def create_keyvault(client, resource_group_name, vault_name, location=None, sku=SkuName.standard.value, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, no_self_perms=None, tags=None): from azure.mgmt.keyvault.models import VaultCreateOrUpdateParameters from azure.cli.core._profile import Profile, CLOUD from azure.graphrbac.models import GraphErrorException profile = Profile() cred, _, tenant_id = profile.get_login_credentials( resource=CLOUD.endpoints.active_directory_graph_resource_id) graph_client = GraphRbacManagementClient( cred, tenant_id, base_url=CLOUD.endpoints.active_directory_graph_resource_id) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: permissions = Permissions(keys=[KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete, KeyPermissions.list, KeyPermissions.update, KeyPermissions.import_enum, KeyPermissions.backup, KeyPermissions.restore], secrets=[SecretPermissions.all], certificates=[CertificatePermissions.all]) try: object_id = _get_current_user_object_id(graph_client) except GraphErrorException: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError('Cannot create vault.\nUnable to query active directory for information ' 'about the current user.\nYou may try the --no-self-perms flag to ' 'create a vault without permissions.') access_policies = [AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions)] properties = VaultProperties(tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def create_keyvault( client, resource_group_name, vault_name, location, #pylint:disable=too-many-arguments sku=SkuName.standard.value, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, no_self_perms=False, tags=None): from azure.cli.core._profile import Profile profile = Profile() cred, _, tenant_id = profile.get_login_credentials(for_graph_client=True) graph_client = GraphRbacManagementClient(cred, tenant_id) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: # TODO Use the enums instead of strings when new keyvault SDK is released # https://github.com/Azure/azure-sdk-for-python/blob/dev/azure-mgmt-keyvault/ # azure/mgmt/keyvault/models/key_vault_management_client_enums.py permissions = Permissions(keys=[ 'get', 'create', 'delete', 'list', 'update', 'import', 'backup', 'restore' ], secrets=['all']) object_id = _get_current_user_object_id(graph_client) if not object_id: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError('Cannot create vault.\n' 'Unable to query active directory for information '\ 'about the current user.\n' 'You may try the --no-self-perms flag to create a vault'\ ' without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def set_policy( client, resource_group_name, vault_name, #pylint:disable=too-many-arguments object_id=None, spn=None, upn=None, key_permissions=None, secret_permissions=None, certificate_permissions=None): object_id = _object_id_args_helper(object_id, spn, upn) vault = client.get(resource_group_name=resource_group_name, vault_name=vault_name) # Find the existing policy to set policy = next((p for p in vault.properties.access_policies \ if object_id.lower() == p.object_id.lower() and \ vault.properties.tenant_id.lower() == p.tenant_id.lower()), None) if not policy: # Add new policy as none found vault.properties.access_policies.append( AccessPolicyEntry(tenant_id=vault.properties.tenant_id, object_id=object_id, permissions=Permissions( keys=key_permissions, secrets=secret_permissions, certificates=certificate_permissions))) else: # Modify existing policy. # If key_permissions is not set, use prev. value (similarly with secret_permissions). keys = policy.permissions.keys if key_permissions is None else key_permissions secrets = policy.permissions.secrets if secret_permissions is None else secret_permissions certs = policy.permissions.certificates \ if certificate_permissions is None else certificate_permissions policy.permissions = Permissions(keys=keys, secrets=secrets, certificates=certs) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=VaultCreateOrUpdateParameters( location=vault.location, tags=vault.tags, properties=vault.properties))
