def create_keyvault(client,
resource_group_name, vault_name, location=None, sku=SkuName.standard.value,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
no_self_perms=None,
tags=None):
from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters
from azure.cli.core._profile import Profile, CLOUD
from azure.graphrbac.models import GraphErrorException
profile = Profile()
cred, _, tenant_id = profile.get_login_credentials(
resource=CLOUD.endpoints.active_directory_graph_resource_id)
graph_client = GraphRbacManagementClient(
cred,
tenant_id,
base_url=CLOUD.endpoints.active_directory_graph_resource_id)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
permissions = Permissions(keys=[KeyPermissions.get,
KeyPermissions.create,
KeyPermissions.delete,
KeyPermissions.list,
KeyPermissions.update,
KeyPermissions.import_enum,
KeyPermissions.backup,
KeyPermissions.restore],
secrets=[SecretPermissions.all],
certificates=[CertificatePermissions.all])
try:
object_id = _get_current_user_object_id(graph_client)
except GraphErrorException:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError('Cannot create vault.\nUnable to query active directory for information '
'about the current user.\nYou may try the --no-self-perms flag to '
'create a vault without permissions.')
access_policies = [AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)]
properties = VaultProperties(tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def create_keyvault(
client,
resource_group_name,
vault_name,
location, #pylint:disable=too-many-arguments
sku=SkuName.standard.value,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
no_self_perms=False,
tags=None):
from azure.cli.core._profile import Profile
profile = Profile()
cred, _, tenant_id = profile.get_login_credentials(for_graph_client=True)
graph_client = GraphRbacManagementClient(cred, tenant_id)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
# TODO Use the enums instead of strings when new keyvault SDK is released
# https://github.com/Azure/azure-sdk-for-python/blob/dev/azure-mgmt-keyvault/
# azure/mgmt/keyvault/models/key_vault_management_client_enums.py
permissions = Permissions(keys=[
'get', 'create', 'delete', 'list', 'update', 'import', 'backup',
'restore'
],
secrets=['all'])
object_id = _get_current_user_object_id(graph_client)
if not object_id:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError('Cannot create vault.\n'
'Unable to query active directory for information '\
'about the current user.\n'
'You may try the --no-self-perms flag to create a vault'\
' without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def set_policy(
client,
resource_group_name,
vault_name, #pylint:disable=too-many-arguments
object_id=None,
spn=None,
upn=None,
key_permissions=None,
secret_permissions=None,
certificate_permissions=None):
object_id = _object_id_args_helper(object_id, spn, upn)
vault = client.get(resource_group_name=resource_group_name,
vault_name=vault_name)
# Find the existing policy to set
policy = next((p for p in vault.properties.access_policies \
if object_id.lower() == p.object_id.lower() and \
vault.properties.tenant_id.lower() == p.tenant_id.lower()), None)
if not policy:
# Add new policy as none found
vault.properties.access_policies.append(
AccessPolicyEntry(tenant_id=vault.properties.tenant_id,
object_id=object_id,
permissions=Permissions(
keys=key_permissions,
secrets=secret_permissions,
certificates=certificate_permissions)))
else:
