@microsoft/teamsfx 0.3.0-alpha.8101fb46.0 → 0.3.0-rc.0

package/README.md

@@ -112,16 +112,32 @@ TeamsFx SDK provides helper functions to ease the configuration for third-party
 
 API will throw `ErrorWithCode` if error happens. Each `ErrorWithCode` contains error code and error message.
 
-For example, to filter out all errors, you could use the following check:
+For example, to filter out specific error, you could use the following check:
+
+```ts
+try {
+  const credential = new TeamsUserCredential();
+  await credential.login("User.Read");
+} catch (err: unknown) {
+  if (err instanceof ErrorWithCode && err.code !== ErrorCode.ConsentFailed) {
+    throw err;
+  } else {
+    // Silently fail because user cancels the consent dialog
+    return;
+  }
+}
+```
+
+And if credential instance is used in other library like Microsoft Graph, it's possible that error is catched and transformed.
 
 ```ts
 try {
   const credential = new TeamsUserCredential();
   const graphClient = createMicrosoftGraphClient(credential, ["User.Read"]); // Initializes MS Graph SDK using our MsGraphAuthProvider
   const profile = await graphClient.api("/me").get();
-} catch (err) {
-  // Show login button when specific ErrorWithCode is caught.
-  if (err instanceof ErrorWithCode && err.code === ErrorCode.UiRequiredError) {
+} catch (err: unknown) {
+  // ErrorWithCode is handled by Graph client
+  if (err instanceof GraphError && err.code?.includes(ErrorCode.UiRequiredError)) {
     this.setState({
       showLoginBtn: true,
     });
@@ -237,8 +253,12 @@ dialogs.add(
 
 ### Configure log
 
-You can set custome log level and logger when using this library.
-The default log level is `info` and SDK will print log information to console.
+You can set custome log level and redirect outputs when using this library.
+Logging is turned off by default, you can turn it on by setting log level.
+
+#### Enable log by setting log level
+
+When log level is set, logging is enabled. It prints log information to console by default.
 
 Set log level using the snippet below:
 
@@ -247,28 +267,33 @@ Set log level using the snippet below:
 setLogLevel(LogLevel.Warn);
 ```
 
-Set a custome log function if you want to redirect output:
+You can redirect log output by setting custom logger or log function.
+
+##### Redirect by setting custom logger
+
+```ts
+setLogLevel(LogLevel.Info);
+// Set another logger if you want to redirect to Application Insights in Azure Function
+setLogger(context.log);
+```
+
+##### Redirect by setting custom log function
+
+Please note that log function will not take effect if you set a custom logger.
 
 ```ts
+setLogLevel(LogLevel.Info);
 // Only log error message to Application Insights in bot application.
-setLogFunction((level: LogLevel, ...args: any[]) => {
+setLogFunction((level: LogLevel, message: string) => {
   if (level === LogLevel.Error) {
-    const { format, ...rest } = args;
     this.telemetryClient.trackTrace({
-      message: util.format(format, ...rest),
+      message: message,
       severityLevel: Severity.Error,
     });
   }
 });
 ```
 
-Set a custome logger instance:
-
-```ts
-// context.log send messages to Application Insights in Azure Function
-setLogger(context.log);
-```
-
 ## Next steps
 
 Please take a look at the [Samples](https://github.com/OfficeDev/TeamsFx-Samples) project for detailed examples on how to use this library.

package/dist/index.js

@@ -3,14 +3,15 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var tslib = require('tslib');
-var identity = require('@azure/identity');
 var jwt_decode = require('jwt-decode');
+var crypto = require('crypto');
 var coreHttp = require('@azure/core-http');
 var msalNode = require('@azure/msal-node');
-var botbuilderCore = require('botbuilder-core');
+var botbuilder = require('botbuilder');
 var botbuilderDialogs = require('botbuilder-dialogs');
 var uuid = require('uuid');
 var microsoftGraphClient = require('@microsoft/microsoft-graph-client');
+var identity = require('@azure/identity');
 
