@rockcarver/frodo-lib 0.17.0 → 0.17.2-0

package/esm/api/VariablesApi.test.mjs

@@ -1,65 +1,81 @@
+/**
+ * To record and update snapshots, you must perform 3 steps in order:
+ *
+ * 1. Record API responses & update ESM snapshots
+ *
+ *    To record and update ESM snapshots, you must call the test:record
+ *    script and override all the connection state variables required
+ *    to connect to the env to record from:
+ *
+ *        FRODO_DEBUG=1 FRODO_HOST=volker-dev npm run test:record VariablesApi
+ *
+ *    The above command assumes that you have a connection profile for
+ *    'volker-dev' on your development machine.
+ *
+ * 2. Update CJS snapshots
+ *
+ *    After recording, the ESM snapshots will already be updated as that happens
+ *    in one go, but you musty manually update the CJS snapshots by running:
+ *
+ *        FRODO_DEBUG=1 npm run test:update VariablesApi
+ *
+ * 3. Test your changes
+ *
+ *    If 1 and 2 didn't produce any errors, you are ready to run the tests in
+ *    replay mode and make sure they all succeed as well:
+ *
+ *        npm run test VariablesApi
+ *
+ * Note: FRODO_DEBUG=1 is optional and enables debug logging for some output
+ * in case things don't function as expected
+ */
 import { VariablesRaw } from '../index';
-import autoSetupPolly from '../utils/AutoSetupPolly';
-const pollyContext = autoSetupPolly();
+import { autoSetupPolly } from '../utils/AutoSetupPolly';
+autoSetupPolly();
 describe('VariablesApi', () => {
-  describe('VariablesApi - getVariables()', () => {
-    test('getVariables() 0: Method is implemented', async () => {
+  describe('getVariables()', () => {
+    test('0: Method is implemented', async () => {
       expect(VariablesRaw.getVariables).toBeDefined();
     });
-    test('getVariables() 1: Get all variables - success', async () => {
+    test('1: Get all variables - success', async () => {
       const response = await VariablesRaw.getVariables();
       expect(response).toMatchSnapshot();
     });
-    test('getVariables() 2: Get all variables - error', async () => {
-      try {
-        await VariablesRaw.getVariables();
-      } catch (error) {
-        expect(error.response.data).toMatchSnapshot();
-      }
-    });
   });
-  describe('VariablesApi - getVariable()', () => {
-    test('getVariable() 0: Method is implemented', async () => {
+  describe('getVariable()', () => {
+    test('0: Method is implemented', async () => {
       expect(VariablesRaw.getVariable).toBeDefined();
     });
-    test('getVariable() 1: Get existing variable: esv-volkerstestvariable1', async () => {
+    test('1: Get existing variable: esv-volkerstestvariable1', async () => {
       const response = await VariablesRaw.getVariable('esv-volkerstestvariable1');
       expect(response).toMatchSnapshot();
     });
-    test('getVariable() 2: Get non-existing variable: esv-does-not-exist', async () => {
+    test('2: Get non-existing variable: esv-does-not-exist', async () => {
       try {
         await VariablesRaw.getVariable('esv-does-not-exist');
       } catch (error) {
-        // expect(error.response.status).toBe(404);
         expect(error.response.data).toMatchSnapshot();
       }
     });
   });
-  describe('VariablesApi - putVariable()', () => {
-    test('putVariable() 0: Method is implemented', async () => {
+  describe('putVariable()', () => {
+    test('0: Method is implemented', async () => {
       expect(VariablesRaw.putVariable).toBeDefined();
     });
-    test('putVariable() 1: Create variable: esv-volkerstestvariable2 - success', async () => {
+    test('1: Create variable: esv-volkerstestvariable2 - success', async () => {
       const response = await VariablesRaw.putVariable('esv-volkerstestvariable2', "Volker's Test Variable Value", "Volker's Test Variable Description");
       expect(response).toMatchSnapshot();
     });
-    test('putVariable() 2: Create variable: esv-volkerstestvariable2 - error', async () => {
-      try {
-        await VariablesRaw.putVariable('esv-volkerstestvariable2', "Volker's Test Variable Value", "Volker's Test Variable Description");
-      } catch (error) {
-        expect(error.response.data).toMatchSnapshot();
-      }
-    });
   });
-  describe('VariablesApi - setVariableDescription()', () => {
-    test('setVariableDescription() 0: Method is implemented', async () => {
+  describe('setVariableDescription()', () => {
+    test('0: Method is implemented', async () => {
       expect(VariablesRaw.setVariableDescription).toBeDefined();
     });
-    test('setVariableDescription() 1: Set variable description: esv-volkerstestvariable2 - success', async () => {
+    test('1: Set variable description: esv-volkerstestvariable2 - success', async () => {
       const response = await VariablesRaw.setVariableDescription('esv-volkerstestvariable2', "Volker's Updated Test Secret Description");
       expect(response).toMatchSnapshot();
     });
-    test('setVariableDescription() 2: Set variable description: esv-volkerstestvariable3 - error', async () => {
+    test('2: Set variable description: esv-volkerstestvariable3 - error', async () => {
       try {
         await VariablesRaw.setVariableDescription('esv-volkerstestvariable3', "Volker's Updated Test Secret Description");
       } catch (error) {
@@ -67,15 +83,15 @@ describe('VariablesApi', () => {
       }
     });
   });
-  describe('VariablesApi - deleteVariable()', () => {
-    test('deleteVariable() 0: Method is implemented', async () => {
+  describe('deleteVariable()', () => {
+    test('0: Method is implemented', async () => {
       expect(VariablesRaw.deleteVariable).toBeDefined();
     });
-    test('deleteVariable() 1: Delete variable: esv-volkerstestvariable2 - success', async () => {
+    test('1: Delete variable: esv-volkerstestvariable2 - success', async () => {
       const response = await VariablesRaw.deleteVariable('esv-volkerstestvariable2');
       expect(response).toMatchSnapshot();
     });
-    test('deleteVariable() 2: Delete variable: esv-volkerstestvariable3 - error', async () => {
+    test('2: Delete variable: esv-volkerstestvariable3 - error', async () => {
       try {
         await VariablesRaw.deleteVariable('esv-volkerstestvariable3');
       } catch (error) {

package/esm/ops/AuthenticateOps.mjs

@@ -87,7 +87,7 @@ function checkAndHandle2FA(payload) {
  * @param {string} deploymentType deployment type
  */
 function determineDefaultRealm(deploymentType) {
-  if (state.getRealm() === globalConfig.DEFAULT_REALM_KEY) {
+  if (!state.getRealm() || state.getRealm() === globalConfig.DEFAULT_REALM_KEY) {
     state.setRealm(globalConfig.DEPLOYMENT_TYPE_REALM_MAP[deploymentType]);
   }
 }
@@ -238,6 +238,7 @@ async function getAuthCode(redirectURL, codeChallenge, codeChallengeMethod) {
  * @returns {Promise<string | null>} access token or null
  */
 async function getAccessTokenForUser() {
+  debugMessage(`AuthenticateOps.getAccessTokenForUser: start`);
   try {
     const verifier = encodeBase64Url(randomBytes(32));
     const challenge = encodeBase64Url(createHash('sha256').update(verifier).digest());
@@ -263,6 +264,7 @@ async function getAccessTokenForUser() {
       response = await accessToken(bodyFormData);
     }
     if ('access_token' in response.data) {
+      debugMessage(`AuthenticateOps.getAccessTokenForUser: end with token`);
       return response.data.access_token;
     }
     printMessage('No access token in response.', 'error');
@@ -271,6 +273,7 @@ async function getAccessTokenForUser() {
     debugMessage(`Error getting access token for user: ${error}`);
     debugMessage((_error$response2 = error.response) === null || _error$response2 === void 0 ? void 0 : _error$response2.data);
   }
+  debugMessage(`AuthenticateOps.getAccessTokenForUser: end without token`);
   return null;
 }
 function createPayload(serviceAccountId) {
@@ -328,6 +331,7 @@ async function determineDeploymentTypeAndDefaultRealmAndVersion() {
     state.setDeploymentType(await determineDeploymentType());
   }
   determineDefaultRealm(state.getDeploymentType());
+  debugMessage(`AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: realm=${state.getRealm()}, type=${state.getDeploymentType()}`);
   const versionInfo = (await getServerVersionInfo()).data;
 
