async def test_managed_identity_live(live_managed_identity_config):
credential = ManagedIdentityCredential(
client_id=live_managed_identity_config["client_id"])
# do something with Key Vault to verify the credential can get a valid token
client = SecretClient(live_managed_identity_config["vault_url"],
credential,
logging_enable=True)
async for _ in client.list_properties_of_secrets():
pass
class ListSecretsTest(PerfStressTest):
def __init__(self, arguments):
super().__init__(arguments)
# Auth configuration
self.credential = DefaultAzureCredential()
self.async_credential = AsyncDefaultAzureCredential()
# Create clients
vault_url = self.get_from_env("AZURE_KEYVAULT_URL")
self.client = SecretClient(vault_url, self.credential, **self._client_kwargs)
self.async_client = AsyncSecretClient(vault_url, self.async_credential, **self._client_kwargs)
self.secret_names = ["livekvtestlistperfsecret{}".format(i) for i in range(self.args.list_size)]
async def global_setup(self):
"""The global setup is run only once."""
await super().global_setup()
create = [self.async_client.set_secret(name, "secret-value") for name in self.secret_names]
await asyncio.wait(create)
async def global_cleanup(self):
"""The global cleanup is run only once."""
delete = [self.async_client.delete_secret(name) for name in self.secret_names]
await asyncio.wait(delete)
purge = [self.async_client.purge_deleted_secret(name) for name in self.secret_names]
await asyncio.wait(purge)
await super().global_cleanup()
async def close(self):
"""This is run after cleanup."""
await self.async_client.close()
await self.async_credential.close()
await super().close()
def run_sync(self):
"""The synchronous perf test."""
secret_properties = self.client.list_properties_of_secrets()
# enumerate secrets to exercise paging code
list(secret_properties)
async def run_async(self):
"""The asynchronous perf test."""
secret_properties = self.async_client.list_properties_of_secrets()
# enumerate secrets to exercise paging code
async for _ in secret_properties:
pass
@staticmethod
def add_arguments(parser):
super(ListSecretsTest, ListSecretsTest).add_arguments(parser)
parser.add_argument(
'--list-size', nargs='?', type=int, help='Number of secrets to list. Defaults to 10', default=10
)
async def test_managed_identity_live(live_managed_identity_config):
credential = ManagedIdentityCredential(client_id=live_managed_identity_config["client_id"])
# do something with Key Vault to verify the credential can get a valid token
client = SecretClient(live_managed_identity_config["vault_url"], credential, logging_enable=True)
secret = await client.set_secret("managed-identity-test-secret", "value")
await client.delete_secret(secret.name)
async def cred() -> Any:
credential = EnvironmentCredential()
vault = SecretClient(vault_url="https://aca-keys.vault.azure.net",
credential=credential)
yield await vault.get_secret("acastorage-key1")
await credential.close()
await vault.close()
async def run_sample():
# Instantiate a secret client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"]
credential = DefaultAzureCredential()
client = SecretClient(vault_endpoint=VAULT_ENDPOINT, credential=credential)
try:
# Let's create a secret holding bank account credentials valid for 1 year.
# if the secret already exists in the key vault, then a new version of the secret is created.
print("\n.. Create Secret")
expires_on = datetime.datetime.utcnow() + datetime.timedelta(days=365)
secret = await client.set_secret("helloWorldSecretName",
"helloWorldSecretValue",
expires_on=expires_on)
print("Secret with name '{0}' created with value '{1}'".format(
secret.name, secret.value))
print("Secret with name '{0}' expires on '{1}'".format(
secret.name, secret.properties.expires_on))
# Let's get the bank secret using its name
print("\n.. Get a Secret by name")
bank_secret = await client.get_secret(secret.name)
print("Secret with name '{0}' was found with value '{1}'.".format(
bank_secret.name, bank_secret.value))
