@azure/identity 4.8.1-alpha.20250410.1 → 4.9.1-alpha.20250416.4

package/dist/workerd/credentials/azurePowerShellCredential.d.ts

@@ -0,0 +1,75 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { AzurePowerShellCredentialOptions } from "./azurePowerShellCredentialOptions.js";
+/**
+ * Returns a platform-appropriate command name by appending ".exe" on Windows.
+ *
+ * @internal
+ */
+export declare function formatCommand(commandName: string): string;
+/**
+ * Known PowerShell errors
+ * @internal
+ */
+export declare const powerShellErrors: {
+    login: string;
+    installed: string;
+};
+/**
+ * Messages to use when throwing in this credential.
+ * @internal
+ */
+export declare const powerShellPublicErrorMessages: {
+    login: string;
+    installed: string;
+    troubleshoot: string;
+};
+/**
+ * The PowerShell commands to be tried, in order.
+ *
+ * @internal
+ */
+export declare const commandStack: string[];
+/**
+ * This credential will use the currently logged-in user information from the
+ * Azure PowerShell module. To do so, it will read the user access token and
+ * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
+ */
+export declare class AzurePowerShellCredential implements TokenCredential {
+    private tenantId?;
+    private additionallyAllowedTenantIds;
+    private timeout?;
+    /**
+     * Creates an instance of the {@link AzurePowerShellCredential}.
+     *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options?: AzurePowerShellCredentialOptions);
+    /**
+     * Gets the access token from Azure PowerShell
+     * @param resource - The resource to use when getting the token
+     */
+    private getAzurePowerShellAccessToken;
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+/**
+ *
+ * @internal
+ */
+export declare function parseJsonToken(result: string): Promise<{
+    Token: string;
+    ExpiresOn: string;
+}>;
+//# sourceMappingURL=azurePowerShellCredential.d.ts.map

package/dist/workerd/credentials/azurePowerShellCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azurePowerShellCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAStF,OAAO,KAAK,EAAE,gCAAgC,EAAE,MAAM,uCAAuC,CAAC;AAS9F;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAMzD;AAuBD;;;GAGG;AACH,eAAO,MAAM,gBAAgB;;;CAI5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,6BAA6B;;;;CAKzC,CAAC;AAUF;;;;GAIG;AACH,eAAO,MAAM,YAAY,UAA0B,CAAC;AAMpD;;;;GAIG;AACH,qBAAa,yBAA0B,YAAW,eAAe;IAC/D,OAAO,CAAC,QAAQ,CAAC,CAAS;IAC1B,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,OAAO,CAAC,CAAS;IAEzB;;;;;;;;;;OAUG;gBACS,OAAO,CAAC,EAAE,gCAAgC;IAWtD;;;OAGG;YACW,6BAA6B;IA2D3C;;;;;;OAMG;IACU,QAAQ,CACnB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EACzB,OAAO,GAAE,eAAoB,GAC5B,OAAO,CAAC,WAAW,CAAC;CAwCxB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAAC,CAyB/C"}

