@azure/identity 4.8.1-alpha.20250410.1 → 4.9.1-alpha.20250416.4

package/dist/workerd/credentials/azureCliCredentialOptions.d.ts

@@ -0,0 +1,20 @@
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Options for the {@link AzureCliCredential}
+ */
+export interface AzureCliCredentialOptions extends MultiTenantTokenCredentialOptions {
+    /**
+     * Allows specifying a tenant ID
+     */
+    tenantId?: string;
+    /**
+     * Process timeout configurable for making token requests, provided in milliseconds
+     */
+    processTimeoutInMs?: number;
+    /**
+     * Subscription is the name or ID of a subscription. Set this to acquire tokens for an account other
+     * than the Azure CLI's current account.
+     */
+    subscription?: string;
+}
+//# sourceMappingURL=azureCliCredentialOptions.d.ts.map

package/dist/workerd/credentials/azureCliCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureCliCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureCliCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,yBAA0B,SAAQ,iCAAiC;IAClF;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB"}

package/dist/workerd/credentials/azureCliCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=azureCliCredentialOptions.js.map

package/dist/workerd/credentials/azureCliCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureCliCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/azureCliCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link AzureCliCredential}\n */\nexport interface AzureCliCredentialOptions extends MultiTenantTokenCredentialOptions {\n  /**\n   * Allows specifying a tenant ID\n   */\n  tenantId?: string;\n  /**\n   * Process timeout configurable for making token requests, provided in milliseconds\n   */\n  processTimeoutInMs?: number;\n  /**\n   * Subscription is the name or ID of a subscription. Set this to acquire tokens for an account other\n   * than the Azure CLI's current account.\n   */\n  subscription?: string;\n}\n"]}

package/dist/workerd/credentials/azureDeveloperCliCredential.d.ts

@@ -0,0 +1,71 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { AzureDeveloperCliCredentialOptions } from "./azureDeveloperCliCredentialOptions.js";
+/**
+ * Mockable reference to the Developer CLI credential cliCredentialFunctions
+ * @internal
+ */
+export declare const developerCliCredentialInternals: {
+    /**
+     * @internal
+     */
+    getSafeWorkingDir(): string;
+    /**
+     * Gets the access token from Azure Developer CLI
+     * @param scopes - The scopes to use when getting the token
+     * @internal
+     */
+    getAzdAccessToken(scopes: string[], tenantId?: string, timeout?: number): Promise<{
+        stdout: string;
+        stderr: string;
+        error: Error | null;
+    }>;
+};
+/**
+ * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
+ * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
+ * to Azure developers. It allows users to authenticate as a user and/or a service principal against
+ * <a href="https://learn.microsoft.com/entra/fundamentals/">Microsoft Entra ID</a>. The
+ * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
+ * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
+ * service principal and executes an Azure CLI command underneath to authenticate the application against
+ * Microsoft Entra ID.
+ *
+ * <h2> Configure AzureDeveloperCliCredential </h2>
+ *
+ * To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the
+ * commands below:
+ *
+ * <ol>
+ *     <li>Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.</li>
+ *     <li>Run "azd auth login --client-id clientID --client-secret clientSecret
+ *     --tenant-id tenantID" to authenticate as a service principal.</li>
+ * </ol>
+ *
+ * You may need to repeat this process after a certain time period, depending on the refresh token validity in your
+ * organization. Generally, the refresh token validity period is a few weeks to a few months.
+ * AzureDeveloperCliCredential will prompt you to sign in again.
+ */
+export declare class AzureDeveloperCliCredential implements TokenCredential {
+    private tenantId?;
+    private additionallyAllowedTenantIds;
+    private timeout?;
+    /**
+     * Creates an instance of the {@link AzureDeveloperCliCredential}.
+     *
+     * To use this credential, ensure that you have already logged
+     * in via the 'azd' tool using the command "azd auth login" from the commandline.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options?: AzureDeveloperCliCredentialOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+//# sourceMappingURL=azureDeveloperCliCredential.d.ts.map

package/dist/workerd/credentials/azureDeveloperCliCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureDeveloperCliCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEtF,OAAO,KAAK,EAAE,kCAAkC,EAAE,MAAM,yCAAyC,CAAC;AAalG;;;GAGG;AACH,eAAO,MAAM,+BAA+B;IAC1C;;OAEG;yBACkB,MAAM;IAiB3B;;;;OAIG;8BAEO,MAAM,EAAE,aACL,MAAM,YACP,MAAM,GACf,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;KAAE,CAAC;CAiCpE,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,2BAA4B,YAAW,eAAe;IACjE,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IAEzB;;;;;;;OAOG;gBACS,OAAO,CAAC,EAAE,kCAAkC;IAWxD;;;;;;;OAOG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;CA4ExB"}

