npm - @azure/identity - Versions diffs - 4.6.0 → 4.6.1-alpha.20250117.1 - Mend

@azure/identity 4.6.0 → 4.6.1-alpha.20250117.1

Files changed (1115) hide show

package/dist/commonjs/credentials/azurePipelinesCredential.js ADDED Viewed

@@ -0,0 +1,146 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzurePipelinesCredential = void 0;
+exports.handleOidcResponse = handleOidcResponse;
+const errors_js_1 = require("../errors.js");
+const core_rest_pipeline_1 = require("@azure/core-rest-pipeline");
+const clientAssertionCredential_js_1 = require("./clientAssertionCredential.js");
+const identityClient_js_1 = require("../client/identityClient.js");
+const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
+const logging_js_1 = require("../util/logging.js");
+const credentialName = "AzurePipelinesCredential";
+const logger = (0, logging_js_1.credentialLogger)(credentialName);
+const OIDC_API_VERSION = "7.1";
+/**
+ * This credential is designed to be used in Azure Pipelines with service connections
+ * as a setup for workload identity federation.
+ */
+class AzurePipelinesCredential {
+    /**
+     * AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.
+     * @param tenantId - tenantId associated with the service connection
+     * @param clientId - clientId associated with the service connection
+     * @param serviceConnectionId - Unique ID for the service connection, as found in the querystring's resourceId key
+     * @param systemAccessToken - The pipeline's <see href="https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken">System.AccessToken</see> value.
+     * @param options - The identity client options to use for authentication.
+     */
+    constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options = {}) {
+        var _a, _b;
+        if (!clientId) {
+            throw new errors_js_1.CredentialUnavailableError(`${credentialName}: is unavailable. clientId is a required parameter.`);
+        }
+        if (!tenantId) {
+            throw new errors_js_1.CredentialUnavailableError(`${credentialName}: is unavailable. tenantId is a required parameter.`);
+        }
+        if (!serviceConnectionId) {
+            throw new errors_js_1.CredentialUnavailableError(`${credentialName}: is unavailable. serviceConnectionId is a required parameter.`);
+        }
+        if (!systemAccessToken) {
+            throw new errors_js_1.CredentialUnavailableError(`${credentialName}: is unavailable. systemAccessToken is a required parameter.`);
+        }
+        // Allow these headers to be logged for troubleshooting by AzurePipelines.
+        options.loggingOptions = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.loggingOptions), { additionalAllowedHeaderNames: [
+                ...((_b = (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.additionalAllowedHeaderNames) !== null && _b !== void 0 ? _b : []),
+                "x-vss-e2eid",
+                "x-msedge-ref",
+            ] });
+        this.identityClient = new identityClient_js_1.IdentityClient(options);
+        (0, tenantIdUtils_js_1.checkTenantId)(logger, tenantId);
+        logger.info(`Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, client ID: ${clientId}, and service connection ID: ${serviceConnectionId}`);
+        if (!process.env.SYSTEM_OIDCREQUESTURI) {
+            throw new errors_js_1.CredentialUnavailableError(`${credentialName}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- "SYSTEM_OIDCREQUESTURI"`);
+        }
+        const oidcRequestUrl = `${process.env.SYSTEM_OIDCREQUESTURI}?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`;
+        logger.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, client ID: ${clientId} and service connection ID: ${serviceConnectionId}`);
+        this.clientAssertionCredential = new clientAssertionCredential_js_1.ClientAssertionCredential(tenantId, clientId, this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken), options);
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} or {@link AuthenticationError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options) {
+        if (!this.clientAssertionCredential) {
+            const errorMessage = `${credentialName}: is unavailable. To use Federation Identity in Azure Pipelines, the following parameters are required -
+      tenantId,
+      clientId,
+      serviceConnectionId,
+      systemAccessToken,
+      "SYSTEM_OIDCREQUESTURI".
+      See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
+            logger.error(errorMessage);
+            throw new errors_js_1.CredentialUnavailableError(errorMessage);
+        }
+        logger.info("Invoking getToken() of Client Assertion Credential");
+        return this.clientAssertionCredential.getToken(scopes, options);
+    }
+    /**
+     *
+     * @param oidcRequestUrl - oidc request url
+     * @param systemAccessToken - system access token
+     * @returns OIDC token from Azure Pipelines
+     */
+    async requestOidcToken(oidcRequestUrl, systemAccessToken) {
+        logger.info("Requesting OIDC token from Azure Pipelines...");
+        logger.info(oidcRequestUrl);
+        const request = (0, core_rest_pipeline_1.createPipelineRequest)({
+            url: oidcRequestUrl,
+            method: "POST",
+            headers: (0, core_rest_pipeline_1.createHttpHeaders)({
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${systemAccessToken}`,
+                // Prevents the service from responding with a redirect HTTP status code (useful for automation).
+                "X-TFS-FedAuthRedirect": "Suppress",
+            }),
+        });
+        const response = await this.identityClient.sendRequest(request);
+        return handleOidcResponse(response);
+    }
+}
+exports.AzurePipelinesCredential = AzurePipelinesCredential;
+function handleOidcResponse(response) {
+    // OIDC token is present in `bodyAsText` field
+    const text = response.bodyAsText;
+    if (!text) {
+        logger.error(`${credentialName}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
+        throw new errors_js_1.AuthenticationError(response.status, {
+            error: `${credentialName}: Authentication Failed. Received null token from OIDC request.`,
+            error_description: `${JSON.stringify(response)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
+        });
+    }
+    try {
+        const result = JSON.parse(text);
+        if (result === null || result === void 0 ? void 0 : result.oidcToken) {
+            return result.oidcToken;
+        }
+        else {
+            const errorMessage = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;
+            let errorDescription = ``;
+            if (response.status !== 200) {
+                errorDescription = `Response body = ${text}. Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
+            }
+            logger.error(errorMessage);
+            logger.error(errorDescription);
+            throw new errors_js_1.AuthenticationError(response.status, {
+                error: errorMessage,
+                error_description: errorDescription,
+            });
+        }
+    }
+    catch (e) {
+        const errorDetails = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;
+        logger.error(`Response from service = ${text}, Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")}
+      and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}, error message = ${e.message}`);
+        logger.error(errorDetails);
+        throw new errors_js_1.AuthenticationError(response.status, {
+            error: errorDetails,
+            error_description: `Response = ${text}. Response headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] =  ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
+        });
+    }
+}
+//# sourceMappingURL=azurePipelinesCredential.js.map

