def create_resource(self, name, **kwargs): self.client_oid = self.test_class_instance.set_value_to_scrub( "CLIENT_OID", CLIENT_OID) if self.is_live: group = self._get_resource_group(**kwargs).name access_policies = [ AccessPolicyEntry( tenant_id=self.test_class_instance.get_settings_value( "TENANT_ID"), object_id=self.client_oid, permissions=self.permissions, ) ] properties = VaultProperties( tenant_id=self.test_class_instance.get_settings_value( "TENANT_ID"), sku=Sku(name=self.sku, family=SkuFamily.A) if SkuFamily else Sku(name=self.sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=self.enabled_for_deployment, enabled_for_disk_encryption=self.enabled_for_disk_encryption, enabled_for_template_deployment=self. enabled_for_template_deployment, enable_soft_delete=self.enable_soft_delete, enable_purge_protection=None, ) parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties) self.client = self.create_mgmt_client(KeyVaultManagementClient) # ARM may return not found at first even though the resource group has been created retries = 4 for i in range(retries): try: vault = self.client.vaults.begin_create_or_update( group, name, parameters).result() break except Exception as ex: if "VaultAlreadyExists" in str(ex): raise NameInUseError(name) if "ReservedResourceName" in str(ex): raise ReservedResourceNameError(name) if "ResourceGroupNotFound" not in str( ex) or i == retries - 1: raise time.sleep(3) self.test_class_instance.scrubber.register_name_pair( name, self.resource_moniker) vault_uri = vault.properties.vault_uri else: # playback => we need only the uri used in the recording vault_uri = "https://{}.vault.azure.net/".format(name) return {self.parameter_name: vault_uri}
def create_resource(self, name, **kwargs): if self.is_live: # create a vault with the management client group = self._get_resource_group(**kwargs).name access_policies = [ AccessPolicyEntry( tenant_id=self.test_class_instance.settings.TENANT_ID, object_id=self.test_class_instance.settings.CLIENT_OID, permissions=self.permissions, ) ] properties = VaultProperties( tenant_id=self.test_class_instance.settings.TENANT_ID, sku=Sku(name=self.sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=self.enabled_for_deployment, enabled_for_disk_encryption=self.enabled_for_disk_encryption, enabled_for_template_deployment=self.enabled_for_template_deployment, enable_soft_delete=self.enable_soft_delete, enable_purge_protection=None, ) parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties) self.management_client = self.create_mgmt_client(KeyVaultManagementClient) vault = self.management_client.vaults.create_or_update(group, name, parameters).result() vault_uri = vault.properties.vault_uri else: # playback => we need only the uri used in the recording vault_uri = "https://{}.vault.azure.net/".format(name) vault_credentials = self.test_class_instance.settings.get_credentials(resource="https://vault.azure.net") client = VaultClient(vault_uri, vault_credentials) return {self.parameter_name: client}
def create_vault(self): self.keyvault_mgmt_client.vaults.create_or_update() vault_name = KeyVaultSample.get_unique_name() permissions = Permissions() permissions.keys = [KeyPermissions.all] permissions.secrets = [SecretPermissions.all] permissions.certificates = [CertificatePermissions.all] policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions) properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), policies=[policy]) parameters = VaultCreateOrUpdateParameters(self.config.location, properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_namne, vault_name, parameters) return vault
def _get_params(self): """Build the vault parameters block.""" oid = _user_oid(self.auth_client.legacy.token) sec_perms_all = [perm.value for perm in SecretPermissions] key_perms_all = [perm.value for perm in KeyPermissions] cert_perms_all = [perm.value for perm in CertificatePermissions] permissions = Permissions() permissions.keys = key_perms_all permissions.secrets = sec_perms_all permissions.certificates = cert_perms_all policy = AccessPolicyEntry(tenant_id=self.tenant_id, object_id=oid, permissions=permissions) properties = VaultProperties( tenant_id=self.tenant_id, sku=Sku(name="standard", family="A"), access_policies=[policy], ) parameters = VaultCreateOrUpdateParameters(location=self.azure_region, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True return parameters
