Edison/powerpoint-toolbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Heiko Joerg Schick
2025-03-07 19:22:02 +01:00
commit 4a98255d83
55743 changed files with 5280367 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
node_modules/@azure/msal-node/src/cache/ITokenCache.ts
Generated Vendored
+24
View File
@@ -0,0 +1,24 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { AccountInfo } from "@azure/msal-common/node";
/**
* Token cache interface for the client, giving access to cache APIs
* @public
*/
export interface ITokenCache {
/** API that retrieves all accounts currently in cache to the user */
getAllAccounts(): Promise<AccountInfo[]>;
/** Returns the signed in account matching homeAccountId */
getAccountByHomeId(homeAccountId: string): Promise<AccountInfo | null>;
/** Returns the signed in account matching localAccountId */
getAccountByLocalId(localAccountId: string): Promise<AccountInfo | null>;
/** API to remove a specific account and the relevant data from cache */
removeAccount(account: AccountInfo): Promise<void>;
}
node_modules/@azure/msal-node/src/cache/NodeStorage.ts
Generated Vendored
+551
View File
@@ -0,0 +1,551 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
TokenKeys,
AccountEntity,
IdTokenEntity,
AccessTokenEntity,
RefreshTokenEntity,
AppMetadataEntity,
ServerTelemetryEntity,
ThrottlingEntity,
CacheManager,
Logger,
ValidCacheType,
ICrypto,
AuthorityMetadataEntity,
ValidCredentialType,
StaticAuthorityOptions,
CacheHelpers,
} from "@azure/msal-common/node";
import { Deserializer } from "./serializer/Deserializer.js";
import { Serializer } from "./serializer/Serializer.js";
import {
InMemoryCache,
JsonCache,
CacheKVStore,
} from "./serializer/SerializerTypes.js";
/**
* This class implements Storage for node, reading cache from user specified storage location or an extension library
* @public
*/
export class NodeStorage extends CacheManager {
// Cache configuration, either set by user or default values.
private logger: Logger;
private cache: CacheKVStore = {};
private changeEmitters: Array<Function> = [];
constructor(
logger: Logger,
clientId: string,
cryptoImpl: ICrypto,
staticAuthorityOptions?: StaticAuthorityOptions
) {
super(clientId, cryptoImpl, logger, staticAuthorityOptions);
this.logger = logger;
}
/**
* Queue up callbacks
* @param func - a callback function for cache change indication
*/
registerChangeEmitter(func: () => void): void {
this.changeEmitters.push(func);
}
/**
* Invoke the callback when cache changes
*/
emitChange(): void {
this.changeEmitters.forEach((func) => func.call(null));
}
/**
* Converts cacheKVStore to InMemoryCache
* @param cache - key value store
*/
cacheToInMemoryCache(cache: CacheKVStore): InMemoryCache {
const inMemoryCache: InMemoryCache = {
accounts: {},
idTokens: {},
accessTokens: {},
refreshTokens: {},
appMetadata: {},
};
for (const key in cache) {
const value = cache[key];
if (typeof value !== "object") {
continue;
}
if (value instanceof AccountEntity) {
inMemoryCache.accounts[key] = value as AccountEntity;
} else if (CacheHelpers.isIdTokenEntity(value)) {
inMemoryCache.idTokens[key] = value as IdTokenEntity;
} else if (CacheHelpers.isAccessTokenEntity(value)) {
inMemoryCache.accessTokens[key] = value as AccessTokenEntity;
} else if (CacheHelpers.isRefreshTokenEntity(value)) {
inMemoryCache.refreshTokens[key] = value as RefreshTokenEntity;
} else if (CacheHelpers.isAppMetadataEntity(key, value)) {
inMemoryCache.appMetadata[key] = value as AppMetadataEntity;
} else {
continue;
}
}
return inMemoryCache;
}
/**
* converts inMemoryCache to CacheKVStore
* @param inMemoryCache - kvstore map for inmemory
*/
inMemoryCacheToCache(inMemoryCache: InMemoryCache): CacheKVStore {
// convert in memory cache to a flat Key-Value map
let cache = this.getCache();
cache = {
...cache,
...inMemoryCache.accounts,
...inMemoryCache.idTokens,
...inMemoryCache.accessTokens,
...inMemoryCache.refreshTokens,
...inMemoryCache.appMetadata,
};
// convert in memory cache to a flat Key-Value map
return cache;
}
/**
* gets the current in memory cache for the client
*/
getInMemoryCache(): InMemoryCache {
this.logger.trace("Getting in-memory cache");
// convert the cache key value store to inMemoryCache
const inMemoryCache = this.cacheToInMemoryCache(this.getCache());
return inMemoryCache;
}
/**
* sets the current in memory cache for the client
* @param inMemoryCache - key value map in memory
*/
setInMemoryCache(inMemoryCache: InMemoryCache): void {
this.logger.trace("Setting in-memory cache");
// convert and append the inMemoryCache to cacheKVStore
const cache = this.inMemoryCacheToCache(inMemoryCache);
this.setCache(cache);
this.emitChange();
}
/**
* get the current cache key-value store
*/
getCache(): CacheKVStore {
this.logger.trace("Getting cache key-value store");
return this.cache;
}
/**
* sets the current cache (key value store)
* @param cacheMap - key value map
*/
setCache(cache: CacheKVStore): void {
this.logger.trace("Setting cache key value store");
this.cache = cache;
// mark change in cache
this.emitChange();
}
/**
* Gets cache item with given key.
* @param key - lookup key for the cache entry
*/
getItem(key: string): ValidCacheType {
this.logger.tracePii(`Item key: ${key}`);
// read cache
const cache = this.getCache();
return cache[key];
}
/**
* Gets cache item with given key-value
* @param key - lookup key for the cache entry
* @param value - value of the cache entry
*/
setItem(key: string, value: ValidCacheType): void {
this.logger.tracePii(`Item key: ${key}`);
// read cache
const cache = this.getCache();
cache[key] = value;
// write to cache
this.setCache(cache);
}
getAccountKeys(): string[] {
const inMemoryCache = this.getInMemoryCache();
const accountKeys = Object.keys(inMemoryCache.accounts);
return accountKeys;
}
getTokenKeys(): TokenKeys {
const inMemoryCache = this.getInMemoryCache();
const tokenKeys = {
idToken: Object.keys(inMemoryCache.idTokens),
accessToken: Object.keys(inMemoryCache.accessTokens),
refreshToken: Object.keys(inMemoryCache.refreshTokens),
};
return tokenKeys;
}
/**
* fetch the account entity
* @param accountKey - lookup key to fetch cache type AccountEntity
*/
getAccount(accountKey: string): AccountEntity | null {
const accountEntity = this.getCachedAccountEntity(accountKey);
if (accountEntity && AccountEntity.isAccountEntity(accountEntity)) {
return this.updateOutdatedCachedAccount(accountKey, accountEntity);
}
return null;
}
/**
* Reads account from cache, builds it into an account entity and returns it.
* @param accountKey - lookup key to fetch cache type AccountEntity
* @returns
*/
getCachedAccountEntity(accountKey: string): AccountEntity | null {
const cachedAccount = this.getItem(accountKey);
return cachedAccount
? Object.assign(new AccountEntity(), this.getItem(accountKey))
: null;
}
/**
* set account entity
* @param account - cache value to be set of type AccountEntity
*/
setAccount(account: AccountEntity): void {
const accountKey = account.generateAccountKey();
this.setItem(accountKey, account);
}
/**
* fetch the idToken credential
* @param idTokenKey - lookup key to fetch cache type IdTokenEntity
*/
getIdTokenCredential(idTokenKey: string): IdTokenEntity | null {
const idToken = this.getItem(idTokenKey) as IdTokenEntity;
if (CacheHelpers.isIdTokenEntity(idToken)) {
return idToken;
}
return null;
}
/**
* set idToken credential
* @param idToken - cache value to be set of type IdTokenEntity
*/
setIdTokenCredential(idToken: IdTokenEntity): void {
const idTokenKey = CacheHelpers.generateCredentialKey(idToken);
this.setItem(idTokenKey, idToken);
}
/**
* fetch the accessToken credential
* @param accessTokenKey - lookup key to fetch cache type AccessTokenEntity
*/
getAccessTokenCredential(accessTokenKey: string): AccessTokenEntity | null {
const accessToken = this.getItem(accessTokenKey) as AccessTokenEntity;
if (CacheHelpers.isAccessTokenEntity(accessToken)) {
return accessToken;
}
return null;
}
/**
* set accessToken credential
* @param accessToken - cache value to be set of type AccessTokenEntity
*/
setAccessTokenCredential(accessToken: AccessTokenEntity): void {
const accessTokenKey = CacheHelpers.generateCredentialKey(accessToken);
this.setItem(accessTokenKey, accessToken);
}
/**
* fetch the refreshToken credential
* @param refreshTokenKey - lookup key to fetch cache type RefreshTokenEntity
*/
getRefreshTokenCredential(
refreshTokenKey: string
): RefreshTokenEntity | null {
const refreshToken = this.getItem(
refreshTokenKey
) as RefreshTokenEntity;
if (CacheHelpers.isRefreshTokenEntity(refreshToken)) {
return refreshToken as RefreshTokenEntity;
}
return null;
}
/**
* set refreshToken credential
* @param refreshToken - cache value to be set of type RefreshTokenEntity
*/
setRefreshTokenCredential(refreshToken: RefreshTokenEntity): void {
const refreshTokenKey =
CacheHelpers.generateCredentialKey(refreshToken);
this.setItem(refreshTokenKey, refreshToken);
}
/**
* fetch appMetadata entity from the platform cache
* @param appMetadataKey - lookup key to fetch cache type AppMetadataEntity
*/
getAppMetadata(appMetadataKey: string): AppMetadataEntity | null {
const appMetadata: AppMetadataEntity = this.getItem(
appMetadataKey
) as AppMetadataEntity;
if (CacheHelpers.isAppMetadataEntity(appMetadataKey, appMetadata)) {
return appMetadata;
}
return null;
}
/**
* set appMetadata entity to the platform cache
* @param appMetadata - cache value to be set of type AppMetadataEntity
*/
setAppMetadata(appMetadata: AppMetadataEntity): void {
const appMetadataKey = CacheHelpers.generateAppMetadataKey(appMetadata);
this.setItem(appMetadataKey, appMetadata);
}
/**
* fetch server telemetry entity from the platform cache
* @param serverTelemetrykey - lookup key to fetch cache type ServerTelemetryEntity
*/
getServerTelemetry(
serverTelemetrykey: string
): ServerTelemetryEntity | null {
const serverTelemetryEntity: ServerTelemetryEntity = this.getItem(
serverTelemetrykey
) as ServerTelemetryEntity;
if (
serverTelemetryEntity &&
CacheHelpers.isServerTelemetryEntity(
serverTelemetrykey,
serverTelemetryEntity
)
) {
return serverTelemetryEntity;
}
return null;
}
/**
* set server telemetry entity to the platform cache
* @param serverTelemetryKey - lookup key to fetch cache type ServerTelemetryEntity
* @param serverTelemetry - cache value to be set of type ServerTelemetryEntity
*/
setServerTelemetry(
serverTelemetryKey: string,
serverTelemetry: ServerTelemetryEntity
): void {
this.setItem(serverTelemetryKey, serverTelemetry);
}
/**
* fetch authority metadata entity from the platform cache
* @param key - lookup key to fetch cache type AuthorityMetadataEntity
*/
getAuthorityMetadata(key: string): AuthorityMetadataEntity | null {
const authorityMetadataEntity: AuthorityMetadataEntity = this.getItem(
key
) as AuthorityMetadataEntity;
if (
authorityMetadataEntity &&
CacheHelpers.isAuthorityMetadataEntity(key, authorityMetadataEntity)
) {
return authorityMetadataEntity;
}
return null;
}
/**
* Get all authority metadata keys
*/
getAuthorityMetadataKeys(): Array<string> {
return this.getKeys().filter((key) => {
return this.isAuthorityMetadata(key);
});
}
/**
* set authority metadata entity to the platform cache
* @param key - lookup key to fetch cache type AuthorityMetadataEntity
* @param metadata - cache value to be set of type AuthorityMetadataEntity
*/
setAuthorityMetadata(key: string, metadata: AuthorityMetadataEntity): void {
this.setItem(key, metadata);
}
/**
* fetch throttling entity from the platform cache
* @param throttlingCacheKey - lookup key to fetch cache type ThrottlingEntity
*/
getThrottlingCache(throttlingCacheKey: string): ThrottlingEntity | null {
const throttlingCache: ThrottlingEntity = this.getItem(
throttlingCacheKey
) as ThrottlingEntity;
if (
throttlingCache &&
CacheHelpers.isThrottlingEntity(throttlingCacheKey, throttlingCache)
) {
return throttlingCache;
}
return null;
}
/**
* set throttling entity to the platform cache
* @param throttlingCacheKey - lookup key to fetch cache type ThrottlingEntity
* @param throttlingCache - cache value to be set of type ThrottlingEntity
*/
setThrottlingCache(
throttlingCacheKey: string,
throttlingCache: ThrottlingEntity
): void {
this.setItem(throttlingCacheKey, throttlingCache);
}
/**
* Removes the cache item from memory with the given key.
* @param key - lookup key to remove a cache entity
* @param inMemory - key value map of the cache
*/
removeItem(key: string): boolean {
this.logger.tracePii(`Item key: ${key}`);
// read inMemoryCache
let result: boolean = false;
const cache = this.getCache();
if (!!cache[key]) {
delete cache[key];
result = true;
}
// write to the cache after removal
if (result) {
this.setCache(cache);
this.emitChange();
}
return result;
}
/**
* Remove account entity from the platform cache if it's outdated
* @param accountKey - lookup key to fetch cache type AccountEntity
*/
removeOutdatedAccount(accountKey: string): void {
this.removeItem(accountKey);
}
/**
* Checks whether key is in cache.
* @param key - look up key for a cache entity
*/
containsKey(key: string): boolean {
return this.getKeys().includes(key);
}
/**
* Gets all keys in window.
*/
getKeys(): string[] {
this.logger.trace("Retrieving all cache keys");
// read cache
const cache = this.getCache();
return [...Object.keys(cache)];
}
/**
* Clears all cache entries created by MSAL (except tokens).
*/
clear(): void {
this.logger.trace("Clearing cache entries created by MSAL");
// read inMemoryCache
const cacheKeys = this.getKeys();
// delete each element
cacheKeys.forEach((key) => {
this.removeItem(key);
});
this.emitChange();
}
/**
* Initialize in memory cache from an exisiting cache vault
* @param cache - blob formatted cache (JSON)
*/
static generateInMemoryCache(cache: string): InMemoryCache {
return Deserializer.deserializeAllCache(
Deserializer.deserializeJSONBlob(cache)
);
}
/**
* retrieves the final JSON
* @param inMemoryCache - itemised cache read from the JSON
*/
static generateJsonCache(inMemoryCache: InMemoryCache): JsonCache {
return Serializer.serializeAllCache(inMemoryCache);
}
/**
* Updates a credential's cache key if the current cache key is outdated
*/
updateCredentialCacheKey(
currentCacheKey: string,
credential: ValidCredentialType
): string {
const updatedCacheKey = CacheHelpers.generateCredentialKey(credential);
if (currentCacheKey !== updatedCacheKey) {
const cacheItem = this.getItem(currentCacheKey);
if (cacheItem) {
this.removeItem(currentCacheKey);
this.setItem(updatedCacheKey, cacheItem);
this.logger.verbose(
`Updated an outdated ${credential.credentialType} cache key`
);
return updatedCacheKey;
} else {
this.logger.error(
`Attempted to update an outdated ${credential.credentialType} cache key but no item matching the outdated key was found in storage`
);
}
}
return currentCacheKey;
}
}
node_modules/@azure/msal-node/src/cache/TokenCache.ts
Generated Vendored
+358
View File
@@ -0,0 +1,358 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { NodeStorage } from "./NodeStorage.js";
import {
AccountEntity,
AccountInfo,
Logger,
ISerializableTokenCache,
ICachePlugin,
TokenCacheContext,
} from "@azure/msal-common/node";
import {
InMemoryCache,
JsonCache,
SerializedAccountEntity,
SerializedAccessTokenEntity,
SerializedRefreshTokenEntity,
SerializedIdTokenEntity,
SerializedAppMetadataEntity,
CacheKVStore,
} from "./serializer/SerializerTypes.js";
import { Deserializer } from "./serializer/Deserializer.js";
import { Serializer } from "./serializer/Serializer.js";
import { ITokenCache } from "./ITokenCache.js";
const defaultSerializedCache: JsonCache = {
Account: {},
IdToken: {},
AccessToken: {},
RefreshToken: {},
AppMetadata: {},
};
/**
* In-memory token cache manager
* @public
*/
export class TokenCache implements ISerializableTokenCache, ITokenCache {
private storage: NodeStorage;
private cacheHasChanged: boolean;
private cacheSnapshot: string;
private readonly persistence: ICachePlugin;
private logger: Logger;
constructor(
storage: NodeStorage,
logger: Logger,
cachePlugin?: ICachePlugin
) {
this.cacheHasChanged = false;
this.storage = storage;
this.storage.registerChangeEmitter(this.handleChangeEvent.bind(this));
if (cachePlugin) {
this.persistence = cachePlugin;
}
this.logger = logger;
}
/**
* Set to true if cache state has changed since last time serialize or writeToPersistence was called
*/
hasChanged(): boolean {
return this.cacheHasChanged;
}
/**
* Serializes in memory cache to JSON
*/
serialize(): string {
this.logger.trace("Serializing in-memory cache");
let finalState = Serializer.serializeAllCache(
this.storage.getInMemoryCache() as InMemoryCache
);
// if cacheSnapshot not null or empty, merge
if (this.cacheSnapshot) {
this.logger.trace("Reading cache snapshot from disk");
finalState = this.mergeState(
JSON.parse(this.cacheSnapshot),
finalState
);
} else {
this.logger.trace("No cache snapshot to merge");
}
this.cacheHasChanged = false;
return JSON.stringify(finalState);
}
/**
* Deserializes JSON to in-memory cache. JSON should be in MSAL cache schema format
* @param cache - blob formatted cache
*/
deserialize(cache: string): void {
this.logger.trace("Deserializing JSON to in-memory cache");
this.cacheSnapshot = cache;
if (this.cacheSnapshot) {
this.logger.trace("Reading cache snapshot from disk");
const deserializedCache = Deserializer.deserializeAllCache(
this.overlayDefaults(JSON.parse(this.cacheSnapshot))
);
this.storage.setInMemoryCache(deserializedCache);
} else {
this.logger.trace("No cache snapshot to deserialize");
}
}
/**
* Fetches the cache key-value map
*/
getKVStore(): CacheKVStore {
return this.storage.getCache();
}
/**
* API that retrieves all accounts currently in cache to the user
*/
async getAllAccounts(): Promise<AccountInfo[]> {
this.logger.trace("getAllAccounts called");
let cacheContext;
try {
if (this.persistence) {
cacheContext = new TokenCacheContext(this, false);
await this.persistence.beforeCacheAccess(cacheContext);
}
return this.storage.getAllAccounts();
} finally {
if (this.persistence && cacheContext) {
await this.persistence.afterCacheAccess(cacheContext);
}
}
}
/**
* Returns the signed in account matching homeAccountId.
* (the account object is created at the time of successful login)
* or null when no matching account is found
* @param homeAccountId - unique identifier for an account (uid.utid)
*/
async getAccountByHomeId(
homeAccountId: string
): Promise<AccountInfo | null> {
const allAccounts = await this.getAllAccounts();
if (homeAccountId && allAccounts && allAccounts.length) {
return (
allAccounts.filter(
(accountObj) => accountObj.homeAccountId === homeAccountId
)[0] || null
);
} else {
return null;
}
}
/**
* Returns the signed in account matching localAccountId.
* (the account object is created at the time of successful login)
* or null when no matching account is found
* @param localAccountId - unique identifier of an account (sub/obj when homeAccountId cannot be populated)
*/
async getAccountByLocalId(
localAccountId: string
): Promise<AccountInfo | null> {
const allAccounts = await this.getAllAccounts();
if (localAccountId && allAccounts && allAccounts.length) {
return (
allAccounts.filter(
(accountObj) => accountObj.localAccountId === localAccountId
)[0] || null
);
} else {
return null;
}
}
/**
* API to remove a specific account and the relevant data from cache
* @param account - AccountInfo passed by the user
*/
async removeAccount(account: AccountInfo): Promise<void> {
this.logger.trace("removeAccount called");
let cacheContext;
try {
if (this.persistence) {
cacheContext = new TokenCacheContext(this, true);
await this.persistence.beforeCacheAccess(cacheContext);
}
await this.storage.removeAccount(
AccountEntity.generateAccountCacheKey(account)
);
} finally {
if (this.persistence && cacheContext) {
await this.persistence.afterCacheAccess(cacheContext);
}
}
}
/**
* Called when the cache has changed state.
*/
private handleChangeEvent() {
this.cacheHasChanged = true;
}
/**
* Merge in memory cache with the cache snapshot.
* @param oldState - cache before changes
* @param currentState - current cache state in the library
*/
private mergeState(
oldState: JsonCache,
currentState: JsonCache
): JsonCache {
this.logger.trace("Merging in-memory cache with cache snapshot");
const stateAfterRemoval = this.mergeRemovals(oldState, currentState);
return this.mergeUpdates(stateAfterRemoval, currentState);
}
/**
* Deep update of oldState based on newState values
* @param oldState - cache before changes
* @param newState - updated cache
*/
private mergeUpdates(oldState: object, newState: object): JsonCache {
Object.keys(newState).forEach((newKey: string) => {
const newValue = newState[newKey];
// if oldState does not contain value but newValue does, add it
if (!oldState.hasOwnProperty(newKey)) {
if (newValue !== null) {
oldState[newKey] = newValue;
}
} else {
// both oldState and newState contain the key, do deep update
const newValueNotNull = newValue !== null;
const newValueIsObject = typeof newValue === "object";
const newValueIsNotArray = !Array.isArray(newValue);
const oldStateNotUndefinedOrNull =
typeof oldState[newKey] !== "undefined" &&
oldState[newKey] !== null;
if (
newValueNotNull &&
newValueIsObject &&
newValueIsNotArray &&
oldStateNotUndefinedOrNull
) {
this.mergeUpdates(oldState[newKey], newValue);
} else {
oldState[newKey] = newValue;
}
}
});
return oldState as JsonCache;
}
/**
* Removes entities in oldState that the were removed from newState. If there are any unknown values in root of
* oldState that are not recognized, they are left untouched.
* @param oldState - cache before changes
* @param newState - updated cache
*/
private mergeRemovals(oldState: JsonCache, newState: JsonCache): JsonCache {
this.logger.trace("Remove updated entries in cache");
const accounts = oldState.Account
? this.mergeRemovalsDict<SerializedAccountEntity>(
oldState.Account,
newState.Account
)
: oldState.Account;
const accessTokens = oldState.AccessToken
? this.mergeRemovalsDict<SerializedAccessTokenEntity>(
oldState.AccessToken,
newState.AccessToken
)
: oldState.AccessToken;
const refreshTokens = oldState.RefreshToken
? this.mergeRemovalsDict<SerializedRefreshTokenEntity>(
oldState.RefreshToken,
newState.RefreshToken
)
: oldState.RefreshToken;
const idTokens = oldState.IdToken
? this.mergeRemovalsDict<SerializedIdTokenEntity>(
oldState.IdToken,
newState.IdToken
)
: oldState.IdToken;
const appMetadata = oldState.AppMetadata
? this.mergeRemovalsDict<SerializedAppMetadataEntity>(
oldState.AppMetadata,
newState.AppMetadata
)
: oldState.AppMetadata;
return {
...oldState,
Account: accounts,
AccessToken: accessTokens,
RefreshToken: refreshTokens,
IdToken: idTokens,
AppMetadata: appMetadata,
};
}
/**
* Helper to merge new cache with the old one
* @param oldState - cache before changes
* @param newState - updated cache
*/
private mergeRemovalsDict<T>(
oldState: Record<string, T>,
newState?: Record<string, T>
): Record<string, T> {
const finalState = { ...oldState };
Object.keys(oldState).forEach((oldKey) => {
if (!newState || !newState.hasOwnProperty(oldKey)) {
delete finalState[oldKey];
}
});
return finalState;
}
/**
* Helper to overlay as a part of cache merge
* @param passedInCache - cache read from the blob
*/
private overlayDefaults(passedInCache: JsonCache): JsonCache {
this.logger.trace("Overlaying input cache with the default cache");
return {
Account: {
...defaultSerializedCache.Account,
...passedInCache.Account,
},
IdToken: {
...defaultSerializedCache.IdToken,
...passedInCache.IdToken,
},
AccessToken: {
...defaultSerializedCache.AccessToken,
...passedInCache.AccessToken,
},
RefreshToken: {
...defaultSerializedCache.RefreshToken,
...passedInCache.RefreshToken,
},
AppMetadata: {
...defaultSerializedCache.AppMetadata,
...passedInCache.AppMetadata,
},
};
}
}
node_modules/@azure/msal-node/src/cache/distributed/DistributedCachePlugin.ts
Generated Vendored
+71
View File
@@ -0,0 +1,71 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AccountEntity,
ICachePlugin,
TokenCacheContext,
} from "@azure/msal-common/node";
import { TokenCache } from "../TokenCache.js";
import { IPartitionManager } from "./IPartitionManager.js";
import { ICacheClient } from "./ICacheClient.js";
/**
* Cache plugin that serializes data to the cache and deserializes data from the cache
* @public
*/
export class DistributedCachePlugin implements ICachePlugin {
private client: ICacheClient;
private partitionManager: IPartitionManager;
constructor(client: ICacheClient, partitionManager: IPartitionManager) {
this.client = client;
this.partitionManager = partitionManager;
}
/**
* Deserializes the cache before accessing it
* @param cacheContext - TokenCacheContext
*/
public async beforeCacheAccess(
cacheContext: TokenCacheContext
): Promise<void> {
const partitionKey = await this.partitionManager.getKey();
const cacheData = await this.client.get(partitionKey);
cacheContext.tokenCache.deserialize(cacheData);
}
/**
* Serializes the cache after accessing it
* @param cacheContext - TokenCacheContext
*/
public async afterCacheAccess(
cacheContext: TokenCacheContext
): Promise<void> {
if (cacheContext.cacheHasChanged) {
const kvStore = (
cacheContext.tokenCache as TokenCache
).getKVStore();
const accountEntities = Object.values(kvStore).filter((value) =>
AccountEntity.isAccountEntity(value as object)
);
let partitionKey: string;
if (accountEntities.length > 0) {
const accountEntity = accountEntities[0] as AccountEntity;
partitionKey = await this.partitionManager.extractKey(
accountEntity
);
} else {
partitionKey = await this.partitionManager.getKey();
}
await this.client.set(
partitionKey,
cacheContext.tokenCache.serialize()
);
}
}
}
node_modules/@azure/msal-node/src/cache/distributed/ICacheClient.ts
Generated Vendored
+27
View File
@@ -0,0 +1,27 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Interface for the cache that defines a getter and setter
* @public
*/
export interface ICacheClient {
/**
* Retrieve the value from the cache
*
* @param key - key of item in the cache
* @returns Promise<string>
*/
get(key: string): Promise<string>;
/**
* Save the required value using the provided key to cache
*
* @param key - key of item in the cache
* @param value - value of item to be saved in the cache
* @returns Promise<string>
*/
set(key: string, value: string): Promise<string>;
}
node_modules/@azure/msal-node/src/cache/distributed/IPartitionManager.ts
Generated Vendored
+39
View File
@@ -0,0 +1,39 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { AccountEntity } from "@azure/msal-common/node";
/**
* Interface that defines getter methods to get keys used to identity data in the cache
* @public
*/
export interface IPartitionManager {
/**
* This function should return the correct key from which to read
* the specific user's information from cache.
