@microsoft/agents-hosting 1.6.0-beta.8.g226709c215 → 1.6.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/package.json +4 -9
- package/dist/src/agent-client/agentClient.js +2 -2
- package/dist/src/agent-client/agentClient.js.map +1 -1
- package/dist/src/agent-client/agentResponseHandler.js +2 -2
- package/dist/src/agent-client/agentResponseHandler.js.map +1 -1
- package/dist/src/app/agentApplication.js +28 -2
- package/dist/src/app/agentApplication.js.map +1 -1
- package/dist/src/app/agentApplicationOptions.d.ts +10 -0
- package/dist/src/app/attachmentDownloader.js +5 -10
- package/dist/src/app/attachmentDownloader.js.map +1 -1
- package/dist/src/app/auth/authorizationManager.d.ts +4 -0
- package/dist/src/app/auth/authorizationManager.js +94 -67
- package/dist/src/app/auth/authorizationManager.js.map +1 -1
- package/dist/src/app/auth/handlers/azureBotAuthorization.js +2 -2
- package/dist/src/app/auth/handlers/azureBotAuthorization.js.map +1 -1
- package/dist/src/app/proactive/createConversationOptionsBuilder.js +10 -6
- package/dist/src/app/proactive/createConversationOptionsBuilder.js.map +1 -1
- package/dist/src/app/proactive/proactive.d.ts +1 -0
- package/dist/src/app/proactive/proactive.js +30 -15
- package/dist/src/app/proactive/proactive.js.map +1 -1
- package/dist/src/app/teamsAttachmentDownloader.js +6 -8
- package/dist/src/app/teamsAttachmentDownloader.js.map +1 -1
- package/dist/src/auth/authConfiguration.d.ts +2 -143
- package/dist/src/auth/authConfiguration.js +301 -257
- package/dist/src/auth/authConfiguration.js.map +1 -1
- package/dist/src/auth/jwt-middleware.js +2 -1
- package/dist/src/auth/jwt-middleware.js.map +1 -1
- package/dist/src/auth/msalConnectionManager.js +27 -14
- package/dist/src/auth/msalConnectionManager.js.map +1 -1
- package/dist/src/auth/msalTokenProvider.d.ts +7 -0
- package/dist/src/auth/msalTokenProvider.js +188 -44
- package/dist/src/auth/msalTokenProvider.js.map +1 -1
- package/dist/src/auth/settings.d.ts +327 -0
- package/dist/src/auth/settings.js +158 -0
- package/dist/src/auth/settings.js.map +1 -0
- package/dist/src/cloudAdapter.d.ts +58 -1
- package/dist/src/cloudAdapter.js +232 -52
- package/dist/src/cloudAdapter.js.map +1 -1
- package/dist/src/connector-client/connectorClient.d.ts +12 -8
- package/dist/src/connector-client/connectorClient.js +99 -82
- package/dist/src/connector-client/connectorClient.js.map +1 -1
- package/dist/src/errorHelper.js +85 -7
- package/dist/src/errorHelper.js.map +1 -1
- package/dist/src/getProductInfo.d.ts +23 -0
- package/dist/src/getProductInfo.js +71 -1
- package/dist/src/getProductInfo.js.map +1 -1
- package/dist/src/headerPropagation.d.ts +17 -2
- package/dist/src/headerPropagation.js +46 -24
- package/dist/src/headerPropagation.js.map +1 -1
- package/dist/src/httpClient.d.ts +60 -0
- package/dist/src/httpClient.js +173 -0
- package/dist/src/httpClient.js.map +1 -0
- package/dist/src/index.d.ts +2 -1
- package/dist/src/index.js +7 -2
- package/dist/src/index.js.map +1 -1
- package/dist/src/oauth/userTokenClient.d.ts +5 -4
- package/dist/src/oauth/userTokenClient.js +97 -78
- package/dist/src/oauth/userTokenClient.js.map +1 -1
- package/dist/src/observability/traces.d.ts +11 -4
- package/dist/src/observability/traces.js +39 -7
- package/dist/src/observability/traces.js.map +1 -1
- package/dist/src/utils/env.d.ts +50 -0
- package/dist/src/utils/env.js +113 -0
- package/dist/src/utils/env.js.map +1 -0
- package/dist/src/utils.d.ts +10 -0
- package/dist/src/utils.js +18 -0
- package/dist/src/utils.js.map +1 -0
- package/package.json +4 -9
- package/src/agent-client/agentClient.ts +2 -2
- package/src/agent-client/agentResponseHandler.ts +2 -2
- package/src/app/agentApplication.ts +30 -3
- package/src/app/agentApplicationOptions.ts +11 -0
- package/src/app/attachmentDownloader.ts +6 -8
- package/src/app/auth/authorizationManager.ts +84 -41
