UNPKG

ruchy-syntax-tools

Version:

Comprehensive syntax highlighting and language support for the Ruchy programming language

github.com/noahgift/ruchy-syntax-tools

noahgift/ruchy-syntax-tools

145 lines 8.41 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
// Copyright (c) Microsoft Corporation. // Licensed under the MIT License. import { AuthenticationError, CredentialUnavailableError } from "../errors.js"; import { createHttpHeaders, createPipelineRequest } from "@azure/core-rest-pipeline"; import { ClientAssertionCredential } from "./clientAssertionCredential.js"; import { IdentityClient } from "../client/identityClient.js"; import { checkTenantId } from "../util/tenantIdUtils.js"; import { credentialLogger } from "../util/logging.js"; const credentialName = "AzurePipelinesCredential"; const logger = credentialLogger(credentialName); const OIDC_API_VERSION = "7.1"; /** * This credential is designed to be used in Azure Pipelines with service connections * as a setup for workload identity federation. */ export class AzurePipelinesCredential { clientAssertionCredential; identityClient; /** * AzurePipelinesCredential supports Federated Identity on Azure Pipelines through Service Connections. * @param tenantId - tenantId associated with the service connection * @param clientId - clientId associated with the service connection * @param serviceConnectionId - Unique ID for the service connection, as found in the querystring's resourceId key * @param systemAccessToken - The pipeline's <see href="https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops%26tabs=yaml#systemaccesstoken">System.AccessToken</see> value. * @param options - The identity client options to use for authentication. */ constructor(tenantId, clientId, serviceConnectionId, systemAccessToken, options = {}) { if (!clientId) { throw new CredentialUnavailableError(`${credentialName}: is unavailable. clientId is a required parameter.`); } if (!tenantId) { throw new CredentialUnavailableError(`${credentialName}: is unavailable. tenantId is a required parameter.`); } if (!serviceConnectionId) { throw new CredentialUnavailableError(`${credentialName}: is unavailable. serviceConnectionId is a required parameter.`); } if (!systemAccessToken) { throw new CredentialUnavailableError(`${credentialName}: is unavailable. systemAccessToken is a required parameter.`); } // Allow these headers to be logged for troubleshooting by AzurePipelines. options.loggingOptions = { ...options?.loggingOptions, additionalAllowedHeaderNames: [ ...(options.loggingOptions?.additionalAllowedHeaderNames ?? []), "x-vss-e2eid", "x-msedge-ref", ], }; this.identityClient = new IdentityClient(options); checkTenantId(logger, tenantId); logger.info(`Invoking AzurePipelinesCredential with tenant ID: ${tenantId}, client ID: ${clientId}, and service connection ID: ${serviceConnectionId}`); if (!process.env.SYSTEM_OIDCREQUESTURI) { throw new CredentialUnavailableError(`${credentialName}: is unavailable. Ensure that you're running this task in an Azure Pipeline, so that following missing system variable(s) can be defined- "SYSTEM_OIDCREQUESTURI"`); } const oidcRequestUrl = `${process.env.SYSTEM_OIDCREQUESTURI}?api-version=${OIDC_API_VERSION}&serviceConnectionId=${serviceConnectionId}`; logger.info(`Invoking ClientAssertionCredential with tenant ID: ${tenantId}, client ID: ${clientId} and service connection ID: ${serviceConnectionId}`); this.clientAssertionCredential = new ClientAssertionCredential(tenantId, clientId, this.requestOidcToken.bind(this, oidcRequestUrl, systemAccessToken), options); } /** * Authenticates with Microsoft Entra ID and returns an access token if successful. * If authentication fails, a {@link CredentialUnavailableError} or {@link AuthenticationError} will be thrown with the details of the failure. * * @param scopes - The list of scopes for which the token will have access. * @param options - The options used to configure any requests this * TokenCredential implementation might make. */ async getToken(scopes, options) { if (!this.clientAssertionCredential) { const errorMessage = `${credentialName}: is unavailable. To use Federation Identity in Azure Pipelines, the following parameters are required - tenantId, clientId, serviceConnectionId, systemAccessToken, "SYSTEM_OIDCREQUESTURI". See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`; logger.error(errorMessage); throw new CredentialUnavailableError(errorMessage); } logger.info("Invoking getToken() of Client Assertion Credential"); return this.clientAssertionCredential.getToken(scopes, options); } /** * * @param oidcRequestUrl - oidc request url * @param systemAccessToken - system access token * @returns OIDC token from Azure Pipelines */ async requestOidcToken(oidcRequestUrl, systemAccessToken) { logger.info("Requesting OIDC token from Azure Pipelines..."); logger.info(oidcRequestUrl); const request = createPipelineRequest({ url: oidcRequestUrl, method: "POST", headers: createHttpHeaders({ "Content-Type": "application/json", Authorization: `Bearer ${systemAccessToken}`, // Prevents the service from responding with a redirect HTTP status code (useful for automation). "X-TFS-FedAuthRedirect": "Suppress", }), }); const response = await this.identityClient.sendRequest(request); return handleOidcResponse(response); } } export function handleOidcResponse(response) { // OIDC token is present in `bodyAsText` field const text = response.bodyAsText; if (!text) { logger.error(`${credentialName}: Authentication Failed. Received null token from OIDC request. Response status- ${response.status}. Complete response - ${JSON.stringify(response)}`); throw new AuthenticationError(response.status, { error: `${credentialName}: Authentication Failed. Received null token from OIDC request.`, error_description: `${JSON.stringify(response)}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`, }); } try { const result = JSON.parse(text); if (result?.oidcToken) { return result.oidcToken; } else { const errorMessage = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`; let errorDescription = ``; if (response.status !== 200) { errorDescription = `Response body = ${text}. Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`; } logger.error(errorMessage); logger.error(errorDescription); throw new AuthenticationError(response.status, { error: errorMessage, error_description: errorDescription, }); } } catch (e) { const errorDetails = `${credentialName}: Authentication Failed. oidcToken field not detected in the response.`; logger.error(`Response from service = ${text}, Response Headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}, error message = ${e.message}`); logger.error(errorDetails); throw new AuthenticationError(response.status, { error: errorDetails, error_description: `Response = ${text}. Response headers ["x-vss-e2eid"] = ${response.headers.get("x-vss-e2eid")} and ["x-msedge-ref"] = ${response.headers.get("x-msedge-ref")}. See the troubleshooting guide for more information: https://aka.ms/azsdk/js/identity/azurepipelinescredential/troubleshoot`, }); } } //# sourceMappingURL=azurePipelinesCredential.js.map