Adding federated token logs & optional audience parameter (#159)

* cherry pick changes

* added audience field option in input params

* added js

* removed extra spaces

* Adding logs to surface AZ-CLI and powershell errors (#171)

* removing token logs

action.yml

@@ -26,6 +26,10 @@ inputs:
     description: 'Set this value to true to enable support for accessing tenants without subscriptions'
     required: false
     default: false
+  audience:
+    description: 'Provide audience field for access-token. Default value is api://AzureADTokenExchange' 
+    required: false
+    default: 'api://AzureADTokenExchange'
 branding:
   icon: 'login.svg'
   color: 'blue'

lib/PowerShell/ServicePrincipalLogin.js

@@ -59,10 +59,18 @@ class ServicePrincipalLogin {
     login() {
         return __awaiter(this, void 0, void 0, function* () {
             let output = "";
+            let commandStdErr = false;
             const options = {
                 listeners: {
                     stdout: (data) => {
                         output += data.toString();
+                    },
+                    stderr: (data) => {
+                        let error = data.toString();
+                        if (error && error.trim().length !== 0) {
+                            commandStdErr = true;
+                            core.error(error);
+                        }
                     }
                 }
             };

lib/PowerShell/Utilities/PowerShellToolRunner.js

@@ -40,6 +40,7 @@ class PowerShellToolRunner {
     }
     static executePowerShellScriptBlock(scriptBlock, options = {}) {
         return __awaiter(this, void 0, void 0, function* () {
+            //Options for error handling
             yield exec.exec(`"${PowerShellToolRunner.psPath}" -Command`, [scriptBlock], options);
         });
     }

lib/main.js

@@ -1,14 +1,14 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function (o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
-}) : (function(o, m, k, k2) {
+    Object.defineProperty(o, k2, { enumerable: true, get: function () { return m[k]; } });
+}) : (function (o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
 }));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function (o, v) {
     Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
+}) : function (o, v) {
     o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
@@ -39,6 +39,27 @@ var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREP
 function main() {
     return __awaiter(this, void 0, void 0, function* () {
         try {
+            //Options for error handling
+            let commandStdErr = false;
+            const loginOptions = {
+                silent: true,
+                ignoreReturnCode: true,
+                failOnStdErr: true,
+                listeners: {
+                    stderr: (data) => {
+                        let error = data.toString();
+                        //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                        if (error.toLowerCase().startsWith('error')) {
+                            error = error.slice(5);
+                        }
+                        // printing error
+                        if (error && error.trim().length !== 0) {
+                            commandStdErr = true;
+                            core.error(error);
+                        }
+                    }
+                }
+            };
             // Set user agent variable
             var isAzCLISuccess = false;
             let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`;
@@ -73,7 +94,6 @@ function main() {
             const allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
             //Check for the credentials in individual parameters in the workflow.
             var servicePrincipalId = core.getInput('client-id', { required: false });
-            ;
             var servicePrincipalKey = null;
             var tenantId = core.getInput('tenant-id', { required: false });
             var subscriptionId = core.getInput('subscription-id', { required: false });
@@ -84,7 +104,7 @@ function main() {
             if (servicePrincipalId || tenantId || subscriptionId) {
                 //If few of the individual credentials (clent_id, tenat_id, subscription_id) are missing in action inputs.
                 if (!(servicePrincipalId && tenantId && (subscriptionId || allowNoSubscriptionsLogin)))
-                    throw new Error("Few credentials are missing. ClientId,tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
+                    throw new Error("Few credentials are missing. ClientId, tenantId are mandatory. SubscriptionId is also mandatory if allow-no-subscriptions is not set.");
             }
             else {
                 if (creds) {
@@ -115,7 +135,8 @@ function main() {
             if (enableOIDC) {
                 console.log('Using OIDC authentication...');
                 //generating ID-token
-                federatedToken = yield core.getIDToken('api://AzureADTokenExchange');
+                let audience = core.getInput('audience', { required: false });
+                federatedToken = yield core.getIDToken(audience);
                 if (!!federatedToken) {
                     if (environment != "azurecloud")
                         throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
@@ -169,13 +190,13 @@ function main() {
             else {
                 commonArgs = commonArgs.concat("-p", servicePrincipalKey);
             }
-            yield executeAzCliCommand(`login`, true, {}, commonArgs);
+            yield executeAzCliCommand(`login`, true, loginOptions, commonArgs);
             if (!allowNoSubscriptionsLogin) {
                 var args = [
                     "--subscription",
                     subscriptionId
                 ];
-                yield executeAzCliCommand(`account set`, true, {}, args);
+                yield executeAzCliCommand(`account set`, true, loginOptions, args);
             }
             isAzCLISuccess = true;
             if (enableAzPSSession) {
@@ -190,12 +211,11 @@ function main() {
         }
         catch (error) {
             if (!isAzCLISuccess) {
-                core.error("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
+                core.setFailed("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
             }
             else {
-                core.error(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
+                core.setFailed(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
             }
-            core.setFailed(error);
         }
         finally {
             // Reset AZURE_HTTP_USER_AGENT
@@ -207,12 +227,7 @@ function main() {
 function executeAzCliCommand(command, silent, execOptions = {}, args = []) {
     return __awaiter(this, void 0, void 0, function* () {
         execOptions.silent = !!silent;
-        try {
-            yield exec.exec(`"${azPath}" ${command}`, args, execOptions);
-        }
-        catch (error) {
-            throw new Error(error);
-        }
+        yield exec.exec(`"${azPath}" ${command}`, args, execOptions);
     });
 }
 main();