@microsoft/vscode-azext-azureauth 6.0.0-alpha.4 → 6.0.0-alpha.6

package/dist/cjs/src/index.js

@@ -26,6 +26,7 @@ __exportStar(require("./contracts/AzureTenant"), exports);
 // The `AzureDevOpsSubscriptionProvider` is intentionally not exported, it must be imported from `'@microsoft/vscode-azext-azureauth/azdo'`
 __exportStar(require("./providers/AzureSubscriptionProviderBase"), exports);
 __exportStar(require("./providers/VSCodeAzureSubscriptionProvider"), exports);
+__exportStar(require("./utils/BearerChallengePolicy"), exports);
 __exportStar(require("./utils/configuredAzureEnv"), exports);
 __exportStar(require("./utils/dedupeSubscriptions"), exports);
 __exportStar(require("./utils/getMetricsForTelemetry"), exports);

package/dist/cjs/src/providers/AzureSubscriptionProviderBase.js

@@ -38,6 +38,7 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AzureSubscriptionProviderBase = void 0;
+const BearerChallengePolicy_1 = require("../utils/BearerChallengePolicy");
 const util_1 = require("util");
 const vscode = __importStar(require("vscode"));
 const AzureSubscriptionProviderRequestOptions_1 = require("../contracts/AzureSubscriptionProviderRequestOptions");
@@ -115,12 +116,18 @@ class AzureSubscriptionProviderBase {
             // If silent, suppress with normal timeout
             this.silenceRefreshEvents();
         }
-        const session = await (0, getSessionFromVSCode_1.getSessionFromVSCode)(undefined, tenant?.tenantId, {
-            account: tenant?.account,
-            clearSessionPreference: options.clearSessionPreference ?? AzureSubscriptionProviderRequestOptions_1.DefaultSignInOptions.clearSessionPreference,
-            createIfNone: prompt,
-            silent: !prompt,
-        });
+        let session;
+        try {
+            session = await (0, getSessionFromVSCode_1.getSessionFromVSCode)(undefined, tenant?.tenantId, {
+                account: tenant?.account,
+                clearSessionPreference: options.clearSessionPreference ?? AzureSubscriptionProviderRequestOptions_1.DefaultSignInOptions.clearSessionPreference,
+                createIfNone: prompt,
+                silent: !prompt,
+            });
+        }
+        catch (err) {
+            throw maybeImproveSignInError(err, tenant?.tenantId);
+        }
         if (prompt) {
             // Interactive sign in can take a while, so silence events for a bit longer
             this.silenceRefreshEvents();
@@ -341,8 +348,15 @@ class AzureSubscriptionProviderBase {
             }
         };
         armSubs ??= await import('@azure/arm-resources-subscriptions');
+        const endpoint = (0, configuredAzureEnv_1.getConfiguredAzureEnv)().resourceManagerEndpointUrl;
+        const client = new armSubs.SubscriptionClient(credential, { endpoint });
+        client.pipeline.addPolicy(new BearerChallengePolicy_1.BearerChallengePolicy(async (challenge) => {
+            this.silenceRefreshEvents();
+            const session = await (0, getSessionFromVSCode_1.getSessionFromVSCode)(challenge, tenant.tenantId, { createIfNone: true, account: tenant.account });
+            return session?.accessToken;
+        }, endpoint), { phase: 'Sign', afterPolicies: ['bearerTokenAuthenticationPolicy'] });
         return {
-            client: new armSubs.SubscriptionClient(credential, { endpoint: (0, configuredAzureEnv_1.getConfiguredAzureEnv)().resourceManagerEndpointUrl }),
+            client,
             credential: credential,
             authentication: {
                 getSession: async () => {
@@ -368,13 +382,13 @@ class AzureSubscriptionProviderBase {
         };
     }
     log(message) {
-        this.logger?.debug(`[auth] ${message}`);
+        this.logger?.info(`[auth] ${message}`);
     }
     logForAccount(account, message) {
-        this.logger?.debug(`[auth] [account: ${(0, screen_1.screen)(account)}] ${message}`);
+        this.logger?.info(`[auth] [account: ${(0, screen_1.screen)(account)}] ${message}`);
     }
     logForTenant(tenant, message) {
-        this.logger?.debug(`[auth] [account: ${(0, screen_1.screen)(tenant.account)}] [tenant: ${(0, screen_1.screen)(tenant)}] ${message}`);
+        this.logger?.info(`[auth] [account: ${(0, screen_1.screen)(tenant.account)}] [tenant: ${(0, screen_1.screen)(tenant)}] ${message}`);
     }
     warnForAccount(account, message) {
         this.logger?.warn(`[auth] [account: ${(0, screen_1.screen)(account)}] ${message}`);
@@ -426,4 +440,28 @@ class AzureSubscriptionProviderBase {
     }
 }
 exports.AzureSubscriptionProviderBase = AzureSubscriptionProviderBase;
+/**
+ * Inspects an error thrown during sign-in and returns a more user-friendly
+ * error when possible (e.g. native broker errors), otherwise returns the
+ * original error unchanged.
+ */
+function maybeImproveSignInError(err, tenantId) {
+    if (!(err instanceof Error)) {
+        return err;
+    }
+    const message = err.message;
+    // The native MSAL broker surfaces opaque "platform_broker_error" messages
+    // that don't tell the user what went wrong. Re-wrap with actionable text.
+    if (message.includes('platform_broker_error')) {
+        const tenantHint = tenantId
+            ? vscode.l10n.t(' for tenant "{0}"', tenantId)
+            : '';
+        const improved = new Error(vscode.l10n.t('Sign-in failed{0}. The tenant may have expired or is no longer valid. Please verify the tenant is still active and try again.', tenantHint), { cause: err });
+        if (err.stack && improved.stack) {
+            improved.stack += `\nCaused by: ${err.stack}`;
+        }
+        return improved;
+    }
+    return err;
+}
 //# sourceMappingURL=AzureSubscriptionProviderBase.js.map

