@microsoft/windows-admin-center-sdk
Version:
Microsoft - Windows Admin Center Shell
855 lines (853 loc) • 35.7 kB
JavaScript
import { of, Subject, throwError } from 'rxjs';
import { map, mergeMap, take } from 'rxjs/operators';
import { Crypto } from '../data/crypto';
import { headerConstants } from '../data/http-constants';
import { Net } from '../data/net';
import { Logging } from '../diagnostics/logging';
import { RpcForwarder, RpcServiceForwarder } from '../rpc/rpc-forwarder';
import { SignOnManager } from './sign-on-manager';
/**
* Authorization Manager class. Handles SME authentication for service requests.
*/
export class AuthorizationManager extends RpcServiceForwarder {
authorize;
/**
* Cache key for session storage of authorization cache
*/
static cacheKey = 'AuthorizationManager.cache.v1';
/**
* If no laps local admin name is defined, it will default to 'administrator'
*/
static defaultLapsLocalAdminName = 'administrator';
static rpcCommands = {
setNodeToken: 'setNodeToken',
setNodeTokens: 'setNodeTokens',
manageAsToken: 'manageAsToken',
setNodeTokenError: 'setNodeTokenError',
setJeaContext: 'setJeaContext',
clearNodeTokens: 'clearNodeTokens',
getNewToken: 'getNewToken',
secureToken: 'secureToken',
encrypt: 'encrypt',
getSignOnToken: 'getSignOnToken',
setSignOnToken: 'setSignOnToken',
setSignOnTokenError: 'setSignOnTokenError'
};
/**
* Create a map of nodeNames to token objects to hold node specific tokens.
*/
nodeTokens;
/**
* The sign on operation manager.
*/
signOnManager;
/**
* The backing store fro the manageAsToken
*/
token;
/**
* The JSON Web Key. Single string with JSON.stringify format.
*/
jwk;
/**
* Credentials expiration time, used to determine the lifetime of new tokens. Value in milliseconds.
*/
credentialsExpirationTimeInMs;
/**
* Underlying implementation subject for credentialExpiration observable
*/
credentialExpirationChangedSubject;
/**
* Observable that emits whenever the credentials expiration has changed
*/
credentialExpirationChanged;
/**
* Set the admin configured expiration time in milliseconds
* If this is not set it will be defaulted to 365 days.
*/
set authExpirationInMs(expirationTimeInMs) {
this.credentialsExpirationTimeInMs = expirationTimeInMs;
this.credentialExpirationChangedSubject.next(expirationTimeInMs);
}
/**
* The logon user returned by gateway's api/user
*/
logOnUser;
/**
* Sets logon user and caches the value
*/
set shellLogOnUser(username) {
this.logOnUser = username;
this.updateCache();
}
/**
* The mapping of connections to PowershellEndpoints
*/
nodePowershellEndpoints;
/**
* The token awaiter subject.
*/
tokenAwaiter;
/**
* The subject observable of sign on token awaiter.
*/
signOnTokenAwaiter;
/**
* Sets the current manage as token
* If running with an Rpc child, notify of the change
*/
set manageAsToken(token) {
this.token = token;
this.nodePowershellEndpoints = {};
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.manageAsToken, token);
this.updateCache();
}
/**
* Gets the current manage as token
*/
get manageAsToken() {
return this.token;
}
/**
* Sets the gateway encryption certificate JWK.
* If this is not set by Shell/Add-Connection, it will send clear text password.
*/
set gatewayJwk(jwk) {
if (this.jwk !== jwk) {
this.resetAllTokens();
}
this.jwk = jwk;
this.gatewayJwkChangedSubject.next(jwk);
this.updateCache();
}
/**
* Observable that emits whenever the gateways Jwk has changed
*/
gatewayJwkChanged;
/**
* Underlying implementation subject for gatewayJwkChanged observable
*/
gatewayJwkChangedSubject;
/**
* Gets the gateway encryption certificate JWK.
