pnp · martinlingstuyl · Aug 22, 2024 · Aug 23, 2024 · waldekmastykarz · Aug 23, 2024
diff --git a/src/Auth.ts b/src/Auth.ts
@@ -108,7 +108,8 @@ export enum AuthType {
   Certificate,
   Identity,
   Browser,
-  Secret
+  Secret,
+  AccessToken
 }
 
 export enum CertificateType {
@@ -199,19 +200,17 @@ export class Auth {
   }
 
   public async ensureAccessToken(resource: string, logger: Logger, debug: boolean = false, fetchNew: boolean = false): Promise<string> {
-    const now: Date = new Date();
     const accessToken: AccessToken | undefined = this.connection.accessTokens[resource];
-    const expiresOn: Date = accessToken && accessToken.expiresOn ?
-      // if expiresOn is serialized from the service file, it's set as a string
-      // if it's coming from MSAL, it's a Date
-      typeof accessToken.expiresOn === 'string' ? new Date(accessToken.expiresOn) : accessToken.expiresOn
-      : new Date(0);
 
-    if (!fetchNew && accessToken && expiresOn > now) {
+    if (!fetchNew && accessToken && !this.accessTokenExpired(accessToken)) {
       if (debug) {
         await logger.logToStderr(`Existing access token ${accessToken.accessToken} still valid. Returning...`);
       }
-      return accessToken.accessToken;
+
+      // If the authType is accessToken, we handle returning the token later on.
+      if (this.connection.authType !== AuthType.AccessToken) {
+        return accessToken.accessToken;
+      }
     }
     else {
       if (debug) {
@@ -229,10 +228,12 @@ export class Auth {
     // When using an application identity, you can't retrieve the access token silently, because there is
     // no account. Also (for cert auth) clientApplication is instantiated later
     // after inspecting the specified cert and calculating thumbprint if one
-    // wasn't specified
+    // wasn't specified. For accessToken auth, we can't fetch a new token, 
+    // as the tokens are passed in through the login command.
     if (this.connection.authType !== AuthType.Certificate &&
       this.connection.authType !== AuthType.Secret &&
-      this.connection.authType !== AuthType.Identity) {
+      this.connection.authType !== AuthType.Identity &&
+      this.connection.authType !== AuthType.AccessToken) {
       this.clientApplication = await this.getPublicClient(logger, debug);
       if (this.clientApplication) {
         const accounts = await this.clientApplication.getTokenCache().getAllAccounts();
@@ -263,6 +264,9 @@ export class Auth {
         case AuthType.Secret:
           getTokenPromise = this.ensureAccessTokenWithSecret.bind(this);
           break;
+        case AuthType.AccessToken:
+          getTokenPromise = this.returnValidAccessTokenForResource.bind(this);
+          break;
       }
     }
 
@@ -304,6 +308,17 @@ export class Auth {
     return response.accessToken;
   }
 
+  public accessTokenExpired(accessToken: AccessToken): boolean {
+    const now: Date = new Date();
+    const expiresOn: Date = accessToken && accessToken.expiresOn ?
+      // if expiresOn is serialized from the service file, it's set as a string
+      // if it's coming from MSAL, it's a Date
+      typeof accessToken.expiresOn === 'string' ? new Date(accessToken.expiresOn) : accessToken.expiresOn
+      : new Date(0);
+
+    return expiresOn <= now;
+  }
+
   private async getAuthClientConfiguration(logger: Logger, debug: boolean, certificateThumbprint?: string, certificatePrivateKey?: string, clientSecret?: string): Promise<Msal.Configuration> {
     const msal: typeof Msal = await import('@azure/msal-node');
     const { LogLevel } = msal;
@@ -420,13 +435,13 @@ export class Auth {
     }
 
     // Asserting identityId because it is expected to be available at this point.
-    assert(this.connection.identityId !== undefined);
+    assert(this.connection.identityId !== undefined, 'identityId is undefined');
 
     const account = await (this.clientApplication as Msal.ClientApplication)
       .getTokenCache().getAccountByLocalId(this.connection.identityId);
 
     // Asserting account because it is expected to be available at this point.
-    assert(account !== null);
+    assert(account !== null, 'account is null');
 
     return (this.clientApplication as Msal.ClientApplication).acquireTokenSilent({
       account: account,
@@ -507,7 +522,7 @@ export class Auth {
         const pemObjs = pem.decode(cert);
 
         if (this.connection.thumbprint === undefined) {
-          const pemCertObj = pemObjs.find(pem => pem.type === "CERTIFICATE");
+          const pemCertObj = pemObjs.find(pem => pem.type === 'CERTIFICATE');
           const pemCertStr: string = pem.encode(pemCertObj!);
           const pemCert = pki.certificateFromPem(pemCertStr);
 
