@azure/identity 4.3.0-alpha.20240520.1 → 4.3.0-beta.2

package/dist/index.js

@@ -12,6 +12,7 @@ var fs = require('fs');
 var os = require('os');
 var path = require('path');
 var msalCommon = require('@azure/msal-node');
+var fs$1 = require('node:fs');
 var https = require('https');
 var promises = require('fs/promises');
 var child_process = require('child_process');
@@ -44,7 +45,7 @@ var child_process__namespace = /*#__PURE__*/_interopNamespaceDefault(child_proce
 /**
  * Current version of the `@azure/identity` package.
  */
-const SDK_VERSION = `4.3.0-beta.1`;
+const SDK_VERSION = `4.3.0-beta.2`;
 /**
  * The default client ID for authentication
  * @internal
@@ -1179,18 +1180,6 @@ function prepareRequestOptions$3(scopes, clientId, resourceId) {
         }),
     });
 }
-/**
- * Retrieves the file contents at the given path using promises.
- * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
- */
-function readFileAsync$1(path, options) {
-    return new Promise((resolve, reject) => fs.readFile(path, options, (err, data) => {
-        if (err) {
-            reject(err);
-        }
-        resolve(data);
-    }));
-}
 /**
  * Does a request to the authentication provider that results in a file path.
  */
@@ -1211,6 +1200,43 @@ async function filePathRequest(identityClient, requestPrepareOptions) {
         throw Error(`Invalid www-authenticate header format: ${authHeader}`);
     }
 }
+function platformToFilePath() {
+    switch (process.platform) {
+        case "win32":
+            if (!process.env.PROGRAMDATA) {
+                throw new Error(`${msiName$4}: PROGRAMDATA environment variable has no value.`);
+            }
+            return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
+        case "linux":
+            return "/var/opt/azcmagent/tokens";
+        default:
+            throw new Error(`${msiName$4}: Unsupported platform ${process.platform}.`);
+    }
+}
+/**
+ * Validates that a given Azure Arc MSI file path is valid for use.
+ *
+ * A valid file will:
+ * 1. Be in the expected path for the current platform.
+ * 2. Have a `.key` extension.
+ * 3. Be at most 4096 bytes in size.
+ */
+function validateKeyFile(filePath) {
+    if (!filePath) {
+        throw new Error(`${msiName$4}: Failed to find the token file.`);
+    }
+    if (!filePath.endsWith(".key")) {
+        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const expectedPath = platformToFilePath();
+    if (!filePath.startsWith(expectedPath)) {
+        throw new Error(`${msiName$4}: unexpected file path from HIMDS service: ${filePath}.`);
+    }
+    const stats = fs$1.statSync(filePath);
+    if (stats.size > 4096) {
+        throw new Error(`${msiName$4}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`);
+    }
+}
 /**
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
@@ -1240,10 +1266,8 @@ const arcMsi = {
         logger$m.info(`${msiName$4}: Authenticating.`);
         const requestOptions = Object.assign(Object.assign({ disableJsonStringifyOnBody: true, deserializationMapper: undefined, abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions$3(scopes, clientId, resourceId)), { allowInsecureConnection: true });
         const filePath = await filePathRequest(identityClient, requestOptions);
-        if (!filePath) {
-            throw new Error(`${msiName$4}: Failed to find the token file.`);
-        }
-        const key = await readFileAsync$1(filePath, { encoding: "utf-8" });
+        validateKeyFile(filePath);
+        const key = await fs$1.promises.readFile(filePath, { encoding: "utf-8" });
         (_a = requestOptions.headers) === null || _a === void 0 ? void 0 : _a.set("Authorization", `Basic ${key}`);
         const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({}, requestOptions), { 
             // Generally, MSI endpoints use the HTTP protocol, without transport layer security (TLS).
@@ -2185,6 +2209,28 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         }
         return msalToPublic(clientId, state.cachedAccount);
     }
+    async function getTokenByAuthorizationCode(scopes, redirectUri, authorizationCode, clientSecret, options = {}) {
+        msalLogger.getToken.info(`Attempting to acquire token using authorization code`);
+        let msalApp;
+        if (clientSecret) {
+            // If a client secret is provided, we need to use a confidential client application
+            // See https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-access-token-with-a-client_secret
+            state.msalConfig.auth.clientSecret = clientSecret;
+            msalApp = await getConfidentialApp(options);
+        }
+        else {
+            msalApp = await getPublicApp(options);
+        }
+        return withSilentAuthentication(msalApp, scopes, options, () => {
+            return msalApp.acquireTokenByCode({
+                scopes,
+                redirectUri,
+                code: authorizationCode,
+                authority: state.msalConfig.auth.authority,
+                claims: options === null || options === void 0 ? void 0 : options.claims,
+            });
+        });
+    }
     return {
         getActiveAccount,
         getTokenByClientSecret,
@@ -2192,6 +2238,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         getTokenByClientCertificate,
         getTokenByDeviceCode,
         getTokenByUsernamePassword,
+        getTokenByAuthorizationCode,
     };
 }
 
