@microsoft/vscode-azext-azureauth 4.2.2 → 5.1.0

package/dist/cjs/src/getSessionFromVSCode.js

@@ -0,0 +1,108 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+*  Copyright (c) Microsoft Corporation. All rights reserved.
+*  Licensed under the MIT License. See License.txt in the project root for license information.
+*--------------------------------------------------------------------------------------------*/
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSessionFromVSCode = getSessionFromVSCode;
+const vscode = __importStar(require("vscode"));
+const configuredAzureEnv_1 = require("./utils/configuredAzureEnv");
+const isAuthenticationWwwAuthenticateRequest_1 = require("./utils/isAuthenticationWwwAuthenticateRequest");
+function ensureEndingSlash(value) {
+    return value.endsWith('/') ? value : `${value}/`;
+}
+function getResourceScopes(scopes) {
+    if (scopes === undefined || scopes === "" || scopes.length === 0) {
+        scopes = ensureEndingSlash((0, configuredAzureEnv_1.getConfiguredAzureEnv)().managementEndpointUrl);
+    }
+    const arrScopes = (Array.isArray(scopes) ? scopes : [scopes])
+        .map((scope) => {
+        if (scope.endsWith('.default')) {
+            return scope;
+        }
+        else {
+            return `${scope}.default`;
+        }
+    });
+    return Array.from(new Set(arrScopes));
+}
+function addTenantIdScope(scopes, tenantId) {
+    const scopeSet = new Set(scopes);
+    scopeSet.add(`VSCODE_TENANT:${tenantId}`);
+    return Array.from(scopeSet);
+}
+function getModifiedScopes(scopes, tenantId) {
+    let scopeArr = getResourceScopes(scopes);
+    if (tenantId) {
+        scopeArr = addTenantIdScope(scopeArr, tenantId);
+    }
+    return scopeArr;
+}
+/**
+ * Deconstructs and rebuilds the scopes arg in order to use the above utils to modify the scopes array.
+ * And then returns the proper type to pass directly to vscode.authentication.getSession
+ */
+function formScopesArg(scopeOrListOrRequest, tenantId) {
+    const isChallenge = (0, isAuthenticationWwwAuthenticateRequest_1.isAuthenticationWwwAuthenticateRequest)(scopeOrListOrRequest);
+    let initialScopeList = undefined;
+    if (typeof scopeOrListOrRequest === 'string' && !!scopeOrListOrRequest) {
+        initialScopeList = [scopeOrListOrRequest];
+    }
+    else if (Array.isArray(scopeOrListOrRequest)) {
+        initialScopeList = scopeOrListOrRequest;
+    }
+    else if (isChallenge) {
+        // `scopeOrListOrRequest.fallbackScopes` being readonly forces us to rebuild the array
+        initialScopeList = scopeOrListOrRequest.fallbackScopes ? Array.from(scopeOrListOrRequest.fallbackScopes) : undefined;
+    }
+    const modifiedScopeList = getModifiedScopes(initialScopeList, tenantId);
+    return isChallenge ? { fallbackScopes: modifiedScopeList, wwwAuthenticate: scopeOrListOrRequest.wwwAuthenticate } : modifiedScopeList;
+}
+/**
+ * Wraps {@link vscode.authentication.getSession} and handles:
+ * * Passing the configured auth provider id
+ * * Getting the list of scopes, adding the tenant id to the scope list if needed
+ *
+ * @param scopeOrListOrRequest - top-level resource scopes (e.g. http://management.azure.com, http://storage.azure.com) or .default scopes. All resources/scopes will be normalized to the `.default` scope for each resource.
+ * Use `vscode.AuthenticationWwwAuthenticateRequest` if you need to pass in a challenge (WWW-Authenticate header). Note: Use of `vscode.AuthenticationWwwAuthenticateRequest` requires VS Code 1.105.0 or newer.
+ * @param tenantId - (Optional) The tenant ID, will be added to the scopes
+ * @param options - see {@link vscode.AuthenticationGetSessionOptions}
+ * @returns An authentication session if available, or undefined if there are no sessions
+ */
+async function getSessionFromVSCode(scopeOrListOrRequest, tenantId, options) {
+    return await vscode.authentication.getSession((0, configuredAzureEnv_1.getConfiguredAuthProviderId)(), formScopesArg(scopeOrListOrRequest, tenantId), options);
+}
+//# sourceMappingURL=getSessionFromVSCode.js.map

