def main(): try: # Enable logging enable_logging() # Setup some sample data sample_data = { "value1": "some value 1", "value2": "some value 2", "value3": "some value 3", "value4": "some value 4" } # Convert the dict to string, encode to bytes, and hash the data sample_data_hash = hashlib.sha512( json.dumps(sample_data).encode('UTF-8')).digest() # Obtain a credential from the system-assigned managed identity msi_credential = DefaultAzureCredential() # Get the key from Key Vault and setup a cryptography client key_client = KeyClient(KEY_VAULT_URL, msi_credential) key = key_client.get_key(CERTIFICATE_NAME) crypto_client = CryptographyClient(key, credential=msi_credential) # Use Key Vault to calculate a signature using RSASSA-PKCS1-v1_5 using SHA-512 data_signature = (crypto_client.sign(SignatureAlgorithm.rs512, sample_data_hash)).signature # Retrieve the certificate from Key Vault cert_client = CertificateClient(KEY_VAULT_URL, msi_credential) result = (cert_client.get_certificate(CERTIFICATE_NAME)).cer # Load the DER certificate returned into an x509 object and get the public key cert = load_der_x509_certificate(result, backend=default_backend()) public_key = cert.public_key() # Verify the signature try: public_key.verify(signature=data_signature, data=(json.dumps(sample_data)).encode('UTF-8'), padding=padding.PKCS1v15(), algorithm=hashes.SHA512()) logging.info('Payload verified successfully') print('Payload verified successfully!') except InvalidSignature: print('Payload and/or signature files failed verification') except Exception: logging.error('Execution error: ', exc_info=True)
class GetCertificateTest(PerfStressTest): def __init__(self, arguments): super().__init__(arguments) # Auth configuration self.credential = EnvironmentCredential() self.async_credential = AsyncEnvironmentCredential() # Create clients vault_url = self.get_from_env("AZURE_KEYVAULT_URL") self.client = CertificateClient(vault_url, self.credential) self.async_client = AsyncCertificateClient(vault_url, self.async_credential) async def global_setup(self): """The global setup is run only once.""" await super().global_setup() await self.async_client.create_certificate( "livekvtestperfcert", CertificatePolicy.get_default()) async def global_cleanup(self): """The global cleanup is run only once.""" await self.async_client.delete_certificate("livekvtestperfcert") await self.async_client.purge_deleted_certificate("livekvtestperfcert") await super().global_cleanup() async def close(self): """This is run after cleanup.""" await self.async_client.close() await self.async_credential.close() await super().close() def run_sync(self): """The synchronous perf test.""" self.client.get_certificate("livekvtestperfcert") async def run_async(self): """The asynchronous perf test.""" await self.async_client.get_certificate("livekvtestperfcert")
class KeyVaultCertificates: def __init__(self): # DefaultAzureCredential() expects the following environment variables: # * AZURE_CLIENT_ID # * AZURE_CLIENT_SECRET # * AZURE_TENANT_ID authority_host = os.environ.get('AZURE_AUTHORITY_HOST') or KnownAuthorities.AZURE_PUBLIC_CLOUD credential = DefaultAzureCredential(authority=authority_host) self.certificate_client = CertificateClient( vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential ) self.certificate_name = "cert-name-" + uuid.uuid1().hex def create_certificate(self): print("Creating certificate (name: {})".format(self.certificate_name)) create_poller = self.certificate_client.begin_create_certificate( certificate_name=self.certificate_name, policy=CertificatePolicy.get_default()) print("\twaiting...") create_poller.result() print("\tdone") def get_certificate(self): print("Getting a certificate...") certificate = self.certificate_client.get_certificate(certificate_name=self.certificate_name) print("\tdone, certificate: {}.".format(certificate.name)) def delete_certificate(self): print("Deleting a certificate...") poller = self.certificate_client.begin_delete_certificate(certificate_name=self.certificate_name) deleted_certificate = poller.result() print("\tdone: " + deleted_certificate.name) def run(self): print("") print("------------------------") print("Key Vault - Certificates\nIdentity - Credential") print("------------------------") print("1) Create a certificate") print("2) Get that certificate") print("3) Delete that certificate (Clean up the resource)") print("") try: self.create_certificate() self.get_certificate() finally: self.delete_certificate()
def get_certdate(): credential = DefaultAzureCredential() certificate_client = CertificateClient(vault_url=(os.environ.get('kvurl')), credential=credential) certificate = certificate_client.get_certificate( certificate_name=(os.environ.get('certname'))) cert_date = certificate.properties.expires_on.strftime("%d/%m/%Y") limit_date = (datetime.now() + timedelta(days=7)).strftime("%d/%m/%Y") slack_token = os.environ.get('slacktoken') if cert_date == limit_date: queue_build() slack_message('O certificate vai expirar') else: slack_message('O certificate não vai expirar')
class KeyVaultCertificates(KeyVaultBase): def __init__(self): credential = self.get_default_credential() self.certificate_client = CertificateClient( vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential) self.certificate_name = "cert-name-" + uuid.uuid1().hex def create_certificate(self): print("Creating certificate (name: {})".format(self.certificate_name)) create_poller = self.certificate_client.begin_create_certificate( certificate_name=self.certificate_name, policy=CertificatePolicy.get_default()) print("\twaiting...") create_poller.result() print("\tdone") def get_certificate(self): print("Getting a certificate...") certificate = self.certificate_client.get_certificate( certificate_name=self.certificate_name) print("\tdone, certificate: {}.".format(certificate.name)) def delete_certificate(self): print("Deleting a certificate...") poller = self.certificate_client.begin_delete_certificate( certificate_name=self.certificate_name) deleted_certificate = poller.result() print("\tdone: " + deleted_certificate.name) def run(self): print("") print("------------------------") print("Key Vault - Certificates\nIdentity - Credential") print("------------------------") print("1) Create a certificate") print("2) Get that certificate") print("3) Delete that certificate (Clean up the resource)") print("") try: self.create_certificate() self.get_certificate() finally: self.delete_certificate()
