@azure/identity 4.11.2 → 4.12.1-alpha.20251006.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (193) hide show
  1. package/README.md +2 -1
  2. package/dist/browser/constants.d.ts +1 -1
  3. package/dist/browser/constants.js +1 -1
  4. package/dist/browser/constants.js.map +1 -1
  5. package/dist/browser/credentials/defaultAzureCredentialFunctions.d.ts +3 -1
  6. package/dist/browser/credentials/defaultAzureCredentialFunctions.d.ts.map +1 -1
  7. package/dist/browser/credentials/defaultAzureCredentialFunctions.js +4 -0
  8. package/dist/browser/credentials/defaultAzureCredentialFunctions.js.map +1 -1
  9. package/dist/browser/credentials/defaultAzureCredentialOptions.d.ts +12 -0
  10. package/dist/browser/credentials/defaultAzureCredentialOptions.d.ts.map +1 -1
  11. package/dist/browser/credentials/defaultAzureCredentialOptions.js.map +1 -1
  12. package/dist/browser/credentials/managedIdentityCredential/options.d.ts +15 -0
  13. package/dist/browser/credentials/managedIdentityCredential/options.d.ts.map +1 -1
  14. package/dist/browser/credentials/managedIdentityCredential/options.js.map +1 -1
  15. package/dist/browser/index.d.ts +1 -1
  16. package/dist/browser/index.d.ts.map +1 -1
  17. package/dist/browser/index.js.map +1 -1
  18. package/dist/browser/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -1
  19. package/dist/browser/msal/browserFlows/msalBrowserCommon.js +0 -1
  20. package/dist/browser/msal/browserFlows/msalBrowserCommon.js.map +1 -1
  21. package/dist/browser/msal/nodeFlows/msalClient.d.ts.map +1 -1
  22. package/dist/browser/msal/nodeFlows/msalClient.js +0 -2
  23. package/dist/browser/msal/nodeFlows/msalClient.js.map +1 -1
  24. package/dist/browser/msal/nodeFlows/msalPlugins.d.ts.map +1 -1
  25. package/dist/browser/msal/nodeFlows/msalPlugins.js +50 -22
  26. package/dist/browser/msal/nodeFlows/msalPlugins.js.map +1 -1
  27. package/dist/browser/msal/utils.d.ts.map +1 -1
  28. package/dist/browser/msal/utils.js +0 -4
  29. package/dist/browser/msal/utils.js.map +1 -1
  30. package/dist/commonjs/constants.d.ts +1 -1
  31. package/dist/commonjs/constants.js +1 -1
  32. package/dist/commonjs/constants.js.map +1 -1
  33. package/dist/commonjs/credentials/azureCliCredential.d.ts +11 -0
  34. package/dist/commonjs/credentials/azureCliCredential.d.ts.map +1 -1
  35. package/dist/commonjs/credentials/azureCliCredential.js +29 -6
  36. package/dist/commonjs/credentials/azureCliCredential.js.map +1 -1
  37. package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts +11 -1
  38. package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts.map +1 -1
  39. package/dist/commonjs/credentials/azureDeveloperCliCredential.js +34 -6
  40. package/dist/commonjs/credentials/azureDeveloperCliCredential.js.map +1 -1
  41. package/dist/commonjs/credentials/azurePowerShellCredential.d.ts +1 -0
  42. package/dist/commonjs/credentials/azurePowerShellCredential.d.ts.map +1 -1
  43. package/dist/commonjs/credentials/azurePowerShellCredential.js +14 -1
  44. package/dist/commonjs/credentials/azurePowerShellCredential.js.map +1 -1
  45. package/dist/commonjs/credentials/defaultAzureCredential.d.ts +18 -1
  46. package/dist/commonjs/credentials/defaultAzureCredential.d.ts.map +1 -1
  47. package/dist/commonjs/credentials/defaultAzureCredential.js +42 -3
  48. package/dist/commonjs/credentials/defaultAzureCredential.js.map +1 -1
  49. package/dist/commonjs/credentials/defaultAzureCredentialFunctions.d.ts +3 -1
  50. package/dist/commonjs/credentials/defaultAzureCredentialFunctions.d.ts.map +1 -1
  51. package/dist/commonjs/credentials/defaultAzureCredentialFunctions.js +4 -0
  52. package/dist/commonjs/credentials/defaultAzureCredentialFunctions.js.map +1 -1
  53. package/dist/commonjs/credentials/defaultAzureCredentialOptions.d.ts +12 -0
  54. package/dist/commonjs/credentials/defaultAzureCredentialOptions.d.ts.map +1 -1
  55. package/dist/commonjs/credentials/defaultAzureCredentialOptions.js.map +1 -1
  56. package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts +1 -0
  57. package/dist/commonjs/credentials/managedIdentityCredential/index.d.ts.map +1 -1
  58. package/dist/commonjs/credentials/managedIdentityCredential/index.js +6 -2
  59. package/dist/commonjs/credentials/managedIdentityCredential/index.js.map +1 -1
  60. package/dist/commonjs/credentials/managedIdentityCredential/options.d.ts +15 -0
  61. package/dist/commonjs/credentials/managedIdentityCredential/options.d.ts.map +1 -1
  62. package/dist/commonjs/credentials/managedIdentityCredential/options.js.map +1 -1
  63. package/dist/commonjs/credentials/visualStudioCodeCredential.d.ts.map +1 -1
  64. package/dist/commonjs/credentials/visualStudioCodeCredential.js +5 -1
  65. package/dist/commonjs/credentials/visualStudioCodeCredential.js.map +1 -1
  66. package/dist/commonjs/index.d.ts +1 -1
  67. package/dist/commonjs/index.d.ts.map +1 -1
  68. package/dist/commonjs/index.js.map +1 -1
  69. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -1
  70. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.js +0 -1
  71. package/dist/commonjs/msal/browserFlows/msalBrowserCommon.js.map +1 -1
  72. package/dist/commonjs/msal/nodeFlows/msalClient.d.ts.map +1 -1
  73. package/dist/commonjs/msal/nodeFlows/msalClient.js +0 -2
  74. package/dist/commonjs/msal/nodeFlows/msalClient.js.map +1 -1
  75. package/dist/commonjs/msal/nodeFlows/msalPlugins.d.ts.map +1 -1
  76. package/dist/commonjs/msal/nodeFlows/msalPlugins.js +50 -22
  77. package/dist/commonjs/msal/nodeFlows/msalPlugins.js.map +1 -1
  78. package/dist/commonjs/msal/utils.d.ts.map +1 -1
  79. package/dist/commonjs/msal/utils.js +0 -4
  80. package/dist/commonjs/msal/utils.js.map +1 -1
  81. package/dist/commonjs/plugins/consumer.d.ts.map +1 -1
  82. package/dist/commonjs/plugins/consumer.js +0 -1
  83. package/dist/commonjs/plugins/consumer.js.map +1 -1
  84. package/dist/commonjs/tsdoc-metadata.json +1 -1
  85. package/dist/esm/constants.d.ts +1 -1
  86. package/dist/esm/constants.js +1 -1
  87. package/dist/esm/constants.js.map +1 -1
  88. package/dist/esm/credentials/azureCliCredential.d.ts +11 -0
  89. package/dist/esm/credentials/azureCliCredential.d.ts.map +1 -1
  90. package/dist/esm/credentials/azureCliCredential.js +28 -5
  91. package/dist/esm/credentials/azureCliCredential.js.map +1 -1
  92. package/dist/esm/credentials/azureDeveloperCliCredential.d.ts +11 -1
  93. package/dist/esm/credentials/azureDeveloperCliCredential.d.ts.map +1 -1
  94. package/dist/esm/credentials/azureDeveloperCliCredential.js +33 -5
  95. package/dist/esm/credentials/azureDeveloperCliCredential.js.map +1 -1
  96. package/dist/esm/credentials/azurePowerShellCredential.d.ts +1 -0
  97. package/dist/esm/credentials/azurePowerShellCredential.d.ts.map +1 -1
  98. package/dist/esm/credentials/azurePowerShellCredential.js +14 -1
  99. package/dist/esm/credentials/azurePowerShellCredential.js.map +1 -1
  100. package/dist/esm/credentials/defaultAzureCredential.d.ts +18 -1
  101. package/dist/esm/credentials/defaultAzureCredential.d.ts.map +1 -1
  102. package/dist/esm/credentials/defaultAzureCredential.js +42 -3
  103. package/dist/esm/credentials/defaultAzureCredential.js.map +1 -1
  104. package/dist/esm/credentials/defaultAzureCredentialFunctions.d.ts +3 -1
  105. package/dist/esm/credentials/defaultAzureCredentialFunctions.d.ts.map +1 -1
  106. package/dist/esm/credentials/defaultAzureCredentialFunctions.js +4 -0
  107. package/dist/esm/credentials/defaultAzureCredentialFunctions.js.map +1 -1
  108. package/dist/esm/credentials/defaultAzureCredentialOptions.d.ts +12 -0
  109. package/dist/esm/credentials/defaultAzureCredentialOptions.d.ts.map +1 -1
  110. package/dist/esm/credentials/defaultAzureCredentialOptions.js.map +1 -1
  111. package/dist/esm/credentials/managedIdentityCredential/index.d.ts +1 -0
  112. package/dist/esm/credentials/managedIdentityCredential/index.d.ts.map +1 -1
  113. package/dist/esm/credentials/managedIdentityCredential/index.js +6 -2
  114. package/dist/esm/credentials/managedIdentityCredential/index.js.map +1 -1
  115. package/dist/esm/credentials/managedIdentityCredential/options.d.ts +15 -0
  116. package/dist/esm/credentials/managedIdentityCredential/options.d.ts.map +1 -1
  117. package/dist/esm/credentials/managedIdentityCredential/options.js.map +1 -1
  118. package/dist/esm/credentials/visualStudioCodeCredential.d.ts.map +1 -1
  119. package/dist/esm/credentials/visualStudioCodeCredential.js +5 -1
  120. package/dist/esm/credentials/visualStudioCodeCredential.js.map +1 -1
  121. package/dist/esm/index.d.ts +1 -1
  122. package/dist/esm/index.d.ts.map +1 -1
  123. package/dist/esm/index.js.map +1 -1
  124. package/dist/esm/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -1
  125. package/dist/esm/msal/browserFlows/msalBrowserCommon.js +0 -1
  126. package/dist/esm/msal/browserFlows/msalBrowserCommon.js.map +1 -1
  127. package/dist/esm/msal/nodeFlows/msalClient.d.ts.map +1 -1
  128. package/dist/esm/msal/nodeFlows/msalClient.js +0 -2
  129. package/dist/esm/msal/nodeFlows/msalClient.js.map +1 -1
  130. package/dist/esm/msal/nodeFlows/msalPlugins.d.ts.map +1 -1
  131. package/dist/esm/msal/nodeFlows/msalPlugins.js +50 -22
  132. package/dist/esm/msal/nodeFlows/msalPlugins.js.map +1 -1
  133. package/dist/esm/msal/utils.d.ts.map +1 -1
  134. package/dist/esm/msal/utils.js +0 -4
  135. package/dist/esm/msal/utils.js.map +1 -1
  136. package/dist/esm/plugins/consumer.d.ts.map +1 -1
  137. package/dist/esm/plugins/consumer.js +0 -1
  138. package/dist/esm/plugins/consumer.js.map +1 -1
  139. package/dist/workerd/constants.d.ts +1 -1
  140. package/dist/workerd/constants.js +1 -1
  141. package/dist/workerd/constants.js.map +1 -1
  142. package/dist/workerd/credentials/azureCliCredential.d.ts +11 -0
  143. package/dist/workerd/credentials/azureCliCredential.d.ts.map +1 -1
  144. package/dist/workerd/credentials/azureCliCredential.js +28 -5
  145. package/dist/workerd/credentials/azureCliCredential.js.map +1 -1
  146. package/dist/workerd/credentials/azureDeveloperCliCredential.d.ts +11 -1
  147. package/dist/workerd/credentials/azureDeveloperCliCredential.d.ts.map +1 -1
  148. package/dist/workerd/credentials/azureDeveloperCliCredential.js +33 -5
  149. package/dist/workerd/credentials/azureDeveloperCliCredential.js.map +1 -1
  150. package/dist/workerd/credentials/azurePowerShellCredential.d.ts +1 -0
  151. package/dist/workerd/credentials/azurePowerShellCredential.d.ts.map +1 -1
  152. package/dist/workerd/credentials/azurePowerShellCredential.js +14 -1
  153. package/dist/workerd/credentials/azurePowerShellCredential.js.map +1 -1
  154. package/dist/workerd/credentials/defaultAzureCredential.d.ts +18 -1
  155. package/dist/workerd/credentials/defaultAzureCredential.d.ts.map +1 -1
  156. package/dist/workerd/credentials/defaultAzureCredential.js +42 -3
  157. package/dist/workerd/credentials/defaultAzureCredential.js.map +1 -1
  158. package/dist/workerd/credentials/defaultAzureCredentialFunctions.d.ts +3 -1
  159. package/dist/workerd/credentials/defaultAzureCredentialFunctions.d.ts.map +1 -1
  160. package/dist/workerd/credentials/defaultAzureCredentialFunctions.js +4 -0
  161. package/dist/workerd/credentials/defaultAzureCredentialFunctions.js.map +1 -1
  162. package/dist/workerd/credentials/defaultAzureCredentialOptions.d.ts +12 -0
  163. package/dist/workerd/credentials/defaultAzureCredentialOptions.d.ts.map +1 -1
  164. package/dist/workerd/credentials/defaultAzureCredentialOptions.js.map +1 -1
  165. package/dist/workerd/credentials/managedIdentityCredential/index.d.ts +1 -0
  166. package/dist/workerd/credentials/managedIdentityCredential/index.d.ts.map +1 -1
  167. package/dist/workerd/credentials/managedIdentityCredential/index.js +6 -2
  168. package/dist/workerd/credentials/managedIdentityCredential/index.js.map +1 -1
  169. package/dist/workerd/credentials/managedIdentityCredential/options.d.ts +15 -0
  170. package/dist/workerd/credentials/managedIdentityCredential/options.d.ts.map +1 -1
  171. package/dist/workerd/credentials/managedIdentityCredential/options.js.map +1 -1
  172. package/dist/workerd/credentials/visualStudioCodeCredential.d.ts.map +1 -1
  173. package/dist/workerd/credentials/visualStudioCodeCredential.js +5 -1
  174. package/dist/workerd/credentials/visualStudioCodeCredential.js.map +1 -1
  175. package/dist/workerd/index.d.ts +1 -1
  176. package/dist/workerd/index.d.ts.map +1 -1
  177. package/dist/workerd/index.js.map +1 -1
  178. package/dist/workerd/msal/browserFlows/msalBrowserCommon.d.ts.map +1 -1
  179. package/dist/workerd/msal/browserFlows/msalBrowserCommon.js +0 -1
  180. package/dist/workerd/msal/browserFlows/msalBrowserCommon.js.map +1 -1
  181. package/dist/workerd/msal/nodeFlows/msalClient.d.ts.map +1 -1
  182. package/dist/workerd/msal/nodeFlows/msalClient.js +0 -2
  183. package/dist/workerd/msal/nodeFlows/msalClient.js.map +1 -1
  184. package/dist/workerd/msal/nodeFlows/msalPlugins.d.ts.map +1 -1
  185. package/dist/workerd/msal/nodeFlows/msalPlugins.js +50 -22
  186. package/dist/workerd/msal/nodeFlows/msalPlugins.js.map +1 -1
  187. package/dist/workerd/msal/utils.d.ts.map +1 -1
  188. package/dist/workerd/msal/utils.js +0 -4
  189. package/dist/workerd/msal/utils.js.map +1 -1
  190. package/dist/workerd/plugins/consumer.d.ts.map +1 -1
  191. package/dist/workerd/plugins/consumer.js +0 -1
  192. package/dist/workerd/plugins/consumer.js.map +1 -1
  193. package/package.json +7 -7
package/dist/commonjs/credentials/azureCliCredential.js CHANGED
@@ -2,7 +2,7 @@
2
2
  // Copyright (c) Microsoft Corporation.