package/dist/workerd/credentials/azurePowerShellCredential.js

@@ -0,0 +1,229 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { checkTenantId, processMultiTenantRequest, resolveAdditionallyAllowedTenantIds, } from "../util/tenantIdUtils.js";
+import { credentialLogger, formatError, formatSuccess } from "../util/logging.js";
+import { ensureValidScopeForDevTimeCreds, getScopeResource } from "../util/scopeUtils.js";
+import { CredentialUnavailableError } from "../errors.js";
+import { processUtils } from "../util/processUtils.js";
+import { tracingClient } from "../util/tracing.js";
+const logger = credentialLogger("AzurePowerShellCredential");
+const isWindows = process.platform === "win32";
+/**
+ * Returns a platform-appropriate command name by appending ".exe" on Windows.
+ *
+ * @internal
+ */
+export function formatCommand(commandName) {
+    if (isWindows) {
+        return `${commandName}.exe`;
+    }
+    else {
+        return commandName;
+    }
+}
+/**
+ * Receives a list of commands to run, executes them, then returns the outputs.
+ * If anything fails, an error is thrown.
+ * @internal
+ */
+async function runCommands(commands, timeout) {
+    const results = [];
+    for (const command of commands) {
+        const [file, ...parameters] = command;
+        const result = (await processUtils.execFile(file, parameters, {
+            encoding: "utf8",
+            timeout,
+        }));
+        results.push(result);
+    }
+    return results;
+}
+/**
+ * Known PowerShell errors
+ * @internal
+ */
+export const powerShellErrors = {
+    login: "Run Connect-AzAccount to login",
+    installed: "The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory",
+};
+/**
+ * Messages to use when throwing in this credential.
+ * @internal
+ */
+export const powerShellPublicErrorMessages = {
+    login: "Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.",
+    installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: "Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force".`,
+    troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,
+};
+// PowerShell Azure User not logged in error check.
+const isLoginError = (err) => err.message.match(`(.*)${powerShellErrors.login}(.*)`);
+// Az Module not Installed in Azure PowerShell check.
+const isNotInstalledError = (err) => err.message.match(powerShellErrors.installed);
+/**
+ * The PowerShell commands to be tried, in order.
+ *
+ * @internal
+ */
+export const commandStack = [formatCommand("pwsh")];
+if (isWindows) {
+    commandStack.push(formatCommand("powershell"));
+}
+/**
+ * This credential will use the currently logged-in user information from the
+ * Azure PowerShell module. To do so, it will read the user access token and
+ * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`
+ */
+export class AzurePowerShellCredential {
+    /**
+     * Creates an instance of the {@link AzurePowerShellCredential}.
+     *
+     * To use this credential:
+     * - Install the Azure Az PowerShell module with:
+     *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.
+     * - You have already logged in to Azure PowerShell using the command
+     * `Connect-AzAccount` from the command line.
+     *
+     * @param options - Options, to optionally allow multi-tenant requests.
+     */
+    constructor(options) {
+        if (options === null || options === void 0 ? void 0 : options.tenantId) {
+            checkTenantId(logger, options === null || options === void 0 ? void 0 : options.tenantId);
+            this.tenantId = options === null || options === void 0 ? void 0 : options.tenantId;
+        }
+        this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(options === null || options === void 0 ? void 0 : options.additionallyAllowedTenants);
+        this.timeout = options === null || options === void 0 ? void 0 : options.processTimeoutInMs;
+    }
+    /**
+     * Gets the access token from Azure PowerShell
+     * @param resource - The resource to use when getting the token
+     */
+    async getAzurePowerShellAccessToken(resource, tenantId, timeout) {
+        // Clone the stack to avoid mutating it while iterating
+        for (const powerShellCommand of [...commandStack]) {
+            try {
+                await runCommands([[powerShellCommand, "/?"]], timeout);
+            }
+            catch (e) {
+                // Remove this credential from the original stack so that we don't try it again.
+                commandStack.shift();
+                continue;
+            }
+            const results = await runCommands([
+                [
+                    powerShellCommand,
+                    "-NoProfile",
+                    "-NonInteractive",
+                    "-Command",
+                    `
+          $tenantId = "${tenantId !== null && tenantId !== void 0 ? tenantId : ""}"
+          $m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru
+          $useSecureString = $m.Version -ge [version]'2.17.0'
+
+          $params = @{
+            ResourceUrl = "${resource}"
+          }
+
+          if ($tenantId.Length -gt 0) {
+            $params["TenantId"] = $tenantId
+          }
+
+          if ($useSecureString) {
+            $params["AsSecureString"] = $true
+          }
+
+          $token = Get-AzAccessToken @params
+
+          $result = New-Object -TypeName PSObject
+          $result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn
+          if ($useSecureString) {
+            $result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)
+          } else {
+            $result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token
+          }
+
+          Write-Output (ConvertTo-Json $result)
+          `,
+                ],
+            ]);
+            const result = results[0];
+            return parseJsonToken(result);
+        }
+        throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);
+    }
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this TokenCredential implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {
+            const tenantId = processMultiTenantRequest(this.tenantId, options, this.additionallyAllowedTenantIds);
+            const scope = typeof scopes === "string" ? scopes : scopes[0];
+            if (tenantId) {
+                checkTenantId(logger, tenantId);
+            }
+            try {
+                ensureValidScopeForDevTimeCreds(scope, logger);
+                logger.getToken.info(`Using the scope ${scope}`);
+                const resource = getScopeResource(scope);
+                const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);
+                logger.getToken.info(formatSuccess(scopes));
+                return {
+                    token: response.Token,
+                    expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),
+                    tokenType: "Bearer",
+                };
+            }
+            catch (err) {
+                if (isNotInstalledError(err)) {
+                    const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);
+                    logger.getToken.info(formatError(scope, error));
+                    throw error;
+                }
+                else if (isLoginError(err)) {
+                    const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);
+                    logger.getToken.info(formatError(scope, error));
+                    throw error;
+                }
+                const error = new CredentialUnavailableError(`${err}. ${powerShellPublicErrorMessages.troubleshoot}`);
+                logger.getToken.info(formatError(scope, error));
+                throw error;
+            }
+        });
+    }
+}
+/**
+ *
+ * @internal
+ */
+export async function parseJsonToken(result) {
+    const jsonRegex = /{[^{}]*}/g;
+    const matches = result.match(jsonRegex);
+    let resultWithoutToken = result;
+    if (matches) {
+        try {
+            for (const item of matches) {
+                try {
+                    const jsonContent = JSON.parse(item);
+                    if (jsonContent === null || jsonContent === void 0 ? void 0 : jsonContent.Token) {
+                        resultWithoutToken = resultWithoutToken.replace(item, "");
+                        if (resultWithoutToken) {
+                            logger.getToken.warning(resultWithoutToken);
+                        }
+                        return jsonContent;
+                    }
+                }
+                catch (e) {
+                    continue;
+                }
+            }
+        }
+        catch (e) {
+            throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);
+        }
+    }
+    throw new Error(`No access token found in the output. Received output: ${result}`);
+}
+//# sourceMappingURL=azurePowerShellCredential.js.map