@@ -657,11 +672,11 @@ export class Auth {
       let isNotFoundResponse = false;
       if (e.error && e.error.Message) {
         // check if it is Azure Function api 'not found' response
-        isNotFoundResponse = (e.error.Message.indexOf("No Managed Identity found") !== -1);
+        isNotFoundResponse = (e.error.Message.indexOf('No Managed Identity found') !== -1);
       }
       else if (e.error && e.error.error_description) {
         // check if it is Azure VM api 'not found' response
-        isNotFoundResponse = (e.error.error_description === "Identity not found");
+        isNotFoundResponse = (e.error.error_description === 'Identity not found');
       }
 
       if (!isNotFoundResponse) {
@@ -706,6 +721,24 @@ export class Auth {
     });
   }
 
+  private async returnValidAccessTokenForResource(resource: string, logger: Logger, debug: boolean): Promise<AccessToken | null> {
+    const accessToken: AccessToken | undefined = this.connection.accessTokens[resource];
+
+    if (!accessToken) {
+      throw `No token found for resource ${resource}.`;
+    }
+
+    if (this.accessTokenExpired(accessToken)) {
+      throw `Access token for resource '${resource}' expired. ExpiresAt: ${accessToken.expiresOn}`;
+    }
+
+    if (debug) {
+      await logger.logToStderr(`Existing access token ${accessToken.accessToken} still valid. Returning...`);
+    }
+
+    return accessToken;
+  }
+
   private async calculateThumbprint(certificate: NodeForge.pki.Certificate): Promise<string> {
     const nodeForge = (await import('node-forge')).default;
     const { md, asn1, pki } = nodeForge;
@@ -878,8 +911,8 @@ export class Auth {
 
   public getConnectionDetails(connection: Connection): ConnectionDetails {
     // Asserting name and identityId because they are optional, but required at this point.    
-    assert(connection.identityName !== undefined);
-    assert(connection.name !== undefined);
+    assert(connection.identityName !== undefined, 'identity name is undefined');
+    assert(connection.name !== undefined, 'connection name is undefined');
 
     const details: ConnectionDetails = {
       connectionName: connection.name,

diff --git a/src/Command.ts b/src/Command.ts
@@ -513,11 +513,12 @@ export default abstract class Command {
   }
 
   private loadValuesFromAccessToken(args: CommandArgs): void {
-    if (!auth.connection.accessTokens[auth.defaultResource]) {
+    const resource = Object.keys(auth.connection.accessTokens)[0];
+    if (!auth.connection.accessTokens[resource]) {
       return;
     }
 
-    const token = auth.connection.accessTokens[auth.defaultResource].accessToken;
+    const token = auth.connection.accessTokens[resource].accessToken;
     const optionNames: string[] = Object.getOwnPropertyNames(args.options);
     optionNames.forEach(option => {
       const value = args.options[option];
@@ -527,7 +528,7 @@ export default abstract class Command {
 
       const lowerCaseValue = value.toLowerCase().trim();
       if (lowerCaseValue === '@meid' || lowerCaseValue === '@meusername') {
-        const isAppOnlyAccessToken = accessToken.isAppOnlyAccessToken(auth.connection.accessTokens[auth.defaultResource].accessToken);
+        const isAppOnlyAccessToken = accessToken.isAppOnlyAccessToken(auth.connection.accessTokens[resource].accessToken);
         if (isAppOnlyAccessToken) {
           throw `It's not possible to use ${value} with application permissions`;
         }

diff --git a/src/config.ts b/src/config.ts
@@ -6,6 +6,7 @@ export default {
   applicationName: `CLI for Microsoft 365 v${app.packageJson().version}`,
   delimiter: 'm365\$',
   cliEntraAppId: process.env.CLIMICROSOFT365_ENTRAAPPID || process.env.CLIMICROSOFT365_AADAPPID || cliEntraAppId,
+  cliEnvEntraAppId: process.env.CLIMICROSOFT365_ENTRAAPPID || process.env.CLIMICROSOFT365_AADAPPID,
   tenant: process.env.CLIMICROSOFT365_TENANT || 'common',
   configstoreName: 'cli-m365-config'
 };
diff --git a/src/m365/commands/login.ts b/src/m365/commands/login.ts
@@ -10,10 +10,11 @@ import config from '../../config.js';
 import { settingsNames } from '../../settingsNames.js';
 import { zod } from '../../utils/zod.js';
 import commands from './commands.js';
+import { accessToken as accessTokenUtil } from '../../utils/accessToken.js';
 