   // https://github.com/rockcarver/frodo-cli/issues/109
@@ -351,6 +355,7 @@ async function getLoggedInSubject() {
  * @returns {Promise<boolean>} true if tokens were successfully obtained, false otherwise
  */
 export async function getTokens() {
+  debugMessage(`AuthenticateOps.getTokens: start`);
   if (!state.getHost()) {
     printMessage(`No host specified and FRODO_HOST env variable not set!`, 'error');
     return false;
@@ -393,10 +398,17 @@ export async function getTokens() {
       const token = await authenticate(state.getUsername(), state.getPassword());
       if (token) state.setCookieValue(token);
       await determineDeploymentTypeAndDefaultRealmAndVersion();
+      debugMessage(`AuthenticateOps.getTokens: before bearer`);
+      debugMessage(`AuthenticateOps.getTokens: cookie=${state.getCookieValue()}`);
+      debugMessage(`AuthenticateOps.getTokens: bearer=${state.getBearerToken()}`);
+      debugMessage(`AuthenticateOps.getTokens: type=${state.getDeploymentType()}`);
+      debugMessage(`AuthenticateOps.getTokens: condition=${state.getCookieValue() && !state.getBearerToken() && (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY || state.getDeploymentType() === globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY)}`);
       if (state.getCookieValue() && !state.getBearerToken() && (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY || state.getDeploymentType() === globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY)) {
+        debugMessage(`AuthenticateOps.getTokens: in bearer`);
         const accessToken = await getAccessTokenForUser();
         if (accessToken) state.setBearerToken(accessToken);
       }
+      debugMessage(`AuthenticateOps.getTokens: after bearer`);
     }
     // incomplete or no credentials
     else {
@@ -406,6 +418,7 @@ export async function getTokens() {
     if (state.getCookieValue() || state.getUseBearerTokenForAmApis() && state.getBearerToken()) {
       // https://github.com/rockcarver/frodo-cli/issues/102
       printMessage(`Connected to ${state.getHost()} [${state.getRealm() ? state.getRealm() : 'root'}] as ${await getLoggedInSubject()}`, 'info');
+      debugMessage(`AuthenticateOps.getTokens: end with tokens`);
       return true;
     }
   } catch (error) {
@@ -421,6 +434,7 @@ export async function getTokens() {
     // stack trace
     debugMessage(error.stack || new Error().stack);
   }
+  debugMessage(`AuthenticateOps.getTokens: end without tokens`);
   return false;
 }
 //# sourceMappingURL=AuthenticateOps.js.map

package/esm/ops/AuthenticateOps.test.mjs

@@ -1,16 +1,67 @@
+/**
+ * To record and update snapshots, you must perform 3 steps in order:
+ *
+ * 1. Record API responses & update ESM snapshots
+ *
+ *    To record and update ESM snapshots, you must call the test:record_noauth
+ *    script and override all the connection state variables supplied to the
+ *    getTokens() function by the test to connect to the env to record from:
+ *
+ *        FRODO_DEBUG=1 FRODO_HOST=https://openam-volker-dev.forgeblocks.com/am \
+ *        FRODO_USERNAME=volker.scheuber@forgerock.com FRODO_PASSWORD='S3cr3!S@uc3' \
+ *        npm run test:record_noauth AuthenticateOps
+ *
+ * 2. Update CJS snapshots
+ *
+ *    After recording, the ESM snapshots will already be updated as that happens
+ *    in one go, but you musty manually update the CJS snapshots by running:
+ *
+ *        FRODO_DEBUG=1 npm run test:update AuthenticateOps
+ *
+ * 3. Test your changes
+ *
+ *    If 1 and 2 didn't produce any errors, you are ready to run the tests in
+ *    replay mode and make sure they all succeed as well:
+ *
+ *        npm run test AuthenticateOps
+ *
+ * Note: FRODO_DEBUG=1 is optional and enables debug logging for some output
+ * in case things don't function as expected
+ */
+import { jest } from '@jest/globals';
 import { Authenticate, state } from '../index';
-describe('AuthenticationOps', () => {
-  test('getTokens() 1: ', async () => {
-    state.setHost(process.env.FRODO_HOST || 'frodo-dev');
-    state.setRealm('alpha');
-    if (process.env.FRODO_HOST && process.env.FRODO_USER && process.env.FRODO_PASSWORD) {
-      state.setUsername(process.env.FRODO_USER);
-      state.setPassword(process.env.FRODO_PASSWORD);
-    }
-    await Authenticate.getTokens();
-    expect(state.getCookieName()).toBeTruthy();
-    expect(state.getCookieValue()).toBeTruthy();
-    expect(state.getBearerToken()).toBeTruthy();
+import { autoSetupPolly, defaultMatchRequestsBy } from '../utils/AutoSetupPolly';
+
+// need to modify the default matching rules to allow the mocking to work for an authentication flow.
+const matchConfig = defaultMatchRequestsBy();
+matchConfig.body = false; // oauth flows are tricky because of the PKCE challenge, which is different for each request
+matchConfig.order = true; // since we instruct Polly not to match the body, we need to enable ordering of the requests
+
+autoSetupPolly(matchConfig);
+
+// Increase timeout for this test as pipeline keeps failing with error:
+// Timeout - Async callback was not invoked within the 5000 ms timeout specified by jest.setTimeout.
+jest.setTimeout(30000);
+describe('AuthenticateOps', () => {
+  describe('getTokens()', () => {
+    test('0: Method is implemented', async () => {
+      expect(Authenticate.getTokens).toBeDefined();
+    });
+    test('1: Authenticate successfully as user', async () => {
+      state.setHost(process.env.FRODO_HOST || 'https://openam-frodo-dev.forgeblocks.com/am');
+      state.setRealm(process.env.FRODO_REALM || 'alpha');
+      state.setUsername(process.env.FRODO_USERNAME || 'mockUser');
+      state.setPassword(process.env.FRODO_PASSWORD || 'mockPassword');
+      const result = await Authenticate.getTokens();
+      expect(result).toBe(true);
+      expect(state.getDeploymentType()).toEqual('cloud');
+      expect(state.getCookieName()).toBeTruthy();
+      expect(state.getCookieValue()).toBeTruthy();
+      expect(state.getBearerToken()).toBeTruthy();
+      expect(state.getCookieName()).toMatchSnapshot();
+      expect(state.getCookieValue()).toMatchSnapshot();
+      expect(state.getBearerToken()).toMatchSnapshot();
+    });
   });
 });
 //# sourceMappingURL=AuthenticateOps.test.js.map

