@azure/identity 4.5.1-alpha.20241111.1 → 4.5.1-alpha.20241113.2

package/dist/commonjs/credentials/authorizationCodeCredential.d.ts

@@ -0,0 +1,73 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { AuthorizationCodeCredentialOptions } from "./authorizationCodeCredentialOptions.js";
+/**
+ * Enables authentication to Microsoft Entra ID using an authorization code
+ * that was obtained through the authorization code flow, described in more detail
+ * in the Microsoft Entra ID documentation:
+ *
+ * https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow
+ */
+export declare class AuthorizationCodeCredential implements TokenCredential {
+    private msalClient;
+    private disableAutomaticAuthentication?;
+    private authorizationCode;
+    private redirectUri;
+    private tenantId?;
+    private additionallyAllowedTenantIds;
+    private clientSecret?;
+    /**
+     * Creates an instance of AuthorizationCodeCredential with the details needed
+     * to request an access token using an authentication that was obtained
+     * from Microsoft Entra ID.
+     *
+     * It is currently necessary for the user of this credential to initiate
+     * the authorization code flow to obtain an authorization code to be used
+     * with this credential.  A full example of this flow is provided here:
+     *
+     * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts
+     *
+     * @param tenantId - The Microsoft Entra tenant (directory) ID or name.
+     *                 'common' may be used when dealing with multi-tenant scenarios.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param clientSecret - A client secret that was generated for the App Registration
+     * @param authorizationCode - An authorization code that was received from following the
+                                authorization code flow.  This authorization code must not
+                                have already been used to obtain an access token.
+     * @param redirectUri - The redirect URI that was used to request the authorization code.
+                          Must be the same URI that is configured for the App Registration.
+     * @param options - Options for configuring the client which makes the access token request.
+     */
+    constructor(tenantId: string | "common", clientId: string, clientSecret: string, authorizationCode: string, redirectUri: string, options?: AuthorizationCodeCredentialOptions);
+    /**
+     * Creates an instance of AuthorizationCodeCredential with the details needed
+     * to request an access token using an authentication that was obtained
+     * from Microsoft Entra ID.
+     *
+     * It is currently necessary for the user of this credential to initiate
+     * the authorization code flow to obtain an authorization code to be used
+     * with this credential.  A full example of this flow is provided here:
+     *
+     * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts
+     *
+     * @param tenantId - The Microsoft Entra tenant (directory) ID or name.
+     *                 'common' may be used when dealing with multi-tenant scenarios.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param authorizationCode - An authorization code that was received from following the
+                                authorization code flow.  This authorization code must not
+                                have already been used to obtain an access token.
+     * @param redirectUri - The redirect URI that was used to request the authorization code.
+                          Must be the same URI that is configured for the App Registration.
+     * @param options - Options for configuring the client which makes the access token request.
+     */
+    constructor(tenantId: string | "common", clientId: string, authorizationCode: string, redirectUri: string, options?: AuthorizationCodeCredentialOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+//# sourceMappingURL=authorizationCodeCredential.d.ts.map

package/dist/commonjs/credentials/authorizationCodeCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorizationCodeCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/authorizationCodeCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAKtF,OAAO,KAAK,EAAE,kCAAkC,EAAE,MAAM,yCAAyC,CAAC;AAUlG;;;;;;GAMG;AACH,qBAAa,2BAA4B,YAAW,eAAe;IACjE,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,8BAA8B,CAAC,CAAU;IACjD,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,YAAY,CAAC,CAAS;IAE9B;;;;;;;;;;;;;;;;;;;;;OAqBG;gBAED,QAAQ,EAAE,MAAM,GAAG,QAAQ,EAC3B,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,EACpB,iBAAiB,EAAE,MAAM,EACzB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,kCAAkC;IAE9C;;;;;;;;;;;;;;;;;;;;OAoBG;gBAED,QAAQ,EAAE,MAAM,GAAG,QAAQ,EAC3B,QAAQ,EAAE,MAAM,EAChB,iBAAiB,EAAE,MAAM,EACzB,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE,kCAAkC;IA2C9C;;;;;;;OAOG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,WAAW,CAAC;CA0B/F"}

package/dist/commonjs/credentials/authorizationCodeCredential.js

@@ -0,0 +1,64 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthorizationCodeCredential = void 0;
+const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
+const tenantIdUtils_js_2 = require("../util/tenantIdUtils.js");
+const logging_js_1 = require("../util/logging.js");
+const scopeUtils_js_1 = require("../util/scopeUtils.js");
+const tracing_js_1 = require("../util/tracing.js");
+const msalClient_js_1 = require("../msal/nodeFlows/msalClient.js");
+const logger = (0, logging_js_1.credentialLogger)("AuthorizationCodeCredential");
+/**
+ * Enables authentication to Microsoft Entra ID using an authorization code
+ * that was obtained through the authorization code flow, described in more detail
+ * in the Microsoft Entra ID documentation:
+ *
+ * https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow
+ */
+class AuthorizationCodeCredential {
+    /**
+     * @hidden
+     * @internal
+     */
+    constructor(tenantId, clientId, clientSecretOrAuthorizationCode, authorizationCodeOrRedirectUri, redirectUriOrOptions, options) {
+        (0, tenantIdUtils_js_2.checkTenantId)(logger, tenantId);
+        this.clientSecret = clientSecretOrAuthorizationCode;
+        if (typeof redirectUriOrOptions === "string") {
+            // the clientId+clientSecret constructor
+            this.authorizationCode = authorizationCodeOrRedirectUri;
+            this.redirectUri = redirectUriOrOptions;
+            // in this case, options are good as they come
+        }
+        else {
+            // clientId only
+            this.authorizationCode = clientSecretOrAuthorizationCode;
+            this.redirectUri = authorizationCodeOrRedirectUri;
+            this.clientSecret = undefined;
+            options = redirectUriOrOptions;
+        }
+        // TODO: Validate tenant if provided
+        this.tenantId = tenantId;
+        this.additionallyAllowedTenantIds = (0, tenantIdUtils_js_1.resolveAdditionallyAllowedTenantIds)(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.msalClient = (0, msalClient_js_1.createMsalClient)(clientId, tenantId, Object.assign(Object.assign({}, options), { logger, tokenCredentialOptions: options !== null && options !== void 0 ? options : {} }));
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracing_js_1.tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async (newOptions) => {
+            const tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, newOptions, this.additionallyAllowedTenantIds);
+            newOptions.tenantId = tenantId;
+            const arrayScopes = (0, scopeUtils_js_1.ensureScopes)(scopes);
+            return this.msalClient.getTokenByAuthorizationCode(arrayScopes, this.redirectUri, this.authorizationCode, this.clientSecret, Object.assign(Object.assign({}, newOptions), { disableAutomaticAuthentication: this.disableAutomaticAuthentication }));
+        });
+    }
+}
+exports.AuthorizationCodeCredential = AuthorizationCodeCredential;
+//# sourceMappingURL=authorizationCodeCredential.js.map

