npm - @azure/identity - Versions diffs - 4.14.0-beta.1 → 4.14.0-beta.3 - Mend

@azure/identity 4.14.0-beta.1 → 4.14.0-beta.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (571) hide show

package/dist/commonjs/credentials/azureCliCredential.js CHANGED Viewed

@@ -1,224 +1,255 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AzureCliCredential = exports.cliCredentialInternals = exports.azureCliPublicErrorMessages = void 0;
-const tslib_1 = require("tslib");
-const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
-const logging_js_1 = require("../util/logging.js");
-const scopeUtils_js_1 = require("../util/scopeUtils.js");
-const errors_js_1 = require("../errors.js");
-const child_process_1 = tslib_1.__importDefault(require("child_process"));
-const tracing_js_1 = require("../util/tracing.js");
-const subscriptionUtils_js_1 = require("../util/subscriptionUtils.js");
-const logger = (0, logging_js_1.credentialLogger)("AzureCliCredential");
-/**
- * Messages to use when throwing in this credential.
- * @internal
- */
-exports.azureCliPublicErrorMessages = {
-    claim: "This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:",
-    notInstalled: "Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.",
-    login: "Please run 'az login' from a command prompt to authenticate before using this credential.",
-    unknown: "Unknown error while trying to retrieve the access token",
-    unexpectedResponse: 'Unexpected response from Azure CLI when getting token. Expected "expiresOn" to be a RFC3339 date string. Got:',
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
 };
-/**
- * Mockable reference to the CLI credential cliCredentialFunctions
- * @internal
- */
-exports.cliCredentialInternals = {
-    /**
-     * @internal
-     */
-    getSafeWorkingDir() {
-        if (process.platform === "win32") {
-            let systemRoot = process.env.SystemRoot || process.env["SYSTEMROOT"];
-            if (!systemRoot) {
-                logger.getToken.warning("The SystemRoot environment variable is not set. This may cause issues when using the Azure CLI credential.");
-                systemRoot = "C:\\Windows";
-            }
-            return systemRoot;
-        }
-        else {
-            return "/bin";
-        }
-    },
-    /**
-     * Gets the access token from Azure CLI
-     * @param resource - The resource to use when getting the token
-     * @internal
-     */
-    async getAzureCliAccessToken(resource, tenantId, subscription, timeout) {
-        let tenantSection = [];
-        let subscriptionSection = [];
-        if (tenantId) {
-            tenantSection = ["--tenant", tenantId];
-        }
-        if (subscription) {
-            // Add quotes around the subscription to handle subscriptions with spaces
-            subscriptionSection = ["--subscription", `"${subscription}"`];
-        }
-        return new Promise((resolve, reject) => {
-            try {
-                const args = [
-                    "account",
-                    "get-access-token",
-                    "--output",
-                    "json",
-                    "--resource",
-                    resource,
-                    ...tenantSection,
-                    ...subscriptionSection,
-                ];
-                const command = ["az", ...args].join(" ");
-                child_process_1.default.exec(command, { cwd: exports.cliCredentialInternals.getSafeWorkingDir(), timeout }, (error, stdout, stderr) => {
-                    resolve({ stdout: stdout, stderr: stderr, error });
-                });
-            }
-            catch (err) {
-                reject(err);
-            }
-        });
-    },
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var azureCliCredential_exports = {};
+__export(azureCliCredential_exports, {
+  AzureCliCredential: () => AzureCliCredential,
+  azureCliPublicErrorMessages: () => azureCliPublicErrorMessages,
+  cliCredentialInternals: () => cliCredentialInternals
+});
+module.exports = __toCommonJS(azureCliCredential_exports);
+var import_tenantIdUtils = require("../util/tenantIdUtils.js");
+var import_logging = require("../util/logging.js");
+var import_scopeUtils = require("../util/scopeUtils.js");
+var import_errors = require("../errors.js");
+var import_child_process = __toESM(require("child_process"));
+var import_tracing = require("../util/tracing.js");
+var import_subscriptionUtils = require("../util/subscriptionUtils.js");
+const logger = (0, import_logging.credentialLogger)("AzureCliCredential");
+const azureCliPublicErrorMessages = {
+  claim: "This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:",
+  notInstalled: "Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.",
+  login: "Please run 'az login' from a command prompt to authenticate before using this credential.",
+  unknown: "Unknown error while trying to retrieve the access token",
+  unexpectedResponse: 'Unexpected response from Azure CLI when getting token. Expected "expiresOn" to be a RFC3339 date string. Got:'
+};
+const cliCredentialInternals = {
+  /**
+   * @internal
+   */
+  getSafeWorkingDir() {
+    if (process.platform === "win32") {
+      let systemRoot = process.env.SystemRoot || process.env["SYSTEMROOT"];
+      if (!systemRoot) {
+        logger.getToken.warning(
+          "The SystemRoot environment variable is not set. This may cause issues when using the Azure CLI credential."
+        );
+        systemRoot = "C:\\Windows";
+      }
+      return systemRoot;
+    } else {
+      return "/bin";
+    }
+  },
+  /**
+   * Gets the access token from Azure CLI
+   * @param resource - The resource to use when getting the token
+   * @internal
+   */
+  async getAzureCliAccessToken(resource, tenantId, subscription, timeout) {
+    let tenantSection = [];
+    let subscriptionSection = [];
+    if (tenantId) {
+      tenantSection = ["--tenant", tenantId];
+    }
+    if (subscription) {
+      subscriptionSection = ["--subscription", `"${subscription}"`];
+    }
+    return new Promise((resolve, reject) => {
+      try {
+        const args = [
+          "account",
+          "get-access-token",
+          "--output",
+          "json",
+          "--resource",
+          resource,
+          ...tenantSection,
+          ...subscriptionSection
+        ];
+        const command = ["az", ...args].join(" ");
+        import_child_process.default.exec(
+          command,
+          { cwd: cliCredentialInternals.getSafeWorkingDir(), timeout },
+          (error, stdout, stderr) => {
+            resolve({ stdout, stderr, error });
+          }
+        );
+      } catch (err) {
+        reject(err);
+      }
+    });
+  }
 };
-/**
- * This credential will use the currently logged-in user login information
- * via the Azure CLI ('az') commandline tool.
- * To do so, it will read the user access token and expire time
- * with Azure CLI command "az account get-access-token".
- */
 class AzureCliCredential {
-    tenantId;
-    additionallyAllowedTenantIds;
-    timeout;
-    subscription;
-    /**
-     * Creates an instance of the {@link AzureCliCredential}.
