@azure/identity 4.5.1-alpha.20241031.1 → 4.5.1-alpha.20241111.1

package/dist-esm/src/credentials/managedIdentityCredential/legacyMsiProvider.js

@@ -1,309 +0,0 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-import { ConfidentialClientApplication } from "@azure/msal-node";
-import { AuthenticationError, AuthenticationRequiredError, CredentialUnavailableError, } from "../../errors";
-import { cloudShellMsi } from "./cloudShellMsi";
-import { credentialLogger, formatError, formatSuccess } from "../../util/logging";
-import { DeveloperSignOnClientId } from "../../constants";
-import { IdentityClient } from "../../client/identityClient";
-import { appServiceMsi2017 } from "./appServiceMsi2017";
-import { appServiceMsi2019 } from "./appServiceMsi2019";
-import { arcMsi } from "./arcMsi";
-import { fabricMsi } from "./fabricMsi";
-import { getLogLevel } from "@azure/logger";
-import { getMSALLogLevel } from "../../msal/utils";
-import { imdsMsi } from "./imdsMsi";
-import { tokenExchangeMsi } from "./tokenExchangeMsi";
-import { tracingClient } from "../../util/tracing";
-const logger = credentialLogger("ManagedIdentityCredential");
-export class LegacyMsiProvider {
-    constructor(clientIdOrOptions, options) {
-        var _a, _b;
-        this.isEndpointUnavailable = null;
-        this.isAppTokenProviderInitialized = false;
-        this.msiRetryConfig = {
-            maxRetries: 5,
-            startDelayInMs: 800,
-            intervalIncrement: 2,
-        };
-        let _options;
-        if (typeof clientIdOrOptions === "string") {
-            this.clientId = clientIdOrOptions;
-            _options = options;
-        }
-        else {
-            this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
-            _options = clientIdOrOptions;
-        }
-        this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
-        // For JavaScript users.
-        if (this.clientId && this.resourceId) {
-            throw new Error(`ManagedIdentityCredential - Client Id and Resource Id can't be provided at the same time.`);
-        }
-        if (((_a = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
-            this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
-        }
-        this.identityClient = new IdentityClient(_options);
-        this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
-                maxRetries: 0,
-            } }));
-        /**  authority host validation and metadata discovery to be skipped in managed identity
-         * since this wasn't done previously before adding token cache support
-         */
-        this.confidentialApp = new ConfidentialClientApplication({
-            auth: {
-                authority: "https://login.microsoftonline.com/managed_identity",
-                clientId: (_b = this.clientId) !== null && _b !== void 0 ? _b : DeveloperSignOnClientId,
-                clientSecret: "dummy-secret",
-                cloudDiscoveryMetadata: '{"tenant_discovery_endpoint":"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration","api-version":"1.1","metadata":[{"preferred_network":"login.microsoftonline.com","preferred_cache":"login.windows.net","aliases":["login.microsoftonline.com","login.windows.net","login.microsoft.com","sts.windows.net"]},{"preferred_network":"login.partner.microsoftonline.cn","preferred_cache":"login.partner.microsoftonline.cn","aliases":["login.partner.microsoftonline.cn","login.chinacloudapi.cn"]},{"preferred_network":"login.microsoftonline.de","preferred_cache":"login.microsoftonline.de","aliases":["login.microsoftonline.de"]},{"preferred_network":"login.microsoftonline.us","preferred_cache":"login.microsoftonline.us","aliases":["login.microsoftonline.us","login.usgovcloudapi.net"]},{"preferred_network":"login-us.microsoftonline.com","preferred_cache":"login-us.microsoftonline.com","aliases":["login-us.microsoftonline.com"]}]}',
-                authorityMetadata: '{"token_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/common/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantid}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/common/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/common/kerberos","tenant_region_scope":null,"cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}',
-                clientCapabilities: [],
-            },
-            system: {
-                loggerOptions: {
-                    logLevel: getMSALLogLevel(getLogLevel()),
-                },
-            },
-        });
-    }
-    async cachedAvailableMSI(scopes, getTokenOptions) {
-        if (this.cachedMSI) {
-            return this.cachedMSI;
-        }
-        const MSIs = [
-            arcMsi,
-            fabricMsi,
-            appServiceMsi2019,
-            appServiceMsi2017,
-            cloudShellMsi,
-            tokenExchangeMsi,
-            imdsMsi,
-        ];
-        for (const msi of MSIs) {
-            if (await msi.isAvailable({
-                scopes,
-                identityClient: this.isAvailableIdentityClient,
-                clientId: this.clientId,
-                resourceId: this.resourceId,
-                getTokenOptions,
-            })) {
-                this.cachedMSI = msi;
-                return msi;
-            }
-        }
-        throw new CredentialUnavailableError(`ManagedIdentityCredential - No MSI credential available`);
-    }
-    async authenticateManagedIdentity(scopes, getTokenOptions) {
-        const { span, updatedOptions } = tracingClient.startSpan(`ManagedIdentityCredential.authenticateManagedIdentity`, getTokenOptions);
-        try {
-            // Determining the available MSI, and avoiding checking for other MSIs while the program is running.
-            const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
-            return availableMSI.getToken({
-                identityClient: this.identityClient,
-                scopes,
-                clientId: this.clientId,
-                resourceId: this.resourceId,
-                retryConfig: this.msiRetryConfig,
-            }, updatedOptions);
-        }
-        catch (err) {
-            span.setStatus({
-                status: "error",
-                error: err,
-            });
-            throw err;
-        }
-        finally {
-            span.end();
-        }
-    }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options) {
-        let result = null;
-        const { span, updatedOptions } = tracingClient.startSpan(`ManagedIdentityCredential.getToken`, options);
-        try {
-            // isEndpointAvailable can be true, false, or null,
-            // If it's null, it means we don't yet know whether
-            // the endpoint is available and need to check for it.
-            if (this.isEndpointUnavailable !== true) {
-                const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);
-                if (availableMSI.name === "tokenExchangeMsi") {
-                    result = await this.authenticateManagedIdentity(scopes, updatedOptions);
-                }
-                else {
-                    const appTokenParameters = {
-                        correlationId: this.identityClient.getCorrelationId(),
-                        tenantId: (options === null || options === void 0 ? void 0 : options.tenantId) || "managed_identity",
-                        scopes: Array.isArray(scopes) ? scopes : [scopes],
-                        claims: options === null || options === void 0 ? void 0 : options.claims,
-                    };
-                    // Added a check to see if SetAppTokenProvider was already defined.
-                    this.initializeSetAppTokenProvider();
-                    const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential(Object.assign({}, appTokenParameters));
-                    result = this.handleResult(scopes, authenticationResult || undefined);
-                }
-                if (result === null) {
-                    // If authenticateManagedIdentity returns null,
-                    // it means no MSI endpoints are available.
-                    // If so, we avoid trying to reach to them in future requests.
-                    this.isEndpointUnavailable = true;
-                    // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),
-                    // yet we had no access token. For this reason, we'll throw once with a specific message:
-                    const error = new CredentialUnavailableError("The managed identity endpoint was reached, yet no tokens were received.");
-                    logger.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-                // Since `authenticateManagedIdentity` didn't throw, and the result was not null,
-                // We will assume that this endpoint is reachable from this point forward,
-                // and avoid pinging again to it.
-                this.isEndpointUnavailable = false;
-            }
-            else {
-                // We've previously determined that the endpoint was unavailable,
-                // either because it was unreachable or permanently unable to authenticate.
-                const error = new CredentialUnavailableError("The managed identity endpoint is not currently available");
-                logger.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-            logger.getToken.info(formatSuccess(scopes));
-            return result;
-        }
-        catch (err) {
-            // CredentialUnavailable errors are expected to reach here.
-            // We intend them to bubble up, so that DefaultAzureCredential can catch them.
-            if (err.name === "AuthenticationRequiredError") {
-                throw err;
-            }
-            // Expected errors to reach this point:
-            // - Errors coming from a method unexpectedly breaking.
-            // - When identityClient.sendTokenRequest throws, in which case
-            //   if the status code was 400, it means that the endpoint is working,
-            //   but no identity is available.
-            span.setStatus({
-                status: "error",
-                error: err,
-            });
-            // If either the network is unreachable,
-            // we can safely assume the credential is unavailable.
-            if (err.code === "ENETUNREACH") {
-                const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`);
-                logger.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-            // If either the host was unreachable,
-            // we can safely assume the credential is unavailable.
-            if (err.code === "EHOSTUNREACH") {
-                const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. No managed identity endpoint found. Message: ${err.message}`);
-                logger.getToken.info(formatError(scopes, error));
-                throw error;
-            }
-            // If err.statusCode has a value of 400, it comes from sendTokenRequest,
-            // and it means that the endpoint is working, but that no identity is available.
-            if (err.statusCode === 400) {
-                throw new CredentialUnavailableError(`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`);
-            }
-            // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
-            // rather than just timing out, as expected.
