Merge pull request #3705 from iclanton/rush-azure-storage-plugin-refactor

[rush] Refactor @rushstack/rush-azure-storage-build-cache-plugin to expose an API for generating and caching Azure credentials for other workloads, in addition to Storage.

Author: iclanton

common/changes/@microsoft/rush/rush-azure-storage-plugin-refactor_2022-10-17-21-12.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@microsoft/rush",
+      "comment": "Refactor @rushstack/rush-azure-storage-build-cache-plugin to expose an API for generating and caching Azure credentials for other workloads, in addition to Storage.",
+      "type": "none"
+    }
+  ],
+  "packageName": "@microsoft/rush"
+}

common/reviews/api/rush-azure-storage-build-cache-plugin.api.md

@@ -5,40 +5,69 @@
 ```ts
 
 import { AzureAuthorityHosts } from '@azure/identity';
+import { DeviceCodeCredential } from '@azure/identity';
 import type { IRushPlugin } from '@rushstack/rush-sdk';
 import type { ITerminal } from '@rushstack/node-core-library';
 import type { RushConfiguration } from '@rushstack/rush-sdk';
 import type { RushSession } from '@rushstack/rush-sdk';
 
+// @public (undocumented)
+export abstract class AzureAuthenticationBase {
+    constructor(options: IAzureAuthenticationBaseOptions);
+    // (undocumented)
+    protected readonly _azureEnvironment: AzureEnvironmentName;
+    // (undocumented)
+    protected abstract readonly _credentialKindForLogging: string;
+    // (undocumented)
+    protected abstract readonly _credentialNameForCache: string;
+    // (undocumented)
+    protected abstract readonly _credentialUpdateCommandForLogging: string | undefined;
+    // (undocumented)
+    deleteCachedCredentialsAsync(terminal: ITerminal): Promise<void>;
+    protected abstract _getCacheIdParts(): string[];
+    // (undocumented)
+    protected abstract _getCredentialFromDeviceCodeAsync(terminal: ITerminal, deviceCodeCredential: DeviceCodeCredential): Promise<ICredentialResult>;
+    // (undocumented)
+    tryGetCachedCredentialAsync(doNotThrowIfExpired?: boolean): Promise<string | undefined>;
+    // (undocumented)
+    updateCachedCredentialAsync(terminal: ITerminal, credential: string): Promise<void>;
+    updateCachedCredentialInteractiveAsync(terminal: ITerminal, onlyIfExistingCredentialExpiresAfter?: Date): Promise<void>;
+}
+
 // @public (undocumented)
 export type AzureEnvironmentName = keyof typeof AzureAuthorityHosts;
 
 // @public (undocumented)
-export class AzureStorageAuthentication {
+export class AzureStorageAuthentication extends AzureAuthenticationBase {
     constructor(options: IAzureStorageAuthenticationOptions);
     // (undocumented)
-    protected readonly _azureEnvironment: AzureEnvironmentName;
+    protected readonly _credentialKindForLogging: string;
     // (undocumented)
-    deleteCachedCredentialsAsync(terminal: ITerminal): Promise<void>;
+    protected readonly _credentialNameForCache: string;
+    // (undocumented)
+    protected readonly _credentialUpdateCommandForLogging: string;
+    // (undocumented)
+    protected _getCacheIdParts(): string[];
+    // (undocumented)
+    protected _getCredentialFromDeviceCodeAsync(terminal: ITerminal, deviceCodeCredential: DeviceCodeCredential): Promise<ICredentialResult>;
     // (undocumented)
     protected readonly _isCacheWriteAllowedByConfiguration: boolean;
     // (undocumented)
     protected readonly _storageAccountName: string;
     // (undocumented)
-    protected get _storageAccountUrl(): string;
+    protected readonly _storageAccountUrl: string;
     // (undocumented)
     protected readonly _storageContainerName: string;
-    // (undocumented)
-    tryGetCachedCredentialAsync(): Promise<string | undefined>;
-    // (undocumented)
-    updateCachedCredentialAsync(terminal: ITerminal, credential: string): Promise<void>;
-    updateCachedCredentialInteractiveAsync(terminal: ITerminal, onlyIfExistingCredentialExpiresAfter?: Date): Promise<void>;
 }
 
 // @public (undocumented)
-export interface IAzureStorageAuthenticationOptions {
+export interface IAzureAuthenticationBaseOptions {
     // (undocumented)
     azureEnvironment?: AzureEnvironmentName;
+}
+
+// @public (undocumented)
+export interface IAzureStorageAuthenticationOptions extends IAzureAuthenticationBaseOptions {
     // (undocumented)
     isCacheWriteAllowed: boolean;
     // (undocumented)
@@ -47,6 +76,14 @@ export interface IAzureStorageAuthenticationOptions {
     storageContainerName: string;
 }
 
+// @public (undocumented)
+export interface ICredentialResult {
+    // (undocumented)
+    credentialString: string;
+    // (undocumented)
+    expiresOn: Date | undefined;
+}
+
 // @public (undocumented)
 class RushAzureStorageBuildCachePlugin implements IRushPlugin {
     // (undocumented)

rush-plugins/rush-azure-storage-build-cache-plugin/src/AzureAuthenticationBase.ts

@@ -0,0 +1,175 @@
+// Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
+// See LICENSE in the project root for license information.
+
+import { DeviceCodeCredential, type DeviceCodeInfo, AzureAuthorityHosts } from '@azure/identity';
+import type { ITerminal } from '@rushstack/node-core-library';
+import { CredentialCache, type ICredentialCacheEntry } from '@rushstack/rush-sdk';
+import { PrintUtilities } from '@rushstack/terminal';
+
+/**
+ * @public
+ */
+export type AzureEnvironmentName = keyof typeof AzureAuthorityHosts;
+
+/**
+ * @public
+ */
