| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139 |
- // Copyright (c) Microsoft Corporation. All rights reserved.
- // Licensed under the MIT License. See License.txt in the project root for license information.
- import { readFileSync } from "fs";
- import { createHash } from "crypto";
- import { ApplicationTokenCredentialsBase } from "./applicationTokenCredentialsBase";
- import { Environment } from "@azure/ms-rest-azure-env";
- import { AuthConstants, TokenAudience } from "../util/authConstants";
- import { TokenResponse, ErrorResponse, TokenCache } from "adal-node";
- import { AzureTokenCredentialsOptions } from "../login";
- export class ApplicationTokenCertificateCredentials extends ApplicationTokenCredentialsBase {
- readonly certificate: string;
- readonly thumbprint: string;
- /**
- * Creates a new ApplicationTokenCredentials object.
- * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
- * for detailed instructions on creating an Azure Active Directory application.
- * @constructor
- * @param {string} clientId The active directory application client id.
- * @param {string} domain The domain or tenant id containing this application.
- * @param {string} certificate A PEM encoded certificate private key.
- * @param {string} thumbprint A hex encoded thumbprint of the certificate.
- * @param {string} [tokenAudience] The audience for which the token is requested. Valid values are 'graph', 'batch', or any other resource like 'https://vault.azure.net/'.
- * If tokenAudience is 'graph' then domain should also be provided and its value should not be the default 'common' tenant. It must be a string (preferrably in a guid format).
- * @param {Environment} [environment] The azure environment to authenticate with.
- * @param {object} [tokenCache] The token cache. Default value is the MemoryCache object from adal.
- */
- public constructor(
- clientId: string,
- domain: string,
- certificate: string,
- thumbprint: string,
- tokenAudience?: TokenAudience,
- environment?: Environment,
- tokenCache?: TokenCache
- ) {
- if (!certificate || typeof certificate.valueOf() !== "string") {
- throw new Error("certificate must be a non empty string.");
- }
- if (!thumbprint || typeof thumbprint.valueOf() !== "string") {
- throw new Error("thumbprint must be a non empty string.");
- }
- super(clientId, domain, tokenAudience, environment, tokenCache);
- this.certificate = certificate;
- this.thumbprint = thumbprint;
- }
- /**
- * Tries to get the token from cache initially. If that is unsuccessfull then it tries to get the token from ADAL.
- * @returns {Promise<TokenResponse>} A promise that resolves to TokenResponse and rejects with an Error.
- */
- public async getToken(): Promise<TokenResponse> {
- try {
- const tokenResponse = await this.getTokenFromCache();
- return tokenResponse;
- } catch (error) {
- if (error.message.startsWith(AuthConstants.SDK_INTERNAL_ERROR)) {
- return Promise.reject(error);
- }
- return new Promise((resolve, reject) => {
- const resource = this.getActiveDirectoryResourceId();
- this.authContext.acquireTokenWithClientCertificate(
- resource,
- this.clientId,
- this.certificate,
- this.thumbprint,
- (error: any, tokenResponse: TokenResponse | ErrorResponse) => {
- if (error) {
- return reject(error);
- }
- if (tokenResponse.error || tokenResponse.errorDescription) {
- return reject(tokenResponse);
- }
- return resolve(tokenResponse as TokenResponse);
- }
- );
- });
- }
- }
- /**
- * Creates a new instance of ApplicationTokenCertificateCredentials.
- *
- * @param clientId The active directory application client id also known as the SPN (ServicePrincipal Name).
- * See {@link https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-dotnet/ Active Directory Quickstart for .Net}
- * for an example.
- * @param {string} certificateStringOrFilePath A PEM encoded certificate and private key OR an absolute filepath to the .pem file containing that information. For example:
- * - CertificateString: "-----BEGIN PRIVATE KEY-----\n<xxxxx>\n-----END PRIVATE KEY-----\n-----BEGIN CERTIFICATE-----\n<yyyyy>\n-----END CERTIFICATE-----\n"
- * - CertificateFilePath: **Absolute** file path of the .pem file.
- * @param domain The domain or tenant id containing this application.
- * @param options AzureTokenCredentialsOptions - Object representing optional parameters.
- *
- * @returns ApplicationTokenCertificateCredentials
- */
- public static create(
- clientId: string,
- certificateStringOrFilePath: string,
- domain: string,
- options: AzureTokenCredentialsOptions
- ): ApplicationTokenCertificateCredentials {
- if (
- !certificateStringOrFilePath ||
- typeof certificateStringOrFilePath.valueOf() !== "string"
- ) {
- throw new Error(
- "'certificateStringOrFilePath' must be a non empty string."
- );
- }
- if (!certificateStringOrFilePath.startsWith("-----BEGIN")) {
- certificateStringOrFilePath = readFileSync(
- certificateStringOrFilePath,
- "utf8"
- );
- }
- const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9\+\/\n\r]+\=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/;
- const matchCert = certificateStringOrFilePath.match(certificatePattern);
- const rawCertificate = matchCert ? matchCert[3] : "";
- if (!rawCertificate) {
- throw new Error(
- "Unable to correctly parse the certificate from the value provided in 'certificateStringOrFilePath' "
- );
- }
- const thumbprint = createHash("sha1")
- .update(Buffer.from(rawCertificate, "base64"))
- .digest("hex");
- return new ApplicationTokenCertificateCredentials(
- clientId,
- domain,
- certificateStringOrFilePath,
- thumbprint,
- options.tokenAudience,
- options.environment,
- options.tokenCache
- );
- }
- }
|