package/dist/workerd/credentials/azureDeveloperCliCredential.js

@@ -0,0 +1,173 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { credentialLogger, formatError, formatSuccess } from "../util/logging.js";
+import { CredentialUnavailableError } from "../errors.js";
+import child_process from "child_process";
+import { checkTenantId, processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils.js";
+import { tracingClient } from "../util/tracing.js";
+import { ensureValidScopeForDevTimeCreds } from "../util/scopeUtils.js";
+const logger = credentialLogger("AzureDeveloperCliCredential");
+/**
+ * Mockable reference to the Developer CLI credential cliCredentialFunctions
+ * @internal
+ */
+export const developerCliCredentialInternals = {
+    /**
+     * @internal
+     */
+    getSafeWorkingDir() {
+        if (process.platform === "win32") {
+            let systemRoot = process.env.SystemRoot || process.env["SYSTEMROOT"];
+            if (!systemRoot) {
+                logger.getToken.warning("The SystemRoot environment variable is not set. This may cause issues when using the Azure Developer CLI credential.");
+                systemRoot = "C:\\Windows";
+            }
+            return systemRoot;
+        }
+        else {
+            return "/bin";
+        }
+    },
+    /**
+     * Gets the access token from Azure Developer CLI
+     * @param scopes - The scopes to use when getting the token
+     * @internal
+     */
+    async getAzdAccessToken(scopes, tenantId, timeout) {
+        let tenantSection = [];
+        if (tenantId) {
+            tenantSection = ["--tenant-id", tenantId];
+        }
+        return new Promise((resolve, reject) => {
+            try {
+                child_process.execFile("azd", [
+                    "auth",
+                    "token",
+                    "--output",
+                    "json",
+                    ...scopes.reduce((previous, current) => previous.concat("--scope", current), []),
+                    ...tenantSection,
+                ], {
+                    cwd: developerCliCredentialInternals.getSafeWorkingDir(),
+                    timeout,
+                }, (error, stdout, stderr) => {
+                    resolve({ stdout, stderr, error });
+                });
+            }
+            catch (err) {
+                reject(err);
+            }
+        });
+    },
+};
+/**
+ * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy
+ * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific
+ * to Azure developers. It allows users to authenticate as a user and/or a service principal against
+ * <a href="https://learn.microsoft.com/entra/fundamentals/">Microsoft Entra ID</a>. The
+ * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of
+ * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or
+ * service principal and executes an Azure CLI command underneath to authenticate the application against
+ * Microsoft Entra ID.
+ *
+ * <h2> Configure AzureDeveloperCliCredential </h2>
+ *
+ * To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the
+ * commands below:
+ *
+ * <ol>
+ *     <li>Run "azd auth login" in Azure Developer CLI to authenticate interactively as a user.</li>
+ *     <li>Run "azd auth login --client-id clientID --client-secret clientSecret
+ *     --tenant-id tenantID" to authenticate as a service principal.</li>
+ * </ol>
+ *
+ * You may need to repeat this process after a certain time period, depending on the refresh token validity in your
+ * organization. Generally, the refresh token validity period is a few weeks to a few months.
+ * AzureDeveloperCliCredential will prompt you to sign in again.
+ */
+export class AzureDeveloperCliCredential {
+    /**
+     * Creates an instance of the {@link AzureDeveloperCliCredential}.
+     *
+     * To use this credential, ensure that you have already logged
+     * in via the 'azd' tool using the command "azd auth login" from the commandline.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options) {
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            checkTenantId(logger, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
+        if (tenantId) {
+            checkTenantId(logger, tenantId);
+        }
+        let scopeList;
+        if (typeof scopes === "string") {
+            scopeList = [scopes];
+        }
+        else {
+            scopeList = scopes;
+        }
+        logger.getToken.info(`Using the scopes ${scopes}`);
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
+            var _a, _b, _c, _d;
+            try {
+                scopeList.forEach((scope) => {
+                    ensureValidScopeForDevTimeCreds(scope, logger);
+                });
+                const obj = await developerCliCredentialInternals.getAzdAccessToken(scopeList, tenantId, this.timeout);
+                const isNotLoggedInError = ((_a = obj.stderr) === null || _a === void 0 ? void 0 : _a.match("not logged in, run `azd login` to login")) ||
+                    ((_b = obj.stderr) === null || _b === void 0 ? void 0 : _b.match("not logged in, run `azd auth login` to login"));
+                const isNotInstallError = ((_c = obj.stderr) === null || _c === void 0 ? void 0 : _c.match("azd:(.*)not found")) ||
+                    ((_d = obj.stderr) === null || _d === void 0 ? void 0 : _d.startsWith("'azd' is not recognized"));
+                if (isNotInstallError || (obj.error && obj.error.code === "ENOENT")) {
+                    const error = new CredentialUnavailableError("Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
+                    logger.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                if (isNotLoggedInError) {
+                    const error = new CredentialUnavailableError("Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.");
+                    logger.getToken.info(formatError(scopes, error));
+                    throw error;
+                }
+                try {
+                    const resp = JSON.parse(obj.stdout);
+                    logger.getToken.info(formatSuccess(scopes));
+                    return {
+                        token: resp.token,
+                        expiresOnTimestamp: new Date(resp.expiresOn).getTime(),
+                        tokenType: "Bearer",
+                    };
+                }
+                catch (e) {
+                    if (obj.stderr) {
+                        throw new CredentialUnavailableError(obj.stderr);
+                    }
+                    throw e;
+                }
+            }
+            catch (err) {
+                const error = err.name === "CredentialUnavailableError"
+                    ? err
+                    : new CredentialUnavailableError(err.message || "Unknown error while trying to retrieve the access token");
+                logger.getToken.info(formatError(scopes, error));
+                throw error;
+            }
+        });
+    }
+}
+//# sourceMappingURL=azureDeveloperCliCredential.js.map