package/dist/cjs/src/utils/BearerChallengePolicy.js

@@ -0,0 +1,41 @@
+"use strict";
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BearerChallengePolicy = void 0;
+exports.getDefaultScopeFromEndpoint = getDefaultScopeFromEndpoint;
+function getDefaultScopeFromEndpoint(endpoint) {
+    let base = endpoint ?? 'https://management.azure.com/';
+    base = base.replace(/\/+$/, '');
+    return `${base}/.default`;
+}
+const challengeRetriedRequests = new WeakSet();
+class BearerChallengePolicy {
+    getTokenForChallenge;
+    endpoint;
+    name = 'BearerChallengePolicy';
+    constructor(getTokenForChallenge, endpoint) {
+        this.getTokenForChallenge = getTokenForChallenge;
+        this.endpoint = endpoint;
+    }
+    async sendRequest(request, next) {
+        const initial = await next(request);
+        if (initial.status === 401 && !challengeRetriedRequests.has(request)) {
+            const header = initial.headers.get('WWW-Authenticate') || initial.headers.get('www-authenticate');
+            if (header) {
+                const scopes = [getDefaultScopeFromEndpoint(this.endpoint)];
+                challengeRetriedRequests.add(request);
+                const token = await this.getTokenForChallenge({ wwwAuthenticate: header, fallbackScopes: scopes });
+                if (token) {
+                    request.headers.set('Authorization', `Bearer ${token}`);
+                    return await next(request);
+                }
+            }
+        }
+        return initial;
+    }
+}
+exports.BearerChallengePolicy = BearerChallengePolicy;
+//# sourceMappingURL=BearerChallengePolicy.js.map

package/dist/esm/src/index.d.ts

@@ -6,6 +6,7 @@ export type * from './contracts/AzureSubscriptionProviderRequestOptions';
 export * from './contracts/AzureTenant';
 export * from './providers/AzureSubscriptionProviderBase';
 export * from './providers/VSCodeAzureSubscriptionProvider';
+export * from './utils/BearerChallengePolicy';
 export * from './utils/configuredAzureEnv';
 export * from './utils/dedupeSubscriptions';
 export * from './utils/getMetricsForTelemetry';