class KeyVaultCertificates: def __init__(self): # DefaultAzureCredential() expects the following environment variables: # * AZURE_CLIENT_ID # * AZURE_CLIENT_SECRET # * AZURE_TENANT_ID credential = DefaultAzureCredential() self.certificate_client = CertificateClient( vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential) self.certificate_name = "cert-name-" + uuid.uuid1().hex def create_certificate(self): self.certificate_client.begin_create_certificate( name=self.certificate_name, policy=CertificatePolicy.get_default()).wait() print("\tdone") def get_certificate(self): print("Getting a certificate...") certificate = self.certificate_client.get_certificate( name=self.certificate_name) print(f"\tdone, certificate: {certificate.name}.") def delete_certificate(self): print("Deleting a certificate...") deleted_certificate = self.certificate_client.delete_certificate( name=self.certificate_name) print("\tdone: " + deleted_certificate.name) def run(self): print("") print("------------------------") print("Key Vault - Certificates\nIdentity - Credential") print("------------------------") print("1) Create a certificate") print("2) Get that certificate") print("3) Delete that certificate (Clean up the resource)") print("") try: self.create_certificate() self.get_certificate() finally: self.delete_certificate()
reuse_key=False, content_type=CertificateContentType.pkcs12, validity_in_months=24, ) cert_name = "HelloWorldCertificate" # begin_create_certificate returns a poller. Calling result() on the poller will return the certificate # as a KeyVaultCertificate if creation is successful, and the CertificateOperation if not. The wait() # call on the poller will wait until the long running operation is complete. certificate = client.begin_create_certificate(certificate_name=cert_name, policy=cert_policy).result() print("Certificate with name '{0}' created".format(certificate.name)) # Let's get the bank certificate using its name print("\n.. Get a certificate by name") bank_certificate = client.get_certificate(cert_name) print("Certificate with name '{0}' was found'.".format( bank_certificate.name)) # After one year, the bank account is still active, and we have decided to update the tags. print("\n.. Update a certificate by name") tags = {"a": "b"} updated_certificate = client.update_certificate_properties( certificate_name=bank_certificate.name, tags=tags) print("Certificate with name '{0}' was updated on date '{1}'".format( bank_certificate.name, updated_certificate.properties.updated_on)) print("Certificate with name '{0}' was updated with tags '{1}'".format( bank_certificate.name, updated_certificate.properties.tags)) # The bank account was closed, need to delete its credentials from the Key Vault. print("\n.. Delete certificate")
def obtain_access_token(key_vault_url, msi_credential, certificate_name, tenant_id, client_id, resource): # Get certificate from Key Vault, load the DER certificate it returns, and calculate the thumbprint cert_client = CertificateClient(key_vault_url, msi_credential) result = (cert_client.get_certificate(certificate_name)).cer cert = load_der_x509_certificate(result, backend=default_backend()) thumbprint = base64.urlsafe_b64encode(cert.fingerprint( hashes.SHA1())).decode('UTF-8') # Create the headers for the JWT headers = {"alg": "RS256", "typ": "JWT", "x5t": thumbprint} encoded_header = (base64.urlsafe_b64encode( bytes(json.dumps(headers), 'UTF-8'))).decode('UTF-8') # Generate a nonce nonce = uuid4().hex # Create the JWT payload claims = { "aud": f"https://login.microsoftonline.com/{tenant_id}/oauth2/token", "iss": client_id, "sub": client_id, "jti": nonce, "nbf": int(time.time()), "exp": int(time.time() + (7 * 86400)) } encoded_claims = (base64.urlsafe_b64encode( bytes(json.dumps(claims), 'UTF-8'))).decode('UTF-8').rstrip('=') # Issue the request to Key Vault to sign the data key_client = KeyClient(key_vault_url, msi_credential) key = key_client.get_key(certificate_name) crypto_client = CryptographyClient(key, credential=msi_credential) data_hash = hashlib.sha256( bytes((encoded_header + '.' + encoded_claims), 'UTF-8')).digest() # Use Key Vault to calculate a signature using RSASSA-PKCS1-v1_5 using SHA-256 jws_signature = (crypto_client.sign(SignatureAlgorithm.rs256, data_hash)).signature encoded_jws_signature = ( base64.urlsafe_b64encode(jws_signature)).decode('UTF-8').rstrip('=') assertion = encoded_header + '.' + encoded_claims + '.' + encoded_jws_signature payload = { "grant_type": "client_credentials", "client_id": client_id, "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "client_assertion": assertion, "resource": resource } # Post the request for the access token result = requests.post( url=f"https://login.microsoftonline.com/{tenant_id}/oauth2/token", data=payload) # Validate that access token was returned if result.status_code == 200: logging.info('Access token successfully obtained') return ((json.loads(result.text))['access_token']) else: error = json.loads(result.text) logging.error('Unable to obtain access token') logging.error(f"Error was: {error['error']}") logging.error(f"Error description was: {error['error_description']}") logging.error(f"Error correlation_id was: {error['correlation_id']}") raise Exception('Failed to obtain access token')