*
* Example: Your application may be partitioning the user's cache
* information for each user using the homeAccountId and thus
* this function would return the homeAccountId for
* the user in question
*
* @returns Promise<string>
*/
getKey(): Promise<string>;
/**
* This function should return the correct key being used to save each
* user's cache information to cache - given an AccountEntity
*
* Example: Your application may be partitioning the user's cache
* information for each user using the homeAccountId thus
* this function would return the homeAccountId from
* the provided AccountEntity
*
* @param accountEntity - AccountEntity
* @returns Promise<string>
*/
extractKey(accountEntity: AccountEntity): Promise<string>;
}
node_modules/@azure/msal-node/src/cache/serializer/Deserializer.ts
Generated Vendored
+218
View File
@@ -0,0 +1,218 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AccountCache,
IdTokenCache,
AccessTokenCache,
RefreshTokenCache,
AppMetadataCache,
AccountEntity,
IdTokenEntity,
AccessTokenEntity,
RefreshTokenEntity,
CacheManager,
CredentialType,
AuthenticationScheme,
} from "@azure/msal-common/node";
import {
JsonCache,
InMemoryCache,
SerializedAccountEntity,
SerializedIdTokenEntity,
SerializedAccessTokenEntity,
SerializedRefreshTokenEntity,
SerializedAppMetadataEntity,
} from "./SerializerTypes.js";
/**
* This class deserializes cache entities read from the file into in-memory object types defined internally
* @internal
*/
export class Deserializer {
/**
* Parse the JSON blob in memory and deserialize the content
* @param cachedJson - JSON blob cache
*/
static deserializeJSONBlob(jsonFile: string): JsonCache {
const deserializedCache = !jsonFile ? {} : JSON.parse(jsonFile);
return deserializedCache;
}
/**
* Deserializes accounts to AccountEntity objects
* @param accounts - accounts of type SerializedAccountEntity
*/
static deserializeAccounts(
accounts: Record<string, SerializedAccountEntity>
): AccountCache {
const accountObjects: AccountCache = {};
if (accounts) {
Object.keys(accounts).map(function (key) {
const serializedAcc = accounts[key];
const mappedAcc = {
homeAccountId: serializedAcc.home_account_id,
environment: serializedAcc.environment,
realm: serializedAcc.realm,
localAccountId: serializedAcc.local_account_id,
username: serializedAcc.username,
authorityType: serializedAcc.authority_type,
name: serializedAcc.name,
clientInfo: serializedAcc.client_info,
lastModificationTime: serializedAcc.last_modification_time,
lastModificationApp: serializedAcc.last_modification_app,
tenantProfiles: serializedAcc.tenantProfiles?.map(
(serializedTenantProfile) => {
return JSON.parse(serializedTenantProfile);
}
),
};
const account: AccountEntity = new AccountEntity();
CacheManager.toObject(account, mappedAcc);
accountObjects[key] = account;
});
}
return accountObjects;
}
/**
* Deserializes id tokens to IdTokenEntity objects
* @param idTokens - credentials of type SerializedIdTokenEntity
*/
static deserializeIdTokens(
idTokens: Record<string, SerializedIdTokenEntity>
): IdTokenCache {
const idObjects: IdTokenCache = {};
if (idTokens) {
Object.keys(idTokens).map(function (key) {
const serializedIdT = idTokens[key];
const idToken: IdTokenEntity = {
homeAccountId: serializedIdT.home_account_id,
environment: serializedIdT.environment,
credentialType:
serializedIdT.credential_type as CredentialType,
clientId: serializedIdT.client_id,
secret: serializedIdT.secret,
realm: serializedIdT.realm,
};
idObjects[key] = idToken;
});
}
return idObjects;
}
/**
* Deserializes access tokens to AccessTokenEntity objects
* @param accessTokens - access tokens of type SerializedAccessTokenEntity
*/
static deserializeAccessTokens(
accessTokens: Record<string, SerializedAccessTokenEntity>
): AccessTokenCache {
const atObjects: AccessTokenCache = {};
if (accessTokens) {
Object.keys(accessTokens).map(function (key) {
const serializedAT = accessTokens[key];
const accessToken: AccessTokenEntity = {
homeAccountId: serializedAT.home_account_id,
environment: serializedAT.environment,
credentialType:
serializedAT.credential_type as CredentialType,
clientId: serializedAT.client_id,
secret: serializedAT.secret,
realm: serializedAT.realm,
target: serializedAT.target,
cachedAt: serializedAT.cached_at,
expiresOn: serializedAT.expires_on,
extendedExpiresOn: serializedAT.extended_expires_on,
refreshOn: serializedAT.refresh_on,
keyId: serializedAT.key_id,
tokenType: serializedAT.token_type as AuthenticationScheme,
requestedClaims: serializedAT.requestedClaims,
requestedClaimsHash: serializedAT.requestedClaimsHash,
userAssertionHash: serializedAT.userAssertionHash,
};
atObjects[key] = accessToken;
});
}
return atObjects;
}
/**
* Deserializes refresh tokens to RefreshTokenEntity objects
* @param refreshTokens - refresh tokens of type SerializedRefreshTokenEntity
*/
static deserializeRefreshTokens(
refreshTokens: Record<string, SerializedRefreshTokenEntity>
): RefreshTokenCache {
const rtObjects: RefreshTokenCache = {};
if (refreshTokens) {
Object.keys(refreshTokens).map(function (key) {
const serializedRT = refreshTokens[key];
const refreshToken: RefreshTokenEntity = {
homeAccountId: serializedRT.home_account_id,
environment: serializedRT.environment,
credentialType:
serializedRT.credential_type as CredentialType,
clientId: serializedRT.client_id,
secret: serializedRT.secret,
familyId: serializedRT.family_id,
target: serializedRT.target,
realm: serializedRT.realm,
};
rtObjects[key] = refreshToken;
});
}
return rtObjects;
}
/**
* Deserializes appMetadata to AppMetaData objects
* @param appMetadata - app metadata of type SerializedAppMetadataEntity
*/
static deserializeAppMetadata(
appMetadata: Record<string, SerializedAppMetadataEntity>
): AppMetadataCache {
const appMetadataObjects: AppMetadataCache = {};
if (appMetadata) {
Object.keys(appMetadata).map(function (key) {
const serializedAmdt = appMetadata[key];
appMetadataObjects[key] = {
clientId: serializedAmdt.client_id,
environment: serializedAmdt.environment,
familyId: serializedAmdt.family_id,
};
});
}
return appMetadataObjects;
}
/**
* Deserialize an inMemory Cache
* @param jsonCache - JSON blob cache
*/
static deserializeAllCache(jsonCache: JsonCache): InMemoryCache {
return {
accounts: jsonCache.Account
? this.deserializeAccounts(jsonCache.Account)
: {},
idTokens: jsonCache.IdToken
? this.deserializeIdTokens(jsonCache.IdToken)
: {},
accessTokens: jsonCache.AccessToken
? this.deserializeAccessTokens(jsonCache.AccessToken)
: {},
refreshTokens: jsonCache.RefreshToken
? this.deserializeRefreshTokens(jsonCache.RefreshToken)
: {},
appMetadata: jsonCache.AppMetadata
? this.deserializeAppMetadata(jsonCache.AppMetadata)
: {},
};
}
}
node_modules/@azure/msal-node/src/cache/serializer/Serializer.ts
Generated Vendored
+182
View File
@@ -0,0 +1,182 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AccountCache,
IdTokenCache,
AccessTokenCache,
RefreshTokenCache,
AppMetadataCache,
} from "@azure/msal-common/node";
import {
InMemoryCache,
JsonCache,
SerializedAccountEntity,
SerializedIdTokenEntity,
SerializedAccessTokenEntity,
SerializedRefreshTokenEntity,
SerializedAppMetadataEntity,
} from "./SerializerTypes.js";
/**
* This class serializes cache entities to be saved into in-memory object types defined internally
* @internal
*/
export class Serializer {
/**
* serialize the JSON blob
* @param data - JSON blob cache
*/
static serializeJSONBlob(data: JsonCache): string {
return JSON.stringify(data);
}
/**
* Serialize Accounts
* @param accCache - cache of accounts
*/
static serializeAccounts(
accCache: AccountCache
): Record<string, SerializedAccountEntity> {
const accounts: Record<string, SerializedAccountEntity> = {};
Object.keys(accCache).map(function (key) {
const accountEntity = accCache[key];
accounts[key] = {
home_account_id: accountEntity.homeAccountId,
environment: accountEntity.environment,
realm: accountEntity.realm,
local_account_id: accountEntity.localAccountId,
username: accountEntity.username,
authority_type: accountEntity.authorityType,
name: accountEntity.name,
client_info: accountEntity.clientInfo,
last_modification_time: accountEntity.lastModificationTime,
last_modification_app: accountEntity.lastModificationApp,
tenantProfiles: accountEntity.tenantProfiles?.map(
(tenantProfile) => {
return JSON.stringify(tenantProfile);
}
),
};
});
return accounts;
}
/**
* Serialize IdTokens
* @param idTCache - cache of ID tokens
*/
static serializeIdTokens(
idTCache: IdTokenCache
): Record<string, SerializedIdTokenEntity> {
const idTokens: Record<string, SerializedIdTokenEntity> = {};
Object.keys(idTCache).map(function (key) {
const idTEntity = idTCache[key];
idTokens[key] = {
home_account_id: idTEntity.homeAccountId,
environment: idTEntity.environment,
credential_type: idTEntity.credentialType,
client_id: idTEntity.clientId,
secret: idTEntity.secret,
realm: idTEntity.realm,
};
});
return idTokens;
}
/**
* Serializes AccessTokens
* @param atCache - cache of access tokens
*/
static serializeAccessTokens(
atCache: AccessTokenCache
): Record<string, SerializedAccessTokenEntity> {
const accessTokens: Record<string, SerializedAccessTokenEntity> = {};
Object.keys(atCache).map(function (key) {
const atEntity = atCache[key];
accessTokens[key] = {
home_account_id: atEntity.homeAccountId,
environment: atEntity.environment,
credential_type: atEntity.credentialType,
client_id: atEntity.clientId,
secret: atEntity.secret,
realm: atEntity.realm,
target: atEntity.target,
cached_at: atEntity.cachedAt,
expires_on: atEntity.expiresOn,
extended_expires_on: atEntity.extendedExpiresOn,
refresh_on: atEntity.refreshOn,
key_id: atEntity.keyId,
token_type: atEntity.tokenType,
requestedClaims: atEntity.requestedClaims,
requestedClaimsHash: atEntity.requestedClaimsHash,
userAssertionHash: atEntity.userAssertionHash,
};
});
return accessTokens;
}
/**
* Serialize refreshTokens
* @param rtCache - cache of refresh tokens
*/
static serializeRefreshTokens(
rtCache: RefreshTokenCache
): Record<string, SerializedRefreshTokenEntity> {
const refreshTokens: Record<string, SerializedRefreshTokenEntity> = {};
Object.keys(rtCache).map(function (key) {
const rtEntity = rtCache[key];
refreshTokens[key] = {
home_account_id: rtEntity.homeAccountId,
environment: rtEntity.environment,
credential_type: rtEntity.credentialType,
client_id: rtEntity.clientId,
secret: rtEntity.secret,
family_id: rtEntity.familyId,
target: rtEntity.target,
realm: rtEntity.realm,
};
});
return refreshTokens;
}
/**
* Serialize amdtCache
* @param amdtCache - cache of app metadata
*/
static serializeAppMetadata(
amdtCache: AppMetadataCache
): Record<string, SerializedAppMetadataEntity> {
const appMetadata: Record<string, SerializedAppMetadataEntity> = {};
Object.keys(amdtCache).map(function (key) {
const amdtEntity = amdtCache[key];
appMetadata[key] = {
client_id: amdtEntity.clientId,
environment: amdtEntity.environment,
family_id: amdtEntity.familyId,
};
});
return appMetadata;
}
/**
* Serialize the cache
* @param inMemCache - itemised cache read from the JSON
*/
static serializeAllCache(inMemCache: InMemoryCache): JsonCache {
return {
Account: this.serializeAccounts(inMemCache.accounts),
IdToken: this.serializeIdTokens(inMemCache.idTokens),
AccessToken: this.serializeAccessTokens(inMemCache.accessTokens),
RefreshToken: this.serializeRefreshTokens(inMemCache.refreshTokens),
AppMetadata: this.serializeAppMetadata(inMemCache.appMetadata),
};
}
}
node_modules/@azure/msal-node/src/cache/serializer/SerializerTypes.ts
Generated Vendored
+122
View File
@@ -0,0 +1,122 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AccountCache,
IdTokenCache,
AccessTokenCache,
RefreshTokenCache,
AppMetadataCache,
ValidCacheType,
} from "@azure/msal-common/node";
/**
* Key value store for in-memory cache
* @public
*/
export type CacheKVStore = Record<string, ValidCacheType>;
/**
* Cache format read from the cache blob provided to the configuration during app instantiation
* @public
*/
export type JsonCache = {
Account: Record<string, SerializedAccountEntity>;
IdToken: Record<string, SerializedIdTokenEntity>;
AccessToken: Record<string, SerializedAccessTokenEntity>;
RefreshToken: Record<string, SerializedRefreshTokenEntity>;
AppMetadata: Record<string, SerializedAppMetadataEntity>;
};
/**
* Intermittent type to handle in-memory data objects with defined types
* @public
*/
export type InMemoryCache = {
accounts: AccountCache;
idTokens: IdTokenCache;
accessTokens: AccessTokenCache;
refreshTokens: RefreshTokenCache;
appMetadata: AppMetadataCache;
};
/**
* Account type
* @public
*/
export type SerializedAccountEntity = {
home_account_id: string;
environment: string;
realm: string;
local_account_id: string;
username: string;
authority_type: string;
name?: string;
client_info?: string;
last_modification_time?: string;
last_modification_app?: string;
tenantProfiles?: string[];
};
/**
* Idtoken credential type
* @public
*/
export type SerializedIdTokenEntity = {
home_account_id: string;
environment: string;
credential_type: string;
client_id: string;
secret: string;
realm: string;
};
/**
* Access token credential type
* @public
*/
export type SerializedAccessTokenEntity = {
home_account_id: string;
environment: string;
credential_type: string;
client_id: string;
secret: string;
realm: string;
target: string;
cached_at: string;
expires_on: string;
extended_expires_on?: string;
refresh_on?: string;
key_id?: string;
token_type?: string;
requestedClaims?: string;
requestedClaimsHash?: string;
userAssertionHash?: string;
};
/**
* Refresh token credential type
* @public
*/
export type SerializedRefreshTokenEntity = {
home_account_id: string;
environment: string;
credential_type: string;
client_id: string;
secret: string;
family_id?: string;
target?: string;
realm?: string;
};
/**
* AppMetadata type
* @public
*/
export type SerializedAppMetadataEntity = {
client_id: string;
environment: string;
family_id?: string;
};
node_modules/@azure/msal-node/src/client/ClientApplication.ts
Generated Vendored
+624
View File
@@ -0,0 +1,624 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AuthorizationCodeClient,
ClientConfiguration,
RefreshTokenClient,
AuthenticationResult,
Authority,
AuthorityFactory,
BaseAuthRequest,
SilentFlowClient,
Logger,
ServerTelemetryManager,
ServerTelemetryRequest,
CommonSilentFlowRequest,
CommonRefreshTokenRequest,
CommonAuthorizationCodeRequest,
CommonAuthorizationUrlRequest,
CommonUsernamePasswordRequest,
AuthenticationScheme,
ResponseMode,
AuthorityOptions,
OIDC_DEFAULT_SCOPES,
AzureRegionConfiguration,
AuthError,
AzureCloudOptions,
AuthorizationCodePayload,
Constants,
StringUtils,
createClientAuthError,
ClientAuthErrorCodes,
buildStaticAuthorityOptions,
ClientAssertion as ClientAssertionType,
getClientAssertion,
ClientAssertionCallback,
} from "@azure/msal-common/node";
import {
Configuration,
buildAppConfiguration,
NodeConfiguration,
} from "../config/Configuration.js";
import { CryptoProvider } from "../crypto/CryptoProvider.js";
import { NodeStorage } from "../cache/NodeStorage.js";
import { Constants as NodeConstants, ApiId } from "../utils/Constants.js";
import { TokenCache } from "../cache/TokenCache.js";
import { ClientAssertion } from "./ClientAssertion.js";
import { AuthorizationUrlRequest } from "../request/AuthorizationUrlRequest.js";
import { AuthorizationCodeRequest } from "../request/AuthorizationCodeRequest.js";
import { RefreshTokenRequest } from "../request/RefreshTokenRequest.js";
import { SilentFlowRequest } from "../request/SilentFlowRequest.js";
import { version, name } from "../packageMetadata.js";
import { UsernamePasswordRequest } from "../request/UsernamePasswordRequest.js";
import { NodeAuthError } from "../error/NodeAuthError.js";
import { UsernamePasswordClient } from "./UsernamePasswordClient.js";
/**
* Base abstract class for all ClientApplications - public and confidential
* @public
*/
export abstract class ClientApplication {
protected readonly cryptoProvider: CryptoProvider;
private tokenCache: TokenCache;
/**
* Platform storage object
*/
protected storage: NodeStorage;
/**
* Logger object to log the application flow
*/
protected logger: Logger;
/**
* Platform configuration initialized by the application
*/
protected config: NodeConfiguration;
/**
* Client assertion passed by the user for confidential client flows
*/
protected clientAssertion: ClientAssertion;
protected developerProvidedClientAssertion:
| string
| ClientAssertionCallback;
/**
* Client secret passed by the user for confidential client flows
*/
protected clientSecret: string;
/**
* Constructor for the ClientApplication
*/
protected constructor(configuration: Configuration) {
this.config = buildAppConfiguration(configuration);
this.cryptoProvider = new CryptoProvider();
this.logger = new Logger(
this.config.system.loggerOptions,
name,
version
);
this.storage = new NodeStorage(
this.logger,
this.config.auth.clientId,
this.cryptoProvider,
buildStaticAuthorityOptions(this.config.auth)
);
this.tokenCache = new TokenCache(
this.storage,
this.logger,
this.config.cache.cachePlugin
);
}
/**
* Creates the URL of the authorization request, letting the user input credentials and consent to the
* application. The URL targets the /authorize endpoint of the authority configured in the
* application object.
*
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
* `acquireTokenByCode(AuthorizationCodeRequest)`.
*/
async getAuthCodeUrl(request: AuthorizationUrlRequest): Promise<string> {
this.logger.info("getAuthCodeUrl called", request.correlationId);
const validRequest: CommonAuthorizationUrlRequest = {
...request,
...(await this.initializeBaseRequest(request)),
responseMode: request.responseMode || ResponseMode.QUERY,
authenticationScheme: AuthenticationScheme.BEARER,
};
const authClientConfig = await this.buildOauthClientConfiguration(
validRequest.authority,
validRequest.correlationId,
validRequest.redirectUri,
undefined,
undefined,
request.azureCloudOptions
);
const authorizationCodeClient = new AuthorizationCodeClient(
authClientConfig
);
this.logger.verbose(
"Auth code client created",
validRequest.correlationId
);
return authorizationCodeClient.getAuthCodeUrl(validRequest);
}
/**
* Acquires a token by exchanging the Authorization Code received from the first step of OAuth2.0
* Authorization Code flow.
*
* `getAuthCodeUrl(AuthorizationCodeUrlRequest)` can be used to create the URL for the first step of OAuth2.0
* Authorization Code flow. Ensure that values for redirectUri and scopes in AuthorizationCodeUrlRequest and
* AuthorizationCodeRequest are the same.
*/
async acquireTokenByCode(
request: AuthorizationCodeRequest,
authCodePayLoad?: AuthorizationCodePayload
): Promise<AuthenticationResult> {
this.logger.info("acquireTokenByCode called");
if (request.state && authCodePayLoad) {
this.logger.info("acquireTokenByCode - validating state");
this.validateState(request.state, authCodePayLoad.state || "");
// eslint-disable-next-line no-param-reassign
authCodePayLoad = { ...authCodePayLoad, state: "" };
}
const validRequest: CommonAuthorizationCodeRequest = {
...request,
...(await this.initializeBaseRequest(request)),
authenticationScheme: AuthenticationScheme.BEARER,
};
const serverTelemetryManager = this.initializeServerTelemetryManager(
ApiId.acquireTokenByCode,
validRequest.correlationId
);
try {
const authClientConfig = await this.buildOauthClientConfiguration(
validRequest.authority,
validRequest.correlationId,
validRequest.redirectUri,
serverTelemetryManager,
undefined,
request.azureCloudOptions
);
const authorizationCodeClient = new AuthorizationCodeClient(
authClientConfig
);
this.logger.verbose(
"Auth code client created",
validRequest.correlationId
);
return await authorizationCodeClient.acquireToken(
validRequest,
authCodePayLoad
);
} catch (e) {
if (e instanceof AuthError) {
e.setCorrelationId(validRequest.correlationId);
}
serverTelemetryManager.cacheFailedRequest(e);
throw e;
}
}
/**
* Acquires a token by exchanging the refresh token provided for a new set of tokens.
*
* This API is provided only for scenarios where you would like to migrate from ADAL to MSAL. Otherwise, it is
* recommended that you use `acquireTokenSilent()` for silent scenarios. When using `acquireTokenSilent()`, MSAL will
* handle the caching and refreshing of tokens automatically.
*/
async acquireTokenByRefreshToken(
request: RefreshTokenRequest
): Promise<AuthenticationResult | null> {
this.logger.info(
"acquireTokenByRefreshToken called",
request.correlationId
);
const validRequest: CommonRefreshTokenRequest = {
...request,
...(await this.initializeBaseRequest(request)),
authenticationScheme: AuthenticationScheme.BEARER,
};
const serverTelemetryManager = this.initializeServerTelemetryManager(
ApiId.acquireTokenByRefreshToken,
validRequest.correlationId
);
try {
const refreshTokenClientConfig =
await this.buildOauthClientConfiguration(
validRequest.authority,
validRequest.correlationId,
validRequest.redirectUri || "",
serverTelemetryManager,
undefined,
request.azureCloudOptions
);
const refreshTokenClient = new RefreshTokenClient(
refreshTokenClientConfig
);
this.logger.verbose(
"Refresh token client created",
validRequest.correlationId
);
return await refreshTokenClient.acquireToken(validRequest);
} catch (e) {
if (e instanceof AuthError) {
e.setCorrelationId(validRequest.correlationId);
}
serverTelemetryManager.cacheFailedRequest(e);
throw e;
}
}
/**
* Acquires a token silently when a user specifies the account the token is requested for.
*
* This API expects the user to provide an account object and looks into the cache to retrieve the token if present.
* There is also an optional "forceRefresh" boolean the user can send to bypass the cache for access_token and id_token.
* In case the refresh_token is expired or not found, an error is thrown
* and the guidance is for the user to call any interactive token acquisition API (eg: `acquireTokenByCode()`).
*/
async acquireTokenSilent(
request: SilentFlowRequest
): Promise<AuthenticationResult> {
const validRequest: CommonSilentFlowRequest = {
...request,
...(await this.initializeBaseRequest(request)),
forceRefresh: request.forceRefresh || false,
};
const serverTelemetryManager = this.initializeServerTelemetryManager(
ApiId.acquireTokenSilent,
validRequest.correlationId,
validRequest.forceRefresh
);
try {
const silentFlowClientConfig =
await this.buildOauthClientConfiguration(
validRequest.authority,
validRequest.correlationId,
validRequest.redirectUri || "",
serverTelemetryManager,
undefined,
request.azureCloudOptions
);
const silentFlowClient = new SilentFlowClient(
silentFlowClientConfig
);
this.logger.verbose(
"Silent flow client created",
validRequest.correlationId
);
return await silentFlowClient.acquireToken(validRequest);
} catch (e) {
if (e instanceof AuthError) {
e.setCorrelationId(validRequest.correlationId);
}
serverTelemetryManager.cacheFailedRequest(e as AuthError);
throw e;
}
}
/**
* Acquires tokens with password grant by exchanging client applications username and password for credentials
*
* The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely.
* More details on this recommendation at https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.4
* Microsoft's documentation and recommendations are at:
* https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#usernamepassword
*
* @param request - UsenamePasswordRequest
*/
async acquireTokenByUsernamePassword(
request: UsernamePasswordRequest
): Promise<AuthenticationResult | null> {
this.logger.info(
"acquireTokenByUsernamePassword called",
request.correlationId
);
const validRequest: CommonUsernamePasswordRequest = {
...request,
...(await this.initializeBaseRequest(request)),
};
const serverTelemetryManager = this.initializeServerTelemetryManager(
ApiId.acquireTokenByUsernamePassword,
validRequest.correlationId
);
try {
const usernamePasswordClientConfig =
await this.buildOauthClientConfiguration(
validRequest.authority,
validRequest.correlationId,
"",
serverTelemetryManager,
undefined,
request.azureCloudOptions
);
const usernamePasswordClient = new UsernamePasswordClient(
usernamePasswordClientConfig
);
this.logger.verbose(
"Username password client created",
validRequest.correlationId
);
return await usernamePasswordClient.acquireToken(validRequest);
} catch (e) {
if (e instanceof AuthError) {
e.setCorrelationId(validRequest.correlationId);
}
serverTelemetryManager.cacheFailedRequest(e);
throw e;
}
}
/**
* Gets the token cache for the application.
*/
getTokenCache(): TokenCache {
this.logger.info("getTokenCache called");
return this.tokenCache;
}
/**
* Validates OIDC state by comparing the user cached state with the state received from the server.
*
* This API is provided for scenarios where you would use OAuth2.0 state parameter to mitigate against
* CSRF attacks.
* For more information about state, visit https://datatracker.ietf.org/doc/html/rfc6819#section-3.6.
* @param state - Unique GUID generated by the user that is cached by the user and sent to the server during the first leg of the flow
* @param cachedState - This string is sent back by the server with the authorization code
*/
protected validateState(state: string, cachedState: string): void {
if (!state) {
throw NodeAuthError.createStateNotFoundError();
}
if (state !== cachedState) {
throw createClientAuthError(ClientAuthErrorCodes.stateMismatch);
}
}
/**
* Returns the logger instance
*/
getLogger(): Logger {
return this.logger;
}
/**
* Replaces the default logger set in configurations with new Logger with new configurations
* @param logger - Logger instance
*/
setLogger(logger: Logger): void {
this.logger = logger;
}
/**
* Builds the common configuration to be passed to the common component based on the platform configurarion
* @param authority - user passed authority in configuration
* @param serverTelemetryManager - initializes servertelemetry if passed
*/
protected async buildOauthClientConfiguration(
authority: string,
requestCorrelationId: string,
redirectUri: string,
serverTelemetryManager?: ServerTelemetryManager,
azureRegionConfiguration?: AzureRegionConfiguration,
azureCloudOptions?: AzureCloudOptions
): Promise<ClientConfiguration> {
this.logger.verbose(
"buildOauthClientConfiguration called",
requestCorrelationId
);
// precedence - azureCloudInstance + tenant >> authority and request >> config
const userAzureCloudOptions = azureCloudOptions
? azureCloudOptions
: this.config.auth.azureCloudOptions;
// using null assertion operator as we ensure that all config values have default values in buildConfiguration()
const discoveredAuthority = await this.createAuthority(
authority,
requestCorrelationId,
azureRegionConfiguration,
userAzureCloudOptions
);
this.logger.info(
`Building oauth client configuration with the following authority: ${discoveredAuthority.tokenEndpoint}.`,
requestCorrelationId
);
serverTelemetryManager?.updateRegionDiscoveryMetadata(
discoveredAuthority.regionDiscoveryMetadata
);
const clientConfiguration: ClientConfiguration = {
authOptions: {
clientId: this.config.auth.clientId,
authority: discoveredAuthority,
clientCapabilities: this.config.auth.clientCapabilities,
redirectUri,
},
loggerOptions: {
logLevel: this.config.system.loggerOptions.logLevel,
loggerCallback: this.config.system.loggerOptions.loggerCallback,
piiLoggingEnabled:
this.config.system.loggerOptions.piiLoggingEnabled,
correlationId: requestCorrelationId,
},
cacheOptions: {
claimsBasedCachingEnabled:
this.config.cache.claimsBasedCachingEnabled,
},
cryptoInterface: this.cryptoProvider,
networkInterface: this.config.system.networkClient,
storageInterface: this.storage,
serverTelemetryManager: serverTelemetryManager,
clientCredentials: {
clientSecret: this.clientSecret,
clientAssertion: await this.getClientAssertion(
discoveredAuthority
),
},
libraryInfo: {
sku: NodeConstants.MSAL_SKU,
version: version,
cpu: process.arch || Constants.EMPTY_STRING,
os: process.platform || Constants.EMPTY_STRING,
},
telemetry: this.config.telemetry,
persistencePlugin: this.config.cache.cachePlugin,
serializableCache: this.tokenCache,
};
return clientConfiguration;
}
private async getClientAssertion(
authority: Authority
): Promise<ClientAssertionType> {
if (this.developerProvidedClientAssertion) {
this.clientAssertion = ClientAssertion.fromAssertion(
await getClientAssertion(
this.developerProvidedClientAssertion,
this.config.auth.clientId,
authority.tokenEndpoint
)
);
}
return (
this.clientAssertion && {
assertion: this.clientAssertion.getJwt(
this.cryptoProvider,
this.config.auth.clientId,
authority.tokenEndpoint
),
assertionType: NodeConstants.JWT_BEARER_ASSERTION_TYPE,
}
);
}
/**
* Generates a request with the default scopes & generates a correlationId.
* @param authRequest - BaseAuthRequest for initialization
*/
protected async initializeBaseRequest(
authRequest: Partial<BaseAuthRequest>
): Promise<BaseAuthRequest> {
this.logger.verbose(
"initializeRequestScopes called",
authRequest.correlationId
);
// Default authenticationScheme to Bearer, log that POP isn't supported yet
if (
authRequest.authenticationScheme &&
authRequest.authenticationScheme === AuthenticationScheme.POP
) {
this.logger.verbose(
"Authentication Scheme 'pop' is not supported yet, setting Authentication Scheme to 'Bearer' for request",
authRequest.correlationId
);
}
authRequest.authenticationScheme = AuthenticationScheme.BEARER;
// Set requested claims hash if claims-based caching is enabled and claims were requested
if (
this.config.cache.claimsBasedCachingEnabled &&
authRequest.claims &&
// Checks for empty stringified object "{}" which doesn't qualify as requested claims
!StringUtils.isEmptyObj(authRequest.claims)
) {
authRequest.requestedClaimsHash =
await this.cryptoProvider.hashString(authRequest.claims);
}
return {
...authRequest,
scopes: [
...((authRequest && authRequest.scopes) || []),
...OIDC_DEFAULT_SCOPES,
],
correlationId:
(authRequest && authRequest.correlationId) ||
this.cryptoProvider.createNewGuid(),
authority: authRequest.authority || this.config.auth.authority,
};
}
/**
* Initializes the server telemetry payload
* @param apiId - Id for a specific request
* @param correlationId - GUID
* @param forceRefresh - boolean to indicate network call
*/
protected initializeServerTelemetryManager(
apiId: number,
correlationId: string,
forceRefresh?: boolean
): ServerTelemetryManager {
const telemetryPayload: ServerTelemetryRequest = {
clientId: this.config.auth.clientId,
correlationId: correlationId,
apiId: apiId,
forceRefresh: forceRefresh || false,
};
return new ServerTelemetryManager(telemetryPayload, this.storage);
}
/**
* Create authority instance. If authority not passed in request, default to authority set on the application
* object. If no authority set in application object, then default to common authority.
* @param authorityString - authority from user configuration
*/
private async createAuthority(
authorityString: string,
requestCorrelationId: string,
azureRegionConfiguration?: AzureRegionConfiguration,
azureCloudOptions?: AzureCloudOptions
): Promise<Authority> {
this.logger.verbose("createAuthority called", requestCorrelationId);
// build authority string based on auth params - azureCloudInstance is prioritized if provided
const authorityUrl = Authority.generateAuthority(
authorityString,
azureCloudOptions
);
const authorityOptions: AuthorityOptions = {
protocolMode: this.config.auth.protocolMode,
knownAuthorities: this.config.auth.knownAuthorities,
cloudDiscoveryMetadata: this.config.auth.cloudDiscoveryMetadata,
authorityMetadata: this.config.auth.authorityMetadata,
azureRegionConfiguration,
skipAuthorityMetadataCache:
this.config.auth.skipAuthorityMetadataCache,
};
return AuthorityFactory.createDiscoveredInstance(
authorityUrl,
this.config.system.networkClient,
this.storage,
authorityOptions,
this.logger,
requestCorrelationId
);
}
/**
* Clear the cache
*/
clearCache(): void {
this.storage.clear();
}
}
node_modules/@azure/msal-node/src/client/ClientAssertion.ts
Generated Vendored
+202
View File
@@ -0,0 +1,202 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import jwt from "jsonwebtoken";
import {
TimeUtils,
Constants,
createClientAuthError,
ClientAuthErrorCodes,
} from "@azure/msal-common/node";
import { CryptoProvider } from "../crypto/CryptoProvider.js";
import { EncodingUtils } from "../utils/EncodingUtils.js";
import { JwtConstants } from "../utils/Constants.js";
/**
* Client assertion of type jwt-bearer used in confidential client flows
* @public
*/
export class ClientAssertion {
private jwt: string;
private privateKey: string;
private thumbprint: string;
private useSha256: boolean;
private expirationTime: number;
private issuer: string;
private jwtAudience: string;
private publicCertificate: Array<string>;
/**
* Initialize the ClientAssertion class from the clientAssertion passed by the user
* @param assertion - refer https://tools.ietf.org/html/rfc7521
*/
public static fromAssertion(assertion: string): ClientAssertion {
const clientAssertion = new ClientAssertion();
clientAssertion.jwt = assertion;
return clientAssertion;
}
/**
* @deprecated Use fromCertificateWithSha256Thumbprint instead, with a SHA-256 thumprint
* Initialize the ClientAssertion class from the certificate passed by the user
* @param thumbprint - identifier of a certificate
* @param privateKey - secret key
* @param publicCertificate - electronic document provided to prove the ownership of the public key
*/
public static fromCertificate(
thumbprint: string,
privateKey: string,
publicCertificate?: string
): ClientAssertion {
const clientAssertion = new ClientAssertion();
clientAssertion.privateKey = privateKey;
clientAssertion.thumbprint = thumbprint;
clientAssertion.useSha256 = false;
if (publicCertificate) {
clientAssertion.publicCertificate =
this.parseCertificate(publicCertificate);
}
return clientAssertion;
}
/**
* Initialize the ClientAssertion class from the certificate passed by the user
* @param thumbprint - identifier of a certificate
* @param privateKey - secret key
* @param publicCertificate - electronic document provided to prove the ownership of the public key
*/
public static fromCertificateWithSha256Thumbprint(
thumbprint: string,
privateKey: string,
publicCertificate?: string
): ClientAssertion {
const clientAssertion = new ClientAssertion();
clientAssertion.privateKey = privateKey;
clientAssertion.thumbprint = thumbprint;
clientAssertion.useSha256 = true;
if (publicCertificate) {
clientAssertion.publicCertificate =
this.parseCertificate(publicCertificate);
}
return clientAssertion;
}
/**
* Update JWT for certificate based clientAssertion, if passed by the user, uses it as is
* @param cryptoProvider - library's crypto helper
* @param issuer - iss claim
* @param jwtAudience - aud claim
*/
public getJwt(
cryptoProvider: CryptoProvider,
issuer: string,
jwtAudience: string
): string {
// if assertion was created from certificate, check if jwt is expired and create new one.
if (this.privateKey && this.thumbprint) {
if (
this.jwt &&
!this.isExpired() &&
issuer === this.issuer &&
jwtAudience === this.jwtAudience
) {
return this.jwt;
}
return this.createJwt(cryptoProvider, issuer, jwtAudience);
}
/*
* if assertion was created by caller, then we just append it. It is up to the caller to
* ensure that it contains necessary claims and that it is not expired.