package/dist/workerd/credentials/azurePowerShellCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azurePowerShellCredential.js","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EACL,aAAa,EACb,yBAAyB,EACzB,mCAAmC,GACpC,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,+BAA+B,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAG1F,OAAO,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,MAAM,MAAM,GAAG,gBAAgB,CAAC,2BAA2B,CAAC,CAAC;AAE7D,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;AAE/C;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,WAAmB;IAC/C,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,GAAG,WAAW,MAAM,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,OAAO,WAAW,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,WAAW,CAAC,QAAoB,EAAE,OAAgB;IAC/D,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,EAAE,GAAG,UAAU,CAAC,GAAG,OAAO,CAAC;QACtC,MAAM,MAAM,GAAG,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,EAAE;YAC5D,QAAQ,EAAE,MAAM;YAChB,OAAO;SACR,CAAC,CAAW,CAAC;QAEd,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,KAAK,EAAE,gCAAgC;IACvC,SAAS,EACP,uIAAuI;CAC1I,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC3C,KAAK,EACH,8FAA8F;IAChG,SAAS,EAAE,4KAA4K;IACvL,YAAY,EAAE,4FAA4F;CAC3G,CAAC;AAEF,mDAAmD;AACnD,MAAM,YAAY,GAA4C,CAAC,GAAU,EAAE,EAAE,CAC3E,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,KAAK,MAAM,CAAC,CAAC;AAEzD,qDAAqD;AACrD,MAAM,mBAAmB,GAA4C,CAAC,GAAU,EAAE,EAAE,CAClF,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;AAEhD;;;;GAIG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;AAEpD,IAAI,SAAS,EAAE,CAAC;IACd,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,OAAO,yBAAyB;IAKpC;;;;;;;;;;OAUG;IACH,YAAY,OAA0C;QACpD,IAAI,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,EAAE,CAAC;YACtB,aAAa,CAAC,MAAM,EAAE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,CAAC,QAAQ,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,QAAQ,CAAC;QACpC,CAAC;QACD,IAAI,CAAC,4BAA4B,GAAG,mCAAmC,CACrE,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,0BAA0B,CACpC,CAAC;QACF,IAAI,CAAC,OAAO,GAAG,OAAO,aAAP,OAAO,uBAAP,OAAO,CAAE,kBAAkB,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACK,KAAK,CAAC,6BAA6B,CACzC,QAAgB,EAChB,QAAiB,EACjB,OAAgB;QAEhB,uDAAuD;QACvD,KAAK,MAAM,iBAAiB,IAAI,CAAC,GAAG,YAAY,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,WAAW,CAAC,CAAC,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;YAC1D,CAAC;YAAC,OAAO,CAAM,EAAE,CAAC;gBAChB,gFAAgF;gBAChF,YAAY,CAAC,KAAK,EAAE,CAAC;gBACrB,SAAS;YACX,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC;gBAChC;oBACE,iBAAiB;oBACjB,YAAY;oBACZ,iBAAiB;oBACjB,UAAU;oBACV;yBACe,QAAQ,aAAR,QAAQ,cAAR,QAAQ,GAAI,EAAE;;;;;6BAKV,QAAQ;;;;;;;;;;;;;;;;;;;;;;WAsB1B;iBACF;aACF,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAC1B,OAAO,cAAc,CAAC,MAAM,CAAC,CAAC;QAChC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;IAC9F,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,QAAQ,CACnB,MAAyB,EACzB,UAA2B,EAAE;QAE7B,OAAO,aAAa,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,WAAW,EAAE,OAAO,EAAE,KAAK,IAAI,EAAE;YACrF,MAAM,QAAQ,GAAG,yBAAyB,CACxC,IAAI,CAAC,QAAQ,EACb,OAAO,EACP,IAAI,CAAC,4BAA4B,CAClC,CAAC;YACF,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC9D,IAAI,QAAQ,EAAE,CAAC;gBACb,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YAClC,CAAC;YACD,IAAI,CAAC;gBACH,+BAA+B,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;gBAC/C,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,mBAAmB,KAAK,EAAE,CAAC,CAAC;gBACjD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;gBACzC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,6BAA6B,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC5F,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,kBAAkB,EAAE,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE;oBAC1D,SAAS,EAAE,QAAQ;iBACL,CAAC;YACnB,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,IAAI,mBAAmB,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAAC,6BAA6B,CAAC,SAAS,CAAC,CAAC;oBACtF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;oBAChD,MAAM,KAAK,CAAC;gBACd,CAAC;qBAAM,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAAC,6BAA6B,CAAC,KAAK,CAAC,CAAC;oBAClF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;oBAChD,MAAM,KAAK,CAAC;gBACd,CAAC;gBACD,MAAM,KAAK,GAAG,IAAI,0BAA0B,CAC1C,GAAG,GAAG,KAAK,6BAA6B,CAAC,YAAY,EAAE,CACxD,CAAC;gBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;gBAChD,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAc;IAEd,MAAM,SAAS,GAAG,WAAW,CAAC;IAC9B,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,kBAAkB,GAAG,MAAM,CAAC;IAChC,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBACrC,IAAI,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,KAAK,EAAE,CAAC;wBACvB,kBAAkB,GAAG,kBAAkB,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;wBAC1D,IAAI,kBAAkB,EAAE,CAAC;4BACvB,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;wBAC9C,CAAC;wBACD,OAAO,WAAW,CAAC;oBACrB,CAAC;gBACH,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,SAAS;gBACX,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,8DAA8D,MAAM,EAAE,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,yDAAyD,MAAM,EAAE,CAAC,CAAC;AACrF,CAAC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport {\n  checkTenantId,\n  processMultiTenantRequest,\n  resolveAdditionallyAllowedTenantIds,\n} from \"../util/tenantIdUtils.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { ensureValidScopeForDevTimeCreds, getScopeResource } from \"../util/scopeUtils.js\";\n\nimport type { AzurePowerShellCredentialOptions } from \"./azurePowerShellCredentialOptions.js\";\nimport { CredentialUnavailableError } from \"../errors.js\";\nimport { processUtils } from \"../util/processUtils.js\";\nimport { tracingClient } from \"../util/tracing.js\";\n\nconst logger = credentialLogger(\"AzurePowerShellCredential\");\n\nconst isWindows = process.platform === \"win32\";\n\n/**\n * Returns a platform-appropriate command name by appending \".exe\" on Windows.\n *\n * @internal\n */\nexport function formatCommand(commandName: string): string {\n  if (isWindows) {\n    return `${commandName}.exe`;\n  } else {\n    return commandName;\n  }\n}\n\n/**\n * Receives a list of commands to run, executes them, then returns the outputs.\n * If anything fails, an error is thrown.\n * @internal\n */\nasync function runCommands(commands: string[][], timeout?: number): Promise<string[]> {\n  const results: string[] = [];\n\n  for (const command of commands) {\n    const [file, ...parameters] = command;\n    const result = (await processUtils.execFile(file, parameters, {\n      encoding: \"utf8\",\n      timeout,\n    })) as string;\n\n    results.push(result);\n  }\n\n  return results;\n}\n\n/**\n * Known PowerShell errors\n * @internal\n */\nexport const powerShellErrors = {\n  login: \"Run Connect-AzAccount to login\",\n  installed:\n    \"The specified module 'Az.Accounts' with version '2.2.0' was not loaded because no valid module file was found in any module directory\",\n};\n\n/**\n * Messages to use when throwing in this credential.\n * @internal\n */\nexport const powerShellPublicErrorMessages = {\n  login:\n    \"Please run 'Connect-AzAccount' from PowerShell to authenticate before using this credential.