@azure/identity 4.2.0-alpha.20240425.2 → 4.2.1

package/dist-esm/src/constants.js

@@ -3,7 +3,7 @@
 /**
  * Current version of the `@azure/identity` package.
  */
-export const SDK_VERSION = `4.2.0`;
+export const SDK_VERSION = `4.2.1`;
 /**
  * The default client ID for authentication
  * @internal

package/dist-esm/src/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,OAAO,CAAC;AAEnC;;;GAGG;AACH,2EAA2E;AAC3E,6CAA6C;AAC7C,uGAAuG;AACvG,MAAM,CAAC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;AAE9E;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,QAAQ,CAAC;AAExC;;GAEG;AACH,MAAM,CAAN,IAAY,mBAiBX;AAjBD,WAAY,mBAAmB;IAC7B;;OAEG;IACH,oEAA6C,CAAA;IAC7C;;OAEG;IACH,wEAAiD,CAAA;IACjD;;OAEG;IACH,2EAAoD,CAAA;IACpD;;OAEG;IACH,6EAAsD,CAAA;AACxD,CAAC,EAjBW,mBAAmB,KAAnB,mBAAmB,QAiB9B;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,mBAAmB,CAAC,gBAAgB,CAAC;AAEzE;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAa,CAAC,GAAG,CAAC,CAAC;AAE3C;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAEtC;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,OAAO,CAAC;AAE5C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,YAAY,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\n/**\n * Current version of the `@azure/identity` package.\n */\nexport const SDK_VERSION = `4.2.0`;\n\n/**\n * The default client ID for authentication\n * @internal\n */\n// TODO: temporary - this is the Azure CLI clientID - we'll replace it when\n// Developer Sign On application is available\n// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9\nexport const DeveloperSignOnClientId = \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\";\n\n/**\n * The default tenant for authentication\n * @internal\n */\nexport const DefaultTenantId = \"common\";\n\n/**\n * A list of known Azure authority hosts\n */\nexport enum AzureAuthorityHosts {\n  /**\n   * China-based Azure Authority Host\n   */\n  AzureChina = \"https://login.chinacloudapi.cn\",\n  /**\n   * Germany-based Azure Authority Host\n   */\n  AzureGermany = \"https://login.microsoftonline.de\",\n  /**\n   * US Government Azure Authority Host\n   */\n  AzureGovernment = \"https://login.microsoftonline.us\",\n  /**\n   * Public Cloud Azure Authority Host\n   */\n  AzurePublicCloud = \"https://login.microsoftonline.com\",\n}\n\n/**\n * @internal\n * The default authority host.\n */\nexport const DefaultAuthorityHost = AzureAuthorityHosts.AzurePublicCloud;\n\n/**\n * @internal\n * Allow acquiring tokens for any tenant for multi-tentant auth.\n */\nexport const ALL_TENANTS: string[] = [\"*\"];\n\n/**\n * @internal\n */\nexport const CACHE_CAE_SUFFIX = \"cae\";\n\n/**\n * @internal\n */\nexport const CACHE_NON_CAE_SUFFIX = \"nocae\";\n\n/**\n * @internal\n *\n * The default name for the cache persistence plugin.\n * Matches the constant defined in the cache persistence package.\n */\nexport const DEFAULT_TOKEN_CACHE_NAME = \"msal.cache\";\n"]}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,OAAO,CAAC;AAEnC;;;GAGG;AACH,2EAA2E;AAC3E,6CAA6C;AAC7C,uGAAuG;AACvG,MAAM,CAAC,MAAM,uBAAuB,GAAG,sCAAsC,CAAC;AAE9E;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,QAAQ,CAAC;AAExC;;GAEG;AACH,MAAM,CAAN,IAAY,mBAiBX;AAjBD,WAAY,mBAAmB;IAC7B;;OAEG;IACH,oEAA6C,CAAA;IAC7C;;OAEG;IACH,wEAAiD,CAAA;IACjD;;OAEG;IACH,2EAAoD,CAAA;IACpD;;OAEG;IACH,6EAAsD,CAAA;AACxD,CAAC,EAjBW,mBAAmB,KAAnB,mBAAmB,QAiB9B;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,mBAAmB,CAAC,gBAAgB,CAAC;AAEzE;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAa,CAAC,GAAG,CAAC,CAAC;AAE3C;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAEtC;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,OAAO,CAAC;AAE5C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,YAAY,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\n/**\n * Current version of the `@azure/identity` package.