-     *
-     * To use this credential, ensure that you have already logged
-     * in via the 'az' tool using the command "az login" from the commandline.
-     *
-     * @param options - Options, to optionally allow multi-tenant requests.
-     */
-    constructor(options) {
-        if (options?.tenantId) {
-            (0, tenantIdUtils_js_1.checkTenantId)(logger, options?.tenantId);
-            this.tenantId = options?.tenantId;
-        }
-        if (options?.subscription) {
-            (0, subscriptionUtils_js_1.checkSubscription)(logger, options?.subscription);
-            this.subscription = options?.subscription;
-        }
-        this.additionallyAllowedTenantIds = (0, tenantIdUtils_js_1.resolveAdditionallyAllowedTenantIds)(options?.additionallyAllowedTenants);
-        this.timeout = options?.processTimeoutInMs;
+  tenantId;
+  additionallyAllowedTenantIds;
+  timeout;
+  subscription;
+  /**
+   * Creates an instance of the {@link AzureCliCredential}.
+   *
+   * To use this credential, ensure that you have already logged
+   * in via the 'az' tool using the command "az login" from the commandline.
+   *
+   * @param options - Options, to optionally allow multi-tenant requests.
+   */
+  constructor(options) {
+    if (options?.tenantId) {
+      (0, import_tenantIdUtils.checkTenantId)(logger, options?.tenantId);
+      this.tenantId = options?.tenantId;
+    }
+    if (options?.subscription) {
+      (0, import_subscriptionUtils.checkSubscription)(logger, options?.subscription);
+      this.subscription = options?.subscription;
+    }
+    this.additionallyAllowedTenantIds = (0, import_tenantIdUtils.resolveAdditionallyAllowedTenantIds)(
+      options?.additionallyAllowedTenants
+    );
+    this.timeout = options?.processTimeoutInMs;
+  }
+  /**
+   * Authenticates with Microsoft Entra ID and returns an access token if successful.
+   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+   *
+   * @param scopes - The list of scopes for which the token will have access.
+   * @param options - The options used to configure any requests this
+   *                TokenCredential implementation might make.
+   */
+  async getToken(scopes, options = {}) {
+    const scope = typeof scopes === "string" ? scopes : scopes[0];
+    const claimsValue = options.claims;
+    if (claimsValue && claimsValue.trim()) {
+      const encodedClaims = btoa(claimsValue);
+      let loginCmd = `az login --claims-challenge ${encodedClaims} --scope ${scope}`;
+      const tenantIdFromOptions = options.tenantId;
+      if (tenantIdFromOptions) {
+        loginCmd += ` --tenant ${tenantIdFromOptions}`;
+      }
+      const error = new import_errors.CredentialUnavailableError(
+        `${azureCliPublicErrorMessages.claim} ${loginCmd}`
+      );
+      logger.getToken.info((0, import_logging.formatError)(scope, error));
+      throw error;
     }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        const scope = typeof scopes === "string" ? scopes : scopes[0];
-        const claimsValue = options.claims;
-        if (claimsValue && claimsValue.trim()) {
-            const encodedClaims = btoa(claimsValue);
-            let loginCmd = `az login --claims-challenge ${encodedClaims} --scope ${scope}`;
-            const tenantIdFromOptions = options.tenantId;
-            if (tenantIdFromOptions) {
-                loginCmd += ` --tenant ${tenantIdFromOptions}`;
-            }
-            const error = new errors_js_1.CredentialUnavailableError(`${exports.azureCliPublicErrorMessages.claim} ${loginCmd}`);
-            logger.getToken.info((0, logging_js_1.formatError)(scope, error));
-            throw error;
+    const tenantId = (0, import_tenantIdUtils.processMultiTenantRequest)(
+      this.tenantId,
+      options,
+      this.additionallyAllowedTenantIds
+    );
+    if (tenantId) {
+      (0, import_tenantIdUtils.checkTenantId)(logger, tenantId);
+    }
+    if (this.subscription) {
+      (0, import_subscriptionUtils.checkSubscription)(logger, this.subscription);
+    }
+    logger.getToken.info(`Using the scope ${scope}`);
+    return import_tracing.tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
+      try {
+        (0, import_scopeUtils.ensureValidScopeForDevTimeCreds)(scope, logger);
+        const resource = (0, import_scopeUtils.getScopeResource)(scope);
+        const obj = await cliCredentialInternals.getAzureCliAccessToken(
+          resource,
+          tenantId,
+          this.subscription,
+          this.timeout
+        );
+        const specificScope = obj.stderr?.match("(.*)az login --scope(.*)");
+        const isLoginError = obj.stderr?.match("(.*)az login(.*)") && !specificScope;
+        const isNotInstallError = obj.stderr?.match("az:(.*)not found") || obj.stderr?.startsWith("'az' is not recognized");
+        if (isNotInstallError) {
+          const error = new import_errors.CredentialUnavailableError(azureCliPublicErrorMessages.notInstalled);
+          logger.getToken.info((0, import_logging.formatError)(scopes, error));
+          throw error;
         }
-        const tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, options, this.additionallyAllowedTenantIds);
-        if (tenantId) {
-            (0, tenantIdUtils_js_1.checkTenantId)(logger, tenantId);
+        if (isLoginError) {
+          const error = new import_errors.CredentialUnavailableError(azureCliPublicErrorMessages.login);
+          logger.getToken.info((0, import_logging.formatError)(scopes, error));
+          throw error;
         }
-        if (this.subscription) {
-            (0, subscriptionUtils_js_1.checkSubscription)(logger, this.subscription);
+        try {
+          const responseData = obj.stdout;
+          const response = this.parseRawResponse(responseData);
+          logger.getToken.info((0, import_logging.formatSuccess)(scopes));
+          return response;
+        } catch (e) {
+          if (obj.stderr) {
+            throw new import_errors.CredentialUnavailableError(obj.stderr);
+          }
+          throw e;
         }
-        logger.getToken.info(`Using the scope ${scope}`);
-        return tracing_js_1.tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
-            try {
-                (0, scopeUtils_js_1.ensureValidScopeForDevTimeCreds)(scope, logger);
-                const resource = (0, scopeUtils_js_1.getScopeResource)(scope);
-                const obj = await exports.cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.subscription, this.timeout);
-                const specificScope = obj.stderr?.match("(.*)az login --scope(.*)");
-                const isLoginError = obj.stderr?.match("(.*)az login(.*)") && !specificScope;
-                const isNotInstallError = obj.stderr?.match("az:(.*)not found") || obj.stderr?.startsWith("'az' is not recognized");
-                if (isNotInstallError) {
-                    const error = new errors_js_1.CredentialUnavailableError(exports.azureCliPublicErrorMessages.notInstalled);
-                    logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
-                    throw error;
-                }
-                if (isLoginError) {
-                    const error = new errors_js_1.CredentialUnavailableError(exports.azureCliPublicErrorMessages.login);
-                    logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
-                    throw error;
-                }
-                try {
-                    const responseData = obj.stdout;
-                    const response = this.parseRawResponse(responseData);
-                    logger.getToken.info((0, logging_js_1.formatSuccess)(scopes));
-                    return response;
-                }
-                catch (e) {
-                    if (obj.stderr) {
-                        throw new errors_js_1.CredentialUnavailableError(obj.stderr);
-                    }
-                    throw e;
-                }
-            }
-            catch (err) {
-                const error = err.name === "CredentialUnavailableError"
-                    ? err
-                    : new errors_js_1.CredentialUnavailableError(err.message || exports.azureCliPublicErrorMessages.unknown);
-                logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
-                throw error;
-            }
-        });
+      } catch (err) {
+        const error = err.name === "CredentialUnavailableError" ? err : new import_errors.CredentialUnavailableError(
+          err.message || azureCliPublicErrorMessages.unknown
+        );
+        logger.getToken.info((0, import_logging.formatError)(scopes, error));
+        throw error;
+      }
+    });
+  }
+  /**
+   * Parses the raw JSON response from the Azure CLI into a usable AccessToken object
+   *
+   * @param rawResponse - The raw JSON response from the Azure CLI
+   * @returns An access token with the expiry time parsed from the raw response
+   *
+   * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:
+   *
+   * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.