package/{out → dist/cjs}/src/index.js

@@ -20,9 +20,10 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./AzureAuthentication"), exports);
 __exportStar(require("./AzureDevOpsSubscriptionProvider"), exports);
-__exportStar(require("./AzureTenant"), exports);
 __exportStar(require("./AzureSubscription"), exports);
 __exportStar(require("./AzureSubscriptionProvider"), exports);
+__exportStar(require("./AzureTenant"), exports);
+__exportStar(require("./getSessionFromVSCode"), exports);
 __exportStar(require("./NotSignedInError"), exports);
 __exportStar(require("./signInToTenant"), exports);
 __exportStar(require("./utils/configuredAzureEnv"), exports);

package/dist/cjs/src/signInToTenant.js

@@ -0,0 +1,79 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+*  Copyright (c) Microsoft Corporation. All rights reserved.
+*  Licensed under the MIT License. See License.txt in the project root for license information.
+*--------------------------------------------------------------------------------------------*/
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signInToTenant = signInToTenant;
+const vscode = __importStar(require("vscode"));
+const getUnauthenticatedTenants_1 = require("./utils/getUnauthenticatedTenants");
+/**
+ * Prompts user to select from a list of unauthenticated tenants.
+ * Once selected, requests a new session from VS Code specifially for this tenant.
+ */
+async function signInToTenant(subscriptionProvider) {
+    const tenantId = await pickTenant(subscriptionProvider);
+    if (tenantId) {
+        await subscriptionProvider.signIn(tenantId);
+    }
+}
+async function pickTenant(subscriptionProvider) {
+    const pick = await vscode.window.showQuickPick(getPicks(subscriptionProvider), {
+        placeHolder: 'Select a Tenant (Directory) to Sign In To', // TODO: localize
+        matchOnDescription: true, // allow searching by tenantId
+        ignoreFocusOut: true,
+    });
+    return pick?.tenant.tenantId;
+}
+async function getPicks(subscriptionProvider) {
+    const unauthenticatedTenants = await (0, getUnauthenticatedTenants_1.getUnauthenticatedTenants)(subscriptionProvider);
+    const duplicateTenants = new Set(unauthenticatedTenants
+        .filter((tenant, index, self) => index !== self.findIndex(t => t.tenantId === tenant.tenantId))
+        .map(tenant => tenant.tenantId));
+    const isDuplicate = (tenantId) => duplicateTenants.has(tenantId);
+    const picks = unauthenticatedTenants
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+        .sort((a, b) => (a.displayName).localeCompare(b.displayName))
+        .map(tenant => ({
+        label: tenant.displayName ?? '',
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+        description: `${tenant.tenantId}${isDuplicate(tenant.tenantId) ? ` (${tenant.account.label})` : ''}`,
+        detail: tenant.defaultDomain ?? '',
+        tenant,
+    }));
+    return picks;
+}
+//# sourceMappingURL=signInToTenant.js.map

