@azure/identity 4.5.1-alpha.20241031.1 → 4.5.1-alpha.20241112.1

package/dist/index.js

@@ -10,8 +10,8 @@ var coreTracing = require('@azure/core-tracing');
 var fs = require('fs');
 var os = require('os');
 var path = require('path');
-var abortController = require('@azure/abort-controller');
 var msalCommon = require('@azure/msal-node');
+var abortController = require('@azure/abort-controller');
 var open = require('open');
 var promises = require('fs/promises');
 var child_process = require('child_process');
@@ -499,12 +499,6 @@ const tracingClient = coreTracing.createTracingClient({
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 const DefaultScopeSuffix = "/.default";
-const imdsHost = "http://169.254.169.254";
-const imdsEndpointPath = "/metadata/identity/oauth2/token";
-const imdsApiVersion = "2018-02-01";
-
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
 /**
  * Most MSIs send requests to the IMDS endpoint, or a similar endpoint.
  * These are GET requests that require sending a `resource` parameter on the query.
@@ -1256,10 +1250,44 @@ function deserializeAuthenticationRecord(serializedRecord) {
     return parsed;
 }
 
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+// Matches the default retry configuration in expontentialRetryStrategy.ts
+const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
+/**
+ * An additional policy that retries on 404 errors. The default retry policy does not retry on
+ * 404s, but the IMDS endpoint can return 404s when the token is not yet available. This policy
+ * will retry on 404s with an exponential backoff.
+ *
+ * @param msiRetryConfig - The retry configuration for the MSI credential.
+ * @returns - The policy that will retry on 404s.
+ */
+function imdsRetryPolicy(msiRetryConfig) {
+    return coreRestPipeline.retryPolicy([
+        {
+            name: "imdsRetryPolicy",
+            retry: ({ retryCount, response }) => {
+                if ((response === null || response === void 0 ? void 0 : response.status) !== 404) {
+                    return { skipStrategy: true };
+                }
+                return coreUtil.calculateRetryDelay(retryCount, {
+                    retryDelayInMs: msiRetryConfig.startDelayInMs,
+                    maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,
+                });
+            },
+        },
+    ], {
+        maxRetries: msiRetryConfig.maxRetries,
+    });
+}
+
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 const msiName$1 = "ManagedIdentityCredential - IMDS";
 const logger$i = credentialLogger(msiName$1);
+const imdsHost = "http://169.254.169.254";
+const imdsEndpointPath = "/metadata/identity/oauth2/token";
+const imdsApiVersion = "2018-02-01";
 /**
  * Generates the options used on the request for an access token.
  */
@@ -1304,11 +1332,14 @@ function prepareRequestOptions(scopes, clientId, resourceId, options) {
     };
 }
 /**
- * Defines how to determine whether the Azure IMDS MSI is available, and also how to retrieve a token from the Azure IMDS MSI.
+ * Defines how to determine whether the Azure IMDS MSI is available.
+ *
+ * Actually getting the token once we determine IMDS is available is handled by MSAL.
  */
 const imdsMsi = {
     name: "imdsMsi",
-    async isAvailable({ scopes, identityClient, clientId, resourceId, getTokenOptions = {}, }) {
+    async isAvailable(options) {
+        const { scopes, identityClient, clientId, resourceId, getTokenOptions } = options;
         const resource = mapScopesToResource(scopes);
         if (!resource) {
             logger$i.info(`${msiName$1}: Unavailable. Multiple scopes are not supported.`);
@@ -1325,16 +1356,16 @@ const imdsMsi = {
             skipMetadataHeader: true,
             skipQuery: true,
         });
-        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions, async (options) => {
+        return tracingClient.withSpan("ManagedIdentityCredential-pingImdsEndpoint", getTokenOptions !== null && getTokenOptions !== void 0 ? getTokenOptions : {}, async (updatedOptions) => {
             var _a, _b;
-            requestOptions.tracingOptions = options.tracingOptions;
+            requestOptions.tracingOptions = updatedOptions.tracingOptions;
             // Create a request with a timeout since we expect that
             // not having a "Metadata" header should cause an error to be
             // returned quickly from the endpoint, proving its availability.
             const request = coreRestPipeline.createPipelineRequest(requestOptions);
             // Default to 1000 if the default of 0 is used.
             // Negative values can still be used to disable the timeout.
