Added region env variable functionality

AzureAD · Oct 1, 2024 · 3c6853f · 3c6853f
1 parent b29b5b1
commit 3c6853f
Show file tree

Hide file tree

Showing 3 changed files with 106 additions and 8 deletions.
diff --git a/lib/msal-node/src/client/ConfidentialClientApplication.ts b/lib/msal-node/src/client/ConfidentialClientApplication.ts
@@ -12,6 +12,7 @@ import {
     Constants as NodeConstants,
     ApiId,
     REGION_ENVIRONMENT_VARIABLE,
+    MSAL_FORCE_REGION,
 } from "../utils/Constants.js";
 import {
     CommonClientCredentialRequest,
@@ -27,6 +28,7 @@ import {
     ClientAuthErrorCodes,
     ClientAssertion as ClientAssertionType,
     getClientAssertion,
+    AzureRegion,
 } from "@azure/msal-common/node";
 import { IConfidentialClientApplication } from "./IConfidentialClientApplication.js";
 import { OnBehalfOfRequest } from "../request/OnBehalfOfRequest.js";
@@ -136,8 +138,17 @@ export class ConfidentialClientApplication
             );
         }
 
+        // if this env variable is set, MSAL shall opt-in to ESTS-R with the value of this variable
+        const ENV_MSAL_FORCE_REGION: AzureRegion | undefined =
+            process.env[MSAL_FORCE_REGION];
+        const region: AzureRegion | undefined =
+            !validRequest.azureRegion &&
+            ENV_MSAL_FORCE_REGION &&
+            ENV_MSAL_FORCE_REGION !== "DisableMsalForceRegion"
+                ? ENV_MSAL_FORCE_REGION
+                : validRequest.azureRegion;
         const azureRegionConfiguration: AzureRegionConfiguration = {
-            azureRegion: validRequest.azureRegion,
+            azureRegion: region,
             environmentRegion: process.env[REGION_ENVIRONMENT_VARIABLE],
         };
 

diff --git a/lib/msal-node/src/utils/Constants.ts b/lib/msal-node/src/utils/Constants.ts
@@ -82,6 +82,7 @@ export type ProxyStatus = (typeof ProxyStatus)[keyof typeof ProxyStatus];
  * Constants used for region discovery
  */
 export const REGION_ENVIRONMENT_VARIABLE = "REGION_NAME";
+export const MSAL_FORCE_REGION = "MSAL_FORCE_REGION";
 
 /**
  * Constant used for PKCE

diff --git a/lib/msal-node/test/client/ConfidentialClientApplication.spec.ts b/lib/msal-node/test/client/ConfidentialClientApplication.spec.ts
@@ -20,7 +20,7 @@ import {
     DEFAULT_OPENID_CONFIG_RESPONSE,
     ID_TOKEN_CLAIMS,
     TEST_CONSTANTS,
-} from "../utils/TestConstants";
+} from "../utils/TestConstants.js";
 import {
     ConfidentialClientApplication,
     OnBehalfOfRequest,
@@ -32,19 +32,22 @@ import {
     RefreshTokenRequest,
     SilentFlowRequest,
     ClientApplication,
-} from "../../src";
+} from "../../src/index.js";
 import {
     CAE_CONSTANTS,
     CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT,
     TEST_CONFIG,
     TEST_TOKENS,
-} from "../test_kit/StringConstants";
-import { mockNetworkClient } from "../utils/MockNetworkClient";
-import { ClientTestUtils, getClientAssertionCallback } from "./ClientTestUtils";
+} from "../test_kit/StringConstants.js";
+import { mockNetworkClient } from "../utils/MockNetworkClient.js";
+import {
+    ClientTestUtils,
+    getClientAssertionCallback,
+} from "./ClientTestUtils.js";
 import { buildAccountFromIdTokenClaims } from "msal-test-utils";
-import { Constants } from "../../src/utils/Constants";
+import { Constants, MSAL_FORCE_REGION } from "../../src/utils/Constants.js";
 import jwt from "jsonwebtoken";
-import { NodeAuthError } from "../../src/error/NodeAuthError";
+import { NodeAuthError } from "../../src/error/NodeAuthError.js";
 
 jest.mock("jsonwebtoken");
 
@@ -340,6 +343,89 @@ describe("ConfidentialClientApplication", () => {
             );
         });
 
+        describe("region is determined correctly", () => {
+            let acquireTokenByClientCredentialSpy: jest.SpyInstance;
+            let buildOauthClientConfigurationSpy: jest.SpyInstance;
+            let client: ConfidentialClientApplication;
+            let request: ClientCredentialRequest;
+            beforeEach(() => {
+                acquireTokenByClientCredentialSpy = jest.spyOn(
+                    ConfidentialClientApplication.prototype,
+                    <any>"acquireTokenByClientCredential"
+                );
+
+                buildOauthClientConfigurationSpy = jest.spyOn(
+                    ConfidentialClientApplication.prototype,
+                    <any>"buildOauthClientConfiguration"
+                );
+
+                client = new ConfidentialClientApplication(config);
+
+                request = {
+                    scopes: TEST_CONSTANTS.DEFAULT_GRAPH_SCOPE,
+                    skipCache: false,
+                };
+
+                process.env[MSAL_FORCE_REGION] = "eastus";
+            });
+
+            afterEach(() => {
+                delete process.env[MSAL_FORCE_REGION];
+            });
+
+            test("region is not passed in through the request, the MSAL_FORCE_REGION environment variable is used", async () => {
+                const authResult = (await client.acquireTokenByClientCredential(
+                    request
+                )) as AuthenticationResult;
+                expect(authResult.accessToken).toEqual(
+                    CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body.access_token
+                );
+                expect(acquireTokenByClientCredentialSpy).toHaveBeenCalledTimes(
+                    1
+                );
+                expect(
+                    buildOauthClientConfigurationSpy.mock.lastCall[3]
+                        .azureRegion
+                ).toEqual(process.env[MSAL_FORCE_REGION]);
+            });
+
+            test("region is passed in through the request, the MSAL_FORCE_REGION environment variable is not used", async () => {
+                const region = "westus";
+
+                const authResult = (await client.acquireTokenByClientCredential(
+                    { ...request, azureRegion: region }
+                )) as AuthenticationResult;
+                expect(authResult.accessToken).toEqual(
+                    CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body.access_token
+                );
+                expect(acquireTokenByClientCredentialSpy).toHaveBeenCalledTimes(
+                    1
+                );
+                expect(
+                    buildOauthClientConfigurationSpy.mock.lastCall[3]
+                        .azureRegion
+                ).toEqual(region);
+            });
+
+            test('region is not passed in through the request, the MSAL_FORCE_REGION environment variable is set to "DisableMsalForceRegion"', async () => {
+                process.env[MSAL_FORCE_REGION] = "DisableMsalForceRegion";
+
+                const authResult = (await client.acquireTokenByClientCredential(
+                    request
+                )) as AuthenticationResult;
+                expect(authResult.accessToken).toEqual(
+                    CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body.access_token
+                );
+                expect(acquireTokenByClientCredentialSpy).toHaveBeenCalledTimes(
+                    1
+                );
+                expect(
+                    buildOauthClientConfigurationSpy.mock.lastCall[3]
+                        .azureRegion
+                ).toBeUndefined();
+            });
+        });
+
         test("acquireTokenByClientCredential request does not contain OIDC scopes", async () => {
             const request: ClientCredentialRequest = {
                 scopes: TEST_CONSTANTS.DEFAULT_GRAPH_SCOPE,