@azure/identity 3.3.2-alpha.20231016.2 → 3.3.2-alpha.20231017.9

package/dist/index.js

@@ -557,8 +557,8 @@ function processMultiTenantRequest(tenantId, getTokenOptions, additionallyAllowe
  * @internal
  */
 function checkTenantId(logger, tenantId) {
-    if (!tenantId.match(/^[0-9a-zA-Z-.:/]+$/)) {
-        const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://docs.microsoft.com/partner-center/find-ids-and-domain-names.");
+    if (!tenantId.match(/^[0-9a-zA-Z-.]+$/)) {
+        const error = new Error("Invalid tenant id provided. You can locate your tenant id by following the instructions listed here: https://learn.microsoft.com/partner-center/find-ids-and-domain-names.");
         logger.info(formatError("", error));
         throw error;
     }
@@ -582,7 +582,7 @@ function resolveTenantId(logger, tenantId, clientId) {
 /**
  * @internal
  */
-function resolveAddionallyAllowedTenantIds(additionallyAllowedTenants) {
+function resolveAdditionallyAllowedTenantIds(additionallyAllowedTenants) {
     if (!additionallyAllowedTenants || additionallyAllowedTenants.length === 0) {
         return [];
     }
@@ -1058,7 +1058,7 @@ class MsalNode extends MsalBaseUtilities {
         this.requiresConfidential = false;
         this.msalConfig = this.defaultNodeMsalConfig(options);
         this.tenantId = resolveTenantId(options.logger, options.tenantId, options.clientId);
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds((_a = options === null || options === void 0 ? void 0 : options.tokenCredentialOptions) === null || _a === void 0 ? void 0 : _a.additionallyAllowedTenants);
         this.clientId = this.msalConfig.auth.clientId;
         if (options === null || options === void 0 ? void 0 : options.getAssertion) {
             this.getAssertion = options.getAssertion;
@@ -1398,7 +1398,7 @@ class VisualStudioCodeCredential {
         else {
             this.tenantId = CommonTenantId;
         }
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         checkUnsupportedTenant(this.tenantId);
     }
     /**
@@ -1741,20 +1741,21 @@ const imdsMsi = {
             skipQuery: true,
         });
         return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
-            var _a;
+            var _a, _b;
             requestOptions.tracingOptions = options.tracingOptions;
             // Create a request with a timeout since we expect that
             // not having a "Metadata" header should cause an error to be
             // returned quickly from the endpoint, proving its availability.
             const request = coreRestPipeline.createPipelineRequest(requestOptions);
-            // Default to 300 if the default of 0 is used.
+            // Default to 1000 if the default of 0 is used.
             // Negative values can still be used to disable the timeout.
-            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 300;
+            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
             // This MSI uses the imdsEndpoint to get the token, which only uses http://
             request.allowInsecureConnection = true;
+            let response;
             try {
                 logger$j.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
-                await identityClient.sendRequest(request);
+                response = await identityClient.sendRequest(request);
             }
             catch (err) {
                 // If the request failed, or Node.js was unable to establish a connection,
@@ -1762,9 +1763,18 @@ const imdsMsi = {
                 if (coreUtil.isError(err)) {
                     logger$j.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
                 }
+                // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
+                // rather than just timing out, as expected.
                 logger$j.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
                 return false;
             }
+            if (response.status === 403) {
+                if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("A socket operation was attempted to an unreachable network")) {
+                    logger$j.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
+                    logger$j.info(`${msiName$4}: ${response.bodyAsText}`);
+                    return false;
+                }
+            }
             // If we received any response, the endpoint is available
             logger$j.info(`${msiName$4}: The Azure IMDS endpoint is available`);
             return true;
@@ -1971,7 +1981,7 @@ class ClientAssertionCredential {
             throw new Error("ClientAssertionCredential: tenantId, clientId, and clientAssertion are required parameters.");
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.clientId = clientId;
         this.options = options;
         this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$h, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
@@ -2289,7 +2299,7 @@ const logger$c = credentialLogger("ManagedIdentityCredential");
  * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
  *
  * More information about configuring managed identities can be found here:
- * https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+ * https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
  */
 class ManagedIdentityCredential {
     /**
@@ -2480,6 +2490,15 @@ class ManagedIdentityCredential {
             if (err.statusCode === 400) {
                 throw new CredentialUnavailableError(`${ManagedIdentityCredential.name}: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
             }
+            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
+            // rather than just timing out, as expected.