package/dist/cjs/src/utils/configuredAzureEnv.js

@@ -0,0 +1,128 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getConfiguredAzureEnv = getConfiguredAzureEnv;
+exports.setConfiguredAzureEnv = setConfiguredAzureEnv;
+exports.getConfiguredAuthProviderId = getConfiguredAuthProviderId;
+const azureEnv = __importStar(require("@azure/ms-rest-azure-env")); // This package is so small that it's not worth lazy loading
+const vscode = __importStar(require("vscode"));
+// These strings come from https://github.com/microsoft/vscode/blob/eac16e9b63a11885b538db3e0b533a02a2fb8143/extensions/microsoft-authentication/package.json#L40-L99
+const CustomCloudConfigurationSection = 'microsoft-sovereign-cloud';
+const CloudEnvironmentSettingName = 'environment';
+const CustomEnvironmentSettingName = 'customEnvironment';
+var CloudEnvironmentSettingValue;
+(function (CloudEnvironmentSettingValue) {
+    CloudEnvironmentSettingValue["ChinaCloud"] = "ChinaCloud";
+    CloudEnvironmentSettingValue["USGovernment"] = "USGovernment";
+    CloudEnvironmentSettingValue["Custom"] = "custom";
+})(CloudEnvironmentSettingValue || (CloudEnvironmentSettingValue = {}));
+/**
+ * Gets the configured Azure environment.
+ *
+ * @returns The configured Azure environment from the settings in the built-in authentication provider extension
+ */
+function getConfiguredAzureEnv() {
+    const authProviderConfig = vscode.workspace.getConfiguration(CustomCloudConfigurationSection);
+    const environmentSettingValue = authProviderConfig.get(CloudEnvironmentSettingName);
+    if (environmentSettingValue === CloudEnvironmentSettingValue.ChinaCloud) {
+        return {
+            ...azureEnv.Environment.ChinaCloud,
+            isCustomCloud: false,
+        };
+    }
+    else if (environmentSettingValue === CloudEnvironmentSettingValue.USGovernment) {
+        return {
+            ...azureEnv.Environment.USGovernment,
+            isCustomCloud: false,
+        };
+    }
+    else if (environmentSettingValue === CloudEnvironmentSettingValue.Custom) {
+        const customCloud = authProviderConfig.get(CustomEnvironmentSettingName);
+        if (customCloud) {
+            return {
+                ...new azureEnv.Environment(customCloud),
+                isCustomCloud: true,
+            };
+        }
+        throw new Error(vscode.l10n.t('The custom cloud choice is not configured. Please configure the setting `{0}.{1}`.', CustomCloudConfigurationSection, CustomEnvironmentSettingName));
+    }
+    return {
+        ...azureEnv.Environment.get(azureEnv.Environment.AzureCloud.name),
+        isCustomCloud: false,
+    };
+}
+/**
+ * Sets the configured Azure cloud.
+ *
+ * @param cloud Use `'AzureCloud'` or `undefined` for public Azure cloud, `'ChinaCloud'` for Azure China, or `'USGovernment'` for Azure US Government.
+ * These are the same values as the cloud names in `@azure/ms-rest-azure-env`. For a custom cloud, use an instance of the `@azure/ms-rest-azure-env` {@link azureEnv.EnvironmentParameters}.
+ *
+ * @param target (Optional) The configuration target to use, by default {@link vscode.ConfigurationTarget.Global}.
+ */
+async function setConfiguredAzureEnv(cloud, target = vscode.ConfigurationTarget.Global) {
+    const authProviderConfig = vscode.workspace.getConfiguration(CustomCloudConfigurationSection);
+    if (typeof cloud === 'undefined' || !cloud) {
+        // Use public cloud implicitly--set `environment` setting to `undefined`
+        await authProviderConfig.update(CloudEnvironmentSettingName, undefined, target);
+    }
+    else if (typeof cloud === 'string' && cloud === 'AzureCloud') {
+        // Use public cloud explicitly--set `environment` setting to `undefined`
+        await authProviderConfig.update(CloudEnvironmentSettingName, undefined, target);
+    }
+    else if (typeof cloud === 'string') {
+        // Use a sovereign cloud--set the `environment` setting to the specified value
+        await authProviderConfig.update(CloudEnvironmentSettingName, cloud, target);
+    }
+    else if (typeof cloud === 'object') {
+        // use a custom cloud--set the `environment` setting to `custom` and the `customEnvironment` setting to the specified value
+        await authProviderConfig.update(CloudEnvironmentSettingName, CloudEnvironmentSettingValue.Custom, target);
+        await authProviderConfig.update(CustomEnvironmentSettingName, cloud, target);
+    }
+    else {
+        throw new Error(`Invalid cloud value: ${JSON.stringify(cloud)}`);
+    }
+}
+/**
+ * Gets the ID of the authentication provider configured to be used
+ * @returns The provider ID to use, either `'microsoft'` or `'microsoft-sovereign-cloud'`
+ */
+function getConfiguredAuthProviderId() {
+    return getConfiguredAzureEnv().name === azureEnv.Environment.AzureCloud.name ? 'microsoft' : 'microsoft-sovereign-cloud';
+}
+//# sourceMappingURL=configuredAzureEnv.js.map