@@ -4326,7 +4373,7 @@ class DeviceCodeCredential {
         const clientId = (_a = options === null || options === void 0 ? void 0 : options.clientId) !== null && _a !== void 0 ? _a : DeveloperSignOnClientId;
         const tenantId = resolveTenantId(logger$3, options === null || options === void 0 ? void 0 : options.tenantId, clientId);
         this.userPromptCallback = (_b = options === null || options === void 0 ? void 0 : options.userPromptCallback) !== null && _b !== void 0 ? _b : defaultDeviceCodePromptCallback;
-        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { tokenCredentialOptions: options || {} }));
+        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$3, tokenCredentialOptions: options || {} }));
         this.disableAutomaticAuthentication = options === null || options === void 0 ? void 0 : options.disableAutomaticAuthentication;
     }
     /**
@@ -4492,50 +4539,6 @@ class AzurePipelinesCredential {
     }
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT license.
-/**
- * This MSAL client sets up a web server to listen for redirect callbacks, then calls to the MSAL's public application's `acquireTokenByDeviceCode` during `doGetToken`
- * to trigger the authentication flow, and then respond based on the values obtained from the redirect callback
- * @internal
- */
-class MsalAuthorizationCode extends MsalNode {
-    constructor(options) {
-        super(options);
-        this.logger = credentialLogger("Node.js MSAL Authorization Code");
-        this.redirectUri = options.redirectUri;
-        this.authorizationCode = options.authorizationCode;
-        if (options.clientSecret) {
-            this.msalConfig.auth.clientSecret = options.clientSecret;
-        }
-    }
-    async getAuthCodeUrl(options) {
-        await this.init();
-        return this.getApp("confidentialFirst", options.enableCae).getAuthCodeUrl({
-            scopes: options.scopes,
-            redirectUri: options.redirectUri,
-        });
-    }
-    async doGetToken(scopes, options) {
-        try {
-            const result = await this.getApp("confidentialFirst", options === null || options === void 0 ? void 0 : options.enableCae).acquireTokenByCode({
-                scopes,
-                redirectUri: this.redirectUri,
-                code: this.authorizationCode,
-                correlationId: options === null || options === void 0 ? void 0 : options.correlationId,
-                authority: options === null || options === void 0 ? void 0 : options.authority,
-                claims: options === null || options === void 0 ? void 0 : options.claims,
-            });
-            // The Client Credential flow does not return an account,
-            // so each time getToken gets called, we will have to acquire a new token through the service.
-            return this.handleResult(scopes, result || undefined);
-        }
-        catch (err) {
-            throw handleMsalError(scopes, err, options);
-        }
-    }
-}
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 const logger$1 = credentialLogger("AuthorizationCodeCredential");
@@ -4553,7 +4556,7 @@ class AuthorizationCodeCredential {
      */
     constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
         checkTenantId(logger$1, tenantId);
-        let clientSecret = clientSecretOrAuthorizationCode;
+        this.clientSecret = clientSecretOrAuthorizationCode;
         if (typeof redirectUriOrOptions === "string") {
             // the clientId+clientSecret constructor
             this.authorizationCode = authorizationCodeOrRedirectUri;
@@ -4564,15 +4567,13 @@ class AuthorizationCodeCredential {
             // clientId only
             this.authorizationCode = clientSecretOrAuthorizationCode;
             this.redirectUri = authorizationCodeOrRedirectUri;
-            clientSecret = undefined;
+            this.clientSecret = undefined;
             options = redirectUriOrOptions;
         }
         // TODO: Validate tenant if provided
         this.tenantId = tenantId;
         this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
-        this.msalFlow = new MsalAuthorizationCode(Object.assign(Object.assign({}, options), { clientSecret,
-            clientId,
-            tenantId, tokenCredentialOptions: options || {}, logger: logger$1, redirectUri: this.redirectUri, authorizationCode: this.authorizationCode }));
+        this.msalClient = createMsalClient(clientId, tenantId, Object.assign(Object.assign({}, options), { logger: logger$1, tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
     }
     /**
      * Authenticates with Microsoft Entra ID and returns an access token if successful.
@@ -4587,7 +4588,7 @@ class AuthorizationCodeCredential {
             const tenantId = processMultiTenantRequest(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
             newOptions.tenantId = tenantId;
             const arrayScopes = ensureScopes(scopes);
-            return this.msalFlow.getToken(arrayScopes, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
+            return this.msalClient.getTokenByAuthorizationCode(arrayScopes, this.redirectUri, this.authorizationCode, this.clientSecret, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
         });
     }
 }