*/
if (this.jwt) {
return this.jwt;
}
throw createClientAuthError(ClientAuthErrorCodes.invalidAssertion);
}
/**
* JWT format and required claims specified: https://tools.ietf.org/html/rfc7523#section-3
*/
private createJwt(
cryptoProvider: CryptoProvider,
issuer: string,
jwtAudience: string
): string {
this.issuer = issuer;
this.jwtAudience = jwtAudience;
const issuedAt = TimeUtils.nowSeconds();
this.expirationTime = issuedAt + 600;
const algorithm = this.useSha256
? JwtConstants.PSS_256
: JwtConstants.RSA_256;
const header: jwt.JwtHeader = {
alg: algorithm,
};
const thumbprintHeader = this.useSha256
? JwtConstants.X5T_256
: JwtConstants.X5T;
Object.assign(header, {
[thumbprintHeader]: EncodingUtils.base64EncodeUrl(
this.thumbprint,
"hex"
),
} as Partial<jwt.JwtHeader>);
if (this.publicCertificate) {
Object.assign(header, {
[JwtConstants.X5C]: this.publicCertificate,
} as Partial<jwt.JwtHeader>);
}
const payload = {
[JwtConstants.AUDIENCE]: this.jwtAudience,
[JwtConstants.EXPIRATION_TIME]: this.expirationTime,
[JwtConstants.ISSUER]: this.issuer,
[JwtConstants.SUBJECT]: this.issuer,
[JwtConstants.NOT_BEFORE]: issuedAt,
[JwtConstants.JWT_ID]: cryptoProvider.createNewGuid(),
};
this.jwt = jwt.sign(payload, this.privateKey, { header });
return this.jwt;
}
/**
* Utility API to check expiration
*/
private isExpired(): boolean {
return this.expirationTime < TimeUtils.nowSeconds();
}
/**
* Extracts the raw certs from a given certificate string and returns them in an array.
* @param publicCertificate - electronic document provided to prove the ownership of the public key
*/
public static parseCertificate(publicCertificate: string): Array<string> {
/**
* This is regex to identify the certs in a given certificate string.
* We want to look for the contents between the BEGIN and END certificate strings, without the associated newlines.
* The information in parens "(.+?)" is the capture group to represent the cert we want isolated.
* "." means any string character, "+" means match 1 or more times, and "?" means the shortest match.
* The "g" at the end of the regex means search the string globally, and the "s" enables the "." to match newlines.
*/
const regexToFindCerts =
/-----BEGIN CERTIFICATE-----\r*\n(.+?)\r*\n-----END CERTIFICATE-----/gs;
const certs: string[] = [];
let matches;
while ((matches = regexToFindCerts.exec(publicCertificate)) !== null) {
// matches[1] represents the first parens capture group in the regex.
certs.push(matches[1].replace(/\r*\n/g, Constants.EMPTY_STRING));
}
return certs;
}
}
node_modules/@azure/msal-node/src/client/ClientCredentialClient.ts
Generated Vendored
+400
View File
@@ -0,0 +1,400 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AccessTokenEntity,
AuthenticationResult,
AuthenticationScheme,
Authority,
BaseClient,
CacheManager,
CacheOutcome,
ClientAuthErrorCodes,
ClientConfiguration,
CommonClientCredentialRequest,
Constants,
CredentialFilter,
CredentialType,
DEFAULT_TOKEN_RENEWAL_OFFSET_SEC,
GrantType,
IAppTokenProvider,
ICrypto,
RequestParameterBuilder,
RequestThumbprint,
ResponseHandler,
ScopeSet,
ServerAuthorizationTokenResponse,
ServerTelemetryManager,
StringUtils,
TimeUtils,
TokenCacheContext,
UrlString,
createClientAuthError,
ClientAssertion,
getClientAssertion,
} from "@azure/msal-common/node";
import {
ManagedIdentityConfiguration,
ManagedIdentityNodeConfiguration,
} from "../config/Configuration.js";
/**
* OAuth2.0 client credential grant
* @public
*/
export class ClientCredentialClient extends BaseClient {
private readonly appTokenProvider?: IAppTokenProvider;
constructor(
configuration: ClientConfiguration,
appTokenProvider?: IAppTokenProvider
) {
super(configuration);
this.appTokenProvider = appTokenProvider;
}
/**
* Public API to acquire a token with ClientCredential Flow for Confidential clients
* @param request - CommonClientCredentialRequest provided by the developer
*/
public async acquireToken(
request: CommonClientCredentialRequest
): Promise<AuthenticationResult | null> {
if (request.skipCache || request.claims) {
return this.executeTokenRequest(request, this.authority);
}
const [cachedAuthenticationResult, lastCacheOutcome] =
await this.getCachedAuthenticationResult(
request,
this.config,
this.cryptoUtils,
this.authority,
this.cacheManager,
this.serverTelemetryManager
);
if (cachedAuthenticationResult) {
// if the token is not expired but must be refreshed; get a new one in the background
if (lastCacheOutcome === CacheOutcome.PROACTIVELY_REFRESHED) {
this.logger.info(
"ClientCredentialClient:getCachedAuthenticationResult - Cached access token's refreshOn property has been exceeded'. It's not expired, but must be refreshed."
);
// refresh the access token in the background
const refreshAccessToken = true;
await this.executeTokenRequest(
request,
this.authority,
refreshAccessToken
);
}
// return the cached token
return cachedAuthenticationResult;
} else {
return this.executeTokenRequest(request, this.authority);
}
}
/**
* looks up cache if the tokens are cached already
*/
public async getCachedAuthenticationResult(
request: CommonClientCredentialRequest,
config: ClientConfiguration | ManagedIdentityConfiguration,
cryptoUtils: ICrypto,
authority: Authority,
cacheManager: CacheManager,
serverTelemetryManager?: ServerTelemetryManager | null
): Promise<[AuthenticationResult | null, CacheOutcome]> {
const clientConfiguration = config as ClientConfiguration;
const managedIdentityConfiguration =
config as ManagedIdentityNodeConfiguration;
let lastCacheOutcome: CacheOutcome = CacheOutcome.NOT_APPLICABLE;
// read the user-supplied cache into memory, if applicable
let cacheContext;
if (
clientConfiguration.serializableCache &&
clientConfiguration.persistencePlugin
) {
cacheContext = new TokenCacheContext(
clientConfiguration.serializableCache,
false
);
await clientConfiguration.persistencePlugin.beforeCacheAccess(
cacheContext
);
}
const cachedAccessToken = this.readAccessTokenFromCache(
authority,
managedIdentityConfiguration.managedIdentityId?.id ||
clientConfiguration.authOptions.clientId,
new ScopeSet(request.scopes || []),
cacheManager
);
if (
clientConfiguration.serializableCache &&
clientConfiguration.persistencePlugin &&
cacheContext
) {
await clientConfiguration.persistencePlugin.afterCacheAccess(
cacheContext
);
}
// must refresh due to non-existent access_token
if (!cachedAccessToken) {
serverTelemetryManager?.setCacheOutcome(
CacheOutcome.NO_CACHED_ACCESS_TOKEN
);
return [null, CacheOutcome.NO_CACHED_ACCESS_TOKEN];
}
// must refresh due to the expires_in value
if (
TimeUtils.isTokenExpired(
cachedAccessToken.expiresOn,
clientConfiguration.systemOptions?.tokenRenewalOffsetSeconds ||
DEFAULT_TOKEN_RENEWAL_OFFSET_SEC
)
) {
serverTelemetryManager?.setCacheOutcome(
CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED
);
return [null, CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED];
}
// must refresh (in the background) due to the refresh_in value
if (
cachedAccessToken.refreshOn &&
TimeUtils.isTokenExpired(cachedAccessToken.refreshOn.toString(), 0)
) {
lastCacheOutcome = CacheOutcome.PROACTIVELY_REFRESHED;
serverTelemetryManager?.setCacheOutcome(
CacheOutcome.PROACTIVELY_REFRESHED
);
}
return [
await ResponseHandler.generateAuthenticationResult(
cryptoUtils,
authority,
{
account: null,
idToken: null,
accessToken: cachedAccessToken,
refreshToken: null,
appMetadata: null,
},
true,
request
),
lastCacheOutcome,
];
}
/**
* Reads access token from the cache
*/
private readAccessTokenFromCache(
authority: Authority,
id: string,
scopeSet: ScopeSet,
cacheManager: CacheManager
): AccessTokenEntity | null {
const accessTokenFilter: CredentialFilter = {
homeAccountId: Constants.EMPTY_STRING,
environment:
authority.canonicalAuthorityUrlComponents.HostNameAndPort,
credentialType: CredentialType.ACCESS_TOKEN,
clientId: id,
realm: authority.tenant,
target: ScopeSet.createSearchScopes(scopeSet.asArray()),
};
const accessTokens =
cacheManager.getAccessTokensByFilter(accessTokenFilter);
if (accessTokens.length < 1) {
return null;
} else if (accessTokens.length > 1) {
throw createClientAuthError(
ClientAuthErrorCodes.multipleMatchingTokens
);
}
return accessTokens[0] as AccessTokenEntity;
}
/**
* Makes a network call to request the token from the service
* @param request - CommonClientCredentialRequest provided by the developer
* @param authority - authority object
*/
private async executeTokenRequest(
request: CommonClientCredentialRequest,
authority: Authority,
refreshAccessToken?: boolean
): Promise<AuthenticationResult | null> {
let serverTokenResponse: ServerAuthorizationTokenResponse;
let reqTimestamp: number;
if (this.appTokenProvider) {
this.logger.info("Using appTokenProvider extensibility.");
const appTokenPropviderParameters = {
correlationId: request.correlationId,
tenantId: this.config.authOptions.authority.tenant,
scopes: request.scopes,
claims: request.claims,
};
reqTimestamp = TimeUtils.nowSeconds();
const appTokenProviderResult = await this.appTokenProvider(
appTokenPropviderParameters
);
serverTokenResponse = {
access_token: appTokenProviderResult.accessToken,
expires_in: appTokenProviderResult.expiresInSeconds,
refresh_in: appTokenProviderResult.refreshInSeconds,
token_type: AuthenticationScheme.BEARER,
};
} else {
const queryParametersString =
this.createTokenQueryParameters(request);
const endpoint = UrlString.appendQueryString(
authority.tokenEndpoint,
queryParametersString
);
const requestBody = await this.createTokenRequestBody(request);
const headers: Record<string, string> =
this.createTokenRequestHeaders();
const thumbprint: RequestThumbprint = {
clientId: this.config.authOptions.clientId,
authority: request.authority,
scopes: request.scopes,
claims: request.claims,
authenticationScheme: request.authenticationScheme,
resourceRequestMethod: request.resourceRequestMethod,
resourceRequestUri: request.resourceRequestUri,
shrClaims: request.shrClaims,
sshKid: request.sshKid,
};
this.logger.info(
"Sending token request to endpoint: " + authority.tokenEndpoint
);
reqTimestamp = TimeUtils.nowSeconds();
const response = await this.executePostToTokenEndpoint(
endpoint,
requestBody,
headers,
thumbprint,
request.correlationId
);
serverTokenResponse = response.body;
serverTokenResponse.status = response.status;
}
const responseHandler = new ResponseHandler(
this.config.authOptions.clientId,
this.cacheManager,
this.cryptoUtils,
this.logger,
this.config.serializableCache,
this.config.persistencePlugin
);
responseHandler.validateTokenResponse(
serverTokenResponse,
refreshAccessToken
);
const tokenResponse = await responseHandler.handleServerTokenResponse(
serverTokenResponse,
this.authority,
reqTimestamp,
request
);
return tokenResponse;
}
/**
* generate the request to the server in the acceptable format
* @param request - CommonClientCredentialRequest provided by the developer
*/
private async createTokenRequestBody(
request: CommonClientCredentialRequest
): Promise<string> {
const parameterBuilder = new RequestParameterBuilder();
parameterBuilder.addClientId(this.config.authOptions.clientId);
parameterBuilder.addScopes(request.scopes, false);
parameterBuilder.addGrantType(GrantType.CLIENT_CREDENTIALS_GRANT);
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
parameterBuilder.addApplicationTelemetry(
this.config.telemetry.application
);
parameterBuilder.addThrottling();
if (this.serverTelemetryManager) {
parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
}
const correlationId =
request.correlationId ||
this.config.cryptoInterface.createNewGuid();
parameterBuilder.addCorrelationId(correlationId);
if (this.config.clientCredentials.clientSecret) {
parameterBuilder.addClientSecret(
this.config.clientCredentials.clientSecret
);
}
// Use clientAssertion from request, fallback to client assertion in base configuration
const clientAssertion: ClientAssertion | undefined =
request.clientAssertion ||
this.config.clientCredentials.clientAssertion;
if (clientAssertion) {
parameterBuilder.addClientAssertion(
await getClientAssertion(
clientAssertion.assertion,
this.config.authOptions.clientId,
request.resourceRequestUri
)
);
parameterBuilder.addClientAssertionType(
clientAssertion.assertionType
);
}
if (
!StringUtils.isEmptyObj(request.claims) ||
(this.config.authOptions.clientCapabilities &&
this.config.authOptions.clientCapabilities.length > 0)
) {
parameterBuilder.addClaims(
request.claims,
this.config.authOptions.clientCapabilities
);
}
return parameterBuilder.createQueryString();
}
}
node_modules/@azure/msal-node/src/client/ConfidentialClientApplication.ts
Generated Vendored
+298
View File
@@ -0,0 +1,298 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
// AADAuthorityConstants
import { ClientApplication } from "./ClientApplication.js";
import { Configuration } from "../config/Configuration.js";
import { ClientAssertion } from "./ClientAssertion.js";
import {
Constants as NodeConstants,
ApiId,
REGION_ENVIRONMENT_VARIABLE,
MSAL_FORCE_REGION,
} from "../utils/Constants.js";
import {
CommonClientCredentialRequest,
CommonOnBehalfOfRequest,
AuthenticationResult,
AzureRegionConfiguration,
AuthError,
IAppTokenProvider,
OIDC_DEFAULT_SCOPES,
UrlString,
AADAuthorityConstants,
createClientAuthError,
ClientAuthErrorCodes,
ClientAssertion as ClientAssertionType,
getClientAssertion,
AzureRegion,
} from "@azure/msal-common/node";
import { IConfidentialClientApplication } from "./IConfidentialClientApplication.js";
import { OnBehalfOfRequest } from "../request/OnBehalfOfRequest.js";
import { ClientCredentialRequest } from "../request/ClientCredentialRequest.js";
import { ClientCredentialClient } from "./ClientCredentialClient.js";
import { OnBehalfOfClient } from "./OnBehalfOfClient.js";
/**
* This class is to be used to acquire tokens for confidential client applications (webApp, webAPI). Confidential client applications
* will configure application secrets, client certificates/assertions as applicable
* @public
*/
export class ConfidentialClientApplication
extends ClientApplication
implements IConfidentialClientApplication
{
private appTokenProvider?: IAppTokenProvider;
/**
* Constructor for the ConfidentialClientApplication
*
* Required attributes in the Configuration object are:
* - clientID: the application ID of your application. You can obtain one by registering your application with our application registration portal
* - authority: the authority URL for your application.
* - client credential: Must set either client secret, certificate, or assertion for confidential clients. You can obtain a client secret from the application registration portal.
*
* In Azure AD, authority is a URL indicating of the form https://login.microsoftonline.com/\{Enter_the_Tenant_Info_Here\}.
* If your application supports Accounts in one organizational directory, replace "Enter_the_Tenant_Info_Here" value with the Tenant Id or Tenant name (for example, contoso.microsoft.com).
* If your application supports Accounts in any organizational directory, replace "Enter_the_Tenant_Info_Here" value with organizations.
* If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace "Enter_the_Tenant_Info_Here" value with common.
* To restrict support to Personal Microsoft accounts only, replace "Enter_the_Tenant_Info_Here" value with consumers.
*
* In Azure B2C, authority is of the form https://\{instance\}/tfp/\{tenant\}/\{policyName\}/
* Full B2C functionality will be available in this library in future versions.
*
* @param Configuration - configuration object for the MSAL ConfidentialClientApplication instance
*/
constructor(configuration: Configuration) {
super(configuration);
this.setClientCredential();
this.appTokenProvider = undefined;
}
/**
* This extensibility point only works for the client_credential flow, i.e. acquireTokenByClientCredential and
* is meant for Azure SDK to enhance Managed Identity support.
*
* @param IAppTokenProvider - Extensibility interface, which allows the app developer to return a token from a custom source.
*/
SetAppTokenProvider(provider: IAppTokenProvider): void {
this.appTokenProvider = provider;
}
/**
* Acquires tokens from the authority for the application (not for an end user).
*/
public async acquireTokenByClientCredential(
request: ClientCredentialRequest
): Promise<AuthenticationResult | null> {
this.logger.info(
"acquireTokenByClientCredential called",
request.correlationId
);
// If there is a client assertion present in the request, it overrides the one present in the client configuration
let clientAssertion: ClientAssertionType | undefined;
if (request.clientAssertion) {
clientAssertion = {
assertion: await getClientAssertion(
request.clientAssertion,
this.config.auth.clientId
// tokenEndpoint will be undefined. resourceRequestUri is omitted in ClientCredentialRequest
),
assertionType: NodeConstants.JWT_BEARER_ASSERTION_TYPE,
};
}
const baseRequest = await this.initializeBaseRequest(request);
// valid base request should not contain oidc scopes in this grant type
const validBaseRequest = {
...baseRequest,
scopes: baseRequest.scopes.filter(
(scope: string) => !OIDC_DEFAULT_SCOPES.includes(scope)
),
};
const validRequest: CommonClientCredentialRequest = {
...request,
...validBaseRequest,
clientAssertion,
};
/*
* valid request should not have "common" or "organizations" in lieu of the tenant_id in the authority in the auth configuration
* example authority: "https://login.microsoftonline.com/TenantId",
*/
const authority = new UrlString(validRequest.authority);
const tenantId = authority.getUrlComponents().PathSegments[0];
if (
Object.values(AADAuthorityConstants).includes(
tenantId as AADAuthorityConstants
)
) {
throw createClientAuthError(
ClientAuthErrorCodes.missingTenantIdError
);
}
/*
* if this env variable is set, and the developer provided region isn't defined and isn't "DisableMsalForceRegion",
* MSAL shall opt-in to ESTS-R with the value of this variable
*/
const ENV_MSAL_FORCE_REGION: AzureRegion | undefined =
process.env[MSAL_FORCE_REGION];
let region: AzureRegion | undefined;
if (validRequest.azureRegion !== "DisableMsalForceRegion") {
if (!validRequest.azureRegion && ENV_MSAL_FORCE_REGION) {
region = ENV_MSAL_FORCE_REGION;
} else {
region = validRequest.azureRegion;
}
}
const azureRegionConfiguration: AzureRegionConfiguration = {
azureRegion: region,
environmentRegion: process.env[REGION_ENVIRONMENT_VARIABLE],
};
const serverTelemetryManager = this.initializeServerTelemetryManager(
ApiId.acquireTokenByClientCredential,
validRequest.correlationId,
validRequest.skipCache
);
try {
const clientCredentialConfig =
await this.buildOauthClientConfiguration(
validRequest.authority,
validRequest.correlationId,
"",
serverTelemetryManager,
azureRegionConfiguration,
request.azureCloudOptions
);
const clientCredentialClient = new ClientCredentialClient(
clientCredentialConfig,
this.appTokenProvider
);
this.logger.verbose(
"Client credential client created",
validRequest.correlationId
);
return await clientCredentialClient.acquireToken(validRequest);
} catch (e) {
if (e instanceof AuthError) {
e.setCorrelationId(validRequest.correlationId);
}
serverTelemetryManager.cacheFailedRequest(e);
throw e;
}
}
/**
* Acquires tokens from the authority for the application.
*
* Used in scenarios where the current app is a middle-tier service which was called with a token
* representing an end user. The current app can use the token (oboAssertion) to request another
* token to access downstream web API, on behalf of that user.
*
* The current middle-tier app has no user interaction to obtain consent.
* See how to gain consent upfront for your middle-tier app from this article.
* https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#gaining-consent-for-the-middle-tier-application
*/
public async acquireTokenOnBehalfOf(
request: OnBehalfOfRequest
): Promise<AuthenticationResult | null> {
this.logger.info(
"acquireTokenOnBehalfOf called",
request.correlationId
);
const validRequest: CommonOnBehalfOfRequest = {
...request,
...(await this.initializeBaseRequest(request)),
};
try {
const onBehalfOfConfig = await this.buildOauthClientConfiguration(
validRequest.authority,
validRequest.correlationId,
"",
undefined,
undefined,
request.azureCloudOptions
);
const oboClient = new OnBehalfOfClient(onBehalfOfConfig);
this.logger.verbose(
"On behalf of client created",
validRequest.correlationId
);
return await oboClient.acquireToken(validRequest);
} catch (e) {
if (e instanceof AuthError) {
e.setCorrelationId(validRequest.correlationId);
}
throw e;
}
}
private setClientCredential(): void {
const clientSecretNotEmpty = !!this.config.auth.clientSecret;
const clientAssertionNotEmpty = !!this.config.auth.clientAssertion;
const certificateNotEmpty =
(!!this.config.auth.clientCertificate?.thumbprint ||
!!this.config.auth.clientCertificate?.thumbprintSha256) &&
!!this.config.auth.clientCertificate?.privateKey;
/*
* If app developer configures this callback, they don't need a credential
* i.e. AzureSDK can get token from Managed Identity without a cert / secret
*/
if (this.appTokenProvider) {
return;
}
// Check that at most one credential is set on the application
if (
(clientSecretNotEmpty && clientAssertionNotEmpty) ||
(clientAssertionNotEmpty && certificateNotEmpty) ||
(clientSecretNotEmpty && certificateNotEmpty)
) {
throw createClientAuthError(
ClientAuthErrorCodes.invalidClientCredential
);
}
if (this.config.auth.clientSecret) {
this.clientSecret = this.config.auth.clientSecret;
return;
}
if (this.config.auth.clientAssertion) {
this.developerProvidedClientAssertion =
this.config.auth.clientAssertion;
return;
}
if (!certificateNotEmpty) {
throw createClientAuthError(
ClientAuthErrorCodes.invalidClientCredential
);
} else {
this.clientAssertion = !!this.config.auth.clientCertificate
.thumbprintSha256
? ClientAssertion.fromCertificateWithSha256Thumbprint(
this.config.auth.clientCertificate.thumbprintSha256,
this.config.auth.clientCertificate.privateKey,
this.config.auth.clientCertificate.x5c
)
: ClientAssertion.fromCertificate(
// guaranteed to be a string, due to prior error checking in this function
this.config.auth.clientCertificate.thumbprint as string,
this.config.auth.clientCertificate.privateKey,
this.config.auth.clientCertificate.x5c
);
}
}
}
node_modules/@azure/msal-node/src/client/DeviceCodeClient.ts
Generated Vendored
+378
View File
@@ -0,0 +1,378 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AuthErrorCodes,
AuthenticationResult,
BaseClient,
ClientAuthErrorCodes,
ClientConfiguration,
CommonDeviceCodeRequest,
Constants,
DeviceCodeResponse,
GrantType,
RequestParameterBuilder,
RequestThumbprint,
ResponseHandler,
ServerAuthorizationTokenResponse,
ServerDeviceCodeResponse,
StringUtils,
TimeUtils,
UrlString,
createAuthError,
createClientAuthError,
} from "@azure/msal-common/node";
/**
* OAuth2.0 Device code client
* @public
*/
export class DeviceCodeClient extends BaseClient {
constructor(configuration: ClientConfiguration) {
super(configuration);
}
/**
* Gets device code from device code endpoint, calls back to with device code response, and
* polls token endpoint to exchange device code for tokens
* @param request - developer provided CommonDeviceCodeRequest
*/
public async acquireToken(
request: CommonDeviceCodeRequest
): Promise<AuthenticationResult | null> {
const deviceCodeResponse: DeviceCodeResponse = await this.getDeviceCode(
request
);
request.deviceCodeCallback(deviceCodeResponse);
const reqTimestamp = TimeUtils.nowSeconds();
const response: ServerAuthorizationTokenResponse =
await this.acquireTokenWithDeviceCode(request, deviceCodeResponse);
const responseHandler = new ResponseHandler(
this.config.authOptions.clientId,
this.cacheManager,
this.cryptoUtils,
this.logger,
this.config.serializableCache,
this.config.persistencePlugin
);
// Validate response. This function throws a server error if an error is returned by the server.
responseHandler.validateTokenResponse(response);
return responseHandler.handleServerTokenResponse(
response,
this.authority,
reqTimestamp,
request
);
}
/**
* Creates device code request and executes http GET
* @param request - developer provided CommonDeviceCodeRequest
*/
private async getDeviceCode(
request: CommonDeviceCodeRequest
): Promise<DeviceCodeResponse> {
const queryParametersString = this.createExtraQueryParameters(request);
const endpoint = UrlString.appendQueryString(
this.authority.deviceCodeEndpoint,
queryParametersString
);
const queryString = this.createQueryString(request);
const headers = this.createTokenRequestHeaders();
const thumbprint: RequestThumbprint = {
clientId: this.config.authOptions.clientId,
authority: request.authority,
scopes: request.scopes,
claims: request.claims,
authenticationScheme: request.authenticationScheme,
resourceRequestMethod: request.resourceRequestMethod,
resourceRequestUri: request.resourceRequestUri,
shrClaims: request.shrClaims,
sshKid: request.sshKid,
};
return this.executePostRequestToDeviceCodeEndpoint(
endpoint,
queryString,
headers,
thumbprint,
request.correlationId
);
}
/**
* Creates query string for the device code request
* @param request - developer provided CommonDeviceCodeRequest
*/
public createExtraQueryParameters(
request: CommonDeviceCodeRequest
): string {
const parameterBuilder = new RequestParameterBuilder();
if (request.extraQueryParameters) {
parameterBuilder.addExtraQueryParameters(
request.extraQueryParameters
);
}
return parameterBuilder.createQueryString();
}
/**
* Executes POST request to device code endpoint
* @param deviceCodeEndpoint - token endpoint
* @param queryString - string to be used in the body of the request
* @param headers - headers for the request
* @param thumbprint - unique request thumbprint
* @param correlationId - correlation id to be used in the request
*/
private async executePostRequestToDeviceCodeEndpoint(
deviceCodeEndpoint: string,
queryString: string,
headers: Record<string, string>,
thumbprint: RequestThumbprint,
correlationId: string
): Promise<DeviceCodeResponse> {
const {
body: {
user_code: userCode,
device_code: deviceCode,
verification_uri: verificationUri,
expires_in: expiresIn,
interval,
message,
},
} = await this.sendPostRequest<ServerDeviceCodeResponse>(
thumbprint,
deviceCodeEndpoint,
{
body: queryString,
headers: headers,
},
correlationId
);
return {
userCode,
deviceCode,
verificationUri,
expiresIn,
interval,
message,
};
}
/**
* Create device code endpoint query parameters and returns string
* @param request - developer provided CommonDeviceCodeRequest
*/
private createQueryString(request: CommonDeviceCodeRequest): string {
const parameterBuilder: RequestParameterBuilder =
new RequestParameterBuilder();
parameterBuilder.addScopes(request.scopes);
parameterBuilder.addClientId(this.config.authOptions.clientId);
if (request.extraQueryParameters) {
parameterBuilder.addExtraQueryParameters(
request.extraQueryParameters
);
}
if (
request.claims ||
(this.config.authOptions.clientCapabilities &&
this.config.authOptions.clientCapabilities.length > 0)
) {
parameterBuilder.addClaims(
request.claims,
this.config.authOptions.clientCapabilities
);
}
return parameterBuilder.createQueryString();
}
/**
* Breaks the polling with specific conditions
* @param deviceCodeExpirationTime - expiration time for the device code request
* @param userSpecifiedTimeout - developer provided timeout, to be compared against deviceCodeExpirationTime
* @param userSpecifiedCancelFlag - boolean indicating the developer would like to cancel the request
*/
private continuePolling(
deviceCodeExpirationTime: number,
userSpecifiedTimeout?: number,
userSpecifiedCancelFlag?: boolean
): boolean {
if (userSpecifiedCancelFlag) {
this.logger.error(
"Token request cancelled by setting DeviceCodeRequest.cancel = true"
);
throw createClientAuthError(
ClientAuthErrorCodes.deviceCodePollingCancelled
);
} else if (
userSpecifiedTimeout &&
userSpecifiedTimeout < deviceCodeExpirationTime &&
TimeUtils.nowSeconds() > userSpecifiedTimeout
) {
this.logger.error(
`User defined timeout for device code polling reached. The timeout was set for ${userSpecifiedTimeout}`
);
throw createClientAuthError(
ClientAuthErrorCodes.userTimeoutReached
);
} else if (TimeUtils.nowSeconds() > deviceCodeExpirationTime) {
if (userSpecifiedTimeout) {
this.logger.verbose(
`User specified timeout ignored as the device code has expired before the timeout elapsed. The user specified timeout was set for ${userSpecifiedTimeout}`
);
}
this.logger.error(
`Device code expired. Expiration time of device code was ${deviceCodeExpirationTime}`
);
throw createClientAuthError(ClientAuthErrorCodes.deviceCodeExpired);
}
return true;
}
/**
* Creates token request with device code response and polls token endpoint at interval set by the device code response
* @param request - developer provided CommonDeviceCodeRequest
* @param deviceCodeResponse - DeviceCodeResponse returned by the security token service device code endpoint
*/
private async acquireTokenWithDeviceCode(
request: CommonDeviceCodeRequest,
deviceCodeResponse: DeviceCodeResponse
): Promise<ServerAuthorizationTokenResponse> {
const queryParametersString = this.createTokenQueryParameters(request);
const endpoint = UrlString.appendQueryString(
this.authority.tokenEndpoint,
queryParametersString
);
const requestBody = this.createTokenRequestBody(
request,
deviceCodeResponse
);
const headers: Record<string, string> =
this.createTokenRequestHeaders();
const userSpecifiedTimeout = request.timeout
? TimeUtils.nowSeconds() + request.timeout
: undefined;
const deviceCodeExpirationTime =
TimeUtils.nowSeconds() + deviceCodeResponse.expiresIn;
const pollingIntervalMilli = deviceCodeResponse.interval * 1000;
/*
* Poll token endpoint while (device code is not expired AND operation has not been cancelled by
* setting CancellationToken.cancel = true). POST request is sent at interval set by pollingIntervalMilli
*/
while (
this.continuePolling(
deviceCodeExpirationTime,
userSpecifiedTimeout,
request.cancel
)
) {
const thumbprint: RequestThumbprint = {
clientId: this.config.authOptions.clientId,
authority: request.authority,
scopes: request.scopes,
claims: request.claims,
authenticationScheme: request.authenticationScheme,
resourceRequestMethod: request.resourceRequestMethod,
resourceRequestUri: request.resourceRequestUri,
shrClaims: request.shrClaims,
sshKid: request.sshKid,
};
const response = await this.executePostToTokenEndpoint(
endpoint,
requestBody,
headers,
thumbprint,
request.correlationId
);
if (response.body && response.body.error) {
// user authorization is pending. Sleep for polling interval and try again
if (response.body.error === Constants.AUTHORIZATION_PENDING) {
this.logger.info(
"Authorization pending. Continue polling."