\n */\nexport const SDK_VERSION = `4.2.1`;\n\n/**\n * The default client ID for authentication\n * @internal\n */\n// TODO: temporary - this is the Azure CLI clientID - we'll replace it when\n// Developer Sign On application is available\n// https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Constants.cs#L9\nexport const DeveloperSignOnClientId = \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\";\n\n/**\n * The default tenant for authentication\n * @internal\n */\nexport const DefaultTenantId = \"common\";\n\n/**\n * A list of known Azure authority hosts\n */\nexport enum AzureAuthorityHosts {\n  /**\n   * China-based Azure Authority Host\n   */\n  AzureChina = \"https://login.chinacloudapi.cn\",\n  /**\n   * Germany-based Azure Authority Host\n   */\n  AzureGermany = \"https://login.microsoftonline.de\",\n  /**\n   * US Government Azure Authority Host\n   */\n  AzureGovernment = \"https://login.microsoftonline.us\",\n  /**\n   * Public Cloud Azure Authority Host\n   */\n  AzurePublicCloud = \"https://login.microsoftonline.com\",\n}\n\n/**\n * @internal\n * The default authority host.\n */\nexport const DefaultAuthorityHost = AzureAuthorityHosts.AzurePublicCloud;\n\n/**\n * @internal\n * Allow acquiring tokens for any tenant for multi-tentant auth.\n */\nexport const ALL_TENANTS: string[] = [\"*\"];\n\n/**\n * @internal\n */\nexport const CACHE_CAE_SUFFIX = \"cae\";\n\n/**\n * @internal\n */\nexport const CACHE_NON_CAE_SUFFIX = \"nocae\";\n\n/**\n * @internal\n *\n * The default name for the cache persistence plugin.\n * Matches the constant defined in the cache persistence package.\n */\nexport const DEFAULT_TOKEN_CACHE_NAME = \"msal.cache\";\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js

@@ -1,11 +1,11 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 import { createHttpHeaders, createPipelineRequest, } from "@azure/core-rest-pipeline";
-import { readFile } from "fs";
 import { AuthenticationError } from "../../errors";
+import { azureArcAPIVersion } from "./constants";
 import { credentialLogger } from "../../util/logging";
+import fs from "node:fs";
 import { mapScopesToResource } from "./utils";
-import { azureArcAPIVersion } from "./constants";
 const msiName = "ManagedIdentityCredential - Azure Arc MSI";
 const logger = credentialLogger(msiName);
 /**
@@ -41,18 +41,6 @@ function prepareRequestOptions(scopes, clientId, resourceId) {
         }),
     });
 }
-/**
- * Retrieves the file contents at the given path using promises.
- * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
- */
-function readFileAsync(path, options) {
-    return new Promise((resolve, reject) => readFile(path, options, (err, data) => {
-        if (err) {
-            reject(err);
-        }
-        resolve(data);
-    }));
-}
 /**
  * Does a request to the authentication provider that results in a file path.
  */
@@ -73,6 +61,43 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         throw Error(`Invalid www-authenticate header format: ${authHeader}`);
     }
 }
+export function platformToFilePath() {
+    switch (process.platform) {
+        case "win32":
+            if (!process.env.PROGRAMDATA) {
+                throw new Error(`${msiName}: PROGRAMDATA environment variable has no value.`);
+            }
+            return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
+        case "linux":
+            return "/var/opt/azcmagent/tokens";
+        default:
+            throw new Error(`${msiName}: Unsupported platform ${process.platform}.`);
+    }
+}
+/**
+ * Validates that a given Azure Arc MSI file path is valid for use.
+ *
+ * A valid file will:
+ * 1. Be in the expected path for the current platform.
