+
logger$8.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
|
|
2586
2640
|
}
|
|
2587
2641
|
return result;
|
|
2588
2642
|
},
|
|
@@ -2590,16 +2644,16 @@ const arcMsi = {
|
|
|
2590
2644
|
var _a;
|
|
2591
2645
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2592
2646
|
if (clientId) {
|
|
2593
|
-
logger$
|
|
2647
|
+
logger$8.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
2594
2648
|
}
|
|
2595
2649
|
if (resourceId) {
|
|
2596
|
-
logger$
|
|
2650
|
+
logger$8.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
|
|
2597
2651
|
}
|
|
2598
|
-
logger$
|
|
2599
|
-
const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2652
|
+
logger$8.info(`${msiName$3}: Authenticating.`);
|
|
2653
|
+
const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
|
|
2600
2654
|
const filePath = await filePathRequest(identityClient, requestOptions);
|
|
2601
2655
|
if (!filePath) {
|
|
2602
|
-
throw new Error(`${msiName$
|
|
2656
|
+
throw new Error(`${msiName$3}: Failed to find the token file.`);
|
|
2603
2657
|
}
|
|
2604
2658
|
const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
|
|
2605
2659
|
(_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
|
|
@@ -2612,13 +2666,13 @@ const arcMsi = {
|
|
|
2612
2666
|
};
|
|
2613
2667
|
|
|
2614
2668
|
// Copyright (c) Microsoft Corporation.
|
|
2615
|
-
const msiName$
|
|
2616
|
-
const logger$
|
|
2669
|
+
const msiName$2 = "ManagedIdentityCredential - Token Exchange";
|
|
2670
|
+
const logger$7 = credentialLogger(msiName$2);
|
|
2617
2671
|
const readFileAsync = util.promisify(fs__default["default"].readFile);
|
|
2618
2672
|
/**
|
|
2619
2673
|
* Generates the options used on the request for an access token.
|
|
2620
2674
|
*/
|
|
2621
|
-
function prepareRequestOptions$
|
|
2675
|
+
function prepareRequestOptions$2(scopes, clientAssertion, clientId) {
|
|
2622
2676
|
var _a;
|
|
2623
2677
|
const bodyParams = {
|
|
2624
2678
|
scope: Array.isArray(scopes) ? scopes.join(" ") : scopes,
|
|
@@ -2669,21 +2723,21 @@ function tokenExchangeMsi() {
|
|
|
2669
2723
|
const env = process.env;
|
|
2670
2724
|
const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
|
|
2671
2725
|
if (!result) {
|
|
2672
|
-
logger$
|
|
2726
|
+
logger$7.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
|
|
2673
2727
|
}
|
|
2674
2728
|
return result;
|
|
2675
2729
|
},
|
|
2676
2730
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2677
2731
|
const { identityClient, scopes, clientId } = configuration;
|
|
2678
|
-
logger$
|
|
2732
|
+
logger$7.info(`${msiName$2}: Using the client assertion coming from environment variables.`);
|
|
2679
2733
|
let assertion;
|
|
2680
2734
|
try {
|
|
2681
2735
|
assertion = await readAssertion();
|
|
2682
2736
|
}
|
|
2683
2737
|
catch (err) {
|
|
2684
|
-
throw new Error(`${msiName$
|
|
2738
|
+
throw new Error(`${msiName$2}: Failed to read ${azureFederatedTokenFilePath}, indicated by the environment variable AZURE_FEDERATED_TOKEN_FILE`);
|
|
2685
2739
|
}
|
|
2686
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$
|
|
2740
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, assertion, clientId || process.env.AZURE_CLIENT_ID)), {
|
|
2687
2741
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2688
2742
|
allowInsecureConnection: true }));
|
|
2689
2743
|
const tokenResponse = await identityClient.sendTokenRequest(request);
|
|
@@ -2703,22 +2757,22 @@ function tokenExchangeMsi() {
|
|
|
2703
2757
|
//
|
|
2704
2758
|
// curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
|
|
2705
2759
|
//
|
|
2706
|
-
const msiName = "ManagedIdentityCredential - Fabric MSI";
|
|
2707
|
-
const logger$
|
|
2760
|
+
const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
|
|
2761
|
+
const logger$6 = credentialLogger(msiName$1);
|
|
2708
2762
|
/**
|
|
2709
2763
|
* Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
|
|
2710
2764
|
*/
|
|
2711
|
-
function expiresOnParser(requestBody) {
|
|
2765
|
+
function expiresOnParser$1(requestBody) {
|
|
2712
2766
|
// Parses a string representation of the milliseconds since epoch into a number value
|
|
2713
2767
|
return Number(requestBody.expires_on);
|
|
2714
2768
|
}
|
|
2715
2769
|
/**
|
|
2716
2770
|
* Generates the options used on the request for an access token.
|
|
2717
2771
|
*/
|
|
2718
|
-
function prepareRequestOptions(scopes, clientId, resourceId) {
|
|
2772
|
+
function prepareRequestOptions$1(scopes, clientId, resourceId) {
|
|
2719
2773
|
const resource = mapScopesToResource(scopes);
|
|
2720
2774
|
if (!resource) {
|
|
2721
|
-
throw new Error(`${msiName}: Multiple scopes are not supported.`);
|
|
2775
|
+
throw new Error(`${msiName$1}: Multiple scopes are not supported.`);
|
|
2722
2776
|
}
|
|
2723
2777
|
const queryParameters = {
|
|
2724
2778
|
resource,
|
|
@@ -2754,34 +2808,107 @@ const fabricMsi = {
|
|
|
2754
2808
|
async isAvailable({ scopes }) {
|
|
2755
2809
|
const resource = mapScopesToResource(scopes);
|
|
2756
2810
|
if (!resource) {
|
|
2757
|
-
logger$
|
|
2811
|
+
logger$6.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
|
|
2758
2812
|
return false;
|
|
2759
2813
|
}
|
|
2760
2814
|
const env = process.env;
|
|
2761
2815
|
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
|
|
2762
2816
|
if (!result) {
|
|
2763
|
-
logger$
|
|
2817
|
+
logger$6.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
|
|
2764
2818
|
}
|
|
2765
2819
|
return result;
|
|
2766
2820
|
},
|
|
2767
2821
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2768
2822
|
const { scopes, identityClient, clientId, resourceId } = configuration;
|
|
2769
2823
|
if (resourceId) {
|
|
2770
|
-
logger$
|
|
2824
|
+
logger$6.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
2771
2825
|
}
|
|
2772
|
-
logger$
|
|
2773
|
-
`${msiName}:`,
|
|
2826
|
+
logger$6.info([
|
|
2827
|
+
`${msiName$1}:`,
|
|
2774
2828
|
"Using the endpoint and the secret coming from the environment variables:",
|
|
2775
2829
|
`IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
|
|
2776
2830
|
"IDENTITY_HEADER=[REDACTED] and",
|
|
2777
2831
|
"IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
|
|
2778
2832
|
].join(" "));
|
|
2779
|
-
const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)));
|
|
2833
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
|
|
2780
2834
|
request.agent = new https__default["default"].Agent({
|
|
2781
2835
|
// This is necessary because Service Fabric provides a self-signed certificate.
|
|
2782
2836
|
// The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
|
|
2783
2837
|
rejectUnauthorized: false,
|
|
2784
2838
|
});
|
|
2839
|
+
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser$1);
|
|
2840
|
+
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
2841
|
+
},
|
|
2842
|
+
};
|
|
2843
|
+
|
|
2844
|
+
// Copyright (c) Microsoft Corporation.
|
|
2845
|
+
const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
|
|
2846
|
+
const logger$5 = credentialLogger(msiName);
|
|
2847
|
+
/**
|
|
2848
|
+
* Formats the expiration date of the received token into the number of milliseconds between that date and midnight, January 1, 1970.
|
|
2849
|
+
*/
|
|
2850
|
+
function expiresOnParser(requestBody) {
|
|
2851
|
+
// App Service always returns string expires_on values.
|
|
2852
|
+
return Date.parse(requestBody.expires_on);
|
|
2853
|
+
}
|
|
2854
|
+
/**
|
|
2855
|
+
* Generates the options used on the request for an access token.
|
|
2856
|
+
*/
|
|
2857
|
+
function prepareRequestOptions(scopes, clientId, resourceId) {
|
|
2858
|
+
const resource = mapScopesToResource(scopes);
|
|
2859
|
+
if (!resource) {
|
|
2860
|
+
throw new Error(`${msiName}: Multiple scopes are not supported.`);
|
|
2861
|
+
}
|
|
2862
|
+
const queryParameters = {
|
|
2863
|
+
resource,
|
|
2864
|
+
"api-version": "2019-08-01",
|
|
2865
|
+
};
|
|
2866
|
+
if (clientId) {
|
|
2867
|
+
queryParameters.client_id = clientId;
|
|
2868
|
+
}
|
|
2869
|
+
if (resourceId) {
|
|
2870
|
+
queryParameters.mi_res_id = resourceId;
|
|
2871
|
+
}
|
|
2872
|
+
const query = new URLSearchParams(queryParameters);
|
|
2873
|
+
// This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.
|
|
2874
|
+
if (!process.env.IDENTITY_ENDPOINT) {
|
|
2875
|
+
throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);
|
|
2876
|
+
}
|
|
2877
|
+
if (!process.env.IDENTITY_HEADER) {
|
|
2878
|
+
throw new Error(`${msiName}: Missing environment variable: IDENTITY_HEADER`);
|
|
2879
|
+
}
|
|
2880
|
+
return {
|
|
2881
|
+
url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,
|
|
2882
|
+
method: "GET",
|
|
2883
|
+
headers: coreRestPipeline.createHttpHeaders({
|
|
2884
|
+
Accept: "application/json",
|
|
2885
|
+
"X-IDENTITY-HEADER": process.env.IDENTITY_HEADER,
|
|
2886
|
+
}),
|
|
2887
|
+
};
|
|
2888
|
+
}
|
|
2889
|
+
/**
|
|
2890
|
+
* Defines how to determine whether the Azure App Service MSI is available, and also how to retrieve a token from the Azure App Service MSI.
|
|
2891
|
+
*/
|
|
2892
|
+
const appServiceMsi2019 = {
|
|
2893
|
+
async isAvailable({ scopes }) {
|
|
2894
|
+
const resource = mapScopesToResource(scopes);
|
|
2895
|
+
if (!resource) {
|
|
2896
|
+
logger$5.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
|
|
2897
|
+
return false;
|
|
2898
|
+
}
|
|
2899
|
+
const env = process.env;
|
|
2900
|
+
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
|
|
2901
|
+
if (!result) {
|
|
2902
|
+
logger$5.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
|
|
2903
|
+
}
|
|
2904
|
+
return result;
|
|
2905
|
+
},
|
|
2906
|
+
async getToken(configuration, getTokenOptions = {}) {
|
|
2907
|
+
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2908
|
+
logger$5.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
|
|
2909
|
+
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), {
|
|
2910
|
+
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2911
|
+
allowInsecureConnection: true }));
|
|
2785
2912
|
const tokenResponse = await identityClient.sendTokenRequest(request, expiresOnParser);
|
|
2786
2913
|
return (tokenResponse && tokenResponse.accessToken) || null;
|
|
2787
2914
|
},
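Review bot: The new `expiresOnParser` returns whatever `Date.parse(requestBody.expires_on)` yields, so a missing or unparseable `expires_on` produces `NaN` rather than an error, and `Date.parse` is only portable for ISO 8601 input; a `NaN` expiry would then flow through `identityClient.sendTokenRequest` unless that helper validates it, which is not visible in this hunk. Consider `const expiresOn = Date.parse(requestBody.expires_on);` / `if (Number.isNaN(expiresOn)) throw new Error(msiName + ": Unable to parse expires_on: " + requestBody.expires_on);` / `return expiresOn;`. Separately, the info message in `appServiceMsi2019.getToken` reads "coming form the environment variables" (copied from the 2017 variant); "coming from" is intended. Redacting IDENTITY_HEADER in that message is the right call, since it is the secret that authorizes the token request.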
|
|
@@ -2828,7 +2955,15 @@ class ManagedIdentityCredential {
|
|
|
2828
2955
|
if (this.cachedMSI) {
|
|
2829
2956
|
return this.cachedMSI;
|
|
2830
2957
|
}
|
|
2831
|
-
const MSIs = [
|
|
2958
|
+
const MSIs = [
|
|
2959
|
+
fabricMsi,
|
|
2960
|
+
appServiceMsi2019,
|
|
2961
|
+
appServiceMsi2017,
|
|
2962
|
+
cloudShellMsi,
|
|
2963
|
+
arcMsi,
|
|
2964
|
+
tokenExchangeMsi(),
|
|
2965
|
+
imdsMsi,
|
|
2966
|
+
];
|
|
2832
2967
|
for (const msi of MSIs) {
|
|
2833
2968
|
if (await msi.isAvailable({
|
|
2834
2969
|
scopes,
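Review bot: The new `MSIs` array encodes a precedence that the code does not explain: `appServiceMsi2019.isAvailable` matches on IDENTITY_ENDPOINT and IDENTITY_HEADER, which Service Fabric hosts also set (the Fabric check additionally requires IDENTITY_SERVER_THUMBPRINT), so `fabricMsi` must stay ahead of `appServiceMsi2019` or Fabric hosts would be sent down the App Service path. A comment on the array would protect that ordering, e.g. `// Order matters: fabricMsi must precede appServiceMsi2019, since both are detected via IDENTITY_ENDPOINT + IDENTITY_HEADER (Fabric additionally needs IDENTITY_SERVER_THUMBPRINT); imdsMsi is last because its isAvailable() probes the network.` The enclosing method starts before the hunk.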
|
|
@@ -2970,13 +3105,24 @@ class ManagedIdentityCredential {
|
|
|
2970
3105
|
* @internal
|
|
2971
3106
|
*/
|
|
2972
3107
|
class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
|
|
3108
|
+
// Constructor overload with just the other default options
|
|
3109
|
+
// Last constructor overload with Union of all options not required since the above two constructor overloads have optional properties
|
|
2973
3110
|
constructor(options) {
|
|
2974
3111
|
var _a, _b, _c;
|
|
2975
3112
|
const managedIdentityClientId = (_b = (_a = options) === null || _a === void 0 ? void 0 : _a.managedIdentityClientId) !== null && _b !== void 0 ? _b : process.env.AZURE_CLIENT_ID;
|
|
2976
3113
|
const managedResourceId = (_c = options) === null || _c === void 0 ? void 0 : _c.managedIdentityResourceId;
|
|
2977
3114
|
// ManagedIdentityCredential throws if both the resourceId and the clientId are provided.
|
|
2978
|
-
|
|
2979
|
-
|
|
3115
|
+
if (managedResourceId) {
|
|
3116
|
+
const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
|
|
3117
|
+
super(managedIdentityResourceIdOptions);
|
|
3118
|
+
}
|
|
3119
|
+
else if (managedIdentityClientId) {
|
|
3120
|
+
const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
|
|
3121
|
+
super(managedIdentityClientOptions);
|
|
3122
|
+
}
|
|
3123
|
+
else {
|
|
3124
|
+
super(options);
|
|
3125
|
+
}
|
|
2980
3126
|
}
|
|
2981
3127
|
}
|
|
2982
3128
|
const defaultCredentials = [
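Review bot: The new constructor silently prefers `managedIdentityResourceId` when both a resource id and a client id are supplied (the client id may also arrive implicitly via `AZURE_CLIENT_ID`), while the comment just above says the base class throws on that combination; the net effect is that a conflicting configuration resolves to one identity with no signal to the caller. If the intent is to keep the env-var fallback but reject two explicit options, a guard before the branches would do it, e.g. `if (managedResourceId && (options === null || options === void 0 ? void 0 : options.managedIdentityClientId)) { throw new Error("DefaultManagedIdentityCredential: managedIdentityClientId and managedIdentityResourceId cannot both be set."); }`; otherwise the precedence should be stated in a comment. The two comments at the top of the class refer to "constructor overloads", which exist only in the TypeScript source and do not describe this compiled JavaScript; they would read better as a note on precedence, or be dropped. The class body is fully inside the hunk, but `ManagedIdentityCredential`'s own validation is not visible here.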
|
|
@@ -2991,30 +3137,6 @@ const defaultCredentials = [
|
|
|
2991
3137
|
* work for most applications that use the Azure SDK.
|
|
2992
3138
|
*/
|
|
2993
3139
|
class DefaultAzureCredential extends ChainedTokenCredential {
|
|
2994
|
-
/**
|
|
2995
|
-
* Creates an instance of the DefaultAzureCredential class.
|
|
2996
|
-
*
|
|
2997
|
-
* This credential provides a default {@link ChainedTokenCredential} configuration that should
|
|
2998
|
-
* work for most applications that use the Azure SDK.
|
|
2999
|
-
*
|
|
3000
|
-
* The following credential types will be tried, in order:
|
|
3001
|
-
*
|
|
3002
|
-
* - {@link EnvironmentCredential}
|
|
3003
|
-
* - {@link ManagedIdentityCredential}
|
|
3004
|
-
* - {@link VisualStudioCodeCredential}
|
|
3005
|
-
* - {@link AzureCliCredential}
|
|
3006
|
-
* - {@link AzurePowerShellCredential}
|
|
3007
|
-
*
|
|
3008
|
-
* Consult the documentation of these credential types for more information
|
|
3009
|
-
* on how they attempt authentication.
|
|
3010
|
-
*
|
|
3011
|
-
* **Note**: `VisualStudioCodeCredential` is provided by a plugin package:
|
|
3012
|
-
* `@azure/identity-vscode`. If this package is not installed and registered
|
|
3013
|
-
* using the plugin API (`useIdentityPlugin`), then authentication using
|
|
3014
|
-
* `VisualStudioCodeCredential` will not be available.
|
|
3015
|
-
*
|
|
3016
|
-
* @param options - Optional parameters. See {@link DefaultAzureCredentialOptions}.
|
|
3017
|
-
*/
|
|
3018
3140
|
constructor(options) {
|
|
3019
3141
|
super(...defaultCredentials.map((ctor) => new ctor(options)));
|
|
3020
3142
|
this.UnavailableMessage =
|
|
@@ -3269,8 +3391,6 @@ class MsalDeviceCode extends MsalNode {
|
|
|
3269
3391
|
claims: options === null || options === void 0 ? void 0 : options.claims,
|
|
3270
3392
|
};
|
|
3271
3393
|
const promise = this.publicApp.acquireTokenByDeviceCode(requestOptions);
|
|
3272
|
-
// TODO:
|
|
3273
|
-
// This should work, but it currently doesn't. I'm waiting for an answer from the MSAL team.
|
|
3274
3394
|
const deviceResponse = await this.withCancellation(promise, options === null || options === void 0 ? void 0 : options.abortSignal, () => {
|
|
3275
3395
|
requestOptions.cancel = true;
|
|
3276
3396
|
});
|
|
@@ -3507,27 +3627,6 @@ const logger = credentialLogger(credentialName);
|
|
|
3507
3627
|
* Enables authentication to Azure Active Directory using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
|
|
3508
3628
|
*/
|
|
3509
3629
|
class OnBehalfOfCredential {
|
|
3510
|
-
/**
|
|
3511
|
-
* Creates an instance of the {@link OnBehalfOfCredential} with the details
|
|
3512
|
-
* needed to authenticate against Azure Active Directory with a client
|
|
3513
|
-
* secret or a path to a PEM certificate, and an user assertion.
|
|
3514
|
-
*
|
|
3515
|
-
* Example using the `KeyClient` from [\@azure/keyvault-keys](https://www.npmjs.com/package/\@azure/keyvault-keys):
|
|
3516
|
-
*
|
|
3517
|
-
* ```ts
|
|
3518
|
-
* const tokenCredential = new OnBehalfOfCredential({
|
|
3519
|
-
* tenantId,
|
|
3520
|
-
* clientId,
|
|
3521
|
-
* clientSecret, // or `certificatePath: "/path/to/certificate.pem"
|
|
3522
|
-
* userAssertionToken: "access-token"
|
|
3523
|
-
* });
|
|
3524
|
-
* const client = new KeyClient("vault-url", tokenCredential);
|
|
3525
|
-
*
|
|
3526
|
-
* await client.getKey("key-name");
|
|
3527
|
-
* ```
|
|
3528
|
-
*
|
|
3529
|
-
* @param options - Optional parameters, generally common across credentials.
|
|
3530
|
-
*/
|
|
3531
3630
|
constructor(options) {
|
|
3532
3631
|
this.options = options;
|
|
3533
3632
|
const { clientSecret } = options;
|
|
@@ -3584,7 +3683,7 @@ exports.UsernamePasswordCredential = UsernamePasswordCredential;
|
|
|
3584
3683
|
exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
|
|
3585
3684
|
exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
|
|
3586
3685
|
exports.getDefaultAzureCredential = getDefaultAzureCredential;
|
|
3587
|
-
exports.logger = logger$
|
|
3686
|
+
exports.logger = logger$k;
|
|
3588
3687
|
exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
|
|
3589
3688
|
exports.useIdentityPlugin = useIdentityPlugin;
|
|
3590
3689
|
//# sourceMappingURL=index.js.map
|