npm - @azure/identity - Versions diffs - 4.14.0-beta.1 → 4.14.0-beta.3 - Mend

@azure/identity 4.14.0-beta.1 → 4.14.0-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (571) hide show

package/dist/commonjs/credentials/managedIdentityCredential/imdsMsi.js.map CHANGED Viewed

@@ -1 +1,7 @@
-{"version":3,"file":"imdsMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/imdsMsi.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAGlC,kEAAqF;AACrF,gDAA2C;AAG3C,sDAAyD;AACzD,yCAAiD;AACjD,sDAAsD;AAGtD,MAAM,OAAO,GAAG,kCAAkC,CAAC;AACnD,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,OAAO,CAAC,CAAC;AAEzC,MAAM,QAAQ,GAAG,wBAAwB,CAAC;AAC1C,MAAM,gBAAgB,GAAG,iCAAiC,CAAC;AAE3D;;;GAGG;AACH,SAAS,4BAA4B,CAAC,MAAyB;IAC7D,MAAM,QAAQ,GAAG,IAAA,8BAAmB,EAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;IACpE,CAAC;IAED,wFAAwF;IACxF,iGAAiG;IACjG,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,iCAAiC,IAAI,QAAQ,CAAC,CAAC;IAEjG,MAAM,UAAU,GAA2B;QACzC,MAAM,EAAE,kBAAkB;QAC1B,qFAAqF;KACtF,CAAC;IAEF,OAAO;QACL,wCAAwC;QACxC,GAAG,EAAE,GAAG,GAAG,EAAE;QACb,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,IAAA,sCAAiB,EAAC,UAAU,CAAC;KACvC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACU,QAAA,OAAO,GAAG;IACrB,IAAI,EAAE,SAAS;IACf,KAAK,CAAC,WAAW,CAAC,OAMjB;QACC,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAA,8BAAmB,EAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC;QAED,oHAAoH;QACpH,IAAI,OAAO,CAAC,GAAG,CAAC,iCAAiC,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,cAAc,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAC;QAE9D,OAAO,0BAAa,CAAC,QAAQ,CAC3B,4CAA4C,EAC5C,eAAe,IAAI,EAAE,EACrB,KAAK,EAAE,cAAc,EAAE,EAAE;YACvB,cAAc,CAAC,cAAc,GAAG,cAAc,CAAC,cAAc,CAAC;YAE9D,uDAAuD;YACvD,6DAA6D;YAC7D,gEAAgE;YAChE,MAAM,OAAO,GAAG,IAAA,0CAAqB,EAAC,cAAc,CAAC,CAAC;YAEtD,+CAA+C;YAC/C,4DAA4D;YAC5D,OAAO,CAAC,OAAO,GAAG,cAAc,CAAC,cAAc,EAAE,OAAO,IAAI,IAAI,CAAC;YAEjE,2EAA2E;YAC3E,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC;YACvC,IAAI,QAA0B,CAAC;YAC/B,IAAI,CAAC;gBACH,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mCAAmC,CAAC,CAAC;gBAC3D,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YACvD,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,0EAA0E;gBAC1E,wEAAwE;gBACxE,IAAI,IAAA,mBAAO,EAAC,GAAG,CAAC,EAAE,CAAC;oBACjB,MAAM,CAAC,OAAO,CAAC,GAAG,OAAO,kBAAkB,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;gBACzE,CAAC;gBACD,6NAA6N;gBAC7N,4CAA4C;gBAC5C,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,0CAA0C,CAAC,CAAC;gBAClE,OAAO,KAAK,CAAC;YACf,CAAC;YACD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,IAAI,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;oBACjD,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,0CAA0C,CAAC,CAAC;oBAClE,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,KAAK,QAAQ,CAAC,UAAU,EAAE,CAAC,CAAC;oBAClD,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YACD,yDAAyD;YACzD,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,wCAAwC,CAAC,CAAC;YAChE,OAAO,IAAI,CAAC;QACd,CAAC,CACF,CAAC;IACJ,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { PipelineRequestOptions, PipelineResponse } from \"@azure/core-rest-pipeline\";\nimport { createHttpHeaders, createPipelineRequest } from \"@azure/core-rest-pipeline\";\nimport { isError } from \"@azure/core-util\";\n\nimport type { GetTokenOptions } from \"@azure/core-auth\";\nimport { credentialLogger } from \"../../util/logging.js\";\nimport { mapScopesToResource } from \"./utils.js\";\nimport { tracingClient } from \"../../util/tracing.js\";\nimport type { IdentityClient } from \"../../client/identityClient.js\";\n\nconst msiName = \"ManagedIdentityCredential - IMDS\";\nconst logger = credentialLogger(msiName);\n\nconst imdsHost = \"http://169.254.169.254\";\nconst imdsEndpointPath = \"/metadata/identity/oauth2/token\";\n\n/**\n * Generates an invalid request options to get a response quickly from IMDS endpoint.