@azure/identity 4.2.0-alpha.20240425.2 → 4.2.1

package/dist/index.js

@@ -12,6 +12,7 @@ var fs = require('fs');
 var os = require('os');
 var path = require('path');
 var msalCommon = require('@azure/msal-node');
+var fs$1 = require('node:fs');
 var https = require('https');
 var promises = require('fs/promises');
 var child_process = require('child_process');
@@ -44,7 +45,7 @@ var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_proce
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `4.2.0`;
+const SDK_VERSION = `4.2.1`;
 /**
  * The default client ID for authentication
  * @internal
@@ -1175,18 +1176,6 @@ function prepareRequestOptions$3(scopes, clientId, resourceId) {
         }),
     });
 }
-/**
- * Retrieves the file contents at the given path using promises.
- * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
- */
-function readFileAsync$1(path, options) {
-    return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
-        if (err) {
-            reject(err);
-        }
-        resolve(data);
-    }));
-}
 /**
  * Does a request to the authentication provider that results in a file path.
  */
@@ -1207,6 +1196,43 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         throw Error(`Invalid www-authenticate header format: ${authHeader}`);
     }
 }
+function platformToFilePath() {
+    switch (process.platform) {
+        case "win32":
+            if (!process.env.PROGRAMDATA) {
+                throw new Error(`${msiName$4}: PROGRAMDATA environment variable has no value.`);
+            }
+            return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
+        case "linux":
+            return "/var/opt/azcmagent/tokens";
+        default:
+            throw new Error(`${msiName$4}: Unsupported platform ${process.platform}.`);
+    }
+}
+/**
+ * Validates that a given Azure Arc MSI file path is valid for use.
+ *
+ * A valid file will:
+ * 1. Be in the expected path for the current platform.
+ * 2. Have a `.key` extension.
+ * 3. Be at most 4096 bytes in size.
+ */
+function validateKeyFile(filePath) {
+    if (!filePath) {
+        throw new Error(`${msiName$4}: Failed to find the token file.`);
+    }
+    if (!filePath.endsWith(".key")) {
+        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const expectedPath = platformToFilePath();
+    if (!filePath.startsWith(expectedPath)) {
+        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const stats = fs$1.statSync(filePath);
+    if (stats.size > 4096) {
+        throw new Error(`${msiName$4}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`);
+    }
+}
 /**
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
@@ -1236,10 +1262,8 @@ const arcMsi = {
         logger$l.info(`${msiName$4}: Authenticating.`);
         const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
-        if (!filePath) {
-            throw new Error(`${msiName$4}: Failed to find the token file.`);
-        }
-        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
+        validateKeyFile(filePath);
+        const key = await fs$1.promises.readFile(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).