-            if (err.statusCode === 403 || err.code === 403) {
-                if (err.message.includes("unreachable")) {
-                    const error = new CredentialUnavailableError(`ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`);
-                    logger.getToken.info(formatError(scopes, error));
-                    throw error;
-                }
-            }
-            // If the error has no status code, we can assume there was no available identity.
-            // This will throw silently during any ChainedTokenCredential.
-            if (err.statusCode === undefined) {
-                throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`);
-            }
-            // Any other error should break the chain.
-            throw new AuthenticationError(err.statusCode, {
-                error: `ManagedIdentityCredential authentication failed.`,
-                error_description: err.message,
-            });
-        }
-        finally {
-            // Finally is always called, both if we return and if we throw in the above try/catch.
-            span.end();
-        }
-    }
-    /**
-     * Handles the MSAL authentication result.
-     * If the result has an account, we update the local account reference.
-     * If the token received is invalid, an error will be thrown depending on what's missing.
-     */
-    handleResult(scopes, result, getTokenOptions) {
-        var _a;
-        this.ensureValidMsalToken(scopes, result, getTokenOptions);
-        logger.getToken.info(formatSuccess(scopes));
-        return {
-            token: result.accessToken,
-            expiresOnTimestamp: result.expiresOn.getTime(),
-            refreshAfterTimestamp: (_a = result.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
-            tokenType: "Bearer",
-        };
-    }
-    /**
-     * Ensures the validity of the MSAL token
-     */
-    ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
-        const error = (message) => {
-            logger.getToken.info(message);
-            return new AuthenticationRequiredError({
-                scopes: Array.isArray(scopes) ? scopes : [scopes],
-                getTokenOptions,
-                message,
-            });
-        };
-        if (!msalToken) {
-            throw error("No response");
-        }
-        if (!msalToken.expiresOn) {
-            throw error(`Response had no "expiresOn" property.`);
-        }
-        if (!msalToken.accessToken) {
-            throw error(`Response had no "accessToken" property.`);
-        }
-    }
-    initializeSetAppTokenProvider() {
-        if (!this.isAppTokenProviderInitialized) {
-            this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {
-                logger.info(`SetAppTokenProvider invoked with parameters- ${JSON.stringify(appTokenProviderParameters)}`);
-                const getTokenOptions = Object.assign({}, appTokenProviderParameters);
-                logger.info(`authenticateManagedIdentity invoked with scopes- ${JSON.stringify(appTokenProviderParameters.scopes)} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`);
-                const resultToken = await this.authenticateManagedIdentity(appTokenProviderParameters.scopes, getTokenOptions);
-                if (resultToken) {
-                    logger.info(`SetAppTokenProvider will save the token in cache`);
-                    const expiresInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.expiresOnTimestamp)
-                        ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)
-                        : 0;
-                    const refreshInSeconds = (resultToken === null || resultToken === void 0 ? void 0 : resultToken.refreshAfterTimestamp)
-                        ? Math.floor((resultToken.refreshAfterTimestamp - Date.now()) / 1000)
-                        : 0;
-                    return {
-                        accessToken: resultToken === null || resultToken === void 0 ? void 0 : resultToken.token,
-                        expiresInSeconds,
-                        refreshInSeconds,
-                    };
-                }
-                else {
-                    logger.info(`SetAppTokenProvider token has "no_access_token_returned" as the saved token`);
-                    return {
-                        accessToken: "no_access_token_returned",
-                        expiresInSeconds: 0,
-                    };
-                }
-            });
-            this.isAppTokenProviderInitialized = true;
-        }
-    }
-}
-//# sourceMappingURL=legacyMsiProvider.js.map

package/dist-esm/src/credentials/managedIdentityCredential/legacyMsiProvider.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"legacyMsiProvider.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/legacyMsiProvider.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAIlC,OAAO,EAAE,6BAA6B,EAAE,MAAM,kBAAkB,CAAC;AACjE,OAAO,EACL,mBAAmB,EACnB,2BAA2B,EAC3B,0BAA0B,GAC3B,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAElF,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,MAAM,EAAE,MAAM,UAAU,CAAC;AAClC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;AA2B7D,MAAM,OAAO,iBAAiB;IAc5B,YACE,iBAA6D,EAC7D,OAAgC;;QAZ1B,0BAAqB,GAAmB,IAAI,CAAC;QAG7C,kCAA6B,GAAY,KAAK,CAAC;QAC/C,mBAAc,GAAoC;YACxD,UAAU,EAAE,CAAC;YACb,cAAc,EAAE,GAAG;YACnB,iBAAiB,EAAE,CAAC;SACrB,CAAC;QAMA,IAAI,QAA4C,CAAC;QACjD,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC;YAClC,QAAQ,GAAG,OAAO,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,QAAQ,GAAI,iBAAsD,aAAtD,iBAAiB,uBAAjB,iBAAiB,CAAuC,QAAQ,CAAC;YAClF,QAAQ,GAAG,iBAAiB,CAAC;QAC/B,CAAC;QACD,IAAI,CAAC,UAAU,GAAI,QAA6C,aAA7C,QAAQ,uBAAR,QAAQ,CAAuC,UAAU,CAAC;QAC7E,wBAAwB;QACxB,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;QACJ,CAAC;QACD,IAAI,CAAA,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,YAAY,0CAAE,UAAU,MAAK,SAAS,EAAE,CAAC;YACrD,IAAI,CAAC,cAAc,CAAC,UAAU,GAAG,QAAQ,CAAC,YAAY,CAAC,UAAU,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,yBAAyB,GAAG,IAAI,cAAc,iCAC9C,QAAQ,KACX,YAAY,EAAE;gBACZ,UAAU,EAAE,CAAC;aACd,IACD,CAAC;QAEH;;WAEG;QACH,IAAI,CAAC,eAAe,GAAG,IAAI,6BAA6B,CAAC;YACvD,IAAI,EAAE;gBACJ,SAAS,EAAE,oDAAoD;gBAC/D,QAAQ,EAAE,MAAA,IAAI,CAAC,QAAQ,mCAAI,uBAAuB;gBAClD,YAAY,EAAE,cAAc;gBAC5B,sBAAsB,EACpB,w7BAAw7B;gBAC17B,iBAAiB,EACf,6gDAA6gD;gBAC/gD,kBAAkB,EAAE,EAAE;aACvB;YACD,MAAM,EAAE;gBACN,aAAa,EAAE;oBACb,QAAQ,EAAE,eAAe,CAAC,WAAW,EAAE,CAAC;iBACzC;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAIO,KAAK,CAAC,kBAAkB,CAC9B,MAAyB,EACzB,eAAiC;QAEjC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;QAED,MAAM,IAAI,GAAG;YACX,MAAM;YACN,SAAS;YACT,iBAAiB;YACjB,iBAAiB;YACjB,aAAa;YACb,gBAAgB;YAChB,OAAO;SACR,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,IACE,MAAM,GAAG,CAAC,WAAW,CAAC;gBACpB,MAAM;gBACN,cAAc,EAAE,IAAI,CAAC,yBAAyB;gBAC9C,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,eAAe;aAChB,CAAC,EACF,CAAC;gBACD,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC;gBACrB,OAAO,GAAG,CAAC;YACb,CAAC;QACH,CAAC;QAED,MAAM,IAAI,0BAA0B,CAAC,yDAAyD,CAAC,CAAC;IAClG,CAAC;IAEO,KAAK,CAAC,2BAA2B,CACvC,MAAyB,EACzB,eAAiC;QAEjC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,aAAa,CAAC,SAAS,CACtD,uDAAuD,EACvD,eAAe,CAChB,CAAC;QAEF,IAAI,CAAC;YACH,oGAAoG;YACpG,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;YAC3E,OAAO,YAAY,CAAC,QAAQ,CAC1B;gBACE,cAAc,EAAE,IAAI,CAAC,cAAc;gBACnC,MAAM;gBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;gBAC3B,WAAW,EAAE,IAAI,CAAC,cAAc;aACjC,EACD,cAAc,CACf,CAAC;QACJ,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,IAAI,CAAC,SAAS,CAAC;gBACb,MAAM,EAAE,OAAO;gBACf,KAAK,EAAE,GAAG;aACX,CAAC,CAAC;YACH,MAAM,GAAG,CAAC;QACZ,CAAC;gBAAS,CAAC;YACT,IAAI,CAAC,GAAG,EAAE,CAAC;QACb,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,OAAyB;QAEzB,IAAI,MAAM,GAAuB,IAAI,CAAC;QACtC,MAAM,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,aAAa,CAAC,SAAS,CACtD,oCAAoC,EACpC,OAAO,CACR,CAAC;QACF,IAAI,CAAC;YACH,mDAAmD;YACnD,mDAAmD;YACnD,sDAAsD;YACtD,IAAI,IAAI,CAAC,qBAAqB,KAAK,IAAI,EAAE,CAAC;gBACxC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;gBAC3E,IAAI,YAAY,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBAC7C,MAAM,GAAG,MAAM,IAAI,CAAC,2BAA2B,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;gBAC1E,CAAC;qBAAM,CAAC;oBACN,MAAM,kBAAkB,GAA+B;wBACrD,aAAa,EAAE,IAAI,CAAC,cAAc,CAAC,gBAAgB,EAAE;wBACrD,QAAQ,EAAE,CAAA,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,KAAI,kBAAkB;wBACjD,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