def test_remediate_soft_delete_none(self): client = Mock() action = KeyVaultIsRecoverable() client.vaults.get.return_value = Vault( location="westus", id= "/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/resgroup/providers/Microsoft.KeyVault/vaults/clarity1", name="clarity1", properties=VaultProperties( tenant_id="bhH874fgjeKJiphFGH873", sku=Sku( family="A", name="standard", ), enable_soft_delete=None, enable_purge_protection=None, ), ) assert action.remediate(client, "resource_group_name", "key_vault_name") == 0 assert client.vaults.update.call_count == 1 call_args = client.vaults.update.call_args updated_parameters = call_args[1]["parameters"] assert updated_parameters.properties.enable_soft_delete is True assert updated_parameters.properties.enable_purge_protection is True assert client.vaults.get.call_count == 1
def create_keyvault(client, resource_group_name, vault_name, location=None, sku=SkuName.standard.value, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, no_self_perms=None, tags=None): from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters from azure.cli.core._profile import Profile, CLOUD from azure.graphrbac.models import GraphErrorException profile = Profile() cred, _, tenant_id = profile.get_login_credentials( resource=CLOUD.endpoints.active_directory_graph_resource_id) graph_client = GraphRbacManagementClient( cred, tenant_id, base_url=CLOUD.endpoints.active_directory_graph_resource_id) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: permissions = Permissions(keys=[ KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete, KeyPermissions.list, KeyPermissions.update, KeyPermissions.import_enum, KeyPermissions.backup, KeyPermissions.restore ], secrets=[SecretPermissions.all], certificates=[CertificatePermissions.all]) try: object_id = _get_current_user_object_id(graph_client) except GraphErrorException: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError( 'Cannot create vault.\nUnable to query active directory for information ' 'about the current user.\nYou may try the --no-self-perms flag to ' 'create a vault without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def create_resource(self, name, **kwargs): self.client_oid = self.test_class_instance.set_value_to_scrub( 'CLIENT_OID', CLIENT_OID) group = self._get_resource_group(**kwargs).name access_policies = [ AccessPolicyEntry( tenant_id=self.test_class_instance.settings.TENANT_ID, object_id=self.client_oid, permissions=self.permissions) ] properties = VaultProperties( tenant_id=self.test_class_instance.settings.TENANT_ID, sku=Sku(name=self.sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=self.enabled_for_deployment, enabled_for_disk_encryption=self.enabled_for_disk_encryption, enabled_for_template_deployment=self. enabled_for_template_deployment, enable_soft_delete=self.enable_soft_delete, enable_purge_protection=None) if self.is_live: self.client = self.create_mgmt_client(KeyVaultManagementClient) parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties) self.resource = self.client.vaults.create_or_update( group, name, parameters).result() else: properties.vault_uri = 'https://{}.vault.azure.net/'.format(name) self.resource = FakeVault(name=name, location=self.location, properties=properties) return {self.parameter_name: self.resource}
def create(self): secret_permissions = ['all'] permissions = Permissions(secrets=secret_permissions) access_policy = AccessPolicyEntry( tenant_id=self.config.tenant_id, object_id=self.config.client_object_id, permissions=permissions) sku = Sku(name="standard") properties = VaultProperties(tenant_id=self.config.tenant_id, sku=sku, access_policies=[access_policy]) vault_paramerters = VaultCreateOrUpdateParameters( location="eastus", properties=properties) client = self._get_kv_client() result = client.vaults.create_or_update( resource_group_name=self.config.resource_group_name, vault_name=self.config.key_vault_name, parameters=vault_paramerters) _poll_for_complete(result)
