@microsoft/vscode-azext-azureauth 5.1.1 → 6.0.0-alpha.2

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## 6.0.0-alpha.2 - 2026-02-09
+
+* Fix copy all optional properties in `ExtendedEnvironment` constructor
+
+## 6.0.0 - 2025-12-15
+
+* [#2119](https://github.com/microsoft/vscode-azuretools/pull/2119) Complete rewrite of the auth package. Adds caching, parallelization, and smarter filtering.
+
 ## 5.1.1 - 2025-10-28
 
 * [#2111](https://github.com/microsoft/vscode-azuretools/pull/2111) Same as https://github.com/microsoft/vscode-azuretools/pull/2110 but a better fix.

package/README.md

@@ -4,79 +4,9 @@ This package provides a simple way to authenticate to Azure and receive Azure su
 
 ## Azure Subscription Provider
 
-The `AzureSubscriptionProvider` interface describes the functions of this package.
+The [`AzureSubscriptionProvider`](./src/contracts/AzureSubscriptionProvider.ts) interface describes the functions of this package.
 
-```typescript
-/**
- * An interface for obtaining Azure subscription information
- */
-export interface AzureSubscriptionProvider {
-    /**
-     * Gets a list of tenants available to the user.
-     * Use {@link isSignedIn} to check if the user is signed in to a particular tenant.
-     *
-     * @returns A list of tenants.
-     */
-    getTenants(): Promise<TenantIdDescription[]>;
-
-    /**
-     * Gets a list of Azure subscriptions available to the user.
-     *
-     * @param filter - Whether to filter the list returned. When:
-     * - `true`: according to the list returned by `getTenantFilters()` and `getSubscriptionFilters()`.
-     * - `false`: return all subscriptions.
-     * - `GetSubscriptionsFilter`: according to the values in the filter.
-     *
-     * Optional, default true.
-     *
-     * @returns A list of Azure subscriptions.
-     *
-     * @throws A {@link NotSignedInError} If the user is not signed in to Azure.
-     * Use {@link isSignedIn} and/or {@link signIn} before this method to ensure
-     * the user is signed in.
-     */
-    getSubscriptions(filter: boolean): Promise<AzureSubscription[]>;
-
-    /**
-     * Checks to see if a user is signed in.
-     *
-     * @param tenantId (Optional) Provide to check if a user is signed in to a specific tenant.
-     *
-     * @returns True if the user is signed in, false otherwise.
-     */
-    isSignedIn(tenantId?: string): Promise<boolean>;
-
-    /**
-     * Asks the user to sign in or pick an account to use.
-     *
-     * @param tenantId (Optional) Provide to sign in to a specific tenant.
-     *
-     * @returns True if the user is signed in, false otherwise.
-     */
-    signIn(tenantId?: string): Promise<boolean>;
-
-    /**
-     * An event that is fired when the user signs in. Debounced to fire at most once every 5 seconds.
-     */
-    onDidSignIn: vscode.Event<void>;
-
-    /**
-     * Signs the user out
-     *
-     * @deprecated Not currently supported by VS Code auth providers
-     *
-     * @throws Throws an {@link Error} every time
-     */
-    signOut(): Promise<void>;
-
-    /**
-     * An event that is fired when the user signs out. Debounced to fire at most once every 5 seconds.
-     */
-    onDidSignOut: vscode.Event<void>;
-}
-```
-
-If the caller calls `getSubscriptions()` when the user is not signed in, a `NotSignedInError` will be thrown. You can check to see if a caught error is an instance of this error with `isNotSignedInError()`.
+If the caller calls `getAvailableSubscriptions()` or `getAccounts()` when the user is not signed in, a `NotSignedInError` will be thrown. You can check to see if a caught error is an instance of this error with `isNotSignedInError()`.
 
 ## Azure Cloud Configuration
 Two methods are available for controlling the VSCode settings that determine what cloud is connected to when enumerating subscriptions.
@@ -104,7 +34,7 @@ export declare function setConfiguredAzureEnv(cloud: string | azureEnv.Environme
 
 ## Azure DevOps Subscription Provider
 
-The auth package also exports `AzureDevOpsSubscriptionProvider`, a class which implements the `AzureSubscriptionProvider` interface, which authenticates via
+The auth package also exports [`AzureDevOpsSubscriptionProvider`](./src/providers/AzureDevOpsSubscriptionProvider.ts), a class which implements the `AzureSubscriptionProvider` interface, which authenticates via
 a federated Azure DevOps service connection, using [workflow identity federation](https://learn.microsoft.com/entra/workload-id/workload-identity-federation).
 