;wBACjD,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,MAAM;qBACxB,CAAC;oBAEF,mEAAmE;oBACnE,IAAI,CAAC,6BAA6B,EAAE,CAAC;oBACrC,MAAM,oBAAoB,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,8BAA8B,mBACjF,kBAAkB,EACrB,CAAC;oBACH,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,oBAAoB,IAAI,SAAS,CAAC,CAAC;gBACxE,CAAC;gBACD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;oBACpB,+CAA+C;oBAC/C,2CAA2C;oBAC3C,8DAA8D;oBAC9D,IAAI,CAAC,qBAAqB,GAAG,IAAI,CAAC;oBAElC,qGAAqG;oBACrG,yFAAyF;oBACzF,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,yEAAyE,CAC1E,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,iFAAiF;gBACjF,0EAA0E;gBAC1E,iCAAiC;gBACjC,IAAI,CAAC,qBAAqB,GAAG,KAAK,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,iEAAiE;gBACjE,2EAA2E;gBAC3E,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,0DAA0D,CAC3D,CAAC;gBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;YAED,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5C,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,2DAA2D;YAC3D,8EAA8E;YAC9E,IAAI,GAAG,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;gBAC/C,MAAM,GAAG,CAAC;YACZ,CAAC;YAED,uCAAuC;YACvC,uDAAuD;YACvD,+DAA+D;YAC/D,uEAAuE;YACvE,kCAAkC;YAElC,IAAI,CAAC,SAAS,CAAC;gBACb,MAAM,EAAE,OAAO;gBACf,KAAK,EAAE,GAAG;aACX,CAAC,CAAC;YAEH,wCAAwC;YACxC,sDAAsD;YACtD,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;gBAC/B,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,yEAAyE,GAAG,CAAC,OAAO,EAAE,CACvF,CAAC;gBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;YAED,sCAAsC;YACtC,sDAAsD;YACtD,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;gBAChC,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,wFAAwF,GAAG,CAAC,OAAO,EAAE,CACtG,CAAC;gBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;YACD,wEAAwE;YACxE,gFAAgF;YAChF,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC3B,MAAM,IAAI,0BAA0B,CAClC,kHAAkH,GAAG,CAAC,OAAO,EAAE,CAChI,CAAC;YACJ,CAAC;YAED,6NAA6N;YAC7N,4CAA4C;YAC5C,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC;gBAC/C,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;oBACxC,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,yEAAyE,GAAG,CAAC,OAAO,EAAE,CACvF,CAAC;oBAEF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;YACH,CAAC;YAED,kFAAkF;YAClF,8DAA8D;YAC9D,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;gBACjC,MAAM,IAAI,0BAA0B,CAClC,6DAA6D,GAAG,CAAC,OAAO,EAAE,CAC3E,CAAC;YACJ,CAAC;YAED,0CAA0C;YAC1C,MAAM,IAAI,mBAAmB,CAAC,GAAG,CAAC,UAAU,EAAE;gBAC5C,KAAK,EAAE,kDAAkD;gBACzD,iBAAiB,EAAE,GAAG,CAAC,OAAO;aAC/B,CAAC,CAAC;QACL,CAAC;gBAAS,CAAC;YACT,sFAAsF;YACtF,IAAI,CAAC,GAAG,EAAE,CAAC;QACb,CAAC;IACH,CAAC;IAED;;;;OAIG;IACK,YAAY,CAClB,MAAyB,EACzB,MAAmB,EACnB,eAAiC;;QAEjC,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC;QAC3D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;QAC5C,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,WAAW;YACzB,kBAAkB,EAAE,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE;YAC9C,qBAAqB,EAAE,MAAA,MAAM,CAAC,SAAS,0CAAE,OAAO,EAAE;YAClD,SAAS,EAAE,QAAQ;SACL,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,oBAAoB,CAC1B,MAAyB,EACzB,SAAqB,EACrB,eAAiC;QAEjC,MAAM,KAAK,GAAG,CAAC,OAAe,EAAS,EAAE;YACvC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9B,OAAO,IAAI,2BAA2B,CAAC;gBACrC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACjD,eAAe;gBACf,OAAO;aACR,CAAC,CAAC;QACL,CAAC,CAAC;QACF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,KAAK,CAAC,aAAa,CAAC,CAAC;QAC7B,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACzB,MAAM,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC3B,MAAM,KAAK,CAAC,yCAAyC,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAEO,6BAA6B;QACnC,IAAI,CAAC,IAAI,CAAC,6BAA6B,EAAE,CAAC;YACxC,IAAI,CAAC,eAAe,CAAC,mBAAmB,CAAC,KAAK,EAAE,0BAA0B,EAAE,EAAE;gBAC5E,MAAM,CAAC,IAAI,CACT,gDAAgD,IAAI,CAAC,SAAS,CAC5D,0BAA0B,CAC3B,EAAE,CACJ,CAAC;gBACF,MAAM,eAAe,qBAChB,0BAA0B,CAC9B,CAAC;gBACF,MAAM,CAAC,IAAI,CACT,oDAAoD,IAAI,CAAC,SAAS,CAChE,0BAA0B,CAAC,MAAM,CAClC,0BAA0B,IAAI,CAAC,SAAS,CAAC,eAAe,CAAC,EAAE,CAC7D,CAAC;gBACF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,2BAA2B,CACxD,0BAA0B,CAAC,MAAM,EACjC,eAAe,CAChB,CAAC;gBAEF,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;oBAEhE,MAAM,gBAAgB,GAAG,CAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,kBAAkB;wBACtD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,kBAAkB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;wBAClE,CAAC,CAAC,CAAC,CAAC;oBACN,MAAM,gBAAgB,GAAG,CAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,qBAAqB;wBACzD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,CAAC,qBAAqB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC;wBACrE,CAAC,CAAC,CAAC,CAAC;oBACN,OAAO;wBACL,WAAW,EAAE,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,KAAK;wBAC/B,gBAAgB;wBAChB,gBAAgB;qBACjB,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,CACT,6EAA6E,CAC9E,CAAC;oBACF,OAAO;wBACL,WAAW,EAAE,0BAA0B;wBACvC,gBAAgB,EAAE,CAAC;qBACpB,CAAC;gBACJ,CAAC;YACH,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,6BAA6B,GAAG,IAAI,CAAC;QAC5C,CAAC;IACH,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport type { AppTokenProviderParameters } from \"@azure/msal-node\";\nimport { ConfidentialClientApplication } from \"@azure/msal-node\";\nimport {\n  AuthenticationError,\n  AuthenticationRequiredError,\n  CredentialUnavailableError,\n} from \"../../errors\";\nimport type { MSI, MSIConfiguration, MSIToken } from \"./models\";\nimport type { MsalResult, MsalToken, ValidMsalToken } from \"../../msal/types\";\nimport { cloudShellMsi } from \"./cloudShellMsi\";\nimport { credentialLogger, formatError, formatSuccess } from \"../../util/logging\";\n\nimport { DeveloperSignOnClientId } from \"../../constants\";\nimport { IdentityClient } from \"../../client/identityClient\";\nimport type { TokenCredentialOptions } from \"../../tokenCredentialOptions\";\nimport { appServiceMsi2017 } from \"./appServiceMsi2017\";\nimport { appServiceMsi2019 } from \"./appServiceMsi2019\";\nimport { arcMsi } from \"./arcMsi\";\nimport { fabricMsi } from \"./fabricMsi\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { getMSALLogLevel } from \"../../msal/utils\";\nimport { imdsMsi } from \"./imdsMsi\";\nimport { tokenExchangeMsi } from \"./tokenExchangeMsi\";\nimport { tracingClient } from \"../../util/tracing\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential\");\n\n// As part of the migration of Managed Identity to MSAL, this legacy provider captures the existing behavior\n// ported over from the ManagedIdentityCredential verbatim. This is to ensure that the existing behavior\n// is maintained while the new implementation is being tested and validated.\n// https://github.com/Azure/azure-sdk-for-js/issues/30189  tracks deleting this provider once it is no longer needed.\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * Since this is an internal implementation, uses a looser interface than the public one.\n */\ninterface ManagedIdentityCredentialOptions extends TokenCredentialOptions {\n  /**\n   * The client ID of the user - assigned identity, or app registration(when working with AKS pod - identity).\n   */\n  clientId?: string;\n\n  /**\n   * Allows specifying a custom resource Id.\n   * In scenarios such as when user assigned identities are created using an ARM template,\n   * where the resource Id of the identity is known but the client Id can't be known ahead of time,\n   * this parameter allows programs to use these user assigned identities\n   * without having to first determine the client Id of the created identity.\n   */\n  resourceId?: string;\n}\n\nexport class LegacyMsiProvider {\n  private identityClient: IdentityClient;\n  private clientId: string | undefined;\n  private resourceId: string | undefined;\n  private isEndpointUnavailable: boolean | null = null;\n  private isAvailableIdentityClient: IdentityClient;\n  private confidentialApp: ConfidentialClientApplication;\n  private isAppTokenProviderInitialized: boolean = false;\n  private msiRetryConfig: MSIConfiguration[\"retryConfig\"] = {\n    maxRetries: 5,\n    startDelayInMs: 800,\n    intervalIncrement: 2,\n  };\n\n  constructor(\n    clientIdOrOptions?: string | ManagedIdentityCredentialOptions,\n    options?: TokenCredentialOptions,\n  ) {\n    let _options: TokenCredentialOptions | undefined;\n    if (typeof clientIdOrOptions === \"string\") {\n      this.clientId = clientIdOrOptions;\n      _options = options;\n    } else {\n      this.clientId = (clientIdOrOptions as ManagedIdentityCredentialOptions)?.clientId;\n      _options = clientIdOrOptions;\n    }\n    this.resourceId = (_options as ManagedIdentityCredentialOptions)?.resourceId;\n    // For JavaScript users.