package/dist/commonjs/credentials/authorizationCodeCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorizationCodeCredential.js","sourceRoot":"","sources":["../../../src/credentials/authorizationCodeCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAGlC,+DAGkC;AAElC,+DAAyD;AACzD,mDAAsD;AACtD,yDAAqD;AACrD,mDAAmD;AAEnD,mEAAmE;AAEnE,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,6BAA6B,CAAC,CAAC;AAE/D;;;;;;GAMG;AACH,MAAa,2BAA2B;IAmEtC;;;OAGG;IACH,YACE,QAA2B,EAC3B,QAAgB,EAChB,+BAAuC,EACvC,8BAAsC,EACtC,oBAA6E,EAC7E,OAA4C;QAE5C,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAChC,IAAI,CAAC,YAAY,GAAG,+BAA+B,CAAC;QAEpD,IAAI,OAAO,oBAAoB,KAAK,QAAQ,EAAE,CAAC;YAC7C,wCAAwC;YACxC,IAAI,CAAC,iBAAiB,GAAG,8BAA8B,CAAC;YACxD,IAAI,CAAC,WAAW,GAAG,oBAAoB,CAAC;YACxC,8CAA8C;QAChD,CAAC;aAAM,CAAC;YACN,gBAAgB;YAChB,IAAI,CAAC,iBAAiB,GAAG,+BAA+B,CAAC;YACzD,IAAI,CAAC,WAAW,GAAG,8BAAwC,CAAC;YAC5D,IAAI,CAAC,YAAY,GAAG,SAAS,CAAC;YAC9B,OAAO,GAAG,oBAA0D,CAAC;QACvE,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QAEF,IAAI,CAAC,UAAU,GAAG,IAAA,gCAAgB,EAAC,QAAQ,EAAE,QAAQ,kCAChD,OAAO,KACV,MAAM,EACN,sBAAsB,EAAE,OAAO,aAAP,OAAO,cAAP,OAAO,GAAI,EAAE,IACrC,CAAC;IACL,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,OAAO,0BAAa,CAAC,QAAQ,CAC3B,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EACnC,OAAO,EACP,KAAK,EAAE,UAAU,EAAE,EAAE;YACnB,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,UAAU,EACV,IAAI,CAAC,4BAA4B,CAClC,CAAC;YACF,UAAU,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAE/B,MAAM,WAAW,GAAG,IAAA,4BAAY,EAAC,MAAM,CAAC,CAAC;YACzC,OAAO,IAAI,CAAC,UAAU,CAAC,2BAA2B,CAChD,WAAW,EACX,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,iBAAiB,EACtB,IAAI,CAAC,YAAY,kCAEZ,UAAU,KACb,8BAA8B,EAAE,IAAI,CAAC,8BAA8B,IAEtE,CAAC;QACJ,CAAC,CACF,CAAC;IACJ,CAAC;CACF;AA9ID,kEA8IC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport type { AuthorizationCodeCredentialOptions } from \"./authorizationCodeCredentialOptions.js\";\nimport { checkTenantId } from \"../util/tenantIdUtils.js\";\nimport { credentialLogger } from \"../util/logging.js\";\nimport { ensureScopes } from \"../util/scopeUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport type { MsalClient } from \"../msal/nodeFlows/msalClient.js\";\nimport { createMsalClient } from \"../msal/nodeFlows/msalClient.js\";\n\nconst logger = credentialLogger(\"AuthorizationCodeCredential\");\n\n/**\n * Enables authentication to Microsoft Entra ID using an authorization code\n * that was obtained through the authorization code flow, described in more detail\n * in the Microsoft Entra ID documentation:\n *\n * https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow\n */\nexport class AuthorizationCodeCredential implements TokenCredential {\n  private msalClient: MsalClient;\n  private disableAutomaticAuthentication?: boolean;\n  private authorizationCode: string;\n  private redirectUri: string;\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private clientSecret?: string;\n\n  /**\n   * Creates an instance of AuthorizationCodeCredential with the details needed\n   * to request an access token using an authentication that was obtained\n   * from Microsoft Entra ID.\n   *\n   * It is currently necessary for the user of this credential to initiate\n   * the authorization code flow to obtain an authorization code to be used\n   * with this credential.  A full example of this flow is provided here:\n   *\n   * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID or name.\n   *                 'common' may be used when dealing with multi-tenant scenarios.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param clientSecret - A client secret that was generated for the App Registration\n   * @param authorizationCode - An authorization code that was received from following the\n                              authorization code flow.  This authorization code must not\n                              have already been used to obtain an access token.\n   * @param redirectUri - The redirect URI that was used to request the authorization code.\n                        Must be the same URI that is configured for the App Registration.\n   * @param options - Options for configuring the client which makes the access token request.\n   */\n  constructor(\n    tenantId: string | \"common\",\n    clientId: string,\n    clientSecret: string,\n    authorizationCode: string,\n    redirectUri: string,\n    options?: AuthorizationCodeCredentialOptions,\n  );\n  /**\n   * Creates an instance of AuthorizationCodeCredential with the details needed\n   * to request an access token using an authentication that was obtained\n   * from Microsoft Entra ID.\n   *\n   * It is currently necessary for the user of this credential to initiate\n   * the authorization code flow to obtain an authorization code to be used\n   * with this credential.  A full example of this flow is provided here:\n   *\n   * https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/identity/identity/samples/v2/manual/authorizationCodeSample.ts\n   *\n   * @param tenantId - The Microsoft Entra tenant (directory) ID or name.\n   *                 'common' may be used when dealing with multi-tenant scenarios.\n   * @param clientId - The client (application) ID of an App Registration in the tenant.\n   * @param authorizationCode - An authorization code that was received from following the\n                              authorization code flow.  This authorization code must not\n                              have already been used to obtain an access token.\n   * @param redirectUri - The redirect URI that was used to request the authorization code.\n                        Must be the same URI that is configured for the App Registration.\n   * @param options - Options for configuring the client which makes the access token request.\n   */\n  constructor(\n    tenantId: string | \"common\",\n    clientId: string,\n    authorizationCode: string,\n    redirectUri: string,\n    options?: AuthorizationCodeCredentialOptions,\n  );\n  /**\n   * @hidden\n   * @internal\n   */\n  constructor(\n    tenantId: string | \"common\",\n    clientId: string,\n    clientSecretOrAuthorizationCode: string,\n    authorizationCodeOrRedirectUri: string,\n    redirectUriOrOptions: string | AuthorizationCodeCredentialOptions | undefined,\n    options?: AuthorizationCodeCredentialOptions,\n  ) {\n    checkTenantId(logger, tenantId);\n    this.clientSecret = clientSecretOrAuthorizationCode;\n\n    if (typeof redirectUriOrOptions === \"string\") {\n      // the clientId+clientSecret constructor\n      this.authorizationCode = authorizationCodeOrRedirectUri;\n      this.redirectUri = redirectUriOrOptions;\n      // in this case, options are good as they come\n    } else {\n      // clientId only\n      this.authorizationCode = clientSecretOrAuthorizationCode;\n      this.redirectUri = authorizationCodeOrRedirectUri as string;\n      this.clientSecret = undefined;\n      options = redirectUriOrOptions as AuthorizationCodeCredentialOptions;\n    }\n\n    // TODO: Validate tenant if provided\n    this.tenantId = tenantId;\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n\n    this.msalClient = createMsalClient(clientId, tenantId, {\n      ...options,\n      logger,\n      tokenCredentialOptions: options ?? {},\n    });\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    return tracingClient.withSpan(\n      `${this.constructor.name}.getToken`,\n      options,\n      async (newOptions) => {\n        const tenantId = processMultiTenantRequest(\n          this.tenantId,\n          newOptions,\n          this.additionallyAllowedTenantIds,\n        );\n        newOptions.tenantId = tenantId;\n\n        const arrayScopes = ensureScopes(scopes);\n        return this.msalClient.getTokenByAuthorizationCode(\n          arrayScopes,\n          this.redirectUri,\n          this.authorizationCode,\n          this.clientSecret,\n          {\n            ...newOptions,\n            disableAutomaticAuthentication: this.disableAutomaticAuthentication,\n          },\n        );\n      },\n    );\n  }\n}\n"]}

