Merge branch 'main' of https://github.com/Azure/AppConfiguration-JavaScriptProvider into zhiyuanliang/secret-refresh

Author: zhiyuanliang-ms

src/AzureAppConfigurationImpl.ts

@@ -35,8 +35,8 @@ import { FeatureFlagTracingOptions } from "./requestTracing/FeatureFlagTracingOp
 import { AIConfigurationTracingOptions } from "./requestTracing/AIConfigurationTracingOptions.js";
 import { KeyFilter, LabelFilter, SettingSelector } from "./types.js";
 import { ConfigurationClientManager } from "./ConfigurationClientManager.js";
-import { getFixedBackoffDuration, calculateBackoffDuration } from "./failover.js";
-import { InvalidOperationError, ArgumentError, isFailoverableError, isRetriableError, isArgumentError } from "./error.js";
+import { getFixedBackoffDuration, getExponentialBackoffDuration } from "./common/backoffUtils.js";
+import { InvalidOperationError, ArgumentError, isFailoverableError, isInputError } from "./common/error.js";
 
 const MIN_DELAY_FOR_UNHANDLED_FAILURE = 5_000; // 5 seconds
 
@@ -258,7 +258,7 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
                 })
             ]);
         } catch (error) {
-            if (!isArgumentError(error)) {
+            if (!isInputError(error)) {
                 const timeElapsed = Date.now() - startTimestamp;
                 if (timeElapsed < MIN_DELAY_FOR_UNHANDLED_FAILURE) {
                     // load() method is called in the application's startup code path.
@@ -267,7 +267,7 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
                     await new Promise(resolve => setTimeout(resolve, MIN_DELAY_FOR_UNHANDLED_FAILURE - timeElapsed));
                 }
             }
-            throw new Error(`Failed to load: ${error.message}`);
+            throw new Error("Failed to load.", { cause: error });
         } finally {
             clearTimeout(timeoutId); // cancel the timeout promise
         }
@@ -372,7 +372,7 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
                     this.#isInitialLoadCompleted = true;
                     break;
                 } catch (error) {
-                    if (!isRetriableError(error)) {
+                    if (isInputError(error)) {
                         throw error;
                     }
                     if (abortSignal.aborted) {
@@ -382,7 +382,7 @@ export class AzureAppConfigurationImpl implements AzureAppConfiguration {
                     let backoffDuration = getFixedBackoffDuration(timeElapsed);
                     if (backoffDuration === undefined) {
                         postAttempts += 1;
-                        backoffDuration = calculateBackoffDuration(postAttempts);
+                        backoffDuration = getExponentialBackoffDuration(postAttempts);
                     }
                     console.warn(`Failed to load. Error message: ${error.message}. Retrying in ${backoffDuration} ms.`);
                     await new Promise(resolve => setTimeout(resolve, backoffDuration));

src/ConfigurationClientManager.ts

@@ -7,12 +7,12 @@ import { TokenCredential } from "@azure/identity";
 import { AzureAppConfigurationOptions } from "./AzureAppConfigurationOptions.js";
 import { isBrowser, isWebWorker } from "./requestTracing/utils.js";
 import * as RequestTracing from "./requestTracing/constants.js";
-import { instanceOfTokenCredential, shuffleList } from "./common/utils.js";
-import { ArgumentError } from "./error.js";
+import { shuffleList, instanceOfTokenCredential } from "./common/utils.js";
+import { ArgumentError } from "./common/error.js";
 
 // Configuration client retry options
 const CLIENT_MAX_RETRIES = 2;
-const CLIENT_MAX_RETRY_DELAY = 60_000; // 1 minute in milliseconds
+const CLIENT_MAX_RETRY_DELAY_IN_MS = 60_000;
 
 const TCP_ORIGIN_KEY_NAME = "_origin._tcp";
 const ALT_KEY_NAME = "_alt";
@@ -21,9 +21,9 @@ const ENDPOINT_KEY_NAME = "Endpoint";
 const ID_KEY_NAME = "Id";
 const SECRET_KEY_NAME = "Secret";
 const TRUSTED_DOMAIN_LABELS = [".azconfig.", ".appconfig."];
-const FALLBACK_CLIENT_EXPIRE_INTERVAL = 60 * 60 * 1000; // 1 hour in milliseconds
-const MINIMAL_CLIENT_REFRESH_INTERVAL = 30_000; // 30 seconds in milliseconds
-const DNS_RESOLVER_TIMEOUT = 3_000; // 3 seconds in milliseconds, in most cases, dns resolution should be within 200 milliseconds
+const FALLBACK_CLIENT_EXPIRE_INTERVAL_IN_MS = 60 * 60 * 1000;
+const MINIMAL_CLIENT_REFRESH_INTERVAL_IN_MS = 30_000;
+const DNS_RESOLVER_TIMEOUT_IN_MS = 3_000;
 const DNS_RESOLVER_TRIES = 2;
 const MAX_ALTNATIVE_SRV_COUNT = 10;
 