package/dist/workerd/credentials/azureDeveloperCliCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureDeveloperCliCredential.js","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAElF,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,aAAa,MAAM,eAAe,CAAC;AAC1C,OAAO,EACL,aAAa,EACb,yBAAyB,EACzB,mCAAmC,GACpC,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,+BAA+B,EAAE,MAAM,uBAAuB,CAAC;AAExE,MAAM,MAAM,GAAG,gBAAgB,CAAC,6BAA6B,CAAC,CAAC;AAE/D;;;GAGG;AACH,MAAM,CAAC,MAAM,+BAA+B,GAAG;IAC7C;;OAEG;IACH,iBAAiB;QACf,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,IAAI,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,CAAC,QAAQ,CAAC,OAAO,CACrB,sHAAsH,CACvH,CAAC;gBAEF,UAAU,GAAG,aAAa,CAAC;YAC7B,CAAC;YAED,OAAO,UAAU,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,OAAO,MAAM,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,iBAAiB,CACrB,MAAgB,EAChB,QAAiB,EACjB,OAAgB;QAEhB,IAAI,aAAa,GAAa,EAAE,CAAC;QACjC,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,GAAG,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,IAAI,CAAC;gBACH,aAAa,CAAC,QAAQ,CACpB,KAAK,EACL;oBACE,MAAM;oBACN,OAAO;oBACP,UAAU;oBACV,MAAM;oBACN,GAAG,MAAM,CAAC,MAAM,CACd,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,EAC1D,EAAE,CACH;oBACD,GAAG,aAAa;iBACjB,EACD;oBACE,GAAG,EAAE,+BAA+B,CAAC,iBAAiB,EAAE;oBACxD,OAAO;iBACR,EACD,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;oBACxB,OAAO,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;gBACrC,CAAC,CACF,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,OAAO,2BAA2B;IAKtC;;;;;;;OAOG;IACH,YAAY,OAA4C;QACtD,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,EAAE,CAAC;YACtB,aAAa,CAAC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,MAAM,QAAQ,GAAG,yBAAyB,CACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;QACF,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,SAAmB,CAAC;QACxB,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC/B,SAAS,GAAG,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,SAAS,GAAG,MAAM,CAAC;QACrB,CAAC;QACD,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,oBAAoB,MAAM,EAAE,CAAC,CAAC;QAEnD,OAAO,aAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;;YACrF,IAAI,CAAC;gBACH,SAAS,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;oBAC1B,+BAA+B,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBACjD,CAAC,CAAC,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,+BAA+B,CAAC,iBAAiB,CACjE,SAAS,EACT,QAAQ,EACR,IAAI,CAAC,OAAO,CACb,CAAC;gBACF,MAAM,kBAAkB,GACtB,CAAA,MAAA,GAAG,CAAC,MAAM,0CAAE,KAAK,CAAC,yCAAyC,CAAC;qBAC5D,MAAA,GAAG,CAAC,MAAM,0CAAE,KAAK,CAAC,8CAA8C,CAAC,CAAA,CAAC;gBACpE,MAAM,iBAAiB,GACrB,CAAA,MAAA,GAAG,CAAC,MAAM,0CAAE,KAAK,CAAC,mBAAmB,CAAC;qBACtC,MAAA,GAAG,CAAC,MAAM,0CAAE,UAAU,CAAC,yBAAyB,CAAC,CAAA,CAAC;gBAEpD,IAAI,iBAAiB,IAAI,CAAC,GAAG,CAAC,KAAK,IAAK,GAAG,CAAC,KAAa,CAAC,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;oBAC7E,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,wKAAwK,CACzK,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,IAAI,kBAAkB,EAAE,CAAC;oBACvB,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,+NAA+N,CAChO,CAAC;oBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjD,MAAM,KAAK,CAAC;gBACd,CAAC;gBAED,IAAI,CAAC;oBACH,MAAM,IAAI,GAAyC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBAC1E,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;oBAC5C,OAAO;wBACL,KAAK,EAAE,IAAI,CAAC,KAAK;wBACjB,kBAAkB,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;wBACtD,SAAS,EAAE,QAAQ;qBACL,CAAC;gBACnB,CAAC;gBAAC,OAAO,CAAM,EAAE,CAAC;oBAChB,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;wBACf,MAAM,IAAI,0BAA0B,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;oBACnD,CAAC;oBACD,MAAM,CAAC,CAAC;gBACV,CAAC;YACH,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,KAAK,GACT,GAAG,CAAC,IAAI,KAAK,4BAA4B;oBACvC,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,IAAI,0BAA0B,CAC3B,GAAa,CAAC,OAAO,IAAI,yDAAyD,CACpF,CAAC;gBACR,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACjD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport type { AzureDeveloperCliCredentialOptions } from \"./azureDeveloperCliCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport child_process from \"child_process\";\nimport {\n  checkTenantId,\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\nimport { ensureValidScopeForDevTimeCreds } from \"../util/scopeUtils.js\";\n\nconst logger = credentialLogger(\"AzureDeveloperCliCredential\");\n\n/**\n * Mockable reference to the Developer CLI credential cliCredentialFunctions\n * @internal\n */\nexport const developerCliCredentialInternals = {\n  /**\n   * @internal\n   */\n  getSafeWorkingDir(): string {\n    if (process.platform === \"win32\") {\n      let systemRoot = process.env.SystemRoot || process.env[\"SYSTEMROOT\"];\n      if (!systemRoot) {\n        logger.getToken.warning(\n          \"The SystemRoot environment variable is not set. This may cause issues when using the Azure Developer CLI credential.\",\n        );\n\n        systemRoot = \"C:\\\\Windows\";\n      }\n\n      return systemRoot;\n    } else {\n      return \"/bin\";\n    }\n  },\n\n  /**\n   * Gets the access token from Azure Developer CLI\n   * @param scopes - The scopes to use when getting the token\n   * @internal\n   */\n  async getAzdAccessToken(\n    scopes: string[],\n    tenantId?: string,\n    timeout?: number,\n  ): Promise<{ stdout: string; stderr: string; error: Error | null }> {\n    let tenantSection: string[] = [];\n    if (tenantId) {\n      tenantSection = [\"--tenant-id\", tenantId];\n    }\n    return new Promise((resolve, reject) => {\n      try {\n        child_process.execFile(\n          \"azd\",\n          [\n            \"auth\",\n            \"token\",\n            \"--output\",\n            \"json\",\n            ...scopes.reduce<string[]>(\n              (previous, current) => previous.concat(\"--scope\", current),\n              [],\n            ),\n            ...tenantSection,\n          ],\n          {\n            cwd: developerCliCredentialInternals.getSafeWorkingDir(),\n            timeout,\n          },\n          (error, stdout, stderr) => {\n            resolve({ stdout, stderr, error });\n          },\n        );\n      } catch (err: any) {\n        reject(err);\n      }\n    });\n  },\n};\n\n/**\n * Azure Developer CLI is a command-line interface tool that allows developers to create, manage, and deploy\n * resources in Azure. It's built on top of the Azure CLI and provides additional functionality specific\n * to Azure developers. It allows users to authenticate as a user and/or a service principal against\n * <a href=\"https://learn.microsoft.com/entra/fundamentals/\">Microsoft Entra ID</a>. The\n * AzureDeveloperCliCredential authenticates in a development environment and acquires a token on behalf of\n * the logged-in user or service principal in the Azure Developer CLI. It acts as the Azure Developer CLI logged in user or\n * service principal and executes an Azure CLI command underneath to authenticate the application against\n * Microsoft Entra ID.\n *\n * <h2> Configure AzureDeveloperCliCredential </h2>\n *\n * To use this credential, the developer needs to authenticate locally in Azure Developer CLI using one of the\n * commands below:\n *\n * <ol>\n *     <li>Run \"azd auth login\" in Azure Developer CLI to authenticate interactively as a user.</li>\n *     <li>Run \"azd auth login --client-id clientID --client-secret clientSecret\n *     --tenant-id tenantID\" to authenticate as a service principal.</li>\n * </ol>\n *\n * You may need to repeat this process after a certain time period, depending on the refresh token validity in your\n * organization. Generally, the refresh token validity period is a few weeks to a few months.\n * AzureDeveloperCliCredential will prompt you to sign in again.\n */\nexport class AzureDeveloperCliCredential implements TokenCredential {\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private timeout?: number;\n\n  /**\n   * Creates an instance of the {@link AzureDeveloperCliCredential}.\n   *\n   * To use this credential, ensure that you have already logged\n   * in via the 'azd' tool using the command \"azd auth login\" from the commandline.\n   *\n   * @param options - Options, to optionally allow multi-tenant requests.\n   */\n  constructor(options?: AzureDeveloperCliCredentialOptions) {\n    if (options?.tenantId) {\n      checkTenantId(logger, options?.tenantId);\n      this.tenantId = options?.tenantId;\n    }\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    this.timeout = options?.processTimeoutInMs;\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    const tenantId = processMultiTenantRequest(\n      this.tenantId,\n      options,\n      this.additionallyAllowedTenantIds,\n    );\n    if (tenantId) {\n      checkTenantId(logger, tenantId);\n    }\n    let scopeList: string[];\n    if (typeof scopes === \"string\") {\n      scopeList = [scopes];\n    } else {\n      scopeList = scopes;\n    }\n    logger.getToken.info(`Using the scopes ${scopes}`);\n\n    return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n      try {\n        scopeList.forEach((scope) => {\n          ensureValidScopeForDevTimeCreds(scope, logger);\n        });\n        const obj = await developerCliCredentialInternals.getAzdAccessToken(\n          scopeList,\n          tenantId,\n          this.timeout,\n        );\n        const isNotLoggedInError =\n          obj.stderr?.match(\"not logged in, run `azd login` to login\") ||\n          obj.stderr?.match(\"not logged in, run `azd auth login` to login\");\n        const isNotInstallError =\n          obj.stderr?.match(\"azd:(.*)not found\") ||\n          obj.stderr?.startsWith(\"'azd' is not recognized\");\n\n        if (isNotInstallError || (obj.error && (obj.error as any).code === \"ENOENT\")) {\n          const error = new CredentialUnavailableError(\n            \"Azure Developer CLI couldn't be found. To mitigate this issue, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.\",\n          );\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n\n        if (isNotLoggedInError) {\n          const error = new CredentialUnavailableError(\n            \"Please run 'azd auth login' from a command prompt to authenticate before using this credential. For more information, see the troubleshooting guidelines at https://aka.ms/azsdk/js/identity/azdevclicredential/troubleshoot.\",\n          );\n          logger.getToken.info(formatError(scopes, error));\n          throw error;\n        }\n\n        try {\n          const resp: { token: string; expiresOn: string } = JSON.parse(obj.stdout);\n          logger.getToken.info(formatSuccess(scopes));\n          return {\n            token: resp.token,\n            expiresOnTimestamp: new Date(resp.expiresOn).getTime(),\n            tokenType: \"Bearer\",\n          } as AccessToken;\n        } catch (e: any) {\n          if (obj.stderr) {\n            throw new CredentialUnavailableError(obj.stderr);\n          }\n          throw e;\n        }\n      } catch (err: any) {\n        const error =\n          err.name === \"CredentialUnavailableError\"\n            ? err\n            : new CredentialUnavailableError(\n                (err as Error).message || \"Unknown error while trying to retrieve the access token\",\n              );\n        logger.getToken.info(formatError(scopes, error));\n        throw error;\n      }\n    });\n  }\n}\n"]}