- package/src/app/auth/handlers/azureBotAuthorization.ts +2 -2
- package/src/app/proactive/createConversationOptionsBuilder.ts +8 -4
- package/src/app/proactive/proactive.ts +39 -23
- package/src/app/teamsAttachmentDownloader.ts +7 -6
- package/src/auth/authConfiguration.ts +317 -356
- package/src/auth/jwt-middleware.ts +1 -1
- package/src/auth/msalConnectionManager.ts +27 -10
- package/src/auth/msalTokenProvider.ts +180 -42
- package/src/auth/settings.ts +323 -0
- package/src/cloudAdapter.ts +291 -12
- package/src/connector-client/connectorClient.ts +116 -94
- package/src/errorHelper.ts +96 -7
- package/src/getProductInfo.ts +79 -1
- package/src/headerPropagation.ts +55 -23
- package/src/httpClient.ts +223 -0
- package/src/index.ts +5 -1
- package/src/oauth/userTokenClient.ts +103 -84
- package/src/observability/traces.ts +39 -8
- package/src/utils/env.ts +105 -0
- package/src/utils.ts +14 -0
|
@@ -0,0 +1,323 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3
|
+
* Licensed under the MIT License.
|
|
4
|
+
*/
|
|
5
|
+
|
|
6
|
+
import { debug } from '@microsoft/agents-telemetry'
|
|
7
|
+
import type { ConnectionMapItem } from './msalConnectionManager'
|
|
8
|
+
|
|
9
|
+
const logger = debug('agents:authConfiguration')
|
|
10
|
+
|
|
11
|
+
const DEFAULT_CONNECTION = 'serviceConnection'
|
|
12
|
+
const AUTHORITY_DEFAULT = 'https://login.microsoftonline.com'
|
|
13
|
+
|
|
14
|
+
export const DEFAULT_CONNECTION_MAP: ConnectionMapItem = { serviceUrl: '*', connection: DEFAULT_CONNECTION }
|
|
15
|
+
|
|
16
|
+
export type ConnectionKeys = keyof Omit<AuthConfiguration, 'connections' | 'connectionsMap'>
|
|
17
|
+
export type ConnectionMapKeys = keyof ConnectionMapItem
|
|
18
|
+
|
|
19
|
+
export interface LoadEnv {
|
|
20
|
+
[upperKey: string]: { key: string, value: any }
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
export function loadEnvSettings (callback: (key: string, value: string) => void) {
|
|
24
|
+
const env: LoadEnv = {}
|
|
25
|
+
for (const [envKey, envValue] of Object.entries(process.env)) {
|
|
26
|
+
if (!envValue?.trim()) {
|
|
27
|
+
continue
|
|
28
|
+
}
|
|
29
|
+
|
|
30
|
+
env[envKey.toUpperCase()] = { key: envKey, value: envValue }
|
|
31
|
+
|
|
32
|
+
callback(envKey, envValue)
|
|
33
|
+
}
|
|
34
|
+
|
|
35
|
+
return env
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
export function applyDefaultSettings (config: AuthConfiguration) {
|
|
39
|
+
const settings = { ...config }
|
|
40
|
+
settings.authorityEndpoint ??= settings.authority ?? AUTHORITY_DEFAULT
|
|
41
|
+
settings.issuers ??= getDefaultIssuers(settings.tenantId ?? '', settings.authorityEndpoint)
|
|
42
|
+
|
|
43
|
+
// For backward compatibility
|
|
44
|
+
if (settings.federatedClientId) {
|
|
45
|
+
settings.FICClientId = settings.federatedClientId
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
if (settings.scopes?.length) {
|
|
49
|
+
settings.scope = settings.scopes?.[0]
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
if (settings.authorityEndpoint) {
|
|
53
|
+
settings.authority = settings.authorityEndpoint
|
|
54
|
+
}
|
|
55
|
+
|
|
56
|
+
if (!settings.clientId && process.env.NODE_ENV?.toLowerCase() === 'production') {
|
|
57
|
+
throw new Error('ClientId required in production')
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
const defaultConnections = settings.connections?.size
|
|
61
|
+
? settings.connections
|
|
62
|
+
: new Map([[DEFAULT_CONNECTION, { ...settings }]])
|
|
63
|
+
const defaultConnectionsMap = settings.connectionsMap?.length
|
|
64
|
+
? settings.connectionsMap
|
|
65
|
+
: [DEFAULT_CONNECTION_MAP]
|
|
66
|
+
|
|
67
|
+
settings.connections = defaultConnections
|
|
68
|
+
settings.connectionsMap = defaultConnectionsMap
|
|
69
|
+
return settings
|
|
70
|
+
}
|
|
71
|
+
|
|
72
|
+
/**
|
|
73
|
+
* A type representing a parser settings object.