);
await TimeUtils.delay(pollingIntervalMilli);
} else {
// for any other error, throw
this.logger.info(
"Unexpected error in polling from the server"
);
throw createAuthError(
AuthErrorCodes.postRequestFailed,
response.body.error
);
}
} else {
this.logger.verbose(
"Authorization completed successfully. Polling stopped."
);
return response.body;
}
}
/*
* The above code should've thrown by this point, but to satisfy TypeScript,
* and in the rare case the conditionals in continuePolling() may not catch everything...
*/
this.logger.error("Polling stopped for unknown reasons.");
throw createClientAuthError(
ClientAuthErrorCodes.deviceCodeUnknownError
);
}
/**
* Creates query parameters and converts to string.
* @param request - developer provided CommonDeviceCodeRequest
* @param deviceCodeResponse - DeviceCodeResponse returned by the security token service device code endpoint
*/
private createTokenRequestBody(
request: CommonDeviceCodeRequest,
deviceCodeResponse: DeviceCodeResponse
): string {
const requestParameters: RequestParameterBuilder =
new RequestParameterBuilder();
requestParameters.addScopes(request.scopes);
requestParameters.addClientId(this.config.authOptions.clientId);
requestParameters.addGrantType(GrantType.DEVICE_CODE_GRANT);
requestParameters.addDeviceCode(deviceCodeResponse.deviceCode);
const correlationId =
request.correlationId ||
this.config.cryptoInterface.createNewGuid();
requestParameters.addCorrelationId(correlationId);
requestParameters.addClientInfo();
requestParameters.addLibraryInfo(this.config.libraryInfo);
requestParameters.addApplicationTelemetry(
this.config.telemetry.application
);
requestParameters.addThrottling();
if (this.serverTelemetryManager) {
requestParameters.addServerTelemetry(this.serverTelemetryManager);
}
if (
!StringUtils.isEmptyObj(request.claims) ||
(this.config.authOptions.clientCapabilities &&
this.config.authOptions.clientCapabilities.length > 0)
) {
requestParameters.addClaims(
request.claims,
this.config.authOptions.clientCapabilities
);
}
return requestParameters.createQueryString();
}
}
node_modules/@azure/msal-node/src/client/IConfidentialClientApplication.ts
Generated Vendored
+72
View File
@@ -0,0 +1,72 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AuthenticationResult,
IAppTokenProvider,
Logger,
} from "@azure/msal-common/node";
import { AuthorizationCodeRequest } from "../request/AuthorizationCodeRequest.js";
import { AuthorizationUrlRequest } from "../request/AuthorizationUrlRequest.js";
import { ClientCredentialRequest } from "../request/ClientCredentialRequest.js";
import { OnBehalfOfRequest } from "../request/OnBehalfOfRequest.js";
import { RefreshTokenRequest } from "../request/RefreshTokenRequest.js";
import { SilentFlowRequest } from "../request/SilentFlowRequest.js";
import { UsernamePasswordRequest } from "../request/UsernamePasswordRequest.js";
import { TokenCache } from "../cache/TokenCache.js";
/**
* Interface for the ConfidentialClientApplication class defining the public API signatures
* @public
*/
export interface IConfidentialClientApplication {
/** Creates the URL of the authorization request */
getAuthCodeUrl(request: AuthorizationUrlRequest): Promise<string>;
/** Acquires a token by exchanging the authorization code received from the first step of OAuth 2.0 Authorization Code Flow */
acquireTokenByCode(
request: AuthorizationCodeRequest
): Promise<AuthenticationResult>;
/** Acquires a token silently when a user specifies the account the token is requested for */
acquireTokenSilent(
request: SilentFlowRequest
): Promise<AuthenticationResult | null>;
/** Acquires a token by exchanging the refresh token provided for a new set of tokens */
acquireTokenByRefreshToken(
request: RefreshTokenRequest
): Promise<AuthenticationResult | null>;
/** Acquires tokens from the authority for the application (not for an end user) */
acquireTokenByClientCredential(
request: ClientCredentialRequest
): Promise<AuthenticationResult | null>;
/** Acquires tokens from the authority for the application */
acquireTokenOnBehalfOf(
request: OnBehalfOfRequest
): Promise<AuthenticationResult | null>;
/** Acquires tokens with password grant by exchanging client applications username and password for credentials */
acquireTokenByUsernamePassword(
request: UsernamePasswordRequest
): Promise<AuthenticationResult | null>;
/** Gets the token cache for the application */
getTokenCache(): TokenCache;
/** Returns the logger instance */
getLogger(): Logger;
/** Replaces the default logger set in configurations with new Logger with new configurations */
setLogger(logger: Logger): void;
/** Clear the cache */
clearCache(): void;
/** This extensibility point is meant for Azure SDK to enhance Managed Identity support */
SetAppTokenProvider(provider: IAppTokenProvider): void;
}
node_modules/@azure/msal-node/src/client/IPublicClientApplication.ts
Generated Vendored
+76
View File
@@ -0,0 +1,76 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AccountInfo,
AuthenticationResult,
Logger,
} from "@azure/msal-common/node";
import { AuthorizationCodeRequest } from "../request/AuthorizationCodeRequest.js";
import { AuthorizationUrlRequest } from "../request/AuthorizationUrlRequest.js";
import { DeviceCodeRequest } from "../request/DeviceCodeRequest.js";
import { RefreshTokenRequest } from "../request/RefreshTokenRequest.js";
import { SilentFlowRequest } from "../request/SilentFlowRequest.js";
import { UsernamePasswordRequest } from "../request/UsernamePasswordRequest.js";
import { TokenCache } from "../cache/TokenCache.js";
import { InteractiveRequest } from "../request/InteractiveRequest.js";
import { SignOutRequest } from "../request/SignOutRequest.js";
/**
* Interface for the PublicClientApplication class defining the public API signatures
* @public
*/
export interface IPublicClientApplication {
/** Creates the URL of the authorization request */
getAuthCodeUrl(request: AuthorizationUrlRequest): Promise<string>;
/** Acquires a token by exchanging the authorization code received from the first step of OAuth 2.0 Authorization Code Flow */
acquireTokenByCode(
request: AuthorizationCodeRequest
): Promise<AuthenticationResult>;
/** Acquires a token interactively */
acquireTokenInteractive(
request: InteractiveRequest
): Promise<AuthenticationResult>;
/** Acquires a token silently when a user specifies the account the token is requested for */
acquireTokenSilent(
request: SilentFlowRequest
): Promise<AuthenticationResult>;
/** Acquires a token by exchanging the refresh token provided for a new set of tokens */
acquireTokenByRefreshToken(
request: RefreshTokenRequest
): Promise<AuthenticationResult | null>;
/** Acquires a token from the authority using OAuth2.0 device code flow */
acquireTokenByDeviceCode(
request: DeviceCodeRequest
): Promise<AuthenticationResult | null>;
/** Acquires tokens with password grant by exchanging client applications username and password for credentials */
acquireTokenByUsernamePassword(
request: UsernamePasswordRequest
): Promise<AuthenticationResult | null>;
/** Gets the token cache for the application */
getTokenCache(): TokenCache;
/** Returns the logger instance */
getLogger(): Logger;
/** Replaces the default logger set in configurations with new Logger with new configurations */
setLogger(logger: Logger): void;
/** Clear the cache */
clearCache(): void;
/** Gets all cached accounts */
getAllAccounts(): Promise<AccountInfo[]>;
/** Removes cache artifacts associated with the given account */
signOut(request: SignOutRequest): Promise<void>;
}
node_modules/@azure/msal-node/src/client/ManagedIdentityApplication.ts
Generated Vendored
+204
View File
@@ -0,0 +1,204 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AuthOptions,
Authority,
AuthorityOptions,
CacheOutcome,
ClientConfiguration,
Constants,
DEFAULT_CRYPTO_IMPLEMENTATION,
INetworkModule,
Logger,
ProtocolMode,
StaticAuthorityOptions,
AuthenticationResult,
createClientConfigurationError,
ClientConfigurationErrorCodes,
} from "@azure/msal-common/node";
import {
ManagedIdentityConfiguration,
ManagedIdentityNodeConfiguration,
buildManagedIdentityConfiguration,
} from "../config/Configuration.js";
import { version, name } from "../packageMetadata.js";
import { ManagedIdentityRequest } from "../request/ManagedIdentityRequest.js";
import { CryptoProvider } from "../crypto/CryptoProvider.js";
import { ClientCredentialClient } from "./ClientCredentialClient.js";
import { ManagedIdentityClient } from "./ManagedIdentityClient.js";
import { ManagedIdentityRequestParams } from "../request/ManagedIdentityRequestParams.js";
import { NodeStorage } from "../cache/NodeStorage.js";
import {
DEFAULT_AUTHORITY_FOR_MANAGED_IDENTITY,
ManagedIdentitySourceNames,
} from "../utils/Constants.js";
/**
* Class to initialize a managed identity and identify the service
* @public
*/
export class ManagedIdentityApplication {
private config: ManagedIdentityNodeConfiguration;
private logger: Logger;
private static nodeStorage?: NodeStorage;
private networkClient: INetworkModule;
private cryptoProvider: CryptoProvider;
// authority needs to be faked to re-use existing functionality in msal-common: caching in responseHandler, etc.
private fakeAuthority: Authority;
// the ClientCredentialClient class needs to be faked to call it's getCachedAuthenticationResult method
private fakeClientCredentialClient: ClientCredentialClient;
private managedIdentityClient: ManagedIdentityClient;
constructor(configuration?: ManagedIdentityConfiguration) {
// undefined config means the managed identity is system-assigned
this.config = buildManagedIdentityConfiguration(configuration || {});
this.logger = new Logger(
this.config.system.loggerOptions,
name,
version
);
const fakeStatusAuthorityOptions: StaticAuthorityOptions = {
canonicalAuthority: Constants.DEFAULT_AUTHORITY,
};
if (!ManagedIdentityApplication.nodeStorage) {
ManagedIdentityApplication.nodeStorage = new NodeStorage(
this.logger,
this.config.managedIdentityId.id,
DEFAULT_CRYPTO_IMPLEMENTATION,
fakeStatusAuthorityOptions
);
}
this.networkClient = this.config.system.networkClient;
this.cryptoProvider = new CryptoProvider();
const fakeAuthorityOptions: AuthorityOptions = {
protocolMode: ProtocolMode.AAD,
knownAuthorities: [DEFAULT_AUTHORITY_FOR_MANAGED_IDENTITY],
cloudDiscoveryMetadata: "",
authorityMetadata: "",
};
this.fakeAuthority = new Authority(
DEFAULT_AUTHORITY_FOR_MANAGED_IDENTITY,
this.networkClient,
ManagedIdentityApplication.nodeStorage as NodeStorage,
fakeAuthorityOptions,
this.logger,
this.cryptoProvider.createNewGuid(), // correlationID
undefined,
true
);
this.fakeClientCredentialClient = new ClientCredentialClient({
authOptions: {
clientId: this.config.managedIdentityId.id,
authority: this.fakeAuthority,
} as AuthOptions,
} as ClientConfiguration);
this.managedIdentityClient = new ManagedIdentityClient(
this.logger,
ManagedIdentityApplication.nodeStorage as NodeStorage,
this.networkClient,
this.cryptoProvider
);
}
/**
* Acquire an access token from the cache or the managed identity
* @param managedIdentityRequest - the ManagedIdentityRequestParams object passed in by the developer
* @returns the access token
*/
public async acquireToken(
managedIdentityRequestParams: ManagedIdentityRequestParams
): Promise<AuthenticationResult> {
if (!managedIdentityRequestParams.resource) {
throw createClientConfigurationError(
ClientConfigurationErrorCodes.urlEmptyError
);
}
const managedIdentityRequest: ManagedIdentityRequest = {
forceRefresh: managedIdentityRequestParams.forceRefresh,
resource: managedIdentityRequestParams.resource.replace(
"/.default",
""
),
scopes: [
managedIdentityRequestParams.resource.replace("/.default", ""),
],
authority: this.fakeAuthority.canonicalAuthority,
correlationId: this.cryptoProvider.createNewGuid(),
};
if (
managedIdentityRequestParams.claims ||
managedIdentityRequest.forceRefresh
) {
// make a network call to the managed identity source
return this.managedIdentityClient.sendManagedIdentityTokenRequest(
managedIdentityRequest,
this.config.managedIdentityId,
this.fakeAuthority
);
}
const [cachedAuthenticationResult, lastCacheOutcome] =
await this.fakeClientCredentialClient.getCachedAuthenticationResult(
managedIdentityRequest,
this.config,
this.cryptoProvider,
this.fakeAuthority,
ManagedIdentityApplication.nodeStorage as NodeStorage
);
if (cachedAuthenticationResult) {
// if the token is not expired but must be refreshed; get a new one in the background
if (lastCacheOutcome === CacheOutcome.PROACTIVELY_REFRESHED) {
this.logger.info(
"ClientCredentialClient:getCachedAuthenticationResult - Cached access token's refreshOn property has been exceeded'. It's not expired, but must be refreshed."
);
// make a network call to the managed identity source; refresh the access token in the background
const refreshAccessToken = true;
await this.managedIdentityClient.sendManagedIdentityTokenRequest(
managedIdentityRequest,
this.config.managedIdentityId,
this.fakeAuthority,
refreshAccessToken
);
}
return cachedAuthenticationResult;
} else {
// make a network call to the managed identity source
return this.managedIdentityClient.sendManagedIdentityTokenRequest(
managedIdentityRequest,
this.config.managedIdentityId,
this.fakeAuthority
);
}
}
/**
* Determine the Managed Identity Source based on available environment variables. This API is consumed by Azure Identity SDK.
* @returns ManagedIdentitySourceNames - The Managed Identity source's name
*/
public getManagedIdentitySource(): ManagedIdentitySourceNames {
return (
ManagedIdentityClient.sourceName ||
this.managedIdentityClient.getManagedIdentitySource()
);
}
}
node_modules/@azure/msal-node/src/client/ManagedIdentityClient.ts
Generated Vendored
+162
View File
@@ -0,0 +1,162 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
Authority,
INetworkModule,
Logger,
AuthenticationResult,
} from "@azure/msal-common/node";
import { AppService } from "./ManagedIdentitySources/AppService.js";
import { AzureArc } from "./ManagedIdentitySources/AzureArc.js";
import { CloudShell } from "./ManagedIdentitySources/CloudShell.js";
import { Imds } from "./ManagedIdentitySources/Imds.js";
import { ServiceFabric } from "./ManagedIdentitySources/ServiceFabric.js";
import { CryptoProvider } from "../crypto/CryptoProvider.js";
import {
ManagedIdentityErrorCodes,
createManagedIdentityError,
} from "../error/ManagedIdentityError.js";
import { ManagedIdentityRequest } from "../request/ManagedIdentityRequest.js";
import { ManagedIdentityId } from "../config/ManagedIdentityId.js";
import { NodeStorage } from "../cache/NodeStorage.js";
import { BaseManagedIdentitySource } from "./ManagedIdentitySources/BaseManagedIdentitySource.js";
import { ManagedIdentitySourceNames } from "../utils/Constants.js";
/*
* Class to initialize a managed identity and identify the service.
* Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/ManagedIdentityClient.cs
*/
export class ManagedIdentityClient {
private logger: Logger;
private nodeStorage: NodeStorage;
private networkClient: INetworkModule;
private cryptoProvider: CryptoProvider;
private static identitySource?: BaseManagedIdentitySource;
public static sourceName?: ManagedIdentitySourceNames;
constructor(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider
) {
this.logger = logger;
this.nodeStorage = nodeStorage;
this.networkClient = networkClient;
this.cryptoProvider = cryptoProvider;
}
public async sendManagedIdentityTokenRequest(
managedIdentityRequest: ManagedIdentityRequest,
managedIdentityId: ManagedIdentityId,
fakeAuthority: Authority,
refreshAccessToken?: boolean
): Promise<AuthenticationResult> {
if (!ManagedIdentityClient.identitySource) {
ManagedIdentityClient.identitySource =
this.selectManagedIdentitySource(
this.logger,
this.nodeStorage,
this.networkClient,
this.cryptoProvider,
managedIdentityId
);
}
return ManagedIdentityClient.identitySource.acquireTokenWithManagedIdentity(
managedIdentityRequest,
managedIdentityId,
fakeAuthority,
refreshAccessToken
);
}
private allEnvironmentVariablesAreDefined(
environmentVariables: Array<string | undefined>
): boolean {
return Object.values(environmentVariables).every(
(environmentVariable) => {
return environmentVariable !== undefined;
}
);
}
/**
* Determine the Managed Identity Source based on available environment variables. This API is consumed by ManagedIdentityApplication's getManagedIdentitySource.
* @returns ManagedIdentitySourceNames - The Managed Identity source's name
*/
public getManagedIdentitySource(): ManagedIdentitySourceNames {
ManagedIdentityClient.sourceName =
this.allEnvironmentVariablesAreDefined(
ServiceFabric.getEnvironmentVariables()
)
? ManagedIdentitySourceNames.SERVICE_FABRIC
: this.allEnvironmentVariablesAreDefined(
AppService.getEnvironmentVariables()
)
? ManagedIdentitySourceNames.APP_SERVICE
: this.allEnvironmentVariablesAreDefined(
CloudShell.getEnvironmentVariables()
)
? ManagedIdentitySourceNames.CLOUD_SHELL
: this.allEnvironmentVariablesAreDefined(
AzureArc.getEnvironmentVariables()
)
? ManagedIdentitySourceNames.AZURE_ARC
: ManagedIdentitySourceNames.DEFAULT_TO_IMDS;
return ManagedIdentityClient.sourceName;
}
/**
* Tries to create a managed identity source for all sources
* @returns the managed identity Source
*/
private selectManagedIdentitySource(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider,
managedIdentityId: ManagedIdentityId
): BaseManagedIdentitySource {
const source =
ServiceFabric.tryCreate(
logger,
nodeStorage,
networkClient,
cryptoProvider,
managedIdentityId
) ||
AppService.tryCreate(
logger,
nodeStorage,
networkClient,
cryptoProvider
) ||
CloudShell.tryCreate(
logger,
nodeStorage,
networkClient,
cryptoProvider,
managedIdentityId
) ||
AzureArc.tryCreate(
logger,
nodeStorage,
networkClient,
cryptoProvider,
managedIdentityId
) ||
Imds.tryCreate(logger, nodeStorage, networkClient, cryptoProvider);
if (!source) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.unableToCreateSource
);
}
return source;
}
}
node_modules/@azure/msal-node/src/client/ManagedIdentitySources/AppService.ts
Generated Vendored
+129
View File
@@ -0,0 +1,129 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { INetworkModule, Logger } from "@azure/msal-common/node";
import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
import {
HttpMethod,
APP_SERVICE_SECRET_HEADER_NAME,
API_VERSION_QUERY_PARAMETER_NAME,
RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
ManagedIdentityEnvironmentVariableNames,
ManagedIdentitySourceNames,
ManagedIdentityIdType,
} from "../../utils/Constants.js";
import { CryptoProvider } from "../../crypto/CryptoProvider.js";
import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
import { NodeStorage } from "../../cache/NodeStorage.js";
// MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
const APP_SERVICE_MSI_API_VERSION: string = "2019-08-01";
/**
* Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/AppServiceManagedIdentitySource.cs
*/
export class AppService extends BaseManagedIdentitySource {
private identityEndpoint: string;
private identityHeader: string;
constructor(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider,
identityEndpoint: string,
identityHeader: string
) {
super(logger, nodeStorage, networkClient, cryptoProvider);
this.identityEndpoint = identityEndpoint;
this.identityHeader = identityHeader;
}
public static getEnvironmentVariables(): Array<string | undefined> {
const identityEndpoint: string | undefined =
process.env[
ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT
];
const identityHeader: string | undefined =
process.env[
ManagedIdentityEnvironmentVariableNames.IDENTITY_HEADER
];
return [identityEndpoint, identityHeader];
}
public static tryCreate(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider
): AppService | null {
const [identityEndpoint, identityHeader] =
AppService.getEnvironmentVariables();
// if either of the identity endpoint or identity header variables are undefined, this MSI provider is unavailable.
if (!identityEndpoint || !identityHeader) {
logger.info(
`[Managed Identity] ${ManagedIdentitySourceNames.APP_SERVICE} managed identity is unavailable because one or both of the '${ManagedIdentityEnvironmentVariableNames.IDENTITY_HEADER}' and '${ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT}' environment variables are not defined.`
);
return null;
}
const validatedIdentityEndpoint: string =
AppService.getValidatedEnvVariableUrlString(
ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT,
identityEndpoint,
ManagedIdentitySourceNames.APP_SERVICE,
logger
);
logger.info(
`[Managed Identity] Environment variables validation passed for ${ManagedIdentitySourceNames.APP_SERVICE} managed identity. Endpoint URI: ${validatedIdentityEndpoint}. Creating ${ManagedIdentitySourceNames.APP_SERVICE} managed identity.`
);
return new AppService(
logger,
nodeStorage,
networkClient,
cryptoProvider,
identityEndpoint,
identityHeader
);
}
public createRequest(
resource: string,
managedIdentityId: ManagedIdentityId
): ManagedIdentityRequestParameters {
const request: ManagedIdentityRequestParameters =
new ManagedIdentityRequestParameters(
HttpMethod.GET,
this.identityEndpoint
);
request.headers[APP_SERVICE_SECRET_HEADER_NAME] = this.identityHeader;
request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
APP_SERVICE_MSI_API_VERSION;
request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
resource;
if (
managedIdentityId.idType !== ManagedIdentityIdType.SYSTEM_ASSIGNED
) {
request.queryParameters[
this.getManagedIdentityUserAssignedIdQueryParameterKey(
managedIdentityId.idType
)
] = managedIdentityId.id;
}
// bodyParameters calculated in BaseManagedIdentity.acquireTokenWithManagedIdentity
return request;
}
}
node_modules/@azure/msal-node/src/client/ManagedIdentitySources/AzureArc.ts
Generated Vendored
+318
View File
@@ -0,0 +1,318 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AuthError,
ClientAuthErrorCodes,
createClientAuthError,
HttpStatus,
INetworkModule,
NetworkResponse,
NetworkRequestOptions,
Logger,
ServerAuthorizationTokenResponse,
} from "@azure/msal-common/node";
import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
import { CryptoProvider } from "../../crypto/CryptoProvider.js";
import {
ManagedIdentityErrorCodes,
createManagedIdentityError,
} from "../../error/ManagedIdentityError.js";
import {
API_VERSION_QUERY_PARAMETER_NAME,
AUTHORIZATION_HEADER_NAME,
AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES,
HttpMethod,
METADATA_HEADER_NAME,
ManagedIdentityEnvironmentVariableNames,
ManagedIdentityIdType,
ManagedIdentitySourceNames,
RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
} from "../../utils/Constants.js";
import { NodeStorage } from "../../cache/NodeStorage.js";
import {
accessSync,
constants as fsConstants,
readFileSync,
statSync,
} from "fs";
import { ManagedIdentityTokenResponse } from "../../response/ManagedIdentityTokenResponse.js";
import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
import path from "path";
export const ARC_API_VERSION: string = "2019-11-01";
export const DEFAULT_AZURE_ARC_IDENTITY_ENDPOINT: string =
"http://127.0.0.1:40342/metadata/identity/oauth2/token";
const HIMDS_EXECUTABLE_HELPER_STRING = "N/A: himds executable exists";
type FilePathMap = {
win32: string;
linux: string;
};
export const SUPPORTED_AZURE_ARC_PLATFORMS: FilePathMap = {
win32: `${process.env["ProgramData"]}\\AzureConnectedMachineAgent\\Tokens\\`,
linux: "/var/opt/azcmagent/tokens/",
};
export const AZURE_ARC_FILE_DETECTION: FilePathMap = {
win32: `${process.env["ProgramFiles"]}\\AzureConnectedMachineAgent\\himds.exe`,
linux: "/opt/azcmagent/bin/himds",
};
/**
* Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs
*/
export class AzureArc extends BaseManagedIdentitySource {
private identityEndpoint: string;
constructor(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider,
identityEndpoint: string
) {
super(logger, nodeStorage, networkClient, cryptoProvider);
this.identityEndpoint = identityEndpoint;
}
public static getEnvironmentVariables(): Array<string | undefined> {
let identityEndpoint: string | undefined =
process.env[
ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT
];
let imdsEndpoint: string | undefined =
process.env[ManagedIdentityEnvironmentVariableNames.IMDS_ENDPOINT];
// if either of the identity or imds endpoints are undefined, check if the himds executable exists
if (!identityEndpoint || !imdsEndpoint) {
// get the expected Windows or Linux file path of the himds executable
const fileDetectionPath: string =
AZURE_ARC_FILE_DETECTION[process.platform as keyof FilePathMap];
try {
/*
* check if the himds executable exists and its permissions allow it to be read
* returns undefined if true, throws an error otherwise
*/
accessSync(
fileDetectionPath,
fsConstants.F_OK | fsConstants.R_OK
);
identityEndpoint = DEFAULT_AZURE_ARC_IDENTITY_ENDPOINT;
imdsEndpoint = HIMDS_EXECUTABLE_HELPER_STRING;
} catch (err) {
/*
* do nothing
* accessSync returns undefined on success, and throws an error on failure
*/
}
}
return [identityEndpoint, imdsEndpoint];
}
public static tryCreate(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider,
managedIdentityId: ManagedIdentityId
): AzureArc | null {
const [identityEndpoint, imdsEndpoint] =
AzureArc.getEnvironmentVariables();
// if either of the identity or imds endpoints are undefined (even after himds file detection)
if (!identityEndpoint || !imdsEndpoint) {
logger.info(
`[Managed Identity] ${ManagedIdentitySourceNames.AZURE_ARC} managed identity is unavailable through environment variables because one or both of '${ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT}' and '${ManagedIdentityEnvironmentVariableNames.IMDS_ENDPOINT}' are not defined. ${ManagedIdentitySourceNames.AZURE_ARC} managed identity is also unavailable through file detection.`
);
return null;
}
// check if the imds endpoint is set to the default for file detection
if (imdsEndpoint === HIMDS_EXECUTABLE_HELPER_STRING) {
logger.info(
`[Managed Identity] ${ManagedIdentitySourceNames.AZURE_ARC} managed identity is available through file detection. Defaulting to known ${ManagedIdentitySourceNames.AZURE_ARC} endpoint: ${DEFAULT_AZURE_ARC_IDENTITY_ENDPOINT}. Creating ${ManagedIdentitySourceNames.AZURE_ARC} managed identity.`
);
} else {
// otherwise, both the identity and imds endpoints are defined without file detection; validate them
const validatedIdentityEndpoint: string =
AzureArc.getValidatedEnvVariableUrlString(
ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT,
identityEndpoint,
ManagedIdentitySourceNames.AZURE_ARC,
logger
);
// remove trailing slash
validatedIdentityEndpoint.endsWith("/")
? validatedIdentityEndpoint.slice(0, -1)
: validatedIdentityEndpoint;
AzureArc.getValidatedEnvVariableUrlString(
ManagedIdentityEnvironmentVariableNames.IMDS_ENDPOINT,
imdsEndpoint,
ManagedIdentitySourceNames.AZURE_ARC,
logger
);
logger.info(
`[Managed Identity] Environment variables validation passed for ${ManagedIdentitySourceNames.AZURE_ARC} managed identity. Endpoint URI: ${validatedIdentityEndpoint}. Creating ${ManagedIdentitySourceNames.AZURE_ARC} managed identity.`
);
}
if (
managedIdentityId.idType !== ManagedIdentityIdType.SYSTEM_ASSIGNED
) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.unableToCreateAzureArc
);
}
return new AzureArc(
logger,
nodeStorage,
networkClient,
cryptoProvider,
identityEndpoint
);
}
public createRequest(resource: string): ManagedIdentityRequestParameters {
const request: ManagedIdentityRequestParameters =
new ManagedIdentityRequestParameters(
HttpMethod.GET,
this.identityEndpoint.replace("localhost", "127.0.0.1")
);
request.headers[METADATA_HEADER_NAME] = "true";
request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
ARC_API_VERSION;
request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
resource;
// bodyParameters calculated in BaseManagedIdentity.acquireTokenWithManagedIdentity
return request;
}
public async getServerTokenResponseAsync(
originalResponse: NetworkResponse<ManagedIdentityTokenResponse>,
networkClient: INetworkModule,
networkRequest: ManagedIdentityRequestParameters,
networkRequestOptions: NetworkRequestOptions
): Promise<ServerAuthorizationTokenResponse> {
let retryResponse:
| NetworkResponse<ManagedIdentityTokenResponse>
| undefined;
if (originalResponse.status === HttpStatus.UNAUTHORIZED) {
const wwwAuthHeader: string =
originalResponse.headers["www-authenticate"];
if (!wwwAuthHeader) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.wwwAuthenticateHeaderMissing
);
}
if (!wwwAuthHeader.includes("Basic realm=")) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.wwwAuthenticateHeaderUnsupportedFormat
);
}
const secretFilePath = wwwAuthHeader.split("Basic realm=")[1];
// throw an error if the managed identity application is not being run on Windows or Linux
if (
!SUPPORTED_AZURE_ARC_PLATFORMS.hasOwnProperty(process.platform)
) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.platformNotSupported
);
}
// get the expected Windows or Linux file path
const expectedSecretFilePath: string =
SUPPORTED_AZURE_ARC_PLATFORMS[
process.platform as keyof FilePathMap
];
// throw an error if the file in the file path is not a .key file
const fileName: string = path.basename(secretFilePath);
if (!fileName.endsWith(".key")) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.invalidFileExtension
);
}
/*
* throw an error if the file path from the www-authenticate header does not match the
* expected file path for the platform (Windows or Linux) the managed identity application
* is running on
*/
if (expectedSecretFilePath + fileName !== secretFilePath) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.invalidFilePath
);
}
let secretFileSize;
// attempt to get the secret file's size, in bytes
try {
secretFileSize = await statSync(secretFilePath).size;
} catch (e) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.unableToReadSecretFile
);
}
// throw an error if the secret file's size is greater than 4096 bytes
if (secretFileSize > AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.invalidSecret
);
}
// attempt to read the contents of the secret file
let secret;
try {
secret = readFileSync(secretFilePath, "utf-8");
} catch (e) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.unableToReadSecretFile
);
}
const authHeaderValue = `Basic ${secret}`;
this.logger.info(
`[Managed Identity] Adding authorization header to the request.`
);
networkRequest.headers[AUTHORIZATION_HEADER_NAME] = authHeaderValue;
try {
retryResponse =
await networkClient.sendGetRequestAsync<ManagedIdentityTokenResponse>(
networkRequest.computeUri(),
networkRequestOptions
);
} catch (error) {
if (error instanceof AuthError) {
throw error;
} else {
throw createClientAuthError(
ClientAuthErrorCodes.networkError
);
}
}
}
return this.getServerTokenResponse(retryResponse || originalResponse);
}
}
node_modules/@azure/msal-node/src/client/ManagedIdentitySources/BaseManagedIdentitySource.ts
Generated Vendored
+252
View File
@@ -0,0 +1,252 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AuthError,
Authority,
ClientAuthErrorCodes,
Constants,
HeaderNames,
INetworkModule,
Logger,
NetworkRequestOptions,
NetworkResponse,
ResponseHandler,
ServerAuthorizationTokenResponse,
TimeUtils,
createClientAuthError,
AuthenticationResult,
UrlString,
} from "@azure/msal-common/node";
import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
import { CryptoProvider } from "../../crypto/CryptoProvider.js";
import { ManagedIdentityRequest } from "../../request/ManagedIdentityRequest.js";
import { HttpMethod, ManagedIdentityIdType } from "../../utils/Constants.js";
import { ManagedIdentityTokenResponse } from "../../response/ManagedIdentityTokenResponse.js";
import { NodeStorage } from "../../cache/NodeStorage.js";
import {
ManagedIdentityErrorCodes,
createManagedIdentityError,
} from "../../error/ManagedIdentityError.js";
/**
* Managed Identity User Assigned Id Query Parameter Names
*/
export const ManagedIdentityUserAssignedIdQueryParameterNames = {
MANAGED_IDENTITY_CLIENT_ID: "client_id",
MANAGED_IDENTITY_OBJECT_ID: "object_id",
MANAGED_IDENTITY_RESOURCE_ID: "mi_res_id",
} as const;
export type ManagedIdentityUserAssignedIdQueryParameterNames =
(typeof ManagedIdentityUserAssignedIdQueryParameterNames)[keyof typeof ManagedIdentityUserAssignedIdQueryParameterNames];
export abstract class BaseManagedIdentitySource {
protected logger: Logger;
private nodeStorage: NodeStorage;
private networkClient: INetworkModule;
private cryptoProvider: CryptoProvider;
constructor(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider
) {
this.logger = logger;
this.nodeStorage = nodeStorage;
this.networkClient = networkClient;
this.cryptoProvider = cryptoProvider;
}
abstract createRequest(
request: string,
managedIdentityId: ManagedIdentityId
): ManagedIdentityRequestParameters;
public async getServerTokenResponseAsync(
response: NetworkResponse<ManagedIdentityTokenResponse>,
// eslint-disable-next-line @typescript-eslint/no-unused-vars
_networkClient: INetworkModule,
// eslint-disable-next-line @typescript-eslint/no-unused-vars
_networkRequest: ManagedIdentityRequestParameters,
// eslint-disable-next-line @typescript-eslint/no-unused-vars
_networkRequestOptions: NetworkRequestOptions
): Promise<ServerAuthorizationTokenResponse> {
return this.getServerTokenResponse(response);
}
public getServerTokenResponse(
response: NetworkResponse<ManagedIdentityTokenResponse>
): ServerAuthorizationTokenResponse {
let refreshIn, expiresIn: number | undefined;
if (response.body.expires_on) {
expiresIn = response.body.expires_on - TimeUtils.nowSeconds();
// compute refresh_in as 1/2 of expires_in, but only if expires_in > 2h
if (expiresIn > 2 * 3600) {
refreshIn = expiresIn / 2;
}
}
const serverTokenResponse: ServerAuthorizationTokenResponse = {
status: response.status,
// success
access_token: response.body.access_token,
expires_in: expiresIn,
scope: response.body.resource,
token_type: response.body.token_type,
refresh_in: refreshIn,
// error
correlation_id:
response.body.correlation_id || response.body.correlationId,
error:
typeof response.body.error === "string"
? response.body.error
: response.body.error?.code,
error_description:
response.body.message ||
(typeof response.body.error === "string"
? response.body.error_description
: response.body.error?.message),
error_codes: response.body.error_codes,
timestamp: response.body.timestamp,
trace_id: response.body.trace_id,
};
return serverTokenResponse;
}
public async acquireTokenWithManagedIdentity(
managedIdentityRequest: ManagedIdentityRequest,
managedIdentityId: ManagedIdentityId,
fakeAuthority: Authority,
refreshAccessToken?: boolean
): Promise<AuthenticationResult> {
const networkRequest: ManagedIdentityRequestParameters =
this.createRequest(
managedIdentityRequest.resource,
managedIdentityId
);
const headers: Record<string, string> = networkRequest.headers;
headers[HeaderNames.CONTENT_TYPE] = Constants.URL_FORM_CONTENT_TYPE;
const networkRequestOptions: NetworkRequestOptions = { headers };
if (Object.keys(networkRequest.bodyParameters).length) {
networkRequestOptions.body =
networkRequest.computeParametersBodyString();
}
const reqTimestamp = TimeUtils.nowSeconds();
let response: NetworkResponse<ManagedIdentityTokenResponse>;
try {
// Sources that send POST requests: Cloud Shell
if (networkRequest.httpMethod === HttpMethod.POST) {
response =
await this.networkClient.sendPostRequestAsync<ManagedIdentityTokenResponse>(
networkRequest.computeUri(),
networkRequestOptions
);
// Sources that send GET requests: App Service, Azure Arc, IMDS, Service Fabric
} else {
response =
await this.networkClient.sendGetRequestAsync<ManagedIdentityTokenResponse>(
networkRequest.computeUri(),
networkRequestOptions
);
}
} catch (error) {
if (error instanceof AuthError) {
throw error;
} else {
throw createClientAuthError(ClientAuthErrorCodes.networkError);
}
}
const responseHandler = new ResponseHandler(
managedIdentityId.id,
this.nodeStorage,
this.cryptoProvider,
this.logger,
null,
null
);
const serverTokenResponse: ServerAuthorizationTokenResponse =
await this.getServerTokenResponseAsync(
response,
this.networkClient,
networkRequest,
networkRequestOptions
);
responseHandler.validateTokenResponse(
serverTokenResponse,
refreshAccessToken
);
// caches the token
return responseHandler.handleServerTokenResponse(
serverTokenResponse,
fakeAuthority,
reqTimestamp,
managedIdentityRequest
);
}
public getManagedIdentityUserAssignedIdQueryParameterKey(
managedIdentityIdType: ManagedIdentityIdType
): string {
switch (managedIdentityIdType) {
case ManagedIdentityIdType.USER_ASSIGNED_CLIENT_ID:
this.logger.info(
"[Managed Identity] Adding user assigned client id to the request."
