[identity] Identity bug fix (#29982)

Identity bug fix
Azure · Jun 10, 2024 · c6aa75d · c6aa75d
1 parent f21039b
commit c6aa75d
Show file tree

Hide file tree

Showing 14 changed files with 614 additions and 503 deletions.
diff --git a/.vscode/cspell.json b/.vscode/cspell.json
@@ -189,7 +189,7 @@
         "sipx",
         "ssml",
         "unhold",
-		    "Unhold"
+        "Unhold"
       ]
     },
     {
@@ -287,6 +287,10 @@
       "filename": "sdk/identity/**/*.md",
       "words": ["MSAL", "PKCE"]
     },
+    {
+      "filename": "sdk/identity/**/*.ts",
+      "words": ["azcmagent", "HIMDS"]
+    },
     {
       "filename": "sdk/iot/iot-modelsrepository/review/**/*.md",
       "words": ["Dtmi", "dtmis"]

diff --git a/common/config/rush/pnpm-lock.yaml b/common/config/rush/pnpm-lock.yaml
diff --git a/sdk/communication/communication-identity/package.json b/sdk/communication/communication-identity/package.json
@@ -113,7 +113,7 @@
     "@azure/dev-tool": "^1.0.0",
     "@azure/eslint-plugin-azure-sdk": "^3.0.0",
     "@azure/identity": "^4.0.1",
-    "@azure/msal-node": "^2.7.0",
+    "@azure/msal-node": "^2.9.2",
     "@azure-tools/test-utils": "^1.0.1",
     "@microsoft/api-extractor": "^7.31.1",
     "@types/chai": "^4.1.6",

diff --git a/sdk/identity/identity-broker/CHANGELOG.md b/sdk/identity/identity-broker/CHANGELOG.md
@@ -1,15 +1,11 @@
 # Release History
 
-## 1.0.1 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
-
-### Bugs Fixed
+## 1.0.1 (2024-06-10)
 
 ### Other Changes
 
+- Upgraded @azure/msal-node to the latest version
+
 ## 1.0.0 (2023-11-07)
 
 ### Features Added

diff --git a/sdk/identity/identity-broker/package.json b/sdk/identity/identity-broker/package.json
@@ -59,7 +59,7 @@
   "dependencies": {
     "@azure/core-auth": "^1.4.0",
     "@azure/identity": "^4.0.1",
-    "@azure/msal-node": "^2.5.1",
+    "@azure/msal-node": "^2.9.2",
     "@azure/msal-node-extensions": "^1.0.7",
     "tslib": "^2.2.0"
   },

diff --git a/sdk/identity/identity-cache-persistence/CHANGELOG.md b/sdk/identity/identity-cache-persistence/CHANGELOG.md
@@ -1,15 +1,11 @@
 # Release History
 
-## 1.1.1 (Unreleased)
-
-### Features Added
-
-### Breaking Changes
-
-### Bugs Fixed
+## 1.1.1 (2024-06-10)
 
 ### Other Changes
 
+- Updated msal-node to the latest version
+
 ## 1.1.0 (2024-03-05)
 
 ### Other Changes

diff --git a/sdk/identity/identity-cache-persistence/package.json b/sdk/identity/identity-cache-persistence/package.json
@@ -61,7 +61,7 @@
   "dependencies": {
     "@azure/core-auth": "^1.5.0",
     "@azure/identity": "^4.0.1",
-    "@azure/msal-node": "^2.5.1",
+    "@azure/msal-node": "^2.9.2",
     "@azure/msal-node-extensions": "^1.0.8",
     "keytar": "^7.6.0",
     "tslib": "^2.2.0"

diff --git a/sdk/identity/identity/CHANGELOG.md b/sdk/identity/identity/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Release History
 
+## 4.3.0-beta.2 (2024-06-10)
+
+### Bugs Fixed
+
+- Managed identity bug fixes
+
 ## 4.3.0-beta.1 (2024-05-08)
 
