def _validate(ns):
from azure.keyvault.key_vault_id import KeyVaultIdentifier
pure_entity_type = entity_type.replace('deleted', '')
name = getattr(ns, pure_entity_type + '_name', None)
vault = getattr(ns, 'vault_base_url', None)
if not vault:
vault = getattr(ns, 'hsm_name', None)
identifier = getattr(ns, 'identifier', None)
if identifier:
vault_base_url = getattr(ns, 'vault_base_url', None)
hsm_name = getattr(ns, 'hsm_name', None)
if vault_base_url:
raise CLIError('--vault-name and --id are mutually exclusive.')
if hsm_name:
raise CLIError('--hsm-name and --id are mutually exclusive.')
ident = KeyVaultIdentifier(uri=identifier,
collection=entity_type + 's')
setattr(ns, pure_entity_type + '_name', ident.name)
setattr(ns, 'vault_base_url', ident.vault)
if ident.version and hasattr(ns, pure_entity_type + '_version'):
setattr(ns, pure_entity_type + '_version', ident.version)
elif not (name and vault):
raise CLIError(
'incorrect usage: --id ID | --vault-name/--hsm-name VAULT/HSM '
'--name/-n NAME [--version VERSION]')
def __read_kv_from_app_service(cmd, appservice_account, prefix_to_add="", content_type=None):
try:
key_values = []
from azure.cli.command_modules.appservice.custom import get_app_settings
settings = get_app_settings(
cmd, resource_group_name=appservice_account["resource_group"], name=appservice_account["name"], slot=None)
for item in settings:
key = prefix_to_add + item['name']
if validate_import_key(key):
tags = {'AppService:SlotSetting': str(item['slotSetting']).lower()} if item['slotSetting'] else {}
value = item['value']
# Value will look like one of the following if it is a KeyVault reference:
# @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
# @Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=ec96f02080254f109c51a1f14cdb1931)
if value and value.strip().lower().startswith(KeyVaultConstants.APPSVC_KEYVAULT_PREFIX.lower()):
try:
# Strip all whitespaces from value string.
# Valid values of SecretUri, VaultName, SecretName or SecretVersion will never have whitespaces.
value = value.replace(" ", "")
appsvc_value_dict = dict(x.split('=') for x in value[len(KeyVaultConstants.APPSVC_KEYVAULT_PREFIX) + 1: -1].split(';'))
appsvc_value_dict = {k.lower(): v for k, v in appsvc_value_dict.items()}
secret_identifier = appsvc_value_dict.get('secreturi')
if not secret_identifier:
# Construct secreturi
vault_name = appsvc_value_dict.get('vaultname')
secret_name = appsvc_value_dict.get('secretname')
secret_version = appsvc_value_dict.get('secretversion')
secret_identifier = "https://{0}.vault.azure.net/secrets/{1}/{2}".format(vault_name, secret_name, secret_version)
try:
from azure.keyvault.key_vault_id import KeyVaultIdentifier
# this throws an exception for invalid format of secret identifier
KeyVaultIdentifier(uri=secret_identifier)
kv = KeyValue(key=key,
value=json.dumps({"uri": secret_identifier}, ensure_ascii=False, separators=(',', ':')),
tags=tags,
content_type=KeyVaultConstants.KEYVAULT_CONTENT_TYPE)
key_values.append(kv)
continue
except (TypeError, ValueError) as e:
logger.debug(
'Exception while validating the format of KeyVault identifier. Key "%s" with value "%s" will be treated like a regular key-value.\n%s', key, value, str(e))
except (AttributeError, TypeError, ValueError) as e:
logger.debug(
'Key "%s" with value "%s" is not a well-formatted KeyVault reference. It will be treated like a regular key-value.\n%s', key, value, str(e))
elif content_type and __is_json_content_type(content_type):
# If appservice values are being imported with JSON content type,
# we need to validate that values are in valid JSON format.
try:
json.loads(value)
except ValueError:
raise CLIError('Value "{}" for key "{}" is not a valid JSON object, which conflicts with the provided content type "{}".'.format(value, key, content_type))
kv = KeyValue(key=key, value=value, tags=tags)
key_values.append(kv)
return key_values
except Exception as exception:
raise CLIError("Failed to read key-values from appservice.\n" + str(exception))
def validate_secret_identifier(namespace):
""" Validate the format of keyvault reference secret identifier """
from azure.keyvault.key_vault_id import KeyVaultIdentifier
identifier = getattr(namespace, 'secret_identifier', None)
try:
# this throws an exception for invalid format of secret identifier
KeyVaultIdentifier(uri=identifier)
except Exception as e:
raise CLIError("Received an exception while validating the format of secret identifier.\n{0}".format(str(e)))
def _validate(ns):
from azure.keyvault.key_vault_id import KeyVaultIdentifier
name = getattr(ns, entity_type.replace('deleted', '') + '_name', None)
vault = getattr(ns, 'vault_base_url', None)
identifier = getattr(ns, 'identifier', None)
if identifier:
ident = KeyVaultIdentifier(uri=identifier, collection=entity_type + 's')
setattr(ns, entity_type + '_name', ident.name)
setattr(ns, 'vault_base_url', ident.vault)
if hasattr(ns, entity_type + '_version'):
setattr(ns, entity_type + '_version', ident.version)
elif not (name and vault):
raise CLIError('incorrect usage: --id ID | --vault-name VAULT --name NAME [--version VERSION]')
