@microsoft/vscode-azext-azureauth 4.2.2 → 5.0.0

package/dist/esm/src/AzureDevOpsSubscriptionProvider.js

@@ -0,0 +1,211 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+import { Disposable } from 'vscode';
+import { getConfiguredAzureEnv } from './utils/configuredAzureEnv';
+let azureDevOpsSubscriptionProvider;
+export function createAzureDevOpsSubscriptionProviderFactory(initializer) {
+    return async () => {
+        azureDevOpsSubscriptionProvider ??= new AzureDevOpsSubscriptionProvider(initializer);
+        return azureDevOpsSubscriptionProvider;
+    };
+}
+/**
+ * AzureSubscriptionProvider implemented to authenticate via federated DevOps service connection, using workflow identity federation
+ * To learn how to configure your DevOps environment to use this provider, refer to the README.md
+ * NOTE: This provider is only available when running in an Azure DevOps pipeline
+ * Reference: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
+ */
+export class AzureDevOpsSubscriptionProvider {
+    _tokenCredential;
+    /**
+    * The resource ID of the Azure DevOps federated service connection,
+    *   which can be found on the `resourceId` field of the URL at the address bar
+    *   when viewing the service connection in the Azure DevOps portal
+    */
+    _SERVICE_CONNECTION_ID;
+    /**
+    * The `Tenant ID` field of the service connection properties
+    */
+    _DOMAIN;
+    /**
+    * The `Service Principal Id` field of the service connection properties
+    */
+    _CLIENT_ID;
+    constructor({ serviceConnectionId, domain, clientId }) {
+        if (!serviceConnectionId || !domain || !clientId) {
+            throw new Error(`Missing initializer values to identify Azure DevOps federated service connection\n
+                Values provided:\n
+                serviceConnectionId: ${serviceConnectionId ? "✅" : "❌"}\n
+                domain: ${domain ? "✅" : "❌"}\n
+                clientId: ${clientId ? "✅" : "❌"}\n
+            `);
+        }
+        this._SERVICE_CONNECTION_ID = serviceConnectionId;
+        this._DOMAIN = domain;
+        this._CLIENT_ID = clientId;
+    }
+    async getSubscriptions(_filter) {
+        // ignore the filter setting because not every consumer of this provider will use the Resources extension
+        const results = [];
+        for (const tenant of await this.getTenants()) {
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            const tenantId = tenant.tenantId;
+            results.push(...await this.getSubscriptionsForTenant(tenantId));
+        }
+        const sortSubscriptions = (subscriptions) => subscriptions.sort((a, b) => a.name.localeCompare(b.name));
+        return sortSubscriptions(results);
+    }
+    async isSignedIn() {
+        return !!this._tokenCredential;
+    }
+    async signIn() {
+        this._tokenCredential = await getTokenCredential(this._SERVICE_CONNECTION_ID, this._DOMAIN, this._CLIENT_ID);
+        return !!this._tokenCredential;
+    }
+    async signOut() {
+        this._tokenCredential = undefined;
+    }
+    async getTenants() {
+        return [{
+                tenantId: this._tokenCredential?.tenantId,
+                account: {
+                    id: "test-account-id",
+                    label: "test-account",
+                }
+            }];
+    }
+    /**
+     * Gets the subscriptions for a given tenant.
+     *
+     * @param tenantId The tenant ID to get subscriptions for.
+     *
+     * @returns The list of subscriptions for the tenant.
+     */
+    async getSubscriptionsForTenant(tenantId) {
+        const { client, credential, authentication } = await this.getSubscriptionClient(tenantId);
+        const environment = getConfiguredAzureEnv();
+        const subscriptions = [];
+        for await (const subscription of client.subscriptions.list()) {
+            subscriptions.push({
+                authentication,
+                environment: environment,
+                credential: credential,
+                isCustomCloud: environment.isCustomCloud,
+                /* eslint-disable @typescript-eslint/no-non-null-assertion */
+                name: subscription.displayName,
+                subscriptionId: subscription.subscriptionId,
+                /* eslint-enable @typescript-eslint/no-non-null-assertion */
+                tenantId,
+                account: {
+                    id: "test-account-id",
+                    label: "test-account",
+                },
+            });
+        }
+        return subscriptions;
+    }
+    /**
+     * Gets a fully-configured subscription client for a given tenant ID
+     *
+     * @param tenantId (Optional) The tenant ID to get a client for
+     *
+     * @returns A client, the credential used by the client, and the authentication function
+     */
+    async getSubscriptionClient(_tenantId, scopes) {
+        const armSubs = await import('@azure/arm-resources-subscriptions');
+        if (!this._tokenCredential) {
+            throw new Error('Not signed in');