package/dist/commonjs/credentials/azurePipelinesCredential.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"azurePipelinesCredential.js","sourceRoot":"","sources":["../../../src/credentials/azurePipelinesCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAoJlC,gDA6CC;AA9LD,4CAA+E;AAC/E,kEAAqF;AAGrF,iFAA2E;AAC3E,mEAA6D;AAE7D,+DAAyD;AACzD,mDAAsD;AAEtD,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAClD,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,cAAc,CAAC,CAAC;AAChD,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAE/B;;;GAGG;AACH,MAAa,wBAAwB;IAInC;;;;;;;OAOG;IACH,YACE,QAAgB,EAChB,QAAgB,EAChB,mBAA2B,EAC3B,iBAAyB,EACzB,UAA2C,EAAE;;QAE7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qDAAqD,CACvE,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,qDAAqD,CACvE,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,gEAAgE,CAClF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,8DAA8D,CAChF,CAAC;QACJ,CAAC;QAED,0EAA0E;QAC1E,OAAO,CAAC,cAAc,mCACjB,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,cAAc,KAC1B,4BAA4B,EAAE;gBAC5B,GAAG,CAAC,MAAA,MAAA,OAAO,CAAC,cAAc,0CAAE,4BAA4B,mCAAI,EAAE,CAAC;gBAC/D,aAAa;gBACb,cAAc;aACf,GACF,CAAC;QAEF,IAAI,CAAC,cAAc,GAAG,IAAI,kCAAc,CAAC,OAAO,CAAC,CAAC;QAClD,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAChC,MAAM,CAAC,IAAI,CACT,qDAAqD,QAAQ,gBAAgB,QAAQ,gCAAgC,mBAAmB,EAAE,CAC3I,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC;YACvC,MAAM,IAAI,sCAA0B,CAClC,GAAG,cAAc,mKAAmK,CACrL,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,gBAAgB,gBAAgB,wBAAwB,mBAAmB,EAAE,CAAC;QACzI,MAAM,CAAC,IAAI,CACT,sDAAsD,QAAQ,gBAAgB,QAAQ,+BAA+B,mBAAmB,EAAE,CAC3I,CAAC;QACF,IAAI,CAAC,yBAAyB,GAAG,IAAI,wDAAyB,CAC5D,QAAQ,EACR,QAAQ,EACR,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,EAAE,iBAAiB,CAAC,EACnE,OAAO,CACR,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,OAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACpC,MAAM,YAAY,GAAG,GAAG,cAAc;;;;;;iIAMqF,CAAC;YAC5H,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAC3B,MAAM,IAAI,sCAA0B,CAAC,YAAY,CAAC,CAAC;QACrD,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClE,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,gBAAgB,CAC5B,cAAsB,EACtB,iBAAyB;QAEzB,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QAC7D,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC5B,MAAM,OAAO,GAAG,IAAA,0CAAqB,EAAC;YACpC,GAAG,EAAE,cAAc;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAA,sCAAiB,EAAC;gBACzB,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,iBAAiB,EAAE;gBAC5C,iGAAiG;gBACjG,uBAAuB,EAAE,UAAU;aACpC,CAAC;SACH,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAChE,OAAO,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;CACF;AA7HD,4DA6HC;AAED,SAAgB,kBAAkB,CAAC,QAA0B;IAC3D,8CAA8C;IAC9C,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAU,CAAC;IACjC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,KAAK,CACV,GAAG,cAAc,oFACf,QAAQ,CAAC,MACX,yBAAyB,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CACpD,CAAC;QACF,MAAM,IAAI,+BAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE;YAC7C,KAAK,EAAE,GAAG,cAAc,iEAAiE;YACzF,iBAAiB,EAAE,GAAG,IAAI,CAAC,SAAS,CAClC,QAAQ,CACT,8HAA8H;SAChI,CAAC,CAAC;IACL,CAAC;IACD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE,CAAC;YACtB,OAAO,MAAM,CAAC,SAAS,CAAC;QAC1B,CAAC;aAAM,CAAC;YACN,MAAM,YAAY,GAAG,GAAG,cAAc,wEAAwE,CAAC;YAC/G,IAAI,gBAAgB,GAAG,EAAE,CAAC;YAC1B,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,gBAAgB,GAAG,mBAAmB,IAAI,wCAAwC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,2BAA2B,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,8HAA8H,CAAC;YACrT,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAC3B,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAC/B,MAAM,IAAI,+BAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE;gBAC7C,KAAK,EAAE,YAAY;gBACnB,iBAAiB,EAAE,gBAAgB;aACpC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,MAAM,YAAY,GAAG,GAAG,cAAc,wEAAwE,CAAC;QAC/G,MAAM,CAAC,KAAK,CACV,2BAA2B,IAAI,wCAAwC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;+BACjF,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,qBAAqB,CAAC,CAAC,OAAO,EAAE,CAC9F,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAC3B,MAAM,IAAI,+BAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE;YAC7C,KAAK,EAAE,YAAY;YACnB,iBAAiB,EAAE,cAAc,IAAI,wCAAwC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,4BAA4B,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,8HAA8H;SAC/S,CAAC,CAAC;IACL,CAAC;AACH,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { AuthenticationError, CredentialUnavailableError } from \"../errors.js\";\nimport { createHttpHeaders, createPipelineRequest } from \"@azure/core-rest-pipeline\";\n\nimport type { AzurePipelinesCredentialOptions } from \"./azurePipelinesCredentialOptions.js\";\nimport { ClientAssertionCredential } from \"./clientAssertionCredential.js\";\nimport { IdentityClient } from \"../client/identityClient.js\";\nimport type { PipelineResponse } from \"@azure/core-rest-pipeline\";\nimport { checkTenantId } from \"../util/tenantIdUtils.js\";\nimport { credentialLogger } from \"../util/logging.js\";\n\nconst credentialName = \"AzurePipelinesCredential\";\nconst logger = credentialLogger(credentialName);\nconst OIDC_API_VERSION = \"7.1\";\n\n/**\n * This credential is designed to be used in Azure Pipelines with service connections\n * as a setup for workload identity federation.\n */\nexport class AzurePipelinesCredential implements TokenCredential {\n private clientAssertionCredential: ClientAssertionCredential | undefined;\n private identityClient: IdentityClient;\n\n /**\n * AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.\n * @param tenantId - tenantId associated with the service connection\n * @param clientId - clientId associated with the service connection\n * @param serviceConnectionId - Unique ID for the service connection, as found in the querystring's resourceId key\n * @param systemAccessToken - The pipeline's <see href=\"https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken\">System.AccessToken</see> value.