package/dist/commonjs/credentials/authorizationCodeCredentialOptions.d.ts

@@ -0,0 +1,8 @@
+import type { AuthorityValidationOptions } from "./authorityValidationOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Options for the {@link AuthorizationCodeCredential}
+ */
+export interface AuthorizationCodeCredentialOptions extends MultiTenantTokenCredentialOptions, AuthorityValidationOptions {
+}
+//# sourceMappingURL=authorizationCodeCredentialOptions.d.ts.map

package/dist/commonjs/credentials/authorizationCodeCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorizationCodeCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/authorizationCodeCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,kCACf,SAAQ,iCAAiC,EACvC,0BAA0B;CAAG"}

package/dist/commonjs/credentials/authorizationCodeCredentialOptions.js

@@ -0,0 +1,5 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=authorizationCodeCredentialOptions.js.map

package/dist/commonjs/credentials/authorizationCodeCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authorizationCodeCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/authorizationCodeCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link AuthorizationCodeCredential}\n */\nexport interface AuthorizationCodeCredentialOptions\n  extends MultiTenantTokenCredentialOptions,\n    AuthorityValidationOptions {}\n"]}

package/dist/commonjs/credentials/azureApplicationCredential.d.ts

@@ -0,0 +1,24 @@
+import type { AzureApplicationCredentialOptions } from "./azureApplicationCredentialOptions.js";
+import { ChainedTokenCredential } from "./chainedTokenCredential.js";
+/**
+ * Provides a default {@link ChainedTokenCredential} configuration that should
+ * work for most applications that use the Azure SDK.
+ */
+export declare class AzureApplicationCredential extends ChainedTokenCredential {
+    /**
+     * Creates an instance of the AzureApplicationCredential class.
+     *
+     * The AzureApplicationCredential provides a default {@link ChainedTokenCredential} configuration that should
+     * work for most applications deployed on Azure. The following credential types will be tried, in order:
+     *
+     * - {@link EnvironmentCredential}
+     * - {@link ManagedIdentityCredential}
+     *
+     * Consult the documentation of these credential types for more information
+     * on how they attempt authentication.
+     *
+     * @param options - Optional parameters. See {@link AzureApplicationCredentialOptions}.
+     */
+    constructor(options?: AzureApplicationCredentialOptions);
+}
+//# sourceMappingURL=azureApplicationCredential.d.ts.map