+        }
+        const accessToken = (await this._tokenCredential?.getToken("https://management.azure.com/.default"))?.token || '';
+        const getSession = () => {
+            return {
+                accessToken,
+                id: this._tokenCredential?.tenantId || '',
+                account: {
+                    id: this._tokenCredential?.tenantId || '',
+                    label: this._tokenCredential?.tenantId || '',
+                },
+                tenantId: this._tokenCredential?.tenantId || '',
+                scopes: scopes || [],
+            };
+        };
+        return {
+            client: new armSubs.SubscriptionClient(this._tokenCredential),
+            credential: this._tokenCredential,
+            authentication: {
+                getSession,
+                getSessionWithScopes: getSession,
+            }
+        };
+    }
+    onDidSignIn = () => { return new Disposable(() => { }); };
+    onDidSignOut = () => { return new Disposable(() => { }); };
+}
+/*
+* @param serviceConnectionId The resource ID of the Azure DevOps federated service connection,
+*   which can be found on the `resourceId` field of the URL at the address bar when viewing the service connection in the Azure DevOps portal
+* @param domain The `Tenant ID` field of the service connection properties
+* @param clientId The `Service Principal Id` field of the service connection properties
+*/
+async function getTokenCredential(serviceConnectionId, domain, clientId) {
+    if (!process.env.AGENT_BUILDDIRECTORY) {
+        // Assume that AGENT_BUILDDIRECTORY is set if running in an Azure DevOps pipeline.
+        // So when not running in an Azure DevOps pipeline, throw an error since we cannot use the DevOps federated service connection credential.
+        throw new Error(`Cannot create DevOps federated service connection credential outside of an Azure DevOps pipeline.`);
+    }
+    else {
+        console.log(`Creating DevOps federated service connection credential for service connection..`);
+        // Pre-defined DevOps variable reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops
+        const systemAccessToken = process.env.SYSTEM_ACCESSTOKEN;
+        const teamFoundationCollectionUri = process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI;
+        const teamProjectId = process.env.SYSTEM_TEAMPROJECTID;
+        const planId = process.env.SYSTEM_PLANID;
+        const jobId = process.env.SYSTEM_JOBID;
+        if (!systemAccessToken || !teamFoundationCollectionUri || !teamProjectId || !planId || !jobId) {
+            throw new Error(`Azure DevOps environment variables are not set.\n
+            process.env.SYSTEM_ACCESSTOKEN: ${process.env.SYSTEM_ACCESSTOKEN ? "✅" : "❌"}\n
+            process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI: ${process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI ? "✅" : "❌"}\n
+            process.env.SYSTEM_TEAMPROJECTID: ${process.env.SYSTEM_TEAMPROJECTID ? "✅" : "❌"}\n
+            process.env.SYSTEM_PLANID: ${process.env.SYSTEM_PLANID ? "✅" : "❌"}\n
+            process.env.SYSTEM_JOBID: ${process.env.SYSTEM_JOBID ? "✅" : "❌"}\n
+            REMEMBER: process.env.SYSTEM_ACCESSTOKEN must be explicitly mapped!\n
+            https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
+        `);
+        }
+        const oidcRequestUrl = `${teamFoundationCollectionUri}${teamProjectId}/_apis/distributedtask/hubs/build/plans/${planId}/jobs/${jobId}/oidctoken?api-version=7.1-preview.1&serviceConnectionId=${serviceConnectionId}`;
+        const { ClientAssertionCredential } = await import("@azure/identity");
+        return new ClientAssertionCredential(domain, clientId, async () => await requestOidcToken(oidcRequestUrl, systemAccessToken));
+    }
+}
+/**
+ * API reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create
+ */
+async function requestOidcToken(oidcRequestUrl, systemAccessToken) {
+    const { ServiceClient } = await import('@azure/core-client');
+    const { createHttpHeaders, createPipelineRequest } = await import('@azure/core-rest-pipeline');
+    const genericClient = new ServiceClient();
+    const request = createPipelineRequest({
+        url: oidcRequestUrl,
+        method: "POST",
+        headers: createHttpHeaders({
+            "Content-Type": "application/json",
+            "Authorization": `Bearer ${systemAccessToken}`
+        })
+    });
+    const response = await genericClient.sendRequest(request);
+    const body = response.bodyAsText?.toString() || "";
+    if (response.status !== 200) {
+        throw new Error(`Failed to get OIDC token:\n
+            Response status: ${response.status}\n
+            Response body: ${body}\n
+            Response headers: ${JSON.stringify(response.headers.toJSON())}
+        `);
+    }
+    else {
+        console.log(`Successfully got OIDC token with status ${response.status}`);
+    }
+    return JSON.parse(body).oidcToken;
+}
+//# sourceMappingURL=AzureDevOpsSubscriptionProvider.js.map