# Modify existing policy.
# If key_permissions is not set, use prev. value (similarly with secret_permissions).
keys = policy.permissions.keys if key_permissions is None else key_permissions
secrets = policy.permissions.secrets if secret_permissions is None else secret_permissions
certs = policy.permissions.certificates \
if certificate_permissions is None else certificate_permissions
policy.permissions = Permissions(keys=keys,
secrets=secrets,
certificates=certs)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=VaultCreateOrUpdateParameters(
location=vault.location,
tags=vault.tags,
properties=vault.properties))
def create_vault(self):
"""
Creates a new key vault with a unique name, granting full permissions to the current credentials
:return: a newly created key vault
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
vault_name = get_name('vault')
# setup vault permissions for the access policy for the sample service principle
permissions = Permissions()
permissions.keys = KEY_PERMISSIONS_ALL
permissions.secrets = SECRET_PERMISSIONS_ALL
permissions.certificates = CERTIFICATE_PERMISSIONS_ALL
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
print('creating vault {}'.format(vault_name))
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, vault_name, parameters).result()
# wait for vault DNS entry to be created
# see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172
self._poll_for_vault_connection(vault.properties.vault_uri)
print('created vault {} {}'.format(vault_name,
vault.properties.vault_uri))
return vault
def create_recoverable_vault_sample(self):
"""
Provides a sample for creating a key vault which has recovery enable so that the vault as well as all of its keys,
certificates and secrets are recoverable
:return: a key vault which has been created with recovery enabled
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
self.setup_sample()
vault_name = KeyVaultSampleBase.get_unique_name()
permissions = Permissions()
permissions.keys = [KeyPermissions.all]
permissions.secrets = [SecretPermissions.all]
permissions.certificates = [CertificatePermissions.all]
policy = AccessPolicyEntry(self.config.tenant_id,
self.config.client_oid, permissions)
properties = VaultProperties(self.config.tenant_id,
Sku(name='standard'),
policies=[policy])
parameters = VaultCreateOrUpdateParameters(self.config.location,
properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
# this vault property controls whether recovery functionality is available on the vault itself as well as
# all keys, certificates and secrets in the vault as well
parameters.properties.enable_soft_delete = True
# create the vault
vault = self.keyvault_mgmt_client.vaults.create_or_update(
self.config.group_name, vault_name, parameters)
print(vault)
return vault
def create_vault_with_network(self):
"""
Creates a key vault with network access limited by a NetworkRuleSet
"""
vault_name = get_name('vault')
# setup vault permissions for the access policy for the sample service principle
permissions = Permissions(keys=KEY_PERMISSIONS_ALL,
secrets=SECRET_PERMISSIONS_ALL,
certificates=CERTIFICATE_PERMISSIONS_ALL,
storage=STORAGE_PERMISSIONS_ALL)
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
# Network ACL definitions
# The only action supported for virtual network and IP rules is "allow".
# To deny an address, set the default action to 'deny' and do not explicitly allow the address.
network_acls = NetworkRuleSet(
# allow bypass of network ACL rules by other azure services. Valid values are azure_services or none
bypass=NetworkRuleBypassOptions.azure_services,
# the action to take if access attempt doesn't match any rule. Valid values are allow or deny
default_action=NetworkRuleAction.deny,
# IP rules (allowed IPv4 addresses / ranges)
ip_rules=[IPRule(value='0.0.0.0/0')
], # Allow access from a IP address range
# Virtual network rules(Allows access to Azure Virtual Networks by their Azure Resource ID)
virtual_network_rules=[
# To specifically allow access to a vnet, uncomment the line below and replace the id with the correct
# resource id for your vnet
# VirtualNetworkRule(id='/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1')
])
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy],
network_acls=network_acls)
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
print('creating vault {}'.format(vault_name))
self.vault = self.mgmt_client.vaults.create_or_update(
resource_group_name=self.config.group_name,
vault_name=vault_name,
parameters=parameters).result()
def update_key_vault_access_policy(
self,
keyvault_client,
resource_group_name,
key_vault_name,
tenant_id,
app_object_id,
):
"""Updates Key Vault Access Policy
:param keyvault_client: Instance of the Azure KeyVaultManagementClient.
:param resource_group_name: The name of the resource group.
:param key_vault_name: Name of the Key Vault.
:param region: The location in which the Key Vault exists.
:param tenant_id: Azure tenant Id
:param app_object_id: Object Id of the application
:param stg_principal_id: Principal Id of the Storage Account
:type keyvault_client: object
:type resource_group_name: str
:type key_vault_name: str
:type region: str
:type tenant_id: str
:type app_object_id: str
:type stg_principal_id: str
:returns: None
:rtype: None
"""
access_policy_app = AccessPolicyEntry(
tenant_id=tenant_id,
object_id=app_object_id,
permissions=Permissions(secrets=[
SecretPermissions.GET,
SecretPermissions.LIST,
SecretPermissions.SET,
], ),
)
access_policy = [access_policy_app]
logging.info("Updating Key Vault Access Policy")
logging.info("executing keyvault_client.vaults.update_access_policy")
logging.info(f" resource_group_name={resource_group_name}")
logging.info(f" vault_name={key_vault_name}")
keyvault_client.vaults.update_access_policy(
resource_group_name=resource_group_name,
vault_name=key_vault_name,
operation_kind=AccessPolicyUpdateKind.ADD,
parameters=VaultAccessPolicyParameters(
properties=VaultAccessPolicyProperties(
access_policies=access_policy), ),
)
def _get_params(self):
"""Build the vault parameters block."""