@@ -120,11 +120,11 @@ export class ConfigurationClientManager {
         const currentTime = Date.now();
         // Filter static clients whose backoff time has ended
         let availableClients = this.#staticClients.filter(client => client.backoffEndTime <= currentTime);
-        if (currentTime >= this.#lastFallbackClientRefreshAttempt + MINIMAL_CLIENT_REFRESH_INTERVAL &&
+        if (currentTime >= this.#lastFallbackClientRefreshAttempt + MINIMAL_CLIENT_REFRESH_INTERVAL_IN_MS &&
             (!this.#dynamicClients ||
             // All dynamic clients are in backoff means no client is available
             this.#dynamicClients.every(client => currentTime < client.backoffEndTime) ||
-            currentTime >= this.#lastFallbackClientUpdateTime + FALLBACK_CLIENT_EXPIRE_INTERVAL)) {
+            currentTime >= this.#lastFallbackClientUpdateTime + FALLBACK_CLIENT_EXPIRE_INTERVAL_IN_MS)) {
             await this.#discoverFallbackClients(this.endpoint.hostname);
             return availableClients.concat(this.#dynamicClients);
         }
@@ -142,7 +142,7 @@ export class ConfigurationClientManager {
     async refreshClients() {
         const currentTime = Date.now();
         if (this.#isFailoverable &&
-            currentTime >= this.#lastFallbackClientRefreshAttempt + MINIMAL_CLIENT_REFRESH_INTERVAL) {
+            currentTime >= this.#lastFallbackClientRefreshAttempt + MINIMAL_CLIENT_REFRESH_INTERVAL_IN_MS) {
             await this.#discoverFallbackClients(this.endpoint.hostname);
         }
     }
@@ -185,7 +185,7 @@ export class ConfigurationClientManager {
 
         try {
             // https://nodejs.org/api/dns.html#dnspromisesresolvesrvhostname
-            const resolver = new this.#dns.Resolver({timeout: DNS_RESOLVER_TIMEOUT, tries: DNS_RESOLVER_TRIES});
+            const resolver = new this.#dns.Resolver({timeout: DNS_RESOLVER_TIMEOUT_IN_MS, tries: DNS_RESOLVER_TRIES});
             // On success, resolveSrv() returns an array of SrvRecord
             // On failure, resolveSrv() throws an error with code 'ENOTFOUND'.
             const originRecords = await resolver.resolveSrv(`${TCP_ORIGIN_KEY_NAME}.${host}`); // look up SRV records for the origin host
@@ -266,7 +266,7 @@ function getClientOptions(options?: AzureAppConfigurationOptions): AppConfigurat
     // retry options
     const defaultRetryOptions = {
         maxRetries: CLIENT_MAX_RETRIES,
-        maxRetryDelayInMs: CLIENT_MAX_RETRY_DELAY,
+        maxRetryDelayInMs: CLIENT_MAX_RETRY_DELAY_IN_MS,
     };
     const retryOptions = Object.assign({}, defaultRetryOptions, options?.clientOptions?.retryOptions);
 

src/ConfigurationClientWrapper.ts

@@ -2,7 +2,7 @@
 // Licensed under the MIT license.
 