package/dist/esm/src/AzureSubscription.d.ts

@@ -0,0 +1,49 @@
+import type { TokenCredential } from '@azure/core-auth';
+import type { Environment } from '@azure/ms-rest-azure-env';
+import * as vscode from "vscode";
+import { AzureAuthentication } from './AzureAuthentication';
+/**
+ * A type representing an Azure subscription ID, not including the tenant ID.
+ */
+export type SubscriptionId = string;
+/**
+ * A type representing an Azure tenant ID.
+ */
+export type TenantId = string;
+/**
+ * Represents an Azure subscription.
+ */
+export interface AzureSubscription {
+    /**
+     * Access to the authentication session associated with this subscription.
+     */
+    readonly authentication: AzureAuthentication;
+    /**
+     * The Azure environment to which this subscription belongs.
+     */
+    readonly environment: Environment;
+    /**
+     * Whether this subscription belongs to a custom cloud.
+     */
+    readonly isCustomCloud: boolean;
+    /**
+     * The display name of this subscription.
+     */
+    readonly name: string;
+    /**
+     * The ID of this subscription.
+     */
+    readonly subscriptionId: SubscriptionId;
+    /**
+     * The ID of the tenant to which this subscription belongs.
+     */
+    readonly tenantId: TenantId;
+    /**
+     * The credential for authentication to this subscription. Compatible with Azure track 2 SDKs.
+     */
+    readonly credential: TokenCredential;
+    /**
+     * The account associated with this subscription.
+     */
+    readonly account: vscode.AuthenticationSessionAccountInformation;
+}

package/dist/esm/src/AzureSubscription.js

@@ -0,0 +1,6 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export {};
+//# sourceMappingURL=AzureSubscription.js.map

package/dist/esm/src/AzureSubscriptionProvider.d.ts

@@ -0,0 +1,82 @@
+import type * as vscode from 'vscode';
+import type { AzureSubscription } from './AzureSubscription';
+import type { AzureTenant } from './AzureTenant';
+/**
+ * A filter for {@link AzureSubscriptionProvider.getSubscriptions}
+ */
+export type GetSubscriptionsFilter = {
+    /**
+     * The account to get subscriptions for. If not provided, all accounts the extension
+     * currently has access to are used.
+     */
+    account?: vscode.AuthenticationSessionAccountInformation;
+    /**
+     * The tenant to get subscriptions for. If not provided, all tenants for each account
+     * are used.
+     */
+    tenantId?: string;
+};
+/**
+ * An interface for obtaining Azure subscription information
+ */
+export interface AzureSubscriptionProvider {
+    /**
+     * Gets a list of tenants available to the user.
+     * Use {@link isSignedIn} to check if the user is signed in to a particular tenant.
+     *
+     * @param account - Optionally pass in a specific account to get tenants for.
+     *
+     * @returns A list of tenants.
+     */
+    getTenants(account?: vscode.AuthenticationSessionAccountInformation): Promise<AzureTenant[]>;
+    /**
+     * Gets a list of Azure subscriptions available to the user.
+     *
+     * @param filter - Whether to filter the list returned. When:
+     * - `true`: according to the list returned by `getTenantFilters()` and `getSubscriptionFilters()`.
+     * - `false`: return all subscriptions.
+     * - `GetSubscriptionsFilter`: according to the values in the filter.
+     *
+     * Optional, default true.
+     *
+     * @returns A list of Azure subscriptions.
+     *
+     * @throws A {@link NotSignedInError} If the user is not signed in to Azure.
+     * Use {@link isSignedIn} and/or {@link signIn} before this method to ensure
+     * the user is signed in.
+     */
+    getSubscriptions(filter: boolean | GetSubscriptionsFilter): Promise<AzureSubscription[]>;
+    /**
+     * Checks to see if a user is signed in.
+     *
+     * @param tenantId (Optional) Provide to check if a user is signed in to a specific tenant.
+     *
+     * @returns True if the user is signed in, false otherwise.
+     */
+    isSignedIn(tenantId?: string, account?: vscode.AuthenticationSessionAccountInformation): Promise<boolean>;
+    /**
+     * Asks the user to sign in or pick an account to use.
+     *
+     * @param tenantId (Optional) Provide to sign in to a specific tenant.
+     * @param account (Optional) Provide to sign in to a specific account.
+     *
+     * @returns True if the user is signed in, false otherwise.
+     */
+    signIn(tenantId?: string, account?: vscode.AuthenticationSessionAccountInformation): Promise<boolean>;
+    /**
+     * An event that is fired when the user signs in. Debounced to fire at most once every 5 seconds.
+     */
+    onDidSignIn: vscode.Event<void>;
+    /**
+     * Signs the user out
+     *
+     * @deprecated Not currently supported by VS Code auth providers
+     *
+     * @throws Throws an {@link Error} every time
+     */
+    signOut(): Promise<void>;
+    /**
+     * An event that is fired when the user signs out. Debounced to fire at most once every 5 seconds.
+     */
+    onDidSignOut: vscode.Event<void>;
+}