oid = self.auth_client.user_oid
sec_perms_all = [perm.value for perm in SecretPermissions]
key_perms_all = [perm.value for perm in KeyPermissions]
cert_perms_all = [perm.value for perm in CertificatePermissions]
permissions = Permissions()
permissions.keys = key_perms_all
permissions.secrets = sec_perms_all
permissions.certificates = cert_perms_all
policy = AccessPolicyEntry(tenant_id=self.tenant_id,
object_id=oid,
permissions=permissions)
properties = VaultProperties(tenant_id=self.tenant_id,
sku=Sku(name="standard"),
access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(location=self.azure_region,
properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
return parameters
def get_sample_vault(self):
"""
Creates a new key vault with a unique name, granting full permissions to the current credentials
:return: a newly created key vault
:rtype: :class:`Vault <azure.keyvault.generated.models.Vault>`
"""
if not self.config.vault:
keyvault_mgmt_client = KeyVaultManagementClient(
self.mgmt_client_creds, self.config.subscription_id)
if self.config.vault_name:
vault = keyvault_mgmt_client.vaults.get(
resource_group_name=self.config.group_name,
vault_name=self.config.vault_name)
else:
vault_name = get_name('vault')
# setup vault permissions for the access policy for the sample service principle
permissions = Permissions(
keys=KEY_PERMISSIONS_ALL,
secrets=SECRET_PERMISSIONS_ALL,
certificates=CERTIFICATE_PERMISSIONS_ALL,
storage=STORAGE_PERMISSIONS_ALL)
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=self.config.client_oid,
permissions=permissions)
properties = VaultProperties(tenant_id=self.config.tenant_id,
sku=Sku(name='standard'),
access_policies=[policy])
parameters = VaultCreateOrUpdateParameters(
location=self.config.location, properties=properties)
parameters.properties.enabled_for_deployment = True
parameters.properties.enabled_for_disk_encryption = True
parameters.properties.enabled_for_template_deployment = True
print('creating vault {}'.format(vault_name))
vault = keyvault_mgmt_client.vaults.create_or_update(
resource_group_name=self.config.group_name,
vault_name=vault_name,
parameters=parameters).result()
self.config.vault = vault
return self.config.vault
def grant_access_to_sample_vault(self, vault, oid):
keyvault_mgmt_client = KeyVaultManagementClient(
credentials=self.mgmt_client_creds,
subscription_id=self.config.subscription_id)
# setup vault permissions for the access policy for the oid
permissions = Permissions(keys=KEY_PERMISSIONS_ALL,
secrets=SECRET_PERMISSIONS_ALL,
certificates=CERTIFICATE_PERMISSIONS_ALL,
storage=STORAGE_PERMISSIONS_ALL)
policy = AccessPolicyEntry(tenant_id=self.config.tenant_id,
object_id=oid,
permissions=permissions)
vault.properties.access_policies.append(policy)
return keyvault_mgmt_client.vaults.create_or_update(
resource_group_name=self.config.group_name,
vault_name=vault.name,
parameters=vault).result()
import hashlib
import os
from azure.keyvault.keys import JsonWebKey, KeyCurveName, KeyVaultKey
from azure.keyvault.keys.crypto._client import _UTC
from azure.keyvault.keys.crypto.aio import CryptographyClient, EncryptionAlgorithm, KeyWrapAlgorithm, SignatureAlgorithm
from azure.mgmt.keyvault.models import KeyPermissions, Permissions
from devtools_testutils import ResourceGroupPreparer, KeyVaultPreparer
import pytest
from _shared.json_attribute_matcher import json_attribute_matcher
from _shared.test_case_async import KeyVaultTestCase
from crypto_client_preparer_async import CryptoClientPreparer
# without keys/get, a CryptographyClient created with a key ID performs all ops remotely
NO_GET = Permissions(
keys=[p.value for p in KeyPermissions if p.value != "get"])
class CryptoClientTests(KeyVaultTestCase):
def __init__(self, *args, **kwargs):
super().__init__(*args,
match_body=False,
custom_request_matchers=[json_attribute_matcher],