package/dist/cjs/src/utils/getUnauthenticatedTenants.js

@@ -0,0 +1,23 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+*  Copyright (c) Microsoft Corporation. All rights reserved.
+*  Licensed under the MIT License. See License.txt in the project root for license information.
+*--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getUnauthenticatedTenants = getUnauthenticatedTenants;
+/**
+ * @param subscriptionProvider The {@link AzureSubscriptionProvider} to use
+ * @param account (Optional) The account to get unauthenticated tenants for
+ * @returns list of tenants that VS Code doesn't have sessions for
+ */
+async function getUnauthenticatedTenants(subscriptionProvider, account) {
+    const tenants = await subscriptionProvider.getTenants(account);
+    const unauthenticatedTenants = [];
+    for await (const tenant of tenants) {
+        if (!await subscriptionProvider.isSignedIn(tenant.tenantId, tenant.account)) {
+            unauthenticatedTenants.push(tenant);
+        }
+    }
+    return unauthenticatedTenants;
+}
+//# sourceMappingURL=getUnauthenticatedTenants.js.map

package/dist/cjs/src/utils/isGetSubscriptionsFilter.js

@@ -0,0 +1,27 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.md in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isGetSubscriptionsTenantFilter = isGetSubscriptionsTenantFilter;
+exports.isGetSubscriptionsAccountFilter = isGetSubscriptionsAccountFilter;
+/**
+ * Check if an object is a {@link GetSubscriptionsFilter} with a tenantId.
+ */
+function isGetSubscriptionsTenantFilter(obj) {
+    if (typeof obj === 'object' && !!obj && 'tenantId' in obj && typeof obj.tenantId === 'string' && !!obj.tenantId) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check if an object is a {@link GetSubscriptionsFilter} with an account.
+ */
+function isGetSubscriptionsAccountFilter(obj) {
+    if (typeof obj === 'object' && !!obj && 'account' in obj && typeof obj.account === 'object' && !!obj.account) {
+        return true;
+    }
+    return false;
+}
+//# sourceMappingURL=isGetSubscriptionsFilter.js.map

package/{out → dist/esm}/src/AzureAuthentication.d.ts

@@ -13,9 +13,9 @@ export interface AzureAuthentication {
     /**
      * Gets a VS Code authentication session for an Azure subscription.
      *
-     * @param scopes - The scopes for which the authentication is needed.
+     * @param scopeListOrRequest - The scopes or request for which the authentication is needed.
      *
      * @returns A VS Code authentication session or undefined, if none could be obtained.
      */
-    getSessionWithScopes(scopes: string[] | vscode.AuthenticationWwwAuthenticateRequest): vscode.ProviderResult<vscode.AuthenticationSession>;
+    getSessionWithScopes(scopeListOrRequest: string[] | vscode.AuthenticationWwwAuthenticateRequest): vscode.ProviderResult<vscode.AuthenticationSession>;
 }

