Cli credentials (#7637)

* change autorest.typescript version (#6519) (#6520)

* update for cliCredential

* update for cliCredential

* Cleanup and get building

* Clean up api exports a bit

* Remove unused span creation

* Use a protected method that's overridden rather than a set of interfaces

* Use a protected method that's overridden rather than a set of interfaces

* Improve the regex match

Co-authored-by: Zhanle Tu (MSFT) <35680310+tzhanl@users.noreply.github.com>
Co-authored-by: Ziheng Zhou(MSFT) <v-zihz@microsoft.com>
Co-authored-by: Ruijie Pei (MSFT) <49467823+JerryPei1997@users.noreply.github.com>

Author: 4 people

sdk/identity/identity/package.json

@@ -8,6 +8,7 @@
   "types": "./types/identity.d.ts",
   "browser": {
     "stream": "./node_modules/stream-browserify/index.js",
+    "./dist-esm/src/credentials/azureCliCredential.js": "./dist-esm/src/credentials/azureCliCredential.browser.js",
     "./dist-esm/src/credentials/environmentCredential.js": "./dist-esm/src/credentials/environmentCredential.browser.js",
     "./dist-esm/src/credentials/managedIdentityCredential.js": "./dist-esm/src/credentials/managedIdentityCredential.browser.js",
     "./dist-esm/src/credentials/clientCertificateCredential.js": "./dist-esm/src/credentials/clientCertificateCredential.browser.js",

sdk/identity/identity/review/identity.api.md

@@ -37,6 +37,13 @@ export class AuthorizationCodeCredential implements TokenCredential {
     getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null>;
     }
 
+// @public
+export class AzureCliCredential implements TokenCredential {
+    constructor();
+    protected getAzureCliAccessToken(resource: string): Promise<unknown>;
+    getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null>;
+}
+
 // @public
 export type BrowserLoginStyle = "redirect" | "popup";
 

sdk/identity/identity/rollup.base.config.js

@@ -12,7 +12,7 @@ const input = "dist-esm/src/index.js";
 const production = process.env.NODE_ENV === "production";
 
 export function nodeConfig(test = false) {
-  const externalNodeBuiltins = ["crypto", "events", "fs"];
+  const externalNodeBuiltins = ["crypto", "events", "fs", "child-process"];
   const baseConfig = {
     input: input,
     external: depNames.concat(externalNodeBuiltins),

sdk/identity/identity/src/credentials/azureCliCredential.browser.ts

@@ -0,0 +1,19 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/* eslint-disable @typescript-eslint/no-unused-vars */
+
+import { AccessToken, TokenCredential, GetTokenOptions } from "@azure/core-http";
+import { TokenCredentialOptions } from "../client/identityClient";
+
+const BrowserNotSupportedError = new Error("AzureCliCredential is not supported in the browser.");
+
+export class AzureCliCredential implements TokenCredential {
+  constructor(options?: TokenCredentialOptions) {
+    throw BrowserNotSupportedError;
+  }
+
+  getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null> {
+    throw BrowserNotSupportedError;
+  }
+}

sdk/identity/identity/src/credentials/azureCliCredential.ts

@@ -0,0 +1,98 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+import { TokenCredential, GetTokenOptions, AccessToken } from "@azure/core-http";
+import { createSpan } from "../util/tracing";
+import { AuthenticationErrorName } from "../client/errors";
+import { CanonicalCode } from "@opentelemetry/types";
+import { logger } from "../util/logging";
+
+import * as child_process from "child_process";
+
+/**
+ * Provides the user access token and expire time
+ * with Azure CLI command "az account get-access-token".
+ */
+export class AzureCliCredential implements TokenCredential {
+  /**
+   * Creates an instance of the AzureCliCredential class.
+   */
+  constructor() {}
+
+  /**
+   * Gets the access token from Azure CLI
+   * @param resource The resource to use when getting the token
+   */
+  protected async getAzureCliAccessToken(resource: string) {
+    return new Promise((resolve, reject) => {
+      try {
+        child_process.exec(
+          `az account get-access-token --output json --resource ${resource}`,
+          (error, stdout, stderr) => {
+            resolve({ stdout: stdout, stderr: stderr });
+          }
+        );
+      } catch (err) {
+        reject(err);
+      }
+    });
+  }
+
+  /**
+   * Authenticates with Azure Active Directory and returns an access token if
+   * successful.  If authentication cannot be performed at this time, this method may
+   * return null.  If an error occurs during authentication, an {@link AuthenticationError}
+   * containing failure details will be thrown.
+   *
+   * @param scopes The list of scopes for which the token will have access.
+   * @param options The options used to configure any requests this
+   *                TokenCredential implementation might make.
+   */
+  public async getToken(
+    scopes: string | string[],
+    options?: GetTokenOptions
+  ): Promise<AccessToken | null> {
+    return new Promise((resolve, reject) => {
+      let scope: string;
+      scope = typeof scopes === "string" ? scopes : scopes[0];
+      logger.info(`use the scope ${scope}`);
+      const resource = scope.replace(/\/.default$/, "");
+      let responseData = "";
+
+      const { span } = createSpan("AzureCliCredential-getToken", options);
+      this.getAzureCliAccessToken(resource)
+        .then((obj: any) => {
+          if (obj.stderr) {
+            let isLoginError = obj.stderr.match("(.*)az login(.*)");
+            let isNotInstallError =
+              obj.stderr.match("az:(.*)not found") ||
+              obj.stderr.startsWith("'az' is not recognized");
+            if (isNotInstallError) {
+              throw new Error("Azure CLI could not be found.  Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
+            } else if (isLoginError) {
+              throw new Error("Please run 'az login' from a command prompt to authenticate before using this credential.");
+            }
+            throw new Error(obj.stderr);
+          } else {
+            responseData = obj.stdout;
+            const response: { accessToken: string; expiresOn: string } = JSON.parse(responseData);
+            resolve({
+              token: response.accessToken,
+              expiresOnTimestamp: new Date(response.expiresOn).getTime()
+            });
+          }
+        })
+        .catch((err) => {
+          const code =
+            err.name === AuthenticationErrorName
+              ? CanonicalCode.UNAUTHENTICATED
+              : CanonicalCode.UNKNOWN;
+          span.setStatus({
+            code,
+            message: err.message
+          });
+          reject(err);
+        });
+    });
+  }
+}