+            if (err.statusCode === 403 || err.code === 403) {
+                if (err.message.includes("A socket operation was attempted to an unreachable network")) {
+                    const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
+                    logger$c.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+            }
             // If the error has no status code, we can assume there was no available identity.
             // This will throw silently during any ChainedTokenCredential.
             if (err.statusCode === undefined) {
@@ -2576,7 +2595,7 @@ function ensureScopes(scopes) {
  * @internal
  */
 function ensureValidScopeForDevTimeCreds(scope, logger) {
-    if (!scope.match(/^[0-9a-zA-Z-.:/]+$/)) {
+    if (!scope.match(/^[0-9a-zA-Z-_.:/]+$/)) {
         const error = new Error("Invalid scope was specified by the user or calling client");
         logger.getToken.info(formatError(scope, error));
         throw error;
@@ -2662,7 +2681,7 @@ class AzureCliCredential {
             checkTenantId(logger$b, options === null || options === void 0 ? void 0 : options.tenantId);
             this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         }
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
@@ -2844,7 +2863,7 @@ class AzurePowerShellCredential {
             checkTenantId(logger$a, options === null || options === void 0 ? void 0 : options.tenantId);
             this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         }
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
@@ -3130,7 +3149,7 @@ const logger$8 = credentialLogger(credentialName$2);
  * certificate that is assigned to an App Registration. More information
  * on how to configure certificate authentication can be found here:
  *
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
+ * https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
  *
  */
 class ClientCertificateCredential {
@@ -3139,7 +3158,7 @@ class ClientCertificateCredential {
             throw new Error(`${credentialName$2}: tenantId and clientId are required parameters.`);
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         const configuration = Object.assign({}, (typeof certificatePathOrConfiguration === "string"
             ? {
                 certificatePath: certificatePathOrConfiguration,
@@ -3234,7 +3253,7 @@ class ClientSecretCredential {
             throw new Error("ClientSecretCredential: tenantId, clientId, and clientSecret are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.");
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalClientSecret(Object.assign(Object.assign({}, options), { logger: logger$7,
             clientId,
             tenantId,
@@ -3314,7 +3333,7 @@ class UsernamePasswordCredential {
             throw new Error("UsernamePasswordCredential: tenantId, clientId, username and password are required parameters. To troubleshoot, visit https://aka.ms/azsdk/js/identity/usernamepasswordcredential/troubleshoot.");
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$6,
             clientId,
             tenantId,
@@ -3548,7 +3567,7 @@ class AzureDeveloperCliCredential {
             checkTenantId(logger$4, options === null || options === void 0 ? void 0 : options.tenantId);
             this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
         }
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
     }
     /**
@@ -3781,7 +3800,7 @@ class InteractiveBrowserCredential {
             ? options.redirectUri()
             : options.redirectUri || "http://localhost";
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$3,
             redirectUri }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
@@ -3897,7 +3916,7 @@ class DeviceCodeCredential {
      */
     constructor(options) {
         this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$2, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
@@ -4016,7 +4035,7 @@ class AuthorizationCodeCredential {
         }
         // TODO: Validate tenant if provided
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
         this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
             clientId,
             tenantId, tokenCredentialOptions: options || {}, logger: logger$1, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
@@ -4098,7 +4117,7 @@ class MsalOnBehalfOf extends MsalNode {
 const credentialName = "OnBehalfOfCredential";
 const logger = credentialLogger(credentialName);
 /**
- * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
+ * Enables authentication to Microsoft Entra ID using the [On Behalf Of flow](https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow).
  */
 class OnBehalfOfCredential {
     constructor(options) {
@@ -4110,7 +4129,7 @@ class OnBehalfOfCredential {
             throw new Error(`${credentialName}: tenantId, clientId, clientSecret (or certificatePath) and userAssertionToken are required parameters.`);
         }
         this.tenantId = tenantId;
-        this.additionallyAllowedTenantIds = resolveAddionallyAllowedTenantIds(additionallyAllowedTenantIds);
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(additionallyAllowedTenantIds);
         this.msalFlow = new MsalOnBehalfOf(Object.assign(Object.assign({}, this.options), { logger, tokenCredentialOptions: this.options }));
     }
     /**