\n * The response indicates the availability of IMSD service; otherwise the request would time out.\n */\nfunction prepareInvalidRequestOptions(scopes: string | string[]): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n\n  // Pod Identity will try to process this request even if the Metadata header is missing.\n  // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.\n  const url = new URL(imdsEndpointPath, process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST ?? imdsHost);\n\n  const rawHeaders: Record<string, string> = {\n    Accept: \"application/json\",\n    // intentionally leave out the Metadata header to invoke an error from IMDS endpoint.\n  };\n\n  return {\n    // intentionally not including any query\n    url: `${url}`,\n    method: \"GET\",\n    headers: createHttpHeaders(rawHeaders),\n  };\n}\n\n/**\n * Defines how to determine whether the Azure IMDS MSI is available.\n *\n * Actually getting the token once we determine IMDS is available is handled by MSAL.\n */\nexport const imdsMsi = {\n  name: \"imdsMsi\",\n  async isAvailable(options: {\n    scopes: string | string[];\n    identityClient?: IdentityClient;\n    clientId?: string;\n    resourceId?: string;\n    getTokenOptions?: GetTokenOptions;\n  }): Promise<boolean> {\n    const { scopes, identityClient, getTokenOptions } = options;\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n\n    // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist\n    if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {\n      return true;\n    }\n\n    if (!identityClient) {\n      throw new Error(\"Missing IdentityClient\");\n    }\n\n    const requestOptions = prepareInvalidRequestOptions(resource);\n\n    return tracingClient.withSpan(\n      \"ManagedIdentityCredential-pingImdsEndpoint\",\n      getTokenOptions ?? {},\n      async (updatedOptions) => {\n        requestOptions.tracingOptions = updatedOptions.tracingOptions;\n\n        // Create a request with a timeout since we expect that\n        // not having a \"Metadata\" header should cause an error to be\n        // returned quickly from the endpoint, proving its availability.\n        const request = createPipelineRequest(requestOptions);\n\n        // Default to 1000 if the default of 0 is used.\n        // Negative values can still be used to disable the timeout.\n        request.timeout = updatedOptions.requestOptions?.timeout || 1000;\n\n        // This MSI uses the imdsEndpoint to get the token, which only uses http://\n        request.allowInsecureConnection = true;\n        let response: PipelineResponse;\n        try {\n          logger.info(`${msiName}: Pinging the Azure IMDS endpoint`);\n          response = await identityClient.sendRequest(request);\n        } catch (err: unknown) {\n          // If the request failed, or Node.js was unable to establish a connection,\n          // or the host was down, we'll assume the IMDS endpoint isn't available.\n          if (isError(err)) {\n            logger.verbose(`${msiName}: Caught error ${err.name}: ${err.message}`);\n          }\n          // This is a special case for Docker Desktop which responds with a 403 with a message that contains \"A socket operation was attempted to an unreachable network\" or \"A socket operation was attempted to an unreachable host\"\n          // rather than just timing out, as expected.