 This provider only works when running in the context of an Azure DevOps pipeline. It can be used to run end-to-end tests that require authentication to Azure,
@@ -114,19 +44,19 @@ The constructor expects an initializer object with three values set to identify
 These are:
 
 - `serviceConnectionId`: The resource ID of your service connection, which can be found on the `resourceId` field of the URL at the address bar, when viewing the service connection in the Azure DevOps portal
-- `domain`: The `Tenant ID` field of the service connection properties, which can be accessed by clicking "Edit" on the service connection page
+- `tenantId`: The `Tenant ID` field of the service connection properties, which can be accessed by clicking "Edit" on the service connection page
 - `clientId`: The `Service Principal Id` field of the service connection properties, which can be accessed by clicking "Edit" on the service connection page
 
 Here is an example code of how you might use `AzureDevOpsSubscriptionProvider`:
 
 ```typescript
-import { AzureDevOpsSubscriptionProviderInitializer, AzureDevOpsSubscriptionProvider } from "@microsoft/vscode-azext-azureauth";
+import { AzureDevOpsSubscriptionProviderInitializer, AzureDevOpsSubscriptionProvider } from "@microsoft/vscode-azext-azureauth/azdo";
 
 const initializer: AzureDevOpsSubscriptionProviderInitializer = {
     serviceConnectionId: "<REPLACE_WITH_SERVICE_CONNECTION_ID>",
-    domain: "<REPLACE_WITH_DOMAIN>",
+    tenantId: "<REPLACE_WITH_TENANT_ID>",
     clientId: "<REPLACE_WITH_CLIENT_ID>",
-}
+};
 
 const subscriptionProvider = new AzureDevOpsSubscriptionProvider(initializer);
 
@@ -135,9 +65,9 @@ if (!signedIn) {
     throw new Error("Couldn't sign in");
 }
 
-const subscriptions = await subscriptionProvider.getSubscriptions();
+const subscriptions = await subscriptionProvider.getAvailableSubscriptions();
 
-// logic on the subscriptions object
+// logic on the subscriptions objects
 ```
 
 For more detailed steps on how to setup your Azure environment to use workflow identity federation and use this `AzureDevOpsSubscriptionProvider` object effectively,

package/dist/cjs/src/contracts/AzureAccount.js

@@ -0,0 +1,7 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=AzureAccount.js.map

package/dist/cjs/src/contracts/AzureSubscriptionProviderRequestOptions.js

@@ -0,0 +1,48 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultOptions = exports.DefaultSignInOptions = void 0;
+exports.getCoalescenceKey = getCoalescenceKey;
+/**
+ * Default options for signing in to a tenant
+ */
+exports.DefaultSignInOptions = {
+    clearSessionPreference: false,
+    promptIfNeeded: true,
+};
+/**
+ * The default options when getting available subscriptions.
+ * @note This same value also is passed as the default to all the get* methods, since it
+ * is a superset of all of the available options.
+ */
+exports.DefaultOptions = {
+    filter: true,
+    noCache: false,
+    token: undefined,
+    dedupe: true,
+    maximumTenants: 10,
+};
+/**
+ * Gets a promise coalescence key for the given {@link GetAvailableSubscriptionsOptions}.
+ * @param options The options to get the key for
+ * @returns A string key for coalescing promises, or undefined if coalescing is not applicable
+ * @internal This should not be used by external code. This is placed here so it can be adjacent
+ * to the {@link GetAvailableSubscriptionsOptions} type, but should be used only by internal
+ * implementations
+ */
+function getCoalescenceKey(options) {
+    // Never coalesce if there is a cancellation token--no way to do it safely
+    if (options.token) {
+        return undefined;
+    }
+    return Object
+        .keys(options)
+        .filter(k => k !== 'token') // ignore token
+        .sort()
+        .map(k => `${k}:${options[k] ?? exports.DefaultOptions[k]}`)
+        .join(',');
+}
+//# sourceMappingURL=AzureSubscriptionProviderRequestOptions.js.map