 import { AppConfigurationClient } from "@azure/app-configuration";
-import { calculateBackoffDuration } from "./failover.js";
+import { getExponentialBackoffDuration } from "./common/backoffUtils.js";
 
 export class ConfigurationClientWrapper {
     endpoint: string;
@@ -21,7 +21,7 @@ export class ConfigurationClientWrapper {
             this.backoffEndTime = Date.now();
         } else {
             this.#failedAttempts += 1;
-            this.backoffEndTime = Date.now() + calculateBackoffDuration(this.#failedAttempts);
+            this.backoffEndTime = Date.now() + getExponentialBackoffDuration(this.#failedAttempts);
         }
     }
 }

src/StartupOptions.ts

@@ -1,7 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-export const DEFAULT_STARTUP_TIMEOUT_IN_MS = 100_000; // 100 seconds in milliseconds
+export const DEFAULT_STARTUP_TIMEOUT_IN_MS = 100_000;
 
 export interface StartupOptions {
     /**

src/common/backoffUtils.ts

@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+const MIN_BACKOFF_DURATION_IN_MS = 30_000;
+const MAX_BACKOFF_DURATION_IN_MS = 10 * 60 * 1000;
+const JITTER_RATIO = 0.25;
+
+export function getFixedBackoffDuration(timeElapsedInMs: number): number | undefined {
+    if (timeElapsedInMs < 100_000) {
+        return 5_000;
+    }
+    if (timeElapsedInMs < 200_000) {
+        return 10_000;
+    }
+    if (timeElapsedInMs < 10 * 60 * 1000) {
+        return MIN_BACKOFF_DURATION_IN_MS;
+    }
+    return undefined;
+}
+
+export function getExponentialBackoffDuration(failedAttempts: number): number {
+    if (failedAttempts <= 1) {
+        return MIN_BACKOFF_DURATION_IN_MS;
+    }
+
+    // exponential: minBackoff * 2 ^ (failedAttempts - 1)
+    // The right shift operator is not used in order to avoid potential overflow. Bitwise operations in JavaScript are limited to 32 bits.
+    let calculatedBackoffDuration = MIN_BACKOFF_DURATION_IN_MS * Math.pow(2, failedAttempts - 1);
+    if (calculatedBackoffDuration > MAX_BACKOFF_DURATION_IN_MS) {
+        calculatedBackoffDuration = MAX_BACKOFF_DURATION_IN_MS;
+    }
+
+    // jitter: random value between [-1, 1) * jitterRatio * calculatedBackoffMs
+    const jitter = JITTER_RATIO * (Math.random() * 2 - 1);
+
+    return calculatedBackoffDuration * (1 + jitter);
+}

src/error.ts renamed to src/common/error.ts

@@ -14,7 +14,7 @@ export class InvalidOperationError extends Error {
 }
 
 /**
- * Error thrown when an argument or configuration is invalid.
+ * Error thrown when an input argument is invalid.
  */
 export class ArgumentError extends Error {
     constructor(message: string) {
@@ -24,11 +24,11 @@ export class ArgumentError extends Error {
 }
 
 /**
- * Error thrown when it fails to get the secret from the Key Vault.
+ * Error thrown when a Key Vault reference cannot be resolved.
  */
 export class KeyVaultReferenceError extends Error {
-    constructor(message: string) {
-        super(message);
+    constructor(message: string, options?: ErrorOptions) {
+        super(message, options);
         this.name = "KeyVaultReferenceError";
     }
 }
@@ -37,8 +37,10 @@ export function isFailoverableError(error: any): boolean {
     if (!isRestError(error)) {
         return false;
     }
-    // ENOTFOUND: DNS lookup failed, ENOENT: no such file or directory
-    if (error.code === "ENOTFOUND" || error.code === "ENOENT") {
+    // https://nodejs.org/api/errors.html#common-system-errors
+    // ENOTFOUND: DNS lookup failed, ENOENT: no such file or directory, ECONNREFUSED: connection refused, ECONNRESET: connection reset by peer, ETIMEDOUT: connection timed out
+    if (error.code !== undefined &&
+        (error.code === "ENOTFOUND" || error.code === "ENOENT" || error.code === "ECONNREFUSED" || error.code === "ECONNRESET" || error.code === "ETIMEDOUT")) {
         return true;
     }
     // 401 Unauthorized, 403 Forbidden, 408 Request Timeout, 429 Too Many Requests, 5xx Server Errors
@@ -50,19 +52,11 @@ export function isFailoverableError(error: any): boolean {
     return false;
 }
 
-export function isRetriableError(error: any): boolean {
-    if (isArgumentError(error) ||
-        error instanceof RangeError) {
-        return false;
-    }
-    return true;
-}
-
-export function isArgumentError(error: any): boolean {
-    if (error instanceof ArgumentError ||
+/**
+ * Check if the error is an instance of ArgumentError, TypeError, or RangeError.
+ */
+export function isInputError(error: any): boolean {
+    return error instanceof ArgumentError ||
         error instanceof TypeError ||
-        error instanceof RangeError) {
-        return true;
-    }
-    return false;
+        error instanceof RangeError;
 }

src/failover.ts

@@ -1,33 +1,33 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT license.
 