-            request.timeout = ((_a = options.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
+            request.timeout = ((_a = updatedOptions.requestOptions) === null || _a === void 0 ? void 0 : _a.timeout) || 1000;
             // This MSI uses the imdsEndpoint to get the token, which only uses http://
             request.allowInsecureConnection = true;
             let response;
@@ -1365,65 +1396,8 @@ const imdsMsi = {
             return true;
         });
     },
-    async getToken(configuration, getTokenOptions = {}) {
-        const { identityClient, scopes, clientId, resourceId } = configuration;
-        if (process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST) {
-            logger$i.info(`${msiName$1}: Using the Azure IMDS endpoint coming from the environment variable AZURE_POD_IDENTITY_AUTHORITY_HOST=${process.env.AZURE_POD_IDENTITY_AUTHORITY_HOST}.`);
-        }
-        else {
-            logger$i.info(`${msiName$1}: Using the default Azure IMDS endpoint ${imdsHost}.`);
-        }
-        let nextDelayInMs = configuration.retryConfig.startDelayInMs;
-        for (let retries = 0; retries < configuration.retryConfig.maxRetries; retries++) {
-            try {
-                const request = coreRestPipeline.createPipelineRequest(Object.assign(Object.assign({ abortSignal: getTokenOptions.abortSignal }, prepareRequestOptions(scopes, clientId, resourceId)), { allowInsecureConnection: true }));
-                const tokenResponse = await identityClient.sendTokenRequest(request);
-                return (tokenResponse && tokenResponse.accessToken) || null;
-            }
-            catch (error) {
-                if (error.statusCode === 404) {
-                    await coreUtil.delay(nextDelayInMs);
-                    nextDelayInMs *= configuration.retryConfig.intervalIncrement;
-                    continue;
-                }
-                throw error;
-            }
-        }
-        throw new AuthenticationError(404, `${msiName$1}: Failed to retrieve IMDS token after ${configuration.retryConfig.maxRetries} retries.`);
-    },
 };
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-// Matches the default retry configuration in expontentialRetryStrategy.ts
-const DEFAULT_CLIENT_MAX_RETRY_INTERVAL = 1000 * 64;
-/**
- * An additional policy that retries on 404 errors. The default retry policy does not retry on
- * 404s, but the IMDS endpoint can return 404s when the token is not yet available. This policy
- * will retry on 404s with an exponential backoff.
- *
- * @param msiRetryConfig - The retry configuration for the MSI credential.
- * @returns - The policy that will retry on 404s.
- */
-function imdsRetryPolicy(msiRetryConfig) {
-    return coreRestPipeline.retryPolicy([
-        {
-            name: "imdsRetryPolicy",
-            retry: ({ retryCount, response }) => {
-                if ((response === null || response === void 0 ? void 0 : response.status) !== 404) {
-                    return { skipStrategy: true };
-                }
-                return coreUtil.calculateRetryDelay(retryCount, {
-                    retryDelayInMs: msiRetryConfig.startDelayInMs,
-                    maxRetryDelayInMs: DEFAULT_CLIENT_MAX_RETRY_INTERVAL,
-                });
-            },
-        },
-    ], {
-        maxRetries: msiRetryConfig.maxRetries,
-    });
-}
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 /**
@@ -2203,10 +2177,13 @@ const msiName = "ManagedIdentityCredential - Token Exchange";
 const logger$f = credentialLogger(msiName);
 /**
  * Defines how to determine whether the token exchange MSI is available, and also how to retrieve a token from the token exchange MSI.
+ *
+ * Token exchange MSI (used by AKS) is the only MSI implementation handled entirely by Azure Identity.
+ * The rest have been migrated to MSAL.
  */
 const tokenExchangeMsi = {
     name: "tokenExchangeMsi",
-    async isAvailable({ clientId }) {
+    async isAvailable(clientId) {
         const env = process.env;
         const result = Boolean((clientId || env.AZURE_CLIENT_ID) &&
             env.AZURE_TENANT_ID &&
@@ -2226,19 +2203,31 @@ const tokenExchangeMsi = {
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
-const logger$e = credentialLogger("ManagedIdentityCredential(MSAL)");
-class MsalMsiProvider {
-    constructor(clientIdOrOptions, options = {}) {
+const logger$e = credentialLogger("ManagedIdentityCredential");
+/**
+ * Attempts authentication using a managed identity available at the deployment environment.
+ * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
+ * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
+ *
+ * More information about configuring managed identities can be found here:
+ * https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
+ */
+class ManagedIdentityCredential {
+    /**
+     * @internal
+     * @hidden
+     */
+    constructor(clientIdOrOptions, options) {
         var _a, _b;
         this.msiRetryConfig = {
             maxRetries: 5,
             startDelayInMs: 800,
             intervalIncrement: 2,
         };
-        let _options = {};
+        let _options;
         if (typeof clientIdOrOptions === "string") {
             this.clientId = clientIdOrOptions;
-            _options = options;
+            _options = options !== null && options !== void 0 ? options : {};
         }
         else {
             this.clientId = clientIdOrOptions === null || clientIdOrOptions === void 0 ? void 0 : clientIdOrOptions.clientId;
@@ -2253,7 +2242,7 @@ class MsalMsiProvider {
         }
         // ManagedIdentity uses http for local requests
         _options.allowInsecureConnection = true;
-        if (((_a = _options === null || _options === void 0 ? void 0 : _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
+        if (((_a = _options.retryOptions) === null || _a === void 0 ? void 0 : _a.maxRetries) !== undefined) {
             this.msiRetryConfig.maxRetries = _options.retryOptions.maxRetries;
         }
         this.identityClient = new IdentityClient(Object.assign(Object.assign({}, _options), { additionalPolicies: [{ policy: imdsRetryPolicy(this.msiRetryConfig), position: "perCall" }] }));
@@ -2264,12 +2253,11 @@ class MsalMsiProvider {
                 userAssignedObjectId: this.objectId,
             },
             system: {
-                // todo: proxyUrl?
                 disableInternalRetries: true,
                 networkClient: this.identityClient,
                 loggerOptions: {
                     logLevel: getMSALLogLevel(logger$m.getLogLevel()),
-                    piiLoggingEnabled: (_b = options.loggingOptions) === null || _b === void 0 ? void 0 : _b.enableUnsafeSupportLogging,
+                    piiLoggingEnabled: (_b = _options.loggingOptions) === null || _b === void 0 ? void 0 : _b.enableUnsafeSupportLogging,
                     loggerCallback: defaultLoggerCallback(logger$e),
                 },
             },
@@ -2307,13 +2295,7 @@ class MsalMsiProvider {
         return tracingClient.withSpan("ManagedIdentityCredential.getToken", options, async () => {
             var _a;
             try {
-                const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable({
-                    scopes,
-                    clientId: this.clientId,
-                    getTokenOptions: options,
-                    identityClient: this.identityClient,
-                    resourceId: this.resourceId,
-                });
+                const isTokenExchangeMsi = await tokenExchangeMsi.isAvailable(this.clientId);
                 // Most scenarios are handled by MSAL except for two:
                 // AKS pod identity - MSAL does not implement the token exchange flow.
                 // IMDS Endpoint probing - MSAL does not do any probing before trying to get a token.
@@ -2425,42 +2407,6 @@ function isNetworkError(err) {
     return false;
 }
 
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-/**
- * Attempts authentication using a managed identity available at the deployment environment.
- * This authentication type works in Azure VMs, App Service instances, Azure Functions applications,
- * Azure Kubernetes Services, Azure Service Fabric instances and inside of the Azure Cloud Shell.
- *
- * More information about configuring managed identities can be found here:
- * https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- */
-class ManagedIdentityCredential {
-    /**
-     * @internal
-     * @hidden
-     */
-    constructor(clientIdOrOptions, options) {
-        // https://github.com/Azure/azure-sdk-for-js/issues/30189
-        // If needed, you may release a hotfix to quickly rollback to the legacy implementation by changing the following line to:
-        // this.implProvider = new LegacyMsiProvider(clientIdOrOptions, options);
-        // Once stabilized, you can remove the legacy implementation and inline the msalMsiProvider code here as a drop-in replacement.
-        this.implProvider = new MsalMsiProvider(clientIdOrOptions, options);
-    }
-    /**
-     * Authenticates with Microsoft Entra ID and returns an access token if successful.
-     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
-     * If an unexpected error occurs, an {@link AuthenticationError} will be thrown with the details of the failure.
-     *
-     * @param scopes - The list of scopes for which the token will have access.
-     * @param options - The options used to configure any requests this
-     *                TokenCredential implementation might make.
-     */
-    async getToken(scopes, options) {
-        return this.implProvider.getToken(scopes, options);
-    }
-}
-
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 /**