3
3
  // Licensed under the MIT License.
4
4
  Object.defineProperty(exports, "__esModule", { value: true });
5
- exports.AzureCliCredential = exports.cliCredentialInternals = void 0;
5
+ exports.AzureCliCredential = exports.cliCredentialInternals = exports.azureCliPublicErrorMessages = void 0;
6
6
  const tslib_1 = require("tslib");
7
7
  const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
8
8
  const logging_js_1 = require("../util/logging.js");
@@ -12,6 +12,17 @@ const child_process_1 = tslib_1.__importDefault(require("child_process"));
12
12
  const tracing_js_1 = require("../util/tracing.js");
13
13
  const subscriptionUtils_js_1 = require("../util/subscriptionUtils.js");
14
14
  const logger = (0, logging_js_1.credentialLogger)("AzureCliCredential");
15
+ /**
16
+ * Messages to use when throwing in this credential.
17
+ * @internal
18
+ */
19
+ exports.azureCliPublicErrorMessages = {
20
+ claim: "This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:",
21
+ notInstalled: "Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.",
22
+ login: "Please run 'az login' from a command prompt to authenticate before using this credential.",
23
+ unknown: "Unknown error while trying to retrieve the access token",
24
+ unexpectedResponse: 'Unexpected response from Azure CLI when getting token. Expected "expiresOn" to be a RFC3339 date string. Got:',
25
+ };
15
26
  /**
16
27
  * Mockable reference to the CLI credential cliCredentialFunctions
17
28
  * @internal
@@ -111,6 +122,19 @@ class AzureCliCredential {
111
122
  * TokenCredential implementation might make.
112
123
  */
113
124
  async getToken(scopes, options = {}) {
125
+ const scope = typeof scopes === "string" ? scopes : scopes[0];
126
+ const claimsValue = options.claims;
127
+ if (claimsValue && claimsValue.trim()) {
128
+ const encodedClaims = btoa(claimsValue);
129
+ let loginCmd = `az login --claims-challenge ${encodedClaims} --scope ${scope}`;
130
+ const tenantIdFromOptions = options.tenantId;
131
+ if (tenantIdFromOptions) {
132
+ loginCmd += ` --tenant ${tenantIdFromOptions}`;
133
+ }
134
+ const error = new errors_js_1.CredentialUnavailableError(`${exports.azureCliPublicErrorMessages.claim} ${loginCmd}`);
135
+ logger.getToken.info((0, logging_js_1.formatError)(scope, error));
136
+ throw error;
137
+ }
114
138
  const tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, options, this.additionallyAllowedTenantIds);
115
139
  if (tenantId) {
116
140
  (0, tenantIdUtils_js_1.checkTenantId)(logger, tenantId);
@@ -118,7 +142,6 @@ class AzureCliCredential {
118
142
  if (this.subscription) {
119
143
  (0, subscriptionUtils_js_1.checkSubscription)(logger, this.subscription);
120
144
  }
121
- const scope = typeof scopes === "string" ? scopes : scopes[0];
122
145
  logger.getToken.info(`Using the scope ${scope}`);
123
146
  return tracing_js_1.tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
124
147
  try {
@@ -129,12 +152,12 @@ class AzureCliCredential {
129
152
  const isLoginError = obj.stderr?.match("(.*)az login(.*)") && !specificScope;
130
153
  const isNotInstallError = obj.stderr?.match("az:(.*)not found") || obj.stderr?.startsWith("'az' is not recognized");
131
154
  if (isNotInstallError) {
132
- const error = new errors_js_1.CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
155
+ const error = new errors_js_1.CredentialUnavailableError(exports.azureCliPublicErrorMessages.notInstalled);
133
156
  logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
134
157
  throw error;
135
158
  }
136
159
  if (isLoginError) {
137
- const error = new errors_js_1.CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
160
+ const error = new errors_js_1.CredentialUnavailableError(exports.azureCliPublicErrorMessages.login);
138
161
  logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
139
162
  throw error;
140
163
  }
@@ -154,7 +177,7 @@ class AzureCliCredential {
154
177
  catch (err) {
155
178
  const error = err.name === "CredentialUnavailableError"
156
179
  ? err
157
- : new errors_js_1.CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
180
+ : new errors_js_1.CredentialUnavailableError(err.message || exports.azureCliPublicErrorMessages.unknown);
158
181
  logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
159
182
  throw error;
160
183
  }
@@ -188,7 +211,7 @@ class AzureCliCredential {
188
211
  expiresOnTimestamp = new Date(response.expiresOn).getTime();
189
212
  // ensure expiresOn is well-formatted
190
213
  if (isNaN(expiresOnTimestamp)) {
191
- throw new errors_js_1.CredentialUnavailableError(`Unexpected response from Azure CLI when getting token. Expected "expiresOn" to be a RFC3339 date string. Got: "${response.expiresOn}"`);
214
+ throw new errors_js_1.CredentialUnavailableError(`${exports.azureCliPublicErrorMessages.unexpectedResponse} "${response.expiresOn}"`);
192
215
  }
193
216
  return {
194
217
  token,
package/dist/commonjs/credentials/azureCliCredential.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"azureCliCredential.js","sourceRoot":"","sources":["../../../src/credentials/azureCliCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;;AAGlC,+DAIkC;AAClC,mDAAkF;AAClF,yDAA0F;AAG1F,4CAA0D;AAC1D,0EAA0C;AAC1C,mDAAmD;AACnD,uEAAiE;AAEjE,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,oBAAoB,CAAC,CAAC;AAEtD;;;GAGG;AACU,QAAA,sBAAsB,GAAG;IACpC;;OAEG;IACH,iBAAiB;QACf,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,OAAO,CACrB,4GAA4G,CAC7G,CAAC;gBAEF,UAAU,GAAG,aAAa,CAAC;YAC7B,CAAC;YACD,OAAO,UAAU,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,sBAAsB,CAC1B,QAAgB,EAChB,QAAiB,EACjB,YAAqB,EACrB,OAAgB;QAEhB,IAAI,aAAa,GAAa,EAAE,CAAC;QACjC,IAAI,mBAAmB,GAAa,EAAE,CAAC;QACvC,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,YAAY,EAAE,CAAC;YACjB,yEAAyE;YACzE,mBAAmB,GAAG,CAAC,gBAAgB,EAAE,IAAI,YAAY,GAAG,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG;oBACX,SAAS;oBACT,kBAAkB;oBAClB,UAAU;oBACV,MAAM;oBACN,YAAY;oBACZ,QAAQ;oBACR,GAAG,aAAa;oBAChB,GAAG,mBAAmB;iBACvB,CAAC;gBACF,MAAM,OAAO,GAAG,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1C,uBAAa,CAAC,IAAI,CAChB,OAAO,EACP,EAAE,GAAG,EAAE,8BAAsB,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,EAC5D,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;oBACxB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;gBACrD,CAAC,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF;;;;;GAKG;AACH,MAAa,kBAAkB;IACrB,QAAQ,CAAU;IAClB,4BAA4B,CAAW;IACvC,OAAO,CAAU;IACjB,YAAY,CAAU;IAE9B;;;;;;;OAOG;IACH,YAAY,OAAmC;QAC7C,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,IAAA,gCAAa,EAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,OAAO,EAAE,YAAY,EAAE,CAAC;YAC1B,IAAA,wCAAiB,EAAC,MAAM,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;YACjD,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,CAAC;QAC5C,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;QACF,IAAI,QAAQ,EAAE,CAAC;YACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,IAAA,wCAAiB,EAAC,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC9D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;QAEjD,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACrF,IAAI,CAAC;gBACH,IAAA,+CAA+B,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC/C,MAAM,QAAQ,GAAG,IAAA,gCAAgB,EAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,GAAG,GAAG,MAAM,8BAAsB,CAAC,sBAAsB,CAC7D,QAAQ,EACR,QAAQ,EACR,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,OAAO,CACb,CAAC;gBACF,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBACpE,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,aAAa,CAAC;gBAC7E,MAAM,iBAAiB,GACrB,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,wBAAwB,CAAC,CAAC;gBAE5F,IAAI,iBAAiB,EAAE,CAAC;oBACtB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,kLAAkL,CACnL,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,IAAI,YAAY,EAAE,CAAC;oBACjB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,2FAA2F,CAC5F,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,IAAI,CAAC;oBACH,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC;oBAChC,MAAM,QAAQ,GAAgB,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;oBAClE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;oBAC5C,OAAO,QAAQ,CAAC;gBAClB,CAAC;gBAAC,OAAO,CAAM,EAAE,CAAC;oBAChB,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBACf,MAAM,IAAI,sCAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBACnD,CAAC;oBACD,MAAM,CAAC,CAAC;gBACV,CAAC;YACH,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,KAAK,GACT,GAAG,CAAC,IAAI,KAAK,4BAA4B;oBACvC,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,IAAI,sCAA0B,CAC3B,GAAa,CAAC,OAAO,IAAI,yDAAyD,CACpF,CAAC;gBACR,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;OASG;IACK,gBAAgB,CAAC,WAAmB;QAC1C,MAAM,QAAQ,GAAQ,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC;QACnC,8EAA8E;QAC9E,8BAA8B;QAC9B,IAAI,kBAAkB,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC;QACzE,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC/B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YACvE,OAAO;gBACL,KAAK;gBACL,kBAAkB;gBAClB,SAAS,EAAE,QAAQ;aACpB,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,kBAAkB,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QAE5D,qCAAqC;QACrC,IAAI,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,sCAA0B,CAClC,kHAAkH,QAAQ,CAAC,SAAS,GAAG,CACxI,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK;YACL,kBAAkB;YAClB,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;CACF;AArJD,gDAqJC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n checkTenantId,\n processMultiTenantRequest,\n resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { ensureValidScopeForDevTimeCreds, getScopeResource } from \"../util/scopeUtils.js\";\n\nimport type { AzureCliCredentialOptions } from \"./azureCliCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport child_process from \"child_process\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport { checkSubscription } from \"../util/subscriptionUtils.js\";\n\nconst logger = credentialLogger(\"AzureCliCredential\");\n\n/**\n * Mockable reference to the CLI credential cliCredentialFunctions\n * @internal\n */\nexport const cliCredentialInternals = {\n /**\n * @internal\n */\n getSafeWorkingDir(): string {\n if (process.platform === \"win32\") {\n let systemRoot = process.env.SystemRoot || process.env[\"SYSTEMROOT\"];\n if (!systemRoot) {\n logger.getToken.warning(\n \"The SystemRoot environment variable is not set. This may cause issues when using the Azure CLI credential.\",\n );\n\n systemRoot = \"C:\\\\Windows\";\n }\n return systemRoot;\n } else {\n return \"/bin\";\n }\n },\n\n /**\n * Gets the access token from Azure CLI\n * @param resource - The resource to use when getting the token\n * @internal\n */\n async getAzureCliAccessToken(\n resource: string,\n tenantId?: string,\n subscription?: string,\n timeout?: number,\n ): Promise<{ stdout: string; stderr: string; error: Error | null }> {\n let tenantSection: string[] = [];\n let subscriptionSection: string[] = [];\n if (tenantId) {\n tenantSection = [\"--tenant\", tenantId];\n }\n if (subscription) {\n // Add quotes around the subscription to handle subscriptions with spaces\n subscriptionSection = [\"--subscription\", `\"${subscription}\"`];\n }\n return new Promise((resolve, reject) => {\n try {\n const args = [\n \"account\",\n \"get-access-token\",\n \"--output\",\n \"json\",\n \"--resource\",\n resource,\n ...tenantSection,\n ...subscriptionSection,\n ];\n const command = [\"az\", ...args].join(\" \");\n child_process.exec(\n command,\n { cwd: cliCredentialInternals.getSafeWorkingDir(), timeout },\n (error, stdout, stderr) => {\n resolve({ stdout: stdout, stderr: stderr, error });\n },\n );\n } catch (err: any) {\n reject(err);\n }\n });\n },\n};\n\n/**\n * This credential will use the currently logged-in user login information\n * via the Azure CLI ('az') commandline tool.\n * To do so, it will read the user access token and expire time\n * with Azure CLI command \"az account get-access-token\".\n */\nexport class AzureCliCredential implements TokenCredential {\n private tenantId?: string;\n private additionallyAllowedTenantIds: string[];\n private timeout?: number;\n private subscription?: string;\n\n /**\n * Creates an instance of the {@link AzureCliCredential}.\n *\n * To use this credential, ensure that you have already logged\n * in via the 'az' tool using the command \"az login\" from the commandline.\n *\n * @param options - Options, to optionally allow multi-tenant requests.\n */\n constructor(options?: AzureCliCredentialOptions) {\n if (options?.tenantId) {\n checkTenantId(logger, options?.tenantId);\n this.tenantId = options?.tenantId;\n }\n if (options?.subscription) {\n checkSubscription(logger, options?.subscription);\n this.subscription = options?.subscription;\n }\n this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n options?.additionallyAllowedTenants,\n );\n this.timeout = options?.processTimeoutInMs;\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n const tenantId = processMultiTenantRequest(\n this.tenantId,\n options,\n this.additionallyAllowedTenantIds,\n );\n if (tenantId) {\n checkTenantId(logger, tenantId);\n }\n if (this.subscription) {\n checkSubscription(logger, this.subscription);\n }\n const scope = typeof scopes === \"string\" ? scopes : scopes[0];\n logger.getToken.info(`Using the scope ${scope}`);\n\n return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n try {\n ensureValidScopeForDevTimeCreds(scope, logger);\n const resource = getScopeResource(scope);\n const obj = await cliCredentialInternals.getAzureCliAccessToken(\n resource,\n tenantId,\n this.subscription,\n this.timeout,\n );\n const specificScope = obj.stderr?.match(\"(.