NpmAuthenticateV0 - Enable WIF for internal and external feeds (#20587)

* init

* bump version

* some refactoring

* reprioritize the service connection auth

* Add new strings

* fix npm auth

* remove unused warning

* Update Tasks/NpmAuthenticateV0/Strings/resources.resjson/en-US/resources.resjson

Co-authored-by: Alex Torres <[email protected]>

* update strings

---------

Co-authored-by: Alex Torres <[email protected]>

Author: embetten

Tasks/NpmAuthenticateV0/Strings/resources.resjson/en-US/resources.resjson

@@ -8,7 +8,7 @@
   "loc.input.label.customEndpoint": "Credentials for registries outside this organization/collection",
   "loc.input.help.customEndpoint": "Credentials to use for external registries located in the project's .npmrc. For registries in this organization/collection, leave this blank; the build’s credentials are used automatically.",
   "loc.input.label.workloadIdentityServiceConnection": "'Azure DevOps' Service Connection",
-  "loc.input.help.workloadIdentityServiceConnection": "If this is set, feedUrl is required. Service Connections for external organizations/collection and custom endpoints are not compatible.",
+  "loc.input.help.workloadIdentityServiceConnection": "Credentials to use for registries located a project's .npmrc file. Use with feedUrl to specify credentials used for the single registry in a .npmrc file. Not compatible with customEndpoint.",
   "loc.input.label.feedUrl": "Azure Artifacts URL",
   "loc.input.help.feedUrl": "If this is set, azureDevOpsServiceConnection is required. Not compatible with customEndpoint. Feed Url should be in the npm registry format, e.g. https://pkgs.dev.azure.com/{ORG_NAME}/{PROJECT}/_packaging/{FEED_NAME}/npm/registry/",
   "loc.messages.FoundBuildCredentials": "Found build credentials",
@@ -34,7 +34,7 @@
   "loc.messages.Info_AddingFederatedFeedAuth": "Adding auth information from service connection %s for feed %s",
   "loc.messages.Info_SuccessAddingFederatedFeedAuth": "Successfully added auth for feed %s.",
   "loc.messages.FailedToGetServiceConnectionAuth": "Unable to get federated credentials from service connection: %s.",
-  "loc.messages.MissingFeedUrlOrServiceConnection": "Both feed url and service connection need to be set and cannot be empty.",
+  "loc.messages.MissingFeedUrlOrServiceConnection": "If feed url is provided, the 'Azure DevOps' service connection must be provided and cannot be empty.",
   "loc.messages.SkippingParsingNpmrc": "Skipping parsing npmrc",
   "loc.messages.DuplicateCredentials": "Auth for the registry '%s' was previously set. Overwriting with new configuration.",
   "loc.messages.FoundEndpointCredentials": "Found set credentials for the '%s' service connection."

Tasks/NpmAuthenticateV0/npmauth.ts

@@ -83,48 +83,6 @@ async function main(): Promise<void> {
     let LocalNpmRegistries = await npmutil.getLocalNpmRegistries(workingDirectory, packagingLocation.PackagingUris);
     let npmrcFile = fs.readFileSync(npmrc, 'utf8').split(os.EOL);
 
-#if WIF
-    const feedUrl = npmrcparser.NormalizeRegistry(tl.getInput("feedUrl"));
-    const entraWifServiceConnectionName = tl.getInput("workloadIdentityServiceConnection");
-
-    // Skip npmrc parsing if we are using feed url and wif service connection
-    if (feedUrl && entraWifServiceConnectionName) {
-        tl.debug(tl.loc("Info_AddingFederatedFeedAuth", entraWifServiceConnectionName, feedUrl));
-        const feedTenant = await getFeedTenantId(feedUrl);
-        let token = await getFederatedWorkloadIdentityCredentials(entraWifServiceConnectionName, feedTenant);
-        if (token)
-        {
-            const nerfed = util.toNerfDart(feedUrl);
-            const auth = `${nerfed}:_authToken=${token}`;
-            tl.debug(tl.loc('AddingAuthRegistry', feedUrl));
-            npmutil.appendToNpmrc(npmrc, os.EOL + auth + os.EOL);
-            tl.debug(tl.loc('SuccessfulAppend'));
-            npmrcFile.push(os.EOL + auth + os.EOL);
-            federatedFeedAuthSuccessCount++;
-            tl.debug(tl.loc('SuccessfulPush'));    
-            console.log(tl.loc("Info_SuccessAddingFederatedFeedAuth", feedUrl));
-            console.log(tl.loc("SkippingParsingNpmrc"));
-
-            if (endpointsArray.includes(feedUrl)){
-                tl.warning(tl.loc('DuplicateCredentials', feedUrl));
-            }
-
-            else {
-                endpointsArray.push(feedUrl);
-                tl.setVariable('EXISTING_ENDPOINTS', endpointsArray.join(','), false);
-            }
-        } 
-        else
-        {
-            throw new Error(tl.loc("FailedToGetServiceConnectionAuth", entraWifServiceConnectionName)); 
-        }
-        return;
-    }
-    else if (feedUrl || entraWifServiceConnectionName) {
-        throw new Error(tl.loc("MissingFeedUrlOrServiceConnection"));
-    }
-#endif
-
     let endpointRegistries: npmregistry.INpmRegistry[] = [];
     let endpointIds = tl.getDelimitedInput(constants.NpmAuthenticateTaskInput.CustomEndpoint, ',');
     if (endpointIds && endpointIds.length > 0) {
@@ -144,10 +102,52 @@ async function main(): Promise<void> {
     }
 
