@azure/identity 3.1.3 → 3.2.0-alpha.20230213.2
This diff shows the content of publicly available package versions released to one of the supported registries. The information in this diff is provided for informational purposes only and reflects the changes between package versions as they appear in their respective public registries.
- package/README.md +10 -1
- package/dist/index.js +238 -113
- package/dist/index.js.map +1 -1
- package/dist-esm/src/constants.js +1 -1
- package/dist-esm/src/constants.js.map +1 -1
- package/dist-esm/src/credentials/authorityValidationOptions.js +4 -0
- package/dist-esm/src/credentials/authorityValidationOptions.js.map +1 -0
- package/dist-esm/src/credentials/authorizationCodeCredentialOptions.js.map +1 -1
- package/dist-esm/src/credentials/azureApplicationCredential.js +0 -2
- package/dist-esm/src/credentials/azureApplicationCredential.js.map +1 -1
- package/dist-esm/src/credentials/azureDeveloperCliCredential.browser.js +23 -0
- package/dist-esm/src/credentials/azureDeveloperCliCredential.browser.js.map +1 -0
- package/dist-esm/src/credentials/azureDeveloperCliCredential.js +136 -0
- package/dist-esm/src/credentials/azureDeveloperCliCredential.js.map +1 -0
- package/dist-esm/src/credentials/azureDeveloperCliCredentialOptions.js +4 -0
- package/dist-esm/src/credentials/azureDeveloperCliCredentialOptions.js.map +1 -0
- package/dist-esm/src/credentials/chainedTokenCredential.js +0 -4
- package/dist-esm/src/credentials/chainedTokenCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientAssertionCredentialOptions.js.map +1 -1
- package/dist-esm/src/credentials/clientCertificateCredentialOptions.js.map +1 -1
- package/dist-esm/src/credentials/clientSecretCredentialOptions.js.map +1 -1
- package/dist-esm/src/credentials/defaultAzureCredential.js +2 -2
- package/dist-esm/src/credentials/defaultAzureCredential.js.map +1 -1
- package/dist-esm/src/credentials/defaultAzureCredentialOptions.js.map +1 -1
- package/dist-esm/src/credentials/environmentCredentialOptions.js.map +1 -1
- package/dist-esm/src/credentials/interactiveBrowserCredentialOptions.js.map +1 -1
- package/dist-esm/src/credentials/interactiveCredentialOptions.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/index.js +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/index.js.map +1 -1
- package/dist-esm/src/credentials/onBehalfOfCredentialOptions.js.map +1 -1
- package/dist-esm/src/index.js.map +1 -1
- package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js +1 -1
- package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js.map +1 -1
- package/dist-esm/src/msal/flows.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js +1 -1
- package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js.map +1 -1
- package/dist-esm/src/msal/utils.js +2 -2
- package/dist-esm/src/msal/utils.js.map +1 -1
- package/package.json +8 -8
- package/types/identity.d.ts +24 -13
package/dist/index.js
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
4
|
|
|
5
5
|
var msalNode = require('@azure/msal-node');
|
|
6
|
-
var logger$
|
|
6
|
+
var logger$n = require('@azure/logger');
|
|
7
7
|
var msalCommon = require('@azure/msal-common');
|
|
8
8
|
var abortController = require('@azure/abort-controller');
|
|
9
9
|
var coreUtil = require('@azure/core-util');
|
|
@@ -177,7 +177,7 @@ class AuthenticationRequiredError extends Error {
|
|
|
177
177
|
/**
|
|
178
178
|
* The AzureLogger used for all clients within the identity package
|
|
179
179
|
*/
|
|
180
|
-
const logger$
|
|
180
|
+
const logger$m = logger$n.createClientLogger("identity");
|
|
181
181
|
/**
|
|
182
182
|
* Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
|
|
183
183
|
* @param supportedEnvVars - List of environment variable names
|
|
@@ -217,7 +217,7 @@ function formatError(scope, error) {
|
|
|
217
217
|
* `[title] => [message]`
|
|
218
218
|
*
|
|
219
219
|
*/
|
|
220
|
-
function credentialLoggerInstance(title, parent, log = logger$
|
|
220
|
+
function credentialLoggerInstance(title, parent, log = logger$m) {
|
|
221
221
|
const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
|
|
222
222
|
function info(message) {
|
|
223
223
|
log.info(`${fullTitle} =>`, message);
|
|
@@ -246,7 +246,7 @@ function credentialLoggerInstance(title, parent, log = logger$l) {
|
|
|
246
246
|
* `[title] => getToken() => [message]`
|
|
247
247
|
*
|
|
248
248
|
*/
|
|
249
|
-
function credentialLogger(title, log = logger$
|
|
249
|
+
function credentialLogger(title, log = logger$m) {
|
|
250
250
|
const credLogger = credentialLoggerInstance(title, undefined, log);
|
|
251
251
|
return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
|
|
252
252
|
}
|
|
@@ -256,7 +256,7 @@ function credentialLogger(title, log = logger$l) {
|
|
|
256
256
|
/**
|
|
257
257
|
* Current version of the `@azure/identity` package.
|
|
258
258
|
*/
|
|
259
|
-
const SDK_VERSION = `3.1
|
|
259
|
+
const SDK_VERSION = `3.2.0-beta.1`;
|
|
260
260
|
/**
|
|
261
261
|
* The default client ID for authentication
|
|
262
262
|
* @internal
|
|
@@ -355,8 +355,8 @@ function getAuthority(tenantId, host) {
|
|
|
355
355
|
* by sending it within the known authorities in the MSAL configuration.