\n    if (this.clientId && this.resourceId) {\n      throw new Error(\n        `ManagedIdentityCredential - Client Id and Resource Id can't be provided at the same time.`,\n      );\n    }\n    if (_options?.retryOptions?.maxRetries !== undefined) {\n      this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;\n    }\n    this.identityClient = new IdentityClient(_options);\n    this.isAvailableIdentityClient = new IdentityClient({\n      ..._options,\n      retryOptions: {\n        maxRetries: 0,\n      },\n    });\n\n    /**  authority host validation and metadata discovery to be skipped in managed identity\n     * since this wasn't done previously before adding token cache support\n     */\n    this.confidentialApp = new ConfidentialClientApplication({\n      auth: {\n        authority: \"https://login.microsoftonline.com/managed_identity\",\n        clientId: this.clientId ?? DeveloperSignOnClientId,\n        clientSecret: \"dummy-secret\",\n        cloudDiscoveryMetadata:\n          '{\"tenant_discovery_endpoint\":\"https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration\",\"api-version\":\"1.1\",\"metadata\":[{\"preferred_network\":\"login.microsoftonline.com\",\"preferred_cache\":\"login.windows.net\",\"aliases\":[\"login.microsoftonline.com\",\"login.windows.net\",\"login.microsoft.com\",\"sts.windows.net\"]},{\"preferred_network\":\"login.partner.microsoftonline.cn\",\"preferred_cache\":\"login.partner.microsoftonline.cn\",\"aliases\":[\"login.partner.microsoftonline.cn\",\"login.chinacloudapi.cn\"]},{\"preferred_network\":\"login.microsoftonline.de\",\"preferred_cache\":\"login.microsoftonline.de\",\"aliases\":[\"login.microsoftonline.de\"]},{\"preferred_network\":\"login.microsoftonline.us\",\"preferred_cache\":\"login.microsoftonline.us\",\"aliases\":[\"login.microsoftonline.us\",\"login.usgovcloudapi.net\"]},{\"preferred_network\":\"login-us.microsoftonline.com\",\"preferred_cache\":\"login-us.microsoftonline.com\",\"aliases\":[\"login-us.microsoftonline.com\"]}]}',\n        authorityMetadata:\n          '{\"token_endpoint\":\"https://login.microsoftonline.com/common/oauth2/v2.0/token\",\"token_endpoint_auth_methods_supported\":[\"client_secret_post\",\"private_key_jwt\",\"client_secret_basic\"],\"jwks_uri\":\"https://login.microsoftonline.com/common/discovery/v2.0/keys\",\"response_modes_supported\":[\"query\",\"fragment\",\"form_post\"],\"subject_types_supported\":[\"pairwise\"],\"id_token_signing_alg_values_supported\":[\"RS256\"],\"response_types_supported\":[\"code\",\"id_token\",\"code id_token\",\"id_token token\"],\"scopes_supported\":[\"openid\",\"profile\",\"email\",\"offline_access\"],\"issuer\":\"https://login.microsoftonline.com/{tenantid}/v2.0\",\"request_uri_parameter_supported\":false,\"userinfo_endpoint\":\"https://graph.microsoft.com/oidc/userinfo\",\"authorization_endpoint\":\"https://login.microsoftonline.com/common/oauth2/v2.0/authorize\",\"device_authorization_endpoint\":\"https://login.microsoftonline.com/common/oauth2/v2.0/devicecode\",\"http_logout_supported\":true,\"frontchannel_logout_supported\":true,\"end_session_endpoint\":\"https://login.microsoftonline.com/common/oauth2/v2.0/logout\",\"claims_supported\":[\"sub\",\"iss\",\"cloud_instance_name\",\"cloud_instance_host_name\",\"cloud_graph_host_name\",\"msgraph_host\",\"aud\",\"exp\",\"iat\",\"auth_time\",\"acr\",\"nonce\",\"preferred_username\",\"name\",\"tid\",\"ver\",\"at_hash\",\"c_hash\",\"email\"],\"kerberos_endpoint\":\"https://login.microsoftonline.com/common/kerberos\",\"tenant_region_scope\":null,\"cloud_instance_name\":\"microsoftonline.com\",\"cloud_graph_host_name\":\"graph.windows.net\",\"msgraph_host\":\"graph.microsoft.com\",\"rbac_url\":\"https://pas.windows.net\"}',\n        clientCapabilities: [],\n      },\n      system: {\n        loggerOptions: {\n          logLevel: getMSALLogLevel(getLogLevel()),\n        },\n      },\n    });\n  }\n\n  private cachedMSI: MSI | undefined;\n\n  private async cachedAvailableMSI(\n    scopes: string | string[],\n    getTokenOptions?: GetTokenOptions,\n  ): Promise<MSI> {\n    if (this.cachedMSI) {\n      return this.cachedMSI;\n    }\n\n    const MSIs = [\n      arcMsi,\n      fabricMsi,\n      appServiceMsi2019,\n      appServiceMsi2017,\n      cloudShellMsi,\n      tokenExchangeMsi,\n      imdsMsi,\n    ];\n\n    for (const msi of MSIs) {\n      if (\n        await msi.isAvailable({\n          scopes,\n          identityClient: this.isAvailableIdentityClient,\n          clientId: this.clientId,\n          resourceId: this.resourceId,\n          getTokenOptions,\n        })\n      ) {\n        this.cachedMSI = msi;\n        return msi;\n      }\n    }\n\n    throw new CredentialUnavailableError(`ManagedIdentityCredential - No MSI credential available`);\n  }\n\n  private async authenticateManagedIdentity(\n    scopes: string | string[],\n    getTokenOptions?: GetTokenOptions,\n  ): Promise<MSIToken | null> {\n    const { span, updatedOptions } = tracingClient.startSpan(\n      `ManagedIdentityCredential.authenticateManagedIdentity`,\n      getTokenOptions,\n    );\n\n    try {\n      // Determining the available MSI, and avoiding checking for other MSIs while the program is running.\n      const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);\n      return availableMSI.getToken(\n        {\n          identityClient: this.identityClient,\n          scopes,\n          clientId: this.clientId,\n          resourceId: this.resourceId,\n          retryConfig: this.msiRetryConfig,\n        },\n        updatedOptions,\n      );\n    } catch (err: any) {\n      span.setStatus({\n        status: \"error\",\n        error: err,\n      });\n      throw err;\n    } finally {\n      span.end();\n    }\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options?: GetTokenOptions,\n  ): Promise<AccessToken> {\n    let result: AccessToken | null = null;\n    const { span, updatedOptions } = tracingClient.startSpan(\n      `ManagedIdentityCredential.getToken`,\n      options,\n    );\n    try {\n      // isEndpointAvailable can be true, false, or null,\n      // If it's null, it means we don't yet know whether\n      // the endpoint is available and need to check for it.\n      if (this.isEndpointUnavailable !== true) {\n        const availableMSI = await this.cachedAvailableMSI(scopes, updatedOptions);\n        if (availableMSI.name === \"tokenExchangeMsi\") {\n          result = await this.authenticateManagedIdentity(scopes, updatedOptions);\n        } else {\n          const appTokenParameters: AppTokenProviderParameters = {\n            correlationId: this.identityClient.getCorrelationId(),\n            tenantId: options?.tenantId || \"managed_identity\",\n            scopes: Array.isArray(scopes) ? scopes : [scopes],\n            claims: options?.claims,\n          };\n\n          // Added a check to see if SetAppTokenProvider was already defined.\n          this.initializeSetAppTokenProvider();\n          const authenticationResult = await this.confidentialApp.acquireTokenByClientCredential({\n            ...appTokenParameters,\n          });\n          result = this.handleResult(scopes, authenticationResult || undefined);\n        }\n        if (result === null) {\n          // If authenticateManagedIdentity returns null,\n          // it means no MSI endpoints are available.\n          // If so, we avoid trying to reach to them in future requests.\n          this.isEndpointUnavailable = true;\n\n          // It also means that the endpoint answered with either 200 or 201 (see the sendTokenRequest method),\n          // yet we had no access token. For this reason, we'll throw once with a specific message:\n          const error = new CredentialUnavailableError(\n            \"The managed identity endpoint was reached, yet no tokens were received.\",\n          );\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n\n        // Since `authenticateManagedIdentity` didn't throw, and the result was not null,\n        // We will assume that this endpoint is reachable from this point forward,\n        // and avoid pinging again to it.\n        this.isEndpointUnavailable = false;\n      } else {\n        // We've previously determined that the endpoint was unavailable,\n        // either because it was unreachable or permanently unable to authenticate.