*/
get gatewayJwk() {
return this.jwk;
}
/**
* Gets an observable the emits when the authorization token is ready
*/
get authAwaiter() {
if (this.tokenAwaiter && !this.tokenAwaiter.closed) {
// return the global token
return this.tokenAwaiter;
}
// return the global token
return of({ appliesTo: null, token: this.manageAsToken });
}
/**
* Initializes a new instance of the Authorization Manager class
* @param authorize An AuthorizationHandler with which to retrieve user credentials
* @param rpc The rpc to forward auth requests to a parent window
*/
constructor(authorize, rpc) {
super('authorization-manager', rpc);
this.authorize = authorize;
this.gatewayJwkChangedSubject = new Subject();
this.gatewayJwkChanged = this.gatewayJwkChangedSubject.asObservable();
this.credentialExpirationChangedSubject = new Subject();
this.credentialExpirationChanged = this.credentialExpirationChangedSubject.asObservable();
this.nodeTokens = {};
this.nodePowershellEndpoints = {};
if (MsftSme.isShell()) {
// attempt to restore from storage if this is a shell instance
const cachedDataString = MsftSme.SessionStorageHandler.getItem(AuthorizationManager.cacheKey);
if (!MsftSme.isNullOrWhiteSpace(cachedDataString)) {
try {
const cachedData = JSON.parse(cachedDataString);
// verify data and set properties
this.jwk = cachedData.jwk || null;
this.manageAsToken = cachedData.manageAsToken || null;
this.nodeTokens = cachedData.nodeTokens || {};
this.nodePowershellEndpoints = cachedData.nodePowershellEndpoints || {};
this.logOnUser = cachedData.logOnUser;
}
catch (error) {
MsftSme.SessionStorageHandler.removeItem(AuthorizationManager.cacheKey);
}
}
}
this.signOnManager = new SignOnManager(() => this.refreshSignOnToken());
}
/**
* defines the conditions under which the AuthorizationManager can handle an ajax error
*/
canHandleAjaxFailure(code, error) {
// we can handle ajax errors if we have a getter defined, and the code is Unauthorized (401) or we get a cim authorization failure
return this.authorize && Net.isUnauthorized(error);
}
/**
* When canHandle returns true for an ajax error, this method can be called to handle that error.
*/
handleAjaxFailure(code, request, error, nodeName) {
const errorData = this.getErrorData(code, error);
return this.getNewToken(nodeName, errorData)
.pipe(mergeMap(response => {
// There may be multiple nodes requesting authentication, but we can only ask the user for one.
// check if the result if for our node, otherwise try again.
// It looks for inside of array only for first name.
const names = response.appliesTo;
const isTokenForNode = !names || names === nodeName || (Array.isArray(names) && names[0] === nodeName);
if (isTokenForNode) {
// this token applies to our node, so continue
this.addAuthorizationRequestHeader(request, nodeName);
return of(request);
}
else {
// this token did not apply to our node. Ask again.
return this.handleAjaxFailure(code, request, error, nodeName);
}
}));
}
/**
* Check if it can handle the error.
*
* @param response the response of CIM stream query.
*/
canHandleStreamFailure(response) {
// access denied case.
return response && response.response && response.response.statusCode === 401 /* HttpStatusCode.Unauthorized */;
}
/**
* When canHandle returns true for an ajax error, this method can be called to handle that error.