+ * 2. Have a `.key` extension.
+ * 3. Be at most 4096 bytes in size.
+ */
+export function validateKeyFile(filePath) {
+    if (!filePath) {
+        throw new Error(`${msiName}: Failed to find the token file.`);
+    }
+    if (!filePath.endsWith(".key")) {
+        throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const expectedPath = platformToFilePath();
+    if (!filePath.startsWith(expectedPath)) {
+        throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const stats = fs.statSync(filePath);
+    if (stats.size > 4096) {
+        throw new Error(`${msiName}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`);
+    }
+}
 /**
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
@@ -102,10 +127,8 @@ export const arcMsi = {
         logger.info(`${msiName}: Authenticating.`);
         const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
-        if (!filePath) {
-            throw new Error(`${msiName}: Failed to find the token file.`);
-        }
-        const key = await readFileAsync(filePath, { encoding: "utf-8" });
+        validateKeyFile(filePath);
+        const key = await fs.promises.readFile(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         const request = createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).

package/dist-esm/src/credentials/managedIdentityCredential/arcMsi.js.map

@@ -1 +1 @@
-{"version":3,"file":"arcMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/arcMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAElC,OAAO,EAEL,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAC9B,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,OAAO,GAAG,2CAA2C,CAAC;AAC5D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC;;GAEG;AACH,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB,EACjB,UAAmB;IAEnB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,eAAe,GAA2B;QAC9C,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,IAAI,QAAQ,EAAE,CAAC;QACb,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;IACvC,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,eAAe,CAAC,UAAU,GAAG,UAAU,CAAC;IAC1C,CAAC;IAED,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnD,OAAO,qBAAqB,CAAC;QAC3B,8EAA8E;QAC9E,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE;QAC3D,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,MAAM;SACjB,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,IAAY,EAAE,OAAqC;IACxE,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,CACrC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;QACpC,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC;IAChB,CAAC,CAAC,CACH,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,cAA8B,EAC9B,qBAA6C;IAE7C,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,qBAAqB,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEhG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACxB,OAAO,GAAG,cAAc,QAAQ,CAAC,UAAU,EAAE,CAAC;QAChD,CAAC;QACD,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,CAAC,MAAM,EACf,GAAG,OAAO,2FAA2F,OAAO,EAAE,CAC/G,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IAClE,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,MAAM,KAAK,CAAC,2CAA2C,UAAU,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,MAAM,GAAQ;IACzB,IAAI,EAAE,KAAK;IACX,KAAK,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE;QAC1B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACnF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,6EAA6E,CACxF,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;QAEvE,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,OAAO,CACZ,GAAG,OAAO,kGAAkG,CAC7G,CAAC;QACJ,CAAC;QACD,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,OAAO,CACZ,GAAG,OAAO,uGAAuG,CAClH,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mBAAmB,CAAC,CAAC;QAE3C,MAAM,cAAc,iCAClB,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,eAAe,CAAC,WAAW,IACrC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC,KACtD,uBAAuB,EAAE,IAAI,GAC9B,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QAEvE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,kCAAkC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACjE,MAAA,cAAc,CAAC,OAAO,0CAAE,GAAG,CAAC,eAAe,EAAE,SAAS,GAAG,EAAE,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAG,qBAAqB,iCAChC,cAAc;YACjB,0FAA0F;YAC1F,uBAAuB,EAAE,IAAI,IAC7B,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACrE,OAAO,CAAC,aAAa,IAAI,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC;IAC9D,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport {\n  PipelineRequestOptions,\n  createHttpHeaders,\n  createPipelineRequest,\n} from \"@azure/core-rest-pipeline\";\nimport { GetTokenOptions } from \"@azure/core-auth\";\nimport { readFile } from \"fs\";\nimport { AuthenticationError } from \"../../errors\";\nimport { credentialLogger } from \"../../util/logging\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { mapScopesToResource } from \"./utils\";\nimport { MSI, MSIConfiguration, MSIToken } from \"./models\";\nimport { azureArcAPIVersion } from \"./constants\";\n\nconst msiName = \"ManagedIdentityCredential - Azure Arc MSI\";\nconst logger = credentialLogger(msiName);\n\n/**\n * Generates the options used on the request for an access token.\n */\nfunction prepareRequestOptions(\n  scopes: string | string[],\n  clientId?: string,\n  resourceId?: string,\n): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n  const queryParameters: Record<string, string> = {\n    resource,\n    \"api-version\": azureArcAPIVersion,\n  };\n\n  if (clientId) {\n    queryParameters.client_id = clientId;\n  }\n  if (resourceId) {\n    queryParameters.msi_res_id = resourceId;\n  }\n\n  // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n  if (!process.env.IDENTITY_ENDPOINT) {\n    throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);\n  }\n\n  const query = new URLSearchParams(queryParameters);\n\n  return createPipelineRequest({\n    // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token\n    url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,\n    method: \"GET\",\n    headers: createHttpHeaders({\n      Accept: \"application/json\",\n      Metadata: \"true\",\n    }),\n  });\n}\n\n/**\n * Retrieves the file contents at the given path using promises.\n * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.\n */\nfunction readFileAsync(path: string, options: { encoding: BufferEncoding }): Promise<string> {\n  return new Promise((resolve, reject) =>\n    readFile(path, options, (err, data) => {\n      if (err) {\n        reject(err);\n      }\n      resolve(data);\n    }),\n  );\n}\n\n/**\n * Does a request to the authentication provider that results in a file path.\n */\nasync function filePathRequest(\n  identityClient: IdentityClient,\n  requestPrepareOptions: PipelineRequestOptions,\n): Promise<string | undefined> {\n  const response = await identityClient.sendRequest(createPipelineRequest(requestPrepareOptions));\n\n  if (response.status !== 401) {\n    let message = \"\";\n    if (response.bodyAsText) {\n      message = ` Response: ${response.bodyAsText}`;\n    }\n    throw new AuthenticationError(\n      response.status,\n      `${msiName}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`,\n    );\n  }\n\n  const authHeader = response.headers.get(\"www-authenticate\") || \"\";\n  try {\n    return authHeader.split(\"=\").slice(1)[0];\n  } catch (e: any) {\n    throw Error(`Invalid www-authenticate header format: ${authHeader}`);\n  }\n}\n\n/**\n * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.\n */\nexport const arcMsi: MSI = {\n  name: \"arc\",\n  async isAvailable({ scopes }): Promise<boolean> {\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n    const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);\n    if (!result) {\n      logger.info(\n        `${msiName}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`,\n      );\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {},\n  ): Promise<MSIToken | null> {\n    const { identityClient, scopes, clientId, resourceId } = configuration;\n\n    if (clientId) {\n      logger.warning(\n        `${msiName}: user-assigned identities not supported. The argument clientId might be ignored by the service.`,\n      );\n    }\n    if (resourceId) {\n      logger.warning(\n        `${msiName}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`,\n      );\n    }\n\n    logger.info(`${msiName}: Authenticating.