package/esm/ops/ServiceAccountOps.test.mjs

@@ -1,3 +1,4 @@
+import { jest } from '@jest/globals';
 import axios from 'axios';
 import MockAdapter from 'axios-mock-adapter';
 import { state } from '../index';
@@ -7,6 +8,10 @@ import * as ServiceAccount from './ServiceAccountOps';
 import { mockCreateManagedObject } from '../test/mocks/ForgeRockApiMockEngine';
 import { isEqualJson } from './utils/OpsUtils';
 const mock = new MockAdapter(axios);
+
+// Increase timeout for this test as pipeline keeps failing with error:
+// Timeout - Async callback was not invoked within the 5000 ms timeout specified by jest.setTimeout.
+jest.setTimeout(30000);
 const outputHandler = message => {
   console.log(message);
 };

package/esm/shared/State.mjs

@@ -4,7 +4,47 @@ import { fileURLToPath } from 'url';
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(fs.readFileSync(path.resolve(__dirname, '../../package.json'), 'utf8'));
 const _state = {
-  authenticationHeaderOverrides: {}
+  authenticationHeaderOverrides: {},
+  printHandler: message => {
+    if (!message) return;
+    if (typeof message === 'object') {
+      console.dir(message, {
+        depth: 3
+      });
+    } else {
+      console.log(message);
+    }
+  },
+  verboseHandler: message => {
+    if (!message) return;
+    if (getVerbose()) {
+      if (typeof message === 'object') {
+        console.dir(message, {
+          depth: 3
+        });
+      } else {
+        console.log(message);
+      }
+    }
+  },
+  debugHandler: message => {
+    if (!message) return;
+    if (getDebug()) {
+      if (typeof message === 'object') {
+        console.dir(message, {
+          depth: 6
+        });
+      } else {
+        console.log(message);
+      }
+    }
+  },
+  curlirizeHandler: message => {
+    if (!message) return;
+    if (getDebug()) {
+      console.log(message);
+    }
+  }
 };
 export const setHost = host => _state.host = host;
 export const getHost = () => _state.host || process.env.FRODO_HOST;

package/esm/test/mocks/TreeApi/putTree/FrodoTest.json

@@ -1,6 +1,4 @@
 {
-  "_id": "FrodoTest",
-  "_rev": "189750709",
   "identityResource": "managed/alpha_user",
   "uiConfig": {
     "categories": "[]"

package/esm/utils/AutoSetupPolly.mjs

@@ -13,30 +13,57 @@ const {
 Polly.register(NodeHttpAdapter);
 Polly.register(FSPersister);
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
-state.setHost('https://openam-frodo-dev.forgeblocks.com/am');
-state.setRealm('alpha');
-let recordIfMissing = true;
+let recordIfMissing = false;
 let mode = MODES.REPLAY;
 
 // resolve "/home/sandeepc/work/ForgeRock/sources/frodo-lib/esm/api" to
 // "/home/sandeepc/work/ForgeRock/sources/frodo-lib/src/test/recordings"
 const recordingsDir = __dirname.replace(/^(.*\/frodo-\w{3})(.*)$/gi, '$1/src/test/mock-recordings');
 switch (process.env.FRODO_POLLY_MODE) {
+  // record mock responses from a real env: `npm run test:record`
   case 'record':
+    {
+      state.setHost(process.env.FRODO_HOST || 'https://openam-frodo-dev.forgeblocks.com/am');
+      state.setRealm(process.env.FRODO_REALM || 'alpha');
+      if (!(await getTokens())) throw new Error(`Unable to record mock responses from '${state.getHost()}'`);
+      mode = MODES.RECORD;
+      recordIfMissing = true;
+      break;
+    }
+  // record mock responses from authentication APIs (don't authenticate): `npm run test:record_noauth`
+  case 'record_noauth':
     mode = MODES.RECORD;
-    await getTokens();
-    break;
-  case 'replay':
-    mode = MODES.REPLAY;
-    state.default.session.setCookieName('cookieName');
-    state.default.session.setCookieValue('cookieValue');
+    recordIfMissing = true;
     break;
-  case 'offline':
-    mode = MODES.REPLAY;
-    recordIfMissing = false;
+  // replay mock responses: `npm test`
+  default:
+    state.setHost(process.env.FRODO_HOST || 'https://openam-frodo-dev.forgeblocks.com/am');
+    state.setRealm(process.env.FRODO_REALM || 'alpha');
+    state.setCookieName('cookieName');
+    state.setCookieValue('cookieValue');
     break;
 }
-export default function autoSetupPolly() {
+export function defaultMatchRequestsBy() {
+  return JSON.parse(JSON.stringify({
+    method: true,
+    headers: false,
+    // do not match headers, because "Authorization" header is sent only at recording time
+    body: true,
+    order: false,
+    url: {
+      protocol: true,
+      username: false,
+      password: false,
+      hostname: false,
+      // we will record from different envs but run tests always against `frodo-dev`
+      port: false,
+      pathname: true,
+      query: true,
+      hash: true
+    }
+  }));
+}
+export function autoSetupPolly(matchRequestsBy = defaultMatchRequestsBy()) {
   return setupPolly({
     adapters: ['node-http'],
     mode,
@@ -50,23 +77,7 @@ export default function autoSetupPolly() {
         recordingsDir
       }
     },
-    matchRequestsBy: {
-      method: true,
-      headers: false,
-      // do not match headers, because "Authorization" header is sent only at recording time
-      body: true,
-      order: false,
-      url: {
-        protocol: true,
-        username: false,
-        password: false,
-        hostname: true,
-        port: false,
-        pathname: true,
-        query: true,
-        hash: true
-      }
-    }
+    matchRequestsBy
   });
 }
 //# sourceMappingURL=AutoSetupPolly.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rockcarver/frodo-lib",
-  "version": "0.17.0",
+  "version": "0.17.2-0",
   "type": "commonjs",
   "main": "./cjs/index.js",
   "module": "./esm/index.mjs",
@@ -15,10 +15,10 @@
   "scripts": {
     "test": "npx gulp && node --no-warnings --experimental-vm-modules --experimental-specifier-resolution=node node_modules/jest/bin/jest.js --silent",
     "test:only": "node --no-warnings --experimental-vm-modules --experimental-specifier-resolution=node node_modules/jest/bin/jest.js --silent",
-    "test:record": "npm run test:record:esm && npm run test:update:cjs",
-    "test:record:esm": "FRODO_POLLY_MODE=record node --no-warnings --experimental-vm-modules --experimental-specifier-resolution=node node_modules/jest/bin/jest.js --silent esm -u",
-    "test:update:cjs": "node --no-warnings --experimental-vm-modules --experimental-specifier-resolution=node node_modules/jest/bin/jest.js --silent cjs -u",
     "test:debug": "node --no-warnings --experimental-vm-modules --experimental-specifier-resolution=node node_modules/jest/bin/jest.js --verbose=true --silent=false",
+    "test:record": "FRODO_POLLY_MODE=record node --no-warnings --experimental-vm-modules --experimental-specifier-resolution=node node_modules/jest/bin/jest.js --verbose=true --silent=false --updateSnapshot --testPathIgnorePatterns cjs --testPathPattern",
+    "test:record_noauth": "FRODO_POLLY_MODE=record_noauth node --no-warnings --experimental-vm-modules --experimental-specifier-resolution=node node_modules/jest/bin/jest.js --verbose=true --silent=false --updateSnapshot --testPathIgnorePatterns cjs --testPathPattern",
+    "test:update": "node --no-warnings --experimental-vm-modules --experimental-specifier-resolution=node node_modules/jest/bin/jest.js --verbose=true --silent=false --updateSnapshot --testPathIgnorePatterns esm --testPathPattern",
     "lint": "npx eslint --ext .ts --ignore-path .gitignore .",
     "build": "npx gulp",
     "watch": "npx gulp watch"