\n * @param options - The identity client options to use for authentication.\n */\n constructor(\n tenantId: string,\n clientId: string,\n serviceConnectionId: string,\n systemAccessToken: string,\n options: AzurePipelinesCredentialOptions = {},\n ) {\n if (!clientId) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. clientId is a required parameter.`,\n );\n }\n if (!tenantId) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. tenantId is a required parameter.`,\n );\n }\n if (!serviceConnectionId) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. serviceConnectionId is a required parameter.`,\n );\n }\n if (!systemAccessToken) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. systemAccessToken is a required parameter.`,\n );\n }\n\n // Allow these headers to be logged for troubleshooting by AzurePipelines.\n options.loggingOptions = {\n ...options?.loggingOptions,\n additionalAllowedHeaderNames: [\n ...(options.loggingOptions?.additionalAllowedHeaderNames ?? []),\n \"x-vss-e2eid\",\n \"x-msedge-ref\",\n ],\n };\n\n this.identityClient = new IdentityClient(options);\n checkTenantId(logger, tenantId);\n logger.info(\n `Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, client ID: ${clientId}, and service connection ID: ${serviceConnectionId}`,\n );\n if (!process.env.SYSTEM_OIDCREQUESTURI) {\n throw new CredentialUnavailableError(\n `${credentialName}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- \"SYSTEM_OIDCREQUESTURI\"`,\n );\n }\n\n const oidcRequestUrl = `${process.env.SYSTEM_OIDCREQUESTURI}?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`;\n logger.info(\n `Invoking ClientAssertionCredential with tenant ID: ${tenantId}, client ID: ${clientId} and service connection ID: ${serviceConnectionId}`,\n );\n this.clientAssertionCredential = new ClientAssertionCredential(\n tenantId,\n clientId,\n this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken),\n options,\n );\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If authentication fails, a {@link CredentialUnavailableError} or {@link AuthenticationError} will be thrown with the details of the failure.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this\n * TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options?: GetTokenOptions,\n ): Promise<AccessToken> {\n if (!this.clientAssertionCredential) {\n const errorMessage = `${credentialName}: is unavailable. To use Federation Identity in Azure Pipelines, the following parameters are required - \n tenantId,\n clientId,\n serviceConnectionId,\n systemAccessToken,\n \"SYSTEM_OIDCREQUESTURI\". \n See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;\n logger.error(errorMessage);\n throw new CredentialUnavailableError(errorMessage);\n }\n logger.info(\"Invoking getToken() of Client Assertion Credential\");\n return this.clientAssertionCredential.getToken(scopes, options);\n }\n\n /**\n *\n * @param oidcRequestUrl - oidc request url\n * @param systemAccessToken - system access token\n * @returns OIDC token from Azure Pipelines\n */\n private async requestOidcToken(\n oidcRequestUrl: string,\n systemAccessToken: string,\n ): Promise<string> {\n logger.info(\"Requesting OIDC token from Azure Pipelines...\");\n logger.info(oidcRequestUrl);\n const request = createPipelineRequest({\n url: oidcRequestUrl,\n method: \"POST\",\n headers: createHttpHeaders({\n \"Content-Type\": \"application/json\",\n Authorization: `Bearer ${systemAccessToken}`,\n // Prevents the service from responding with a redirect HTTP status code (useful for automation).\n \"X-TFS-FedAuthRedirect\": \"Suppress\",\n }),\n });\n const response = await this.identityClient.sendRequest(request);\n return handleOidcResponse(response);\n }\n}\n\nexport function handleOidcResponse(response: PipelineResponse): string {\n // OIDC token is present in `bodyAsText` field\n const text = response.bodyAsText;\n if (!text) {\n logger.error(\n `${credentialName}: Authentication Failed. Received null token from OIDC request. Response status- ${\n response.status\n }. Complete response - ${JSON.stringify(response)}`,\n );\n throw new AuthenticationError(response.status, {\n error: `${credentialName}: Authentication Failed. Received null token from OIDC request.`,\n error_description: `${JSON.stringify(\n response,\n )}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,\n });\n }\n try {\n const result = JSON.parse(text);\n if (result?.oidcToken) {\n return result.oidcToken;\n } else {\n const errorMessage = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;\n let errorDescription = ``;\n if (response.status !== 200) {\n errorDescription = `Response body = ${text}. Response Headers [\"x-vss-e2eid\"] = ${response.headers.get(\"x-vss-e2eid\")} and [\"x-msedge-ref\"] = ${response.headers.get(\"x-msedge-ref\")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;\n }\n logger.error(errorMessage);\n logger.error(errorDescription);\n throw new AuthenticationError(response.status, {\n error: errorMessage,\n error_description: errorDescription,\n });\n }\n } catch (e: any) {\n const errorDetails = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;\n logger.error(\n `Response from service = ${text}, Response Headers [\"x-vss-e2eid\"] = ${response.headers.get(\"x-vss-e2eid\")} \n and [\"x-msedge-ref\"] = ${response.headers.get(\"x-msedge-ref\")}, error message = ${e.message}`,\n );\n logger.error(errorDetails);\n throw new AuthenticationError(response.status, {\n error: errorDetails,\n error_description: `Response = ${text}. Response headers [\"x-vss-e2eid\"] = ${response.headers.get(\"x-vss-e2eid\")} and [\"x-msedge-ref\"] = ${response.headers.get(\"x-msedge-ref\")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,\n });\n }\n}\n"]}