package/dist/commonjs/credentials/azureApplicationCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureApplicationCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureApplicationCredential.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAChG,OAAO,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAErE;;;GAGG;AACH,qBAAa,0BAA2B,SAAQ,sBAAsB;IACpE;;;;;;;;;;;;;OAaG;gBACS,OAAO,CAAC,EAAE,iCAAiC;CAOxD"}

package/dist/commonjs/credentials/azureApplicationCredential.js

@@ -0,0 +1,36 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureApplicationCredential = void 0;
+const defaultAzureCredential_js_1 = require("./defaultAzureCredential.js");
+const chainedTokenCredential_js_1 = require("./chainedTokenCredential.js");
+/**
+ * Provides a default {@link ChainedTokenCredential} configuration that should
+ * work for most applications that use the Azure SDK.
+ */
+class AzureApplicationCredential extends chainedTokenCredential_js_1.ChainedTokenCredential {
+    /**
+     * Creates an instance of the AzureApplicationCredential class.
+     *
+     * The AzureApplicationCredential provides a default {@link ChainedTokenCredential} configuration that should
+     * work for most applications deployed on Azure. The following credential types will be tried, in order:
+     *
+     * - {@link EnvironmentCredential}
+     * - {@link ManagedIdentityCredential}
+     *
+     * Consult the documentation of these credential types for more information
+     * on how they attempt authentication.
+     *
+     * @param options - Optional parameters. See {@link AzureApplicationCredentialOptions}.
+     */
+    constructor(options) {
+        const credentialFunctions = [
+            defaultAzureCredential_js_1.createEnvironmentCredential,
+            defaultAzureCredential_js_1.createDefaultManagedIdentityCredential,
+        ];
+        super(...credentialFunctions.map((createCredentialFn) => createCredentialFn(options)));
+    }
+}
+exports.AzureApplicationCredential = AzureApplicationCredential;
+//# sourceMappingURL=azureApplicationCredential.js.map

package/dist/commonjs/credentials/azureApplicationCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureApplicationCredential.js","sourceRoot":"","sources":["../../../src/credentials/azureApplicationCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAElC,2EAGqC;AAGrC,2EAAqE;AAErE;;;GAGG;AACH,MAAa,0BAA2B,SAAQ,kDAAsB;IACpE;;;;;;;;;;;;;OAaG;IACH,YAAY,OAA2C;QACrD,MAAM,mBAAmB,GAAG;YAC1B,uDAA2B;YAC3B,kEAAsC;SACvC,CAAC;QACF,KAAK,CAAC,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC,kBAAkB,EAAE,EAAE,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IACzF,CAAC;CACF;AAtBD,gEAsBC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport {\n  createDefaultManagedIdentityCredential,\n  createEnvironmentCredential,\n} from \"./defaultAzureCredential.js\";\n\nimport type { AzureApplicationCredentialOptions } from \"./azureApplicationCredentialOptions.js\";\nimport { ChainedTokenCredential } from \"./chainedTokenCredential.js\";\n\n/**\n * Provides a default {@link ChainedTokenCredential} configuration that should\n * work for most applications that use the Azure SDK.\n */\nexport class AzureApplicationCredential extends ChainedTokenCredential {\n  /**\n   * Creates an instance of the AzureApplicationCredential class.\n   *\n   * The AzureApplicationCredential provides a default {@link ChainedTokenCredential} configuration that should\n   * work for most applications deployed on Azure. The following credential types will be tried, in order:\n   *\n   * - {@link EnvironmentCredential}\n   * - {@link ManagedIdentityCredential}\n   *\n   * Consult the documentation of these credential types for more information\n   * on how they attempt authentication.\n   *\n   * @param options - Optional parameters. See {@link AzureApplicationCredentialOptions}.\n   */\n  constructor(options?: AzureApplicationCredentialOptions) {\n    const credentialFunctions = [\n      createEnvironmentCredential,\n      createDefaultManagedIdentityCredential,\n    ];\n    super(...credentialFunctions.map((createCredentialFn) => createCredentialFn(options)));\n  }\n}\n"]}

package/dist/commonjs/credentials/azureApplicationCredentialOptions.d.ts

@@ -0,0 +1,13 @@
+import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Provides options to configure the {@link AzureApplicationCredential} class.
+ */
+export interface AzureApplicationCredentialOptions extends MultiTenantTokenCredentialOptions, CredentialPersistenceOptions {
+    /**
+     * Optionally pass in a user assigned client ID to be used by the {@link ManagedIdentityCredential}.
+     * This client ID can also be passed through to the {@link ManagedIdentityCredential} through the environment variable: AZURE_CLIENT_ID.
+     */
+    managedIdentityClientId?: string;
+}
+//# sourceMappingURL=azureApplicationCredentialOptions.d.ts.map

package/dist/commonjs/credentials/azureApplicationCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureApplicationCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureApplicationCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACtF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,iCACf,SAAQ,iCAAiC,EACvC,4BAA4B;IAC9B;;;OAGG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAC;CAClC"}

package/dist/commonjs/credentials/azureApplicationCredentialOptions.js

@@ -0,0 +1,5 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=azureApplicationCredentialOptions.js.map

package/dist/commonjs/credentials/azureApplicationCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureApplicationCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/azureApplicationCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Provides options to configure the {@link AzureApplicationCredential} class.\n */\nexport interface AzureApplicationCredentialOptions\n  extends MultiTenantTokenCredentialOptions,\n    CredentialPersistenceOptions {\n  /**\n   * Optionally pass in a user assigned client ID to be used by the {@link ManagedIdentityCredential}.\n   * This client ID can also be passed through to the {@link ManagedIdentityCredential} through the environment variable: AZURE_CLIENT_ID.\n   */\n  managedIdentityClientId?: string;\n}\n"]}