|
|
74
|
+
*/
|
|
75
|
+
type ParserSettings<K extends string> = {
|
|
76
|
+
[key in K]: (value: string) => { key?: string, value?: any } | undefined
|
|
77
|
+
}
|
|
78
|
+
|
|
79
|
+
/**
|
|
80
|
+
* Creates an environment variable parser that maps the variable keys to parsing functions.
|
|
81
|
+
* @param settings An object where each key is an environment variable name and the value is a function
|
|
82
|
+
* that takes the variable value as input and returns an object with optional `key` and `value` properties.
|
|
83
|
+
* @remarks
|
|
84
|
+
* The `key` property in the returned object can be used to rename the environment variable key,
|
|
85
|
+
* while the `value` property contains the parsed value.
|
|
86
|
+
* @returns An object with a `parse` method that takes an environment variable key and value,
|
|
87
|
+
* and returns the parsed result.
|
|
88
|
+
*/
|
|
89
|
+
export function envParser<K extends string> (settings: ParserSettings<K> & ThisType<ParserSettings<K>>) {
|
|
90
|
+
const keys = Object.keys(settings) as K[]
|
|
91
|
+
const upperKeys = keys.reduce((acc, key) => {
|
|
92
|
+
acc[key.toUpperCase()] = key
|
|
93
|
+
return acc
|
|
94
|
+
}, {} as Record<string, K>)
|
|
95
|
+
return {
|
|
96
|
+
keys,
|
|
97
|
+
/**
|
|
98
|
+
* Parses the given environment variable key and value using the provided settings.
|
|
99
|
+
* @param key The environment variable key.
|
|
100
|
+
* @param value The environment variable value.
|
|
101
|
+
* @returns The parsed result with optional renamed key and parsed value.
|
|
102
|
+
*/
|
|
103
|
+
parse (key: K, value: string) {
|
|
104
|
+
const match = upperKeys[key.toUpperCase()]
|
|
105
|
+
if (!match) {
|
|
106
|
+
return {}
|
|
107
|
+
}
|
|
108
|
+
|
|
109
|
+
const result = settings[match](value)
|
|
110
|
+
return { key: result?.key ?? match, value: result?.value }
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
}
|
|
114
|
+
|
|
115
|
+
/**
|
|
116
|
+
* Utility functions for environment variable parsers.
|
|
117
|
+
*/
|
|
118
|
+
export const envParserUtils = {
|
|
119
|
+
/**
|
|
120
|
+
* Bypass parser that returns the value as is.
|
|
121
|
+
* @param value The environment variable value.
|
|
122
|
+
* @returns An object with the original value.
|
|
123
|
+
*/
|
|
124
|
+
bypass: (value: string) => ({ value }),
|
|
125
|
+
/**
|
|
126
|
+
* Redirects the parsing to another parser for a specific key.
|
|
127
|
+
* @param parser The target parser to redirect to.
|
|
128
|
+
* @param key The key to use in the target parser.
|
|
129
|
+
* @returns A function that takes the environment variable value and returns the parsed result from the target parser.
|
|
130
|
+
*/
|
|
131
|
+
redirect: <Parser extends ReturnType<typeof envParser>>(parser: Parser, key: Parameters<Parser['parse']>[0]) => (value: string) => parser.parse(key, value)
|
|
132
|
+
}
|
|
133
|
+
|
|
134
|
+
/**
|
|
135
|
+
* Resolves the full authority URL including the tenant ID.
|
|
136
|
+
* Supports both patterns:
|
|
137
|
+
* - Tenant embedded in authority: https://login.microsoftonline.com/my-tenant
|
|
138
|
+
* - Authority + separate tenantId: https://login.microsoftonline.com + tenantId
|
|
139
|
+
* Also handles trailing slashes on authority.