package/dist/commonjs/credentials/azurePipelinesCredentialOptions.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { AuthorityValidationOptions } from "./authorityValidationOptions.js";
+import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Optional parameters for the {@link AzurePipelinesCredential} class.
+ */
+export interface AzurePipelinesCredentialOptions extends MultiTenantTokenCredentialOptions, CredentialPersistenceOptions, AuthorityValidationOptions {
+}
+//# sourceMappingURL=azurePipelinesCredentialOptions.d.ts.map

package/dist/commonjs/credentials/azurePipelinesCredentialOptions.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"azurePipelinesCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/azurePipelinesCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACtF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,+BACf,SAAQ,iCAAiC,EACvC,4BAA4B,EAC5B,0BAA0B;CAAG"}

package/dist/commonjs/credentials/azurePipelinesCredentialOptions.js ADDED Viewed

@@ -0,0 +1,5 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=azurePipelinesCredentialOptions.js.map

package/dist/commonjs/credentials/azurePipelinesCredentialOptions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"azurePipelinesCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/azurePipelinesCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Optional parameters for the {@link AzurePipelinesCredential} class.\n */\nexport interface AzurePipelinesCredentialOptions\n extends MultiTenantTokenCredentialOptions,\n CredentialPersistenceOptions,\n AuthorityValidationOptions {}\n"]}

package/dist/commonjs/credentials/azurePowerShellCredential.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { AzurePowerShellCredentialOptions } from "./azurePowerShellCredentialOptions.js";
+/**
+ * Returns a platform-appropriate command name by appending ".exe" on Windows.
+ *
+ * @internal
+ */
+export declare function formatCommand(commandName: string): string;
+/**
+ * Known PowerShell errors
+ * @internal
+ */
+export declare const powerShellErrors: {
+    login: string;
+    installed: string;
+};
+/**
+ * Messages to use when throwing in this credential.
+ * @internal
+ */
+export declare const powerShellPublicErrorMessages: {
+    login: string;
+    installed: string;
+    troubleshoot: string;
+};
+/**
+ * The PowerShell commands to be tried, in order.
+ *
+ * @internal
+ */
+export declare const commandStack: string[];
+/**
+ * This credential will use the currently logged-in user information from the
+ * Azure PowerShell module. To do so, it will read the user access token and
+ * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
+ */
+export declare class AzurePowerShellCredential implements TokenCredential {
+    private tenantId?;
+    private additionallyAllowedTenantIds;
+    private timeout?;
+    /**
+     * Creates an instance of the {@link AzurePowerShellCredential}.
+     *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options?: AzurePowerShellCredentialOptions);
+    /**
+     * Gets the access token from Azure PowerShell
+     * @param resource - The resource to use when getting the token
+     */
+    private getAzurePowerShellAccessToken;
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+/**
+ *
+ * @internal
+ */
+export declare function parseJsonToken(result: string): Promise<{
+    Token: string;
+    ExpiresOn: string;
+}>;
+//# sourceMappingURL=azurePowerShellCredential.d.ts.map

package/dist/commonjs/credentials/azurePowerShellCredential.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"azurePowerShellCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAStF,OAAO,KAAK,EAAE,gCAAgC,EAAE,MAAM,uCAAuC,CAAC;AAS9F;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAMzD;AAuBD;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;CAI5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAKzC,CAAC;AAUF;;;;GAIG;AACH,eAAO,MAAM,YAAY,UAA0B,CAAC;AAMpD;;;;GAIG;AACH,qBAAa,yBAA0B,YAAW,eAAe;IAC/D,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IAEzB;;;;;;;;;;OAUG;gBACS,OAAO,CAAC,EAAE,gCAAgC;IAWtD;;;OAGG;YACW,6BAA6B;IA2D3C;;;;;;OAMG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;CAwCxB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAyB/C"}