+   */
+  parseRawResponse(rawResponse) {
+    const response = JSON.parse(rawResponse);
+    const token = response.accessToken;
+    let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1e3;
+    if (!isNaN(expiresOnTimestamp)) {
+      logger.getToken.info("expires_on is available and is valid, using it");
+      return {
+        token,
+        expiresOnTimestamp,
+        tokenType: "Bearer"
+      };
     }
-    /**
-     * Parses the raw JSON response from the Azure CLI into a usable AccessToken object
-     *
-     * @param rawResponse - The raw JSON response from the Azure CLI
-     * @returns An access token with the expiry time parsed from the raw response
-     *
-     * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:
-     *
-     * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.
-     */
-    parseRawResponse(rawResponse) {
-        const response = JSON.parse(rawResponse);
-        const token = response.accessToken;
-        // if available, expires_on will be a number representing seconds since epoch.
-        // ensure it's a number or NaN
-        let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;
-        if (!isNaN(expiresOnTimestamp)) {
-            logger.getToken.info("expires_on is available and is valid, using it");
-            return {
-                token,
-                expiresOnTimestamp,
-                tokenType: "Bearer",
-            };
-        }
-        // fallback to the older expiresOn - an RFC3339 date string
-        expiresOnTimestamp = new Date(response.expiresOn).getTime();
-        // ensure expiresOn is well-formatted
-        if (isNaN(expiresOnTimestamp)) {
-            throw new errors_js_1.CredentialUnavailableError(`${exports.azureCliPublicErrorMessages.unexpectedResponse} "${response.expiresOn}"`);
-        }
-        return {
-            token,
-            expiresOnTimestamp,
-            tokenType: "Bearer",
-        };
+    expiresOnTimestamp = new Date(response.expiresOn).getTime();
+    if (isNaN(expiresOnTimestamp)) {
+      throw new import_errors.CredentialUnavailableError(
+        `${azureCliPublicErrorMessages.unexpectedResponse} "${response.expiresOn}"`
+      );
     }
+    return {
+      token,
+      expiresOnTimestamp,
+      tokenType: "Bearer"
+    };
+  }
 }
-exports.AzureCliCredential = AzureCliCredential;
-//# sourceMappingURL=azureCliCredential.js.map
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AzureCliCredential,
+  azureCliPublicErrorMessages,
+  cliCredentialInternals
+});
+//# sourceMappingURL=azureCliCredential.js.map

package/dist/commonjs/credentials/azureCliCredential.js.map CHANGED Viewed

@@ -1 +1,7 @@
-{"version":3,"file":"azureCliCredential.js","sourceRoot":"","sources":["../../../src/credentials/azureCliCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;;AAGlC,+DAIkC;AAClC,mDAAkF;AAClF,yDAA0F;AAG1F,4CAA0D;AAC1D,0EAA0C;AAC1C,mDAAmD;AACnD,uEAAiE;AAEjE,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,oBAAoB,CAAC,CAAC;AAEtD;;;GAGG;AACU,QAAA,2BAA2B,GAAG;IACzC,KAAK,EACH,gIAAgI;IAClI,YAAY,EACV,kLAAkL;IACpL,KAAK,EACH,2FAA2F;IAC7F,OAAO,EAAE,yDAAyD;IAClE,kBAAkB,EAChB,+GAA+G;CAClH,CAAC;AAEF;;;GAGG;AACU,QAAA,sBAAsB,GAAG;IACpC;;OAEG;IACH,iBAAiB;QACf,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,OAAO,CACrB,4GAA4G,CAC7G,CAAC;gBAEF,UAAU,GAAG,aAAa,CAAC;YAC7B,CAAC;YACD,OAAO,UAAU,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,sBAAsB,CAC1B,QAAgB,EAChB,QAAiB,EACjB,YAAqB,EACrB,OAAgB;QAEhB,IAAI,aAAa,GAAa,EAAE,CAAC;QACjC,IAAI,mBAAmB,GAAa,EAAE,CAAC;QACvC,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,YAAY,EAAE,CAAC;YACjB,yEAAyE;YACzE,mBAAmB,GAAG,CAAC,gBAAgB,EAAE,IAAI,YAAY,GAAG,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG;oBACX,SAAS;oBACT,kBAAkB;oBAClB,UAAU;oBACV,MAAM;oBACN,YAAY;oBACZ,QAAQ;oBACR,GAAG,aAAa;oBAChB,GAAG,mBAAmB;iBACvB,CAAC;gBACF,MAAM,OAAO,GAAG,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAC1C,uBAAa,CAAC,IAAI,CAChB,OAAO,EACP,EAAE,GAAG,EAAE,8BAAsB,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,EAC5D,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;oBACxB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;gBACrD,CAAC,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF;;;;;GAKG;AACH,MAAa,kBAAkB;IACrB,QAAQ,CAAU;IAClB,4BAA4B,CAAW;IACvC,OAAO,CAAU;IACjB,YAAY,CAAU;IAE9B;;;;;;;OAOG;IACH,YAAY,OAAmC;QAC7C,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,IAAA,gCAAa,EAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,EAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,OAAO,EAAE,YAAY,EAAE,CAAC;YAC1B,IAAA,wCAAiB,EAAC,MAAM,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;YACjD,IAAI,CAAC,YAAY,GAAG,OAAO,EAAE,YAAY,CAAC;QAC5C,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,EAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC;QACnC,IAAI,WAAW,IAAI,WAAW,CAAC,IAAI,EAAE,EAAE,CAAC;YACtC,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,CAAC;YACxC,IAAI,QAAQ,GAAG,+BAA+B,aAAa,YAAY,KAAK,EAAE,CAAC;YAE/E,MAAM,mBAAmB,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC7C,IAAI,mBAAmB,EAAE,CAAC;gBACxB,QAAQ,IAAI,aAAa,mBAAmB,EAAE,CAAC;YACjD,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,GAAG,mCAA2B,CAAC,KAAK,IAAI,QAAQ,EAAE,CACnD,CAAC;YACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;YAChD,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;QACF,IAAI,QAAQ,EAAE,CAAC;YACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,IAAA,wCAAiB,EAAC,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;QAEjD,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACrF,IAAI,CAAC;gBACH,IAAA,+CAA+B,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC/C,MAAM,QAAQ,GAAG,IAAA,gCAAgB,EAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,GAAG,GAAG,MAAM,8BAAsB,CAAC,sBAAsB,CAC7D,QAAQ,EACR,QAAQ,EACR,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,OAAO,CACb,CAAC;gBACF,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBACpE,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,kBAAkB,CAAC,IAAI,CAAC,aAAa,CAAC;gBAC7E,MAAM,iBAAiB,GACrB,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,wBAAwB,CAAC,CAAC;gBAE5F,IAAI,iBAAiB,EAAE,CAAC;oBACtB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,mCAA2B,CAAC,YAAY,CAAC,CAAC;oBACvF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,IAAI,YAAY,EAAE,CAAC;oBACjB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,mCAA2B,CAAC,KAAK,CAAC,CAAC;oBAChF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,IAAI,CAAC;oBACH,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC;oBAChC,MAAM,QAAQ,GAAgB,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;oBAClE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;oBAC5C,OAAO,QAAQ,CAAC;gBAClB,CAAC;gBAAC,OAAO,CAAM,EAAE,CAAC;oBAChB,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBACf,MAAM,IAAI,sCAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBACnD,CAAC;oBACD,MAAM,CAAC,CAAC;gBACV,CAAC;YACH,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,KAAK,GACT,GAAG,CAAC,IAAI,KAAK,4BAA4B;oBACvC,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,IAAI,sCAA0B,CAC3B,GAAa,CAAC,OAAO,IAAI,mCAA2B,CAAC,OAAO,CAC9D,CAAC;gBACR,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;OASG;IACK,gBAAgB,CAAC,WAAmB;QAC1C,MAAM,QAAQ,GAAQ,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC;QACnC,8EAA8E;QAC9E,8BAA8B;QAC9B,IAAI,kBAAkB,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC;QACzE,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC/B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YACvE,OAAO;gBACL,KAAK;gBACL,kBAAkB;gBAClB,SAAS,EAAE,QAAQ;aACpB,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,kBAAkB,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QAE5D,qCAAqC;QACrC,IAAI,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,sCAA0B,CAClC,GAAG,mCAA2B,CAAC,kBAAkB,KAAK,QAAQ,CAAC,SAAS,GAAG,CAC5E,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK;YACL,kBAAkB;YAClB,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;CACF;AAlKD,gDAkKC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  checkTenantId,\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { ensureValidScopeForDevTimeCreds, getScopeResource } from \"../util/scopeUtils.js\";\n\nimport type { AzureCliCredentialOptions } from \"./azureCliCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport child_process from \"child_process\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport { checkSubscription } from \"../util/subscriptionUtils.js\";\n\nconst logger = credentialLogger(\"AzureCliCredential\");\n\n/**\n * Messages to use when throwing in this credential.\n * @internal\n */\nexport const azureCliPublicErrorMessages = {\n  claim:\n    \"This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:\",\n  notInstalled:\n    \"Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.\",\n  login:\n    \"Please run 'az login' from a command prompt to authenticate before using this credential.\",\n  unknown: \"Unknown error while trying to retrieve the access token\",\n  unexpectedResponse:\n    'Unexpected response from Azure CLI when getting token. Expected \"expiresOn\" to be a RFC3339 date string. Got:',\n};\n\n/**\n * Mockable reference to the CLI credential cliCredentialFunctions\n * @internal\n */\nexport const cliCredentialInternals = {\n  /**\n   * @internal\n   */\n  getSafeWorkingDir(): string {\n    if (process.platform === \"win32\") {\n      let systemRoot = process.env.SystemRoot || process.env[\"SYSTEMROOT\"];\n      if (!systemRoot) {\n        logger.getToken.warning(\n          \"The SystemRoot environment variable is not set. This may cause issues when using the Azure CLI credential.\",\n        );\n\n        systemRoot = \"C:\\\\Windows\";\n      }\n      return systemRoot;\n    } else {\n      return \"/bin\";\n    }\n  },\n\n  /**\n   * Gets the access token from Azure CLI\n   * @param resource - The resource to use when getting the token\n   * @internal\n   */\n  async getAzureCliAccessToken(\n    resource: string,\n    tenantId?: string,\n    subscription?: string,\n    timeout?: number,\n  ): Promise<{ stdout: string; stderr: string; error: Error | null }> {\n    let tenantSection: string[] = [];\n    let subscriptionSection: string[] = [];\n    if (tenantId) {\n      tenantSection = [\"--tenant\", tenantId];\n    }\n    if (subscription) {\n      // Add quotes around the subscription to handle subscriptions with spaces\n      subscriptionSection = [\"--subscription\", `\"${subscription}\"`];\n    }\n    return new Promise((resolve, reject) => {\n      try {\n        const args = [\n          \"account\",\n          \"get-access-token\",\n          \"--output\",\n          \"json\",\n          \"--resource\",\n          resource,\n          ...tenantSection,\n          ...subscriptionSection,\n        ];\n        const command = [\"az\", ...args].join(\" \");\n        child_process.exec(\n          command,\n          { cwd: cliCredentialInternals.getSafeWorkingDir(), timeout },\n          (error, stdout, stderr) => {\n            resolve({ stdout: stdout, stderr: stderr, error });\n          },\n        );\n      } catch (err: any) {\n        reject(err);\n      }\n    });\n  },\n};\n\n/**\n * This credential will use the currently logged-in user login information\n * via the Azure CLI ('az') commandline tool.