*/
handleStreamFailure(nodeName, options, response) {
let message = response.response.error && response.response.error.message;
if (!message) {
const errors = response.response.errors;
if (errors && errors.length > 0) {
message = errors[0].message;
}
}
const errorData = {
statusCode: response.response.statusCode,
errorCode: 'Unauthorized',
errorMessage: message
};
return this.getNewToken(nodeName, errorData)
.pipe(mergeMap(result => {
const names = result.appliesTo;
const isTokenForNode = !names || names === nodeName || (Array.isArray(names) && names[0] === nodeName);
if (isTokenForNode) {
const token = this.getSavedNodeToken(nodeName);
if (token) {
if (options) {
options.authToken = token;
}
else {
options = { authToken: token };
}
}
return of(options);
}
else {
return this.handleStreamFailure(nodeName, options, response);
}
}));
}
saveJeaContext(nodeName, endpoint) {
Logging.trace({
view: 'sme-ui-control',
instance: 'saveJeaContext',
action: 'command-click',
data: { message: 'Establishing session using JEA endpoint' }
});
this.setJeaEndpoint(nodeName, endpoint);
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setJeaContext, { nodeName: nodeName, endpoint: endpoint });
}
getJeaEndpoint(nodeName) {
return this.nodePowershellEndpoints[nodeName.toLocaleLowerCase()];
}
/**
* Associates a node to use a specified JEA endpoint
*/
setJeaEndpoint(nodeName, endpoint) {
this.nodePowershellEndpoints[nodeName.toLocaleLowerCase()] = endpoint;
this.updateCache();
}
getNewToken(nodeNames, errorData) {
// if we are already awaiting a token, then hook into the current request and try using that token
if (this.tokenAwaiter && !this.tokenAwaiter.closed) {
return this.tokenAwaiter;
}
// ensure input is an array only if not null.
if (nodeNames && !Array.isArray(nodeNames)) {
nodeNames = [nodeNames];
}
// define a new subject for multiple requests to wait on
this.tokenAwaiter = new Subject();
// try to forward execute getNewToken from our parent
const parentExecuter = this.forwardExecute(0 /* RpcRelationshipType.Parent */, AuthorizationManager.rpcCommands.getNewToken, [nodeNames, errorData]);
if (parentExecuter) {
return this.tokenAwaiter;
}
// Need to clear the endpoints before we acquire a new token,
// because we must try new credentials in an admin context before any fallback happens.
if (nodeNames) {
for (const node of nodeNames) {
this.setJeaEndpoint(node, null);
}
}
// since we could not forward the request We must ask for the auth token ourselves
this.authorize(nodeNames, errorData)
.pipe(mergeMap(credentials => {
if (credentials.applyToAllNodes) {
this.nodeTokens = {};
this.updateCache();
const forward = this.forwardExecute(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.clearNodeTokens, []);
if (forward) {
return forward.pipe(map(() => credentials));
}
}
return of(credentials);
}), mergeMap(credentials => {
const appliesTo = credentials.applyToAllNodes ? null : nodeNames || null;
return this.createSecureToken({
username: credentials.username,
password: credentials.password,
useLaps: credentials.useLaps,
lapsLocalAdminName: credentials.lapsLocalAdminName
}).pipe(map(token => {
return {
token: token,
appliesTo: appliesTo
};
}));
}),
// take the next 1 result and use it for our token.
// We can now notify anyone waiting for auth and save the token
take(1))
.subscribe({
next: result => {
this.completeTokenAwaiter(result);
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setNodeToken, result);
},
error: error => {
this.completeTokenAwaiter(null, error);
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setNodeTokenError, RpcForwarder.ensureSerializable(error));
}
});
return this.tokenAwaiter;
}
refreshSignOnToken() {
// if we are already awaiting a token, then hook into the current request and try using that token
if (this.signOnTokenAwaiter) {
return this.signOnTokenAwaiter;
}
// define a new subject for multiple requests to wait on
this.signOnTokenAwaiter = new Subject();
// try to forward execute getSignOnToken from our parent.
const now = Date.now();
const parentExecuter = this.forwardExecute(0 /* RpcRelationshipType.Parent */, AuthorizationManager.rpcCommands.getSignOnToken, [now]);
if (parentExecuter) {
return this.signOnTokenAwaiter;
}
// since we could not forward the request We must ask for the signon token ourselves
this.signOnManager.requestSignOnRefresh()
.subscribe({
next: response => {
this.completeSignOnTokenAwaiter(response);
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setSignOnToken, RpcForwarder.ensureSerializable(response));
},
error: error => {
this.completeSignOnTokenAwaiter(null, error);
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setSignOnTokenError, RpcForwarder.ensureSerializable(error));
}
});
return this.signOnTokenAwaiter;
}
/**
* Forward Sign On Token to child frame.