package/dist/commonjs/credentials/azureCliCredential.d.ts

@@ -0,0 +1,64 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { AzureCliCredentialOptions } from "./azureCliCredentialOptions.js";
+/**
+ * Mockable reference to the CLI credential cliCredentialFunctions
+ * @internal
+ */
+export declare const cliCredentialInternals: {
+    /**
+     * @internal
+     */
+    getSafeWorkingDir(): string;
+    /**
+     * Gets the access token from Azure CLI
+     * @param resource - The resource to use when getting the token
+     * @internal
+     */
+    getAzureCliAccessToken(resource: string, tenantId?: string, subscription?: string, timeout?: number): Promise<{
+        stdout: string;
+        stderr: string;
+        error: Error | null;
+    }>;
+};
+/**
+ * This credential will use the currently logged-in user login information
+ * via the Azure CLI ('az') commandline tool.
+ * To do so, it will read the user access token and expire time
+ * with Azure CLI command "az account get-access-token".
+ */
+export declare class AzureCliCredential implements TokenCredential {
+    private tenantId?;
+    private additionallyAllowedTenantIds;
+    private timeout?;
+    private subscription?;
+    /**
+     * Creates an instance of the {@link AzureCliCredential}.
+     *
+     * To use this credential, ensure that you have already logged
+     * in via the 'az' tool using the command "az login" from the commandline.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options?: AzureCliCredentialOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+    /**
+     * Parses the raw JSON response from the Azure CLI into a usable AccessToken object
+     *
+     * @param rawResponse - The raw JSON response from the Azure CLI
+     * @returns An access token with the expiry time parsed from the raw response
+     *
+     * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:
+     *
+     * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.
+     */
+    private parseRawResponse;
+}
+//# sourceMappingURL=azureCliCredential.d.ts.map

package/dist/commonjs/credentials/azureCliCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureCliCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureCliCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAStF,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAMhF;;;GAGG;AACH,eAAO,MAAM,sBAAsB;IACjC;;OAEG;yBACkB,MAAM;IAW3B;;;;OAIG;qCAES,MAAM,aACL,MAAM,iBACF,MAAM,YACX,MAAM,GACf,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;KAAE,CAAC;CAkCpE,CAAC;AAIF;;;;;GAKG;AACH,qBAAa,kBAAmB,YAAW,eAAe;IACxD,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IACzB,OAAO,CAAC,YAAY,CAAC,CAAS;IAE9B;;;;;;;OAOG;gBACS,OAAO,CAAC,EAAE,yBAAyB;IAe/C;;;;;;;OAOG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;IAoEvB;;;;;;;;;OASG;IACH,OAAO,CAAC,gBAAgB;CA+BzB"}

