ibm-cloud-sdk-core 5.0.2 → 5.1.0

package/auth/authenticators/token-request-based-authenticator-immutable.js

@@ -0,0 +1,91 @@
+"use strict";
+/**
+ * (C) Copyright IBM Corp. 2024.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    };
+    return function (d, b) {
+        if (typeof b !== "function" && b !== null)
+            throw new TypeError("Class extends value " + String(b) + " is not a constructor or null");
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenRequestBasedAuthenticatorImmutable = void 0;
+var extend_1 = __importDefault(require("extend"));
+var jwt_token_manager_1 = require("../token-managers/jwt-token-manager");
+var authenticator_1 = require("./authenticator");
+var logger_1 = __importDefault(require("../../lib/logger"));
+/**
+ * Class for common functionality shared by token-request authenticators.
+ * Token-request authenticators use token managers to retrieve, store,
+ * and refresh tokens. Not intended to be used as stand-alone authenticator,
+ * but as base class to authenticators that have their own token manager
+ * implementations.
+ *
+ * The token will be added as an Authorization header in the form:
+ *
+ *      Authorization: Bearer \<bearer-token\>
+ */
+var TokenRequestBasedAuthenticatorImmutable = /** @class */ (function (_super) {
+    __extends(TokenRequestBasedAuthenticatorImmutable, _super);
+    /**
+     * Create a new TokenRequestBasedAuthenticatorImmutable instance with an internal JwtTokenManager.
+     *
+     * @param options - Configuration options.
+     * This should be an object containing these fields:
+     * - url: (optional) the endpoint URL for the token service
+     * - disableSslVerification: (optional) a flag that indicates whether verification of the token server's SSL certificate
+     * should be disabled or not
+     * - headers: (optional) a set of HTTP headers to be sent with each request to the token service
+     */
+    function TokenRequestBasedAuthenticatorImmutable(options) {
+        var _this = _super.call(this) || this;
+        _this.disableSslVerification = Boolean(options.disableSslVerification);
+        _this.url = options.url;
+        // default to empty object
+        _this.headers = options.headers || {};
+        _this.tokenManager = new jwt_token_manager_1.JwtTokenManager(options);
+        return _this;
+    }
+    /**
+     * Adds bearer token information to "requestOptions". The bearer token information
+     * will be set in the Authorization property of "requestOptions.headers" in the form:
+     *
+     *     Authorization: Bearer \<bearer-token\>
+     *
+     * @param requestOptions - The request to augment with authentication information.
+     */
+    TokenRequestBasedAuthenticatorImmutable.prototype.authenticate = function (requestOptions) {
+        var _this = this;
+        return this.tokenManager.getToken().then(function (token) {
+            var authHeader = { Authorization: "Bearer ".concat(token) };
+            requestOptions.headers = (0, extend_1.default)(true, {}, requestOptions.headers, authHeader);
+            logger_1.default.debug("Authenticated outbound request (type=".concat(_this.authenticationType(), ")"));
+        });
+    };
+    return TokenRequestBasedAuthenticatorImmutable;
+}(authenticator_1.Authenticator));
+exports.TokenRequestBasedAuthenticatorImmutable = TokenRequestBasedAuthenticatorImmutable;