|
|
356
356
|
* @internal
|
|
357
357
|
*/
|
|
358
|
-
function getKnownAuthorities(tenantId, authorityHost) {
|
|
359
|
-
if (tenantId === "adfs" && authorityHost) {
|
|
358
|
+
function getKnownAuthorities(tenantId, authorityHost, disableInstanceDiscovery) {
|
|
359
|
+
if ((tenantId === "adfs" && authorityHost) || disableInstanceDiscovery) {
|
|
360
360
|
return [authorityHost];
|
|
361
361
|
}
|
|
362
362
|
return [];
|
|
@@ -726,7 +726,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
726
726
|
this.allowLoggingAccountIdentifiers = (_b = options === null || options === void 0 ? void 0 : options.loggingOptions) === null || _b === void 0 ? void 0 : _b.allowLoggingAccountIdentifiers;
|
|
727
727
|
}
|
|
728
728
|
async sendTokenRequest(request) {
|
|
729
|
-
logger$
|
|
729
|
+
logger$m.info(`IdentityClient: sending token request to [${request.url}]`);
|
|
730
730
|
const response = await this.sendRequest(request);
|
|
731
731
|
if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
|
|
732
732
|
const parsedBody = JSON.parse(response.bodyAsText);
|
|
@@ -741,12 +741,12 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
741
741
|
},
|
|
742
742
|
refreshToken: parsedBody.refresh_token,
|
|
743
743
|
};
|
|
744
|
-
logger$
|
|
744
|
+
logger$m.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
|
|
745
745
|
return token;
|
|
746
746
|
}
|
|
747
747
|
else {
|
|
748
748
|
const error = new AuthenticationError(response.status, response.bodyAsText);
|
|
749
|
-
logger$
|
|
749
|
+
logger$m.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
|
|
750
750
|
throw error;
|
|
751
751
|
}
|
|
752
752
|
}
|
|
@@ -754,7 +754,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
754
754
|
if (refreshToken === undefined) {
|
|
755
755
|
return null;
|
|
756
756
|
}
|
|
757
|
-
logger$
|
|
757
|
+
logger$m.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
|
|
758
758
|
const refreshParams = {
|
|
759
759
|
grant_type: "refresh_token",
|
|
760
760
|
client_id: clientId,
|
|
@@ -780,7 +780,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
780
780
|
tracingOptions: updatedOptions.tracingOptions,
|
|
781
781
|
});
|
|
782
782
|
const response = await this.sendTokenRequest(request);
|
|
783
|
-
logger$
|
|
783
|
+
logger$m.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
|
|
784
784
|
return response;
|
|
785
785
|
}
|
|
786
786
|
catch (err) {
|
|
@@ -789,11 +789,11 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
789
789
|
// It's likely that the refresh token has expired, so
|
|
790
790
|
// return null so that the credential implementation will
|
|
791
791
|
// initiate the authentication flow again.
|
|
792
|
-
logger$
|
|
792
|
+
logger$m.info(`IdentityClient: interaction required for client ID: ${clientId}`);
|
|
793
793
|
return null;
|
|
794
794
|
}
|
|
795
795
|
else {
|
|
796
|
-
logger$
|
|
796
|
+
logger$m.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
|
|
797
797
|
throw err;
|
|
798
798
|
}
|
|
799
799
|
}
|
|
@@ -895,10 +895,10 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
895
895
|
}
|
|
896
896
|
const base64Metadata = accessToken.split(".")[1];
|
|
897
897
|
const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
|
|
898
|
-
logger$
|
|
898
|
+
logger$m.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
|
|
899
899
|
}
|
|
900
900
|
catch (e) {
|
|
901
|
-
logger$
|
|
901
|
+
logger$m.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
|
|
902
902
|
}
|
|
903
903
|
}
|
|
904
904
|
}
|
|
@@ -1088,7 +1088,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1088
1088
|
auth: {
|
|
1089
1089
|
clientId,
|
|
1090
1090
|
authority,
|
|
1091
|
-
knownAuthorities: getKnownAuthorities(tenantId, authority),
|
|
1091
|
+
knownAuthorities: getKnownAuthorities(tenantId, authority, options.disableInstanceDiscovery),
|
|
1092
1092
|
clientCapabilities,
|
|
1093
1093
|
},
|
|
1094
1094
|
// Cache is defined in this.prepare();
|
|
@@ -1096,7 +1096,7 @@ class MsalNode extends MsalBaseUtilities {
|
|
|
1096
1096
|
networkClient: this.identityClient,
|
|
1097
1097
|
loggerOptions: {
|
|
1098
1098
|
loggerCallback: defaultLoggerCallback(options.logger),
|
|
1099
|
-
logLevel: getMSALLogLevel(logger$
|
|
1099
|
+
logLevel: getMSALLogLevel(logger$n.getLogLevel()),
|
|
1100
1100
|
},
|
|
1101
1101
|
},
|
|
1102
1102
|
};
|
|
@@ -1254,7 +1254,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1254
1254
|
// Copyright (c) Microsoft Corporation.
|
|
1255
1255
|
const CommonTenantId = "common";
|
|
1256
1256
|
const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
|
|
1257
|
-
const logger$
|
|
1257
|
+
const logger$l = credentialLogger("VisualStudioCodeCredential");
|
|
1258
1258
|
let findCredentials = undefined;
|
|
1259
1259
|
const vsCodeCredentialControl = {
|
|
1260
1260
|
setVsCodeCredentialFinder(finder) {
|
|
@@ -1307,7 +1307,7 @@ function getPropertyFromVSCode(property) {
|
|
|
1307
1307
|
}
|
|
1308
1308
|
}
|
|
1309
1309
|
catch (e) {
|
|
1310
|
-
logger$
|
|
1310
|
+
logger$l.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
|
|
1311
1311
|
return;
|
|
1312
1312
|
}
|
|
1313
1313
|
}
|
|
@@ -1340,7 +1340,7 @@ class VisualStudioCodeCredential {
|
|
|
1340
1340
|
const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
|
|
1341
1341
|
this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
|
|
1342
1342
|
if (options && options.tenantId) {
|
|
1343
|
-
checkTenantId(logger$
|
|
1343
|
+
checkTenantId(logger$l, options.tenantId);
|
|
1344
1344
|
this.tenantId = options.tenantId;
|
|
1345
1345
|
}
|
|
1346
1346
|
else {
|
|
@@ -1395,7 +1395,7 @@ class VisualStudioCodeCredential {
|
|
|
1395
1395
|
// Check to make sure the scope we get back is a valid scope
|
|
1396
1396
|
if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
|
|
1397
1397
|
const error = new Error("Invalid scope was specified by the user or calling client");
|
|
1398
|
-
logger$
|
|
1398
|
+
logger$l.getToken.info(formatError(scopes, error));
|
|
1399
1399
|
throw error;
|
|
1400
1400
|
}
|
|
1401
1401
|
if (scopeString.indexOf("offline_access") < 0) {
|
|
@@ -1415,18 +1415,18 @@ class VisualStudioCodeCredential {
|
|
|
1415
1415
|
if (refreshToken) {
|
|
1416
1416
|
const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
|
|
1417
1417
|
if (tokenResponse) {
|
|
1418
|
-
logger$
|
|
1418
|
+
logger$l.getToken.info(formatSuccess(scopes));
|
|
1419
1419
|
return tokenResponse.accessToken;
|
|
1420
1420
|
}
|
|
1421
1421
|
else {
|
|
1422
1422
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1423
|
-
logger$
|
|
1423
|
+
logger$l.getToken.info(formatError(scopes, error));
|
|
1424
1424
|
throw error;
|
|
1425
1425
|
}
|
|
1426
1426
|
}
|
|
1427
1427
|
else {
|
|
1428
1428
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1429
|
-
logger$
|
|
1429
|
+
logger$l.getToken.info(formatError(scopes, error));
|
|
1430
1430
|
throw error;
|
|
1431
1431
|
}
|
|
1432
1432
|
}
|
|
@@ -1475,7 +1475,7 @@ function useIdentityPlugin(plugin) {
|
|
|
1475
1475
|
|
|
1476
1476
|
// Copyright (c) Microsoft Corporation.