package/dist/esm/src/AzureAuthentication.js

@@ -0,0 +1,6 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export {};
+//# sourceMappingURL=AzureAuthentication.js.map

package/{out → dist/esm}/src/AzureDevOpsSubscriptionProvider.d.ts

@@ -1,7 +1,7 @@
-import { Event } from 'vscode';
-import { AzureSubscription } from './AzureSubscription';
-import { AzureSubscriptionProvider, GetSubscriptionsFilter } from './AzureSubscriptionProvider';
-import { AzureTenant } from './AzureTenant';
+import type * as vscode from 'vscode';
+import type { AzureSubscription } from './AzureSubscription';
+import type { AzureSubscriptionProvider, GetSubscriptionsFilter } from './AzureSubscriptionProvider';
+import type { AzureTenant } from './AzureTenant';
 export interface AzureDevOpsSubscriptionProviderInitializer {
     /**
     * The resource ID of the Azure DevOps federated service connection,
@@ -63,6 +63,6 @@ export declare class AzureDevOpsSubscriptionProvider implements AzureSubscriptio
      * @returns A client, the credential used by the client, and the authentication function
      */
     private getSubscriptionClient;
-    onDidSignIn: Event<void>;
-    onDidSignOut: Event<void>;
+    onDidSignIn: vscode.Event<void>;
+    onDidSignOut: vscode.Event<void>;
 }