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
@@ -32,6 +33,10 @@ exports.ErrorCode = void 0;
      * Invalid configuration error.
      */
     ErrorCode["InvalidConfiguration"] = "InvalidConfiguration";
+    /**
+     * Invalid certificate error.
+     */
+    ErrorCode["InvalidCertificate"] = "InvalidCertificate";
     /**
      * Internal error.
      */
@@ -157,7 +162,7 @@ function getLogLevel() {
 }
 class InternalLogger {
     constructor() {
-        this.level = exports.LogLevel.Info;
+        this.level = undefined;
         this.defaultLogger = {
             verbose: console.debug,
             info: console.info,
@@ -184,7 +189,7 @@ class InternalLogger {
         const timestamp = new Date().toUTCString();
         const logHeader = `[${timestamp}] : @microsoft/teamsfx : ${exports.LogLevel[logLevel]} - `;
         const logMessage = `${logHeader}${message}`;
-        if (this.level <= logLevel) {
+        if (this.level !== undefined && this.level <= logLevel) {
             if (this.customLogger) {
                 logFunction(this.customLogger)(logMessage);
             }
@@ -204,10 +209,20 @@ class InternalLogger {
  */
 const internalLogger = new InternalLogger();
 /**
- * Set custom logger. Use the output function if it's set. Priority is higher than setLogFunction.
+ * Set custom logger. Use the output functions if it's set. Priority is higher than setLogFunction.
  *
  * @param {Logger} logger - custom logger. If it's undefined, custom logger will be cleared.
  *
+ * @example
+ * ```typescript
+ * setLogger({
+ *   verbose: console.debug,
+ *   info: console.info,
+ *   warn: console.warn,
+ *   error: console.error,
+ * });
+ * ```
+ *
  * @beta
  */
 function setLogger(logger) {
@@ -218,6 +233,15 @@ function setLogger(logger) {
  *
  * @param {LogFunction} logFunction - custom log function. If it's undefined, custom log function will be cleared.
  *
+ * @example
+ * ```typescript
+ * setLogFunction((level: LogLevel, message: string) => {
+ *   if (level === LogLevel.Error) {
+ *     console.log(message);
+ *   }
+ * });
+ * ```
+ *
  * @beta
  */
 function setLogFunction(logFunction) {
@@ -311,6 +335,43 @@ function validateScopesType(value) {
     internalLogger.error(errorMsg);
     throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidParameter);
 }
+/**
+ * @internal
+ */
+function getScopesArray(scopes) {
+    const scopesArray = typeof scopes === "string" ? scopes.split(" ") : scopes;
+    return scopesArray.filter((x) => x !== null && x !== "");
+}
+/**
+ * @internal
+ */
+function getAuthority(authorityHost, tenantId) {
+    const normalizedAuthorityHost = authorityHost.replace(/\/+$/g, "");
+    return normalizedAuthorityHost + "/" + tenantId;
+}
+/**
+ * @internal
+ */
+function parseCertificate(certificateContent) {
+    if (!certificateContent) {
+        return undefined;
+    }
+    const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/;
+    const match = certificatePattern.exec(certificateContent);
+    if (!match) {
+        const errorMsg = "The certificate content does not contain a PEM-encoded certificate.";
+        internalLogger.error(errorMsg);
+        throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidCertificate);
+    }
+    const thumbprint = crypto.createHash("sha1")
+        .update(Buffer.from(match[3], "base64"))
+        .digest("hex")
+        .toUpperCase();
+    return {
+        thumbprint: thumbprint,
+        privateKey: certificateContent,
+    };
+}
 
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
@@ -450,6 +511,27 @@ function getAuthenticationConfiguration() {
     throw new ErrorWithCode(formatString(ErrorMessage.ConfigurationNotExists, errorMsg), exports.ErrorCode.InvalidConfiguration);
 }
 