package/dist/commonjs/credentials/azureCliCredential.js

@@ -0,0 +1,194 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureCliCredential = exports.cliCredentialInternals = void 0;
+const tslib_1 = require("tslib");
+const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
+const logging_js_1 = require("../util/logging.js");
+const scopeUtils_js_1 = require("../util/scopeUtils.js");
+const errors_js_1 = require("../errors.js");
+const child_process_1 = tslib_1.__importDefault(require("child_process"));
+const tracing_js_1 = require("../util/tracing.js");
+const subscriptionUtils_js_1 = require("../util/subscriptionUtils.js");
+/**
+ * Mockable reference to the CLI credential cliCredentialFunctions
+ * @internal
+ */
+exports.cliCredentialInternals = {
+    /**
+     * @internal
+     */
+    getSafeWorkingDir() {
+        if (process.platform === "win32") {
+            if (!process.env.SystemRoot) {
+                throw new Error("Azure CLI credential expects a 'SystemRoot' environment variable");
+            }
+            return process.env.SystemRoot;
+        }
+        else {
+            return "/bin";
+        }
+    },
+    /**
+     * Gets the access token from Azure CLI
+     * @param resource - The resource to use when getting the token
+     * @internal
+     */
+    async getAzureCliAccessToken(resource, tenantId, subscription, timeout) {
+        let tenantSection = [];
+        let subscriptionSection = [];
+        if (tenantId) {
+            tenantSection = ["--tenant", tenantId];
+        }
+        if (subscription) {
+            // Add quotes around the subscription to handle subscriptions with spaces
+            subscriptionSection = ["--subscription", `"${subscription}"`];
+        }
+        return new Promise((resolve, reject) => {
+            try {
+                child_process_1.default.execFile("az", [
+                    "account",
+                    "get-access-token",
+                    "--output",
+                    "json",
+                    "--resource",
+                    resource,
+                    ...tenantSection,
+                    ...subscriptionSection,
+                ], { cwd: exports.cliCredentialInternals.getSafeWorkingDir(), shell: true, timeout }, (error, stdout, stderr) => {
+                    resolve({ stdout: stdout, stderr: stderr, error });
+                });
+            }
+            catch (err) {
+                reject(err);
+            }
+        });
+    },
+};
+const logger = (0, logging_js_1.credentialLogger)("AzureCliCredential");
+/**
+ * This credential will use the currently logged-in user login information
+ * via the Azure CLI ('az') commandline tool.
+ * To do so, it will read the user access token and expire time
+ * with Azure CLI command "az account get-access-token".
+ */
+class AzureCliCredential {
+    /**
+     * Creates an instance of the {@link AzureCliCredential}.
+     *
+     * To use this credential, ensure that you have already logged
+     * in via the 'az' tool using the command "az login" from the commandline.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options) {
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            (0, tenantIdUtils_js_1.checkTenantId)(logger, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
+        if (options === null || options === void 0 ? void 0 : options.subscription) {
+            (0, subscriptionUtils_js_1.checkSubscription)(logger, options === null || options === void 0 ? void 0 : options.subscription);
+            this.subscription = options === null || options === void 0 ? void 0 : options.subscription;
+        }
+        this.additionallyAllowedTenantIds = (0, tenantIdUtils_js_1.resolveAdditionallyAllowedTenantIds)(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        const tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, options, this.additionallyAllowedTenantIds);
+        if (tenantId) {
+            (0, tenantIdUtils_js_1.checkTenantId)(logger, tenantId);
+        }
+        if (this.subscription) {
+            (0, subscriptionUtils_js_1.checkSubscription)(logger, this.subscription);
+        }
+        const scope = typeof scopes === "string" ? scopes : scopes[0];
+        logger.getToken.info(`Using the scope ${scope}`);
+        return tracing_js_1.tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
+            var _a, _b, _c, _d;
+            try {
+                (0, scopeUtils_js_1.ensureValidScopeForDevTimeCreds)(scope, logger);
+                const resource = (0, scopeUtils_js_1.getScopeResource)(scope);
+                const obj = await exports.cliCredentialInternals.getAzureCliAccessToken(resource, tenantId, this.subscription, this.timeout);
+                const specificScope = (_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("(.*)az login --scope(.*)");
+                const isLoginError = ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("(.*)az login(.*)")) && !specificScope;
+                const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("az:(.*)not found")) || ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'az' is not recognized"));
+                if (isNotInstallError) {
+                    const error = new errors_js_1.CredentialUnavailableError("Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
+                    logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
+                    throw error;
+                }
+                if (isLoginError) {
+                    const error = new errors_js_1.CredentialUnavailableError("Please run 'az login' from a command prompt to authenticate before using this credential.");
+                    logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
+                    throw error;
+                }
+                try {
+                    const responseData = obj.stdout;
+                    const response = this.parseRawResponse(responseData);
+                    logger.getToken.info((0, logging_js_1.formatSuccess)(scopes));
+                    return response;
+                }
+                catch (e) {
+                    if (obj.stderr) {
+                        throw new errors_js_1.CredentialUnavailableError(obj.stderr);
+                    }
+                    throw e;
+                }
+            }
+            catch (err) {
+                const error = err.name === "CredentialUnavailableError"
+                    ? err
+                    : new errors_js_1.CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
+                logger.getToken.info((0, logging_js_1.formatError)(scopes, error));
+                throw error;
+            }
+        });
+    }
+    /**
+     * Parses the raw JSON response from the Azure CLI into a usable AccessToken object
+     *
+     * @param rawResponse - The raw JSON response from the Azure CLI
+     * @returns An access token with the expiry time parsed from the raw response
+     *
+     * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:
+     *
+     * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.
+     */
+    parseRawResponse(rawResponse) {
+        const response = JSON.parse(rawResponse);
+        const token = response.accessToken;
+        // if available, expires_on will be a number representing seconds since epoch.
+        // ensure it's a number or NaN
+        let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;
+        if (!isNaN(expiresOnTimestamp)) {
+            logger.getToken.info("expires_on is available and is valid, using it");
+            return {
+                token,
+                expiresOnTimestamp,
+                tokenType: "Bearer",
+            };
+        }
+        // fallback to the older expiresOn - an RFC3339 date string
+        expiresOnTimestamp = new Date(response.expiresOn).getTime();
+        // ensure expiresOn is well-formatted
+        if (isNaN(expiresOnTimestamp)) {
+            throw new errors_js_1.CredentialUnavailableError(`Unexpected response from Azure CLI when getting token. Expected "expiresOn" to be a RFC3339 date string. Got: "${response.expiresOn}"`);
+        }
+        return {
+            token,
+            expiresOnTimestamp,
+            tokenType: "Bearer",
+        };
+    }
+}
+exports.AzureCliCredential = AzureCliCredential;
+//# sourceMappingURL=azureCliCredential.js.map