\n * To do so, it will read the user access token and expire time\n * with Azure CLI command \"az account get-access-token\".\n */\nexport class AzureCliCredential implements TokenCredential {\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private timeout?: number;\n  private subscription?: string;\n\n  /**\n   * Creates an instance of the {@link AzureCliCredential}.\n   *\n   * To use this credential, ensure that you have already logged\n   * in via the 'az' tool using the command \"az login\" from the commandline.\n   *\n   * @param options - Options, to optionally allow multi-tenant requests.\n   */\n  constructor(options?: AzureCliCredentialOptions) {\n    if (options?.tenantId) {\n      checkTenantId(logger, options?.tenantId);\n      this.tenantId = options?.tenantId;\n    }\n    if (options?.subscription) {\n      checkSubscription(logger, options?.subscription);\n      this.subscription = options?.subscription;\n    }\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    this.timeout = options?.processTimeoutInMs;\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    const scope = typeof scopes === \"string\" ? scopes : scopes[0];\n    const claimsValue = options.claims;\n    if (claimsValue && claimsValue.trim()) {\n      const encodedClaims = btoa(claimsValue);\n      let loginCmd = `az login --claims-challenge ${encodedClaims} --scope ${scope}`;\n\n      const tenantIdFromOptions = options.tenantId;\n      if (tenantIdFromOptions) {\n        loginCmd += ` --tenant ${tenantIdFromOptions}`;\n      }\n\n      const error = new CredentialUnavailableError(\n        `${azureCliPublicErrorMessages.claim} ${loginCmd}`,\n      );\n      logger.getToken.info(formatError(scope, error));\n      throw error;\n    }\n\n    const tenantId = processMultiTenantRequest(\n      this.tenantId,\n      options,\n      this.additionallyAllowedTenantIds,\n    );\n    if (tenantId) {\n      checkTenantId(logger, tenantId);\n    }\n    if (this.subscription) {\n      checkSubscription(logger, this.subscription);\n    }\n    logger.getToken.info(`Using the scope ${scope}`);\n\n    return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n      try {\n        ensureValidScopeForDevTimeCreds(scope, logger);\n        const resource = getScopeResource(scope);\n        const obj = await cliCredentialInternals.getAzureCliAccessToken(\n          resource,\n          tenantId,\n          this.subscription,\n          this.timeout,\n        );\n        const specificScope = obj.stderr?.match(\"(.*)az login --scope(.*)\");\n        const isLoginError = obj.stderr?.match(\"(.*)az login(.*)\") && !specificScope;\n        const isNotInstallError =\n          obj.stderr?.match(\"az:(.*)not found\") || obj.stderr?.startsWith(\"'az' is not recognized\");\n\n        if (isNotInstallError) {\n          const error = new CredentialUnavailableError(azureCliPublicErrorMessages.notInstalled);\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n        if (isLoginError) {\n          const error = new CredentialUnavailableError(azureCliPublicErrorMessages.login);\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n        try {\n          const responseData = obj.stdout;\n          const response: AccessToken = this.parseRawResponse(responseData);\n          logger.getToken.info(formatSuccess(scopes));\n          return response;\n        } catch (e: any) {\n          if (obj.stderr) {\n            throw new CredentialUnavailableError(obj.stderr);\n          }\n          throw e;\n        }\n      } catch (err: any) {\n        const error =\n          err.name === \"CredentialUnavailableError\"\n            ? err\n            : new CredentialUnavailableError(\n                (err as Error).message || azureCliPublicErrorMessages.unknown,\n              );\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n    });\n  }\n\n  /**\n   * Parses the raw JSON response from the Azure CLI into a usable AccessToken object\n   *\n   * @param rawResponse - The raw JSON response from the Azure CLI\n   * @returns An access token with the expiry time parsed from the raw response\n   *\n   * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:\n   *\n   * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.\n   */\n  private parseRawResponse(rawResponse: string): AccessToken {\n    const response: any = JSON.parse(rawResponse);\n    const token = response.accessToken;\n    // if available, expires_on will be a number representing seconds since epoch.\n    // ensure it's a number or NaN\n    let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;\n    if (!isNaN(expiresOnTimestamp)) {\n      logger.getToken.info(\"expires_on is available and is valid, using it\");\n      return {\n        token,\n        expiresOnTimestamp,\n        tokenType: \"Bearer\",\n      };\n    }\n\n    // fallback to the older expiresOn - an RFC3339 date string\n    expiresOnTimestamp = new Date(response.expiresOn).getTime();\n\n    // ensure expiresOn is well-formatted\n    if (isNaN(expiresOnTimestamp)) {\n      throw new CredentialUnavailableError(\n        `${azureCliPublicErrorMessages.unexpectedResponse} \"${response.expiresOn}\"`,\n      );\n    }\n\n    return {\n      token,\n      expiresOnTimestamp,\n      tokenType: \"Bearer\",\n    };\n  }\n}\n"]}
+{
+  "version": 3,