# After one year, the bank account is still active, we need to update the expiry time of the secret.
# The update method can be used to update the expiry attribute of the secret. It cannot be used to update
# the value of the secret.
print("\n.. Update a Secret by name")
expires_on = bank_secret.properties.expires_on + datetime.timedelta(
days=365)
updated_secret_properties = await client.update_secret_properties(
secret.name, expires_on=expires_on)
print("Secret with name '{0}' was updated on date '{1}'".format(
updated_secret_properties.name,
updated_secret_properties.updated_on))
print("Secret with name '{0}' was updated to expire on '{1}'".format(
updated_secret_properties.name,
updated_secret_properties.expires_on))
# Bank forced a password update for security purposes. Let's change the value of the secret in the key vault.
# To achieve this, we need to create a new version of the secret in the key vault. The update operation cannot
# change the value of the secret.
new_secret = await client.set_secret(secret.name, "newSecretValue")
print("Secret with name '{0}' created with value '{1}'".format(
new_secret.name, new_secret.value))
# The bank account was closed, need to delete its credentials from the Key Vault.
print("\n.. Deleting Secret...")
deleted_secret = await client.delete_secret(secret.name)
print("Secret with name '{0}' was deleted.".format(
deleted_secret.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
async def test_close():
transport = AsyncMockTransport()
client = SecretClient(vault_url="https://localhost", credential=object(), transport=transport)
await client.close()
assert transport.__aenter__.call_count == 0
assert transport.__aexit__.call_count == 1
def __init__(self):
credential = self.get_default_credential()
self.secret_client = SecretClient(
vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential
)
self.secret_name = "secret-name-" + uuid.uuid1().hex
self.secret_value = "secret-value"
def test_service_headers_allowed_in_logs():
service_headers = {
"x-ms-keyvault-network-info", "x-ms-keyvault-region",
"x-ms-keyvault-service-version"
}
client = SecretClient("...", object())
assert service_headers.issubset(
client._client._config.http_logging_policy.allowed_header_names)
async def test_context_manager():
transport = AsyncMockTransport()
client = SecretClient(vault_url="https://localhost", credential=object(), transport=transport)
async with client:
assert transport.__aenter__.call_count == 1
assert transport.__aenter__.call_count == 1
assert transport.__aexit__.call_count == 1
async def run_sample():
# Instantiate a secret client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_ENDPOINT = os.environ["VAULT_ENDPOINT"]
credential = DefaultAzureCredential()
client = SecretClient(vault_endpoint=VAULT_ENDPOINT, credential=credential)
try:
# Let's create secrets holding storage and bank accounts credentials. If the secret
# already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
bank_secret = await client.set_secret("recoverPurgeBankSecretName",
"recoverPurgeSecretValue1")
storage_secret = await client.set_secret(
"recoverPurgeStorageSecretName", "recoverPurgeSecretValue2")
print("Secret with name '{0}' was created.".format(bank_secret.name))
print("Secret with name '{0}' was created.".format(
storage_secret.name))
# The storage account was closed, need to delete its credentials from the Key Vault.
print("\n.. Delete a Secret")
secret = await client.delete_secret(bank_secret.name)
await asyncio.sleep(20)
print("Secret with name '{0}' was deleted on date {1}.".format(
secret.name, secret.deleted_date))
# We accidentally deleted the bank account secret. Let's recover it.
# A deleted secret can only be recovered if the Key Vault is soft-delete enabled.
print("\n.. Recover Deleted Secret")
recovered_secret = await client.recover_deleted_secret(bank_secret.name
)
print("Recovered Secret with name '{0}'.".format(
recovered_secret.name))
# Let's delete storage account now.
# If the keyvault is soft-delete enabled, then for permanent deletion deleted secret needs to be purged.
await client.delete_secret(storage_secret.name)
# To ensure secret is deleted on the server side.
print("\nDeleting Storage Secret...")
await asyncio.sleep(20)
# To ensure permanent deletion, we might need to purge the secret.
print("\n.. Purge Deleted Secret")
await client.purge_deleted_secret(storage_secret.name)
print("Secret has been permanently deleted.")
except HttpResponseError as e:
if "(NotSupported)" in e.message:
print(
"\n{0} Please enable soft delete on Key Vault to perform this operation."