package/auth/authenticators/token-request-based-authenticator.d.ts

@@ -1,5 +1,5 @@
 /**
- * (C) Copyright IBM Corp. 2019, 2023.
+ * (C) Copyright IBM Corp. 2019, 2024.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,23 +15,9 @@
  */
 /// <reference types="node" />
 import { OutgoingHttpHeaders } from 'http';
-import { JwtTokenManager } from '../token-managers/jwt-token-manager';
-import { Authenticator } from './authenticator';
-import { AuthenticateOptions } from './authenticator-interface';
+import { TokenRequestBasedAuthenticatorImmutable } from './token-request-based-authenticator-immutable';
 /** Configuration options for token-based authentication. */
-export type BaseOptions = {
-    /** Headers to be sent with every outbound HTTP requests to token services. */
-    headers?: OutgoingHttpHeaders;
-    /**
-     * A flag that indicates whether verification of the token server's SSL
-     * certificate should be disabled or not.
-     */
-    disableSslVerification?: boolean;
-    /** Endpoint for HTTP token requests. */
-    url?: string;
-    /** Allow additional request config parameters */
-    [propName: string]: any;
-};
+export { BaseOptions } from './token-request-based-authenticator-immutable';
 /**
  * Class for common functionality shared by token-request authenticators.
  * TokenRequestBasedAuthenticators use token managers to retrieve, store,
@@ -43,22 +29,7 @@ export type BaseOptions = {
  *
  *      Authorization: Bearer \<bearer-token\>
  */
-export declare class TokenRequestBasedAuthenticator extends Authenticator {
-    protected tokenManager: JwtTokenManager;
-    protected url: string;
-    protected headers: OutgoingHttpHeaders;
-    protected disableSslVerification: boolean;
-    /**
-     * Create a new TokenRequestBasedAuthenticator instance with an internal JwtTokenManager.
-     *
-     * @param options - Configuration options.
-     * This should be an object containing these fields:
-     * - url: (optional) the endpoint URL for the token service
-     * - disableSslVerification: (optional) a flag that indicates whether verification of the token server's SSL certificate
-     * should be disabled or not
-     * - headers: (optional) a set of HTTP headers to be sent with each request to the token service
-     */
-    constructor(options: BaseOptions);
+export declare class TokenRequestBasedAuthenticator extends TokenRequestBasedAuthenticatorImmutable {
     /**
      * Set the flag that indicates whether verification of the server's SSL
      * certificate should be disabled or not.
@@ -74,13 +45,4 @@ export declare class TokenRequestBasedAuthenticator extends Authenticator {
      * Overwrites previous default headers.
      */
     setHeaders(headers: OutgoingHttpHeaders): void;
-    /**
-     * Adds bearer token information to "requestOptions". The bearer token information
-     * will be set in the Authorization property of "requestOptions.headers" in the form:
-     *
-     *     Authorization: Bearer \<bearer-token\>
-     *
-     * @param requestOptions - The request to augment with authentication information.
-     */
-    authenticate(requestOptions: AuthenticateOptions): Promise<void>;
 }

package/auth/authenticators/token-request-based-authenticator.js

@@ -1,6 +1,6 @@
 "use strict";
 /**
- * (C) Copyright IBM Corp. 2019, 2023.
+ * (C) Copyright IBM Corp. 2019, 2024.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,15 +29,9 @@ var __extends = (this && this.__extends) || (function () {
         d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
     };
 })();
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.TokenRequestBasedAuthenticator = void 0;
-var extend_1 = __importDefault(require("extend"));
-var jwt_token_manager_1 = require("../token-managers/jwt-token-manager");
-var authenticator_1 = require("./authenticator");
-var logger_1 = __importDefault(require("../../lib/logger"));
+var token_request_based_authenticator_immutable_1 = require("./token-request-based-authenticator-immutable");
 /**
  * Class for common functionality shared by token-request authenticators.
  * TokenRequestBasedAuthenticators use token managers to retrieve, store,
@@ -51,24 +45,8 @@ var logger_1 = __importDefault(require("../../lib/logger"));
  */
 var TokenRequestBasedAuthenticator = /** @class */ (function (_super) {
     __extends(TokenRequestBasedAuthenticator, _super);
-    /**
-     * Create a new TokenRequestBasedAuthenticator instance with an internal JwtTokenManager.
-     *
-     * @param options - Configuration options.
-     * This should be an object containing these fields:
-     * - url: (optional) the endpoint URL for the token service
-     * - disableSslVerification: (optional) a flag that indicates whether verification of the token server's SSL certificate
-     * should be disabled or not
-     * - headers: (optional) a set of HTTP headers to be sent with each request to the token service
-     */
-    function TokenRequestBasedAuthenticator(options) {
-        var _this = _super.call(this) || this;
-        _this.disableSslVerification = Boolean(options.disableSslVerification);
-        _this.url = options.url;
-        // default to empty object
-        _this.headers = options.headers || {};
-        _this.tokenManager = new jwt_token_manager_1.JwtTokenManager(options);
-        return _this;
+    function TokenRequestBasedAuthenticator() {
+        return _super !== null && _super.apply(this, arguments) || this;
     }
     /**
      * Set the flag that indicates whether verification of the server's SSL
@@ -97,22 +75,6 @@ var TokenRequestBasedAuthenticator = /** @class */ (function (_super) {
         this.headers = headers;
         this.tokenManager.setHeaders(this.headers);
     };
-    /**
-     * Adds bearer token information to "requestOptions". The bearer token information
-     * will be set in the Authorization property of "requestOptions.headers" in the form:
-     *
-     *     Authorization: Bearer \<bearer-token\>
-     *
-     * @param requestOptions - The request to augment with authentication information.
-     */
-    TokenRequestBasedAuthenticator.prototype.authenticate = function (requestOptions) {
-        var _this = this;
-        return this.tokenManager.getToken().then(function (token) {
-            var authHeader = { Authorization: "Bearer ".concat(token) };
-            requestOptions.headers = (0, extend_1.default)(true, {}, requestOptions.headers, authHeader);
-            logger_1.default.debug("Authenticated outbound request (type=".concat(_this.authenticationType(), ")"));
-        });
-    };
     return TokenRequestBasedAuthenticator;
-}(authenticator_1.Authenticator));
+}(token_request_based_authenticator_immutable_1.TokenRequestBasedAuthenticatorImmutable));
 exports.TokenRequestBasedAuthenticator = TokenRequestBasedAuthenticator;