+  "sources": ["../../../src/credentials/azureCliCredential.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  checkTenantId,\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { ensureValidScopeForDevTimeCreds, getScopeResource } from \"../util/scopeUtils.js\";\n\nimport type { AzureCliCredentialOptions } from \"./azureCliCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport child_process from \"child_process\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport { checkSubscription } from \"../util/subscriptionUtils.js\";\n\nconst logger = credentialLogger(\"AzureCliCredential\");\n\n/**\n * Messages to use when throwing in this credential.\n * @internal\n */\nexport const azureCliPublicErrorMessages = {\n  claim:\n    \"This credential doesn't support claims challenges. To authenticate with the required claims, please run the following command:\",\n  notInstalled:\n    \"Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.\",\n  login:\n    \"Please run 'az login' from a command prompt to authenticate before using this credential.\",\n  unknown: \"Unknown error while trying to retrieve the access token\",\n  unexpectedResponse:\n    'Unexpected response from Azure CLI when getting token. Expected \"expiresOn\" to be a RFC3339 date string. Got:',\n};\n\n/**\n * Mockable reference to the CLI credential cliCredentialFunctions\n * @internal\n */\nexport const cliCredentialInternals = {\n  /**\n   * @internal\n   */\n  getSafeWorkingDir(): string {\n    if (process.platform === \"win32\") {\n      let systemRoot = process.env.SystemRoot || process.env[\"SYSTEMROOT\"];\n      if (!systemRoot) {\n        logger.getToken.warning(\n          \"The SystemRoot environment variable is not set. This may cause issues when using the Azure CLI credential.\",\n        );\n\n        systemRoot = \"C:\\\\Windows\";\n      }\n      return systemRoot;\n    } else {\n      return \"/bin\";\n    }\n  },\n\n  /**\n   * Gets the access token from Azure CLI\n   * @param resource - The resource to use when getting the token\n   * @internal\n   */\n  async getAzureCliAccessToken(\n    resource: string,\n    tenantId?: string,\n    subscription?: string,\n    timeout?: number,\n  ): Promise<{ stdout: string; stderr: string; error: Error | null }> {\n    let tenantSection: string[] = [];\n    let subscriptionSection: string[] = [];\n    if (tenantId) {\n      tenantSection = [\"--tenant\", tenantId];\n    }\n    if (subscription) {\n      // Add quotes around the subscription to handle subscriptions with spaces\n      subscriptionSection = [\"--subscription\", `\"${subscription}\"`];\n    }\n    return new Promise((resolve, reject) => {\n      try {\n        const args = [\n          \"account\",\n          \"get-access-token\",\n          \"--output\",\n          \"json\",\n          \"--resource\",\n          resource,\n          ...tenantSection,\n          ...subscriptionSection,\n        ];\n        const command = [\"az\", ...args].join(\" \");\n        child_process.exec(\n          command,\n          { cwd: cliCredentialInternals.getSafeWorkingDir(), timeout },\n          (error, stdout, stderr) => {\n            resolve({ stdout: stdout, stderr: stderr, error });\n          },\n        );\n      } catch (err: any) {\n        reject(err);\n      }\n    });\n  },\n};\n\n/**\n * This credential will use the currently logged-in user login information\n * via the Azure CLI ('az') commandline tool.\n * To do so, it will read the user access token and expire time\n * with Azure CLI command \"az account get-access-token\".\n */\nexport class AzureCliCredential implements TokenCredential {\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private timeout?: number;\n  private subscription?: string;\n\n  /**\n   * Creates an instance of the {@link AzureCliCredential}.\n   *\n   * To use this credential, ensure that you have already logged\n   * in via the 'az' tool using the command \"az login\" from the commandline.\n   *\n   * @param options - Options, to optionally allow multi-tenant requests.\n   */\n  constructor(options?: AzureCliCredentialOptions) {\n    if (options?.tenantId) {\n      checkTenantId(logger, options?.tenantId);\n      this.tenantId = options?.tenantId;\n    }\n    if (options?.subscription) {\n      checkSubscription(logger, options?.subscription);\n      this.subscription = options?.subscription;\n    }\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    this.timeout = options?.processTimeoutInMs;\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    const scope = typeof scopes === \"string\" ? scopes : scopes[0];\n    const claimsValue = options.claims;\n    if (claimsValue && claimsValue.trim()) {\n      const encodedClaims = btoa(claimsValue);\n      let loginCmd = `az login --claims-challenge ${encodedClaims} --scope ${scope}`;\n\n      const tenantIdFromOptions = options.tenantId;\n      if (tenantIdFromOptions) {\n        loginCmd += ` --tenant ${tenantIdFromOptions}`;\n      }\n\n      const error = new CredentialUnavailableError(\n        `${azureCliPublicErrorMessages.claim} ${loginCmd}`,\n      );\n      logger.getToken.info(formatError(scope, error));\n      throw error;\n    }\n\n    const tenantId = processMultiTenantRequest(\n      this.tenantId,\n      options,\n      this.additionallyAllowedTenantIds,\n    );\n    if (tenantId) {\n      checkTenantId(logger, tenantId);\n    }\n    if (this.subscription) {\n      checkSubscription(logger, this.subscription);\n    }\n    logger.getToken.info(`Using the scope ${scope}`);\n\n    return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n      try {\n        ensureValidScopeForDevTimeCreds(scope, logger);\n        const resource = getScopeResource(scope);\n        const obj = await cliCredentialInternals.getAzureCliAccessToken(\n          resource,\n          tenantId,\n          this.subscription,\n          this.timeout,\n        );\n        const specificScope = obj.stderr?.match(\"(.