@azure/identity 4.14.0-alpha.20251205.1 → 4.14.0-alpha.20251209.3

Files changed (174)
  1. package/dist/browser/client/identityClient.d.ts +0 -4
  2. package/dist/browser/client/identityClient.d.ts.map +1 -1
  3. package/dist/browser/client/identityClient.js +3 -16
  4. package/dist/browser/client/identityClient.js.map +1 -1
  5. package/dist/browser/credentials/brokerCredential.d.ts +2 -2
  6. package/dist/browser/credentials/brokerCredential.d.ts.map +1 -1
  7. package/dist/browser/credentials/brokerCredential.js +0 -1
  8. package/dist/browser/credentials/brokerCredential.js.map +1 -1
  9. package/dist/browser/credentials/workloadIdentityCredentialOptions.d.ts +2 -2
  10. package/dist/browser/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -1
  11. package/dist/browser/credentials/workloadIdentityCredentialOptions.js.map +1 -1
  12. package/dist/browser/msal/nodeFlows/msalClient.d.ts +14 -8
  13. package/dist/browser/msal/nodeFlows/msalClient.d.ts.map +1 -1
  14. package/dist/browser/msal/nodeFlows/msalClient.js +3 -3
  15. package/dist/browser/msal/nodeFlows/msalClient.js.map +1 -1
  16. package/dist/browser/msal/utils.d.ts +0 -9
  17. package/dist/browser/msal/utils.d.ts.map +1 -1
  18. package/dist/browser/msal/utils.js +2 -15
  19. package/dist/browser/msal/utils.js.map +1 -1
  20. package/dist/browser/util/authorityHost.d.ts +10 -0
  21. package/dist/browser/util/authorityHost.d.ts.map +1 -0
  22. package/dist/browser/util/authorityHost.js +18 -0
  23. package/dist/browser/util/authorityHost.js.map +1 -0
  24. package/dist/commonjs/client/identityClient.d.ts +0 -4
  25. package/dist/commonjs/client/identityClient.d.ts.map +1 -1
  26. package/dist/commonjs/client/identityClient.js +2 -16
  27. package/dist/commonjs/client/identityClient.js.map +1 -1
  28. package/dist/commonjs/credentials/authorizationCodeCredential.d.ts.map +1 -1
  29. package/dist/commonjs/credentials/authorizationCodeCredential.js +0 -1
  30. package/dist/commonjs/credentials/authorizationCodeCredential.js.map +1 -1
  31. package/dist/commonjs/credentials/brokerCredential.d.ts +2 -2
  32. package/dist/commonjs/credentials/brokerCredential.d.ts.map +1 -1
  33. package/dist/commonjs/credentials/brokerCredential.js +0 -1
  34. package/dist/commonjs/credentials/brokerCredential.js.map +1 -1
  35. package/dist/commonjs/credentials/clientAssertionCredential.d.ts.map +1 -1
  36. package/dist/commonjs/credentials/clientAssertionCredential.js +1 -2
  37. package/dist/commonjs/credentials/clientAssertionCredential.js.map +1 -1
  38. package/dist/commonjs/credentials/clientCertificateCredential.d.ts.map +1 -1
  39. package/dist/commonjs/credentials/clientCertificateCredential.js +0 -1
  40. package/dist/commonjs/credentials/clientCertificateCredential.js.map +1 -1
  41. package/dist/commonjs/credentials/clientSecretCredential.d.ts.map +1 -1
  42. package/dist/commonjs/credentials/clientSecretCredential.js +0 -1
  43. package/dist/commonjs/credentials/clientSecretCredential.js.map +1 -1
  44. package/dist/commonjs/credentials/deviceCodeCredential.d.ts.map +1 -1
  45. package/dist/commonjs/credentials/deviceCodeCredential.js +0 -1
  46. package/dist/commonjs/credentials/deviceCodeCredential.js.map +1 -1
  47. package/dist/commonjs/credentials/interactiveBrowserCredential.d.ts.map +1 -1
  48. package/dist/commonjs/credentials/interactiveBrowserCredential.js +0 -1
  49. package/dist/commonjs/credentials/interactiveBrowserCredential.js.map +1 -1
  50. package/dist/commonjs/credentials/onBehalfOfCredential.d.ts.map +1 -1
  51. package/dist/commonjs/credentials/onBehalfOfCredential.js +0 -1
  52. package/dist/commonjs/credentials/onBehalfOfCredential.js.map +1 -1
  53. package/dist/commonjs/credentials/usernamePasswordCredential.d.ts.map +1 -1
  54. package/dist/commonjs/credentials/usernamePasswordCredential.js +0 -1
  55. package/dist/commonjs/credentials/usernamePasswordCredential.js.map +1 -1
  56. package/dist/commonjs/credentials/visualStudioCodeCredential.js.map +1 -1
  57. package/dist/commonjs/credentials/workloadIdentityCredential.js +3 -3
  58. package/dist/commonjs/credentials/workloadIdentityCredential.js.map +1 -1
  59. package/dist/commonjs/credentials/workloadIdentityCredentialOptions.d.ts +2 -2
  60. package/dist/commonjs/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -1
  61. package/dist/commonjs/credentials/workloadIdentityCredentialOptions.js.map +1 -1
  62. package/dist/commonjs/msal/nodeFlows/msalClient.d.ts +14 -8
  63. package/dist/commonjs/msal/nodeFlows/msalClient.d.ts.map +1 -1
  64. package/dist/commonjs/msal/nodeFlows/msalClient.js +4 -4
  65. package/dist/commonjs/msal/nodeFlows/msalClient.js.map +1 -1
  66. package/dist/commonjs/msal/utils.d.ts +0 -9
  67. package/dist/commonjs/msal/utils.d.ts.map +1 -1
  68. package/dist/commonjs/msal/utils.js +1 -15
  69. package/dist/commonjs/msal/utils.js.map +1 -1
  70. package/dist/commonjs/util/authorityHost.d.ts +10 -0
  71. package/dist/commonjs/util/authorityHost.d.ts.map +1 -0
  72. package/dist/commonjs/util/authorityHost.js +21 -0
  73. package/dist/commonjs/util/authorityHost.js.map +1 -0
  74. package/dist/esm/client/identityClient.d.ts +0 -4
  75. package/dist/esm/client/identityClient.d.ts.map +1 -1
  76. package/dist/esm/client/identityClient.js +3 -16
  77. package/dist/esm/client/identityClient.js.map +1 -1
  78. package/dist/esm/credentials/authorizationCodeCredential.d.ts.map +1 -1
  79. package/dist/esm/credentials/authorizationCodeCredential.js +0 -1
  80. package/dist/esm/credentials/authorizationCodeCredential.js.map +1 -1
  81. package/dist/esm/credentials/brokerCredential.d.ts +2 -2
  82. package/dist/esm/credentials/brokerCredential.d.ts.map +1 -1
  83. package/dist/esm/credentials/brokerCredential.js +0 -1
  84. package/dist/esm/credentials/brokerCredential.js.map +1 -1
  85. package/dist/esm/credentials/clientAssertionCredential.d.ts.map +1 -1
  86. package/dist/esm/credentials/clientAssertionCredential.js +1 -2
  87. package/dist/esm/credentials/clientAssertionCredential.js.map +1 -1
  88. package/dist/esm/credentials/clientCertificateCredential.d.ts.map +1 -1
  89. package/dist/esm/credentials/clientCertificateCredential.js +0 -1
  90. package/dist/esm/credentials/clientCertificateCredential.js.map +1 -1
  91. package/dist/esm/credentials/clientSecretCredential.d.ts.map +1 -1
  92. package/dist/esm/credentials/clientSecretCredential.js +0 -1
  93. package/dist/esm/credentials/clientSecretCredential.js.map +1 -1
  94. package/dist/esm/credentials/deviceCodeCredential.d.ts.map +1 -1
  95. package/dist/esm/credentials/deviceCodeCredential.js +0 -1
  96. package/dist/esm/credentials/deviceCodeCredential.js.map +1 -1
  97. package/dist/esm/credentials/interactiveBrowserCredential.d.ts.map +1 -1
  98. package/dist/esm/credentials/interactiveBrowserCredential.js +0 -1
  99. package/dist/esm/credentials/interactiveBrowserCredential.js.map +1 -1
  100. package/dist/esm/credentials/onBehalfOfCredential.d.ts.map +1 -1
  101. package/dist/esm/credentials/onBehalfOfCredential.js +0 -1
  102. package/dist/esm/credentials/onBehalfOfCredential.js.map +1 -1
  103. package/dist/esm/credentials/usernamePasswordCredential.d.ts.map +1 -1
  104. package/dist/esm/credentials/usernamePasswordCredential.js +0 -1
  105. package/dist/esm/credentials/usernamePasswordCredential.js.map +1 -1
  106. package/dist/esm/credentials/visualStudioCodeCredential.js.map +1 -1
  107. package/dist/esm/credentials/workloadIdentityCredential.js +3 -3
  108. package/dist/esm/credentials/workloadIdentityCredential.js.map +1 -1
  109. package/dist/esm/credentials/workloadIdentityCredentialOptions.d.ts +2 -2
  110. package/dist/esm/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -1
  111. package/dist/esm/credentials/workloadIdentityCredentialOptions.js.map +1 -1
  112. package/dist/esm/msal/nodeFlows/msalClient.d.ts +14 -8
  113. package/dist/esm/msal/nodeFlows/msalClient.d.ts.map +1 -1
  114. package/dist/esm/msal/nodeFlows/msalClient.js +3 -3
  115. package/dist/esm/msal/nodeFlows/msalClient.js.map +1 -1
  116. package/dist/esm/msal/utils.d.ts +0 -9
  117. package/dist/esm/msal/utils.d.ts.map +1 -1
  118. package/dist/esm/msal/utils.js +2 -15
  119. package/dist/esm/msal/utils.js.map +1 -1
  120. package/dist/esm/util/authorityHost.d.ts +10 -0
  121. package/dist/esm/util/authorityHost.d.ts.map +1 -0
  122. package/dist/esm/util/authorityHost.js +18 -0
  123. package/dist/esm/util/authorityHost.js.map +1 -0
  124. package/dist/workerd/client/identityClient.d.ts +0 -4
  125. package/dist/workerd/client/identityClient.d.ts.map +1 -1
  126. package/dist/workerd/client/identityClient.js +3 -16
  127. package/dist/workerd/client/identityClient.js.map +1 -1
  128. package/dist/workerd/credentials/authorizationCodeCredential.d.ts.map +1 -1
  129. package/dist/workerd/credentials/authorizationCodeCredential.js +0 -1
  130. package/dist/workerd/credentials/authorizationCodeCredential.js.map +1 -1
  131. package/dist/workerd/credentials/brokerCredential.d.ts +2 -2
  132. package/dist/workerd/credentials/brokerCredential.d.ts.map +1 -1
  133. package/dist/workerd/credentials/brokerCredential.js +0 -1
  134. package/dist/workerd/credentials/brokerCredential.js.map +1 -1
  135. package/dist/workerd/credentials/clientAssertionCredential.d.ts.map +1 -1
  136. package/dist/workerd/credentials/clientAssertionCredential.js +1 -2
  137. package/dist/workerd/credentials/clientAssertionCredential.js.map +1 -1
  138. package/dist/workerd/credentials/clientCertificateCredential.d.ts.map +1 -1
  139. package/dist/workerd/credentials/clientCertificateCredential.js +0 -1
  140. package/dist/workerd/credentials/clientCertificateCredential.js.map +1 -1
  141. package/dist/workerd/credentials/clientSecretCredential.d.ts.map +1 -1
  142. package/dist/workerd/credentials/clientSecretCredential.js +0 -1
  143. package/dist/workerd/credentials/clientSecretCredential.js.map +1 -1
  144. package/dist/workerd/credentials/deviceCodeCredential.d.ts.map +1 -1
  145. package/dist/workerd/credentials/deviceCodeCredential.js +0 -1
  146. package/dist/workerd/credentials/deviceCodeCredential.js.map +1 -1
  147. package/dist/workerd/credentials/interactiveBrowserCredential.d.ts.map +1 -1
  148. package/dist/workerd/credentials/interactiveBrowserCredential.js +0 -1
  149. package/dist/workerd/credentials/interactiveBrowserCredential.js.map +1 -1
  150. package/dist/workerd/credentials/onBehalfOfCredential.d.ts.map +1 -1
  151. package/dist/workerd/credentials/onBehalfOfCredential.js +0 -1
  152. package/dist/workerd/credentials/onBehalfOfCredential.js.map +1 -1
  153. package/dist/workerd/credentials/usernamePasswordCredential.d.ts.map +1 -1
  154. package/dist/workerd/credentials/usernamePasswordCredential.js +0 -1
  155. package/dist/workerd/credentials/usernamePasswordCredential.js.map +1 -1
  156. package/dist/workerd/credentials/visualStudioCodeCredential.js.map +1 -1
  157. package/dist/workerd/credentials/workloadIdentityCredential.js +3 -3
  158. package/dist/workerd/credentials/workloadIdentityCredential.js.map +1 -1
  159. package/dist/workerd/credentials/workloadIdentityCredentialOptions.d.ts +2 -2
  160. package/dist/workerd/credentials/workloadIdentityCredentialOptions.d.ts.map +1 -1
  161. package/dist/workerd/credentials/workloadIdentityCredentialOptions.js.map +1 -1
  162. package/dist/workerd/msal/nodeFlows/msalClient.d.ts +14 -8
  163. package/dist/workerd/msal/nodeFlows/msalClient.d.ts.map +1 -1
  164. package/dist/workerd/msal/nodeFlows/msalClient.js +3 -3
  165. package/dist/workerd/msal/nodeFlows/msalClient.js.map +1 -1
  166. package/dist/workerd/msal/utils.d.ts +0 -9
  167. package/dist/workerd/msal/utils.d.ts.map +1 -1
  168. package/dist/workerd/msal/utils.js +2 -15
  169. package/dist/workerd/msal/utils.js.map +1 -1
  170. package/dist/workerd/util/authorityHost.d.ts +10 -0
  171. package/dist/workerd/util/authorityHost.d.ts.map +1 -0
  172. package/dist/workerd/util/authorityHost.js +18 -0
  173. package/dist/workerd/util/authorityHost.js.map +1 -0
  174. package/package.json +1 -1
@@ -1 +1 @@
1
- {"version":3,"file":"workloadIdentityCredential.js","sourceRoot":"","sources":["../../../src/credentials/workloadIdentityCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAwElC,4EAwCC;AA7GD,mDAAsE;AAEtE,iFAA2E;AAC3E,4CAA0D;AAE1D,+DAAyD;AACzD,+CAA4C;AAE5C,kEAAoE;AAEpE,uEAAyE;AACzE,qCAAuC;AAEvC,MAAM,cAAc,GAAG,4BAA4B,CAAC;AACpD;;;;;;GAMG;AACU,QAAA,qCAAqC,GAAG;IACnD,iBAAiB;IACjB,iBAAiB;IACjB,4BAA4B;CAC7B,CAAC;AAEF,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,cAAc,CAAC,CAAC;AAEhD;;GAEG;AACH,MAAM,aAAa,GAAG;IACpB,2BAA2B,EAAE,CAAC,QAAgB,EAAE,KAAc,EAAE,EAAE,CAChE,2CAA2C,QAAQ,MAAM,KAAK,EAAE;IAClE,oBAAoB,EAAE,CAAC,QAAgB,EAAE,EAAE,CACzC,qDAAqD,QAAQ,GAAG;IAClE,2BAA2B,EAAE,CAAC,GAAW,EAAE,EAAE,CAC3C,8BAA8B,GAAG,8BAA8B;IACjE,uBAAuB,EAAE,CAAC,GAAW,EAAE,EAAE,CACvC,8BAA8B,GAAG,4BAA4B;IAC/D,0BAA0B,EAAE,CAAC,GAAW,EAAE,EAAE,CAC1C,8BAA8B,GAAG,+BAA+B;IAClE,aAAa,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,iCAAiC,IAAI,EAAE;IACxE,sBAAsB,EAAE,CAAC,IAAY,EAAE,KAAc,EAAE,EAAE,CACvD,uCAAuC,IAAI,KAAK,KAAK,EAAE;IACzD,uBAAuB,EAAE,8DAA8D;IACvF,iBAAiB,EAAE,CAAC,IAAwB,EAAE,EAAE,CAAC,8BAA8B,IAAI,GAAG;IACtF,eAAe,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,0BAA0B,IAAI,GAAG;IACpE,YAAY,EAAE,qCAAqC;IACnD,kBAAkB,EAAE;qIAC+G;IACnI,kBAAkB,EAAE;qIAC+G;IACnI,wBAAwB,EAAE;qIACyG;IACnI,mBAAmB,EAAE,6GAA6G;IAClI,0BAA0B,EAAE,iGAAiG;IAC7H,gBAAgB,EAAE;;;;iKAI6I;CAChK,CAAC;AAEF;;;GAGG;AACH,SAAgB,gCAAgC,CAAC,QAAgB;IAC/D,IAAI,UAAe,CAAC;IACpB,IAAI,CAAC;QACH,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,2BAA2B,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,CACnG,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,oBAAoB,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAChG,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QAC/C,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,2BAA2B,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,EAAE,CACzG,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAq
B,aAAa,CAAC,uBAAuB,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,EAAE,CACrG,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;QACpB,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,0BAA0B,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,EAAE,CACxG,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QACvD,+EAA+E;QAC/E,UAAU,CAAC,QAAQ,GAAG,GAAG,CAAC;IAC5B,CAAC;IAED,OAAO,UAAU,CAAC,QAAQ,EAAE,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAa,0BAA0B;IAC7B,MAAM,CAAwC;IAC9C,8BAA8B,GAAuB,SAAS,CAAC;IAC/D,SAAS,GAAuB,SAAS,CAAC;IAC1C,sBAAsB,CAAqB;IAEnD,wDAAwD;IAChD,iBAAiB,CAAsD;IACvE,YAAY,CAAqB;IACjC,MAAM,CAAqB;IAC3B,MAAM,CAAqB;IAC3B,OAAO,CAAqB;IAEpC;;;;OAIG;IACH,YAAY,OAA2C;QACrD,kDAAkD;QAClD,MAAM,WAAW,GAAG,IAAA,2BAAc,EAAC,6CAAqC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9F,MAAM,CAAC,IAAI,CAAC,8CAA8C,WAAW,EAAE,CAAC,CAAC;QAEzE,MAAM,iCAAiC,GAAG,OAAO,IAAI,EAAE,CAAC;QACxD,MAAM,QAAQ,GAAG,iCAAiC,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC3F,MAAM,QAAQ,GAAG,iCAAiC,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC3F,IAAI,CAAC,sBAAsB;YACzB,iCAAiC,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;QAE5F,IAAI,QAAQ,EAAE,CAAC;YACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,kBAAkB,EAAE,CACzE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,kBAAkB,EAAE,CACzE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACjC,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,wBAAwB,EAAE,CAC/E,CAAC;QACJ,CAAC;QAED,6EAA6E;QAC7E,IAAI,iCAAiC,CAAC,+BAA+B,EAAE,CAAC;YACtE,MAAM,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;YACtE,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;YAChE,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YAC9D,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YAE9D,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,mGAAmG;gBACnG,iFAAiF;gBACjF,IAAI,iBAAiB,IAAI,gBAAgB,IAAI,gBAAgB,EAAE,CAAC;oBAC9D,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,mBAAmB,EAAE,CA
C1E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,IAAI,CACT,uHAAuH,CACxH,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,UAAU,GAAG,gCAAgC,CAAC,oBAAoB,CAAC,CAAC;gBAE1E,oEAAoE;gBACpE,gFAAgF;gBAChF,IAAI,gBAAgB,IAAI,gBAAgB,EAAE,CAAC;oBACzC,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,0BAA0B,EAAE,CACjF,CAAC;gBACJ,CAAC;gBAED,IAAI,CAAC,MAAM,GAAG,gBAAgB,CAAC;gBAC/B,IAAI,CAAC,MAAM,GAAG,gBAAgB,CAAC;gBAC/B,IAAI,CAAC,OAAO,GAAG,iBAAiB,CAAC;gBAEjC,iDAAiD;gBACjD,MAAM,WAAW,GAAG,IAAI,CAAC,oBAAoB,CAAC,UAAU,CAAC,CAAC;gBAC1D,iCAAiC,CAAC,UAAU,GAAG,WAAW,CAAC;gBAC3D,MAAM,CAAC,IAAI,CAAC,GAAG,cAAc,yCAAyC,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CACT,sDAAsD,QAAQ,eAAe,iCAAiC,CAAC,QAAQ,uCAAuC,CAC/J,CAAC;QAEF,IAAI,CAAC,MAAM,GAAG,IAAI,wDAAyB,CACzC,QAAQ,EACR,QAAQ,EACR,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAChC,iCAAiC,CAClC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,oBAAoB,CAAC,aAAqB;QAChD,MAAM,aAAa,GAAG,IAAA,4CAAuB,GAAE,CAAC;QAChD,iFAAiF;QACjF,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QAE/C,OAAO;YACL,WAAW,EAAE,KAAK,EAAE,OAAwB,EAA6B,EAAE;gBACzE,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAExC,MAAM,CAAC,IAAI,CACT,GAAG,cAAc,iDAAiD,aAAa,EAAE,CAClF,CAAC;gBAEF,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;gBAExC,kEAAkE;gBAClE,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAC3D,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAClD,CAAC,CAAC,QAAQ,CAAC,QAAQ,GAAG,WAAW;oBACjC,CAAC,CAAC,QAAQ,CAAC,QAAQ,GAAG,GAAG,GAAG,WAAW,CAAC;gBAE1C,qEAAqE;gBACrE,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;gBACxC,MAAM,CAAC,QAAQ,GAAG,YAAY,CAAC;gBAC/B,MAAM,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;gBAClC,MAAM,CAAC,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC;gBAE9B,OAAO,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAChC,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;gBAE5C,MAAM,CAAC,IAAI,CAAC,GAAG,cAAc,wBAAwB,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;gBACpE,wDAAwD;gBACxD,OAAO,aAAa,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC5C,CAAC;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,cAAc;QACpB,yCAAyC;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,C
AAC,MAAM,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5E,CAAC;YACD,OAAO,IAAI,CAAC,iBAAiB,CAAC;QAChC,CAAC;QAED,0EAA0E;QAC1E,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,IAAI,CAAC,IAAA,gDAAyB,EAAC,IAAI,CAAC,MAAO,CAAC,EAAE,CAAC;oBAC7C,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,uBAAuB,EAAE,CAC9E,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1E,IAAI,CAAC,iBAAiB,CAAC,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;YAC1C,CAAC;YACD,OAAO,IAAI,CAAC,iBAAiB,CAAC;QAChC,CAAC;QAED,qEAAqE;QACrE,IAAI,WAAmB,CAAC;QACxB,IAAI,CAAC;YACH,WAAW,GAAG,IAAA,sBAAY,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,sBAAsB,CAAC,IAAI,CAAC,MAAO,EAAE,KAAK,CAAC,EAAE,CAClG,CAAC;QACJ,CAAC;QACD,+CAA+C;QAC/C,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,sFAAsF;gBACtF,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CACjF,CAAC;YACJ,CAAC;YACD,2DAA2D;YAC3D,OAAO,IAAI,CAAC,iBAAiB,CAAC;QAChC,CAAC;QAED,0BAA0B;QAC1B,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACjE,MAAM,YAAY,GAAG,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAElD,IAAI,CAAC,IAAA,gDAAyB,EAAC,YAAY,CAAC,EAAE,CAAC;gBAC7C,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,uBAAuB,EAAE,CAC9E,CAAC;YACJ,CAAC;YAED,4DAA4D;YAC5D,IAAI,CAAC,iBAAiB,GAAG;gBACvB,EAAE,EAAE,YAAY;gBAChB,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;aAClD,CAAC;YACF,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;QAClC,CAAC;QAED,OAAO,IAAI,CAAC,iBAAkB,CAAC;IACjC,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,OAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,YAAY,GAAG,GAAG,cAAc,qBAAqB,aAAa,CAAC,gBAAgB,EAAE,CAAC;YAC5F,MAAM,CAAC,IAAI,CAAC,Y
AAY,CAAC,CAAC;YAC1B,MAAM,IAAI,sCAA0B,CAAC,YAAY,CAAC,CAAC;QACrD,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAEO,KAAK,CAAC,gBAAgB;QAC5B,2CAA2C;QAC3C,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YACjF,IAAI,CAAC,8BAA8B,GAAG,SAAS,CAAC;QAClD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACjC,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,iBAAiB,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,CACrG,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,8BAA8B,EAAE,CAAC;YACzC,MAAM,IAAI,GAAG,MAAM,IAAA,mBAAQ,EAAC,IAAI,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;YACjE,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,eAAe,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,CACnG,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,8BAA8B,GAAG,KAAK,CAAC;gBAC5C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC9B,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,8BAA8B,CAAC;IAC7C,CAAC;CACF;AAjQD,gEAiQC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { credentialLogger, processEnvVars } from \"../util/logging.js\";\n\nimport { ClientAssertionCredential } from \"./clientAssertionCredential.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport type { WorkloadIdentityCredentialOptions } from \"./workloadIdentityCredentialOptions.js\";\nimport { checkTenantId } from \"../util/tenantIdUtils.js\";\nimport { readFile } from \"node:fs/promises\";\nimport type { PipelineRequest, PipelineResponse, HttpClient } from \"@azure/core-rest-pipeline\";\nimport { createDefaultHttpClient } from \"@azure/core-rest-pipeline\";\nimport type { TlsSettings } from \"@azure/core-rest-pipeline\";\nimport { canParseAsX509Certificate } from \"../util/certificatesUtils.js\";\nimport { readFileSync } 
from \"node:fs\";\n\nconst credentialName = \"WorkloadIdentityCredential\";\n/**\n * Contains the list of all supported environment variable names so that an\n * appropriate error message can be generated when no credentials can be\n * configured.\n *\n * @internal\n */\nexport const SupportedWorkloadEnvironmentVariables = [\n \"AZURE_TENANT_ID\",\n \"AZURE_CLIENT_ID\",\n \"AZURE_FEDERATED_TOKEN_FILE\",\n];\n\nconst logger = credentialLogger(credentialName);\n\n/**\n * Error messages for WorkloadIdentityCredential\n */\nconst ErrorMessages = {\n FAILED_TO_PARSE_TOKEN_PROXY: (endpoint: string, error: unknown) =>\n `Failed to parse custom token proxy URL \"${endpoint}\": ${error}`,\n INVALID_HTTPS_SCHEME: (protocol: string) =>\n `Custom token endpoint must use https scheme, got \"${protocol}\"`,\n TOKEN_ENDPOINT_NO_USER_INFO: (url: string) =>\n `Custom token endpoint URL \"${url}\" must not contain user info`,\n TOKEN_ENDPOINT_NO_QUERY: (url: string) =>\n `Custom token endpoint URL \"${url}\" must not contain a query`,\n TOKEN_ENDPOINT_NO_FRAGMENT: (url: string) =>\n `Custom token endpoint URL \"${url}\" must not contain a fragment`,\n CA_FILE_EMPTY: (file: string) => `CA certificate file is empty: ${file}`,\n FAILED_TO_READ_CA_FILE: (file: string, error: unknown) =>\n `Failed to read CA certificate file: ${file}. ${error}`,\n INVALID_CA_CERTIFICATES: `Invalid CA certificate data: no valid PEM certificates found`,\n INVALID_FILE_PATH: (path: string | undefined) => `Invalid file path provided ${path}.`,\n NO_FILE_CONTENT: (path: string) => `No content on the file ${path}.`,\n NO_CA_SOURCE: `No CA certificate source specified.`,\n CLIENT_ID_REQUIRED: `clientId is a required parameter. 
In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - \"AZURE_CLIENT_ID\".\n See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`,\n TENANT_ID_REQUIRED: `tenantId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - \"AZURE_TENANT_ID\".\n See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`,\n TOKEN_FILE_PATH_REQUIRED: `federatedTokenFilePath is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - \"AZURE_FEDERATED_TOKEN_FILE\".\n See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`,\n TOKEN_PROXY_NOT_SET: `AZURE_KUBERNETES_TOKEN_PROXY is not set but other custom endpoint-related environment variables are present`,\n CA_FILE_AND_DATA_EXCLUSIVE: `AZURE_KUBERNETES_CA_FILE and AZURE_KUBERNETES_CA_DATA are mutually exclusive. Specify only one.`,\n MISSING_ENV_VARS: `tenantId, clientId, and federatedTokenFilePath are required parameters. \n In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - \n \"AZURE_TENANT_ID\",\n \"AZURE_CLIENT_ID\",\n \"AZURE_FEDERATED_TOKEN_FILE\". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`,\n};\n\n/**\n * @internal\n * Parses and validates the custom token proxy endpoint URL\n */\nexport function parseAndValidateCustomTokenProxy(endpoint: string): string {\n let tokenProxy: URL;\n try {\n tokenProxy = new URL(endpoint);\n } catch (error) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. 
${ErrorMessages.FAILED_TO_PARSE_TOKEN_PROXY(endpoint, error)}`,\n );\n }\n\n if (tokenProxy.protocol !== \"https:\") {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.INVALID_HTTPS_SCHEME(tokenProxy.protocol)}`,\n );\n }\n\n if (tokenProxy.username || tokenProxy.password) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TOKEN_ENDPOINT_NO_USER_INFO(tokenProxy.toString())}`,\n );\n }\n\n if (tokenProxy.search) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TOKEN_ENDPOINT_NO_QUERY(tokenProxy.toString())}`,\n );\n }\n\n if (tokenProxy.hash) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TOKEN_ENDPOINT_NO_FRAGMENT(tokenProxy.toString())}`,\n );\n }\n\n if (!tokenProxy.pathname || tokenProxy.pathname === \"\") {\n // if the path is empty, set it to \"/\" to avoid stripping the path from req.URL\n tokenProxy.pathname = \"/\";\n }\n\n return tokenProxy.toString();\n}\n\n/**\n * Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)\n * to access other Azure resources without the need for a service principal or managed identity. With Workload Identity\n * authentication, applications authenticate themselves using their own identity, rather than using a shared service\n * principal or managed identity. Under the hood, Workload Identity authentication uses the concept of Service Account\n * Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using Workload\n * Identity authentication, you can avoid the need to manage and rotate service principals or managed identities for\n * each application on each VM. 
Additionally, because SACs are created automatically and managed by Azure, you don't\n * need to worry about storing and securing sensitive credentials themselves.\n * The WorkloadIdentityCredential supports Microsoft Entra Workload ID authentication on Azure Kubernetes and acquires\n * a token using the SACs available in the Azure Kubernetes environment.\n * Refer to <a href=\"https://learn.microsoft.com/azure/aks/workload-identity-overview\">Microsoft Entra\n * Workload ID</a> for more information.\n */\nexport class WorkloadIdentityCredential implements TokenCredential {\n private client: ClientAssertionCredential | undefined;\n private azureFederatedTokenFileContent: string | undefined = undefined;\n private cacheDate: number | undefined = undefined;\n private federatedTokenFilePath: string | undefined;\n\n // AKS proxy CA caching - persists across token requests\n private cachedTlsSettings: (TlsSettings & { servername?: string }) | undefined;\n private cachedCaData: Buffer | undefined;\n private caData: string | undefined;\n private caFile: string | undefined;\n private sniName: string | undefined;\n\n /**\n * WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.\n *\n * @param options - The identity client options to use for authentication.\n */\n constructor(options?: WorkloadIdentityCredentialOptions) {\n // Logging environment variables for error details\n const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(\", \");\n logger.info(`Found the following environment variables: ${assignedEnv}`);\n\n const workloadIdentityCredentialOptions = options ?? 
{};\n const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;\n const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;\n this.federatedTokenFilePath =\n workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;\n\n if (tenantId) {\n checkTenantId(logger, tenantId);\n }\n if (!clientId) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.CLIENT_ID_REQUIRED}`,\n );\n }\n\n if (!tenantId) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TENANT_ID_REQUIRED}`,\n );\n }\n\n if (!this.federatedTokenFilePath) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TOKEN_FILE_PATH_REQUIRED}`,\n );\n }\n\n // Use identity binding mode only when enableAzureKubernetesTokenProxy is set\n if (workloadIdentityCredentialOptions.enableAzureKubernetesTokenProxy) {\n const kubernetesTokenProxy = process.env.AZURE_KUBERNETES_TOKEN_PROXY;\n const kubernetesSNIName = process.env.AZURE_KUBERNETES_SNI_NAME;\n const kubernetesCAFile = process.env.AZURE_KUBERNETES_CA_FILE;\n const kubernetesCAData = process.env.AZURE_KUBERNETES_CA_DATA;\n\n if (!kubernetesTokenProxy) {\n // Custom token proxy is not set, while other Kubernetes-related environment variables are present,\n // this is likely a configuration issue so erroring out to avoid misconfiguration\n if (kubernetesSNIName || kubernetesCAFile || kubernetesCAData) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. 
${ErrorMessages.TOKEN_PROXY_NOT_SET}`,\n );\n }\n logger.info(\n `enableAzureKubernetesTokenProxy is true but AZURE_KUBERNETES_TOKEN_PROXY is not set, using normal authentication flow`,\n );\n } else {\n const tokenProxy = parseAndValidateCustomTokenProxy(kubernetesTokenProxy);\n\n // CAFile and CAData are mutually exclusive, at most one can be set.\n // If none of CAFile or CAData are set, the default system CA pool will be used.\n if (kubernetesCAFile && kubernetesCAData) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.CA_FILE_AND_DATA_EXCLUSIVE}`,\n );\n }\n\n this.caData = kubernetesCAData;\n this.caFile = kubernetesCAFile;\n this.sniName = kubernetesSNIName;\n\n // Configure client options with AKS proxy client\n const proxyClient = this.createAksProxyClient(tokenProxy);\n workloadIdentityCredentialOptions.httpClient = proxyClient;\n logger.info(`${credentialName}: Using proxy client for token requests`);\n }\n }\n\n logger.info(\n `Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`,\n );\n\n this.client = new ClientAssertionCredential(\n tenantId,\n clientId,\n this.readFileContents.bind(this),\n workloadIdentityCredentialOptions,\n );\n }\n\n /**\n * Creates a proxy HttpClient that intercepts token requests and redirects them to the Kubernetes endpoint\n * Caching is handled at the credential level to persist across token requests\n */\n private createAksProxyClient(tokenEndpoint: string): HttpClient {\n const defaultClient = createDefaultHttpClient();\n // Init cached TLS settings at construction time to fail fast on misconfiguration\n this.cachedTlsSettings = this.getTlsSettings();\n\n return {\n sendRequest: async (request: PipelineRequest): Promise<PipelineResponse> => {\n const requestUrl = new URL(request.url);\n\n logger.info(\n `${credentialName}: Redirecting request to Kubernetes endpoint: 
${tokenEndpoint}`,\n );\n\n const proxyUrl = new URL(tokenEndpoint);\n\n // Remove leading slash from request path and join with proxy path\n const requestPath = requestUrl.pathname.replace(/^\\//, \"\");\n const combinedPath = proxyUrl.pathname.endsWith(\"/\")\n ? proxyUrl.pathname + requestPath\n : proxyUrl.pathname + \"/\" + requestPath;\n\n // Create new URL preserving query and fragment from original request\n const newUrl = new URL(proxyUrl.origin);\n newUrl.pathname = combinedPath;\n newUrl.search = requestUrl.search;\n newUrl.hash = requestUrl.hash;\n\n request.url = newUrl.toString();\n request.tlsSettings = this.getTlsSettings();\n\n logger.info(`${credentialName}: Sending request to ${request.url}`);\n // Forward the modified request with custom TLS settings\n return defaultClient.sendRequest(request);\n },\n };\n }\n\n /**\n * Gets TLS settings for the request.\n * Handles a few scenarios with CA data or CA file provided.\n */\n private getTlsSettings(): TlsSettings & { servername?: string } {\n // No CA overrides, use default transport\n if (!this.caData && !this.caFile) {\n if (!this.cachedTlsSettings) {\n this.cachedTlsSettings = this.sniName ? { servername: this.sniName } : {};\n }\n return this.cachedTlsSettings;\n }\n\n // Host provided CA bytes in AZURE_KUBERNETES_CA_DATA and can't change now\n if (!this.caFile) {\n if (!this.cachedTlsSettings) {\n if (!canParseAsX509Certificate(this.caData!)) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.INVALID_CA_CERTIFICATES}`,\n );\n }\n this.cachedTlsSettings = this.sniName ? { servername: this.sniName } : {};\n this.cachedTlsSettings.ca = this.caData;\n }\n return this.cachedTlsSettings;\n }\n\n // Host provided the CA bytes in a file whose contents it can change,\n let fileContent: Buffer;\n try {\n fileContent = readFileSync(this.caFile);\n } catch (error) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. 
${ErrorMessages.FAILED_TO_READ_CA_FILE(this.caFile!, error)}`,\n );\n }\n // This can happen in the middle of CA rotation\n if (fileContent.length === 0) {\n if (!this.cachedTlsSettings) {\n // If the transport was never created, error out here to force retrying the call later\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.CA_FILE_EMPTY(this.caFile)}`,\n );\n }\n // If the transport was already created, just keep using it\n return this.cachedTlsSettings;\n }\n\n // Check if CA has changed\n if (!this.cachedCaData || !fileContent.equals(this.cachedCaData)) {\n const caDataString = fileContent.toString(\"utf8\");\n\n if (!canParseAsX509Certificate(caDataString)) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.INVALID_CA_CERTIFICATES}`,\n );\n }\n\n // CA has changed, rebuild the TLS settings with new CA pool\n this.cachedTlsSettings = {\n ca: caDataString,\n ...(this.sniName && { servername: this.sniName }),\n };\n this.cachedCaData = fileContent;\n }\n\n return this.cachedTlsSettings!;\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options?: GetTokenOptions,\n ): Promise<AccessToken> {\n if (!this.client) {\n const errorMessage = `${credentialName}: is unavailable. 
${ErrorMessages.MISSING_ENV_VARS}`;\n logger.info(errorMessage);\n throw new CredentialUnavailableError(errorMessage);\n }\n logger.info(\"Invoking getToken() of Client Assertion Credential\");\n return this.client.getToken(scopes, options);\n }\n\n private async readFileContents(): Promise<string> {\n // Cached assertions expire after 5 minutes\n if (this.cacheDate !== undefined && Date.now() - this.cacheDate >= 1000 * 60 * 5) {\n this.azureFederatedTokenFileContent = undefined;\n }\n if (!this.federatedTokenFilePath) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.INVALID_FILE_PATH(this.federatedTokenFilePath)}`,\n );\n }\n if (!this.azureFederatedTokenFileContent) {\n const file = await readFile(this.federatedTokenFilePath, \"utf8\");\n const value = file.trim();\n if (!value) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.NO_FILE_CONTENT(this.federatedTokenFilePath)}`,\n );\n } else {\n this.azureFederatedTokenFileContent = value;\n this.cacheDate = Date.now();\n }\n }\n return this.azureFederatedTokenFileContent;\n }\n}\n"]}
1
+ {"version":3,"file":"workloadIdentityCredential.js","sourceRoot":"","sources":["../../../src/credentials/workloadIdentityCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAwElC,4EAwCC;AA7GD,mDAAsE;AAEtE,iFAA2E;AAC3E,4CAA0D;AAE1D,+DAAyD;AACzD,+CAA4C;AAE5C,kEAAoE;AAEpE,uEAAyE;AACzE,qCAAuC;AAEvC,MAAM,cAAc,GAAG,4BAA4B,CAAC;AACpD;;;;;;GAMG;AACU,QAAA,qCAAqC,GAAG;IACnD,iBAAiB;IACjB,iBAAiB;IACjB,4BAA4B;CAC7B,CAAC;AAEF,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,cAAc,CAAC,CAAC;AAEhD;;GAEG;AACH,MAAM,aAAa,GAAG;IACpB,2BAA2B,EAAE,CAAC,QAAgB,EAAE,KAAc,EAAE,EAAE,CAChE,2CAA2C,QAAQ,MAAM,KAAK,EAAE;IAClE,oBAAoB,EAAE,CAAC,QAAgB,EAAE,EAAE,CACzC,qDAAqD,QAAQ,GAAG;IAClE,2BAA2B,EAAE,CAAC,GAAW,EAAE,EAAE,CAC3C,8BAA8B,GAAG,8BAA8B;IACjE,uBAAuB,EAAE,CAAC,GAAW,EAAE,EAAE,CACvC,8BAA8B,GAAG,4BAA4B;IAC/D,0BAA0B,EAAE,CAAC,GAAW,EAAE,EAAE,CAC1C,8BAA8B,GAAG,+BAA+B;IAClE,aAAa,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,iCAAiC,IAAI,EAAE;IACxE,sBAAsB,EAAE,CAAC,IAAY,EAAE,KAAc,EAAE,EAAE,CACvD,uCAAuC,IAAI,KAAK,KAAK,EAAE;IACzD,uBAAuB,EAAE,8DAA8D;IACvF,iBAAiB,EAAE,CAAC,IAAwB,EAAE,EAAE,CAAC,8BAA8B,IAAI,GAAG;IACtF,eAAe,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,0BAA0B,IAAI,GAAG;IACpE,YAAY,EAAE,qCAAqC;IACnD,kBAAkB,EAAE;qIAC+G;IACnI,kBAAkB,EAAE;qIAC+G;IACnI,wBAAwB,EAAE;qIACyG;IACnI,mBAAmB,EAAE,6GAA6G;IAClI,0BAA0B,EAAE,iGAAiG;IAC7H,gBAAgB,EAAE;;;;iKAI6I;CAChK,CAAC;AAEF;;;GAGG;AACH,SAAgB,gCAAgC,CAAC,QAAgB;IAC/D,IAAI,UAAe,CAAC;IACpB,IAAI,CAAC;QACH,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,2BAA2B,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAE,CACnG,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,oBAAoB,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAChG,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;QAC/C,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,2BAA2B,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,EAAE,CACzG,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC;QACtB,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAq
B,aAAa,CAAC,uBAAuB,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,EAAE,CACrG,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;QACpB,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,0BAA0B,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,EAAE,CACxG,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,UAAU,CAAC,QAAQ,IAAI,UAAU,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QACvD,+EAA+E;QAC/E,UAAU,CAAC,QAAQ,GAAG,GAAG,CAAC;IAC5B,CAAC;IAED,OAAO,UAAU,CAAC,QAAQ,EAAE,CAAC;AAC/B,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAa,0BAA0B;IAC7B,MAAM,CAAwC;IAC9C,8BAA8B,GAAuB,SAAS,CAAC;IAC/D,SAAS,GAAuB,SAAS,CAAC;IAC1C,sBAAsB,CAAqB;IAEnD,wDAAwD;IAChD,iBAAiB,CAAsD;IACvE,YAAY,CAAqB;IACjC,MAAM,CAAqB;IAC3B,MAAM,CAAqB;IAC3B,OAAO,CAAqB;IAEpC;;;;OAIG;IACH,YAAY,OAA2C;QACrD,kDAAkD;QAClD,MAAM,WAAW,GAAG,IAAA,2BAAc,EAAC,6CAAqC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9F,MAAM,CAAC,IAAI,CAAC,8CAA8C,WAAW,EAAE,CAAC,CAAC;QAEzE,MAAM,iCAAiC,GAAG,OAAO,IAAI,EAAE,CAAC;QACxD,MAAM,QAAQ,GAAG,iCAAiC,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC3F,MAAM,QAAQ,GAAG,iCAAiC,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;QAC3F,IAAI,CAAC,sBAAsB;YACzB,iCAAiC,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC;QAE5F,IAAI,QAAQ,EAAE,CAAC;YACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,kBAAkB,EAAE,CACzE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,kBAAkB,EAAE,CACzE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACjC,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,wBAAwB,EAAE,CAC/E,CAAC;QACJ,CAAC;QAED,8DAA8D;QAC9D,IAAI,iCAAiC,CAAC,gBAAgB,EAAE,CAAC;YACvD,MAAM,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC;YACtE,MAAM,iBAAiB,GAAG,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC;YAChE,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YAC9D,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC;YAE9D,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,mGAAmG;gBACnG,iFAAiF;gBACjF,IAAI,iBAAiB,IAAI,gBAAgB,IAAI,gBAAgB,EAAE,CAAC;oBAC9D,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,mBAAmB,EAAE,CA
C1E,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,IAAI,CACT,wGAAwG,CACzG,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,UAAU,GAAG,gCAAgC,CAAC,oBAAoB,CAAC,CAAC;gBAE1E,oEAAoE;gBACpE,gFAAgF;gBAChF,IAAI,gBAAgB,IAAI,gBAAgB,EAAE,CAAC;oBACzC,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,0BAA0B,EAAE,CACjF,CAAC;gBACJ,CAAC;gBAED,IAAI,CAAC,MAAM,GAAG,gBAAgB,CAAC;gBAC/B,IAAI,CAAC,MAAM,GAAG,gBAAgB,CAAC;gBAC/B,IAAI,CAAC,OAAO,GAAG,iBAAiB,CAAC;gBAEjC,iDAAiD;gBACjD,MAAM,WAAW,GAAG,IAAI,CAAC,oBAAoB,CAAC,UAAU,CAAC,CAAC;gBAC1D,iCAAiC,CAAC,UAAU,GAAG,WAAW,CAAC;gBAC3D,MAAM,CAAC,IAAI,CAAC,GAAG,cAAc,yCAAyC,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CACT,sDAAsD,QAAQ,eAAe,iCAAiC,CAAC,QAAQ,uCAAuC,CAC/J,CAAC;QAEF,IAAI,CAAC,MAAM,GAAG,IAAI,wDAAyB,CACzC,QAAQ,EACR,QAAQ,EACR,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAChC,iCAAiC,CAClC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,oBAAoB,CAAC,aAAqB;QAChD,MAAM,aAAa,GAAG,IAAA,4CAAuB,GAAE,CAAC;QAChD,iFAAiF;QACjF,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QAE/C,OAAO;YACL,WAAW,EAAE,KAAK,EAAE,OAAwB,EAA6B,EAAE;gBACzE,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;gBAExC,MAAM,CAAC,IAAI,CACT,GAAG,cAAc,iDAAiD,aAAa,EAAE,CAClF,CAAC;gBAEF,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;gBAExC,kEAAkE;gBAClE,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBAC3D,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAClD,CAAC,CAAC,QAAQ,CAAC,QAAQ,GAAG,WAAW;oBACjC,CAAC,CAAC,QAAQ,CAAC,QAAQ,GAAG,GAAG,GAAG,WAAW,CAAC;gBAE1C,qEAAqE;gBACrE,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;gBACxC,MAAM,CAAC,QAAQ,GAAG,YAAY,CAAC;gBAC/B,MAAM,CAAC,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;gBAClC,MAAM,CAAC,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC;gBAE9B,OAAO,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAChC,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;gBAE5C,MAAM,CAAC,IAAI,CAAC,GAAG,cAAc,wBAAwB,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;gBACpE,wDAAwD;gBACxD,OAAO,aAAa,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC5C,CAAC;SACF,CAAC;IACJ,CAAC;IAED;;;OAGG;IACK,cAAc;QACpB,yCAAyC;QACzC,IAAI,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,C
AAC,MAAM,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5E,CAAC;YACD,OAAO,IAAI,CAAC,iBAAiB,CAAC;QAChC,CAAC;QAED,0EAA0E;QAC1E,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,IAAI,CAAC,IAAA,gDAAyB,EAAC,IAAI,CAAC,MAAO,CAAC,EAAE,CAAC;oBAC7C,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,uBAAuB,EAAE,CAC9E,CAAC;gBACJ,CAAC;gBACD,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1E,IAAI,CAAC,iBAAiB,CAAC,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;YAC1C,CAAC;YACD,OAAO,IAAI,CAAC,iBAAiB,CAAC;QAChC,CAAC;QAED,qEAAqE;QACrE,IAAI,WAAmB,CAAC;QACxB,IAAI,CAAC;YACH,WAAW,GAAG,IAAA,sBAAY,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,sBAAsB,CAAC,IAAI,CAAC,MAAO,EAAE,KAAK,CAAC,EAAE,CAClG,CAAC;QACJ,CAAC;QACD,+CAA+C;QAC/C,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,sFAAsF;gBACtF,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CACjF,CAAC;YACJ,CAAC;YACD,2DAA2D;YAC3D,OAAO,IAAI,CAAC,iBAAiB,CAAC;QAChC,CAAC;QAED,0BAA0B;QAC1B,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACjE,MAAM,YAAY,GAAG,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAElD,IAAI,CAAC,IAAA,gDAAyB,EAAC,YAAY,CAAC,EAAE,CAAC;gBAC7C,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,uBAAuB,EAAE,CAC9E,CAAC;YACJ,CAAC;YAED,4DAA4D;YAC5D,IAAI,CAAC,iBAAiB,GAAG;gBACvB,EAAE,EAAE,YAAY;gBAChB,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;aAClD,CAAC;YACF,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC;QAClC,CAAC;QAED,OAAO,IAAI,CAAC,iBAAkB,CAAC;IACjC,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,OAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,YAAY,GAAG,GAAG,cAAc,qBAAqB,aAAa,CAAC,gBAAgB,EAAE,CAAC;YAC5F,MAAM,CAAC,IAAI,CAAC,Y
AAY,CAAC,CAAC;YAC1B,MAAM,IAAI,sCAA0B,CAAC,YAAY,CAAC,CAAC;QACrD,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAEO,KAAK,CAAC,gBAAgB;QAC5B,2CAA2C;QAC3C,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,IAAI,IAAI,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YACjF,IAAI,CAAC,8BAA8B,GAAG,SAAS,CAAC;QAClD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACjC,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,iBAAiB,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,CACrG,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,8BAA8B,EAAE,CAAC;YACzC,MAAM,IAAI,GAAG,MAAM,IAAA,mBAAQ,EAAC,IAAI,CAAC,sBAAsB,EAAE,MAAM,CAAC,CAAC;YACjE,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC1B,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qBAAqB,aAAa,CAAC,eAAe,CAAC,IAAI,CAAC,sBAAsB,CAAC,EAAE,CACnG,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,8BAA8B,GAAG,KAAK,CAAC;gBAC5C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC9B,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC,8BAA8B,CAAC;IAC7C,CAAC;CACF;AAjQD,gEAiQC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { credentialLogger, processEnvVars } from \"../util/logging.js\";\n\nimport { ClientAssertionCredential } from \"./clientAssertionCredential.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport type { WorkloadIdentityCredentialOptions } from \"./workloadIdentityCredentialOptions.js\";\nimport { checkTenantId } from \"../util/tenantIdUtils.js\";\nimport { readFile } from \"node:fs/promises\";\nimport type { PipelineRequest, PipelineResponse, HttpClient } from \"@azure/core-rest-pipeline\";\nimport { createDefaultHttpClient } from \"@azure/core-rest-pipeline\";\nimport type { TlsSettings } from \"@azure/core-rest-pipeline\";\nimport { canParseAsX509Certificate } from \"../util/certificatesUtils.js\";\nimport { readFileSync } 
from \"node:fs\";\n\nconst credentialName = \"WorkloadIdentityCredential\";\n/**\n * Contains the list of all supported environment variable names so that an\n * appropriate error message can be generated when no credentials can be\n * configured.\n *\n * @internal\n */\nexport const SupportedWorkloadEnvironmentVariables = [\n \"AZURE_TENANT_ID\",\n \"AZURE_CLIENT_ID\",\n \"AZURE_FEDERATED_TOKEN_FILE\",\n];\n\nconst logger = credentialLogger(credentialName);\n\n/**\n * Error messages for WorkloadIdentityCredential\n */\nconst ErrorMessages = {\n FAILED_TO_PARSE_TOKEN_PROXY: (endpoint: string, error: unknown) =>\n `Failed to parse custom token proxy URL \"${endpoint}\": ${error}`,\n INVALID_HTTPS_SCHEME: (protocol: string) =>\n `Custom token endpoint must use https scheme, got \"${protocol}\"`,\n TOKEN_ENDPOINT_NO_USER_INFO: (url: string) =>\n `Custom token endpoint URL \"${url}\" must not contain user info`,\n TOKEN_ENDPOINT_NO_QUERY: (url: string) =>\n `Custom token endpoint URL \"${url}\" must not contain a query`,\n TOKEN_ENDPOINT_NO_FRAGMENT: (url: string) =>\n `Custom token endpoint URL \"${url}\" must not contain a fragment`,\n CA_FILE_EMPTY: (file: string) => `CA certificate file is empty: ${file}`,\n FAILED_TO_READ_CA_FILE: (file: string, error: unknown) =>\n `Failed to read CA certificate file: ${file}. ${error}`,\n INVALID_CA_CERTIFICATES: `Invalid CA certificate data: no valid PEM certificates found`,\n INVALID_FILE_PATH: (path: string | undefined) => `Invalid file path provided ${path}.`,\n NO_FILE_CONTENT: (path: string) => `No content on the file ${path}.`,\n NO_CA_SOURCE: `No CA certificate source specified.`,\n CLIENT_ID_REQUIRED: `clientId is a required parameter. 
In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - \"AZURE_CLIENT_ID\".\n See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`,\n TENANT_ID_REQUIRED: `tenantId is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - \"AZURE_TENANT_ID\".\n See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`,\n TOKEN_FILE_PATH_REQUIRED: `federatedTokenFilePath is a required parameter. In DefaultAzureCredential and ManagedIdentityCredential, this can be provided as an environment variable - \"AZURE_FEDERATED_TOKEN_FILE\".\n See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`,\n TOKEN_PROXY_NOT_SET: `AZURE_KUBERNETES_TOKEN_PROXY is not set but other custom endpoint-related environment variables are present`,\n CA_FILE_AND_DATA_EXCLUSIVE: `AZURE_KUBERNETES_CA_FILE and AZURE_KUBERNETES_CA_DATA are mutually exclusive. Specify only one.`,\n MISSING_ENV_VARS: `tenantId, clientId, and federatedTokenFilePath are required parameters. \n In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables - \n \"AZURE_TENANT_ID\",\n \"AZURE_CLIENT_ID\",\n \"AZURE_FEDERATED_TOKEN_FILE\". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot`,\n};\n\n/**\n * @internal\n * Parses and validates the custom token proxy endpoint URL\n */\nexport function parseAndValidateCustomTokenProxy(endpoint: string): string {\n let tokenProxy: URL;\n try {\n tokenProxy = new URL(endpoint);\n } catch (error) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. 
${ErrorMessages.FAILED_TO_PARSE_TOKEN_PROXY(endpoint, error)}`,\n );\n }\n\n if (tokenProxy.protocol !== \"https:\") {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.INVALID_HTTPS_SCHEME(tokenProxy.protocol)}`,\n );\n }\n\n if (tokenProxy.username || tokenProxy.password) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TOKEN_ENDPOINT_NO_USER_INFO(tokenProxy.toString())}`,\n );\n }\n\n if (tokenProxy.search) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TOKEN_ENDPOINT_NO_QUERY(tokenProxy.toString())}`,\n );\n }\n\n if (tokenProxy.hash) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TOKEN_ENDPOINT_NO_FRAGMENT(tokenProxy.toString())}`,\n );\n }\n\n if (!tokenProxy.pathname || tokenProxy.pathname === \"\") {\n // if the path is empty, set it to \"/\" to avoid stripping the path from req.URL\n tokenProxy.pathname = \"/\";\n }\n\n return tokenProxy.toString();\n}\n\n/**\n * Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)\n * to access other Azure resources without the need for a service principal or managed identity. With Workload Identity\n * authentication, applications authenticate themselves using their own identity, rather than using a shared service\n * principal or managed identity. Under the hood, Workload Identity authentication uses the concept of Service Account\n * Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using Workload\n * Identity authentication, you can avoid the need to manage and rotate service principals or managed identities for\n * each application on each VM. 
Additionally, because SACs are created automatically and managed by Azure, you don't\n * need to worry about storing and securing sensitive credentials themselves.\n * The WorkloadIdentityCredential supports Microsoft Entra Workload ID authentication on Azure Kubernetes and acquires\n * a token using the SACs available in the Azure Kubernetes environment.\n * Refer to <a href=\"https://learn.microsoft.com/azure/aks/workload-identity-overview\">Microsoft Entra\n * Workload ID</a> for more information.\n */\nexport class WorkloadIdentityCredential implements TokenCredential {\n private client: ClientAssertionCredential | undefined;\n private azureFederatedTokenFileContent: string | undefined = undefined;\n private cacheDate: number | undefined = undefined;\n private federatedTokenFilePath: string | undefined;\n\n // AKS proxy CA caching - persists across token requests\n private cachedTlsSettings: (TlsSettings & { servername?: string }) | undefined;\n private cachedCaData: Buffer | undefined;\n private caData: string | undefined;\n private caFile: string | undefined;\n private sniName: string | undefined;\n\n /**\n * WorkloadIdentityCredential supports Microsoft Entra Workload ID on Kubernetes.\n *\n * @param options - The identity client options to use for authentication.\n */\n constructor(options?: WorkloadIdentityCredentialOptions) {\n // Logging environment variables for error details\n const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(\", \");\n logger.info(`Found the following environment variables: ${assignedEnv}`);\n\n const workloadIdentityCredentialOptions = options ?? 
{};\n const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;\n const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;\n this.federatedTokenFilePath =\n workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;\n\n if (tenantId) {\n checkTenantId(logger, tenantId);\n }\n if (!clientId) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.CLIENT_ID_REQUIRED}`,\n );\n }\n\n if (!tenantId) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TENANT_ID_REQUIRED}`,\n );\n }\n\n if (!this.federatedTokenFilePath) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.TOKEN_FILE_PATH_REQUIRED}`,\n );\n }\n\n // Use identity binding mode only when enableAzureProxy is set\n if (workloadIdentityCredentialOptions.enableAzureProxy) {\n const kubernetesTokenProxy = process.env.AZURE_KUBERNETES_TOKEN_PROXY;\n const kubernetesSNIName = process.env.AZURE_KUBERNETES_SNI_NAME;\n const kubernetesCAFile = process.env.AZURE_KUBERNETES_CA_FILE;\n const kubernetesCAData = process.env.AZURE_KUBERNETES_CA_DATA;\n\n if (!kubernetesTokenProxy) {\n // Custom token proxy is not set, while other Kubernetes-related environment variables are present,\n // this is likely a configuration issue so erroring out to avoid misconfiguration\n if (kubernetesSNIName || kubernetesCAFile || kubernetesCAData) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. 
${ErrorMessages.TOKEN_PROXY_NOT_SET}`,\n );\n }\n logger.info(\n `enableAzureProxy is true but AZURE_KUBERNETES_TOKEN_PROXY is not set, using normal authentication flow`,\n );\n } else {\n const tokenProxy = parseAndValidateCustomTokenProxy(kubernetesTokenProxy);\n\n // CAFile and CAData are mutually exclusive, at most one can be set.\n // If none of CAFile or CAData are set, the default system CA pool will be used.\n if (kubernetesCAFile && kubernetesCAData) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.CA_FILE_AND_DATA_EXCLUSIVE}`,\n );\n }\n\n this.caData = kubernetesCAData;\n this.caFile = kubernetesCAFile;\n this.sniName = kubernetesSNIName;\n\n // Configure client options with AKS proxy client\n const proxyClient = this.createAksProxyClient(tokenProxy);\n workloadIdentityCredentialOptions.httpClient = proxyClient;\n logger.info(`${credentialName}: Using proxy client for token requests`);\n }\n }\n\n logger.info(\n `Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`,\n );\n\n this.client = new ClientAssertionCredential(\n tenantId,\n clientId,\n this.readFileContents.bind(this),\n workloadIdentityCredentialOptions,\n );\n }\n\n /**\n * Creates a proxy HttpClient that intercepts token requests and redirects them to the Kubernetes endpoint\n * Caching is handled at the credential level to persist across token requests\n */\n private createAksProxyClient(tokenEndpoint: string): HttpClient {\n const defaultClient = createDefaultHttpClient();\n // Init cached TLS settings at construction time to fail fast on misconfiguration\n this.cachedTlsSettings = this.getTlsSettings();\n\n return {\n sendRequest: async (request: PipelineRequest): Promise<PipelineResponse> => {\n const requestUrl = new URL(request.url);\n\n logger.info(\n `${credentialName}: Redirecting request to Kubernetes endpoint: ${tokenEndpoint}`,\n 
);\n\n const proxyUrl = new URL(tokenEndpoint);\n\n // Remove leading slash from request path and join with proxy path\n const requestPath = requestUrl.pathname.replace(/^\\//, \"\");\n const combinedPath = proxyUrl.pathname.endsWith(\"/\")\n ? proxyUrl.pathname + requestPath\n : proxyUrl.pathname + \"/\" + requestPath;\n\n // Create new URL preserving query and fragment from original request\n const newUrl = new URL(proxyUrl.origin);\n newUrl.pathname = combinedPath;\n newUrl.search = requestUrl.search;\n newUrl.hash = requestUrl.hash;\n\n request.url = newUrl.toString();\n request.tlsSettings = this.getTlsSettings();\n\n logger.info(`${credentialName}: Sending request to ${request.url}`);\n // Forward the modified request with custom TLS settings\n return defaultClient.sendRequest(request);\n },\n };\n }\n\n /**\n * Gets TLS settings for the request.\n * Handles a few scenarios with CA data or CA file provided.\n */\n private getTlsSettings(): TlsSettings & { servername?: string } {\n // No CA overrides, use default transport\n if (!this.caData && !this.caFile) {\n if (!this.cachedTlsSettings) {\n this.cachedTlsSettings = this.sniName ? { servername: this.sniName } : {};\n }\n return this.cachedTlsSettings;\n }\n\n // Host provided CA bytes in AZURE_KUBERNETES_CA_DATA and can't change now\n if (!this.caFile) {\n if (!this.cachedTlsSettings) {\n if (!canParseAsX509Certificate(this.caData!)) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.INVALID_CA_CERTIFICATES}`,\n );\n }\n this.cachedTlsSettings = this.sniName ? { servername: this.sniName } : {};\n this.cachedTlsSettings.ca = this.caData;\n }\n return this.cachedTlsSettings;\n }\n\n // Host provided the CA bytes in a file whose contents it can change,\n let fileContent: Buffer;\n try {\n fileContent = readFileSync(this.caFile);\n } catch (error) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. 
${ErrorMessages.FAILED_TO_READ_CA_FILE(this.caFile!, error)}`,\n );\n }\n // This can happen in the middle of CA rotation\n if (fileContent.length === 0) {\n if (!this.cachedTlsSettings) {\n // If the transport was never created, error out here to force retrying the call later\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.CA_FILE_EMPTY(this.caFile)}`,\n );\n }\n // If the transport was already created, just keep using it\n return this.cachedTlsSettings;\n }\n\n // Check if CA has changed\n if (!this.cachedCaData || !fileContent.equals(this.cachedCaData)) {\n const caDataString = fileContent.toString(\"utf8\");\n\n if (!canParseAsX509Certificate(caDataString)) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.INVALID_CA_CERTIFICATES}`,\n );\n }\n\n // CA has changed, rebuild the TLS settings with new CA pool\n this.cachedTlsSettings = {\n ca: caDataString,\n ...(this.sniName && { servername: this.sniName }),\n };\n this.cachedCaData = fileContent;\n }\n\n return this.cachedTlsSettings!;\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options?: GetTokenOptions,\n ): Promise<AccessToken> {\n if (!this.client) {\n const errorMessage = `${credentialName}: is unavailable. 
${ErrorMessages.MISSING_ENV_VARS}`;\n logger.info(errorMessage);\n throw new CredentialUnavailableError(errorMessage);\n }\n logger.info(\"Invoking getToken() of Client Assertion Credential\");\n return this.client.getToken(scopes, options);\n }\n\n private async readFileContents(): Promise<string> {\n // Cached assertions expire after 5 minutes\n if (this.cacheDate !== undefined && Date.now() - this.cacheDate >= 1000 * 60 * 5) {\n this.azureFederatedTokenFileContent = undefined;\n }\n if (!this.federatedTokenFilePath) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.INVALID_FILE_PATH(this.federatedTokenFilePath)}`,\n );\n }\n if (!this.azureFederatedTokenFileContent) {\n const file = await readFile(this.federatedTokenFilePath, \"utf8\");\n const value = file.trim();\n if (!value) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. ${ErrorMessages.NO_FILE_CONTENT(this.federatedTokenFilePath)}`,\n );\n } else {\n this.azureFederatedTokenFileContent = value;\n this.cacheDate = Date.now();\n }\n }\n return this.azureFederatedTokenFileContent;\n }\n}\n"]}
@@ -17,8 +17,8 @@ export interface WorkloadIdentityCredentialOptions extends MultiTenantTokenCrede
17
17
  */
18
18
  tokenFilePath?: string;
19
19
  /**
20
- * Enables the identity binding feature.
20
+ * Enables the {@link https://learn.microsoft.com/azure/aks/identity-bindings-concepts | identity binding feature}.
21
21
  */
22
- enableAzureKubernetesTokenProxy?: boolean;
22
+ enableAzureProxy?: boolean;
23
23
  }
24
24
  //# sourceMappingURL=workloadIdentityCredentialOptions.d.ts.map
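Review bot: The doc comment on `enableAzureProxy` (new lines 19–22) only links to the identity-bindings page and does not say what the flag changes at runtime. The credential source embedded in the source map earlier on this page shows that when the flag is set and `AZURE_KUBERNETES_TOKEN_PROXY` is present, token requests are redirected to that endpoint, with the CA taken from `AZURE_KUBERNETES_CA_FILE` or `AZURE_KUBERNETES_CA_DATA` and the SNI name from `AZURE_KUBERNETES_SNI_NAME`. I would add a sentence to the comment such as `When true and AZURE_KUBERNETES_TOKEN_PROXY is set, token requests are redirected to that HTTPS endpoint; CA and SNI overrides are read from the environment.` Since that constructor reads only `enableAzureProxy`, a plain-JavaScript caller still passing `enableAzureKubernetesTokenProxy` gets the normal flow with no error, which the changelog should state. The interface begins outside the hunk.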
@@ -1 +1 @@
1
- {"version":3,"file":"workloadIdentityCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/workloadIdentityCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,iCACf,SAAQ,iCAAiC,EAAE,0BAA0B;IACrE;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,+BAA+B,CAAC,EAAE,OAAO,CAAC;CAC3C"}
1
+ {"version":3,"file":"workloadIdentityCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/workloadIdentityCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,iCACf,SAAQ,iCAAiC,EAAE,0BAA0B;IACrE;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,gBAAgB,CAAC,EAAE,OAAO,CAAC;CAC5B"}
@@ -1 +1 @@
1
- {"version":3,"file":"workloadIdentityCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/workloadIdentityCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link WorkloadIdentityCredential}\n */\nexport interface WorkloadIdentityCredentialOptions\n extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {\n /**\n * ID of the application's Microsoft Entra tenant. Also called its directory ID.\n */\n tenantId?: string;\n /**\n * The client ID of a Microsoft Entra app registration.\n */\n clientId?: string;\n /**\n * The path to a file containing a Kubernetes service account token that authenticates the identity.\n */\n tokenFilePath?: string;\n /**\n * Enables the identity binding feature.\n */\n enableAzureKubernetesTokenProxy?: boolean;\n}\n"]}
1
+ {"version":3,"file":"workloadIdentityCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/workloadIdentityCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link WorkloadIdentityCredential}\n */\nexport interface WorkloadIdentityCredentialOptions\n extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {\n /**\n * ID of the application's Microsoft Entra tenant. Also called its directory ID.\n */\n tenantId?: string;\n /**\n * The client ID of a Microsoft Entra app registration.\n */\n clientId?: string;\n /**\n * The path to a file containing a Kubernetes service account token that authenticates the identity.\n */\n tokenFilePath?: string;\n /**\n * Enables the {@link https://learn.microsoft.com/azure/aks/identity-bindings-concepts | identity binding feature}.\n */\n enableAzureProxy?: boolean;\n}\n"]}
@@ -4,9 +4,10 @@ import type { AuthenticationRecord, CertificateParts } from "../types.js";
4
4
  import type { CredentialLogger } from "../../util/logging.js";
5
5
  import type { BrokerOptions } from "./brokerOptions.js";
6
6
  import type { DeviceCodePromptCallback } from "../../credentials/deviceCodeCredentialOptions.js";
7
- import { IdentityClient } from "../../client/identityClient.js";
8
7
  import type { InteractiveBrowserCredentialNodeOptions } from "../../credentials/interactiveBrowserCredentialOptions.js";
9
8
  import type { TokenCachePersistenceOptions } from "./tokenCachePersistenceOptions.js";
9
+ import { CommonClientOptions } from "@azure/core-client";
10
+ import { LogPolicyOptions } from "@azure/core-rest-pipeline";
10
11
  /**
11
12
  * Represents the options for acquiring a token using flows that support silent authentication.
12
13
  */
@@ -138,7 +139,7 @@ export interface MsalClient {
138
139
  /**
139
140
  * Represents the options for configuring the MsalClient.
140
141
  */
141
- export interface MsalClientOptions {
142
+ export interface MsalClientOptions extends CommonClientOptions {
142
143
  /**
143
144
  * Parameters that enable WAM broker authentication in the InteractiveBrowserCredential.
144
145
  */
@@ -154,15 +155,20 @@ export interface MsalClientOptions {
154
155
  /**
155
156
  * A custom authority host.
156
157
  */
157
- authorityHost?: IdentityClient["tokenCredentialOptions"]["authorityHost"];
158
+ authorityHost?: string;
158
159
  /**
159
160
  * Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.
160
161
  */
161
- loggingOptions?: IdentityClient["tokenCredentialOptions"]["loggingOptions"];
162
- /**
163
- * The token credential options for the MsalClient.
164
- */
165
- tokenCredentialOptions?: IdentityClient["tokenCredentialOptions"];
162
+ loggingOptions?: LogPolicyOptions & {
163
+ /**
164
+ * Allows logging account information once the authentication flow succeeds.
165
+ */
166
+ allowLoggingAccountIdentifiers?: boolean;
167
+ /**
168
+ * Allows logging personally identifiable information for customer support.
169
+ */
170
+ enableUnsafeSupportLogging?: boolean;
171
+ };
166
172
  /**
167
173
  * Determines whether instance discovery is disabled.
168
174
  */
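Review bot: The inline type added for `loggingOptions` (new lines 162–171) documents `enableUnsafeSupportLogging` only as "Allows logging personally identifiable information for customer support", which does not tell a caller when it is acceptable to turn it on. I would state the consequence in the comment, e.g. `Writes personally identifiable information to the log output; enable only during a support investigation and disable it afterwards.` The two flags are also re-declared here rather than derived from the identity client's options as the removed `IdentityClient["tokenCredentialOptions"]["loggingOptions"]` was, so this copy can drift from the type the identity client accepts (that type is not visible here); a single named type used by both would avoid that. `MsalClientOptions` starts in the previous hunk and continues past this one.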
@@ -1 +1 @@
1
- {"version":3,"file":"msalClient.d.ts","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClient.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AAEzC,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,KAAK,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAiB9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,kDAAkD,CAAC;AACjG,OAAO,EAAE,cAAc,EAAE,MAAM,gCAAgC,CAAC;AAChE,OAAO,KAAK,EAAE,uCAAuC,EAAE,MAAM,0DAA0D,CAAC;AACxH,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAUtF;;GAEG;AACH,MAAM,WAAW,6BAA8B,SAAQ,eAAe;IACpE;;;;;;OAMG;IACH,8BAA8B,CAAC,EAAE,OAAO,CAAC;CAC1C;AAED;;GAEG;AACH,MAAM,WAAW,0BAA2B,SAAQ,6BAA6B;IAC/E;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;OAEG;IACH,2BAA2B,CAAC,EAAE,uCAAuC,CAAC,6BAA6B,CAAC,CAAC;IACrG;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB;;;;;;;;;OASG;IACH,kBAAkB,CAChB,MAAM,EAAE,MAAM,EAAE,EAChB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,GAAG,gBAAgB,GAAG,CAAC,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,EACtE,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;OAKG;IACH,4BAA4B,CAC1B,MAAM,EAAE,MAAM,EAAE,EAChB,OAAO,EAAE,0BAA0B,GAClC,OAAO,CAAC,WAAW,CAAC,CAAC;IACxB;;;;;;;;OAQG;IACH,0BAA0B,CACxB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IACxB;;;;;;;OAOG;IACH,oBAAoB,CAClB,MAAM,EAAE,MAAM,EAAE,EAChB,kBAAkB,EAAE,wBAAwB,EAC5C,OAAO,CAAC,EAAE,6BAA6B,GACtC,OAAO,CAAC,WAAW,CAAC,CAAC;IACxB;;;;;;;OAOG;IACH,2BAA2B,CACzB,MAAM,EAAE,MAAM,EAAE,EAChB,WAAW,EAAE,gBAAgB,EAC7B,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;;;OAOG;IACH,yBAAyB,CACvB,MAAM,EAAE,MAAM,EAAE,EAChB,eAAe,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,EACtC,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;;;OAOG;IACH,sBAAsB,CACpB,MAAM,EAAE,MAAM,EAAE,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;;;;;;;OAWG;IACH,2BAA2B,CACzB,MAAM,EAAE,MA
AM,EAAE,EAChB,WAAW,EAAE,MAAM,EACnB,iBAAiB,EAAE,MAAM,EACzB,YAAY,CAAC,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE,6BAA6B,GACtC,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;OAIG;IACH,gBAAgB,IAAI,oBAAoB,GAAG,SAAS,CAAC;IAErD;;;;;;;OAOG;IACH,gBAAgB,CACd,MAAM,EAAE,MAAM,EAAE,EAChB,uBAAuB,EAAE,OAAO,EAChC,OAAO,CAAC,EAAE,0BAA0B,GACnC,OAAO,CAAC,WAAW,CAAC,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,aAAa,CAAC,EAAE,aAAa,CAAC;IAE9B;;OAEG;IACH,4BAA4B,CAAC,EAAE,4BAA4B,CAAC;IAE5D;;OAEG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAE7B;;OAEG;IACH,aAAa,CAAC,EAAE,cAAc,CAAC,wBAAwB,CAAC,CAAC,eAAe,CAAC,CAAC;IAE1E;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC,wBAAwB,CAAC,CAAC,gBAAgB,CAAC,CAAC;IAE5E;;OAEG;IACH,sBAAsB,CAAC,EAAE,cAAc,CAAC,wBAAwB,CAAC,CAAC;IAElE;;OAEG;IACH,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC;;OAEG;IACH,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAE1B;;OAEG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;CAC7C;AAED;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,iBAAiB,GAAE,iBAAsB,GACxC,IAAI,CAAC,aAAa,CAoCpB;AAuBD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,uBAAuB,GAAE,iBAAsB,GAC9C,UAAU,CA0jBZ"}
1
+ {"version":3,"file":"msalClient.d.ts","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClient.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AAEzC,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACrE,OAAO,KAAK,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC1E,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAgB9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,kDAAkD,CAAC;AAEjG,OAAO,KAAK,EAAE,uCAAuC,EAAE,MAAM,0DAA0D,CAAC;AACxH,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AAItF,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAQ7D;;GAEG;AACH,MAAM,WAAW,6BAA8B,SAAQ,eAAe;IACpE;;;;;;OAMG;IACH,8BAA8B,CAAC,EAAE,OAAO,CAAC;CAC1C;AAED;;GAEG;AACH,MAAM,WAAW,0BAA2B,SAAQ,6BAA6B;IAC/E;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;OAEG;IACH,2BAA2B,CAAC,EAAE,uCAAuC,CAAC,6BAA6B,CAAC,CAAC;IACrG;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB;;;;;;;;;OASG;IACH,kBAAkB,CAChB,MAAM,EAAE,MAAM,EAAE,EAChB,kBAAkB,EAAE,MAAM,EAC1B,iBAAiB,EAAE,MAAM,GAAG,gBAAgB,GAAG,CAAC,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC,EACtE,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;OAKG;IACH,4BAA4B,CAC1B,MAAM,EAAE,MAAM,EAAE,EAChB,OAAO,EAAE,0BAA0B,GAClC,OAAO,CAAC,WAAW,CAAC,CAAC;IACxB;;;;;;;;OAQG;IACH,0BAA0B,CACxB,MAAM,EAAE,MAAM,EAAE,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IACxB;;;;;;;OAOG;IACH,oBAAoB,CAClB,MAAM,EAAE,MAAM,EAAE,EAChB,kBAAkB,EAAE,wBAAwB,EAC5C,OAAO,CAAC,EAAE,6BAA6B,GACtC,OAAO,CAAC,WAAW,CAAC,CAAC;IACxB;;;;;;;OAOG;IACH,2BAA2B,CACzB,MAAM,EAAE,MAAM,EAAE,EAChB,WAAW,EAAE,gBAAgB,EAC7B,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;;;OAOG;IACH,yBAAyB,CACvB,MAAM,EAAE,MAAM,EAAE,EAChB,eAAe,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,EACtC,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;;;;OAOG;IACH,sBAAsB,CACpB,MAAM,EAAE,MAAM,EAAE,EAChB,YAAY,EAAE,MAAM,EACpB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAAC;IAEx
B;;;;;;;;;;;OAWG;IACH,2BAA2B,CACzB,MAAM,EAAE,MAAM,EAAE,EAChB,WAAW,EAAE,MAAM,EACnB,iBAAiB,EAAE,MAAM,EACzB,YAAY,CAAC,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE,6BAA6B,GACtC,OAAO,CAAC,WAAW,CAAC,CAAC;IAExB;;;;OAIG;IACH,gBAAgB,IAAI,oBAAoB,GAAG,SAAS,CAAC;IAErD;;;;;;;OAOG;IACH,gBAAgB,CACd,MAAM,EAAE,MAAM,EAAE,EAChB,uBAAuB,EAAE,OAAO,EAChC,OAAO,CAAC,EAAE,0BAA0B,GACnC,OAAO,CAAC,WAAW,CAAC,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAkB,SAAQ,mBAAmB;IAC5D;;OAEG;IACH,aAAa,CAAC,EAAE,aAAa,CAAC;IAE9B;;OAEG;IACH,4BAA4B,CAAC,EAAE,4BAA4B,CAAC;IAE5D;;OAEG;IACH,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAE7B;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,cAAc,CAAC,EAAE,gBAAgB,GAAG;QAClC;;WAEG;QACH,8BAA8B,CAAC,EAAE,OAAO,CAAC;QACzC;;WAEG;QACH,0BAA0B,CAAC,EAAE,OAAO,CAAC;KACtC,CAAC;IAEF;;OAEG;IACH,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC;;OAEG;IACH,MAAM,CAAC,EAAE,gBAAgB,CAAC;IAE1B;;OAEG;IACH,oBAAoB,CAAC,EAAE,oBAAoB,CAAC;CAC7C;AAED;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CACvC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,iBAAiB,GAAE,iBAAsB,GACxC,IAAI,CAAC,aAAa,CAmCpB;AAuBD;;;;;;;;;GASG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,uBAAuB,GAAE,iBAAsB,GAC9C,UAAU,CA0jBZ"}
@@ -14,6 +14,7 @@ const identityClient_js_1 = require("../../client/identityClient.js");
14
14
  const regionalAuthority_js_1 = require("../../regionalAuthority.js");
15
15
  const logger_1 = require("@azure/logger");
16
16
  const tenantIdUtils_js_1 = require("../../util/tenantIdUtils.js");
17
+ const authorityHost_js_1 = require("../../util/authorityHost.js");
17
18
  /**
18
19
  * The default logger used if no logger was passed in by the credential.
19
20
  */
@@ -28,10 +29,9 @@ const msalLogger = (0, logging_js_1.credentialLogger)("MsalClient");
28
29
  */
29
30
  function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
30
31
  const resolvedTenant = (0, tenantIdUtils_js_1.resolveTenantId)(msalClientOptions.logger ?? msalLogger, tenantId, clientId);
31
- // TODO: move and reuse getIdentityClientAuthorityHost
32
- const authority = (0, utils_js_1.getAuthority)(resolvedTenant, (0, utils_js_1.getAuthorityHost)(msalClientOptions));
32
+ const authority = (0, utils_js_1.getAuthority)(resolvedTenant, (0, authorityHost_js_1.getAuthorityHost)(msalClientOptions));
33
33
  const httpClient = new identityClient_js_1.IdentityClient({
34
- ...msalClientOptions.tokenCredentialOptions,
34
+ ...msalClientOptions,
35
35
  authorityHost: authority,
36
36
  loggingOptions: msalClientOptions.loggingOptions,
37
37
  });
@@ -155,7 +155,7 @@ function createMsalClient(clientId, tenantId, createMsalClientOptions = {}) {
155
155
  */
156
156
  function calculateRequestAuthority(options) {
157
157
  if (options?.tenantId) {
158
- return (0, utils_js_1.getAuthority)(options.tenantId, (0, utils_js_1.getAuthorityHost)(createMsalClientOptions));
158
+ return (0, utils_js_1.getAuthority)(options.tenantId, (0, authorityHost_js_1.getAuthorityHost)(createMsalClientOptions));
159
159
  }
160
160
  return state.msalConfig.auth.authority;
161
161
  }
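Review bot: In `generateMsalConfiguration`, the change from `...msalClientOptions.tokenCredentialOptions` to `...msalClientOptions` (new line 34) passes the whole MSAL options object to the `IdentityClient` constructor, including keys such as `logger` that are not pipeline settings. Whether the constructor ignores unknown keys is not visible here, so I would forward only the client-option fields: `const { logger, ...clientOptions } = msalClientOptions;`, then `...clientOptions,` in the constructor call and `logger ?? msalLogger` in the `resolveTenantId` call, extended to the other MSAL-only keys. A caller that still passes a nested `tokenCredentialOptions` object now has it spread as one key of that name rather than as individual settings, so any HTTP client, retry or TLS configuration inside it is probably no longer applied; the in-package callers are outside this section and should be checked. The function body continues past the hunk.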
@@ -1 +1 @@
1
- {"version":3,"file":"msalClient.js","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClient.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;AA+QlC,8DAwCC;AAiCD,4CA8jBC;;AAp5BD,+DAAyC;AAKzC,sDAAwE;AAExE,qDAA+C;AAC/C,0CAUqB;AAErB,+CAA8D;AAG9D,sEAAgE;AAGhE,qEAAwE;AACxE,0CAA4C;AAC5C,kEAA8D;AAE9D;;GAEG;AACH,MAAM,UAAU,GAAG,IAAA,6BAAgB,EAAC,YAAY,CAAC,CAAC;AAoOlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CACvC,QAAgB,EAChB,QAAgB,EAChB,oBAAuC,EAAE;IAEzC,MAAM,cAAc,GAAG,IAAA,kCAAe,EACpC,iBAAiB,CAAC,MAAM,IAAI,UAAU,EACtC,QAAQ,EACR,QAAQ,CACT,CAAC;IAEF,sDAAsD;IACtD,MAAM,SAAS,GAAG,IAAA,uBAAY,EAAC,cAAc,EAAE,IAAA,2BAAgB,EAAC,iBAAiB,CAAC,CAAC,CAAC;IAEpF,MAAM,UAAU,GAAG,IAAI,kCAAc,CAAC;QACpC,GAAG,iBAAiB,CAAC,sBAAsB;QAC3C,aAAa,EAAE,SAAS;QACxB,cAAc,EAAE,iBAAiB,CAAC,cAAc;KACjD,CAAC,CAAC;IAEH,MAAM,UAAU,GAAuB;QACrC,IAAI,EAAE;YACJ,QAAQ;YACR,SAAS;YACT,gBAAgB,EAAE,IAAA,8BAAmB,EACnC,cAAc,EACd,SAAS,EACT,iBAAiB,CAAC,wBAAwB,CAC3C;SACF;QACD,MAAM,EAAE;YACN,aAAa,EAAE,UAAU;YACzB,aAAa,EAAE;gBACb,cAAc,EAAE,IAAA,gCAAqB,EAAC,iBAAiB,CAAC,MAAM,IAAI,UAAU,CAAC;gBAC7E,QAAQ,EAAE,IAAA,0BAAe,EAAC,IAAA,oBAAW,GAAE,CAAC;gBACxC,iBAAiB,EAAE,iBAAiB,CAAC,cAAc,EAAE,0BAA0B;aAChF;SACF;KACF,CAAC;IACF,OAAO,UAAU,CAAC;AACpB,CAAC;AAuBD;;;;;;;;;GASG;AACH,SAAgB,gBAAgB,CAC9B,QAAgB,EAChB,QAAgB,EAChB,0BAA6C,EAAE;IAE/C,MAAM,KAAK,GAAoB;QAC7B,UAAU,EAAE,yBAAyB,CAAC,QAAQ,EAAE,QAAQ,EAAE,uBAAuB,CAAC;QAClF,aAAa,EAAE,uBAAuB,CAAC,oBAAoB;YACzD,CAAC,CAAC,IAAA,uBAAY,EAAC,uBAAuB,CAAC,oBAAoB,CAAC;YAC5D,CAAC,CAAC,IAAI;QACR,mBAAmB,EAAE,4BAAW,CAAC,2BAA2B,CAAC,uBAAuB,CAAC;QACrF,MAAM,EAAE,uBAAuB,CAAC,MAAM,IAAI,UAAU;KACrD,CAAC;IAEF,MAAM,UAAU,GAA8C,IAAI,GAAG,EAAE,CAAC;IACxE,KAAK,UAAU,YAAY,CACzB,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,eAAe,EAAE,CAAC;YACpB,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;YAC7F,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,oCAAoC;QACpC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,iDAAiD,OAAO,CAAC,SAAS,CAAC,CAA
C,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,GAAG,CAC/F,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,eAAe,GAAG,IAAI,IAAI,CAAC,uBAAuB,CAAC;YACjD,GAAG,KAAK,CAAC,UAAU;YACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE;YACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE;SAC1C,CAAC,CAAC;QAEH,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAExC,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,MAAM,gBAAgB,GAAoD,IAAI,GAAG,EAAE,CAAC;IACpF,KAAK,UAAU,kBAAkB,CAC/B,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,qBAAqB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzD,IAAI,qBAAqB,EAAE,CAAC;YAC1B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,sEAAsE,CACvE,CAAC;YACF,OAAO,qBAAqB,CAAC;QAC/B,CAAC;QAED,oCAAoC;QACpC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,uDACE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAClC,GAAG,CACJ,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,qBAAqB,GAAG,IAAI,IAAI,CAAC,6BAA6B,CAAC;YAC7D,GAAG,KAAK,CAAC,UAAU;YACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE;YACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE;SAC1C,CAAC,CAAC;QAEH,gBAAgB,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;QAEpD,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED,KAAK,UAAU,cAAc,CAC3B,GAAsE,EACtE,MAAgB,EAChB,UAA2B,EAAE;QAE7B,IAAI,KAAK,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;YACjC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;YACtE,MAAM,IAAI,uCAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACpD,CAAC;QAED,gEAAgE;QAChE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,KAAK,CAAC,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;QACtC,CAAC;QAED,MAAM,a
AAa,GAA2B;YAC5C,OAAO,EAAE,KAAK,CAAC,aAAa;YAC5B,MAAM;YACN,MAAM,EAAE,KAAK,CAAC,YAAY;SAC3B,CAAC;QAEF,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC/C,aAAa,CAAC,oBAAoB,KAAK,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBAC1D,aAAa,CAAC,oBAAoB,CAAC,mBAAmB,CAAC,GAAG,sBAAsB,CAAC;YACnF,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC;YACrC,aAAa,CAAC,QAAQ,GAAG,OAAO,CAAC,wBAAwB,CAAC,KAAK,CAAC;YAChE,aAAa,CAAC,oBAAoB,GAAG,KAAK,CAAC;YAC3C,aAAa,CAAC,qBAAqB,GAAG,OAAO,CAAC,wBAAwB,CAAC,qBAAqB,CAAC;YAC7F,aAAa,CAAC,kBAAkB,GAAG,OAAO,CAAC,wBAAwB,CAAC,kBAAkB,CAAC;QACzF,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACnE,IAAI,CAAC;YACH,OAAO,MAAM,GAAG,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;QACrD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS,yBAAyB,CAAC,OAAyB;QAC1D,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,OAAO,IAAA,uBAAY,EAAC,OAAO,CAAC,QAAQ,EAAE,IAAA,2BAAgB,EAAC,uBAAuB,CAAC,CAAC,CAAC;QACnF,CAAC;QACD,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;IACzC,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,UAAU,wBAAwB,CACrC,OAA0E,EAC1E,MAAqB,EACrB,OAAsC,EACtC,wBAAyE;QAEzE,IAAI,QAAQ,GAAqC,IAAI,CAAC;QACtD,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;gBAC7C,MAAM,CAAC,CAAC;YACV,CAAC;YACD,IAAI,OAAO,CAAC,8BAA8B,EAAE,CAAC;gBAC3C,MAAM,IAAI,uCAA2B,CAAC;oBACpC,MAAM;oBACN,eAAe,EAAE,OAAO;oBACxB,OAAO,EACL,uFAAuF;iBAC1F,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,QAAQ,GAAG,MAAM,wBAAwB,EAAE,CAAC;YAC9C,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,KAAK,CAAC,aAAa,GAAG,QAAQ,EAAE,OAAO,IAAI,IAAI,CAAC;QAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;QAClD,OAAO;YAC
L,KAAK,EAAE,QAAQ,CAAC,WAAW;YAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;YAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;YACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;SACf,CAAC;IACnB,CAAC;IAED,KAAK,UAAU,sBAAsB,CACnC,MAAgB,EAChB,YAAoB,EACpB,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE9E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QAElD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,IAAA,iDAA0B,GAAE;gBACzC,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC,CAAC;YACH,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;gBAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;gBACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;aACf,CAAC;QACnB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,yBAAyB,CACtC,MAAgB,EAChB,eAAsC,EACtC,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAEjF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QAExD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,IAAA,iDAA0B,GAAE;gBACzC,MAAM,EAAE,OAAO,EAAE,MAAM;gBACvB,eAAe;aAChB,CAAC,CAAC;YACH,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;gBAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;gBACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;aACf,CAAC;QACnB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAA6B,EAC7B,UAA2B,EAAE;QAE7B,KAAK
,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEnF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QAEtD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,IAAA,iDAA0B,GAAE;gBACzC,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC,CAAC;YACH,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;gBAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;gBACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;aACf,CAAC;QACnB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,MAAgB,EAChB,kBAA4C,EAC5C,UAAyC,EAAE;QAE3C,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QAE5E,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,MAAM,cAAc,GAA2B;gBAC7C,MAAM;gBACN,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,IAAI,KAAK;gBAC9C,kBAAkB;gBAClB,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC;YACF,MAAM,iBAAiB,GAAG,OAAO,CAAC,wBAAwB,CAAC,cAAc,CAAC,CAAC;YAC3E,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,OAAO,CAAC,WAAW,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE;oBACjD,cAAc,CAAC,MAAM,GAAG,IAAI,CAAC;gBAC/B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,iBAAiB,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,0BAA0B,CACvC,MAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;QAEtF,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,MAAM,cAAc,GAAiC;gBACnD,MAAM;gBACN,QAAQ;gBACR,QAAQ;gBACR,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC;YAEF,OAAO,OAAO,CAAC,8BAA8B,CAAC,cAAc,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,gBAAgB;QACvB,IAAI,CAAC,KAA
K,CAAC,aAAa,EAAE,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,IAAA,uBAAY,EAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAAmB,EACnB,iBAAyB,EACzB,YAAqB,EACrB,UAAyC,EAAE;QAE3C,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEnF,IAAI,OAA0E,CAAC;QAC/E,IAAI,YAAY,EAAE,CAAC;YACjB,mFAAmF;YACnF,gIAAgI;YAChI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;YAClD,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,OAAO,OAAO,CAAC,kBAAkB,CAAC;gBAChC,MAAM;gBACN,WAAW;gBACX,IAAI,EAAE,iBAAiB;gBACvB,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,MAAgB,EAChB,kBAA0B,EAC1B,iBAAsE,EACtE,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAElF,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,gBAAgB;YAChB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;YACtE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,iBAAiB,CAAC;QACzD,CAAC;aAAM,IAAI,OAAO,iBAAiB,KAAK,UAAU,EAAE,CAAC;YACnD,mBAAmB;YACnB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;YAClF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,iBAAiB,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,qBAAqB;YACrB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAC3E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;QAC9D,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,sBAAsB,CAAC;gBACpD,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,YAAY,EAAE,kBAAkB;aACjC,CAAC,CAAC;YACH,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;YAChD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;gBAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;gBACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;aACf,CAAC;QACnB,CAAC;QAAC,OAAO,GAAQ,EAAE,
CAAC;YAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS,4BAA4B,CACnC,MAAgB,EAChB,OAAmC;QAEnC,OAAO;YACL,WAAW,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;gBACzB,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;gBAClC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,MAAM;YACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;YAC7C,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,aAAa,EAAE,OAAO,EAAE,2BAA2B,EAAE,YAAY;YACjE,eAAe,EAAE,OAAO,EAAE,2BAA2B,EAAE,cAAc;YACrE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB;SACxD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,UAAU,wBAAwB,CACrC,MAAgB,EAChB,uBAAgC,EAChC,UAAsC,EAAE;QAExC,UAAU,CAAC,OAAO,CAAC,+CAA+C,CAAC,CAAC;QAEpE,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAExC,MAAM,kBAAkB,GAAG,4BAA4B,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACzE,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACxD,kBAAkB,CAAC,YAAY,GAAG,MAAM,CAAC,IAAI,CAC3C,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,CACpD,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,+EAA+E;YAC/E,UAAU,CAAC,OAAO,CAChB,kIAAkI,CACnI,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;YAC1D,CAAC,kBAAkB,CAAC,oBAAoB,KAAK,EAAE,CAAC,CAAC,mBAAmB,CAAC;gBACnE,sBAAsB,CAAC;QAC3B,CAAC;QACD,IAAI,uBAAuB,EAAE,CAAC;YAC5B,kBAAkB,CAAC,MAAM,GAAG,MAAM,CAAC;YACnC,UAAU,CAAC,OAAO,CAAC,mEAAmE,CAAC,CAAC;QAC1F,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,OAAO,CAAC,qEAAqE,CAAC,CAAC;QAC5F,CAAC;QAED,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC;YACrC,kBAAkB,CAAC,QAAQ,GAAG,OAAO,CAAC,wBAAwB,CAAC,KAAK,CAAC;YACrE,kBAAkB,CAAC,oBAAoB,GAAG,KAAK,CAAC;YAChD,kBAAkB,CAAC,qBAAqB;gBACtC,OAAO,CAAC,wBAAwB,CAAC,qBAAqB,CAAC;YACzD,kBAAkB,CAAC,kBAAkB,GAAG,OAAO,CAAC,wBAAwB,CAAC,kBAAkB,CAAC;QAC9F,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,GAAG,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,UAAU,CAAC,OAAO,CAAC,8CAA8C,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YAC9E,IAAI,OAAO,CAAC,8BAA8B,EAAE,CAAC;gBAC3C,MAAM,IAAI,uCAA2B,CAAC;oBACpC,MAAM;oBACN,eAAe,EAAE,OAAO;oBACxB,OAAO,EAAE,2DAA2D;i
BACrE,CAAC,CAAC;YACL,CAAC;YACD,oGAAoG;YACpG,IAAI,uBAAuB,EAAE,CAAC;gBAC5B,OAAO,wBAAwB,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;YAC1D,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,CAAC;YACV,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,UAAU,gBAAgB,CAC7B,MAAgB,EAChB,uBAAgC,EAChC,UAAsC,EAAE;QAExC,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,2FAA2F,uBAAuB,EAAE,CACrH,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAAC,MAAM,EAAE,uBAAuB,EAAE,OAAO,CAAC,CAAC;QAC1F,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,KAAK,CAAC,aAAa,GAAG,QAAQ,EAAE,OAAO,IAAI,IAAI,CAAC;QAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;QAClD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,WAAW;YAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;YAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;YACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;SACf,CAAC;IACnB,CAAC;IAED,KAAK,UAAU,4BAA4B,CACzC,MAAgB,EAChB,UAAsC,EAAE;QAExC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QAEtE,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAExC,OAAO,wBAAwB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,kBAAkB,GAAG,4BAA4B,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAEzE,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC/C,OAAO,wBAAwB,CAC7B,MAAM,EACN,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,uBAAuB,IAAI,KAAK,EACjE,OAAO,CACR,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC;gBACrC,kBAAkB,CAAC,QAAQ,GAAG,OAAO,CAAC,wBAAwB,CAAC,KAAK,CAAC;gBACrE,kBAAkB,CAAC,oBAAoB,GAAG,KAAK,CAAC;gBAChD,kBAAkB,CAAC,qBAAqB;oBACtC,OAAO,CAAC,wBAAwB,CAAC,qBAAqB,CAAC;gBACzD,kBAAkB,CAAC,kBAAkB,GAAG,OAAO,CAAC,wBAAwB,CAAC,kBAAkB,CAAC;YAC9F,CAAC;YACD,OAAO,GAAG,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,gBAAgB;QAChB,gBAAgB;QAChB,sBAAsB;QACtB,yBAAyB;QACzB,2BAA2B;QAC3B,oBAAoB;QACpB,0BAA0B;QAC1B,2BAA2B;QAC3B,kBAAkB;QAClB,4BAA4B;KAC7B,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport * as msal from \"@azure/msal-node\";\n\nimport type { AccessToken, GetTokenOptions } from 
\"@azure/core-auth\";\nimport type { AuthenticationRecord, CertificateParts } from \"../types.js\";\nimport type { CredentialLogger } from \"../../util/logging.js\";\nimport { credentialLogger, formatSuccess } from \"../../util/logging.js\";\nimport type { PluginConfiguration } from \"./msalPlugins.js\";\nimport { msalPlugins } from \"./msalPlugins.js\";\nimport {\n defaultLoggerCallback,\n ensureValidMsalToken,\n getAuthority,\n getAuthorityHost,\n getKnownAuthorities,\n getMSALLogLevel,\n handleMsalError,\n msalToPublic,\n publicToMsal,\n} from \"../utils.js\";\n\nimport { AuthenticationRequiredError } from \"../../errors.js\";\nimport type { BrokerOptions } from \"./brokerOptions.js\";\nimport type { DeviceCodePromptCallback } from \"../../credentials/deviceCodeCredentialOptions.js\";\nimport { IdentityClient } from \"../../client/identityClient.js\";\nimport type { InteractiveBrowserCredentialNodeOptions } from \"../../credentials/interactiveBrowserCredentialOptions.js\";\nimport type { TokenCachePersistenceOptions } from \"./tokenCachePersistenceOptions.js\";\nimport { calculateRegionalAuthority } from \"../../regionalAuthority.js\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { resolveTenantId } from \"../../util/tenantIdUtils.js\";\n\n/**\n * The default logger used if no logger was passed in by the credential.\n */\nconst msalLogger = credentialLogger(\"MsalClient\");\n\n/**\n * Represents the options for acquiring a token using flows that support silent authentication.\n */\nexport interface GetTokenWithSilentAuthOptions extends GetTokenOptions {\n /**\n * Disables automatic authentication. 
If set to true, the method will throw an error if the user needs to authenticate.\n *\n * @remarks\n *\n * This option will be set to `false` when the user calls `authenticate` directly on a credential that supports it.\n */\n disableAutomaticAuthentication?: boolean;\n}\n\n/**\n * Represents the options for acquiring a token interactively.\n */\nexport interface GetTokenInteractiveOptions extends GetTokenWithSilentAuthOptions {\n /**\n * Window handle for parent window, required for WAM authentication.\n */\n parentWindowHandle?: Buffer;\n /**\n * Shared configuration options for browser customization\n */\n browserCustomizationOptions?: InteractiveBrowserCredentialNodeOptions[\"browserCustomizationOptions\"];\n /**\n * loginHint allows a user name to be pre-selected for interactive logins.\n * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n */\n loginHint?: string;\n}\n\n/**\n * Represents a client for interacting with the Microsoft Authentication Library (MSAL).\n */\nexport interface MsalClient {\n /**\n *\n * Retrieves an access token by using the on-behalf-of flow and a client assertion callback of the calling service.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param userAssertionToken - The access token that was sent to the middle-tier API. 
This token must have an audience of the app making this OBO request.\n * @param clientCredentials - The client secret OR client certificate OR client `getAssertion` callback.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenOnBehalfOf(\n scopes: string[],\n userAssertionToken: string,\n clientCredentials: string | CertificateParts | (() => Promise<string>),\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using an interactive prompt (InteractiveBrowserCredential).\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by using a user's username and password.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param username - The username provided by the developer.\n * @param password - The user's password provided by the developer.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByUsernamePassword(\n scopes: string[],\n username: string,\n password: string,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by prompting the user to authenticate using a device code.\n *\n * @param scopes - The scopes for which the access token is requested. 
These represent the resources that the application wants to access.\n * @param userPromptCallback - The callback function that allows developers to customize the prompt message.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByDeviceCode(\n scopes: string[],\n userPromptCallback: DeviceCodePromptCallback,\n options?: GetTokenWithSilentAuthOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by using a client certificate.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param certificate - The client certificate used for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientCertificate(\n scopes: string[],\n certificate: CertificateParts,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using a client assertion.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param clientAssertion - The client `getAssertion` callback used for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientAssertion(\n scopes: string[],\n clientAssertion: () => Promise<string>,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using a client secret.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param clientSecret - The client secret of the application. 
This is a credential that the application can use to authenticate itself.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientSecret(\n scopes: string[],\n clientSecret: string,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using an authorization code flow.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param authorizationCode - An authorization code that was received from following the\n authorization code flow. This authorization code must not\n have already been used to obtain an access token.\n * @param redirectUri - The redirect URI that was used to request the authorization code.\n Must be the same URI that is configured for the App Registration.\n * @param clientSecret - An optional client secret that was generated for the App Registration.\n * @param options - Additional options that may be provided to the method.\n */\n getTokenByAuthorizationCode(\n scopes: string[],\n redirectUri: string,\n authorizationCode: string,\n clientSecret?: string,\n options?: GetTokenWithSilentAuthOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves the last authenticated account. This method expects an authentication record to have been previously loaded.\n *\n * An authentication record could be loaded by calling the `getToken` method, or by providing an `authenticationRecord` when creating a credential.\n */\n getActiveAccount(): AuthenticationRecord | undefined;\n\n /**\n * Retrieves an access token using brokered authentication.\n *\n * @param scopes - The scopes for which the access token is requested. 
These represent the resources that the application wants to access.\n * @param useDefaultBrokerAccount - Whether to use the default broker account for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getBrokeredToken(\n scopes: string[],\n useDefaultBrokerAccount: boolean,\n options?: GetTokenInteractiveOptions,\n ): Promise<AccessToken>;\n}\n\n/**\n * Represents the options for configuring the MsalClient.\n */\nexport interface MsalClientOptions {\n /**\n * Parameters that enable WAM broker authentication in the InteractiveBrowserCredential.\n */\n brokerOptions?: BrokerOptions;\n\n /**\n * Parameters that enable token cache persistence in the Identity credentials.\n */\n tokenCachePersistenceOptions?: TokenCachePersistenceOptions;\n\n /**\n * Indicates if this is being used by VSCode credential.\n */\n isVSCodeCredential?: boolean;\n\n /**\n * A custom authority host.\n */\n authorityHost?: IdentityClient[\"tokenCredentialOptions\"][\"authorityHost\"];\n\n /**\n * Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.\n */\n loggingOptions?: IdentityClient[\"tokenCredentialOptions\"][\"loggingOptions\"];\n\n /**\n * The token credential options for the MsalClient.\n */\n tokenCredentialOptions?: IdentityClient[\"tokenCredentialOptions\"];\n\n /**\n * Determines whether instance discovery is disabled.\n */\n disableInstanceDiscovery?: boolean;\n\n /**\n * The logger for the MsalClient.\n */\n logger?: CredentialLogger;\n\n /**\n * The authentication record for the MsalClient.\n */\n authenticationRecord?: AuthenticationRecord;\n}\n\n/**\n * Generates the configuration for MSAL (Microsoft Authentication Library).\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active Directory.\n * @param msalClientOptions - Optional. 
Additional options for creating the MSAL client.\n * @returns The MSAL configuration object.\n */\nexport function generateMsalConfiguration(\n clientId: string,\n tenantId: string,\n msalClientOptions: MsalClientOptions = {},\n): msal.Configuration {\n const resolvedTenant = resolveTenantId(\n msalClientOptions.logger ?? msalLogger,\n tenantId,\n clientId,\n );\n\n // TODO: move and reuse getIdentityClientAuthorityHost\n const authority = getAuthority(resolvedTenant, getAuthorityHost(msalClientOptions));\n\n const httpClient = new IdentityClient({\n ...msalClientOptions.tokenCredentialOptions,\n authorityHost: authority,\n loggingOptions: msalClientOptions.loggingOptions,\n });\n\n const msalConfig: msal.Configuration = {\n auth: {\n clientId,\n authority,\n knownAuthorities: getKnownAuthorities(\n resolvedTenant,\n authority,\n msalClientOptions.disableInstanceDiscovery,\n ),\n },\n system: {\n networkClient: httpClient,\n loggerOptions: {\n loggerCallback: defaultLoggerCallback(msalClientOptions.logger ?? msalLogger),\n logLevel: getMSALLogLevel(getLogLevel()),\n piiLoggingEnabled: msalClientOptions.loggingOptions?.enableUnsafeSupportLogging,\n },\n },\n };\n return msalConfig;\n}\n\n/**\n * Represents the state necessary for the MSAL (Microsoft Authentication Library) client to operate.\n * This includes the MSAL configuration, cached account information, Azure region, and a flag to disable automatic authentication.\n */\ninterface MsalClientState {\n /** The configuration for the MSAL client. */\n msalConfig: msal.Configuration;\n\n /** The cached account information, or null if no account information is cached. 
*/\n cachedAccount: msal.AccountInfo | null;\n\n /** Configured plugins */\n pluginConfiguration: PluginConfiguration;\n\n /** Claims received from challenges, cached for the next request */\n cachedClaims?: string;\n\n /** The logger instance */\n logger: CredentialLogger;\n}\n\n/**\n * Creates an instance of the MSAL (Microsoft Authentication Library) client.\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active Directory.\n * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns An instance of the MSAL client.\n *\n * @public\n */\nexport function createMsalClient(\n clientId: string,\n tenantId: string,\n createMsalClientOptions: MsalClientOptions = {},\n): MsalClient {\n const state: MsalClientState = {\n msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),\n cachedAccount: createMsalClientOptions.authenticationRecord\n ? publicToMsal(createMsalClientOptions.authenticationRecord)\n : null,\n pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),\n logger: createMsalClientOptions.logger ?? msalLogger,\n };\n\n const publicApps: Map<string, msal.PublicClientApplication> = new Map();\n async function getPublicApp(\n options: GetTokenOptions = {},\n ): Promise<msal.PublicClientApplication> {\n const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n let publicClientApp = publicApps.get(appKey);\n if (publicClientApp) {\n state.logger.getToken.info(\"Existing PublicClientApplication found in cache, returning it.\");\n return publicClientApp;\n }\n\n // Initialize a new app and cache it\n state.logger.getToken.info(\n `Creating new PublicClientApplication with CAE ${options.enableCae ? \"enabled\" : \"disabled\"}.`,\n );\n\n const cachePlugin = options.enableCae\n ? 
state.pluginConfiguration.cache.cachePluginCae\n : state.pluginConfiguration.cache.cachePlugin;\n\n state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n publicClientApp = new msal.PublicClientApplication({\n ...state.msalConfig,\n broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n cache: { cachePlugin: await cachePlugin },\n });\n\n publicApps.set(appKey, publicClientApp);\n\n return publicClientApp;\n }\n\n const confidentialApps: Map<string, msal.ConfidentialClientApplication> = new Map();\n async function getConfidentialApp(\n options: GetTokenOptions = {},\n ): Promise<msal.ConfidentialClientApplication> {\n const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n let confidentialClientApp = confidentialApps.get(appKey);\n if (confidentialClientApp) {\n state.logger.getToken.info(\n \"Existing ConfidentialClientApplication found in cache, returning it.\",\n );\n return confidentialClientApp;\n }\n\n // Initialize a new app and cache it\n state.logger.getToken.info(\n `Creating new ConfidentialClientApplication with CAE ${\n options.enableCae ? \"enabled\" : \"disabled\"\n }.`,\n );\n\n const cachePlugin = options.enableCae\n ? state.pluginConfiguration.cache.cachePluginCae\n : state.pluginConfiguration.cache.cachePlugin;\n\n state.msalConfig.auth.clientCapabilities = options.enableCae ? 
[\"cp1\"] : undefined;\n\n confidentialClientApp = new msal.ConfidentialClientApplication({\n ...state.msalConfig,\n broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n cache: { cachePlugin: await cachePlugin },\n });\n\n confidentialApps.set(appKey, confidentialClientApp);\n\n return confidentialClientApp;\n }\n\n async function getTokenSilent(\n app: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n scopes: string[],\n options: GetTokenOptions = {},\n ): Promise<msal.AuthenticationResult> {\n if (state.cachedAccount === null) {\n state.logger.getToken.info(\"No cached account found in local state.\");\n throw new AuthenticationRequiredError({ scopes });\n }\n\n // Keep track and reuse the claims we received across challenges\n if (options.claims) {\n state.cachedClaims = options.claims;\n }\n\n const silentRequest: msal.SilentFlowRequest = {\n account: state.cachedAccount,\n scopes,\n claims: state.cachedClaims,\n };\n\n if (state.pluginConfiguration.broker.isEnabled) {\n silentRequest.tokenQueryParameters ||= {};\n if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n silentRequest.tokenQueryParameters[\"msal_request_type\"] = \"consumer_passthrough\";\n }\n }\n\n if (options.proofOfPossessionOptions) {\n silentRequest.shrNonce = options.proofOfPossessionOptions.nonce;\n silentRequest.authenticationScheme = \"pop\";\n silentRequest.resourceRequestMethod = options.proofOfPossessionOptions.resourceRequestMethod;\n silentRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;\n }\n state.logger.getToken.info(\"Attempting to acquire token silently\");\n try {\n return await app.acquireTokenSilent(silentRequest);\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n /**\n * Builds an authority URL for the given request. 
The authority may be different than the one used when creating the MSAL client\n * if the user is creating cross-tenant requests\n */\n function calculateRequestAuthority(options?: GetTokenOptions): string | undefined {\n if (options?.tenantId) {\n return getAuthority(options.tenantId, getAuthorityHost(createMsalClientOptions));\n }\n return state.msalConfig.auth.authority;\n }\n\n /**\n * Performs silent authentication using MSAL to acquire an access token.\n * If silent authentication fails, falls back to interactive authentication.\n *\n * @param msalApp - The MSAL application instance.\n * @param scopes - The scopes for which to acquire the access token.\n * @param options - The options for acquiring the access token.\n * @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.\n * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.\n */\n async function withSilentAuthentication(\n msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n scopes: Array<string>,\n options: GetTokenWithSilentAuthOptions,\n onAuthenticationRequired: () => Promise<msal.AuthenticationResult | null>,\n ): Promise<AccessToken> {\n let response: msal.AuthenticationResult | null = null;\n try {\n response = await getTokenSilent(msalApp, scopes, options);\n } catch (e: any) {\n if (e.name !== \"AuthenticationRequiredError\") {\n throw e;\n }\n if (options.disableAutomaticAuthentication) {\n throw new AuthenticationRequiredError({\n scopes,\n getTokenOptions: options,\n message:\n \"Automatic authentication has been disabled. 
You may call the authentication() method.\",\n });\n }\n }\n\n // Silent authentication failed\n if (response === null) {\n try {\n response = await onAuthenticationRequired();\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n // At this point we should have a token, process it\n ensureValidMsalToken(scopes, response, options);\n state.cachedAccount = response?.account ?? null;\n\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n }\n\n async function getTokenByClientSecret(\n scopes: string[],\n clientSecret: string,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client secret`);\n\n state.msalConfig.auth.clientSecret = clientSecret;\n\n const msalApp = await getConfidentialApp(options);\n\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n });\n ensureValidMsalToken(scopes, response, options);\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByClientAssertion(\n scopes: string[],\n clientAssertion: () => Promise<string>,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client assertion`);\n\n state.msalConfig.auth.clientAssertion = clientAssertion;\n\n const msalApp = await getConfidentialApp(options);\n\n try {\n const 
response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n clientAssertion,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByClientCertificate(\n scopes: string[],\n certificate: CertificateParts,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client certificate`);\n\n state.msalConfig.auth.clientCertificate = certificate;\n\n const msalApp = await getConfidentialApp(options);\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByDeviceCode(\n scopes: string[],\n deviceCodeCallback: DeviceCodePromptCallback,\n options: GetTokenWithSilentAuthOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using device code`);\n\n const msalApp = await getPublicApp(options);\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n const requestOptions: msal.DeviceCodeRequest = {\n 
scopes,\n cancel: options?.abortSignal?.aborted ?? false,\n deviceCodeCallback,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n };\n const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);\n if (options.abortSignal) {\n options.abortSignal.addEventListener(\"abort\", () => {\n requestOptions.cancel = true;\n });\n }\n\n return deviceCodeRequest;\n });\n }\n\n async function getTokenByUsernamePassword(\n scopes: string[],\n username: string,\n password: string,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using username and password`);\n\n const msalApp = await getPublicApp(options);\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n const requestOptions: msal.UsernamePasswordRequest = {\n scopes,\n username,\n password,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n };\n\n return msalApp.acquireTokenByUsernamePassword(requestOptions);\n });\n }\n\n function getActiveAccount(): AuthenticationRecord | undefined {\n if (!state.cachedAccount) {\n return undefined;\n }\n return msalToPublic(clientId, state.cachedAccount);\n }\n\n async function getTokenByAuthorizationCode(\n scopes: string[],\n redirectUri: string,\n authorizationCode: string,\n clientSecret?: string,\n options: GetTokenWithSilentAuthOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using authorization code`);\n\n let msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication;\n if (clientSecret) {\n // If a client secret is provided, we need to use a confidential client application\n // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret\n state.msalConfig.auth.clientSecret = clientSecret;\n msalApp = await getConfidentialApp(options);\n } else {\n msalApp = await getPublicApp(options);\n 
}\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n return msalApp.acquireTokenByCode({\n scopes,\n redirectUri,\n code: authorizationCode,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n });\n });\n }\n\n async function getTokenOnBehalfOf(\n scopes: string[],\n userAssertionToken: string,\n clientCredentials: string | CertificateParts | (() => Promise<string>),\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);\n\n if (typeof clientCredentials === \"string\") {\n // Client secret\n msalLogger.getToken.info(`Using client secret for on behalf of flow`);\n state.msalConfig.auth.clientSecret = clientCredentials;\n } else if (typeof clientCredentials === \"function\") {\n // Client Assertion\n msalLogger.getToken.info(`Using client assertion callback for on behalf of flow`);\n state.msalConfig.auth.clientAssertion = clientCredentials;\n } else {\n // Client certificate\n msalLogger.getToken.info(`Using client certificate for on behalf of flow`);\n state.msalConfig.auth.clientCertificate = clientCredentials;\n }\n\n const msalApp = await getConfidentialApp(options);\n try {\n const response = await msalApp.acquireTokenOnBehalfOf({\n scopes,\n authority: calculateRequestAuthority(options),\n claims: options.claims,\n oboAssertion: userAssertionToken,\n });\n ensureValidMsalToken(scopes, response, options);\n\n msalLogger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n /**\n * Creates a base interactive request configuration for MSAL interactive authentication.\n * This is shared between interactive and brokered authentication flows.\n */\n function 
createBaseInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions,\n ): msal.InteractiveRequest {\n return {\n openBrowser: async (url) => {\n const open = await import(\"open\");\n await open.default(url, { newInstance: true });\n },\n scopes,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n loginHint: options?.loginHint,\n errorTemplate: options?.browserCustomizationOptions?.errorMessage,\n successTemplate: options?.browserCustomizationOptions?.successMessage,\n prompt: options?.loginHint ? \"login\" : \"select_account\",\n };\n }\n\n /**\n * @internal\n */\n async function getBrokeredTokenInternal(\n scopes: string[],\n useDefaultBrokerAccount: boolean,\n options: GetTokenInteractiveOptions = {},\n ): Promise<msal.AuthenticationResult> {\n msalLogger.verbose(\"Authentication will resume through the broker\");\n\n const app = await getPublicApp(options);\n\n const interactiveRequest = createBaseInteractiveRequest(scopes, options);\n if (state.pluginConfiguration.broker.parentWindowHandle) {\n interactiveRequest.windowHandle = Buffer.from(\n state.pluginConfiguration.broker.parentWindowHandle,\n );\n } else {\n // this is a bug, as the pluginConfiguration handler should validate this case.\n msalLogger.warning(\n \"Parent window handle is not specified for the broker. This may cause unexpected behavior. 
Please provide the parentWindowHandle.\",\n );\n }\n\n if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n (interactiveRequest.tokenQueryParameters ??= {})[\"msal_request_type\"] =\n \"consumer_passthrough\";\n }\n if (useDefaultBrokerAccount) {\n interactiveRequest.prompt = \"none\";\n msalLogger.verbose(\"Attempting broker authentication using the default broker account\");\n } else {\n msalLogger.verbose(\"Attempting broker authentication without the default broker account\");\n }\n\n if (options.proofOfPossessionOptions) {\n interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;\n interactiveRequest.authenticationScheme = \"pop\";\n interactiveRequest.resourceRequestMethod =\n options.proofOfPossessionOptions.resourceRequestMethod;\n interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;\n }\n try {\n return await app.acquireTokenInteractive(interactiveRequest);\n } catch (e: any) {\n msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);\n if (options.disableAutomaticAuthentication) {\n throw new AuthenticationRequiredError({\n scopes,\n getTokenOptions: options,\n message: \"Cannot silently authenticate with default broker account.\",\n });\n }\n // If we tried to use the default broker account and failed, fall back to interactive authentication\n if (useDefaultBrokerAccount) {\n return getBrokeredTokenInternal(scopes, false, options);\n } else {\n throw e;\n }\n }\n }\n\n /**\n * A helper function that supports brokered authentication through the MSAL's public application.\n *\n * When useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.\n * If the default broker account is not available, the method will fall back to interactive authentication.\n */\n async function getBrokeredToken(\n scopes: string[],\n useDefaultBrokerAccount: boolean,\n options: GetTokenInteractiveOptions = {},\n ): Promise<AccessToken> {\n 
msalLogger.getToken.info(\n `Attempting to acquire token using brokered authentication with useDefaultBrokerAccount: ${useDefaultBrokerAccount}`,\n );\n const response = await getBrokeredTokenInternal(scopes, useDefaultBrokerAccount, options);\n ensureValidMsalToken(scopes, response, options);\n state.cachedAccount = response?.account ?? null;\n\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n }\n\n async function getTokenByInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions = {},\n ): Promise<AccessToken> {\n msalLogger.getToken.info(`Attempting to acquire token interactively`);\n\n const app = await getPublicApp(options);\n\n return withSilentAuthentication(app, scopes, options, async () => {\n const interactiveRequest = createBaseInteractiveRequest(scopes, options);\n\n if (state.pluginConfiguration.broker.isEnabled) {\n return getBrokeredTokenInternal(\n scopes,\n state.pluginConfiguration.broker.useDefaultBrokerAccount ?? false,\n options,\n );\n }\n if (options.proofOfPossessionOptions) {\n interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;\n interactiveRequest.authenticationScheme = \"pop\";\n interactiveRequest.resourceRequestMethod =\n options.proofOfPossessionOptions.resourceRequestMethod;\n interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;\n }\n return app.acquireTokenInteractive(interactiveRequest);\n });\n }\n\n return {\n getActiveAccount,\n getBrokeredToken,\n getTokenByClientSecret,\n getTokenByClientAssertion,\n getTokenByClientCertificate,\n getTokenByDeviceCode,\n getTokenByUsernamePassword,\n getTokenByAuthorizationCode,\n getTokenOnBehalfOf,\n getTokenByInteractiveRequest,\n };\n}\n"]}
1
+ {"version":3,"file":"msalClient.js","sourceRoot":"","sources":["../../../../src/msal/nodeFlows/msalClient.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;AAqRlC,8DAuCC;AAiCD,4CA8jBC;;AAz5BD,+DAAyC;AAKzC,sDAAwE;AAExE,qDAA+C;AAC/C,0CASqB;AAErB,+CAA8D;AAG9D,sEAAgE;AAGhE,qEAAwE;AACxE,0CAA4C;AAC5C,kEAA8D;AAG9D,kEAA+D;AAE/D;;GAEG;AACH,MAAM,UAAU,GAAG,IAAA,6BAAgB,EAAC,YAAY,CAAC,CAAC;AAwOlD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CACvC,QAAgB,EAChB,QAAgB,EAChB,oBAAuC,EAAE;IAEzC,MAAM,cAAc,GAAG,IAAA,kCAAe,EACpC,iBAAiB,CAAC,MAAM,IAAI,UAAU,EACtC,QAAQ,EACR,QAAQ,CACT,CAAC;IAEF,MAAM,SAAS,GAAG,IAAA,uBAAY,EAAC,cAAc,EAAE,IAAA,mCAAgB,EAAC,iBAAiB,CAAC,CAAC,CAAC;IAEpF,MAAM,UAAU,GAAG,IAAI,kCAAc,CAAC;QACpC,GAAG,iBAAiB;QACpB,aAAa,EAAE,SAAS;QACxB,cAAc,EAAE,iBAAiB,CAAC,cAAc;KACjD,CAAC,CAAC;IAEH,MAAM,UAAU,GAAuB;QACrC,IAAI,EAAE;YACJ,QAAQ;YACR,SAAS;YACT,gBAAgB,EAAE,IAAA,8BAAmB,EACnC,cAAc,EACd,SAAS,EACT,iBAAiB,CAAC,wBAAwB,CAC3C;SACF;QACD,MAAM,EAAE;YACN,aAAa,EAAE,UAAU;YACzB,aAAa,EAAE;gBACb,cAAc,EAAE,IAAA,gCAAqB,EAAC,iBAAiB,CAAC,MAAM,IAAI,UAAU,CAAC;gBAC7E,QAAQ,EAAE,IAAA,0BAAe,EAAC,IAAA,oBAAW,GAAE,CAAC;gBACxC,iBAAiB,EAAE,iBAAiB,CAAC,cAAc,EAAE,0BAA0B;aAChF;SACF;KACF,CAAC;IACF,OAAO,UAAU,CAAC;AACpB,CAAC;AAuBD;;;;;;;;;GASG;AACH,SAAgB,gBAAgB,CAC9B,QAAgB,EAChB,QAAgB,EAChB,0BAA6C,EAAE;IAE/C,MAAM,KAAK,GAAoB;QAC7B,UAAU,EAAE,yBAAyB,CAAC,QAAQ,EAAE,QAAQ,EAAE,uBAAuB,CAAC;QAClF,aAAa,EAAE,uBAAuB,CAAC,oBAAoB;YACzD,CAAC,CAAC,IAAA,uBAAY,EAAC,uBAAuB,CAAC,oBAAoB,CAAC;YAC5D,CAAC,CAAC,IAAI;QACR,mBAAmB,EAAE,4BAAW,CAAC,2BAA2B,CAAC,uBAAuB,CAAC;QACrF,MAAM,EAAE,uBAAuB,CAAC,MAAM,IAAI,UAAU;KACrD,CAAC;IAEF,MAAM,UAAU,GAA8C,IAAI,GAAG,EAAE,CAAC;IACxE,KAAK,UAAU,YAAY,CACzB,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,eAAe,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,eAAe,EAAE,CAAC;YACpB,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;YAC7F,OAAO,eAAe,CAAC;QACzB,CAAC;QAED,oCAAoC;QACpC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,iDAAiD,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,
CAAC,CAAC,CAAC,UAAU,GAAG,CAC/F,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,eAAe,GAAG,IAAI,IAAI,CAAC,uBAAuB,CAAC;YACjD,GAAG,KAAK,CAAC,UAAU;YACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE;YACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE;SAC1C,CAAC,CAAC;QAEH,UAAU,CAAC,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC;QAExC,OAAO,eAAe,CAAC;IACzB,CAAC;IAED,MAAM,gBAAgB,GAAoD,IAAI,GAAG,EAAE,CAAC;IACpF,KAAK,UAAU,kBAAkB,CAC/B,UAA2B,EAAE;QAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAErD,IAAI,qBAAqB,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACzD,IAAI,qBAAqB,EAAE,CAAC;YAC1B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,sEAAsE,CACvE,CAAC;YACF,OAAO,qBAAqB,CAAC;QAC/B,CAAC;QAED,oCAAoC;QACpC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CACxB,uDACE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAClC,GAAG,CACJ,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,SAAS;YACnC,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,cAAc;YAChD,CAAC,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAK,CAAC,WAAW,CAAC;QAEhD,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,kBAAkB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAEnF,qBAAqB,GAAG,IAAI,IAAI,CAAC,6BAA6B,CAAC;YAC7D,GAAG,KAAK,CAAC,UAAU;YACnB,MAAM,EAAE,EAAE,kBAAkB,EAAE,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE;YACnF,KAAK,EAAE,EAAE,WAAW,EAAE,MAAM,WAAW,EAAE;SAC1C,CAAC,CAAC;QAEH,gBAAgB,CAAC,GAAG,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;QAEpD,OAAO,qBAAqB,CAAC;IAC/B,CAAC;IAED,KAAK,UAAU,cAAc,CAC3B,GAAsE,EACtE,MAAgB,EAChB,UAA2B,EAAE;QAE7B,IAAI,KAAK,CAAC,aAAa,KAAK,IAAI,EAAE,CAAC;YACjC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;YACtE,MAAM,IAAI,uCAA2B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACpD,CAAC;QAED,gEAAgE;QAChE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,KAAK,CAAC,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC;QACtC,CAAC;QAED,MAAM,aAAa,GAA2B;YA
C5C,OAAO,EAAE,KAAK,CAAC,aAAa;YAC5B,MAAM;YACN,MAAM,EAAE,KAAK,CAAC,YAAY;SAC3B,CAAC;QAEF,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC/C,aAAa,CAAC,oBAAoB,KAAK,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;gBAC1D,aAAa,CAAC,oBAAoB,CAAC,mBAAmB,CAAC,GAAG,sBAAsB,CAAC;YACnF,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC;YACrC,aAAa,CAAC,QAAQ,GAAG,OAAO,CAAC,wBAAwB,CAAC,KAAK,CAAC;YAChE,aAAa,CAAC,oBAAoB,GAAG,KAAK,CAAC;YAC3C,aAAa,CAAC,qBAAqB,GAAG,OAAO,CAAC,wBAAwB,CAAC,qBAAqB,CAAC;YAC7F,aAAa,CAAC,kBAAkB,GAAG,OAAO,CAAC,wBAAwB,CAAC,kBAAkB,CAAC;QACzF,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QACnE,IAAI,CAAC;YACH,OAAO,MAAM,GAAG,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC;QACrD,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS,yBAAyB,CAAC,OAAyB;QAC1D,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,OAAO,IAAA,uBAAY,EAAC,OAAO,CAAC,QAAQ,EAAE,IAAA,mCAAgB,EAAC,uBAAuB,CAAC,CAAC,CAAC;QACnF,CAAC;QACD,OAAO,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC;IACzC,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,UAAU,wBAAwB,CACrC,OAA0E,EAC1E,MAAqB,EACrB,OAAsC,EACtC,wBAAyE;QAEzE,IAAI,QAAQ,GAAqC,IAAI,CAAC;QACtD,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,IAAI,CAAC,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;gBAC7C,MAAM,CAAC,CAAC;YACV,CAAC;YACD,IAAI,OAAO,CAAC,8BAA8B,EAAE,CAAC;gBAC3C,MAAM,IAAI,uCAA2B,CAAC;oBACpC,MAAM;oBACN,eAAe,EAAE,OAAO;oBACxB,OAAO,EACL,uFAAuF;iBAC1F,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,+BAA+B;QAC/B,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,QAAQ,GAAG,MAAM,wBAAwB,EAAE,CAAC;YAC9C,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,KAAK,CAAC,aAAa,GAAG,QAAQ,EAAE,OAAO,IAAI,IAAI,CAAC;QAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;QAClD,OAAO;YACL,KAAK,EAAE,
QAAQ,CAAC,WAAW;YAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;YAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;YACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;SACf,CAAC;IACnB,CAAC;IAED,KAAK,UAAU,sBAAsB,CACnC,MAAgB,EAChB,YAAoB,EACpB,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE9E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;QAElD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,IAAA,iDAA0B,GAAE;gBACzC,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC,CAAC;YACH,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;gBAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;gBACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;aACf,CAAC;QACnB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,yBAAyB,CACtC,MAAgB,EAChB,eAAsC,EACtC,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAEjF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,eAAe,CAAC;QAExD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,IAAA,iDAA0B,GAAE;gBACzC,MAAM,EAAE,OAAO,EAAE,MAAM;gBACvB,eAAe;aAChB,CAAC,CAAC;YACH,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;gBAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;gBACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;aACf,CAAC;QACnB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAA6B,EAC7B,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,C
AAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEnF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QAEtD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,8BAA8B,CAAC;gBAC5D,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,WAAW,EAAE,IAAA,iDAA0B,GAAE;gBACzC,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC,CAAC;YACH,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;gBAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;gBACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;aACf,CAAC;QACnB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,MAAgB,EAChB,kBAA4C,EAC5C,UAAyC,EAAE;QAE3C,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QAE5E,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,MAAM,cAAc,GAA2B;gBAC7C,MAAM;gBACN,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,IAAI,KAAK;gBAC9C,kBAAkB;gBAClB,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC;YACF,MAAM,iBAAiB,GAAG,OAAO,CAAC,wBAAwB,CAAC,cAAc,CAAC,CAAC;YAC3E,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,OAAO,CAAC,WAAW,CAAC,gBAAgB,CAAC,OAAO,EAAE,GAAG,EAAE;oBACjD,cAAc,CAAC,MAAM,GAAG,IAAI,CAAC;gBAC/B,CAAC,CAAC,CAAC;YACL,CAAC;YAED,OAAO,iBAAiB,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,0BAA0B,CACvC,MAAgB,EAChB,QAAgB,EAChB,QAAgB,EAChB,UAA2B,EAAE;QAE7B,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;QAEtF,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5C,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,MAAM,cAAc,GAAiC;gBACnD,MAAM;gBACN,QAAQ;gBACR,QAAQ;gBACR,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC;YAEF,OAAO,OAAO,CAAC,8BAA8B,CAAC,cAAc,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC;IAED,SAAS,gBAAgB;QACvB,IAAI,CAAC,KAAK,CAAC,aAAa,
EAAE,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,OAAO,IAAA,uBAAY,EAAC,QAAQ,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,UAAU,2BAA2B,CACxC,MAAgB,EAChB,WAAmB,EACnB,iBAAyB,EACzB,YAAqB,EACrB,UAAyC,EAAE;QAE3C,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;QAEnF,IAAI,OAA0E,CAAC;QAC/E,IAAI,YAAY,EAAE,CAAC;YACjB,mFAAmF;YACnF,gIAAgI;YAChI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;YAClD,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QACxC,CAAC;QAED,OAAO,wBAAwB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE;YAC7D,OAAO,OAAO,CAAC,kBAAkB,CAAC;gBAChC,MAAM;gBACN,WAAW;gBACX,IAAI,EAAE,iBAAiB;gBACvB,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,EAAE,MAAM;aACxB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,MAAgB,EAChB,kBAA0B,EAC1B,iBAAsE,EACtE,UAA2B,EAAE;QAE7B,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAElF,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,gBAAgB;YAChB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;YACtE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,GAAG,iBAAiB,CAAC;QACzD,CAAC;aAAM,IAAI,OAAO,iBAAiB,KAAK,UAAU,EAAE,CAAC;YACnD,mBAAmB;YACnB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;YAClF,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,eAAe,GAAG,iBAAiB,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,qBAAqB;YACrB,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YAC3E,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;QAC9D,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,sBAAsB,CAAC;gBACpD,MAAM;gBACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;gBAC7C,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,YAAY,EAAE,kBAAkB;aACjC,CAAC,CAAC;YACH,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEhD,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;YAChD,OAAO;gBACL,KAAK,EAAE,QAAQ,CAAC,WAAW;gBAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;gBAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;gBACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;aACf,CAAC;QACnB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,M
AAM,IAAA,0BAAe,EAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,SAAS,4BAA4B,CACnC,MAAgB,EAChB,OAAmC;QAEnC,OAAO;YACL,WAAW,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;gBACzB,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;gBAClC,MAAM,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,MAAM;YACN,SAAS,EAAE,yBAAyB,CAAC,OAAO,CAAC;YAC7C,MAAM,EAAE,OAAO,EAAE,MAAM;YACvB,SAAS,EAAE,OAAO,EAAE,SAAS;YAC7B,aAAa,EAAE,OAAO,EAAE,2BAA2B,EAAE,YAAY;YACjE,eAAe,EAAE,OAAO,EAAE,2BAA2B,EAAE,cAAc;YACrE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB;SACxD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,UAAU,wBAAwB,CACrC,MAAgB,EAChB,uBAAgC,EAChC,UAAsC,EAAE;QAExC,UAAU,CAAC,OAAO,CAAC,+CAA+C,CAAC,CAAC;QAEpE,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAExC,MAAM,kBAAkB,GAAG,4BAA4B,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACzE,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACxD,kBAAkB,CAAC,YAAY,GAAG,MAAM,CAAC,IAAI,CAC3C,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,kBAAkB,CACpD,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,+EAA+E;YAC/E,UAAU,CAAC,OAAO,CAChB,kIAAkI,CACnI,CAAC;QACJ,CAAC;QAED,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,oBAAoB,EAAE,CAAC;YAC1D,CAAC,kBAAkB,CAAC,oBAAoB,KAAK,EAAE,CAAC,CAAC,mBAAmB,CAAC;gBACnE,sBAAsB,CAAC;QAC3B,CAAC;QACD,IAAI,uBAAuB,EAAE,CAAC;YAC5B,kBAAkB,CAAC,MAAM,GAAG,MAAM,CAAC;YACnC,UAAU,CAAC,OAAO,CAAC,mEAAmE,CAAC,CAAC;QAC1F,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,OAAO,CAAC,qEAAqE,CAAC,CAAC;QAC5F,CAAC;QAED,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC;YACrC,kBAAkB,CAAC,QAAQ,GAAG,OAAO,CAAC,wBAAwB,CAAC,KAAK,CAAC;YACrE,kBAAkB,CAAC,oBAAoB,GAAG,KAAK,CAAC;YAChD,kBAAkB,CAAC,qBAAqB;gBACtC,OAAO,CAAC,wBAAwB,CAAC,qBAAqB,CAAC;YACzD,kBAAkB,CAAC,kBAAkB,GAAG,OAAO,CAAC,wBAAwB,CAAC,kBAAkB,CAAC;QAC9F,CAAC;QACD,IAAI,CAAC;YACH,OAAO,MAAM,GAAG,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,UAAU,CAAC,OAAO,CAAC,8CAA8C,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YAC9E,IAAI,OAAO,CAAC,8BAA8B,EAAE,CAAC;gBAC3C,MAAM,IAAI,uCAA2B,CAAC;oBACpC,MAAM;oBACN,eAAe,EAAE,OAAO;oBACxB,OAAO,EAAE,2DAA2D;iBACrE,CAAC,C
AAC;YACL,CAAC;YACD,oGAAoG;YACpG,IAAI,uBAAuB,EAAE,CAAC;gBAC5B,OAAO,wBAAwB,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;YAC1D,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,CAAC;YACV,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,UAAU,gBAAgB,CAC7B,MAAgB,EAChB,uBAAgC,EAChC,UAAsC,EAAE;QAExC,UAAU,CAAC,QAAQ,CAAC,IAAI,CACtB,2FAA2F,uBAAuB,EAAE,CACrH,CAAC;QACF,MAAM,QAAQ,GAAG,MAAM,wBAAwB,CAAC,MAAM,EAAE,uBAAuB,EAAE,OAAO,CAAC,CAAC;QAC1F,IAAA,+BAAoB,EAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAChD,KAAK,CAAC,aAAa,GAAG,QAAQ,EAAE,OAAO,IAAI,IAAI,CAAC;QAEhD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;QAClD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,WAAW;YAC3B,kBAAkB,EAAE,QAAQ,CAAC,SAAS,CAAC,OAAO,EAAE;YAChD,qBAAqB,EAAE,QAAQ,CAAC,SAAS,EAAE,OAAO,EAAE;YACpD,SAAS,EAAE,QAAQ,CAAC,SAAS;SACf,CAAC;IACnB,CAAC;IAED,KAAK,UAAU,4BAA4B,CACzC,MAAgB,EAChB,UAAsC,EAAE;QAExC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QAEtE,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAExC,OAAO,wBAAwB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,kBAAkB,GAAG,4BAA4B,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAEzE,IAAI,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;gBAC/C,OAAO,wBAAwB,CAC7B,MAAM,EACN,KAAK,CAAC,mBAAmB,CAAC,MAAM,CAAC,uBAAuB,IAAI,KAAK,EACjE,OAAO,CACR,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,CAAC,wBAAwB,EAAE,CAAC;gBACrC,kBAAkB,CAAC,QAAQ,GAAG,OAAO,CAAC,wBAAwB,CAAC,KAAK,CAAC;gBACrE,kBAAkB,CAAC,oBAAoB,GAAG,KAAK,CAAC;gBAChD,kBAAkB,CAAC,qBAAqB;oBACtC,OAAO,CAAC,wBAAwB,CAAC,qBAAqB,CAAC;gBACzD,kBAAkB,CAAC,kBAAkB,GAAG,OAAO,CAAC,wBAAwB,CAAC,kBAAkB,CAAC;YAC9F,CAAC;YACD,OAAO,GAAG,CAAC,uBAAuB,CAAC,kBAAkB,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,gBAAgB;QAChB,gBAAgB;QAChB,sBAAsB;QACtB,yBAAyB;QACzB,2BAA2B;QAC3B,oBAAoB;QACpB,0BAA0B;QAC1B,2BAA2B;QAC3B,kBAAkB;QAClB,4BAA4B;KAC7B,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport * as msal from \"@azure/msal-node\";\n\nimport type { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport type 
{ AuthenticationRecord, CertificateParts } from \"../types.js\";\nimport type { CredentialLogger } from \"../../util/logging.js\";\nimport { credentialLogger, formatSuccess } from \"../../util/logging.js\";\nimport type { PluginConfiguration } from \"./msalPlugins.js\";\nimport { msalPlugins } from \"./msalPlugins.js\";\nimport {\n defaultLoggerCallback,\n ensureValidMsalToken,\n getAuthority,\n getKnownAuthorities,\n getMSALLogLevel,\n handleMsalError,\n msalToPublic,\n publicToMsal,\n} from \"../utils.js\";\n\nimport { AuthenticationRequiredError } from \"../../errors.js\";\nimport type { BrokerOptions } from \"./brokerOptions.js\";\nimport type { DeviceCodePromptCallback } from \"../../credentials/deviceCodeCredentialOptions.js\";\nimport { IdentityClient } from \"../../client/identityClient.js\";\nimport type { InteractiveBrowserCredentialNodeOptions } from \"../../credentials/interactiveBrowserCredentialOptions.js\";\nimport type { TokenCachePersistenceOptions } from \"./tokenCachePersistenceOptions.js\";\nimport { calculateRegionalAuthority } from \"../../regionalAuthority.js\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { resolveTenantId } from \"../../util/tenantIdUtils.js\";\nimport { CommonClientOptions } from \"@azure/core-client\";\nimport { LogPolicyOptions } from \"@azure/core-rest-pipeline\";\nimport { getAuthorityHost } from \"../../util/authorityHost.js\";\n\n/**\n * The default logger used if no logger was passed in by the credential.\n */\nconst msalLogger = credentialLogger(\"MsalClient\");\n\n/**\n * Represents the options for acquiring a token using flows that support silent authentication.\n */\nexport interface GetTokenWithSilentAuthOptions extends GetTokenOptions {\n /**\n * Disables automatic authentication. 
If set to true, the method will throw an error if the user needs to authenticate.\n *\n * @remarks\n *\n * This option will be set to `false` when the user calls `authenticate` directly on a credential that supports it.\n */\n disableAutomaticAuthentication?: boolean;\n}\n\n/**\n * Represents the options for acquiring a token interactively.\n */\nexport interface GetTokenInteractiveOptions extends GetTokenWithSilentAuthOptions {\n /**\n * Window handle for parent window, required for WAM authentication.\n */\n parentWindowHandle?: Buffer;\n /**\n * Shared configuration options for browser customization\n */\n browserCustomizationOptions?: InteractiveBrowserCredentialNodeOptions[\"browserCustomizationOptions\"];\n /**\n * loginHint allows a user name to be pre-selected for interactive logins.\n * Setting this option skips the account selection prompt and immediately attempts to login with the specified account.\n */\n loginHint?: string;\n}\n\n/**\n * Represents a client for interacting with the Microsoft Authentication Library (MSAL).\n */\nexport interface MsalClient {\n /**\n *\n * Retrieves an access token by using the on-behalf-of flow and a client assertion callback of the calling service.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param userAssertionToken - The access token that was sent to the middle-tier API. 
This token must have an audience of the app making this OBO request.\n * @param clientCredentials - The client secret OR client certificate OR client `getAssertion` callback.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenOnBehalfOf(\n scopes: string[],\n userAssertionToken: string,\n clientCredentials: string | CertificateParts | (() => Promise<string>),\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using an interactive prompt (InteractiveBrowserCredential).\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by using a user's username and password.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param username - The username provided by the developer.\n * @param password - The user's password provided by the developer.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByUsernamePassword(\n scopes: string[],\n username: string,\n password: string,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by prompting the user to authenticate using a device code.\n *\n * @param scopes - The scopes for which the access token is requested. 
These represent the resources that the application wants to access.\n * @param userPromptCallback - The callback function that allows developers to customize the prompt message.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByDeviceCode(\n scopes: string[],\n userPromptCallback: DeviceCodePromptCallback,\n options?: GetTokenWithSilentAuthOptions,\n ): Promise<AccessToken>;\n /**\n * Retrieves an access token by using a client certificate.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param certificate - The client certificate used for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientCertificate(\n scopes: string[],\n certificate: CertificateParts,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using a client assertion.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param clientAssertion - The client `getAssertion` callback used for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientAssertion(\n scopes: string[],\n clientAssertion: () => Promise<string>,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using a client secret.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param clientSecret - The client secret of the application. 
This is a credential that the application can use to authenticate itself.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getTokenByClientSecret(\n scopes: string[],\n clientSecret: string,\n options?: GetTokenOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves an access token by using an authorization code flow.\n *\n * @param scopes - The scopes for which the access token is requested. These represent the resources that the application wants to access.\n * @param authorizationCode - An authorization code that was received from following the\n authorization code flow. This authorization code must not\n have already been used to obtain an access token.\n * @param redirectUri - The redirect URI that was used to request the authorization code.\n Must be the same URI that is configured for the App Registration.\n * @param clientSecret - An optional client secret that was generated for the App Registration.\n * @param options - Additional options that may be provided to the method.\n */\n getTokenByAuthorizationCode(\n scopes: string[],\n redirectUri: string,\n authorizationCode: string,\n clientSecret?: string,\n options?: GetTokenWithSilentAuthOptions,\n ): Promise<AccessToken>;\n\n /**\n * Retrieves the last authenticated account. This method expects an authentication record to have been previously loaded.\n *\n * An authentication record could be loaded by calling the `getToken` method, or by providing an `authenticationRecord` when creating a credential.\n */\n getActiveAccount(): AuthenticationRecord | undefined;\n\n /**\n * Retrieves an access token using brokered authentication.\n *\n * @param scopes - The scopes for which the access token is requested. 
These represent the resources that the application wants to access.\n * @param useDefaultBrokerAccount - Whether to use the default broker account for authentication.\n * @param options - Additional options that may be provided to the method.\n * @returns An access token.\n */\n getBrokeredToken(\n scopes: string[],\n useDefaultBrokerAccount: boolean,\n options?: GetTokenInteractiveOptions,\n ): Promise<AccessToken>;\n}\n\n/**\n * Represents the options for configuring the MsalClient.\n */\nexport interface MsalClientOptions extends CommonClientOptions {\n /**\n * Parameters that enable WAM broker authentication in the InteractiveBrowserCredential.\n */\n brokerOptions?: BrokerOptions;\n\n /**\n * Parameters that enable token cache persistence in the Identity credentials.\n */\n tokenCachePersistenceOptions?: TokenCachePersistenceOptions;\n\n /**\n * Indicates if this is being used by VSCode credential.\n */\n isVSCodeCredential?: boolean;\n\n /**\n * A custom authority host.\n */\n authorityHost?: string;\n\n /**\n * Allows users to configure settings for logging policy options, allow logging account information and personally identifiable information for customer support.\n */\n loggingOptions?: LogPolicyOptions & {\n /**\n * Allows logging account information once the authentication flow succeeds.\n */\n allowLoggingAccountIdentifiers?: boolean;\n /**\n * Allows logging personally identifiable information for customer support.\n */\n enableUnsafeSupportLogging?: boolean;\n };\n\n /**\n * Determines whether instance discovery is disabled.\n */\n disableInstanceDiscovery?: boolean;\n\n /**\n * The logger for the MsalClient.\n */\n logger?: CredentialLogger;\n\n /**\n * The authentication record for the MsalClient.\n */\n authenticationRecord?: AuthenticationRecord;\n}\n\n/**\n * Generates the configuration for MSAL (Microsoft Authentication Library).\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active 
Directory.\n * @param msalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns The MSAL configuration object.\n */\nexport function generateMsalConfiguration(\n clientId: string,\n tenantId: string,\n msalClientOptions: MsalClientOptions = {},\n): msal.Configuration {\n const resolvedTenant = resolveTenantId(\n msalClientOptions.logger ?? msalLogger,\n tenantId,\n clientId,\n );\n\n const authority = getAuthority(resolvedTenant, getAuthorityHost(msalClientOptions));\n\n const httpClient = new IdentityClient({\n ...msalClientOptions,\n authorityHost: authority,\n loggingOptions: msalClientOptions.loggingOptions,\n });\n\n const msalConfig: msal.Configuration = {\n auth: {\n clientId,\n authority,\n knownAuthorities: getKnownAuthorities(\n resolvedTenant,\n authority,\n msalClientOptions.disableInstanceDiscovery,\n ),\n },\n system: {\n networkClient: httpClient,\n loggerOptions: {\n loggerCallback: defaultLoggerCallback(msalClientOptions.logger ?? msalLogger),\n logLevel: getMSALLogLevel(getLogLevel()),\n piiLoggingEnabled: msalClientOptions.loggingOptions?.enableUnsafeSupportLogging,\n },\n },\n };\n return msalConfig;\n}\n\n/**\n * Represents the state necessary for the MSAL (Microsoft Authentication Library) client to operate.\n * This includes the MSAL configuration, cached account information, Azure region, and a flag to disable automatic authentication.\n */\ninterface MsalClientState {\n /** The configuration for the MSAL client. */\n msalConfig: msal.Configuration;\n\n /** The cached account information, or null if no account information is cached. 
*/\n cachedAccount: msal.AccountInfo | null;\n\n /** Configured plugins */\n pluginConfiguration: PluginConfiguration;\n\n /** Claims received from challenges, cached for the next request */\n cachedClaims?: string;\n\n /** The logger instance */\n logger: CredentialLogger;\n}\n\n/**\n * Creates an instance of the MSAL (Microsoft Authentication Library) client.\n *\n * @param clientId - The client ID of the application.\n * @param tenantId - The tenant ID of the Azure Active Directory.\n * @param createMsalClientOptions - Optional. Additional options for creating the MSAL client.\n * @returns An instance of the MSAL client.\n *\n * @public\n */\nexport function createMsalClient(\n clientId: string,\n tenantId: string,\n createMsalClientOptions: MsalClientOptions = {},\n): MsalClient {\n const state: MsalClientState = {\n msalConfig: generateMsalConfiguration(clientId, tenantId, createMsalClientOptions),\n cachedAccount: createMsalClientOptions.authenticationRecord\n ? publicToMsal(createMsalClientOptions.authenticationRecord)\n : null,\n pluginConfiguration: msalPlugins.generatePluginConfiguration(createMsalClientOptions),\n logger: createMsalClientOptions.logger ?? msalLogger,\n };\n\n const publicApps: Map<string, msal.PublicClientApplication> = new Map();\n async function getPublicApp(\n options: GetTokenOptions = {},\n ): Promise<msal.PublicClientApplication> {\n const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n let publicClientApp = publicApps.get(appKey);\n if (publicClientApp) {\n state.logger.getToken.info(\"Existing PublicClientApplication found in cache, returning it.\");\n return publicClientApp;\n }\n\n // Initialize a new app and cache it\n state.logger.getToken.info(\n `Creating new PublicClientApplication with CAE ${options.enableCae ? \"enabled\" : \"disabled\"}.`,\n );\n\n const cachePlugin = options.enableCae\n ? 
state.pluginConfiguration.cache.cachePluginCae\n : state.pluginConfiguration.cache.cachePlugin;\n\n state.msalConfig.auth.clientCapabilities = options.enableCae ? [\"cp1\"] : undefined;\n\n publicClientApp = new msal.PublicClientApplication({\n ...state.msalConfig,\n broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n cache: { cachePlugin: await cachePlugin },\n });\n\n publicApps.set(appKey, publicClientApp);\n\n return publicClientApp;\n }\n\n const confidentialApps: Map<string, msal.ConfidentialClientApplication> = new Map();\n async function getConfidentialApp(\n options: GetTokenOptions = {},\n ): Promise<msal.ConfidentialClientApplication> {\n const appKey = options.enableCae ? \"CAE\" : \"default\";\n\n let confidentialClientApp = confidentialApps.get(appKey);\n if (confidentialClientApp) {\n state.logger.getToken.info(\n \"Existing ConfidentialClientApplication found in cache, returning it.\",\n );\n return confidentialClientApp;\n }\n\n // Initialize a new app and cache it\n state.logger.getToken.info(\n `Creating new ConfidentialClientApplication with CAE ${\n options.enableCae ? \"enabled\" : \"disabled\"\n }.`,\n );\n\n const cachePlugin = options.enableCae\n ? state.pluginConfiguration.cache.cachePluginCae\n : state.pluginConfiguration.cache.cachePlugin;\n\n state.msalConfig.auth.clientCapabilities = options.enableCae ? 
[\"cp1\"] : undefined;\n\n confidentialClientApp = new msal.ConfidentialClientApplication({\n ...state.msalConfig,\n broker: { nativeBrokerPlugin: state.pluginConfiguration.broker.nativeBrokerPlugin },\n cache: { cachePlugin: await cachePlugin },\n });\n\n confidentialApps.set(appKey, confidentialClientApp);\n\n return confidentialClientApp;\n }\n\n async function getTokenSilent(\n app: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n scopes: string[],\n options: GetTokenOptions = {},\n ): Promise<msal.AuthenticationResult> {\n if (state.cachedAccount === null) {\n state.logger.getToken.info(\"No cached account found in local state.\");\n throw new AuthenticationRequiredError({ scopes });\n }\n\n // Keep track and reuse the claims we received across challenges\n if (options.claims) {\n state.cachedClaims = options.claims;\n }\n\n const silentRequest: msal.SilentFlowRequest = {\n account: state.cachedAccount,\n scopes,\n claims: state.cachedClaims,\n };\n\n if (state.pluginConfiguration.broker.isEnabled) {\n silentRequest.tokenQueryParameters ||= {};\n if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n silentRequest.tokenQueryParameters[\"msal_request_type\"] = \"consumer_passthrough\";\n }\n }\n\n if (options.proofOfPossessionOptions) {\n silentRequest.shrNonce = options.proofOfPossessionOptions.nonce;\n silentRequest.authenticationScheme = \"pop\";\n silentRequest.resourceRequestMethod = options.proofOfPossessionOptions.resourceRequestMethod;\n silentRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;\n }\n state.logger.getToken.info(\"Attempting to acquire token silently\");\n try {\n return await app.acquireTokenSilent(silentRequest);\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n /**\n * Builds an authority URL for the given request. 
The authority may be different than the one used when creating the MSAL client\n * if the user is creating cross-tenant requests\n */\n function calculateRequestAuthority(options?: GetTokenOptions): string | undefined {\n if (options?.tenantId) {\n return getAuthority(options.tenantId, getAuthorityHost(createMsalClientOptions));\n }\n return state.msalConfig.auth.authority;\n }\n\n /**\n * Performs silent authentication using MSAL to acquire an access token.\n * If silent authentication fails, falls back to interactive authentication.\n *\n * @param msalApp - The MSAL application instance.\n * @param scopes - The scopes for which to acquire the access token.\n * @param options - The options for acquiring the access token.\n * @param onAuthenticationRequired - A callback function to handle interactive authentication when silent authentication fails.\n * @returns A promise that resolves to an AccessToken object containing the access token and its expiration timestamp.\n */\n async function withSilentAuthentication(\n msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication,\n scopes: Array<string>,\n options: GetTokenWithSilentAuthOptions,\n onAuthenticationRequired: () => Promise<msal.AuthenticationResult | null>,\n ): Promise<AccessToken> {\n let response: msal.AuthenticationResult | null = null;\n try {\n response = await getTokenSilent(msalApp, scopes, options);\n } catch (e: any) {\n if (e.name !== \"AuthenticationRequiredError\") {\n throw e;\n }\n if (options.disableAutomaticAuthentication) {\n throw new AuthenticationRequiredError({\n scopes,\n getTokenOptions: options,\n message:\n \"Automatic authentication has been disabled. 
You may call the authentication() method.\",\n });\n }\n }\n\n // Silent authentication failed\n if (response === null) {\n try {\n response = await onAuthenticationRequired();\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n // At this point we should have a token, process it\n ensureValidMsalToken(scopes, response, options);\n state.cachedAccount = response?.account ?? null;\n\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n }\n\n async function getTokenByClientSecret(\n scopes: string[],\n clientSecret: string,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client secret`);\n\n state.msalConfig.auth.clientSecret = clientSecret;\n\n const msalApp = await getConfidentialApp(options);\n\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n });\n ensureValidMsalToken(scopes, response, options);\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByClientAssertion(\n scopes: string[],\n clientAssertion: () => Promise<string>,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client assertion`);\n\n state.msalConfig.auth.clientAssertion = clientAssertion;\n\n const msalApp = await getConfidentialApp(options);\n\n try {\n const 
response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n clientAssertion,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByClientCertificate(\n scopes: string[],\n certificate: CertificateParts,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using client certificate`);\n\n state.msalConfig.auth.clientCertificate = certificate;\n\n const msalApp = await getConfidentialApp(options);\n try {\n const response = await msalApp.acquireTokenByClientCredential({\n scopes,\n authority: calculateRequestAuthority(options),\n azureRegion: calculateRegionalAuthority(),\n claims: options?.claims,\n });\n ensureValidMsalToken(scopes, response, options);\n\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n async function getTokenByDeviceCode(\n scopes: string[],\n deviceCodeCallback: DeviceCodePromptCallback,\n options: GetTokenWithSilentAuthOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using device code`);\n\n const msalApp = await getPublicApp(options);\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n const requestOptions: msal.DeviceCodeRequest = {\n 
scopes,\n cancel: options?.abortSignal?.aborted ?? false,\n deviceCodeCallback,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n };\n const deviceCodeRequest = msalApp.acquireTokenByDeviceCode(requestOptions);\n if (options.abortSignal) {\n options.abortSignal.addEventListener(\"abort\", () => {\n requestOptions.cancel = true;\n });\n }\n\n return deviceCodeRequest;\n });\n }\n\n async function getTokenByUsernamePassword(\n scopes: string[],\n username: string,\n password: string,\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using username and password`);\n\n const msalApp = await getPublicApp(options);\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n const requestOptions: msal.UsernamePasswordRequest = {\n scopes,\n username,\n password,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n };\n\n return msalApp.acquireTokenByUsernamePassword(requestOptions);\n });\n }\n\n function getActiveAccount(): AuthenticationRecord | undefined {\n if (!state.cachedAccount) {\n return undefined;\n }\n return msalToPublic(clientId, state.cachedAccount);\n }\n\n async function getTokenByAuthorizationCode(\n scopes: string[],\n redirectUri: string,\n authorizationCode: string,\n clientSecret?: string,\n options: GetTokenWithSilentAuthOptions = {},\n ): Promise<AccessToken> {\n state.logger.getToken.info(`Attempting to acquire token using authorization code`);\n\n let msalApp: msal.ConfidentialClientApplication | msal.PublicClientApplication;\n if (clientSecret) {\n // If a client secret is provided, we need to use a confidential client application\n // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret\n state.msalConfig.auth.clientSecret = clientSecret;\n msalApp = await getConfidentialApp(options);\n } else {\n msalApp = await getPublicApp(options);\n 
}\n\n return withSilentAuthentication(msalApp, scopes, options, () => {\n return msalApp.acquireTokenByCode({\n scopes,\n redirectUri,\n code: authorizationCode,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n });\n });\n }\n\n async function getTokenOnBehalfOf(\n scopes: string[],\n userAssertionToken: string,\n clientCredentials: string | CertificateParts | (() => Promise<string>),\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n msalLogger.getToken.info(`Attempting to acquire token on behalf of another user`);\n\n if (typeof clientCredentials === \"string\") {\n // Client secret\n msalLogger.getToken.info(`Using client secret for on behalf of flow`);\n state.msalConfig.auth.clientSecret = clientCredentials;\n } else if (typeof clientCredentials === \"function\") {\n // Client Assertion\n msalLogger.getToken.info(`Using client assertion callback for on behalf of flow`);\n state.msalConfig.auth.clientAssertion = clientCredentials;\n } else {\n // Client certificate\n msalLogger.getToken.info(`Using client certificate for on behalf of flow`);\n state.msalConfig.auth.clientCertificate = clientCredentials;\n }\n\n const msalApp = await getConfidentialApp(options);\n try {\n const response = await msalApp.acquireTokenOnBehalfOf({\n scopes,\n authority: calculateRequestAuthority(options),\n claims: options.claims,\n oboAssertion: userAssertionToken,\n });\n ensureValidMsalToken(scopes, response, options);\n\n msalLogger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n } catch (err: any) {\n throw handleMsalError(scopes, err, options);\n }\n }\n\n /**\n * Creates a base interactive request configuration for MSAL interactive authentication.\n * This is shared between interactive and brokered authentication flows.\n */\n function 
createBaseInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions,\n ): msal.InteractiveRequest {\n return {\n openBrowser: async (url) => {\n const open = await import(\"open\");\n await open.default(url, { newInstance: true });\n },\n scopes,\n authority: calculateRequestAuthority(options),\n claims: options?.claims,\n loginHint: options?.loginHint,\n errorTemplate: options?.browserCustomizationOptions?.errorMessage,\n successTemplate: options?.browserCustomizationOptions?.successMessage,\n prompt: options?.loginHint ? \"login\" : \"select_account\",\n };\n }\n\n /**\n * @internal\n */\n async function getBrokeredTokenInternal(\n scopes: string[],\n useDefaultBrokerAccount: boolean,\n options: GetTokenInteractiveOptions = {},\n ): Promise<msal.AuthenticationResult> {\n msalLogger.verbose(\"Authentication will resume through the broker\");\n\n const app = await getPublicApp(options);\n\n const interactiveRequest = createBaseInteractiveRequest(scopes, options);\n if (state.pluginConfiguration.broker.parentWindowHandle) {\n interactiveRequest.windowHandle = Buffer.from(\n state.pluginConfiguration.broker.parentWindowHandle,\n );\n } else {\n // this is a bug, as the pluginConfiguration handler should validate this case.\n msalLogger.warning(\n \"Parent window handle is not specified for the broker. This may cause unexpected behavior. 
Please provide the parentWindowHandle.\",\n );\n }\n\n if (state.pluginConfiguration.broker.enableMsaPassthrough) {\n (interactiveRequest.tokenQueryParameters ??= {})[\"msal_request_type\"] =\n \"consumer_passthrough\";\n }\n if (useDefaultBrokerAccount) {\n interactiveRequest.prompt = \"none\";\n msalLogger.verbose(\"Attempting broker authentication using the default broker account\");\n } else {\n msalLogger.verbose(\"Attempting broker authentication without the default broker account\");\n }\n\n if (options.proofOfPossessionOptions) {\n interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;\n interactiveRequest.authenticationScheme = \"pop\";\n interactiveRequest.resourceRequestMethod =\n options.proofOfPossessionOptions.resourceRequestMethod;\n interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;\n }\n try {\n return await app.acquireTokenInteractive(interactiveRequest);\n } catch (e: any) {\n msalLogger.verbose(`Failed to authenticate through the broker: ${e.message}`);\n if (options.disableAutomaticAuthentication) {\n throw new AuthenticationRequiredError({\n scopes,\n getTokenOptions: options,\n message: \"Cannot silently authenticate with default broker account.\",\n });\n }\n // If we tried to use the default broker account and failed, fall back to interactive authentication\n if (useDefaultBrokerAccount) {\n return getBrokeredTokenInternal(scopes, false, options);\n } else {\n throw e;\n }\n }\n }\n\n /**\n * A helper function that supports brokered authentication through the MSAL's public application.\n *\n * When useDefaultBrokerAccount is true, the method will attempt to authenticate using the default broker account.\n * If the default broker account is not available, the method will fall back to interactive authentication.\n */\n async function getBrokeredToken(\n scopes: string[],\n useDefaultBrokerAccount: boolean,\n options: GetTokenInteractiveOptions = {},\n ): Promise<AccessToken> {\n 
msalLogger.getToken.info(\n `Attempting to acquire token using brokered authentication with useDefaultBrokerAccount: ${useDefaultBrokerAccount}`,\n );\n const response = await getBrokeredTokenInternal(scopes, useDefaultBrokerAccount, options);\n ensureValidMsalToken(scopes, response, options);\n state.cachedAccount = response?.account ?? null;\n\n state.logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.accessToken,\n expiresOnTimestamp: response.expiresOn.getTime(),\n refreshAfterTimestamp: response.refreshOn?.getTime(),\n tokenType: response.tokenType,\n } as AccessToken;\n }\n\n async function getTokenByInteractiveRequest(\n scopes: string[],\n options: GetTokenInteractiveOptions = {},\n ): Promise<AccessToken> {\n msalLogger.getToken.info(`Attempting to acquire token interactively`);\n\n const app = await getPublicApp(options);\n\n return withSilentAuthentication(app, scopes, options, async () => {\n const interactiveRequest = createBaseInteractiveRequest(scopes, options);\n\n if (state.pluginConfiguration.broker.isEnabled) {\n return getBrokeredTokenInternal(\n scopes,\n state.pluginConfiguration.broker.useDefaultBrokerAccount ?? false,\n options,\n );\n }\n if (options.proofOfPossessionOptions) {\n interactiveRequest.shrNonce = options.proofOfPossessionOptions.nonce;\n interactiveRequest.authenticationScheme = \"pop\";\n interactiveRequest.resourceRequestMethod =\n options.proofOfPossessionOptions.resourceRequestMethod;\n interactiveRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;\n }\n return app.acquireTokenInteractive(interactiveRequest);\n });\n }\n\n return {\n getActiveAccount,\n getBrokeredToken,\n getTokenByClientSecret,\n getTokenByClientAssertion,\n getTokenByClientCertificate,\n getTokenByDeviceCode,\n getTokenByUsernamePassword,\n getTokenByAuthorizationCode,\n getTokenOnBehalfOf,\n getTokenByInteractiveRequest,\n };\n}\n"]}
@@ -11,15 +11,6 @@ export interface ILoggerCallback {
11
11
  * @internal
12
12
  */
13
13
  export declare function ensureValidMsalToken(scopes: string | string[], msalToken?: MsalToken | null, getTokenOptions?: GetTokenOptions): asserts msalToken is ValidMsalToken;
14
- /**
15
- * Returns the authority host from either the options bag or the AZURE_AUTHORITY_HOST environment variable.
16
- *
17
- * Defaults to {@link DefaultAuthorityHost}.
18
- * @internal
19
- */
20
- export declare function getAuthorityHost(options?: {
21
- authorityHost?: string;
22
- }): string;
23
14
  /**
24
15
  * Generates a valid authority by combining a host with a tenantId.
25
16
  * @internal
@@ -1 +1 @@
1
- {"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/msal/utils.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,oBAAoB,EAAE,eAAe,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEnG,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAM3D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvC,MAAM,WAAW,eAAe;IAC9B,CAAC,KAAK,EAAE,UAAU,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,GAAG,IAAI,CAAC;CAC3E;AASD;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,SAAS,CAAC,EAAE,SAAS,GAAG,IAAI,EAC5B,eAAe,CAAC,EAAE,eAAe,GAChC,OAAO,CAAC,SAAS,IAAI,cAAc,CAkBrC;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,CAAC,EAAE;IAAE,aAAa,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAQ7E;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAYpE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,wBAAwB,CAAC,EAAE,OAAO,GACjC,MAAM,EAAE,CAKV;AAED;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,EAAE,CAClC,MAAM,EAAE,gBAAgB,EACxB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,KAC1B,eAoBF,CAAC;AAEJ;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,aAAa,GAAG,SAAS,GAAG,UAAU,CAAC,QAAQ,CAcxF;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAEnC;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,MAAM,EAAE,EAChB,KAAK,EAAE,KAAK,EACZ,eAAe,CAAC,EAAE,eAAe,GAChC,KAAK,CA6CP;AAGD,wBAAgB,YAAY,CAAC,OAAO,EAAE,oBAAoB,GAAG,UAAU,CAAC,WAAW,CAQlF;AAED,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,oBAAoB,CAU7F;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CAElF;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,+BAA+B,CAAC,gBAAgB,EAAE,MAAM,GAAG,oBAAoB,CAQ9F"}
1
+ {"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/msal/utils.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,oBAAoB,EAAE,eAAe,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAEnG,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAM3D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvC,MAAM,WAAW,eAAe;IAC9B,CAAC,KAAK,EAAE,UAAU,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,GAAG,IAAI,CAAC;CAC3E;AASD;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,SAAS,CAAC,EAAE,SAAS,GAAG,IAAI,EAC5B,eAAe,CAAC,EAAE,eAAe,GAChC,OAAO,CAAC,SAAS,IAAI,cAAc,CAkBrC;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAYpE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,aAAa,EAAE,MAAM,EACrB,wBAAwB,CAAC,EAAE,OAAO,GACjC,MAAM,EAAE,CAKV;AAED;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,EAAE,CAClC,MAAM,EAAE,gBAAgB,EACxB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,KAC1B,eAoBF,CAAC;AAEJ;;GAEG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,aAAa,GAAG,SAAS,GAAG,UAAU,CAAC,QAAQ,CAcxF;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,IAAI,MAAM,CAEnC;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,MAAM,EAAE,EAChB,KAAK,EAAE,KAAK,EACZ,eAAe,CAAC,EAAE,eAAe,GAChC,KAAK,CA6CP;AAGD,wBAAgB,YAAY,CAAC,OAAO,EAAE,oBAAoB,GAAG,UAAU,CAAC,WAAW,CAQlF;AAED,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,oBAAoB,CAU7F;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,oBAAoB,GAAG,MAAM,CAElF;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,+BAA+B,CAAC,gBAAgB,EAAE,MAAM,GAAG,oBAAoB,CAQ9F"}
@@ -4,7 +4,6 @@
4
4
  Object.defineProperty(exports, "__esModule", { value: true });
5
5
  exports.defaultLoggerCallback = void 0;
6
6
  exports.ensureValidMsalToken = ensureValidMsalToken;
7
- exports.getAuthorityHost = getAuthorityHost;
8
7
  exports.getAuthority = getAuthority;
9
8
  exports.getKnownAuthorities = getKnownAuthorities;
10
9
  exports.getMSALLogLevel = getMSALLogLevel;
@@ -48,19 +47,6 @@ function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
48
47
  throw error(`Response had no "accessToken" property.`);
49
48
  }
50
49
  }
51
- /**
52
- * Returns the authority host from either the options bag or the AZURE_AUTHORITY_HOST environment variable.
53
- *
54
- * Defaults to {@link DefaultAuthorityHost}.
55
- * @internal
56
- */
57
- function getAuthorityHost(options) {
58
- let authorityHost = options?.authorityHost;
59
- if (!authorityHost && core_util_1.isNodeLike) {
60
- authorityHost = process.env.AZURE_AUTHORITY_HOST;
61
- }
62
- return authorityHost ?? constants_js_1.DefaultAuthorityHost;
63
- }
64
50
  /**
65
51
  * Generates a valid authority by combining a host with a tenantId.
66
52
  * @internal
@@ -97,7 +83,7 @@ function getKnownAuthorities(tenantId, authorityHost, disableInstanceDiscovery)
97
83
  * @param credLogger - The logger of the credential.
98
84
  * @internal
99
85
  */
100
- const defaultLoggerCallback = (credLogger, platform = core_util_1.isNode ? "Node" : "Browser") => (level, message, containsPii) => {
86
+ const defaultLoggerCallback = (credLogger, platform = core_util_1.isNodeLike ? "Node" : "Browser") => (level, message, containsPii) => {
101
87
  if (containsPii) {
102
88
  return;
103
89
  }
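Review bot: The `platform` parameter of `defaultLoggerCallback` has no `@param` entry in the JSDoc lines visible above new line 86, which document only `credLogger`, and its default now comes from `core_util_1.isNodeLike`. The default label is therefore "Node" in any Node.js-compatible environment, not only Node.js itself, which matters to anyone reading the label during log triage, assuming it reaches the log output (the callback body continues outside this hunk). I would add `* @param platform - Runtime label; defaults to "Node" in any Node.js-compatible environment, otherwise "Browser".` to the doc comment. This file is compiled output, so the comment belongs in `src/msal/utils.ts`. The start of the JSDoc block is also outside the hunk.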