def create_vault(self): """ Creates a new key vault with a unique name, granting full permissions to the current credentials :return: a newly created key vault :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ vault_name = get_name('vault') # setup vault permissions for the access policy for the sample service principle permissions = Permissions() permissions.keys = KEY_PERMISSIONS_ALL permissions.secrets = SECRET_PERMISSIONS_ALL permissions.certificates = CERTIFICATE_PERMISSIONS_ALL policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions) properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), access_policies=[policy]) parameters = VaultCreateOrUpdateParameters(self.config.location, properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True print('creating vault {}'.format(vault_name)) vault = self.keyvault_mgmt_client.vaults.create_or_update(self.config.group_name, vault_name, parameters) # wait for vault DNS entry to be created # see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172 self._poll_for_vault_connection(vault.properties.vault_uri) print('created vault {} {}'.format(vault_name, vault.properties.vault_uri)) return vault
def _add_vault(self): name = input('\nenter vault name:') all_perms = Permissions() all_perms.keys = [KeyPermissions.all] all_perms.secrets = [SecretPermissions.all] all_perms.certificates = [CertificatePermissions.all] user_policy = AccessPolicyEntry(self._config.tenant_id, self._config.user_oid, all_perms) app_policy = AccessPolicyEntry(CLIENT_TENANT_ID, CLIENT_OID, all_perms) access_policies = [user_policy, app_policy] properties = VaultProperties(self._config.tenant_id, Sku(name='standard'), access_policies) properties.enabled_for_deployment = True properties.enabled_for_disk_encryption = True properties.enabled_for_template_deployment = True vault = VaultCreateOrUpdateParameters(self._config.location, properties) self._mgmt_client.vaults.create_or_update(self._config.resource_group, name, vault) print('vault %s created\n' % name)
def create_vault(self): """ Creates a new key vault with a unique name, granting full permissions to the current credentials :return: a newly created key vault :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ vault_name = KeyVaultSampleBase.get_unique_name() permissions = Permissions() permissions.keys = [KeyPermissions.all] permissions.secrets = [SecretPermissions.all] permissions.certificates = [CertificatePermissions.all] policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions) properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), policies=[policy]) parameters = VaultCreateOrUpdateParameters(self.config.location, properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_namne, vault_name, parameters) return vault
def deleted_vault_recovery(self): """ a sample of enumerating, retrieving, recovering and purging deleted key vaults """ # create vaults enabling the soft delete feature on each vault_to_recover = self.create_vault() self._enable_soft_delete_for_vault(vault_to_recover) vault_to_purge = self.create_vault() self._enable_soft_delete_for_vault(vault_to_purge) print('created vaults {} and {}'.format(vault_to_recover.name, vault_to_purge.name)) # delete the vaults self.keyvault_mgmt_client.vaults.delete(self.config.group_name, vault_to_recover.name) self._wait_on_delete_completed(None, 'vault', vault_to_recover.name) print('Deleted vault: {}'.format(vault_to_recover.name)) self.keyvault_mgmt_client.vaults.delete(self.config.group_name, vault_to_purge.name) self._wait_on_delete_completed(None, 'vault', vault_to_purge.name) print('Deleted vault: {}'.format(vault_to_purge.name)) # list the deleted vaults deleted_vaults = self.keyvault_mgmt_client.vaults.list_deleted() print('Deleted Vaults: \n{}'.format(self._serialize(deleted_vaults))) # get the details of a specific deleted vault deleted_info = self.keyvault_mgmt_client.vaults.get_deleted( vault_to_recover.name, vault_to_recover.location) print('Deleted vault info for vault: {}\n{}'.format( vault_to_recover.name, deleted_info)) # to restore the vault simply supply the group, location, and name and set the 'create_mode' vault property to 'recover' # setting this property will cause other properties passed to create_or_update to be ignored and will simply # restore the vault in the state it was when it was deleted recovery_properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(SkuName.standard.name), access_policies=[], create_mode='recover') recovery_parameters = VaultCreateOrUpdateParameters( deleted_info.properties.location, recovery_properties) recovered = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_name, deleted_info.name, recovery_parameters) print('Recovered vault: {}'.format(recovered.name)) # list the deleted vaults again only the vault we intend to purge is still deleted deleted_vaults = self.keyvault_mgmt_client.vaults.list_deleted() print('Deleted Vaults: \n{}'.format(self._serialize(deleted_vaults))) # purge the last deleted vault self.keyvault_mgmt_client.vaults.purge_deleted(vault_to_purge.name, vault_to_purge.location) print('Purged vault: {}'.format(vault_to_recover.name)) # verify no deleted vaults remain deleted_vaults = self.keyvault_mgmt_client.vaults.list_deleted() print('Deleted Vaults: \n{}'.format(self._serialize(deleted_vaults)))