-const MIN_BACKOFF_DURATION = 30_000; // 30 seconds in milliseconds
-const MAX_BACKOFF_DURATION = 10 * 60 * 1000; // 10 minutes in milliseconds
+const MIN_BACKOFF_DURATION_IN_MS = 30_000;
+const MAX_BACKOFF_DURATION_IN_MS = 10 * 60 * 1000;
 const JITTER_RATIO = 0.25;
 
-export function getFixedBackoffDuration(timeElapsed: number): number | undefined {
-    if (timeElapsed <= 100_000) { // 100 seconds in milliseconds
-        return 5_000; // 5 seconds in milliseconds
+export function getFixedBackoffDuration(timeElapsedInMs: number): number | undefined {
+    if (timeElapsedInMs <= 100_000) {
+        return 5_000;
     }
-    if (timeElapsed <= 200_000) { // 200 seconds in milliseconds
-        return 10_000; // 10 seconds in milliseconds
+    if (timeElapsedInMs <= 200_000) {
+        return 10_000;
     }
-    if (timeElapsed <= 10 * 60 * 1000) { // 10 minutes in milliseconds
-        return MIN_BACKOFF_DURATION;
+    if (timeElapsedInMs <= 10 * 60 * 1000) {
+        return MIN_BACKOFF_DURATION_IN_MS;
     }
     return undefined;
 }
 
 export function calculateBackoffDuration(failedAttempts: number) {
     if (failedAttempts <= 1) {
-        return MIN_BACKOFF_DURATION;
+        return MIN_BACKOFF_DURATION_IN_MS;
     }
 
     // exponential: minBackoff * 2 ^ (failedAttempts - 1)
     // The right shift operator is not used in order to avoid potential overflow. Bitwise operations in JavaScript are limited to 32 bits.
-    let calculatedBackoffDuration = MIN_BACKOFF_DURATION * Math.pow(2, failedAttempts - 1);
-    if (calculatedBackoffDuration > MAX_BACKOFF_DURATION) {
-        calculatedBackoffDuration = MAX_BACKOFF_DURATION;
+    let calculatedBackoffDuration = MIN_BACKOFF_DURATION_IN_MS * Math.pow(2, failedAttempts - 1);
+    if (calculatedBackoffDuration > MAX_BACKOFF_DURATION_IN_MS) {
+        calculatedBackoffDuration = MAX_BACKOFF_DURATION_IN_MS;
     }
 
     // jitter: random value between [-1, 1) * jitterRatio * calculatedBackoffMs

src/keyvault/AzureKeyVaultKeyValueAdapter.ts

@@ -6,8 +6,10 @@ import { IKeyValueAdapter } from "../IKeyValueAdapter.js";
 import { AzureKeyVaultSecretProvider } from "./AzureKeyVaultSecretProvider.js";
 import { KeyVaultOptions } from "./KeyVaultOptions.js";
 import { RefreshTimer } from "../refresh/RefreshTimer.js";
-import { ArgumentError, KeyVaultReferenceError } from "../error.js";
-import { parseKeyVaultSecretIdentifier, KeyVaultSecretIdentifier } from "@azure/keyvault-secrets";
+import { ArgumentError, KeyVaultReferenceError } from "../common/error.js";
+import { KeyVaultSecretIdentifier, parseKeyVaultSecretIdentifier } from "@azure/keyvault-secrets";
+import { isRestError } from "@azure/core-rest-pipeline";
+import { AuthenticationError } from "@azure/identity";
 
 export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
     #keyVaultOptions: KeyVaultOptions | undefined;
@@ -24,20 +26,25 @@ export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
 
     async processKeyValue(setting: ConfigurationSetting): Promise<[string, unknown]> {
         if (!this.#keyVaultOptions) {
-            throw new ArgumentError("Failed to process the key vault reference. The keyVaultOptions is not configured.");
+            throw new ArgumentError("Failed to process the Key Vault reference because Key Vault options are not configured.");
+        }
+        let secretIdentifier: KeyVaultSecretIdentifier;
+        try {
+            secretIdentifier = parseKeyVaultSecretIdentifier(
+                parseSecretReference(setting).value.secretId
+            );
+        } catch (error) {
+            throw new KeyVaultReferenceError(buildKeyVaultReferenceErrorMessage("Invalid Key Vault reference.", setting), { cause: error });
         }
 