`);\n\n    const requestOptions = {\n      disableJsonStringifyOnBody: true,\n      deserializationMapper: undefined,\n      abortSignal: getTokenOptions.abortSignal,\n      ...prepareRequestOptions(scopes, clientId, resourceId),\n      allowInsecureConnection: true,\n    };\n\n    const filePath = await filePathRequest(identityClient, requestOptions);\n\n    if (!filePath) {\n      throw new Error(`${msiName}: Failed to find the token file.`);\n    }\n\n    const key = await readFileAsync(filePath, { encoding: \"utf-8\" });\n    requestOptions.headers?.set(\"Authorization\", `Basic ${key}`);\n\n    const request = createPipelineRequest({\n      ...requestOptions,\n      // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).\n      allowInsecureConnection: true,\n    });\n    const tokenResponse = await identityClient.sendTokenRequest(request);\n    return (tokenResponse && tokenResponse.accessToken) || null;\n  },\n};\n"]}
+{"version":3,"file":"arcMsi.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/arcMsi.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAEL,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAGnD,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE9C,MAAM,OAAO,GAAG,2CAA2C,CAAC;AAC5D,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;AAEzC;;GAEG;AACH,SAAS,qBAAqB,CAC5B,MAAyB,EACzB,QAAiB,EACjB,UAAmB;IAEnB,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,sCAAsC,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,eAAe,GAA2B;QAC9C,QAAQ;QACR,aAAa,EAAE,kBAAkB;KAClC,CAAC;IAEF,IAAI,QAAQ,EAAE,CAAC;QACb,eAAe,CAAC,SAAS,GAAG,QAAQ,CAAC;IACvC,CAAC;IACD,IAAI,UAAU,EAAE,CAAC;QACf,eAAe,CAAC,UAAU,GAAG,UAAU,CAAC;IAC1C,CAAC;IAED,wIAAwI;IACxI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC;IAEnD,OAAO,qBAAqB,CAAC;QAC3B,8EAA8E;QAC9E,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,KAAK,CAAC,QAAQ,EAAE,EAAE;QAC3D,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,iBAAiB,CAAC;YACzB,MAAM,EAAE,kBAAkB;YAC1B,QAAQ,EAAE,MAAM;SACjB,CAAC;KACH,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,cAA8B,EAC9B,qBAA6C;IAE7C,MAAM,QAAQ,GAAG,MAAM,cAAc,CAAC,WAAW,CAAC,qBAAqB,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEhG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;QACjB,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;YACxB,OAAO,GAAG,cAAc,QAAQ,CAAC,UAAU,EAAE,CAAC;QAChD,CAAC;QACD,MAAM,IAAI,mBAAmB,CAC3B,QAAQ,CAAC,MAAM,EACf,GAAG,OAAO,2FAA2F,OAAO,EAAE,CAC/G,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;IAClE,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,MAAM,KAAK,CAAC,2CAA2C,UAAU,EAAE,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,QAAQ,OAAO,CAAC,QAAQ,EAAE,CAAC;QACzB,KAAK,OAAO;YACV,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,kDAAkD,CAAC,CAAC;YAChF,CAAC;YACD,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,sCAAsC,CAAC;QAC1E,KAAK,OAAO;YACV,OAAO,2BAA2B,CAAC;QACrC;YACE,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,0BAA0B,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IAC7E,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAAC,QAAiB;IAC/C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,kCAAkC,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,8CAA8C,QAAQ,GAAG,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,YAAY,GAAG,kBAAkB,EAAE,CAAC;IAC1C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,GAAG,OAAO,8CAA8C,QAAQ,GAAG,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,IAAI,GAAG,IAAI,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,GAAG,OAAO,iBAAiB,QAAQ,+BAA+B,KAAK,CAAC,IAAI,SAAS,CACtF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,MAAM,GAAQ;IACzB,IAAI,EAAE,KAAK;IACX,KAAK,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE;QAC1B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mDAAmD,CAAC,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACnF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CACT,GAAG,OAAO,6EAA6E,CACxF,CAAC;QACJ,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,KAAK,CAAC,QAAQ,CACZ,aAA+B,EAC/B,kBAAmC,EAAE;;QAErC,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,aAAa,CAAC;QAEvE,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,OAAO,CACZ,GAAG,OAAO,kGAAkG,CAC7G,CAAC;QACJ,CAAC;QACD,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,OAAO,CACZ,GAAG,OAAO,uGAAuG,CAClH,CAAC;QACJ,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,mBAAmB,CAAC,CAAC;QAE3C,MAAM,cAAc,iCAClB,0BAA0B,EAAE,IAAI,EAChC,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,eAAe,CAAC,WAAW,IACrC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC,KACtD,uBAAuB,EAAE,IAAI,GAC9B,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,cAAc,EAAE,cAAc,CAAC,CAAC;QACvE,eAAe,CAAC,QAAQ,CAAC,CAAC;QAE1B,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACxE,MAAA,cAAc,CAAC,OAAO,0CAAE,GAAG,CAAC,eAAe,EAAE,SAAS,GAAG,EAAE,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAG,qBAAqB,iCAChC,cAAc;YACjB,0FAA0F;YAC1F,uBAAuB,EAAE,IAAI,IAC7B,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,cAAc,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QACrE,OAAO,CAAC,aAAa,IAAI,aAAa,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC;IAC9D,CAAC;CACF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT license.\n\nimport { MSI, MSIConfiguration, MSIToken } from \"./models\";\nimport {\n  PipelineRequestOptions,\n  createHttpHeaders,\n  createPipelineRequest,\n} from \"@azure/core-rest-pipeline\";\n\nimport { AuthenticationError } from \"../../errors\";\nimport { GetTokenOptions } from \"@azure/core-auth\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport { azureArcAPIVersion } from \"./constants\";\nimport { credentialLogger } from \"../../util/logging\";\nimport fs from \"node:fs\";\nimport { mapScopesToResource } from \"./utils\";\n\nconst msiName = \"ManagedIdentityCredential - Azure Arc MSI\";\nconst logger = credentialLogger(msiName);\n\n/**\n * Generates the options used on the request for an access token.\n */\nfunction prepareRequestOptions(\n  scopes: string | string[],\n  clientId?: string,\n  resourceId?: string,\n): PipelineRequestOptions {\n  const resource = mapScopesToResource(scopes);\n  if (!resource) {\n    throw new Error(`${msiName}: Multiple scopes are not supported.`);\n  }\n  const queryParameters: Record<string, string> = {\n    resource,\n    \"api-version\": azureArcAPIVersion,\n  };\n\n  if (clientId) {\n    queryParameters.client_id = clientId;\n  }\n  if (resourceId) {\n    queryParameters.msi_res_id = resourceId;\n  }\n\n  // This error should not bubble up, since we verify that this environment variable is defined in the isAvailable() method defined below.\n  if (!process.env.IDENTITY_ENDPOINT) {\n    throw new Error(`${msiName}: Missing environment variable: IDENTITY_ENDPOINT`);\n  }\n\n  const query = new URLSearchParams(queryParameters);\n\n  return createPipelineRequest({\n    // Should be similar to: http://localhost:40342/metadata/identity/oauth2/token\n    url: `${process.env.IDENTITY_ENDPOINT}?${query.toString()}`,\n    method: \"GET\",\n    headers: createHttpHeaders({\n      Accept: \"application/json\",\n      Metadata: \"true\",\n    }),\n  });\n}\n\n/**\n * Does a request to the authentication provider that results in a file path.\n */\nasync function filePathRequest(\n  identityClient: IdentityClient,\n  requestPrepareOptions: PipelineRequestOptions,\n): Promise<string | undefined> {\n  const response = await identityClient.sendRequest(createPipelineRequest(requestPrepareOptions));\n\n  if (response.status !== 401) {\n    let message = \"\";\n    if (response.bodyAsText) {\n      message = ` Response: ${response.bodyAsText}`;\n    }\n    throw new AuthenticationError(\n      response.status,\n      `${msiName}: To authenticate with Azure Arc MSI, status code 401 is expected on the first request. ${message}`,\n    );\n  }\n\n  const authHeader = response.headers.get(\"www-authenticate\") || \"\";\n  try {\n    return authHeader.split(\"=\").slice(1)[0];\n  } catch (e: any) {\n    throw Error(`Invalid www-authenticate header format: ${authHeader}`);\n  }\n}\n\nexport function platformToFilePath(): string {\n  switch (process.platform) {\n    case \"win32\":\n      if (!process.env.PROGRAMDATA) {\n        throw new Error(`${msiName}: PROGRAMDATA environment variable has no value.