|
|
1477
1477
|
const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
|
|
1478
|
-
const logger$
|
|
1478
|
+
const logger$k = credentialLogger(msiName$6);
|
|
1479
1479
|
/**
|
|
1480
1480
|
* Generates the options used on the request for an access token.
|
|
1481
1481
|
*/
|
|
@@ -1515,22 +1515,22 @@ const appServiceMsi2017 = {
|
|
|
1515
1515
|
async isAvailable({ scopes }) {
|
|
1516
1516
|
const resource = mapScopesToResource(scopes);
|
|
1517
1517
|
if (!resource) {
|
|
1518
|
-
logger$
|
|
1518
|
+
logger$k.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
|
|
1519
1519
|
return false;
|
|
1520
1520
|
}
|
|
1521
1521
|
const env = process.env;
|
|
1522
1522
|
const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
|
|
1523
1523
|
if (!result) {
|
|
1524
|
-
logger$
|
|
1524
|
+
logger$k.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
|
|
1525
1525
|
}
|
|
1526
1526
|
return result;
|
|
1527
1527
|
},
|
|
1528
1528
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1529
1529
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1530
1530
|
if (resourceId) {
|
|
1531
|
-
logger$
|
|
1531
|
+
logger$k.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
1532
1532
|
}
|
|
1533
|
-
logger$
|
|
1533
|
+
logger$k.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
|
|
1534
1534
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$6(scopes, clientId)), {
|
|
1535
1535
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1536
1536
|
allowInsecureConnection: true }));
|
|
@@ -1541,7 +1541,7 @@ const appServiceMsi2017 = {
|
|
|
1541
1541
|
|
|
1542
1542
|
// Copyright (c) Microsoft Corporation.
|
|
1543
1543
|
const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
|
|
1544
|
-
const logger$
|
|
1544
|
+
const logger$j = credentialLogger(msiName$5);
|
|
1545
1545
|
/**
|
|
1546
1546
|
* Generates the options used on the request for an access token.
|
|
1547
1547
|
*/
|
|
@@ -1583,24 +1583,24 @@ const cloudShellMsi = {
|
|
|
1583
1583
|
async isAvailable({ scopes }) {
|
|
1584
1584
|
const resource = mapScopesToResource(scopes);
|
|
1585
1585
|
if (!resource) {
|
|
1586
|
-
logger$
|
|
1586
|
+
logger$j.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
|
|
1587
1587
|
return false;
|
|
1588
1588
|
}
|
|
1589
1589
|
const result = Boolean(process.env.MSI_ENDPOINT);
|
|
1590
1590
|
if (!result) {
|
|
1591
|
-
logger$
|
|
1591
|
+
logger$j.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
|
|
1592
1592
|
}
|
|
1593
1593
|
return result;
|
|
1594
1594
|
},
|
|
1595
1595
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1596
1596
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1597
1597
|
if (clientId) {
|
|
1598
|
-
logger$
|
|
1598
|
+
logger$j.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
1599
1599
|
}
|
|
1600
1600
|
if (resourceId) {
|
|
1601
|
-
logger$
|
|
1601
|
+
logger$j.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
|
|
1602
1602
|
}
|
|
1603
|
-
logger$
|
|
1603
|
+
logger$j.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
|
|
1604
1604
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId, resourceId)), {
|
|
1605
1605
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1606
1606
|
allowInsecureConnection: true }));
|
|
@@ -1611,7 +1611,7 @@ const cloudShellMsi = {
|
|
|
1611
1611
|
|
|
1612
1612
|
// Copyright (c) Microsoft Corporation.
|
|
1613
1613
|
const msiName$4 = "ManagedIdentityCredential - IMDS";
|
|
1614
|
-
const logger$
|
|
1614
|
+
const logger$i = credentialLogger(msiName$4);
|
|
1615
1615
|
/**
|
|
1616
1616
|
* Generates the options used on the request for an access token.
|
|
1617
1617
|
*/
|
|
@@ -1668,7 +1668,7 @@ const imdsMsi = {
|
|
|
1668
1668
|
async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
|
|
1669
1669
|
const resource = mapScopesToResource(scopes);
|
|
1670
1670
|
if (!resource) {
|
|
1671
|
-
logger$
|
|
1671
|
+
logger$i.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
|
|
1672
1672
|
return false;
|
|
1673
1673
|
}
|
|
1674
1674
|
// if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
|
|
@@ -1695,30 +1695,30 @@ const imdsMsi = {
|
|
|
1695
1695
|
// This MSI uses the imdsEndpoint to get the token, which only uses http://
|
|
1696
1696
|
request.allowInsecureConnection = true;
|
|
1697
1697
|
try {
|
|
1698
|
-
logger$
|
|
1698
|
+
logger$i.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
|
|
1699
1699
|
await identityClient.sendRequest(request);
|
|
1700
1700
|
}
|
|
1701
1701
|
catch (err) {
|
|
1702
1702
|
// If the request failed, or Node.js was unable to establish a connection,
|
|
1703
1703
|
// or the host was down, we'll assume the IMDS endpoint isn't available.
|
|
1704
1704
|
if (coreUtil.isError(err)) {
|
|
1705
|
-
logger$
|
|
1705
|
+
logger$i.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
|
|
1706
1706
|
}
|
|
1707
|
-
logger$
|
|
1707
|
+
logger$i.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
|
|
1708
1708
|
return false;
|
|
1709
1709
|
}
|
|
1710
1710
|
// If we received any response, the endpoint is available
|
|
1711
|
-
logger$
|
|
1711
|
+
logger$i.info(`${msiName$4}: The Azure IMDS endpoint is available`);
|
|
1712
1712
|
return true;
|
|
1713
1713
|
});
|
|
1714
1714
|
},
|
|
1715
1715
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1716
1716
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1717
1717
|
if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
|
|
1718
|
-
logger$
|
|
1718
|
+
logger$i.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
|
|
1719
1719
|
}
|
|
1720
1720
|
else {
|
|
1721
|
-
logger$
|
|
1721
|
+
logger$i.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
|
|
1722
1722
|
}
|
|
1723
1723
|
let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
|
|
1724
1724
|
for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
|
|
@@ -1742,7 +1742,7 @@ const imdsMsi = {
|
|
|
1742
1742
|
|
|
1743
1743
|
// Copyright (c) Microsoft Corporation.
|
|
1744
1744
|
const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
|
|
1745
|
-
const logger$
|
|
1745
|
+
const logger$h = credentialLogger(msiName$3);
|
|
1746
1746
|
/**
|
|
1747
1747
|
* Generates the options used on the request for an access token.