package/types/ops/AuthenticateOps.d.ts.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/ops/AuthenticateOps.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,MAAM,EAAwB,MAAM,WAAW,CAAC;AA+SzD;;;;;GAKG;AACH,wBAAsB,+BAA+B,CACnD,gBAAgB,EAAE,MAAM,EACxB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqBxB;AAkCD;;;;GAIG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC,CA6GlD","file":"AuthenticateOps.d.ts","sourcesContent":["import url from 'url';\nimport { createHash, randomBytes } from 'crypto';\nimport readlineSync from 'readline-sync';\nimport { encodeBase64Url } from '../api/utils/Base64';\nimport * as state from '../shared/State';\nimport * as globalConfig from '../storage/StaticStorage';\nimport { debugMessage, printMessage, verboseMessage } from './utils/Console';\nimport { getServerInfo, getServerVersionInfo } from '../api/ServerInfoApi';\nimport { step } from '../api/AuthenticateApi';\nimport { accessToken, authorize } from '../api/OAuth2OIDCApi';\nimport { getConnectionProfile } from './ConnectionProfileOps';\nimport { v4 } from 'uuid';\nimport { parseUrl } from '../api/utils/ApiUtils';\nimport { JwkRsa, createSignedJwtToken } from './JoseOps';\nimport { getManagedObject } from '../api/ManagedObjectApi';\n\nconst adminClientPassword = 'doesnotmatter';\nconst redirectUrlTemplate = '/platform/appAuthHelperRedirect.html';\n\nconst idmAdminScopes = 'fr:idm:* openid';\nconst serviceAccountScopes = 'fr:am:* fr:idm:* fr:idc:esv:*';\n\nlet adminClientId = 'idmAdminClient';\n\n/**\n * Helper function to get cookie name\n * @returns {String} cookie name\n */\nasync function determineCookieName() {\n  try {\n    const { data } = await getServerInfo();\n    debugMessage(\n      `AuthenticateOps.getCookieName: cookieName=${data.cookieName}`\n    );\n    return data.cookieName;\n  } catch (error) {\n    printMessage(`Error getting cookie name: ${error}`, 'error');\n    debugMessage(error.stack);\n    return null;\n  }\n}\n\n/**\n * Helper function to determine if this is a setup mfa prompt in the ID Cloud tenant admin login journey\n * @param {Object} payload response from the previous authentication journey step\n * @returns {Object} an object indicating if 2fa is required and the original payload\n */\nfunction checkAndHandle2FA(payload) {\n  // let skippable = false;\n  if ('callbacks' in payload) {\n    for (const element of payload.callbacks) {\n      if (element.type === 'HiddenValueCallback') {\n        if (element.input[0].value.includes('skip')) {\n          // skippable = true;\n          element.input[0].value = 'Skip';\n          return {\n            need2fa: true,\n            payload,\n          };\n        }\n      }\n      if (element.type === 'NameCallback') {\n        if (element.output[0].value.includes('code')) {\n          // skippable = false;\n          printMessage('2FA is enabled and required for this user...');\n          const code = readlineSync.question(`${element.output[0].value}: `);\n          element.input[0].value = code;\n          return {\n            need2fa: true,\n            payload,\n          };\n        }\n      }\n    }\n    // console.info(\"NO2FA\");\n    return {\n      need2fa: false,\n      payload,\n    };\n  }\n  // console.info(\"NO2FA\");\n  return {\n    need2fa: false,\n    payload,\n  };\n}\n\n/**\n * Helper function to set the default realm by deployment type\n * @param {string} deploymentType deployment type\n */\nfunction determineDefaultRealm(deploymentType: string) {\n  if (state.getRealm() === globalConfig.DEFAULT_REALM_KEY) {\n    state.setRealm(globalConfig.DEPLOYMENT_TYPE_REALM_MAP[deploymentType]);\n  }\n}\n\n/**\n * Helper function to determine the deployment type\n * @returns {Promise<string>} deployment type\n */\nasync function determineDeploymentType(): Promise<string> {\n  const cookieValue = state.getCookieValue();\n  // https://bugster.forgerock.org/jira/browse/FRAAS-13018\n  // There is a chance that this will be blocked due to security concerns and thus is probably best not to keep active\n  // if (!cookieValue && getUseBearerTokenForAmApis()) {\n  //   const token = await getTokenInfo();\n  //   cookieValue = token.sessionToken;\n  //   setCookieValue(cookieValue);\n  // }\n\n  // if we are using a service account, we know it's cloud\n  if (state.getUseBearerTokenForAmApis())\n    return globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n\n  const fidcClientId = 'idmAdminClient';\n  const forgeopsClientId = 'idm-admin-ui';\n\n  const verifier = encodeBase64Url(randomBytes(32));\n  const challenge = encodeBase64Url(\n    createHash('sha256').update(verifier).digest()\n  );\n  const challengeMethod = 'S256';\n  const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n\n  const config = {\n    maxRedirects: 0,\n    headers: {\n      [state.getCookieName()]: state.getCookieValue(),\n    },\n  };\n  let bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${fidcClientId}&csrf=${cookieValue}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n\n  let deploymentType = globalConfig.CLASSIC_DEPLOYMENT_TYPE_KEY;\n  try {\n    await authorize(bodyFormData, config);\n  } catch (e) {\n    // debugMessage(e.response);\n    if (\n      e.response?.status === 302 &&\n      e.response.headers?.location?.indexOf('code=') > -1\n    ) {\n      verboseMessage(`ForgeRock Identity Cloud`['brightCyan'] + ` detected.`);\n      deploymentType = globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n    } else {\n      try {\n        bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${forgeopsClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n        await authorize(bodyFormData, config);\n      } catch (ex) {\n        if (\n          ex.response?.status === 302 &&\n          ex.response.headers?.location?.indexOf('code=') > -1\n        ) {\n          adminClientId = forgeopsClientId;\n          verboseMessage(`ForgeOps deployment`['brightCyan'] + ` detected.`);\n          deploymentType = globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY;\n        } else {\n          verboseMessage(`Classic deployment`['brightCyan'] + ` detected.`);\n        }\n      }\n    }\n  }\n  return deploymentType;\n}\n\n/**\n * Helper function to extract the semantic version string from a version info object\n * @param {Object} versionInfo version info object\n * @returns {String} semantic version\n */\nasync function getSemanticVersion(versionInfo) {\n  if ('version' in versionInfo) {\n    const versionString = versionInfo.version;\n    const rx = /([\\d]\\.[\\d]\\.[\\d](\\.