@azure/msal-node - npm Package Compare versions

Comparing version 2.9.1 to 2.9.2

dist/client/ManagedIdentitySources/AzureArc.d.ts

@@ -9,2 +9,6 @@ import { INetworkModule, NetworkResponse, NetworkRequestOptions, Logger, ServerAuthorizationTokenResponse } from "@azure/msal-common";
 export declare const ARC_API_VERSION: string;
+export declare const SUPPORTED_AZURE_ARC_PLATFORMS: {
+    win32: string;
+    linux: string;
+};
 /**
@@ -11,0 +15,0 @@ * Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs

dist/crypto/CryptoProvider.d.ts

@@ -13,2 +13,12 @@ import { ICrypto, PkceCodes } from "@azure/msal-common";
     /**
+     * base64 URL safe encoded string
+     */
+    base64UrlEncode(): string;
+    /**
+     * Stringifies and base64Url encodes input public key
+     * @param inputKid
+     * @returns Base64Url encoded public key
+     */
+    encodeKid(): string;
+    /**
      * Creates a new random GUID - used to populate state and nonce.
@@ -15,0 +25,0 @@ * @returns string (GUID)

dist/error/ManagedIdentityError.d.ts

@@ -8,3 +8,7 @@ import { AuthError } from "@azure/msal-common";
 export declare const ManagedIdentityErrorMessages: {
+    invalid_file_extension: string;
+    invalid_file_path: string;
     invalid_managed_identity_id_type: string;
+    invalid_secret: string;
+    platform_not_supported: string;
     missing_client_id: string;
@@ -11,0 +15,0 @@ azure_pod_identity_authority_host_url_malformed: string;

dist/error/ManagedIdentityErrorCodes.d.ts

@@ -0,4 +1,8 @@
+export declare const invalidFileExtension = "invalid_file_extension";
+export declare const invalidFilePath = "invalid_file_path";
 export declare const invalidManagedIdentityIdType = "invalid_managed_identity_id_type";
+export declare const invalidSecret = "invalid_secret";
 export declare const missingId = "missing_client_id";
 export declare const networkUnavailable = "network_unavailable";
+export declare const platformNotSupported = "platform_not_supported";
 export declare const unableToCreateAzureArc = "unable_to_create_azure_arc";
@@ -5,0 +9,0 @@ export declare const unableToCreateCloudShell = "unable_to_create_cloud_shell";

dist/packageMetadata.d.ts

 export declare const name = "@azure/msal-node";
-export declare const version = "2.9.1";
+export declare const version = "2.9.2";
 //# sourceMappingURL=packageMetadata.d.ts.map

dist/utils/Constants.d.ts

@@ -136,2 +136,3 @@ export declare const AUTHORIZATION_HEADER_NAME: string;
 };
+export declare const AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES = 4096;
 export declare const MANAGED_IDENTITY_MAX_RETRIES = 3;
@@ -138,0 +139,0 @@ export declare const MANAGED_IDENTITY_RETRY_DELAY = 1000;

package.json

 {
   "$schema": "https://json.schemastore.org/package.json",
   "name": "@azure/msal-node",
-  "version": "2.9.1",
+  "version": "2.9.2",
   "author": {
@@ -81,3 +81,3 @@ "name": "Microsoft",
   "dependencies": {
-    "@azure/msal-common": "14.11.0",
+    "@azure/msal-common": "14.12.0",
     "jsonwebtoken": "^9.0.0",
@@ -84,0 +84,0 @@ "uuid": "^8.3.0"

src/client/ManagedIdentitySources/AzureArc.ts

@@ -27,2 +27,3 @@ /*
     AUTHORIZATION_HEADER_NAME,
+    AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES,
     HttpMethod,
@@ -36,8 +37,14 @@ METADATA_HEADER_NAME,
 import { NodeStorage } from "../../cache/NodeStorage";
-import { readFileSync } from "fs";
+import { readFileSync, statSync } from "fs";
 import { ManagedIdentityTokenResponse } from "../../response/ManagedIdentityTokenResponse";
 import { ManagedIdentityId } from "../../config/ManagedIdentityId";
+import path from "path";
 
 export const ARC_API_VERSION: string = "2019-11-01";
 
+export const SUPPORTED_AZURE_ARC_PLATFORMS = {
+    win32: `${process.env["ProgramData"]}\\AzureConnectedMachineAgent\\Tokens\\`,
+    linux: "/var/opt/azcmagent/tokens/",
+};
+
 /**
@@ -173,6 +180,56 @@ * Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs
 