*)az login --scope(.*)\");\n const isLoginError = obj.stderr?.match(\"(.*)az login(.*)\") && !specificScope;\n const isNotInstallError =\n obj.stderr?.match(\"az:(.*)not found\") || obj.stderr?.startsWith(\"'az' is not recognized\");\n\n if (isNotInstallError) {\n const error = new CredentialUnavailableError(\n \"Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.\",\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n if (isLoginError) {\n const error = new CredentialUnavailableError(\n \"Please run 'az login' from a command prompt to authenticate before using this credential.\",\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n try {\n const responseData = obj.stdout;\n const response: AccessToken = this.parseRawResponse(responseData);\n logger.getToken.info(formatSuccess(scopes));\n return response;\n } catch (e: any) {\n if (obj.stderr) {\n throw new CredentialUnavailableError(obj.stderr);\n }\n throw e;\n }\n } catch (err: any) {\n const error =\n err.name === \"CredentialUnavailableError\"\n ? err\n : new CredentialUnavailableError(\n (err as Error).message || \"Unknown error while trying to retrieve the access token\",\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n });\n }\n\n /**\n * Parses the raw JSON response from the Azure CLI into a usable AccessToken object\n *\n * @param rawResponse - The raw JSON response from the Azure CLI\n * @returns An access token with the expiry time parsed from the raw response\n *\n * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:\n *\n * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.\n */\n private parseRawResponse(rawResponse: string): AccessToken {\n const response: any = JSON.parse(rawResponse);\n const token = response.accessToken;\n // if available, expires_on will be a number representing seconds since epoch.\n // ensure it's a number or NaN\n let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;\n if (!isNaN(expiresOnTimestamp)) {\n logger.getToken.info(\"expires_on is available and is valid, using it\");\n return {\n token,\n expiresOnTimestamp,\n tokenType: \"Bearer\",\n };\n }\n\n // fallback to the older expiresOn - an RFC3339 date string\n expiresOnTimestamp = new Date(response.expiresOn).getTime();\n\n // ensure expiresOn is well-formatted\n if (isNaN(expiresOnTimestamp)) {\n throw new CredentialUnavailableError(\n `Unexpected response from Azure CLI when getting token. Expected \"expiresOn\" to be a RFC3339 date string. Got: \"${response.expiresOn}\"`,\n );\n }\n\n return {\n token,\n expiresOnTimestamp,\n tokenType: \"Bearer\",\n };\n }\n}\n"]}
1
+ {"version":3,"file":"azureCliCredential.js","sourceRoot":"","sources":["../../../src/credentials/azureCliCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;;AAGlC,+DAIkC;AAClC,mDAAkF;AAClF,yDAA0F;AAG1F,4CAA0D;AAC1D,0EAA0C;AAC1C,mDAAmD;AACnD,uEAAiE;AAEjE,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,oBAAoB,CAAC,CAAC;AAEtD;;;GAGG;AACU,QAAA,2BAA2B,GAAG;IACzC,KAAK,EACH,gIAAgI;IAClI,YAAY,EACV,kLAAkL;IACpL,KAAK,EACH,2FAA2F;IAC7F,OAAO,EAAE,yDAAyD;IAClE,kBAAkB,EAChB,+GAA+G;CAClH,CAAC;AAEF;;;GAGG;AACU,QAAA,sBAAsB,GAAG;IACpC;;OAEG;IACH,iBAAiB;QACf,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,OAAO,CACrB,4GAA4G,CAC7G,CAAC;gBAEF,UAAU,GAAG,aAAa,CAAC;YAC7B,CAAC;YACD,OAAO,UAAU,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,sBAAsB,CAC1B,QAAgB,EAChB,QAAiB,EACjB,YAAqB,EACrB,OAAgB;QAEhB,IAAI,aAAa,GAAa,EAAE,CAAC;QACjC,IAAI,mBAAmB,GAAa,EAAE,CAAC;QACvC,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,YAAY,EAAE,CAAC;YACjB,yEAAyE;YACzE,mBAAmB,GAAG,CAAC,gBAAgB,EAAE,IAAI,YAAY,GAAG,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG;oBACX,SAAS;oBACT,kBAAkB;oBAClB,UAAU;oBACV,MAAM;oBACN,YAAY;oBACZ,QAAQ;oBACR,GAAG,aAAa;oBAChB,GAAG,mBAAmB;iBACvB,CAAC;gBACF,MAAM,OAAO,GAAG,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1C,uBAAa,CAAC,IAAI,CAChB,OAAO,EACP,EAAE,GAAG,EAAE,8BAAsB,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,EAC5D,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;oBACxB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;gBACrD,CAAC,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF;;;;;GAKG;AACH,MAAa,kBAAkB;IACrB,QAAQ,CAAU;IAClB,4BAA4B,CAAW;IACvC,OAAO,CAAU;IACjB,YAAY,CAAU;IAE9B;;;;;;;OAOG;IACH,YAAY,OAAmC;QAC7C,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,IAAA,gCAAa,EAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,OAAO,EAAE,YAAY,EAAE,CAAC;YAC1B,IAAA,wCAAiB,EAAC,MAAM,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;YACjD,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,CAAC;QAC5C,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC;QACnC,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;YACtC,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;YACxC,IAAI,QAAQ,GAAG,+BAA+B,aAAa,YAAY,KAAK,EAAE,CAAC;YAE/E,MAAM,mBAAmB,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC7C,IAAI,mBAAmB,EAAE,CAAC;gBACxB,QAAQ,IAAI,aAAa,mBAAmB,EAAE,CAAC;YACjD,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,GAAG,mCAA2B,CAAC,KAAK,IAAI,QAAQ,EAAE,CACnD,CAAC;YACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;YAChD,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;QACF,IAAI,QAAQ,EAAE,CAAC;YACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,IAAA,wCAAiB,EAAC,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;QAEjD,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACrF,IAAI,CAAC;gBACH,IAAA,+CAA+B,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC/C,MAAM,QAAQ,GAAG,IAAA,gCAAgB,EAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,GAAG,GAAG,MAAM,8BAAsB,CAAC,sBAAsB,CAC7D,QAAQ,EACR,QAAQ,EACR,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,OAAO,CACb,CAAC;gBACF,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBACpE,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,aAAa,CAAC;gBAC7E,MAAM,iBAAiB,GACrB,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,wBAAwB,CAAC,CAAC;gBAE5F,IAAI,iBAAiB,EAAE,CAAC;oBACtB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,mCAA2B,CAAC,YAAY,CAAC,CAAC;oBACvF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,IAAI,YAAY,EAAE,CAAC;oBACjB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,mCAA2B,CAAC,KAAK,CAAC,CAAC;oBAChF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,IAAI,CAAC;oBACH,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC;oBAChC,MAAM,QAAQ,GAAgB,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;oBAClE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;oBAC5C,OAAO,QAAQ,CAAC;gBAClB,CAAC;gBAAC,OAAO,CAAM,EAAE,CAAC;oBAChB,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBACf,MAAM,IAAI,sCAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBACnD,CAAC;oBACD,MAAM,CAAC,CAAC;gBACV,CAAC;YACH,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,KAAK,GACT,GAAG,CAAC,IAAI,KAAK,4BAA4B;oBACvC,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,IAAI,sCAA0B,CAC3B,GAAa,CAAC,OAAO,IAAI,mCAA2B,CAAC,OAAO,CAC9D,CAAC;gBACR,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;OASG;IACK,gBAAgB,CAAC,WAAmB;QAC1C,MAAM,QAAQ,GAAQ,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC;QACnC,8EAA8E;QAC9E,8BAA8B;QAC9B,IAAI,kBAAkB,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC;QACzE,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC/B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YACvE,OAAO;gBACL,KAAK;gBACL,kBAAkB;gBAClB,SAAS,EAAE,QAAQ;aACpB,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,kBAAkB,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QAE5D,qCAAqC;QACrC,IAAI,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,sCAA0B,CAClC,GAAG,mCAA2B,CAAC,kBAAkB,KAAK,QAAQ,CAAC,SAAS,GAAG,CAC5E,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK;YACL,kBAAkB;YAClB,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;CACF;AAlKD,gDAkKC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n checkTenantId,\n processMultiTenantRequest,\n resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { ensureValidScopeForDevTimeCreds, getScopeResource } from \"../util/scopeUtils.js\";\n\nimport type { AzureCliCredentialOptions } from \"./azureCliCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport child_process from \"child_process\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport { checkSubscription } from \"../util/subscriptionUtils.js\";\n\nconst logger = credentialLogger(\"AzureCliCredential\");\n\n/**\n * Messages to use when throwing in this credential.\n * @internal\n */\nexport const azureCliPublicErrorMessages = {\n claim:\n \"This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:\",\n notInstalled:\n \"Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.\",\n login:\n \"Please run 'az login' from a command prompt to authenticate before using this credential.\",\n unknown: \"Unknown error while trying to retrieve the access token\",\n unexpectedResponse:\n 'Unexpected response from Azure CLI when getting token. Expected \"expiresOn\" to be a RFC3339 date string. Got:',\n};\n\n/**\n * Mockable reference to the CLI credential cliCredentialFunctions\n * @internal\n */\nexport const cliCredentialInternals = {\n /**\n * @internal\n */\n getSafeWorkingDir(): string {\n if (process.platform === \"win32\") {\n let systemRoot = process.env.SystemRoot || process.env[\"SYSTEMROOT\"];\n if (!systemRoot) {\n logger.getToken.warning(\n \"The SystemRoot environment variable is not set. This may cause issues when using the Azure CLI credential.\",\n );\n\n systemRoot = \"C:\\\\Windows\";\n }\n return systemRoot;\n } else {\n return \"/bin\";\n }\n },\n\n /**\n * Gets the access token from Azure CLI\n * @param resource - The resource to use when getting the token\n * @internal\n */\n async getAzureCliAccessToken(\n resource: string,\n tenantId?: string,\n subscription?: string,\n timeout?: number,\n ): Promise<{ stdout: string; stderr: string; error: Error | null }> {\n let tenantSection: string[] = [];\n let subscriptionSection: string[] = [];\n if (tenantId) {\n tenantSection = [\"--tenant\", tenantId];\n }\n if (subscription) {\n // Add quotes around the subscription to handle subscriptions with spaces\n subscriptionSection = [\"--subscription\", `\"${subscription}\"`];\n }\n return new Promise((resolve, reject) => {\n try {\n const args = [\n \"account\",\n \"get-access-token\",\n \"--output\",\n \"json\",\n \"--resource\",\n resource,\n ...tenantSection,\n ...subscriptionSection,\n ];\n const command = [\"az\", ...args].join(\" \");\n child_process.exec(\n command,\n { cwd: cliCredentialInternals.getSafeWorkingDir(), timeout },\n (error, stdout, stderr) => {\n resolve({ stdout: stdout, stderr: stderr, error });\n },\n );\n } catch (err: any) {\n reject(err);\n }\n });\n },\n};\n\n/**\n * This credential will use the currently logged-in user login information\n * via the Azure CLI ('az') commandline tool.\n * To do so, it will read the user access token and expire time\n * with Azure CLI command \"az account get-access-token\".\n */\nexport class AzureCliCredential implements TokenCredential {\n private tenantId?: string;\n private additionallyAllowedTenantIds: string[];\n private timeout?: number;\n private subscription?: string;\n\n /**\n * Creates an instance of the {@link AzureCliCredential}.\n *\n * To use this credential, ensure that you have already logged\n * in via the 'az' tool using the command \"az login\" from the commandline.\n *\n * @param options - Options, to optionally allow multi-tenant requests.\n */\n constructor(options?: AzureCliCredentialOptions) {\n if (options?.tenantId) {\n checkTenantId(logger, options?.tenantId);\n this.tenantId = options?.tenantId;\n }\n if (options?.subscription) {\n checkSubscription(logger, options?.subscription);\n this.subscription = options?.subscription;\n }\n this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n options?.additionallyAllowedTenants,\n );\n this.timeout = options?.processTimeoutInMs;\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n const scope = typeof scopes === \"string\" ? scopes : scopes[0];\n const claimsValue = options.claims;\n if (claimsValue && claimsValue.trim()) {\n const encodedClaims = btoa(claimsValue);\n let loginCmd = `az login --claims-challenge ${encodedClaims} --scope ${scope}`;\n\n const tenantIdFromOptions = options.tenantId;\n if (tenantIdFromOptions) {\n loginCmd += ` --tenant ${tenantIdFromOptions}`;\n }\n\n const error = new CredentialUnavailableError(\n `${azureCliPublicErrorMessages.claim} ${loginCmd}`,\n );\n logger.getToken.info(formatError(scope, error));\n throw error;\n }\n\n const tenantId = processMultiTenantRequest(\n this.tenantId,\n options,\n this.additionallyAllowedTenantIds,\n );\n if (tenantId) {\n checkTenantId(logger, tenantId);\n }\n if (this.subscription) {\n checkSubscription(logger, this.subscription);\n }\n logger.getToken.info(`Using the scope ${scope}`);\n\n return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n try {\n ensureValidScopeForDevTimeCreds(scope, logger);\n const resource = getScopeResource(scope);\n const obj = await cliCredentialInternals.getAzureCliAccessToken(\n resource,\n tenantId,\n this.subscription,\n this.timeout,\n );\n const specificScope = obj.stderr?.match(\"(.*)az login --scope(.