package/dist/commonjs/credentials/azurePowerShellCredential.js ADDED Viewed

@@ -0,0 +1,235 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzurePowerShellCredential = exports.commandStack = exports.powerShellPublicErrorMessages = exports.powerShellErrors = void 0;
+exports.formatCommand = formatCommand;
+exports.parseJsonToken = parseJsonToken;
+const tenantIdUtils_js_1 = require("../util/tenantIdUtils.js");
+const logging_js_1 = require("../util/logging.js");
+const scopeUtils_js_1 = require("../util/scopeUtils.js");
+const errors_js_1 = require("../errors.js");
+const processUtils_js_1 = require("../util/processUtils.js");
+const tracing_js_1 = require("../util/tracing.js");
+const logger = (0, logging_js_1.credentialLogger)("AzurePowerShellCredential");
+const isWindows = process.platform === "win32";
+/**
+ * Returns a platform-appropriate command name by appending ".exe" on Windows.
+ *
+ * @internal
+ */
+function formatCommand(commandName) {
+    if (isWindows) {
+        return `${commandName}.exe`;
+    }
+    else {
+        return commandName;
+    }
+}
+/**
+ * Receives a list of commands to run, executes them, then returns the outputs.
+ * If anything fails, an error is thrown.
+ * @internal
+ */
+async function runCommands(commands, timeout) {
+    const results = [];
+    for (const command of commands) {
+        const [file, ...parameters] = command;
+        const result = (await processUtils_js_1.processUtils.execFile(file, parameters, {
+            encoding: "utf8",
+            timeout,
+        }));
+        results.push(result);
+    }
+    return results;
+}
+/**
+ * Known PowerShell errors
+ * @internal
+ */
+exports.powerShellErrors = {
+    login: "Run Connect-AzAccount to login",
+    installed: "The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory",
+};
+/**
+ * Messages to use when throwing in this credential.
+ * @internal
+ */
+exports.powerShellPublicErrorMessages = {
+    login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
+    installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`,
+    troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,
+};
+// PowerShell Azure User not logged in error check.
+const isLoginError = (err) => err.message.match(`(.*)${exports.powerShellErrors.login}(.*)`);
+// Az Module not Installed in Azure PowerShell check.
+const isNotInstalledError = (err) => err.message.match(exports.powerShellErrors.installed);
+/**
+ * The PowerShell commands to be tried, in order.
+ *
+ * @internal
+ */
+exports.commandStack = [formatCommand("pwsh")];
+if (isWindows) {
+    exports.commandStack.push(formatCommand("powershell"));
+}
+/**
+ * This credential will use the currently logged-in user information from the
+ * Azure PowerShell module. To do so, it will read the user access token and
+ * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
+ */
+class AzurePowerShellCredential {
+    /**
+     * Creates an instance of the {@link AzurePowerShellCredential}.
+     *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options) {
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            (0, tenantIdUtils_js_1.checkTenantId)(logger, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
+        this.additionallyAllowedTenantIds = (0, tenantIdUtils_js_1.resolveAdditionallyAllowedTenantIds)(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
+    }
+    /**
+     * Gets the access token from Azure PowerShell
+     * @param resource - The resource to use when getting the token
+     */
+    async getAzurePowerShellAccessToken(resource, tenantId, timeout) {
+        // Clone the stack to avoid mutating it while iterating
+        for (const powerShellCommand of [...exports.commandStack]) {
+            try {
+                await runCommands([[powerShellCommand, "/?"]], timeout);
+            }
+            catch (e) {
+                // Remove this credential from the original stack so that we don't try it again.
+                exports.commandStack.shift();
+                continue;
+            }
+            const results = await runCommands([
+                [
+                    powerShellCommand,
+                    "-NoProfile",
+                    "-NonInteractive",
+                    "-Command",
+                    `
+          $tenantId = "${tenantId !== null && tenantId !== void 0 ? tenantId : ""}"
+          $m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru
+          $useSecureString = $m.Version -ge [version]'2.17.0'
+          $params = @{
+            ResourceUrl = "${resource}"
+          }
+          if ($tenantId.Length -gt 0) {
+            $params["TenantId"] = $tenantId
+          }
+          if ($useSecureString) {
+            $params["AsSecureString"] = $true
+          }
+          $token = Get-AzAccessToken @params
+          $result = New-Object -TypeName PSObject
+          $result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn
+          if ($useSecureString) {
+            $result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)
+          } else {
+            $result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token
+          }
+          Write-Output (ConvertTo-Json $result)
+          `,
+                ],
+            ]);
+            const result = results[0];
+            return parseJsonToken(result);
+        }
+        throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracing_js_1.tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
+            const tenantId = (0, tenantIdUtils_js_1.processMultiTenantRequest)(this.tenantId, options, this.additionallyAllowedTenantIds);
+            const scope = typeof scopes === "string" ? scopes : scopes[0];
+            if (tenantId) {
+                (0, tenantIdUtils_js_1.checkTenantId)(logger, tenantId);
+            }
+            try {
+                (0, scopeUtils_js_1.ensureValidScopeForDevTimeCreds)(scope, logger);
+                logger.getToken.info(`Using the scope ${scope}`);
+                const resource = (0, scopeUtils_js_1.getScopeResource)(scope);
+                const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
+                logger.getToken.info((0, logging_js_1.formatSuccess)(scopes));
+                return {
+                    token: response.Token,
+                    expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
+                    tokenType: "Bearer",
+                };
+            }
+            catch (err) {
+                if (isNotInstalledError(err)) {
+                    const error = new errors_js_1.CredentialUnavailableError(exports.powerShellPublicErrorMessages.installed);
+                    logger.getToken.info((0, logging_js_1.formatError)(scope, error));
+                    throw error;
+                }
+                else if (isLoginError(err)) {
+                    const error = new errors_js_1.CredentialUnavailableError(exports.powerShellPublicErrorMessages.login);
+                    logger.getToken.info((0, logging_js_1.formatError)(scope, error));
+                    throw error;
+                }
+                const error = new errors_js_1.CredentialUnavailableError(`${err}. ${exports.powerShellPublicErrorMessages.troubleshoot}`);
+                logger.getToken.info((0, logging_js_1.formatError)(scope, error));
+                throw error;
+            }
+        });
+    }
+}
+exports.AzurePowerShellCredential = AzurePowerShellCredential;
+/**
+ *
+ * @internal
+ */
+async function parseJsonToken(result) {
+    const jsonRegex = /{[^{}]*}/g;
+    const matches = result.match(jsonRegex);
+    let resultWithoutToken = result;
+    if (matches) {
+        try {
+            for (const item of matches) {
+                try {
+                    const jsonContent = JSON.parse(item);
+                    if (jsonContent === null || jsonContent === void 0 ? void 0 : jsonContent.Token) {
+                        resultWithoutToken = resultWithoutToken.replace(item, "");
+                        if (resultWithoutToken) {
+                            logger.getToken.warning(resultWithoutToken);
+                        }
+                        return jsonContent;
+                    }
+                }
+                catch (e) {
+                    continue;
+                }
+            }
+        }
+        catch (e) {
+            throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
+        }
+    }
+    throw new Error(`No access token found in the output. Received output: ${result}`);
+}
+//# sourceMappingURL=azurePowerShellCredential.js.map