def create_keyvault( client, resource_group_name, vault_name, location, #pylint:disable=too-many-arguments sku=SkuName.standard.value, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, no_self_perms=False, tags=None): from azure.cli.core._profile import Profile profile = Profile() cred, _, tenant_id = profile.get_login_credentials( resource=get_env()[ENDPOINT_URLS.ACTIVE_DIRECTORY_GRAPH_RESOURCE_ID]) graph_client = GraphRbacManagementClient(cred, tenant_id) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: permissions = Permissions(keys=[ KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete, KeyPermissions.list, KeyPermissions.update, KeyPermissions.import_enum, KeyPermissions.backup, KeyPermissions.restore ], secrets=[SecretPermissions.all], certificates=[CertificatePermissions.all]) object_id = _get_current_user_object_id(graph_client) if not object_id: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError('Cannot create vault.\n' 'Unable to query active directory for information '\ 'about the current user.\n' 'You may try the --no-self-perms flag to create a vault'\ ' without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def create_keyvault( client, resource_group_name, vault_name, location, #pylint:disable=too-many-arguments sku=SkuName.standard.value, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, no_self_perms=False, tags=None): from azure.cli.core._profile import Profile profile = Profile() cred, _, tenant_id = profile.get_login_credentials(for_graph_client=True) graph_client = GraphRbacManagementClient(cred, tenant_id) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: # TODO Use the enums instead of strings when new keyvault SDK is released # https://github.com/Azure/azure-sdk-for-python/blob/dev/azure-mgmt-keyvault/ # azure/mgmt/keyvault/models/key_vault_management_client_enums.py permissions = Permissions(keys=[ 'get', 'create', 'delete', 'list', 'update', 'import', 'backup', 'restore' ], secrets=['all']) object_id = _get_current_user_object_id(graph_client) if not object_id: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError('Cannot create vault.\n' 'Unable to query active directory for information '\ 'about the current user.\n' 'You may try the --no-self-perms flag to create a vault'\ ' without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def test_remediate_with_keyvault(self): graph_client = Mock() storage_client = Mock() keyvault_client = Mock() monitor_client = Mock() credentials = Mock() client_id = Mock() tenant_id = Mock() action = StorageAccountNotEncryptedWithCmk() action.create_key = Mock() action.check_key_vault = Mock() action.update_key_vault_access_policy = Mock() action.update_storage_account_encryption = Mock() action.ensure_identity_assigned = Mock() action.create_key.return_value = KeyVaultKey( key_id="https://stg-keyvault-rem.vault.azure.net/keys/rem-key1/0d7a89bd1f8447b4b65ce962212476b0", name="rem-key1", ) action.ensure_identity_assigned.return_value = ( "139bcf82-e14e-4773-bcf4-1da136674792" ) action.check_key_vault.return_value = Vault( id="/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/kshrutika-1/providers/Microsoft.KeyVault/vaults/stg-keyvault-rem", name="stg-keyvault-rem", properties=VaultProperties( tenant_id=tenant_id, sku=Sku(family="A", name="standard"), vault_uri="https://stg-keyvault-rem.vault.azure.net", ), ) assert ( action.remediate( monitor_client, graph_client, storage_client, keyvault_client, client_id, tenant_id, credentials, "resource_group_name", "account-name", "region", "subscription_id", ) == 0 ) assert action.ensure_identity_assigned.call_count == 1 assert action.check_key_vault.call_count == 1 assert action.create_key.call_count == 1 assert action.update_key_vault_access_policy.call_count == 1 assert action.update_storage_account_encryption.call_count == 1