\",\n  installed: `The 'Az.Account' module >= 2.2.0 is not installed. Install the Azure Az PowerShell module with: \"Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force\".`,\n  troubleshoot: `To troubleshoot, visit https://aka.ms/azsdk/js/identity/powershellcredential/troubleshoot.`,\n};\n\n// PowerShell Azure User not logged in error check.\nconst isLoginError: (err: Error) => RegExpMatchArray | null = (err: Error) =>\n  err.message.match(`(.*)${powerShellErrors.login}(.*)`);\n\n// Az Module not Installed in Azure PowerShell check.\nconst isNotInstalledError: (err: Error) => RegExpMatchArray | null = (err: Error) =>\n  err.message.match(powerShellErrors.installed);\n\n/**\n * The PowerShell commands to be tried, in order.\n *\n * @internal\n */\nexport const commandStack = [formatCommand(\"pwsh\")];\n\nif (isWindows) {\n  commandStack.push(formatCommand(\"powershell\"));\n}\n\n/**\n * This credential will use the currently logged-in user information from the\n * Azure PowerShell module. To do so, it will read the user access token and\n * expire time with Azure PowerShell command `Get-AzAccessToken -ResourceUrl {ResourceScope}`\n */\nexport class AzurePowerShellCredential implements TokenCredential {\n  private tenantId?: string;\n  private additionallyAllowedTenantIds: string[];\n  private timeout?: number;\n\n  /**\n   * Creates an instance of the {@link AzurePowerShellCredential}.\n   *\n   * To use this credential:\n   * - Install the Azure Az PowerShell module with:\n   *   `Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force`.\n   * - You have already logged in to Azure PowerShell using the command\n   * `Connect-AzAccount` from the command line.\n   *\n   * @param options - Options, to optionally allow multi-tenant requests.\n   */\n  constructor(options?: AzurePowerShellCredentialOptions) {\n    if (options?.tenantId) {\n      checkTenantId(logger, options?.tenantId);\n      this.tenantId = options?.tenantId;\n    }\n    this.additionallyAllowedTenantIds = resolveAdditionallyAllowedTenantIds(\n      options?.additionallyAllowedTenants,\n    );\n    this.timeout = options?.processTimeoutInMs;\n  }\n\n  /**\n   * Gets the access token from Azure PowerShell\n   * @param resource - The resource to use when getting the token\n   */\n  private async getAzurePowerShellAccessToken(\n    resource: string,\n    tenantId?: string,\n    timeout?: number,\n  ): Promise<{ Token: string; ExpiresOn: string }> {\n    // Clone the stack to avoid mutating it while iterating\n    for (const powerShellCommand of [...commandStack]) {\n      try {\n        await runCommands([[powerShellCommand, \"/?\"]], timeout);\n      } catch (e: any) {\n        // Remove this credential from the original stack so that we don't try it again.\n        commandStack.shift();\n        continue;\n      }\n\n      const results = await runCommands([\n        [\n          powerShellCommand,\n          \"-NoProfile\",\n          \"-NonInteractive\",\n          \"-Command\",\n          `\n          $tenantId = \"${tenantId ?? \"\"}\"\n          $m = Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru\n          $useSecureString = $m.Version -ge [version]'2.17.0'\n\n          $params = @{\n            ResourceUrl = \"${resource}\"\n          }\n\n          if ($tenantId.Length -gt 0) {\n            $params[\"TenantId\"] = $tenantId\n          }\n\n          if ($useSecureString) {\n            $params[\"AsSecureString\"] = $true\n          }\n\n          $token = Get-AzAccessToken @params\n\n          $result = New-Object -TypeName PSObject\n          $result | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn\n          if ($useSecureString) {\n            $result | Add-Member -MemberType NoteProperty -Name Token -Value (ConvertFrom-SecureString -AsPlainText $token.Token)\n          } else {\n            $result | Add-Member -MemberType NoteProperty -Name Token -Value $token.Token\n          }\n\n          Write-Output (ConvertTo-Json $result)\n          `,\n        ],\n      ]);\n\n      const result = results[0];\n      return parseJsonToken(result);\n    }\n    throw new Error(`Unable to execute PowerShell. Ensure that it is installed in your system`);\n  }\n\n  /**\n   * Authenticates with Microsoft Entra ID and returns an access token if successful.\n   * If the authentication cannot be performed through PowerShell, a {@link CredentialUnavailableError} will be thrown.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this TokenCredential implementation might make.\n   */\n  public async getToken(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<AccessToken> {\n    return tracingClient.withSpan(`${this.constructor.name}.getToken`, options, async () => {\n      const tenantId = processMultiTenantRequest(\n        this.tenantId,\n        options,\n        this.additionallyAllowedTenantIds,\n      );\n      const scope = typeof scopes === \"string\" ? scopes : scopes[0];\n      if (tenantId) {\n        checkTenantId(logger, tenantId);\n      }\n      try {\n        ensureValidScopeForDevTimeCreds(scope, logger);\n        logger.getToken.info(`Using the scope ${scope}`);\n        const resource = getScopeResource(scope);\n        const response = await this.getAzurePowerShellAccessToken(resource, tenantId, this.timeout);\n        logger.getToken.info(formatSuccess(scopes));\n        return {\n          token: response.Token,\n          expiresOnTimestamp: new Date(response.ExpiresOn).getTime(),\n          tokenType: \"Bearer\",\n        } as AccessToken;\n      } catch (err: any) {\n        if (isNotInstalledError(err)) {\n          const error = new CredentialUnavailableError(powerShellPublicErrorMessages.installed);\n          logger.getToken.info(formatError(scope, error));\n          throw error;\n        } else if (isLoginError(err)) {\n          const error = new CredentialUnavailableError(powerShellPublicErrorMessages.login);\n          logger.getToken.info(formatError(scope, error));\n          throw error;\n        }\n        const error = new CredentialUnavailableError(\n          `${err}. ${powerShellPublicErrorMessages.troubleshoot}`,\n        );\n        logger.getToken.info(formatError(scope, error));\n        throw error;\n      }\n    });\n  }\n}\n\n/**\n *\n * @internal\n */\nexport async function parseJsonToken(\n  result: string,\n): Promise<{ Token: string; ExpiresOn: string }> {\n  const jsonRegex = /{[^{}]*}/g;\n  const matches = result.match(jsonRegex);\n  let resultWithoutToken = result;\n  if (matches) {\n    try {\n      for (const item of matches) {\n        try {\n          const jsonContent = JSON.parse(item);\n          if (jsonContent?.Token) {\n            resultWithoutToken = resultWithoutToken.replace(item, \"\");\n            if (resultWithoutToken) {\n              logger.getToken.warning(resultWithoutToken);\n            }\n            return jsonContent;\n          }\n        } catch (e) {\n          continue;\n        }\n      }\n    } catch (e: any) {\n      throw new Error(`Unable to parse the output of PowerShell. Received output: ${result}`);\n    }\n  }\n  throw new Error(`No access token found in the output. Received output: ${result}`);\n}\n"]}