package/dist/commonjs/credentials/azureCliCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureCliCredential.js","sourceRoot":"","sources":["../../../src/credentials/azureCliCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;;AAGlC,+DAIkC;AAClC,mDAAkF;AAClF,yDAA0F;AAG1F,4CAA0D;AAC1D,0EAA0C;AAC1C,mDAAmD;AACnD,uEAAiE;AAEjE;;;GAGG;AACU,QAAA,sBAAsB,GAAG;IACpC;;OAEG;IACH,iBAAiB;QACf,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;YACtF,CAAC;YACD,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,sBAAsB,CAC1B,QAAgB,EAChB,QAAiB,EACjB,YAAqB,EACrB,OAAgB;QAEhB,IAAI,aAAa,GAAa,EAAE,CAAC;QACjC,IAAI,mBAAmB,GAAa,EAAE,CAAC;QACvC,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,YAAY,EAAE,CAAC;YACjB,yEAAyE;YACzE,mBAAmB,GAAG,CAAC,gBAAgB,EAAE,IAAI,YAAY,GAAG,CAAC,CAAC;QAChE,CAAC;QACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC;gBACH,uBAAa,CAAC,QAAQ,CACpB,IAAI,EACJ;oBACE,SAAS;oBACT,kBAAkB;oBAClB,UAAU;oBACV,MAAM;oBACN,YAAY;oBACZ,QAAQ;oBACR,GAAG,aAAa;oBAChB,GAAG,mBAAmB;iBACvB,EACD,EAAE,GAAG,EAAE,8BAAsB,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EACzE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;oBACxB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;gBACrD,CAAC,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,oBAAoB,CAAC,CAAC;AAEtD;;;;;GAKG;AACH,MAAa,kBAAkB;IAM7B;;;;;;;OAOG;IACH,YAAY,OAAmC;QAC7C,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,EAAE,CAAC;YACtB,IAAA,gCAAa,EAAC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,YAAY,EAAE,CAAC;YAC1B,IAAA,wCAAiB,EAAC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,YAAY,CAAC,CAAC;YACjD,IAAI,CAAC,YAAY,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,YAAY,CAAC;QAC5C,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;QACF,IAAI,QAAQ,EAAE,CAAC;YACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,IAAA,wCAAiB,EAAC,MAAM,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC9D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;QAEjD,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;;YACrF,IAAI,CAAC;gBACH,IAAA,+CAA+B,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC/C,MAAM,QAAQ,GAAG,IAAA,gCAAgB,EAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,GAAG,GAAG,MAAM,8BAAsB,CAAC,sBAAsB,CAC7D,QAAQ,EACR,QAAQ,EACR,IAAI,CAAC,YAAY,EACjB,IAAI,CAAC,OAAO,CACb,CAAC;gBACF,MAAM,aAAa,GAAG,MAAA,GAAG,CAAC,MAAM,0CAAE,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBACpE,MAAM,YAAY,GAAG,CAAA,MAAA,GAAG,CAAC,MAAM,0CAAE,KAAK,CAAC,kBAAkB,CAAC,KAAI,CAAC,aAAa,CAAC;gBAC7E,MAAM,iBAAiB,GACrB,CAAA,MAAA,GAAG,CAAC,MAAM,0CAAE,KAAK,CAAC,kBAAkB,CAAC,MAAI,MAAA,GAAG,CAAC,MAAM,0CAAE,UAAU,CAAC,wBAAwB,CAAC,CAAA,CAAC;gBAE5F,IAAI,iBAAiB,EAAE,CAAC;oBACtB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,kLAAkL,CACnL,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,IAAI,YAAY,EAAE,CAAC;oBACjB,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,2FAA2F,CAC5F,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,IAAI,CAAC;oBACH,MAAM,YAAY,GAAG,GAAG,CAAC,MAAM,CAAC;oBAChC,MAAM,QAAQ,GAAgB,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC;oBAClE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;oBAC5C,OAAO,QAAQ,CAAC;gBAClB,CAAC;gBAAC,OAAO,CAAM,EAAE,CAAC;oBAChB,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBACf,MAAM,IAAI,sCAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBACnD,CAAC;oBACD,MAAM,CAAC,CAAC;gBACV,CAAC;YACH,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,KAAK,GACT,GAAG,CAAC,IAAI,KAAK,4BAA4B;oBACvC,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,IAAI,sCAA0B,CAC3B,GAAa,CAAC,OAAO,IAAI,yDAAyD,CACpF,CAAC;gBACR,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;OASG;IACK,gBAAgB,CAAC,WAAmB;QAC1C,MAAM,QAAQ,GAAQ,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC;QACnC,8EAA8E;QAC9E,8BAA8B;QAC9B,IAAI,kBAAkB,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC;QACzE,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC/B,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YACvE,OAAO;gBACL,KAAK;gBACL,kBAAkB;gBAClB,SAAS,EAAE,QAAQ;aACpB,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,kBAAkB,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QAE5D,qCAAqC;QACrC,IAAI,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,sCAA0B,CAClC,kHAAkH,QAAQ,CAAC,SAAS,GAAG,CACxI,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK;YACL,kBAAkB;YAClB,SAAS,EAAE,QAAQ;SACpB,CAAC;IACJ,CAAC;CACF;AArJD,gDAqJC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  checkTenantId,\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { ensureValidScopeForDevTimeCreds, getScopeResource } from \"../util/scopeUtils.js\";\n\nimport type { AzureCliCredentialOptions } from \"./azureCliCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport child_process from \"child_process\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport { checkSubscription } from \"../util/subscriptionUtils.js\";\n\n/**\n * Mockable reference to the CLI credential cliCredentialFunctions\n * @internal\n */\nexport const cliCredentialInternals = {\n  /**\n   * @internal\n   */\n  getSafeWorkingDir(): string {\n    if (process.platform === \"win32\") {\n      if (!process.env.SystemRoot) {\n        throw new Error(\"Azure CLI credential expects a 'SystemRoot' environment variable\");\n      }\n      return process.env.SystemRoot;\n    } else {\n      return \"/bin\";\n    }\n  },\n\n  /**\n   * Gets the access token from Azure CLI\n   * @param resource - The resource to use when getting the token\n   * @internal\n   */\n  async getAzureCliAccessToken(\n    resource: string,\n    tenantId?: string,\n    subscription?: string,\n    timeout?: number,\n  ): Promise<{ stdout: string; stderr: string; error: Error | null }> {\n    let tenantSection: string[] = [];\n    let subscriptionSection: string[] = [];\n    if (tenantId) {\n      tenantSection = [\"--tenant\", tenantId];\n    }\n    if (subscription) {\n      // Add quotes around the subscription to handle subscriptions with spaces\n      subscriptionSection = [\"--subscription\", `\"${subscription}\"`];\n    }\n    return new Promise((resolve, reject) => {\n      try {\n        child_process.execFile(\n          \"az\",\n          [\n            \"account\",\n            \"get-access-token\",\n            \"--output\",\n            \"json\",\n            \"--resource\",\n            resource,\n            ...tenantSection,\n            ...subscriptionSection,\n          ],\n          { cwd: cliCredentialInternals.getSafeWorkingDir(), shell: true, timeout },\n          (error, stdout, stderr) => {\n            resolve({ stdout: stdout, stderr: stderr, error });\n          },\n        );\n      } catch (err: any) {\n        reject(err);\n      }\n    });\n  },\n};\n\nconst logger = credentialLogger(\"AzureCliCredential\");\n\n/**\n * This credential will use the currently logged-in user login information\n * via the Azure CLI ('az') commandline tool.\n * To do so, it will read the user access token and expire time\n * with Azure CLI command \"az account get-access-token\".\n */\nexport class AzureCliCredential implements TokenCredential {\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private timeout?: number;\n  private subscription?: string;\n\n  /**\n   * Creates an instance of the {@link AzureCliCredential}.\n   *\n   * To use this credential, ensure that you have already logged\n   * in via the 'az' tool using the command \"az login\" from the commandline.\n   *\n   * @param options - Options, to optionally allow multi-tenant requests.\n   */\n  constructor(options?: AzureCliCredentialOptions) {\n    if (options?.tenantId) {\n      checkTenantId(logger, options?.tenantId);\n      this.tenantId = options?.tenantId;\n    }\n    if (options?.subscription) {\n      checkSubscription(logger, options?.subscription);\n      this.subscription = options?.subscription;\n    }\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    this.timeout = options?.processTimeoutInMs;\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    const tenantId = processMultiTenantRequest(\n      this.tenantId,\n      options,\n      this.additionallyAllowedTenantIds,\n    );\n    if (tenantId) {\n      checkTenantId(logger, tenantId);\n    }\n    if (this.subscription) {\n      checkSubscription(logger, this.subscription);\n    }\n    const scope = typeof scopes === \"string\" ? scopes : scopes[0];\n    logger.getToken.info(`Using the scope ${scope}`);\n\n    return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n      try {\n        ensureValidScopeForDevTimeCreds(scope, logger);\n        const resource = getScopeResource(scope);\n        const obj = await cliCredentialInternals.getAzureCliAccessToken(\n          resource,\n          tenantId,\n          this.subscription,\n          this.timeout,\n        );\n        const specificScope = obj.stderr?.match(\"(.*)az login --scope(.*)\");\n        const isLoginError = obj.stderr?.match(\"(.*)az login(.*)\") && !specificScope;\n        const isNotInstallError =\n          obj.stderr?.match(\"az:(.*)not found\") || obj.stderr?.startsWith(\"'az' is not recognized\");\n\n        if (isNotInstallError) {\n          const error = new CredentialUnavailableError(\n            \"Azure CLI could not be found. Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.\",\n          );\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n        if (isLoginError) {\n          const error = new CredentialUnavailableError(\n            \"Please run 'az login' from a command prompt to authenticate before using this credential.\",\n          );\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n        try {\n          const responseData = obj.stdout;\n          const response: AccessToken = this.parseRawResponse(responseData);\n          logger.getToken.info(formatSuccess(scopes));\n          return response;\n        } catch (e: any) {\n          if (obj.stderr) {\n            throw new CredentialUnavailableError(obj.stderr);\n          }\n          throw e;\n        }\n      } catch (err: any) {\n        const error =\n          err.name === \"CredentialUnavailableError\"\n            ? err\n            : new CredentialUnavailableError(\n                (err as Error).message || \"Unknown error while trying to retrieve the access token\",\n              );\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n    });\n  }\n\n  /**\n   * Parses the raw JSON response from the Azure CLI into a usable AccessToken object\n   *\n   * @param rawResponse - The raw JSON response from the Azure CLI\n   * @returns An access token with the expiry time parsed from the raw response\n   *\n   * The expiryTime of the credential's access token, in milliseconds, is calculated as follows:\n   *\n   * When available, expires_on (introduced in Azure CLI v2.54.0) will be preferred. Otherwise falls back to expiresOn.\n   */\n  private parseRawResponse(rawResponse: string): AccessToken {\n    const response: any = JSON.parse(rawResponse);\n    const token = response.accessToken;\n    // if available, expires_on will be a number representing seconds since epoch.\n    // ensure it's a number or NaN\n    let expiresOnTimestamp = Number.parseInt(response.expires_on, 10) * 1000;\n    if (!isNaN(expiresOnTimestamp)) {\n      logger.getToken.info(\"expires_on is available and is valid, using it\");\n      return {\n        token,\n        expiresOnTimestamp,\n        tokenType: \"Bearer\",\n      };\n    }\n\n    // fallback to the older expiresOn - an RFC3339 date string\n    expiresOnTimestamp = new Date(response.expiresOn).getTime();\n\n    // ensure expiresOn is well-formatted\n    if (isNaN(expiresOnTimestamp)) {\n      throw new CredentialUnavailableError(\n        `Unexpected response from Azure CLI when getting token. Expected \"expiresOn\" to be a RFC3339 date string. Got: \"${response.expiresOn}\"`,\n      );\n    }\n\n    return {\n      token,\n      expiresOnTimestamp,\n      tokenType: \"Bearer\",\n    };\n  }\n}\n"]}