package/dist/esm/src/index.js

@@ -10,6 +10,7 @@ export * from './contracts/AzureTenant';
 // The `AzureDevOpsSubscriptionProvider` is intentionally not exported, it must be imported from `'@microsoft/vscode-azext-azureauth/azdo'`
 export * from './providers/AzureSubscriptionProviderBase';
 export * from './providers/VSCodeAzureSubscriptionProvider';
+export * from './utils/BearerChallengePolicy';
 export * from './utils/configuredAzureEnv';
 export * from './utils/dedupeSubscriptions';
 export * from './utils/getMetricsForTelemetry';

package/dist/esm/src/providers/AzureSubscriptionProviderBase.js

@@ -2,6 +2,7 @@
  *  Copyright (c) Microsoft Corporation. All rights reserved.
  *  Licensed under the MIT License. See License.txt in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
+import { BearerChallengePolicy } from '../utils/BearerChallengePolicy';
 import { inspect } from 'util';
 import * as vscode from 'vscode';
 import { DefaultOptions, DefaultSignInOptions } from '../contracts/AzureSubscriptionProviderRequestOptions';
@@ -79,12 +80,18 @@ export class AzureSubscriptionProviderBase {
             // If silent, suppress with normal timeout
             this.silenceRefreshEvents();
         }
-        const session = await getSessionFromVSCode(undefined, tenant?.tenantId, {
-            account: tenant?.account,
-            clearSessionPreference: options.clearSessionPreference ?? DefaultSignInOptions.clearSessionPreference,
-            createIfNone: prompt,
-            silent: !prompt,
-        });
+        let session;
+        try {
+            session = await getSessionFromVSCode(undefined, tenant?.tenantId, {
+                account: tenant?.account,
+                clearSessionPreference: options.clearSessionPreference ?? DefaultSignInOptions.clearSessionPreference,
+                createIfNone: prompt,
+                silent: !prompt,
+            });
+        }
+        catch (err) {
+            throw maybeImproveSignInError(err, tenant?.tenantId);
+        }
         if (prompt) {
             // Interactive sign in can take a while, so silence events for a bit longer
             this.silenceRefreshEvents();
@@ -305,8 +312,15 @@ export class AzureSubscriptionProviderBase {
             }
         };
         armSubs ??= await import('@azure/arm-resources-subscriptions');
+        const endpoint = getConfiguredAzureEnv().resourceManagerEndpointUrl;
+        const client = new armSubs.SubscriptionClient(credential, { endpoint });
+        client.pipeline.addPolicy(new BearerChallengePolicy(async (challenge) => {
+            this.silenceRefreshEvents();
+            const session = await getSessionFromVSCode(challenge, tenant.tenantId, { createIfNone: true, account: tenant.account });
+            return session?.accessToken;
+        }, endpoint), { phase: 'Sign', afterPolicies: ['bearerTokenAuthenticationPolicy'] });
         return {
-            client: new armSubs.SubscriptionClient(credential, { endpoint: getConfiguredAzureEnv().resourceManagerEndpointUrl }),
+            client,
             credential: credential,
             authentication: {
                 getSession: async () => {
@@ -332,13 +346,13 @@ export class AzureSubscriptionProviderBase {
         };
     }
     log(message) {
-        this.logger?.debug(`[auth] ${message}`);
+        this.logger?.info(`[auth] ${message}`);
     }
     logForAccount(account, message) {
-        this.logger?.debug(`[auth] [account: ${screen(account)}] ${message}`);
+        this.logger?.info(`[auth] [account: ${screen(account)}] ${message}`);
     }
     logForTenant(tenant, message) {
-        this.logger?.debug(`[auth] [account: ${screen(tenant.account)}] [tenant: ${screen(tenant)}] ${message}`);
+        this.logger?.info(`[auth] [account: ${screen(tenant.account)}] [tenant: ${screen(tenant)}] ${message}`);
     }
     warnForAccount(account, message) {
         this.logger?.warn(`[auth] [account: ${screen(account)}] ${message}`);
@@ -389,4 +403,28 @@ export class AzureSubscriptionProviderBase {
         throw err;
     }
 }
+/**
+ * Inspects an error thrown during sign-in and returns a more user-friendly
+ * error when possible (e.g. native broker errors), otherwise returns the
+ * original error unchanged.
+ */
+function maybeImproveSignInError(err, tenantId) {
+    if (!(err instanceof Error)) {
+        return err;
+    }
+    const message = err.message;
+    // The native MSAL broker surfaces opaque "platform_broker_error" messages
+    // that don't tell the user what went wrong. Re-wrap with actionable text.
+    if (message.includes('platform_broker_error')) {
+        const tenantHint = tenantId
+            ? vscode.l10n.t(' for tenant "{0}"', tenantId)
+            : '';
+        const improved = new Error(vscode.l10n.t('Sign-in failed{0}. The tenant may have expired or is no longer valid. Please verify the tenant is still active and try again.', tenantHint), { cause: err });
+        if (err.stack && improved.stack) {
+            improved.stack += `\nCaused by: ${err.stack}`;
+        }
+        return improved;
+    }
+    return err;
+}
 //# sourceMappingURL=AzureSubscriptionProviderBase.js.map