[\\d])*)/g;\n    const version = versionString.match(rx);\n    return version[0];\n  }\n  throw new Error('Cannot extract semantic version from version info object.');\n}\n\n/**\n * Helper function to authenticate and obtain and store session cookie\n * @returns {string} Session token or null\n */\nasync function authenticate(\n  username: string,\n  password: string\n): Promise<string> {\n  const config = {\n    headers: {\n      'X-OpenAM-Username': username,\n      'X-OpenAM-Password': password,\n    },\n  };\n  const response1 = await step({}, config);\n  const skip2FA = checkAndHandle2FA(response1);\n  let response2 = {};\n  if (skip2FA.need2fa) {\n    response2 = await step(skip2FA.payload);\n  } else {\n    response2 = skip2FA.payload;\n  }\n  if ('tokenId' in response2) {\n    return response2['tokenId'] as string;\n  }\n  return null;\n}\n\n/**\n * Helper function to obtain an oauth2 authorization code\n * @param {string} redirectURL oauth2 redirect uri\n * @param {string} codeChallenge PKCE code challenge\n * @param {string} codeChallengeMethod PKCE code challenge method\n * @returns {string} oauth2 authorization code or null\n */\nasync function getAuthCode(redirectURL, codeChallenge, codeChallengeMethod) {\n  try {\n    const bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${adminClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${codeChallenge}&code_challenge_method=${codeChallengeMethod}`;\n    const config = {\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n      },\n      maxRedirects: 0,\n    };\n    let response = undefined;\n    try {\n      response = await authorize(bodyFormData, config);\n    } catch (error) {\n      response = error.response;\n    }\n    if (response.status < 200 || response.status > 399) {\n      printMessage('error getting auth code', 'error');\n      printMessage(\n        'likely cause: mismatched parameters with OAuth client config',\n        'error'\n      );\n      return null;\n    }\n    const redirectLocationURL = response.headers?.location;\n    const queryObject = url.parse(redirectLocationURL, true).query;\n    if ('code' in queryObject) {\n      return queryObject.code;\n    }\n    printMessage('auth code not found', 'error');\n    return null;\n  } catch (error) {\n    printMessage(`error getting auth code - ${error.message}`, 'error');\n    printMessage(error.response?.data, 'error');\n    debugMessage(error.stack);\n    return null;\n  }\n}\n\n/**\n * Helper function to obtain oauth2 access token\n * @returns {Promise<string | null>} access token or null\n */\nasync function getAccessTokenForUser(): Promise<string | null> {\n  try {\n    const verifier = encodeBase64Url(randomBytes(32));\n    const challenge = encodeBase64Url(\n      createHash('sha256').update(verifier).digest()\n    );\n    const challengeMethod = 'S256';\n    const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n    const authCode = await getAuthCode(redirectURL, challenge, challengeMethod);\n    if (authCode == null) {\n      printMessage('error getting auth code', 'error');\n      return null;\n    }\n    let response = null;\n    if (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY) {\n      const config = {\n        auth: {\n          username: adminClientId,\n          password: adminClientPassword,\n        },\n      };\n      const bodyFormData = `redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n      response = await accessToken(bodyFormData, config);\n    } else {\n      const bodyFormData = `client_id=${adminClientId}&redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n      response = await accessToken(bodyFormData);\n    }\n    if ('access_token' in response.data) {\n      return response.data.access_token;\n    }\n    printMessage('No access token in response.', 'error');\n  } catch (error) {\n    debugMessage(`Error getting access token for user: ${error}`);\n    debugMessage(error.response?.data);\n  }\n  return null;\n}\n\nfunction createPayload(serviceAccountId: string) {\n  const u = parseUrl(state.getHost());\n  const aud = `${u.origin}:${\n    u.port ? u.port : u.protocol === 'https' ? '443' : '80'\n  }${u.pathname}/oauth2/access_token`;\n\n  // Cross platform way of setting JWT expiry time 3 minutes in the future, expressed as number of seconds since EPOCH\n  const exp = Math.floor(new Date().getTime() / 1000 + 180);\n\n  // A unique ID for the JWT which is required when requesting the openid scope\n  const jti = v4();\n\n  const iss = serviceAccountId;\n  const sub = serviceAccountId;\n\n  // Create the payload for our bearer token\n  const payload = { iss, sub, aud, exp, jti };\n\n  return payload;\n}\n\n/**\n * Get access token for service account\n * @param {string} serviceAccountId UUID of service account\n * @param {JwkRsa} jwk Java Wek Key\n * @returns {string | null} Access token or null\n */\nexport async function getAccessTokenForServiceAccount(\n  serviceAccountId: string,\n  jwk: JwkRsa\n): Promise<string | null> {\n  debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: start`);\n  const payload = createPayload(serviceAccountId);\n  debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: payload:`);\n  debugMessage(payload);\n  const jwt = await createSignedJwtToken(payload, jwk);\n  debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: jwt:`);\n  debugMessage(jwt);\n  const bodyFormData = `assertion=${jwt}&client_id=service-account&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=${serviceAccountScopes}`;\n  const response = await accessToken(bodyFormData);\n  if ('access_token' in response.data) {\n    debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: token:`);\n    debugMessage(response.data.access_token);\n    debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n    return response.data.access_token;\n  }\n  debugMessage(\n    `AuthenticateOps.getAccessTokenForServiceAccount: No access token in response.`\n  );\n  debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n  return null;\n}\n\nasync function determineDeploymentTypeAndDefaultRealmAndVersion() {\n  debugMessage(\n    `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: start`\n  );\n  if (!state.getDeploymentType()) {\n    state.setDeploymentType(await determineDeploymentType());\n  }\n  determineDefaultRealm(state.getDeploymentType());\n\n  const versionInfo = (await getServerVersionInfo()).data;\n\n  // https://github.com/rockcarver/frodo-cli/issues/109\n  debugMessage(`Full version: ${versionInfo.fullVersion}`);\n\n  const version = await getSemanticVersion(versionInfo);\n  state.setAmVersion(version);\n  debugMessage(\n    `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: end`\n  );\n}\n\nasync function getLoggedInSubject(): Promise<string> {\n  let subjectString = `user ${state.getUsername()}`;\n  if (state.getUseBearerTokenForAmApis()) {\n    const name = (\n      await getManagedObject('svcacct', state.getServiceAccountId(), ['name'])\n    ).data.name;\n    subjectString = `service account ${name} [${state.getServiceAccountId()}]`;\n  }\n  return subjectString;\n}\n\n/**\n * Get tokens\n * @param {boolean} save true to save a connection profile upon successful authentication, false otherwise\n * @returns {Promise<boolean>} true if tokens were successfully obtained, false otherwise\n */\nexport async function getTokens(): Promise<boolean> {\n  if (!state.getHost()) {\n    printMessage(\n      `No host specified and FRODO_HOST env variable not set!`,\n      'error'\n    );\n    return false;\n  }\n  try {\n    // if username/password on cli are empty, try to read from connections.json\n    if (\n      state.getUsername() == null &&\n      state.getPassword() == null &&\n      !state.getServiceAccountId() &&\n      !state.getServiceAccountJwk()\n    ) {\n      const conn = await getConnectionProfile();\n      if (conn) {\n        state.setHost(conn.tenant);\n        state.setUsername(conn.username);\n        state.setPassword(conn.password);\n        state.setAuthenticationService(conn.authenticationService);\n        state.setAuthenticationHeaderOverrides(\n          conn.authenticationHeaderOverrides\n        );\n        state.setServiceAccountId(conn.svcacctId);\n        state.setServiceAccountJwk(conn.svcacctJwk);\n      } else {\n        return false;\n      }\n    }\n    // now that we have the full tenant URL we can lookup the cookie name\n    state.setCookieName(await determineCookieName());\n\n    // use service account to login?