\n        const error = new CredentialUnavailableError(\n          \"The managed identity endpoint is not currently available\",\n        );\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n\n      logger.getToken.info(formatSuccess(scopes));\n      return result;\n    } catch (err: any) {\n      // CredentialUnavailable errors are expected to reach here.\n      // We intend them to bubble up, so that DefaultAzureCredential can catch them.\n      if (err.name === \"AuthenticationRequiredError\") {\n        throw err;\n      }\n\n      // Expected errors to reach this point:\n      // - Errors coming from a method unexpectedly breaking.\n      // - When identityClient.sendTokenRequest throws, in which case\n      //   if the status code was 400, it means that the endpoint is working,\n      //   but no identity is available.\n\n      span.setStatus({\n        status: \"error\",\n        error: err,\n      });\n\n      // If either the network is unreachable,\n      // we can safely assume the credential is unavailable.\n      if (err.code === \"ENETUNREACH\") {\n        const error = new CredentialUnavailableError(\n          `ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`,\n        );\n\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n\n      // If either the host was unreachable,\n      // we can safely assume the credential is unavailable.\n      if (err.code === \"EHOSTUNREACH\") {\n        const error = new CredentialUnavailableError(\n          `ManagedIdentityCredential: Unavailable. No managed identity endpoint found. Message: ${err.message}`,\n        );\n\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n      // If err.statusCode has a value of 400, it comes from sendTokenRequest,\n      // and it means that the endpoint is working, but that no identity is available.\n      if (err.statusCode === 400) {\n        throw new CredentialUnavailableError(\n          `ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`,\n        );\n      }\n\n      // This is a special case for Docker Desktop which responds with a 403 with a message that contains \"A socket operation was attempted to an unreachable network\" or \"A socket operation was attempted to an unreachable host\"\n      // rather than just timing out, as expected.\n      if (err.statusCode === 403 || err.code === 403) {\n        if (err.message.includes(\"unreachable\")) {\n          const error = new CredentialUnavailableError(\n            `ManagedIdentityCredential: Unavailable. Network unreachable. Message: ${err.message}`,\n          );\n\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n      }\n\n      // If the error has no status code, we can assume there was no available identity.\n      // This will throw silently during any ChainedTokenCredential.\n      if (err.statusCode === undefined) {\n        throw new CredentialUnavailableError(\n          `ManagedIdentityCredential: Authentication failed. Message ${err.message}`,\n        );\n      }\n\n      // Any other error should break the chain.\n      throw new AuthenticationError(err.statusCode, {\n        error: `ManagedIdentityCredential authentication failed.`,\n        error_description: err.message,\n      });\n    } finally {\n      // Finally is always called, both if we return and if we throw in the above try/catch.\n      span.end();\n    }\n  }\n\n  /**\n   * Handles the MSAL authentication result.\n   * If the result has an account, we update the local account reference.\n   * If the token received is invalid, an error will be thrown depending on what's missing.\n   */\n  private handleResult(\n    scopes: string | string[],\n    result?: MsalResult,\n    getTokenOptions?: GetTokenOptions,\n  ): AccessToken {\n    this.ensureValidMsalToken(scopes, result, getTokenOptions);\n    logger.getToken.info(formatSuccess(scopes));\n    return {\n      token: result.accessToken,\n      expiresOnTimestamp: result.expiresOn.getTime(),\n      refreshAfterTimestamp: result.refreshOn?.getTime(),\n      tokenType: \"Bearer\",\n    } as AccessToken;\n  }\n\n  /**\n   * Ensures the validity of the MSAL token\n   */\n  private ensureValidMsalToken(\n    scopes: string | string[],\n    msalToken?: MsalToken,\n    getTokenOptions?: GetTokenOptions,\n  ): asserts msalToken is ValidMsalToken {\n    const error = (message: string): Error => {\n      logger.getToken.info(message);\n      return new AuthenticationRequiredError({\n        scopes: Array.isArray(scopes) ? scopes : [scopes],\n        getTokenOptions,\n        message,\n      });\n    };\n    if (!msalToken) {\n      throw error(\"No response\");\n    }\n    if (!msalToken.expiresOn) {\n      throw error(`Response had no \"expiresOn\" property.`);\n    }\n    if (!msalToken.accessToken) {\n      throw error(`Response had no \"accessToken\" property.`);\n    }\n  }\n\n  private initializeSetAppTokenProvider(): void {\n    if (!this.isAppTokenProviderInitialized) {\n      this.confidentialApp.SetAppTokenProvider(async (appTokenProviderParameters) => {\n        logger.info(\n          `SetAppTokenProvider invoked with parameters- ${JSON.stringify(\n            appTokenProviderParameters,\n          )}`,\n        );\n        const getTokenOptions: GetTokenOptions = {\n          ...appTokenProviderParameters,\n        };\n        logger.info(\n          `authenticateManagedIdentity invoked with scopes- ${JSON.stringify(\n            appTokenProviderParameters.scopes,\n          )} and getTokenOptions - ${JSON.stringify(getTokenOptions)}`,\n        );\n        const resultToken = await this.authenticateManagedIdentity(\n          appTokenProviderParameters.scopes,\n          getTokenOptions,\n        );\n\n        if (resultToken) {\n          logger.info(`SetAppTokenProvider will save the token in cache`);\n\n          const expiresInSeconds = resultToken?.expiresOnTimestamp\n            ? Math.floor((resultToken.expiresOnTimestamp - Date.now()) / 1000)\n            : 0;\n          const refreshInSeconds = resultToken?.refreshAfterTimestamp\n            ? Math.floor((resultToken.refreshAfterTimestamp - Date.now()) / 1000)\n            : 0;\n          return {\n            accessToken: resultToken?.token,\n            expiresInSeconds,\n            refreshInSeconds,\n          };\n        } else {\n          logger.info(\n            `SetAppTokenProvider token has \"no_access_token_returned\" as the saved token`,\n          );\n          return {\n            accessToken: \"no_access_token_returned\",\n            expiresInSeconds: 0,\n          };\n        }\n      });\n      this.isAppTokenProviderInitialized = true;\n    }\n  }\n}\n"]}

package/dist-esm/src/credentials/managedIdentityCredential/msalMsiProvider.js

@@ -1,212 +0,0 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-import { AuthenticationRequiredError, CredentialUnavailableError } from "../../errors";
-import { credentialLogger, formatError, formatSuccess } from "../../util/logging";
-import { defaultLoggerCallback, getMSALLogLevel } from "../../msal/utils";
-import { IdentityClient } from "../../client/identityClient";
-import { ManagedIdentityApplication } from "@azure/msal-node";
-import { getLogLevel } from "@azure/logger";
-import { imdsMsi } from "./imdsMsi";
-import { imdsRetryPolicy } from "./imdsRetryPolicy";
-import { mapScopesToResource } from "./utils";
-import { tokenExchangeMsi } from "./tokenExchangeMsi";
-import { tracingClient } from "../../util/tracing";
-const logger = credentialLogger("ManagedIdentityCredential(MSAL)");
-export class MsalMsiProvider {
-    constructor(clientIdOrOptions, options = {}) {
-        var _a, _b;
-        this.msiRetryConfig = {
-            maxRetries: 5,
-            startDelayInMs: 800,
-            intervalIncrement: 2,
-        };
-        let _options = {};
-        if (typeof clientIdOrOptions === "string") {
-            this.clientId = clientIdOrOptions;
-            _options = options;
-        }
-        else {
-            this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
-            _options = clientIdOrOptions !== null && clientIdOrOptions !== void 0 ? clientIdOrOptions : {};
-        }
-        this.resourceId = _options === null || _options === void 0 ? void 0 : _options.resourceId;
-        this.objectId = _options === null || _options === void 0 ? void 0 : _options.objectId;
-        // For JavaScript users.