package/dist/cjs/src/index.js

@@ -18,15 +18,18 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./AzureAuthentication"), exports);
-__exportStar(require("./AzureDevOpsSubscriptionProvider"), exports);
-__exportStar(require("./AzureSubscription"), exports);
-__exportStar(require("./AzureSubscriptionProvider"), exports);
-__exportStar(require("./AzureTenant"), exports);
-__exportStar(require("./getSessionFromVSCode"), exports);
-__exportStar(require("./NotSignedInError"), exports);
-__exportStar(require("./signInToTenant"), exports);
+__exportStar(require("./contracts/AzureAccount"), exports);
+__exportStar(require("./contracts/AzureAuthentication"), exports);
+__exportStar(require("./contracts/AzureSubscription"), exports);
+__exportStar(require("./contracts/AzureSubscriptionProvider"), exports);
+__exportStar(require("./contracts/AzureTenant"), exports);
+// The `AzureDevOpsSubscriptionProvider` is intentionally not exported, it must be imported from `'@microsoft/vscode-azext-azureauth/azdo'`
+__exportStar(require("./providers/AzureSubscriptionProviderBase"), exports);
+__exportStar(require("./providers/VSCodeAzureSubscriptionProvider"), exports);
 __exportStar(require("./utils/configuredAzureEnv"), exports);
-__exportStar(require("./utils/getUnauthenticatedTenants"), exports);
-__exportStar(require("./VSCodeAzureSubscriptionProvider"), exports);
+__exportStar(require("./utils/dedupeSubscriptions"), exports);
+__exportStar(require("./utils/getMetricsForTelemetry"), exports);
+__exportStar(require("./utils/getSessionFromVSCode"), exports);
+__exportStar(require("./utils/NotSignedInError"), exports);
+__exportStar(require("./utils/signInToTenant"), exports);
 //# sourceMappingURL=index.js.map