*/
forwardSignOnToken() {
const data = { time: Date.now(), token: this.signOnManager.signedHttpRequestToken };
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setSignOnToken, data);
}
/**
* @deprecated use createSecureToken() after configured gatewayJwk property.
*
* Creates a token from the given options that may be used for node authentication
* @param options The token creation options
*/
createToken(options, passwordEncryptedWith = null) {
// ensure a valid value for laps local admin name
if (MsftSme.isNullOrWhiteSpace(options.lapsLocalAdminName)) {
options.lapsLocalAdminName = AuthorizationManager.defaultLapsLocalAdminName;
}
// ensure username has a valid value
if (MsftSme.isNullOrWhiteSpace(options.username)) {
options.username = null;
}
if (options.useLaps || !options.username) {
return {
value: null,
username: null,
useLaps: options.useLaps,
lapsLocalAdminName: options.lapsLocalAdminName
};
}
// ensure password has a valid value
if (MsftSme.isNullOrWhiteSpace(options.password)) {
options.password = null;
}
let username;
if (options.username.indexOf('@') >= 0) {
// domain is empty if UPN is used.
username = ["", options.username];
}
else {
username = options.username.split('\\');
}
const token = Net.createEncodedAuthenticationHeader(username, options.password, passwordEncryptedWith);
return {
value: token,
username: options.username,
useLaps: false,
lapsLocalAdminName: null
};
}
/**
* Creates a secure token from the given options that may be used for node authentication
*
* @param options The token creation options
*/
createSecureToken(options) {
const forward = this.forwardExecute(0 /* RpcRelationshipType.Parent */, AuthorizationManager.rpcCommands.secureToken, [options]);
if (forward) {
return forward;
}
else {
return this.secureToken(options);
}
}
/**
* Get the saved Auth token for a node.
*
* @param nodeName The nodeName to get token for.
*/
getSavedNodeToken(nodeName) {
if (nodeName && this.nodeTokens[nodeName.toLocaleLowerCase()]) {
return this.nodeTokens[nodeName.toLocaleLowerCase()];
}
return this.manageAsToken;
}
/**
* Sets a token on the given nodes
* @param token The token to use for the given nodes
* @param nodeName The names of the nodes to set the token for. If empty or null, the token will be used as the global manageAs token
* @returns an Observable indicating that the token has been set.
*/
setNodeTokens(token, nodeNames) {
// if we have a parent instance, just forward it and return the result
const forward = this.forwardExecute(0 /* RpcRelationshipType.Parent */, AuthorizationManager.rpcCommands.setNodeTokens, [token, nodeNames]);
if (forward) {
return forward;
}
// otherwise process the token
const childSetTokenResponse = { token: token };
if (!nodeNames || !Array.isArray(nodeNames) || nodeNames.length === 0) {
this.manageAsToken = token;
}
else {
childSetTokenResponse.appliesTo = nodeNames;
nodeNames.forEach(nodeName => this.nodeTokens[nodeName.toLocaleLowerCase()] = token);
}
this.updateCache();
// notify all child instances of the token change.
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setNodeToken, childSetTokenResponse, true);
// return a null observable, indicating we are done.
return of(null);
}
/**
* Adds a authorization header to a request given a node with a manageAsToken
* @param request The request to add headers to
* @param nodeName optional. The node to add headers for if not provided, the global token will be used
* @param token optional. The token to use for the headers. if provided, the nodeName is not used.