package/dist/esm/src/AzureDevOpsSubscriptionProvider.js

@@ -0,0 +1,210 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+import { getConfiguredAzureEnv } from './utils/configuredAzureEnv';
+let azureDevOpsSubscriptionProvider;
+export function createAzureDevOpsSubscriptionProviderFactory(initializer) {
+    return async () => {
+        azureDevOpsSubscriptionProvider ??= new AzureDevOpsSubscriptionProvider(initializer);
+        return azureDevOpsSubscriptionProvider;
+    };
+}
+/**
+ * AzureSubscriptionProvider implemented to authenticate via federated DevOps service connection, using workflow identity federation
+ * To learn how to configure your DevOps environment to use this provider, refer to the README.md
+ * NOTE: This provider is only available when running in an Azure DevOps pipeline
+ * Reference: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
+ */
+export class AzureDevOpsSubscriptionProvider {
+    _tokenCredential;
+    /**
+    * The resource ID of the Azure DevOps federated service connection,
+    *   which can be found on the `resourceId` field of the URL at the address bar
+    *   when viewing the service connection in the Azure DevOps portal
+    */
+    _SERVICE_CONNECTION_ID;
+    /**
+    * The `Tenant ID` field of the service connection properties
+    */
+    _DOMAIN;
+    /**
+    * The `Service Principal Id` field of the service connection properties
+    */
+    _CLIENT_ID;
+    constructor({ serviceConnectionId, domain, clientId }) {
+        if (!serviceConnectionId || !domain || !clientId) {
+            throw new Error(`Missing initializer values to identify Azure DevOps federated service connection\n
+                Values provided:\n
+                serviceConnectionId: ${serviceConnectionId ? "✅" : "❌"}\n
+                domain: ${domain ? "✅" : "❌"}\n
+                clientId: ${clientId ? "✅" : "❌"}\n
+            `);
+        }
+        this._SERVICE_CONNECTION_ID = serviceConnectionId;
+        this._DOMAIN = domain;
+        this._CLIENT_ID = clientId;
+    }
+    async getSubscriptions(_filter) {
+        // ignore the filter setting because not every consumer of this provider will use the Resources extension
+        const results = [];
+        for (const tenant of await this.getTenants()) {
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            const tenantId = tenant.tenantId;
+            results.push(...await this.getSubscriptionsForTenant(tenantId));
+        }
+        const sortSubscriptions = (subscriptions) => subscriptions.sort((a, b) => a.name.localeCompare(b.name));
+        return sortSubscriptions(results);
+    }
+    async isSignedIn() {
+        return !!this._tokenCredential;
+    }
+    async signIn() {
+        this._tokenCredential = await getTokenCredential(this._SERVICE_CONNECTION_ID, this._DOMAIN, this._CLIENT_ID);
+        return !!this._tokenCredential;
+    }
+    async signOut() {
+        this._tokenCredential = undefined;
+    }
+    async getTenants() {
+        return [{
+                tenantId: this._tokenCredential?.tenantId,
+                account: {
+                    id: "test-account-id",
+                    label: "test-account",
+                }
+            }];
+    }
+    /**
+     * Gets the subscriptions for a given tenant.
+     *
+     * @param tenantId The tenant ID to get subscriptions for.
+     *
+     * @returns The list of subscriptions for the tenant.
+     */
+    async getSubscriptionsForTenant(tenantId) {
+        const { client, credential, authentication } = await this.getSubscriptionClient(tenantId);
+        const environment = getConfiguredAzureEnv();
+        const subscriptions = [];
+        for await (const subscription of client.subscriptions.list()) {
+            subscriptions.push({
+                authentication,
+                environment: environment,
+                credential: credential,
+                isCustomCloud: environment.isCustomCloud,
+                /* eslint-disable @typescript-eslint/no-non-null-assertion */
+                name: subscription.displayName,
+                subscriptionId: subscription.subscriptionId,
+                /* eslint-enable @typescript-eslint/no-non-null-assertion */
+                tenantId,
+                account: {
+                    id: "test-account-id",
+                    label: "test-account",
+                },
+            });
+        }
+        return subscriptions;
+    }
+    /**
+     * Gets a fully-configured subscription client for a given tenant ID
+     *
+     * @param tenantId (Optional) The tenant ID to get a client for
+     *
+     * @returns A client, the credential used by the client, and the authentication function
+     */
+    async getSubscriptionClient(_tenantId, scopes) {
+        const armSubs = await import('@azure/arm-resources-subscriptions');
+        if (!this._tokenCredential) {
+            throw new Error('Not signed in');
+        }
+        const accessToken = (await this._tokenCredential?.getToken("https://management.azure.com/.default"))?.token || '';
+        const getSession = () => {
+            return {
+                accessToken,
+                id: this._tokenCredential?.tenantId || '',
+                account: {
+                    id: this._tokenCredential?.tenantId || '',
+                    label: this._tokenCredential?.tenantId || '',
+                },