`);\n      }\n      return `${process.env.PROGRAMDATA}\\\\AzureConnectedMachineAgent\\\\Tokens`;\n    case \"linux\":\n      return \"/var/opt/azcmagent/tokens\";\n    default:\n      throw new Error(`${msiName}: Unsupported platform ${process.platform}.`);\n  }\n}\n\n/**\n * Validates that a given Azure Arc MSI file path is valid for use.\n *\n * A valid file will:\n * 1. Be in the expected path for the current platform.\n * 2. Have a `.key` extension.\n * 3. Be at most 4096 bytes in size.\n */\nexport function validateKeyFile(filePath?: string): asserts filePath is string {\n  if (!filePath) {\n    throw new Error(`${msiName}: Failed to find the token file.`);\n  }\n\n  if (!filePath.endsWith(\".key\")) {\n    throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);\n  }\n\n  const expectedPath = platformToFilePath();\n  if (!filePath.startsWith(expectedPath)) {\n    throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);\n  }\n\n  const stats = fs.statSync(filePath);\n  if (stats.size > 4096) {\n    throw new Error(\n      `${msiName}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`,\n    );\n  }\n}\n\n/**\n * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.\n */\nexport const arcMsi: MSI = {\n  name: \"arc\",\n  async isAvailable({ scopes }): Promise<boolean> {\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      logger.info(`${msiName}: Unavailable. Multiple scopes are not supported.`);\n      return false;\n    }\n    const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);\n    if (!result) {\n      logger.info(\n        `${msiName}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`,\n      );\n    }\n    return result;\n  },\n  async getToken(\n    configuration: MSIConfiguration,\n    getTokenOptions: GetTokenOptions = {},\n  ): Promise<MSIToken | null> {\n    const { identityClient, scopes, clientId, resourceId } = configuration;\n\n    if (clientId) {\n      logger.warning(\n        `${msiName}: user-assigned identities not supported. The argument clientId might be ignored by the service.`,\n      );\n    }\n    if (resourceId) {\n      logger.warning(\n        `${msiName}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`,\n      );\n    }\n\n    logger.info(`${msiName}: Authenticating.`);\n\n    const requestOptions = {\n      disableJsonStringifyOnBody: true,\n      deserializationMapper: undefined,\n      abortSignal: getTokenOptions.abortSignal,\n      ...prepareRequestOptions(scopes, clientId, resourceId),\n      allowInsecureConnection: true,\n    };\n\n    const filePath = await filePathRequest(identityClient, requestOptions);\n    validateKeyFile(filePath);\n\n    const key = await fs.promises.readFile(filePath, { encoding: \"utf-8\" });\n    requestOptions.headers?.set(\"Authorization\", `Basic ${key}`);\n\n    const request = createPipelineRequest({\n      ...requestOptions,\n      // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).\n      allowInsecureConnection: true,\n    });\n    const tokenResponse = await identityClient.sendTokenRequest(request);\n    return (tokenResponse && tokenResponse.accessToken) || null;\n  },\n};\n"]}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@azure/identity",
   "sdk-type": "client",
-  "version": "4.2.0-alpha.20240425.2",
+  "version": "4.2.1",
   "description": "Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID",
   "main": "dist/index.js",
   "module": "dist-esm/src/index.js",
@@ -115,7 +115,7 @@
     "@azure/core-util": "^1.3.0",
     "@azure/logger": "^1.0.0",
     "@azure/msal-browser": "^3.11.1",
-    "@azure/msal-node": "^2.6.6",
+    "@azure/msal-node": "^2.9.2",
     "events": "^3.0.0",
     "jws": "^4.0.0",
     "open": "^8.0.0",
@@ -124,10 +124,10 @@
   },
   "devDependencies": {
     "@azure-tools/test-recorder": "^3.0.0",
-    "@azure/dev-tool": ">=1.0.0-alpha <1.0.0-alphb",
-    "@azure/eslint-plugin-azure-sdk": ">=3.0.0-alpha <3.0.0-alphb",
+    "@azure/dev-tool": "^1.0.0",
+    "@azure/eslint-plugin-azure-sdk": "^3.0.0",
     "@azure/keyvault-keys": "^4.2.0",
-    "@azure-tools/test-utils": ">=1.0.0-alpha <1.0.0-alphb",
+    "@azure-tools/test-utils": "^1.0.0",
     "@microsoft/api-extractor": "^7.31.1",
     "@types/chai": "^4.1.6",
     "@types/jsonwebtoken": "^9.0.0",