package/dist/workerd/credentials/azureDeveloperCliCredentialOptions.d.ts

@@ -0,0 +1,15 @@
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Options for the {@link AzureDeveloperCliCredential}
+ */
+export interface AzureDeveloperCliCredentialOptions extends MultiTenantTokenCredentialOptions {
+    /**
+     * Allows specifying a tenant ID
+     */
+    tenantId?: string;
+    /**
+     * Process timeout configurable for making token requests, provided in milliseconds
+     */
+    processTimeoutInMs?: number;
+}
+//# sourceMappingURL=azureDeveloperCliCredentialOptions.d.ts.map

package/dist/workerd/credentials/azureDeveloperCliCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureDeveloperCliCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,kCAAmC,SAAQ,iCAAiC;IAC3F;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B"}

package/dist/workerd/credentials/azureDeveloperCliCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=azureDeveloperCliCredentialOptions.js.map

package/dist/workerd/credentials/azureDeveloperCliCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azureDeveloperCliCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/azureDeveloperCliCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link AzureDeveloperCliCredential}\n */\nexport interface AzureDeveloperCliCredentialOptions extends MultiTenantTokenCredentialOptions {\n  /**\n   * Allows specifying a tenant ID\n   */\n  tenantId?: string;\n  /**\n   * Process timeout configurable for making token requests, provided in milliseconds\n   */\n  processTimeoutInMs?: number;\n}\n"]}

package/dist/workerd/credentials/azurePipelinesCredential.d.ts

@@ -0,0 +1,38 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { AzurePipelinesCredentialOptions } from "./azurePipelinesCredentialOptions.js";
+import type { PipelineResponse } from "@azure/core-rest-pipeline";
+/**
+ * This credential is designed to be used in Azure Pipelines with service connections
+ * as a setup for workload identity federation.
+ */
+export declare class AzurePipelinesCredential implements TokenCredential {
+    private clientAssertionCredential;
+    private identityClient;
+    /**
+     * AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.
+     * @param tenantId - tenantId associated with the service connection
+     * @param clientId - clientId associated with the service connection
+     * @param serviceConnectionId - Unique ID for the service connection, as found in the querystring's resourceId key
+     * @param systemAccessToken - The pipeline's <see href="https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken">System.AccessToken</see> value.
+     * @param options - The identity client options to use for authentication.
+     */
+    constructor(tenantId: string, clientId: string, serviceConnectionId: string, systemAccessToken: string, options?: AzurePipelinesCredentialOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} or {@link AuthenticationError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+    /**
+     *
+     * @param oidcRequestUrl - oidc request url
+     * @param systemAccessToken - system access token
+     * @returns OIDC token from Azure Pipelines
+     */
+    private requestOidcToken;
+}
+export declare function handleOidcResponse(response: PipelineResponse): string;
+//# sourceMappingURL=azurePipelinesCredential.d.ts.map

package/dist/workerd/credentials/azurePipelinesCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azurePipelinesCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azurePipelinesCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAItF,OAAO,KAAK,EAAE,+BAA+B,EAAE,MAAM,sCAAsC,CAAC;AAG5F,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAQlE;;;GAGG;AACH,qBAAa,wBAAyB,YAAW,eAAe;IAC9D,OAAO,CAAC,yBAAyB,CAAwC;IACzE,OAAO,CAAC,cAAc,CAAiB;IAEvC;;;;;;;OAOG;gBAED,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,mBAAmB,EAAE,MAAM,EAC3B,iBAAiB,EAAE,MAAM,EACzB,OAAO,GAAE,+BAAoC;IAwD/C;;;;;;;OAOG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,WAAW,CAAC;IAgBvB;;;;;OAKG;YACW,gBAAgB;CAmB/B;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,MAAM,CA6CrE"}