def create_vault(self): """ Creates a new key vault with a unique name, granting full permissions to the current credentials :return: a newly created key vault :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ vault_name = get_name('vault') # setup vault permissions for the access policy for the sample service principle permissions = Permissions() permissions.keys = KEY_PERMISSIONS_ALL permissions.secrets = SECRET_PERMISSIONS_ALL permissions.certificates = CERTIFICATE_PERMISSIONS_ALL policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=self.config.client_oid, permissions=permissions) properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(name='standard'), access_policies=[policy]) parameters = VaultCreateOrUpdateParameters( location=self.config.location, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True print('creating vault {}'.format(vault_name)) vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_name, vault_name, parameters).result() # wait for vault DNS entry to be created # see issue: https://github.com/Azure/azure-sdk-for-python/issues/1172 self._poll_for_vault_connection(vault.properties.vault_uri) print('created vault {} {}'.format(vault_name, vault.properties.vault_uri)) return vault
def create_recoverable_vault_sample(self): """ Provides a sample for creating a key vault which has recovery enable so that the vault as well as all of its keys, certificates and secrets are recoverable :return: a key vault which has been created with recovery enabled :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ self.setup_sample() vault_name = KeyVaultSampleBase.get_unique_name() permissions = Permissions() permissions.keys = [KeyPermissions.all] permissions.secrets = [SecretPermissions.all] permissions.certificates = [CertificatePermissions.all] policy = AccessPolicyEntry(self.config.tenant_id, self.config.client_oid, permissions) properties = VaultProperties(self.config.tenant_id, Sku(name='standard'), policies=[policy]) parameters = VaultCreateOrUpdateParameters(self.config.location, properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True # this vault property controls whether recovery functionality is available on the vault itself as well as # all keys, certificates and secrets in the vault as well parameters.properties.enable_soft_delete = True # create the vault vault = self.keyvault_mgmt_client.vaults.create_or_update( self.config.group_name, vault_name, parameters) print(vault) return vault
def create_vault_with_network(self): """ Creates a key vault with network access limited by a NetworkRuleSet """ vault_name = get_name('vault') # setup vault permissions for the access policy for the sample service principle permissions = Permissions(keys=KEY_PERMISSIONS_ALL, secrets=SECRET_PERMISSIONS_ALL, certificates=CERTIFICATE_PERMISSIONS_ALL, storage=STORAGE_PERMISSIONS_ALL) policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=self.config.client_oid, permissions=permissions) # Network ACL definitions # The only action supported for virtual network and IP rules is "allow". # To deny an address, set the default action to 'deny' and do not explicitly allow the address. network_acls = NetworkRuleSet( # allow bypass of network ACL rules by other azure services. Valid values are azure_services or none bypass=NetworkRuleBypassOptions.azure_services, # the action to take if access attempt doesn't match any rule. Valid values are allow or deny default_action=NetworkRuleAction.deny, # IP rules (allowed IPv4 addresses / ranges) ip_rules=[IPRule(value='0.0.0.0/0') ], # Allow access from a IP address range # Virtual network rules(Allows access to Azure Virtual Networks by their Azure Resource ID) virtual_network_rules=[ # To specifically allow access to a vnet, uncomment the line below and replace the id with the correct # resource id for your vnet # VirtualNetworkRule(id='/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1') ]) properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(name='standard'), access_policies=[policy], network_acls=network_acls) parameters = VaultCreateOrUpdateParameters( location=self.config.location, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True print('creating vault {}'.format(vault_name)) self.vault = self.mgmt_client.vaults.create_or_update( resource_group_name=self.config.group_name, vault_name=vault_name, parameters=parameters).result()