+/**
+ * @internal
+ */
+function createConfidentialClientApplication(authentication) {
+    const authority = getAuthority(authentication.authorityHost, authentication.tenantId);
+    const clientCertificate = parseCertificate(authentication.certificateContent);
+    const auth = {
+        clientId: authentication.clientId,
+        authority: authority,
+    };
+    if (clientCertificate) {
+        auth.clientCertificate = clientCertificate;
+    }
+    else {
+        auth.clientSecret = authentication.clientSecret;
+    }
+    return new msalNode.ConfidentialClientApplication({
+        auth,
+    });
+}
+
 // Copyright (c) Microsoft Corporation.
 /**
  * Represent Microsoft 365 tenant identity, and it is usually used when user is not involved like time-triggered automation job.
@@ -480,10 +562,7 @@ class M365TenantCredential {
     constructor() {
         internalLogger.info("Create M365 tenant credential");
         const config = this.loadAndValidateConfig();
-        const tokenCredentialOptions = {
-            authorityHost: config.authorityHost,
-        };
-        this.clientSecretCredential = new identity.ClientSecretCredential(config.tenantId, config.clientId, config.clientSecret, tokenCredentialOptions);
+        this.msalClient = createConfidentialClientApplication(config);
     }
     /**
      * Get access token for credential.
@@ -518,20 +597,21 @@ class M365TenantCredential {
             const scopesStr = typeof scopes === "string" ? scopes : scopes.join(" ");
             internalLogger.info("Get access token with scopes: " + scopesStr);
             try {
-                accessToken = yield this.clientSecretCredential.getToken(scopes);
+                const scopesArray = getScopesArray(scopes);
+                const authenticationResult = yield this.msalClient.acquireTokenByClientCredential({
+                    scopes: scopesArray,
+                });
+                if (authenticationResult) {
+                    accessToken = {
+                        token: authenticationResult.accessToken,
+                        expiresOnTimestamp: authenticationResult.expiresOn.getTime(),
+                    };
+                }
             }
             catch (err) {
-                if (err instanceof identity.AuthenticationError) {
-                    const authError = err;
-                    const errorMsg = `Get M365 tenant credential with authentication error: status code ${authError.statusCode}, error messages: ${authError.message}`;
-                    internalLogger.error(errorMsg);
-                    throw new ErrorWithCode(errorMsg, exports.ErrorCode.ServiceError);
-                }
-                else {
-                    const errorMsg = "Get M365 tenant credential failed with error: " + err.message;
-                    internalLogger.error(errorMsg);
-                    throw new ErrorWithCode(errorMsg, exports.ErrorCode.InternalError);
-                }
+                const errorMsg = "Get M365 tenant credential failed with error: " + err.message;
+                internalLogger.error(errorMsg);
+                throw new ErrorWithCode(errorMsg, exports.ErrorCode.ServiceError);
             }
             if (!accessToken) {
                 const errorMsg = "Get M365 tenant credential access token failed with empty access token";
@@ -552,15 +632,15 @@ class M365TenantCredential {
             internalLogger.error(ErrorMessage.AuthenticationConfigurationNotExists);
             throw new ErrorWithCode(ErrorMessage.AuthenticationConfigurationNotExists, exports.ErrorCode.InvalidConfiguration);
         }
-        if (config.clientId && config.clientSecret && config.tenantId) {
+        if (config.clientId && (config.clientSecret || config.certificateContent) && config.tenantId) {
             return config;
         }
         const missingValues = [];
         if (!config.clientId) {
             missingValues.push("clientId");
         }
-        if (!config.clientSecret) {
-            missingValues.push("clientSecret");
+        if (!config.clientSecret && !config.certificateContent) {
+            missingValues.push("clientSecret or certificateContent");
         }
         if (!config.tenantId) {
             missingValues.push("tenantId");
@@ -595,7 +675,7 @@ class OnBehalfOfUserCredential {
      *
      * @param {string} ssoToken - User token provided by Teams SSO feature.
      *
-     * @throws {@link ErrorCode|InvalidConfiguration} when client id, client secret, authority host or tenant id is not found in config.
+     * @throws {@link ErrorCode|InvalidConfiguration} when client id, client secret, certificate content, authority host or tenant id is not found in config.
      * @throws {@link ErrorCode|InternalError} when SSO token is not valid.
      * @throws {@link ErrorCode|RuntimeNotSupported} when runtime is browser.
      *
@@ -611,10 +691,10 @@ class OnBehalfOfUserCredential {