|
|
1748
1748
|
*/
|
|
@@ -1815,12 +1815,12 @@ const arcMsi = {
|
|
|
1815
1815
|
async isAvailable({ scopes }) {
|
|
1816
1816
|
const resource = mapScopesToResource(scopes);
|
|
1817
1817
|
if (!resource) {
|
|
1818
|
-
logger$
|
|
1818
|
+
logger$h.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
|
|
1819
1819
|
return false;
|
|
1820
1820
|
}
|
|
1821
1821
|
const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
|
|
1822
1822
|
if (!result) {
|
|
1823
|
-
logger$
|
|
1823
|
+
logger$h.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
|
|
1824
1824
|
}
|
|
1825
1825
|
return result;
|
|
1826
1826
|
},
|
|
@@ -1828,12 +1828,12 @@ const arcMsi = {
|
|
|
1828
1828
|
var _a;
|
|
1829
1829
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1830
1830
|
if (clientId) {
|
|
1831
|
-
logger$
|
|
1831
|
+
logger$h.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
1832
1832
|
}
|
|
1833
1833
|
if (resourceId) {
|
|
1834
|
-
logger$
|
|
1834
|
+
logger$h.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
|
|
1835
1835
|
}
|
|
1836
|
-
logger$
|
|
1836
|
+
logger$h.info(`${msiName$3}: Authenticating.`);
|
|
1837
1837
|
const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
|
|
1838
1838
|
const filePath = await filePathRequest(identityClient, requestOptions);
|
|
1839
1839
|
if (!filePath) {
|
|
@@ -1851,7 +1851,7 @@ const arcMsi = {
|
|
|
1851
1851
|
|
|
1852
1852
|
// Copyright (c) Microsoft Corporation.
|
|
1853
1853
|
const msiName$2 = "ManagedIdentityCredential - Token Exchange";
|
|
1854
|
-
const logger$
|
|
1854
|
+
const logger$g = credentialLogger(msiName$2);
|
|
1855
1855
|
const readFileAsync$1 = util.promisify(fs__default["default"].readFile);
|
|
1856
1856
|
/**
|
|
1857
1857
|
* Generates the options used on the request for an access token.
|
|
@@ -1907,13 +1907,13 @@ function tokenExchangeMsi() {
|
|
|
1907
1907
|
const env = process.env;
|
|
1908
1908
|
const result = Boolean((clientId || env.AZURE_CLIENT_ID) && env.AZURE_TENANT_ID && azureFederatedTokenFilePath);
|
|
1909
1909
|
if (!result) {
|
|
1910
|
-
logger$
|
|
1910
|
+
logger$g.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
|
|
1911
1911
|
}
|
|
1912
1912
|
return result;
|
|
1913
1913
|
},
|
|
1914
1914
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1915
1915
|
const { identityClient, scopes, clientId } = configuration;
|
|
1916
|
-
logger$
|
|
1916
|
+
logger$g.info(`${msiName$2}: Using the client assertion coming from environment variables.`);
|
|
1917
1917
|
let assertion;
|
|
1918
1918
|
try {
|
|
1919
1919
|
assertion = await readAssertion();
|
|
@@ -1942,7 +1942,7 @@ function tokenExchangeMsi() {
|
|
|
1942
1942
|
// curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
|
|
1943
1943
|
//
|
|
1944
1944
|
const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
|
|
1945
|
-
const logger$
|
|
1945
|
+
const logger$f = credentialLogger(msiName$1);
|
|
1946
1946
|
/**
|
|
1947
1947
|
* Generates the options used on the request for an access token.
|
|
1948
1948
|
*/
|
|
@@ -1985,22 +1985,22 @@ const fabricMsi = {
|
|
|
1985
1985
|
async isAvailable({ scopes }) {
|
|
1986
1986
|
const resource = mapScopesToResource(scopes);
|
|
1987
1987
|
if (!resource) {
|
|
1988
|
-
logger$
|
|
1988
|
+
logger$f.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
|
|
1989
1989
|
return false;
|
|
1990
1990
|
}
|
|
1991
1991
|
const env = process.env;
|
|
1992
1992
|
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
|
|
1993
1993
|
if (!result) {
|
|
1994
|
-
logger$
|
|
1994
|
+
logger$f.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
|
|
1995
1995
|
}
|
|
1996
1996
|
return result;
|
|
1997
1997
|
},
|
|
1998
1998
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1999
1999
|
const { scopes, identityClient, clientId, resourceId } = configuration;
|
|
2000
2000
|
if (resourceId) {
|
|
2001
|
-
logger$
|
|
2001
|
+
logger$f.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
2002
2002
|
}
|
|
2003
|
-
logger$
|
|
2003
|
+
logger$f.info([
|
|
2004
2004
|
`${msiName$1}:`,
|
|
2005
2005
|
"Using the endpoint and the secret coming from the environment variables:",
|
|
2006
2006
|
`IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
|
|
@@ -2020,7 +2020,7 @@ const fabricMsi = {
|
|
|
2020
2020
|
|
|
2021
2021
|
// Copyright (c) Microsoft Corporation.
|
|
2022
2022
|
const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
|
|
2023
|
-
const logger$
|
|
2023
|
+
const logger$e = credentialLogger(msiName);
|
|
2024
2024
|
/**
|
|
2025
2025
|
* Generates the options used on the request for an access token.
|
|
2026
2026
|
*/
|
|
@@ -2063,19 +2063,19 @@ const appServiceMsi2019 = {
|
|
|
2063
2063
|
async isAvailable({ scopes }) {
|
|
2064
2064
|
const resource = mapScopesToResource(scopes);
|
|
2065
2065
|
if (!resource) {
|
|
2066
|
-
logger$
|
|
2066
|
+
logger$e.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
|
|
2067
2067
|
return false;
|
|
2068
2068
|
}
|
|
2069
2069
|
const env = process.env;
|
|
2070
2070
|
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
|
|
2071
2071
|
if (!result) {
|
|
2072
|
-
logger$
|
|
2072
|
+
logger$e.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
|
|
2073
2073
|
}
|
|
2074
2074
|
return result;
|
|
2075
2075
|
},
|
|
2076
2076
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2077
2077
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2078
|
-
logger$
|
|
2078
|
+
logger$e.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
|
|
2079
2079
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), {
|
|
2080
2080
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2081
2081
|
allowInsecureConnection: true }));
|
|
@@ -2085,7 +2085,7 @@ const appServiceMsi2019 = {
|
|
|
2085
2085
|
};
|
|
2086
2086
|
|
|
2087
2087
|
// Copyright (c) Microsoft Corporation.
|
|
2088
|
-
const logger$
|
|
2088
|
+
const logger$d = credentialLogger("ManagedIdentityCredential");
|
|
2089
2089
|
/**
|
|
2090
2090
|
* Attempts authentication using a managed identity available at the deployment environment.