package/dist/workerd/credentials/azurePowerShellCredentialOptions.d.ts

@@ -0,0 +1,15 @@
+import type { MultiTenantTokenCredentialOptions } from "./multiTenantTokenCredentialOptions.js";
+/**
+ * Options for the {@link AzurePowerShellCredential}
+ */
+export interface AzurePowerShellCredentialOptions extends MultiTenantTokenCredentialOptions {
+    /**
+     * Allows specifying a tenant ID
+     */
+    tenantId?: string;
+    /**
+     * Process timeout configurable for making token requests, provided in milliseconds
+     */
+    processTimeoutInMs?: number;
+}
+//# sourceMappingURL=azurePowerShellCredentialOptions.d.ts.map

package/dist/workerd/credentials/azurePowerShellCredentialOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azurePowerShellCredentialOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredentialOptions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,iCAAiC,EAAE,MAAM,wCAAwC,CAAC;AAEhG;;GAEG;AACH,MAAM,WAAW,gCAAiC,SAAQ,iCAAiC;IACzF;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B"}

package/dist/workerd/credentials/azurePowerShellCredentialOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=azurePowerShellCredentialOptions.js.map

package/dist/workerd/credentials/azurePowerShellCredentialOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azurePowerShellCredentialOptions.js","sourceRoot":"","sources":["../../../src/credentials/azurePowerShellCredentialOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { MultiTenantTokenCredentialOptions } from \"./multiTenantTokenCredentialOptions.js\";\n\n/**\n * Options for the {@link AzurePowerShellCredential}\n */\nexport interface AzurePowerShellCredentialOptions extends MultiTenantTokenCredentialOptions {\n  /**\n   * Allows specifying a tenant ID\n   */\n  tenantId?: string;\n  /**\n   * Process timeout configurable for making token requests, provided in milliseconds\n   */\n  processTimeoutInMs?: number;\n}\n"]}

package/dist/workerd/credentials/brokerAuthOptions.d.ts

@@ -0,0 +1,13 @@
+import type { BrokerOptions } from "../msal/nodeFlows/brokerOptions.js";
+/**
+ * Configuration options for InteractiveBrowserCredential
+ * to support WAM Broker Authentication.
+ */
+export interface BrokerAuthOptions {
+    /**
+     * Options to allow broker authentication when using InteractiveBrowserCredential
+     *
+     */
+    brokerOptions?: BrokerOptions;
+}
+//# sourceMappingURL=brokerAuthOptions.d.ts.map

package/dist/workerd/credentials/brokerAuthOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"brokerAuthOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/brokerAuthOptions.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAExE;;;GAGG;AAEH,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,aAAa,CAAC,EAAE,aAAa,CAAC;CAC/B"}

package/dist/workerd/credentials/brokerAuthOptions.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=brokerAuthOptions.js.map

package/dist/workerd/credentials/brokerAuthOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"brokerAuthOptions.js","sourceRoot":"","sources":["../../../src/credentials/brokerAuthOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\nimport type { BrokerOptions } from \"../msal/nodeFlows/brokerOptions.js\";\n\n/**\n * Configuration options for InteractiveBrowserCredential\n * to support WAM Broker Authentication.\n */\n\nexport interface BrokerAuthOptions {\n  /**\n   * Options to allow broker authentication when using InteractiveBrowserCredential\n   *\n   */\n  brokerOptions?: BrokerOptions;\n}\n"]}