*/
addAuthorizationRequestHeader(request, nodeName, token) {
if (!token) {
token = this.getSavedNodeToken(nodeName);
}
if (token) {
if (token.value) {
// If username and password are explicitly provided, we only add the Authorization header.
request.headers[headerConstants.SME_AUTHORIZATION] = token.value;
}
else {
// If not, we add useLaps header.
request.headers[headerConstants.USE_LAPS] = token.useLaps;
request.headers[headerConstants.LAPS_LOCALADMINNAME] = token.lapsLocalAdminName;
}
}
}
/**
* Create token headers.
*
* @param nodeName the node name.
* @param token the token to override current setting (optional).
*/
createTokenHeaders(nodeName, token) {
const headers = {};
token = token || this.getSavedNodeToken(nodeName);
if (token) {
if (token.value) {
// If username and password are explicitly provided, we only add the Authorization header.
headers[headerConstants.SME_AUTHORIZATION] = token.value;
}
else {
// If not, we add useLaps header.
headers[headerConstants.USE_LAPS] = token.useLaps ? 'true' : 'false';
headers[headerConstants.LAPS_LOCALADMINNAME] = token.lapsLocalAdminName;
}
}
return headers;
}
/**
* Adds a authorization header to a request given a node with a manageAsToken
*/
addAuthorizationTokensToMultiPartBody(body, nodeName, token) {
if (!token) {
token = this.getSavedNodeToken(nodeName);
}
if (token) {
if (token.value) {
// If username and password are explicitly provided, we only add the Authorization header.
body.push(headerConstants.SME_AUTHORIZATION + ': ' + token.value);
}
else {
// If not, we add useLaps header.
body.push(headerConstants.USE_LAPS + ': ' + token.useLaps);
body.push(headerConstants.LAPS_LOCALADMINNAME + ': ' + token.lapsLocalAdminName);
}
}
}
resetAllTokens() {
this.manageAsToken = null;
this.nodePowershellEndpoints = {};
this.nodeTokens = {};
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.manageAsToken, null);
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.clearNodeTokens, []);
this.updateCache();
}
/**
* Encrypts a string value using the jwk from the gateway
*/
encrypt(value) {
const forward = this.forwardExecute(0 /* RpcRelationshipType.Parent */, AuthorizationManager.rpcCommands.encrypt, [value]);
if (forward) {
return forward;
}
return Crypto.encryptRsaSha1(this.jwk, value);
}
/**
* Called on a child service instance when onForwardInit returns from the parent
* @param data The response from the forwardInit call
*/
onForwardInitResponse(data) {
if (data && data.error) {
// if there is an error, we cannot continue, so throw it
throw data.error;
}
this.manageAsToken = data.result.manageAsToken;
this.nodeTokens = data.result.nodeTokens;
this.nodePowershellEndpoints = data.result.nodePowershellEndpoints;
this.signOnManager.signedHttpRequestToken = data.result.signOnToken;
}
/**
* Called when a new instance of the service in another window is initialized and needs to synchronize with its parent
* @param from The RpcRelationshipType that this request is from
* @returns an observable for the all the values needed to initialize the service
*/
onForwardInit() {
// authorization manager doesn't pass any properties to child services at this time.