|
|
2091
2091
|
* This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
|
|
@@ -2202,14 +2202,14 @@ class ManagedIdentityCredential {
|
|
|
2202
2202
|
const appTokenParameters = {
|
|
2203
2203
|
correlationId: this.identityClient.getCorrelationId(),
|
|
2204
2204
|
tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "organizations",
|
|
2205
|
-
scopes: [
|
|
2205
|
+
scopes: Array.isArray(scopes) ? scopes : [scopes],
|
|
2206
2206
|
claims: options === null || options === void 0 ? void 0 : options.claims,
|
|
2207
2207
|
};
|
|
2208
2208
|
this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters = appTokenParameters) => {
|
|
2209
|
-
logger$
|
|
2209
|
+
logger$d.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
|
|
2210
2210
|
const resultToken = await this.authenticateManagedIdentity(scopes, Object.assign(Object.assign({}, updatedOptions), appTokenProviderParameters));
|
|
2211
2211
|
if (resultToken) {
|
|
2212
|
-
logger$
|
|
2212
|
+
logger$d.info(`SetAppTokenProvider has saved the token in cache`);
|
|
2213
2213
|
const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
|
|
2214
2214
|
? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
|
|
2215
2215
|
: 0;
|
|
@@ -2219,7 +2219,7 @@ class ManagedIdentityCredential {
|
|
|
2219
2219
|
};
|
|
2220
2220
|
}
|
|
2221
2221
|
else {
|
|
2222
|
-
logger$
|
|
2222
|
+
logger$d.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
|
|
2223
2223
|
return {
|
|
2224
2224
|
accessToken: "no_access_token_returned",
|
|
2225
2225
|
expiresInSeconds: 0,
|
|
@@ -2236,7 +2236,7 @@ class ManagedIdentityCredential {
|
|
|
2236
2236
|
// It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
|
|
2237
2237
|
// yet we had no access token. For this reason, we'll throw once with a specific message:
|
|
2238
2238
|
const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
|
|
2239
|
-
logger$
|
|
2239
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2240
2240
|
throw error;
|
|
2241
2241
|
}
|
|
2242
2242
|
// Since `authenticateManagedIdentity` didn't throw, and the result was not null,
|
|
@@ -2248,10 +2248,10 @@ class ManagedIdentityCredential {
|
|
|
2248
2248
|
// We've previously determined that the endpoint was unavailable,
|
|
2249
2249
|
// either because it was unreachable or permanently unable to authenticate.
|
|
2250
2250
|
const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
|
|
2251
|
-
logger$
|
|
2251
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2252
2252
|
throw error;
|
|
2253
2253
|
}
|
|
2254
|
-
logger$
|
|
2254
|
+
logger$d.getToken.info(formatSuccess(scopes));
|
|
2255
2255
|
return result;
|
|
2256
2256
|
}
|
|
2257
2257
|
catch (err) {
|
|
@@ -2273,14 +2273,14 @@ class ManagedIdentityCredential {
|
|
|
2273
2273
|
// we can safely assume the credential is unavailable.
|
|
2274
2274
|
if (err.code === "ENETUNREACH") {
|
|
2275
2275
|
const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
|
|
2276
|
-
logger$
|
|
2276
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2277
2277
|
throw error;
|
|
2278
2278
|
}
|
|
2279
2279
|
// If either the host was unreachable,
|
|
2280
2280
|
// we can safely assume the credential is unavailable.
|
|
2281
2281
|
if (err.code === "EHOSTUNREACH") {
|
|
2282
2282
|
const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
|
|
2283
|
-
logger$
|
|
2283
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2284
2284
|
throw error;
|
|
2285
2285
|
}
|
|
2286
2286
|
// If err.statusCode has a value of 400, it comes from sendTokenRequest,
|
|
@@ -2311,7 +2311,7 @@ class ManagedIdentityCredential {
|
|
|
2311
2311
|
*/
|
|
2312
2312
|
handleResult(scopes, result, getTokenOptions) {
|
|
2313
2313
|
this.ensureValidMsalToken(scopes, result, getTokenOptions);
|
|
2314
|
-
logger$
|
|
2314
|
+
logger$d.getToken.info(formatSuccess(scopes));
|
|
2315
2315
|
return {
|
|
2316
2316
|
token: result.accessToken,
|
|
2317
2317
|
expiresOnTimestamp: result.expiresOn.getTime(),
|
|
@@ -2323,7 +2323,7 @@ class ManagedIdentityCredential {
|
|
|
2323
2323
|
*/
|
|
2324
2324
|
ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
|
|
2325
2325
|
const error = (message) => {
|
|
2326
|
-
logger$
|
|
2326
|
+
logger$d.getToken.info(message);
|
|
2327
2327
|
return new AuthenticationRequiredError({
|
|
2328
2328
|
scopes: Array.isArray(scopes) ? scopes : [scopes],
|
|
2329
2329
|
getTokenOptions,
|
|
@@ -2419,7 +2419,7 @@ const cliCredentialInternals = {
|
|
|
2419
2419
|
});
|
|
2420
2420
|
},
|
|
2421
2421
|
};
|
|
2422
|
-
const logger$
|
|
2422
|
+
const logger$c = credentialLogger("AzureCliCredential");
|
|
2423
2423
|
/**
|
|
2424
2424
|
* This credential will use the currently logged-in user login information
|
|
2425
2425
|
* via the Azure CLI ('az') commandline tool.
|
|
@@ -2450,8 +2450,8 @@ class AzureCliCredential {
|
|
|
2450
2450
|
async getToken(scopes, options = {}) {
|
|
2451
2451
|
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
|
2452
2452
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
2453
|
-
logger$
|
|
2454
|
-
ensureValidScope(scope, logger$
|
|
2453
|
+
logger$c.getToken.info(`Using the scope ${scope}`);
|
|
2454
|
+
ensureValidScope(scope, logger$c);
|
|
2455
2455
|
const resource = getScopeResource(scope);
|
|
2456
2456
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
2457
2457
|
var _a, _b, _c, _d;
|
|
@@ -2462,18 +2462,18 @@ class AzureCliCredential {
|
|
|
2462
2462
|
const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
|
|
2463
2463
|
if (isNotInstallError) {
|
|
2464
2464
|
const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
|
|
2465
|
-
logger$
|
|
2465
|
+
logger$c.getToken.info(formatError(scopes, error));
|
|
2466
2466
|
throw error;
|
|
2467
2467
|
}
|
|
2468
2468
|
if (isLoginError) {
|
|
2469
2469
|
const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
|
|
2470
|
-
logger$
|
|
2470
|
+
logger$c.getToken.info(formatError(scopes, error));
|
|
2471
2471
|
throw error;
|
|
2472
2472
|
}
|
|
2473
2473
|
try {
|
|
2474
2474
|
const responseData = obj.stdout;
|
|
2475
2475
|
const response = JSON.parse(responseData);
|
|
2476
|
-
logger$
|
|
2476
|
+
logger$c.getToken.info(formatSuccess(scopes));
|
|
2477
2477
|
const returnValue = {
|
|
2478
2478
|
token: response.accessToken,
|
|
2479
2479
|
expiresOnTimestamp: new Date(response.expiresOn).getTime(),
|
|
@@ -2491,7 +2491,7 @@ class AzureCliCredential {
|
|
|
2491
2491
|
const error = err.name === "CredentialUnavailableError"
|
|
2492
2492
|
? err
|
|
2493
2493
|
: new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
|
|
2494
|
-
logger$
|
|
2494
|
+
logger$c.getToken.info(formatError(scopes, error));
|
|
2495
2495
|
throw error;
|
|
2496
2496
|
}
|
|
2497
2497
|
});
|
|
@@ -2529,7 +2529,7 @@ const processUtils = {
|
|
|
2529
2529
|
};
|
|
2530
2530
|
|
|
2531
2531
|
// Copyright (c) Microsoft Corporation.