\n          logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);\n          return false;\n        }\n        if (response.status === 403) {\n          if (response.bodyAsText?.includes(\"unreachable\")) {\n            logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);\n            logger.info(`${msiName}: ${response.bodyAsText}`);\n            return false;\n          }\n        }\n        // If we received any response, the endpoint is available\n        logger.info(`${msiName}: The Azure IMDS endpoint is available`);\n        return true;\n      },\n    );\n  },\n};\n"]}
+{
+  "version": 3,
+  "sources": ["../../../../src/credentials/managedIdentityCredential/imdsMsi.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { PipelineRequestOptions, PipelineResponse } from \"@azure/core-rest-pipeline\";\nimport { createHttpHeaders, createPipelineRequest } from \"@azure/core-rest-pipeline\";\nimport { isError } from \"@azure/core-util\";\n\nimport type { GetTokenOptions } from \"@azure/core-auth\";\nimport { credentialLogger } from \"../../util/logging.js\";\nimport { mapScopesToResource } from \"./utils.js\";\nimport { tracingClient } from \"../../util/tracing.js\";\nimport type { IdentityClient } from \"../../client/identityClient.js\";\n\nconst msiName = \"ManagedIdentityCredential - IMDS\";\nconst logger = credentialLogger(msiName);\n\nconst imdsHost = \"http://169.254.169.254\";\nconst imdsEndpointPath = \"/metadata/identity/oauth2/token\";\n\n/**\n * Generates an invalid request options to get a response quickly from IMDS endpoint.\n * The response indicates the availability of IMSD service; otherwise the request would time out.\n */\nfunction prepareInvalidRequestOptions(scopes: string | string[]): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n\n  // Pod Identity will try to process this request even if the Metadata header is missing.\n  // We can exclude the request query to ensure no IMDS endpoint tries to process the ping request.\n  const url = new URL(imdsEndpointPath, process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST ?? imdsHost);\n\n  const rawHeaders: Record<string, string> = {\n    Accept: \"application/json\",\n    // intentionally leave out the Metadata header to invoke an error from IMDS endpoint.\n  };\n\n  return {\n    // intentionally not including any query\n    url: `${url}`,\n    method: \"GET\",\n    headers: createHttpHeaders(rawHeaders),\n  };\n}\n\n/**\n * Defines how to determine whether the Azure IMDS MSI is available.\n *\n * Actually getting the token once we determine IMDS is available is handled by MSAL.\n */\nexport const imdsMsi = {\n  name: \"imdsMsi\",\n  async isAvailable(options: {\n    scopes: string | string[];\n    identityClient?: IdentityClient;\n    clientId?: string;\n    resourceId?: string;\n    getTokenOptions?: GetTokenOptions;\n  }): Promise<boolean> {\n    const { scopes, identityClient, getTokenOptions } = options;\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n\n    // if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist\n    if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {\n      return true;\n    }\n\n    if (!identityClient) {\n      throw new Error(\"Missing IdentityClient\");\n    }\n\n    const requestOptions = prepareInvalidRequestOptions(resource);\n\n    return tracingClient.withSpan(\n      \"ManagedIdentityCredential-pingImdsEndpoint\",\n      getTokenOptions ?? {},\n      async (updatedOptions) => {\n        requestOptions.tracingOptions = updatedOptions.tracingOptions;\n\n        // Create a request with a timeout since we expect that\n        // not having a \"Metadata\" header should cause an error to be\n        // returned quickly from the endpoint, proving its availability.