package/dist/workerd/credentials/browserCustomizationOptions.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Shared configuration options for browser customization
+ */
+export interface BrowserCustomizationOptions {
+    /**
+     * Shared configuration options for browser customization
+     */
+    browserCustomizationOptions?: {
+        /**
+         * Format for error messages for display in browser
+         */
+        errorMessage?: string;
+        /**
+         * Format for success messages for display in browser
+         */
+        successMessage?: string;
+    };
+}
+//# sourceMappingURL=browserCustomizationOptions.d.ts.map

package/dist/workerd/credentials/browserCustomizationOptions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"browserCustomizationOptions.d.ts","sourceRoot":"","sources":["../../../src/credentials/browserCustomizationOptions.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,WAAW,2BAA2B;IAC1C;;OAEG;IACH,2BAA2B,CAAC,EAAE;QAC5B;;WAEG;QACH,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB;;WAEG;QACH,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;CACH"}

package/dist/workerd/credentials/browserCustomizationOptions.js

@@ -0,0 +1,4 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+export {};
+//# sourceMappingURL=browserCustomizationOptions.js.map

package/dist/workerd/credentials/browserCustomizationOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browserCustomizationOptions.js","sourceRoot":"","sources":["../../../src/credentials/browserCustomizationOptions.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\n/**\n * Shared configuration options for browser customization\n */\nexport interface BrowserCustomizationOptions {\n  /**\n   * Shared configuration options for browser customization\n   */\n  browserCustomizationOptions?: {\n    /**\n     * Format for error messages for display in browser\n     */\n    errorMessage?: string;\n    /**\n     * Format for success messages for display in browser\n     */\n    successMessage?: string;\n  };\n}\n"]}

package/dist/workerd/credentials/chainedTokenCredential.d.ts

@@ -0,0 +1,51 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+/**
+ * @internal
+ */
+export declare const logger: import("../util/logging.js").CredentialLogger;
+/**
+ * Enables multiple `TokenCredential` implementations to be tried in order until
+ * one of the getToken methods returns an access token. For more information, see
+ * [ChainedTokenCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-chainedtokencredential-for-granularity).
+ */
+export declare class ChainedTokenCredential implements TokenCredential {
+    private _sources;
+    /**
+     * Creates an instance of ChainedTokenCredential using the given credentials.
+     *
+     * @param sources - `TokenCredential` implementations to be tried in order.
+     *
+     * Example usage:
+     * ```ts snippet:chained_token_credential_example
+     * import { ClientSecretCredential, ChainedTokenCredential } from "@azure/identity";
+     *
+     * const tenantId = "<tenant-id>";
+     * const clientId = "<client-id>";
+     * const clientSecret = "<client-secret>";
+     * const anotherClientId = "<another-client-id>";
+     * const anotherSecret = "<another-client-secret>";
+     *
+     * const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
+     * const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
+     *
+     * const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
+     * ```
+     */
+    constructor(...sources: TokenCredential[]);
+    /**
+     * Returns the first access token returned by one of the chained
+     * `TokenCredential` implementations.  Throws an {@link AggregateAuthenticationError}
+     * when one or more credentials throws an {@link AuthenticationError} and
+     * no credentials have returned an access token.
+     *
+     * This method is called automatically by Azure SDK client libraries. You may call this method
+     * directly, but you must also handle token caching and token refreshing.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                `TokenCredential` implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+    private getTokenInternal;
+}
+//# sourceMappingURL=chainedTokenCredential.d.ts.map

package/dist/workerd/credentials/chainedTokenCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chainedTokenCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/chainedTokenCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAKtF;;GAEG;AACH,eAAO,MAAM,MAAM,+CAA6C,CAAC;AAEjE;;;;GAIG;AACH,qBAAa,sBAAuB,YAAW,eAAe;IAC5D,OAAO,CAAC,QAAQ,CAAyB;IAEzC;;;;;;;;;;;;;;;;;;;;OAoBG;gBACS,GAAG,OAAO,EAAE,eAAe,EAAE;IAIzC;;;;;;;;;;;;OAYG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,WAAW,CAAC;YAKhF,gBAAgB;CAiD/B"}