*)az login --scope(.*)\");\n        const isLoginError = obj.stderr?.match(\"(.*)az login(.*)\") && !specificScope;\n        const isNotInstallError =\n          obj.stderr?.match(\"az:(.*)not found\") || obj.stderr?.startsWith(\"'az' is not recognized\");\n\n        if (isNotInstallError) {\n          const error = new CredentialUnavailableError(azureCliPublicErrorMessages.notInstalled);\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n        if (isLoginError) {\n          const error = new CredentialUnavailableError(azureCliPublicErrorMessages.login);\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n        try {\n          const responseData = obj.stdout;\n          const response: AccessToken = this.parseRawResponse(responseData);\n          logger.getToken.info(formatSuccess(scopes));\n          return response;\n        } catch (e: any) {\n          if (obj.stderr) {\n            throw new CredentialUnavailableError(obj.stderr);\n          }\n          throw e;\n        }\n      } catch (err: any) {\n        const error =\n          err.name === \"CredentialUnavailableError\"\n            ? err\n            : new CredentialUnavailableError(\n                (err as Error).message || azureCliPublicErrorMessages.unknown,\n              );\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n    });\n  }\n\n  /**\n   * Parses the raw JSON response from the Azure CLI into a usable AccessToken object\n   *\n   * @param rawResponse - The raw JSON response from the Azure CLI\n   * @returns An access token with the expiry time parsed from the raw response\n   *\n   * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:\n   *\n   * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.\n   */\n  private parseRawResponse(rawResponse: string): AccessToken {\n    const response: any = JSON.parse(rawResponse);\n    const token = response.accessToken;\n    // if available, expires_on will be a number representing seconds since epoch.\n    // ensure it's a number or NaN\n    let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;\n    if (!isNaN(expiresOnTimestamp)) {\n      logger.getToken.info(\"expires_on is available and is valid, using it\");\n      return {\n        token,\n        expiresOnTimestamp,\n        tokenType: \"Bearer\",\n      };\n    }\n\n    // fallback to the older expiresOn - an RFC3339 date string\n    expiresOnTimestamp = new Date(response.expiresOn).getTime();\n\n    // ensure expiresOn is well-formatted\n    if (isNaN(expiresOnTimestamp)) {\n      throw new CredentialUnavailableError(\n        `${azureCliPublicErrorMessages.unexpectedResponse} \"${response.expiresOn}\"`,\n      );\n    }\n\n    return {\n      token,\n      expiresOnTimestamp,\n      tokenType: \"Bearer\",\n    };\n  }\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,2BAIO;AACP,qBAA6D;AAC7D,wBAAkE;AAGlE,oBAA2C;AAC3C,2BAA0B;AAC1B,qBAA8B;AAC9B,+BAAkC;AAElC,MAAM,aAAS,iCAAiB,oBAAoB;AAM7C,MAAM,8BAA8B;AAAA,EACzC,OACE;AAAA,EACF,cACE;AAAA,EACF,OACE;AAAA,EACF,SAAS;AAAA,EACT,oBACE;AACJ;AAMO,MAAM,yBAAyB;AAAA;AAAA;AAAA;AAAA,EAIpC,oBAA4B;AAC1B,QAAI,QAAQ,aAAa,SAAS;AAChC,UAAI,aAAa,QAAQ,IAAI,cAAc,QAAQ,IAAI,YAAY;AACnE,UAAI,CAAC,YAAY;AACf,eAAO,SAAS;AAAA,UACd;AAAA,QACF;AAEA,qBAAa;AAAA,MACf;AACA,aAAO;AAAA,IACT,OAAO;AACL,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,uBACJ,UACA,UACA,cACA,SACkE;AAClE,QAAI,gBAA0B,CAAC;AAC/B,QAAI,sBAAgC,CAAC;AACrC,QAAI,UAAU;AACZ,sBAAgB,CAAC,YAAY,QAAQ;AAAA,IACvC;AACA,QAAI,cAAc;AAEhB,4BAAsB,CAAC,kBAAkB,IAAI,YAAY,GAAG;AAAA,IAC9D;AACA,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,UAAI;AACF,cAAM,OAAO;AAAA,UACX;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA,GAAG;AAAA,UACH,GAAG;AAAA,QACL;AACA,cAAM,UAAU,CAAC,MAAM,GAAG,IAAI,EAAE,KAAK,GAAG;AACxC,6BAAAA,QAAc;AAAA,UACZ;AAAA,UACA,EAAE,KAAK,uBAAuB,kBAAkB,GAAG,QAAQ;AAAA,UAC3D,CAAC,OAAO,QAAQ,WAAW;AACzB,oBAAQ,EAAE,QAAgB,QAAgB,MAAM,CAAC;AAAA,UACnD;AAAA,QACF;AAAA,MACF,SAAS,KAAU;AACjB,eAAO,GAAG;AAAA,MACZ;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAQO,MAAM,mBAA8C;AAAA,EACjD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUR,YAAY,SAAqC;AAC/C,QAAI,SAAS,UAAU;AACrB,8CAAc,QAAQ,SAAS,QAAQ;AACvC,WAAK,WAAW,SAAS;AAAA,IAC3B;AACA,QAAI,SAAS,cAAc;AACzB,sDAAkB,QAAQ,SAAS,YAAY;AAC/C,WAAK,eAAe,SAAS;AAAA,IAC/B;AACA,SAAK,mCAA+B;AAAA,MAClC,SAAS;AAAA,IACX;AACA,SAAK,UAAU,SAAS;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAa,SACX,QACA,UAA2B,CAAC,GACN;AACtB,UAAM,QAAQ,OAAO,WAAW,WAAW,SAAS,OAAO,CAAC;AAC5D,UAAM,cAAc,QAAQ;AAC5B,QAAI,eAAe,YAAY,KAAK,GAAG;AACrC,YAAM,gBAAgB,KAAK,WAAW;AACtC,UAAI,WAAW,+BAA+B,aAAa,YAAY,KAAK;AAE5E,YAAM,sBAAsB,QAAQ;AACpC,UAAI,qBAAqB;AACvB,oBAAY,aAAa,mBAAmB;AAAA,MAC9C;AAEA,YAAM,QAAQ,IAAI;AAAA,QAChB,GAAG,4BAA4B,KAAK,IAAI,QAAQ;AAAA,MAClD;AACA,aAAO,SAAS,SAAK,4BAAY,OAAO,KAAK,CAAC;AAC9C,YAAM;AAAA,IACR;AAEA,UAAM,eAAW;AAAA,MACf,KAAK;AAAA,MACL;AAAA,MACA,KAAK;AAAA,IACP;AACA,QAAI,UAAU;AACZ,8CAAc,QAAQ,QAAQ;AAAA,IAChC;AACA,QAAI,KAAK,cAAc;AACrB,sDAAkB,QAAQ,KAAK,YAAY;AAAA,IAC7C;AACA,WAAO,SAAS,KAAK,mBAAmB,KAAK,EAAE;AAE/C,WAAO,6BAAc,SAAS,GAAG,KAAK,YAAY,IAAI,aAAa,SAAS,YAAY;AACtF,UAAI;AACF,+DAAgC,OAAO,MAAM;AAC7C,cAAM,eAAW,oCAAiB,KAAK;AACvC,cAAM,MAAM,MAAM,uBAAuB;AAAA,UACvC;AAAA,UACA;AAAA,UACA,KAAK;AAAA,UACL,KAAK;AAAA,QACP;AACA,cAAM,gBAAgB,IAAI,QAAQ,MAAM,0BAA0B;AAClE,cAAM,eAAe,IAAI,QAAQ,MAAM,kBAAkB,KAAK,CAAC;AAC/D,cAAM,oBACJ,IAAI,QAAQ,MAAM,kBAAkB,KAAK,IAAI,QAAQ,WAAW,wBAAwB;AAE1F,YAAI,mBAAmB;AACrB,gBAAM,QAAQ,IAAI,yCAA2B,4BAA4B,YAAY;AACrF,iBAAO,SAAS,SAAK,4BAAY,QAAQ,KAAK,CAAC;AAC/C,gBAAM;AAAA,QACR;AACA,YAAI,cAAc;AAChB,gBAAM,QAAQ,IAAI,yCAA2B,4BAA4B,KAAK;AAC9E,iBAAO,SAAS,SAAK,4BAAY,QAAQ,KAAK,CAAC;AAC/C,gBAAM;AAAA,QACR;AACA,YAAI;AACF,gBAAM,eAAe,IAAI;AACzB,gBAAM,WAAwB,KAAK,iBAAiB,YAAY;AAChE,iBAAO,SAAS,SAAK,8BAAc,MAAM,CAAC;AAC1C,iBAAO;AAAA,QACT,SAAS,GAAQ;AACf,cAAI,IAAI,QAAQ;AACd,kBAAM,IAAI,yCAA2B,IAAI,MAAM;AAAA,UACjD;AACA,gBAAM;AAAA,QACR;AAAA,MACF,SAAS,KAAU;AACjB,cAAM,QACJ,IAAI,SAAS,+BACT,MACA,IAAI;AAAA,UACD,IAAc,WAAW,4BAA4B;AAAA,QACxD;AACN,eAAO,SAAS,SAAK,4BAAY,QAAQ,KAAK,CAAC;AAC/C,cAAM;AAAA,MACR;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYQ,iBAAiB,aAAkC;AACzD,UAAM,WAAgB,KAAK,MAAM,WAAW;AAC5C,UAAM,QAAQ,SAAS;AAGvB,QAAI,qBAAqB,OAAO,SAAS,SAAS,YAAY,EAAE,IAAI;AACpE,QAAI,CAAC,MAAM,kBAAkB,GAAG;AAC9B,aAAO,SAAS,KAAK,gDAAgD;AACrE,aAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA,WAAW;AAAA,MACb;AAAA,IACF;AAGA,yBAAqB,IAAI,KAAK,SAAS,SAAS,EAAE,QAAQ;AAG1D,QAAI,MAAM,kBAAkB,GAAG;AAC7B,YAAM,IAAI;AAAA,QACR,GAAG,4BAA4B,kBAAkB,KAAK,SAAS,SAAS;AAAA,MAC1E;AAAA,IACF;AAEA,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA,WAAW;AAAA,IACb;AAAA,EACF;AACF;",
+  "names": ["child_process"]
+}

package/dist/commonjs/credentials/azureCliCredentialOptions.js CHANGED Viewed

@@ -1,5 +1,16 @@
-"use strict";
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=azureCliCredentialOptions.js.map
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var azureCliCredentialOptions_exports = {};
+module.exports = __toCommonJS(azureCliCredentialOptions_exports);
+//# sourceMappingURL=azureCliCredentialOptions.js.map

package/dist/commonjs/credentials/azureCliCredentialOptions.js.map CHANGED Viewed

@@ -1 +1,7 @@
-{"version":3,"file":"azureCliCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/azureCliCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link AzureCliCredential}\n */\nexport interface AzureCliCredentialOptions extends MultiTenantTokenCredentialOptions {\n  /**\n   * Allows specifying a tenant ID\n   */\n  tenantId?: string;\n  /**\n   * Process timeout configurable for making token requests, provided in milliseconds\n   */\n  processTimeoutInMs?: number;\n  /**\n   * Subscription is the name or ID of a subscription. Set this to acquire tokens for an account other\n   * than the Azure CLI's current account.\n   */\n  subscription?: string;\n}\n"]}
+{
+  "version": 3,
+  "sources": ["../../../src/credentials/azureCliCredentialOptions.ts"],
+  "sourcesContent": ["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link AzureCliCredential}\n */\nexport interface AzureCliCredentialOptions extends MultiTenantTokenCredentialOptions {\n  /**\n   * Allows specifying a tenant ID\n   */\n  tenantId?: string;\n  /**\n   * Process timeout configurable for making token requests, provided in milliseconds\n   */\n  processTimeoutInMs?: number;\n  /**\n   * Subscription is the name or ID of a subscription. Set this to acquire tokens for an account other\n   * than the Azure CLI's current account.\n   */\n  subscription?: string;\n}\n"],
+  "mappings": ";;;;;;;;;;;;;AAAA;AAAA;",
+  "names": []
+}

package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts CHANGED Viewed

@@ -15,6 +15,16 @@ export declare const azureDeveloperCliPublicErrorMessages: {
  * @internal
  */
 export declare const developerCliCredentialInternals: {
+    /**
+     * Parses azd stderr JSON output to extract the error message.
+     * azd outputs JSON like: \{"type":"consoleMessage","timestamp":"...","data":\{"message":"ERROR: ..."\}\}
+     * If parsing succeeds and .data.message exists, returns the trimmed message.
+     * Otherwise, returns the raw stderr.
+     * @param stderr - The stderr output from azd command
+     * @returns The parsed error message or raw stderr
+     * @internal
+     */
+    parseAzdStderr(stderr: string): string;
     /**
      * @internal
      */

package/dist/commonjs/credentials/azureDeveloperCliCredential.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"azureDeveloperCliCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEtF,OAAO,KAAK,EAAE,kCAAkC,EAAE,MAAM,yCAAyC,CAAC;AAalG;;;GAGG;AACH,eAAO,MAAM,oCAAoC;;;;;CAQhD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B;IAC1C;;OAEG;yBACkB,MAAM;IAiB3B;;;;OAIG;8BAEO,MAAM,EAAE,aACL,MAAM,YACP,MAAM,WACP,MAAM,GACd,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;KAAE,CAAC;CA0CpE,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,2BAA4B,YAAW,eAAe;IACjE,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IAEzB;;;;;;;OAOG;gBACS,OAAO,CAAC,EAAE,kCAAkC;IAWxD;;;;;;;OAOG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;~~CAwFxB~~"}
1	+ {"version":3,"file":"azureDeveloperCliCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEtF,OAAO,KAAK,EAAE,kCAAkC,EAAE,MAAM,yCAAyC,CAAC;AAalG;;;GAGG;AACH,eAAO,MAAM,oCAAoC;;;;;CAQhD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B;IAC1C;;;;;;;;OAQG;2BACoB,MAAM,GAAG,MAAM;IAatC;;OAEG;yBACkB,MAAM;IAiB3B;;;;OAIG;8BAEO,MAAM,EAAE,aACL,MAAM,YACP,MAAM,WACP,MAAM,GACd,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;KAAE,CAAC;CA0CpE,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,2BAA4B,YAAW,eAAe;IACjE,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IAEzB;;;;;;;OAOG;gBACS,OAAO,CAAC,EAAE,kCAAkC;IAWxD;;;;;;;OAOG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;CAyFxB"}