package/dist/workerd/credentials/azurePipelinesCredential.js

@@ -0,0 +1,141 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { AuthenticationError, CredentialUnavailableError } from "../errors.js";
+import { createHttpHeaders, createPipelineRequest } from "@azure/core-rest-pipeline";
+import { ClientAssertionCredential } from "./clientAssertionCredential.js";
+import { IdentityClient } from "../client/identityClient.js";
+import { checkTenantId } from "../util/tenantIdUtils.js";
+import { credentialLogger } from "../util/logging.js";
+const credentialName = "AzurePipelinesCredential";
+const logger = credentialLogger(credentialName);
+const OIDC_API_VERSION = "7.1";
+/**
+ * This credential is designed to be used in Azure Pipelines with service connections
+ * as a setup for workload identity federation.
+ */
+export class AzurePipelinesCredential {
+    /**
+     * AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.
+     * @param tenantId - tenantId associated with the service connection
+     * @param clientId - clientId associated with the service connection
+     * @param serviceConnectionId - Unique ID for the service connection, as found in the querystring's resourceId key
+     * @param systemAccessToken - The pipeline's <see href="https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken">System.AccessToken</see> value.
+     * @param options - The identity client options to use for authentication.
+     */
+    constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options = {}) {
+        var _a, _b;
+        if (!clientId) {
+            throw new CredentialUnavailableError(`${credentialName}: is unavailable. clientId is a required parameter.`);
+        }
+        if (!tenantId) {
+            throw new CredentialUnavailableError(`${credentialName}: is unavailable. tenantId is a required parameter.`);
+        }
+        if (!serviceConnectionId) {
+            throw new CredentialUnavailableError(`${credentialName}: is unavailable. serviceConnectionId is a required parameter.`);
+        }
+        if (!systemAccessToken) {
+            throw new CredentialUnavailableError(`${credentialName}: is unavailable. systemAccessToken is a required parameter.`);
+        }
+        // Allow these headers to be logged for troubleshooting by AzurePipelines.
+        options.loggingOptions = Object.assign(Object.assign({}, options === null || options === void 0 ? void 0 : options.loggingOptions), { additionalAllowedHeaderNames: [
+                ...((_b = (_a = options.loggingOptions) === null || _a === void 0 ? void 0 : _a.additionalAllowedHeaderNames) !== null && _b !== void 0 ? _b : []),
+                "x-vss-e2eid",
+                "x-msedge-ref",
+            ] });
+        this.identityClient = new IdentityClient(options);
+        checkTenantId(logger, tenantId);
+        logger.info(`Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, client ID: ${clientId}, and service connection ID: ${serviceConnectionId}`);
+        if (!process.env.SYSTEM_OIDCREQUESTURI) {
+            throw new CredentialUnavailableError(`${credentialName}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- "SYSTEM_OIDCREQUESTURI"`);
+        }
+        const oidcRequestUrl = `${process.env.SYSTEM_OIDCREQUESTURI}?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`;
+        logger.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, client ID: ${clientId} and service connection ID: ${serviceConnectionId}`);
+        this.clientAssertionCredential = new ClientAssertionCredential(tenantId, clientId, this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken), options);
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} or {@link AuthenticationError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    async getToken(scopes, options) {
+        if (!this.clientAssertionCredential) {
+            const errorMessage = `${credentialName}: is unavailable. To use Federation Identity in Azure Pipelines, the following parameters are required - 
+      tenantId,
+      clientId,
+      serviceConnectionId,
+      systemAccessToken,
+      "SYSTEM_OIDCREQUESTURI".      
+      See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
+            logger.error(errorMessage);
+            throw new CredentialUnavailableError(errorMessage);
+        }
+        logger.info("Invoking getToken() of Client Assertion Credential");
+        return this.clientAssertionCredential.getToken(scopes, options);
+    }
+    /**
+     *
+     * @param oidcRequestUrl - oidc request url
+     * @param systemAccessToken - system access token
+     * @returns OIDC token from Azure Pipelines
+     */
+    async requestOidcToken(oidcRequestUrl, systemAccessToken) {
+        logger.info("Requesting OIDC token from Azure Pipelines...");
+        logger.info(oidcRequestUrl);
+        const request = createPipelineRequest({
+            url: oidcRequestUrl,
+            method: "POST",
+            headers: createHttpHeaders({
+                "Content-Type": "application/json",
+                Authorization: `Bearer ${systemAccessToken}`,
+                // Prevents the service from responding with a redirect HTTP status code (useful for automation).
+                "X-TFS-FedAuthRedirect": "Suppress",
+            }),
+        });
+        const response = await this.identityClient.sendRequest(request);
+        return handleOidcResponse(response);
+    }
+}
+export function handleOidcResponse(response) {
+    // OIDC token is present in `bodyAsText` field
+    const text = response.bodyAsText;
+    if (!text) {
+        logger.error(`${credentialName}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`);
+        throw new AuthenticationError(response.status, {
+            error: `${credentialName}: Authentication Failed. Received null token from OIDC request.`,
+            error_description: `${JSON.stringify(response)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
+        });
+    }
+    try {
+        const result = JSON.parse(text);
+        if (result === null || result === void 0 ? void 0 : result.oidcToken) {
+            return result.oidcToken;
+        }
+        else {
+            const errorMessage = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;
+            let errorDescription = ``;
+            if (response.status !== 200) {
+                errorDescription = `Response body = ${text}. Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;
+            }
+            logger.error(errorMessage);
+            logger.error(errorDescription);
+            throw new AuthenticationError(response.status, {
+                error: errorMessage,
+                error_description: errorDescription,
+            });
+        }
+    }
+    catch (e) {
+        const errorDetails = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;
+        logger.error(`Response from service = ${text}, Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} 
+      and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}, error message = ${e.message}`);
+        logger.error(errorDetails);
+        throw new AuthenticationError(response.status, {
+            error: errorDetails,
+            error_description: `Response = ${text}. Response headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] =  ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,
+        });
+    }
+}
+//# sourceMappingURL=azurePipelinesCredential.js.map

