@azure/identity 3.3.1-alpha.20231009.1 → 3.3.1

package/dist/index.js

@@ -1,5 +1,7 @@
 'use strict';
 
+Object.defineProperty(exports, '__esModule', { value: true });
+
 var msalNode = require('@azure/msal-node');
 var logger$o = require('@azure/logger');
 var msalCommon = require('@azure/msal-common');
@@ -21,7 +23,10 @@ var http = require('http');
 var open = require('open');
 var stoppable = require('stoppable');
 
-function _interopNamespaceDefault(e) {
+function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
+
+function _interopNamespace(e) {
+    if (e && e.__esModule) return e;
     var n = Object.create(null);
     if (e) {
         Object.keys(e).forEach(function (k) {
@@ -34,13 +39,21 @@ function _interopNamespaceDefault(e) {
             }
         });
     }
-    n.default = e;
+    n["default"] = e;
     return Object.freeze(n);
 }
 
-var msalNode__namespace = /*#__PURE__*/_interopNamespaceDefault(msalNode);
-var msalCommon__namespace = /*#__PURE__*/_interopNamespaceDefault(msalCommon);
-var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_process);
+var msalNode__namespace = /*#__PURE__*/_interopNamespace(msalNode);
+var msalCommon__namespace = /*#__PURE__*/_interopNamespace(msalCommon);
+var fs__default = /*#__PURE__*/_interopDefaultLegacy(fs);
+var os__default = /*#__PURE__*/_interopDefaultLegacy(os);
+var path__default = /*#__PURE__*/_interopDefaultLegacy(path);
+var https__default = /*#__PURE__*/_interopDefaultLegacy(https);
+var child_process__default = /*#__PURE__*/_interopDefaultLegacy(child_process);
+var child_process__namespace = /*#__PURE__*/_interopNamespace(child_process);
+var http__default = /*#__PURE__*/_interopDefaultLegacy(http);
+var open__default = /*#__PURE__*/_interopDefaultLegacy(open);
+var stoppable__default = /*#__PURE__*/_interopDefaultLegacy(stoppable);
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -162,7 +175,6 @@ class AuthenticationRequiredError extends Error {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * The AzureLogger used for all clients within the identity package
  */
@@ -293,7 +305,6 @@ const CACHE_CAE_SUFFIX = ".cae";
 const CACHE_NON_CAE_SUFFIX = ".nocae";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Latest AuthenticationRecord version
  * @internal
@@ -523,7 +534,6 @@ function deserializeAuthenticationRecord(serializedRecord) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 function createConfigurationErrorMessage(tenantId) {
     return `The current credential is not configured to acquire tokens for tenant ${tenantId}. To enable acquiring tokens for this tenant add it to the AdditionallyAllowedTenants on the credential options, or add "*" to AdditionallyAllowedTenants to allow acquiring tokens for any tenant.`;
 }
@@ -557,7 +567,6 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * @internal
  */
@@ -609,7 +618,6 @@ function getIdentityTokenEndpointSuffix(tenantId) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Creates a span using the global tracer.
  * @internal
@@ -630,7 +638,6 @@ const azureArcAPIVersion = "2019-11-01";
 const azureFabricVersion = "2019-07-01-preview";
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
  * These are GET requests that require sending a `resource` parameter on the query.
@@ -681,7 +688,6 @@ function parseExpirationTimestamp(body) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const noCorrelationId = "noCorrelationId";
 /**
  * @internal
@@ -1026,7 +1032,6 @@ var RegionalAuthority;
 })(RegionalAuthority || (RegionalAuthority = {}));
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * The current persistence provider, undefined by default.
  * @internal
@@ -1308,7 +1313,6 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const CommonTenantId = "common";
 const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
 const logger$m = credentialLogger("VisualStudioCodeCredential");
@@ -1343,10 +1347,10 @@ function getPropertyFromVSCode(property) {
     const settingsPath = ["User", "settings.json"];
     // Eventually we can add more folders for more versions of VSCode.
     const vsCodeFolder = "Code";
-    const homedir = os.homedir();
+    const homedir = os__default["default"].homedir();
     function loadProperty(...pathSegments) {
-        const fullPath = path.join(...pathSegments, vsCodeFolder, ...settingsPath);
-        const settings = JSON.parse(fs.readFileSync(fullPath, { encoding: "utf8" }));
+        const fullPath = path__default["default"].join(...pathSegments, vsCodeFolder, ...settingsPath);
+        const settings = JSON.parse(fs__default["default"].readFileSync(fullPath, { encoding: "utf8" }));
         return settings[property];
     }
     try {
@@ -1489,7 +1493,6 @@ class VisualStudioCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * The context passed to an Identity plugin. This contains objects that
  * plugins can use to set backend implementations.
@@ -1531,7 +1534,6 @@ function useIdentityPlugin(plugin) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
 const logger$l = credentialLogger(msiName$6);
 /**
@@ -1599,7 +1601,6 @@ const appServiceMsi2017 = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
 const logger$k = credentialLogger(msiName$5);
 /**
@@ -1671,7 +1672,6 @@ const cloudShellMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$4 = "ManagedIdentityCredential - IMDS";
 const logger$j = credentialLogger(msiName$4);
 /**
@@ -1804,7 +1804,6 @@ const imdsMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
 const logger$i = credentialLogger(msiName$3);
 /**
@@ -1915,7 +1914,6 @@ const arcMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL client assertion client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
  * @internal
@@ -1955,7 +1953,6 @@ class MsalClientAssertion extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$h = credentialLogger("ClientAssertionCredential");