package/dist/commonjs/credentials/azurePowerShellCredential.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"azurePowerShellCredential.js","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredential.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC;;;AAyBlC,sCAMC;AAsND,wCA2BC;AA7QD,+DAIkC;AAClC,mDAAkF;AAClF,yDAA0F;AAG1F,4CAA0D;AAC1D,6DAAuD;AACvD,mDAAmD;AAEnD,MAAM,MAAM,GAAG,IAAA,6BAAgB,EAAC,2BAA2B,CAAC,CAAC;AAE7D,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AAE/C;;;;GAIG;AACH,SAAgB,aAAa,CAAC,WAAmB;IAC/C,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,GAAG,WAAW,MAAM,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,OAAO,WAAW,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,WAAW,CAAC,QAAoB,EAAE,OAAgB;IAC/D,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,EAAE,GAAG,UAAU,CAAC,GAAG,OAAO,CAAC;QACtC,MAAM,MAAM,GAAG,CAAC,MAAM,8BAAY,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,EAAE;YAC5D,QAAQ,EAAE,MAAM;YAChB,OAAO;SACR,CAAC,CAAW,CAAC;QAEd,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACU,QAAA,gBAAgB,GAAG;IAC9B,KAAK,EAAE,gCAAgC;IACvC,SAAS,EACP,uIAAuI;CAC1I,CAAC;AAEF;;;GAGG;AACU,QAAA,6BAA6B,GAAG;IAC3C,KAAK,EACH,8FAA8F;IAChG,SAAS,EAAE,4KAA4K;IACvL,YAAY,EAAE,4FAA4F;CAC3G,CAAC;AAEF,mDAAmD;AACnD,MAAM,YAAY,GAA4C,CAAC,GAAU,EAAE,EAAE,CAC3E,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,wBAAgB,CAAC,KAAK,MAAM,CAAC,CAAC;AAEzD,qDAAqD;AACrD,MAAM,mBAAmB,GAA4C,CAAC,GAAU,EAAE,EAAE,CAClF,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,wBAAgB,CAAC,SAAS,CAAC,CAAC;AAEhD;;;;GAIG;AACU,QAAA,YAAY,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;AAEpD,IAAI,SAAS,EAAE,CAAC;IACd,oBAAY,CAAC,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAa,yBAAyB;IAKpC;;;;;;;;;;OAUG;IACH,YAAY,OAA0C;QACpD,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,EAAE,CAAC;YACtB,IAAA,gCAAa,EAAC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,IAAA,sDAAmC,EACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,6BAA6B,CACzC,QAAgB,EAChB,QAAiB,EACjB,OAAgB;QAEhB,uDAAuD;QACvD,KAAK,MAAM,iBAAiB,IAAI,CAAC,GAAG,oBAAY,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,WAAW,CAAC,CAAC,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;YAC1D,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,gFAAgF;gBAChF,oBAAY,CAAC,KAAK,EAAE,CAAC;gBACrB,SAAS;YACX,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC;gBAChC;oBACE,iBAAiB;oBACjB,YAAY;oBACZ,iBAAiB;oBACjB,UAAU;oBACV;yBACe,QAAQ,aAAR,QAAQ,cAAR,QAAQ,GAAI,EAAE;;;;;6BAKV,QAAQ;;;;;;;;;;;;;;;;;;;;;;WAsB1B;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAC1B,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;IAC9F,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,OAAO,0BAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACrF,MAAM,QAAQ,GAAG,IAAA,4CAAyB,EACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;YACF,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC9D,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAA,gCAAa,EAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YAClC,CAAC;YACD,IAAI,CAAC;gBACH,IAAA,+CAA+B,EAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC/C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;gBACjD,MAAM,QAAQ,GAAG,IAAA,gCAAgB,EAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,6BAA6B,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC5F,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,0BAAa,EAAC,MAAM,CAAC,CAAC,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,kBAAkB,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;oBAC1D,SAAS,EAAE,QAAQ;iBACL,CAAC;YACnB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,IAAI,mBAAmB,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,qCAA6B,CAAC,SAAS,CAAC,CAAC;oBACtF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;oBAChD,MAAM,KAAK,CAAC;gBACd,CAAC;qBAAM,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAAC,qCAA6B,CAAC,KAAK,CAAC,CAAC;oBAClF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;oBAChD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,MAAM,KAAK,GAAG,IAAI,sCAA0B,CAC1C,GAAG,GAAG,KAAK,qCAA6B,CAAC,YAAY,EAAE,CACxD,CAAC;gBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAA,wBAAW,EAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;gBAChD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AA5ID,8DA4IC;AAED;;;GAGG;AACI,KAAK,UAAU,cAAc,CAClC,MAAc;IAEd,MAAM,SAAS,GAAG,WAAW,CAAC;IAC9B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,kBAAkB,GAAG,MAAM,CAAC;IAChC,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrC,IAAI,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,KAAK,EAAE,CAAC;wBACvB,kBAAkB,GAAG,kBAAkB,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;wBAC1D,IAAI,kBAAkB,EAAE,CAAC;4BACvB,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;wBAC9C,CAAC;wBACD,OAAO,WAAW,CAAC;oBACrB,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,8DAA8D,MAAM,EAAE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,yDAAyD,MAAM,EAAE,CAAC,CAAC;AACrF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n checkTenantId,\n processMultiTenantRequest,\n resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { ensureValidScopeForDevTimeCreds, getScopeResource } from \"../util/scopeUtils.js\";\n\nimport type { AzurePowerShellCredentialOptions } from \"./azurePowerShellCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport { processUtils } from \"../util/processUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\n\nconst logger = credentialLogger(\"AzurePowerShellCredential\");\n\nconst isWindows = process.platform === \"win32\";\n\n/**\n * Returns a platform-appropriate command name by appending \".exe\" on Windows.\n *\n * @internal\n */\nexport function formatCommand(commandName: string): string {\n if (isWindows) {\n return `${commandName}.exe`;\n } else {\n return commandName;\n }\n}\n\n/**\n * Receives a list of commands to run, executes them, then returns the outputs.\n * If anything fails, an error is thrown.\n * @internal\n */\nasync function runCommands(commands: string[][], timeout?: number): Promise<string[]> {\n const results: string[] = [];\n\n for (const command of commands) {\n const [file, ...parameters] = command;\n const result = (await processUtils.execFile(file, parameters, {\n encoding: \"utf8\",\n timeout,\n })) as string;\n\n results.push(result);\n }\n\n return results;\n}\n\n/**\n * Known PowerShell errors\n * @internal\n */\nexport const powerShellErrors = {\n login: \"Run Connect-AzAccount to login\",\n installed:\n \"The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory\",\n};\n\n/**\n * Messages to use when throwing in this credential.