.format(e.message))
else:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
def test_custom_hook_policy():
class CustomHookPolicy(object):
pass
client = SecretClient("...",
object(),
custom_hook_policy=CustomHookPolicy())
assert isinstance(client._client._config.custom_hook_policy,
CustomHookPolicy)
def test_create_secret_client():
vault_url = "vault_url"
# pylint:disable=unused-variable
# [START create_secret_client]
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.secrets.aio import SecretClient
# Create a SecretClient using default Azure credentials
credentials = DefaultAzureCredential()
secret_client = SecretClient(vault_url, credentials)
def __init__(self):
# DefaultAzureCredential() expects the following environment variables:
# * AZURE_CLIENT_ID
# * AZURE_CLIENT_SECRET
# * AZURE_TENANT_ID
credential = DefaultAzureCredential()
self.secret_client = SecretClient(
vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential
)
self.secret_name = "secret-name-" + uuid.uuid1().hex
self.secret_value = "secret-value"
def __init__(self):
# DefaultAzureCredential() expects the following environment variables:
# * AZURE_CLIENT_ID
# * AZURE_CLIENT_SECRET
# * AZURE_TENANT_ID
authority_host = os.environ.get(
'AZURE_AUTHORITY_HOST') or KnownAuthorities.AZURE_PUBLIC_CLOUD
credential = DefaultAzureCredential(authority=authority_host)
self.secret_client = SecretClient(
vault_url=os.environ["AZURE_PROJECT_URL"], credential=credential)
self.secret_name = "secret-name-" + uuid.uuid1().hex
self.secret_value = "secret-value"
def __init__(self, arguments):
super().__init__(arguments)
# Auth configuration
self.credential = DefaultAzureCredential()
self.async_credential = AsyncDefaultAzureCredential()
# Create clients
vault_url = self.get_from_env("AZURE_KEYVAULT_URL")
self.client = SecretClient(vault_url, self.credential, **self._client_kwargs)
self.async_client = AsyncSecretClient(vault_url, self.async_credential, **self._client_kwargs)
self.secret_names = ["livekvtestlistperfsecret{}".format(i) for i in range(self.args.list_size)]
def __init__(self, env_file) -> None:
self.settings = AzureHandler.Settings(_env_file=env_file)
self.credential = ClientSecretCredential(
str(self.settings.tenant_id),
str(self.settings.client_id),
self.settings.client_secret.get_secret_value(),
)
# Create File and KeyVault Secret Clients
self.secret_index = {}
self.secretsclient = SecretClient(self.settings.keyvault_url,
self.credential)
self.fileclient = FileService(
self.settings.storage_name,
sas_token=self.settings.storage_sas.get_secret_value(),
)
try:
self.fileclient.create_share("lootmarshal")
self.fileclient.create_directory("lootmarshal", "binary_dumps")
asyncio.create_task(self.build_secret_index())
except Exception as e:
raise e
async def test_create_secret_client():
vault_url = "vault_url"
# pylint:disable=unused-variable
# [START create_secret_client]
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.secrets.aio import SecretClient
# Create a SecretClient using default Azure credentials
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url, credential)
# the client and credential should be closed when no longer needed
# (both are also async context managers)
await secret_client.close()
await credential.close()
def __init__(self,
vault_url: str,
credential: "TokenCredential",
transport: HttpTransport = None,
api_version: str = None,
**kwargs: Any) -> None:
super(VaultClient, self).__init__(vault_url,
credential,
transport=transport,
api_version=api_version,
**kwargs)
self._secrets = SecretClient(self.vault_url,
credential,
generated_client=self._client,
**kwargs)
async def run_sample():
# Instantiate a secret client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = SecretClient(vault_url=VAULT_URL, credential=credential)
try:
# Let's create a secret holding storage account credentials.
# if the secret already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
secret = await client.set_secret("backupRestoreSecretName",
"backupRestoreSecretValue")
print("Secret with name '{0}' created with value '{1}'".format(
secret.name, secret.value))
# Backups are good to have, if in case secrets gets deleted accidentally.
# For long term storage, it is ideal to write the backup to a file.
print("\n.. Create a backup for an existing Secret")
secret_backup = await client.backup_secret(secret.name)
print("Backup created for secret with name '{0}'.".format(secret.name))
# The storage account secret is no longer in use, so you delete it.
print("\n.. Deleting secret...")