package/dist/esm/src/AzureSubscriptionProvider.js

@@ -0,0 +1,6 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export {};
+//# sourceMappingURL=AzureSubscriptionProvider.js.map

package/dist/esm/src/AzureTenant.d.ts

@@ -0,0 +1,5 @@
+import { TenantIdDescription } from "@azure/arm-resources-subscriptions";
+import * as vscode from 'vscode';
+export interface AzureTenant extends TenantIdDescription {
+    account: vscode.AuthenticationSessionAccountInformation;
+}

package/dist/esm/src/AzureTenant.js

@@ -0,0 +1,6 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export {};
+//# sourceMappingURL=AzureTenant.js.map

package/dist/esm/src/NotSignedInError.d.ts

@@ -0,0 +1,15 @@
+/**
+ * An error indicating the user is not signed in.
+ */
+export declare class NotSignedInError extends Error {
+    readonly isNotSignedInError = true;
+    constructor();
+}
+/**
+ * Tests if an object is a `NotSignedInError`. This should be used instead of `instanceof`.
+ *
+ * @param error The object to test
+ *
+ * @returns True if the object is a NotSignedInError, false otherwise
+ */
+export declare function isNotSignedInError(error: unknown): error is NotSignedInError;

package/{out → dist/esm}/src/NotSignedInError.js

@@ -1,22 +1,17 @@
-"use strict";
 /*---------------------------------------------------------------------------------------------
  *  Copyright (c) Microsoft Corporation. All rights reserved.
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.NotSignedInError = void 0;
-exports.isNotSignedInError = isNotSignedInError;
-const vscode = require("vscode");
+import * as vscode from 'vscode';
 /**
  * An error indicating the user is not signed in.
  */
-class NotSignedInError extends Error {
+export class NotSignedInError extends Error {
+    isNotSignedInError = true;
     constructor() {
         super(vscode.l10n.t('You are not signed in to an Azure account. Please sign in.'));
-        this.isNotSignedInError = true;
     }
 }
-exports.NotSignedInError = NotSignedInError;
 /**
  * Tests if an object is a `NotSignedInError`. This should be used instead of `instanceof`.
  *
@@ -24,7 +19,7 @@ exports.NotSignedInError = NotSignedInError;
  *
  * @returns True if the object is a NotSignedInError, false otherwise
  */
-function isNotSignedInError(error) {
+export function isNotSignedInError(error) {
     return !!error && typeof error === 'object' && error.isNotSignedInError === true;
 }
 //# sourceMappingURL=NotSignedInError.js.map