\n        const request = createPipelineRequest(requestOptions);\n\n        // Default to 1000 if the default of 0 is used.\n        // Negative values can still be used to disable the timeout.\n        request.timeout = updatedOptions.requestOptions?.timeout || 1000;\n\n        // This MSI uses the imdsEndpoint to get the token, which only uses http://\n        request.allowInsecureConnection = true;\n        let response: PipelineResponse;\n        try {\n          logger.info(`${msiName}: Pinging the Azure IMDS endpoint`);\n          response = await identityClient.sendRequest(request);\n        } catch (err: unknown) {\n          // If the request failed, or Node.js was unable to establish a connection,\n          // or the host was down, we'll assume the IMDS endpoint isn't available.\n          if (isError(err)) {\n            logger.verbose(`${msiName}: Caught error ${err.name}: ${err.message}`);\n          }\n          // This is a special case for Docker Desktop which responds with a 403 with a message that contains \"A socket operation was attempted to an unreachable network\" or \"A socket operation was attempted to an unreachable host\"\n          // rather than just timing out, as expected.\n          logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);\n          return false;\n        }\n        if (response.status === 403) {\n          if (response.bodyAsText?.includes(\"unreachable\")) {\n            logger.info(`${msiName}: The Azure IMDS endpoint is unavailable`);\n            logger.info(`${msiName}: ${response.bodyAsText}`);\n            return false;\n          }\n        }\n        // If we received any response, the endpoint is available\n        logger.info(`${msiName}: The Azure IMDS endpoint is available`);\n        return true;\n      },\n    );\n  },\n};\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,gCAAyD;AACzD,uBAAwB;AAGxB,qBAAiC;AACjC,mBAAoC;AACpC,qBAA8B;AAG9B,MAAM,UAAU;AAChB,MAAM,aAAS,iCAAiB,OAAO;AAEvC,MAAM,WAAW;AACjB,MAAM,mBAAmB;AAMzB,SAAS,6BAA6B,QAAmD;AACvF,QAAM,eAAW,kCAAoB,MAAM;AAC3C,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,MAAM,GAAG,OAAO,sCAAsC;AAAA,EAClE;AAIA,QAAM,MAAM,IAAI,IAAI,kBAAkB,QAAQ,IAAI,qCAAqC,QAAQ;AAE/F,QAAM,aAAqC;AAAA,IACzC,QAAQ;AAAA;AAAA,EAEV;AAEA,SAAO;AAAA;AAAA,IAEL,KAAK,GAAG,GAAG;AAAA,IACX,QAAQ;AAAA,IACR,aAAS,6CAAkB,UAAU;AAAA,EACvC;AACF;AAOO,MAAM,UAAU;AAAA,EACrB,MAAM;AAAA,EACN,MAAM,YAAY,SAMG;AACnB,UAAM,EAAE,QAAQ,gBAAgB,gBAAgB,IAAI;AACpD,UAAM,eAAW,kCAAoB,MAAM;AAC3C,QAAI,CAAC,UAAU;AACb,aAAO,KAAK,GAAG,OAAO,mDAAmD;AACzE,aAAO;AAAA,IACT;AAGA,QAAI,QAAQ,IAAI,mCAAmC;AACjD,aAAO;AAAA,IACT;AAEA,QAAI,CAAC,gBAAgB;AACnB,YAAM,IAAI,MAAM,wBAAwB;AAAA,IAC1C;AAEA,UAAM,iBAAiB,6BAA6B,QAAQ;AAE5D,WAAO,6BAAc;AAAA,MACnB;AAAA,MACA,mBAAmB,CAAC;AAAA,MACpB,OAAO,mBAAmB;AACxB,uBAAe,iBAAiB,eAAe;AAK/C,cAAM,cAAU,iDAAsB,cAAc;AAIpD,gBAAQ,UAAU,eAAe,gBAAgB,WAAW;AAG5D,gBAAQ,0BAA0B;AAClC,YAAI;AACJ,YAAI;AACF,iBAAO,KAAK,GAAG,OAAO,mCAAmC;AACzD,qBAAW,MAAM,eAAe,YAAY,OAAO;AAAA,QACrD,SAAS,KAAc;AAGrB,kBAAI,0BAAQ,GAAG,GAAG;AAChB,mBAAO,QAAQ,GAAG,OAAO,kBAAkB,IAAI,IAAI,KAAK,IAAI,OAAO,EAAE;AAAA,UACvE;AAGA,iBAAO,KAAK,GAAG,OAAO,0CAA0C;AAChE,iBAAO;AAAA,QACT;AACA,YAAI,SAAS,WAAW,KAAK;AAC3B,cAAI,SAAS,YAAY,SAAS,aAAa,GAAG;AAChD,mBAAO,KAAK,GAAG,OAAO,0CAA0C;AAChE,mBAAO,KAAK,GAAG,OAAO,KAAK,SAAS,UAAU,EAAE;AAChD,mBAAO;AAAA,UACT;AAAA,QACF;AAEA,eAAO,KAAK,GAAG,OAAO,wCAAwC;AAC9D,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF;AACF;",
