Implementation Based on Feature Request (#7151)

Author: Robbie-Microsoft

change/@azure-msal-node-dbe642e7-1446-4b2d-9173-11242e9f5734.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Implementation Based on Feature Request #7151",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-node/src/client/ManagedIdentitySources/AzureArc.ts

@@ -24,6 +24,7 @@ import {
 import {
     API_VERSION_QUERY_PARAMETER_NAME,
     AUTHORIZATION_HEADER_NAME,
+    AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES,
     HttpMethod,
     METADATA_HEADER_NAME,
     ManagedIdentityEnvironmentVariableNames,
@@ -32,12 +33,18 @@ import {
     RESOURCE_BODY_OR_QUERY_PARAMETER_NAME,
 } from "../../utils/Constants";
 import { NodeStorage } from "../../cache/NodeStorage";
-import { readFileSync } from "fs";
+import { readFileSync, statSync } from "fs";
 import { ManagedIdentityTokenResponse } from "../../response/ManagedIdentityTokenResponse";
 import { ManagedIdentityId } from "../../config/ManagedIdentityId";
+import path from "path";
 
 export const ARC_API_VERSION: string = "2019-11-01";
 
+export const SUPPORTED_AZURE_ARC_PLATFORMS = {
+    win32: `${process.env["ProgramData"]}\\AzureConnectedMachineAgent\\Tokens\\`,
+    linux: "/var/opt/azcmagent/tokens/",
+};
+
 /**
  * Original source of code: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs
  */
@@ -168,10 +175,60 @@ export class AzureArc extends BaseManagedIdentitySource {
                 );
             }
 
-            const secretFile = wwwAuthHeader.split("Basic realm=")[1];
+            const secretFilePath = wwwAuthHeader.split("Basic realm=")[1];
+
+            // throw an error if the managed identity application is not being run on Windows or Linux
+            if (
+                !SUPPORTED_AZURE_ARC_PLATFORMS.hasOwnProperty(process.platform)
+            ) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.platformNotSupported
+                );
+            }
+
+            // get the expected Windows or Linux file path)
+            const expectedSecretFilePath: string =
+                SUPPORTED_AZURE_ARC_PLATFORMS[process.platform as string];
+
+            // throw an error if the file in the file path is not a .key file
+            const fileName: string = path.basename(secretFilePath);
+            if (!fileName.endsWith(".key")) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.invalidFileExtension
+                );
+            }
+
+            /*
+             * throw an error if the file path from the www-authenticate header does not match the
+             * expected file path for the platform (Windows or Linux) the managed identity application
+             * is running on
+             */
+            if (expectedSecretFilePath + fileName !== secretFilePath) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.invalidFilePath
+                );
+            }
+
+            let secretFileSize;
+            // attempt to get the secret file's size, in bytes
+            try {
+                secretFileSize = await statSync(secretFilePath).size;
+            } catch (e) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.unableToReadSecretFile
+                );
+            }
+            // throw an error if the secret file's size is greater than 4096 bytes
+            if (secretFileSize > AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES) {
+                throw createManagedIdentityError(
+                    ManagedIdentityErrorCodes.invalidSecret
+                );
+            }
+
+            // attempt to read the contents of the secret file
             let secret;
             try {
-                secret = readFileSync(secretFile, "utf-8");
+                secret = readFileSync(secretFilePath, "utf-8");
             } catch (e) {
                 throw createManagedIdentityError(
                     ManagedIdentityErrorCodes.unableToReadSecretFile

lib/msal-node/src/error/ManagedIdentityError.ts

@@ -12,8 +12,16 @@ export { ManagedIdentityErrorCodes };
  * ManagedIdentityErrorMessage class containing string constants used by error codes and messages.
  */
 export const ManagedIdentityErrorMessages = {
+    [ManagedIdentityErrorCodes.invalidFileExtension]:
+        "The file path in the WWW-Authenticate header does not contain a .key file.",
+    [ManagedIdentityErrorCodes.invalidFilePath]:
+        "The file path in the WWW-Authenticate header is not in a valid Windows or Linux Format.",
     [ManagedIdentityErrorCodes.invalidManagedIdentityIdType]:
         "More than one ManagedIdentityIdType was provided.",
+    [ManagedIdentityErrorCodes.invalidSecret]:
+        "The secret in the file on the file path in the WWW-Authenticate header is greater than 4096 bytes.",
+    [ManagedIdentityErrorCodes.platformNotSupported]:
+        "The platform is not supported by Azure Arc. Azure Arc only supports Windows and Linux.",
     [ManagedIdentityErrorCodes.missingId]:
         "A ManagedIdentityId id was not provided.",
     [ManagedIdentityErrorCodes.MsiEnvironmentVariableUrlMalformedErrorCodes

lib/msal-node/src/error/ManagedIdentityErrorCodes.ts

@@ -5,9 +5,13 @@
 
 import { ManagedIdentityEnvironmentVariableNames } from "../utils/Constants";
 
+export const invalidFileExtension = "invalid_file_extension";
+export const invalidFilePath = "invalid_file_path";
 export const invalidManagedIdentityIdType = "invalid_managed_identity_id_type";
+export const invalidSecret = "invalid_secret";
 export const missingId = "missing_client_id";
 export const networkUnavailable = "network_unavailable";
+export const platformNotSupported = "platform_not_supported";
 export const unableToCreateAzureArc = "unable_to_create_azure_arc";
 export const unableToCreateCloudShell = "unable_to_create_cloud_shell";
 export const unableToCreateSource = "unable_to_create_source";

lib/msal-node/src/utils/Constants.ts

@@ -161,6 +161,8 @@ export const LOOPBACK_SERVER_CONSTANTS = {
     TIMEOUT_MS: 5000,
 };
 
+export const AZURE_ARC_SECRET_FILE_MAX_SIZE_BYTES = 4096; // 4 KB
+
 export const MANAGED_IDENTITY_MAX_RETRIES = 3;
 export const MANAGED_IDENTITY_RETRY_DELAY = 1000;
 export const MANAGED_IDENTITY_HTTP_STATUS_CODES_TO_RETRY_ON = [