def update_key_vault_access_policy( self, keyvault_client, resource_group_name, key_vault_name, tenant_id, app_object_id, ): """Updates Key Vault Access Policy :param keyvault_client: Instance of the Azure KeyVaultManagementClient. :param resource_group_name: The name of the resource group. :param key_vault_name: Name of the Key Vault. :param region: The location in which the Key Vault exists. :param tenant_id: Azure tenant Id :param app_object_id: Object Id of the application :param stg_principal_id: Principal Id of the Storage Account :type keyvault_client: object :type resource_group_name: str :type key_vault_name: str :type region: str :type tenant_id: str :type app_object_id: str :type stg_principal_id: str :returns: None :rtype: None """ access_policy_app = AccessPolicyEntry( tenant_id=tenant_id, object_id=app_object_id, permissions=Permissions(secrets=[ SecretPermissions.GET, SecretPermissions.LIST, SecretPermissions.SET, ], ), ) access_policy = [access_policy_app] logging.info("Updating Key Vault Access Policy") logging.info("executing keyvault_client.vaults.update_access_policy") logging.info(f" resource_group_name={resource_group_name}") logging.info(f" vault_name={key_vault_name}") keyvault_client.vaults.update_access_policy( resource_group_name=resource_group_name, vault_name=key_vault_name, operation_kind=AccessPolicyUpdateKind.ADD, parameters=VaultAccessPolicyParameters( properties=VaultAccessPolicyProperties( access_policies=access_policy), ), )
def _get_params(self): """Build the vault parameters block.""" oid = self.auth_client.user_oid sec_perms_all = [perm.value for perm in SecretPermissions] key_perms_all = [perm.value for perm in KeyPermissions] cert_perms_all = [perm.value for perm in CertificatePermissions] permissions = Permissions() permissions.keys = key_perms_all permissions.secrets = sec_perms_all permissions.certificates = cert_perms_all policy = AccessPolicyEntry(tenant_id=self.tenant_id, object_id=oid, permissions=permissions) properties = VaultProperties(tenant_id=self.tenant_id, sku=Sku(name="standard"), access_policies=[policy]) parameters = VaultCreateOrUpdateParameters(location=self.azure_region, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True return parameters
def get_sample_vault(self): """ Creates a new key vault with a unique name, granting full permissions to the current credentials :return: a newly created key vault :rtype: :class:`Vault <azure.keyvault.generated.models.Vault>` """ if not self.config.vault: keyvault_mgmt_client = KeyVaultManagementClient( self.mgmt_client_creds, self.config.subscription_id) if self.config.vault_name: vault = keyvault_mgmt_client.vaults.get( resource_group_name=self.config.group_name, vault_name=self.config.vault_name) else: vault_name = get_name('vault') # setup vault permissions for the access policy for the sample service principle permissions = Permissions( keys=KEY_PERMISSIONS_ALL, secrets=SECRET_PERMISSIONS_ALL, certificates=CERTIFICATE_PERMISSIONS_ALL, storage=STORAGE_PERMISSIONS_ALL) policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=self.config.client_oid, permissions=permissions) properties = VaultProperties(tenant_id=self.config.tenant_id, sku=Sku(name='standard'), access_policies=[policy]) parameters = VaultCreateOrUpdateParameters( location=self.config.location, properties=properties) parameters.properties.enabled_for_deployment = True parameters.properties.enabled_for_disk_encryption = True parameters.properties.enabled_for_template_deployment = True print('creating vault {}'.format(vault_name)) vault = keyvault_mgmt_client.vaults.create_or_update( resource_group_name=self.config.group_name, vault_name=vault_name, parameters=parameters).result() self.config.vault = vault return self.config.vault
def grant_access_to_sample_vault(self, vault, oid): keyvault_mgmt_client = KeyVaultManagementClient( credentials=self.mgmt_client_creds, subscription_id=self.config.subscription_id) # setup vault permissions for the access policy for the oid permissions = Permissions(keys=KEY_PERMISSIONS_ALL, secrets=SECRET_PERMISSIONS_ALL, certificates=CERTIFICATE_PERMISSIONS_ALL, storage=STORAGE_PERMISSIONS_ALL) policy = AccessPolicyEntry(tenant_id=self.config.tenant_id, object_id=oid, permissions=permissions) vault.properties.access_policies.append(policy) return keyvault_mgmt_client.vaults.create_or_update( resource_group_name=self.config.group_name, vault_name=vault.name, parameters=vault).result()
