@azure/identity 4.1.0-alpha.20240124.2 → 4.1.0-alpha.20240126.4
- package/dist/index.js +369 -327
- package/dist/index.js.map +1 -1
- package/dist-esm/src/client/identityClient.js.map +1 -1
- package/dist-esm/src/credentials/authorizationCodeCredential.js.map +1 -1
- package/dist-esm/src/credentials/azureApplicationCredential.js +6 -7
- package/dist-esm/src/credentials/azureApplicationCredential.js.map +1 -1
- package/dist-esm/src/credentials/azureCliCredential.js.map +1 -1
- package/dist-esm/src/credentials/azureDeveloperCliCredential.js.map +1 -1
- package/dist-esm/src/credentials/azurePowerShellCredential.js +1 -1
- package/dist-esm/src/credentials/azurePowerShellCredential.js.map +1 -1
- package/dist-esm/src/credentials/chainedTokenCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientAssertionCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientCertificateCredential.js.map +1 -1
- package/dist-esm/src/credentials/clientSecretCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/clientSecretCredential.js.map +1 -1
- package/dist-esm/src/credentials/defaultAzureCredential.js +114 -71
- package/dist-esm/src/credentials/defaultAzureCredential.js.map +1 -1
- package/dist-esm/src/credentials/environmentCredential.js.map +1 -1
- package/dist-esm/src/credentials/interactiveBrowserCredential.browser.js.map +1 -1
- package/dist-esm/src/credentials/interactiveBrowserCredential.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2017.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/appServiceMsi2019.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/cloudShellMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/fabricMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/imdsMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/index.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/tokenExchangeMsi.js.map +1 -1
- package/dist-esm/src/credentials/managedIdentityCredential/utils.js.map +1 -1
- package/dist-esm/src/credentials/onBehalfOfCredential.js.map +1 -1
- package/dist-esm/src/credentials/usernamePasswordCredential.js.map +1 -1
- package/dist-esm/src/credentials/visualStudioCodeCredential.js.map +1 -1
- package/dist-esm/src/credentials/workloadIdentityCredential.js.map +1 -1
- package/dist-esm/src/errors.js.map +1 -1
- package/dist-esm/src/msal/browserFlows/msalAuthCode.js.map +1 -1
- package/dist-esm/src/msal/browserFlows/msalBrowserCommon.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalAuthorizationCode.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalClientAssertion.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalClientCertificate.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalClientSecret.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalDeviceCode.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalNodeCommon.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalOnBehalfOf.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalOpenBrowser.js.map +1 -1
- package/dist-esm/src/msal/nodeFlows/msalUsernamePassword.js.map +1 -1
- package/dist-esm/src/msal/utils.browser.js.map +1 -1
- package/dist-esm/src/msal/utils.js.map +1 -1
- package/dist-esm/src/util/identityTokenEndpoint.js.map +1 -1
- package/dist-esm/src/util/logging.js.map +1 -1
- package/dist-esm/src/util/processMultiTenantRequest.browser.js.map +1 -1
- package/dist-esm/src/util/processMultiTenantRequest.js.map +1 -1
- package/dist-esm/src/util/processUtils.js.map +1 -1
- package/dist-esm/src/util/scopeUtils.js.map +1 -1
- package/dist-esm/src/util/tenantIdUtils.js.map +1 -1
- package/package.json +2 -2
package/dist/index.js
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
4
|
|
|
5
5
|
var msalCommon = require('@azure/msal-node');
|
|
6
|
-
var logger$
|
|
6
|
+
var logger$q = require('@azure/logger');
|
|
7
7
|
var abortController = require('@azure/abort-controller');
|
|
8
8
|
var coreUtil = require('@azure/core-util');
|
|
9
9
|
var coreClient = require('@azure/core-client');
|
|
@@ -104,7 +104,7 @@ const CACHE_NON_CAE_SUFFIX = ".nocae";
|
|
|
104
104
|
/**
|
|
105
105
|
* The AzureLogger used for all clients within the identity package
|
|
106
106
|
*/
|
|
107
|
-
const logger$
|
|
107
|
+
const logger$p = logger$q.createClientLogger("identity");
|
|
108
108
|
/**
|
|
109
109
|
* Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
|
|
110
110
|
* @param supportedEnvVars - List of environment variable names
|
|
@@ -144,7 +144,7 @@ function formatError(scope, error) {
|
|
|
144
144
|
* `[title] => [message]`
|
|
145
145
|
*
|
|
146
146
|
*/
|
|
147
|
-
function credentialLoggerInstance(title, parent, log = logger$
|
|
147
|
+
function credentialLoggerInstance(title, parent, log = logger$p) {
|
|
148
148
|
const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
|
|
149
149
|
function info(message) {
|
|
150
150
|
log.info(`${fullTitle} =>`, message);
|
|
@@ -173,7 +173,7 @@ function credentialLoggerInstance(title, parent, log = logger$o) {
|
|
|
173
173
|
* `[title] => getToken() => [message]`
|
|
174
174
|
*
|
|
175
175
|
*/
|
|
176
|
-
function credentialLogger(title, log = logger$
|
|
176
|
+
function credentialLogger(title, log = logger$p) {
|
|
177
177
|
const credLogger = credentialLoggerInstance(title, undefined, log);
|
|
178
178
|
return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
|
|
179
179
|
}
|
|
@@ -302,7 +302,7 @@ class AuthenticationRequiredError extends Error {
|
|
|
302
302
|
/**
|
|
303
303
|
* @internal
|
|
304
304
|
*/
|
|
305
|
-
const logger$
|
|
305
|
+
const logger$o = credentialLogger("IdentityUtils");
|
|
306
306
|
/**
|
|
307
307
|
* Latest AuthenticationRecord version
|
|
308
308
|
* @internal
|
|
@@ -314,7 +314,7 @@ const LatestAuthenticationRecordVersion = "1.0";
|
|
|
314
314
|
*/
|
|
315
315
|
function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
|
|
316
316
|
const error = (message) => {
|
|
317
|
-
logger$
|
|
317
|
+
logger$o.getToken.info(message);
|
|
318
318
|
return new AuthenticationRequiredError({
|
|
319
319
|
scopes: Array.isArray(scopes) ? scopes : [scopes],
|
|
320
320
|
getTokenOptions,
|
|
@@ -414,17 +414,17 @@ function handleMsalError(scopes, error, getTokenOptions) {
|
|
|
414
414
|
const msalError = error;
|
|
415
415
|
switch (msalError.errorCode) {
|
|
416
416
|
case "endpoints_resolution_error":
|
|
417
|
-
logger$
|
|
417
|
+
logger$o.info(formatError(scopes, error.message));
|
|
418
418
|
return new CredentialUnavailableError(error.message);
|
|
419
419
|
case "device_code_polling_cancelled":
|
|
420
420
|
return new abortController.AbortError("The authentication has been aborted by the caller.");
|
|
421
421
|
case "consent_required":
|
|
422
422
|
case "interaction_required":
|
|
423
423
|
case "login_required":
|
|
424
|
-
logger$
|
|
424
|
+
logger$o.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
|
|
425
425
|
break;
|
|
426
426
|
default:
|
|
427
|
-
logger$
|
|
427
|
+
logger$o.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
|
|
428
428
|
break;
|
|
429
429
|
}
|
|
430
430
|
}
|
|
@@ -434,7 +434,7 @@ function handleMsalError(scopes, error, getTokenOptions) {
|
|
|
434
434
|
return error;
|
|
435
435
|
}
|
|
436
436
|
if (error.name === "NativeAuthError") {
|
|
437
|
-
logger$
|
|
437
|
+
logger$o.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
|
|
438
438
|
return error;
|
|
439
439
|
}
|
|
440
440
|
return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
|
|
@@ -703,7 +703,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
703
703
|
this.tokenCredentialOptions = Object.assign({}, options);
|
|
704
704
|
}
|
|
705
705
|
async sendTokenRequest(request) {
|
|
706
|
-
logger$
|
|
706
|
+
logger$p.info(`IdentityClient: sending token request to [${request.url}]`);
|
|
707
707
|
const response = await this.sendRequest(request);
|
|
708
708
|
if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
|
|
709
709
|
const parsedBody = JSON.parse(response.bodyAsText);
|
|
@@ -718,12 +718,12 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
718
718
|
},
|
|
719
719
|
refreshToken: parsedBody.refresh_token,
|
|
720
720
|
};
|
|
721
|
-
logger$
|
|
721
|
+
logger$p.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
|
|
722
722
|
return token;
|
|
723
723
|
}
|
|
724
724
|
else {
|
|
725
725
|
const error = new AuthenticationError(response.status, response.bodyAsText);
|
|
726
|
-
logger$
|
|
726
|
+
logger$p.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
|
|
727
727
|
throw error;
|
|
728
728
|
}
|
|
729
729
|
}
|
|
@@ -731,7 +731,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
731
731
|
if (refreshToken === undefined) {
|
|
732
732
|
return null;
|
|
733
733
|
}
|
|
734
|
-
logger$
|
|
734
|
+
logger$p.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
|
|
735
735
|
const refreshParams = {
|
|
736
736
|
grant_type: "refresh_token",
|
|
737
737
|
client_id: clientId,
|
|
@@ -757,7 +757,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
757
757
|
tracingOptions: updatedOptions.tracingOptions,
|
|
758
758
|
});
|
|
759
759
|
const response = await this.sendTokenRequest(request);
|
|
760
|
-
logger$
|
|
760
|
+
logger$p.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
|
|
761
761
|
return response;
|
|
762
762
|
}
|
|
763
763
|
catch (err) {
|
|
@@ -766,11 +766,11 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
766
766
|
// It's likely that the refresh token has expired, so
|
|
767
767
|
// return null so that the credential implementation will
|
|
768
768
|
// initiate the authentication flow again.
|
|
769
|
-
logger$
|
|
769
|
+
logger$p.info(`IdentityClient: interaction required for client ID: ${clientId}`);
|
|
770
770
|
return null;
|
|
771
771
|
}
|
|
772
772
|
else {
|
|
773
|
-
logger$
|
|
773
|
+
logger$p.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
|
|
774
774
|
throw err;
|
|
775
775
|
}
|
|
776
776
|
}
|
|
@@ -879,10 +879,10 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
879
879
|
}
|
|
880
880
|
const base64Metadata = accessToken.split(".")[1];
|
|
881
881
|
const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
|
|
882
|
-
logger$
|
|
882
|
+
logger$p.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
|
|
883
883
|
}
|
|
884
884
|
catch (e) {
|
|
885
|
-
logger$
|
|
885
|
+
logger$p.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
|
|
886
886
|
}
|
|
887
887
|
}
|
|
888
888
|
}
|
|
@@ -1115,7 +1115,7 @@ class MsalNode {
|
|
|
1115
1115
|
networkClient: this.identityClient,
|
|
1116
1116
|
loggerOptions: {
|
|
1117
1117
|
loggerCallback: defaultLoggerCallback(options.logger),
|
|
1118
|
-
logLevel: getMSALLogLevel(logger$
|
|
1118
|
+
logLevel: getMSALLogLevel(logger$q.getLogLevel()),
|
|
1119
1119
|
piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
|
|
1120
1120
|
},
|
|
1121
1121
|
},
|
|
@@ -1352,7 +1352,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
1352
1352
|
// Licensed under the MIT license.
|
|
1353
1353
|
const CommonTenantId = "common";
|
|
1354
1354
|
const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
|
|
1355
|
-
const logger$
|
|
1355
|
+
const logger$n = credentialLogger("VisualStudioCodeCredential");
|
|
1356
1356
|
let findCredentials = undefined;
|
|
1357
1357
|
const vsCodeCredentialControl = {
|
|
1358
1358
|
setVsCodeCredentialFinder(finder) {
|
|
@@ -1405,7 +1405,7 @@ function getPropertyFromVSCode(property) {
|
|
|
1405
1405
|
}
|
|
1406
1406
|
}
|
|
1407
1407
|
catch (e) {
|
|
1408
|
-
logger$
|
|
1408
|
+
logger$n.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
|
|
1409
1409
|
return;
|
|
1410
1410
|
}
|
|
1411
1411
|
}
|
|
@@ -1438,7 +1438,7 @@ class VisualStudioCodeCredential {
|
|
|
1438
1438
|
const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
|
|
1439
1439
|
this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
|
|
1440
1440
|
if (options && options.tenantId) {
|
|
1441
|
-
checkTenantId(logger$
|
|
1441
|
+
checkTenantId(logger$n, options.tenantId);
|
|
1442
1442
|
this.tenantId = options.tenantId;
|
|
1443
1443
|
}
|
|
1444
1444
|
else {
|
|
@@ -1478,7 +1478,7 @@ class VisualStudioCodeCredential {
|
|
|
1478
1478
|
async getToken(scopes, options) {
|
|
1479
1479
|
var _a, _b;
|
|
1480
1480
|
await this.prepareOnce();
|
|
1481
|
-
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$
|
|
1481
|
+
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$n) || this.tenantId;
|
|
1482
1482
|
if (findCredentials === undefined) {
|
|
1483
1483
|
throw new CredentialUnavailableError([
|
|
1484
1484
|
"No implementation of `VisualStudioCodeCredential` is available.",
|
|
@@ -1492,7 +1492,7 @@ class VisualStudioCodeCredential {
|
|
|
1492
1492
|
// Check to make sure the scope we get back is a valid scope
|
|
1493
1493
|
if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
|
|
1494
1494
|
const error = new Error("Invalid scope was specified by the user or calling client");
|
|
1495
|
-
logger$
|
|
1495
|
+
logger$n.getToken.info(formatError(scopes, error));
|
|
1496
1496
|
throw error;
|
|
1497
1497
|
}
|
|
1498
1498
|
if (scopeString.indexOf("offline_access") < 0) {
|
|
@@ -1512,18 +1512,18 @@ class VisualStudioCodeCredential {
|
|
|
1512
1512
|
if (refreshToken) {
|
|
1513
1513
|
const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
|
|
1514
1514
|
if (tokenResponse) {
|
|
1515
|
-
logger$
|
|
1515
|
+
logger$n.getToken.info(formatSuccess(scopes));
|
|
1516
1516
|
return tokenResponse.accessToken;
|
|
1517
1517
|
}
|
|
1518
1518
|
else {
|
|
1519
1519
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1520
|
-
logger$
|
|
1520
|
+
logger$n.getToken.info(formatError(scopes, error));
|
|
1521
1521
|
throw error;
|
|
1522
1522
|
}
|
|
1523
1523
|
}
|
|
1524
1524
|
else {
|
|
1525
1525
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
1526
|
-
logger$
|
|
1526
|
+
logger$n.getToken.info(formatError(scopes, error));
|
|
1527
1527
|
throw error;
|
|
1528
1528
|
}
|
|
1529
1529
|
}
|
|
@@ -1575,7 +1575,7 @@ function useIdentityPlugin(plugin) {
|
|
|
1575
1575
|
// Copyright (c) Microsoft Corporation.
|
|
1576
1576
|
// Licensed under the MIT license.
|
|
1577
1577
|
const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
|
|
1578
|
-
const logger$
|
|
1578
|
+
const logger$m = credentialLogger(msiName$6);
|
|
1579
1579
|
/**
|
|
1580
1580
|
* Generates the options used on the request for an access token.
|
|
1581
1581
|
*/
|
|
@@ -1616,22 +1616,22 @@ const appServiceMsi2017 = {
|
|
|
1616
1616
|
async isAvailable({ scopes }) {
|
|
1617
1617
|
const resource = mapScopesToResource(scopes);
|
|
1618
1618
|
if (!resource) {
|
|
1619
|
-
logger$
|
|
1619
|
+
logger$m.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
|
|
1620
1620
|
return false;
|
|
1621
1621
|
}
|
|
1622
1622
|
const env = process.env;
|
|
1623
1623
|
const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
|
|
1624
1624
|
if (!result) {
|
|
1625
|
-
logger$
|
|
1625
|
+
logger$m.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
|
|
1626
1626
|
}
|
|
1627
1627
|
return result;
|
|
1628
1628
|
},
|
|
1629
1629
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1630
1630
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1631
1631
|
if (resourceId) {
|
|
1632
|
-
logger$
|
|
1632
|
+
logger$m.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
1633
1633
|
}
|
|
1634
|
-
logger$
|
|
1634
|
+
logger$m.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
|
|
1635
1635
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), {
|
|
1636
1636
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1637
1637
|
allowInsecureConnection: true }));
|
|
@@ -1643,7 +1643,7 @@ const appServiceMsi2017 = {
|
|
|
1643
1643
|
// Copyright (c) Microsoft Corporation.
|
|
1644
1644
|
// Licensed under the MIT license.
|
|
1645
1645
|
const msiName$5 = "ManagedIdentityCredential - CloudShellMSI";
|
|
1646
|
-
const logger$
|
|
1646
|
+
const logger$l = credentialLogger(msiName$5);
|
|
1647
1647
|
/**
|
|
1648
1648
|
* Generates the options used on the request for an access token.
|
|
1649
1649
|
*/
|
|
@@ -1686,24 +1686,24 @@ const cloudShellMsi = {
|
|
|
1686
1686
|
async isAvailable({ scopes }) {
|
|
1687
1687
|
const resource = mapScopesToResource(scopes);
|
|
1688
1688
|
if (!resource) {
|
|
1689
|
-
logger$
|
|
1689
|
+
logger$l.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
|
|
1690
1690
|
return false;
|
|
1691
1691
|
}
|
|
1692
1692
|
const result = Boolean(process.env.MSI_ENDPOINT);
|
|
1693
1693
|
if (!result) {
|
|
1694
|
-
logger$
|
|
1694
|
+
logger$l.info(`${msiName$5}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
|
|
1695
1695
|
}
|
|
1696
1696
|
return result;
|
|
1697
1697
|
},
|
|
1698
1698
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1699
1699
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1700
1700
|
if (clientId) {
|
|
1701
|
-
logger$
|
|
1701
|
+
logger$l.warning(`${msiName$5}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
1702
1702
|
}
|
|
1703
1703
|
if (resourceId) {
|
|
1704
|
-
logger$
|
|
1704
|
+
logger$l.warning(`${msiName$5}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
|
|
1705
1705
|
}
|
|
1706
|
-
logger$
|
|
1706
|
+
logger$l.info(`${msiName$5}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
|
|
1707
1707
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), {
|
|
1708
1708
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1709
1709
|
allowInsecureConnection: true }));
|
|
@@ -1715,7 +1715,7 @@ const cloudShellMsi = {
|
|
|
1715
1715
|
// Copyright (c) Microsoft Corporation.
|
|
1716
1716
|
// Licensed under the MIT license.
|
|
1717
1717
|
const msiName$4 = "ManagedIdentityCredential - IMDS";
|
|
1718
|
-
const logger$
|
|
1718
|
+
const logger$k = credentialLogger(msiName$4);
|
|
1719
1719
|
/**
|
|
1720
1720
|
* Generates the options used on the request for an access token.
|
|
1721
1721
|
*/
|
|
@@ -1773,7 +1773,7 @@ const imdsMsi = {
|
|
|
1773
1773
|
async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
|
|
1774
1774
|
const resource = mapScopesToResource(scopes);
|
|
1775
1775
|
if (!resource) {
|
|
1776
|
-
logger$
|
|
1776
|
+
logger$k.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
|
|
1777
1777
|
return false;
|
|
1778
1778
|
}
|
|
1779
1779
|
// if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
|
|
@@ -1801,39 +1801,39 @@ const imdsMsi = {
|
|
|
1801
1801
|
request.allowInsecureConnection = true;
|
|
1802
1802
|
let response;
|
|
1803
1803
|
try {
|
|
1804
|
-
logger$
|
|
1804
|
+
logger$k.info(`${msiName$4}: Pinging the Azure IMDS endpoint`);
|
|
1805
1805
|
response = await identityClient.sendRequest(request);
|
|
1806
1806
|
}
|
|
1807
1807
|
catch (err) {
|
|
1808
1808
|
// If the request failed, or Node.js was unable to establish a connection,
|
|
1809
1809
|
// or the host was down, we'll assume the IMDS endpoint isn't available.
|
|
1810
1810
|
if (coreUtil.isError(err)) {
|
|
1811
|
-
logger$
|
|
1811
|
+
logger$k.verbose(`${msiName$4}: Caught error ${err.name}: ${err.message}`);
|
|
1812
1812
|
}
|
|
1813
1813
|
// This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
|
|
1814
1814
|
// rather than just timing out, as expected.
|
|
1815
|
-
logger$
|
|
1815
|
+
logger$k.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
|
|
1816
1816
|
return false;
|
|
1817
1817
|
}
|
|
1818
1818
|
if (response.status === 403) {
|
|
1819
1819
|
if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("A socket operation was attempted to an unreachable network")) {
|
|
1820
|
-
logger$
|
|
1821
|
-
logger$
|
|
1820
|
+
logger$k.info(`${msiName$4}: The Azure IMDS endpoint is unavailable`);
|
|
1821
|
+
logger$k.info(`${msiName$4}: ${response.bodyAsText}`);
|
|
1822
1822
|
return false;
|
|
1823
1823
|
}
|
|
1824
1824
|
}
|
|
1825
1825
|
// If we received any response, the endpoint is available
|
|
1826
|
-
logger$
|
|
1826
|
+
logger$k.info(`${msiName$4}: The Azure IMDS endpoint is available`);
|
|
1827
1827
|
return true;
|
|
1828
1828
|
});
|
|
1829
1829
|
},
|
|
1830
1830
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1831
1831
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1832
1832
|
if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
|
|
1833
|
-
logger$
|
|
1833
|
+
logger$k.info(`${msiName$4}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
|
|
1834
1834
|
}
|
|
1835
1835
|
else {
|
|
1836
|
-
logger$
|
|
1836
|
+
logger$k.info(`${msiName$4}: Using the default Azure IMDS endpoint ${imdsHost}.`);
|
|
1837
1837
|
}
|
|
1838
1838
|
let nextDelayInMs = imdsMsiRetryConfig.startDelayInMs;
|
|
1839
1839
|
for (let retries = 0; retries < imdsMsiRetryConfig.maxRetries; retries++) {
|
|
@@ -1858,7 +1858,7 @@ const imdsMsi = {
|
|
|
1858
1858
|
// Copyright (c) Microsoft Corporation.
|
|
1859
1859
|
// Licensed under the MIT license.
|
|
1860
1860
|
const msiName$3 = "ManagedIdentityCredential - Azure Arc MSI";
|
|
1861
|
-
const logger$
|
|
1861
|
+
const logger$j = credentialLogger(msiName$3);
|
|
1862
1862
|
/**
|
|
1863
1863
|
* Generates the options used on the request for an access token.
|
|
1864
1864
|
*/
|
|
@@ -1932,12 +1932,12 @@ const arcMsi = {
|
|
|
1932
1932
|
async isAvailable({ scopes }) {
|
|
1933
1933
|
const resource = mapScopesToResource(scopes);
|
|
1934
1934
|
if (!resource) {
|
|
1935
|
-
logger$
|
|
1935
|
+
logger$j.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
|
|
1936
1936
|
return false;
|
|
1937
1937
|
}
|
|
1938
1938
|
const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
|
|
1939
1939
|
if (!result) {
|
|
1940
|
-
logger$
|
|
1940
|
+
logger$j.info(`${msiName$3}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
|
|
1941
1941
|
}
|
|
1942
1942
|
return result;
|
|
1943
1943
|
},
|
|
@@ -1945,12 +1945,12 @@ const arcMsi = {
|
|
|
1945
1945
|
var _a;
|
|
1946
1946
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1947
1947
|
if (clientId) {
|
|
1948
|
-
logger$
|
|
1948
|
+
logger$j.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
1949
1949
|
}
|
|
1950
1950
|
if (resourceId) {
|
|
1951
|
-
logger$
|
|
1951
|
+
logger$j.warning(`${msiName$3}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
|
|
1952
1952
|
}
|
|
1953
|
-
logger$
|
|
1953
|
+
logger$j.info(`${msiName$3}: Authenticating.`);
|
|
1954
1954
|
const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), { allowInsecureConnection: true });
|
|
1955
1955
|
const filePath = await filePathRequest(identityClient, requestOptions);
|
|
1956
1956
|
if (!filePath) {
|
|
@@ -2008,7 +2008,7 @@ class MsalClientAssertion extends MsalNode {
|
|
|
2008
2008
|
|
|
2009
2009
|
// Copyright (c) Microsoft Corporation.
|
|
2010
2010
|
// Licensed under the MIT license.
|
|
2011
|
-
const logger$
|
|
2011
|
+
const logger$i = credentialLogger("ClientAssertionCredential");
|
|
2012
2012
|
/**
|
|
2013
2013
|
* Authenticates a service principal with a JWT assertion.
|
|
2014
2014
|
*/
|
|
@@ -2031,7 +2031,7 @@ class ClientAssertionCredential {
|
|
|
2031
2031
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
2032
2032
|
this.clientId = clientId;
|
|
2033
2033
|
this.options = options;
|
|
2034
|
-
this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$
|
|
2034
|
+
this.msalFlow = new MsalClientAssertion(Object.assign(Object.assign({}, options), { logger: logger$i, clientId: this.clientId, tenantId: this.tenantId, tokenCredentialOptions: this.options, getAssertion }));
|
|
2035
2035
|
}
|
|
2036
2036
|
/**
|
|
2037
2037
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -2043,7 +2043,7 @@ class ClientAssertionCredential {
|
|
|
2043
2043
|
*/
|
|
2044
2044
|
async getToken(scopes, options = {}) {
|
|
2045
2045
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
2046
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$
|
|
2046
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$i);
|
|
2047
2047
|
const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
|
|
2048
2048
|
return this.msalFlow.getToken(arrayScopes, newOptions);
|
|
2049
2049
|
});
|
|
@@ -2065,7 +2065,7 @@ const SupportedWorkloadEnvironmentVariables = [
|
|
|
2065
2065
|
"AZURE_CLIENT_ID",
|
|
2066
2066
|
"AZURE_FEDERATED_TOKEN_FILE",
|
|
2067
2067
|
];
|
|
2068
|
-
const logger$
|
|
2068
|
+
const logger$h = credentialLogger(credentialName$3);
|
|
2069
2069
|
/**
|
|
2070
2070
|
* Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)
|
|
2071
2071
|
* to access other Azure resources without the need for a service principal or managed identity. With Workload Identity
|
|
@@ -2091,17 +2091,17 @@ class WorkloadIdentityCredential {
|
|
|
2091
2091
|
this.cacheDate = undefined;
|
|
2092
2092
|
// Logging environment variables for error details
|
|
2093
2093
|
const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
|
|
2094
|
-
logger$
|
|
2094
|
+
logger$h.info(`Found the following environment variables: ${assignedEnv}`);
|
|
2095
2095
|
const workloadIdentityCredentialOptions = options !== null && options !== void 0 ? options : {};
|
|
2096
2096
|
const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;
|
|
2097
2097
|
const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;
|
|
2098
2098
|
this.federatedTokenFilePath =
|
|
2099
2099
|
workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
2100
2100
|
if (tenantId) {
|
|
2101
|
-
checkTenantId(logger$
|
|
2101
|
+
checkTenantId(logger$h, tenantId);
|
|
2102
2102
|
}
|
|
2103
2103
|
if (clientId && tenantId && this.federatedTokenFilePath) {
|
|
2104
|
-
logger$
|
|
2104
|
+
logger$h.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
|
|
2105
2105
|
this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
|
|
2106
2106
|
}
|
|
2107
2107
|
}
|
|
@@ -2120,10 +2120,10 @@ class WorkloadIdentityCredential {
|
|
|
2120
2120
|
"AZURE_TENANT_ID",
|
|
2121
2121
|
"AZURE_CLIENT_ID",
|
|
2122
2122
|
"AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot `;
|
|
2123
|
-
logger$
|
|
2123
|
+
logger$h.info(errorMessage);
|
|
2124
2124
|
throw new CredentialUnavailableError(errorMessage);
|
|
2125
2125
|
}
|
|
2126
|
-
logger$
|
|
2126
|
+
logger$h.info("Invoking getToken() of Client Assertion Credential");
|
|
2127
2127
|
return this.client.getToken(scopes, options);
|
|
2128
2128
|
}
|
|
2129
2129
|
async readFileContents() {
|
|
@@ -2152,7 +2152,7 @@ class WorkloadIdentityCredential {
|
|
|
2152
2152
|
// Copyright (c) Microsoft Corporation.
|
|
2153
2153
|
// Licensed under the MIT license.
|
|
2154
2154
|
const msiName$2 = "ManagedIdentityCredential - Token Exchange";
|
|
2155
|
-
const logger$
|
|
2155
|
+
const logger$g = credentialLogger(msiName$2);
|
|
2156
2156
|
/**
|
|
2157
2157
|
* Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
|
|
2158
2158
|
*/
|
|
@@ -2165,7 +2165,7 @@ function tokenExchangeMsi() {
|
|
|
2165
2165
|
env.AZURE_TENANT_ID &&
|
|
2166
2166
|
process.env.AZURE_FEDERATED_TOKEN_FILE);
|
|
2167
2167
|
if (!result) {
|
|
2168
|
-
logger$
|
|
2168
|
+
logger$g.info(`${msiName$2}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
|
|
2169
2169
|
}
|
|
2170
2170
|
return result;
|
|
2171
2171
|
},
|
|
@@ -2192,7 +2192,7 @@ function tokenExchangeMsi() {
|
|
|
2192
2192
|
// curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
|
|
2193
2193
|
//
|
|
2194
2194
|
const msiName$1 = "ManagedIdentityCredential - Fabric MSI";
|
|
2195
|
-
const logger$
|
|
2195
|
+
const logger$f = credentialLogger(msiName$1);
|
|
2196
2196
|
/**
|
|
2197
2197
|
* Generates the options used on the request for an access token.
|
|
2198
2198
|
*/
|
|
@@ -2236,22 +2236,22 @@ const fabricMsi = {
|
|
|
2236
2236
|
async isAvailable({ scopes }) {
|
|
2237
2237
|
const resource = mapScopesToResource(scopes);
|
|
2238
2238
|
if (!resource) {
|
|
2239
|
-
logger$
|
|
2239
|
+
logger$f.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
|
|
2240
2240
|
return false;
|
|
2241
2241
|
}
|
|
2242
2242
|
const env = process.env;
|
|
2243
2243
|
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
|
|
2244
2244
|
if (!result) {
|
|
2245
|
-
logger$
|
|
2245
|
+
logger$f.info(`${msiName$1}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
|
|
2246
2246
|
}
|
|
2247
2247
|
return result;
|
|
2248
2248
|
},
|
|
2249
2249
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2250
2250
|
const { scopes, identityClient, clientId, resourceId } = configuration;
|
|
2251
2251
|
if (resourceId) {
|
|
2252
|
-
logger$
|
|
2252
|
+
logger$f.warning(`${msiName$1}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
2253
2253
|
}
|
|
2254
|
-
logger$
|
|
2254
|
+
logger$f.info([
|
|
2255
2255
|
`${msiName$1}:`,
|
|
2256
2256
|
"Using the endpoint and the secret coming from the environment variables:",
|
|
2257
2257
|
`IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
|
|
@@ -2272,7 +2272,7 @@ const fabricMsi = {
|
|
|
2272
2272
|
// Copyright (c) Microsoft Corporation.
|
|
2273
2273
|
// Licensed under the MIT license.
|
|
2274
2274
|
const msiName = "ManagedIdentityCredential - AppServiceMSI 2019";
|
|
2275
|
-
const logger$
|
|
2275
|
+
const logger$e = credentialLogger(msiName);
|
|
2276
2276
|
/**
|
|
2277
2277
|
* Generates the options used on the request for an access token.
|
|
2278
2278
|
*/
|
|
@@ -2316,19 +2316,19 @@ const appServiceMsi2019 = {
|
|
|
2316
2316
|
async isAvailable({ scopes }) {
|
|
2317
2317
|
const resource = mapScopesToResource(scopes);
|
|
2318
2318
|
if (!resource) {
|
|
2319
|
-
logger$
|
|
2319
|
+
logger$e.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);
|
|
2320
2320
|
return false;
|
|
2321
2321
|
}
|
|
2322
2322
|
const env = process.env;
|
|
2323
2323
|
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
|
|
2324
2324
|
if (!result) {
|
|
2325
|
-
logger$
|
|
2325
|
+
logger$e.info(`${msiName}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
|
|
2326
2326
|
}
|
|
2327
2327
|
return result;
|
|
2328
2328
|
},
|
|
2329
2329
|
async getToken(configuration, getTokenOptions = {}) {
|
|
2330
2330
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
2331
|
-
logger$
|
|
2331
|
+
logger$e.info(`${msiName}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
|
|
2332
2332
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), {
|
|
2333
2333
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
2334
2334
|
allowInsecureConnection: true }));
|
|
@@ -2339,7 +2339,7 @@ const appServiceMsi2019 = {
|
|
|
2339
2339
|
|
|
2340
2340
|
// Copyright (c) Microsoft Corporation.
|
|
2341
2341
|
// Licensed under the MIT license.
|
|
2342
|
-
const logger$
|
|
2342
|
+
const logger$d = credentialLogger("ManagedIdentityCredential");
|
|
2343
2343
|
/**
|
|
2344
2344
|
* Attempts authentication using a managed identity available at the deployment environment.
|
|
2345
2345
|
* This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
|
|
@@ -2389,7 +2389,7 @@ class ManagedIdentityCredential {
|
|
|
2389
2389
|
},
|
|
2390
2390
|
system: {
|
|
2391
2391
|
loggerOptions: {
|
|
2392
|
-
logLevel: getMSALLogLevel(logger$
|
|
2392
|
+
logLevel: getMSALLogLevel(logger$q.getLogLevel()),
|
|
2393
2393
|
},
|
|
2394
2394
|
},
|
|
2395
2395
|
});
|
|
@@ -2485,7 +2485,7 @@ class ManagedIdentityCredential {
|
|
|
2485
2485
|
// It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
|
|
2486
2486
|
// yet we had no access token. For this reason, we'll throw once with a specific message:
|
|
2487
2487
|
const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
|
|
2488
|
-
logger$
|
|
2488
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2489
2489
|
throw error;
|
|
2490
2490
|
}
|
|
2491
2491
|
// Since `authenticateManagedIdentity` didn't throw, and the result was not null,
|
|
@@ -2497,10 +2497,10 @@ class ManagedIdentityCredential {
|
|
|
2497
2497
|
// We've previously determined that the endpoint was unavailable,
|
|
2498
2498
|
// either because it was unreachable or permanently unable to authenticate.
|
|
2499
2499
|
const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
|
|
2500
|
-
logger$
|
|
2500
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2501
2501
|
throw error;
|
|
2502
2502
|
}
|
|
2503
|
-
logger$
|
|
2503
|
+
logger$d.getToken.info(formatSuccess(scopes));
|
|
2504
2504
|
return result;
|
|
2505
2505
|
}
|
|
2506
2506
|
catch (err) {
|
|
@@ -2522,14 +2522,14 @@ class ManagedIdentityCredential {
|
|
|
2522
2522
|
// we can safely assume the credential is unavailable.
|
|
2523
2523
|
if (err.code === "ENETUNREACH") {
|
|
2524
2524
|
const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
|
|
2525
|
-
logger$
|
|
2525
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2526
2526
|
throw error;
|
|
2527
2527
|
}
|
|
2528
2528
|
// If either the host was unreachable,
|
|
2529
2529
|
// we can safely assume the credential is unavailable.
|
|
2530
2530
|
if (err.code === "EHOSTUNREACH") {
|
|
2531
2531
|
const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
|
|
2532
|
-
logger$
|
|
2532
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2533
2533
|
throw error;
|
|
2534
2534
|
}
|
|
2535
2535
|
// If err.statusCode has a value of 400, it comes from sendTokenRequest,
|
|
@@ -2542,7 +2542,7 @@ class ManagedIdentityCredential {
|
|
|
2542
2542
|
if (err.statusCode === 403 || err.code === 403) {
|
|
2543
2543
|
if (err.message.includes("A socket operation was attempted to an unreachable network")) {
|
|
2544
2544
|
const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
|
|
2545
|
-
logger$
|
|
2545
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2546
2546
|
throw error;
|
|
2547
2547
|
}
|
|
2548
2548
|
}
|
|
@@ -2569,7 +2569,7 @@ class ManagedIdentityCredential {
|
|
|
2569
2569
|
*/
|
|
2570
2570
|
handleResult(scopes, result, getTokenOptions) {
|
|
2571
2571
|
this.ensureValidMsalToken(scopes, result, getTokenOptions);
|
|
2572
|
-
logger$
|
|
2572
|
+
logger$d.getToken.info(formatSuccess(scopes));
|
|
2573
2573
|
return {
|
|
2574
2574
|
token: result.accessToken,
|
|
2575
2575
|
expiresOnTimestamp: result.expiresOn.getTime(),
|
|
@@ -2581,7 +2581,7 @@ class ManagedIdentityCredential {
|
|
|
2581
2581
|
*/
|
|
2582
2582
|
ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
|
|
2583
2583
|
const error = (message) => {
|
|
2584
|
-
logger$
|
|
2584
|
+
logger$d.getToken.info(message);
|
|
2585
2585
|
return new AuthenticationRequiredError({
|
|
2586
2586
|
scopes: Array.isArray(scopes) ? scopes : [scopes],
|
|
2587
2587
|
getTokenOptions,
|
|
@@ -2601,12 +2601,12 @@ class ManagedIdentityCredential {
|
|
|
2601
2601
|
initializeSetAppTokenProvider() {
|
|
2602
2602
|
if (!this.isAppTokenProviderInitialized) {
|
|
2603
2603
|
this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {
|
|
2604
|
-
logger$
|
|
2604
|
+
logger$d.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
|
|
2605
2605
|
const getTokenOptions = Object.assign({}, appTokenProviderParameters);
|
|
2606
|
-
logger$
|
|
2606
|
+
logger$d.info(`authenticateManagedIdentity invoked with scopes- ${JSON.stringify(appTokenProviderParameters.scopes)} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`);
|
|
2607
2607
|
const resultToken = await this.authenticateManagedIdentity(appTokenProviderParameters.scopes, getTokenOptions);
|
|
2608
2608
|
if (resultToken) {
|
|
2609
|
-
logger$
|
|
2609
|
+
logger$d.info(`SetAppTokenProvider will save the token in cache`);
|
|
2610
2610
|
const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
|
|
2611
2611
|
? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
|
|
2612
2612
|
: 0;
|
|
@@ -2616,7 +2616,7 @@ class ManagedIdentityCredential {
|
|
|
2616
2616
|
};
|
|
2617
2617
|
}
|
|
2618
2618
|
else {
|
|
2619
|
-
logger$
|
|
2619
|
+
logger$d.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
|
|
2620
2620
|
return {
|
|
2621
2621
|
accessToken: "no_access_token_returned",
|
|
2622
2622
|
expiresInSeconds: 0,
|
|
@@ -2707,7 +2707,7 @@ const cliCredentialInternals = {
|
|
|
2707
2707
|
});
|
|
2708
2708
|
},
|
|
2709
2709
|
};
|
|
2710
|
-
const logger$
|
|
2710
|
+
const logger$c = credentialLogger("AzureCliCredential");
|
|
2711
2711
|
/**
|
|
2712
2712
|
* This credential will use the currently logged-in user login information
|
|
2713
2713
|
* via the Azure CLI ('az') commandline tool.
|
|
@@ -2725,7 +2725,7 @@ class AzureCliCredential {
|
|
|
2725
2725
|
*/
|
|
2726
2726
|
constructor(options) {
|
|
2727
2727
|
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
|
2728
|
-
checkTenantId(logger$
|
|
2728
|
+
checkTenantId(logger$c, options === null || options === void 0 ? void 0 : options.tenantId);
|
|
2729
2729
|
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
|
2730
2730
|
}
|
|
2731
2731
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
@@ -2742,14 +2742,14 @@ class AzureCliCredential {
|
|
|
2742
2742
|
async getToken(scopes, options = {}) {
|
|
2743
2743
|
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
|
2744
2744
|
if (tenantId) {
|
|
2745
|
-
checkTenantId(logger$
|
|
2745
|
+
checkTenantId(logger$c, tenantId);
|
|
2746
2746
|
}
|
|
2747
2747
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
2748
|
-
logger$
|
|
2748
|
+
logger$c.getToken.info(`Using the scope ${scope}`);
|
|
2749
2749
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
2750
2750
|
var _a, _b, _c, _d;
|
|
2751
2751
|
try {
|
|
2752
|
-
ensureValidScopeForDevTimeCreds(scope, logger$
|
|
2752
|
+
ensureValidScopeForDevTimeCreds(scope, logger$c);
|
|
2753
2753
|
const resource = getScopeResource(scope);
|
|
2754
2754
|
const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.timeout);
|
|
2755
2755
|
const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
|
|
@@ -2757,18 +2757,18 @@ class AzureCliCredential {
|
|
|
2757
2757
|
const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
|
|
2758
2758
|
if (isNotInstallError) {
|
|
2759
2759
|
const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
|
|
2760
|
-
logger$
|
|
2760
|
+
logger$c.getToken.info(formatError(scopes, error));
|
|
2761
2761
|
throw error;
|
|
2762
2762
|
}
|
|
2763
2763
|
if (isLoginError) {
|
|
2764
2764
|
const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
|
|
2765
|
-
logger$
|
|
2765
|
+
logger$c.getToken.info(formatError(scopes, error));
|
|
2766
2766
|
throw error;
|
|
2767
2767
|
}
|
|
2768
2768
|
try {
|
|
2769
2769
|
const responseData = obj.stdout;
|
|
2770
2770
|
const response = this.parseRawResponse(responseData);
|
|
2771
|
-
logger$
|
|
2771
|
+
logger$c.getToken.info(formatSuccess(scopes));
|
|
2772
2772
|
return response;
|
|
2773
2773
|
}
|
|
2774
2774
|
catch (e) {
|
|
@@ -2782,7 +2782,7 @@ class AzureCliCredential {
|
|
|
2782
2782
|
const error = err.name === "CredentialUnavailableError"
|
|
2783
2783
|
? err
|
|
2784
2784
|
: new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
|
|
2785
|
-
logger$
|
|
2785
|
+
logger$c.getToken.info(formatError(scopes, error));
|
|
2786
2786
|
throw error;
|
|
2787
2787
|
}
|
|
2788
2788
|
});
|
|
@@ -2804,7 +2804,7 @@ class AzureCliCredential {
|
|
|
2804
2804
|
// ensure it's a number or NaN
|
|
2805
2805
|
let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;
|
|
2806
2806
|
if (!isNaN(expiresOnTimestamp)) {
|
|
2807
|
-
logger$
|
|
2807
|
+
logger$c.getToken.info("expires_on is available and is valid, using it");
|
|
2808
2808
|
return {
|
|
2809
2809
|
token,
|
|
2810
2810
|
expiresOnTimestamp,
|
|
@@ -2823,6 +2823,170 @@ class AzureCliCredential {
|
|
|
2823
2823
|
}
|
|
2824
2824
|
}
|
|
2825
2825
|
|
|
2826
|
+
// Copyright (c) Microsoft Corporation.
|
|
2827
|
+
// Licensed under the MIT license.
|
|
2828
|
+
/**
|
|
2829
|
+
* Mockable reference to the Developer CLI credential cliCredentialFunctions
|
|
2830
|
+
* @internal
|
|
2831
|
+
*/
|
|
2832
|
+
const developerCliCredentialInternals = {
|
|
2833
|
+
/**
|
|
2834
|
+
* @internal
|
|
2835
|
+
*/
|
|
2836
|
+
getSafeWorkingDir() {
|
|
2837
|
+
if (process.platform === "win32") {
|
|
2838
|
+
if (!process.env.SystemRoot) {
|
|
2839
|
+
throw new Error("Azure Developer CLI credential expects a 'SystemRoot' environment variable");
|
|
2840
|
+
}
|
|
2841
|
+
return process.env.SystemRoot;
|
|
2842
|
+
}
|
|
2843
|
+
else {
|
|
2844
|
+
return "/bin";
|
|
2845
|
+
}
|
|
2846
|
+
},
|
|
2847
|
+
/**
|
|
2848
|
+
* Gets the access token from Azure Developer CLI
|
|
2849
|
+
* @param scopes - The scopes to use when getting the token
|
|
2850
|
+
* @internal
|
|
2851
|
+
*/
|
|
2852
|
+
async getAzdAccessToken(scopes, tenantId, timeout) {
|
|
2853
|
+
let tenantSection = [];
|
|
2854
|
+
if (tenantId) {
|
|
2855
|
+
tenantSection = ["--tenant-id", tenantId];
|
|
2856
|
+
}
|
|
2857
|
+
return new Promise((resolve, reject) => {
|
|
2858
|
+
try {
|
|
2859
|
+
child_process.execFile("azd", [
|
|
2860
|
+
"auth",
|
|
2861
|
+
"token",
|
|
2862
|
+
"--output",
|
|
2863
|
+
"json",
|
|
2864
|
+
...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
|
|
2865
|
+
...tenantSection,
|
|
2866
|
+
], {
|
|
2867
|
+
cwd: developerCliCredentialInternals.getSafeWorkingDir(),
|
|
2868
|
+
timeout,
|
|
2869
|
+
}, (error, stdout, stderr) => {
|
|
2870
|
+
resolve({ stdout, stderr, error });
|
|
2871
|
+
});
|
|
2872
|
+
}
|
|
2873
|
+
catch (err) {
|
|
2874
|
+
reject(err);
|
|
2875
|
+
}
|
|
2876
|
+
});
|
|
2877
|
+
},
|
|
2878
|
+
};
|
|
2879
|
+
const logger$b = credentialLogger("AzureDeveloperCliCredential");
|
|
2880
|
+
/**
|
|
2881
|
+
* Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
|
|
2882
|
+
* resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
|
|
2883
|
+
* to Azure developers. It allows users to authenticate as a user and/or a service principal against
|
|
2884
|
+
* <a href="https://learn.microsoft.com/azure/active-directory/fundamentals/">Microsoft Entra ID</a>. The
|
|
2885
|
+
* AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
|
|
2886
|
+
* the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
|
|
2887
|
+
* service principal and executes an Azure CLI command underneath to authenticate the application against
|
|
2888
|
+
* Microsoft Entra ID.
|
|
2889
|
+
*
|
|
2890
|
+
* <h2> Configure AzureDeveloperCliCredential </h2>
|
|
2891
|
+
*
|
|
2892
|
+
* To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the
|
|
2893
|
+
* commands below:
|
|
2894
|
+
*
|
|
2895
|
+
* <ol>
|
|
2896
|
+
* <li>Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.</li>
|
|
2897
|
+
* <li>Run "azd auth login --client-id clientID --client-secret clientSecret
|
|
2898
|
+
* --tenant-id tenantID" to authenticate as a service principal.</li>
|
|
2899
|
+
* </ol>
|
|
2900
|
+
*
|
|
2901
|
+
* You may need to repeat this process after a certain time period, depending on the refresh token validity in your
|
|
2902
|
+
* organization. Generally, the refresh token validity period is a few weeks to a few months.
|
|
2903
|
+
* AzureDeveloperCliCredential will prompt you to sign in again.
|
|
2904
|
+
*/
|
|
2905
|
+
class AzureDeveloperCliCredential {
|
|
2906
|
+
/**
|
|
2907
|
+
* Creates an instance of the {@link AzureDeveloperCliCredential}.
|
|
2908
|
+
*
|
|
2909
|
+
* To use this credential, ensure that you have already logged
|
|
2910
|
+
* in via the 'azd' tool using the command "azd auth login" from the commandline.
|
|
2911
|
+
*
|
|
2912
|
+
* @param options - Options, to optionally allow multi-tenant requests.
|
|
2913
|
+
*/
|
|
2914
|
+
constructor(options) {
|
|
2915
|
+
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
|
2916
|
+
checkTenantId(logger$b, options === null || options === void 0 ? void 0 : options.tenantId);
|
|
2917
|
+
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
|
2918
|
+
}
|
|
2919
|
+
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
2920
|
+
this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
|
|
2921
|
+
}
|
|
2922
|
+
/**
|
|
2923
|
+
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
2924
|
+
* If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
|
|
2925
|
+
*
|
|
2926
|
+
* @param scopes - The list of scopes for which the token will have access.
|
|
2927
|
+
* @param options - The options used to configure any requests this
|
|
2928
|
+
* TokenCredential implementation might make.
|
|
2929
|
+
*/
|
|
2930
|
+
async getToken(scopes, options = {}) {
|
|
2931
|
+
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
|
2932
|
+
if (tenantId) {
|
|
2933
|
+
checkTenantId(logger$b, tenantId);
|
|
2934
|
+
}
|
|
2935
|
+
let scopeList;
|
|
2936
|
+
if (typeof scopes === "string") {
|
|
2937
|
+
scopeList = [scopes];
|
|
2938
|
+
}
|
|
2939
|
+
else {
|
|
2940
|
+
scopeList = scopes;
|
|
2941
|
+
}
|
|
2942
|
+
logger$b.getToken.info(`Using the scopes ${scopes}`);
|
|
2943
|
+
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
2944
|
+
var _a, _b, _c, _d;
|
|
2945
|
+
try {
|
|
2946
|
+
scopeList.forEach((scope) => {
|
|
2947
|
+
ensureValidScopeForDevTimeCreds(scope, logger$b);
|
|
2948
|
+
});
|
|
2949
|
+
const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
|
|
2950
|
+
const isNotLoggedInError = ((_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login")) ||
|
|
2951
|
+
((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("not logged in, run `azd auth login` to login"));
|
|
2952
|
+
const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("azd:(.*)not found")) ||
|
|
2953
|
+
((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'azd' is not recognized"));
|
|
2954
|
+
if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
|
|
2955
|
+
const error = new CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
|
|
2956
|
+
logger$b.getToken.info(formatError(scopes, error));
|
|
2957
|
+
throw error;
|
|
2958
|
+
}
|
|
2959
|
+
if (isNotLoggedInError) {
|
|
2960
|
+
const error = new CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
|
|
2961
|
+
logger$b.getToken.info(formatError(scopes, error));
|
|
2962
|
+
throw error;
|
|
2963
|
+
}
|
|
2964
|
+
try {
|
|
2965
|
+
const resp = JSON.parse(obj.stdout);
|
|
2966
|
+
logger$b.getToken.info(formatSuccess(scopes));
|
|
2967
|
+
return {
|
|
2968
|
+
token: resp.token,
|
|
2969
|
+
expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
|
|
2970
|
+
};
|
|
2971
|
+
}
|
|
2972
|
+
catch (e) {
|
|
2973
|
+
if (obj.stderr) {
|
|
2974
|
+
throw new CredentialUnavailableError(obj.stderr);
|
|
2975
|
+
}
|
|
2976
|
+
throw e;
|
|
2977
|
+
}
|
|
2978
|
+
}
|
|
2979
|
+
catch (err) {
|
|
2980
|
+
const error = err.name === "CredentialUnavailableError"
|
|
2981
|
+
? err
|
|
2982
|
+
: new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
|
|
2983
|
+
logger$b.getToken.info(formatError(scopes, error));
|
|
2984
|
+
throw error;
|
|
2985
|
+
}
|
|
2986
|
+
});
|
|
2987
|
+
}
|
|
2988
|
+
}
|
|
2989
|
+
|
|
2826
2990
|
// Copyright (c) Microsoft Corporation.
|
|
2827
2991
|
// Licensed under the MIT license.
|
|
2828
2992
|
/**
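Review bot: The parsed azd response is returned without validation in the inner try of AzureDeveloperCliCredential.getToken: `JSON.parse(obj.stdout)` accepts any well-formed JSON, so a payload lacking `token` or `expiresOn` hands the caller `{ token: undefined, expiresOnTimestamp: NaN }` instead of a CredentialUnavailableError, whereas the sibling AzureCliCredential.parseRawResponse in this same file guards its expiry with an isNaN check before returning. Validate both fields before the success log, as sketched below; the inner `catch (e)` and the outer `catch (err)` already pass a thrown CredentialUnavailableError through with its type intact, so nothing else needs to change. Since this bundle is build output, the fix belongs in the source it is generated from.
```javascript
const resp = JSON.parse(obj.stdout);
const expiresOnTimestamp = new Date(resp.expiresOn).getTime();
if (typeof resp.token !== "string" || Number.isNaN(expiresOnTimestamp)) {
    throw new CredentialUnavailableError("Azure Developer CLI returned a response without a valid token or expiry.");
}
logger$b.getToken.info(formatSuccess(scopes));
return {
    token: resp.token,
    expiresOnTimestamp,
};
// … unchanged: inner catch (e) and outer catch (err) …
```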
|
|
@@ -3553,262 +3717,140 @@ class EnvironmentCredential {
|
|
|
3553
3717
|
|
|
3554
3718
|
// Copyright (c) Microsoft Corporation.
|
|
3555
3719
|
// Licensed under the MIT license.
|
|
3720
|
+
const logger$4 = credentialLogger("DefaultAzureCredential");
|
|
3556
3721
|
/**
|
|
3557
|
-
*
|
|
3722
|
+
* Creates a {@link ManagedIdentityCredential} from the provided options.
|
|
3723
|
+
* @param options - Options to configure the credential.
|
|
3724
|
+
*
|
|
3558
3725
|
* @internal
|
|
3559
3726
|
*/
|
|
3560
|
-
|
|
3561
|
-
|
|
3562
|
-
|
|
3563
|
-
|
|
3564
|
-
|
|
3565
|
-
|
|
3566
|
-
|
|
3567
|
-
|
|
3568
|
-
|
|
3569
|
-
|
|
3570
|
-
|
|
3571
|
-
|
|
3572
|
-
|
|
3573
|
-
|
|
3574
|
-
}
|
|
3575
|
-
|
|
3576
|
-
|
|
3577
|
-
|
|
3578
|
-
|
|
3579
|
-
|
|
3580
|
-
|
|
3581
|
-
|
|
3582
|
-
if (tenantId) {
|
|
3583
|
-
tenantSection = ["--tenant-id", tenantId];
|
|
3584
|
-
}
|
|
3585
|
-
return new Promise((resolve, reject) => {
|
|
3586
|
-
try {
|
|
3587
|
-
child_process.execFile("azd", [
|
|
3588
|
-
"auth",
|
|
3589
|
-
"token",
|
|
3590
|
-
"--output",
|
|
3591
|
-
"json",
|
|
3592
|
-
...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
|
|
3593
|
-
...tenantSection,
|
|
3594
|
-
], {
|
|
3595
|
-
cwd: developerCliCredentialInternals.getSafeWorkingDir(),
|
|
3596
|
-
timeout,
|
|
3597
|
-
}, (error, stdout, stderr) => {
|
|
3598
|
-
resolve({ stdout, stderr, error });
|
|
3599
|
-
});
|
|
3600
|
-
}
|
|
3601
|
-
catch (err) {
|
|
3602
|
-
reject(err);
|
|
3603
|
-
}
|
|
3604
|
-
});
|
|
3605
|
-
},
|
|
3606
|
-
};
|
|
3607
|
-
const logger$4 = credentialLogger("AzureDeveloperCliCredential");
|
|
3727
|
+
function createDefaultManagedIdentityCredential(options) {
|
|
3728
|
+
var _a, _b, _c;
|
|
3729
|
+
const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
|
|
3730
|
+
const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
|
|
3731
|
+
const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
|
|
3732
|
+
const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
3733
|
+
const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
|
|
3734
|
+
if (managedResourceId) {
|
|
3735
|
+
const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
|
|
3736
|
+
return new ManagedIdentityCredential(managedIdentityResourceIdOptions);
|
|
3737
|
+
}
|
|
3738
|
+
if (workloadFile && workloadIdentityClientId) {
|
|
3739
|
+
const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
|
|
3740
|
+
return new ManagedIdentityCredential(workloadIdentityClientId, workloadIdentityCredentialOptions);
|
|
3741
|
+
}
|
|
3742
|
+
if (managedIdentityClientId) {
|
|
3743
|
+
const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
|
|
3744
|
+
return new ManagedIdentityCredential(managedIdentityClientOptions);
|
|
3745
|
+
}
|
|
3746
|
+
// We may be able to return a UnavailableCredential here, but that may be a breaking change
|
|
3747
|
+
return new ManagedIdentityCredential(options);
|
|
3748
|
+
}
|
|
3608
3749
|
/**
|
|
3609
|
-
*
|
|
3610
|
-
*
|
|
3611
|
-
* to Azure developers. It allows users to authenticate as a user and/or a service principal against
|
|
3612
|
-
* <a href="https://learn.microsoft.com/azure/active-directory/fundamentals/">Microsoft Entra ID</a>. The
|
|
3613
|
-
* AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
|
|
3614
|
-
* the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
|
|
3615
|
-
* service principal and executes an Azure CLI command underneath to authenticate the application against
|
|
3616
|
-
* Microsoft Entra ID.
|
|
3617
|
-
*
|
|
3618
|
-
* <h2> Configure AzureDeveloperCliCredential </h2>
|
|
3619
|
-
*
|
|
3620
|
-
* To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the
|
|
3621
|
-
* commands below:
|
|
3750
|
+
* Creates a {@link WorkloadIdentityCredential} from the provided options.
|
|
3751
|
+
* @param options - Options to configure the credential.
|
|
3622
3752
|
*
|
|
3623
|
-
*
|
|
3624
|
-
* <li>Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.</li>
|
|
3625
|
-
* <li>Run "azd auth login --client-id clientID --client-secret clientSecret
|
|
3626
|
-
* --tenant-id tenantID" to authenticate as a service principal.</li>
|
|
3627
|
-
* </ol>
|
|
3628
|
-
*
|
|
3629
|
-
* You may need to repeat this process after a certain time period, depending on the refresh token validity in your
|
|
3630
|
-
* organization. Generally, the refresh token validity period is a few weeks to a few months.
|
|
3631
|
-
* AzureDeveloperCliCredential will prompt you to sign in again.
|
|
3753
|
+
* @internal
|
|
3632
3754
|
*/
|
|
3633
|
-
|
|
3634
|
-
|
|
3635
|
-
|
|
3636
|
-
|
|
3637
|
-
|
|
3638
|
-
|
|
3639
|
-
|
|
3640
|
-
|
|
3641
|
-
|
|
3642
|
-
constructor(options) {
|
|
3643
|
-
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
|
3644
|
-
checkTenantId(logger$4, options === null || options === void 0 ? void 0 : options.tenantId);
|
|
3645
|
-
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
|
3646
|
-
}
|
|
3647
|
-
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
3648
|
-
this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
|
|
3755
|
+
function createDefaultWorkloadIdentityCredential(options) {
|
|
3756
|
+
var _a, _b, _c;
|
|
3757
|
+
const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
|
|
3758
|
+
const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
|
|
3759
|
+
const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
3760
|
+
const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
|
|
3761
|
+
if (workloadFile && workloadIdentityClientId) {
|
|
3762
|
+
const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId, clientId: workloadIdentityClientId, tokenFilePath: workloadFile });
|
|
3763
|
+
return new WorkloadIdentityCredential(workloadIdentityCredentialOptions);
|
|
3649
3764
|
}
|
|
3650
|
-
|
|
3651
|
-
|
|
3652
|
-
|
|
3653
|
-
*
|
|
3654
|
-
* @param scopes - The list of scopes for which the token will have access.
|
|
3655
|
-
* @param options - The options used to configure any requests this
|
|
3656
|
-
* TokenCredential implementation might make.
|
|
3657
|
-
*/
|
|
3658
|
-
async getToken(scopes, options = {}) {
|
|
3659
|
-
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
|
3660
|
-
if (tenantId) {
|
|
3661
|
-
checkTenantId(logger$4, tenantId);
|
|
3662
|
-
}
|
|
3663
|
-
let scopeList;
|
|
3664
|
-
if (typeof scopes === "string") {
|
|
3665
|
-
scopeList = [scopes];
|
|
3666
|
-
}
|
|
3667
|
-
else {
|
|
3668
|
-
scopeList = scopes;
|
|
3669
|
-
}
|
|
3670
|
-
logger$4.getToken.info(`Using the scopes ${scopes}`);
|
|
3671
|
-
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
3672
|
-
var _a, _b, _c, _d;
|
|
3673
|
-
try {
|
|
3674
|
-
scopeList.forEach((scope) => {
|
|
3675
|
-
ensureValidScopeForDevTimeCreds(scope, logger$4);
|
|
3676
|
-
});
|
|
3677
|
-
const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
|
|
3678
|
-
const isNotLoggedInError = ((_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login")) ||
|
|
3679
|
-
((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("not logged in, run `azd auth login` to login"));
|
|
3680
|
-
const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("azd:(.*)not found")) ||
|
|
3681
|
-
((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'azd' is not recognized"));
|
|
3682
|
-
if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
|
|
3683
|
-
const error = new CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
|
|
3684
|
-
logger$4.getToken.info(formatError(scopes, error));
|
|
3685
|
-
throw error;
|
|
3686
|
-
}
|
|
3687
|
-
if (isNotLoggedInError) {
|
|
3688
|
-
const error = new CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
|
|
3689
|
-
logger$4.getToken.info(formatError(scopes, error));
|
|
3690
|
-
throw error;
|
|
3691
|
-
}
|
|
3692
|
-
try {
|
|
3693
|
-
const resp = JSON.parse(obj.stdout);
|
|
3694
|
-
logger$4.getToken.info(formatSuccess(scopes));
|
|
3695
|
-
return {
|
|
3696
|
-
token: resp.token,
|
|
3697
|
-
expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
|
|
3698
|
-
};
|
|
3699
|
-
}
|
|
3700
|
-
catch (e) {
|
|
3701
|
-
if (obj.stderr) {
|
|
3702
|
-
throw new CredentialUnavailableError(obj.stderr);
|
|
3703
|
-
}
|
|
3704
|
-
throw e;
|
|
3705
|
-
}
|
|
3706
|
-
}
|
|
3707
|
-
catch (err) {
|
|
3708
|
-
const error = err.name === "CredentialUnavailableError"
|
|
3709
|
-
? err
|
|
3710
|
-
: new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
|
|
3711
|
-
logger$4.getToken.info(formatError(scopes, error));
|
|
3712
|
-
throw error;
|
|
3713
|
-
}
|
|
3714
|
-
});
|
|
3765
|
+
if (tenantId) {
|
|
3766
|
+
const workloadIdentityClientTenantOptions = Object.assign(Object.assign({}, options), { tenantId });
|
|
3767
|
+
return new WorkloadIdentityCredential(workloadIdentityClientTenantOptions);
|
|
3715
3768
|
}
|
|
3769
|
+
// We may be able to return a UnavailableCredential here, but that may be a breaking change
|
|
3770
|
+
return new WorkloadIdentityCredential(options);
|
|
3716
3771
|
}
|
|
3717
|
-
|
|
3718
|
-
// Copyright (c) Microsoft Corporation.
|
|
3719
|
-
// Licensed under the MIT license.
|
|
3720
3772
|
/**
|
|
3721
|
-
*
|
|
3722
|
-
*
|
|
3773
|
+
* Creates a {@link AzureDeveloperCliCredential} from the provided options.
|
|
3774
|
+
* @param options - Options to configure the credential.
|
|
3723
3775
|
*
|
|
3724
3776
|
* @internal
|
|
3725
3777
|
*/
|
|
3726
|
-
|
|
3727
|
-
|
|
3728
|
-
|
|
3729
|
-
constructor(options) {
|
|
3730
|
-
var _a, _b, _c;
|
|
3731
|
-
const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
|
|
3732
|
-
const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
|
|
3733
|
-
const managedResourceId = options === null || options === void 0 ? void 0 : options.managedIdentityResourceId;
|
|
3734
|
-
const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
3735
|
-
const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
|
|
3736
|
-
// ManagedIdentityCredential throws if both the resourceId and the clientId are provided.
|
|
3737
|
-
if (managedResourceId) {
|
|
3738
|
-
const managedIdentityResourceIdOptions = Object.assign(Object.assign({}, options), { resourceId: managedResourceId });
|
|
3739
|
-
super(managedIdentityResourceIdOptions);
|
|
3740
|
-
}
|
|
3741
|
-
else if (workloadFile && workloadIdentityClientId) {
|
|
3742
|
-
const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId: tenantId });
|
|
3743
|
-
super(workloadIdentityClientId, workloadIdentityCredentialOptions);
|
|
3744
|
-
}
|
|
3745
|
-
else if (managedIdentityClientId) {
|
|
3746
|
-
const managedIdentityClientOptions = Object.assign(Object.assign({}, options), { clientId: managedIdentityClientId });
|
|
3747
|
-
super(managedIdentityClientOptions);
|
|
3748
|
-
}
|
|
3749
|
-
else {
|
|
3750
|
-
super(options);
|
|
3751
|
-
}
|
|
3752
|
-
}
|
|
3778
|
+
function createDefaultAzureDeveloperCliCredential(options = {}) {
|
|
3779
|
+
const processTimeoutInMs = options.processTimeoutInMs;
|
|
3780
|
+
return new AzureDeveloperCliCredential(Object.assign({ processTimeoutInMs }, options));
|
|
3753
3781
|
}
|
|
3754
3782
|
/**
|
|
3755
|
-
*
|
|
3756
|
-
*
|
|
3783
|
+
* Creates a {@link AzureCliCredential} from the provided options.
|
|
3784
|
+
* @param options - Options to configure the credential.
|
|
3757
3785
|
*
|
|
3758
3786
|
* @internal
|
|
3759
3787
|
*/
|
|
3760
|
-
|
|
3761
|
-
|
|
3762
|
-
|
|
3763
|
-
constructor(options) {
|
|
3764
|
-
var _a, _b, _c;
|
|
3765
|
-
const managedIdentityClientId = (_a = options === null || options === void 0 ? void 0 : options.managedIdentityClientId) !== null && _a !== void 0 ? _a : process.env.AZURE_CLIENT_ID;
|
|
3766
|
-
const workloadIdentityClientId = (_b = options === null || options === void 0 ? void 0 : options.workloadIdentityClientId) !== null && _b !== void 0 ? _b : managedIdentityClientId;
|
|
3767
|
-
const workloadFile = process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
3768
|
-
const tenantId = (_c = options === null || options === void 0 ? void 0 : options.tenantId) !== null && _c !== void 0 ? _c : process.env.AZURE_TENANT_ID;
|
|
3769
|
-
if (workloadFile && workloadIdentityClientId) {
|
|
3770
|
-
const workloadIdentityCredentialOptions = Object.assign(Object.assign({}, options), { tenantId, clientId: workloadIdentityClientId, tokenFilePath: workloadFile });
|
|
3771
|
-
super(workloadIdentityCredentialOptions);
|
|
3772
|
-
}
|
|
3773
|
-
else if (tenantId) {
|
|
3774
|
-
const workloadIdentityClientTenantOptions = Object.assign(Object.assign({}, options), { tenantId });
|
|
3775
|
-
super(workloadIdentityClientTenantOptions);
|
|
3776
|
-
}
|
|
3777
|
-
else {
|
|
3778
|
-
super(options);
|
|
3779
|
-
}
|
|
3780
|
-
}
|
|
3788
|
+
function createDefaultAzureCliCredential(options = {}) {
|
|
3789
|
+
const processTimeoutInMs = options.processTimeoutInMs;
|
|
3790
|
+
return new AzureCliCredential(Object.assign({ processTimeoutInMs }, options));
|
|
3781
3791
|
}
|
|
3782
|
-
|
|
3783
|
-
|
|
3784
|
-
|
|
3785
|
-
|
|
3792
|
+
/**
|
|
3793
|
+
* Creates a {@link AzurePowerShellCredential} from the provided options.
|
|
3794
|
+
* @param options - Options to configure the credential.
|
|
3795
|
+
*
|
|
3796
|
+
* @internal
|
|
3797
|
+
*/
|
|
3798
|
+
function createDefaultAzurePowershellCredential(options = {}) {
|
|
3799
|
+
const processTimeoutInMs = options.processTimeoutInMs;
|
|
3800
|
+
return new AzurePowerShellCredential(Object.assign({ processTimeoutInMs }, options));
|
|
3786
3801
|
}
|
|
3787
|
-
|
|
3788
|
-
|
|
3789
|
-
|
|
3790
|
-
|
|
3802
|
+
/**
|
|
3803
|
+
* Creates an {@link EnvironmentCredential} from the provided options.
|
|
3804
|
+
* @param options - Options to configure the credential.
|
|
3805
|
+
*
|
|
3806
|
+
* @internal
|
|
3807
|
+
*/
|
|
3808
|
+
function createEnvironmentCredential(options = {}) {
|
|
3809
|
+
return new EnvironmentCredential(options);
|
|
3791
3810
|
}
|
|
3792
|
-
|
|
3793
|
-
|
|
3794
|
-
|
|
3811
|
+
/**
|
|
3812
|
+
* A no-op credential that logs the reason it was skipped if getToken is called.
|
|
3813
|
+
* @internal
|
|
3814
|
+
*/
|
|
3815
|
+
class UnavailableDefaultCredential {
|
|
3816
|
+
constructor(credentialName, message) {
|
|
3817
|
+
this.credentialName = credentialName;
|
|
3818
|
+
this.credentialUnavailableErrorMessage = message;
|
|
3819
|
+
}
|
|
3820
|
+
getToken() {
|
|
3821
|
+
logger$4.getToken.info(`Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`);
|
|
3822
|
+
return Promise.resolve(null);
|
|
3795
3823
|
}
|
|
3796
3824
|
}
|
|
3797
|
-
const defaultCredentials = [
|
|
3798
|
-
EnvironmentCredential,
|
|
3799
|
-
DefaultWorkloadIdentityCredential,
|
|
3800
|
-
DefaultManagedIdentityCredential,
|
|
3801
|
-
DefaultAzureCliCredential,
|
|
3802
|
-
DefaultAzurePowershellCredential,
|
|
3803
|
-
DefaultAzureDeveloperCliCredential,
|
|
3804
|
-
];
|
|
3805
3825
|
/**
|
|
3806
3826
|
* Provides a default {@link ChainedTokenCredential} configuration that should
|
|
3807
3827
|
* work for most applications that use the Azure SDK.
|
|
3808
3828
|
*/
|
|
3809
3829
|
class DefaultAzureCredential extends ChainedTokenCredential {
|
|
3810
3830
|
constructor(options) {
|
|
3811
|
-
|
|
3831
|
+
const credentialFunctions = [
|
|
3832
|
+
createEnvironmentCredential,
|
|
3833
|
+
createDefaultWorkloadIdentityCredential,
|
|
3834
|
+
createDefaultManagedIdentityCredential,
|
|
3835
|
+
createDefaultAzureCliCredential,
|
|
3836
|
+
createDefaultAzurePowershellCredential,
|
|
3837
|
+
createDefaultAzureDeveloperCliCredential,
|
|
3838
|
+
];
|
|
3839
|
+
// DefaultCredential constructors should not throw, instead throwing on getToken() which is handled by ChainedTokenCredential.
|
|
3840
|
+
// When adding new credentials to the default chain, consider:
|
|
3841
|
+
// 1. Making the constructor parameters required and explicit
|
|
3842
|
+
// 2. Validating any required parameters in the factory function
|
|
3843
|
+
// 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason
|
|
3844
|
+
const credentials = credentialFunctions.map((createCredentialFn) => {
|
|
3845
|
+
try {
|
|
3846
|
+
return createCredentialFn(options);
|
|
3847
|
+
}
|
|
3848
|
+
catch (err) {
|
|
3849
|
+
logger$4.warning(`Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`);
|
|
3850
|
+
return new UnavailableDefaultCredential(createCredentialFn.name, err.message);
|
|
3851
|
+
}
|
|
3852
|
+
});
|
|
3853
|
+
super(...credentials);
|
|
3812
3854
|
}
|
|
3813
3855
|
}
|
|
3814
3856
|
|
|
@@ -4304,7 +4346,7 @@ exports.VisualStudioCodeCredential = VisualStudioCodeCredential;
|
|
|
4304
4346
|
exports.WorkloadIdentityCredential = WorkloadIdentityCredential;
|
|
4305
4347
|
exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
|
|
4306
4348
|
exports.getDefaultAzureCredential = getDefaultAzureCredential;
|
|
4307
|
-
exports.logger = logger$
|
|
4349
|
+
exports.logger = logger$p;
|
|
4308
4350
|
exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
|
|
4309
4351
|
exports.useIdentityPlugin = useIdentityPlugin;
|
|
4310
4352
|
//# sourceMappingURL=index.js.map
|