await client.delete_secret(secret.name)
print("Deleted secret with name '{0}'".format(secret.name))
# Purge the deleted secret.
# The purge will take some time, so wait before restoring the backup to avoid a conflict.
print("\n.. Purge the secret")
await client.purge_deleted_secret(secret.name)
await asyncio.sleep(60)
print("Purged secret with name '{0}'".format(secret.name))
# In the future, if the secret is required again, we can use the backup value to restore it in the Key Vault.
print("\n.. Restore the secret using the backed up secret bytes")
secret = await client.restore_secret_backup(secret_backup)
print("Restored secret with name '{0}'".format(secret.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
await credential.close()
await client.close()
async def run_sample():
# Instantiate a secret client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = SecretClient(vault_url=VAULT_URL, credential=credential)
# Let's create secrets holding storage and bank accounts credentials. If the secret
# already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
bank_secret = await client.set_secret("recoverPurgeBankSecretName",
"recoverPurgeSecretValue1")
storage_secret = await client.set_secret("recoverPurgeStorageSecretName",
"recoverPurgeSecretValue2")
print("Secret with name '{0}' was created.".format(bank_secret.name))
print("Secret with name '{0}' was created.".format(storage_secret.name))
# The storage account was closed, need to delete its credentials from the Key Vault.
print("\n.. Delete a Secret")
secret = await client.delete_secret(bank_secret.name)
print("Secret with name '{0}' was deleted on date {1}.".format(
secret.name, secret.deleted_date))
# We accidentally deleted the bank account secret. Let's recover it.
# A deleted secret can only be recovered if the Key Vault is soft-delete enabled.
print("\n.. Recover Deleted Secret")
recovered_secret = await client.recover_deleted_secret(bank_secret.name)
print("Recovered Secret with name '{0}'.".format(recovered_secret.name))
# Let's delete storage account now.
# If the keyvault is soft-delete enabled, then for permanent deletion, the deleted secret needs to be purged.
print("\n.. Deleting secret...")
await client.delete_secret(storage_secret.name)
# Secrets will still purge eventually on their scheduled purge date, but calling `purge_deleted_secret` immediately
# purges.
print("\n.. Purge Deleted Secret")
await client.purge_deleted_secret(storage_secret.name)
print("Secret has been permanently deleted.")
print("\nrun_sample done")
await credential.close()
await client.close()
async def main(req: func.HttpRequest) -> func.HttpResponse:
# capture interesting environment variables for debugging
env = "\n".join(f"{var}: {os.environ.get(var)}"
for var in EXPECTED_VARIABLES)
try:
credential = ManagedIdentityCredential(client_id=os.environ.get(
"AZURE_IDENTITY_TEST_MANAGED_IDENTITY_CLIENT_ID"))
# do something with Key Vault to verify the credential can get a valid token
client = SecretClient(os.environ["AZURE_IDENTITY_TEST_VAULT_URL"],
credential,
logging_enable=True)
secret = await client.set_secret("managed-identity-test-secret",
"value")
await client.delete_secret(secret.name)
return func.HttpResponse("test passed")
except Exception as ex:
return func.HttpResponse("test failed: " + repr(ex) + "\n" * 3 + env)
class ListSecretsTest(PerfStressTest):
def __init__(self, arguments):
super().__init__(arguments)
# Auth configuration
self.credential = DefaultAzureCredential()
self.async_credential = AsyncDefaultAzureCredential()
# Create clients
vault_url = self.get_from_env("AZURE_KEYVAULT_URL")
self.client = SecretClient(vault_url, self.credential,
**self._client_kwargs)
self.async_client = AsyncSecretClient(vault_url, self.async_credential,
**self._client_kwargs)
self.secret_names = [
"livekvtestlistperfsecret{}".format(i)
for i in range(self.args.count)
]
async def global_setup(self):
"""The global setup is run only once."""