*)\");\n const isLoginError = obj.stderr?.match(\"(.*)az login(.*)\") && !specificScope;\n const isNotInstallError =\n obj.stderr?.match(\"az:(.*)not found\") || obj.stderr?.startsWith(\"'az' is not recognized\");\n\n if (isNotInstallError) {\n const error = new CredentialUnavailableError(azureCliPublicErrorMessages.notInstalled);\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n if (isLoginError) {\n const error = new CredentialUnavailableError(azureCliPublicErrorMessages.login);\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n try {\n const responseData = obj.stdout;\n const response: AccessToken = this.parseRawResponse(responseData);\n logger.getToken.info(formatSuccess(scopes));\n return response;\n } catch (e: any) {\n if (obj.stderr) {\n throw new CredentialUnavailableError(obj.stderr);\n }\n throw e;\n }\n } catch (err: any) {\n const error =\n err.name === \"CredentialUnavailableError\"\n ? err\n : new CredentialUnavailableError(\n (err as Error).message || azureCliPublicErrorMessages.unknown,\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n });\n }\n\n /**\n * Parses the raw JSON response from the Azure CLI into a usable AccessToken object\n *\n * @param rawResponse - The raw JSON response from the Azure CLI\n * @returns An access token with the expiry time parsed from the raw response\n *\n * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:\n *\n * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.\n */\n private parseRawResponse(rawResponse: string): AccessToken {\n const response: any = JSON.parse(rawResponse);\n const token = response.accessToken;\n // if available, expires_on will be a number representing seconds since epoch.\n // ensure it's a number or NaN\n let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;\n if (!isNaN(expiresOnTimestamp)) {\n logger.getToken.info(\"expires_on is available and is valid, using it\");\n return {\n token,\n expiresOnTimestamp,\n tokenType: \"Bearer\",\n };\n }\n\n // fallback to the older expiresOn - an RFC3339 date string\n expiresOnTimestamp = new Date(response.expiresOn).getTime();\n\n // ensure expiresOn is well-formatted\n if (isNaN(expiresOnTimestamp)) {\n throw new CredentialUnavailableError(\n `${azureCliPublicErrorMessages.unexpectedResponse} \"${response.expiresOn}\"`,\n );\n }\n\n return {\n token,\n expiresOnTimestamp,\n tokenType: \"Bearer\",\n };\n }\n}\n"]}
package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts CHANGED
@@ -1,5 +1,15 @@
1
1
  import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
2
2
  import type { AzureDeveloperCliCredentialOptions } from "./azureDeveloperCliCredentialOptions.js";
3
+ /**
4
+ * Messages to use when throwing in this credential.
5
+ * @internal
6
+ */
7
+ export declare const azureDeveloperCliPublicErrorMessages: {
8
+ notInstalled: string;
9
+ login: string;
10
+ unknown: string;
11
+ claim: string;
12
+ };
3
13
  /**
4
14
  * Mockable reference to the Developer CLI credential cliCredentialFunctions
5
15
  * @internal
@@ -14,7 +24,7 @@ export declare const developerCliCredentialInternals: {
14
24
  * @param scopes - The scopes to use when getting the token
15
25
  * @internal
16
26
  */
17
- getAzdAccessToken(scopes: string[], tenantId?: string, timeout?: number): Promise<{
27
+ getAzdAccessToken(scopes: string[], tenantId?: string, timeout?: number, claims?: string): Promise<{
18
28
  stdout: string;
19
29
  stderr: string;
20
30
  error: Error | null;
package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"azureDeveloperCliCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEtF,OAAO,KAAK,EAAE,kCAAkC,EAAE,MAAM,yCAAyC,CAAC;AAalG;;;GAGG;AACH,eAAO,MAAM,+BAA+B;IAC1C;;OAEG;yBACkB,MAAM;IAiB3B;;;;OAIG;8BAEO,MAAM,EAAE,aACL,MAAM,YACP,MAAM,GACf,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;KAAE,CAAC;CAkCpE,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,2BAA4B,YAAW,eAAe;IACjE,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IAEzB;;;;;;;OAOG;gBACS,OAAO,CAAC,EAAE,kCAAkC;IAWxD;;;;;;;OAOG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;CA4ExB"}
1
+ {"version":3,"file":"azureDeveloperCliCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEtF,OAAO,KAAK,EAAE,kCAAkC,EAAE,MAAM,yCAAyC,CAAC;AAalG;;;GAGG;AACH,eAAO,MAAM,oCAAoC;;;;;CAQhD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B;IAC1C;;OAEG;yBACkB,MAAM;IAiB3B;;;;OAIG;8BAEO,MAAM,EAAE,aACL,MAAM,YACP,MAAM,WACP,MAAM,GACd,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;KAAE,CAAC;CA0CpE,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,2BAA4B,YAAW,eAAe;IACjE,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IAEzB;;;;;;;OAOG;gBACS,OAAO,CAAC,EAAE,kCAAkC;IAWxD;;;;;;;OAOG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;CAwFxB"}
package/dist/commonjs/credentials/azureDeveloperCliCredential.js CHANGED
@@ -2,7 +2,7 @@
2
2
  // Copyright (c) Microsoft Corporation.
3
3
  // Licensed under the MIT License.
4
4
  Object.defineProperty(exports, "__esModule", { value: true });
5
- exports.AzureDeveloperCliCredential = exports.developerCliCredentialInternals = void 0;
5
+ exports.AzureDeveloperCliCredential = exports.developerCliCredentialInternals = exports.azureDeveloperCliPublicErrorMessages = void 0;
6
6
  const tslib_1 = require("tslib");
7
7
  const logging_js_1 = require("../util/logging.js");
8
8
  const errors_js_1 = require("../errors.js");
@@ -11,6 +11,16 @@ const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
11
11
  const tracing_js_1 = require("../util/tracing.js");
12
12
  const scopeUtils_js_1 = require("../util/scopeUtils.js");
13
13
  const logger = (0, logging_js_1.credentialLogger)("AzureDeveloperCliCredential");
14
+ /**
15
+ * Messages to use when throwing in this credential.
16
+ * @internal
17
+ */
18
+ exports.azureDeveloperCliPublicErrorMessages = {
19
+ notInstalled: "Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.",
20
+ login: "Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.",
21
+ unknown: "Unknown error while trying to retrieve the access token",
22
+ claim: "This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:",
23
+ };
14
24
  /**
15
25
  * Mockable reference to the Developer CLI credential cliCredentialFunctions
16
26
  * @internal
@@ -37,11 +47,16 @@ exports.developerCliCredentialInternals = {
37
47
  * @param scopes - The scopes to use when getting the token
38
48
  * @internal
39
49
  */
40
- async getAzdAccessToken(scopes, tenantId, timeout) {
50
+ async getAzdAccessToken(scopes, tenantId, timeout, claims) {
41
51
  let tenantSection = [];
42
52
  if (tenantId) {
43
53
  tenantSection = ["--tenant-id", tenantId];
44
54
  }
55
+ let claimsSections = [];
56
+ if (claims) {
57
+ const encodedClaims = btoa(claims);
58
+ claimsSections = ["--claims", encodedClaims];
59
+ }
45
60
  return new Promise((resolve, reject) => {
46
61
  try {
47
62
  const args = [
@@ -49,8 +64,10 @@ exports.developerCliCredentialInternals = {
49
64
  "token",
50
65
  "--output",
51
66
  "json",
67
+ "--no-prompt",
52
68
  ...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
53
69
  ...tenantSection,
70
+ ...claimsSections,
54
71
  ];
55
72
  const command = ["azd", ...args].join(" ");
56
73
  child_process_1.default.exec(command, {
@@ -137,18 +154,29 @@ class AzureDeveloperCliCredential {
137
154
  scopeList.forEach((scope) => {
138
155
  (0, scopeUtils_js_1.ensureValidScopeForDevTimeCreds)(scope, logger);
139
156
  });
140
- const obj = await exports.developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
157
+ const obj = await exports.developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout, options.claims);
158
+ const isMFARequiredError = obj.stderr?.match("must use multi-factor authentication") ||
159
+ obj.stderr?.match("reauthentication required");
141
160
  const isNotLoggedInError = obj.stderr?.match("not logged in, run `azd login` to login") ||
142
161
  obj.stderr?.match("not logged in, run `azd auth login` to login");
143
162
  const isNotInstallError = obj.stderr?.match("azd:(.*)not found") ||
144
163
  obj.stderr?.startsWith("'azd' is not recognized");
145
164
  if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
146
- const error = new errors_js_1.CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
165
+ const error = new errors_js_1.CredentialUnavailableError(exports.azureDeveloperCliPublicErrorMessages.notInstalled);
147
166
  logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
148
167
  throw error;
149
168
  }
150
169
  if (isNotLoggedInError) {
151
- const error = new errors_js_1.CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
170
+ const error = new errors_js_1.CredentialUnavailableError(exports.azureDeveloperCliPublicErrorMessages.login);
171
+ logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
172
+ throw error;
173
+ }
174
+ if (isMFARequiredError) {
175
+ const scope = scopeList
176
+ .reduce((previous, current) => previous.concat("--scope", current), [])
177
+ .join(" ");
178
+ const loginCmd = `azd auth login ${scope}`;
179
+ const error = new errors_js_1.CredentialUnavailableError(`${exports.azureDeveloperCliPublicErrorMessages.claim} ${loginCmd}`);
152
180
  logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
153
181
  throw error;
154
182
  }
@@ -171,7 +199,7 @@ class AzureDeveloperCliCredential {
171
199
  catch (err) {
172
200
  const error = err.name === "CredentialUnavailableError"
173
201
  ? err
174
- : new errors_js_1.CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
202
+ : new errors_js_1.CredentialUnavailableError(err.message || exports.azureDeveloperCliPublicErrorMessages.unknown);
175
203
  logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
176
204
  throw error;
177
205
  }
package/dist/commonjs/credentials/azureDeveloperCliCredential.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"azureDeveloperCliCredential.js","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;;AAGlC,mDAAkF;AAElF,4CAA0D;AAC1D,0EAA0C;AAC1C,+DAIkC;AAClC,mDAAmD;AACnD,yDAAwE;AAExE,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,6BAA6B,CAAC,CAAC;AAE/D;;;GAGG;AACU,QAAA,+BAA+B,GAAG;IAC7C;;OAEG;IACH,iBAAiB;QACf,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,OAAO,CACrB,sHAAsH,CACvH,CAAC;gBAEF,UAAU,GAAG,aAAa,CAAC;YAC7B,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CACrB,MAAgB,EAChB,QAAiB,EACjB,OAAgB;QAEhB,IAAI,aAAa,GAAa,EAAE,CAAC;QACjC,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG;oBACX,MAAM;oBACN,OAAO;oBACP,UAAU;oBACV,MAAM;oBACN,GAAG,MAAM,CAAC,MAAM,CACd,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,EAC1D,EAAE,CACH;oBACD,GAAG,aAAa;iBACjB,CAAC;gBACF,MAAM,OAAO,GAAG,CAAC,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC3C,uBAAa,CAAC,IAAI,CAChB,OAAO,EACP;oBACE,GAAG,EAAE,uCAA+B,CAAC,iBAAiB,EAAE;oBACxD,OAAO;iBACR,EACD,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;oBACxB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;gBACrC,CAAC,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAa,2BAA2B;IAC9B,QAAQ,CAAU;IAClB,4BAA4B,CAAW;IACvC,OAAO,CAAU;IAEzB;;;;;;;OAOG;IACH,YAAY,OAA4C;QACtD,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,IAAA,gCAAa,EAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;QACF,IAAI,QAAQ,EAAE,CAAC;YACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,SAAmB,CAAC;QACxB,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,SAAS,GAAG,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,MAAM,CAAC;QACrB,CAAC;QACD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oBAAoB,MAAM,EAAE,CAAC,CAAC;QAEnD,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACrF,IAAI,CAAC;gBACH,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;oBAC1B,IAAA,+CAA+B,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBACjD,CAAC,CAAC,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,uCAA+B,CAAC,iBAAiB,CACjE,SAAS,EACT,QAAQ,EACR,IAAI,CAAC,OAAO,CACb,CAAC;gBACF,MAAM,kBAAkB,GACtB,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,yCAAyC,CAAC;oBAC5D,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,8CAA8C,CAAC,CAAC;gBACpE,MAAM,iBAAiB,GACrB,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,mBAAmB,CAAC;oBACtC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,yBAAyB,CAAC,CAAC;gBAEpD,IAAI,iBAAiB,IAAI,CAAC,GAAG,CAAC,KAAK,IAAK,GAAG,CAAC,KAAa,CAAC,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;oBAC7E,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,wKAAwK,CACzK,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,IAAI,kBAAkB,EAAE,CAAC;oBACvB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,+NAA+N,CAChO,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,IAAI,CAAC;oBACH,MAAM,IAAI,GAAyC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBAC1E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;oBAC5C,OAAO;wBACL,KAAK,EAAE,IAAI,CAAC,KAAK;wBACjB,kBAAkB,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;wBACtD,SAAS,EAAE,QAAQ;qBACL,CAAC;gBACnB,CAAC;gBAAC,OAAO,CAAM,EAAE,CAAC;oBAChB,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBACf,MAAM,IAAI,sCAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBACnD,CAAC;oBACD,MAAM,CAAC,CAAC;gBACV,CAAC;YACH,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,KAAK,GACT,GAAG,CAAC,IAAI,KAAK,4BAA4B;oBACvC,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,IAAI,sCAA0B,CAC3B,GAAa,CAAC,OAAO,IAAI,yDAAyD,CACpF,CAAC;gBACR,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AA/GD,kEA+GC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport type { AzureDeveloperCliCredentialOptions } from \"./azureDeveloperCliCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport child_process from \"child_process\";\nimport {\n checkTenantId,\n processMultiTenantRequest,\n resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport { ensureValidScopeForDevTimeCreds } from \"../util/scopeUtils.js\";\n\nconst logger = credentialLogger(\"AzureDeveloperCliCredential\");\n\n/**\n * Mockable reference to the Developer CLI credential cliCredentialFunctions\n * @internal\n */\nexport const developerCliCredentialInternals = {\n /**\n * @internal\n */\n getSafeWorkingDir(): string {\n if (process.platform === \"win32\") {\n let systemRoot = process.env.SystemRoot || process.env[\"SYSTEMROOT\"];\n if (!systemRoot) {\n logger.getToken.warning(\n \"The SystemRoot environment variable is not set. This may cause issues when using the Azure Developer CLI credential.