package/dist/esm/src/VSCodeAzureSubscriptionProvider.d.ts

@@ -0,0 +1,117 @@
+import * as vscode from 'vscode';
+import { AzureSubscription, SubscriptionId, TenantId } from './AzureSubscription';
+import { AzureSubscriptionProvider, GetSubscriptionsFilter } from './AzureSubscriptionProvider';
+import { AzureTenant } from './AzureTenant';
+/**
+ * A class for obtaining Azure subscription information using VSCode's built-in authentication
+ * provider.
+ */
+export declare class VSCodeAzureSubscriptionProvider extends vscode.Disposable implements AzureSubscriptionProvider {
+    private readonly logger?;
+    private readonly onDidSignInEmitter;
+    private lastSignInEventFired;
+    private suppressSignInEvents;
+    private readonly onDidSignOutEmitter;
+    private lastSignOutEventFired;
+    constructor(logger?: vscode.LogOutputChannel | undefined);
+    /**
+     * Gets a list of tenants available to the user.
+     * Use {@link isSignedIn} to check if the user is signed in to a particular tenant.
+     *
+     * @param account (Optional) A specific account to get tenants for. If not provided, all accounts will be used.
+     *
+     * @returns A list of tenants.
+     */
+    getTenants(account?: vscode.AuthenticationSessionAccountInformation): Promise<AzureTenant[]>;
+    /**
+     * Gets a list of Azure subscriptions available to the user.
+     *
+     * @param filter - Whether to filter the list returned. When:
+     * - `true`: according to the list returned by `getTenantFilters()` and `getSubscriptionFilters()`.
+     * - `false`: return all subscriptions.
+     * - `GetSubscriptionsFilter`: according to the values in the filter.
+     *
+     * Optional, default true.
+     *
+     * @returns A list of Azure subscriptions. The list is sorted by subscription name.
+     * The list can contain duplicate subscriptions if they come from different accounts.
+     *
+     * @throws A {@link NotSignedInError} If the user is not signed in to Azure.
+     * Use {@link isSignedIn} and/or {@link signIn} before this method to ensure
+     * the user is signed in.
+     */
+    getSubscriptions(filter?: boolean | GetSubscriptionsFilter): Promise<AzureSubscription[]>;
+    /**
+     * Checks to see if a user is signed in.
+     *
+     * @param tenantId (Optional) Provide to check if a user is signed in to a specific tenant.
+     * @param account (Optional) Provide to check if a user is signed in to a specific account.
+     *
+     * @returns True if the user is signed in, false otherwise.
+     *
+     * If no tenant or account is provided, then
+     * checks all accounts for a session.
+     */
+    isSignedIn(tenantId?: string, account?: vscode.AuthenticationSessionAccountInformation): Promise<boolean>;
+    /**
+     * Asks the user to sign in or pick an account to use.
+     *
+     * @param tenantId (Optional) Provide to sign in to a specific tenant.
+     * @param account (Optional) Provide to sign in to a specific account.
+     *
+     * @returns True if the user is signed in, false otherwise.
+     */
+    signIn(tenantId?: string, account?: vscode.AuthenticationSessionAccountInformation): Promise<boolean>;
+    /**
+     * An event that is fired when the user signs in. Debounced to fire at most once every 5 seconds.
+     */
+    readonly onDidSignIn: vscode.Event<void>;
+    /**
+     * Signs the user out
+     *
+     * @deprecated Not currently supported by VS Code auth providers
+     */
+    signOut(): Promise<void>;
+    /**
+     * An event that is fired when the user signs out. Debounced to fire at most once every 5 seconds.
+     */
+    readonly onDidSignOut: vscode.Event<void>;
+    /**
+     * Gets the tenant filters that are configured in `azureResourceGroups.selectedSubscriptions`. To
+     * override the settings with a custom filter, implement a child class with `getSubscriptionFilters()`
+     * and/or `getTenantFilters()` overridden.
+     *
+     * If no values are returned by `getTenantFilters()`, then all tenants will be scanned for subscriptions.
+     *
+     * @returns A list of tenant IDs that are configured in `azureResourceGroups.selectedSubscriptions`.
+     */
+    protected getTenantFilters(): Promise<TenantId[]>;
+    /**
+     * Gets the subscription filters that are configured in `azureResourceGroups.selectedSubscriptions`. To
+     * override the settings with a custom filter, implement a child class with `getSubscriptionFilters()`
+     * and/or `getTenantFilters()` overridden.
+     *
+     * If no values are returned by `getSubscriptionFilters()`, then all subscriptions will be returned.
+     *
+     * @returns A list of subscription IDs that are configured in `azureResourceGroups.selectedSubscriptions`.
+     */
+    protected getSubscriptionFilters(): Promise<SubscriptionId[]>;
+    /**
+     * Gets the subscriptions for a given tenant.
+     *
+     * @param tenantId The tenant ID to get subscriptions for.
+     * @param account The account to get the subscriptions for.
+     *
+     * @returns The list of subscriptions for the tenant.
+     */
+    private getSubscriptionsForTenant;
+    /**
+     * Gets a fully-configured subscription client for a given tenant ID
+     *
+     * @param tenantId (Optional) The tenant ID to get a client for
+     * @param account The account that you would like to get the session for
+     *
+     * @returns A client, the credential used by the client, and the authentication function
+     */
+    private getSubscriptionClient;
+}