package/dist/commonjs/credentials/azureCliCredentialOptions.d.ts

@@ -0,0 +1,20 @@
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Options for the {@link AzureCliCredential}
+ */
+export interface AzureCliCredentialOptions extends MultiTenantTokenCredentialOptions {
+    /**
+     * Allows specifying a tenant ID
+     */
+    tenantId?: string;
+    /**
+     * Process timeout configurable for making token requests, provided in milliseconds
+     */
+    processTimeoutInMs?: number;
+    /**
+     * Subscription is the name or ID of a subscription. Set this to acquire tokens for an account other
+     * than the Azure CLI's current account.
+     */
+    subscription?: string;
+}
+//# sourceMappingURL=azureCliCredentialOptions.d.ts.map

package/dist/commonjs/credentials/azureCliCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureCliCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureCliCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,yBAA0B,SAAQ,iCAAiC;IAClF;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB"}

package/dist/commonjs/credentials/azureCliCredentialOptions.js

@@ -0,0 +1,5 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=azureCliCredentialOptions.js.map

package/dist/commonjs/credentials/azureCliCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureCliCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/azureCliCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link AzureCliCredential}\n */\nexport interface AzureCliCredentialOptions extends MultiTenantTokenCredentialOptions {\n  /**\n   * Allows specifying a tenant ID\n   */\n  tenantId?: string;\n  /**\n   * Process timeout configurable for making token requests, provided in milliseconds\n   */\n  processTimeoutInMs?: number;\n  /**\n   * Subscription is the name or ID of a subscription. Set this to acquire tokens for an account other\n   * than the Azure CLI's current account.\n   */\n  subscription?: string;\n}\n"]}