|
|
140
|
+
*/
|
|
141
|
+
export function resolveAuthority (authority?: string, tenantId?: string): string {
|
|
142
|
+
const base = trimTrailingSlashes(authority ?? AUTHORITY_DEFAULT)
|
|
143
|
+
const url = new URL(base)
|
|
144
|
+
const hasPathSegment = url.pathname !== '/'
|
|
145
|
+
if (hasPathSegment) {
|
|
146
|
+
return base
|
|
147
|
+
}
|
|
148
|
+
return `${base}/${tenantId ?? 'botframework.com'}`
|
|
149
|
+
}
|
|
150
|
+
|
|
151
|
+
function trimTrailingSlashes (value: string): string {
|
|
152
|
+
let end = value.length
|
|
153
|
+
while (end > 0 && value.charCodeAt(end - 1) === 47) {
|
|
154
|
+
end--
|
|
155
|
+
}
|
|
156
|
+
|
|
157
|
+
return end === value.length ? value : value.slice(0, end)
|
|
158
|
+
}
|
|
159
|
+
|
|
160
|
+
function getDefaultIssuers (tenantId: string, authority: string) : string[] {
|
|
161
|
+
// Convert empty string to undefined so resolveAuthority applies its 'botframework.com' default
|
|
162
|
+
const t = tenantId || undefined
|
|
163
|
+
if (!t) {
|
|
164
|
+
logger.warn('tenantId is not configured, defaulting to botframework.com')
|
|
165
|
+
}
|
|
166
|
+
return [
|
|
167
|
+
'https://api.botframework.com',
|
|
168
|
+
`${resolveAuthority('https://sts.windows.net', t)}/`,
|
|
169
|
+
`${resolveAuthority(authority, t)}/v2.0`
|
|
170
|
+
]
|
|
171
|
+
}
|
|
172
|
+
|
|
173
|
+
/**
|
|
174
|
+
* Represents the authentication configuration.
|
|
175
|
+
*/
|
|
176
|
+
export interface AuthConfiguration {
|
|
177
|
+
/**
|
|
178
|
+
* The tenant ID for the authentication configuration.
|
|
179
|
+
*/
|
|
180
|
+
tenantId?: string
|
|
181
|
+
|
|
182
|
+
/**
|
|
183
|
+
* The client ID for the authentication configuration. Required in production.
|
|
184
|
+
*/
|
|
185
|
+
clientId?: string
|
|
186
|
+
|
|
187
|
+
/**
|
|
188
|
+
* The client secret for the authentication configuration.
|
|
189
|
+
*/
|
|
190
|
+
clientSecret?: string
|
|
191
|
+
|
|
192
|
+
/**
|
|
193
|
+
* The path to the certificate PEM file.
|
|
194
|
+
*/
|
|
195
|
+
certPemFile?: string
|
|
196
|
+
|
|
197
|
+
/**
|
|
198
|
+
* The path to the certificate key file.
|
|
199
|
+
*/
|
|
200
|
+
certKeyFile?: string
|
|
201
|
+
|
|
202
|
+
/**
|
|
203
|
+
* Indicates whether to send the X5C param or not (for SNI authentication).
|
|
204
|
+
*/
|
|
205
|
+
sendX5C?: boolean
|
|
206
|
+
|
|
207
|
+
/**
|
|
208
|
+
* A list of valid issuers for the authentication configuration.
|
|
209
|
+
*/
|
|
210
|
+
issuers?: string[]
|
|
211
|
+
|
|
212
|
+
/**
|
|
213
|
+
* The connection name for the authentication configuration.
|
|
214
|
+
*/
|
|
215
|
+
connectionName?: string
|
|
216
|
+
|
|
217
|
+
/**
|
|
218
|
+
* @deprecated Use federatedClientId instead.
|
|
219
|
+
*
|
|
220
|
+
* The FIC (First-Party Integration Channel) client ID.
|
|
221
|
+
*/
|
|
222
|
+
FICClientId?: string,
|
|
223
|
+
|
|
224
|
+
/**
|
|
225
|
+
* @deprecated Use authorityEndpoint instead.
|
|
226
|
+
*
|
|
227
|
+
* Entra Authentication Endpoint to use.
|
|
228
|
+
*
|
|
229
|
+
* @remarks
|
|
230
|
+
* If not populated the Entra Public Cloud endpoint is assumed.
|
|
231
|
+
* This example of Public Cloud Endpoint is https://login.microsoftonline.com
|
|
232
|
+
* see also https://learn.microsoft.com/entra/identity-platform/authentication-national-cloud
|
|
233
|
+
*/
|
|
234
|
+
authority?: string
|
|
235
|
+
|
|
236
|
+
/**
|
|
237
|
+
* @deprecated Use scopes instead.