);
return ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_CLIENT_ID;
case ManagedIdentityIdType.USER_ASSIGNED_RESOURCE_ID:
this.logger.info(
"[Managed Identity] Adding user assigned resource id to the request."
);
return ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_RESOURCE_ID;
case ManagedIdentityIdType.USER_ASSIGNED_OBJECT_ID:
this.logger.info(
"[Managed Identity] Adding user assigned object id to the request."
);
return ManagedIdentityUserAssignedIdQueryParameterNames.MANAGED_IDENTITY_OBJECT_ID;
default:
throw createManagedIdentityError(
ManagedIdentityErrorCodes.invalidManagedIdentityIdType
);
}
}
public static getValidatedEnvVariableUrlString = (
envVariableStringName: string,
envVariable: string,
sourceName: string,
logger: Logger
): string => {
try {
return new UrlString(envVariable).urlString;
} catch (error) {
logger.info(
`[Managed Identity] ${sourceName} managed identity is unavailable because the '${envVariableStringName}' environment variable is malformed.`
);
throw createManagedIdentityError(
ManagedIdentityErrorCodes
.MsiEnvironmentVariableUrlMalformedErrorCodes[
envVariableStringName
]
);
}
};
}
node_modules/@azure/msal-node/src/client/ManagedIdentitySources/CloudShell.ts
Generated Vendored
+110
View File
@@ -0,0 +1,110 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { INetworkModule, Logger } from "@azure/msal-common/node";
import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
import { NodeStorage } from "../../cache/NodeStorage.js";
import { CryptoProvider } from "../../crypto/CryptoProvider.js";
import {
HttpMethod,
METADATA_HEADER_NAME,
ManagedIdentityEnvironmentVariableNames,
ManagedIdentityIdType,
ManagedIdentitySourceNames,
RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
} from "../../utils/Constants.js";
import {
ManagedIdentityErrorCodes,
createManagedIdentityError,
} from "../../error/ManagedIdentityError.js";
import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
/**
* Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/CloudShellManagedIdentitySource.cs
*/
export class CloudShell extends BaseManagedIdentitySource {
private msiEndpoint: string;
constructor(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider,
msiEndpoint: string
) {
super(logger, nodeStorage, networkClient, cryptoProvider);
this.msiEndpoint = msiEndpoint;
}
public static getEnvironmentVariables(): Array<string | undefined> {
const msiEndpoint: string | undefined =
process.env[ManagedIdentityEnvironmentVariableNames.MSI_ENDPOINT];
return [msiEndpoint];
}
public static tryCreate(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider,
managedIdentityId: ManagedIdentityId
): CloudShell | null {
const [msiEndpoint] = CloudShell.getEnvironmentVariables();
// if the msi endpoint environment variable is undefined, this MSI provider is unavailable.
if (!msiEndpoint) {
logger.info(
`[Managed Identity] ${ManagedIdentitySourceNames.CLOUD_SHELL} managed identity is unavailable because the '${ManagedIdentityEnvironmentVariableNames.MSI_ENDPOINT} environment variable is not defined.`
);
return null;
}
const validatedMsiEndpoint: string =
CloudShell.getValidatedEnvVariableUrlString(
ManagedIdentityEnvironmentVariableNames.MSI_ENDPOINT,
msiEndpoint,
ManagedIdentitySourceNames.CLOUD_SHELL,
logger
);
logger.info(
`[Managed Identity] Environment variable validation passed for ${ManagedIdentitySourceNames.CLOUD_SHELL} managed identity. Endpoint URI: ${validatedMsiEndpoint}. Creating ${ManagedIdentitySourceNames.CLOUD_SHELL} managed identity.`
);
if (
managedIdentityId.idType !== ManagedIdentityIdType.SYSTEM_ASSIGNED
) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.unableToCreateCloudShell
);
}
return new CloudShell(
logger,
nodeStorage,
networkClient,
cryptoProvider,
msiEndpoint
);
}
public createRequest(resource: string): ManagedIdentityRequestParameters {
const request: ManagedIdentityRequestParameters =
new ManagedIdentityRequestParameters(
HttpMethod.POST,
this.msiEndpoint
);
request.headers[METADATA_HEADER_NAME] = "true";
request.bodyParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
resource;
return request;
}
}
node_modules/@azure/msal-node/src/client/ManagedIdentitySources/Imds.ts
Generated Vendored
+126
View File
@@ -0,0 +1,126 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { INetworkModule, Logger } from "@azure/msal-common/node";
import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
import { CryptoProvider } from "../../crypto/CryptoProvider.js";
import {
API_VERSION_QUERY_PARAMETER_NAME,
HttpMethod,
METADATA_HEADER_NAME,
ManagedIdentityEnvironmentVariableNames,
ManagedIdentityIdType,
ManagedIdentitySourceNames,
RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
} from "../../utils/Constants.js";
import { NodeStorage } from "../../cache/NodeStorage.js";
// IMDS constants. Docs for IMDS are available here https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
const IMDS_TOKEN_PATH: string = "/metadata/identity/oauth2/token";
const DEFAULT_IMDS_ENDPOINT: string = `http://169.254.169.254${IMDS_TOKEN_PATH}`;
const IMDS_API_VERSION: string = "2018-02-01";
// Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/ImdsManagedIdentitySource.cs
export class Imds extends BaseManagedIdentitySource {
private identityEndpoint: string;
constructor(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider,
identityEndpoint: string
) {
super(logger, nodeStorage, networkClient, cryptoProvider);
this.identityEndpoint = identityEndpoint;
}
public static tryCreate(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider
): Imds {
let validatedIdentityEndpoint: string;
if (
process.env[
ManagedIdentityEnvironmentVariableNames
.AZURE_POD_IDENTITY_AUTHORITY_HOST
]
) {
logger.info(
`[Managed Identity] Environment variable ${
ManagedIdentityEnvironmentVariableNames.AZURE_POD_IDENTITY_AUTHORITY_HOST
} for ${ManagedIdentitySourceNames.IMDS} returned endpoint: ${
process.env[
ManagedIdentityEnvironmentVariableNames
.AZURE_POD_IDENTITY_AUTHORITY_HOST
]
}`
);
validatedIdentityEndpoint = Imds.getValidatedEnvVariableUrlString(
ManagedIdentityEnvironmentVariableNames.AZURE_POD_IDENTITY_AUTHORITY_HOST,
`${
process.env[
ManagedIdentityEnvironmentVariableNames
.AZURE_POD_IDENTITY_AUTHORITY_HOST
]
}${IMDS_TOKEN_PATH}`,
ManagedIdentitySourceNames.IMDS,
logger
);
} else {
logger.info(
`[Managed Identity] Unable to find ${ManagedIdentityEnvironmentVariableNames.AZURE_POD_IDENTITY_AUTHORITY_HOST} environment variable for ${ManagedIdentitySourceNames.IMDS}, using the default endpoint.`
);
validatedIdentityEndpoint = DEFAULT_IMDS_ENDPOINT;
}
return new Imds(
logger,
nodeStorage,
networkClient,
cryptoProvider,
validatedIdentityEndpoint
);
}
public createRequest(
resource: string,
managedIdentityId: ManagedIdentityId
): ManagedIdentityRequestParameters {
const request: ManagedIdentityRequestParameters =
new ManagedIdentityRequestParameters(
HttpMethod.GET,
this.identityEndpoint
);
request.headers[METADATA_HEADER_NAME] = "true";
request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
IMDS_API_VERSION;
request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
resource;
if (
managedIdentityId.idType !== ManagedIdentityIdType.SYSTEM_ASSIGNED
) {
request.queryParameters[
this.getManagedIdentityUserAssignedIdQueryParameterKey(
managedIdentityId.idType
)
] = managedIdentityId.id;
}
// bodyParameters calculated in BaseManagedIdentity.acquireTokenWithManagedIdentity
return request;
}
}
node_modules/@azure/msal-node/src/client/ManagedIdentitySources/ServiceFabric.ts
Generated Vendored
+147
View File
@@ -0,0 +1,147 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { INetworkModule, Logger } from "@azure/msal-common/node";
import { ManagedIdentityId } from "../../config/ManagedIdentityId.js";
import { ManagedIdentityRequestParameters } from "../../config/ManagedIdentityRequestParameters.js";
import { BaseManagedIdentitySource } from "./BaseManagedIdentitySource.js";
import { NodeStorage } from "../../cache/NodeStorage.js";
import { CryptoProvider } from "../../crypto/CryptoProvider.js";
import {
API_VERSION_QUERY_PARAMETER_NAME,
HttpMethod,
ManagedIdentityEnvironmentVariableNames,
ManagedIdentityIdType,
ManagedIdentitySourceNames,
RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
SERVICE_FABRIC_SECRET_HEADER_NAME,
} from "../../utils/Constants.js";
// MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
const SERVICE_FABRIC_MSI_API_VERSION: string = "2019-07-01-preview";
/**
* Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/ServiceFabricManagedIdentitySource.cs
*/
export class ServiceFabric extends BaseManagedIdentitySource {
private identityEndpoint: string;
private identityHeader: string;
constructor(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider,
identityEndpoint: string,
identityHeader: string
) {
super(logger, nodeStorage, networkClient, cryptoProvider);
this.identityEndpoint = identityEndpoint;
this.identityHeader = identityHeader;
}
public static getEnvironmentVariables(): Array<string | undefined> {
const identityEndpoint: string | undefined =
process.env[
ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT
];
const identityHeader: string | undefined =
process.env[
ManagedIdentityEnvironmentVariableNames.IDENTITY_HEADER
];
const identityServerThumbprint: string | undefined =
process.env[
ManagedIdentityEnvironmentVariableNames
.IDENTITY_SERVER_THUMBPRINT
];
return [identityEndpoint, identityHeader, identityServerThumbprint];
}
public static tryCreate(
logger: Logger,
nodeStorage: NodeStorage,
networkClient: INetworkModule,
cryptoProvider: CryptoProvider,
managedIdentityId: ManagedIdentityId
): ServiceFabric | null {
const [identityEndpoint, identityHeader, identityServerThumbprint] =
ServiceFabric.getEnvironmentVariables();
/*
* if either of the identity endpoint, identity header, or identity server thumbprint
* environment variables are undefined, this MSI provider is unavailable.
*/
if (!identityEndpoint || !identityHeader || !identityServerThumbprint) {
logger.info(
`[Managed Identity] ${ManagedIdentitySourceNames.SERVICE_FABRIC} managed identity is unavailable because one or all of the '${ManagedIdentityEnvironmentVariableNames.IDENTITY_HEADER}', '${ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT}' or '${ManagedIdentityEnvironmentVariableNames.IDENTITY_SERVER_THUMBPRINT}' environment variables are not defined.`
);
return null;
}
const validatedIdentityEndpoint: string =
ServiceFabric.getValidatedEnvVariableUrlString(
ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT,
identityEndpoint,
ManagedIdentitySourceNames.SERVICE_FABRIC,
logger
);
logger.info(
`[Managed Identity] Environment variables validation passed for ${ManagedIdentitySourceNames.SERVICE_FABRIC} managed identity. Endpoint URI: ${validatedIdentityEndpoint}. Creating ${ManagedIdentitySourceNames.SERVICE_FABRIC} managed identity.`
);
if (
managedIdentityId.idType !== ManagedIdentityIdType.SYSTEM_ASSIGNED
) {
logger.warning(
`[Managed Identity] ${ManagedIdentitySourceNames.SERVICE_FABRIC} user assigned managed identity is configured in the cluster, not during runtime. See also: https://learn.microsoft.com/en-us/azure/service-fabric/configure-existing-cluster-enable-managed-identity-token-service.`
);
}
return new ServiceFabric(
logger,
nodeStorage,
networkClient,
cryptoProvider,
identityEndpoint,
identityHeader
);
}
public createRequest(
resource: string,
managedIdentityId: ManagedIdentityId
): ManagedIdentityRequestParameters {
const request: ManagedIdentityRequestParameters =
new ManagedIdentityRequestParameters(
HttpMethod.GET,
this.identityEndpoint
);
request.headers[SERVICE_FABRIC_SECRET_HEADER_NAME] =
this.identityHeader;
request.queryParameters[API_VERSION_QUERY_PARAMETER_NAME] =
SERVICE_FABRIC_MSI_API_VERSION;
request.queryParameters[RESOURCE_BODY_OR_QUERY_PARAMETER_NAME] =
resource;
if (
managedIdentityId.idType !== ManagedIdentityIdType.SYSTEM_ASSIGNED
) {
request.queryParameters[
this.getManagedIdentityUserAssignedIdQueryParameterKey(
managedIdentityId.idType
)
] = managedIdentityId.id;
}
// bodyParameters calculated in BaseManagedIdentity.acquireTokenWithManagedIdentity
return request;
}
}
node_modules/@azure/msal-node/src/client/OnBehalfOfClient.ts
Generated Vendored
+379
View File
@@ -0,0 +1,379 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AADServerParamKeys,
AccessTokenEntity,
AccountEntity,
AccountInfo,
AuthenticationResult,
AuthenticationScheme,
Authority,
AuthToken,
BaseClient,
CacheOutcome,
ClientAuthErrorCodes,
ClientConfiguration,
CommonOnBehalfOfRequest,
Constants,
createClientAuthError,
CredentialFilter,
CredentialType,
GrantType,
IdTokenEntity,
RequestParameterBuilder,
RequestThumbprint,
ResponseHandler,
ScopeSet,
TimeUtils,
TokenClaims,
UrlString,
ClientAssertion,
getClientAssertion,
} from "@azure/msal-common/node";
import { EncodingUtils } from "../utils/EncodingUtils.js";
/**
* On-Behalf-Of client
* @public
*/
export class OnBehalfOfClient extends BaseClient {
private scopeSet: ScopeSet;
private userAssertionHash: string;
constructor(configuration: ClientConfiguration) {
super(configuration);
}
/**
* Public API to acquire tokens with on behalf of flow
* @param request - developer provided CommonOnBehalfOfRequest
*/
public async acquireToken(
request: CommonOnBehalfOfRequest
): Promise<AuthenticationResult | null> {
this.scopeSet = new ScopeSet(request.scopes || []);
// generate the user_assertion_hash for OBOAssertion
this.userAssertionHash = await this.cryptoUtils.hashString(
request.oboAssertion
);
if (request.skipCache || request.claims) {
return this.executeTokenRequest(
request,
this.authority,
this.userAssertionHash
);
}
try {
return await this.getCachedAuthenticationResult(request);
} catch (e) {
// Any failure falls back to interactive request, once we implement distributed cache, we plan to handle `createRefreshRequiredError` to refresh using the RT
return await this.executeTokenRequest(
request,
this.authority,
this.userAssertionHash
);
}
}
/**
* look up cache for tokens
* Find idtoken in the cache
* Find accessToken based on user assertion and account info in the cache
* Please note we are not yet supported OBO tokens refreshed with long lived RT. User will have to send a new assertion if the current access token expires
* This is to prevent security issues when the assertion changes over time, however, longlived RT helps retaining the session
* @param request - developer provided CommonOnBehalfOfRequest
*/
private async getCachedAuthenticationResult(
request: CommonOnBehalfOfRequest
): Promise<AuthenticationResult | null> {
// look in the cache for the access_token which matches the incoming_assertion
const cachedAccessToken = this.readAccessTokenFromCacheForOBO(
this.config.authOptions.clientId,
request
);
if (!cachedAccessToken) {
// Must refresh due to non-existent access_token.
this.serverTelemetryManager?.setCacheOutcome(
CacheOutcome.NO_CACHED_ACCESS_TOKEN
);
this.logger.info(
"SilentFlowClient:acquireCachedToken - No access token found in cache for the given properties."
);
throw createClientAuthError(
ClientAuthErrorCodes.tokenRefreshRequired
);
} else if (
TimeUtils.isTokenExpired(
cachedAccessToken.expiresOn,
this.config.systemOptions.tokenRenewalOffsetSeconds
)
) {
// Access token expired, will need to renewed
this.serverTelemetryManager?.setCacheOutcome(
CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED
);
this.logger.info(
`OnbehalfofFlow:getCachedAuthenticationResult - Cached access token is expired or will expire within ${this.config.systemOptions.tokenRenewalOffsetSeconds} seconds.`
);
throw createClientAuthError(
ClientAuthErrorCodes.tokenRefreshRequired
);
}
// fetch the idToken from cache
const cachedIdToken = this.readIdTokenFromCacheForOBO(
cachedAccessToken.homeAccountId
);
let idTokenClaims: TokenClaims | undefined;
let cachedAccount: AccountEntity | null = null;
if (cachedIdToken) {
idTokenClaims = AuthToken.extractTokenClaims(
cachedIdToken.secret,
EncodingUtils.base64Decode
);
const localAccountId = idTokenClaims.oid || idTokenClaims.sub;
const accountInfo: AccountInfo = {
homeAccountId: cachedIdToken.homeAccountId,
environment: cachedIdToken.environment,
tenantId: cachedIdToken.realm,
username: Constants.EMPTY_STRING,
localAccountId: localAccountId || Constants.EMPTY_STRING,
};
cachedAccount = this.cacheManager.readAccountFromCache(accountInfo);
}
// increment telemetry cache hit counter
if (this.config.serverTelemetryManager) {
this.config.serverTelemetryManager.incrementCacheHits();
}
return ResponseHandler.generateAuthenticationResult(
this.cryptoUtils,
this.authority,
{
account: cachedAccount,
accessToken: cachedAccessToken,
idToken: cachedIdToken,
refreshToken: null,
appMetadata: null,
},
true,
request,
idTokenClaims
);
}
/**
* read idtoken from cache, this is a specific implementation for OBO as the requirements differ from a generic lookup in the cacheManager
* Certain use cases of OBO flow do not expect an idToken in the cache/or from the service
* @param atHomeAccountId - account id
*/
private readIdTokenFromCacheForOBO(
atHomeAccountId: string
): IdTokenEntity | null {
const idTokenFilter: CredentialFilter = {
homeAccountId: atHomeAccountId,
environment:
this.authority.canonicalAuthorityUrlComponents.HostNameAndPort,
credentialType: CredentialType.ID_TOKEN,
clientId: this.config.authOptions.clientId,
realm: this.authority.tenant,
};
const idTokenMap: Map<string, IdTokenEntity> =
this.cacheManager.getIdTokensByFilter(idTokenFilter);
// When acquiring a token on behalf of an application, there might not be an id token in the cache
if (Object.values(idTokenMap).length < 1) {
return null;
}
return Object.values(idTokenMap)[0] as IdTokenEntity;
}
/**
* Fetches the cached access token based on incoming assertion
* @param clientId - client id
* @param request - developer provided CommonOnBehalfOfRequest
*/
private readAccessTokenFromCacheForOBO(
clientId: string,
request: CommonOnBehalfOfRequest
) {
const authScheme =
request.authenticationScheme || AuthenticationScheme.BEARER;
/*
* Distinguish between Bearer and PoP/SSH token cache types
* Cast to lowercase to handle "bearer" from ADFS
*/
const credentialType =
authScheme &&
authScheme.toLowerCase() !==
AuthenticationScheme.BEARER.toLowerCase()
? CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME
: CredentialType.ACCESS_TOKEN;
const accessTokenFilter: CredentialFilter = {
credentialType: credentialType,
clientId,
target: ScopeSet.createSearchScopes(this.scopeSet.asArray()),
tokenType: authScheme,
keyId: request.sshKid,
requestedClaimsHash: request.requestedClaimsHash,
userAssertionHash: this.userAssertionHash,
};
const accessTokens =
this.cacheManager.getAccessTokensByFilter(accessTokenFilter);
const numAccessTokens = accessTokens.length;
if (numAccessTokens < 1) {
return null;
} else if (numAccessTokens > 1) {
throw createClientAuthError(
ClientAuthErrorCodes.multipleMatchingTokens
);
}
return accessTokens[0] as AccessTokenEntity;
}
/**
* Make a network call to the server requesting credentials
* @param request - developer provided CommonOnBehalfOfRequest
* @param authority - authority object
*/
private async executeTokenRequest(
request: CommonOnBehalfOfRequest,
authority: Authority,
userAssertionHash: string
): Promise<AuthenticationResult | null> {
const queryParametersString = this.createTokenQueryParameters(request);
const endpoint = UrlString.appendQueryString(
authority.tokenEndpoint,
queryParametersString
);
const requestBody = await this.createTokenRequestBody(request);
const headers: Record<string, string> =
this.createTokenRequestHeaders();
const thumbprint: RequestThumbprint = {
clientId: this.config.authOptions.clientId,
authority: request.authority,
scopes: request.scopes,
claims: request.claims,
authenticationScheme: request.authenticationScheme,
resourceRequestMethod: request.resourceRequestMethod,
resourceRequestUri: request.resourceRequestUri,
shrClaims: request.shrClaims,
sshKid: request.sshKid,
};
const reqTimestamp = TimeUtils.nowSeconds();
const response = await this.executePostToTokenEndpoint(
endpoint,
requestBody,
headers,
thumbprint,
request.correlationId
);
const responseHandler = new ResponseHandler(
this.config.authOptions.clientId,
this.cacheManager,
this.cryptoUtils,
this.logger,
this.config.serializableCache,
this.config.persistencePlugin
);
responseHandler.validateTokenResponse(response.body);
const tokenResponse = await responseHandler.handleServerTokenResponse(
response.body,
this.authority,
reqTimestamp,
request,
undefined,
userAssertionHash
);
return tokenResponse;
}
/**
* generate a server request in accepable format
* @param request - developer provided CommonOnBehalfOfRequest
*/
private async createTokenRequestBody(
request: CommonOnBehalfOfRequest
): Promise<string> {
const parameterBuilder = new RequestParameterBuilder();
parameterBuilder.addClientId(this.config.authOptions.clientId);
parameterBuilder.addScopes(request.scopes);
parameterBuilder.addGrantType(GrantType.JWT_BEARER);
parameterBuilder.addClientInfo();
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
parameterBuilder.addApplicationTelemetry(
this.config.telemetry.application
);
parameterBuilder.addThrottling();
if (this.serverTelemetryManager) {
parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
}
const correlationId =
request.correlationId ||
this.config.cryptoInterface.createNewGuid();
parameterBuilder.addCorrelationId(correlationId);
parameterBuilder.addRequestTokenUse(AADServerParamKeys.ON_BEHALF_OF);
parameterBuilder.addOboAssertion(request.oboAssertion);
if (this.config.clientCredentials.clientSecret) {
parameterBuilder.addClientSecret(
this.config.clientCredentials.clientSecret
);
}
const clientAssertion: ClientAssertion | undefined =
this.config.clientCredentials.clientAssertion;
if (clientAssertion) {
parameterBuilder.addClientAssertion(
await getClientAssertion(
clientAssertion.assertion,
this.config.authOptions.clientId,
request.resourceRequestUri
)
);
parameterBuilder.addClientAssertionType(
clientAssertion.assertionType
);
}
if (
request.claims ||
(this.config.authOptions.clientCapabilities &&
this.config.authOptions.clientCapabilities.length > 0)
) {
parameterBuilder.addClaims(
request.claims,
this.config.authOptions.clientCapabilities
);
}
return parameterBuilder.createQueryString();
}
}
node_modules/@azure/msal-node/src/client/PublicClientApplication.ts
Generated Vendored
+352
View File
@@ -0,0 +1,352 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
ApiId,
Constants,
LOOPBACK_SERVER_CONSTANTS,
} from "../utils/Constants.js";
import {
AuthenticationResult,
CommonDeviceCodeRequest,
AuthError,
ResponseMode,
OIDC_DEFAULT_SCOPES,
CodeChallengeMethodValues,
Constants as CommonConstants,
ServerError,
NativeRequest,
NativeSignOutRequest,
AccountInfo,
INativeBrokerPlugin,
ServerAuthorizationCodeResponse,
AADServerParamKeys,
ServerTelemetryManager,
} from "@azure/msal-common/node";
import { Configuration } from "../config/Configuration.js";
import { ClientApplication } from "./ClientApplication.js";
import { IPublicClientApplication } from "./IPublicClientApplication.js";
import { DeviceCodeRequest } from "../request/DeviceCodeRequest.js";
import { AuthorizationUrlRequest } from "../request/AuthorizationUrlRequest.js";
import { AuthorizationCodeRequest } from "../request/AuthorizationCodeRequest.js";
import { InteractiveRequest } from "../request/InteractiveRequest.js";
import { NodeAuthError, NodeAuthErrorMessage } from "../error/NodeAuthError.js";
import { LoopbackClient } from "../network/LoopbackClient.js";
import { SilentFlowRequest } from "../request/SilentFlowRequest.js";
import { SignOutRequest } from "../request/SignOutRequest.js";
import { ILoopbackClient } from "../network/ILoopbackClient.js";
import { DeviceCodeClient } from "./DeviceCodeClient.js";
import { version } from "../packageMetadata.js";
/**
* This class is to be used to acquire tokens for public client applications (desktop, mobile). Public client applications
* are not trusted to safely store application secrets, and therefore can only request tokens in the name of an user.