package/dist/workerd/credentials/chainedTokenCredential.js

@@ -0,0 +1,92 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+import { AggregateAuthenticationError, CredentialUnavailableError } from "../errors.js";
+import { credentialLogger, formatError, formatSuccess } from "../util/logging.js";
+import { tracingClient } from "../util/tracing.js";
+/**
+ * @internal
+ */
+export const logger = credentialLogger("ChainedTokenCredential");
+/**
+ * Enables multiple `TokenCredential` implementations to be tried in order until
+ * one of the getToken methods returns an access token. For more information, see
+ * [ChainedTokenCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-chainedtokencredential-for-granularity).
+ */
+export class ChainedTokenCredential {
+    /**
+     * Creates an instance of ChainedTokenCredential using the given credentials.
+     *
+     * @param sources - `TokenCredential` implementations to be tried in order.
+     *
+     * Example usage:
+     * ```ts snippet:chained_token_credential_example
+     * import { ClientSecretCredential, ChainedTokenCredential } from "@azure/identity";
+     *
+     * const tenantId = "<tenant-id>";
+     * const clientId = "<client-id>";
+     * const clientSecret = "<client-secret>";
+     * const anotherClientId = "<another-client-id>";
+     * const anotherSecret = "<another-client-secret>";
+     *
+     * const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
+     * const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);
+     *
+     * const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);
+     * ```
+     */
+    constructor(...sources) {
+        this._sources = [];
+        this._sources = sources;
+    }
+    /**
+     * Returns the first access token returned by one of the chained
+     * `TokenCredential` implementations.  Throws an {@link AggregateAuthenticationError}
+     * when one or more credentials throws an {@link AuthenticationError} and
+     * no credentials have returned an access token.
+     *
+     * This method is called automatically by Azure SDK client libraries. You may call this method
+     * directly, but you must also handle token caching and token refreshing.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                `TokenCredential` implementation might make.
+     */
+    async getToken(scopes, options = {}) {
+        const { token } = await this.getTokenInternal(scopes, options);
+        return token;
+    }
+    async getTokenInternal(scopes, options = {}) {
+        let token = null;
+        let successfulCredential;
+        const errors = [];
+        return tracingClient.withSpan("ChainedTokenCredential.getToken", options, async (updatedOptions) => {
+            for (let i = 0; i < this._sources.length && token === null; i++) {
+                try {
+                    token = await this._sources[i].getToken(scopes, updatedOptions);
+                    successfulCredential = this._sources[i];
+                }
+                catch (err) {
+                    if (err.name === "CredentialUnavailableError" ||
+                        err.name === "AuthenticationRequiredError") {
+                        errors.push(err);
+                    }
+                    else {
+                        logger.getToken.info(formatError(scopes, err));
+                        throw err;
+                    }
+                }
+            }
+            if (!token && errors.length > 0) {
+                const err = new AggregateAuthenticationError(errors, "ChainedTokenCredential authentication failed.");
+                logger.getToken.info(formatError(scopes, err));
+                throw err;
+            }
+            logger.getToken.info(`Result for ${successfulCredential.constructor.name}: ${formatSuccess(scopes)}`);
+            if (token === null) {
+                throw new CredentialUnavailableError("Failed to retrieve a valid token");
+            }
+            return { token, successfulCredential };
+        });
+    }
+}
+//# sourceMappingURL=chainedTokenCredential.js.map

package/dist/workerd/credentials/chainedTokenCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chainedTokenCredential.js","sourceRoot":"","sources":["../../../src/credentials/chainedTokenCredential.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,kCAAkC;AAGlC,OAAO,EAAE,4BAA4B,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AACxF,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAClF,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD;;GAEG;AACH,MAAM,CAAC,MAAM,MAAM,GAAG,gBAAgB,CAAC,wBAAwB,CAAC,CAAC;AAEjE;;;;GAIG;AACH,MAAM,OAAO,sBAAsB;IAGjC;;;;;;;;;;;;;;;;;;;;OAoBG;IACH,YAAY,GAAG,OAA0B;QAvBjC,aAAQ,GAAsB,EAAE,CAAC;QAwBvC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;IAC1B,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,QAAQ,CAAC,MAAyB,EAAE,UAA2B,EAAE;QACrE,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC/D,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,KAAK,CAAC,gBAAgB,CAC5B,MAAyB,EACzB,UAA2B,EAAE;QAE7B,IAAI,KAAK,GAAuB,IAAI,CAAC;QACrC,IAAI,oBAAqC,CAAC;QAC1C,MAAM,MAAM,GAAY,EAAE,CAAC;QAE3B,OAAO,aAAa,CAAC,QAAQ,CAC3B,iCAAiC,EACjC,OAAO,EACP,KAAK,EAAE,cAAc,EAAE,EAAE;YACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;gBAChE,IAAI,CAAC;oBACH,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;oBAChE,oBAAoB,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;gBAC1C,CAAC;gBAAC,OAAO,GAAQ,EAAE,CAAC;oBAClB,IACE,GAAG,CAAC,IAAI,KAAK,4BAA4B;wBACzC,GAAG,CAAC,IAAI,KAAK,6BAA6B,EAC1C,CAAC;wBACD,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBACnB,CAAC;yBAAM,CAAC;wBACN,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;wBAC/C,MAAM,GAAG,CAAC;oBACZ,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAChC,MAAM,GAAG,GAAG,IAAI,4BAA4B,CAC1C,MAAM,EACN,+CAA+C,CAChD,CAAC;gBACF,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC;gBAC/C,MAAM,GAAG,CAAC;YACZ,CAAC;YAED,MAAM,CAAC,QAAQ,CAAC,IAAI,CAClB,cAAc,oBAAoB,CAAC,WAAW,CAAC,IAAI,KAAK,aAAa,CAAC,MAAM,CAAC,EAAE,CAChF,CAAC;YAEF,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBACnB,MAAM,IAAI,0BAA0B,CAAC,kCAAkC,CAAC,CAAC;YAC3E,CAAC;YACD,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC;QACzC,CAAC,CACF,CAAC;IACJ,CAAC;CACF","sourcesContent":["// Copyright (c) Microsoft Corporation.\n// Licensed under the MIT License.\n\nimport type { AccessToken, GetTokenOptions, TokenCredential } from \"@azure/core-auth\";\nimport { AggregateAuthenticationError, CredentialUnavailableError } from \"../errors.js\";\nimport { credentialLogger, formatError, formatSuccess } from \"../util/logging.js\";\nimport { tracingClient } from \"../util/tracing.js\";\n\n/**\n * @internal\n */\nexport const logger = credentialLogger(\"ChainedTokenCredential\");\n\n/**\n * Enables multiple `TokenCredential` implementations to be tried in order until\n * one of the getToken methods returns an access token. For more information, see\n * [ChainedTokenCredential overview](https://aka.ms/azsdk/js/identity/credential-chains#use-chainedtokencredential-for-granularity).\n */\nexport class ChainedTokenCredential implements TokenCredential {\n  private _sources: TokenCredential[] = [];\n\n  /**\n   * Creates an instance of ChainedTokenCredential using the given credentials.\n   *\n   * @param sources - `TokenCredential` implementations to be tried in order.\n   *\n   * Example usage:\n   * ```ts snippet:chained_token_credential_example\n   * import { ClientSecretCredential, ChainedTokenCredential } from \"@azure/identity\";\n   *\n   * const tenantId = \"<tenant-id>\";\n   * const clientId = \"<client-id>\";\n   * const clientSecret = \"<client-secret>\";\n   * const anotherClientId = \"<another-client-id>\";\n   * const anotherSecret = \"<another-client-secret>\";\n   *\n   * const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);\n   * const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);\n   *\n   * const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);\n   * ```\n   */\n  constructor(...sources: TokenCredential[]) {\n    this._sources = sources;\n  }\n\n  /**\n   * Returns the first access token returned by one of the chained\n   * `TokenCredential` implementations.  Throws an {@link AggregateAuthenticationError}\n   * when one or more credentials throws an {@link AuthenticationError} and\n   * no credentials have returned an access token.\n   *\n   * This method is called automatically by Azure SDK client libraries. You may call this method\n   * directly, but you must also handle token caching and token refreshing.\n   *\n   * @param scopes - The list of scopes for which the token will have access.\n   * @param options - The options used to configure any requests this\n   *                `TokenCredential` implementation might make.\n   */\n  async getToken(scopes: string | string[], options: GetTokenOptions = {}): Promise<AccessToken> {\n    const { token } = await this.getTokenInternal(scopes, options);\n    return token;\n  }\n\n  private async getTokenInternal(\n    scopes: string | string[],\n    options: GetTokenOptions = {},\n  ): Promise<{ token: AccessToken; successfulCredential: TokenCredential }> {\n    let token: AccessToken | null = null;\n    let successfulCredential: TokenCredential;\n    const errors: Error[] = [];\n\n    return tracingClient.withSpan(\n      \"ChainedTokenCredential.getToken\",\n      options,\n      async (updatedOptions) => {\n        for (let i = 0; i < this._sources.length && token === null; i++) {\n          try {\n            token = await this._sources[i].getToken(scopes, updatedOptions);\n            successfulCredential = this._sources[i];\n          } catch (err: any) {\n            if (\n              err.name === \"CredentialUnavailableError\" ||\n              err.name === \"AuthenticationRequiredError\"\n            ) {\n              errors.push(err);\n            } else {\n              logger.getToken.info(formatError(scopes, err));\n              throw err;\n            }\n          }\n        }\n\n        if (!token && errors.length > 0) {\n          const err = new AggregateAuthenticationError(\n            errors,\n            \"ChainedTokenCredential authentication failed.\",\n          );\n          logger.getToken.info(formatError(scopes, err));\n          throw err;\n        }\n\n        logger.getToken.info(\n          `Result for ${successfulCredential.constructor.name}: ${formatSuccess(scopes)}`,\n        );\n\n        if (token === null) {\n          throw new CredentialUnavailableError(\"Failed to retrieve a valid token\");\n        }\n        return { token, successfulCredential };\n      },\n    );\n  }\n}\n"]}