+  "names": []
+}

package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.js CHANGED Viewed

@@ -1,46 +1,53 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.imdsRetryPolicy = imdsRetryPolicy;
-const core_rest_pipeline_1 = require("@azure/core-rest-pipeline");
-const core_util_1 = require("@azure/core-util");
-// Matches the default retry configuration in expontentialRetryStrategy.ts
-const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
-// For 410 responses, we need at least 70 seconds total retry duration
-// With 5 retries using exponential backoff: delays of d, 2d, 4d, 8d, 16d sum to 31d
-// Accounting for jitter (which can reduce delays by 20%), we need 31d * 0.8 >= 70
-// So we need d >= 70/24.8 = 2.82 seconds. Using 3 seconds to be safe.
-const MIN_DELAY_FOR_410_MS = 3000;
-/**
- * An additional policy that retries on 404 and 410 errors. The default retry policy does not retry on
- * 404s or 410s, but the IMDS endpoint can return these when the token is not yet available or when
- * the identity is still being set up. This policy will retry on 404s and 410s with an exponential backoff.
- * For 410 responses, it uses a minimum 3-second initial delay to ensure at least 70 seconds total duration.
- *
- * @param msiRetryConfig - The retry configuration for the MSI credential.
- * @returns - The policy that will retry on 404s and 410s.
- */
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var imdsRetryPolicy_exports = {};
+__export(imdsRetryPolicy_exports, {
+  imdsRetryPolicy: () => imdsRetryPolicy
+});
+module.exports = __toCommonJS(imdsRetryPolicy_exports);
+var import_core_rest_pipeline = require("@azure/core-rest-pipeline");
+var import_core_util = require("@azure/core-util");
+const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1e3 * 64;
+const MIN_DELAY_FOR_410_MS = 3e3;
 function imdsRetryPolicy(msiRetryConfig) {
-    return (0, core_rest_pipeline_1.retryPolicy)([
-        {
-            name: "imdsRetryPolicy",
-            retry: ({ retryCount, response }) => {
-                if (response?.status !== 404 && response?.status !== 410) {
-                    return { skipStrategy: true };
-                }
-                // For 410 responses, use a minimum 3-second delay to ensure at least 70 seconds total retry duration
-                const initialDelayMs = response?.status === 410
-                    ? Math.max(MIN_DELAY_FOR_410_MS, msiRetryConfig.startDelayInMs)
-                    : msiRetryConfig.startDelayInMs;
-                return (0, core_util_1.calculateRetryDelay)(retryCount, {
-                    retryDelayInMs: initialDelayMs,
-                    maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,
-                });
-            },
-        },
-    ], {
-        maxRetries: msiRetryConfig.maxRetries,
-    });
+  return (0, import_core_rest_pipeline.retryPolicy)(
+    [
+      {
+        name: "imdsRetryPolicy",
+        retry: ({ retryCount, response }) => {
+          if (response?.status !== 404 && response?.status !== 410) {
+            return { skipStrategy: true };
+          }