**kwargs)
plaintext = b"5063e6aaa845f150200547944fd199679c98ed6f99da0a0b2dafeaf1f4684496fd532c1c229968cb9dee44957fcef7ccef59ceda0b362e56bcd78fd3faee5781c623c0bb22b35beabde0664fd30e0e824aba3dd1b0afffc4a3d955ede20cf6a854d52cfd"
def _validate_rsa_key_bundle(self, key_attributes, vault, key_name, kty,
key_ops):
prefix = "/".join(s.strip("/") for s in [vault, "keys", key_name])
key = key_attributes.key
Sku,
SkuName,
AccessPolicyEntry,
VaultProperties,
VaultCreateOrUpdateParameters,
)
from azure_devtools.scenario_tests.exceptions import AzureTestError
from devtools_testutils import AzureMgmtPreparer, ResourceGroupPreparer
from devtools_testutils.resource_testcase import RESOURCE_GROUP_PARAM
from keys_vault_client import VaultClient
DEFAULT_PERMISSIONS = Permissions(
keys=[perm.value for perm in KeyPermissions],
secrets=[perm.value for perm in SecretPermissions],
certificates=[perm.value for perm in CertificatePermissions],
storage=[perm.value for perm in StoragePermissions],
)
DEFAULT_SKU = SkuName.premium.value
CLIENT_OID = '00000000-0000-0000-0000-000000000000'
class VaultClientPreparer(AzureMgmtPreparer):
def __init__(
self,
sku=None,
permissions=None,
enabled_for_deployment=True,
enabled_for_disk_encryption=True,
enabled_for_template_deployment=True,
enable_soft_delete=None,
def create_key_vault(
self,
keyvault_client,
resource_group_name,
key_vault_name,
region,
tenant_id,
app_object_id,
stg_principal_id,
):
"""Creates a Key Vault
:param keyvault_client: Instance of the Azure KeyVaultManagementClient.
:param resource_group_name: The name of the resource group.
:param key_vault_name: Name of the Key Vault.
:param region: location of the Key Vault.
:param tenant_id: Azure tenant Id
:param app_object_id: Object Id of the application
:param stg_principal_id: Principal Id of the Storage Account
:type keyvault_client: object
:type resource_group_name: str
:type key_vault_name: str
:type region: str
:type tenant_id: str
:type app_object_id: str
:type stg_principal_id: str
:returns: Vault object
:rtype: object
"""
access_policy_storage_account = AccessPolicyEntry(
tenant_id=tenant_id,
object_id=stg_principal_id,
permissions=Permissions(keys=[
KeyPermissions.GET,
KeyPermissions.UNWRAP_KEY,
KeyPermissions.WRAP_KEY,
], ),
)
access_policy_app = AccessPolicyEntry(
tenant_id=tenant_id,
object_id=app_object_id,
permissions=Permissions(keys=[
KeyPermissions.GET,
KeyPermissions.LIST,
KeyPermissions.CREATE,
KeyPermissions.UPDATE,
KeyPermissions.DELETE,
KeyPermissions.BACKUP,
KeyPermissions.RESTORE,
KeyPermissions.RECOVER,
], ),
)
key_vault_properties = VaultCreateOrUpdateParameters(
location=region,
tags={"Created By": "CHSS"},
properties=VaultProperties(
tenant_id=tenant_id,
sku=Sku(
family="A",
name="standard",
),
access_policies=[
access_policy_storage_account, access_policy_app
],
soft_delete_retention_in_days=90,
enabled_for_disk_encryption=False,
enabled_for_deployment=False,
enabled_for_template_deployment=False,
enable_soft_delete=True,
enable_purge_protection=True,
),
)
logging.info("creating a key vault")
logging.info("executing keyvault_client.vaults.begin_create_or_update")
logging.info(f" resource_group_name={resource_group_name}")
logging.info(f" vault_name={key_vault_name}")
vault = keyvault_client.vaults.begin_create_or_update(
resource_group_name=resource_group_name,
vault_name=key_vault_name,
parameters=key_vault_properties,
).result()
return vault
class AzureKeyVaultTestCase(AzureMgmtTestCase):
shared_vault = None
default_group = 'azkv-pytest'
default_vault = 'pytest-shared-vault'
default_permissions = Permissions(keys=[
KeyPermissions.encrypt,
KeyPermissions.decrypt,
KeyPermissions.wrap_key,
KeyPermissions.unwrap_key,
KeyPermissions.sign,
KeyPermissions.verify,
KeyPermissions.get,
KeyPermissions.list,
KeyPermissions.create,
KeyPermissions.update,
KeyPermissions.import_enum,
KeyPermissions.delete,
KeyPermissions.backup,
KeyPermissions.restore,
KeyPermissions.recover,
KeyPermissions.purge],
secrets=[
SecretPermissions.get,