 const options = globalOptionsZod
   .extend({
-    authType: zod.alias('t', z.enum(['certificate', 'deviceCode', 'password', 'identity', 'browser', 'secret']).optional()),
+    authType: zod.alias('t', z.enum(['certificate', 'deviceCode', 'password', 'identity', 'browser', 'secret', 'accessToken']).optional()),
     cloud: z.nativeEnum(CloudType).optional().default(CloudType.Public),
     userName: zod.alias('u', z.string().optional()),
     password: zod.alias('p', z.string().optional()),
@@ -26,6 +27,7 @@ const options = globalOptionsZod
     appId: z.string().optional(),
     tenant: z.string().optional(),
     secret: zod.alias('s', z.string().optional()),
+    accessToken: zod.alias('a', z.string().or(z.array(z.string())).optional()),
     connectionName: z.string().optional()
   })
   .strict();
@@ -64,6 +66,21 @@ class LoginCommand extends Command {
       })
       .refine(options => options.authType !== 'secret' || options.secret, {
         message: 'Secret is required when using secret authentication'
+      })
+      .refine(options => options.authType !== 'accessToken' || options.accessToken, {
+        message: 'accessToken is required when using accessToken authentication'
+      })
+      .refine(options => !(options.authType === 'accessToken' && options.accessToken && !this.validatesAccessTokensAreForSingleTenant(options)), {
+        message: 'The provided accessToken is not for the specified tenant or the access tokens are not for the same tenant'
+      })
+      .refine(options => !(options.authType === 'accessToken' && options.accessToken && !this.validatesAccessTokensAreForSingleApp(options)), {
+        message: 'The provided access token is not for the specified app or the access tokens are not for the same app'
+      })
+      .refine(options => !(options.authType === 'accessToken' && options.accessToken && !this.validatesAccessTokensAreForSingleResource(options)), {
+        message: 'Specify access tokens that are not for the same resource'
+      })
+      .refine(options => !(options.authType === 'accessToken' && options.accessToken && !this.validatesAccessTokensNotExpired(options)), {
+        message: 'The provided access token has expired'
       });
   }
 
@@ -107,13 +124,37 @@ class LoginCommand extends Command {
         case 'secret':
           auth.connection.authType = AuthType.Secret;
           auth.connection.secret = args.options.secret;
+          break;
+        case 'accessToken':
+          const accessTokens = typeof args.options.accessToken === 'string' ? [args.options.accessToken] : args.options.accessToken as string[];
+          auth.connection.authType = AuthType.AccessToken;
+          auth.connection.appId = accessTokenUtil.getTenantIdFromAccessToken(accessTokens[0]);
+          auth.connection.tenant = accessTokenUtil.getAppIdFromAccessToken(accessTokens[0]);
+
+          for (const token of accessTokens) {
+            const resource = accessTokenUtil.getAudienceFromAccessToken(token);
+            const expiresOn = accessTokenUtil.getExpirationFromAccessToken(token);
+
+            auth.connection.accessTokens[resource] = {
+              expiresOn: expiresOn as Date || null,
+              accessToken: token
+            };
+          };
+
           break;
       }
 
       auth.connection.cloudType = args.options.cloud;
 
       try {
-        await auth.ensureAccessToken(auth.defaultResource, logger, this.debug);
+        if (auth.connection.authType !== AuthType.AccessToken) {
+          await auth.ensureAccessToken(auth.defaultResource, logger, this.debug);
+        }
+        else {
+          for (const resource of Object.keys(auth.connection.accessTokens)) {
+            await auth.ensureAccessToken(resource, logger, this.debug);
+          }
+        }
         auth.connection.active = true;
       }
       catch (error: any) {
@@ -123,7 +164,12 @@ class LoginCommand extends Command {
           await logger.logToStderr('');
         }
 
