Azure
diff --git a/‎common/config/rush/pnpm-lock.yaml
Lines changed: 84 additions & 70 deletions b/‎common/config/rush/pnpm-lock.yaml
Lines changed: 84 additions & 70 deletions
diff --git a/‎sdk/identity/identity/CHANGELOG.md
Lines changed: 6 additions & 0 deletions b/‎sdk/identity/identity/CHANGELOG.md
Lines changed: 6 additions & 0 deletions
diff --git a/‎sdk/identity/identity/package.json
Lines changed: 2 additions & 2 deletions b/‎sdk/identity/identity/package.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎sdk/identity/identity/src/constants.ts
Lines changed: 1 addition & 1 deletion b/‎sdk/identity/identity/src/constants.ts
Lines changed: 1 addition & 1 deletion
diff --git a/‎sdk/identity/identity/src/credentials/managedIdentityCredential/arcMsi.ts
Lines changed: 52 additions & 25 deletions b/‎sdk/identity/identity/src/credentials/managedIdentityCredential/arcMsi.ts
Lines changed: 52 additions & 25 deletions
@@ -1,5 +1,11 @@
 # Release History
 
+## 4.2.1 (2024-06-10)
+
+### Bugs Fixed
+
+- Managed identity bug fixes
+
 ## 4.2.0 (2024-04-30)
 
 ### Features Added
 
@@ -1,7 +1,7 @@
 {
   "name": "@azure/identity",
   "sdk-type": "client",
-  "version": "4.2.0",
+  "version": "4.2.1",
   "description": "Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID",
   "main": "dist/index.js",
   "module": "dist-esm/src/index.js",
@@ -115,7 +115,7 @@
     "@azure/core-util": "^1.3.0",
     "@azure/logger": "^1.0.0",
     "@azure/msal-browser": "^3.11.1",
-    "@azure/msal-node": "^2.6.6",
+    "@azure/msal-node": "^2.9.2",
     "events": "^3.0.0",
     "jws": "^4.0.0",
     "open": "^8.0.0",
 
@@ -4,7 +4,7 @@
 /**
  * Current version of the `@azure/identity` package.
  */
-export const SDK_VERSION = `4.2.0`;
+export const SDK_VERSION = `4.2.1`;
 
 /**
  * The default client ID for authentication
 
@@ -1,19 +1,20 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
+import { MSI, MSIConfiguration, MSIToken } from "./models";
 import {
   PipelineRequestOptions,
   createHttpHeaders,
   createPipelineRequest,
 } from "@azure/core-rest-pipeline";
-import { GetTokenOptions } from "@azure/core-auth";
-import { readFile } from "fs";
+
 import { AuthenticationError } from "../../errors";
-import { credentialLogger } from "../../util/logging";
+import { GetTokenOptions } from "@azure/core-auth";
 import { IdentityClient } from "../../client/identityClient";
-import { mapScopesToResource } from "./utils";
-import { MSI, MSIConfiguration, MSIToken } from "./models";
 import { azureArcAPIVersion } from "./constants";
+import { credentialLogger } from "../../util/logging";
+import fs from "node:fs";
+import { mapScopesToResource } from "./utils";
 
 const msiName = "ManagedIdentityCredential - Azure Arc MSI";
 const logger = credentialLogger(msiName);
@@ -60,21 +61,6 @@ function prepareRequestOptions(
   });
 }
 
-/**
- * Retrieves the file contents at the given path using promises.
- * Useful since `fs`'s readFileSync locks the thread, and to avoid extra dependencies.
- */
-function readFileAsync(path: string, options: { encoding: BufferEncoding }): Promise<string> {
-  return new Promise((resolve, reject) =>
-    readFile(path, options, (err, data) => {
-      if (err) {
-        reject(err);
-      }
-      resolve(data);
-    }),
-  );
-}
-
 /**
  * Does a request to the authentication provider that results in a file path.
  */
@@ -103,6 +89,50 @@ async function filePathRequest(
   }
 }
 
+export function platformToFilePath(): string {
+  switch (process.platform) {
+    case "win32":
+      if (!process.env.PROGRAMDATA) {
+        throw new Error(`${msiName}: PROGRAMDATA environment variable has no value.`);
+      }
+      return `${process.env.PROGRAMDATA}\\AzureConnectedMachineAgent\\Tokens`;
+    case "linux":
+      return "/var/opt/azcmagent/tokens";
+    default:
+      throw new Error(`${msiName}: Unsupported platform ${process.platform}.`);
+  }
+}
+
+/**
+ * Validates that a given Azure Arc MSI file path is valid for use.
+ *
+ * A valid file will:
+ * 1. Be in the expected path for the current platform.
+ * 2. Have a `.key` extension.
+ * 3. Be at most 4096 bytes in size.
+ */
+export function validateKeyFile(filePath?: string): asserts filePath is string {
+  if (!filePath) {
+    throw new Error(`${msiName}: Failed to find the token file.`);
+  }
+
+  if (!filePath.endsWith(".key")) {
+    throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);
+  }
+
+  const expectedPath = platformToFilePath();
+  if (!filePath.startsWith(expectedPath)) {
+    throw new Error(`${msiName}: unexpected file path from HIMDS service: ${filePath}.`);
+  }
+
+  const stats = fs.statSync(filePath);
+  if (stats.size > 4096) {
+    throw new Error(
+      `${msiName}: The file at ${filePath} is larger than expected at ${stats.size} bytes.`,
+    );
+  }
+}
+
 /**
  * Defines how to determine whether the Azure Arc MSI is available, and also how to retrieve a token from the Azure Arc MSI.
  */
@@ -150,12 +180,9 @@ export const arcMsi: MSI = {
     };
 
     const filePath = await filePathRequest(identityClient, requestOptions);
+    validateKeyFile(filePath);
 
-    if (!filePath) {
-      throw new Error(`${msiName}: Failed to find the token file.`);
-    }
-
-    const key = await readFileAsync(filePath, { encoding: "utf-8" });
+    const key = await fs.promises.readFile(filePath, { encoding: "utf-8" });
     requestOptions.headers?.set("Authorization", `Basic ${key}`);
 
     const request = createPipelineRequest({