package/dist/workerd/credentials/azurePipelinesCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azurePipelinesCredential.js","sourceRoot":"","sources":["../../../src/credentials/azurePipelinesCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,mBAAmB,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAC/E,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAGrF,OAAO,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAE7D,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AAEtD,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAClD,MAAM,MAAM,GAAG,gBAAgB,CAAC,cAAc,CAAC,CAAC;AAChD,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAE/B;;;GAGG;AACH,MAAM,OAAO,wBAAwB;IAInC;;;;;;;OAOG;IACH,YACE,QAAgB,EAChB,QAAgB,EAChB,mBAA2B,EAC3B,iBAAyB,EACzB,UAA2C,EAAE;;QAE7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,qDAAqD,CACvE,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,qDAAqD,CACvE,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,mBAAmB,EAAE,CAAC;YACzB,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,gEAAgE,CAClF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,8DAA8D,CAChF,CAAC;QACJ,CAAC;QAED,0EAA0E;QAC1E,OAAO,CAAC,cAAc,mCACjB,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,cAAc,KAC1B,4BAA4B,EAAE;gBAC5B,GAAG,CAAC,MAAA,MAAA,OAAO,CAAC,cAAc,0CAAE,4BAA4B,mCAAI,EAAE,CAAC;gBAC/D,aAAa;gBACb,cAAc;aACf,GACF,CAAC;QAEF,IAAI,CAAC,cAAc,GAAG,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;QAClD,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAChC,MAAM,CAAC,IAAI,CACT,qDAAqD,QAAQ,gBAAgB,QAAQ,gCAAgC,mBAAmB,EAAE,CAC3I,CAAC;QACF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC;YACvC,MAAM,IAAI,0BAA0B,CAClC,GAAG,cAAc,mKAAmK,CACrL,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,gBAAgB,gBAAgB,wBAAwB,mBAAmB,EAAE,CAAC;QACzI,MAAM,CAAC,IAAI,CACT,sDAAsD,QAAQ,gBAAgB,QAAQ,+BAA+B,mBAAmB,EAAE,CAC3I,CAAC;QACF,IAAI,CAAC,yBAAyB,GAAG,IAAI,yBAAyB,CAC5D,QAAQ,EACR,QAAQ,EACR,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,EAAE,iBAAiB,CAAC,EACnE,OAAO,CACR,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,OAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,yBAAyB,EAAE,CAAC;YACpC,MAAM,YAAY,GAAG,GAAG,cAAc;;;;;;iIAMqF,CAAC;YAC5H,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAC3B,MAAM,IAAI,0BAA0B,CAAC,YAAY,CAAC,CAAC;QACrD,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClE,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,gBAAgB,CAC5B,cAAsB,EACtB,iBAAyB;QAEzB,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;QAC7D,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC5B,MAAM,OAAO,GAAG,qBAAqB,CAAC;YACpC,GAAG,EAAE,cAAc;YACnB,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,iBAAiB,CAAC;gBACzB,cAAc,EAAE,kBAAkB;gBAClC,aAAa,EAAE,UAAU,iBAAiB,EAAE;gBAC5C,iGAAiG;gBACjG,uBAAuB,EAAE,UAAU;aACpC,CAAC;SACH,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAChE,OAAO,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;CACF;AAED,MAAM,UAAU,kBAAkB,CAAC,QAA0B;IAC3D,8CAA8C;IAC9C,MAAM,IAAI,GAAG,QAAQ,CAAC,UAAU,CAAC;IACjC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,KAAK,CACV,GAAG,cAAc,oFACf,QAAQ,CAAC,MACX,yBAAyB,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CACpD,CAAC;QACF,MAAM,IAAI,mBAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE;YAC7C,KAAK,EAAE,GAAG,cAAc,iEAAiE;YACzF,iBAAiB,EAAE,GAAG,IAAI,CAAC,SAAS,CAClC,QAAQ,CACT,8HAA8H;SAChI,CAAC,CAAC;IACL,CAAC;IACD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAChC,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE,CAAC;YACtB,OAAO,MAAM,CAAC,SAAS,CAAC;QAC1B,CAAC;aAAM,CAAC;YACN,MAAM,YAAY,GAAG,GAAG,cAAc,wEAAwE,CAAC;YAC/G,IAAI,gBAAgB,GAAG,EAAE,CAAC;YAC1B,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,gBAAgB,GAAG,mBAAmB,IAAI,wCAAwC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,2BAA2B,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,8HAA8H,CAAC;YACrT,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAC3B,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAC/B,MAAM,IAAI,mBAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE;gBAC7C,KAAK,EAAE,YAAY;gBACnB,iBAAiB,EAAE,gBAAgB;aACpC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,MAAM,YAAY,GAAG,GAAG,cAAc,wEAAwE,CAAC;QAC/G,MAAM,CAAC,KAAK,CACV,2BAA2B,IAAI,wCAAwC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;+BACjF,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,qBAAqB,CAAC,CAAC,OAAO,EAAE,CAC9F,CAAC;QACF,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAC3B,MAAM,IAAI,mBAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE;YAC7C,KAAK,EAAE,YAAY;YACnB,iBAAiB,EAAE,cAAc,IAAI,wCAAwC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,4BAA4B,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,8HAA8H;SAC/S,CAAC,CAAC;IACL,CAAC;AACH,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { AuthenticationError, CredentialUnavailableError } from \"../errors.js\";\nimport { createHttpHeaders, createPipelineRequest } from \"@azure/core-rest-pipeline\";\n\nimport type { AzurePipelinesCredentialOptions } from \"./azurePipelinesCredentialOptions.js\";\nimport { ClientAssertionCredential } from \"./clientAssertionCredential.js\";\nimport { IdentityClient } from \"../client/identityClient.js\";\nimport type { PipelineResponse } from \"@azure/core-rest-pipeline\";\nimport { checkTenantId } from \"../util/tenantIdUtils.js\";\nimport { credentialLogger } from \"../util/logging.js\";\n\nconst credentialName = \"AzurePipelinesCredential\";\nconst logger = credentialLogger(credentialName);\nconst OIDC_API_VERSION = \"7.1\";\n\n/**\n * This credential is designed to be used in Azure Pipelines with service connections\n * as a setup for workload identity federation.\n */\nexport class AzurePipelinesCredential implements TokenCredential {\n  private clientAssertionCredential: ClientAssertionCredential | undefined;\n  private identityClient: IdentityClient;\n\n  /**\n   * AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections.\n   * @param tenantId - tenantId associated with the service connection\n   * @param clientId - clientId associated with the service connection\n   * @param serviceConnectionId - Unique ID for the service connection, as found in the querystring's resourceId key\n   * @param systemAccessToken - The pipeline's <see href=\"https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken\">System.AccessToken</see> value.