package/auth/token-managers/container-token-manager.d.ts

@@ -65,6 +65,12 @@ export declare class ContainerTokenManager extends IamRequestBasedTokenManager {
      * @param iamProfileId - the ID of the IAM trusted profile
      */
     setIamProfileId(iamProfileId: string): void;
+    /**
+     * Returns the most recently stored refresh token.
+     *
+     * @returns the refresh token
+     */
+    getRefreshToken(): string;
     /**
      * Request an IAM token using a compute resource token.
      */

package/auth/token-managers/container-token-manager.js

@@ -29,42 +29,6 @@ var __extends = (this && this.__extends) || (function () {
         d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
     };
 })();
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __generator = (this && this.__generator) || function (thisArg, body) {
-    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
-    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
-    function verb(n) { return function (v) { return step([n, v]); }; }
-    function step(op) {
-        if (f) throw new TypeError("Generator is already executing.");
-        while (g && (g = 0, op[0] && (_ = 0)), _) try {
-            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
-            if (y = 0, t) op = [op[0] & 2, t.value];
-            switch (op[0]) {
-                case 0: case 1: t = op; break;
-                case 4: _.label++; return { value: op[1], done: false };
-                case 5: _.label++; y = op[1]; op = [0]; continue;
-                case 7: op = _.ops.pop(); _.trys.pop(); continue;
-                default:
-                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
-                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
-                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
-                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
-                    if (t[2]) _.ops.pop();
-                    _.trys.pop(); continue;
-            }
-            op = body.call(thisArg, _);
-        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
-        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
-    }
-};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ContainerTokenManager = void 0;
 var helpers_1 = require("../utils/helpers");
@@ -143,24 +107,28 @@ var ContainerTokenManager = /** @class */ (function (_super) {
     ContainerTokenManager.prototype.setIamProfileId = function (iamProfileId) {
         this.iamProfileId = iamProfileId;
     };
+    /**
+     * Returns the most recently stored refresh token.
+     *
+     * @returns the refresh token
+     */
+    ContainerTokenManager.prototype.getRefreshToken = function () {
+        return this.refreshToken;
+    };
     /**
      * Request an IAM token using a compute resource token.
      */
     ContainerTokenManager.prototype.requestToken = function () {
-        return __awaiter(this, void 0, void 0, function () {
-            return __generator(this, function (_a) {
-                this.formData.cr_token = this.getCrToken();
-                // these member variables can be reset, set them in the form data right
-                // before making the request to ensure they're up to date
-                if (this.iamProfileName) {
-                    this.formData.profile_name = this.iamProfileName;
-                }
-                if (this.iamProfileId) {
-                    this.formData.profile_id = this.iamProfileId;
-                }
-                return [2 /*return*/, _super.prototype.requestToken.call(this)];
-            });
-        });
+        this.formData.cr_token = this.getCrToken();
+        // these member variables can be reset, set them in the form data right
+        // before making the request to ensure they're up to date
+        if (this.iamProfileName) {
+            this.formData.profile_name = this.iamProfileName;
+        }
+        if (this.iamProfileId) {
+            this.formData.profile_id = this.iamProfileId;
+        }
+        return _super.prototype.requestToken.call(this);
     };
     /**
      * Retrieves the CR token from a file using this search order:

package/auth/token-managers/iam-assume-token-manager.d.ts

@@ -0,0 +1,101 @@
+/**
+ * (C) Copyright IBM Corp. 2024.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/// <reference types="node" />
+import { OutgoingHttpHeaders } from 'http';
+import { IamRequestBasedTokenManager, IamRequestOptions } from './iam-request-based-token-manager';
+/** Configuration options for IAM Assume token retrieval. */
+interface Options extends IamRequestOptions {
+    apikey: string;
+    iamProfileId?: string;
+    iamProfileCrn?: string;
+    iamProfileName?: string;
+    iamAccountId?: string;
+}
+/**
+ * The IamAssumeTokenManager takes an api key, along with trusted profile information, and performs
+ * the necessary interactions with the IAM token service to obtain and store a suitable bearer token
+ * that "assumes" the identify of the trusted profile.
+ */
+export declare class IamAssumeTokenManager extends IamRequestBasedTokenManager {
+    protected requiredOptions: string[];
+    private iamProfileId;
+    private iamProfileCrn;
+    private iamProfileName;
+    private iamAccountId;
+    private iamDelegate;
+    /**
+     *
+     * Create a new IamAssumeTokenManager instance.
+     *
+     * @param options - Configuration options.
+     * This should be an object containing these fields:
+     * - apikey: (required) the IAM api key
+     * - iamProfileId: (optional) the ID of the trusted profile to use
+     * - iamProfileCrn: (optional) the CRN of the trusted profile to use
+     * - iamProfileName: (optional) the name of the trusted profile to use (must be specified with iamAccountId)
+     * - iamAccountId: (optional) the ID of the account the trusted profile is in (must be specified with iamProfileName)
+     * - url: (optional) the endpoint URL for the IAM token service (default value: "https://iam.cloud.ibm.com")
+     * - disableSslVerification: (optional) a flag that indicates whether verification of the token server's SSL certificate
+     * should be disabled or not
+     * - headers: (optional) a set of HTTP headers to be sent with each request to the token service
+     * - clientId: (optional) the "clientId" and "clientSecret" fields are used to form a Basic
+     * Authorization header to be included in each request to the token service
+     * - clientSecret: (optional) the "clientId" and "clientSecret" fields are used to form a Basic
+     * Authorization header to be included in each request to the token service
+     * - scope: (optional) the "scope" parameter to use when fetching the bearer token from the token service
+     *
+     * @throws Error: the configuration options are not valid.
+     */
+    constructor(options: Options);
+    /**
+     * Request an IAM token using a standard access token and a trusted profile.
+     */
+    protected requestToken(): Promise<any>;
+    /**
+     * Extend this method from the parent class to erase the refresh token from
+     * the class - we do not want to expose it for IAM Assume authentication.
+     *
+     * @param tokenResponse - the response object from JWT service request
+     */
+    protected saveTokenInfo(tokenResponse: any): void;
+    /**
+     * Sets the IAM "scope" value.
+     * This value is sent as the "scope" form parameter in the IAM delegate request.
+     *
+     * @param scope - a space-separated string that contains one or more scope names
+     */
+    setScope(scope: string): void;
+    /**
+     * Sets the IAM "clientId" and "clientSecret" values for the IAM delegate.
+     *
+     * @param clientId - the client id.
+     * @param clientSecret - the client secret.
+     */
+    setClientIdAndSecret(clientId: string, clientSecret: string): void;
+    /**
+     * Sets the "disableSslVerification" property for the IAM delegate.
+     *
+     * @param value - the new value for the disableSslVerification property
+     */
+    setDisableSslVerification(value: boolean): void;
+    /**
+     * Sets the headers to be included in the IAM delegate's requests.
+     *
+     * @param headers - the set of headers to send with each request to the token server
+     */
+    setHeaders(headers: OutgoingHttpHeaders): void;
+}
+export {};