# Validate that vault contains 0 secrets (including soft-deleted secrets), since additional secrets
# (including soft-deleted) impact performance.
async for secret in self.async_client.list_properties_of_secrets():
raise Exception(
"KeyVault %s must contain 0 secrets (including soft-deleted) before starting perf test"
% self.async_client.vault_url)
async for secret in self.async_client.list_deleted_secrets():
raise Exception(
"KeyVault %s must contain 0 secrets (including soft-deleted) before starting perf test"
% self.async_client.vault_url)
await super().global_setup()
create = [
self.async_client.set_secret(name, "secret-value")
for name in self.secret_names
]
await asyncio.wait(create)
async def global_cleanup(self):
"""The global cleanup is run only once."""
delete = [
self.async_client.delete_secret(name) for name in self.secret_names
]
await asyncio.wait(delete)
purge = [
self.async_client.purge_deleted_secret(name)
for name in self.secret_names
]
await asyncio.wait(purge)
await super().global_cleanup()
async def close(self):
"""This is run after cleanup."""
await self.async_client.close()
await self.async_credential.close()
await super().close()
def run_sync(self):
"""The synchronous perf test."""
secret_properties = self.client.list_properties_of_secrets()
# enumerate secrets to exercise paging code
list(secret_properties)
async def run_async(self):
"""The asynchronous perf test."""
secret_properties = self.async_client.list_properties_of_secrets()
# enumerate secrets to exercise paging code
async for _ in secret_properties:
pass
@staticmethod
def add_arguments(parser):
super(ListSecretsTest, ListSecretsTest).add_arguments(parser)
parser.add_argument("--count",
nargs="?",
type=int,
help="Number of secrets to list. Defaults to 10",
default=10)
raise EnvironmentError("Missing a Key Vault URL")
if "KEYVAULT_TENANT_ID" not in os.environ:
raise EnvironmentError("Missing a tenant ID for Key Vault")
if "KEYVAULT_CLIENT_ID" not in os.environ:
raise EnvironmentError("Missing a client ID for Key Vault")
if "KEYVAULT_CLIENT_SECRET" not in os.environ:
raise EnvironmentError("Missing a client secret for Key Vault")
credential = ClientSecretCredential(
tenant_id=os.environ["KEYVAULT_TENANT_ID"],
client_id=os.environ["KEYVAULT_CLIENT_ID"],
client_secret=os.environ["KEYVAULT_CLIENT_SECRET"])
cert_client = CertificateClient(os.environ["AZURE_KEYVAULT_URL"], credential)
key_client = KeyClient(os.environ["AZURE_KEYVAULT_URL"], credential)
secret_client = SecretClient(os.environ["AZURE_KEYVAULT_URL"], credential)
async def delete_certificates():
coroutines = []
test_certificates = cert_client.list_properties_of_certificates()
async for certificate in test_certificates:
if certificate.name.startswith("livekvtest"):
coroutines.append(cert_client.delete_certificate(certificate.name))
return await asyncio.gather(*coroutines)
async def delete_keys_and_secrets():
coroutines = []
def __init__(self):
args = self.get_client_args()
self.secret_client = SecretClient(**args)
self.secret_name = "secret-name-" + uuid.uuid1().hex
self.secret_value = "secret-value"
async def run_sample():
# Instantiate a secret client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
client = SecretClient(vault_url=VAULT_URL, credential=credential)
try:
# Let's create secrets holding storage and bank accounts credentials. If the secret
# already exists in the Key Vault, then a new version of the secret is created.
print("\n.. Create Secret")
bank_secret = await client.set_secret("listOpsBankSecretName",
"listOpsSecretValue1")
storage_secret = await client.set_secret("listOpsStorageSecretName",
"listOpsSecretValue2")
print("Secret with name '{0}' was created.".format(bank_secret.name))
print("Secret with name '{0}' was created.".format(
storage_secret.name))