\",\n );\n\n systemRoot = \"C:\\\\Windows\";\n }\n\n return systemRoot;\n } else {\n return \"/bin\";\n }\n },\n\n /**\n * Gets the access token from Azure Developer CLI\n * @param scopes - The scopes to use when getting the token\n * @internal\n */\n async getAzdAccessToken(\n scopes: string[],\n tenantId?: string,\n timeout?: number,\n ): Promise<{ stdout: string; stderr: string; error: Error | null }> {\n let tenantSection: string[] = [];\n if (tenantId) {\n tenantSection = [\"--tenant-id\", tenantId];\n }\n return new Promise((resolve, reject) => {\n try {\n const args = [\n \"auth\",\n \"token\",\n \"--output\",\n \"json\",\n ...scopes.reduce<string[]>(\n (previous, current) => previous.concat(\"--scope\", current),\n [],\n ),\n ...tenantSection,\n ];\n const command = [\"azd\", ...args].join(\" \");\n child_process.exec(\n command,\n {\n cwd: developerCliCredentialInternals.getSafeWorkingDir(),\n timeout,\n },\n (error, stdout, stderr) => {\n resolve({ stdout, stderr, error });\n },\n );\n } catch (err: any) {\n reject(err);\n }\n });\n },\n};\n\n/**\n * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy\n * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific\n * to Azure developers. It allows users to authenticate as a user and/or a service principal against\n * <a href=\"https://learn.microsoft.com/entra/fundamentals/\">Microsoft Entra ID</a>. The\n * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of\n * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or\n * service principal and executes an Azure CLI command underneath to authenticate the application against\n * Microsoft Entra ID.\n *\n * <h2> Configure AzureDeveloperCliCredential </h2>\n *\n * To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the\n * commands below:\n *\n * <ol>\n * <li>Run \"azd auth login\" in Azure Developer CLI to authenticate interactively as a user.</li>\n * <li>Run \"azd auth login --client-id clientID --client-secret clientSecret\n * --tenant-id tenantID\" to authenticate as a service principal.</li>\n * </ol>\n *\n * You may need to repeat this process after a certain time period, depending on the refresh token validity in your\n * organization. Generally, the refresh token validity period is a few weeks to a few months.\n * AzureDeveloperCliCredential will prompt you to sign in again.\n */\nexport class AzureDeveloperCliCredential implements TokenCredential {\n private tenantId?: string;\n private additionallyAllowedTenantIds: string[];\n private timeout?: number;\n\n /**\n * Creates an instance of the {@link AzureDeveloperCliCredential}.\n *\n * To use this credential, ensure that you have already logged\n * in via the 'azd' tool using the command \"azd auth login\" from the commandline.\n *\n * @param options - Options, to optionally allow multi-tenant requests.\n */\n constructor(options?: AzureDeveloperCliCredentialOptions) {\n if (options?.tenantId) {\n checkTenantId(logger, options?.tenantId);\n this.tenantId = options?.tenantId;\n }\n this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n options?.additionallyAllowedTenants,\n );\n this.timeout = options?.processTimeoutInMs;\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n const tenantId = processMultiTenantRequest(\n this.tenantId,\n options,\n this.additionallyAllowedTenantIds,\n );\n if (tenantId) {\n checkTenantId(logger, tenantId);\n }\n let scopeList: string[];\n if (typeof scopes === \"string\") {\n scopeList = [scopes];\n } else {\n scopeList = scopes;\n }\n logger.getToken.info(`Using the scopes ${scopes}`);\n\n return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n try {\n scopeList.forEach((scope) => {\n ensureValidScopeForDevTimeCreds(scope, logger);\n });\n const obj = await developerCliCredentialInternals.getAzdAccessToken(\n scopeList,\n tenantId,\n this.timeout,\n );\n const isNotLoggedInError =\n obj.stderr?.match(\"not logged in, run `azd login` to login\") ||\n obj.stderr?.match(\"not logged in, run `azd auth login` to login\");\n const isNotInstallError =\n obj.stderr?.match(\"azd:(.*)not found\") ||\n obj.stderr?.startsWith(\"'azd' is not recognized\");\n\n if (isNotInstallError || (obj.error && (obj.error as any).code === \"ENOENT\")) {\n const error = new CredentialUnavailableError(\n \"Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.\",\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n if (isNotLoggedInError) {\n const error = new CredentialUnavailableError(\n \"Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.\",\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n try {\n const resp: { token: string; expiresOn: string } = JSON.parse(obj.stdout);\n logger.getToken.info(formatSuccess(scopes));\n return {\n token: resp.token,\n expiresOnTimestamp: new Date(resp.expiresOn).getTime(),\n tokenType: \"Bearer\",\n } as AccessToken;\n } catch (e: any) {\n if (obj.stderr) {\n throw new CredentialUnavailableError(obj.stderr);\n }\n throw e;\n }\n } catch (err: any) {\n const error =\n err.name === \"CredentialUnavailableError\"\n ? err\n : new CredentialUnavailableError(\n (err as Error).message || \"Unknown error while trying to retrieve the access token\",\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n });\n }\n}\n"]}
1
+ {"version":3,"file":"azureDeveloperCliCredential.js","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;;AAGlC,mDAAkF;AAElF,4CAA0D;AAC1D,0EAA0C;AAC1C,+DAIkC;AAClC,mDAAmD;AACnD,yDAAwE;AAExE,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,6BAA6B,CAAC,CAAC;AAE/D;;;GAGG;AACU,QAAA,oCAAoC,GAAG;IAClD,YAAY,EACV,wKAAwK;IAC1K,KAAK,EACH,+NAA+N;IACjO,OAAO,EAAE,yDAAyD;IAClE,KAAK,EACH,gIAAgI;CACnI,CAAC;AAEF;;;GAGG;AACU,QAAA,+BAA+B,GAAG;IAC7C;;OAEG;IACH,iBAAiB;QACf,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,OAAO,CACrB,sHAAsH,CACvH,CAAC;gBAEF,UAAU,GAAG,aAAa,CAAC;YAC7B,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CACrB,MAAgB,EAChB,QAAiB,EACjB,OAAgB,EAChB,MAAe;QAEf,IAAI,aAAa,GAAa,EAAE,CAAC;QACjC,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC;QAED,IAAI,cAAc,GAAa,EAAE,CAAC;QAClC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YACnC,cAAc,GAAG,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG;oBACX,MAAM;oBACN,OAAO;oBACP,UAAU;oBACV,MAAM;oBACN,aAAa;oBACb,GAAG,MAAM,CAAC,MAAM,CACd,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,EAC1D,EAAE,CACH;oBACD,GAAG,aAAa;oBAChB,GAAG,cAAc;iBAClB,CAAC;gBACF,MAAM,OAAO,GAAG,CAAC,KAAK,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC3C,uBAAa,CAAC,IAAI,CAChB,OAAO,EACP;oBACE,GAAG,EAAE,uCAA+B,CAAC,iBAAiB,EAAE;oBACxD,OAAO;iBACR,EACD,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;oBACxB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;gBACrC,CAAC,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAa,2BAA2B;IAC9B,QAAQ,CAAU;IAClB,4BAA4B,CAAW;IACvC,OAAO,CAAU;IAEzB;;;;;;;OAOG;IACH,YAAY,OAA4C;QACtD,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,IAAA,gCAAa,EAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;QACF,IAAI,QAAQ,EAAE,CAAC;YACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,SAAmB,CAAC;QACxB,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,SAAS,GAAG,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,MAAM,CAAC;QACrB,CAAC;QACD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oBAAoB,MAAM,EAAE,CAAC,CAAC;QAEnD,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACrF,IAAI,CAAC;gBACH,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;oBAC1B,IAAA,+CAA+B,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBACjD,CAAC,CAAC,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,uCAA+B,CAAC,iBAAiB,CACjE,SAAS,EACT,QAAQ,EACR,IAAI,CAAC,OAAO,EACZ,OAAO,CAAC,MAAM,CACf,CAAC;gBACF,MAAM,kBAAkB,GACtB,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,sCAAsC,CAAC;oBACzD,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,2BAA2B,CAAC,CAAC;gBACjD,MAAM,kBAAkB,GACtB,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,yCAAyC,CAAC;oBAC5D,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,8CAA8C,CAAC,CAAC;gBACpE,MAAM,iBAAiB,GACrB,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,mBAAmB,CAAC;oBACtC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,yBAAyB,CAAC,CAAC;gBACpD,IAAI,iBAAiB,IAAI,CAAC,GAAG,CAAC,KAAK,IAAK,GAAG,CAAC,KAAa,CAAC,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;oBAC7E,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,4CAAoC,CAAC,YAAY,CAClD,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,IAAI,kBAAkB,EAAE,CAAC;oBACvB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,4CAAoC,CAAC,KAAK,CAAC,CAAC;oBACzF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,IAAI,kBAAkB,EAAE,CAAC;oBACvB,MAAM,KAAK,GAAG,SAAS;yBACpB,MAAM,CAAW,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC;yBAChF,IAAI,CAAC,GAAG,CAAC,CAAC;oBACb,MAAM,QAAQ,GAAG,kBAAkB,KAAK,EAAE,CAAC;oBAC3C,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,GAAG,4CAAoC,CAAC,KAAK,IAAI,QAAQ,EAAE,CAC5D,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,IAAI,CAAC;oBACH,MAAM,IAAI,GAAyC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBAC1E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;oBAC5C,OAAO;wBACL,KAAK,EAAE,IAAI,CAAC,KAAK;wBACjB,kBAAkB,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;wBACtD,SAAS,EAAE,QAAQ;qBACL,CAAC;gBACnB,CAAC;gBAAC,OAAO,CAAM,EAAE,CAAC;oBAChB,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBACf,MAAM,IAAI,sCAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBACnD,CAAC;oBACD,MAAM,CAAC,CAAC;gBACV,CAAC;YACH,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,KAAK,GACT,GAAG,CAAC,IAAI,KAAK,4BAA4B;oBACvC,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,IAAI,sCAA0B,CAC3B,GAAa,CAAC,OAAO,IAAI,4CAAoC,CAAC,OAAO,CACvE,CAAC;gBACR,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AA3HD,kEA2HC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport type { AzureDeveloperCliCredentialOptions } from \"./azureDeveloperCliCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport child_process from \"child_process\";\nimport {\n checkTenantId,\n processMultiTenantRequest,\n resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport { ensureValidScopeForDevTimeCreds } from \"../util/scopeUtils.js\";\n\nconst logger = credentialLogger(\"AzureDeveloperCliCredential\");\n\n/**\n * Messages to use when throwing in this credential.\n * @internal\n */\nexport const azureDeveloperCliPublicErrorMessages = {\n notInstalled:\n \"Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.\",\n login:\n \"Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.\",\n unknown: \"Unknown error while trying to retrieve the access token\",\n claim:\n \"This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:\",\n};\n\n/**\n * Mockable reference to the Developer CLI credential cliCredentialFunctions\n * @internal\n */\nexport const developerCliCredentialInternals = {\n /**\n * @internal\n */\n getSafeWorkingDir(): string {\n if (process.platform === \"win32\") {\n let systemRoot = process.env.SystemRoot || process.env[\"SYSTEMROOT\"];\n if (!systemRoot) {\n logger.getToken.warning(\n \"The SystemRoot environment variable is not set. This may cause issues when using the Azure Developer CLI credential.\",\n );\n\n systemRoot = \"C:\\\\Windows\";\n }\n\n return systemRoot;\n } else {\n return \"/bin\";\n }\n },\n\n /**\n * Gets the access token from Azure Developer CLI\n * @param scopes - The scopes to use when getting the token\n * @internal\n */\n async getAzdAccessToken(\n scopes: string[],\n tenantId?: string,\n timeout?: number,\n claims?: string,\n ): Promise<{ stdout: string; stderr: string; error: Error | null }> {\n let tenantSection: string[] = [];\n if (tenantId) {\n tenantSection = [\"--tenant-id\", tenantId];\n }\n\n let claimsSections: string[] = [];\n if (claims) {\n const encodedClaims = btoa(claims);\n claimsSections = [\"--claims\", encodedClaims];\n }\n return new Promise((resolve, reject) => {\n try {\n const args = [\n \"auth\",\n \"token\",\n \"--output\",\n \"json\",\n \"--no-prompt\",\n ...scopes.reduce<string[]>(\n (previous, current) => previous.concat(\"--scope\", current),\n [],\n ),\n ...tenantSection,\n ...claimsSections,\n ];\n const command = [\"azd\", ...args].join(\" \");\n child_process.exec(\n command,\n {\n cwd: developerCliCredentialInternals.getSafeWorkingDir(),\n timeout,\n },\n (error, stdout, stderr) => {\n resolve({ stdout, stderr, error });\n },\n );\n } catch (err: any) {\n reject(err);\n }\n });\n },\n};\n\n/**\n * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy\n * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific\n * to Azure developers. It allows users to authenticate as a user and/or a service principal against\n * <a href=\"https://learn.microsoft.com/entra/fundamentals/\">Microsoft Entra ID</a>. The\n * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of\n * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or\n * service principal and executes an Azure CLI command underneath to authenticate the application against\n * Microsoft Entra ID.