package/auth/token-managers/iam-assume-token-manager.js

@@ -0,0 +1,220 @@
+"use strict";
+/**
+ * (C) Copyright IBM Corp. 2024.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+var __extends = (this && this.__extends) || (function () {
+    var extendStatics = function (d, b) {
+        extendStatics = Object.setPrototypeOf ||
+            ({ __proto__: [] } instanceof Array && function (d, b) { d.__proto__ = b; }) ||
+            function (d, b) { for (var p in b) if (Object.prototype.hasOwnProperty.call(b, p)) d[p] = b[p]; };
+        return extendStatics(d, b);
+    };
+    return function (d, b) {
+        if (typeof b !== "function" && b !== null)
+            throw new TypeError("Class extends value " + String(b) + " is not a constructor or null");
+        extendStatics(d, b);
+        function __() { this.constructor = d; }
+        d.prototype = b === null ? Object.create(b) : (__.prototype = b.prototype, new __());
+    };
+})();
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IamAssumeTokenManager = void 0;
+var helpers_1 = require("../utils/helpers");
+var build_user_agent_1 = require("../../lib/build-user-agent");
+var iam_request_based_token_manager_1 = require("./iam-request-based-token-manager");
+var iam_token_manager_1 = require("./iam-token-manager");
+/**
+ * The IamAssumeTokenManager takes an api key, along with trusted profile information, and performs
+ * the necessary interactions with the IAM token service to obtain and store a suitable bearer token
+ * that "assumes" the identify of the trusted profile.
+ */
+var IamAssumeTokenManager = /** @class */ (function (_super) {
+    __extends(IamAssumeTokenManager, _super);
+    /**
+     *
+     * Create a new IamAssumeTokenManager instance.
+     *
+     * @param options - Configuration options.
+     * This should be an object containing these fields:
+     * - apikey: (required) the IAM api key
+     * - iamProfileId: (optional) the ID of the trusted profile to use
+     * - iamProfileCrn: (optional) the CRN of the trusted profile to use
+     * - iamProfileName: (optional) the name of the trusted profile to use (must be specified with iamAccountId)
+     * - iamAccountId: (optional) the ID of the account the trusted profile is in (must be specified with iamProfileName)
+     * - url: (optional) the endpoint URL for the IAM token service (default value: "https://iam.cloud.ibm.com")
+     * - disableSslVerification: (optional) a flag that indicates whether verification of the token server's SSL certificate
+     * should be disabled or not
+     * - headers: (optional) a set of HTTP headers to be sent with each request to the token service
+     * - clientId: (optional) the "clientId" and "clientSecret" fields are used to form a Basic
+     * Authorization header to be included in each request to the token service
+     * - clientSecret: (optional) the "clientId" and "clientSecret" fields are used to form a Basic
+     * Authorization header to be included in each request to the token service
+     * - scope: (optional) the "scope" parameter to use when fetching the bearer token from the token service
+     *
+     * @throws Error: the configuration options are not valid.
+     */
+    function IamAssumeTokenManager(options) {
+        var _this = _super.call(this, options) || this;
+        _this.requiredOptions = ['apikey'];
+        // This just verifies that the API key is provided and is free of common issues.
+        (0, helpers_1.validateInput)(options, _this.requiredOptions);
+        // This validates the assume-specific fields.
+        // Only one of the following three options may be specified.
+        if (!(0, helpers_1.onlyOne)(options.iamProfileId, options.iamProfileCrn, options.iamProfileName)) {
+            throw new Error('Exactly one of `iamProfileName`, `iamProfileCrn`, or `iamProfileId` must be specified.');
+        }
+        // `iamAccountId` may only be specified if `iamProfileName` is also specified.
+        if (Boolean(options.iamProfileName) !== Boolean(options.iamAccountId)) {
+            throw new Error('`iamProfileName` and `iamAccountId` must be provided together, or not at all.');
+        }
+        // Set class variables from options. If they are 'undefined' in options,
+        // they won't be changed, as they are 'undefined' to begin with.
+        _this.iamProfileId = options.iamProfileId;
+        _this.iamProfileCrn = options.iamProfileCrn;
+        _this.iamProfileName = options.iamProfileName;
+        _this.iamAccountId = options.iamAccountId;
+        _this.iamDelegate = options.iamDelegate;