\n   * @param options - The identity client options to use for authentication.\n   */\n  constructor(\n    tenantId: string,\n    clientId: string,\n    serviceConnectionId: string,\n    systemAccessToken: string,\n    options: AzurePipelinesCredentialOptions = {},\n  ) {\n    if (!clientId) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: is unavailable. clientId is a required parameter.`,\n      );\n    }\n    if (!tenantId) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: is unavailable. tenantId is a required parameter.`,\n      );\n    }\n    if (!serviceConnectionId) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: is unavailable. serviceConnectionId is a required parameter.`,\n      );\n    }\n    if (!systemAccessToken) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: is unavailable. systemAccessToken is a required parameter.`,\n      );\n    }\n\n    // Allow these headers to be logged for troubleshooting by AzurePipelines.\n    options.loggingOptions = {\n      ...options?.loggingOptions,\n      additionalAllowedHeaderNames: [\n        ...(options.loggingOptions?.additionalAllowedHeaderNames ?? []),\n        \"x-vss-e2eid\",\n        \"x-msedge-ref\",\n      ],\n    };\n\n    this.identityClient = new IdentityClient(options);\n    checkTenantId(logger, tenantId);\n    logger.info(\n      `Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, client ID: ${clientId}, and service connection ID: ${serviceConnectionId}`,\n    );\n    if (!process.env.SYSTEM_OIDCREQUESTURI) {\n      throw new CredentialUnavailableError(\n        `${credentialName}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- \"SYSTEM_OIDCREQUESTURI\"`,\n      );\n    }\n\n    const oidcRequestUrl = `${process.env.SYSTEM_OIDCREQUESTURI}?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`;\n    logger.info(\n      `Invoking ClientAssertionCredential with tenant ID: ${tenantId}, client ID: ${clientId} and service connection ID: ${serviceConnectionId}`,\n    );\n    this.clientAssertionCredential = new ClientAssertionCredential(\n      tenantId,\n      clientId,\n      this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken),\n      options,\n    );\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If authentication fails, a {@link CredentialUnavailableError} or {@link AuthenticationError} will be thrown with the details of the failure.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options?: GetTokenOptions,\n  ): Promise<AccessToken> {\n    if (!this.clientAssertionCredential) {\n      const errorMessage = `${credentialName}: is unavailable. To use Federation Identity in Azure Pipelines, the following parameters are required - \n      tenantId,\n      clientId,\n      serviceConnectionId,\n      systemAccessToken,\n      \"SYSTEM_OIDCREQUESTURI\".      \n      See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;\n      logger.error(errorMessage);\n      throw new CredentialUnavailableError(errorMessage);\n    }\n    logger.info(\"Invoking getToken() of Client Assertion Credential\");\n    return this.clientAssertionCredential.getToken(scopes, options);\n  }\n\n  /**\n   *\n   * @param oidcRequestUrl - oidc request url\n   * @param systemAccessToken - system access token\n   * @returns OIDC token from Azure Pipelines\n   */\n  private async requestOidcToken(\n    oidcRequestUrl: string,\n    systemAccessToken: string,\n  ): Promise<string> {\n    logger.info(\"Requesting OIDC token from Azure Pipelines...\");\n    logger.info(oidcRequestUrl);\n    const request = createPipelineRequest({\n      url: oidcRequestUrl,\n      method: \"POST\",\n      headers: createHttpHeaders({\n        \"Content-Type\": \"application/json\",\n        Authorization: `Bearer ${systemAccessToken}`,\n        // Prevents the service from responding with a redirect HTTP status code (useful for automation).\n        \"X-TFS-FedAuthRedirect\": \"Suppress\",\n      }),\n    });\n    const response = await this.identityClient.sendRequest(request);\n    return handleOidcResponse(response);\n  }\n}\n\nexport function handleOidcResponse(response: PipelineResponse): string {\n  // OIDC token is present in `bodyAsText` field\n  const text = response.bodyAsText;\n  if (!text) {\n    logger.error(\n      `${credentialName}: Authentication Failed. Received null token from OIDC request. Response status- ${\n        response.status\n      }. Complete response - ${JSON.stringify(response)}`,\n    );\n    throw new AuthenticationError(response.status, {\n      error: `${credentialName}: Authentication Failed. Received null token from OIDC request.`,\n      error_description: `${JSON.stringify(\n        response,\n      )}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,\n    });\n  }\n  try {\n    const result = JSON.parse(text);\n    if (result?.oidcToken) {\n      return result.oidcToken;\n    } else {\n      const errorMessage = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;\n      let errorDescription = ``;\n      if (response.status !== 200) {\n        errorDescription = `Response body = ${text}. Response Headers [\"x-vss-e2eid\"] = ${response.headers.get(\"x-vss-e2eid\")} and [\"x-msedge-ref\"] = ${response.headers.get(\"x-msedge-ref\")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`;\n      }\n      logger.error(errorMessage);\n      logger.error(errorDescription);\n      throw new AuthenticationError(response.status, {\n        error: errorMessage,\n        error_description: errorDescription,\n      });\n    }\n  } catch (e: any) {\n    const errorDetails = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`;\n    logger.error(\n      `Response from service = ${text}, Response Headers [\"x-vss-e2eid\"] = ${response.headers.get(\"x-vss-e2eid\")} \n      and [\"x-msedge-ref\"] = ${response.headers.get(\"x-msedge-ref\")}, error message = ${e.message}`,\n    );\n    logger.error(errorDetails);\n    throw new AuthenticationError(response.status, {\n      error: errorDetails,\n      error_description: `Response = ${text}. Response headers [\"x-vss-e2eid\"] = ${response.headers.get(\"x-vss-e2eid\")} and [\"x-msedge-ref\"] =  ${response.headers.get(\"x-msedge-ref\")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`,\n    });\n  }\n}\n"]}