 ### Features Added

diff --git a/sdk/identity/identity/package.json b/sdk/identity/identity/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@azure/identity",
   "sdk-type": "client",
-  "version": "4.3.0-beta.1",
+  "version": "4.3.0-beta.2",
   "description": "Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID",
   "main": "dist/index.js",
   "module": "dist-esm/src/index.js",
@@ -116,7 +116,7 @@
     "@azure/core-util": "^1.3.0",
     "@azure/logger": "^1.0.0",
     "@azure/msal-browser": "^3.11.1",
-    "@azure/msal-node": "^2.6.6",
+    "@azure/msal-node": "^2.9.2",
     "events": "^3.0.0",
     "jws": "^4.0.0",
     "open": "^8.0.0",

diff --git a/sdk/identity/identity/src/constants.ts b/sdk/identity/identity/src/constants.ts
@@ -4,7 +4,7 @@
 /**
  * Current version of the `@azure/identity` package.
  */
-export const SDK_VERSION = `4.3.0-beta.1`;
+export const SDK_VERSION = `4.3.0-beta.2`;
 
 /**
  * The default client ID for authentication

diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/arcMsi.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/arcMsi.ts
@@ -1,19 +1,20 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
+import { MSI, MSIConfiguration, MSIToken } from "./models";
 import {
   PipelineRequestOptions,
   createHttpHeaders,
   createPipelineRequest,
 } from "@azure/core-rest-pipeline";
-import { GetTokenOptions } from "@azure/core-auth";
-import { readFile } from "fs";
+
 import { AuthenticationError } from "../../errors";
-import { credentialLogger } from "../../util/logging";
+import { GetTokenOptions } from "@azure/core-auth";
 import { IdentityClient } from "../../client/identityClient";
-import { mapScopesToResource } from "./utils";
-import { MSI, MSIConfiguration, MSIToken } from "./models";
 import { azureArcAPIVersion } from "./constants";
+import { credentialLogger } from "../../util/logging";
+import fs from "node:fs";
+import { mapScopesToResource } from "./utils";
 
 const msiName = "ManagedIdentityCredential - Azure Arc MSI";
 const logger = credentialLogger(msiName);
@@ -60,21 +61,6 @@ function prepareRequestOptions(
   });
 }
 
-/**
- * Retrieves the file contents at the given path using promises.
- * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
- */
-function readFileAsync(path: string, options: { encoding: BufferEncoding }): Promise<string> {
-  return new Promise((resolve, reject) =>
-    readFile(path, options, (err, data) => {
-      if (err) {
-        reject(err);
-      }
-      resolve(data);
-    }),
-  );
-}
-
 /**
  * Does a request to the authentication provider that results in a file path.
  */
@@ -103,6 +89,50 @@ async function filePathRequest(
   }
 }
 
+export function platformToFilePath(): string {
+  switch (process.platform) {
+    case "win32":
+      if (!process.env.PROGRAMDATA) {
+        throw new Error(`${msiName}: PROGRAMDATA environment variable has no value.`);
+      }
+      return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
+    case "linux":
+      return "/var/opt/azcmagent/tokens";
+    default:
+      throw new Error(`${msiName}: Unsupported platform ${process.platform}.`);
+  }
+}
+
+/**
+ * Validates that a given Azure Arc MSI file path is valid for use.
+ *
+ * A valid file will:
+ * 1. Be in the expected path for the current platform.
+ * 2. Have a `.key` extension.
+ * 3. Be at most 4096 bytes in size.
+ */
+export function validateKeyFile(filePath?: string): asserts filePath is string {
+  if (!filePath) {
+    throw new Error(`${msiName}: Failed to find the token file.`);
+  }
+
+  if (!filePath.endsWith(".key")) {
+    throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);
+  }
+
+  const expectedPath = platformToFilePath();
+  if (!filePath.startsWith(expectedPath)) {
+    throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);
+  }
+
+  const stats = fs.statSync(filePath);
+  if (stats.size > 4096) {
+    throw new Error(
+      `${msiName}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`,
+    );
+  }
+}
+
 /**
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
@@ -150,12 +180,9 @@ export const arcMsi: MSI = {
     };
 
     const filePath = await filePathRequest(identityClient, requestOptions);
+    validateKeyFile(filePath);
 
-    if (!filePath) {
-      throw new Error(`${msiName}: Failed to find the token file.`);
-    }
-
-    const key = await readFileAsync(filePath, { encoding: "utf-8" });
+    const key = await fs.promises.readFile(filePath, { encoding: "utf-8" });
     requestOptions.headers?.set("Authorization", `Basic ${key}`);
 
     const request = createPipelineRequest({