|
|
2532
|
-
const logger$
|
|
2532
|
+
const logger$b = credentialLogger("AzurePowerShellCredential");
|
|
2533
2533
|
const isWindows = process.platform === "win32";
|
|
2534
2534
|
/**
|
|
2535
2535
|
* Returns a platform-appropriate command name by appending ".exe" on Windows.
|
|
@@ -2661,12 +2661,12 @@ class AzurePowerShellCredential {
|
|
|
2661
2661
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
2662
2662
|
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
|
2663
2663
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
2664
|
-
ensureValidScope(scope, logger$
|
|
2665
|
-
logger$
|
|
2664
|
+
ensureValidScope(scope, logger$b);
|
|
2665
|
+
logger$b.getToken.info(`Using the scope ${scope}`);
|
|
2666
2666
|
const resource = getScopeResource(scope);
|
|
2667
2667
|
try {
|
|
2668
2668
|
const response = await this.getAzurePowerShellAccessToken(resource, tenantId);
|
|
2669
|
-
logger$
|
|
2669
|
+
logger$b.getToken.info(formatSuccess(scopes));
|
|
2670
2670
|
return {
|
|
2671
2671
|
token: response.Token,
|
|
2672
2672
|
expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
|
|
@@ -2675,16 +2675,16 @@ class AzurePowerShellCredential {
|
|
|
2675
2675
|
catch (err) {
|
|
2676
2676
|
if (isNotInstalledError(err)) {
|
|
2677
2677
|
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
|
|
2678
|
-
logger$
|
|
2678
|
+
logger$b.getToken.info(formatError(scope, error));
|
|
2679
2679
|
throw error;
|
|
2680
2680
|
}
|
|
2681
2681
|
else if (isLoginError(err)) {
|
|
2682
2682
|
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
|
|
2683
|
-
logger$
|
|
2683
|
+
logger$b.getToken.info(formatError(scope, error));
|
|
2684
2684
|
throw error;
|
|
2685
2685
|
}
|
|
2686
2686
|
const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
|
|
2687
|
-
logger$
|
|
2687
|
+
logger$b.getToken.info(formatError(scope, error));
|
|
2688
2688
|
throw error;
|
|
2689
2689
|
}
|
|
2690
2690
|
});
|
|
@@ -2695,7 +2695,7 @@ class AzurePowerShellCredential {
|
|
|
2695
2695
|
/**
|
|
2696
2696
|
* @internal
|
|
2697
2697
|
*/
|
|
2698
|
-
const logger$
|
|
2698
|
+
const logger$a = credentialLogger("ChainedTokenCredential");
|
|
2699
2699
|
/**
|
|
2700
2700
|
* Enables multiple `TokenCredential` implementations to be tried in order
|
|
2701
2701
|
* until one of the getToken methods returns an access token.
|
|
@@ -2714,10 +2714,6 @@ class ChainedTokenCredential {
|
|
|
2714
2714
|
* ```
|
|
2715
2715
|
*/
|
|
2716
2716
|
constructor(...sources) {
|
|
2717
|
-
/**
|
|
2718
|
-
* The message to use when the chained token fails to get a token
|
|
2719
|
-
*/
|
|
2720
|
-
this.UnavailableMessage = "ChainedTokenCredential => failed to retrieve a token from the included credentials";
|
|
2721
2717
|
this._sources = [];
|
|
2722
2718
|
this._sources = sources;
|
|
2723
2719
|
}
|
|
@@ -2750,17 +2746,17 @@ class ChainedTokenCredential {
|
|
|
2750
2746
|
errors.push(err);
|
|
2751
2747
|
}
|
|
2752
2748
|
else {
|
|
2753
|
-
logger$
|
|
2749
|
+
logger$a.getToken.info(formatError(scopes, err));
|
|
2754
2750
|
throw err;
|
|
2755
2751
|
}
|
|
2756
2752
|
}
|
|
2757
2753
|
}
|
|
2758
2754
|
if (!token && errors.length > 0) {
|
|
2759
2755
|
const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
|
|
2760
|
-
logger$
|
|
2756
|
+
logger$a.getToken.info(formatError(scopes, err));
|
|
2761
2757
|
throw err;
|
|
2762
2758
|
}
|
|
2763
|
-
logger$
|
|
2759
|
+
logger$a.getToken.info(`Result for ${successfulCredentialName}: ${formatSuccess(scopes)}`);
|
|
2764
2760
|
if (token === null) {
|
|
2765
2761
|
throw new CredentialUnavailableError("Failed to retrieve a valid token");
|
|
2766
2762
|
}
|
|
@@ -2876,7 +2872,7 @@ class MsalClientCertificate extends MsalNode {
|
|
|
2876
2872
|
|
|
2877
2873
|
// Copyright (c) Microsoft Corporation.
|
|
2878
2874
|
const credentialName$2 = "ClientCertificateCredential";
|
|
2879
|
-
const logger$
|
|
2875
|
+
const logger$9 = credentialLogger(credentialName$2);
|
|
2880
2876
|
/**
|
|
2881
2877
|
* Enables authentication to Azure Active Directory using a PEM-encoded
|
|
2882
2878
|
* certificate that is assigned to an App Registration. More information
|
|
@@ -2907,7 +2903,7 @@ class ClientCertificateCredential {
|
|
|
2907
2903
|
throw new Error(`${credentialName$2}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
|
2908
2904
|
}
|
|
2909
2905
|
this.msalFlow = new MsalClientCertificate(Object.assign(Object.assign({}, options), { configuration,
|
|
2910
|
-
logger: logger$
|
|
2906
|
+
logger: logger$9,
|
|
2911
2907
|
clientId,
|
|
2912
2908
|
tenantId, sendCertificateChain: options.sendCertificateChain, tokenCredentialOptions: options }));
|
|
2913
2909
|
}
|
|
@@ -2959,7 +2955,7 @@ class MsalClientSecret extends MsalNode {
|
|
|
2959
2955
|
}
|
|
2960
2956
|
|
|
2961
2957
|
// Copyright (c) Microsoft Corporation.