SecretPermissions.list,
SecretPermissions.set,
SecretPermissions.delete,
SecretPermissions.backup,
SecretPermissions.restore,
SecretPermissions.recover,
SecretPermissions.purge],
certificates=[
CertificatePermissions.get,
CertificatePermissions.list,
CertificatePermissions.delete,
CertificatePermissions.create,
CertificatePermissions.import_enum,
CertificatePermissions.update,
CertificatePermissions.managecontacts,
CertificatePermissions.getissuers,
CertificatePermissions.listissuers,
CertificatePermissions.setissuers,
CertificatePermissions.deleteissuers,
CertificatePermissions.manageissuers,
CertificatePermissions.recover,
CertificatePermissions.purge],
storage=[
StoragePermissions.get,
StoragePermissions.list,
StoragePermissions.delete,
StoragePermissions.set,
StoragePermissions.update,
StoragePermissions.regeneratekey,
StoragePermissions.setsas,
StoragePermissions.listsas,
StoragePermissions.getsas,
StoragePermissions.deletesas])
def setUp(self):
self.working_folder = os.path.dirname(__file__)
super(AzureKeyVaultTestCase, self).setUp()
def mock_key_vault_auth_base(self, request):
challenge = HttpBearerChallenge(request.url, 'Bearer authorization=fake-url,resource=https://vault.azure.net')
self.set_authorization_header(request, challenge)
return request
self.fake_settings = fake_settings
if TestMode.is_playback(self.test_mode):
self.settings = self.fake_settings
KeyVaultAuthBase.__call__ = mock_key_vault_auth_base
else:
import tests.mgmt_settings_real as real_settings
self.settings = real_settings
self.client = self.create_keyvault_client()
self.mgmt_client = self.create_mgmt_client(azure.mgmt.keyvault.KeyVaultManagementClient)
if not self.is_playback():
self.create_resource_group()
def tearDown(self):
return super(AzureKeyVaultTestCase, self).tearDown()
def create_keyvault_client(self):
def _auth_callback(server, resource, scope):
if TestMode.is_playback(self.test_mode):
return ('Bearer', 'fake-token')
credentials = self.settings.get_credentials()
credentials.resource = resource
credentials.set_token()
return credentials.scheme, credentials.__dict__['token']['access_token']
return KeyVaultClient(KeyVaultAuthentication(_auth_callback))
def _ensure_resource_group(self, group_name):
return self.resource_client.resource_groups.create_or_update(
group_name,
{
'location': self.region
}
)
def setup_shared_vault(self):
if not self.is_playback():
self._ensure_resource_group(self.default_group)
if not AzureKeyVaultTestCase.shared_vault:
AzureKeyVaultTestCase.shared_vault = self.create_vault(self.default_group, self.default_vault)
return AzureKeyVaultTestCase.shared_vault;
def setup_private_vault(self, permissions=None, enabled_for_deployment=True, enabled_for_disk_encryption=True,
enabled_for_template_deployment=True, enable_soft_delete=None, sku=None):
vault_name = self.get_resource_name('vault-')
vault = self.create_vault(self.group_name, vault_name,
permissions=permissions,enabled_for_deployment=enabled_for_deployment,
enabled_for_template_deployment=enabled_for_template_deployment, enable_soft_delete=enable_soft_delete,
sku=sku)
return vault
def create_vault(self, group_name, vault_name, permissions=None, enabled_for_deployment=True, enabled_for_disk_encryption=True,
enabled_for_template_deployment=True, enable_soft_delete=None, sku=None):
creds = self.settings.get_credentials()
access_policies = [AccessPolicyEntry(tenant_id=self.settings.TENANT_ID,
object_id=self.settings.CLIENT_OID,
permissions=permissions or self.default_permissions)]
properties = VaultProperties(tenant_id=self.settings.TENANT_ID,
sku=Sku(sku or SkuName.premium.value),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment,
enable_soft_delete=enable_soft_delete)
parameters = VaultCreateOrUpdateParameters(location='westus',
properties=properties)
vault = self.mgmt_client.vaults.create_or_update(group_name, vault_name, parameters)
if not self.is_playback():
self.sleep(10)