\n *\n * <h2> Configure AzureDeveloperCliCredential </h2>\n *\n * To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the\n * commands below:\n *\n * <ol>\n * <li>Run \"azd auth login\" in Azure Developer CLI to authenticate interactively as a user.</li>\n * <li>Run \"azd auth login --client-id clientID --client-secret clientSecret\n * --tenant-id tenantID\" to authenticate as a service principal.</li>\n * </ol>\n *\n * You may need to repeat this process after a certain time period, depending on the refresh token validity in your\n * organization. Generally, the refresh token validity period is a few weeks to a few months.\n * AzureDeveloperCliCredential will prompt you to sign in again.\n */\nexport class AzureDeveloperCliCredential implements TokenCredential {\n private tenantId?: string;\n private additionallyAllowedTenantIds: string[];\n private timeout?: number;\n\n /**\n * Creates an instance of the {@link AzureDeveloperCliCredential}.\n *\n * To use this credential, ensure that you have already logged\n * in via the 'azd' tool using the command \"azd auth login\" from the commandline.\n *\n * @param options - Options, to optionally allow multi-tenant requests.\n */\n constructor(options?: AzureDeveloperCliCredentialOptions) {\n if (options?.tenantId) {\n checkTenantId(logger, options?.tenantId);\n this.tenantId = options?.tenantId;\n }\n this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n options?.additionallyAllowedTenants,\n );\n this.timeout = options?.processTimeoutInMs;\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n const tenantId = processMultiTenantRequest(\n this.tenantId,\n options,\n this.additionallyAllowedTenantIds,\n );\n if (tenantId) {\n checkTenantId(logger, tenantId);\n }\n let scopeList: string[];\n if (typeof scopes === \"string\") {\n scopeList = [scopes];\n } else {\n scopeList = scopes;\n }\n logger.getToken.info(`Using the scopes ${scopes}`);\n\n return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n try {\n scopeList.forEach((scope) => {\n ensureValidScopeForDevTimeCreds(scope, logger);\n });\n const obj = await developerCliCredentialInternals.getAzdAccessToken(\n scopeList,\n tenantId,\n this.timeout,\n options.claims,\n );\n const isMFARequiredError =\n obj.stderr?.match(\"must use multi-factor authentication\") ||\n obj.stderr?.match(\"reauthentication required\");\n const isNotLoggedInError =\n obj.stderr?.match(\"not logged in, run `azd login` to login\") ||\n obj.stderr?.match(\"not logged in, run `azd auth login` to login\");\n const isNotInstallError =\n obj.stderr?.match(\"azd:(.*)not found\") ||\n obj.stderr?.startsWith(\"'azd' is not recognized\");\n if (isNotInstallError || (obj.error && (obj.error as any).code === \"ENOENT\")) {\n const error = new CredentialUnavailableError(\n azureDeveloperCliPublicErrorMessages.notInstalled,\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n if (isNotLoggedInError) {\n const error = new CredentialUnavailableError(azureDeveloperCliPublicErrorMessages.login);\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n if (isMFARequiredError) {\n const scope = scopeList\n .reduce<string[]>((previous, current) => previous.concat(\"--scope\", current), [])\n .join(\" \");\n const loginCmd = `azd auth login ${scope}`;\n const error = new CredentialUnavailableError(\n `${azureDeveloperCliPublicErrorMessages.claim} ${loginCmd}`,\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n\n try {\n const resp: { token: string; expiresOn: string } = JSON.parse(obj.stdout);\n logger.getToken.info(formatSuccess(scopes));\n return {\n token: resp.token,\n expiresOnTimestamp: new Date(resp.expiresOn).getTime(),\n tokenType: \"Bearer\",\n } as AccessToken;\n } catch (e: any) {\n if (obj.stderr) {\n throw new CredentialUnavailableError(obj.stderr);\n }\n throw e;\n }\n } catch (err: any) {\n const error =\n err.name === \"CredentialUnavailableError\"\n ? err\n : new CredentialUnavailableError(\n (err as Error).message || azureDeveloperCliPublicErrorMessages.unknown,\n );\n logger.getToken.info(formatError(scopes, error));\n throw error;\n }\n });\n }\n}\n"]}
package/dist/commonjs/credentials/azurePowerShellCredential.d.ts CHANGED
@@ -21,6 +21,7 @@ export declare const powerShellErrors: {
21
21
  export declare const powerShellPublicErrorMessages: {
22
22
  login: string;
23
23
  installed: string;
24
+ claim: string;
24
25
  troubleshoot: string;
25
26
  };
26
27
  /**
package/dist/commonjs/credentials/azurePowerShellCredential.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"azurePowerShellCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAStF,OAAO,KAAK,EAAE,gCAAgC,EAAE,MAAM,uCAAuC,CAAC;AAS9F;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAMzD;AAuBD;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;CAI5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAKzC,CAAC;AAUF;;;;GAIG;AACH,eAAO,MAAM,YAAY,UAA0B,CAAC;AAMpD;;;;GAIG;AACH,qBAAa,yBAA0B,YAAW,eAAe;IAC/D,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IAEzB;;;;;;;;;;OAUG;gBACS,OAAO,CAAC,EAAE,gCAAgC;IAWtD;;;OAGG;YACW,6BAA6B;IAwE3C;;;;;;OAMG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;CAwCxB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAyB/C"}
1
+ {"version":3,"file":"azurePowerShellCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAStF,OAAO,KAAK,EAAE,gCAAgC,EAAE,MAAM,uCAAuC,CAAC;AAS9F;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAMzD;AAuBD;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;CAI5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;;CAOzC,CAAC;AAUF;;;;GAIG;AACH,eAAO,MAAM,YAAY,UAA0B,CAAC;AAMpD;;;;GAIG;AACH,qBAAa,yBAA0B,YAAW,eAAe;IAC/D,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IAEzB;;;;;;;;;;OAUG;gBACS,OAAO,CAAC,EAAE,gCAAgC;IAWtD;;;OAGG;YACW,6BAA6B;IAwE3C;;;;;;OAMG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;CA0DxB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAyB/C"}
package/dist/commonjs/credentials/azurePowerShellCredential.js CHANGED
@@ -58,6 +58,7 @@ exports.powerShellErrors = {
58
58
  exports.powerShellPublicErrorMessages = {
59
59
  login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
60
60
  installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`,
61
+ claim: "This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:",
61
62
  troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,
62
63
  };
63
64
  // PowerShell Azure User not logged in error check.
@@ -180,8 +181,20 @@ class AzurePowerShellCredential {
180
181
  */
181
182
  async getToken(scopes, options = {}) {
182
183
  return tracing_js_1.tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
183
- const tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, options, this.additionallyAllowedTenantIds);
184
184
  const scope = typeof scopes === "string" ? scopes : scopes[0];
185
+ const claimsValue = options.claims;
186
+ if (claimsValue && claimsValue.trim()) {
187
+ const encodedClaims = btoa(claimsValue);
188
+ let loginCmd = `Connect-AzAccount -ClaimsChallenge ${encodedClaims}`;
189
+ const tenantIdFromOptions = options.tenantId;
190
+ if (tenantIdFromOptions) {
191
+ loginCmd += ` -Tenant ${tenantIdFromOptions}`;
192
+ }
193
+ const error = new errors_js_1.CredentialUnavailableError(`${exports.powerShellPublicErrorMessages.claim} ${loginCmd}`);
194
+ logger.getToken.info((0, logging_js_1.formatError)(scope, error));
195
+ throw error;
196
+ }
197
+ const tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, options, this.additionallyAllowedTenantIds);
185
198
  if (tenantId) {
186
199
  (0, tenantIdUtils_js_1.checkTenantId)(logger, tenantId);
187
200
  }
package/dist/commonjs/credentials/azurePowerShellCredential.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"azurePowerShellCredential.js","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAyBlC,sCAMC;AAmOD,wCA2BC;AA1RD,+DAIkC;AAClC,mDAAkF;AAClF,yDAA0F;AAG1F,4CAA0D;AAC1D,6DAAuD;AACvD,mDAAmD;AAEnD,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,2BAA2B,CAAC,CAAC;AAE7D,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AAE/C;;;;GAIG;AACH,SAAgB,aAAa,CAAC,WAAmB;IAC/C,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,GAAG,WAAW,MAAM,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,OAAO,WAAW,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,WAAW,CAAC,QAAoB,EAAE,OAAgB;IAC/D,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,EAAE,GAAG,UAAU,CAAC,GAAG,OAAO,CAAC;QACtC,MAAM,MAAM,GAAG,CAAC,MAAM,8BAAY,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,EAAE;YAC5D,QAAQ,EAAE,MAAM;YAChB,OAAO;SACR,CAAC,CAAW,CAAC;QAEd,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACU,QAAA,gBAAgB,GAAG;IAC9B,KAAK,EAAE,gCAAgC;IACvC,SAAS,EACP,uIAAuI;CAC1I,CAAC;AAEF;;;GAGG;AACU,QAAA,6BAA6B,GAAG;IAC3C,KAAK,EACH,8FAA8F;IAChG,SAAS,EAAE,4KAA4K;IACvL,YAAY,EAAE,4FAA4F;CAC3G,CAAC;AAEF,mDAAmD;AACnD,MAAM,YAAY,GAA4C,CAAC,GAAU,EAAE,EAAE,CAC3E,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,wBAAgB,CAAC,KAAK,MAAM,CAAC,CAAC;AAEzD,qDAAqD;AACrD,MAAM,mBAAmB,GAA4C,CAAC,GAAU,EAAE,EAAE,CAClF,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,wBAAgB,CAAC,SAAS,CAAC,CAAC;AAEhD;;;;GAIG;AACU,QAAA,YAAY,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;AAEpD,IAAI,SAAS,EAAE,CAAC;IACd,oBAAY,CAAC,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAa,yBAAyB;IAC5B,QAAQ,CAAU;IAClB,4BAA4B,CAAW;IACvC,OAAO,CAAU;IAEzB;;;;;;;;;;OAUG;IACH,YAAY,OAA0C;QACpD,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,IAAA,gCAAa,EAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,6BAA6B,CACzC,QAAgB,EAChB,QAAiB,EACjB,OAAgB;QAEhB,uDAAuD;QACvD,KAAK,MAAM,iBAAiB,IAAI,CAAC,GAAG,oBAAY,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,WAAW,CAAC,CAAC,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;YAC1D,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,gFAAgF;gBAChF,oBAAY,CAAC,KAAK,EAAE,CAAC;gBACrB,SAAS;YACX,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC;gBAChC;oBACE,iBAAiB;oBACjB,YAAY;oBACZ,iBAAiB;oBACjB,UAAU;oBACV;yBACe,QAAQ,IAAI,EAAE;;;;;6BAKV,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAmC1B;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAC1B,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;IAC9F,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACrF,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;YACF,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC9D,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YAClC,CAAC;YACD,IAAI,CAAC;gBACH,IAAA,+CAA+B,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC/C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;gBACjD,MAAM,QAAQ,GAAG,IAAA,gCAAgB,EAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,6BAA6B,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC5F,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,kBAAkB,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;oBAC1D,SAAS,EAAE,QAAQ;iBACL,CAAC;YACnB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,IAAI,mBAAmB,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,qCAA6B,CAAC,SAAS,CAAC,CAAC;oBACtF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;oBAChD,MAAM,KAAK,CAAC;gBACd,CAAC;qBAAM,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,qCAA6B,CAAC,KAAK,CAAC,CAAC;oBAClF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;oBAChD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,GAAG,GAAG,KAAK,qCAA6B,CAAC,YAAY,EAAE,CACxD,CAAC;gBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;gBAChD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAzJD,8DAyJC;AAED;;;GAGG;AACI,KAAK,UAAU,cAAc,CAClC,MAAc;IAEd,MAAM,SAAS,GAAG,WAAW,CAAC;IAC9B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,kBAAkB,GAAG,MAAM,CAAC;IAChC,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrC,IAAI,WAAW,EAAE,KAAK,EAAE,CAAC;wBACvB,kBAAkB,GAAG,kBAAkB,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;wBAC1D,IAAI,kBAAkB,EAAE,CAAC;4BACvB,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;wBAC9C,CAAC;wBACD,OAAO,WAAW,CAAC;oBACrB,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,8DAA8D,MAAM,EAAE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,yDAAyD,MAAM,EAAE,CAAC,CAAC;AACrF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n checkTenantId,\n processMultiTenantRequest,\n resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { ensureValidScopeForDevTimeCreds, getScopeResource } from \"../util/scopeUtils.js\";\n\nimport type { AzurePowerShellCredentialOptions } from \"./azurePowerShellCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport { processUtils } from \"../util/processUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\n\nconst logger = credentialLogger(\"AzurePowerShellCredential\");\n\nconst isWindows = process.platform === \"win32\";\n\n/**\n * Returns a platform-appropriate command name by appending \".exe\" on Windows.\n *\n * @internal\n */\nexport function formatCommand(commandName: string): string {\n if (isWindows) {\n return `${commandName}.exe`;\n } else {\n return commandName;\n }\n}\n\n/**\n * Receives a list of commands to run, executes them, then returns the outputs.\n * If anything fails, an error is thrown.