-        throw new CommandError(error.message);
+        if (error instanceof Error) {
+          throw new CommandError(error.message);
+        }
+        else {
+          throw new CommandError(error);
+        }
       }
 
       const details = auth.getConnectionDetails(auth.connection);
@@ -151,6 +197,80 @@ class LoginCommand extends Command {
     await this.initAction(args, logger);
     await this.commandAction(logger, args);
   }
+
+  private validatesAccessTokensAreForSingleTenant(options: Options): boolean {
+    const accessTokens = typeof options.accessToken === 'string' ? [options.accessToken] : options.accessToken as string[];
+    let tenant = options.tenant || config.tenant;
+
+    for (const token of accessTokens) {
+      const tenantIdInAccessToken = accessTokenUtil.getTenantIdFromAccessToken(token);
+
+      if (tenant !== 'common' && tenant !== tenantIdInAccessToken) {
+        return false;
+      }
+
+      tenant = tenantIdInAccessToken;
+    };
+
+    return true;
+  }
+
+  private validatesAccessTokensAreForSingleApp(options: Options): boolean {
+    const accessTokens = typeof options.accessToken === 'string' ? [options.accessToken] : options.accessToken as string[];
+    let appId = options.appId || config.cliEnvEntraAppId || '';
+
+    for (const token of accessTokens) {
+      const appIdInAccessToken = accessTokenUtil.getAppIdFromAccessToken(token);
+
+      if (appId !== '' && appId !== appIdInAccessToken) {
+        return false;
+      }
+
+      appId = appIdInAccessToken;
+    };
+
+    return true;
+  }
+
+  private validatesAccessTokensAreForSingleResource(options: Options): boolean {
+    const accessTokens = typeof options.accessToken === 'string' ? [options.accessToken] : options.accessToken as string[];
+    const resources: string[] = [];
+
+    if (accessTokens.length === 1) {
+      return true;
+    }
+
+    for (const token of accessTokens) {
+      const resource = accessTokenUtil.getAudienceFromAccessToken(token);
+
+      if (resources.indexOf(resource) > -1) {
+        return false;
+      }
+
+      resources.push(resource);
+    };
+
+    return true;
+  }
+
+  private validatesAccessTokensNotExpired(options: Options): boolean {
+    const accessTokens = typeof options.accessToken === 'string' ? [options.accessToken] : options.accessToken as string[];
+
+    for (const token of accessTokens) {
+      const expiresOn = accessTokenUtil.getExpirationFromAccessToken(token);
+
+      const accessToken = {
+        expiresOn: expiresOn as Date || null,
+        accessToken: token
+      };
+
+      if (auth.accessTokenExpired(accessToken)) {
+        return false;
+      }
+    };
+
+    return true;
+  }
 }
 
 export default new LoginCommand();
diff --git a/src/m365/commands/status.ts b/src/m365/commands/status.ts
@@ -1,4 +1,4 @@
-import auth from '../../Auth.js';
+import auth, { AuthType } from '../../Auth.js';
 import { Logger } from '../../cli/Logger.js';
 import Command, { CommandArgs, CommandError } from '../../Command.js';
 import commands from './commands.js';
@@ -15,7 +15,14 @@ class StatusCommand extends Command {
   public async commandAction(logger: Logger): Promise<void> {
     if (auth.connection.active) {
       try {
-        await auth.ensureAccessToken(auth.defaultResource, logger, this.debug);
+        if (auth.connection.authType !== AuthType.AccessToken) {
+          await auth.ensureAccessToken(auth.defaultResource, logger, this.debug);
+        }
+        else {
+          for (const resource of Object.keys(auth.connection.accessTokens)) {
+            await auth.ensureAccessToken(resource, logger, this.debug);
+          }
+        }
       }
       catch (err: any) {
         if (this.debug) {

diff --git a/src/m365/entra/commands/app/app-add.ts b/src/m365/entra/commands/app/app-add.ts
@@ -268,7 +268,7 @@ class EntraAppAddCommand extends GraphCommand {
       // directory. If we in the future extend the command with allowing
       // users to create Microsoft Entra app in a different directory, we'll need to
       // adjust this
-      appInfo.tenantId = accessToken.getTenantIdFromAccessToken(auth.connection.accessTokens[auth.defaultResource].accessToken);
+      appInfo.tenantId = accessToken.getTenantIdFromAccessToken(auth.connection.accessTokens[Object.keys(auth.connection.accessTokens)[0]].accessToken);
       appInfo = await this.updateAppFromManifest(args, appInfo);
       appInfo = await this.grantAdminConsent(appInfo, args.options.grantAdminConsent, logger);
       appInfo = await this.configureUri(args, appInfo, logger);