+          const initialDelayMs = response?.status === 410 ? Math.max(MIN_DELAY_FOR_410_MS, msiRetryConfig.startDelayInMs) : msiRetryConfig.startDelayInMs;
+          return (0, import_core_util.calculateRetryDelay)(retryCount, {
+            retryDelayInMs: initialDelayMs,
+            maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL
+          });
+        }
+      }
+    ],
+    {
+      maxRetries: msiRetryConfig.maxRetries
+    }
+  );
 }
-//# sourceMappingURL=imdsRetryPolicy.js.map
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  imdsRetryPolicy
+});
+//# sourceMappingURL=imdsRetryPolicy.js.map

package/dist/commonjs/credentials/managedIdentityCredential/imdsRetryPolicy.js.map CHANGED Viewed

@@ -1 +1,7 @@
-{"version":3,"file":"imdsRetryPolicy.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/imdsRetryPolicy.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;AA0BlC,0CA2BC;AAlDD,kEAAwD;AAGxD,gDAAuD;AAEvD,0EAA0E;AAC1E,MAAM,iCAAiC,GAAG,IAAI,GAAG,EAAE,CAAC;AAEpD,sEAAsE;AACtE,oFAAoF;AACpF,kFAAkF;AAClF,sEAAsE;AACtE,MAAM,oBAAoB,GAAG,IAAI,CAAC;AAElC;;;;;;;;GAQG;AACH,SAAgB,eAAe,CAAC,cAA+C;IAC7E,OAAO,IAAA,gCAAW,EAChB;QACE;YACE,IAAI,EAAE,iBAAiB;YACvB,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,QAAQ,EAAE,EAAE,EAAE;gBAClC,IAAI,QAAQ,EAAE,MAAM,KAAK,GAAG,IAAI,QAAQ,EAAE,MAAM,KAAK,GAAG,EAAE,CAAC;oBACzD,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;gBAChC,CAAC;gBAED,qGAAqG;gBACrG,MAAM,cAAc,GAClB,QAAQ,EAAE,MAAM,KAAK,GAAG;oBACtB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,cAAc,CAAC,cAAc,CAAC;oBAC/D,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC;gBAEpC,OAAO,IAAA,+BAAmB,EAAC,UAAU,EAAE;oBACrC,cAAc,EAAE,cAAc;oBAC9B,iBAAiB,EAAE,iCAAiC;iBACrD,CAAC,CAAC;YACL,CAAC;SACF;KACF,EACD;QACE,UAAU,EAAE,cAAc,CAAC,UAAU;KACtC,CACF,CAAC;AACJ,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { PipelinePolicy } from \"@azure/core-rest-pipeline\";\nimport { retryPolicy } from \"@azure/core-rest-pipeline\";\n\nimport type { MSIConfiguration } from \"./models.js\";\nimport { calculateRetryDelay } from \"@azure/core-util\";\n\n// Matches the default retry configuration in expontentialRetryStrategy.ts\nconst DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;\n\n// For 410 responses, we need at least 70 seconds total retry duration\n// With 5 retries using exponential backoff: delays of d, 2d, 4d, 8d, 16d sum to 31d\n// Accounting for jitter (which can reduce delays by 20%), we need 31d * 0.8 >= 70\n// So we need d >= 70/24.8 = 2.82 seconds. Using 3 seconds to be safe.\nconst MIN_DELAY_FOR_410_MS = 3000;\n\n/**\n * An additional policy that retries on 404 and 410 errors. The default retry policy does not retry on\n * 404s or 410s, but the IMDS endpoint can return these when the token is not yet available or when\n * the identity is still being set up. This policy will retry on 404s and 410s with an exponential backoff.\n * For 410 responses, it uses a minimum 3-second initial delay to ensure at least 70 seconds total duration.\n *\n * @param msiRetryConfig - The retry configuration for the MSI credential.\n * @returns - The policy that will retry on 404s and 410s.\n */\nexport function imdsRetryPolicy(msiRetryConfig: MSIConfiguration[\"retryConfig\"]): PipelinePolicy {\n  return retryPolicy(\n    [\n      {\n        name: \"imdsRetryPolicy\",\n        retry: ({ retryCount, response }) => {\n          if (response?.status !== 404 && response?.status !