-        const providedIds = [this.clientId, this.resourceId, this.objectId].filter(Boolean);
-        if (providedIds.length > 1) {
-            throw new Error(`ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify({ clientId: this.clientId, resourceId: this.resourceId, objectId: this.objectId })}`);
-        }
-        // ManagedIdentity uses http for local requests
-        _options.allowInsecureConnection = true;
-        if (((_a = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
-            this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
-        }
-        this.identityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: "perCall" }] }));
-        this.managedIdentityApp = new ManagedIdentityApplication({
-            managedIdentityIdParams: {
-                userAssignedClientId: this.clientId,
-                userAssignedResourceId: this.resourceId,
-                userAssignedObjectId: this.objectId,
-            },
-            system: {
-                // todo: proxyUrl?
-                disableInternalRetries: true,
-                networkClient: this.identityClient,
-                loggerOptions: {
-                    logLevel: getMSALLogLevel(getLogLevel()),
-                    piiLoggingEnabled: (_b = options.loggingOptions) === null || _b === void 0 ? void 0 : _b.enableUnsafeSupportLogging,
-                    loggerCallback: defaultLoggerCallback(logger),
-                },
-            },
-        });
-        this.isAvailableIdentityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { retryOptions: {
-                maxRetries: 0,
-            } }));
-        // CloudShell MSI will ignore any user-assigned identity passed as parameters. To avoid confusion, we prevent this from happening as early as possible.
-        if (this.managedIdentityApp.getManagedIdentitySource() === "CloudShell") {
-            if (this.clientId || this.resourceId || this.objectId) {
-                logger.warning(`CloudShell MSI detected with user-provided IDs - throwing. Received values: ${JSON.stringify({
-                    clientId: this.clientId,
-                    resourceId: this.resourceId,
-                    objectId: this.objectId,
-                })}.`);
-                throw new CredentialUnavailableError("ManagedIdentityCredential: Specifying a user-assigned managed identity is not supported for CloudShell at runtime. When using Managed Identity in CloudShell, omit the clientId, resourceId, and objectId parameters.");
-            }
-        }
-    }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options = {}) {
-        logger.getToken.info("Using the MSAL provider for Managed Identity.");
-        const resource = mapScopesToResource(scopes);
-        if (!resource) {
-            throw new CredentialUnavailableError(`ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(scopes)}`);
-        }
-        return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
-            var _a;
-            try {
-                const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({
-                    scopes,
-                    clientId: this.clientId,
-                    getTokenOptions: options,
-                    identityClient: this.identityClient,
-                    resourceId: this.resourceId,
-                });
-                // Most scenarios are handled by MSAL except for two:
-                // AKS pod identity - MSAL does not implement the token exchange flow.
-                // IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.
-                // As a DefaultAzureCredential optimization we probe the IMDS endpoint with a short timeout and no retries before actually trying to get a token
-                // We will continue to implement these features in the Identity library.
-                const identitySource = this.managedIdentityApp.getManagedIdentitySource();
-                const isImdsMsi = identitySource === "DefaultToImds" || identitySource === "Imds"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.
-                logger.getToken.info(`MSAL Identity source: ${identitySource}`);
-                if (isTokenExchangeMsi) {
-                    // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.
-                    logger.getToken.info("Using the token exchange managed identity.");
-                    const result = await tokenExchangeMsi.getToken({
-                        scopes,
-                        clientId: this.clientId,
-                        identityClient: this.identityClient,
-                        retryConfig: this.msiRetryConfig,
-                        resourceId: this.resourceId,
-                    });
-                    if (result === null) {
-                        throw new CredentialUnavailableError("Attempted to use the token exchange managed identity, but received a null response.");
-                    }
-                    return result;
-                }
-                else if (isImdsMsi) {
-                    // In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.
-                    // If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.
-                    logger.getToken.info("Using the IMDS endpoint to probe for availability.");
-                    const isAvailable = await imdsMsi.isAvailable({
-                        scopes,
-                        clientId: this.clientId,
-                        getTokenOptions: options,
-                        identityClient: this.isAvailableIdentityClient,
-                        resourceId: this.resourceId,
-                    });
-                    if (!isAvailable) {
-                        throw new CredentialUnavailableError(`Attempted to use the IMDS endpoint, but it is not available.`);
-                    }
-                }
-                // If we got this far, it means:
-                // - This is not a tokenExchangeMsi,
-                // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable.
-                // We can proceed normally by calling MSAL for a token.
-                logger.getToken.info("Calling into MSAL for managed identity token.");
-                const token = await this.managedIdentityApp.acquireToken({
-                    resource,
-                });
-                this.ensureValidMsalToken(scopes, token, options);
-                logger.getToken.info(formatSuccess(scopes));
-                return {
-                    expiresOnTimestamp: token.expiresOn.getTime(),
-                    token: token.accessToken,
-                    refreshAfterTimestamp: (_a = token.refreshOn) === null || _a === void 0 ? void 0 : _a.getTime(),
-                    tokenType: "Bearer",
-                };
-            }
-            catch (err) {
-                logger.getToken.error(formatError(scopes, err));
-                // AuthenticationRequiredError described as Error to enforce authentication after trying to retrieve a token silently.
-                // TODO: why would this _ever_ happen considering we're not trying the silent request in this flow?
-                if (err.name === "AuthenticationRequiredError") {
-                    throw err;
-                }
-                if (isNetworkError(err)) {
-                    throw new CredentialUnavailableError(`ManagedIdentityCredential: Network unreachable. Message: ${err.message}`, { cause: err });
-                }
-                throw new CredentialUnavailableError(`ManagedIdentityCredential: Authentication failed. Message ${err.message}`, { cause: err });
-            }
-        });
-    }
-    /**
-     * Ensures the validity of the MSAL token
-     */
-    ensureValidMsalToken(scopes, msalToken, getTokenOptions) {
-        const createError = (message) => {
-            logger.getToken.info(message);
-            return new AuthenticationRequiredError({
-                scopes: Array.isArray(scopes) ? scopes : [scopes],
-                getTokenOptions,
-                message,
-            });
-        };
-        if (!msalToken) {
-            throw createError("No response.");
-        }
-        if (!msalToken.expiresOn) {
-            throw createError(`Response had no "expiresOn" property.`);
-        }
-        if (!msalToken.accessToken) {
-            throw createError(`Response had no "accessToken" property.`);
-        }
-    }
-}
-function isNetworkError(err) {
-    // MSAL error
-    if (err.errorCode === "network_error") {
-        return true;
-    }
-    // Probe errors
-    if (err.code === "ENETUNREACH" || err.code === "EHOSTUNREACH") {
-        return true;
-    }
-    // This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network" or "A socket operation was attempted to an unreachable host"
-    // rather than just timing out, as expected.