|
|
238
|
+
*/
|
|
239
|
+
scope?: string
|
|
240
|
+
|
|
241
|
+
/**
|
|
242
|
+
* A map of connection names to their respective authentication configurations.
|
|
243
|
+
*/
|
|
244
|
+
connections?: Map<string, AuthConfiguration>
|
|
245
|
+
|
|
246
|
+
/**
|
|
247
|
+
* A list of connection map items to map service URLs to connection names.
|
|
248
|
+
*/
|
|
249
|
+
connectionsMap?: ConnectionMapItem[],
|
|
250
|
+
|
|
251
|
+
/**
|
|
252
|
+
* An optional alternative blueprint Connection name used when constructing a connector client.
|
|
253
|
+
*/
|
|
254
|
+
altBlueprintConnectionName?: string
|
|
255
|
+
|
|
256
|
+
/**
|
|
257
|
+
* @deprecated Use `authType` set to `'WorkloadIdentity'` and `federatedTokenFile` instead.
|
|
258
|
+
*
|
|
259
|
+
* The path to K8s provided token.
|
|
260
|
+
*/
|
|
261
|
+
WIDAssertionFile?: string
|
|
262
|
+
|
|
263
|
+
/**
|
|
264
|
+
* The Azure region for ESTS-R regional token acquisition (e.g. 'westus', 'eastus').
|
|
265
|
+
* When set, MSAL routes token requests to the specified regional endpoint.
|
|
266
|
+
* See https://learn.microsoft.com/en-us/entra/msal/javascript/node/regional-authorities for details.
|
|
267
|
+
*/
|
|
268
|
+
azureRegion?: string
|
|
269
|
+
|
|
270
|
+
/**
|
|
271
|
+
* The authentication type for the connection.
|
|
272
|
+
*/
|
|
273
|
+
authType?: AuthType | string
|
|
274
|
+
|
|
275
|
+
/**
|
|
276
|
+
* The path to the federated token file used for Workload Identity authentication.
|
|
277
|
+
*/
|
|
278
|
+
federatedTokenFile?: string
|
|
279
|
+
|
|
280
|
+
/**
|
|
281
|
+
* Sets the resource URL for Identity Proxy Manager (IDPM).
|
|
282
|
+
*
|
|
283
|
+
* @remarks
|
|
284
|
+
* Set this to the appropriate resource identifier when the application is running in an environment,
|
|
285
|
+
* such as a Foundry container, that exposes Managed Identity through a container-specific IMDS endpoint.
|
|
286
|
+
* This setting is only meaningful when using Identity Proxy Manager (AuthType.IdentityProxyManager) for authentication.
|
|
287
|
+
*/
|
|
288
|
+
idpmResource?: string
|
|
289
|
+
|
|
290
|
+
/**
|
|
291
|
+
* Entra Authentication Endpoint to use.
|
|
292
|
+
*
|
|
293
|
+
* @remarks
|
|
294
|
+
* If not populated the Entra Public Cloud endpoint is assumed.
|
|
295
|
+
* This example of Public Cloud Endpoint is https://login.microsoftonline.com
|
|
296
|
+
* see also https://learn.microsoft.com/entra/identity-platform/authentication-national-cloud
|
|
297
|
+
*/
|
|
298
|
+
authorityEndpoint?: string
|
|
299
|
+
|
|
300
|
+
/**
|
|
301
|
+
* The federated client ID for the authentication configuration, used for workload identity federation scenarios.
|
|
302
|
+
*/
|
|
303
|
+
federatedClientId?: string
|
|
304
|
+
|
|
305
|
+
/**
|
|
306
|
+
* The scopes for the authentication configuration.
|
|
307
|
+
*/
|
|
308
|
+
scopes?: string[]
|
|
309
|
+
}
|
|
310
|
+
|
|
311
|
+
/**
|
|
312
|
+
* Supported authentication types for agent connections.
|
|
313
|
+
*/
|
|
314
|
+
export enum AuthType {
|
|
315
|
+
Certificate = 'Certificate',
|
|
316
|
+
CertificateSubjectName = 'CertificateSubjectName',
|
|
317
|
+
ClientSecret = 'ClientSecret',
|
|
318
|
+
UserManagedIdentity = 'UserManagedIdentity',
|
|
319
|
+
SystemManagedIdentity = 'SystemManagedIdentity',
|
|
320
|
+
FederatedCredentials = 'FederatedCredentials',
|
|
321
|
+
WorkloadIdentity = 'WorkloadIdentity',
|
|
322
|
+
IdentityProxyManager = 'IdentityProxyManager'
|
|
323
|
+
}
|