* @public
*/
export class PublicClientApplication
extends ClientApplication
implements IPublicClientApplication
{
private nativeBrokerPlugin?: INativeBrokerPlugin;
private readonly skus: string;
/**
* Important attributes in the Configuration object for auth are:
* - clientID: the application ID of your application. You can obtain one by registering your application with our Application registration portal.
* - authority: the authority URL for your application.
*
* AAD authorities are of the form https://login.microsoftonline.com/\{Enter_the_Tenant_Info_Here\}.
* - If your application supports Accounts in one organizational directory, replace "Enter_the_Tenant_Info_Here" value with the Tenant Id or Tenant name (for example, contoso.microsoft.com).
* - If your application supports Accounts in any organizational directory, replace "Enter_the_Tenant_Info_Here" value with organizations.
* - If your application supports Accounts in any organizational directory and personal Microsoft accounts, replace "Enter_the_Tenant_Info_Here" value with common.
* - To restrict support to Personal Microsoft accounts only, replace "Enter_the_Tenant_Info_Here" value with consumers.
*
* Azure B2C authorities are of the form https://\{instance\}/\{tenant\}/\{policy\}. Each policy is considered
* its own authority. You will have to set the all of the knownAuthorities at the time of the client application
* construction.
*
* ADFS authorities are of the form https://\{instance\}/adfs.
*/
constructor(configuration: Configuration) {
super(configuration);
if (this.config.broker.nativeBrokerPlugin) {
if (this.config.broker.nativeBrokerPlugin.isBrokerAvailable) {
this.nativeBrokerPlugin = this.config.broker.nativeBrokerPlugin;
this.nativeBrokerPlugin.setLogger(
this.config.system.loggerOptions
);
} else {
this.logger.warning(
"NativeBroker implementation was provided but the broker is unavailable."
);
}
}
this.skus = ServerTelemetryManager.makeExtraSkuString({
libraryName: Constants.MSAL_SKU,
libraryVersion: version,
});
}
/**
* Acquires a token from the authority using OAuth2.0 device code flow.
* This flow is designed for devices that do not have access to a browser or have input constraints.
* The authorization server issues a DeviceCode object with a verification code, an end-user code,
* and the end-user verification URI. The DeviceCode object is provided through a callback, and the end-user should be
* instructed to use another device to navigate to the verification URI to input credentials.
* Since the client cannot receive incoming requests, it polls the authorization server repeatedly
* until the end-user completes input of credentials.
*/
public async acquireTokenByDeviceCode(
request: DeviceCodeRequest
): Promise<AuthenticationResult | null> {
this.logger.info(
"acquireTokenByDeviceCode called",
request.correlationId
);
const validRequest: CommonDeviceCodeRequest = Object.assign(
request,
await this.initializeBaseRequest(request)
);
const serverTelemetryManager = this.initializeServerTelemetryManager(
ApiId.acquireTokenByDeviceCode,
validRequest.correlationId
);
try {
const deviceCodeConfig = await this.buildOauthClientConfiguration(
validRequest.authority,
validRequest.correlationId,
"",
serverTelemetryManager,
undefined,
request.azureCloudOptions
);
const deviceCodeClient = new DeviceCodeClient(deviceCodeConfig);
this.logger.verbose(
"Device code client created",
validRequest.correlationId
);
return await deviceCodeClient.acquireToken(validRequest);
} catch (e) {
if (e instanceof AuthError) {
e.setCorrelationId(validRequest.correlationId);
}
serverTelemetryManager.cacheFailedRequest(e as AuthError);
throw e;
}
}
/**
* Acquires a token interactively via the browser by requesting an authorization code then exchanging it for a token.
*/
async acquireTokenInteractive(
request: InteractiveRequest
): Promise<AuthenticationResult> {
const correlationId =
request.correlationId || this.cryptoProvider.createNewGuid();
this.logger.trace("acquireTokenInteractive called", correlationId);
const {
openBrowser,
successTemplate,
errorTemplate,
windowHandle,
loopbackClient: customLoopbackClient,
...remainingProperties
} = request;
if (this.nativeBrokerPlugin) {
const brokerRequest: NativeRequest = {
...remainingProperties,
clientId: this.config.auth.clientId,
scopes: request.scopes || OIDC_DEFAULT_SCOPES,
redirectUri: `${Constants.HTTP_PROTOCOL}${Constants.LOCALHOST}`,
authority: request.authority || this.config.auth.authority,
correlationId: correlationId,
extraParameters: {
...remainingProperties.extraQueryParameters,
...remainingProperties.tokenQueryParameters,
[AADServerParamKeys.X_CLIENT_EXTRA_SKU]: this.skus,
},
accountId: remainingProperties.account?.nativeAccountId,
};
return this.nativeBrokerPlugin.acquireTokenInteractive(
brokerRequest,
windowHandle
);
}
const { verifier, challenge } =
await this.cryptoProvider.generatePkceCodes();
const loopbackClient: ILoopbackClient =
customLoopbackClient || new LoopbackClient();
let authCodeResponse: ServerAuthorizationCodeResponse = {};
let authCodeListenerError: AuthError | null = null;
try {
const authCodeListener = loopbackClient
.listenForAuthCode(successTemplate, errorTemplate)
.then((response) => {
authCodeResponse = response;
})
.catch((e) => {
// Store the promise instead of throwing so we can control when its thrown
authCodeListenerError = e;
});
// Wait for server to be listening
const redirectUri = await this.waitForRedirectUri(loopbackClient);
const validRequest: AuthorizationUrlRequest = {
...remainingProperties,
correlationId: correlationId,
scopes: request.scopes || OIDC_DEFAULT_SCOPES,
redirectUri: redirectUri,
responseMode: ResponseMode.QUERY,
codeChallenge: challenge,
codeChallengeMethod: CodeChallengeMethodValues.S256,
};
const authCodeUrl = await this.getAuthCodeUrl(validRequest);
await openBrowser(authCodeUrl);
await authCodeListener;
if (authCodeListenerError) {
throw authCodeListenerError;
}
if (authCodeResponse.error) {
throw new ServerError(
authCodeResponse.error,
authCodeResponse.error_description,
authCodeResponse.suberror
);
} else if (!authCodeResponse.code) {
throw NodeAuthError.createNoAuthCodeInResponseError();
}
const clientInfo = authCodeResponse.client_info;
const tokenRequest: AuthorizationCodeRequest = {
code: authCodeResponse.code,
codeVerifier: verifier,
clientInfo: clientInfo || CommonConstants.EMPTY_STRING,
...validRequest,
};
return await this.acquireTokenByCode(tokenRequest); // Await this so the server doesn't close prematurely
} finally {
loopbackClient.closeServer();
}
}
/**
* Returns a token retrieved either from the cache or by exchanging the refresh token for a fresh access token. If brokering is enabled the token request will be serviced by the broker.
* @param request - developer provided SilentFlowRequest
* @returns
*/
async acquireTokenSilent(
request: SilentFlowRequest
): Promise<AuthenticationResult> {
const correlationId =
request.correlationId || this.cryptoProvider.createNewGuid();
this.logger.trace("acquireTokenSilent called", correlationId);
if (this.nativeBrokerPlugin) {
const brokerRequest: NativeRequest = {
...request,
clientId: this.config.auth.clientId,
scopes: request.scopes || OIDC_DEFAULT_SCOPES,
redirectUri: `${Constants.HTTP_PROTOCOL}${Constants.LOCALHOST}`,
authority: request.authority || this.config.auth.authority,
correlationId: correlationId,
extraParameters: {
...request.tokenQueryParameters,
[AADServerParamKeys.X_CLIENT_EXTRA_SKU]: this.skus,
},
accountId: request.account.nativeAccountId,
forceRefresh: request.forceRefresh || false,
};
return this.nativeBrokerPlugin.acquireTokenSilent(brokerRequest);
}
return super.acquireTokenSilent(request);
}
/**
* Removes cache artifacts associated with the given account
* @param request - developer provided SignOutRequest
* @returns
*/
async signOut(request: SignOutRequest): Promise<void> {
if (this.nativeBrokerPlugin && request.account.nativeAccountId) {
const signoutRequest: NativeSignOutRequest = {
clientId: this.config.auth.clientId,
accountId: request.account.nativeAccountId,
correlationId:
request.correlationId ||
this.cryptoProvider.createNewGuid(),
};
await this.nativeBrokerPlugin.signOut(signoutRequest);
}
await this.getTokenCache().removeAccount(request.account);
}
/**
* Returns all cached accounts for this application. If brokering is enabled this request will be serviced by the broker.
* @returns
*/
async getAllAccounts(): Promise<AccountInfo[]> {
if (this.nativeBrokerPlugin) {
const correlationId = this.cryptoProvider.createNewGuid();
return this.nativeBrokerPlugin.getAllAccounts(
this.config.auth.clientId,
correlationId
);
}
return this.getTokenCache().getAllAccounts();
}
/**
* Attempts to retrieve the redirectUri from the loopback server. If the loopback server does not start listening for requests within the timeout this will throw.
* @param loopbackClient - developer provided custom loopback server implementation
* @returns
*/
private async waitForRedirectUri(
loopbackClient: ILoopbackClient
): Promise<string> {
return new Promise<string>((resolve, reject) => {
let ticks = 0;
const id = setInterval(() => {
if (
LOOPBACK_SERVER_CONSTANTS.TIMEOUT_MS /
LOOPBACK_SERVER_CONSTANTS.INTERVAL_MS <
ticks
) {
clearInterval(id);
reject(NodeAuthError.createLoopbackServerTimeoutError());
return;
}
try {
const r = loopbackClient.getRedirectUri();
clearInterval(id);
resolve(r);
return;
} catch (e) {
if (
e instanceof AuthError &&
e.errorCode ===
NodeAuthErrorMessage.noLoopbackServerExists.code
) {
// Loopback server is not listening yet
ticks++;
return;
}
clearInterval(id);
reject(e);
return;
}
}, LOOPBACK_SERVER_CONSTANTS.INTERVAL_MS);
});
}
}
node_modules/@azure/msal-node/src/client/UsernamePasswordClient.ts
Generated Vendored
+190
View File
@@ -0,0 +1,190 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
AuthenticationResult,
Authority,
BaseClient,
CcsCredentialType,
ClientAssertion,
ClientConfiguration,
CommonUsernamePasswordRequest,
GrantType,
NetworkResponse,
RequestParameterBuilder,
RequestThumbprint,
ResponseHandler,
ServerAuthorizationTokenResponse,
StringUtils,
TimeUtils,
UrlString,
getClientAssertion,
} from "@azure/msal-common/node";
/**
* Oauth2.0 Password grant client
* Note: We are only supporting public clients for password grant and for purely testing purposes
* @public
*/
export class UsernamePasswordClient extends BaseClient {
constructor(configuration: ClientConfiguration) {
super(configuration);
}
/**
* API to acquire a token by passing the username and password to the service in exchage of credentials
* password_grant
* @param request - CommonUsernamePasswordRequest
*/
async acquireToken(
request: CommonUsernamePasswordRequest
): Promise<AuthenticationResult | null> {
this.logger.info("in acquireToken call in username-password client");
const reqTimestamp = TimeUtils.nowSeconds();
const response = await this.executeTokenRequest(
this.authority,
request
);
const responseHandler = new ResponseHandler(
this.config.authOptions.clientId,
this.cacheManager,
this.cryptoUtils,
this.logger,
this.config.serializableCache,
this.config.persistencePlugin
);
// Validate response. This function throws a server error if an error is returned by the server.
responseHandler.validateTokenResponse(response.body);
const tokenResponse = responseHandler.handleServerTokenResponse(
response.body,
this.authority,
reqTimestamp,
request
);
return tokenResponse;
}
/**
* Executes POST request to token endpoint
* @param authority - authority object
* @param request - CommonUsernamePasswordRequest provided by the developer
*/
private async executeTokenRequest(
authority: Authority,
request: CommonUsernamePasswordRequest
): Promise<NetworkResponse<ServerAuthorizationTokenResponse>> {
const queryParametersString = this.createTokenQueryParameters(request);
const endpoint = UrlString.appendQueryString(
authority.tokenEndpoint,
queryParametersString
);
const requestBody = await this.createTokenRequestBody(request);
const headers: Record<string, string> = this.createTokenRequestHeaders({
credential: request.username,
type: CcsCredentialType.UPN,
});
const thumbprint: RequestThumbprint = {
clientId: this.config.authOptions.clientId,
authority: authority.canonicalAuthority,
scopes: request.scopes,
claims: request.claims,
authenticationScheme: request.authenticationScheme,
resourceRequestMethod: request.resourceRequestMethod,
resourceRequestUri: request.resourceRequestUri,
shrClaims: request.shrClaims,
sshKid: request.sshKid,
};
return this.executePostToTokenEndpoint(
endpoint,
requestBody,
headers,
thumbprint,
request.correlationId
);
}
/**
* Generates a map for all the params to be sent to the service
* @param request - CommonUsernamePasswordRequest provided by the developer
*/
private async createTokenRequestBody(
request: CommonUsernamePasswordRequest
): Promise<string> {
const parameterBuilder = new RequestParameterBuilder();
parameterBuilder.addClientId(this.config.authOptions.clientId);
parameterBuilder.addUsername(request.username);
parameterBuilder.addPassword(request.password);
parameterBuilder.addScopes(request.scopes);
parameterBuilder.addResponseTypeForTokenAndIdToken();
parameterBuilder.addGrantType(GrantType.RESOURCE_OWNER_PASSWORD_GRANT);
parameterBuilder.addClientInfo();
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
parameterBuilder.addApplicationTelemetry(
this.config.telemetry.application
);
parameterBuilder.addThrottling();
if (this.serverTelemetryManager) {
parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
}
const correlationId =
request.correlationId ||
this.config.cryptoInterface.createNewGuid();
parameterBuilder.addCorrelationId(correlationId);
if (this.config.clientCredentials.clientSecret) {
parameterBuilder.addClientSecret(
this.config.clientCredentials.clientSecret
);
}
const clientAssertion: ClientAssertion | undefined =
this.config.clientCredentials.clientAssertion;
if (clientAssertion) {
parameterBuilder.addClientAssertion(
await getClientAssertion(
clientAssertion.assertion,
this.config.authOptions.clientId,
request.resourceRequestUri
)
);
parameterBuilder.addClientAssertionType(
clientAssertion.assertionType
);
}
if (
!StringUtils.isEmptyObj(request.claims) ||
(this.config.authOptions.clientCapabilities &&
this.config.authOptions.clientCapabilities.length > 0)
) {
parameterBuilder.addClaims(
request.claims,
this.config.authOptions.clientCapabilities
);
}
if (
this.config.systemOptions.preventCorsPreflight &&
request.username
) {
parameterBuilder.addCcsUpn(request.username);
}
return parameterBuilder.createQueryString();
}
}
node_modules/@azure/msal-node/src/config/Configuration.ts
Generated Vendored
+299
View File
@@ -0,0 +1,299 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
LoggerOptions,
INetworkModule,
LogLevel,
ProtocolMode,
ICachePlugin,
Constants,
AzureCloudInstance,
AzureCloudOptions,
ApplicationTelemetry,
INativeBrokerPlugin,
ClientAssertionCallback,
} from "@azure/msal-common/node";
import { HttpClient } from "../network/HttpClient.js";
import http from "http";
import https from "https";
import { ManagedIdentityId } from "./ManagedIdentityId.js";
import {
MANAGED_IDENTITY_HTTP_STATUS_CODES_TO_RETRY_ON,
MANAGED_IDENTITY_MAX_RETRIES,
MANAGED_IDENTITY_RETRY_DELAY,
} from "../utils/Constants.js";
import { LinearRetryPolicy } from "../retry/LinearRetryPolicy.js";
import { HttpClientWithRetries } from "../network/HttpClientWithRetries.js";
import { NodeAuthError } from "../error/NodeAuthError.js";
/**
* - clientId - Client id of the application.
* - authority - Url of the authority. If no value is set, defaults to https://login.microsoftonline.com/common.
* - knownAuthorities - Needed for Azure B2C and ADFS. All authorities that will be used in the client application. Only the host of the authority should be passed in.
* - clientSecret - Secret string that the application uses when requesting a token. Only used in confidential client applications. Can be created in the Azure app registration portal.
* - clientAssertion - A ClientAssertion object containing an assertion string or a callback function that returns an assertion string that the application uses when requesting a token, as well as the assertion's type (urn:ietf:params:oauth:client-assertion-type:jwt-bearer). Only used in confidential client applications.
* - clientCertificate - Certificate that the application uses when requesting a token. Only used in confidential client applications. Requires hex encoded X.509 SHA-1 or SHA-256 thumbprint of the certificate, and the PEM encoded private key (string should contain -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- )
* - protocolMode - Enum that represents the protocol that msal follows. Used for configuring proper endpoints.
* - skipAuthorityMetadataCache - A flag to choose whether to use or not use the local metadata cache during authority initialization. Defaults to false.
* @public
*/
export type NodeAuthOptions = {
clientId: string;
authority?: string;
clientSecret?: string;
clientAssertion?: string | ClientAssertionCallback;
clientCertificate?: {
/**
* @deprecated Use thumbprintSha2 property instead. Thumbprint needs to be computed with SHA-256 algorithm.
* SHA-1 is only needed for backwards compatibility with older versions of ADFS.
*/
thumbprint?: string;
thumbprintSha256?: string;
privateKey: string;
x5c?: string;
};
knownAuthorities?: Array<string>;
cloudDiscoveryMetadata?: string;
authorityMetadata?: string;
clientCapabilities?: Array<string>;
protocolMode?: ProtocolMode;
azureCloudOptions?: AzureCloudOptions;
skipAuthorityMetadataCache?: boolean;
};
/**
* Use this to configure the below cache configuration options:
*
* - cachePlugin - Plugin for reading and writing token cache to disk.
* @public
*/
export type CacheOptions = {
cachePlugin?: ICachePlugin;
/**
* @deprecated claims-based-caching functionality will be removed in the next version of MSALJS
*/
claimsBasedCachingEnabled?: boolean;
};
/**
* Use this to configure the below broker options:
* - nativeBrokerPlugin - Native broker implementation (should be imported from msal-node-extensions)
*
* Note: These options are only available for PublicClientApplications using the Authorization Code Flow
* @public
*/
export type BrokerOptions = {
nativeBrokerPlugin?: INativeBrokerPlugin;
};
/**
* Type for configuring logger and http client options
*
* - logger - Used to initialize the Logger object; TODO: Expand on logger details or link to the documentation on logger
* - networkClient - Http client used for all http get and post calls. Defaults to using MSAL's default http client.
* @public
*/
export type NodeSystemOptions = {
loggerOptions?: LoggerOptions;
networkClient?: INetworkModule;
proxyUrl?: string;
customAgentOptions?: http.AgentOptions | https.AgentOptions;
disableInternalRetries?: boolean;
};
/** @public */
export type NodeTelemetryOptions = {
application?: ApplicationTelemetry;
};
/**
* Use the configuration object to configure MSAL and initialize the client application object
*
* - auth: this is where you configure auth elements like clientID, authority used for authenticating against the Microsoft Identity Platform
* - broker: this is where you configure broker options
* - cache: this is where you configure cache location
* - system: this is where you can configure the network client, logger
* - telemetry: this is where you can configure telemetry options
* @public
*/
export type Configuration = {
auth: NodeAuthOptions;
broker?: BrokerOptions;
cache?: CacheOptions;
system?: NodeSystemOptions;
telemetry?: NodeTelemetryOptions;
};
/** @public */
export type ManagedIdentityIdParams = {
userAssignedClientId?: string;
userAssignedResourceId?: string;
userAssignedObjectId?: string;
};
/** @public */
export type ManagedIdentityConfiguration = {
managedIdentityIdParams?: ManagedIdentityIdParams;
system?: NodeSystemOptions;
};
const DEFAULT_AUTH_OPTIONS: Required<NodeAuthOptions> = {
clientId: Constants.EMPTY_STRING,
authority: Constants.DEFAULT_AUTHORITY,
clientSecret: Constants.EMPTY_STRING,
clientAssertion: Constants.EMPTY_STRING,
clientCertificate: {
thumbprint: Constants.EMPTY_STRING,
thumbprintSha256: Constants.EMPTY_STRING,
privateKey: Constants.EMPTY_STRING,
x5c: Constants.EMPTY_STRING,
},
knownAuthorities: [],
cloudDiscoveryMetadata: Constants.EMPTY_STRING,
authorityMetadata: Constants.EMPTY_STRING,
clientCapabilities: [],
protocolMode: ProtocolMode.AAD,
azureCloudOptions: {
azureCloudInstance: AzureCloudInstance.None,
tenant: Constants.EMPTY_STRING,
},
skipAuthorityMetadataCache: false,
};
const DEFAULT_CACHE_OPTIONS: CacheOptions = {
claimsBasedCachingEnabled: false,
};
const DEFAULT_LOGGER_OPTIONS: LoggerOptions = {
loggerCallback: (): void => {
// allow users to not set logger call back
},
piiLoggingEnabled: false,
logLevel: LogLevel.Info,
};
const DEFAULT_SYSTEM_OPTIONS: Required<NodeSystemOptions> = {
loggerOptions: DEFAULT_LOGGER_OPTIONS,
networkClient: new HttpClient(),
proxyUrl: Constants.EMPTY_STRING,
customAgentOptions: {} as http.AgentOptions | https.AgentOptions,
disableInternalRetries: false,
};
const DEFAULT_TELEMETRY_OPTIONS: Required<NodeTelemetryOptions> = {
application: {
appName: Constants.EMPTY_STRING,
appVersion: Constants.EMPTY_STRING,
},
};
/** @internal */
export type NodeConfiguration = {
auth: Required<NodeAuthOptions>;
broker: BrokerOptions;
cache: CacheOptions;
system: Required<NodeSystemOptions>;
telemetry: Required<NodeTelemetryOptions>;
};
/**
* Sets the default options when not explicitly configured from app developer
*
* @param auth - Authentication options
* @param cache - Cache options
* @param system - System options
* @param telemetry - Telemetry options
*
* @returns Configuration
* @internal
*/
export function buildAppConfiguration({
auth,
broker,
cache,
system,
telemetry,
}: Configuration): NodeConfiguration {
const systemOptions: Required<NodeSystemOptions> = {
...DEFAULT_SYSTEM_OPTIONS,
networkClient: new HttpClient(
system?.proxyUrl,
system?.customAgentOptions as http.AgentOptions | https.AgentOptions
),
loggerOptions: system?.loggerOptions || DEFAULT_LOGGER_OPTIONS,
disableInternalRetries: system?.disableInternalRetries || false,
};
// if client certificate was provided, ensure that at least one of the SHA-1 or SHA-256 thumbprints were provided
if (
!!auth.clientCertificate &&
!!!auth.clientCertificate.thumbprint &&
!!!auth.clientCertificate.thumbprintSha256
) {
throw NodeAuthError.createStateNotFoundError();
}
return {
auth: { ...DEFAULT_AUTH_OPTIONS, ...auth },
broker: { ...broker },
cache: { ...DEFAULT_CACHE_OPTIONS, ...cache },
system: { ...systemOptions, ...system },
telemetry: { ...DEFAULT_TELEMETRY_OPTIONS, ...telemetry },
};
}
/** @internal */
export type ManagedIdentityNodeConfiguration = {
managedIdentityId: ManagedIdentityId;
system: Required<
Pick<NodeSystemOptions, "loggerOptions" | "networkClient">
>;
};
export function buildManagedIdentityConfiguration({
managedIdentityIdParams,
system,
}: ManagedIdentityConfiguration): ManagedIdentityNodeConfiguration {
const managedIdentityId: ManagedIdentityId = new ManagedIdentityId(
managedIdentityIdParams
);
const loggerOptions: LoggerOptions =
system?.loggerOptions || DEFAULT_LOGGER_OPTIONS;
let networkClient: INetworkModule;
// use developer provided network client if passed in
if (system?.networkClient) {
networkClient = system.networkClient;
// otherwise, create a new one
} else {
networkClient = new HttpClient(
system?.proxyUrl,
system?.customAgentOptions as http.AgentOptions | https.AgentOptions
);
}
// wrap the network client with a retry policy if the developer has not disabled the option to do so
if (!system?.disableInternalRetries) {
const linearRetryPolicy: LinearRetryPolicy = new LinearRetryPolicy(
MANAGED_IDENTITY_MAX_RETRIES,
MANAGED_IDENTITY_RETRY_DELAY,
MANAGED_IDENTITY_HTTP_STATUS_CODES_TO_RETRY_ON
);
networkClient = new HttpClientWithRetries(
networkClient,
linearRetryPolicy
);
}
return {
managedIdentityId: managedIdentityId,
system: {
loggerOptions,
networkClient,
},
};
}
node_modules/@azure/msal-node/src/config/ManagedIdentityId.ts
Generated Vendored
+73
View File
@@ -0,0 +1,73 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
ManagedIdentityErrorCodes,
createManagedIdentityError,
} from "../error/ManagedIdentityError.js";
import {
DEFAULT_MANAGED_IDENTITY_ID,
ManagedIdentityIdType,
} from "../utils/Constants.js";
import { ManagedIdentityIdParams } from "./Configuration.js";
export class ManagedIdentityId {
private _id: string;
public get id(): string {
return this._id;
}
private set id(value: string) {
this._id = value;
}
private _idType: ManagedIdentityIdType;
public get idType(): ManagedIdentityIdType {
return this._idType;
}
private set idType(value: ManagedIdentityIdType) {
this._idType = value;
}
constructor(managedIdentityIdParams?: ManagedIdentityIdParams) {
const userAssignedClientId =
managedIdentityIdParams?.userAssignedClientId;
const userAssignedResourceId =
managedIdentityIdParams?.userAssignedResourceId;
const userAssignedObjectId =
managedIdentityIdParams?.userAssignedObjectId;
if (userAssignedClientId) {
if (userAssignedResourceId || userAssignedObjectId) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.invalidManagedIdentityIdType
);
}
this.id = userAssignedClientId;
this.idType = ManagedIdentityIdType.USER_ASSIGNED_CLIENT_ID;
} else if (userAssignedResourceId) {
if (userAssignedClientId || userAssignedObjectId) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.invalidManagedIdentityIdType
);
}
this.id = userAssignedResourceId;
this.idType = ManagedIdentityIdType.USER_ASSIGNED_RESOURCE_ID;
} else if (userAssignedObjectId) {
if (userAssignedClientId || userAssignedResourceId) {
throw createManagedIdentityError(
ManagedIdentityErrorCodes.invalidManagedIdentityIdType
);
}
this.id = userAssignedObjectId;
this.idType = ManagedIdentityIdType.USER_ASSIGNED_OBJECT_ID;
} else {
this.id = DEFAULT_MANAGED_IDENTITY_ID;
this.idType = ManagedIdentityIdType.SYSTEM_ASSIGNED;
}
}
}
node_modules/@azure/msal-node/src/config/ManagedIdentityRequestParameters.ts
Generated Vendored
+48
View File
@@ -0,0 +1,48 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { RequestParameterBuilder, UrlString } from "@azure/msal-common/node";
import { HttpMethod } from "../utils/Constants.js";
export class ManagedIdentityRequestParameters {
private _baseEndpoint: string;
public httpMethod: HttpMethod;
public headers: Record<string, string>;
public bodyParameters: Record<string, string>;
public queryParameters: Record<string, string>;
constructor(httpMethod: HttpMethod, endpoint: string) {
this.httpMethod = httpMethod;
this._baseEndpoint = endpoint;
this.headers = {} as Record<string, string>;
this.bodyParameters = {} as Record<string, string>;
this.queryParameters = {} as Record<string, string>;
}
public computeUri(): string {
const parameterBuilder = new RequestParameterBuilder();
if (this.queryParameters) {
parameterBuilder.addExtraQueryParameters(this.queryParameters);
}
const queryParametersString = parameterBuilder.createQueryString();
return UrlString.appendQueryString(
this._baseEndpoint,
queryParametersString
);
}
public computeParametersBodyString(): string {
const parameterBuilder = new RequestParameterBuilder();
if (this.bodyParameters) {
parameterBuilder.addExtraQueryParameters(this.bodyParameters);
}
return parameterBuilder.createQueryString();
}
}
node_modules/@azure/msal-node/src/crypto/CryptoProvider.ts
Generated Vendored
+113
View File
@@ -0,0 +1,113 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { ICrypto, PkceCodes } from "@azure/msal-common/node";
import { GuidGenerator } from "./GuidGenerator.js";
import { EncodingUtils } from "../utils/EncodingUtils.js";
import { PkceGenerator } from "./PkceGenerator.js";
import { HashUtils } from "./HashUtils.js";
/**
* This class implements MSAL node's crypto interface, which allows it to perform base64 encoding and decoding, generating cryptographically random GUIDs and
* implementing Proof Key for Code Exchange specs for the OAuth Authorization Code Flow using PKCE (rfc here: https://tools.ietf.org/html/rfc7636).
* @public
*/
export class CryptoProvider implements ICrypto {
private pkceGenerator: PkceGenerator;
private guidGenerator: GuidGenerator;
private hashUtils: HashUtils;
constructor() {
// Browser crypto needs to be validated first before any other classes can be set.
this.pkceGenerator = new PkceGenerator();
this.guidGenerator = new GuidGenerator();
this.hashUtils = new HashUtils();
}
/**
* base64 URL safe encoded string
*/
base64UrlEncode(): string {
throw new Error("Method not implemented.");
}
/**
* Stringifies and base64Url encodes input public key
* @param inputKid - public key id
* @returns Base64Url encoded public key
*/
encodeKid(): string {
throw new Error("Method not implemented.");
}
/**
* Creates a new random GUID - used to populate state and nonce.
* @returns string (GUID)
*/
createNewGuid(): string {
return this.guidGenerator.generateGuid();
}
/**
* Encodes input string to base64.
* @param input - string to be encoded
*/
base64Encode(input: string): string {
return EncodingUtils.base64Encode(input);
}
/**
* Decodes input string from base64.
* @param input - string to be decoded
*/
base64Decode(input: string): string {
return EncodingUtils.base64Decode(input);
}
/**
* Generates PKCE codes used in Authorization Code Flow.
*/
generatePkceCodes(): Promise<PkceCodes> {
return this.pkceGenerator.generatePkceCodes();
}
/**
* Generates a keypair, stores it and returns a thumbprint - not yet implemented for node
*/
getPublicKeyThumbprint(): Promise<string> {
throw new Error("Method not implemented.");
}
/**
* Removes cryptographic keypair from key store matching the keyId passed in
* @param kid - public key id
*/
removeTokenBindingKey(): Promise<boolean> {
throw new Error("Method not implemented.");
}
/**
* Removes all cryptographic keys from Keystore
*/
clearKeystore(): Promise<boolean> {
throw new Error("Method not implemented.");
}
/**
* Signs the given object as a jwt payload with private key retrieved by given kid - currently not implemented for node
*/
signJwt(): Promise<string> {
throw new Error("Method not implemented.");
}
/**
* Returns the SHA-256 hash of an input string
*/
async hashString(plainText: string): Promise<string> {
return EncodingUtils.base64EncodeUrl(
this.hashUtils.sha256(plainText).toString("base64"),
"base64"
);
}
}
node_modules/@azure/msal-node/src/crypto/GuidGenerator.ts
Generated Vendored
+28
View File
@@ -0,0 +1,28 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { IGuidGenerator } from "@azure/msal-common/node";
import { v4 as uuidv4 } from "uuid";
export class GuidGenerator implements IGuidGenerator {
/**
*
* RFC4122: The version 4 UUID is meant for generating UUIDs from truly-random or pseudo-random numbers.