\n * @internal\n */\nexport const powerShellPublicErrorMessages = {\n login:\n \"Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.\",\n installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: \"Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force\".`,\n troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,\n};\n\n// PowerShell Azure User not logged in error check.\nconst isLoginError: (err: Error) => RegExpMatchArray | null = (err: Error) =>\n err.message.match(`(.*)${powerShellErrors.login}(.*)`);\n\n// Az Module not Installed in Azure PowerShell check.\nconst isNotInstalledError: (err: Error) => RegExpMatchArray | null = (err: Error) =>\n err.message.match(powerShellErrors.installed);\n\n/**\n * The PowerShell commands to be tried, in order.\n *\n * @internal\n */\nexport const commandStack = [formatCommand(\"pwsh\")];\n\nif (isWindows) {\n commandStack.push(formatCommand(\"powershell\"));\n}\n\n/**\n * This credential will use the currently logged-in user information from the\n * Azure PowerShell module. To do so, it will read the user access token and\n * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`\n */\nexport class AzurePowerShellCredential implements TokenCredential {\n private tenantId?: string;\n private additionallyAllowedTenantIds: string[];\n private timeout?: number;\n\n /**\n * Creates an instance of the {@link AzurePowerShellCredential}.\n *\n * To use this credential:\n * - Install the Azure Az PowerShell module with:\n * `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.\n * - You have already logged in to Azure PowerShell using the command\n * `Connect-AzAccount` from the command line.\n *\n * @param options - Options, to optionally allow multi-tenant requests.\n */\n constructor(options?: AzurePowerShellCredentialOptions) {\n if (options?.tenantId) {\n checkTenantId(logger, options?.tenantId);\n this.tenantId = options?.tenantId;\n }\n this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n options?.additionallyAllowedTenants,\n );\n this.timeout = options?.processTimeoutInMs;\n }\n\n /**\n * Gets the access token from Azure PowerShell\n * @param resource - The resource to use when getting the token\n */\n private async getAzurePowerShellAccessToken(\n resource: string,\n tenantId?: string,\n timeout?: number,\n ): Promise<{ Token: string; ExpiresOn: string }> {\n // Clone the stack to avoid mutating it while iterating\n for (const powerShellCommand of [...commandStack]) {\n try {\n await runCommands([[powerShellCommand, \"/?\"]], timeout);\n } catch (e: any) {\n // Remove this credential from the original stack so that we don't try it again.\n commandStack.shift();\n continue;\n }\n\n const results = await runCommands([\n [\n powerShellCommand,\n \"-NoProfile\",\n \"-NonInteractive\",\n \"-Command\",\n `\n $tenantId = \"${tenantId ?? \"\"}\"\n $m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru\n $useSecureString = $m.Version -ge [version]'2.17.0'\n\n $params = @{\n ResourceUrl = \"${resource}\"\n }\n\n if ($tenantId.Length -gt 0) {\n $params[\"TenantId\"] = $tenantId\n }\n\n if ($useSecureString) {\n $params[\"AsSecureString\"] = $true\n }\n\n $token = Get-AzAccessToken @params\n\n $result = New-Object -TypeName PSObject\n $result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn\n if ($useSecureString) {\n $result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)\n } else {\n $result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token\n }\n\n Write-Output (ConvertTo-Json $result)\n `,\n ],\n ]);\n\n const result = results[0];\n return parseJsonToken(result);\n }\n throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);\n }\n\n /**\n * Authenticates with Microsoft Entra ID and returns an access token if successful.\n * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.\n *\n * @param scopes - The list of scopes for which the token will have access.\n * @param options - The options used to configure any requests this TokenCredential implementation might make.\n */\n public async getToken(\n scopes: string | string[],\n options: GetTokenOptions = {},\n ): Promise<AccessToken> {\n return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n const tenantId = processMultiTenantRequest(\n this.tenantId,\n options,\n this.additionallyAllowedTenantIds,\n );\n const scope = typeof scopes === \"string\" ? scopes : scopes[0];\n if (tenantId) {\n checkTenantId(logger, tenantId);\n }\n try {\n ensureValidScopeForDevTimeCreds(scope, logger);\n logger.getToken.info(`Using the scope ${scope}`);\n const resource = getScopeResource(scope);\n const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);\n logger.getToken.info(formatSuccess(scopes));\n return {\n token: response.Token,\n expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),\n tokenType: \"Bearer\",\n } as AccessToken;\n } catch (err: any) {\n if (isNotInstalledError(err)) {\n const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);\n logger.getToken.info(formatError(scope, error));\n throw error;\n } else if (isLoginError(err)) {\n const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);\n logger.getToken.info(formatError(scope, error));\n throw error;\n }\n const error = new CredentialUnavailableError(\n `${err}. ${powerShellPublicErrorMessages.troubleshoot}`,\n );\n logger.getToken.info(formatError(scope, error));\n throw error;\n }\n });\n }\n}\n\n/**\n *\n * @internal\n */\nexport async function parseJsonToken(\n result: string,\n): Promise<{ Token: string; ExpiresOn: string }> {\n const jsonRegex = /{[^{}]*}/g;\n const matches = result.match(jsonRegex);\n let resultWithoutToken = result;\n if (matches) {\n try {\n for (const item of matches) {\n try {\n const jsonContent = JSON.parse(item);\n if (jsonContent?.Token) {\n resultWithoutToken = resultWithoutToken.replace(item, \"\");\n if (resultWithoutToken) {\n logger.getToken.warning(resultWithoutToken);\n }\n return jsonContent;\n }\n } catch (e) {\n continue;\n }\n }\n } catch (e: any) {\n throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);\n }\n }\n throw new Error(`No access token found in the output. Received output: ${result}`);\n}\n"]}