\n    if (state.getServiceAccountId() && state.getServiceAccountJwk()) {\n      debugMessage(\n        `AuthenticateOps.getTokens: Authenticating with service account ${state.getServiceAccountId()}`\n      );\n      try {\n        const token = await getAccessTokenForServiceAccount(\n          state.getServiceAccountId(),\n          state.getServiceAccountJwk()\n        );\n        state.setBearerToken(token);\n        state.setUseBearerTokenForAmApis(true);\n        await determineDeploymentTypeAndDefaultRealmAndVersion();\n      } catch (saErr) {\n        throw new Error(\n          `Service account login error: ${\n            saErr.response?.data?.error_description ||\n            saErr.response?.data?.message\n          }`\n        );\n      }\n    }\n    // use user account to login\n    else if (state.getUsername() && state.getPassword()) {\n      debugMessage(\n        `AuthenticateOps.getTokens: Authenticating with user account ${state.getUsername()}`\n      );\n      const token = await authenticate(\n        state.getUsername(),\n        state.getPassword()\n      );\n      if (token) state.setCookieValue(token);\n      await determineDeploymentTypeAndDefaultRealmAndVersion();\n      if (\n        state.getCookieValue() &&\n        !state.getBearerToken() &&\n        (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY ||\n          state.getDeploymentType() ===\n            globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY)\n      ) {\n        const accessToken = await getAccessTokenForUser();\n        if (accessToken) state.setBearerToken(accessToken);\n      }\n    }\n    // incomplete or no credentials\n    else {\n      printMessage(`Incomplete or no credentials!`, 'error');\n      return false;\n    }\n    if (\n      state.getCookieValue() ||\n      (state.getUseBearerTokenForAmApis() && state.getBearerToken())\n    ) {\n      // https://github.com/rockcarver/frodo-cli/issues/102\n      printMessage(\n        `Connected to ${state.getHost()} [${\n          state.getRealm() ? state.getRealm() : 'root'\n        }] as ${await getLoggedInSubject()}`,\n        'info'\n      );\n      return true;\n    }\n  } catch (error) {\n    // regular error\n    printMessage(error.message, 'error');\n    // axios error am api\n    printMessage(error.response?.data?.message, 'error');\n    // axios error am oauth2 api\n    printMessage(error.response?.data?.error_description, 'error');\n    // axios error data\n    debugMessage(error.response?.data);\n    // stack trace\n    debugMessage(error.stack || new Error().stack);\n  }\n  return false;\n}\n"]}
+{"version":3,"sources":["../src/ops/AuthenticateOps.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,MAAM,EAAwB,MAAM,WAAW,CAAC;AAqTzD;;;;;GAKG;AACH,wBAAsB,+BAA+B,CACnD,gBAAgB,EAAE,MAAM,EACxB,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAqBxB;AAqCD;;;;GAIG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,OAAO,CAAC,CAsIlD","file":"AuthenticateOps.d.ts","sourcesContent":["import url from 'url';\nimport { createHash, randomBytes } from 'crypto';\nimport readlineSync from 'readline-sync';\nimport { encodeBase64Url } from '../api/utils/Base64';\nimport * as state from '../shared/State';\nimport * as globalConfig from '../storage/StaticStorage';\nimport { debugMessage, printMessage, verboseMessage } from './utils/Console';\nimport { getServerInfo, getServerVersionInfo } from '../api/ServerInfoApi';\nimport { step } from '../api/AuthenticateApi';\nimport { accessToken, authorize } from '../api/OAuth2OIDCApi';\nimport { getConnectionProfile } from './ConnectionProfileOps';\nimport { v4 } from 'uuid';\nimport { parseUrl } from '../api/utils/ApiUtils';\nimport { JwkRsa, createSignedJwtToken } from './JoseOps';\nimport { getManagedObject } from '../api/ManagedObjectApi';\n\nconst adminClientPassword = 'doesnotmatter';\nconst redirectUrlTemplate = '/platform/appAuthHelperRedirect.html';\n\nconst idmAdminScopes = 'fr:idm:* openid';\nconst serviceAccountScopes = 'fr:am:* fr:idm:* fr:idc:esv:*';\n\nlet adminClientId = 'idmAdminClient';\n\n/**\n * Helper function to get cookie name\n * @returns {String} cookie name\n */\nasync function determineCookieName() {\n  try {\n    const { data } = await getServerInfo();\n    debugMessage(\n      `AuthenticateOps.getCookieName: cookieName=${data.cookieName}`\n    );\n    return data.cookieName;\n  } catch (error) {\n    printMessage(`Error getting cookie name: ${error}`, 'error');\n    debugMessage(error.stack);\n    return null;\n  }\n}\n\n/**\n * Helper function to determine if this is a setup mfa prompt in the ID Cloud tenant admin login journey\n * @param {Object} payload response from the previous authentication journey step\n * @returns {Object} an object indicating if 2fa is required and the original payload\n */\nfunction checkAndHandle2FA(payload) {\n  // let skippable = false;\n  if ('callbacks' in payload) {\n    for (const element of payload.callbacks) {\n      if (element.type === 'HiddenValueCallback') {\n        if (element.input[0].value.includes('skip')) {\n          // skippable = true;\n          element.input[0].value = 'Skip';\n          return {\n            need2fa: true,\n            payload,\n          };\n        }\n      }\n      if (element.type === 'NameCallback') {\n        if (element.output[0].value.includes('code')) {\n          // skippable = false;\n          printMessage('2FA is enabled and required for this user...');\n          const code = readlineSync.question(`${element.output[0].value}: `);\n          element.input[0].value = code;\n          return {\n            need2fa: true,\n            payload,\n          };\n        }\n      }\n    }\n    // console.info(\"NO2FA\");\n    return {\n      need2fa: false,\n      payload,\n    };\n  }\n  // console.info(\"NO2FA\");\n  return {\n    need2fa: false,\n    payload,\n  };\n}\n\n/**\n * Helper function to set the default realm by deployment type\n * @param {string} deploymentType deployment type\n */\nfunction determineDefaultRealm(deploymentType: string) {\n  if (\n    !state.getRealm() ||\n    state.getRealm() === globalConfig.DEFAULT_REALM_KEY\n  ) {\n    state.setRealm(globalConfig.DEPLOYMENT_TYPE_REALM_MAP[deploymentType]);\n  }\n}\n\n/**\n * Helper function to determine the deployment type\n * @returns {Promise<string>} deployment type\n */\nasync function determineDeploymentType(): Promise<string> {\n  const cookieValue = state.getCookieValue();\n  // https://bugster.forgerock.org/jira/browse/FRAAS-13018\n  // There is a chance that this will be blocked due to security concerns and thus is probably best not to keep active\n  // if (!cookieValue && getUseBearerTokenForAmApis()) {\n  //   const token = await getTokenInfo();\n  //   cookieValue = token.sessionToken;\n  //   setCookieValue(cookieValue);\n  // }\n\n  // if we are using a service account, we know it's cloud\n  if (state.getUseBearerTokenForAmApis())\n    return globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n\n  const fidcClientId = 'idmAdminClient';\n  const forgeopsClientId = 'idm-admin-ui';\n\n  const verifier = encodeBase64Url(randomBytes(32));\n  const challenge = encodeBase64Url(\n    createHash('sha256').update(verifier).digest()\n  );\n  const challengeMethod = 'S256';\n  const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n\n  const config = {\n    maxRedirects: 0,\n    headers: {\n      [state.getCookieName()]: state.getCookieValue(),\n    },\n  };\n  let bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${fidcClientId}&csrf=${cookieValue}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n\n  let deploymentType = globalConfig.CLASSIC_DEPLOYMENT_TYPE_KEY;\n  try {\n    await authorize(bodyFormData, config);\n  } catch (e) {\n    // debugMessage(e.response);\n    if (\n      e.response?.status === 302 &&\n      e.response.headers?.location?.indexOf('code=') > -1\n    ) {\n      verboseMessage(`ForgeRock Identity Cloud`['brightCyan'] + ` detected.