== 410) {\n            return { skipStrategy: true };\n          }\n\n          // For 410 responses, use a minimum 3-second delay to ensure at least 70 seconds total retry duration\n          const initialDelayMs =\n            response?.status === 410\n              ? Math.max(MIN_DELAY_FOR_410_MS, msiRetryConfig.startDelayInMs)\n              : msiRetryConfig.startDelayInMs;\n\n          return calculateRetryDelay(retryCount, {\n            retryDelayInMs: initialDelayMs,\n            maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,\n          });\n        },\n      },\n    ],\n    {\n      maxRetries: msiRetryConfig.maxRetries,\n    },\n  );\n}\n"]}
+{
+  "version": 3,
+  "sources": ["../../../../src/credentials/managedIdentityCredential/imdsRetryPolicy.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { PipelinePolicy } from \"@azure/core-rest-pipeline\";\nimport { retryPolicy } from \"@azure/core-rest-pipeline\";\n\nimport type { MSIConfiguration } from \"./models.js\";\nimport { calculateRetryDelay } from \"@azure/core-util\";\n\n// Matches the default retry configuration in expontentialRetryStrategy.ts\nconst DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;\n\n// For 410 responses, we need at least 70 seconds total retry duration\n// With 5 retries using exponential backoff: delays of d, 2d, 4d, 8d, 16d sum to 31d\n// Accounting for jitter (which can reduce delays by 20%), we need 31d * 0.8 >= 70\n// So we need d >= 70/24.8 = 2.82 seconds. Using 3 seconds to be safe.\nconst MIN_DELAY_FOR_410_MS = 3000;\n\n/**\n * An additional policy that retries on 404 and 410 errors. The default retry policy does not retry on\n * 404s or 410s, but the IMDS endpoint can return these when the token is not yet available or when\n * the identity is still being set up. This policy will retry on 404s and 410s with an exponential backoff.\n * For 410 responses, it uses a minimum 3-second initial delay to ensure at least 70 seconds total duration.\n *\n * @param msiRetryConfig - The retry configuration for the MSI credential.\n * @returns - The policy that will retry on 404s and 410s.\n */\nexport function imdsRetryPolicy(msiRetryConfig: MSIConfiguration[\"retryConfig\"]): PipelinePolicy {\n  return retryPolicy(\n    [\n      {\n        name: \"imdsRetryPolicy\",\n        retry: ({ retryCount, response }) => {\n          if (response?.status !== 404 && response?.status !== 410) {\n            return { skipStrategy: true };\n          }\n\n          // For 410 responses, use a minimum 3-second delay to ensure at least 70 seconds total retry duration\n          const initialDelayMs =\n            response?.status === 410\n              ? Math.max(MIN_DELAY_FOR_410_MS, msiRetryConfig.startDelayInMs)\n              : msiRetryConfig.startDelayInMs;\n\n          return calculateRetryDelay(retryCount, {\n            retryDelayInMs: initialDelayMs,\n            maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,\n          });\n        },\n      },\n    ],\n    {\n      maxRetries: msiRetryConfig.maxRetries,\n    },\n  );\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,gCAA4B;AAG5B,uBAAoC;AAGpC,MAAM,oCAAoC,MAAO;AAMjD,MAAM,uBAAuB;AAWtB,SAAS,gBAAgB,gBAAiE;AAC/F,aAAO;AAAA,IACL;AAAA,MACE;AAAA,QACE,MAAM;AAAA,QACN,OAAO,CAAC,EAAE,YAAY,SAAS,MAAM;AACnC,cAAI,UAAU,WAAW,OAAO,UAAU,WAAW,KAAK;AACxD,mBAAO,EAAE,cAAc,KAAK;AAAA,UAC9B;AAGA,gBAAM,iBACJ,UAAU,WAAW,MACjB,KAAK,IAAI,sBAAsB,eAAe,cAAc,IAC5D,eAAe;AAErB,qBAAO,sCAAoB,YAAY;AAAA,YACrC,gBAAgB;AAAA,YAChB,mBAAmB;AAAA,UACrB,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAAA,IACA;AAAA,MACE,YAAY,eAAe;AAAA,IAC7B;AAAA,EACF;AACF;",
+  "names": []
+}