\n * @internal\n */\nasync function runCommands(commands: string[][], timeout?: number): Promise<string[]> {\n const results: string[] = [];\n\n for (const command of commands) {\n const [file, ...parameters] = command;\n const result = (await processUtils.execFile(file, parameters, {\n encoding: \"utf8\",\n timeout,\n })) as string;\n\n results.push(result);\n }\n\n return results;\n}\n\n/**\n * Known PowerShell errors\n * @internal\n */\nexport const powerShellErrors = {\n login: \"Run Connect-AzAccount to login\",\n installed:\n \"The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory\",\n};\n\n/**\n * Messages to use when throwing in this credential.\n * @internal\n */\nexport const powerShellPublicErrorMessages = {\n login:\n \"Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.\",\n installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: \"Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force\".`,\n troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,\n};\n\n// PowerShell Azure User not logged in error check.\nconst isLoginError: (err: Error) => RegExpMatchArray | null = (err: Error) =>\n err.message.match(`(.*)${powerShellErrors.login}(.*)`);\n\n// Az Module not Installed in Azure PowerShell check.\nconst isNotInstalledError: (err: Error) => RegExpMatchArray | null = (err: Error) =>\n err.message.match(powerShellErrors.installed);\n\n/**\n * The PowerShell commands to be tried, in order.\n *\n * @internal\n */\nexport const commandStack = [formatCommand(\"pwsh\")];\n\nif (isWindows) {\n commandStack.push(formatCommand(\"powershell\"));\n}\n\n/**\n * This credential will use the currently logged-in user information from the\n * Azure PowerShell module. To do so, it will read the user access token and\n * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`\n */\nexport class AzurePowerShellCredential implements TokenCredential {\n private tenantId?: string;\n private additionallyAllowedTenantIds: string[];\n private timeout?: number;\n\n /**\n * Creates an instance of the {@link AzurePowerShellCredential}.\n *\n * To use this credential:\n * - Install the Azure Az PowerShell module with:\n * `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.\n * - You have already logged in to Azure PowerShell using the command\n * `Connect-AzAccount` from the command line.\n *\n * @param options - Options, to optionally allow multi-tenant requests.\n */\n constructor(options?: AzurePowerShellCredentialOptions) {\n if (options?.tenantId) {\n checkTenantId(logger, options?.tenantId);\n this.tenantId = options?.tenantId;\n }\n this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n options?.additionallyAllowedTenants,\n );\n this.timeout = options?.processTimeoutInMs;\n }\n\n /**\n * Gets the access token from Azure PowerShell\n * @param resource - The resource to use when getting the token\n */\n private async getAzurePowerShellAccessToken(\n resource: string,\n tenantId?: string,\n timeout?: number,\n ): Promise<{ Token: string; ExpiresOn: string }> {\n // Clone the stack to avoid mutating it while iterating\n for (const powerShellCommand of [...commandStack]) {\n try {\n await runCommands([[powerShellCommand, \"/?\"]], timeout);\n } catch (e: any) {\n // Remove this credential from the original stack so that we don't try it again.\n commandStack.shift();\n continue;\n }\n\n const results = await runCommands([\n [\n powerShellCommand,\n \"-NoProfile\",\n \"-NonInteractive\",\n \"-Command\",\n `\n $tenantId = \"${tenantId ?? \"\"}\"\n $m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru\n $useSecureString = $m.Version -ge [version]'2.17.0' -and $m.Version -lt [version]'5.0.0'\n\n $params = @{\n ResourceUrl = \"${resource}\"\n }\n\n if ($tenantId.Length -gt 0) {\n $params[\"TenantId\"] = $tenantId\n }\n\n if ($useSecureString) {\n $params[\"AsSecureString\"] = $true\n }\n\n $token = Get-AzAccessToken @params\n\n $result = New-Object -TypeName PSObject\n $result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn\n\n if ($token.Token -is [System.Security.SecureString]) {\n if ($PSVersionTable.PSVersion.Major -lt 7) {\n $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($token.Token)\n try {\n $result | Add-Member -MemberType NoteProperty -Name Token -Value ([System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr))\n }\n finally {\n [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)\n }\n }\n else {\n $result | Add-Member -MemberType NoteProperty -Name Token -Value ($token.Token | ConvertFrom-SecureString -AsPlainText)\n }\n }\n else {\n $result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token\n }\n\n Write-Output (ConvertTo-Json $result)\n `,\n ],\n ]);\n\n const result = results[0];\n return parseJsonToken(result);\n }\n throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n const tenantId = processMultiTenantRequest(\n this.tenantId,\n options,\n this.additionallyAllowedTenantIds,\n );\n const scope = typeof scopes === \"string\" ? scopes : scopes[0];\n if (tenantId) {\n checkTenantId(logger, tenantId);\n }\n try {\n ensureValidScopeForDevTimeCreds(scope, logger);\n logger.getToken.info(`Using the scope ${scope}`);\n const resource = getScopeResource(scope);\n const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);\n logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.Token,\n expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),\n tokenType: \"Bearer\",\n } as AccessToken;\n } catch (err: any) {\n if (isNotInstalledError(err)) {\n const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);\n logger.getToken.info(formatError(scope, error));\n throw error;\n } else if (isLoginError(err)) {\n const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);\n logger.getToken.info(formatError(scope, error));\n throw error;\n }\n const error = new CredentialUnavailableError(\n `${err}. ${powerShellPublicErrorMessages.troubleshoot}`,\n );\n logger.getToken.info(formatError(scope, error));\n throw error;\n }\n });\n }\n}\n\n/**\n *\n * @internal\n */\nexport async function parseJsonToken(\n result: string,\n): Promise<{ Token: string; ExpiresOn: string }> {\n const jsonRegex = /{[^{}]*}/g;\n const matches = result.match(jsonRegex);\n let resultWithoutToken = result;\n if (matches) {\n try {\n for (const item of matches) {\n try {\n const jsonContent = JSON.parse(item);\n if (jsonContent?.Token) {\n resultWithoutToken = resultWithoutToken.replace(item, \"\");\n if (resultWithoutToken) {\n logger.getToken.warning(resultWithoutToken);\n }\n return jsonContent;\n }\n } catch (e) {\n continue;\n }\n }\n } catch (e: any) {\n throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);\n }\n }\n throw new Error(`No access token found in the output. Received output: ${result}`);\n}\n"]}
1
+ {"version":3,"file":"azurePowerShellCredential.js","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAyBlC,sCAMC;AAuPD,wCA2BC;AA9SD,+DAIkC;AAClC,mDAAkF;AAClF,yDAA0F;AAG1F,4CAA0D;AAC1D,6DAAuD;AACvD,mDAAmD;AAEnD,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,2BAA2B,CAAC,CAAC;AAE7D,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AAE/C;;;;GAIG;AACH,SAAgB,aAAa,CAAC,WAAmB;IAC/C,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,GAAG,WAAW,MAAM,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,OAAO,WAAW,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,WAAW,CAAC,QAAoB,EAAE,OAAgB;IAC/D,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,EAAE,GAAG,UAAU,CAAC,GAAG,OAAO,CAAC;QACtC,MAAM,MAAM,GAAG,CAAC,MAAM,8BAAY,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,EAAE;YAC5D,QAAQ,EAAE,MAAM;YAChB,OAAO;SACR,CAAC,CAAW,CAAC;QAEd,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACU,QAAA,gBAAgB,GAAG;IAC9B,KAAK,EAAE,gCAAgC;IACvC,SAAS,EACP,uIAAuI;CAC1I,CAAC;AAEF;;;GAGG;AACU,QAAA,6BAA6B,GAAG;IAC3C,KAAK,EACH,8FAA8F;IAChG,SAAS,EAAE,4KAA4K;IACvL,KAAK,EACH,gIAAgI;IAClI,YAAY,EAAE,4FAA4F;CAC3G,CAAC;AAEF,mDAAmD;AACnD,MAAM,YAAY,GAA4C,CAAC,GAAU,EAAE,EAAE,CAC3E,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,wBAAgB,CAAC,KAAK,MAAM,CAAC,CAAC;AAEzD,qDAAqD;AACrD,MAAM,mBAAmB,GAA4C,CAAC,GAAU,EAAE,EAAE,CAClF,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,wBAAgB,CAAC,SAAS,CAAC,CAAC;AAEhD;;;;GAIG;AACU,QAAA,YAAY,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;AAEpD,IAAI,SAAS,EAAE,CAAC;IACd,oBAAY,CAAC,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAa,yBAAyB;IAC5B,QAAQ,CAAU;IAClB,4BAA4B,CAAW;IACvC,OAAO,CAAU;IAEzB;;;;;;;;;;OAUG;IACH,YAAY,OAA0C;QACpD,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,IAAA,gCAAa,EAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,6BAA6B,CACzC,QAAgB,EAChB,QAAiB,EACjB,OAAgB;QAEhB,uDAAuD;QACvD,KAAK,MAAM,iBAAiB,IAAI,CAAC,GAAG,oBAAY,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,WAAW,CAAC,CAAC,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;YAC1D,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,gFAAgF;gBAChF,oBAAY,CAAC,KAAK,EAAE,CAAC;gBACrB,SAAS;YACX,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC;gBAChC;oBACE,iBAAiB;oBACjB,YAAY;oBACZ,iBAAiB;oBACjB,UAAU;oBACV;yBACe,QAAQ,IAAI,EAAE;;;;;6BAKV,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;WAmC1B;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAC1B,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;IAC9F,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACrF,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAE9D,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC;YACnC,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;gBACtC,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;gBACxC,IAAI,QAAQ,GAAG,sCAAsC,aAAa,EAAE,CAAC;gBAErE,MAAM,mBAAmB,GAAG,OAAO,CAAC,QAAQ,CAAC;gBAC7C,IAAI,mBAAmB,EAAE,CAAC;oBACxB,QAAQ,IAAI,YAAY,mBAAmB,EAAE,CAAC;gBAChD,CAAC;gBACD,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,GAAG,qCAA6B,CAAC,KAAK,IAAI,QAAQ,EAAE,CACrD,CAAC;gBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;gBAChD,MAAM,KAAK,CAAC;YACd,CAAC;YAED,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;YACF,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YAClC,CAAC;YACD,IAAI,CAAC;gBACH,IAAA,+CAA+B,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC/C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;gBACjD,MAAM,QAAQ,GAAG,IAAA,gCAAgB,EAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,6BAA6B,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC5F,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,kBAAkB,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;oBAC1D,SAAS,EAAE,QAAQ;iBACL,CAAC;YACnB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,IAAI,mBAAmB,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,qCAA6B,CAAC,SAAS,CAAC,CAAC;oBACtF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;oBAChD,MAAM,KAAK,CAAC;gBACd,CAAC;qBAAM,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,qCAA6B,CAAC,KAAK,CAAC,CAAC;oBAClF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;oBAChD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,GAAG,GAAG,KAAK,qCAA6B,CAAC,YAAY,EAAE,CACxD,CAAC;gBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;gBAChD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AA3KD,8DA2KC;AAED;;;GAGG;AACI,KAAK,UAAU,cAAc,CAClC,MAAc;IAEd,MAAM,SAAS,GAAG,WAAW,CAAC;IAC9B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,kBAAkB,GAAG,MAAM,CAAC;IAChC,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrC,IAAI,WAAW,EAAE,KAAK,EAAE,CAAC;wBACvB,kBAAkB,GAAG,kBAAkB,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;wBAC1D,IAAI,kBAAkB,EAAE,CAAC;4BACvB,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;wBAC9C,CAAC;wBACD,OAAO,WAAW,CAAC;oBACrB,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,8DAA8D,MAAM,EAAE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,yDAAyD,MAAM,EAAE,CAAC,CAAC;AACrF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n checkTenantId,\n processMultiTenantRequest,\n resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { ensureValidScopeForDevTimeCreds, getScopeResource } from \"../util/scopeUtils.js\";\n\nimport type { AzurePowerShellCredentialOptions } from \"./azurePowerShellCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport { processUtils } from \"../util/processUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\n\nconst logger = credentialLogger(\"AzurePowerShellCredential\");\n\nconst isWindows = process.platform === \"win32\";\n\n/**\n * Returns a platform-appropriate command name by appending \".exe\" on Windows.\n *\n * @internal\n */\nexport function formatCommand(commandName: string): string {\n if (isWindows) {\n return `${commandName}.exe`;\n } else {\n return commandName;\n }\n}\n\n/**\n * Receives a list of commands to run, executes them, then returns the outputs.\n * If anything fails, an error is thrown.\n * @internal\n */\nasync function runCommands(commands: string[][], timeout?: number): Promise<string[]> {\n const results: string[] = [];\n\n for (const command of commands) {\n const [file, ...parameters] = command;\n const result = (await processUtils.execFile(file, parameters, {\n encoding: \"utf8\",\n timeout,\n })) as string;\n\n results.push(result);\n }\n\n return results;\n}\n\n/**\n * Known PowerShell errors\n * @internal\n */\nexport const powerShellErrors = {\n login: \"Run Connect-AzAccount to login\",\n installed:\n \"The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory\",\n};\n\n/**\n * Messages to use when throwing in this credential.