# You need to check if any of the secrets are sharing same values.
# Let's list the secrets and print their values.
# List operations don 't return the secrets with value information.
# So, for each returned secret we call get_secret to get the secret with its value information.
print("\n.. List secrets from the Key Vault")
secrets = client.list_secrets()
async for secret in secrets:
retrieved_secret = await client.get_secret(secret.name)
print("Secret with name '{0}' with value '{1}' was found.".format(
retrieved_secret.name, retrieved_secret.value))
# The bank account password got updated, so you want to update the secret in Key Vault to ensure it reflects the
# new password. Calling set_secret on an existing secret creates a new version of the secret in the Key Vault
# with the new value.
updated_secret = await client.set_secret(bank_secret.name,
"newSecretValue")
print("Secret with name '{0}' was updated with new value '{1}'".format(
updated_secret.name, updated_secret.value))
# You need to check all the different values your bank account password secret had previously. Lets print all
# the versions of this secret.
print("\n.. List versions of the secret using its name")
secret_versions = client.list_secret_versions(bank_secret.name)
async for secret in secret_versions:
print("Bank Secret with name '{0}' has version: '{1}'".format(
secret.name, secret.version))
# The bank account and storage accounts got closed. Let's delete bank and storage accounts secrets.
await client.delete_secret(bank_secret.name)
await client.delete_secret(storage_secret.name)
# To ensure secret is deleted on the server side.
print("\nDeleting secrets...")
await asyncio.sleep(20)
# You can list all the deleted and non-purged secrets, assuming Key Vault is soft-delete enabled.
print("\n.. List deleted secrets from the Key Vault")
deleted_secrets = client.list_deleted_secrets()
async for deleted_secret in deleted_secrets:
print("Secret with name '{0}' has recovery id '{1}'".format(
deleted_secret.name, deleted_secret.recovery_id))
except HttpResponseError as e:
if "(NotSupported)" in e.message:
print(
"\n{0} Please enable soft delete on Key Vault to perform this operation."
.format(e.message))
else:
print("\nrun_sample has caught an error. {0}".format(e.message))
finally:
print("\nrun_sample done")
async def run_sample():
# Instantiate a certificate client that will be used to call the service.
# Notice that the client is using default Azure credentials.
# To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
# 'AZURE_CLIENT_SECRET' and 'AZURE_TENANT_ID' are set with the service principal credentials.
VAULT_URL = os.environ["VAULT_URL"]
credential = DefaultAzureCredential()
certificate_client = CertificateClient(vault_url=VAULT_URL,
credential=credential)
# Instantiate a secret client that will be used to call the service.
# Notice that this client can reuse the credential object created above.
secret_client = SecretClient(vault_url=VAULT_URL, credential=credential)
try:
# Let's create a certificate in the vault.
# If the certificate already exists in the Key Vault, then a new version of the certificate is created.
print("\n.. Create certificate")
# Before creating your certificate, let's create the management policy for your certificate.
# Here we use the default policy.
cert_name = "PrivateKeyCertificate"
cert_policy = CertificatePolicy.get_default()
# Awaiting create_certificate will return the certificate as a KeyVaultCertificate
# if creation is successful, and the CertificateOperation if not.
created_certificate = await certificate_client.create_certificate(
certificate_name=cert_name, policy=cert_policy)
print("Certificate with name '{}' was created".format(
created_certificate.name))
# Key Vault also creates a secret with the same name as the created certificate.
# This secret contains protected information about the certificate, such as its private key.
print("\n.. Get a secret by name")
certificate_secret = await secret_client.get_secret(name=cert_name)
print("Certificate secret with name '{}' was found.".format(
certificate_secret.name))