package/dist/workerd/credentials/clientAssertionCredential.d.ts

@@ -0,0 +1,33 @@
+import type { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-auth";
+import type { ClientAssertionCredentialOptions } from "./clientAssertionCredentialOptions.js";
+/**
+ * Authenticates a service principal with a JWT assertion.
+ */
+export declare class ClientAssertionCredential implements TokenCredential {
+    private msalClient;
+    private tenantId;
+    private additionallyAllowedTenantIds;
+    private getAssertion;
+    private options;
+    /**
+     * Creates an instance of the ClientAssertionCredential with the details
+     * needed to authenticate against Microsoft Entra ID with a client
+     * assertion provided by the developer through the `getAssertion` function parameter.
+     *
+     * @param tenantId - The Microsoft Entra tenant (directory) ID.
+     * @param clientId - The client (application) ID of an App Registration in the tenant.
+     * @param getAssertion - A function that retrieves the assertion for the credential to use.
+     * @param options - Options for configuring the client which makes the authentication request.
+     */
+    constructor(tenantId: string, clientId: string, getAssertion: () => Promise<string>, options?: ClientAssertionCredentialOptions);
+    /**
+     * Authenticates with Microsoft Entra ID and returns an access token if successful.
+     * If authentication fails, a {@link CredentialUnavailableError} will be thrown with the details of the failure.
+     *
+     * @param scopes - The list of scopes for which the token will have access.
+     * @param options - The options used to configure any requests this
+     *                TokenCredential implementation might make.
+     */
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken>;
+}
+//# sourceMappingURL=clientAssertionCredential.d.ts.map

package/dist/workerd/credentials/clientAssertionCredential.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"clientAssertionCredential.d.ts","sourceRoot":"","sources":["../../../src/credentials/clientAssertionCredential.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAQtF,OAAO,KAAK,EAAE,gCAAgC,EAAE,MAAM,uCAAuC,CAAC;AAO9F;;GAEG;AACH,qBAAa,yBAA0B,YAAW,eAAe;IAC/D,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,4BAA4B,CAAW;IAC/C,OAAO,CAAC,YAAY,CAAwB;IAC5C,OAAO,CAAC,OAAO,CAAmC;IAElD;;;;;;;;;OASG;gBAED,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,EACnC,OAAO,GAAE,gCAAqC;IAiChD;;;;;;;OAOG;IACG,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,EAAE,OAAO,GAAE,eAAoB,GAAG,OAAO,CAAC,WAAW,CAAC;CAqB/F"}