def create_vault_with_network(self): """ Creates a key vault with network access limited by a NetworkRuleSet """ vault_name = get_name('vault') # setup vault permissions for the access policy for the sample service principle permissions = Permissions(keys=KEY_PERMISSIONS_ALL, secrets=SECRET_PERMISSIONS_ALL, certificates=CERTIFICATE_PERMISSIONS_ALL, storage=STORAGE_PERMISSIONS_ALL) policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=self.config.client_oid, permissions=permissions) # Network ACL definitions # The only action supported for virtual network and IP rules is "allow". # To deny an address, set the default action to 'deny' and do not explicitly allow the address. network_acls = NetworkRuleSet( # allow bypass of network ACL rules by other azure services. Valid values are azure_services or none bypass=NetworkRuleBypassOptions.azure_services, # the action to take if access attempt doesn't match any rule. Valid values are allow or deny default_action=NetworkRuleAction.deny, # IP rules (allowed IPv4 addresses / ranges) ip_rules=[IPRule(value='0.0.0.0/0') ], # Allow access from a IP address range # Virtual network rules(Allows access to Azure Virtual Networks by their Azure Resource ID) virtual_network_rules=[ # To specifically allow access to a vnet, uncomment the line below and replace the id with the correct # resource id for your vnet # VirtualNetworkRule(id='/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1') ]) properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(name='standard'), access_policies=[policy], network_acls=network_acls) parameters = VaultCreateOrUpdateParameters( location=self.config.location, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True print('creating vault {}'.format(vault_name)) self.vault = self.mgmt_client.vaults.create_or_update( resource_group_name=self.config.group_name, vault_name=vault_name, parameters=parameters).result()
def create_resource(self, name, **kwargs): self.client_oid = self.test_class_instance.set_value_to_scrub( 'CLIENT_OID', CLIENT_OID) if self.is_live: # create a vault with the management client group = self._get_resource_group(**kwargs).name access_policies = [ AccessPolicyEntry( tenant_id=self.test_class_instance.settings.TENANT_ID, object_id=self.client_oid, permissions=self.permissions, ) ] properties = VaultProperties( tenant_id=self.test_class_instance.settings.TENANT_ID, sku=Sku(name=self.sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=self.enabled_for_deployment, enabled_for_disk_encryption=self.enabled_for_disk_encryption, enabled_for_template_deployment=self. enabled_for_template_deployment, enable_soft_delete=self.enable_soft_delete, enable_purge_protection=None, ) parameters = VaultCreateOrUpdateParameters(location=self.location, properties=properties) self.management_client = self.create_mgmt_client( KeyVaultManagementClient) # ARM may return not found at first even though the resource group has been created retries = 4 for i in range(retries): try: vault = self.management_client.vaults.create_or_update( group, name, parameters).result() except Exception as ex: if "ResourceGroupNotFound" not in str( ex) or i == retries - 1: raise time.sleep(3) vault_uri = vault.properties.vault_uri else: # playback => we need only the uri used in the recording vault_uri = "https://{}.vault.azure.net/".format(name) client = self.create_vault_client(vault_uri) return {self.parameter_name: client}
def test_remediate_success_without_stg_without_keyvault(self): client_id = Mock() tenant_id = Mock() storage_client = Mock() keyvault_client = Mock() monitor_client = Mock() graph_client = Mock() credentials = Mock() action = EnableKeyVaultLogging() action.check_stg_account = Mock() action.check_key_vault = Mock() action.create_key = Mock() action.create_key_vault = Mock() action.create_diagnostic_setting = Mock() action.create_storage_account = Mock() action.create_key_vault.return_value = Vault( id= "/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/kshrutika-1/providers/Microsoft.KeyVault/vaults/stg-keyvault-rem", name="stg-keyvault-rem", properties=VaultProperties( tenant_id=tenant_id, sku=Sku(family="A", name="standard"), vault_uri="https://stg-keyvault-rem.vault.azure.net", ), ) action.create_key.return_value = KeyVaultKey( key_id= "https://stg-keyvault-rem.vault.azure.net/keys/rem-key1/0d7a89bd1f8447b4b65ce962212476b0", name="rem-key1", ) action.check_stg_account.return_value = None action.check_key_vault.return_value = None assert (action.remediate( client_id, tenant_id, keyvault_client, monitor_client, storage_client, graph_client, credentials, "resource_group", "key_vault_name", "region", "subscription_id", ) == 0) assert action.create_diagnostic_setting.call_count == 2 assert action.create_storage_account.call_count == 1 assert action.create_key_vault.call_count == 1 assert action.create_key.call_count == 1