 /**
  * Authenticates a service principal with a JWT assertion.
@@ -1999,7 +1996,6 @@ class ClientAssertionCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const credentialName$3 = "WorkloadIdentityCredential";
 /**
  * Contains the list of all supported environment variable names so that an
@@ -2098,7 +2094,6 @@ class WorkloadIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName$2 = "ManagedIdentityCredential - Token Exchange";
 const logger$f = credentialLogger(msiName$2);
 /**
@@ -2128,7 +2123,6 @@ function tokenExchangeMsi() {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 // This MSI can be easily tested by deploying a container to Azure Service Fabric with the Dockerfile:
 //
 //   FROM node:12
@@ -2207,7 +2201,7 @@ const fabricMsi = {
             "IDENTITY_SERVER_THUMBPRINT=[REDACTED].",
         ].join(" "));
         const request = coreRestPipeline.createPipelineRequest(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$1(scopes, clientId, resourceId)));
-        request.agent = new https.Agent({
+        request.agent = new https__default["default"].Agent({
             // This is necessary because Service Fabric provides a self-signed certificate.
             // The alternative path is to verify the certificate using the IDENTITY_SERVER_THUMBPRINT env variable.
             rejectUnauthorized: false,
@@ -2218,7 +2212,6 @@ const fabricMsi = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
 const logger$d = credentialLogger(msiName);
 /**
@@ -2286,7 +2279,6 @@ const appServiceMsi2019 = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$c = credentialLogger("ManagedIdentityCredential");
 /**
  * Attempts authentication using a managed identity available at the deployment environment.
@@ -2567,7 +2559,6 @@ class ManagedIdentityCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Ensures the scopes value is an array.
  * @internal
@@ -2595,7 +2586,6 @@ function getScopeResource(scope) {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Mockable reference to the CLI credential cliCredentialFunctions
  * @internal
@@ -2627,7 +2617,7 @@ const cliCredentialInternals = {
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process.execFile("az", [
+                child_process__default["default"].execFile("az", [
                     "account",
                     "get-access-token",
                     "--output",
@@ -2662,7 +2652,10 @@ class AzureCliCredential {
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
-        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            checkTenantId(logger$b, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
         this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
@@ -2676,6 +2669,9 @@ class AzureCliCredential {
      */
     async getToken(scopes, options = {}) {
         const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
+        if (tenantId) {
+            checkTenantId(logger$b, tenantId);
+        }
         const scope = typeof scopes === "string" ? scopes : scopes[0];
         logger$b.getToken.info(`Using the scope ${scope}`);
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
@@ -2726,7 +2722,6 @@ class AzureCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Easy to mock childProcess utils.
  * @internal
@@ -2757,7 +2752,6 @@ const processUtils = {
 };
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$a = credentialLogger("AzurePowerShellCredential");
 const isWindows = process.platform === "win32";
 /**
@@ -2838,7 +2832,10 @@ class AzurePowerShellCredential {
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
-        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            checkTenantId(logger$a, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
         this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
@@ -2864,15 +2861,11 @@ class AzurePowerShellCredential {
             const results = await runCommands([
                 [
                     powerShellCommand,
-                    "-NoProfile",
-                    "-NonInteractive",
                     "-Command",
                     "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru",
                 ],
                 [
                     powerShellCommand,
-                    "-NoProfile",
-                    "-NonInteractive",
                     "-Command",
                     `Get-AzAccessToken ${tenantSection} -ResourceUrl "${resource}" | ConvertTo-Json`,
                 ],
@@ -2898,6 +2891,9 @@ class AzurePowerShellCredential {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
             const scope = typeof scopes === "string" ? scopes : scopes[0];
+            if (tenantId) {
+                checkTenantId(logger$a, tenantId);
+            }
             try {
                 ensureValidScopeForDevTimeCreds(scope, logger$a);
                 logger$a.getToken.info(`Using the scope ${scope}`);
@@ -2929,7 +2925,6 @@ class AzurePowerShellCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * @internal
  */
@@ -3008,7 +3003,6 @@ class ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const readFileAsync = util.promisify(fs.readFile);
 /**
  * Tries to asynchronously load a certificate from the given path.
@@ -3114,7 +3108,6 @@ class MsalClientCertificate extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const credentialName$2 = "ClientCertificateCredential";
 const logger$8 = credentialLogger(credentialName$2);
 /**
@@ -3169,7 +3162,6 @@ class ClientCertificateCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL client secret client. Calls to MSAL's confidential application's `acquireTokenByClientCredential` during `doGetToken`.
  * @internal
@@ -3200,7 +3192,6 @@ class MsalClientSecret extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$7 = credentialLogger("ClientSecretCredential");
 /**