|
|
2962
|
-
const logger$
|
|
2958
|
+
const logger$8 = credentialLogger("ClientSecretCredential");
|
|
2963
2959
|
/**
|
|
2964
2960
|
* Enables authentication to Azure Active Directory using a client secret
|
|
2965
2961
|
* that was generated for an App Registration. More information on how
|
|
@@ -2985,7 +2981,7 @@ class ClientSecretCredential {
|
|
|
2985
2981
|
}
|
|
2986
2982
|
this.tenantId = tenantId;
|
|
2987
2983
|
this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
2988
|
-
this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$
|
|
2984
|
+
this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$8,
|
|
2989
2985
|
clientId,
|
|
2990
2986
|
tenantId,
|
|
2991
2987
|
clientSecret, tokenCredentialOptions: options }));
|
|
@@ -3038,7 +3034,7 @@ class MsalUsernamePassword extends MsalNode {
|
|
|
3038
3034
|
}
|
|
3039
3035
|
|
|
3040
3036
|
// Copyright (c) Microsoft Corporation.
|
|
3041
|
-
const logger$
|
|
3037
|
+
const logger$7 = credentialLogger("UsernamePasswordCredential");
|
|
3042
3038
|
/**
|
|
3043
3039
|
* Enables authentication to Azure Active Directory with a user's
|
|
3044
3040
|
* username and password. This credential requires a high degree of
|
|
@@ -3063,7 +3059,7 @@ class UsernamePasswordCredential {
|
|
|
3063
3059
|
}
|
|
3064
3060
|
this.tenantId = tenantId;
|
|
3065
3061
|
this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
3066
|
-
this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$
|
|
3062
|
+
this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$7,
|
|
3067
3063
|
clientId,
|
|
3068
3064
|
tenantId,
|
|
3069
3065
|
username,
|
|
@@ -3114,7 +3110,7 @@ function getAdditionallyAllowedTenants() {
|
|
|
3114
3110
|
return additionallyAllowedValues.split(";");
|
|
3115
3111
|
}
|
|
3116
3112
|
const credentialName$1 = "EnvironmentCredential";
|
|
3117
|
-
const logger$
|
|
3113
|
+
const logger$6 = credentialLogger(credentialName$1);
|
|
3118
3114
|
/**
|
|
3119
3115
|
* Enables authentication to Azure Active Directory using a client secret or certificate, or as a user
|
|
3120
3116
|
* with a username and password.
|
|
@@ -3148,29 +3144,29 @@ class EnvironmentCredential {
|
|
|
3148
3144
|
// Keep track of any missing environment variables for error details
|
|
3149
3145
|
this._credential = undefined;
|
|
3150
3146
|
const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
|
|
3151
|
-
logger$
|
|
3147
|
+
logger$6.info(`Found the following environment variables: ${assigned}`);
|
|
3152
3148
|
const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
|
|
3153
3149
|
const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
|
|
3154
3150
|
const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
|
|
3155
3151
|
if (tenantId) {
|
|
3156
|
-
checkTenantId(logger$
|
|
3152
|
+
checkTenantId(logger$6, tenantId);
|
|
3157
3153
|
}
|
|
3158
3154
|
if (tenantId && clientId && clientSecret) {
|
|
3159
|
-
logger$
|
|
3155
|
+
logger$6.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
|
|
3160
3156
|
this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
|
|
3161
3157
|
return;
|
|
3162
3158
|
}
|
|
3163
3159
|
const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
|
|
3164
3160
|
const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
|
|
3165
3161
|
if (tenantId && clientId && certificatePath) {
|
|
3166
|
-
logger$
|
|
3162
|
+
logger$6.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
|
|
3167
3163
|
this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
|
|
3168
3164
|
return;
|
|
3169
3165
|
}
|
|
3170
3166
|
const username = process.env.AZURE_USERNAME;
|
|
3171
3167
|
const password = process.env.AZURE_PASSWORD;
|
|
3172
3168
|
if (tenantId && clientId && username && password) {
|
|
3173
|
-
logger$
|
|
3169
|
+
logger$6.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
|
|
3174
3170
|
this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
|
|
3175
3171
|
}
|
|
3176
3172
|
}
|
|
@@ -3185,7 +3181,7 @@ class EnvironmentCredential {
|
|
|
3185
3181
|
if (this._credential) {
|
|
3186
3182
|
try {
|
|
3187
3183
|
const result = await this._credential.getToken(scopes, newOptions);
|
|
3188
|
-
logger$
|
|
3184
|
+
logger$6.getToken.info(formatSuccess(scopes));
|
|
3189
3185
|
return result;
|
|
3190
3186
|
}
|
|
3191
3187
|
catch (err) {
|
|
@@ -3193,7 +3189,7 @@ class EnvironmentCredential {
|
|
|
3193
3189
|
error: `${credentialName$1} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
|
|
3194
3190
|
error_description: err.message.toString().split("More details:").join(""),
|
|
3195
3191
|
});
|
|
3196
|
-
logger$
|
|
3192
|
+
logger$6.getToken.info(formatError(scopes, authenticationError));
|
|
3197
3193
|
throw authenticationError;
|
|
3198
3194
|
}
|
|
3199
3195
|
}
|
|
@@ -3202,6 +3198,136 @@ class EnvironmentCredential {
|
|
|
3202
3198
|
}
|
|
3203
3199
|
}
|
|
3204
3200
|
|
|
3201
|
+
// Copyright (c) Microsoft Corporation.
|
|
3202
|
+
/**
|
|
3203
|
+
* Mockable reference to the Developer CLI credential cliCredentialFunctions
|
|
3204
|
+
* @internal
|
|
3205
|
+
*/
|
|
3206
|
+
const developerCliCredentialInternals = {
|
|
3207
|
+
/**
|
|
3208
|
+
* @internal
|
|
3209
|
+
*/
|
|
3210
|
+
getSafeWorkingDir() {
|
|
3211
|
+
if (process.platform === "win32") {
|
|
3212
|
+
if (!process.env.SystemRoot) {
|
|
3213
|
+
throw new Error("Azure Developer CLI credential expects a 'SystemRoot' environment variable");
|
|
3214
|
+
}
|
|
3215
|
+
return process.env.SystemRoot;
|
|
3216
|
+
}
|
|
3217
|
+
else {
|
|
3218
|
+
return "/bin";
|
|
3219
|
+
}
|
|
3220
|
+
},
|
|
3221
|
+
/**
|
|
3222
|
+
* Gets the access token from Azure Developer CLI
|
|
3223
|
+
* @param scopes - The scopes to use when getting the token
|
|
3224
|
+
* @internal
|
|
3225
|
+
*/
|
|
3226
|
+
async getAzdAccessToken(scopes, tenantId) {
|
|
3227
|
+
let tenantSection = [];
|
|
3228
|
+
if (tenantId) {
|
|
3229
|
+
tenantSection = ["--tenant-id", tenantId];
|
|
3230
|
+
}
|
|
3231
|
+
return new Promise((resolve, reject) => {
|
|
3232
|
+
try {
|
|
3233
|
+
child_process__default["default"].execFile("azd", [
|
|
3234
|
+
"auth",
|
|
3235
|
+
"token",
|
|
3236
|
+
"--output",
|
|
3237
|
+
"json",
|
|
3238
|
+
...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
|
|
3239
|
+
...tenantSection,
|
|
3240
|
+
], { cwd: developerCliCredentialInternals.getSafeWorkingDir(), shell: true }, (error, stdout, stderr) => {
|
|
3241
|
+
resolve({ stdout, stderr, error });
|
|
3242
|
+
});
|
|
3243
|
+
}
|
|
3244
|
+
catch (err) {
|
|
3245
|
+
reject(err);
|
|
3246
|
+
}
|
|
3247
|
+
});
|
|
3248
|
+
},
|
|
3249
|
+
};
|
|
3250
|
+
const logger$5 = credentialLogger("AzureDeveloperCliCredential");
|
|
3251
|
+
/**
|
|
3252
|
+
* This credential will use the currently logged-in user login information
|
|
3253
|
+
* via the Azure Developer CLI ('az') commandline tool.