package/dist/esm/src/utils/BearerChallengePolicy.d.ts

@@ -0,0 +1,10 @@
+import type { PipelinePolicy, PipelineRequest, PipelineResponse, SendRequest } from '@azure/core-rest-pipeline';
+import type * as vscode from 'vscode';
+export declare function getDefaultScopeFromEndpoint(endpoint?: string): string;
+export declare class BearerChallengePolicy implements PipelinePolicy {
+    private readonly getTokenForChallenge;
+    private readonly endpoint?;
+    readonly name = "BearerChallengePolicy";
+    constructor(getTokenForChallenge: (request: vscode.AuthenticationWwwAuthenticateRequest) => Promise<string | undefined>, endpoint?: string | undefined);
+    sendRequest(request: PipelineRequest, next: SendRequest): Promise<PipelineResponse>;
+}

package/dist/esm/src/utils/BearerChallengePolicy.js

@@ -0,0 +1,36 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+export function getDefaultScopeFromEndpoint(endpoint) {
+    let base = endpoint ?? 'https://management.azure.com/';
+    base = base.replace(/\/+$/, '');
+    return `${base}/.default`;
+}
+const challengeRetriedRequests = new WeakSet();
+export class BearerChallengePolicy {
+    getTokenForChallenge;
+    endpoint;
+    name = 'BearerChallengePolicy';
+    constructor(getTokenForChallenge, endpoint) {
+        this.getTokenForChallenge = getTokenForChallenge;
+        this.endpoint = endpoint;
+    }
+    async sendRequest(request, next) {
+        const initial = await next(request);
+        if (initial.status === 401 && !challengeRetriedRequests.has(request)) {
+            const header = initial.headers.get('WWW-Authenticate') || initial.headers.get('www-authenticate');
+            if (header) {
+                const scopes = [getDefaultScopeFromEndpoint(this.endpoint)];
+                challengeRetriedRequests.add(request);
+                const token = await this.getTokenForChallenge({ wwwAuthenticate: header, fallbackScopes: scopes });
+                if (token) {
+                    request.headers.set('Authorization', `Bearer ${token}`);
+                    return await next(request);
+                }
+            }
+        }
+        return initial;
+    }
+}
+//# sourceMappingURL=BearerChallengePolicy.js.map

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@microsoft/vscode-azext-azureauth",
     "author": "Microsoft Corporation",
-    "version": "6.0.0-alpha.4",
+    "version": "6.0.0-alpha.6",
     "description": "Azure authentication helpers for Visual Studio Code",
     "tags": [
         "azure",
@@ -55,6 +55,7 @@
     },
     "dependencies": {
         "@azure/arm-resources-subscriptions": "^2.1.0",
+        "@azure/core-rest-pipeline": "^1.22.2",
         "@azure/identity": "^4.13.0",
         "@azure/ms-rest-azure-env": "^2.0.0"
     },