-        const secretIdentifier: KeyVaultSecretIdentifier = parseKeyVaultSecretIdentifier(
-            parseSecretReference(setting).value.secretId
-        );
         try {
             const secretValue = await this.#keyVaultSecretProvider.getSecretValue(secretIdentifier);
             return [setting.key, secretValue];
         } catch (error) {
-            if (error instanceof ArgumentError) {
-                throw error;
+            if (isRestError(error) || error instanceof AuthenticationError) {
+                throw new KeyVaultReferenceError(buildKeyVaultReferenceErrorMessage("Failed to resolve Key Vault reference.", setting, secretIdentifier.sourceId), { cause: error });
             }
-            throw new KeyVaultReferenceError(buildKeyVaultReferenceErrorMessage(error.message, setting, secretIdentifier.sourceId));
+            throw error;
         }
     }
 
@@ -48,5 +55,5 @@ export class AzureKeyVaultKeyValueAdapter implements IKeyValueAdapter {
 }
 
 function buildKeyVaultReferenceErrorMessage(message: string, setting: ConfigurationSetting, secretIdentifier?: string ): string {
-    return `${message} Key: '${setting.key}' Label: '${setting.label ?? ""}' ETag: '${setting.etag ?? ""}' SecretIdentifier: '${secretIdentifier ?? ""}'`;
+    return `${message} Key: '${setting.key}' Label: '${setting.label ?? ""}' ETag: '${setting.etag ?? ""}' ${secretIdentifier ? ` SecretIdentifier: '${secretIdentifier}'` : ""}`;
 }

src/keyvault/AzureKeyVaultSecretProvider.ts

@@ -3,7 +3,7 @@
 
 import { KeyVaultOptions } from "./KeyVaultOptions.js";
 import { RefreshTimer } from "../refresh/RefreshTimer.js";
-import { ArgumentError } from "../error.js";
+import { ArgumentError } from "../common/error.js";
 import { SecretClient, KeyVaultSecretIdentifier } from "@azure/keyvault-secrets";
 
 export class AzureKeyVaultSecretProvider {
@@ -68,8 +68,7 @@ export class AzureKeyVaultSecretProvider {
             return await this.#keyVaultOptions.secretResolver(new URL(sourceId));
         }
         // When code reaches here, it means that the key vault reference cannot be resolved in all possible ways.
-        throw new ArgumentError("Failed to get secret value. No key vault secret client, credential or secret resolver callback is available to resolve the secret.");
-
+        throw new ArgumentError("Failed to process the key vault reference. No key vault secret client, credential or secret resolver callback is available to resolve the secret.");
     }
 
     #getSecretClient(vaultUrl: URL): SecretClient | undefined {

src/load.ts

@@ -8,7 +8,7 @@ import { AzureAppConfigurationOptions } from "./AzureAppConfigurationOptions.js"
 import { ConfigurationClientManager } from "./ConfigurationClientManager.js";
 import { instanceOfTokenCredential } from "./common/utils.js";
 
-const MIN_DELAY_FOR_UNHANDLED_ERROR: number = 5_000; // 5 seconds
+const MIN_DELAY_FOR_UNHANDLED_ERROR_IN_MS: number = 5_000;
 
 /**
  * Loads the data from Azure App Configuration service and returns an instance of AzureAppConfiguration.
@@ -49,7 +49,7 @@ export async function load(
         // load() method is called in the application's startup code path.
         // Unhandled exceptions cause application crash which can result in crash loops as orchestrators attempt to restart the application.
         // Knowing the intended usage of the provider in startup code path, we mitigate back-to-back crash loops from overloading the server with requests by waiting a minimum time to propagate fatal errors.
-        const delay = MIN_DELAY_FOR_UNHANDLED_ERROR - (Date.now() - startTimestamp);
+        const delay = MIN_DELAY_FOR_UNHANDLED_ERROR_IN_MS - (Date.now() - startTimestamp);
         if (delay > 0) {
             await new Promise((resolve) => setTimeout(resolve, delay));
         }