return of({
manageAsToken: this.manageAsToken,
nodeTokens: this.nodeTokens,
nodePowershellEndpoints: this.nodePowershellEndpoints,
signOnToken: this.signOnManager.signedHttpRequestToken
});
}
/**
* Called when the forwarded services counterpart wants to get data from the parent
* @param from The RpcRelationshipType that this request is from
* @param name The name of the method to forward to
* @param args The arguments of the method
* @returns an observable for the result of the method call
*/
onForwardExecute(from, name, args) {
// command comes from child
if (from === 1 /* RpcRelationshipType.Child */) {
switch (name) {
case AuthorizationManager.rpcCommands.getNewToken: {
// start getting the new token, but return immediately to avoid timeout
const subscription = this.getNewToken(args ? args[0] : null, args ? args[1] : null)
.subscribe({
next: () => subscription.unsubscribe(),
error: error => {
subscription.unsubscribe();
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setNodeTokenError, RpcForwarder.ensureSerializable(error));
}
});
return of(null);
}
case AuthorizationManager.rpcCommands.secureToken: {
const options = args && args[0];
if (!options) {
return of(null);
}
return this.secureToken(options);
}
case AuthorizationManager.rpcCommands.encrypt: {
const options = args && args[0];
if (!options) {
return of(null);
}
return this.encrypt(options);
}
case AuthorizationManager.rpcCommands.setNodeTokens: {
const token = args && args[0];
const nodes = args && args[1];
if (!token) {
return of(null);
}
return this.setNodeTokens(token, nodes);
}
case AuthorizationManager.rpcCommands.getSignOnToken: {
const subscription = this.refreshSignOnToken()
.subscribe({
next: () => subscription.unsubscribe(),
error: error => {
subscription.unsubscribe(),
this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setSignOnTokenError, RpcForwarder.ensureSerializable(error));
}
});
return of(null);
}
}
}
// command comes from parent
if (from === 0 /* RpcRelationshipType.Parent */) {
if (name === AuthorizationManager.rpcCommands.clearNodeTokens) {
this.nodeTokens = {};
this.nodePowershellEndpoints = {};
// if we also have children, forward the request on
const forward = this.forwardExecute(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.clearNodeTokens, args);
return forward || of(null);
}
}
// command not implemented
return this.nameNotFound(name);
}
/**
* Called when the forwarded services counterpart sends a notify message
* @param from The RpcRelationshipType that this request is from
* @param name The name of the property to change
* @param value The new value of the property
* @returns an observable that completes when the property has been changed.
*/
onForwardNotify(from, name, value) {
// allow our parent to give us a new token.
if (from === 0 /* RpcRelationshipType.Parent */) {
if (name === AuthorizationManager.rpcCommands.manageAsToken) {
this.manageAsToken = value;
// if we also have children, forward the notification on
const forward = this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.manageAsToken, value);
return forward || of(null);
}
if (name === AuthorizationManager.rpcCommands.setNodeToken) {
if (!value) {
const message = MsftSme.getStrings().MsftSmeShell.Core.Error.InvalidValue.message;
return throwError(() => message.format(AuthorizationManager.rpcCommands.setNodeToken));
}
this.completeTokenAwaiter(value);
const forward = this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setNodeToken, value);
return forward || of(null);
}
if (name === AuthorizationManager.rpcCommands.setNodeTokenError) {
if (!value) {
const message = MsftSme.getStrings().MsftSmeShell.Core.Error.InvalidValue.message;
return throwError(() => message.format(AuthorizationManager.rpcCommands.setNodeTokenError));
}
this.completeTokenAwaiter(null, value);
const forward = this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setNodeTokenError, value);
return forward || of(null);
}
if (name === AuthorizationManager.rpcCommands.setJeaContext) {
if (!value) {
const message = MsftSme.getStrings().MsftSmeShell.Core.Error.InvalidValue.message;
return throwError(() => message.format(AuthorizationManager.rpcCommands.setJeaContext));
}
this.saveJeaContext(value.nodeName, value.endpoint);
const forward = this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setJeaContext, value);
return forward || of(null);
}
if (name === AuthorizationManager.rpcCommands.setSignOnToken) {
if (!value) {
const message = MsftSme.getStrings().MsftSmeShell.Core.Error.InvalidValue.message;
return throwError(() => message.format(AuthorizationManager.rpcCommands.setNodeToken));
}
this.completeSignOnTokenAwaiter(value);
const forward = this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setSignOnToken, value);
return forward || of(null);
}
if (name === AuthorizationManager.rpcCommands.setSignOnTokenError) {
if (!value) {
const message = MsftSme.getStrings().MsftSmeShell.Core.Error.InvalidValue.message;
return throwError(() => message.format(AuthorizationManager.rpcCommands.setNodeTokenError));
}
this.completeSignOnTokenAwaiter(null, value);
const forward = this.forwardNotify(1 /* RpcRelationshipType.Child */, AuthorizationManager.rpcCommands.setSignOnTokenError, value);
return forward || of(null);
}
}
return this.nameNotFound(name);
}
/**
* Creates a secure token from the given options that may be used for node authentication
*
* @param options The token creation options
*/
secureToken(options) {
// ensure a valid value for laps local admin name
if (MsftSme.isNullOrWhiteSpace(options.lapsLocalAdminName)) {
options.lapsLocalAdminName = AuthorizationManager.defaultLapsLocalAdminName;
}
// ensure username has a valid value
if (MsftSme.isNullOrWhiteSpace(options.username)) {
options.username = null;
}
if (options.useLaps || !options.username) {
return of({
value: null,
username: null,
useLaps: options.useLaps,
lapsLocalAdminName: options.lapsLocalAdminName
});
}
// ensure password has a valid value
if (MsftSme.isNullOrWhiteSpace(options.password)) {
options.password = null;
}
let username;
if (options.username.indexOf('@') >= 0) {
// domain is empty if UPN is used.