-    if (err.statusCode === 403 || err.code === 403) {
-        if (err.message.includes("unreachable")) {
-            return true;
-        }
-    }
-    return false;
-}
-//# sourceMappingURL=msalMsiProvider.js.map

package/dist-esm/src/credentials/managedIdentityCredential/msalMsiProvider.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"msalMsiProvider.js","sourceRoot":"","sources":["../../../../src/credentials/managedIdentityCredential/msalMsiProvider.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,2BAA2B,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAEvF,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAE1E,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,0BAA0B,EAAE,MAAM,kBAAkB,CAAC;AAE9D,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAC9C,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,MAAM,MAAM,GAAG,gBAAgB,CAAC,iCAAiC,CAAC,CAAC;AA4BnE,MAAM,OAAO,eAAe;IAa1B,YACE,iBAA6D,EAC7D,UAA4C,EAAE;;QATxC,mBAAc,GAAoC;YACxD,UAAU,EAAE,CAAC;YACb,cAAc,EAAE,GAAG;YACnB,iBAAiB,EAAE,CAAC;SACrB,CAAC;QAOA,IAAI,QAAQ,GAAqC,EAAE,CAAC;QACpD,IAAI,OAAO,iBAAiB,KAAK,QAAQ,EAAE,CAAC;YAC1C,IAAI,CAAC,QAAQ,GAAG,iBAAiB,CAAC;YAClC,QAAQ,GAAG,OAAO,CAAC;QACrB,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,QAAQ,GAAG,iBAAiB,aAAjB,iBAAiB,uBAAjB,iBAAiB,CAAE,QAAQ,CAAC;YAC5C,QAAQ,GAAG,iBAAiB,aAAjB,iBAAiB,cAAjB,iBAAiB,GAAI,EAAE,CAAC;QACrC,CAAC;QACD,IAAI,CAAC,UAAU,GAAG,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,UAAU,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,QAAQ,CAAC;QAEnC,wBAAwB;QACxB,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACpF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,oHAAoH,IAAI,CAAC,SAAS,CAChI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAClF,EAAE,CACJ,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC;QAExC,IAAI,CAAA,MAAA,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,YAAY,0CAAE,UAAU,MAAK,SAAS,EAAE,CAAC;YACrD,IAAI,CAAC,cAAc,CAAC,UAAU,GAAG,QAAQ,CAAC,YAAY,CAAC,UAAU,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,iCACnC,QAAQ,KACX,kBAAkB,EAAE,CAAC,EAAE,MAAM,EAAE,eAAe,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,IAC3F,CAAC;QAEH,IAAI,CAAC,kBAAkB,GAAG,IAAI,0BAA0B,CAAC;YACvD,uBAAuB,EAAE;gBACvB,oBAAoB,EAAE,IAAI,CAAC,QAAQ;gBACnC,sBAAsB,EAAE,IAAI,CAAC,UAAU;gBACvC,oBAAoB,EAAE,IAAI,CAAC,QAAQ;aACpC;YACD,MAAM,EAAE;gBACN,kBAAkB;gBAClB,sBAAsB,EAAE,IAAI;gBAC5B,aAAa,EAAE,IAAI,CAAC,cAAc;gBAClC,aAAa,EAAE;oBACb,QAAQ,EAAE,eAAe,CAAC,WAAW,EAAE,CAAC;oBACxC,iBAAiB,EAAE,MAAA,OAAO,CAAC,cAAc,0CAAE,0BAA0B;oBACrE,cAAc,EAAE,qBAAqB,CAAC,MAAM,CAAC;iBAC9C;aACF;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,yBAAyB,GAAG,IAAI,cAAc,iCAC9C,QAAQ,KACX,YAAY,EAAE;gBACZ,UAAU,EAAE,CAAC;aACd,IACD,CAAC;QAEH,uJAAuJ;QACvJ,IAAI,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,EAAE,KAAK,YAAY,EAAE,CAAC;YACxE,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACtD,MAAM,CAAC,OAAO,CACZ,+EAA+E,IAAI,CAAC,SAAS,CAC3F;oBACE,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;iBACxB,CACF,GAAG,CACL,CAAC;gBACF,MAAM,IAAI,0BAA0B,CAClC,uNAAuN,CACxN,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QACtE,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,yEAAyE,IAAI,CAAC,SAAS,CACrF,MAAM,CACP,EAAE,CACJ,CAAC;QACJ,CAAC;QAED,OAAO,aAAa,CAAC,QAAQ,CAAC,oCAAoC,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;;YACtF,IAAI,CAAC;gBACH,MAAM,kBAAkB,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC;oBAC5D,MAAM;oBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,eAAe,EAAE,OAAO;oBACxB,cAAc,EAAE,IAAI,CAAC,cAAc;oBACnC,UAAU,EAAE,IAAI,CAAC,UAAU;iBAC5B,CAAC,CAAC;gBAEH,qDAAqD;gBACrD,sEAAsE;gBACtE,qFAAqF;gBACrF,gJAAgJ;gBAChJ,wEAAwE;gBAExE,MAAM,cAAc,GAAG,IAAI,CAAC,kBAAkB,CAAC,wBAAwB,EAAE,CAAC;gBAC1E,MAAM,SAAS,GAAG,cAAc,KAAK,eAAe,IAAI,cAAc,KAAK,MAAM,CAAC,CAAC,kHAAkH;gBAErM,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,yBAAyB,cAAc,EAAE,CAAC,CAAC;gBAEhE,IAAI,kBAAkB,EAAE,CAAC;oBACvB,8EAA8E;oBAC9E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;oBACnE,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,QAAQ,CAAC;wBAC7C,MAAM;wBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,cAAc,EAAE,IAAI,CAAC,cAAc;wBACnC,WAAW,EAAE,IAAI,CAAC,cAAc;wBAChC,UAAU,EAAE,IAAI,CAAC,UAAU;qBAC5B,CAAC,CAAC;oBAEH,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;wBACpB,MAAM,IAAI,0BAA0B,CAClC,qFAAqF,CACtF,CAAC;oBACJ,CAAC;oBAED,OAAO,MAAM,CAAC;gBAChB,CAAC;qBAAM,IAAI,SAAS,EAAE,CAAC;oBACrB,8GAA8G;oBAC9G,kKAAkK;oBAClK,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;oBAC3E,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC;wBAC5C,MAAM;wBACN,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,eAAe,EAAE,OAAO;wBACxB,cAAc,EAAE,IAAI,CAAC,yBAAyB;wBAC9C,UAAU,EAAE,IAAI,CAAC,UAAU;qBAC5B,CAAC,CAAC;oBAEH,IAAI,CAAC,WAAW,EAAE,CAAC;wBACjB,MAAM,IAAI,0BAA0B,CAClC,8DAA8D,CAC/D,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,gCAAgC;gBAChC,oCAAoC;gBACpC,0FAA0F;gBAC1F,uDAAuD;gBACvD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;gBACtE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC;oBACvD,QAAQ;iBACT,CAAC,CAAC;gBAEH,IAAI,CAAC,oBAAoB,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;gBAClD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;gBAE5C,OAAO;oBACL,kBAAkB,EAAE,KAAK,CAAC,SAAS,CAAC,OAAO,EAAE;oBAC7C,KAAK,EAAE,KAAK,CAAC,WAAW;oBACxB,qBAAqB,EAAE,MAAA,KAAK,CAAC,SAAS,0CAAE,OAAO,EAAE;oBACjD,SAAS,EAAE,QAAQ;iBACL,CAAC;YACnB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;gBAEhD,sHAAsH;gBACtH,mGAAmG;gBACnG,IAAI,GAAG,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;oBAC/C,MAAM,GAAG,CAAC;gBACZ,CAAC;gBAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;oBACxB,MAAM,IAAI,0BAA0B,CAClC,4DAA4D,GAAG,CAAC,OAAO,EAAE,EACzE,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,0BAA0B,CAClC,6DAA6D,GAAG,CAAC,OAAO,EAAE,EAC1E,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,oBAAoB,CAC1B,MAAyB,EACzB,SAAqB,EACrB,eAAiC;QAEjC,MAAM,WAAW,GAAG,CAAC,OAAe,EAAS,EAAE;YAC7C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9B,OAAO,IAAI,2BAA2B,CAAC;gBACrC,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACjD,eAAe;gBACf,OAAO;aACR,CAAC,CAAC;QACL,CAAC,CAAC;QACF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,WAAW,CAAC,cAAc,CAAC,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC;YACzB,MAAM,WAAW,CAAC,uCAAuC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;YAC3B,MAAM,WAAW,CAAC,yCAAyC,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;CACF;AAED,SAAS,cAAc,CAAC,GAAQ;IAC9B,aAAa;IACb,IAAI,GAAG,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,eAAe;IACf,IAAI,GAAG,CAAC,IAAI,KAAK,aAAa,IAAI,GAAG,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6NAA6N;IAC7N,4CAA4C;IAC5C,IAAI,GAAG,CAAC,UAAU,KAAK,GAAG,IAAI,GAAG,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC;QAC/C,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions } from \"@azure/core-auth\";\nimport { AuthenticationRequiredError, CredentialUnavailableError } from \"../../errors\";\nimport type { MsalToken, ValidMsalToken } from \"../../msal/types\";\nimport { credentialLogger, formatError, formatSuccess } from \"../../util/logging\";\nimport { defaultLoggerCallback, getMSALLogLevel } from \"../../msal/utils\";\n\nimport { IdentityClient } from \"../../client/identityClient\";\nimport type { MSIConfiguration } from \"./models\";\nimport { ManagedIdentityApplication } from \"@azure/msal-node\";\nimport type { TokenCredentialOptions } from \"../../tokenCredentialOptions\";\nimport { getLogLevel } from \"@azure/logger\";\nimport { imdsMsi } from \"./imdsMsi\";\nimport { imdsRetryPolicy } from \"./imdsRetryPolicy\";\nimport { mapScopesToResource } from \"./utils\";\nimport { tokenExchangeMsi } from \"./tokenExchangeMsi\";\nimport { tracingClient } from \"../../util/tracing\";\n\nconst logger = credentialLogger(\"ManagedIdentityCredential(MSAL)\");\n\n/**\n * Options to send on the {@link ManagedIdentityCredential} constructor.\n * Since this is an internal implementation, uses a looser interface than the public one.\n */\ninterface ManagedIdentityCredentialOptions extends TokenCredentialOptions {\n  /**\n   * The client ID of the user - assigned identity, or app registration(when working with AKS pod - identity).\n   */\n  clientId?: string;\n\n  /**\n   * Allows specifying a custom resource Id.\n   * In scenarios such as when user assigned identities are created using an ARM template,\n   * where the resource Id of the identity is known but the client Id can't be known ahead of time,\n   * this parameter allows programs to use these user assigned identities\n   * without having to first determine the client Id of the created identity.\n   */\n  resourceId?: string;\n\n  /**\n   * Allows specifying the object ID of the underlying service principal used to authenticate a user-assigned managed identity.\n   * This is an alternative to providing a client ID and is not required for system-assigned managed identities.\n   */\n  objectId?: string;\n}\n\nexport class MsalMsiProvider {\n  private managedIdentityApp: ManagedIdentityApplication;\n  private identityClient: IdentityClient;\n  private clientId?: string;\n  private resourceId?: string;\n  private objectId?: string;\n  private msiRetryConfig: MSIConfiguration[\"retryConfig\"] = {\n    maxRetries: 5,\n    startDelayInMs: 800,\n    intervalIncrement: 2,\n  };\n  private isAvailableIdentityClient: IdentityClient;\n\n  constructor(\n    clientIdOrOptions?: string | ManagedIdentityCredentialOptions,\n    options: ManagedIdentityCredentialOptions = {},\n  ) {\n    let _options: ManagedIdentityCredentialOptions = {};\n    if (typeof clientIdOrOptions === \"string\") {\n      this.clientId = clientIdOrOptions;\n      _options = options;\n    } else {\n      this.clientId = clientIdOrOptions?.clientId;\n      _options = clientIdOrOptions ?? {};\n    }\n    this.resourceId = _options?.resourceId;\n    this.objectId = _options?.objectId;\n\n    // For JavaScript users.