  * Enables authentication to Azure Active Directory using a client secret
@@ -3250,7 +3241,6 @@ class ClientSecretCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL username and password client. Calls to the MSAL's public application's `acquireTokenByUsernamePassword` during `doGetToken`.
  * @internal
@@ -3281,7 +3271,6 @@ class MsalUsernamePassword extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$6 = credentialLogger("UsernamePasswordCredential");
 /**
  * Enables authentication to Azure Active Directory with a user's
@@ -3335,7 +3324,6 @@ class UsernamePasswordCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Contains the list of all supported environment variable names so that an
  * appropriate error message can be generated when no credentials can be
@@ -3448,7 +3436,6 @@ class EnvironmentCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Mockable reference to the Developer CLI credential cliCredentialFunctions
  * @internal
@@ -3480,7 +3467,7 @@ const developerCliCredentialInternals = {
         }
         return new Promise((resolve, reject) => {
             try {
-                child_process.execFile("azd", [
+                child_process__default["default"].execFile("azd", [
                     "auth",
                     "token",
                     "--output",
@@ -3489,7 +3476,6 @@ const developerCliCredentialInternals = {
                     ...tenantSection,
                 ], {
                     cwd: developerCliCredentialInternals.getSafeWorkingDir(),
-                    shell: true,
                     timeout,
                 }, (error, stdout, stderr) => {
                     resolve({ stdout, stderr, error });
@@ -3537,7 +3523,10 @@ class AzureDeveloperCliCredential {
      * @param options - Options, to optionally allow multi-tenant requests.
      */
     constructor(options) {
-        this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            checkTenantId(logger$4, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
         this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
@@ -3551,6 +3540,9 @@ class AzureDeveloperCliCredential {
      */
     async getToken(scopes, options = {}) {
         const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
+        if (tenantId) {
+            checkTenantId(logger$4, tenantId);
+        }
         let scopeList;
         if (typeof scopes === "string") {
             scopeList = [scopes];
@@ -3562,6 +3554,9 @@ class AzureDeveloperCliCredential {
         return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
             var _a, _b, _c, _d;
             try {
+                scopeList.forEach((scope) => {
+                    ensureValidScopeForDevTimeCreds(scope, logger$4);
+                });
                 const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
                 const isNotLoggedInError = ((_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login")) ||
                     ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("not logged in, run `azd auth login` to login"));
@@ -3604,7 +3599,6 @@ class AzureDeveloperCliCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * A shim around ManagedIdentityCredential that adapts it to accept
  * `DefaultAzureCredentialOptions`.
@@ -3701,13 +3695,12 @@ class DefaultAzureCredential extends ChainedTokenCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * A call to open(), but mockable
  * @internal
  */
 const interactiveBrowserMockable = {
-    open,
+    open: open__default["default"],
 };
 /**
  * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
@@ -3789,8 +3782,8 @@ class MsalOpenBrowser extends MsalNode {
                     cleanup();
                 });
             };
-            const app = http.createServer(requestListener);
-            const server = stoppable(app);
+            const app = http__default["default"].createServer(requestListener);
+            const server = stoppable__default["default"](app);
             const listen = app.listen(this.port, this.hostname, () => this.logger.info(`InteractiveBrowserCredential listening on port ${this.port}!`));
             function cleanup() {
                 if (listen) {
@@ -3862,7 +3855,6 @@ class MsalOpenBrowser extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$3 = credentialLogger("InteractiveBrowserCredential");
 /**
  * Enables authentication to Azure Active Directory inside of the web browser
@@ -3933,7 +3925,6 @@ class InteractiveBrowserCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL device code client. Calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`.
  * @internal
@@ -3966,7 +3957,6 @@ class MsalDeviceCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$2 = credentialLogger("DeviceCodeCredential");
 /**
  * Method that logs the user code from the DeviceCodeCredential.
@@ -4045,7 +4035,6 @@ class DeviceCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
  * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
@@ -4089,7 +4078,6 @@ class MsalAuthorizationCode extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const logger$1 = credentialLogger("AuthorizationCodeCredential");
 /**
  * Enables authentication to Azure Active Directory using an authorization code
@@ -4145,7 +4133,6 @@ class AuthorizationCodeCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * MSAL on behalf of flow. Calls to MSAL's confidential application's `acquireTokenOnBehalfOf` during `doGetToken`.
  * @internal
@@ -4199,7 +4186,6 @@ class MsalOnBehalfOf extends MsalNode {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 const credentialName = "OnBehalfOfCredential";
 const logger = credentialLogger(credentialName);
 /**
@@ -4235,7 +4221,6 @@ class OnBehalfOfCredential {
 }
 
 // Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
 /**
  * Returns a new instance of the {@link DefaultAzureCredential}.
  */