         if (!((_b = config === null || config === void 0 ? void 0 : config.authentication) === null || _b === void 0 ? void 0 : _b.authorityHost)) {
             missingConfigurations.push("authorityHost");
         }
-        if (!((_c = config === null || config === void 0 ? void 0 : config.authentication) === null || _c === void 0 ? void 0 : _c.clientSecret)) {
-            missingConfigurations.push("clientSecret");
+        if (!((_c = config === null || config === void 0 ? void 0 : config.authentication) === null || _c === void 0 ? void 0 : _c.clientSecret) && !((_d = config === null || config === void 0 ? void 0 : config.authentication) === null || _d === void 0 ? void 0 : _d.certificateContent)) {
+            missingConfigurations.push("clientSecret or certificateContent");
         }
-        if (!((_d = config === null || config === void 0 ? void 0 : config.authentication) === null || _d === void 0 ? void 0 : _d.tenantId)) {
+        if (!((_e = config === null || config === void 0 ? void 0 : config.authentication) === null || _e === void 0 ? void 0 : _e.tenantId)) {
             missingConfigurations.push("tenantId");
         }
         if (missingConfigurations.length != 0) {
@@ -622,15 +702,7 @@ class OnBehalfOfUserCredential {
             internalLogger.error(errorMsg);
             throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
         }
-        const normalizedAuthorityHost = config.authentication.authorityHost.replace(/\/+$/g, "");
-        const authority = normalizedAuthorityHost + "/" + ((_e = config.authentication) === null || _e === void 0 ? void 0 : _e.tenantId);
-        this.msalClient = new msalNode.ConfidentialClientApplication({
-            auth: {
-                clientId: config.authentication.clientId,
-                authority: authority,
-                clientSecret: config.authentication.clientSecret,
-            },
-        });
+        this.msalClient = createConfidentialClientApplication(config.authentication);
         const decodedSsoToken = parseJwt(ssoToken);
         this.ssoToken = {
             token: ssoToken,
@@ -675,8 +747,7 @@ class OnBehalfOfUserCredential {
     getToken(scopes, options) {
         return tslib.__awaiter(this, void 0, void 0, function* () {
             validateScopesType(scopes);
-            let scopesArray = typeof scopes === "string" ? scopes.split(" ") : scopes;
-            scopesArray = scopesArray.filter((x) => x !== null && x !== "");
+            const scopesArray = getScopesArray(scopes);
             let result;
             if (!scopesArray.length) {
                 internalLogger.info("Get SSO token.");
@@ -1022,7 +1093,7 @@ class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
             this.ensureMsTeamsChannel(dc);
             // Check for timeout
             const state = (_a = dc.activeDialog) === null || _a === void 0 ? void 0 : _a.state;
-            const isMessage = dc.context.activity.type === botbuilderCore.ActivityTypes.Message;
+            const isMessage = dc.context.activity.type === botbuilder.ActivityTypes.Message;
             const isTimeoutActivityType = isMessage ||
                 this.isTeamsVerificationInvoke(dc.context) ||
                 this.isTokenExchangeRequestInvoke(dc.context);
@@ -1057,7 +1128,7 @@ class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
      * @internal
      */
     ensureMsTeamsChannel(dc) {
-        if (dc.context.activity.channelId != botbuilderCore.Channels.Msteams) {
+        if (dc.context.activity.channelId != botbuilder.Channels.Msteams) {
             const errorMsg = formatString(ErrorMessage.OnlyMSTeamsChannelSupported, "Teams Bot SSO Prompt");
             internalLogger.error(errorMsg);
             throw new ErrorWithCode(errorMsg, exports.ErrorCode.ChannelNotSupported);
@@ -1072,10 +1143,13 @@ class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
     sendOAuthCardAsync(context) {
         return tslib.__awaiter(this, void 0, void 0, function* () {
             internalLogger.verbose("Send OAuth card to get SSO token");
-            const signInResource = this.getSignInResource();
-            const card = botbuilderCore.CardFactory.oauthCard("", "Teams SSO Sign In", "Sign In", signInResource.signInLink, signInResource.tokenExchangeResource);
-            card.content.buttons[0].type = botbuilderCore.ActionTypes.Signin;
-            const msg = botbuilderCore.MessageFactory.attachment(card);
+            const account = yield botbuilder.TeamsInfo.getMember(context, context.activity.from.id);
+            internalLogger.verbose("Get Teams member account user principal name: " + account.userPrincipalName);
+            const loginHint = account.userPrincipalName ? account.userPrincipalName : "";
+            const signInResource = this.getSignInResource(loginHint);
+            const card = botbuilder.CardFactory.oauthCard("", "Teams SSO Sign In", "Sign In", signInResource.signInLink, signInResource.tokenExchangeResource);
+            card.content.buttons[0].type = botbuilder.ActionTypes.Signin;