username = ["", options.username];
}
else {
username = options.username.split('\\');
}
const tokenData = {
value: undefined,
username: options.username,
useLaps: false,
lapsLocalAdminName: null
};
if (this.jwk) {
return Net.createEncryptedAuthenticationHeader(this.jwk, username, options.password, this.logOnUser, this.credentialsExpirationTimeInMs)
.pipe(map(newToken => {
tokenData.value = newToken;
return tokenData;
}));
}
tokenData.value = Net.createEncodedAuthenticationHeader(username, options.password);
return of(tokenData);
}
/**
* Completes the token awaiter
*/
completeTokenAwaiter(result, error) {
if (error) {
if (this.tokenAwaiter) {
const awaiter = this.tokenAwaiter;
this.tokenAwaiter = null;
awaiter.error(error);
}
}
else {
if (!result.appliesTo) {
this.manageAsToken = result.token;
}
else if (Array.isArray(result.appliesTo)) {
result.appliesTo.forEach(nodeName => {
this.nodeTokens[nodeName.toLocaleLowerCase()] = result.token;
});
this.updateCache();
}
else {
this.nodeTokens[result.appliesTo.toLocaleLowerCase()] = result.token;
this.updateCache();
}
if (this.tokenAwaiter) {
const awaiter = this.tokenAwaiter;
this.tokenAwaiter = null;
awaiter.next(result);
awaiter.complete();
}
}
}
/**
* Completes the sign on token awaiter
*/
completeSignOnTokenAwaiter(result, error) {
const awaiter = this.signOnTokenAwaiter;
if (awaiter) {
this.signOnTokenAwaiter = null;
}
if (error) {
if (awaiter) {
awaiter.error(error);
}
return;
}
if (result.token) {
this.signOnManager.signedHttpRequestToken = result.token;
}
else {
Logging.logError('Shell.AuthorizationManager', 'Null token was passed.');
}
if (awaiter) {
awaiter.next(result);
awaiter.complete();
}
}
/**
* Gets the error data.
* @param code the http status code.
* @param error the AJAX error object.
*/
getErrorData(code, error) {
return {
statusCode: code,
errorCode: error && error.xhr && error.xhr.response && error.xhr.response.error && error.xhr.response.error.code,
errorMessage: Net.getErrorMessage(error)
};
}
/**
* Updates the authorization cache. Does nothing if we are not running in shell
*/
updateCache() {
if (!MsftSme.isShell()) {
// ignore if not shell
return;
}
// update cached data
const cacheData = {
jwk: this.jwk,
manageAsToken: this.manageAsToken,
nodePowershellEndpoints: this.nodePowershellEndpoints,
nodeTokens: this.nodeTokens
};
MsftSme.SessionStorageHandler.setItem(AuthorizationManager.cacheKey, JSON.stringify(cacheData));
}
}
//# sourceMappingURL=authorization-manager.js.map