* uuidv4 generates guids from cryprtographically-string random
*/
generateGuid(): string {
return uuidv4();
}
/**
* verifies if a string is GUID
* @param guid
*/
isGuid(guid: string): boolean {
const regexGuid =
/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
return regexGuid.test(guid);
}
}
node_modules/@azure/msal-node/src/crypto/HashUtils.ts
Generated Vendored
+17
View File
@@ -0,0 +1,17 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { Hash } from "../utils/Constants.js";
import crypto from "crypto";
export class HashUtils {
/**
* generate 'SHA256' hash
* @param buffer
*/
sha256(buffer: string): Buffer {
return crypto.createHash(Hash.SHA256).update(buffer).digest();
}
}
node_modules/@azure/msal-node/src/crypto/PkceGenerator.ts
Generated Vendored
+63
View File
@@ -0,0 +1,63 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { Constants, PkceCodes } from "@azure/msal-common/node";
import { CharSet, RANDOM_OCTET_SIZE } from "../utils/Constants.js";
import { EncodingUtils } from "../utils/EncodingUtils.js";
import { HashUtils } from "./HashUtils.js";
import crypto from "crypto";
/**
* https://tools.ietf.org/html/rfc7636#page-8
*/
export class PkceGenerator {
private hashUtils: HashUtils;
constructor() {
this.hashUtils = new HashUtils();
}
/**
* generates the codeVerfier and the challenge from the codeVerfier
* reference: https://tools.ietf.org/html/rfc7636#section-4.1 and https://tools.ietf.org/html/rfc7636#section-4.2
*/
async generatePkceCodes(): Promise<PkceCodes> {
const verifier = this.generateCodeVerifier();
const challenge = this.generateCodeChallengeFromVerifier(verifier);
return { verifier, challenge };
}
/**
* generates the codeVerfier; reference: https://tools.ietf.org/html/rfc7636#section-4.1
*/
private generateCodeVerifier(): string {
const charArr = [];
const maxNumber = 256 - (256 % CharSet.CV_CHARSET.length);
while (charArr.length <= RANDOM_OCTET_SIZE) {
const byte = crypto.randomBytes(1)[0];
if (byte >= maxNumber) {
/*
* Ignore this number to maintain randomness.
* Including it would result in an unequal distribution of characters after doing the modulo
*/
continue;
}
const index = byte % CharSet.CV_CHARSET.length;
charArr.push(CharSet.CV_CHARSET[index]);
}
const verifier: string = charArr.join(Constants.EMPTY_STRING);
return EncodingUtils.base64EncodeUrl(verifier);
}
/**
* generate the challenge from the codeVerfier; reference: https://tools.ietf.org/html/rfc7636#section-4.2
* @param codeVerifier
*/
private generateCodeChallengeFromVerifier(codeVerifier: string): string {
return EncodingUtils.base64EncodeUrl(
this.hashUtils.sha256(codeVerifier).toString("base64"),
"base64"
);
}
}
node_modules/@azure/msal-node/src/error/ManagedIdentityError.ts
Generated Vendored
+65
View File
@@ -0,0 +1,65 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { AuthError } from "@azure/msal-common/node";
import * as ManagedIdentityErrorCodes from "./ManagedIdentityErrorCodes.js";
import { ManagedIdentityEnvironmentVariableNames } from "../utils/Constants.js";
export { ManagedIdentityErrorCodes };
/**
* ManagedIdentityErrorMessage class containing string constants used by error codes and messages.
*/
export const ManagedIdentityErrorMessages = {
[ManagedIdentityErrorCodes.invalidFileExtension]:
"The file path in the WWW-Authenticate header does not contain a .key file.",
[ManagedIdentityErrorCodes.invalidFilePath]:
"The file path in the WWW-Authenticate header is not in a valid Windows or Linux Format.",
[ManagedIdentityErrorCodes.invalidManagedIdentityIdType]:
"More than one ManagedIdentityIdType was provided.",
[ManagedIdentityErrorCodes.invalidSecret]:
"The secret in the file on the file path in the WWW-Authenticate header is greater than 4096 bytes.",
[ManagedIdentityErrorCodes.platformNotSupported]:
"The platform is not supported by Azure Arc. Azure Arc only supports Windows and Linux.",
[ManagedIdentityErrorCodes.missingId]:
"A ManagedIdentityId id was not provided.",
[ManagedIdentityErrorCodes.MsiEnvironmentVariableUrlMalformedErrorCodes
.AZURE_POD_IDENTITY_AUTHORITY_HOST]: `The Managed Identity's '${ManagedIdentityEnvironmentVariableNames.AZURE_POD_IDENTITY_AUTHORITY_HOST}' environment variable is malformed.`,
[ManagedIdentityErrorCodes.MsiEnvironmentVariableUrlMalformedErrorCodes
.IDENTITY_ENDPOINT]: `The Managed Identity's '${ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT}' environment variable is malformed.`,
[ManagedIdentityErrorCodes.MsiEnvironmentVariableUrlMalformedErrorCodes
.IMDS_ENDPOINT]: `The Managed Identity's '${ManagedIdentityEnvironmentVariableNames.IMDS_ENDPOINT}' environment variable is malformed.`,
[ManagedIdentityErrorCodes.MsiEnvironmentVariableUrlMalformedErrorCodes
.MSI_ENDPOINT]: `The Managed Identity's '${ManagedIdentityEnvironmentVariableNames.MSI_ENDPOINT}' environment variable is malformed.`,
[ManagedIdentityErrorCodes.networkUnavailable]:
"Authentication unavailable. The request to the managed identity endpoint timed out.",
[ManagedIdentityErrorCodes.unableToCreateAzureArc]:
"Azure Arc Managed Identities can only be system assigned.",
[ManagedIdentityErrorCodes.unableToCreateCloudShell]:
"Cloud Shell Managed Identities can only be system assigned.",
[ManagedIdentityErrorCodes.unableToCreateSource]:
"Unable to create a Managed Identity source based on environment variables.",
[ManagedIdentityErrorCodes.unableToReadSecretFile]:
"Unable to read the secret file.",
[ManagedIdentityErrorCodes.userAssignedNotAvailableAtRuntime]:
"Service Fabric user assigned managed identity ClientId or ResourceId is not configurable at runtime.",
[ManagedIdentityErrorCodes.wwwAuthenticateHeaderMissing]:
"A 401 response was received form the Azure Arc Managed Identity, but the www-authenticate header is missing.",
[ManagedIdentityErrorCodes.wwwAuthenticateHeaderUnsupportedFormat]:
"A 401 response was received form the Azure Arc Managed Identity, but the www-authenticate header is in an unsupported format.",
};
export class ManagedIdentityError extends AuthError {
constructor(errorCode: string) {
super(errorCode, ManagedIdentityErrorMessages[errorCode]);
this.name = "ManagedIdentityError";
Object.setPrototypeOf(this, ManagedIdentityError.prototype);
}
}
export function createManagedIdentityError(
errorCode: string
): ManagedIdentityError {
return new ManagedIdentityError(errorCode);
}
node_modules/@azure/msal-node/src/error/ManagedIdentityErrorCodes.ts
Generated Vendored
+37
View File
@@ -0,0 +1,37 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { ManagedIdentityEnvironmentVariableNames } from "../utils/Constants.js";
export const invalidFileExtension = "invalid_file_extension";
export const invalidFilePath = "invalid_file_path";
export const invalidManagedIdentityIdType = "invalid_managed_identity_id_type";
export const invalidSecret = "invalid_secret";
export const missingId = "missing_client_id";
export const networkUnavailable = "network_unavailable";
export const platformNotSupported = "platform_not_supported";
export const unableToCreateAzureArc = "unable_to_create_azure_arc";
export const unableToCreateCloudShell = "unable_to_create_cloud_shell";
export const unableToCreateSource = "unable_to_create_source";
export const unableToReadSecretFile = "unable_to_read_secret_file";
export const urlParseError = "url_parse_error";
export const userAssignedNotAvailableAtRuntime =
"user_assigned_not_available_at_runtime";
export const wwwAuthenticateHeaderMissing = "www_authenticate_header_missing";
export const wwwAuthenticateHeaderUnsupportedFormat =
"www_authenticate_header_unsupported_format";
export const MsiEnvironmentVariableUrlMalformedErrorCodes = {
[ManagedIdentityEnvironmentVariableNames.AZURE_POD_IDENTITY_AUTHORITY_HOST]:
"azure_pod_identity_authority_host_url_malformed",
[ManagedIdentityEnvironmentVariableNames.IDENTITY_ENDPOINT]:
"identity_endpoint_url_malformed",
[ManagedIdentityEnvironmentVariableNames.IMDS_ENDPOINT]:
"imds_endpoint_url_malformed",
[ManagedIdentityEnvironmentVariableNames.MSI_ENDPOINT]:
"msi_endpoint_url_malformed",
} as const;
export type MsiEnvironmentVariableErrorCodes =
(typeof MsiEnvironmentVariableUrlMalformedErrorCodes)[keyof typeof MsiEnvironmentVariableUrlMalformedErrorCodes];
node_modules/@azure/msal-node/src/error/NodeAuthError.ts
Generated Vendored
+131
View File
@@ -0,0 +1,131 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { AuthError } from "@azure/msal-common/node";
/**
* NodeAuthErrorMessage class containing string constants used by error codes and messages.
*/
export const NodeAuthErrorMessage = {
invalidLoopbackAddressType: {
code: "invalid_loopback_server_address_type",
desc: "Loopback server address is not type string. This is unexpected.",
},
unableToLoadRedirectUri: {
code: "unable_to_load_redirectUrl",
desc: "Loopback server callback was invoked without a url. This is unexpected.",
},
noAuthCodeInResponse: {
code: "no_auth_code_in_response",
desc: "No auth code found in the server response. Please check your network trace to determine what happened.",
},
noLoopbackServerExists: {
code: "no_loopback_server_exists",
desc: "No loopback server exists yet.",
},
loopbackServerAlreadyExists: {
code: "loopback_server_already_exists",
desc: "Loopback server already exists. Cannot create another.",
},
loopbackServerTimeout: {
code: "loopback_server_timeout",
desc: "Timed out waiting for auth code listener to be registered.",
},
stateNotFoundError: {
code: "state_not_found",
desc: "State not found. Please verify that the request originated from msal.",
},
thumbprintMissing: {
code: "thumbprint_missing_from_client_certificate",
desc: "Client certificate does not contain a SHA-1 or SHA-256 thumbprint.",
},
};
export class NodeAuthError extends AuthError {
constructor(errorCode: string, errorMessage?: string) {
super(errorCode, errorMessage);
this.name = "NodeAuthError";
}
/**
* Creates an error thrown if loopback server address is of type string.
*/
static createInvalidLoopbackAddressTypeError(): NodeAuthError {
return new NodeAuthError(
NodeAuthErrorMessage.invalidLoopbackAddressType.code,
`${NodeAuthErrorMessage.invalidLoopbackAddressType.desc}`
);
}
/**
* Creates an error thrown if the loopback server is unable to get a url.
*/
static createUnableToLoadRedirectUrlError(): NodeAuthError {
return new NodeAuthError(
NodeAuthErrorMessage.unableToLoadRedirectUri.code,
`${NodeAuthErrorMessage.unableToLoadRedirectUri.desc}`
);
}
/**
* Creates an error thrown if the server response does not contain an auth code.
*/
static createNoAuthCodeInResponseError(): NodeAuthError {
return new NodeAuthError(
NodeAuthErrorMessage.noAuthCodeInResponse.code,
`${NodeAuthErrorMessage.noAuthCodeInResponse.desc}`
);
}
/**
* Creates an error thrown if the loopback server has not been spun up yet.
*/
static createNoLoopbackServerExistsError(): NodeAuthError {
return new NodeAuthError(
NodeAuthErrorMessage.noLoopbackServerExists.code,
`${NodeAuthErrorMessage.noLoopbackServerExists.desc}`
);
}
/**
* Creates an error thrown if a loopback server already exists when attempting to create another one.
*/
static createLoopbackServerAlreadyExistsError(): NodeAuthError {
return new NodeAuthError(
NodeAuthErrorMessage.loopbackServerAlreadyExists.code,
`${NodeAuthErrorMessage.loopbackServerAlreadyExists.desc}`
);
}
/**
* Creates an error thrown if the loopback server times out registering the auth code listener.
*/
static createLoopbackServerTimeoutError(): NodeAuthError {
return new NodeAuthError(
NodeAuthErrorMessage.loopbackServerTimeout.code,
`${NodeAuthErrorMessage.loopbackServerTimeout.desc}`
);
}
/**
* Creates an error thrown when the state is not present.
*/
static createStateNotFoundError(): NodeAuthError {
return new NodeAuthError(
NodeAuthErrorMessage.stateNotFoundError.code,
NodeAuthErrorMessage.stateNotFoundError.desc
);
}
/**
* Creates an error thrown when client certificate was provided, but neither the SHA-1 or SHA-256 thumbprints were provided
*/
static createThumbprintMissingError(): NodeAuthError {
return new NodeAuthError(
NodeAuthErrorMessage.thumbprintMissing.code,
NodeAuthErrorMessage.thumbprintMissing.desc
);
}
}
node_modules/@azure/msal-node/src/index.ts
Generated Vendored
+133
View File
@@ -0,0 +1,133 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* @packageDocumentation
* @module @azure/msal-node
*/
/**
* Warning: This set of exports is purely intended to be used by other MSAL libraries, and should be considered potentially unstable. We strongly discourage using them directly, you do so at your own risk.
* Breaking changes to these APIs will be shipped under a minor version, instead of a major version.
*/
import * as internals from "./internals.js";
export { internals };
// Interfaces
export { IPublicClientApplication } from "./client/IPublicClientApplication.js";
export { IConfidentialClientApplication } from "./client/IConfidentialClientApplication.js";
export { ITokenCache } from "./cache/ITokenCache.js";
export { ICacheClient } from "./cache/distributed/ICacheClient.js";
export { IPartitionManager } from "./cache/distributed/IPartitionManager.js";
export { ILoopbackClient } from "./network/ILoopbackClient.js";
// Clients and Configuration
export { PublicClientApplication } from "./client/PublicClientApplication.js";
export { ConfidentialClientApplication } from "./client/ConfidentialClientApplication.js";
export { ClientApplication } from "./client/ClientApplication.js";
export { ClientCredentialClient } from "./client/ClientCredentialClient.js";
export { DeviceCodeClient } from "./client/DeviceCodeClient.js";
export { OnBehalfOfClient } from "./client/OnBehalfOfClient.js";
export { ManagedIdentityApplication } from "./client/ManagedIdentityApplication.js";
export { UsernamePasswordClient } from "./client/UsernamePasswordClient.js";
export {
Configuration,
ManagedIdentityConfiguration,
ManagedIdentityIdParams,
NodeAuthOptions,
NodeSystemOptions,
BrokerOptions,
NodeTelemetryOptions,
CacheOptions,
} from "./config/Configuration.js";
export { ClientAssertion } from "./client/ClientAssertion.js";
// Cache and Storage
export { TokenCache } from "./cache/TokenCache.js";
export { NodeStorage } from "./cache/NodeStorage.js";
export {
CacheKVStore,
JsonCache,
InMemoryCache,
SerializedAccountEntity,
SerializedIdTokenEntity,
SerializedAccessTokenEntity,
SerializedAppMetadataEntity,
SerializedRefreshTokenEntity,
} from "./cache/serializer/SerializerTypes.js";
export { DistributedCachePlugin } from "./cache/distributed/DistributedCachePlugin.js";
// Constants
export { ManagedIdentitySourceNames } from "./utils/Constants.js";
// Crypto
export { CryptoProvider } from "./crypto/CryptoProvider.js";
// Request objects
export type { AuthorizationCodeRequest } from "./request/AuthorizationCodeRequest.js";
export type { AuthorizationUrlRequest } from "./request/AuthorizationUrlRequest.js";
export type { ClientCredentialRequest } from "./request/ClientCredentialRequest.js";
export type { DeviceCodeRequest } from "./request/DeviceCodeRequest.js";
export type { OnBehalfOfRequest } from "./request/OnBehalfOfRequest.js";
export type { UsernamePasswordRequest } from "./request/UsernamePasswordRequest.js";
export type { RefreshTokenRequest } from "./request/RefreshTokenRequest.js";
export type { SilentFlowRequest } from "./request/SilentFlowRequest.js";
export type { InteractiveRequest } from "./request/InteractiveRequest.js";
export type { SignOutRequest } from "./request/SignOutRequest.js";
export type { ManagedIdentityRequestParams } from "./request/ManagedIdentityRequestParams.js";
// Common Object Formats
export {
// Request
PromptValue,
ResponseMode,
AuthorizationCodePayload,
// Response
AuthenticationResult,
ServerAuthorizationCodeResponse,
IdTokenClaims,
// Cache
AccountInfo,
ValidCacheType,
// Error
AuthError,
AuthErrorMessage,
AuthErrorCodes,
ClientAuthError,
ClientAuthErrorCodes,
ClientAuthErrorMessage,
ClientConfigurationError,
ClientConfigurationErrorCodes,
ClientConfigurationErrorMessage,
InteractionRequiredAuthError,
InteractionRequiredAuthErrorCodes,
InteractionRequiredAuthErrorMessage,
ServerError,
// Network Interface
INetworkModule,
NetworkRequestOptions,
NetworkResponse,
// Logger
Logger,
LogLevel,
// ProtocolMode enum
ProtocolMode,
ICachePlugin,
TokenCacheContext,
ISerializableTokenCache,
// AzureCloudInstance enum
AzureCloudInstance,
AzureCloudOptions,
// IAppTokenProvider
IAppTokenProvider,
AppTokenProviderParameters,
AppTokenProviderResult,
INativeBrokerPlugin,
ClientAssertionCallback,
} from "@azure/msal-common/node";
export { version } from "./packageMetadata.js";
node_modules/@azure/msal-node/src/internals.ts
Generated Vendored
+12
View File
@@ -0,0 +1,12 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* Warning: This set of exports is purely intended to be used by other MSAL libraries, and should be considered potentially unstable. We strongly discourage using them directly, you do so at your own risk.
* Breaking changes to these APIs will be shipped under a minor version, instead of a major version.
*/
export { Serializer } from "./cache/serializer/Serializer.js";
export { Deserializer } from "./cache/serializer/Deserializer.js";
node_modules/@azure/msal-node/src/network/HttpClient.ts
Generated Vendored
+425
View File
@@ -0,0 +1,425 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
INetworkModule,
NetworkRequestOptions,
NetworkResponse,
HttpStatus,
} from "@azure/msal-common/node";
import { HttpMethod, Constants, ProxyStatus } from "../utils/Constants.js";
import { NetworkUtils } from "../utils/NetworkUtils.js";
import http from "http";
import https from "https";
/**
* This class implements the API for network requests.
*/
export class HttpClient implements INetworkModule {
private proxyUrl: string;
private customAgentOptions: http.AgentOptions | https.AgentOptions;
constructor(
proxyUrl?: string,
customAgentOptions?: http.AgentOptions | https.AgentOptions
) {
this.proxyUrl = proxyUrl || "";
this.customAgentOptions = customAgentOptions || {};
}
/**
* Http Get request
* @param url
* @param options
*/
async sendGetRequestAsync<T>(
url: string,
options?: NetworkRequestOptions,
timeout?: number
): Promise<NetworkResponse<T>> {
if (this.proxyUrl) {
return networkRequestViaProxy(
url,
this.proxyUrl,
HttpMethod.GET,
options,
this.customAgentOptions as http.AgentOptions,
timeout
);
} else {
return networkRequestViaHttps(
url,
HttpMethod.GET,
options,
this.customAgentOptions as https.AgentOptions,
timeout
);
}
}
/**
* Http Post request
* @param url
* @param options
*/
async sendPostRequestAsync<T>(
url: string,
options?: NetworkRequestOptions
): Promise<NetworkResponse<T>> {
if (this.proxyUrl) {
return networkRequestViaProxy(
url,
this.proxyUrl,
HttpMethod.POST,
options,
this.customAgentOptions as http.AgentOptions
);
} else {
return networkRequestViaHttps(
url,
HttpMethod.POST,
options,
this.customAgentOptions as https.AgentOptions
);
}
}
}
const networkRequestViaProxy = <T>(
destinationUrlString: string,
proxyUrlString: string,
httpMethod: string,
options?: NetworkRequestOptions,
agentOptions?: http.AgentOptions,
timeout?: number
): Promise<NetworkResponse<T>> => {
const destinationUrl = new URL(destinationUrlString);
const proxyUrl = new URL(proxyUrlString);
// "method: connect" must be used to establish a connection to the proxy
const headers = options?.headers || ({} as Record<string, string>);
const tunnelRequestOptions: https.RequestOptions = {
host: proxyUrl.hostname,
port: proxyUrl.port,
method: "CONNECT",
path: destinationUrl.hostname,
headers: headers,
};
if (agentOptions && Object.keys(agentOptions).length) {
tunnelRequestOptions.agent = new http.Agent(agentOptions);
}
// compose a request string for the socket
let postRequestStringContent: string = "";
if (httpMethod === HttpMethod.POST) {
const body = options?.body || "";
postRequestStringContent =
"Content-Type: application/x-www-form-urlencoded\r\n" +
`Content-Length: ${body.length}\r\n` +
`\r\n${body}`;
} else {
// optional timeout is only for get requests (regionDiscovery, for example)
if (timeout) {
tunnelRequestOptions.timeout = timeout;
}
}
const outgoingRequestString =
`${httpMethod.toUpperCase()} ${destinationUrl.href} HTTP/1.1\r\n` +
`Host: ${destinationUrl.host}\r\n` +
"Connection: close\r\n" +
postRequestStringContent +
"\r\n";
return new Promise<NetworkResponse<T>>((resolve, reject) => {
const request = http.request(tunnelRequestOptions);
if (timeout) {
request.on("timeout", () => {
request.destroy();
reject(new Error("Request time out"));
});
}
request.end();
// establish connection to the proxy
request.on("connect", (response, socket) => {
const proxyStatusCode =
response?.statusCode || ProxyStatus.SERVER_ERROR;
if (
proxyStatusCode < ProxyStatus.SUCCESS_RANGE_START ||
proxyStatusCode > ProxyStatus.SUCCESS_RANGE_END
) {
request.destroy();
socket.destroy();
reject(
new Error(
`Error connecting to proxy. Http status code: ${
response.statusCode
}. Http status message: ${
response?.statusMessage || "Unknown"
}`
)
);
}
// make a request over an HTTP tunnel
socket.write(outgoingRequestString);
const data: Buffer[] = [];
socket.on("data", (chunk) => {
data.push(chunk);
});
socket.on("end", () => {
// combine all received buffer streams into one buffer, and then into a string
const dataString = Buffer.concat([...data]).toString();
// separate each line into it's own entry in an arry
const dataStringArray = dataString.split("\r\n");
// the first entry will contain the statusCode and statusMessage
const httpStatusCode = parseInt(
dataStringArray[0].split(" ")[1]
);
// remove "HTTP/1.1" and the status code to get the status message
const statusMessage = dataStringArray[0]
.split(" ")
.slice(2)
.join(" ");
// the last entry will contain the body
const body = dataStringArray[dataStringArray.length - 1];
// everything in between the first and last entries are the headers
const headersArray = dataStringArray.slice(
1,
dataStringArray.length - 2
);
// build an object out of all the headers
const entries = new Map();
headersArray.forEach((header) => {
/**
* the header might look like "Content-Length: 1531", but that is just a string
* it needs to be converted to a key/value pair
* split the string at the first instance of ":"
* there may be more than one ":" if the value of the header is supposed to be a JSON object
*/
const headerKeyValue = header.split(new RegExp(/:\s(.*)/s));
const headerKey = headerKeyValue[0];
let headerValue = headerKeyValue[1];
// check if the value of the header is supposed to be a JSON object
try {
const object = JSON.parse(headerValue);
// if it is, then convert it from a string to a JSON object
if (object && typeof object === "object") {
headerValue = object;
}
} catch (e) {
// otherwise, leave it as a string
}
entries.set(headerKey, headerValue);
});
const headers = Object.fromEntries(entries);
const parsedHeaders = headers as Record<string, string>;
const networkResponse = NetworkUtils.getNetworkResponse(
parsedHeaders,
parseBody(
httpStatusCode,
statusMessage,
parsedHeaders,
body
) as T,
httpStatusCode
);
if (
(httpStatusCode < HttpStatus.SUCCESS_RANGE_START ||
httpStatusCode > HttpStatus.SUCCESS_RANGE_END) &&
// do not destroy the request for the device code flow
networkResponse.body["error"] !==
Constants.AUTHORIZATION_PENDING
) {
request.destroy();
}
resolve(networkResponse);
});
socket.on("error", (chunk) => {
request.destroy();
socket.destroy();
reject(new Error(chunk.toString()));
});
});
request.on("error", (chunk) => {
request.destroy();
reject(new Error(chunk.toString()));
});
});
};
const networkRequestViaHttps = <T>(
urlString: string,
httpMethod: string,
options?: NetworkRequestOptions,
agentOptions?: https.AgentOptions,
timeout?: number
): Promise<NetworkResponse<T>> => {
const isPostRequest = httpMethod === HttpMethod.POST;
const body: string = options?.body || "";
const url = new URL(urlString);
const headers = options?.headers || ({} as Record<string, string>);
const customOptions: https.RequestOptions = {
method: httpMethod,
headers: headers,
...NetworkUtils.urlToHttpOptions(url),
};
if (agentOptions && Object.keys(agentOptions).length) {
customOptions.agent = new https.Agent(agentOptions);
}
if (isPostRequest) {
// needed for post request to work
customOptions.headers = {
...customOptions.headers,
"Content-Length": body.length,
};
} else {
// optional timeout is only for get requests (regionDiscovery, for example)
if (timeout) {
customOptions.timeout = timeout;
}
}
return new Promise<NetworkResponse<T>>((resolve, reject) => {
let request: http.ClientRequest;
// managed identity sources use http instead of https
if (customOptions.protocol === "http:") {
request = http.request(customOptions);
} else {
request = https.request(customOptions);
}
if (isPostRequest) {
request.write(body);
}
if (timeout) {
request.on("timeout", () => {
request.destroy();
reject(new Error("Request time out"));
});
}
request.end();
request.on("response", (response) => {
const headers = response.headers;
const statusCode = response.statusCode as number;
const statusMessage = response.statusMessage;
const data: Buffer[] = [];
response.on("data", (chunk) => {
data.push(chunk);
});
response.on("end", () => {
// combine all received buffer streams into one buffer, and then into a string
const body = Buffer.concat([...data]).toString();
const parsedHeaders = headers as Record<string, string>;
const networkResponse = NetworkUtils.getNetworkResponse(
parsedHeaders,
parseBody(
statusCode,
statusMessage,
parsedHeaders,
body
) as T,
statusCode
);
if (
(statusCode < HttpStatus.SUCCESS_RANGE_START ||
statusCode > HttpStatus.SUCCESS_RANGE_END) &&
// do not destroy the request for the device code flow
networkResponse.body["error"] !==
Constants.AUTHORIZATION_PENDING
) {
request.destroy();
}
resolve(networkResponse);
});
});
request.on("error", (chunk) => {
request.destroy();
reject(new Error(chunk.toString()));
});
});
};
/**
* Check if extra parsing is needed on the repsonse from the server
* @param statusCode {number} the status code of the response from the server
* @param statusMessage {string | undefined} the status message of the response from the server
* @param headers {Record<string, string>} the headers of the response from the server
* @param body {string} the body from the response of the server
* @returns {Object} JSON parsed body or error object
*/
const parseBody = (
statusCode: number,
statusMessage: string | undefined,
headers: Record<string, string>,
body: string
) => {
/*
* Informational responses (100 199)
* Successful responses (200 299)
* Redirection messages (300 399)
* Client error responses (400 499)
* Server error responses (500 599)
*/
let parsedBody;
try {
parsedBody = JSON.parse(body);
} catch (error) {
let errorType;
let errorDescriptionHelper;
if (
statusCode >= HttpStatus.CLIENT_ERROR_RANGE_START &&
statusCode <= HttpStatus.CLIENT_ERROR_RANGE_END
) {
errorType = "client_error";
errorDescriptionHelper = "A client";
} else if (
statusCode >= HttpStatus.SERVER_ERROR_RANGE_START &&
statusCode <= HttpStatus.SERVER_ERROR_RANGE_END
) {
errorType = "server_error";
errorDescriptionHelper = "A server";
} else {
errorType = "unknown_error";
errorDescriptionHelper = "An unknown";
}
parsedBody = {
error: errorType,
error_description: `${errorDescriptionHelper} error occured.\nHttp status code: ${statusCode}\nHttp status message: ${
statusMessage || "Unknown"
}\nHeaders: ${JSON.stringify(headers)}`,
};
}
return parsedBody;
};
node_modules/@azure/msal-node/src/network/HttpClientWithRetries.ts
Generated Vendored
+80
View File
@@ -0,0 +1,80 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
HeaderNames,
INetworkModule,
NetworkRequestOptions,
NetworkResponse,
} from "@azure/msal-common/node";
import { IHttpRetryPolicy } from "../retry/IHttpRetryPolicy.js";
import { HttpMethod } from "../utils/Constants.js";
export class HttpClientWithRetries implements INetworkModule {
private httpClientNoRetries: INetworkModule;
private retryPolicy: IHttpRetryPolicy;
constructor(
httpClientNoRetries: INetworkModule,
retryPolicy: IHttpRetryPolicy
) {
this.httpClientNoRetries = httpClientNoRetries;
this.retryPolicy = retryPolicy;
}
private async sendNetworkRequestAsyncHelper<T>(
httpMethod: HttpMethod,
url: string,
options?: NetworkRequestOptions
): Promise<NetworkResponse<T>> {
if (httpMethod === HttpMethod.GET) {
return this.httpClientNoRetries.sendGetRequestAsync(url, options);
} else {
return this.httpClientNoRetries.sendPostRequestAsync(url, options);
}
}
private async sendNetworkRequestAsync<T>(
httpMethod: HttpMethod,
url: string,
options?: NetworkRequestOptions
): Promise<NetworkResponse<T>> {
// the underlying network module (custom or HttpClient) will make the call
let response: NetworkResponse<T> =
await this.sendNetworkRequestAsyncHelper(httpMethod, url, options);
let currentRetry: number = 0;
while (
await this.retryPolicy.pauseForRetry(
response.status,
currentRetry,
response.headers[HeaderNames.RETRY_AFTER]
)
) {
response = await this.sendNetworkRequestAsyncHelper(
httpMethod,
url,
options
);
currentRetry++;
}
return response;
}
public async sendGetRequestAsync<T>(
url: string,
options?: NetworkRequestOptions
): Promise<NetworkResponse<T>> {
return this.sendNetworkRequestAsync(HttpMethod.GET, url, options);
}
public async sendPostRequestAsync<T>(
url: string,
options?: NetworkRequestOptions
): Promise<NetworkResponse<T>> {
return this.sendNetworkRequestAsync(HttpMethod.POST, url, options);
}
}
node_modules/@azure/msal-node/src/network/ILoopbackClient.ts
Generated Vendored
+19
View File
@@ -0,0 +1,19 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { ServerAuthorizationCodeResponse } from "@azure/msal-common/node";
/**
* Interface for LoopbackClient allowing to replace the default loopback server with a custom implementation.