def recover_keyvault(client, vault_name, resource_group_name, location): from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters, CreateMode from azure.cli.core._profile import Profile, CLOUD profile = Profile() _, _, tenant_id = profile.get_login_credentials( resource=CLOUD.endpoints.active_directory_graph_resource_id) params = VaultCreateOrUpdateParameters(location, properties={'tenant_id': tenant_id, 'sku': Sku(name=SkuName.standard.value), 'create_mode': CreateMode.recover.value}) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=params)
def get_sample_vault(self): """ Creates a new key vault with a unique name, granting full permissions to the current credentials :return: a newly created key vault :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ if not self.config.vault: keyvault_mgmt_client = KeyVaultManagementClient( self.mgmt_client_creds, self.config.subscription_id) if self.config.vault_name: vault = keyvault_mgmt_client.vaults.get( resource_group_name=self.config.group_name, vault_name=self.config.vault_name) else: vault_name = get_name('vault') # setup vault permissions for the access policy for the sample service principle permissions = Permissions( keys=KEY_PERMISSIONS_ALL, secrets=SECRET_PERMISSIONS_ALL, certificates=CERTIFICATE_PERMISSIONS_ALL, storage=STORAGE_PERMISSIONS_ALL) policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=self.config.client_oid, permissions=permissions) properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(name='standard'), access_policies=[policy]) parameters = VaultCreateOrUpdateParameters( location=self.config.location, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True print('creating vault {}'.format(vault_name)) vault = keyvault_mgmt_client.vaults.create_or_update( resource_group_name=self.config.group_name, vault_name=vault_name, parameters=parameters).result() self.config.vault = vault return self.config.vault
def create_soft_delete_enabled_vault(self): """ creates a key vault which has soft delete enabled so that the vault as well as all of its keys, certificates and secrets are recoverable """ vault_name = get_name('vault') permissions = Permissions() permissions.keys = KEY_PERMISSIONS_ALL permissions.secrets = SECRET_PERMISSIONS_ALL permissions.certificates = CERTIFICATE_PERMISSIONS_ALL policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=self.config.client_oid, permissions=permissions) properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(name='standard'), access_policies=[policy]) parameters = VaultCreateOrUpdateParameters( location=self.config.location, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True # this vault property controls whether recovery functionality is available on the vault itself as well as # all keys, certificates and secrets in the vault as well # NOTE: This value should only None or True, setting the value to false will cause a service validation error # once soft delete has been enabled on the vault it cannot be disabled parameters.properties.enable_soft_delete = True print('creating soft delete enabled vault: {}'.format(vault_name)) # create the vault vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_name, vault_name, parameters) # wait for vault DNS entry to be created # see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172 self._poll_for_vault_connection(vault.properties.vault_uri) print('vault {} created enable_soft_delete={}'.format( vault.name, vault.properties.enable_soft_delete))