return vault
def cleanup_private_vault(self, vault):
# we only need to cleanup if the vault has soft delete enabled otherwise base teardown will
# delete when the resource group is deleted
if not self.is_playback() and vault.properties.enable_soft_delete:
self.mgmt_client.vaults.delete(self.group_name, vault.name)
self.sleep(10)
self.mgmt_client.vaults.purge_deleted(vault.name, vault.location)
def _scrub_sensitive_request_info(self, request):
request = super(AzureKeyVaultTestCase, self)._scrub_sensitive_request_info(request)
# prevents URI mismatch between Python 2 and 3 if request URI has extra / chars
request.uri = re.sub('//', '/', request.uri)
request.uri = re.sub('/', '//', request.uri, count=1)
# do not record token requests
if '/oauth2/token' in request.uri:
request = None
return request
def _scrub_sensitive_response_info(self, response):
from pprint import pprint
response = super(AzureKeyVaultTestCase, self)._scrub_sensitive_response_info(response)
# ignore any 401 responses during playback
if response['status']['code'] == 401:
response = None
return response
def _scrub(self, val):
val = super(AzureKeyVaultTestCase, self)._scrub(val)
real_to_fake_dict = {
self.settings.SUBSCRIPTION_ID: self.fake_settings.SUBSCRIPTION_ID,
self.settings.AD_DOMAIN: self.fake_settings.AD_DOMAIN
}
val = self._scrub_using_dict(val, real_to_fake_dict)
return val
def create_keyvault(
cmd,
client, # pylint: disable=too-many-locals
resource_group_name,
vault_name,
location=None,
sku=None,
enabled_for_deployment=None,
enabled_for_disk_encryption=None,
enabled_for_template_deployment=None,
enable_soft_delete=None,
no_self_perms=None,
tags=None):
from azure.mgmt.keyvault.models import (
VaultCreateOrUpdateParameters, Permissions, KeyPermissions,
SecretPermissions, CertificatePermissions, StoragePermissions,
AccessPolicyEntry, Sku, VaultProperties)
from azure.cli.core._profile import Profile
from azure.graphrbac.models import GraphErrorException
from azure.graphrbac import GraphRbacManagementClient
profile = Profile(cli_ctx=cmd.cli_ctx)
cred, _, tenant_id = profile.get_login_credentials(
resource=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id
)
graph_client = GraphRbacManagementClient(
cred,
tenant_id,
base_url=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id
)
subscription = profile.get_subscription()
if no_self_perms:
access_policies = []
else:
permissions = Permissions(
keys=[
KeyPermissions.get, KeyPermissions.create,
KeyPermissions.delete, KeyPermissions.list,
KeyPermissions.update, KeyPermissions.import_enum,
KeyPermissions.backup, KeyPermissions.restore,
KeyPermissions.recover
],
secrets=[
SecretPermissions.get, SecretPermissions.list,
SecretPermissions.set, SecretPermissions.delete,
SecretPermissions.backup, SecretPermissions.restore,
SecretPermissions.recover
],
certificates=[
CertificatePermissions.get, CertificatePermissions.list,
CertificatePermissions.delete, CertificatePermissions.create,
CertificatePermissions.import_enum,
CertificatePermissions.update,
CertificatePermissions.managecontacts,
CertificatePermissions.getissuers,
CertificatePermissions.listissuers,
CertificatePermissions.setissuers,
CertificatePermissions.deleteissuers,
CertificatePermissions.manageissuers,
CertificatePermissions.recover
],
storage=[
StoragePermissions.get, StoragePermissions.list,
StoragePermissions.delete, StoragePermissions.set,
StoragePermissions.update, StoragePermissions.regeneratekey,
StoragePermissions.setsas, StoragePermissions.listsas,
StoragePermissions.getsas, StoragePermissions.deletesas
])
try:
object_id = _get_current_user_object_id(graph_client)
except GraphErrorException:
object_id = _get_object_id(graph_client, subscription=subscription)
if not object_id:
raise CLIError(
'Cannot create vault.\nUnable to query active directory for information '
'about the current user.\nYou may try the --no-self-perms flag to '
'create a vault without permissions.')