\n    const providedIds = [this.clientId, this.resourceId, this.objectId].filter(Boolean);\n    if (providedIds.length > 1) {\n      throw new Error(\n        `ManagedIdentityCredential: only one of 'clientId', 'resourceId', or 'objectId' can be provided. Received values: ${JSON.stringify(\n          { clientId: this.clientId, resourceId: this.resourceId, objectId: this.objectId },\n        )}`,\n      );\n    }\n\n    // ManagedIdentity uses http for local requests\n    _options.allowInsecureConnection = true;\n\n    if (_options?.retryOptions?.maxRetries !== undefined) {\n      this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;\n    }\n\n    this.identityClient = new IdentityClient({\n      ..._options,\n      additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: \"perCall\" }],\n    });\n\n    this.managedIdentityApp = new ManagedIdentityApplication({\n      managedIdentityIdParams: {\n        userAssignedClientId: this.clientId,\n        userAssignedResourceId: this.resourceId,\n        userAssignedObjectId: this.objectId,\n      },\n      system: {\n        // todo: proxyUrl?\n        disableInternalRetries: true,\n        networkClient: this.identityClient,\n        loggerOptions: {\n          logLevel: getMSALLogLevel(getLogLevel()),\n          piiLoggingEnabled: options.loggingOptions?.enableUnsafeSupportLogging,\n          loggerCallback: defaultLoggerCallback(logger),\n        },\n      },\n    });\n\n    this.isAvailableIdentityClient = new IdentityClient({\n      ..._options,\n      retryOptions: {\n        maxRetries: 0,\n      },\n    });\n\n    // CloudShell MSI will ignore any user-assigned identity passed as parameters. To avoid confusion, we prevent this from happening as early as possible.\n    if (this.managedIdentityApp.getManagedIdentitySource() === \"CloudShell\") {\n      if (this.clientId || this.resourceId || this.objectId) {\n        logger.warning(\n          `CloudShell MSI detected with user-provided IDs - throwing. Received values: ${JSON.stringify(\n            {\n              clientId: this.clientId,\n              resourceId: this.resourceId,\n              objectId: this.objectId,\n            },\n          )}.`,\n        );\n        throw new CredentialUnavailableError(\n          \"ManagedIdentityCredential: Specifying a user-assigned managed identity is not supported for CloudShell at runtime. When using Managed Identity in CloudShell, omit the clientId, resourceId, and objectId parameters.\",\n        );\n      }\n    }\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    logger.getToken.info(\"Using the MSAL provider for Managed Identity.\");\n    const resource = mapScopesToResource(scopes);\n    if (!resource) {\n      throw new CredentialUnavailableError(\n        `ManagedIdentityCredential: Multiple scopes are not supported. Scopes: ${JSON.stringify(\n          scopes,\n        )}`,\n      );\n    }\n\n    return tracingClient.withSpan(\"ManagedIdentityCredential.getToken\", options, async () => {\n      try {\n        const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({\n          scopes,\n          clientId: this.clientId,\n          getTokenOptions: options,\n          identityClient: this.identityClient,\n          resourceId: this.resourceId,\n        });\n\n        // Most scenarios are handled by MSAL except for two:\n        // AKS pod identity - MSAL does not implement the token exchange flow.\n        // IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.\n        // As a DefaultAzureCredential optimization we probe the IMDS endpoint with a short timeout and no retries before actually trying to get a token\n        // We will continue to implement these features in the Identity library.\n\n        const identitySource = this.managedIdentityApp.getManagedIdentitySource();\n        const isImdsMsi = identitySource === \"DefaultToImds\" || identitySource === \"Imds\"; // Neither actually checks that IMDS endpoint is available, just that it's the source the MSAL _would_ try to use.\n\n        logger.getToken.info(`MSAL Identity source: ${identitySource}`);\n\n        if (isTokenExchangeMsi) {\n          // In the AKS scenario we will use the existing tokenExchangeMsi indefinitely.\n          logger.getToken.info(\"Using the token exchange managed identity.\");\n          const result = await tokenExchangeMsi.getToken({\n            scopes,\n            clientId: this.clientId,\n            identityClient: this.identityClient,\n            retryConfig: this.msiRetryConfig,\n            resourceId: this.resourceId,\n          });\n\n          if (result === null) {\n            throw new CredentialUnavailableError(\n              \"Attempted to use the token exchange managed identity, but received a null response.\",\n            );\n          }\n\n          return result;\n        } else if (isImdsMsi) {\n          // In the IMDS scenario we will probe the IMDS endpoint to ensure it's available before trying to get a token.\n          // If the IMDS endpoint is not available and this is the source that MSAL will use, we will fail-fast with an error that tells DAC to move to the next credential.\n          logger.getToken.info(\"Using the IMDS endpoint to probe for availability.\");\n          const isAvailable = await imdsMsi.isAvailable({\n            scopes,\n            clientId: this.clientId,\n            getTokenOptions: options,\n            identityClient: this.isAvailableIdentityClient,\n            resourceId: this.resourceId,\n          });\n\n          if (!isAvailable) {\n            throw new CredentialUnavailableError(\n              `Attempted to use the IMDS endpoint, but it is not available.`,\n            );\n          }\n        }\n\n        // If we got this far, it means:\n        // - This is not a tokenExchangeMsi,\n        // - We already probed for IMDS endpoint availability and failed-fast if it's unreachable.\n        // We can proceed normally by calling MSAL for a token.\n        logger.getToken.info(\"Calling into MSAL for managed identity token.\");\n        const token = await this.managedIdentityApp.acquireToken({\n          resource,\n        });\n\n        this.ensureValidMsalToken(scopes, token, options);\n        logger.getToken.info(formatSuccess(scopes));\n\n        return {\n          expiresOnTimestamp: token.expiresOn.getTime(),\n          token: token.accessToken,\n          refreshAfterTimestamp: token.refreshOn?.getTime(),\n          tokenType: \"Bearer\",\n        } as AccessToken;\n      } catch (err: any) {\n        logger.getToken.error(formatError(scopes, err));\n\n        // AuthenticationRequiredError described as Error to enforce authentication after trying to retrieve a token silently.\n        // TODO: why would this _ever_ happen considering we're not trying the silent request in this flow?\n        if (err.name === \"AuthenticationRequiredError\") {\n          throw err;\n        }\n\n        if (isNetworkError(err)) {\n          throw new CredentialUnavailableError(\n            `ManagedIdentityCredential: Network unreachable. Message: ${err.message}`,\n            { cause: err },\n          );\n        }\n\n        throw new CredentialUnavailableError(\n          `ManagedIdentityCredential: Authentication failed. Message ${err.message}`,\n          { cause: err },\n        );\n      }\n    });\n  }\n\n  /**\n   * Ensures the validity of the MSAL token\n   */\n  private ensureValidMsalToken(\n    scopes: string | string[],\n    msalToken?: MsalToken,\n    getTokenOptions?: GetTokenOptions,\n  ): asserts msalToken is ValidMsalToken {\n    const createError = (message: string): Error => {\n      logger.getToken.info(message);\n      return new AuthenticationRequiredError({\n        scopes: Array.isArray(scopes) ? scopes : [scopes],\n        getTokenOptions,\n        message,\n      });\n    };\n    if (!msalToken) {\n      throw createError(\"No response.\");\n    }\n    if (!msalToken.expiresOn) {\n      throw createError(`Response had no \"expiresOn\" property.`);\n    }\n    if (!msalToken.accessToken) {\n      throw createError(`Response had no \"accessToken\" property.`);\n    }\n  }\n}\n\nfunction isNetworkError(err: any): boolean {\n  // MSAL error\n  if (err.errorCode === \"network_error\") {\n    return true;\n  }\n\n  // Probe errors\n  if (err.code === \"ENETUNREACH\" || err.code === \"EHOSTUNREACH\") {\n    return true;\n  }\n\n  // This is a special case for Docker Desktop which responds with a 403 with a message that contains \"A socket operation was attempted to an unreachable network\" or \"A socket operation was attempted to an unreachable host\"\n  // rather than just timing out, as expected.\n  if (err.statusCode === 403 || err.code === 403) {\n    if (err.message.includes(\"unreachable\")) {\n      return true;\n    }\n  }\n\n  return false;\n}\n"]}