+                tenantId: this._tokenCredential?.tenantId || '',
+                scopes: scopes || [],
+            };
+        };
+        return {
+            client: new armSubs.SubscriptionClient(this._tokenCredential),
+            credential: this._tokenCredential,
+            authentication: {
+                getSession,
+                getSessionWithScopes: getSession,
+            }
+        };
+    }
+    onDidSignIn = () => { return { dispose() { } }; };
+    onDidSignOut = () => { return { dispose() { } }; };
+}
+/*
+* @param serviceConnectionId The resource ID of the Azure DevOps federated service connection,
+*   which can be found on the `resourceId` field of the URL at the address bar when viewing the service connection in the Azure DevOps portal
+* @param domain The `Tenant ID` field of the service connection properties
+* @param clientId The `Service Principal Id` field of the service connection properties
+*/
+async function getTokenCredential(serviceConnectionId, domain, clientId) {
+    if (!process.env.AGENT_BUILDDIRECTORY) {
+        // Assume that AGENT_BUILDDIRECTORY is set if running in an Azure DevOps pipeline.
+        // So when not running in an Azure DevOps pipeline, throw an error since we cannot use the DevOps federated service connection credential.
+        throw new Error(`Cannot create DevOps federated service connection credential outside of an Azure DevOps pipeline.`);
+    }
+    else {
+        console.log(`Creating DevOps federated service connection credential for service connection..`);
+        // Pre-defined DevOps variable reference: https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops
+        const systemAccessToken = process.env.SYSTEM_ACCESSTOKEN;
+        const teamFoundationCollectionUri = process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI;
+        const teamProjectId = process.env.SYSTEM_TEAMPROJECTID;
+        const planId = process.env.SYSTEM_PLANID;
+        const jobId = process.env.SYSTEM_JOBID;
+        if (!systemAccessToken || !teamFoundationCollectionUri || !teamProjectId || !planId || !jobId) {
+            throw new Error(`Azure DevOps environment variables are not set.\n
+            process.env.SYSTEM_ACCESSTOKEN: ${process.env.SYSTEM_ACCESSTOKEN ? "✅" : "❌"}\n
+            process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI: ${process.env.SYSTEM_TEAMFOUNDATIONCOLLECTIONURI ? "✅" : "❌"}\n
+            process.env.SYSTEM_TEAMPROJECTID: ${process.env.SYSTEM_TEAMPROJECTID ? "✅" : "❌"}\n
+            process.env.SYSTEM_PLANID: ${process.env.SYSTEM_PLANID ? "✅" : "❌"}\n
+            process.env.SYSTEM_JOBID: ${process.env.SYSTEM_JOBID ? "✅" : "❌"}\n
+            REMEMBER: process.env.SYSTEM_ACCESSTOKEN must be explicitly mapped!\n
+            https://learn.microsoft.com/en-us/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
+        `);
+        }
+        const oidcRequestUrl = `${teamFoundationCollectionUri}${teamProjectId}/_apis/distributedtask/hubs/build/plans/${planId}/jobs/${jobId}/oidctoken?api-version=7.1-preview.1&serviceConnectionId=${serviceConnectionId}`;
+        const { ClientAssertionCredential } = await import("@azure/identity");
+        return new ClientAssertionCredential(domain, clientId, async () => await requestOidcToken(oidcRequestUrl, systemAccessToken));
+    }
+}
+/**
+ * API reference: https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/oidctoken/create
+ */
+async function requestOidcToken(oidcRequestUrl, systemAccessToken) {
+    const { ServiceClient } = await import('@azure/core-client');
+    const { createHttpHeaders, createPipelineRequest } = await import('@azure/core-rest-pipeline');
+    const genericClient = new ServiceClient();
+    const request = createPipelineRequest({
+        url: oidcRequestUrl,
+        method: "POST",
+        headers: createHttpHeaders({
+            "Content-Type": "application/json",
+            "Authorization": `Bearer ${systemAccessToken}`
+        })
+    });
+    const response = await genericClient.sendRequest(request);
+    const body = response.bodyAsText?.toString() || "";
+    if (response.status !== 200) {
+        throw new Error(`Failed to get OIDC token:\n
+            Response status: ${response.status}\n
+            Response body: ${body}\n
+            Response headers: ${JSON.stringify(response.headers.toJSON())}
+        `);
+    }
+    else {
+        console.log(`Successfully got OIDC token with status ${response.status}`);
+    }
+    return JSON.parse(body).oidcToken;
+}
+//# sourceMappingURL=AzureDevOpsSubscriptionProvider.js.map

package/{out → dist/esm}/src/AzureSubscription.d.ts

@@ -1,7 +1,7 @@
 import type { TokenCredential } from '@azure/core-auth';
 import type { Environment } from '@azure/ms-rest-azure-env';
-import * as vscode from "vscode";
-import { AzureAuthentication } from './AzureAuthentication';
+import type * as vscode from "vscode";
+import type { AzureAuthentication } from './AzureAuthentication';
 /**
  * A type representing an Azure subscription ID, not including the tenant ID.
  */

package/dist/esm/src/AzureSubscription.js

@@ -0,0 +1,6 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export {};
+//# sourceMappingURL=AzureSubscription.js.map

package/dist/esm/src/AzureSubscriptionProvider.js

@@ -0,0 +1,6 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export {};
+//# sourceMappingURL=AzureSubscriptionProvider.js.map