package/dist/workerd/credentials/azurePipelinesCredentialOptions.d.ts

@@ -0,0 +1,9 @@
+import type { AuthorityValidationOptions } from "./authorityValidationOptions.js";
+import type { CredentialPersistenceOptions } from "./credentialPersistenceOptions.js";
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Optional parameters for the {@link AzurePipelinesCredential} class.
+ */
+export interface AzurePipelinesCredentialOptions extends MultiTenantTokenCredentialOptions, CredentialPersistenceOptions, AuthorityValidationOptions {
+}
+//# sourceMappingURL=azurePipelinesCredentialOptions.d.ts.map

package/dist/workerd/credentials/azurePipelinesCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azurePipelinesCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/azurePipelinesCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,iCAAiC,CAAC;AAClF,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,mCAAmC,CAAC;AACtF,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,+BACf,SAAQ,iCAAiC,EACvC,4BAA4B,EAC5B,0BAA0B;CAAG"}

package/dist/workerd/credentials/azurePipelinesCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=azurePipelinesCredentialOptions.js.map

package/dist/workerd/credentials/azurePipelinesCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azurePipelinesCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/azurePipelinesCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AuthorityValidationOptions } from \"./authorityValidationOptions.js\";\nimport type { CredentialPersistenceOptions } from \"./credentialPersistenceOptions.js\";\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Optional parameters for the {@link AzurePipelinesCredential} class.\n */\nexport interface AzurePipelinesCredentialOptions\n  extends MultiTenantTokenCredentialOptions,\n    CredentialPersistenceOptions,\n    AuthorityValidationOptions {}\n"]}