+            const msg = botbuilder.MessageFactory.attachment(card);
             // Send prompt
             yield context.sendActivity(msg);
         });
@@ -1087,7 +1161,7 @@ class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
      *
      * @internal
      */
-    getSignInResource() {
+    getSignInResource(loginHint) {
         var _a, _b, _c, _d, _e;
         internalLogger.verbose("Get sign in authentication configuration");
         const missingConfigurations = [];
@@ -1108,7 +1182,7 @@ class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
             internalLogger.error(errorMsg);
             throw new ErrorWithCode(errorMsg, exports.ErrorCode.InvalidConfiguration);
         }
-        const signInLink = `${config.authentication.initiateLoginEndpoint}?scope=${encodeURI(this.settings.scopes.join(" "))}&clientId=${config.authentication.clientId}&tenantId=${config.authentication.tenantId}`;
+        const signInLink = `${config.authentication.initiateLoginEndpoint}?scope=${encodeURI(this.settings.scopes.join(" "))}&clientId=${config.authentication.clientId}&tenantId=${config.authentication.tenantId}&loginHint=${loginHint}`;
         internalLogger.verbose("Sign in link: " + signInLink);
         const tokenExchangeResource = {
             id: uuid.v4(),
@@ -1133,7 +1207,7 @@ class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
                 if (!(context.activity.value && this.isTokenExchangeRequest(context.activity.value))) {
                     const warningMsg = "The bot received an InvokeActivity that is missing a TokenExchangeInvokeRequest value. This is required to be sent with the InvokeActivity.";
                     internalLogger.warn(warningMsg);
-                    yield context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilderCore.StatusCodes.BAD_REQUEST, warningMsg));
+                    yield context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilder.StatusCodes.BAD_REQUEST, warningMsg));
                 }
                 else {
                     const ssoToken = context.activity.value.token;
@@ -1142,7 +1216,7 @@ class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
                     try {
                         exchangedToken = yield credential.getToken(this.settings.scopes);
                         if (exchangedToken) {
-                            yield context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilderCore.StatusCodes.OK, "", context.activity.value.id));
+                            yield context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilder.StatusCodes.OK, "", context.activity.value.id));
                             const ssoTokenExpiration = parseJwt(ssoToken).exp;
                             tokenResponse = {
                                 ssoToken: ssoToken,
@@ -1156,14 +1230,14 @@ class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
                     catch (error) {
                         const warningMsg = "The bot is unable to exchange token. Ask for user consent.";
                         internalLogger.info(warningMsg);
-                        yield context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilderCore.StatusCodes.PRECONDITION_FAILED, warningMsg, context.activity.value.id));
+                        yield context.sendActivity(this.getTokenExchangeInvokeResponse(botbuilder.StatusCodes.PRECONDITION_FAILED, warningMsg, context.activity.value.id));
                     }
                 }
             }
             else if (this.isTeamsVerificationInvoke(context)) {
                 internalLogger.verbose("Receive Teams state verification request");
                 yield this.sendOAuthCardAsync(dc.context);
-                yield context.sendActivity({ type: invokeResponseType, value: { status: botbuilderCore.StatusCodes.OK } });
+                yield context.sendActivity({ type: invokeResponseType, value: { status: botbuilder.StatusCodes.OK } });
             }
             return tokenResponse !== undefined
                 ? { succeeded: true, value: tokenResponse }
@@ -1185,14 +1259,14 @@ class TeamsBotSsoPrompt extends botbuilderDialogs.Dialog {
      */
     isTeamsVerificationInvoke(context) {
         const activity = context.activity;
-        return activity.type === botbuilderCore.ActivityTypes.Invoke && activity.name === botbuilderCore.verifyStateOperationName;
+        return activity.type === botbuilder.ActivityTypes.Invoke && activity.name === botbuilder.verifyStateOperationName;
     }
     /**
      * @internal
      */
     isTokenExchangeRequestInvoke(context) {
         const activity = context.activity;
-        return activity.type === botbuilderCore.ActivityTypes.Invoke && activity.name === botbuilderCore.tokenExchangeOperationName;
+        return activity.type === botbuilder.ActivityTypes.Invoke && activity.name === botbuilder.tokenExchangeOperationName;
     }
     /**
      * @internal