|
|
3254
|
+
* To do so, it will read the user access token and expire time
|
|
3255
|
+
* with Azure Developer CLI command "azd auth token".
|
|
3256
|
+
*/
|
|
3257
|
+
class AzureDeveloperCliCredential {
|
|
3258
|
+
/**
|
|
3259
|
+
* Creates an instance of the {@link AzureDeveloperCliCredential}.
|
|
3260
|
+
*
|
|
3261
|
+
* To use this credential, ensure that you have already logged
|
|
3262
|
+
* in via the 'azd' tool using the command "azd login" from the commandline.
|
|
3263
|
+
*
|
|
3264
|
+
* @param options - Options, to optionally allow multi-tenant requests.
|
|
3265
|
+
*/
|
|
3266
|
+
constructor(options) {
|
|
3267
|
+
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
|
3268
|
+
this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
3269
|
+
}
|
|
3270
|
+
/**
|
|
3271
|
+
* Authenticates with Azure Active Directory and returns an access token if successful.
|
|
3272
|
+
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
|
3273
|
+
*
|
|
3274
|
+
* @param scopes - The list of scopes for which the token will have access.
|
|
3275
|
+
* @param options - The options used to configure any requests this
|
|
3276
|
+
* TokenCredential implementation might make.
|
|
3277
|
+
*/
|
|
3278
|
+
async getToken(scopes, options = {}) {
|
|
3279
|
+
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
|
3280
|
+
let scopeList;
|
|
3281
|
+
if (typeof scopes === "string") {
|
|
3282
|
+
scopeList = [scopes];
|
|
3283
|
+
}
|
|
3284
|
+
else {
|
|
3285
|
+
scopeList = scopes;
|
|
3286
|
+
}
|
|
3287
|
+
logger$5.getToken.info(`Using the scopes ${scopes}`);
|
|
3288
|
+
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
3289
|
+
var _a, _b, _c;
|
|
3290
|
+
try {
|
|
3291
|
+
const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId);
|
|
3292
|
+
const isNotLoggedInError = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login");
|
|
3293
|
+
const isNotInstallError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("azd:(.*)not found")) ||
|
|
3294
|
+
((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.startsWith("'azd' is not recognized"));
|
|
3295
|
+
if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
|
|
3296
|
+
const error = new CredentialUnavailableError("Azure Developer CLI could not be found. Please visit https://aka.ms/azure-dev for installation instructions and then, once installed, authenticate to your Azure account using 'azd login'.");
|
|
3297
|
+
logger$5.getToken.info(formatError(scopes, error));
|
|
3298
|
+
throw error;
|
|
3299
|
+
}
|
|
3300
|
+
if (isNotLoggedInError) {
|
|
3301
|
+
const error = new CredentialUnavailableError("Please run 'azd login' from a command prompt to authenticate before using this credential.");
|
|
3302
|
+
logger$5.getToken.info(formatError(scopes, error));
|
|
3303
|
+
throw error;
|
|
3304
|
+
}
|
|
3305
|
+
try {
|
|
3306
|
+
const resp = JSON.parse(obj.stdout);
|
|
3307
|
+
logger$5.getToken.info(formatSuccess(scopes));
|
|
3308
|
+
return {
|
|
3309
|
+
token: resp.token,
|
|
3310
|
+
expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
|
|
3311
|
+
};
|
|
3312
|
+
}
|
|
3313
|
+
catch (e) {
|
|
3314
|
+
if (obj.stderr) {
|
|
3315
|
+
throw new CredentialUnavailableError(obj.stderr);
|
|
3316
|
+
}
|
|
3317
|
+
throw e;
|
|
3318
|
+
}
|
|
3319
|
+
}
|
|
3320
|
+
catch (err) {
|
|
3321
|
+
const error = err.name === "CredentialUnavailableError"
|
|
3322
|
+
? err
|
|
3323
|
+
: new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
|
|
3324
|
+
logger$5.getToken.info(formatError(scopes, error));
|
|
3325
|
+
throw error;
|
|
3326
|
+
}
|
|
3327
|
+
});
|
|
3328
|
+
}
|
|
3329
|
+
}
|
|
3330
|
+
|
|
3205
3331
|
// Copyright (c) Microsoft Corporation.
|
|
3206
3332
|
/**
|
|
3207
3333
|
* A shim around ManagedIdentityCredential that adapts it to accept
|
|
@@ -3233,6 +3359,7 @@ class DefaultManagedIdentityCredential extends ManagedIdentityCredential {
|
|
|
3233
3359
|
const defaultCredentials = [
|
|
3234
3360
|
EnvironmentCredential,
|
|
3235
3361
|
DefaultManagedIdentityCredential,
|
|
3362
|
+
AzureDeveloperCliCredential,
|
|
3236
3363
|
AzureCliCredential,
|
|
3237
3364
|
AzurePowerShellCredential,
|
|
3238
3365
|
];
|
|
@@ -3243,8 +3370,6 @@ const defaultCredentials = [
|
|
|
3243
3370
|
class DefaultAzureCredential extends ChainedTokenCredential {
|
|
3244
3371
|
constructor(options) {
|
|
3245
3372
|
super(...defaultCredentials.map((ctor) => new ctor(options)));
|
|
3246
|
-
this.UnavailableMessage =
|
|
3247
|
-
"DefaultAzureCredential => failed to retrieve a token from the included credentials. To troubleshoot, visit https://aka.ms/azsdk/js/identity/defaultazurecredential/troubleshoot.";
|
|
3248
3373
|
}
|
|
3249
3374
|
}
|
|
3250
3375
|
|
|
@@ -3886,7 +4011,7 @@ exports.UsernamePasswordCredential = UsernamePasswordCredential;
|
|
|
3886
4011
|
exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
|
|
3887
4012
|
exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
|
|
3888
4013
|
exports.getDefaultAzureCredential = getDefaultAzureCredential;
|
|
3889
|
-
exports.logger = logger$
|
|
4014
|
+
exports.logger = logger$m;
|
|
3890
4015
|
exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
|
|
3891
4016
|
exports.useIdentityPlugin = useIdentityPlugin;
|
|
3892
4017
|
//# sourceMappingURL=index.js.map
|