def create_recoverable_vault_sample(self): """ Provides a sample for creating a key vault which has recovery enable so that the vault as well as all of its keys, certificates and secrets are recoverable :return: a key vault which has been created with recovery enabled :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ self.setup_sample() vault_name = KeyVaultSampleBase.get_unique_name() permissions = Permissions() permissions.keys = [KeyPermissions.all] permissions.secrets = [SecretPermissions.all] permissions.certificates = [CertificatePermissions.all] policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions) properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), policies=[policy]) parameters = VaultCreateOrUpdateParameters(self.config.location, properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True # this vault property controls whether recovery functionality is available on the vault itself as well as # all keys, certificates and secrets in the vault as well parameters.properties.enable_soft_delete = True # create the vault vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_name, vault_name, parameters) print(vault) return vault
def create_vault(self, group_name, vault_name, permissions=None, enabled_for_deployment=True, enabled_for_disk_encryption=True, enabled_for_template_deployment=True, enable_soft_delete=None, sku=None): creds = self.settings.get_credentials() access_policies = [AccessPolicyEntry(tenant_id=self.settings.TENANT_ID, object_id=self.settings.CLIENT_OID, permissions=permissions or self.default_permissions)] properties = VaultProperties(tenant_id=self.settings.TENANT_ID, sku=Sku(sku or SkuName.premium.value), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment, enable_soft_delete=enable_soft_delete) parameters = VaultCreateOrUpdateParameters(location='westus', properties=properties) vault = self.mgmt_client.vaults.create_or_update(group_name, vault_name, parameters) if not self.is_playback(): self.sleep(10) return vault
def create_key_vault( self, keyvault_client, resource_group_name, key_vault_name, region, tenant_id, app_object_id, stg_principal_id, ): """Creates a Key Vault :param keyvault_client: Instance of the Azure KeyVaultManagementClient. :param resource_group_name: The name of the resource group. :param key_vault_name: Name of the Key Vault. :param region: location of the Key Vault. :param tenant_id: Azure tenant Id :param app_object_id: Object Id of the application :param stg_principal_id: Principal Id of the Storage Account :type keyvault_client: object :type resource_group_name: str :type key_vault_name: str :type region: str :type tenant_id: str :type app_object_id: str :type stg_principal_id: str :returns: Vault object :rtype: object """ access_policy_storage_account = AccessPolicyEntry( tenant_id=tenant_id, object_id=stg_principal_id, permissions=Permissions(keys=[ KeyPermissions.GET, KeyPermissions.UNWRAP_KEY, KeyPermissions.WRAP_KEY, ], ), ) access_policy_app = AccessPolicyEntry( tenant_id=tenant_id, object_id=app_object_id, permissions=Permissions(keys=[ KeyPermissions.GET, KeyPermissions.LIST, KeyPermissions.CREATE, KeyPermissions.UPDATE, KeyPermissions.DELETE, KeyPermissions.BACKUP, KeyPermissions.RESTORE, KeyPermissions.RECOVER, ], ), ) key_vault_properties = VaultCreateOrUpdateParameters( location=region, tags={"Created By": "CHSS"}, properties=VaultProperties( tenant_id=tenant_id, sku=Sku( family="A", name="standard", ), access_policies=[ access_policy_storage_account, access_policy_app ], soft_delete_retention_in_days=90, enabled_for_disk_encryption=False, enabled_for_deployment=False, enabled_for_template_deployment=False, enable_soft_delete=True, enable_purge_protection=True, ), ) logging.info("creating a key vault") logging.info("executing keyvault_client.vaults.begin_create_or_update") logging.info(f" resource_group_name={resource_group_name}") logging.info(f" vault_name={key_vault_name}") vault = keyvault_client.vaults.begin_create_or_update( resource_group_name=resource_group_name, vault_name=key_vault_name, parameters=key_vault_properties, ).result() return vault
def test_remediate_without_stg_without_keyvault(self): client = Mock() client_authorization = Mock() client_storage = Mock() keyvault_client = Mock() monitor_client = Mock() graph_client = Mock() credentials = Mock() client_id = Mock() tenant_id = Mock() action = SqlServerEnableBlobAuditingPolicy() action.create_key = Mock() action.create_key_vault = Mock() action.check_key_vault = Mock() action.check_stg_account = Mock() action.update_storage_account_encryption = Mock() action.create_diagnostic_setting = Mock() action.create_storage_account = Mock() action.ensure_identity_assigned = Mock() action.create_role_assignment = Mock() action.create_server_blob_auditing_policy = Mock() identity = Identity( principal_id="139bcf82-e14e-4773-bcf4-1da136674792", type="SystemAssigned", tenant_id="b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0", ) action.ensure_identity_assigned.return_value = ( "139bcf82-e14e-4773-bcf4-1da136674792") action.create_key_vault.return_value = Vault( id= "/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/kshrutika-1/providers/Microsoft.KeyVault/vaults/stg-keyvault-rem", name="stg-keyvault-rem", properties=VaultProperties( tenant_id=tenant_id, sku=Sku(family="A", name="standard"), vault_uri="https://stg-keyvault-rem.vault.azure.net", ), ) action.create_key.return_value = KeyVaultKey( key_id= "https://stg-keyvault-rem.vault.azure.net/keys/rem-key1/0d7a89bd1f8447b4b65ce962212476b0", name="rem-key1", ) action.create_storage_account.return_value = StorageAccount( id= "/subscriptions/d687b1a3-9b78-43b1-a17b-7de297fd1fce/resourceGroups/accelerators-team-resources/providers/Microsoft.Sql/servers/remserver5", name="remstg5", type="Microsoft.Storage/storageAccounts", location="eastus", identity=identity, ) action.check_stg_account.return_value = None action.check_key_vault.return_value = None assert (action.remediate( client_id, tenant_id, credentials, client, client_storage, keyvault_client, graph_client, monitor_client, client_authorization, "resource_group_name", "sql_server_name", "region", "subscription_id", ) == 0) assert action.ensure_identity_assigned.call_count == 1 assert action.check_key_vault.call_count == 1 assert action.check_stg_account.call_count == 1 assert action.create_key.call_count == 1 assert action.update_storage_account_encryption.call_count == 1 assert action.create_storage_account.call_count == 1 assert action.create_key_vault.call_count == 1 assert action.create_diagnostic_setting.call_count == 1 assert action.create_role_assignment.call_count == 1 assert action.create_server_blob_auditing_policy.call_count == 1
def create_keyvault( cmd, client, # pylint: disable=too-many-locals resource_group_name, vault_name, location=None, sku=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, enable_soft_delete=None, no_self_perms=None, tags=None): from azure.mgmt.keyvault.models import ( VaultCreateOrUpdateParameters, Permissions, KeyPermissions, SecretPermissions, CertificatePermissions, StoragePermissions, AccessPolicyEntry, Sku, VaultProperties) from azure.cli.core._profile import Profile from azure.graphrbac.models import GraphErrorException from azure.graphrbac import GraphRbacManagementClient profile = Profile(cli_ctx=cmd.cli_ctx) cred, _, tenant_id = profile.get_login_credentials( resource=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id ) graph_client = GraphRbacManagementClient( cred, tenant_id, base_url=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id ) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: permissions = Permissions( keys=[ KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete, KeyPermissions.list, KeyPermissions.update, KeyPermissions.import_enum, KeyPermissions.backup, KeyPermissions.restore, KeyPermissions.recover ], secrets=[ SecretPermissions.get, SecretPermissions.list, SecretPermissions.set, SecretPermissions.delete, SecretPermissions.backup, SecretPermissions.restore, SecretPermissions.recover ], certificates=[ CertificatePermissions.get, CertificatePermissions.list, CertificatePermissions.delete, CertificatePermissions.create, CertificatePermissions.import_enum, CertificatePermissions.update, CertificatePermissions.managecontacts, CertificatePermissions.getissuers, CertificatePermissions.listissuers, CertificatePermissions.setissuers, CertificatePermissions.deleteissuers, CertificatePermissions.manageissuers, CertificatePermissions.recover ], storage=[ StoragePermissions.get, StoragePermissions.list, StoragePermissions.delete, StoragePermissions.set, StoragePermissions.update, StoragePermissions.regeneratekey, StoragePermissions.setsas, StoragePermissions.listsas, StoragePermissions.getsas, StoragePermissions.deletesas ]) try: object_id = _get_current_user_object_id(graph_client) except GraphErrorException: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError( 'Cannot create vault.\nUnable to query active directory for information ' 'about the current user.\nYou may try the --no-self-perms flag to ' 'create a vault without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment, enable_soft_delete=enable_soft_delete) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)