-            const secretFile = wwwAuthHeader.split("Basic realm=")[1];
+            const secretFilePath = wwwAuthHeader.split("Basic realm=")[1];
+
+            // throw an error if the managed identity application is not being run on Windows or Linux
+            if (
+                !SUPPORTED_AZURE_ARC_PLATFORMS.hasOwnProperty(process.platform)
+            ) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.platformNotSupported
+                );
+            }
+
+            // get the expected Windows or Linux file path)
+            const expectedSecretFilePath: string =
+                SUPPORTED_AZURE_ARC_PLATFORMS[process.platform as string];
+
+            // throw an error if the file in the file path is not a .key file
+            const fileName: string = path.basename(secretFilePath);
+            if (!fileName.endsWith(".key")) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.invalidFileExtension
+                );
+            }
+
+            /*
+             * throw an error if the file path from the www-authenticate header does not match the
+             * expected file path for the platform (Windows or Linux) the managed identity application
+             * is running on
+             */
+            if (expectedSecretFilePath + fileName !== secretFilePath) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.invalidFilePath
+                );
+            }
+
+            let secretFileSize;
+            // attempt to get the secret file's size, in bytes
+            try {
+                secretFileSize = await statSync(secretFilePath).size;
+            } catch (e) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.unableToReadSecretFile
+                );
+            }
+            // throw an error if the secret file's size is greater than 4096 bytes
+            if (secretFileSize > AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.invalidSecret
+                );
+            }
+
+            // attempt to read the contents of the secret file
             let secret;
             try {
-                secret = readFileSync(secretFile, "utf-8");
+                secret = readFileSync(secretFilePath, "utf-8");
             } catch (e) {
@@ -179,0 +236,0 @@ throw createManagedIdentityError(

src/crypto/CryptoProvider.ts

@@ -30,2 +30,17 @@ /*
     /**
+     * base64 URL safe encoded string
+     */
+    base64UrlEncode(): string {
+        throw new Error("Method not implemented.");
+    }
+    /**
+     * Stringifies and base64Url encodes input public key
+     * @param inputKid
+     * @returns Base64Url encoded public key
+     */
+    encodeKid(): string {
+        throw new Error("Method not implemented.");
+    }
+
+    /**
      * Creates a new random GUID - used to populate state and nonce.
@@ -32,0 +47,0 @@ * @returns string (GUID)

src/error/ManagedIdentityError.ts

@@ -15,4 +15,12 @@ /*
 export const ManagedIdentityErrorMessages = {
+    [ManagedIdentityErrorCodes.invalidFileExtension]:
+        "The file path in the WWW-Authenticate header does not contain a .key file.",
+    [ManagedIdentityErrorCodes.invalidFilePath]:
+        "The file path in the WWW-Authenticate header is not in a valid Windows or Linux Format.",
     [ManagedIdentityErrorCodes.invalidManagedIdentityIdType]:
         "More than one ManagedIdentityIdType was provided.",
+    [ManagedIdentityErrorCodes.invalidSecret]:
+        "The secret in the file on the file path in the WWW-Authenticate header is greater than 4096 bytes.",
+    [ManagedIdentityErrorCodes.platformNotSupported]:
+        "The platform is not supported by Azure Arc. Azure Arc only supports Windows and Linux.",
     [ManagedIdentityErrorCodes.missingId]:
@@ -19,0 +27,0 @@ "A ManagedIdentityId id was not provided.",

src/error/ManagedIdentityErrorCodes.ts

@@ -8,5 +8,9 @@ /*
 
+export const invalidFileExtension = "invalid_file_extension";
+export const invalidFilePath = "invalid_file_path";
 export const invalidManagedIdentityIdType = "invalid_managed_identity_id_type";
+export const invalidSecret = "invalid_secret";
 export const missingId = "missing_client_id";
 export const networkUnavailable = "network_unavailable";
+export const platformNotSupported = "platform_not_supported";
 export const unableToCreateAzureArc = "unable_to_create_azure_arc";
@@ -13,0 +17,0 @@ export const unableToCreateCloudShell = "unable_to_create_cloud_shell";

src/packageMetadata.ts

 /* eslint-disable header/header */
 export const name = "@azure/msal-node";
-export const version = "2.9.1";
+export const version = "2.9.2";

src/utils/Constants.ts

@@ -164,2 +164,4 @@ /*
 
+export const AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES = 4096; // 4 KB
+
 export const MANAGED_IDENTITY_MAX_RETRIES = 3;
@@ -166,0 +168,0 @@ export const MANAGED_IDENTITY_RETRY_DELAY = 1000;

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

1157539

increased by1.33%

Lines of code

18969

increased by1.21%

Worsened metrics

Number of low supply chain risk alerts

28

increased by7.69%

Dependency changes

• + Added@azure/msal-common@14.12.0(transitive)

• - Removed@azure/msal-common@14.11.0(transitive)

• Updated@azure/msal-common@14.12.0