+export interface IAzureAuthenticationBaseOptions {
+  azureEnvironment?: AzureEnvironmentName;
+}
+
+/**
+ * @public
+ */ export interface ICredentialResult {
+  credentialString: string;
+  expiresOn: Date | undefined;
+}
+
+/**
+ * @public
+ */
+export abstract class AzureAuthenticationBase {
+  protected abstract readonly _credentialNameForCache: string;
+  protected abstract readonly _credentialKindForLogging: string;
+  protected abstract readonly _credentialUpdateCommandForLogging: string | undefined;
+
+  protected readonly _azureEnvironment: AzureEnvironmentName;
+
+  private __credentialCacheId: string | undefined;
+  private get _credentialCacheId(): string {
+    if (!this.__credentialCacheId) {
+      const cacheIdParts: string[] = [
+        this._credentialNameForCache,
+        this._azureEnvironment,
+        ...this._getCacheIdParts()
+      ];
+
+      this.__credentialCacheId = cacheIdParts.join('|');
+    }
+
+    return this.__credentialCacheId;
+  }
+
+  public constructor(options: IAzureAuthenticationBaseOptions) {
+    this._azureEnvironment = options.azureEnvironment || 'AzurePublicCloud';
+  }
+
+  public async updateCachedCredentialAsync(terminal: ITerminal, credential: string): Promise<void> {
+    await CredentialCache.usingAsync(
+      {
+        supportEditing: true
+      },
+      async (credentialsCache: CredentialCache) => {
+        credentialsCache.setCacheEntry(this._credentialCacheId, credential);
+        await credentialsCache.saveIfModifiedAsync();
+      }
+    );
+  }
+
+  /**
+   * Launches an interactive flow to renew a cached credential.
+   *
+   * @param terminal - The terminal to log output to
+   * @param onlyIfExistingCredentialExpiresAfter - If specified, and a cached credential exists that is still valid
+   * after the date specified, no action will be taken.
+   */
+  public async updateCachedCredentialInteractiveAsync(
+    terminal: ITerminal,
+    onlyIfExistingCredentialExpiresAfter?: Date
+  ): Promise<void> {
+    await CredentialCache.usingAsync(
+      {
+        supportEditing: true
+      },
+      async (credentialsCache: CredentialCache) => {
+        if (onlyIfExistingCredentialExpiresAfter) {
+          const existingCredentialExpiration: Date | undefined = credentialsCache.tryGetCacheEntry(
+            this._credentialCacheId
+          )?.expires;
+          if (
+            existingCredentialExpiration &&
+            existingCredentialExpiration > onlyIfExistingCredentialExpiresAfter
+          ) {
+            return;
+          }
+        }
+
+        const credential: ICredentialResult = await this._getCredentialAsync(terminal);
+        credentialsCache.setCacheEntry(
+          this._credentialCacheId,
+          credential.credentialString,
+          credential.expiresOn
+        );
+        await credentialsCache.saveIfModifiedAsync();
+      }
+    );
+  }
+
+  public async deleteCachedCredentialsAsync(terminal: ITerminal): Promise<void> {
+    await CredentialCache.usingAsync(
+      {
+        supportEditing: true
+      },
+      async (credentialsCache: CredentialCache) => {
+        credentialsCache.deleteCacheEntry(this._credentialCacheId);
+        await credentialsCache.saveIfModifiedAsync();
+      }
+    );
+  }
+
+  public async tryGetCachedCredentialAsync(doNotThrowIfExpired?: boolean): Promise<string | undefined> {
+    let cacheEntry: ICredentialCacheEntry | undefined;
+    await CredentialCache.usingAsync(
+      {
+        supportEditing: false
+      },
+      (credentialsCache: CredentialCache) => {
+        cacheEntry = credentialsCache.tryGetCacheEntry(this._credentialCacheId);
+      }
+    );
+
+    const expirationTime: number | undefined = cacheEntry?.expires?.getTime();
+    if (expirationTime && expirationTime < Date.now()) {
+      if (!doNotThrowIfExpired) {
+        let errorMessage: string = `Cached Azure ${this._credentialKindForLogging} credentials have expired.`;
+        if (this._credentialUpdateCommandForLogging) {
+          errorMessage += ` Update the credentials by running "${this._credentialUpdateCommandForLogging}".`;
+        }
+
+        throw new Error(errorMessage);
+      } else {
+        return undefined;
+      }
+    } else {
+      return cacheEntry?.credential;
+    }
+  }
+
+  /**
+   * Get parts of the cache ID that are specific to the credential type. Note that this should
+   * not contain the Azure environment or the {@link AzureAuthenticationBase._credentialNameForCache}
+   * value, as those are added automatically.
+   */
+  protected abstract _getCacheIdParts(): string[];
+
+  protected abstract _getCredentialFromDeviceCodeAsync(
+    terminal: ITerminal,
+    deviceCodeCredential: DeviceCodeCredential
+  ): Promise<ICredentialResult>;
+
+  private async _getCredentialAsync(terminal: ITerminal): Promise<ICredentialResult> {
+    const authorityHost: string | undefined = AzureAuthorityHosts[this._azureEnvironment];
+    if (!authorityHost) {
+      throw new Error(`Unexpected Azure environment: ${this._azureEnvironment}`);
+    }
+
+    const deviceCodeCredential: DeviceCodeCredential = new DeviceCodeCredential({
+      authorityHost: authorityHost,
+      userPromptCallback: (deviceCodeInfo: DeviceCodeInfo) => {
+        PrintUtilities.printMessageInBox(deviceCodeInfo.message, terminal);
+      }
+    });
+
+    return await this._getCredentialFromDeviceCodeAsync(terminal, deviceCodeCredential);
+  }
+}