access_policies = [
AccessPolicyEntry(tenant_id=tenant_id,
object_id=object_id,
permissions=permissions)
]
properties = VaultProperties(
tenant_id=tenant_id,
sku=Sku(name=sku),
access_policies=access_policies,
vault_uri=None,
enabled_for_deployment=enabled_for_deployment,
enabled_for_disk_encryption=enabled_for_disk_encryption,
enabled_for_template_deployment=enabled_for_template_deployment,
enable_soft_delete=enable_soft_delete)
parameters = VaultCreateOrUpdateParameters(location=location,
tags=tags,
properties=properties)
return client.create_or_update(resource_group_name=resource_group_name,
vault_name=vault_name,
parameters=parameters)
def test_create_kafka_cluster_with_disk_encryption(self, resource_group, location, storage_account,
storage_account_key, vault):
# create managed identities for Azure resources.
msi_name = self.get_resource_name('hdipyuai')
msi_principal_id = "00000000-0000-0000-0000-000000000000"
msi_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/{}/providers/microsoft.managedidentity/userassignedidentities/{}".format(
resource_group.name, msi_name)
if self.is_live:
msi = self.msi_client.user_assigned_identities.create_or_update(resource_group.name, msi_name, location)
msi_id = msi.id
msi_principal_id = msi.principal_id
# add managed identity to vault
required_permissions = Permissions(
keys=[KeyPermissions.get, KeyPermissions.wrap_key, KeyPermissions.unwrap_key],
secrets=[SecretPermissions.get, SecretPermissions.set, SecretPermissions.delete])
vault.properties.access_policies.append(
AccessPolicyEntry(tenant_id=self.tenant_id,
object_id=msi_principal_id,
permissions=required_permissions)
)
update_params = VaultCreateOrUpdateParameters(location=location,
properties=vault.properties)
vault = self.vault_mgmt_client.vaults.begin_create_or_update(resource_group.name, vault.name,
update_params).result()
self.assertIsNotNone(vault)
# create keyclient
key_client_credential = self.settings.get_azure_core_credentials(scope="https://vault.azure.net/.default")
self.vault_client = KeyClient(vault_url=vault.properties.vault_uri, credential=key_client_credential)
# create key
key_name = self.get_resource_name('hdipykey1')
vault_key = self.vault_client.create_key(key_name, 'RSA')
# create a new key for test rotate
new_key_name = self.get_resource_name('hdipykey2')
new_vault_key = self.vault_client.create_key(new_key_name, 'RSA')
# create HDInsight cluster with Kafka disk encryption
rg_name = resource_group.name
cluster_name = self.get_resource_name('hdisdk-kafka-byok')
create_params = self.get_cluster_create_params(location, cluster_name, storage_account, storage_account_key)
create_params.properties.cluster_definition.kind = 'Kafka'
workernode = next(item for item in create_params.properties.compute_profile.roles if item.name == 'workernode')
workernode.data_disks_groups = [
DataDisksGroups(
disks_per_node=8
)
]
create_params.identity = ClusterIdentity(
type=ResourceIdentityType.user_assigned,
user_assigned_identities={msi_id: ClusterIdentityUserAssignedIdentitiesValue()}
)
create_params.properties.disk_encryption_properties = DiskEncryptionProperties(
vault_uri=vault_key.properties.vault_url,
key_name=vault_key.name,
key_version=vault_key.properties.version,
msi_resource_id=msi_id
)
cluster = self.hdinsight_client.clusters.begin_create(resource_group.name, cluster_name, create_params).result()
self.validate_cluster(cluster_name, create_params, cluster)
# check disk encryption properties
self.assertIsNotNone(cluster.properties.disk_encryption_properties)
self.assertEqual(create_params.properties.disk_encryption_properties.vault_uri,
cluster.properties.disk_encryption_properties.vault_uri)
self.assertEqual(create_params.properties.disk_encryption_properties.key_name,
cluster.properties.disk_encryption_properties.key_name)
self.assertEqual(create_params.properties.disk_encryption_properties.msi_resource_id.lower(),
cluster.properties.disk_encryption_properties.msi_resource_id.lower())
rotate_params = ClusterDiskEncryptionParameters(
vault_uri=new_vault_key.properties.vault_url,
key_name=new_vault_key.name,
key_version=new_vault_key.properties.version
)
# rotate cluster key
self.hdinsight_client.clusters.rotate_disk_encryption_key(rg_name, cluster_name, rotate_params).wait()
cluster = self.hdinsight_client.clusters.get(rg_name, cluster_name)
# check disk encryption properties
self.assertIsNotNone(cluster.properties.disk_encryption_properties)
self.assertEqual(rotate_params.vault_uri, cluster.properties.disk_encryption_properties.vault_uri)
self.assertEqual(rotate_params.key_name, cluster.properties.disk_encryption_properties.key_name)
self.assertEqual(msi_id.lower(), cluster.properties.disk_encryption_properties.msi_resource_id.lower())