# Now we can extract the private key and public certificate from the secret using the cryptography
# package. `additional_certificates` will be empty since the secret only contains one certificate.
# This example shows how to parse a certificate in PKCS12 format since it's the default in Key Vault,
# but PEM certificates are supported as well. With a PEM certificate, you could use load_pem_private_key
# in place of load_key_and_certificates.
cert_bytes = base64.b64decode(certificate_secret.value)
private_key, public_certificate, additional_certificates = pkcs12.load_key_and_certificates(
data=cert_bytes, password=None)
print("Certificate with name '{}' was parsed.".format(
certificate_secret.name))
# Now we can clean up the vault by deleting, then purging, the certificate.
print("\n.. Delete certificate")
deleted_certificate = await certificate_client.delete_certificate(
certificate_name=cert_name)
print("Certificate with name '{}' was deleted.".format(
deleted_certificate.name))
await certificate_client.purge_deleted_certificate(
certificate_name=deleted_certificate.name)
print("Certificate with name '{}' is being purged.".format(
deleted_certificate.name))
except HttpResponseError as e:
print("\nrun_sample has caught an error. {}".format(e.message))
finally:
print("\nrun_sample done")
await credential.close()
await certificate_client.close()
await secret_client.close()
class AzureHandler(Handler):
class Settings(BaseSettings):
client_id: UUID
client_secret: SecretStr
keyvault_url: HttpUrl
storage_blob_url: HttpUrl
tenant_id: UUID
storage_name: str
storage_share_name: str
storage_sas: SecretStr
def __init__(self, env_file) -> None:
self.settings = AzureHandler.Settings(_env_file=env_file)
self.credential = ClientSecretCredential(
str(self.settings.tenant_id),
str(self.settings.client_id),
self.settings.client_secret.get_secret_value(),
)
# Create File and KeyVault Secret Clients
self.secret_index = {}
self.secretsclient = SecretClient(self.settings.keyvault_url,
self.credential)
self.fileclient = FileService(
self.settings.storage_name,
sas_token=self.settings.storage_sas.get_secret_value(),
)
try:
self.fileclient.create_share("lootmarshal")
self.fileclient.create_directory("lootmarshal", "binary_dumps")
asyncio.create_task(self.build_secret_index())
except Exception as e:
raise e
async def validate(self) -> bool:
try:
if not len(self.fileclient.list_shares(num_results=1)):
raise Exception(
"Azure FileService Client could not list shares! Verify authentication."
)
[p async for p in self.secretsclient.list_properties_of_secrets()]
return True
except Exception as e:
raise e
async def build_secret_index(self):
while True:
try:
self.secret_index = [{
"name": p.name,
"content_type": p.content_type,
"tags": p.tags
} async for p in self.secretsclient.list_properties_of_secrets(
)]
except Exception as e:
raise e
await asyncio.sleep(10)
def write_file(self, directory: str, name: str, file: bytes):
name = f"{name}_{time.strftime('%Y%m%d-%H%M%S')}"
logging.info(
f"Writing {name} ({len(file)} bytes) to {directory}/{name}.")
self.fileclient.create_file_from_bytes(
self.settings.storage_share_name, directory, name, file)
async def read_secret(self, name) -> dict:
try:
secret = await self.secretsclient.get_secret(name)
formatted = {
"name": secret.name,
"value": secret.value,
"content_type": secret.properties.content_type,
"tags": secret.properties.tags,
}
return formatted
except Exception as e:
raise HTTPException(status_code=404, detail=str(e))
async def write_secret(self, name, value, content_type, tags):
try:
return await self.secretsclient.set_secret(
name, value, content_type=content_type, tags=tags)
except Exception as e:
raise HTTPException(status_code=404, detail=str(e))
async def list_secrets(self):
try:
secret_list = []
async for props in self.secretsclient.list_properties_of_secrets():
secret = await self.secretsclient.get_secret(props.name)
formatted = {
"name": secret.name,
"value": secret.value,
"content_type": secret.properties.content_type,
"tags": secret.properties.tags,
}
secret_list.append(formatted)
return json.dumps(secret_list, indent=4)
except Exception as e:
raise HTTPException(status_code=404, detail=str(e))
