@azure/identity 4.2.0-alpha.20240425.2 → 4.3.0-alpha.20240426.2
- package/README.md +40 -36
- package/dist/index.js +292 -163
- package/dist/index.js.map +1 -1
- package/dist-esm/src/credentials/azurePipelinesServiceConnectionCredential.js +129 -0
- package/dist-esm/src/credentials/azurePipelinesServiceConnectionCredential.js.map +1 -0
- package/dist-esm/src/credentials/azurePipelinesServiceConnectionCredentialOptions.js +4 -0
- package/dist-esm/src/credentials/azurePipelinesServiceConnectionCredentialOptions.js.map +1 -0
- package/dist-esm/src/index.js +1 -0
- package/dist-esm/src/index.js.map +1 -1
- package/dist-esm/src/util/logging.js +4 -0
- package/dist-esm/src/util/logging.js.map +1 -1
- package/package.json +1 -1
- package/types/identity.d.ts +45 -0
package/dist/index.js
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
4
|
|
|
5
|
-
var logger$
|
|
5
|
+
var logger$r = require('@azure/logger');
|
|
6
6
|
var coreClient = require('@azure/core-client');
|
|
7
7
|
var coreUtil = require('@azure/core-util');
|
|
8
8
|
var coreRestPipeline = require('@azure/core-rest-pipeline');
|
|
@@ -197,7 +197,7 @@ const msalPlugins = {
|
|
|
197
197
|
/**
|
|
198
198
|
* The AzureLogger used for all clients within the identity package
|
|
199
199
|
*/
|
|
200
|
-
const logger$
|
|
200
|
+
const logger$q = logger$r.createClientLogger("identity");
|
|
201
201
|
/**
|
|
202
202
|
* Separates a list of environment variable names into a plain object with two arrays: an array of missing environment variables and another array with assigned environment variables.
|
|
203
203
|
* @param supportedEnvVars - List of environment variable names
|
|
@@ -237,7 +237,7 @@ function formatError(scope, error) {
|
|
|
237
237
|
* `[title] => [message]`
|
|
238
238
|
*
|
|
239
239
|
*/
|
|
240
|
-
function credentialLoggerInstance(title, parent, log = logger$
|
|
240
|
+
function credentialLoggerInstance(title, parent, log = logger$q) {
|
|
241
241
|
const fullTitle = parent ? `${parent.fullTitle} ${title}` : title;
|
|
242
242
|
function info(message) {
|
|
243
243
|
log.info(`${fullTitle} =>`, message);
|
|
@@ -248,12 +248,16 @@ function credentialLoggerInstance(title, parent, log = logger$p) {
|
|
|
248
248
|
function verbose(message) {
|
|
249
249
|
log.verbose(`${fullTitle} =>`, message);
|
|
250
250
|
}
|
|
251
|
+
function error(message) {
|
|
252
|
+
log.error(`${fullTitle} =>`, message);
|
|
253
|
+
}
|
|
251
254
|
return {
|
|
252
255
|
title,
|
|
253
256
|
fullTitle,
|
|
254
257
|
info,
|
|
255
258
|
warning,
|
|
256
259
|
verbose,
|
|
260
|
+
error,
|
|
257
261
|
};
|
|
258
262
|
}
|
|
259
263
|
/**
|
|
@@ -266,7 +270,7 @@ function credentialLoggerInstance(title, parent, log = logger$p) {
|
|
|
266
270
|
* `[title] => getToken() => [message]`
|
|
267
271
|
*
|
|
268
272
|
*/
|
|
269
|
-
function credentialLogger(title, log = logger$
|
|
273
|
+
function credentialLogger(title, log = logger$q) {
|
|
270
274
|
const credLogger = credentialLoggerInstance(title, undefined, log);
|
|
271
275
|
return Object.assign(Object.assign({}, credLogger), { parent: log, getToken: credentialLoggerInstance("=> getToken()", credLogger, log) });
|
|
272
276
|
}
|
|
@@ -594,7 +598,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
594
598
|
this.tokenCredentialOptions = Object.assign({}, options);
|
|
595
599
|
}
|
|
596
600
|
async sendTokenRequest(request) {
|
|
597
|
-
logger$
|
|
601
|
+
logger$q.info(`IdentityClient: sending token request to [${request.url}]`);
|
|
598
602
|
const response = await this.sendRequest(request);
|
|
599
603
|
if (response.bodyAsText && (response.status === 200 || response.status === 201)) {
|
|
600
604
|
const parsedBody = JSON.parse(response.bodyAsText);
|
|
@@ -609,12 +613,12 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
609
613
|
},
|
|
610
614
|
refreshToken: parsedBody.refresh_token,
|
|
611
615
|
};
|
|
612
|
-
logger$
|
|
616
|
+
logger$q.info(`IdentityClient: [${request.url}] token acquired, expires on ${token.accessToken.expiresOnTimestamp}`);
|
|
613
617
|
return token;
|
|
614
618
|
}
|
|
615
619
|
else {
|
|
616
620
|
const error = new AuthenticationError(response.status, response.bodyAsText);
|
|
617
|
-
logger$
|
|
621
|
+
logger$q.warning(`IdentityClient: authentication error. HTTP status: ${response.status}, ${error.errorResponse.errorDescription}`);
|
|
618
622
|
throw error;
|
|
619
623
|
}
|
|
620
624
|
}
|
|
@@ -622,7 +626,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
622
626
|
if (refreshToken === undefined) {
|
|
623
627
|
return null;
|
|
624
628
|
}
|
|
625
|
-
logger$
|
|
629
|
+
logger$q.info(`IdentityClient: refreshing access token with client ID: ${clientId}, scopes: ${scopes} started`);
|
|
626
630
|
const refreshParams = {
|
|
627
631
|
grant_type: "refresh_token",
|
|
628
632
|
client_id: clientId,
|
|
@@ -648,7 +652,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
648
652
|
tracingOptions: updatedOptions.tracingOptions,
|
|
649
653
|
});
|
|
650
654
|
const response = await this.sendTokenRequest(request);
|
|
651
|
-
logger$
|
|
655
|
+
logger$q.info(`IdentityClient: refreshed token for client ID: ${clientId}`);
|
|
652
656
|
return response;
|
|
653
657
|
}
|
|
654
658
|
catch (err) {
|
|
@@ -657,11 +661,11 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
657
661
|
// It's likely that the refresh token has expired, so
|
|
658
662
|
// return null so that the credential implementation will
|
|
659
663
|
// initiate the authentication flow again.
|
|
660
|
-
logger$
|
|
664
|
+
logger$q.info(`IdentityClient: interaction required for client ID: ${clientId}`);
|
|
661
665
|
return null;
|
|
662
666
|
}
|
|
663
667
|
else {
|
|
664
|
-
logger$
|
|
668
|
+
logger$q.warning(`IdentityClient: failed refreshing token for client ID: ${clientId}: ${err}`);
|
|
665
669
|
throw err;
|
|
666
670
|
}
|
|
667
671
|
}
|
|
@@ -770,10 +774,10 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
770
774
|
}
|
|
771
775
|
const base64Metadata = accessToken.split(".")[1];
|
|
772
776
|
const { appid, upn, tid, oid } = JSON.parse(Buffer.from(base64Metadata, "base64").toString("utf8"));
|
|
773
|
-
logger$
|
|
777
|
+
logger$q.info(`[Authenticated account] Client ID: ${appid}. Tenant ID: ${tid}. User Principal Name: ${upn || unavailableUpn}. Object ID (user): ${oid}`);
|
|
774
778
|
}
|
|
775
779
|
catch (e) {
|
|
776
|
-
logger$
|
|
780
|
+
logger$q.warning("allowLoggingAccountIdentifiers was set, but we couldn't log the account information. Error:", e.message);
|
|
777
781
|
}
|
|
778
782
|
}
|
|
779
783
|
}
|
|
@@ -782,7 +786,7 @@ class IdentityClient extends coreClient.ServiceClient {
|
|
|
782
786
|
// Licensed under the MIT license.
|
|
783
787
|
const CommonTenantId = "common";
|
|
784
788
|
const AzureAccountClientId = "aebc6443-996d-45c2-90f0-388ff96faa56"; // VSC: 'aebc6443-996d-45c2-90f0-388ff96faa56'
|
|
785
|
-
const logger$
|
|
789
|
+
const logger$p = credentialLogger("VisualStudioCodeCredential");
|
|
786
790
|
let findCredentials = undefined;
|
|
787
791
|
const vsCodeCredentialControl = {
|
|
788
792
|
setVsCodeCredentialFinder(finder) {
|
|
@@ -835,7 +839,7 @@ function getPropertyFromVSCode(property) {
|
|
|
835
839
|
}
|
|
836
840
|
}
|
|
837
841
|
catch (e) {
|
|
838
|
-
logger$
|
|
842
|
+
logger$p.info(`Failed to load the Visual Studio Code configuration file. Error: ${e.message}`);
|
|
839
843
|
return;
|
|
840
844
|
}
|
|
841
845
|
}
|
|
@@ -868,7 +872,7 @@ class VisualStudioCodeCredential {
|
|
|
868
872
|
const authorityHost = mapVSCodeAuthorityHosts[this.cloudName];
|
|
869
873
|
this.identityClient = new IdentityClient(Object.assign({ authorityHost }, options));
|
|
870
874
|
if (options && options.tenantId) {
|
|
871
|
-
checkTenantId(logger$
|
|
875
|
+
checkTenantId(logger$p, options.tenantId);
|
|
872
876
|
this.tenantId = options.tenantId;
|
|
873
877
|
}
|
|
874
878
|
else {
|
|
@@ -908,7 +912,7 @@ class VisualStudioCodeCredential {
|
|
|
908
912
|
async getToken(scopes, options) {
|
|
909
913
|
var _a, _b;
|
|
910
914
|
await this.prepareOnce();
|
|
911
|
-
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$
|
|
915
|
+
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds, logger$p) || this.tenantId;
|
|
912
916
|
if (findCredentials === undefined) {
|
|
913
917
|
throw new CredentialUnavailableError([
|
|
914
918
|
"No implementation of `VisualStudioCodeCredential` is available.",
|
|
@@ -922,7 +926,7 @@ class VisualStudioCodeCredential {
|
|
|
922
926
|
// Check to make sure the scope we get back is a valid scope
|
|
923
927
|
if (!scopeString.match(/^[0-9a-zA-Z-.:/]+$/)) {
|
|
924
928
|
const error = new Error("Invalid scope was specified by the user or calling client");
|
|
925
|
-
logger$
|
|
929
|
+
logger$p.getToken.info(formatError(scopes, error));
|
|
926
930
|
throw error;
|
|
927
931
|
}
|
|
928
932
|
if (scopeString.indexOf("offline_access") < 0) {
|
|
@@ -942,18 +946,18 @@ class VisualStudioCodeCredential {
|
|
|
942
946
|
if (refreshToken) {
|
|
943
947
|
const tokenResponse = await this.identityClient.refreshAccessToken(tenantId, AzureAccountClientId, scopeString, refreshToken, undefined);
|
|
944
948
|
if (tokenResponse) {
|
|
945
|
-
logger$
|
|
949
|
+
logger$p.getToken.info(formatSuccess(scopes));
|
|
946
950
|
return tokenResponse.accessToken;
|
|
947
951
|
}
|
|
948
952
|
else {
|
|
949
953
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Have you connected using the 'Azure Account' extension recently? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
950
|
-
logger$
|
|
954
|
+
logger$p.getToken.info(formatError(scopes, error));
|
|
951
955
|
throw error;
|
|
952
956
|
}
|
|
953
957
|
}
|
|
954
958
|
else {
|
|
955
959
|
const error = new CredentialUnavailableError("Could not retrieve the token associated with Visual Studio Code. Did you connect using the 'Azure Account' extension? To troubleshoot, visit https://aka.ms/azsdk/js/identity/vscodecredential/troubleshoot.");
|
|
956
|
-
logger$
|
|
960
|
+
logger$p.getToken.info(formatError(scopes, error));
|
|
957
961
|
throw error;
|
|
958
962
|
}
|
|
959
963
|
}
|
|
@@ -1005,7 +1009,7 @@ function useIdentityPlugin(plugin) {
|
|
|
1005
1009
|
// Copyright (c) Microsoft Corporation.
|
|
1006
1010
|
// Licensed under the MIT license.
|
|
1007
1011
|
const msiName$6 = "ManagedIdentityCredential - AppServiceMSI 2017";
|
|
1008
|
-
const logger$
|
|
1012
|
+
const logger$o = credentialLogger(msiName$6);
|
|
1009
1013
|
/**
|
|
1010
1014
|
* Generates the options used on the request for an access token.
|
|
1011
1015
|
*/
|
|
@@ -1046,22 +1050,22 @@ const appServiceMsi2017 = {
|
|
|
1046
1050
|
async isAvailable({ scopes }) {
|
|
1047
1051
|
const resource = mapScopesToResource(scopes);
|
|
1048
1052
|
if (!resource) {
|
|
1049
|
-
logger$
|
|
1053
|
+
logger$o.info(`${msiName$6}: Unavailable. Multiple scopes are not supported.`);
|
|
1050
1054
|
return false;
|
|
1051
1055
|
}
|
|
1052
1056
|
const env = process.env;
|
|
1053
1057
|
const result = Boolean(env.MSI_ENDPOINT && env.MSI_SECRET);
|
|
1054
1058
|
if (!result) {
|
|
1055
|
-
logger$
|
|
1059
|
+
logger$o.info(`${msiName$6}: Unavailable. The environment variables needed are: MSI_ENDPOINT and MSI_SECRET.`);
|
|
1056
1060
|
}
|
|
1057
1061
|
return result;
|
|
1058
1062
|
},
|
|
1059
1063
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1060
1064
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1061
1065
|
if (resourceId) {
|
|
1062
|
-
logger$
|
|
1066
|
+
logger$o.warning(`${msiName$6}: managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
1063
1067
|
}
|
|
1064
|
-
logger$
|
|
1068
|
+
logger$o.info(`${msiName$6}: Using the endpoint and the secret coming form the environment variables: MSI_ENDPOINT=${process.env.MSI_ENDPOINT} and MSI_SECRET=[REDACTED].`);
|
|
1065
1069
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$5(scopes, clientId)), {
|
|
1066
1070
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1067
1071
|
allowInsecureConnection: true }));
|
|
@@ -1073,7 +1077,7 @@ const appServiceMsi2017 = {
|
|
|
1073
1077
|
// Copyright (c) Microsoft Corporation.
|
|
1074
1078
|
// Licensed under the MIT license.
|
|
1075
1079
|
const msiName$5 = "ManagedIdentityCredential - AppServiceMSI 2019";
|
|
1076
|
-
const logger$
|
|
1080
|
+
const logger$n = credentialLogger(msiName$5);
|
|
1077
1081
|
/**
|
|
1078
1082
|
* Generates the options used on the request for an access token.
|
|
1079
1083
|
*/
|
|
@@ -1117,19 +1121,19 @@ const appServiceMsi2019 = {
|
|
|
1117
1121
|
async isAvailable({ scopes }) {
|
|
1118
1122
|
const resource = mapScopesToResource(scopes);
|
|
1119
1123
|
if (!resource) {
|
|
1120
|
-
logger$
|
|
1124
|
+
logger$n.info(`${msiName$5}: Unavailable. Multiple scopes are not supported.`);
|
|
1121
1125
|
return false;
|
|
1122
1126
|
}
|
|
1123
1127
|
const env = process.env;
|
|
1124
1128
|
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER);
|
|
1125
1129
|
if (!result) {
|
|
1126
|
-
logger$
|
|
1130
|
+
logger$n.info(`${msiName$5}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT and IDENTITY_HEADER.`);
|
|
1127
1131
|
}
|
|
1128
1132
|
return result;
|
|
1129
1133
|
},
|
|
1130
1134
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1131
1135
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1132
|
-
logger$
|
|
1136
|
+
logger$n.info(`${msiName$5}: Using the endpoint and the secret coming form the environment variables: IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT} and IDENTITY_HEADER=[REDACTED].`);
|
|
1133
1137
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$4(scopes, clientId, resourceId)), {
|
|
1134
1138
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1135
1139
|
allowInsecureConnection: true }));
|
|
@@ -1141,7 +1145,7 @@ const appServiceMsi2019 = {
|
|
|
1141
1145
|
// Copyright (c) Microsoft Corporation.
|
|
1142
1146
|
// Licensed under the MIT license.
|
|
1143
1147
|
const msiName$4 = "ManagedIdentityCredential - Azure Arc MSI";
|
|
1144
|
-
const logger$
|
|
1148
|
+
const logger$m = credentialLogger(msiName$4);
|
|
1145
1149
|
/**
|
|
1146
1150
|
* Generates the options used on the request for an access token.
|
|
1147
1151
|
*/
|
|
@@ -1215,12 +1219,12 @@ const arcMsi = {
|
|
|
1215
1219
|
async isAvailable({ scopes }) {
|
|
1216
1220
|
const resource = mapScopesToResource(scopes);
|
|
1217
1221
|
if (!resource) {
|
|
1218
|
-
logger$
|
|
1222
|
+
logger$m.info(`${msiName$4}: Unavailable. Multiple scopes are not supported.`);
|
|
1219
1223
|
return false;
|
|
1220
1224
|
}
|
|
1221
1225
|
const result = Boolean(process.env.IMDS_ENDPOINT && process.env.IDENTITY_ENDPOINT);
|
|
1222
1226
|
if (!result) {
|
|
1223
|
-
logger$
|
|
1227
|
+
logger$m.info(`${msiName$4}: The environment variables needed are: IMDS_ENDPOINT and IDENTITY_ENDPOINT`);
|
|
1224
1228
|
}
|
|
1225
1229
|
return result;
|
|
1226
1230
|
},
|
|
@@ -1228,12 +1232,12 @@ const arcMsi = {
|
|
|
1228
1232
|
var _a;
|
|
1229
1233
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1230
1234
|
if (clientId) {
|
|
1231
|
-
logger$
|
|
1235
|
+
logger$m.warning(`${msiName$4}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
1232
1236
|
}
|
|
1233
1237
|
if (resourceId) {
|
|
1234
|
-
logger$
|
|
1238
|
+
logger$m.warning(`${msiName$4}: user defined managed Identity by resource Id is not supported. Argument resourceId will be ignored.`);
|
|
1235
1239
|
}
|
|
1236
|
-
logger$
|
|
1240
|
+
logger$m.info(`${msiName$4}: Authenticating.`);
|
|
1237
1241
|
const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
|
|
1238
1242
|
const filePath = await filePathRequest(identityClient, requestOptions);
|
|
1239
1243
|
if (!filePath) {
|
|
@@ -1252,7 +1256,7 @@ const arcMsi = {
|
|
|
1252
1256
|
// Copyright (c) Microsoft Corporation.
|
|
1253
1257
|
// Licensed under the MIT license.
|
|
1254
1258
|
const msiName$3 = "ManagedIdentityCredential - CloudShellMSI";
|
|
1255
|
-
const logger$
|
|
1259
|
+
const logger$l = credentialLogger(msiName$3);
|
|
1256
1260
|
/**
|
|
1257
1261
|
* Generates the options used on the request for an access token.
|
|
1258
1262
|
*/
|
|
@@ -1295,24 +1299,24 @@ const cloudShellMsi = {
|
|
|
1295
1299
|
async isAvailable({ scopes }) {
|
|
1296
1300
|
const resource = mapScopesToResource(scopes);
|
|
1297
1301
|
if (!resource) {
|
|
1298
|
-
logger$
|
|
1302
|
+
logger$l.info(`${msiName$3}: Unavailable. Multiple scopes are not supported.`);
|
|
1299
1303
|
return false;
|
|
1300
1304
|
}
|
|
1301
1305
|
const result = Boolean(process.env.MSI_ENDPOINT);
|
|
1302
1306
|
if (!result) {
|
|
1303
|
-
logger$
|
|
1307
|
+
logger$l.info(`${msiName$3}: Unavailable. The environment variable MSI_ENDPOINT is needed.`);
|
|
1304
1308
|
}
|
|
1305
1309
|
return result;
|
|
1306
1310
|
},
|
|
1307
1311
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1308
1312
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1309
1313
|
if (clientId) {
|
|
1310
|
-
logger$
|
|
1314
|
+
logger$l.warning(`${msiName$3}: user-assigned identities not supported. The argument clientId might be ignored by the service.`);
|
|
1311
1315
|
}
|
|
1312
1316
|
if (resourceId) {
|
|
1313
|
-
logger$
|
|
1317
|
+
logger$l.warning(`${msiName$3}: user defined managed Identity by resource Id not supported. The argument resourceId might be ignored by the service.`);
|
|
1314
1318
|
}
|
|
1315
|
-
logger$
|
|
1319
|
+
logger$l.info(`${msiName$3}: Using the endpoint coming form the environment variable MSI_ENDPOINT = ${process.env.MSI_ENDPOINT}.`);
|
|
1316
1320
|
const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$2(scopes, clientId, resourceId)), {
|
|
1317
1321
|
// Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
|
|
1318
1322
|
allowInsecureConnection: true }));
|
|
@@ -1334,7 +1338,7 @@ const cloudShellMsi = {
|
|
|
1334
1338
|
// curl --insecure $IDENTITY_ENDPOINT'?api-version=2019-07-01-preview&resource=https://vault.azure.net/' -H "Secret: $IDENTITY_HEADER"
|
|
1335
1339
|
//
|
|
1336
1340
|
const msiName$2 = "ManagedIdentityCredential - Fabric MSI";
|
|
1337
|
-
const logger$
|
|
1341
|
+
const logger$k = credentialLogger(msiName$2);
|
|
1338
1342
|
/**
|
|
1339
1343
|
* Generates the options used on the request for an access token.
|
|
1340
1344
|
*/
|
|
@@ -1378,22 +1382,22 @@ const fabricMsi = {
|
|
|
1378
1382
|
async isAvailable({ scopes }) {
|
|
1379
1383
|
const resource = mapScopesToResource(scopes);
|
|
1380
1384
|
if (!resource) {
|
|
1381
|
-
logger$
|
|
1385
|
+
logger$k.info(`${msiName$2}: Unavailable. Multiple scopes are not supported.`);
|
|
1382
1386
|
return false;
|
|
1383
1387
|
}
|
|
1384
1388
|
const env = process.env;
|
|
1385
1389
|
const result = Boolean(env.IDENTITY_ENDPOINT && env.IDENTITY_HEADER && env.IDENTITY_SERVER_THUMBPRINT);
|
|
1386
1390
|
if (!result) {
|
|
1387
|
-
logger$
|
|
1391
|
+
logger$k.info(`${msiName$2}: Unavailable. The environment variables needed are: IDENTITY_ENDPOINT, IDENTITY_HEADER and IDENTITY_SERVER_THUMBPRINT`);
|
|
1388
1392
|
}
|
|
1389
1393
|
return result;
|
|
1390
1394
|
},
|
|
1391
1395
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1392
1396
|
const { scopes, identityClient, clientId, resourceId } = configuration;
|
|
1393
1397
|
if (resourceId) {
|
|
1394
|
-
logger$
|
|
1398
|
+
logger$k.warning(`${msiName$2}: user defined managed Identity by resource Id is not supported. Argument resourceId might be ignored by the service.`);
|
|
1395
1399
|
}
|
|
1396
|
-
logger$
|
|
1400
|
+
logger$k.info([
|
|
1397
1401
|
`${msiName$2}:`,
|
|
1398
1402
|
"Using the endpoint and the secret coming from the environment variables:",
|
|
1399
1403
|
`IDENTITY_ENDPOINT=${process.env.IDENTITY_ENDPOINT},`,
|
|
@@ -1416,7 +1420,7 @@ const fabricMsi = {
|
|
|
1416
1420
|
/**
|
|
1417
1421
|
* @internal
|
|
1418
1422
|
*/
|
|
1419
|
-
const logger$
|
|
1423
|
+
const logger$j = credentialLogger("IdentityUtils");
|
|
1420
1424
|
/**
|
|
1421
1425
|
* Latest AuthenticationRecord version
|
|
1422
1426
|
* @internal
|
|
@@ -1428,7 +1432,7 @@ const LatestAuthenticationRecordVersion = "1.0";
|
|
|
1428
1432
|
*/
|
|
1429
1433
|
function ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
|
|
1430
1434
|
const error = (message) => {
|
|
1431
|
-
logger$
|
|
1435
|
+
logger$j.getToken.info(message);
|
|
1432
1436
|
return new AuthenticationRequiredError({
|
|
1433
1437
|
scopes: Array.isArray(scopes) ? scopes : [scopes],
|
|
1434
1438
|
getTokenOptions,
|
|
@@ -1538,17 +1542,17 @@ function handleMsalError(scopes, error, getTokenOptions) {
|
|
|
1538
1542
|
const msalError = error;
|
|
1539
1543
|
switch (msalError.errorCode) {
|
|
1540
1544
|
case "endpoints_resolution_error":
|
|
1541
|
-
logger$
|
|
1545
|
+
logger$j.info(formatError(scopes, error.message));
|
|
1542
1546
|
return new CredentialUnavailableError(error.message);
|
|
1543
1547
|
case "device_code_polling_cancelled":
|
|
1544
1548
|
return new abortController.AbortError("The authentication has been aborted by the caller.");
|
|
1545
1549
|
case "consent_required":
|
|
1546
1550
|
case "interaction_required":
|
|
1547
1551
|
case "login_required":
|
|
1548
|
-
logger$
|
|
1552
|
+
logger$j.info(formatError(scopes, `Authentication returned errorCode ${msalError.errorCode}`));
|
|
1549
1553
|
break;
|
|
1550
1554
|
default:
|
|
1551
|
-
logger$
|
|
1555
|
+
logger$j.info(formatError(scopes, `Failed to acquire token: ${error.message}`));
|
|
1552
1556
|
break;
|
|
1553
1557
|
}
|
|
1554
1558
|
}
|
|
@@ -1558,7 +1562,7 @@ function handleMsalError(scopes, error, getTokenOptions) {
|
|
|
1558
1562
|
return error;
|
|
1559
1563
|
}
|
|
1560
1564
|
if (error.name === "NativeAuthError") {
|
|
1561
|
-
logger$
|
|
1565
|
+
logger$j.info(formatError(scopes, `Error from the native broker: ${error.message} with status code: ${error.statusCode}`));
|
|
1562
1566
|
return error;
|
|
1563
1567
|
}
|
|
1564
1568
|
return new AuthenticationRequiredError({ scopes, getTokenOptions, message: error.message });
|
|
@@ -1626,7 +1630,7 @@ function deserializeAuthenticationRecord(serializedRecord) {
|
|
|
1626
1630
|
// Copyright (c) Microsoft Corporation.
|
|
1627
1631
|
// Licensed under the MIT license.
|
|
1628
1632
|
const msiName$1 = "ManagedIdentityCredential - IMDS";
|
|
1629
|
-
const logger$
|
|
1633
|
+
const logger$i = credentialLogger(msiName$1);
|
|
1630
1634
|
/**
|
|
1631
1635
|
* Generates the options used on the request for an access token.
|
|
1632
1636
|
*/
|
|
@@ -1678,7 +1682,7 @@ const imdsMsi = {
|
|
|
1678
1682
|
async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
|
|
1679
1683
|
const resource = mapScopesToResource(scopes);
|
|
1680
1684
|
if (!resource) {
|
|
1681
|
-
logger$
|
|
1685
|
+
logger$i.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
|
|
1682
1686
|
return false;
|
|
1683
1687
|
}
|
|
1684
1688
|
// if the PodIdentityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
|
|
@@ -1706,39 +1710,39 @@ const imdsMsi = {
|
|
|
1706
1710
|
request.allowInsecureConnection = true;
|
|
1707
1711
|
let response;
|
|
1708
1712
|
try {
|
|
1709
|
-
logger$
|
|
1713
|
+
logger$i.info(`${msiName$1}: Pinging the Azure IMDS endpoint`);
|
|
1710
1714
|
response = await identityClient.sendRequest(request);
|
|
1711
1715
|
}
|
|
1712
1716
|
catch (err) {
|
|
1713
1717
|
// If the request failed, or Node.js was unable to establish a connection,
|
|
1714
1718
|
// or the host was down, we'll assume the IMDS endpoint isn't available.
|
|
1715
1719
|
if (coreUtil.isError(err)) {
|
|
1716
|
-
logger$
|
|
1720
|
+
logger$i.verbose(`${msiName$1}: Caught error ${err.name}: ${err.message}`);
|
|
1717
1721
|
}
|
|
1718
1722
|
// This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
|
|
1719
1723
|
// rather than just timing out, as expected.
|
|
1720
|
-
logger$
|
|
1724
|
+
logger$i.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
|
|
1721
1725
|
return false;
|
|
1722
1726
|
}
|
|
1723
1727
|
if (response.status === 403) {
|
|
1724
1728
|
if ((_b = response.bodyAsText) === null || _b === void 0 ? void 0 : _b.includes("unreachable")) {
|
|
1725
|
-
logger$
|
|
1726
|
-
logger$
|
|
1729
|
+
logger$i.info(`${msiName$1}: The Azure IMDS endpoint is unavailable`);
|
|
1730
|
+
logger$i.info(`${msiName$1}: ${response.bodyAsText}`);
|
|
1727
1731
|
return false;
|
|
1728
1732
|
}
|
|
1729
1733
|
}
|
|
1730
1734
|
// If we received any response, the endpoint is available
|
|
1731
|
-
logger$
|
|
1735
|
+
logger$i.info(`${msiName$1}: The Azure IMDS endpoint is available`);
|
|
1732
1736
|
return true;
|
|
1733
1737
|
});
|
|
1734
1738
|
},
|
|
1735
1739
|
async getToken(configuration, getTokenOptions = {}) {
|
|
1736
1740
|
const { identityClient, scopes, clientId, resourceId } = configuration;
|
|
1737
1741
|
if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
|
|
1738
|
-
logger$
|
|
1742
|
+
logger$i.info(`${msiName$1}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
|
|
1739
1743
|
}
|
|
1740
1744
|
else {
|
|
1741
|
-
logger$
|
|
1745
|
+
logger$i.info(`${msiName$1}: Using the default Azure IMDS endpoint ${imdsHost}.`);
|
|
1742
1746
|
}
|
|
1743
1747
|
let nextDelayInMs = configuration.retryConfig.startDelayInMs;
|
|
1744
1748
|
for (let retries = 0; retries < configuration.retryConfig.maxRetries; retries++) {
|
|
@@ -1930,7 +1934,7 @@ function generateMsalConfiguration(clientId, tenantId, msalClientOptions = {}) {
|
|
|
1930
1934
|
networkClient: httpClient,
|
|
1931
1935
|
loggerOptions: {
|
|
1932
1936
|
loggerCallback: defaultLoggerCallback((_b = msalClientOptions.logger) !== null && _b !== void 0 ? _b : msalLogger),
|
|
1933
|
-
logLevel: getMSALLogLevel(logger$
|
|
1937
|
+
logLevel: getMSALLogLevel(logger$r.getLogLevel()),
|
|
1934
1938
|
piiLoggingEnabled: (_c = msalClientOptions.loggingOptions) === null || _c === void 0 ? void 0 : _c.enableUnsafeSupportLogging,
|
|
1935
1939
|
},
|
|
1936
1940
|
},
|
|
@@ -2098,7 +2102,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
|
|
|
2098
2102
|
|
|
2099
2103
|
// Copyright (c) Microsoft Corporation.
|
|
2100
2104
|
// Licensed under the MIT license.
|
|
2101
|
-
const logger$
|
|
2105
|
+
const logger$h = credentialLogger("ClientAssertionCredential");
|
|
2102
2106
|
/**
|
|
2103
2107
|
* Authenticates a service principal with a JWT assertion.
|
|
2104
2108
|
*/
|
|
@@ -2121,7 +2125,7 @@ class ClientAssertionCredential {
|
|
|
2121
2125
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
2122
2126
|
this.options = options;
|
|
2123
2127
|
this.getAssertion = getAssertion;
|
|
2124
|
-
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$
|
|
2128
|
+
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$h, tokenCredentialOptions: this.options }));
|
|
2125
2129
|
}
|
|
2126
2130
|
/**
|
|
2127
2131
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -2133,7 +2137,7 @@ class ClientAssertionCredential {
|
|
|
2133
2137
|
*/
|
|
2134
2138
|
async getToken(scopes, options = {}) {
|
|
2135
2139
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
2136
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$
|
|
2140
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$h);
|
|
2137
2141
|
const clientAssertion = await this.getAssertion();
|
|
2138
2142
|
const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
|
|
2139
2143
|
return this.msalClient.getTokenByClientAssertion(arrayScopes, clientAssertion, newOptions);
|
|
@@ -2143,7 +2147,7 @@ class ClientAssertionCredential {
|
|
|
2143
2147
|
|
|
2144
2148
|
// Copyright (c) Microsoft Corporation.
|
|
2145
2149
|
// Licensed under the MIT license.
|
|
2146
|
-
const credentialName$
|
|
2150
|
+
const credentialName$4 = "WorkloadIdentityCredential";
|
|
2147
2151
|
/**
|
|
2148
2152
|
* Contains the list of all supported environment variable names so that an
|
|
2149
2153
|
* appropriate error message can be generated when no credentials can be
|
|
@@ -2156,7 +2160,7 @@ const SupportedWorkloadEnvironmentVariables = [
|
|
|
2156
2160
|
"AZURE_CLIENT_ID",
|
|
2157
2161
|
"AZURE_FEDERATED_TOKEN_FILE",
|
|
2158
2162
|
];
|
|
2159
|
-
const logger$
|
|
2163
|
+
const logger$g = credentialLogger(credentialName$4);
|
|
2160
2164
|
/**
|
|
2161
2165
|
* Workload Identity authentication is a feature in Azure that allows applications running on virtual machines (VMs)
|
|
2162
2166
|
* to access other Azure resources without the need for a service principal or managed identity. With Workload Identity
|
|
@@ -2182,17 +2186,17 @@ class WorkloadIdentityCredential {
|
|
|
2182
2186
|
this.cacheDate = undefined;
|
|
2183
2187
|
// Logging environment variables for error details
|
|
2184
2188
|
const assignedEnv = processEnvVars(SupportedWorkloadEnvironmentVariables).assigned.join(", ");
|
|
2185
|
-
logger$
|
|
2189
|
+
logger$g.info(`Found the following environment variables: ${assignedEnv}`);
|
|
2186
2190
|
const workloadIdentityCredentialOptions = options !== null && options !== void 0 ? options : {};
|
|
2187
2191
|
const tenantId = workloadIdentityCredentialOptions.tenantId || process.env.AZURE_TENANT_ID;
|
|
2188
2192
|
const clientId = workloadIdentityCredentialOptions.clientId || process.env.AZURE_CLIENT_ID;
|
|
2189
2193
|
this.federatedTokenFilePath =
|
|
2190
2194
|
workloadIdentityCredentialOptions.tokenFilePath || process.env.AZURE_FEDERATED_TOKEN_FILE;
|
|
2191
2195
|
if (tenantId) {
|
|
2192
|
-
checkTenantId(logger$
|
|
2196
|
+
checkTenantId(logger$g, tenantId);
|
|
2193
2197
|
}
|
|
2194
2198
|
if (clientId && tenantId && this.federatedTokenFilePath) {
|
|
2195
|
-
logger$
|
|
2199
|
+
logger$g.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${workloadIdentityCredentialOptions.clientId} and federated token path: [REDACTED]`);
|
|
2196
2200
|
this.client = new ClientAssertionCredential(tenantId, clientId, this.readFileContents.bind(this), options);
|
|
2197
2201
|
}
|
|
2198
2202
|
}
|
|
@@ -2206,15 +2210,15 @@ class WorkloadIdentityCredential {
|
|
|
2206
2210
|
*/
|
|
2207
2211
|
async getToken(scopes, options) {
|
|
2208
2212
|
if (!this.client) {
|
|
2209
|
-
const errorMessage = `${credentialName$
|
|
2213
|
+
const errorMessage = `${credentialName$4}: is unavailable. tenantId, clientId, and federatedTokenFilePath are required parameters.
|
|
2210
2214
|
In DefaultAzureCredential and ManagedIdentityCredential, these can be provided as environment variables -
|
|
2211
2215
|
"AZURE_TENANT_ID",
|
|
2212
2216
|
"AZURE_CLIENT_ID",
|
|
2213
2217
|
"AZURE_FEDERATED_TOKEN_FILE". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/workloadidentitycredential/troubleshoot `;
|
|
2214
|
-
logger$
|
|
2218
|
+
logger$g.info(errorMessage);
|
|
2215
2219
|
throw new CredentialUnavailableError(errorMessage);
|
|
2216
2220
|
}
|
|
2217
|
-
logger$
|
|
2221
|
+
logger$g.info("Invoking getToken() of Client Assertion Credential");
|
|
2218
2222
|
return this.client.getToken(scopes, options);
|
|
2219
2223
|
}
|
|
2220
2224
|
async readFileContents() {
|
|
@@ -2223,13 +2227,13 @@ class WorkloadIdentityCredential {
|
|
|
2223
2227
|
this.azureFederatedTokenFileContent = undefined;
|
|
2224
2228
|
}
|
|
2225
2229
|
if (!this.federatedTokenFilePath) {
|
|
2226
|
-
throw new CredentialUnavailableError(`${credentialName$
|
|
2230
|
+
throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. Invalid file path provided ${this.federatedTokenFilePath}.`);
|
|
2227
2231
|
}
|
|
2228
2232
|
if (!this.azureFederatedTokenFileContent) {
|
|
2229
2233
|
const file = await promises.readFile(this.federatedTokenFilePath, "utf8");
|
|
2230
2234
|
const value = file.trim();
|
|
2231
2235
|
if (!value) {
|
|
2232
|
-
throw new CredentialUnavailableError(`${credentialName$
|
|
2236
|
+
throw new CredentialUnavailableError(`${credentialName$4}: is unavailable. No content on the file ${this.federatedTokenFilePath}.`);
|
|
2233
2237
|
}
|
|
2234
2238
|
else {
|
|
2235
2239
|
this.azureFederatedTokenFileContent = value;
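Review bot: The two `CredentialUnavailableError` messages in `readFileContents` treat the token file path inconsistently with the constructor, which logs it as `[REDACTED]`. The "No content on the file" message puts `this.federatedTokenFilePath` into exception text that callers may log or surface. The "Invalid file path provided" message is built inside `if (!this.federatedTokenFilePath)`, so its interpolation can only print an empty or undefined value. I would pick one policy for the path, and reword the first message to say the path is missing, for example `federatedTokenFilePath was not provided`. The method continues outside this hunk.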
|
|
@@ -2243,7 +2247,7 @@ class WorkloadIdentityCredential {
|
|
|
2243
2247
|
// Copyright (c) Microsoft Corporation.
|
|
2244
2248
|
// Licensed under the MIT license.
|
|
2245
2249
|
const msiName = "ManagedIdentityCredential - Token Exchange";
|
|
2246
|
-
const logger$
|
|
2250
|
+
const logger$f = credentialLogger(msiName);
|
|
2247
2251
|
/**
|
|
2248
2252
|
* Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
|
|
2249
2253
|
*/
|
|
@@ -2256,7 +2260,7 @@ function tokenExchangeMsi() {
|
|
|
2256
2260
|
env.AZURE_TENANT_ID &&
|
|
2257
2261
|
process.env.AZURE_FEDERATED_TOKEN_FILE);
|
|
2258
2262
|
if (!result) {
|
|
2259
|
-
logger$
|
|
2263
|
+
logger$f.info(`${msiName}: Unavailable. The environment variables needed are: AZURE_CLIENT_ID (or the client ID sent through the parameters), AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE`);
|
|
2260
2264
|
}
|
|
2261
2265
|
return result;
|
|
2262
2266
|
},
|
|
@@ -2272,7 +2276,7 @@ function tokenExchangeMsi() {
|
|
|
2272
2276
|
|
|
2273
2277
|
// Copyright (c) Microsoft Corporation.
|
|
2274
2278
|
// Licensed under the MIT license.
|
|
2275
|
-
const logger$
|
|
2279
|
+
const logger$e = credentialLogger("ManagedIdentityCredential");
|
|
2276
2280
|
/**
|
|
2277
2281
|
* Attempts authentication using a managed identity available at the deployment environment.
|
|
2278
2282
|
* This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
|
|
@@ -2330,7 +2334,7 @@ class ManagedIdentityCredential {
|
|
|
2330
2334
|
},
|
|
2331
2335
|
system: {
|
|
2332
2336
|
loggerOptions: {
|
|
2333
|
-
logLevel: getMSALLogLevel(logger$
|
|
2337
|
+
logLevel: getMSALLogLevel(logger$r.getLogLevel()),
|
|
2334
2338
|
},
|
|
2335
2339
|
},
|
|
2336
2340
|
});
|
|
@@ -2427,7 +2431,7 @@ class ManagedIdentityCredential {
|
|
|
2427
2431
|
// It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
|
|
2428
2432
|
// yet we had no access token. For this reason, we'll throw once with a specific message:
|
|
2429
2433
|
const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
|
|
2430
|
-
logger$
|
|
2434
|
+
logger$e.getToken.info(formatError(scopes, error));
|
|
2431
2435
|
throw error;
|
|
2432
2436
|
}
|
|
2433
2437
|
// Since `authenticateManagedIdentity` didn't throw, and the result was not null,
|
|
@@ -2439,10 +2443,10 @@ class ManagedIdentityCredential {
|
|
|
2439
2443
|
// We've previously determined that the endpoint was unavailable,
|
|
2440
2444
|
// either because it was unreachable or permanently unable to authenticate.
|
|
2441
2445
|
const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
|
|
2442
|
-
logger$
|
|
2446
|
+
logger$e.getToken.info(formatError(scopes, error));
|
|
2443
2447
|
throw error;
|
|
2444
2448
|
}
|
|
2445
|
-
logger$
|
|
2449
|
+
logger$e.getToken.info(formatSuccess(scopes));
|
|
2446
2450
|
return result;
|
|
2447
2451
|
}
|
|
2448
2452
|
catch (err) {
|
|
@@ -2464,14 +2468,14 @@ class ManagedIdentityCredential {
|
|
|
2464
2468
|
// we can safely assume the credential is unavailable.
|
|
2465
2469
|
if (err.code === "ENETUNREACH") {
|
|
2466
2470
|
const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
|
|
2467
|
-
logger$
|
|
2471
|
+
logger$e.getToken.info(formatError(scopes, error));
|
|
2468
2472
|
throw error;
|
|
2469
2473
|
}
|
|
2470
2474
|
// If either the host was unreachable,
|
|
2471
2475
|
// we can safely assume the credential is unavailable.
|
|
2472
2476
|
if (err.code === "EHOSTUNREACH") {
|
|
2473
2477
|
const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
|
|
2474
|
-
logger$
|
|
2478
|
+
logger$e.getToken.info(formatError(scopes, error));
|
|
2475
2479
|
throw error;
|
|
2476
2480
|
}
|
|
2477
2481
|
// If err.statusCode has a value of 400, it comes from sendTokenRequest,
|
|
@@ -2484,7 +2488,7 @@ class ManagedIdentityCredential {
|
|
|
2484
2488
|
if (err.statusCode === 403 || err.code === 403) {
|
|
2485
2489
|
if (err.message.includes("unreachable")) {
|
|
2486
2490
|
const error = new CredentialUnavailableError(`${ManagedIdentityCredential.name}: Unavailable. Network unreachable. Message: ${err.message}`);
|
|
2487
|
-
logger$
|
|
2491
|
+
logger$e.getToken.info(formatError(scopes, error));
|
|
2488
2492
|
throw error;
|
|
2489
2493
|
}
|
|
2490
2494
|
}
|
|
@@ -2511,7 +2515,7 @@ class ManagedIdentityCredential {
|
|
|
2511
2515
|
*/
|
|
2512
2516
|
handleResult(scopes, result, getTokenOptions) {
|
|
2513
2517
|
this.ensureValidMsalToken(scopes, result, getTokenOptions);
|
|
2514
|
-
logger$
|
|
2518
|
+
logger$e.getToken.info(formatSuccess(scopes));
|
|
2515
2519
|
return {
|
|
2516
2520
|
token: result.accessToken,
|
|
2517
2521
|
expiresOnTimestamp: result.expiresOn.getTime(),
|
|
@@ -2522,7 +2526,7 @@ class ManagedIdentityCredential {
|
|
|
2522
2526
|
*/
|
|
2523
2527
|
ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
|
|
2524
2528
|
const error = (message) => {
|
|
2525
|
-
logger$
|
|
2529
|
+
logger$e.getToken.info(message);
|
|
2526
2530
|
return new AuthenticationRequiredError({
|
|
2527
2531
|
scopes: Array.isArray(scopes) ? scopes : [scopes],
|
|
2528
2532
|
getTokenOptions,
|
|
@@ -2542,12 +2546,12 @@ class ManagedIdentityCredential {
|
|
|
2542
2546
|
initializeSetAppTokenProvider() {
|
|
2543
2547
|
if (!this.isAppTokenProviderInitialized) {
|
|
2544
2548
|
this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {
|
|
2545
|
-
logger$
|
|
2549
|
+
logger$e.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
|
|
2546
2550
|
const getTokenOptions = Object.assign({}, appTokenProviderParameters);
|
|
2547
|
-
logger$
|
|
2551
|
+
logger$e.info(`authenticateManagedIdentity invoked with scopes- ${JSON.stringify(appTokenProviderParameters.scopes)} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`);
|
|
2548
2552
|
const resultToken = await this.authenticateManagedIdentity(appTokenProviderParameters.scopes, getTokenOptions);
|
|
2549
2553
|
if (resultToken) {
|
|
2550
|
-
logger$
|
|
2554
|
+
logger$e.info(`SetAppTokenProvider will save the token in cache`);
|
|
2551
2555
|
const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
|
|
2552
2556
|
? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
|
|
2553
2557
|
: 0;
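Review bot: Both `logger$e.info` calls at the top of the `SetAppTokenProvider` callback serialize whole objects with `JSON.stringify`, and `getTokenOptions` is a shallow copy of `appTokenProviderParameters`, so the same payload is logged twice. Logging an entire parameter object at info level means any field it carries now or gains later (claims, correlation data, tenant identifiers) lands in application logs without review. Logging named fields is safer, for example `logger$e.info(`SetAppTokenProvider invoked with scopes: ${appTokenProviderParameters.scopes}`)`. The callback body continues outside this hunk.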
|
|
@@ -2557,7 +2561,7 @@ class ManagedIdentityCredential {
|
|
|
2557
2561
|
};
|
|
2558
2562
|
}
|
|
2559
2563
|
else {
|
|
2560
|
-
logger$
|
|
2564
|
+
logger$e.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
|
|
2561
2565
|
return {
|
|
2562
2566
|
accessToken: "no_access_token_returned",
|
|
2563
2567
|
expiresInSeconds: 0,
|
|
@@ -2648,7 +2652,7 @@ const cliCredentialInternals = {
|
|
|
2648
2652
|
});
|
|
2649
2653
|
},
|
|
2650
2654
|
};
|
|
2651
|
-
const logger$
|
|
2655
|
+
const logger$d = credentialLogger("AzureCliCredential");
|
|
2652
2656
|
/**
|
|
2653
2657
|
* This credential will use the currently logged-in user login information
|
|
2654
2658
|
* via the Azure CLI ('az') commandline tool.
|
|
@@ -2666,7 +2670,7 @@ class AzureCliCredential {
|
|
|
2666
2670
|
*/
|
|
2667
2671
|
constructor(options) {
|
|
2668
2672
|
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
|
2669
|
-
checkTenantId(logger$
|
|
2673
|
+
checkTenantId(logger$d, options === null || options === void 0 ? void 0 : options.tenantId);
|
|
2670
2674
|
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
|
2671
2675
|
}
|
|
2672
2676
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
@@ -2683,14 +2687,14 @@ class AzureCliCredential {
|
|
|
2683
2687
|
async getToken(scopes, options = {}) {
|
|
2684
2688
|
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
|
2685
2689
|
if (tenantId) {
|
|
2686
|
-
checkTenantId(logger$
|
|
2690
|
+
checkTenantId(logger$d, tenantId);
|
|
2687
2691
|
}
|
|
2688
2692
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
2689
|
-
logger$
|
|
2693
|
+
logger$d.getToken.info(`Using the scope ${scope}`);
|
|
2690
2694
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
2691
2695
|
var _a, _b, _c, _d;
|
|
2692
2696
|
try {
|
|
2693
|
-
ensureValidScopeForDevTimeCreds(scope, logger$
|
|
2697
|
+
ensureValidScopeForDevTimeCreds(scope, logger$d);
|
|
2694
2698
|
const resource = getScopeResource(scope);
|
|
2695
2699
|
const obj = await cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.timeout);
|
|
2696
2700
|
const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
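Review bot: `logger$d.getToken.info(`Using the scope ${scope}`)` runs before `ensureValidScopeForDevTimeCreds(scope, logger$d)`, so a caller-supplied scope string is logged before the check that presumably rejects malformed values. The `AzureDeveloperCliCredential.getToken` hunk has the same order with `Using the scopes ${scopes}`. `AzurePowerShellCredential.getToken` validates first and logs second. I would move the log call to the line after the validation inside the `try` in both places so the three credentials agree. The `getToken` body continues outside this hunk.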
|
|
@@ -2698,18 +2702,18 @@ class AzureCliCredential {
|
|
|
2698
2702
|
const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
|
|
2699
2703
|
if (isNotInstallError) {
|
|
2700
2704
|
const error = new CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
|
|
2701
|
-
logger$
|
|
2705
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2702
2706
|
throw error;
|
|
2703
2707
|
}
|
|
2704
2708
|
if (isLoginError) {
|
|
2705
2709
|
const error = new CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
|
|
2706
|
-
logger$
|
|
2710
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2707
2711
|
throw error;
|
|
2708
2712
|
}
|
|
2709
2713
|
try {
|
|
2710
2714
|
const responseData = obj.stdout;
|
|
2711
2715
|
const response = this.parseRawResponse(responseData);
|
|
2712
|
-
logger$
|
|
2716
|
+
logger$d.getToken.info(formatSuccess(scopes));
|
|
2713
2717
|
return response;
|
|
2714
2718
|
}
|
|
2715
2719
|
catch (e) {
|
|
@@ -2723,7 +2727,7 @@ class AzureCliCredential {
|
|
|
2723
2727
|
const error = err.name === "CredentialUnavailableError"
|
|
2724
2728
|
? err
|
|
2725
2729
|
: new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
|
|
2726
|
-
logger$
|
|
2730
|
+
logger$d.getToken.info(formatError(scopes, error));
|
|
2727
2731
|
throw error;
|
|
2728
2732
|
}
|
|
2729
2733
|
});
|
|
@@ -2745,7 +2749,7 @@ class AzureCliCredential {
|
|
|
2745
2749
|
// ensure it's a number or NaN
|
|
2746
2750
|
let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;
|
|
2747
2751
|
if (!isNaN(expiresOnTimestamp)) {
|
|
2748
|
-
logger$
|
|
2752
|
+
logger$d.getToken.info("expires_on is available and is valid, using it");
|
|
2749
2753
|
return {
|
|
2750
2754
|
token,
|
|
2751
2755
|
expiresOnTimestamp,
|
|
@@ -2817,7 +2821,7 @@ const developerCliCredentialInternals = {
|
|
|
2817
2821
|
});
|
|
2818
2822
|
},
|
|
2819
2823
|
};
|
|
2820
|
-
const logger$
|
|
2824
|
+
const logger$c = credentialLogger("AzureDeveloperCliCredential");
|
|
2821
2825
|
/**
|
|
2822
2826
|
* Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
|
|
2823
2827
|
* resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
|
|
@@ -2854,7 +2858,7 @@ class AzureDeveloperCliCredential {
|
|
|
2854
2858
|
*/
|
|
2855
2859
|
constructor(options) {
|
|
2856
2860
|
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
|
2857
|
-
checkTenantId(logger$
|
|
2861
|
+
checkTenantId(logger$c, options === null || options === void 0 ? void 0 : options.tenantId);
|
|
2858
2862
|
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
|
2859
2863
|
}
|
|
2860
2864
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
@@ -2871,7 +2875,7 @@ class AzureDeveloperCliCredential {
|
|
|
2871
2875
|
async getToken(scopes, options = {}) {
|
|
2872
2876
|
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
|
2873
2877
|
if (tenantId) {
|
|
2874
|
-
checkTenantId(logger$
|
|
2878
|
+
checkTenantId(logger$c, tenantId);
|
|
2875
2879
|
}
|
|
2876
2880
|
let scopeList;
|
|
2877
2881
|
if (typeof scopes === "string") {
|
|
@@ -2880,12 +2884,12 @@ class AzureDeveloperCliCredential {
|
|
|
2880
2884
|
else {
|
|
2881
2885
|
scopeList = scopes;
|
|
2882
2886
|
}
|
|
2883
|
-
logger$
|
|
2887
|
+
logger$c.getToken.info(`Using the scopes ${scopes}`);
|
|
2884
2888
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
|
|
2885
2889
|
var _a, _b, _c, _d;
|
|
2886
2890
|
try {
|
|
2887
2891
|
scopeList.forEach((scope) => {
|
|
2888
|
-
ensureValidScopeForDevTimeCreds(scope, logger$
|
|
2892
|
+
ensureValidScopeForDevTimeCreds(scope, logger$c);
|
|
2889
2893
|
});
|
|
2890
2894
|
const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
|
|
2891
2895
|
const isNotLoggedInError = ((_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login")) ||
|
|
@@ -2894,17 +2898,17 @@ class AzureDeveloperCliCredential {
|
|
|
2894
2898
|
((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'azd' is not recognized"));
|
|
2895
2899
|
if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
|
|
2896
2900
|
const error = new CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
|
|
2897
|
-
logger$
|
|
2901
|
+
logger$c.getToken.info(formatError(scopes, error));
|
|
2898
2902
|
throw error;
|
|
2899
2903
|
}
|
|
2900
2904
|
if (isNotLoggedInError) {
|
|
2901
2905
|
const error = new CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
|
|
2902
|
-
logger$
|
|
2906
|
+
logger$c.getToken.info(formatError(scopes, error));
|
|
2903
2907
|
throw error;
|
|
2904
2908
|
}
|
|
2905
2909
|
try {
|
|
2906
2910
|
const resp = JSON.parse(obj.stdout);
|
|
2907
|
-
logger$
|
|
2911
|
+
logger$c.getToken.info(formatSuccess(scopes));
|
|
2908
2912
|
return {
|
|
2909
2913
|
token: resp.token,
|
|
2910
2914
|
expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
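Review bot: The object returned after `JSON.parse(obj.stdout)` uses `resp.token` and `new Date(resp.expiresOn).getTime()` without checking either, so unexpected CLI output can yield an undefined token or a `NaN` expiry. `AzureCliCredential` guards its expiry with `isNaN(expiresOnTimestamp)` before returning, and the `AzurePowerShellCredential` hunk has the same unguarded `new Date(response.ExpiresOn).getTime()`. I would compute the timestamp into a local and reject the response when `typeof resp.token !== "string"` or `Number.isNaN(expiresOnTimestamp)`. The surrounding `catch` is outside this hunk, so how such a throw would be reported needs confirming.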
|
|
@@ -2921,7 +2925,7 @@ class AzureDeveloperCliCredential {
|
|
|
2921
2925
|
const error = err.name === "CredentialUnavailableError"
|
|
2922
2926
|
? err
|
|
2923
2927
|
: new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
|
|
2924
|
-
logger$
|
|
2928
|
+
logger$c.getToken.info(formatError(scopes, error));
|
|
2925
2929
|
throw error;
|
|
2926
2930
|
}
|
|
2927
2931
|
});
|
|
@@ -2961,7 +2965,7 @@ const processUtils = {
|
|
|
2961
2965
|
|
|
2962
2966
|
// Copyright (c) Microsoft Corporation.
|
|
2963
2967
|
// Licensed under the MIT license.
|
|
2964
|
-
const logger$
|
|
2968
|
+
const logger$b = credentialLogger("AzurePowerShellCredential");
|
|
2965
2969
|
const isWindows = process.platform === "win32";
|
|
2966
2970
|
/**
|
|
2967
2971
|
* Returns a platform-appropriate command name by appending ".exe" on Windows.
|
|
@@ -3042,7 +3046,7 @@ class AzurePowerShellCredential {
|
|
|
3042
3046
|
*/
|
|
3043
3047
|
constructor(options) {
|
|
3044
3048
|
if (options === null || options === void 0 ? void 0 : options.tenantId) {
|
|
3045
|
-
checkTenantId(logger$
|
|
3049
|
+
checkTenantId(logger$b, options === null || options === void 0 ? void 0 : options.tenantId);
|
|
3046
3050
|
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
|
3047
3051
|
}
|
|
3048
3052
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
@@ -3105,14 +3109,14 @@ class AzurePowerShellCredential {
|
|
|
3105
3109
|
const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
|
|
3106
3110
|
const scope = typeof scopes === "string" ? scopes : scopes[0];
|
|
3107
3111
|
if (tenantId) {
|
|
3108
|
-
checkTenantId(logger$
|
|
3112
|
+
checkTenantId(logger$b, tenantId);
|
|
3109
3113
|
}
|
|
3110
3114
|
try {
|
|
3111
|
-
ensureValidScopeForDevTimeCreds(scope, logger$
|
|
3112
|
-
logger$
|
|
3115
|
+
ensureValidScopeForDevTimeCreds(scope, logger$b);
|
|
3116
|
+
logger$b.getToken.info(`Using the scope ${scope}`);
|
|
3113
3117
|
const resource = getScopeResource(scope);
|
|
3114
3118
|
const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
|
|
3115
|
-
logger$
|
|
3119
|
+
logger$b.getToken.info(formatSuccess(scopes));
|
|
3116
3120
|
return {
|
|
3117
3121
|
token: response.Token,
|
|
3118
3122
|
expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
|
|
@@ -3121,16 +3125,16 @@ class AzurePowerShellCredential {
|
|
|
3121
3125
|
catch (err) {
|
|
3122
3126
|
if (isNotInstalledError(err)) {
|
|
3123
3127
|
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
|
|
3124
|
-
logger$
|
|
3128
|
+
logger$b.getToken.info(formatError(scope, error));
|
|
3125
3129
|
throw error;
|
|
3126
3130
|
}
|
|
3127
3131
|
else if (isLoginError(err)) {
|
|
3128
3132
|
const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
|
|
3129
|
-
logger$
|
|
3133
|
+
logger$b.getToken.info(formatError(scope, error));
|
|
3130
3134
|
throw error;
|
|
3131
3135
|
}
|
|
3132
3136
|
const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
|
|
3133
|
-
logger$
|
|
3137
|
+
logger$b.getToken.info(formatError(scope, error));
|
|
3134
3138
|
throw error;
|
|
3135
3139
|
}
|
|
3136
3140
|
});
|
|
@@ -3142,7 +3146,7 @@ class AzurePowerShellCredential {
|
|
|
3142
3146
|
/**
|
|
3143
3147
|
* @internal
|
|
3144
3148
|
*/
|
|
3145
|
-
const logger$
|
|
3149
|
+
const logger$a = credentialLogger("ChainedTokenCredential");
|
|
3146
3150
|
/**
|
|
3147
3151
|
* Enables multiple `TokenCredential` implementations to be tried in order
|
|
3148
3152
|
* until one of the getToken methods returns an access token.
|
|
@@ -3197,17 +3201,17 @@ class ChainedTokenCredential {
|
|
|
3197
3201
|
errors.push(err);
|
|
3198
3202
|
}
|
|
3199
3203
|
else {
|
|
3200
|
-
logger$
|
|
3204
|
+
logger$a.getToken.info(formatError(scopes, err));
|
|
3201
3205
|
throw err;
|
|
3202
3206
|
}
|
|
3203
3207
|
}
|
|
3204
3208
|
}
|
|
3205
3209
|
if (!token && errors.length > 0) {
|
|
3206
3210
|
const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
|
|
3207
|
-
logger$
|
|
3211
|
+
logger$a.getToken.info(formatError(scopes, err));
|
|
3208
3212
|
throw err;
|
|
3209
3213
|
}
|
|
3210
|
-
logger$
|
|
3214
|
+
logger$a.getToken.info(`Result for ${successfulCredential.constructor.name}: ${formatSuccess(scopes)}`);
|
|
3211
3215
|
if (token === null) {
|
|
3212
3216
|
throw new CredentialUnavailableError("Failed to retrieve a valid token");
|
|
3213
3217
|
}
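Review bot: The success log dereferences `successfulCredential.constructor.name` before the `if (token === null)` guard that follows it. If the loop above, which is outside this hunk, never assigns `successfulCredential` (for example an empty credential list, where `errors.length` is also 0), this line would presumably throw a `TypeError` instead of the intended `CredentialUnavailableError("Failed to retrieve a valid token")`. Moving the `token === null` check above the `logger$a.getToken.info(...)` call keeps the failure mode typed and predictable for callers that branch on the error class.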
|
|
@@ -3218,8 +3222,8 @@ class ChainedTokenCredential {
|
|
|
3218
3222
|
|
|
3219
3223
|
// Copyright (c) Microsoft Corporation.
|
|
3220
3224
|
// Licensed under the MIT license.
|
|
3221
|
-
const credentialName$
|
|
3222
|
-
const logger$
|
|
3225
|
+
const credentialName$3 = "ClientCertificateCredential";
|
|
3226
|
+
const logger$9 = credentialLogger(credentialName$3);
|
|
3223
3227
|
/**
|
|
3224
3228
|
* Enables authentication to Microsoft Entra ID using a PEM-encoded
|
|
3225
3229
|
* certificate that is assigned to an App Registration. More information
|
|
@@ -3231,7 +3235,7 @@ const logger$8 = credentialLogger(credentialName$2);
|
|
|
3231
3235
|
class ClientCertificateCredential {
|
|
3232
3236
|
constructor(tenantId, clientId, certificatePathOrConfiguration, options = {}) {
|
|
3233
3237
|
if (!tenantId || !clientId) {
|
|
3234
|
-
throw new Error(`${credentialName$
|
|
3238
|
+
throw new Error(`${credentialName$3}: tenantId and clientId are required parameters.`);
|
|
3235
3239
|
}
|
|
3236
3240
|
this.tenantId = tenantId;
|
|
3237
3241
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
@@ -3244,12 +3248,12 @@ class ClientCertificateCredential {
|
|
|
3244
3248
|
const certificate = this.certificateConfiguration.certificate;
|
|
3245
3249
|
const certificatePath = this.certificateConfiguration.certificatePath;
|
|
3246
3250
|
if (!this.certificateConfiguration || !(certificate || certificatePath)) {
|
|
3247
|
-
throw new Error(`${credentialName$
|
|
3251
|
+
throw new Error(`${credentialName$3}: Provide either a PEM certificate in string form, or the path to that certificate in the filesystem. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
|
3248
3252
|
}
|
|
3249
3253
|
if (certificate && certificatePath) {
|
|
3250
|
-
throw new Error(`${credentialName$
|
|
3254
|
+
throw new Error(`${credentialName$3}: To avoid unexpected behaviors, providing both the contents of a PEM certificate and the path to a PEM certificate is forbidden. To troubleshoot, visit https://aka.ms/azsdk/js/identity/serviceprincipalauthentication/troubleshoot.`);
|
|
3251
3255
|
}
|
|
3252
|
-
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$
|
|
3256
|
+
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$9, tokenCredentialOptions: options }));
|
|
3253
3257
|
}
|
|
3254
3258
|
/**
|
|
3255
3259
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
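Review bot: The guard `if (!this.certificateConfiguration || !(certificate || certificatePath))` comes after `this.certificateConfiguration.certificate` and `.certificatePath` have already been read, so its first operand can never be the reason the branch is taken. A missing configuration would throw a `TypeError` on the property read instead of the descriptive error. Either do the null check before the two `const` lines or read the properties with optional chaining, for example `const certificate = this.certificateConfiguration?.certificate;`. The assignment of `this.certificateConfiguration` is outside this hunk, so whether it can be undefined at this point should be confirmed.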
|
|
@@ -3260,8 +3264,8 @@ class ClientCertificateCredential {
|
|
|
3260
3264
|
* TokenCredential implementation might make.
|
|
3261
3265
|
*/
|
|
3262
3266
|
async getToken(scopes, options = {}) {
|
|
3263
|
-
return tracingClient.withSpan(`${credentialName$
|
|
3264
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$
|
|
3267
|
+
return tracingClient.withSpan(`${credentialName$3}.getToken`, options, async (newOptions) => {
|
|
3268
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$9);
|
|
3265
3269
|
const arrayScopes = Array.isArray(scopes) ? scopes : [scopes];
|
|
3266
3270
|
const certificate = await this.buildClientCertificate();
|
|
3267
3271
|
return this.msalClient.getTokenByClientCertificate(arrayScopes, certificate, newOptions);
|
|
@@ -3323,7 +3327,7 @@ class ClientCertificateCredential {
|
|
|
3323
3327
|
|
|
3324
3328
|
// Copyright (c) Microsoft Corporation.
|
|
3325
3329
|
// Licensed under the MIT license.
|
|
3326
|
-
const logger$
|
|
3330
|
+
const logger$8 = credentialLogger("ClientSecretCredential");
|
|
3327
3331
|
/**
|
|
3328
3332
|
* Enables authentication to Microsoft Entra ID using a client secret
|
|
3329
3333
|
* that was generated for an App Registration. More information on how
|
|
@@ -3350,7 +3354,7 @@ class ClientSecretCredential {
|
|
|
3350
3354
|
this.clientSecret = clientSecret;
|
|
3351
3355
|
this.tenantId = tenantId;
|
|
3352
3356
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
3353
|
-
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$
|
|
3357
|
+
this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$8, tokenCredentialOptions: options }));
|
|
3354
3358
|
}
|
|
3355
3359
|
/**
|
|
3356
3360
|
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
@@ -3362,7 +3366,7 @@ class ClientSecretCredential {
|
|
|
3362
3366
|
*/
|
|
3363
3367
|
async getToken(scopes, options = {}) {
|
|
3364
3368
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
3365
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$
|
|
3369
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$8);
|
|
3366
3370
|
const arrayScopes = ensureScopes(scopes);
|
|
3367
3371
|
return this.msalClient.getTokenByClientSecret(arrayScopes, this.clientSecret, newOptions);
|
|
3368
3372
|
});
|
|
@@ -3447,7 +3451,7 @@ class MsalNode {
|
|
|
3447
3451
|
networkClient: this.identityClient,
|
|
3448
3452
|
loggerOptions: {
|
|
3449
3453
|
loggerCallback: defaultLoggerCallback(options.logger),
|
|
3450
|
-
logLevel: getMSALLogLevel(logger$
|
|
3454
|
+
logLevel: getMSALLogLevel(logger$r.getLogLevel()),
|
|
3451
3455
|
piiLoggingEnabled: (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.enableUnsafeSupportLogging,
|
|
3452
3456
|
},
|
|
3453
3457
|
},
|
|
@@ -3713,7 +3717,7 @@ class MsalUsernamePassword extends MsalNode {
|
|
|
3713
3717
|
|
|
3714
3718
|
// Copyright (c) Microsoft Corporation.
|
|
3715
3719
|
// Licensed under the MIT license.
|
|
3716
|
-
const logger$
|
|
3720
|
+
const logger$7 = credentialLogger("UsernamePasswordCredential");
|
|
3717
3721
|
/**
|
|
3718
3722
|
* Enables authentication to Microsoft Entra ID with a user's
|
|
3719
3723
|
* username and password. This credential requires a high degree of
|
|
@@ -3738,7 +3742,7 @@ class UsernamePasswordCredential {
|
|
|
3738
3742
|
}
|
|
3739
3743
|
this.tenantId = tenantId;
|
|
3740
3744
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
3741
|
-
this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$
|
|
3745
|
+
this.msalFlow = new MsalUsernamePassword(Object.assign(Object.assign({}, options), { logger: logger$7,
|
|
3742
3746
|
clientId,
|
|
3743
3747
|
tenantId,
|
|
3744
3748
|
username,
|
|
@@ -3758,7 +3762,7 @@ class UsernamePasswordCredential {
|
|
|
3758
3762
|
*/
|
|
3759
3763
|
async getToken(scopes, options = {}) {
|
|
3760
3764
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
3761
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$
|
|
3765
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$7);
|
|
3762
3766
|
const arrayScopes = ensureScopes(scopes);
|
|
3763
3767
|
return this.msalFlow.getToken(arrayScopes, newOptions);
|
|
3764
3768
|
});
|
|
@@ -3789,8 +3793,8 @@ function getAdditionallyAllowedTenants() {
|
|
|
3789
3793
|
const additionallyAllowedValues = (_a = process.env.AZURE_ADDITIONALLY_ALLOWED_TENANTS) !== null && _a !== void 0 ? _a : "";
|
|
3790
3794
|
return additionallyAllowedValues.split(";");
|
|
3791
3795
|
}
|
|
3792
|
-
const credentialName$
|
|
3793
|
-
const logger$
|
|
3796
|
+
const credentialName$2 = "EnvironmentCredential";
|
|
3797
|
+
const logger$6 = credentialLogger(credentialName$2);
|
|
3794
3798
|
/**
|
|
3795
3799
|
* Enables authentication to Microsoft Entra ID using a client secret or certificate, or as a user
|
|
3796
3800
|
* with a username and password.
|
|
@@ -3824,29 +3828,29 @@ class EnvironmentCredential {
|
|
|
3824
3828
|
// Keep track of any missing environment variables for error details
|
|
3825
3829
|
this._credential = undefined;
|
|
3826
3830
|
const assigned = processEnvVars(AllSupportedEnvironmentVariables).assigned.join(", ");
|
|
3827
|
-
logger$
|
|
3831
|
+
logger$6.info(`Found the following environment variables: ${assigned}`);
|
|
3828
3832
|
const tenantId = process.env.AZURE_TENANT_ID, clientId = process.env.AZURE_CLIENT_ID, clientSecret = process.env.AZURE_CLIENT_SECRET;
|
|
3829
3833
|
const additionallyAllowedTenantIds = getAdditionallyAllowedTenants();
|
|
3830
3834
|
const newOptions = Object.assign(Object.assign({}, options), { additionallyAllowedTenantIds });
|
|
3831
3835
|
if (tenantId) {
|
|
3832
|
-
checkTenantId(logger$
|
|
3836
|
+
checkTenantId(logger$6, tenantId);
|
|
3833
3837
|
}
|
|
3834
3838
|
if (tenantId && clientId && clientSecret) {
|
|
3835
|
-
logger$
|
|
3839
|
+
logger$6.info(`Invoking ClientSecretCredential with tenant ID: ${tenantId}, clientId: ${clientId} and clientSecret: [REDACTED]`);
|
|
3836
3840
|
this._credential = new ClientSecretCredential(tenantId, clientId, clientSecret, newOptions);
|
|
3837
3841
|
return;
|
|
3838
3842
|
}
|
|
3839
3843
|
const certificatePath = process.env.AZURE_CLIENT_CERTIFICATE_PATH;
|
|
3840
3844
|
const certificatePassword = process.env.AZURE_CLIENT_CERTIFICATE_PASSWORD;
|
|
3841
3845
|
if (tenantId && clientId && certificatePath) {
|
|
3842
|
-
logger$
|
|
3846
|
+
logger$6.info(`Invoking ClientCertificateCredential with tenant ID: ${tenantId}, clientId: ${clientId} and certificatePath: ${certificatePath}`);
|
|
3843
3847
|
this._credential = new ClientCertificateCredential(tenantId, clientId, { certificatePath, certificatePassword }, newOptions);
|
|
3844
3848
|
return;
|
|
3845
3849
|
}
|
|
3846
3850
|
const username = process.env.AZURE_USERNAME;
|
|
3847
3851
|
const password = process.env.AZURE_PASSWORD;
|
|
3848
3852
|
if (tenantId && clientId && username && password) {
|
|
3849
|
-
logger$
|
|
3853
|
+
logger$6.info(`Invoking UsernamePasswordCredential with tenant ID: ${tenantId}, clientId: ${clientId} and username: ${username}`);
|
|
3850
3854
|
this._credential = new UsernamePasswordCredential(tenantId, clientId, username, password, newOptions);
|
|
3851
3855
|
}
|
|
3852
3856
|
}
|
|
@@ -3857,30 +3861,30 @@ class EnvironmentCredential {
|
|
|
3857
3861
|
* @param options - Optional parameters. See {@link GetTokenOptions}.
|
|
3858
3862
|
*/
|
|
3859
3863
|
async getToken(scopes, options = {}) {
|
|
3860
|
-
return tracingClient.withSpan(`${credentialName$
|
|
3864
|
+
return tracingClient.withSpan(`${credentialName$2}.getToken`, options, async (newOptions) => {
|
|
3861
3865
|
if (this._credential) {
|
|
3862
3866
|
try {
|
|
3863
3867
|
const result = await this._credential.getToken(scopes, newOptions);
|
|
3864
|
-
logger$
|
|
3868
|
+
logger$6.getToken.info(formatSuccess(scopes));
|
|
3865
3869
|
return result;
|
|
3866
3870
|
}
|
|
3867
3871
|
catch (err) {
|
|
3868
3872
|
const authenticationError = new AuthenticationError(400, {
|
|
3869
|
-
error: `${credentialName$
|
|
3873
|
+
error: `${credentialName$2} authentication failed. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`,
|
|
3870
3874
|
error_description: err.message.toString().split("More details:").join(""),
|
|
3871
3875
|
});
|
|
3872
|
-
logger$
|
|
3876
|
+
logger$6.getToken.info(formatError(scopes, authenticationError));
|
|
3873
3877
|
throw authenticationError;
|
|
3874
3878
|
}
|
|
3875
3879
|
}
|
|
3876
|
-
throw new CredentialUnavailableError(`${credentialName$
|
|
3880
|
+
throw new CredentialUnavailableError(`${credentialName$2} is unavailable. No underlying credential could be used. To troubleshoot, visit https://aka.ms/azsdk/js/identity/environmentcredential/troubleshoot.`);
|
|
3877
3881
|
});
|
|
3878
3882
|
}
|
|
3879
3883
|
}
|
|
3880
3884
|
|
|
3881
3885
|
// Copyright (c) Microsoft Corporation.
|
|
3882
3886
|
// Licensed under the MIT license.
|
|
3883
|
-
const logger$
|
|
3887
|
+
const logger$5 = credentialLogger("DefaultAzureCredential");
|
|
3884
3888
|
/**
|
|
3885
3889
|
* Creates a {@link ManagedIdentityCredential} from the provided options.
|
|
3886
3890
|
* @param options - Options to configure the credential.
|
|
@@ -3985,7 +3989,7 @@ class UnavailableDefaultCredential {
|
|
|
3985
3989
|
this.credentialUnavailableErrorMessage = message;
|
|
3986
3990
|
}
|
|
3987
3991
|
getToken() {
|
|
3988
|
-
logger$
|
|
3992
|
+
logger$5.getToken.info(`Skipping ${this.credentialName}, reason: ${this.credentialUnavailableErrorMessage}`);
|
|
3989
3993
|
return Promise.resolve(null);
|
|
3990
3994
|
}
|
|
3991
3995
|
}
|
|
@@ -4013,7 +4017,7 @@ class DefaultAzureCredential extends ChainedTokenCredential {
|
|
|
4013
4017
|
return createCredentialFn(options);
|
|
4014
4018
|
}
|
|
4015
4019
|
catch (err) {
|
|
4016
|
-
logger$
|
|
4020
|
+
logger$5.warning(`Skipped ${createCredentialFn.name} because of an error creating the credential: ${err}`);
|
|
4017
4021
|
return new UnavailableDefaultCredential(createCredentialFn.name, err.message);
|
|
4018
4022
|
}
|
|
4019
4023
|
});
|
|
@@ -4131,7 +4135,7 @@ class MsalOpenBrowser extends MsalNode {
|
|
|
4131
4135
|
|
|
4132
4136
|
// Copyright (c) Microsoft Corporation.
|
|
4133
4137
|
// Licensed under the MIT license.
|
|
4134
|
-
const logger$
|
|
4138
|
+
const logger$4 = credentialLogger("InteractiveBrowserCredential");
|
|
4135
4139
|
/**
|
|
4136
4140
|
* Enables authentication to Microsoft Entra ID inside of the web browser
|
|
4137
4141
|
* using the interactive login flow.
|
|
@@ -4162,7 +4166,7 @@ class InteractiveBrowserCredential {
|
|
|
4162
4166
|
throw new Error("In order to do WAM authentication, `parentWindowHandle` under `brokerOptions` is a required parameter");
|
|
4163
4167
|
}
|
|
4164
4168
|
else {
|
|
4165
|
-
this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$
|
|
4169
|
+
this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$4,
|
|
4166
4170
|
redirectUri, browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions, brokerOptions: {
|
|
4167
4171
|
enabled: true,
|
|
4168
4172
|
parentWindowHandle: ibcNodeOptions.brokerOptions.parentWindowHandle,
|
|
@@ -4172,7 +4176,7 @@ class InteractiveBrowserCredential {
|
|
|
4172
4176
|
}
|
|
4173
4177
|
}
|
|
4174
4178
|
else {
|
|
4175
|
-
this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$
|
|
4179
|
+
this.msalFlow = new MsalOpenBrowser(Object.assign(Object.assign({}, options), { tokenCredentialOptions: options, logger: logger$4,
|
|
4176
4180
|
redirectUri, browserCustomizationOptions: ibcNodeOptions === null || ibcNodeOptions === void 0 ? void 0 : ibcNodeOptions.browserCustomizationOptions }));
|
|
4177
4181
|
}
|
|
4178
4182
|
this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
|
|
@@ -4191,7 +4195,7 @@ class InteractiveBrowserCredential {
|
|
|
4191
4195
|
*/
|
|
4192
4196
|
async getToken(scopes, options = {}) {
|
|
4193
4197
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
4194
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$
|
|
4198
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$4);
|
|
4195
4199
|
const arrayScopes = ensureScopes(scopes);
|
|
4196
4200
|
return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
|
|
4197
4201
|
});
|
|
@@ -4253,7 +4257,7 @@ class MsalDeviceCode extends MsalNode {
|
|
|
4253
4257
|
|
|
4254
4258
|
// Copyright (c) Microsoft Corporation.
|
|
4255
4259
|
// Licensed under the MIT license.
|
|
4256
|
-
const logger$
|
|
4260
|
+
const logger$3 = credentialLogger("DeviceCodeCredential");
|
|
4257
4261
|
/**
|
|
4258
4262
|
* Method that logs the user code from the DeviceCodeCredential.
|
|
4259
4263
|
* @param deviceCodeInfo - The device code.
|
|
@@ -4289,7 +4293,7 @@ class DeviceCodeCredential {
|
|
|
4289
4293
|
constructor(options) {
|
|
4290
4294
|
this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
|
|
4291
4295
|
this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
|
|
4292
|
-
this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$
|
|
4296
|
+
this.msalFlow = new MsalDeviceCode(Object.assign(Object.assign({}, options), { logger: logger$3, userPromptCallback: (options === null || options === void 0 ? void 0 : options.userPromptCallback) || defaultDeviceCodePromptCallback, tokenCredentialOptions: options || {} }));
|
|
4293
4297
|
this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
|
|
4294
4298
|
}
|
|
4295
4299
|
/**
|
|
@@ -4306,7 +4310,7 @@ class DeviceCodeCredential {
|
|
|
4306
4310
|
*/
|
|
4307
4311
|
async getToken(scopes, options = {}) {
|
|
4308
4312
|
return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
|
|
4309
|
-
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$
|
|
4313
|
+
newOptions.tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds, logger$3);
|
|
4310
4314
|
const arrayScopes = ensureScopes(scopes);
|
|
4311
4315
|
return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
|
|
4312
4316
|
});
|
|
@@ -4330,6 +4334,130 @@ class DeviceCodeCredential {
|
|
|
4330
4334
|
}
|
|
4331
4335
|
}
|
|
4332
4336
|
|
|
4337
|
+
// Copyright (c) Microsoft Corporation.
|
|
4338
|
+
// Licensed under the MIT license.
|
|
4339
|
+
const credentialName$1 = "AzurePipelinesServiceConnectionCredential";
|
|
4340
|
+
const OIDC_API_VERSION = "7.1";
|
|
4341
|
+
const logger$2 = credentialLogger(credentialName$1);
|
|
4342
|
+
/**
|
|
4343
|
+
* This credential is designed to be used in ADO Pipelines with service connections
|
|
4344
|
+
* as a setup for workload identity federation.
|
|
4345
|
+
*/
|
|
4346
|
+
class AzurePipelinesServiceConnectionCredential {
|
|
4347
|
+
/**
|
|
4348
|
+
* AzurePipelinesServiceConnectionCredential supports Federated Identity on Azure Pipelines through Service Connections.
|
|
4349
|
+
* @param tenantId - tenantId associated with the service connection
|
|
4350
|
+
* @param clientId - clientId associated with the service connection
|
|
4351
|
+
* @param serviceConnectionId - id for the service connection
|
|
4352
|
+
* @param options - The identity client options to use for authentication.
|
|
4353
|
+
*/
|
|
4354
|
+
constructor(tenantId, clientId, serviceConnectionId, options) {
|
|
4355
|
+
if (!clientId || !tenantId || !serviceConnectionId) {
|
|
4356
|
+
throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. tenantId, clientId, and serviceConnectionId are required parameters.`);
|
|
4357
|
+
}
|
|
4358
|
+
checkTenantId(logger$2, tenantId);
|
|
4359
|
+
logger$2.info(`Invoking AzurePipelinesServiceConnectionCredential with tenant ID: ${tenantId}, clientId: ${clientId} and service connection id: ${serviceConnectionId}`);
|
|
4360
|
+
if (clientId && tenantId && serviceConnectionId) {
|
|
4361
|
+
this.ensurePipelinesSystemVars();
|
|
4362
|
+
const oidcRequestUrl = `${process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI}${process.env.SYSTEM_TEAMPROJECTID}/_apis/distributedtask/hubs/build/plans/${process.env.SYSTEM_PLANID}/jobs/${process.env.SYSTEM_JOBID}/oidctoken?api-version=${OIDC_API_VERSION}&serviceConnectionId=${this.serviceConnectionId}`;
|
|
4363
|
+
const systemAccessToken = `${process.env.SYSTEM_ACCESSTOKEN}`;
|
|
4364
|
+
logger$2.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, clientId: ${clientId} and service connection id: ${serviceConnectionId}`);
|
|
4365
|
+
this.clientAssertionCredential = new ClientAssertionCredential(tenantId, clientId, this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken), options);
|
|
4366
|
+
}
|
|
4367
|
+
}
|
|
4368
|
+
/**
|
|
4369
|
+
* Authenticates with Microsoft Entra ID and returns an access token if successful.
|
|
4370
|
+
* If authentication fails, a {@link CredentialUnavailableError} or {@link AuthenticationError} will be thrown with the details of the failure.
|
|
4371
|
+
*
|
|
4372
|
+
* @param scopes - The list of scopes for which the token will have access.
|
|
4373
|
+
* @param options - The options used to configure any requests this
|
|
4374
|
+
* TokenCredential implementation might make.
|
|
4375
|
+
*/
|
|
4376
|
+
async getToken(scopes, options) {
|
|
4377
|
+
if (!this.clientAssertionCredential) {
|
|
4378
|
+
const errorMessage = `${credentialName$1}: is unavailable. tenantId, clientId, and serviceConnectionId are required parameters.
|
|
4379
|
+
To use Federation Identity in Azure Pipelines, these are required as inputs / env variables -
|
|
4380
|
+
tenantId,
|
|
4381
|
+
clientId,
|
|
4382
|
+
serviceConnectionId,
|
|
4383
|
+
"SYSTEM_TEAMFOUNDATIONCOLLECTIONURI" &&
|
|
4384
|
+
"SYSTEM_TEAMPROJECTID" &&
|
|
4385
|
+
"SYSTEM_PLANID" &&
|
|
4386
|
+
"SYSTEM_JOBID" &&
|
|
4387
|
+
"SYSTEM_ACCESSTOKEN"
|
|
4388
|
+
See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/troubleshoot`;
|
|
4389
|
+
logger$2.error(errorMessage);
|
|
4390
|
+
throw new CredentialUnavailableError(errorMessage);
|
|
4391
|
+
}
|
|
4392
|
+
logger$2.info("Invoking getToken() of Client Assertion Credential");
|
|
4393
|
+
return this.clientAssertionCredential.getToken(scopes, options);
|
|
4394
|
+
}
|
|
4395
|
+
/**
|
|
4396
|
+
*
|
|
4397
|
+
* @param oidcRequestUrl - oidc request url
|
|
4398
|
+
* @param systemAccessToken - system access token
|
|
4399
|
+
* @returns OIDC token from Azure Pipelines
|
|
4400
|
+
*/
|
|
4401
|
+
async requestOidcToken(oidcRequestUrl, systemAccessToken) {
|
|
4402
|
+
logger$2.info("Requesting OIDC token from Azure Pipelines...");
|
|
4403
|
+
logger$2.info(oidcRequestUrl);
|
|
4404
|
+
const httpClient = coreRestPipeline.createDefaultHttpClient();
|
|
4405
|
+
const request = coreRestPipeline.createPipelineRequest({
|
|
4406
|
+
url: oidcRequestUrl,
|
|
4407
|
+
method: "POST",
|
|
4408
|
+
headers: coreRestPipeline.createHttpHeaders({
|
|
4409
|
+
"Content-Type": "application/json",
|
|
4410
|
+
Authorization: `Bearer ${systemAccessToken}`,
|
|
4411
|
+
}),
|
|
4412
|
+
});
|
|
4413
|
+
const response = await httpClient.sendRequest(request);
|
|
4414
|
+
const text = response.bodyAsText;
|
|
4415
|
+
if (!text) {
|
|
4416
|
+
throw new AuthenticationError(response.status, `${credentialName$1}: Authenticated Failed. Received null token from OIDC request.`);
|
|
4417
|
+
}
|
|
4418
|
+
const result = JSON.parse(text);
|
|
4419
|
+
if (result === null || result === void 0 ? void 0 : result.oidcToken) {
|
|
4420
|
+
return result.oidcToken;
|
|
4421
|
+
}
|
|
4422
|
+
else {
|
|
4423
|
+
throw new AuthenticationError(response.status, `${credentialName$1}: Authentication Failed. oidcToken field not detected in the response. Response = ${JSON.stringify(result)}`);
|
|
4424
|
+
}
|
|
4425
|
+
}
|
|
4426
|
+
/**
|
|
4427
|
+
* Ensures all system env vars are there to form the request uri for OIDC token
|
|
4428
|
+
* @returns void
|
|
4429
|
+
* @throws CredentialUnavailableError
|
|
4430
|
+
*/
|
|
4431
|
+
ensurePipelinesSystemVars() {
|
|
4432
|
+
if (process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI &&
|
|
4433
|
+
process.env.SYSTEM_TEAMPROJECTID &&
|
|
4434
|
+
process.env.SYSTEM_PLANID &&
|
|
4435
|
+
process.env.SYSTEM_JOBID &&
|
|
4436
|
+
process.env.SYSTEM_ACCESSTOKEN) {
|
|
4437
|
+
return;
|
|
4438
|
+
}
|
|
4439
|
+
const missingEnvVars = [];
|
|
4440
|
+
let errorMessage = "";
|
|
4441
|
+
if (!process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI) {
|
|
4442
|
+
missingEnvVars.push("SYSTEM_TEAMFOUNDATIONCOLLECTIONURI");
|
|
4443
|
+
}
|
|
4444
|
+
if (!process.env.SYSTEM_TEAMPROJECTID)
|
|
4445
|
+
missingEnvVars.push("SYSTEM_TEAMPROJECTID");
|
|
4446
|
+
if (!process.env.SYSTEM_PLANID)
|
|
4447
|
+
missingEnvVars.push("SYSTEM_PLANID");
|
|
4448
|
+
if (!process.env.SYSTEM_JOBID)
|
|
4449
|
+
missingEnvVars.push("SYSTEM_JOBID");
|
|
4450
|
+
if (!process.env.SYSTEM_ACCESSTOKEN) {
|
|
4451
|
+
errorMessage +=
|
|
4452
|
+
"\nPlease ensure that the system access token is available in the SYSTEM_ACCESSTOKEN value; this is often most easily achieved by adding a block to the end of your pipeline yaml for the task with:\n env: \n- SYSTEM_ACCESSTOKEN: $(System.AccessToken)";
|
|
4453
|
+
missingEnvVars.push("SYSTEM_ACCESSTOKEN");
|
|
4454
|
+
}
|
|
4455
|
+
if (missingEnvVars.length > 0) {
|
|
4456
|
+
throw new CredentialUnavailableError(`${credentialName$1}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- ${missingEnvVars.join(", ")}.${errorMessage}`);
|
|
4457
|
+
}
|
|
4458
|
+
}
|
|
4459
|
+
}
|
|
4460
|
+
|
|
4333
4461
|
// Copyright (c) Microsoft Corporation.
|
|
4334
4462
|
// Licensed under the MIT license.
|
|
4335
4463
|
/**
|
|
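Review bot: In the new `AzurePipelinesServiceConnectionCredential` constructor, the OIDC request URL is built with `${this.serviceConnectionId}`, but nothing in the visible class assigns `this.serviceConnectionId`, so the query string ends in `serviceConnectionId=undefined` and the request cannot name the intended service connection. Interpolate the constructor parameter instead, `...&serviceConnectionId=${serviceConnectionId}`, or set `this.serviceConnectionId = serviceConnectionId;` before the URL is built. In `requestOidcToken`, `JSON.parse(text)` is unguarded, so a non-JSON reply surfaces as a `SyntaxError` rather than an `AuthenticationError`. The failure message also embeds `JSON.stringify(result)`, which copies the whole response body into an error that callers may well log; reporting only `response.status` and the missing `oidcToken` field would avoid that. This file is the bundled `dist/index.js`, so the change belongs in the credential's source module that the bundle is built from.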
@@ -4630,6 +4758,7 @@ exports.AuthenticationRequiredError = AuthenticationRequiredError;
|
|
|
4630
4758
|
exports.AuthorizationCodeCredential = AuthorizationCodeCredential;
|
|
4631
4759
|
exports.AzureCliCredential = AzureCliCredential;
|
|
4632
4760
|
exports.AzureDeveloperCliCredential = AzureDeveloperCliCredential;
|
|
4761
|
+
exports.AzurePipelinesServiceConnectionCredential = AzurePipelinesServiceConnectionCredential;
|
|
4633
4762
|
exports.AzurePowerShellCredential = AzurePowerShellCredential;
|
|
4634
4763
|
exports.ChainedTokenCredential = ChainedTokenCredential;
|
|
4635
4764
|
exports.ClientAssertionCredential = ClientAssertionCredential;
|
|
@@ -4649,7 +4778,7 @@ exports.WorkloadIdentityCredential = WorkloadIdentityCredential;
|
|
|
4649
4778
|
exports.deserializeAuthenticationRecord = deserializeAuthenticationRecord;
|
|
4650
4779
|
exports.getBearerTokenProvider = getBearerTokenProvider;
|
|
4651
4780
|
exports.getDefaultAzureCredential = getDefaultAzureCredential;
|
|
4652
|
-
exports.logger = logger$
|
|
4781
|
+
exports.logger = logger$q;
|
|
4653
4782
|
exports.serializeAuthenticationRecord = serializeAuthenticationRecord;
|
|
4654
4783
|
exports.useIdentityPlugin = useIdentityPlugin;
|
|
4655
4784
|
//# sourceMappingURL=index.js.map
|