sdk/identity/identity/src/credentials/defaultAzureCredential.ts

@@ -5,6 +5,7 @@ import { TokenCredentialOptions } from "../client/identityClient";
 import { ChainedTokenCredential } from "./chainedTokenCredential";
 import { EnvironmentCredential } from "./environmentCredential";
 import { ManagedIdentityCredential } from "./managedIdentityCredential";
+import { AzureCliCredential } from "./azureCliCredential";
 
 /**
  * Provides a default {@link ChainedTokenCredential} configuration for
@@ -26,7 +27,8 @@ export class DefaultAzureCredential extends ChainedTokenCredential {
   constructor(tokenCredentialOptions?: TokenCredentialOptions) {
     super(
       new EnvironmentCredential(tokenCredentialOptions),
-      new ManagedIdentityCredential(tokenCredentialOptions)
+      new ManagedIdentityCredential(tokenCredentialOptions),
+      new AzureCliCredential()
     );
   }
 }

sdk/identity/identity/src/index.ts

@@ -7,6 +7,7 @@ import { DefaultAzureCredential } from "./credentials/defaultAzureCredential";
 export { ChainedTokenCredential } from "./credentials/chainedTokenCredential";
 export { TokenCredentialOptions } from "./client/identityClient";
 export { EnvironmentCredential } from "./credentials/environmentCredential";
+export { AzureCliCredential } from "./credentials/azureCliCredential";
 export { ClientSecretCredential } from "./credentials/clientSecretCredential";
 export { ClientCertificateCredential } from "./credentials/clientCertificateCredential";
 export { InteractiveBrowserCredential } from "./credentials/interactiveBrowserCredential";

sdk/identity/identity/test/mockAzureCliCredentialClient.ts

@@ -0,0 +1,31 @@
+import {
+  AzureCliCredential
+} from "../src/credentials/azureCliCredential";
+
+interface MockCredentialClient {
+  stdout: string;
+  stderr: string;
+}
+
+export class MockAzureCliCredentialClient extends AzureCliCredential {
+  private stdout: string;
+  private stderr: string;
+
+  constructor(options: MockCredentialClient) {
+    super();
+    this.stdout = options.stdout;
+    this.stderr = options.stderr;
+  }
+
+  /**
+   * Replace the work of getting the access token with a mocked method
+   * that will used mocked data instead of the output from the real `az`
+   * command.
+   * @param resource The resources to use when accessing token
+   */
+  protected getAzureCliAccessToken(resource: string) {
+    return new Promise((resolve) => {
+      resolve({ stdout: this.stdout, stderr: this.stderr });
+    });
+  }
+}

sdk/identity/identity/test/node/azureCliCredential.spec.ts

@@ -0,0 +1,68 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+import assert from "assert";
+import {
+  MockAzureCliCredentialClient
+} from "../mockAzureCliCredentialClient";
+
+describe("AzureCliCredential", function() {
+  it("get access token without error", async function() {
+    var mockCliCredentialClient = new MockAzureCliCredentialClient({
+      stdout: '{"accessToken": "token","expiresOn": "01/01/1900 00:00:00 +00:00"}',
+      stderr: ""
+    });
+    let actualToken = await mockCliCredentialClient.getToken("https://service/.default");
+    assert.equal(actualToken!.token, "token");
+  });
+
+  it("get access token when azure cli not installed", async () => {
+    if (process.platform == "linux" || process.platform == "darwin") {
+      var mockCliCredentialClient = new MockAzureCliCredentialClient({
+        stdout: "",
+        stderr: "az: command not found"
+      });
+
+      try {
+        await mockCliCredentialClient.getToken("https://service/.default");
+      } catch (error) {
+        assert.equal(error.message, "Azure CLI could not be found.  Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
+      }
+    } else {
+      var mockCliCredentialClient = new MockAzureCliCredentialClient({
+        stdout: "",
+        stderr: "'az' is not recognized"
+      });
+
+      try {
+        await mockCliCredentialClient.getToken("https://service/.default");
+      } catch (error) {
+        assert.equal(error.message, "Azure CLI could not be found.  Please visit https://aka.ms/azure-cli for installation instructions and then, once installed, authenticate to your Azure account using 'az login'.");
+      }
+    }
+  });
+
+  it("get access token when azure cli not login in", async () => {
+    var mockCliCredentialClient = new MockAzureCliCredentialClient({
+      stdout: "",
+      stderr: "Please run 'az login' from a command prompt to authenticate before using this credential."
+    });
+    try {
+      await mockCliCredentialClient.getToken("https://service/.default");
+    } catch (error) {
+      assert.equal(error.message, "Please run 'az login' from a command prompt to authenticate before using this credential.");
+    }
+  });
+
+  it("get access token when having other access token error", async () => {
+    var mockCliCredentialClient = new MockAzureCliCredentialClient({
+      stdout: "",
+      stderr: "mock other access token error"
+    });
+    try {
+      await mockCliCredentialClient.getToken("https://service/.default");
+    } catch (error) {
+      assert.equal(error.message, "mock other access token error");
+    }
+  });
+});