`);\n      deploymentType = globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY;\n    } else {\n      try {\n        bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${forgeopsClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${challenge}&code_challenge_method=${challengeMethod}`;\n        await authorize(bodyFormData, config);\n      } catch (ex) {\n        if (\n          ex.response?.status === 302 &&\n          ex.response.headers?.location?.indexOf('code=') > -1\n        ) {\n          adminClientId = forgeopsClientId;\n          verboseMessage(`ForgeOps deployment`['brightCyan'] + ` detected.`);\n          deploymentType = globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY;\n        } else {\n          verboseMessage(`Classic deployment`['brightCyan'] + ` detected.`);\n        }\n      }\n    }\n  }\n  return deploymentType;\n}\n\n/**\n * Helper function to extract the semantic version string from a version info object\n * @param {Object} versionInfo version info object\n * @returns {String} semantic version\n */\nasync function getSemanticVersion(versionInfo) {\n  if ('version' in versionInfo) {\n    const versionString = versionInfo.version;\n    const rx = /([\\d]\\.[\\d]\\.[\\d](\\.[\\d])*)/g;\n    const version = versionString.match(rx);\n    return version[0];\n  }\n  throw new Error('Cannot extract semantic version from version info object.');\n}\n\n/**\n * Helper function to authenticate and obtain and store session cookie\n * @returns {string} Session token or null\n */\nasync function authenticate(\n  username: string,\n  password: string\n): Promise<string> {\n  const config = {\n    headers: {\n      'X-OpenAM-Username': username,\n      'X-OpenAM-Password': password,\n    },\n  };\n  const response1 = await step({}, config);\n  const skip2FA = checkAndHandle2FA(response1);\n  let response2 = {};\n  if (skip2FA.need2fa) {\n    response2 = await step(skip2FA.payload);\n  } else {\n    response2 = skip2FA.payload;\n  }\n  if ('tokenId' in response2) {\n    return response2['tokenId'] as string;\n  }\n  return null;\n}\n\n/**\n * Helper function to obtain an oauth2 authorization code\n * @param {string} redirectURL oauth2 redirect uri\n * @param {string} codeChallenge PKCE code challenge\n * @param {string} codeChallengeMethod PKCE code challenge method\n * @returns {string} oauth2 authorization code or null\n */\nasync function getAuthCode(redirectURL, codeChallenge, codeChallengeMethod) {\n  try {\n    const bodyFormData = `redirect_uri=${redirectURL}&scope=${idmAdminScopes}&response_type=code&client_id=${adminClientId}&csrf=${state.getCookieValue()}&decision=allow&code_challenge=${codeChallenge}&code_challenge_method=${codeChallengeMethod}`;\n    const config = {\n      headers: {\n        'Content-Type': 'application/x-www-form-urlencoded',\n      },\n      maxRedirects: 0,\n    };\n    let response = undefined;\n    try {\n      response = await authorize(bodyFormData, config);\n    } catch (error) {\n      response = error.response;\n    }\n    if (response.status < 200 || response.status > 399) {\n      printMessage('error getting auth code', 'error');\n      printMessage(\n        'likely cause: mismatched parameters with OAuth client config',\n        'error'\n      );\n      return null;\n    }\n    const redirectLocationURL = response.headers?.location;\n    const queryObject = url.parse(redirectLocationURL, true).query;\n    if ('code' in queryObject) {\n      return queryObject.code;\n    }\n    printMessage('auth code not found', 'error');\n    return null;\n  } catch (error) {\n    printMessage(`error getting auth code - ${error.message}`, 'error');\n    printMessage(error.response?.data, 'error');\n    debugMessage(error.stack);\n    return null;\n  }\n}\n\n/**\n * Helper function to obtain oauth2 access token\n * @returns {Promise<string | null>} access token or null\n */\nasync function getAccessTokenForUser(): Promise<string | null> {\n  debugMessage(`AuthenticateOps.getAccessTokenForUser: start`);\n  try {\n    const verifier = encodeBase64Url(randomBytes(32));\n    const challenge = encodeBase64Url(\n      createHash('sha256').update(verifier).digest()\n    );\n    const challengeMethod = 'S256';\n    const redirectURL = url.resolve(state.getHost(), redirectUrlTemplate);\n    const authCode = await getAuthCode(redirectURL, challenge, challengeMethod);\n    if (authCode == null) {\n      printMessage('error getting auth code', 'error');\n      return null;\n    }\n    let response = null;\n    if (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY) {\n      const config = {\n        auth: {\n          username: adminClientId,\n          password: adminClientPassword,\n        },\n      };\n      const bodyFormData = `redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n      response = await accessToken(bodyFormData, config);\n    } else {\n      const bodyFormData = `client_id=${adminClientId}&redirect_uri=${redirectURL}&grant_type=authorization_code&code=${authCode}&code_verifier=${verifier}`;\n      response = await accessToken(bodyFormData);\n    }\n    if ('access_token' in response.data) {\n      debugMessage(`AuthenticateOps.getAccessTokenForUser: end with token`);\n      return response.data.access_token;\n    }\n    printMessage('No access token in response.', 'error');\n  } catch (error) {\n    debugMessage(`Error getting access token for user: ${error}`);\n    debugMessage(error.response?.data);\n  }\n  debugMessage(`AuthenticateOps.getAccessTokenForUser: end without token`);\n  return null;\n}\n\nfunction createPayload(serviceAccountId: string) {\n  const u = parseUrl(state.getHost());\n  const aud = `${u.origin}:${\n    u.port ? u.port : u.protocol === 'https' ? '443' : '80'\n  }${u.pathname}/oauth2/access_token`;\n\n  // Cross platform way of setting JWT expiry time 3 minutes in the future, expressed as number of seconds since EPOCH\n  const exp = Math.floor(new Date().getTime() / 1000 + 180);\n\n  // A unique ID for the JWT which is required when requesting the openid scope\n  const jti = v4();\n\n  const iss = serviceAccountId;\n  const sub = serviceAccountId;\n\n  // Create the payload for our bearer token\n  const payload = { iss, sub, aud, exp, jti };\n\n  return payload;\n}\n\n/**\n * Get access token for service account\n * @param {string} serviceAccountId UUID of service account\n * @param {JwkRsa} jwk Java Wek Key\n * @returns {string | null} Access token or null\n */\nexport async function getAccessTokenForServiceAccount(\n  serviceAccountId: string,\n  jwk: JwkRsa\n): Promise<string | null> {\n  debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: start`);\n  const payload = createPayload(serviceAccountId);\n  debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: payload:`);\n  debugMessage(payload);\n  const jwt = await createSignedJwtToken(payload, jwk);\n  debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: jwt:`);\n  debugMessage(jwt);\n  const bodyFormData = `assertion=${jwt}&client_id=service-account&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&scope=${serviceAccountScopes}`;\n  const response = await accessToken(bodyFormData);\n  if ('access_token' in response.data) {\n    debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: token:`);\n    debugMessage(response.data.access_token);\n    debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n    return response.data.access_token;\n  }\n  debugMessage(\n    `AuthenticateOps.getAccessTokenForServiceAccount: No access token in response.