package/dist/cjs/src/providers/AzureDevOpsSubscriptionProvider.js

@@ -0,0 +1,178 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzureDevOpsSubscriptionProvider = void 0;
+exports.createAzureDevOpsSubscriptionProviderFactory = createAzureDevOpsSubscriptionProviderFactory;
+const azureEnv = __importStar(require("@azure/ms-rest-azure-env")); // This package is so small that it's not worth lazy loading
+const crypto = __importStar(require("crypto"));
+const isAuthenticationWwwAuthenticateRequest_1 = require("../utils/isAuthenticationWwwAuthenticateRequest");
+const NotSignedInError_1 = require("../utils/NotSignedInError");
+const AzureSubscriptionProviderBase_1 = require("./AzureSubscriptionProviderBase");
+let azureDevOpsSubscriptionProvider;
+function createAzureDevOpsSubscriptionProviderFactory(initializer) {
+    return () => {
+        azureDevOpsSubscriptionProvider ??= new AzureDevOpsSubscriptionProvider(initializer);
+        return Promise.resolve(azureDevOpsSubscriptionProvider);
+    };
+}
+let armSubs;
+let azIdentity;
+/**
+ * AzureSubscriptionProvider implemented to authenticate via federated DevOps service connection, using workflow identity federation
+ * To learn how to configure your DevOps environment to use this provider, refer to the README.md
+ * NOTE: This provider is only available when running in an Azure DevOps pipeline
+ * Reference: https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation
+ */
+class AzureDevOpsSubscriptionProvider extends AzureSubscriptionProviderBase_1.AzureSubscriptionProviderBase {
+    _tokenCredential;
+    _serviceConnectionId;
+    _tenantId;
+    _clientId;
+    constructor({ serviceConnectionId, tenantId, clientId }, logger) {
+        super(logger);
+        if (!serviceConnectionId || !tenantId || !clientId) {
+            throw new Error(`Missing initializer values to identify Azure DevOps federated service connection\n
+                Values provided:\n
+                serviceConnectionId: ${serviceConnectionId ? "✅" : "❌"}\n
+                tenantId: ${tenantId ? "✅" : "❌"}\n
+                clientId: ${clientId ? "✅" : "❌"}\n
+            `);
+        }
+        this._serviceConnectionId = serviceConnectionId;
+        this._tenantId = tenantId;
+        this._clientId = clientId;
+    }
+    /**
+     * For {@link AzureSubscriptionProviderBase}, this event will never fire
+     */
+    onRefreshSuggested = () => { return { dispose: () => { } }; };
+    /**
+     * For {@link AzureSubscriptionProviderBase}, this returns a single account with a fixed ID and label
+     */
+    getAccounts() {
+        return Promise.resolve([
+            {
+                id: 'test-account-id',
+                label: 'test-account',
+            }
+        ]);
+    }
+    /**
+     * For {@link AzureSubscriptionProviderBase}, this returns an empty array
+     */
+    getUnauthenticatedTenantsForAccount() {
+        // For DevOps federated service connection, there is only one tenant associated with the service principal, and we will be authenticated
+        return Promise.resolve([]);
+    }
+    /**
+     * For {@link AzureSubscriptionProviderBase}, this returns a single tenant associated with the service principal
+     */
+    getTenantsForAccount(account) {
+        return Promise.resolve([{
+                tenantId: this._tenantId,
+                account: account,
+            }]);
+    }
+    /**
+     * @inheritdoc
+     */
+    async signIn() {
+        this._tokenCredential ??= await getTokenCredential(this._serviceConnectionId, this._tenantId, this._clientId);
+        return !!this._tokenCredential;
+    }
+    /**
+     * @inheritdoc
+     */
+    async getSubscriptionClient(tenant) {
+        if (!this._tokenCredential) {
+            throw new NotSignedInError_1.NotSignedInError();
+        }
+        const getSessionWithScopes = async (scopes) => {
+            if ((0, isAuthenticationWwwAuthenticateRequest_1.isAuthenticationWwwAuthenticateRequest)(scopes)) {
+                throw new Error('Getting session with challenge is not supported in AzureDevOpsSubscriptionProvider.');
+            }
+            const token = await this._tokenCredential?.getToken(scopes);
+            if (!token) {
+                throw new NotSignedInError_1.NotSignedInError();
+            }
+            return {
+                accessToken: token.token,
+                id: crypto.randomUUID(),
+                account: tenant.account,
+                scopes: scopes,
+            };
+        };
+        armSubs ??= await import('@azure/arm-resources-subscriptions');
+        return {
+            client: new armSubs.SubscriptionClient(this._tokenCredential),
+            credential: this._tokenCredential,
+            authentication: {
+                getSession: () => {
+                    return getSessionWithScopes([azureEnv.Environment.AzureCloud.managementEndpointUrl + '/.default']);
+                },
+                getSessionWithScopes: getSessionWithScopes,
+            }
+        };
+    }
+}
+exports.AzureDevOpsSubscriptionProvider = AzureDevOpsSubscriptionProvider;
+/**
+* @param serviceConnectionId The resource ID of the Azure DevOps federated service connection,
+*   which can be found on the `resourceId` field of the URL at the address bar when viewing the service connection in the Azure DevOps portal
+* @param tenantId The `Tenant ID` field of the service connection properties
+* @param clientId The `Service Principal Id` field of the service connection properties
+*/
+async function getTokenCredential(serviceConnectionId, tenantId, clientId) {
+    if (!process.env.AGENT_BUILDDIRECTORY) {
+        // Assume that AGENT_BUILDDIRECTORY is set if running in an Azure DevOps pipeline.
+        // So when not running in an Azure DevOps pipeline, throw an error since we cannot use the DevOps federated service connection credential.
+        throw new Error('Cannot create DevOps federated service connection credential outside of an Azure DevOps pipeline.');
+    }
+    else if (!process.env.SYSTEM_ACCESSTOKEN) {
+        throw new Error('Cannot create DevOps federated service connection credential because the SYSTEM_ACCESSTOKEN environment variable is not set.');
+    }
+    else {
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore @azure/identity contains a bug where this type mismatches between CJS and ESM, we must ignore it. We also can't do @ts-expect-error because the error only happens when building CJS.
+        azIdentity ??= await import('@azure/identity');
+        // eslint-disable-next-line @typescript-eslint/no-non-null-assertion, @typescript-eslint/no-unnecessary-type-assertion
+        return new azIdentity.AzurePipelinesCredential(tenantId, clientId, serviceConnectionId, process.env.SYSTEM_ACCESSTOKEN);
+    }
+}
+//# sourceMappingURL=AzureDevOpsSubscriptionProvider.js.map