     let addedRegistry = [];
-    for (let RegistryURLString of npmrcparser.GetRegistries(npmrc, /* saveNormalizedRegistries */ true)) {
+    let npmrcRegistries = npmrcparser.GetRegistries(npmrc, /* saveNormalizedRegistries */ true);
+
+#if WIF
+    const entraWifServiceConnectionName = tl.getInput("workloadIdentityServiceConnection");
+    const federatedAuthToken = await getAzureDevOpsServiceConnectionCredentials(entraWifServiceConnectionName)
+
+    const feedUrl = tl.getInput("feedUrl");
+    if (feedUrl && !entraWifServiceConnectionName) {
+        throw new Error(tl.loc("MissingFeedUrlOrServiceConnection"));
+    }
+
+    if(feedUrl){
+        npmrcRegistries = npmrcRegistries.filter(x=> util.toNerfDart(x) == util.toNerfDart(npmrcparser.NormalizeRegistry(feedUrl)));
+        if(npmrcRegistries.length == 0){
+            throw new Error(tl.loc("IgnoringRegistry", feedUrl));
+        }
+    }
+#endif
+
+    for (let RegistryURLString of npmrcRegistries) {
         let registryURL = URL.parse(RegistryURLString);
         let registry: npmregistry.NpmRegistry;
-        if (endpointRegistries && endpointRegistries.length > 0) {
+
+#if WIF
+        if (feedUrl && entraWifServiceConnectionName){
+            if (util.toNerfDart(npmrcparser.NormalizeRegistry(feedUrl)) == util.toNerfDart(RegistryURLString)) {
+                console.log(tl.loc("AddingEndpointCredentials", entraWifServiceConnectionName));
+                registry =  new npmregistry.NpmRegistry(RegistryURLString, `${util.toNerfDart(RegistryURLString)}:_authToken=${federatedAuthToken}`, true);
+                let url = URL.parse(RegistryURLString);
+                addedRegistry.push(url);
+                npmrcFile = clearFileOfReferences(npmrc, npmrcFile, url, addedRegistry);
+                federatedFeedAuthSuccessCount++;
+                console.log(tl.loc("Info_SuccessAddingFederatedFeedAuth", RegistryURLString));
+            }
+        } else if (!feedUrl && entraWifServiceConnectionName){
+            console.log(tl.loc("AddingEndpointCredentials", entraWifServiceConnectionName));
+            registry = new npmregistry.NpmRegistry(RegistryURLString, `${util.toNerfDart(RegistryURLString)}:_authToken=${federatedAuthToken}`, true)
+            let url = URL.parse(RegistryURLString);
+            addedRegistry.push(url);
+            npmrcFile = clearFileOfReferences(npmrc, npmrcFile, url, addedRegistry);
+            federatedFeedAuthSuccessCount++;
+            console.log(tl.loc("Info_SuccessAddingFederatedFeedAuth", RegistryURLString));
+        }
+#endif
+
+        if (!registry && endpointRegistries && endpointRegistries.length > 0) {
             for (let serviceEndpoint of endpointRegistries) {
                 if (util.toNerfDart(serviceEndpoint.url) == util.toNerfDart(RegistryURLString)) {
                     let serviceURL = URL.parse(serviceEndpoint.url);
@@ -160,10 +160,11 @@ async function main(): Promise<void> {
                 }
             }
         }
+
         if (!registry) {
             for (let localRegistry of LocalNpmRegistries) {
                 if (util.toNerfDart(localRegistry.url) == util.toNerfDart(RegistryURLString)) {
-                    // If a registry is found, but we previously added credentials for it, skip it
+                    // If a registry is found, but we previously added credentials for it warn and overwrite
                     if (endpointsArray.includes(localRegistry.url)) {
                         tl.warning(tl.loc('DuplicateCredentials', localRegistry.url));
                         tl.warning(tl.loc('FoundEndpointCredentials', registryURL.host));
@@ -206,6 +207,7 @@ main().catch(error => {
         "FederatedFeedAuthCount": federatedFeedAuthSuccessCount
     });
 });
+
 function clearFileOfReferences(npmrc: string, file: string[], url: URL.Url, addedRegistry: URL.Url[]) {
     let redoneFile = file;
     let warned = false;
@@ -224,3 +226,17 @@ function clearFileOfReferences(npmrc: string, file: string[], url: URL.Url, adde
     return redoneFile;
 }
 
+#if WIF
+async function getAzureDevOpsServiceConnectionCredentials(adoServiceConnection: string){
+    if(!adoServiceConnection){
+        return undefined;
+    }
+
+    let federatedAuthToken = await getFederatedWorkloadIdentityCredentials(adoServiceConnection);
+    if(!federatedAuthToken){
+        throw new Error(tl.loc("FailedToGetServiceConnectionAuth", adoServiceConnection)); 
+    }
+
+    return federatedAuthToken;
+}
+#endif