* @public
*/
export interface ILoopbackClient {
listenForAuthCode(
successTemplate?: string,
errorTemplate?: string
): Promise<ServerAuthorizationCodeResponse>;
getRedirectUri(): string;
closeServer(): void;
}
node_modules/@azure/msal-node/src/network/LoopbackClient.ts
Generated Vendored
+120
View File
@@ -0,0 +1,120 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
Constants as CommonConstants,
ServerAuthorizationCodeResponse,
HttpStatus,
UrlUtils,
} from "@azure/msal-common/node";
import http from "http";
import { NodeAuthError } from "../error/NodeAuthError.js";
import { Constants } from "../utils/Constants.js";
import { ILoopbackClient } from "./ILoopbackClient.js";
export class LoopbackClient implements ILoopbackClient {
private server: http.Server | undefined;
/**
* Spins up a loopback server which returns the server response when the localhost redirectUri is hit
* @param successTemplate
* @param errorTemplate
* @returns
*/
async listenForAuthCode(
successTemplate?: string,
errorTemplate?: string
): Promise<ServerAuthorizationCodeResponse> {
if (this.server) {
throw NodeAuthError.createLoopbackServerAlreadyExistsError();
}
return new Promise<ServerAuthorizationCodeResponse>(
(resolve, reject) => {
this.server = http.createServer(
(req: http.IncomingMessage, res: http.ServerResponse) => {
const url = req.url;
if (!url) {
res.end(
errorTemplate ||
"Error occurred loading redirectUrl"
);
reject(
NodeAuthError.createUnableToLoadRedirectUrlError()
);
return;
} else if (url === CommonConstants.FORWARD_SLASH) {
res.end(
successTemplate ||
"Auth code was successfully acquired. You can close this window now."
);
return;
}
const redirectUri = this.getRedirectUri();
const parsedUrl = new URL(url, redirectUri);
const authCodeResponse =
UrlUtils.getDeserializedResponse(
parsedUrl.search
) || {};
if (authCodeResponse.code) {
res.writeHead(HttpStatus.REDIRECT, {
location: redirectUri,
}); // Prevent auth code from being saved in the browser history
res.end();
}
if (authCodeResponse.error) {
res.end(
errorTemplate ||
`Error occurred: ${authCodeResponse.error}`
);
}
resolve(authCodeResponse);
}
);
this.server.listen(0, "127.0.0.1"); // Listen on any available port
}
);
}
/**
* Get the port that the loopback server is running on
* @returns
*/
getRedirectUri(): string {
if (!this.server || !this.server.listening) {
throw NodeAuthError.createNoLoopbackServerExistsError();
}
const address = this.server.address();
if (!address || typeof address === "string" || !address.port) {
this.closeServer();
throw NodeAuthError.createInvalidLoopbackAddressTypeError();
}
const port = address && address.port;
return `${Constants.HTTP_PROTOCOL}${Constants.LOCALHOST}:${port}`;
}
/**
* Close the loopback server
*/
closeServer(): void {
if (this.server) {
// Only stops accepting new connections, server will close once open/idle connections are closed.
this.server.close();
if (typeof this.server.closeAllConnections === "function") {
/*
* Close open/idle connections. This API is available in Node versions 18.2 and higher
*/
this.server.closeAllConnections();
}
this.server.unref();
this.server = undefined;
}
}
}
node_modules/@azure/msal-node/src/packageMetadata.ts
Generated Vendored
+3
View File
@@ -0,0 +1,3 @@
/* eslint-disable header/header */
export const name = "@azure/msal-node";
export const version = "2.16.2";
node_modules/@azure/msal-node/src/request/AuthorizationCodeRequest.ts
Generated Vendored
+39
View File
@@ -0,0 +1,39 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { CommonAuthorizationCodeRequest } from "@azure/msal-common/node";
/**
* Request object passed by user to acquire a token from the server exchanging a valid authorization code (second leg of OAuth2.0 Authorization Code flow)
*
* - scopes - Array of scopes the application is requesting access to.
* - claims - A stringified claims request which will be added to all /authorize and /token calls
* - authority: - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on client application object, this will override that value. Overriding the value will cause for authority validation to happen each time. If the same authority will be used for all request, set on the application object instead of the requests.
* - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
* - redirectUri - The redirect URI of your app, where the authority will redirect to after the user inputs credentials and consents. It must exactly match one of the redirect URIs you registered in the portal.
* - tokenQueryParameters - String to string map of custom query parameters added to the /token call
* - code - The authorization_code that the user acquired in the first leg of the flow.
* - codeVerifier - The same code_verifier that was used to obtain the authorization_code. Required if PKCE was used in the authorization code grant request.For more information, see the PKCE RFC: https://tools.ietf.org/html/rfc7636
* - state - Unique GUID generated by the user that is cached by the user and sent to the server during the first leg of the flow. This string is sent back by the server with the authorization code. The user cached state is then compared with the state received from the server to mitigate the risk of CSRF attacks. See https://datatracker.ietf.org/doc/html/rfc6819#section-3.6.
* @public
*/
export type AuthorizationCodeRequest = Partial<
Omit<
CommonAuthorizationCodeRequest,
| "scopes"
| "redirectUri"
| "code"
| "authenticationScheme"
| "resourceRequestMethod"
| "resourceRequestUri"
| "requestedClaimsHash"
| "storeInCache"
>
> & {
scopes: Array<string>;
redirectUri: string;
code: string;
state?: string;
};
node_modules/@azure/msal-node/src/request/AuthorizationUrlRequest.ts
Generated Vendored
+50
View File
@@ -0,0 +1,50 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { CommonAuthorizationUrlRequest } from "@azure/msal-common/node";
/**
* Request object passed by user to retrieve a Code from the server (first leg of authorization code grant flow)
*
* - scopes - Array of scopes the application is requesting access to.
* - claims - A stringified claims request which will be added to all /authorize and /token calls
* - authority - Url of the authority which the application acquires tokens from.
* - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
* - redirectUri - The redirect URI where authentication responses can be received by your application. It must exactly match one of the redirect URIs registered in the Azure portal.
* - extraScopesToConsent - Scopes for a different resource when the user needs consent upfront.
* - responseMode - Specifies the method that should be used to send the authentication result to your app. Can be query, form_post, or fragment. If no value is passed in, it defaults to query.
* - codeChallenge - Used to secure authorization code grant via Proof of Key for Code Exchange (PKCE). For more information, see the PKCE RCF:https://tools.ietf.org/html/rfc7636
* - codeChallengeMethod - The method used to encode the code verifier for the code challenge parameter. Can be "plain" or "S256". If excluded, code challenge is assumed to be plaintext. For more information, see the PKCE RCF: https://tools.ietf.org/html/rfc7636
* - state - A value included in the request that is also returned in the token response. A randomly generated unique value is typically used for preventing cross site request forgery attacks. The state is also used to encode information about the user's state in the app before the authentication request occurred.
* - prompt - Indicates the type of user interaction that is required.
* login: will force the user to enter their credentials on that request, negating single-sign on
* none: will ensure that the user isn't presented with any interactive prompt. if request can't be completed via single-sign on, the endpoint will return an interaction_required error
* consent: will the trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app
* select_account: will interrupt single sign-=on providing account selection experience listing all the accounts in session or any remembered accounts or an option to choose to use a different account
* create: will direct the user to the account creation experience instead of the log in experience
* - account - AccountInfo obtained from a getAccount API. Will be used in certain scenarios to generate login_hint if both loginHint and sid params are not provided.
* - loginHint - Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know the username/email address ahead of time. Often apps use this parameter during re-authentication, having already extracted the username from a previous sign-in using the preferred_username claim.
* - sid - Session ID, unique identifier for the session. Available as an optional claim on ID tokens.
* - domainHint - Provides a hint about the tenant or domain that the user should use to sign in. The value of the domain hint is a registered domain for the tenant.
* - extraQueryParameters - String to string map of custom query parameters added to the /authorize call
* - tokenQueryParameters - String to string map of custom query parameters added to the /token call
* - nonce - A value included in the request that is returned in the id token. A randomly generated unique value is typically used to mitigate replay attacks.
* @public
*/
export type AuthorizationUrlRequest = Partial<
Omit<
CommonAuthorizationUrlRequest,
| "scopes"
| "redirectUri"
| "resourceRequestMethod"
| "resourceRequestUri"
| "authenticationScheme"
| "requestedClaimsHash"
| "storeInCache"
>
> & {
scopes: Array<string>;
redirectUri: string;
};
node_modules/@azure/msal-node/src/request/ClientCredentialRequest.ts
Generated Vendored
+32
View File
@@ -0,0 +1,32 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
ClientAssertionCallback,
CommonClientCredentialRequest,
} from "@azure/msal-common/node";
/**
* CommonClientCredentialRequest
* - scopes - Array of scopes the application is requesting access to. Typically contains only the .default scope for a single resource. See: https://learn.microsoft.com/azure/active-directory/develop/scopes-oidc#the-default-scope
* - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
* - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
* - skipCache - Skip token cache lookup and force request to authority to get a a new token. Defaults to false.
* - clientAssertion - An assertion string or a callback function that returns an assertion string (both are Base64Url-encoded signed JWTs) used in the Client Credential flow
* - tokenQueryParameters - String to string map of custom query parameters added to the /token call
* @public
*/
export type ClientCredentialRequest = Partial<
Omit<
CommonClientCredentialRequest,
| "resourceRequestMethod"
| "resourceRequestUri"
| "requestedClaimsHash"
| "clientAssertion"
| "storeInCache"
>
> & {
clientAssertion?: string | ClientAssertionCallback;
};
node_modules/@azure/msal-node/src/request/DeviceCodeRequest.ts
Generated Vendored
+34
View File
@@ -0,0 +1,34 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import {
CommonDeviceCodeRequest,
DeviceCodeResponse,
} from "@azure/msal-common/node";
/**
* Parameters for Oauth2 device code flow.
* - scopes - Array of scopes the application is requesting access to.
* - authority: - URL of the authority, the security token service (STS) from which MSAL will acquire tokens. If authority is set on client application object, this will override that value. Overriding the value will cause for authority validation to happen each time. If the same authority will be used for all request, set on the application object instead of the requests.
* - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
* - deviceCodeCallback - Callback containing device code response. Message should be shown to end user. End user can then navigate to the verification_uri, input the user_code, and input credentials.
* - cancel - Boolean to cancel polling of device code endpoint. While the user authenticates on a separate device, MSAL polls the the token endpoint of security token service for the interval specified in the device code response (usually 15 minutes). To stop polling and cancel the request, set cancel=true.
* - extraQueryParameters - String to string map of custom query parameters added to the query string
* @public
*/
export type DeviceCodeRequest = Partial<
Omit<
CommonDeviceCodeRequest,
| "scopes"
| "deviceCodeCallback"
| "resourceRequestMethod"
| "resourceRequestUri"
| "requestedClaimsHash"
| "storeInCache"
>
> & {
scopes: Array<string>;
deviceCodeCallback: (response: DeviceCodeResponse) => void;
};
node_modules/@azure/msal-node/src/request/InteractiveRequest.ts
Generated Vendored
+32
View File
@@ -0,0 +1,32 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { CommonAuthorizationUrlRequest } from "@azure/msal-common/node";
import { ILoopbackClient } from "../network/ILoopbackClient.js";
/**
* Request object passed by user to configure acquireTokenInteractive API
*
* - openBrowser - Function to open a browser instance on user's system.
* - scopes - Array of scopes the application is requesting access to.
* - successTemplate: - Template to be displayed on the opened browser instance upon successful token acquisition.
* - errorTemplate - Template to be displayed on the opened browser instance upon token acquisition failure.
* - windowHandle - Used in native broker flows to properly parent the native broker window
* - loopbackClient - Custom implementation for a loopback server to listen for authorization code response.
* @public
*/
export type InteractiveRequest = Partial<
Omit<
CommonAuthorizationUrlRequest,
"scopes" | "redirectUri" | "requestedClaimsHash" | "storeInCache"
>
> & {
openBrowser: (url: string) => Promise<void>;
scopes?: Array<string>;
successTemplate?: string;
errorTemplate?: string;
windowHandle?: Buffer; // Relevant only to brokered requests
loopbackClient?: ILoopbackClient;
};
node_modules/@azure/msal-node/src/request/ManagedIdentityRequest.ts
Generated Vendored
+15
View File
@@ -0,0 +1,15 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { CommonClientCredentialRequest } from "@azure/msal-common/node";
import { ManagedIdentityRequestParams } from "./ManagedIdentityRequestParams.js";
/**
* ManagedIdentityRequest
* - forceRefresh - forces managed identity requests to skip the cache and make network calls if true
* - resource - resource requested to access the protected API. It should be of the form "{ResourceIdUri}" or {ResourceIdUri/.default}. For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default
*/
export type ManagedIdentityRequest = ManagedIdentityRequestParams &
CommonClientCredentialRequest;
node_modules/@azure/msal-node/src/request/ManagedIdentityRequestParams.ts
Generated Vendored
+17
View File
@@ -0,0 +1,17 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
/**
* ManagedIdentityRequest
* - claims - a stringified claims request which will be used to determine whether or not the cache should be skipped
* - forceRefresh - forces managed identity requests to skip the cache and make network calls if true
* - resource - resource requested to access the protected API. It should be of the form "ResourceIdUri" or "ResourceIdUri/.default". For instance https://management.azure.net or, for Microsoft Graph, https://graph.microsoft.com/.default
* @public
*/
export type ManagedIdentityRequestParams = {
claims?: string;
forceRefresh?: boolean;
resource: string;
};
node_modules/@azure/msal-node/src/request/OnBehalfOfRequest.ts
Generated Vendored
+30
View File
@@ -0,0 +1,30 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { CommonOnBehalfOfRequest } from "@azure/msal-common/node";
/**
* - scopes - Array of scopes the application is requesting access to.
* - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
* - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
* - oboAssertion - The access token that was sent to the middle-tier API. This token must have an audience of the app making this OBO request.
* - skipCache - Skip token cache lookup and force request to authority to get a a new token. Defaults to false.
* - tokenQueryParameters - String to string map of custom query parameters added to the /token call
* @public
*/
export type OnBehalfOfRequest = Partial<
Omit<
CommonOnBehalfOfRequest,
| "oboAssertion"
| "scopes"
| "resourceRequestMethod"
| "resourceRequestUri"
| "requestedClaimsHash"
| "storeInCache"
>
> & {
oboAssertion: string;
scopes: Array<string>;
};
node_modules/@azure/msal-node/src/request/RefreshTokenRequest.ts
Generated Vendored
+34
View File
@@ -0,0 +1,34 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { CommonRefreshTokenRequest } from "@azure/msal-common/node";
/**
* CommonRefreshTokenRequest
* - scopes - Array of scopes the application is requesting access to.
* - claims - A stringified claims request which will be added to all /authorize and /token calls
* - authority - URL of the authority, the security token service (STS) from which MSAL will acquire tokens.
* - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
* - refreshToken - A refresh token returned from a previous request to the Identity provider.
* - tokenQueryParameters - String to string map of custom query parameters added to the /token call
* - forceCache - Force MSAL to cache a refresh token flow response when there is no account in the cache. Used for migration scenarios.
* @public
*/
export type RefreshTokenRequest = Partial<
Omit<
CommonRefreshTokenRequest,
| "scopes"
| "refreshToken"
| "authenticationScheme"
| "resourceRequestMethod"
| "resourceRequestUri"
| "requestedClaimsHash"
| "storeInCache"
>
> & {
scopes: Array<string>;
refreshToken: string;
forceCache?: boolean;
};
node_modules/@azure/msal-node/src/request/SignOutRequest.ts
Generated Vendored
+12
View File
@@ -0,0 +1,12 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { AccountInfo } from "@azure/msal-common/node";
/** @public */
export type SignOutRequest = {
account: AccountInfo;
correlationId?: string;
};
node_modules/@azure/msal-node/src/request/SilentFlowRequest.ts
Generated Vendored
+27
View File
@@ -0,0 +1,27 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { AccountInfo, CommonSilentFlowRequest } from "@azure/msal-common/node";
/**
* SilentFlow parameters passed by the user to retrieve credentials silently
* - scopes - Array of scopes the application is requesting access to.
* - claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed.
* - authority - Url of the authority which the application acquires tokens from.
* - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
* - tokenQueryParameters - String to string map of custom query parameters added to the /token call
* - account - Account entity to lookup the credentials.
* - forceRefresh - Forces silent requests to make network calls if true.
* @public
*/
export type SilentFlowRequest = Partial<
Omit<
CommonSilentFlowRequest,
"account" | "scopes" | "requestedClaimsHash" | "storeInCache"
>
> & {
account: AccountInfo;
scopes: Array<string>;
};
node_modules/@azure/msal-node/src/request/UsernamePasswordRequest.ts
Generated Vendored
+36
View File
@@ -0,0 +1,36 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { CommonUsernamePasswordRequest } from "@azure/msal-common/node";
/**
* UsernamePassword parameters passed by the user to retrieve credentials
* Note: The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely. This flow is added for internal testing.
*
* - scopes - Array of scopes the application is requesting access to.
* - claims - A stringified claims request which will be added to all /authorize and /token calls. When included on a silent request, cache lookup will be skipped and token will be refreshed.
* - authority - Url of the authority which the application acquires tokens from.
* - correlationId - Unique GUID set per request to trace a request end-to-end for telemetry purposes.
* - username - username of the client
* - password - credentials
* - tokenQueryParameters - String to string map of custom query parameters added to the /token call
* @public
*/
export type UsernamePasswordRequest = Partial<
Omit<
CommonUsernamePasswordRequest,
| "scopes"
| "resourceRequestMethod"
| "resourceRequestUri"
| "username"
| "password"
| "requestedClaimsHash"
| "storeInCache"
>
> & {
scopes: Array<string>;
username: string;
password: string;
};
node_modules/@azure/msal-node/src/response/ManagedIdentityTokenResponse.ts
Generated Vendored
+55
View File
@@ -0,0 +1,55 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { AuthenticationScheme } from "@azure/msal-common/node";
/**
* Deserialized response object from server managed identity request.
*
* In case of success:
* - access_token - The requested access token. When called via a secured REST API, the token is embedded in the Authorization request header field as a "bearer" token, allowing the API to authenticate the caller
* - client_id - A unique identifier generated by Azure AD for the Azure Resource. The Client ID is a GUID value that uniquely identifies the application and its configuration within the identity platform
* - expires_on - The timespan when the access token expires. The date is represented as the number of seconds from "1970-01-01T0:0:0Z UTC" (corresponds to the token's exp claim)
* - resource - The resource the access token was requested for. It matches the resource query string parameter of the request
* - token_type - The type of token returned by the Managed Identity endpoint. It's a "Bearer" access token, which means the resource can give access to the bearer of this token
*
* In case of error:
* - message: A specific error message that can help a developer identify the root cause of an authentication error.
* - correlationId: A unique identifier for the request that can help in diagnostics across components.
*/
export type ManagedIdentityTokenResponse = {
// success
access_token?: string;
client_id?: string;
expires_on?: number; // will be converted to expires_in
resource?: string; // equivalent to ServerAuthorizationTokenResponse's "scope" field
token_type?: AuthenticationScheme;
// error
/*
* (Web/Function) App Service
* 500 errors can return this from all MI sources as well
*/
message?: string;
correlationId?: string;
// IMDS, Azure Arc, Service Fabric (unconfirmed)
error?: string | ErrorObject;
error_description?: string;
error_codes?: Array<string>;
correlation_id?: string;
timestamp?: string;
trace_id?: string;
};
/*
* This is the only error property that exists for Cloud Shell
* It can also be the only thing App Service will return
*/
export type ErrorObject = {
code: string;
message: string;
};
node_modules/@azure/msal-node/src/retry/IHttpRetryPolicy.ts
Generated Vendored
+18
View File
@@ -0,0 +1,18 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import http from "http";
export interface IHttpRetryPolicy {
/*
* if retry conditions occur, pauses and returns true
* otherwise return false
*/
pauseForRetry(
httpStatusCode: number,
currentRetry: number,
retryAfterHeader: http.IncomingHttpHeaders["retry-after"]
): Promise<boolean>;
}
node_modules/@azure/msal-node/src/retry/LinearRetryPolicy.ts
Generated Vendored
+71
View File
@@ -0,0 +1,71 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import http from "http";
import { IHttpRetryPolicy } from "./IHttpRetryPolicy.js";
export class LinearRetryPolicy implements IHttpRetryPolicy {
maxRetries: number;
retryDelay: number;
httpStatusCodesToRetryOn: Array<number>;
constructor(
maxRetries: number,
retryDelay: number,
httpStatusCodesToRetryOn: Array<number>
) {
this.maxRetries = maxRetries;
this.retryDelay = retryDelay;
this.httpStatusCodesToRetryOn = httpStatusCodesToRetryOn;
}
private retryAfterMillisecondsToSleep(
retryHeader: http.IncomingHttpHeaders["retry-after"]
): number {
if (!retryHeader) {
return 0;
}
// retry-after header is in seconds
let millisToSleep = Math.round(parseFloat(retryHeader) * 1000);
/*
* retry-after header is in HTTP Date format
* <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
*/
if (isNaN(millisToSleep)) {
millisToSleep = Math.max(
0,
// .valueOf() is needed to subtract dates in TypeScript
new Date(retryHeader).valueOf() - new Date().valueOf()
);
}
return millisToSleep;
}
async pauseForRetry(
httpStatusCode: number,
currentRetry: number,
retryAfterHeader: http.IncomingHttpHeaders["retry-after"]
): Promise<boolean> {
if (
this.httpStatusCodesToRetryOn.includes(httpStatusCode) &&
currentRetry < this.maxRetries
) {
const retryAfterDelay: number =
this.retryAfterMillisecondsToSleep(retryAfterHeader);
await new Promise((resolve) => {
// retryAfterHeader value of 0 evaluates to false, and this.retryDelay will be used
return setTimeout(resolve, retryAfterDelay || this.retryDelay);
});
return true;
}
return false;
}
}
node_modules/@azure/msal-node/src/utils/Constants.ts
Generated Vendored
+178
View File
@@ -0,0 +1,178 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { HttpStatus } from "@azure/msal-common/node";
// MSI Constants. Docs for MSI are available here https://docs.microsoft.com/azure/app-service/overview-managed-identity
export const AUTHORIZATION_HEADER_NAME: string = "Authorization";
export const METADATA_HEADER_NAME: string = "Metadata";
export const APP_SERVICE_SECRET_HEADER_NAME: string = "X-IDENTITY-HEADER";
export const SERVICE_FABRIC_SECRET_HEADER_NAME: string = "secret";
export const API_VERSION_QUERY_PARAMETER_NAME: string = "api-version";
export const RESOURCE_BODY_OR_QUERY_PARAMETER_NAME: string = "resource";
export const DEFAULT_MANAGED_IDENTITY_ID = "system_assigned_managed_identity";
export const MANAGED_IDENTITY_DEFAULT_TENANT = "managed_identity";
export const DEFAULT_AUTHORITY_FOR_MANAGED_IDENTITY = `https://login.microsoftonline.com/${MANAGED_IDENTITY_DEFAULT_TENANT}/`;
/**
* Managed Identity Environment Variable Names
*/
export const ManagedIdentityEnvironmentVariableNames = {
AZURE_POD_IDENTITY_AUTHORITY_HOST: "AZURE_POD_IDENTITY_AUTHORITY_HOST",
IDENTITY_ENDPOINT: "IDENTITY_ENDPOINT",
IDENTITY_HEADER: "IDENTITY_HEADER",
IDENTITY_SERVER_THUMBPRINT: "IDENTITY_SERVER_THUMBPRINT",
IMDS_ENDPOINT: "IMDS_ENDPOINT",
MSI_ENDPOINT: "MSI_ENDPOINT",
} as const;
export type ManagedIdentityEnvironmentVariableNames =
(typeof ManagedIdentityEnvironmentVariableNames)[keyof typeof ManagedIdentityEnvironmentVariableNames];
/**
* Managed Identity Source Names
* @public
*/
export const ManagedIdentitySourceNames = {
APP_SERVICE: "AppService",
AZURE_ARC: "AzureArc",
CLOUD_SHELL: "CloudShell",
DEFAULT_TO_IMDS: "DefaultToImds",
IMDS: "Imds",
SERVICE_FABRIC: "ServiceFabric",
} as const;
/**
* The ManagedIdentitySourceNames type
* @public
*/
export type ManagedIdentitySourceNames =
(typeof ManagedIdentitySourceNames)[keyof typeof ManagedIdentitySourceNames];
/**
* Managed Identity Ids
*/
export const ManagedIdentityIdType = {
SYSTEM_ASSIGNED: "system-assigned",
USER_ASSIGNED_CLIENT_ID: "user-assigned-client-id",
USER_ASSIGNED_RESOURCE_ID: "user-assigned-resource-id",
USER_ASSIGNED_OBJECT_ID: "user-assigned-object-id",
} as const;
export type ManagedIdentityIdType =
(typeof ManagedIdentityIdType)[keyof typeof ManagedIdentityIdType];
/**
* http methods
*/
export const HttpMethod = {
GET: "get",
POST: "post",
} as const;
export type HttpMethod = (typeof HttpMethod)[keyof typeof HttpMethod];
export const ProxyStatus = {
SUCCESS: HttpStatus.SUCCESS,
SUCCESS_RANGE_START: HttpStatus.SUCCESS_RANGE_START,
SUCCESS_RANGE_END: HttpStatus.SUCCESS_RANGE_END,
SERVER_ERROR: HttpStatus.SERVER_ERROR,
} as const;
export type ProxyStatus = (typeof ProxyStatus)[keyof typeof ProxyStatus];
/**
* Constants used for region discovery
*/
export const REGION_ENVIRONMENT_VARIABLE = "REGION_NAME";
export const MSAL_FORCE_REGION = "MSAL_FORCE_REGION";
/**
* Constant used for PKCE
*/
export const RANDOM_OCTET_SIZE = 32;
/**
* Constants used in PKCE
*/
export const Hash = {
SHA256: "sha256",
};
/**
* Constants for encoding schemes
*/
export const CharSet = {
CV_CHARSET:
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~",
};
/**
* Cache Constants
*/
export const CACHE = {
FILE_CACHE: "fileCache",
EXTENSION_LIB: "extenstion_library",
};
/**
* Constants
*/
export const Constants = {
MSAL_SKU: "msal.js.node",
JWT_BEARER_ASSERTION_TYPE:
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
AUTHORIZATION_PENDING: "authorization_pending",
HTTP_PROTOCOL: "http://",
LOCALHOST: "localhost",
};
/**
* API Codes for Telemetry purposes.
* Before adding a new code you must claim it in the MSAL Telemetry tracker as these number spaces are shared across all MSALs
* 0-99 Silent Flow
* 600-699 Device Code Flow
* 800-899 Auth Code Flow
*/
export const ApiId = {
acquireTokenSilent: 62,
acquireTokenByUsernamePassword: 371,
acquireTokenByDeviceCode: 671,
acquireTokenByClientCredential: 771,
acquireTokenByCode: 871,
acquireTokenByRefreshToken: 872,
};
export type ApiId = (typeof ApiId)[keyof typeof ApiId];
/**
* JWT constants
*/
export const JwtConstants = {
ALGORITHM: "alg",
RSA_256: "RS256",
PSS_256: "PS256",
X5T_256: "x5t#S256",
X5T: "x5t",
X5C: "x5c",
AUDIENCE: "aud",
EXPIRATION_TIME: "exp",
ISSUER: "iss",
SUBJECT: "sub",
NOT_BEFORE: "nbf",
JWT_ID: "jti",
};
export const LOOPBACK_SERVER_CONSTANTS = {
INTERVAL_MS: 100,
TIMEOUT_MS: 5000,
};
export const AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES = 4096; // 4 KB
export const MANAGED_IDENTITY_MAX_RETRIES = 3;
export const MANAGED_IDENTITY_RETRY_DELAY = 1000;
export const MANAGED_IDENTITY_HTTP_STATUS_CODES_TO_RETRY_ON = [
HttpStatus.NOT_FOUND,
HttpStatus.REQUEST_TIMEOUT,
HttpStatus.TOO_MANY_REQUESTS,
HttpStatus.SERVER_ERROR,
HttpStatus.SERVICE_UNAVAILABLE,
HttpStatus.GATEWAY_TIMEOUT,
];
node_modules/@azure/msal-node/src/utils/EncodingUtils.ts
Generated Vendored
+50
View File
@@ -0,0 +1,50 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { Constants } from "@azure/msal-common/node";
export class EncodingUtils {
/**
* 'utf8': Multibyte encoded Unicode characters. Many web pages and other document formats use UTF-8.
* 'base64': Base64 encoding.
*
* @param str text
*/
static base64Encode(str: string, encoding?: BufferEncoding): string {
return Buffer.from(str, encoding).toString("base64");
}
/**
* encode a URL
* @param str
*/
static base64EncodeUrl(str: string, encoding?: BufferEncoding): string {
return EncodingUtils.base64Encode(str, encoding)
.replace(/=/g, Constants.EMPTY_STRING)
.replace(/\+/g, "-")
.replace(/\//g, "_");
}
/**
* 'utf8': Multibyte encoded Unicode characters. Many web pages and other document formats use UTF-8.
* 'base64': Base64 encoding.
*
* @param base64Str Base64 encoded text
*/
static base64Decode(base64Str: string): string {
return Buffer.from(base64Str, "base64").toString("utf8");
}
/**
* @param base64Str Base64 encoded Url
*/
static base64DecodeUrl(base64Str: string): string {
let str = base64Str.replace(/-/g, "+").replace(/_/g, "/");
while (str.length % 4) {
str += "=";
}
return EncodingUtils.base64Decode(str);
}
}
node_modules/@azure/msal-node/src/utils/NetworkUtils.ts
Generated Vendored
+61
View File
@@ -0,0 +1,61 @@
/*
* Copyright (c) Microsoft Corporation. All rights reserved.
* Licensed under the MIT License.
*/
import { NetworkResponse } from "@azure/msal-common/node";
export type UrlToHttpRequestOptions = {
protocol: string;
hostname: string;
hash: string;
search: string;
pathname: string;
path: string;
href: string;
port?: number;
auth?: string;
};
export class NetworkUtils {
static getNetworkResponse<T>(
headers: Record<string, string>,
body: T,
statusCode: number
): NetworkResponse<T> {
return {
headers: headers,
body: body,
status: statusCode,
};
}
/*
* Utility function that converts a URL object into an ordinary options object as expected by the
* http.request and https.request APIs.
* https://github.com/nodejs/node/blob/main/lib/internal/url.js#L1090
*/
static urlToHttpOptions(url: URL): UrlToHttpRequestOptions {
const options: UrlToHttpRequestOptions = {
protocol: url.protocol,
hostname:
url.hostname && url.hostname.startsWith("[")
? url.hostname.slice(1, -1)
: url.hostname,
hash: url.hash,
search: url.search,
pathname: url.pathname,
path: `${url.pathname || ""}${url.search || ""}`,
href: url.href,
};
if (url.port !== "") {
options.port = Number(url.port);
}
if (url.username || url.password) {
options.auth = `${decodeURIComponent(
url.username
)}:${decodeURIComponent(url.password)}`;
}
return options;
}
}