`\n  );\n  debugMessage(`AuthenticateOps.getAccessTokenForServiceAccount: end`);\n  return null;\n}\n\nasync function determineDeploymentTypeAndDefaultRealmAndVersion() {\n  debugMessage(\n    `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: start`\n  );\n  if (!state.getDeploymentType()) {\n    state.setDeploymentType(await determineDeploymentType());\n  }\n  determineDefaultRealm(state.getDeploymentType());\n  debugMessage(\n    `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: realm=${state.getRealm()}, type=${state.getDeploymentType()}`\n  );\n\n  const versionInfo = (await getServerVersionInfo()).data;\n\n  // https://github.com/rockcarver/frodo-cli/issues/109\n  debugMessage(`Full version: ${versionInfo.fullVersion}`);\n\n  const version = await getSemanticVersion(versionInfo);\n  state.setAmVersion(version);\n  debugMessage(\n    `AuthenticateOps.determineDeploymentTypeAndDefaultRealmAndVersion: end`\n  );\n}\n\nasync function getLoggedInSubject(): Promise<string> {\n  let subjectString = `user ${state.getUsername()}`;\n  if (state.getUseBearerTokenForAmApis()) {\n    const name = (\n      await getManagedObject('svcacct', state.getServiceAccountId(), ['name'])\n    ).data.name;\n    subjectString = `service account ${name} [${state.getServiceAccountId()}]`;\n  }\n  return subjectString;\n}\n\n/**\n * Get tokens\n * @param {boolean} save true to save a connection profile upon successful authentication, false otherwise\n * @returns {Promise<boolean>} true if tokens were successfully obtained, false otherwise\n */\nexport async function getTokens(): Promise<boolean> {\n  debugMessage(`AuthenticateOps.getTokens: start`);\n  if (!state.getHost()) {\n    printMessage(\n      `No host specified and FRODO_HOST env variable not set!`,\n      'error'\n    );\n    return false;\n  }\n  try {\n    // if username/password on cli are empty, try to read from connections.json\n    if (\n      state.getUsername() == null &&\n      state.getPassword() == null &&\n      !state.getServiceAccountId() &&\n      !state.getServiceAccountJwk()\n    ) {\n      const conn = await getConnectionProfile();\n      if (conn) {\n        state.setHost(conn.tenant);\n        state.setUsername(conn.username);\n        state.setPassword(conn.password);\n        state.setAuthenticationService(conn.authenticationService);\n        state.setAuthenticationHeaderOverrides(\n          conn.authenticationHeaderOverrides\n        );\n        state.setServiceAccountId(conn.svcacctId);\n        state.setServiceAccountJwk(conn.svcacctJwk);\n      } else {\n        return false;\n      }\n    }\n    // now that we have the full tenant URL we can lookup the cookie name\n    state.setCookieName(await determineCookieName());\n\n    // use service account to login?\n    if (state.getServiceAccountId() && state.getServiceAccountJwk()) {\n      debugMessage(\n        `AuthenticateOps.getTokens: Authenticating with service account ${state.getServiceAccountId()}`\n      );\n      try {\n        const token = await getAccessTokenForServiceAccount(\n          state.getServiceAccountId(),\n          state.getServiceAccountJwk()\n        );\n        state.setBearerToken(token);\n        state.setUseBearerTokenForAmApis(true);\n        await determineDeploymentTypeAndDefaultRealmAndVersion();\n      } catch (saErr) {\n        throw new Error(\n          `Service account login error: ${\n            saErr.response?.data?.error_description ||\n            saErr.response?.data?.message\n          }`\n        );\n      }\n    }\n    // use user account to login\n    else if (state.getUsername() && state.getPassword()) {\n      debugMessage(\n        `AuthenticateOps.getTokens: Authenticating with user account ${state.getUsername()}`\n      );\n      const token = await authenticate(\n        state.getUsername(),\n        state.getPassword()\n      );\n      if (token) state.setCookieValue(token);\n      await determineDeploymentTypeAndDefaultRealmAndVersion();\n      debugMessage(`AuthenticateOps.getTokens: before bearer`);\n      debugMessage(\n        `AuthenticateOps.getTokens: cookie=${state.getCookieValue()}`\n      );\n      debugMessage(\n        `AuthenticateOps.getTokens: bearer=${state.getBearerToken()}`\n      );\n      debugMessage(\n        `AuthenticateOps.getTokens: type=${state.getDeploymentType()}`\n      );\n      debugMessage(\n        `AuthenticateOps.getTokens: condition=${\n          state.getCookieValue() &&\n          !state.getBearerToken() &&\n          (state.getDeploymentType() ===\n            globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY ||\n            state.getDeploymentType() ===\n              globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY)\n        }`\n      );\n      if (\n        state.getCookieValue() &&\n        !state.getBearerToken() &&\n        (state.getDeploymentType() === globalConfig.CLOUD_DEPLOYMENT_TYPE_KEY ||\n          state.getDeploymentType() ===\n            globalConfig.FORGEOPS_DEPLOYMENT_TYPE_KEY)\n      ) {\n        debugMessage(`AuthenticateOps.getTokens: in bearer`);\n        const accessToken = await getAccessTokenForUser();\n        if (accessToken) state.setBearerToken(accessToken);\n      }\n      debugMessage(`AuthenticateOps.getTokens: after bearer`);\n    }\n    // incomplete or no credentials\n    else {\n      printMessage(`Incomplete or no credentials!`, 'error');\n      return false;\n    }\n    if (\n      state.getCookieValue() ||\n      (state.getUseBearerTokenForAmApis() && state.getBearerToken())\n    ) {\n      // https://github.com/rockcarver/frodo-cli/issues/102\n      printMessage(\n        `Connected to ${state.getHost()} [${\n          state.getRealm() ? state.getRealm() : 'root'\n        }] as ${await getLoggedInSubject()}`,\n        'info'\n      );\n      debugMessage(`AuthenticateOps.getTokens: end with tokens`);\n      return true;\n    }\n  } catch (error) {\n    // regular error\n    printMessage(error.message, 'error');\n    // axios error am api\n    printMessage(error.response?.data?.message, 'error');\n    // axios error am oauth2 api\n    printMessage(error.response?.data?.error_description, 'error');\n    // axios error data\n    debugMessage(error.response?.data);\n    // stack trace\n    debugMessage(error.stack || new Error().stack);\n  }\n  debugMessage(`AuthenticateOps.getTokens: end without tokens`);\n  return false;\n}\n"]}