+        // Create an instance of the IamTokenManager, which will be used to obtain
+        // an IAM access token for use in the "assume" token exchange. Most option
+        // names are shared between these token manager, and extraneous options will
+        // be ignored, so we can pass the options structure to that constructor as-is.
+        _this.iamDelegate = new iam_token_manager_1.IamTokenManager(options);
+        // These options are used by the delegate token manager
+        // but they are not supported by this token manager.
+        _this.clientId = undefined;
+        _this.clientSecret = undefined;
+        _this.scope = undefined;
+        // Set the grant type and user agent for this flavor of authentication.
+        _this.formData.grant_type = 'urn:ibm:params:oauth:grant-type:assume';
+        _this.userAgent = (0, build_user_agent_1.buildUserAgent)('iam-assume-authenticator');
+        return _this;
+    }
+    /**
+     * Request an IAM token using a standard access token and a trusted profile.
+     */
+    IamAssumeTokenManager.prototype.requestToken = function () {
+        return __awaiter(this, void 0, void 0, function () {
+            var _a;
+            return __generator(this, function (_b) {
+                switch (_b.label) {
+                    case 0:
+                        // First, retrieve a standard IAM access token from the delegate and set it in the form data.
+                        _a = this.formData;
+                        return [4 /*yield*/, this.iamDelegate.getToken()];
+                    case 1:
+                        // First, retrieve a standard IAM access token from the delegate and set it in the form data.
+                        _a.access_token = _b.sent();
+                        if (this.iamProfileCrn) {
+                            this.formData.profile_crn = this.iamProfileCrn;
+                        }
+                        else if (this.iamProfileId) {
+                            this.formData.profile_id = this.iamProfileId;
+                        }
+                        else {
+                            this.formData.profile_name = this.iamProfileName;
+                            this.formData.account = this.iamAccountId;
+                        }
+                        return [2 /*return*/, _super.prototype.requestToken.call(this)];
+                }
+            });
+        });
+    };
+    /**
+     * Extend this method from the parent class to erase the refresh token from
+     * the class - we do not want to expose it for IAM Assume authentication.
+     *
+     * @param tokenResponse - the response object from JWT service request
+     */
+    IamAssumeTokenManager.prototype.saveTokenInfo = function (tokenResponse) {
+        _super.prototype.saveTokenInfo.call(this, tokenResponse);
+        this.refreshToken = undefined;
+    };
+    // Override the inherited "setters". This token manager does not store these options
+    // but they can adjust properties on the stored IAM delegate.
+    /**
+     * Sets the IAM "scope" value.
+     * This value is sent as the "scope" form parameter in the IAM delegate request.
+     *
+     * @param scope - a space-separated string that contains one or more scope names
+     */
+    IamAssumeTokenManager.prototype.setScope = function (scope) {
+        this.iamDelegate.setScope(scope);
+    };
+    /**
+     * Sets the IAM "clientId" and "clientSecret" values for the IAM delegate.
+     *
+     * @param clientId - the client id.
+     * @param clientSecret - the client secret.
+     */
+    IamAssumeTokenManager.prototype.setClientIdAndSecret = function (clientId, clientSecret) {
+        this.iamDelegate.setClientIdAndSecret(clientId, clientSecret);
+    };
+    /**
+     * Sets the "disableSslVerification" property for the IAM delegate.
+     *
+     * @param value - the new value for the disableSslVerification property
+     */
+    IamAssumeTokenManager.prototype.setDisableSslVerification = function (value) {
+        _super.prototype.setDisableSslVerification.call(this, value);
+        this.iamDelegate.setDisableSslVerification(value);
+    };
+    /**
+     * Sets the headers to be included in the IAM delegate's requests.
+     *
+     * @param headers - the set of headers to send with each request to the token server
+     */
+    IamAssumeTokenManager.prototype.setHeaders = function (headers) {
+        _super.prototype.setHeaders.call(this, headers);
+        this.iamDelegate.setHeaders(headers);
+    };
+    return IamAssumeTokenManager;
+}(iam_request_based_token_manager_1.IamRequestBasedTokenManager));
+exports.IamAssumeTokenManager = IamAssumeTokenManager;