\n * @internal\n */\nexport const powerShellPublicErrorMessages = {\n login:\n \"Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.\",\n installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: \"Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force\".`,\n claim:\n \"This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:\",\n troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,\n};\n\n// PowerShell Azure User not logged in error check.\nconst isLoginError: (err: Error) => RegExpMatchArray | null = (err: Error) =>\n err.message.match(`(.*)${powerShellErrors.login}(.*)`);\n\n// Az Module not Installed in Azure PowerShell check.\nconst isNotInstalledError: (err: Error) => RegExpMatchArray | null = (err: Error) =>\n err.message.match(powerShellErrors.installed);\n\n/**\n * The PowerShell commands to be tried, in order.\n *\n * @internal\n */\nexport const commandStack = [formatCommand(\"pwsh\")];\n\nif (isWindows) {\n commandStack.push(formatCommand(\"powershell\"));\n}\n\n/**\n * This credential will use the currently logged-in user information from the\n * Azure PowerShell module. To do so, it will read the user access token and\n * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`\n */\nexport class AzurePowerShellCredential implements TokenCredential {\n private tenantId?: string;\n private additionallyAllowedTenantIds: string[];\n private timeout?: number;\n\n /**\n * Creates an instance of the {@link AzurePowerShellCredential}.\n *\n * To use this credential:\n * - Install the Azure Az PowerShell module with:\n * `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.\n * - You have already logged in to Azure PowerShell using the command\n * `Connect-AzAccount` from the command line.\n *\n * @param options - Options, to optionally allow multi-tenant requests.\n */\n constructor(options?: AzurePowerShellCredentialOptions) {\n if (options?.tenantId) {\n checkTenantId(logger, options?.tenantId);\n this.tenantId = options?.tenantId;\n }\n this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n options?.additionallyAllowedTenants,\n );\n this.timeout = options?.processTimeoutInMs;\n }\n\n /**\n * Gets the access token from Azure PowerShell\n * @param resource - The resource to use when getting the token\n */\n private async getAzurePowerShellAccessToken(\n resource: string,\n tenantId?: string,\n timeout?: number,\n ): Promise<{ Token: string; ExpiresOn: string }> {\n // Clone the stack to avoid mutating it while iterating\n for (const powerShellCommand of [...commandStack]) {\n try {\n await runCommands([[powerShellCommand, \"/?\"]], timeout);\n } catch (e: any) {\n // Remove this credential from the original stack so that we don't try it again.\n commandStack.shift();\n continue;\n }\n\n const results = await runCommands([\n [\n powerShellCommand,\n \"-NoProfile\",\n \"-NonInteractive\",\n \"-Command\",\n `\n $tenantId = \"${tenantId ?? \"\"}\"\n $m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru\n $useSecureString = $m.Version -ge [version]'2.17.0' -and $m.Version -lt [version]'5.0.0'\n\n $params = @{\n ResourceUrl = \"${resource}\"\n }\n\n if ($tenantId.Length -gt 0) {\n $params[\"TenantId\"] = $tenantId\n }\n\n if ($useSecureString) {\n $params[\"AsSecureString\"] = $true\n }\n\n $token = Get-AzAccessToken @params\n\n $result = New-Object -TypeName PSObject\n $result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn\n\n if ($token.Token -is [System.Security.SecureString]) {\n if ($PSVersionTable.PSVersion.Major -lt 7) {\n $ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($token.Token)\n try {\n $result | Add-Member -MemberType NoteProperty -Name Token -Value ([System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr))\n }\n finally {\n [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)\n }\n }\n else {\n $result | Add-Member -MemberType NoteProperty -Name Token -Value ($token.Token | ConvertFrom-SecureString -AsPlainText)\n }\n }\n else {\n $result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token\n }\n\n Write-Output (ConvertTo-Json $result)\n `,\n ],\n ]);\n\n const result = results[0];\n return parseJsonToken(result);\n }\n throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n const scope = typeof scopes === \"string\" ? scopes : scopes[0];\n\n const claimsValue = options.claims;\n if (claimsValue && claimsValue.trim()) {\n const encodedClaims = btoa(claimsValue);\n let loginCmd = `Connect-AzAccount -ClaimsChallenge ${encodedClaims}`;\n\n const tenantIdFromOptions = options.tenantId;\n if (tenantIdFromOptions) {\n loginCmd += ` -Tenant ${tenantIdFromOptions}`;\n }\n const error = new CredentialUnavailableError(\n `${powerShellPublicErrorMessages.claim} ${loginCmd}`,\n );\n\n logger.getToken.info(formatError(scope, error));\n throw error;\n }\n\n const tenantId = processMultiTenantRequest(\n this.tenantId,\n options,\n this.additionallyAllowedTenantIds,\n );\n if (tenantId) {\n checkTenantId(logger, tenantId);\n }\n try {\n ensureValidScopeForDevTimeCreds(scope, logger);\n logger.getToken.info(`Using the scope ${scope}`);\n const resource = getScopeResource(scope);\n const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);\n logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.Token,\n expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),\n tokenType: \"Bearer\",\n } as AccessToken;\n } catch (err: any) {\n if (isNotInstalledError(err)) {\n const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);\n logger.getToken.info(formatError(scope, error));\n throw error;\n } else if (isLoginError(err)) {\n const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);\n logger.getToken.info(formatError(scope, error));\n throw error;\n }\n const error = new CredentialUnavailableError(\n `${err}. ${powerShellPublicErrorMessages.troubleshoot}`,\n );\n logger.getToken.info(formatError(scope, error));\n throw error;\n }\n });\n }\n}\n\n/**\n *\n * @internal\n */\nexport async function parseJsonToken(\n result: string,\n): Promise<{ Token: string; ExpiresOn: string }> {\n const jsonRegex = /{[^{}]*}/g;\n const matches = result.match(jsonRegex);\n let resultWithoutToken = result;\n if (matches) {\n try {\n for (const item of matches) {\n try {\n const jsonContent = JSON.parse(item);\n if (jsonContent?.Token) {\n resultWithoutToken = resultWithoutToken.replace(item, \"\");\n if (resultWithoutToken) {\n logger.getToken.warning(resultWithoutToken);\n }\n return jsonContent;\n }\n } catch (e) {\n continue;\n }\n }\n } catch (e: any) {\n throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);\n }\n }\n throw new Error(`No access token found in the output. Received output: ${result}`);\n}\n"]}
package/dist/commonjs/credentials/defaultAzureCredential.d.ts CHANGED
@@ -25,10 +25,27 @@ export declare class UnavailableDefaultCredential implements TokenCredential {
25
25
  * - {@link AzureCliCredential}
26
26
  * - {@link AzurePowerShellCredential}
27
27
  * - {@link AzureDeveloperCliCredential}
28
- * - {@link BrokerCredential}
28
+ * - BrokerCredential (a broker-enabled credential that requires \@azure/identity-broker is installed)
29
29
  *
30
30
  * Consult the documentation of these credential types for more information
31
31
  * on how they attempt authentication.
32
+ *
33
+ * The following example demonstrates how to use the `requiredEnvVars` option to ensure that certain environment variables are set before the `DefaultAzureCredential` is instantiated.
34
+ * If any of the specified environment variables are missing or empty, an error will be thrown, preventing the application from continuing execution without the necessary configuration.
35
+ * It also demonstrates how to set the `AZURE_TOKEN_CREDENTIALS` environment variable to control which credentials are included in the chain.
36
+
37
+ * ```ts snippet:defaultazurecredential_requiredEnvVars
38
+ * import { DefaultAzureCredential } from "@azure/identity";
39
+ *
40
+ * const credential = new DefaultAzureCredential({
41
+ * requiredEnvVars: [
42
+ * "AZURE_CLIENT_ID",
43
+ * "AZURE_TENANT_ID",
44
+ * "AZURE_CLIENT_SECRET",
45
+ * "AZURE_TOKEN_CREDENTIALS",
46
+ * ],
47
+ * });
48
+ * ```
32
49
  */
33
50
  export declare class DefaultAzureCredential extends ChainedTokenCredential {
34
51
  /**
package/dist/commonjs/credentials/defaultAzureCredential.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAoFpD"}
1
+ {"version":3,"file":"defaultAzureCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/defaultAzureCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qCAAqC,EACrC,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,oCAAoC,CAAC;AAO5C,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAgBxD;;;GAGG;AACH,qBAAa,4BAA6B,YAAW,eAAe;IAClE,iCAAiC,EAAE,MAAM,CAAC;IAC1C,cAAc,EAAE,MAAM,CAAC;gBAEX,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;IAKnD,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAM1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,qBAAa,sBAAuB,SAAQ,sBAAsB;IAChE;;;;OAIG;gBACS,OAAO,CAAC,EAAE,qCAAqC;IAE3D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,uCAAuC;IAE7D;;;;OAIG;gBACS,OAAO,CAAC,EAAE,6BAA6B;CAyFpD"}
package/dist/commonjs/credentials/defaultAzureCredential.js CHANGED
@@ -38,13 +38,31 @@ exports.UnavailableDefaultCredential = UnavailableDefaultCredential;
38
38
  * - {@link AzureCliCredential}
39
39
  * - {@link AzurePowerShellCredential}
40
40
  * - {@link AzureDeveloperCliCredential}
41
- * - {@link BrokerCredential}
41
+ * - BrokerCredential (a broker-enabled credential that requires \@azure/identity-broker is installed)
42
42
  *
43
43
  * Consult the documentation of these credential types for more information
44
44
  * on how they attempt authentication.
45
+ *
46
+ * The following example demonstrates how to use the `requiredEnvVars` option to ensure that certain environment variables are set before the `DefaultAzureCredential` is instantiated.
47
+ * If any of the specified environment variables are missing or empty, an error will be thrown, preventing the application from continuing execution without the necessary configuration.
48
+ * It also demonstrates how to set the `AZURE_TOKEN_CREDENTIALS` environment variable to control which credentials are included in the chain.
49
+
50
+ * ```ts snippet:defaultazurecredential_requiredEnvVars
51
+ * import { DefaultAzureCredential } from "@azure/identity";
52
+ *
53
+ * const credential = new DefaultAzureCredential({
54
+ * requiredEnvVars: [
55
+ * "AZURE_CLIENT_ID",
56
+ * "AZURE_TENANT_ID",
57
+ * "AZURE_CLIENT_SECRET",
58
+ * "AZURE_TOKEN_CREDENTIALS",
59
+ * ],
60
+ * });
61
+ * ```
45
62
  */
46
63
  class DefaultAzureCredential extends chainedTokenCredential_js_1.ChainedTokenCredential {
47
64
  constructor(options) {
65
+ validateRequiredEnvVars(options);
48
66
  // If AZURE_TOKEN_CREDENTIALS is not set, use the default credential chain.
49
67
  const azureTokenCredentials = process.env.AZURE_TOKEN_CREDENTIALS
50
68
  ? process.env.AZURE_TOKEN_CREDENTIALS.trim().toLowerCase()
@@ -80,7 +98,11 @@ class DefaultAzureCredential extends chainedTokenCredential_js_1.ChainedTokenCre
80
98
  credentialFunctions = [defaultAzureCredentialFunctions_js_1.createDefaultWorkloadIdentityCredential];
81
99
  break;
82
100
  case "managedidentitycredential":
83
- credentialFunctions = [defaultAzureCredentialFunctions_js_1.createDefaultManagedIdentityCredential];
101
+ // Setting `sendProbeRequest` to false to ensure ManagedIdentityCredential behavior
102
+ // is consistent when used standalone in DAC chain or used directly.
103
+ credentialFunctions = [
104
+ () => (0, defaultAzureCredentialFunctions_js_1.createDefaultManagedIdentityCredential)({ sendProbeRequest: false }),
105
+ ];
84
106
  break;
85
107
  case "visualstudiocodecredential":
86
108
  credentialFunctions = [defaultAzureCredentialFunctions_js_1.createDefaultVisualStudioCodeCredential];
@@ -114,7 +136,7 @@ class DefaultAzureCredential extends chainedTokenCredential_js_1.ChainedTokenCre
114
136
  // 3. Returning a UnavailableDefaultCredential from the factory function if a credential is unavailable for any reason
115
137
  const credentials = credentialFunctions.map((createCredentialFn) => {
116
138
  try {
117
- return createCredentialFn(options);
139
+ return createCredentialFn(options ?? {});
118
140
  }
119
141
  catch (err) {
120
142
  logger.warning(`Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`);
@@ -125,4 +147,21 @@ class DefaultAzureCredential extends chainedTokenCredential_js_1.ChainedTokenCre
125
147
  }
126
148
  }
127
149
  exports.DefaultAzureCredential = DefaultAzureCredential;
150
+ /**
151
+ * This function checks that all environment variables in `options.requiredEnvVars` are set and non-empty.
152
+ * If any are missing or empty, it throws an error.
153
+ */
154
+ function validateRequiredEnvVars(options) {
155
+ if (options?.requiredEnvVars) {
156
+ const requiredVars = Array.isArray(options.requiredEnvVars)
157
+ ? options.requiredEnvVars
158
+ : [options.requiredEnvVars];
159
+ const missing = requiredVars.filter((envVar) => !process.env[envVar]);
160
+ if (missing.length > 0) {
161
+ const errorMessage = `Required environment ${missing.length === 1 ? "variable" : "variables"} '${missing.join(", ")}' for DefaultAzureCredential ${missing.length === 1 ? "is" : "are"} not set or empty.`;
162
+ logger.warning(errorMessage);
163
+ throw new Error(errorMessage);
164
+ }
165
+ }
166
+ }
128
167
  //# sourceMappingURL=defaultAzureCredential.js.map