package/dist/commonjs/credentials/azurePowerShellCredentialOptions.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Options for the {@link AzurePowerShellCredential}
+ */
+export interface AzurePowerShellCredentialOptions extends MultiTenantTokenCredentialOptions {
+    /**
+     * Allows specifying a tenant ID
+     */
+    tenantId?: string;
+    /**
+     * Process timeout configurable for making token requests, provided in milliseconds
+     */
+    processTimeoutInMs?: number;
+}
+//# sourceMappingURL=azurePowerShellCredentialOptions.d.ts.map

package/dist/commonjs/credentials/azurePowerShellCredentialOptions.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"azurePowerShellCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,gCAAiC,SAAQ,iCAAiC;IACzF;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B"}

package/dist/commonjs/credentials/azurePowerShellCredentialOptions.js ADDED Viewed

@@ -0,0 +1,5 @@
+"use strict";
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=azurePowerShellCredentialOptions.js.map

package/dist/commonjs/credentials/azurePowerShellCredentialOptions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"azurePowerShellCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredentialOptions.ts"],"names":[],"mappings":";AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link AzurePowerShellCredential}\n */\nexport interface AzurePowerShellCredentialOptions extends MultiTenantTokenCredentialOptions {\n /**\n * Allows specifying a tenant ID\n */\n tenantId?: string;\n /**\n * Process timeout configurable for making token requests, provided in milliseconds\n */\n processTimeoutInMs?: number;\n}\n"]}

package/dist/commonjs/credentials/brokerAuthOptions.d.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { BrokerOptions } from "../msal/nodeFlows/brokerOptions.js";
+/**
+ * Configuration options for InteractiveBrowserCredential
+ * to support WAM Broker Authentication.
+ */
+export interface BrokerAuthOptions {
+    /**
+     * Options to allow broker authentication when using InteractiveBrowserCredential
+     *
+     */
+    brokerOptions?: BrokerOptions;
+}
+//# sourceMappingURL=brokerAuthOptions.d.ts.map

package/dist/commonjs/credentials/brokerAuthOptions.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"brokerAuthOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/brokerAuthOptions.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAExE;;;GAGG;AAEH,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,aAAa,CAAC,EAAE,aAAa,CAAC;CAC/B"}

package/dist/commonjs/credentials/brokerAuthOptions.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=brokerAuthOptions.js.map

package/dist/commonjs/credentials/brokerAuthOptions.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"brokerAuthOptions.js","sourceRoot":"","sources":["../../../src/credentials/brokerAuthOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\nimport type { BrokerOptions } from \"../msal/nodeFlows/brokerOptions.js\";\n\n/**\n * Configuration options for InteractiveBrowserCredential\n * to support WAM Broker Authentication.\n */\n\nexport interface BrokerAuthOptions {\n /**\n * Options to allow broker authentication when using InteractiveBrowserCredential\n *\n */\n brokerOptions?: BrokerOptions;\n}\n"]}

package/dist/commonjs/credentials/browserCustomizationOptions.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Shared configuration options for browser customization
+ */
+export interface BrowserCustomizationOptions {
+    /**
+     * Shared configuration options for browser customization
+     */
+    browserCustomizationOptions?: {
+        /**
+         * Format for error messages for display in browser
+         */
+        errorMessage?: string;
+        /**
+         * Format for success messages for display in browser
+         */
+        successMessage?: string;
+    };
+}
+//# sourceMappingURL=browserCustomizationOptions.d.ts.map

package/dist/commonjs/credentials/browserCustomizationOptions.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"browserCustomizationOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/browserCustomizationOptions.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C;;OAEG;IACH,2BAA2B,CAAC,EAAE;QAC5B;;WAEG;QACH,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB;;WAEG;QACH,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;CACH"}