import hashlib import os from azure.keyvault.keys import JsonWebKey, KeyCurveName, KeyVaultKey from azure.keyvault.keys.crypto._client import _UTC from azure.keyvault.keys.crypto.aio import CryptographyClient, EncryptionAlgorithm, KeyWrapAlgorithm, SignatureAlgorithm from azure.mgmt.keyvault.models import KeyPermissions, Permissions from devtools_testutils import ResourceGroupPreparer, KeyVaultPreparer import pytest from _shared.json_attribute_matcher import json_attribute_matcher from _shared.test_case_async import KeyVaultTestCase from crypto_client_preparer_async import CryptoClientPreparer # without keys/get, a CryptographyClient created with a key ID performs all ops remotely NO_GET = Permissions( keys=[p.value for p in KeyPermissions if p.value != "get"]) class CryptoClientTests(KeyVaultTestCase): def __init__(self, *args, **kwargs): super().__init__(*args, match_body=False, custom_request_matchers=[json_attribute_matcher], **kwargs) plaintext = b"5063e6aaa845f150200547944fd199679c98ed6f99da0a0b2dafeaf1f4684496fd532c1c229968cb9dee44957fcef7ccef59ceda0b362e56bcd78fd3faee5781c623c0bb22b35beabde0664fd30e0e824aba3dd1b0afffc4a3d955ede20cf6a854d52cfd" def _validate_rsa_key_bundle(self, key_attributes, vault, key_name, kty, key_ops): prefix = "/".join(s.strip("/") for s in [vault, "keys", key_name]) key = key_attributes.key
Sku, SkuName, AccessPolicyEntry, VaultProperties, VaultCreateOrUpdateParameters, ) from azure_devtools.scenario_tests.exceptions import AzureTestError from devtools_testutils import AzureMgmtPreparer, ResourceGroupPreparer from devtools_testutils.resource_testcase import RESOURCE_GROUP_PARAM from keys_vault_client import VaultClient DEFAULT_PERMISSIONS = Permissions( keys=[perm.value for perm in KeyPermissions], secrets=[perm.value for perm in SecretPermissions], certificates=[perm.value for perm in CertificatePermissions], storage=[perm.value for perm in StoragePermissions], ) DEFAULT_SKU = SkuName.premium.value CLIENT_OID = '00000000-0000-0000-0000-000000000000' class VaultClientPreparer(AzureMgmtPreparer): def __init__( self, sku=None, permissions=None, enabled_for_deployment=True, enabled_for_disk_encryption=True, enabled_for_template_deployment=True, enable_soft_delete=None,
def create_key_vault( self, keyvault_client, resource_group_name, key_vault_name, region, tenant_id, app_object_id, stg_principal_id, ): """Creates a Key Vault :param keyvault_client: Instance of the Azure KeyVaultManagementClient. :param resource_group_name: The name of the resource group. :param key_vault_name: Name of the Key Vault. :param region: location of the Key Vault. :param tenant_id: Azure tenant Id :param app_object_id: Object Id of the application :param stg_principal_id: Principal Id of the Storage Account :type keyvault_client: object :type resource_group_name: str :type key_vault_name: str :type region: str :type tenant_id: str :type app_object_id: str :type stg_principal_id: str :returns: Vault object :rtype: object """ access_policy_storage_account = AccessPolicyEntry( tenant_id=tenant_id, object_id=stg_principal_id, permissions=Permissions(keys=[ KeyPermissions.GET, KeyPermissions.UNWRAP_KEY, KeyPermissions.WRAP_KEY, ], ), ) access_policy_app = AccessPolicyEntry( tenant_id=tenant_id, object_id=app_object_id, permissions=Permissions(keys=[ KeyPermissions.GET, KeyPermissions.LIST, KeyPermissions.CREATE, KeyPermissions.UPDATE, KeyPermissions.DELETE, KeyPermissions.BACKUP, KeyPermissions.RESTORE, KeyPermissions.RECOVER, ], ), ) key_vault_properties = VaultCreateOrUpdateParameters( location=region, tags={"Created By": "CHSS"}, properties=VaultProperties( tenant_id=tenant_id, sku=Sku( family="A", name="standard", ), access_policies=[ access_policy_storage_account, access_policy_app ], soft_delete_retention_in_days=90, enabled_for_disk_encryption=False, enabled_for_deployment=False, enabled_for_template_deployment=False, enable_soft_delete=True, enable_purge_protection=True, ), ) logging.info("creating a key vault") logging.info("executing keyvault_client.vaults.begin_create_or_update") logging.info(f" resource_group_name={resource_group_name}") logging.info(f" vault_name={key_vault_name}") vault = keyvault_client.vaults.begin_create_or_update( resource_group_name=resource_group_name, vault_name=key_vault_name, parameters=key_vault_properties, ).result() return vault
class AzureKeyVaultTestCase(AzureMgmtTestCase): shared_vault = None default_group = 'azkv-pytest' default_vault = 'pytest-shared-vault' default_permissions = Permissions(keys=[ KeyPermissions.encrypt, KeyPermissions.decrypt, KeyPermissions.wrap_key, KeyPermissions.unwrap_key, KeyPermissions.sign, KeyPermissions.verify, KeyPermissions.get, KeyPermissions.list, KeyPermissions.create, KeyPermissions.update, KeyPermissions.import_enum, KeyPermissions.delete, KeyPermissions.backup, KeyPermissions.restore, KeyPermissions.recover, KeyPermissions.purge], secrets=[ SecretPermissions.get, SecretPermissions.list, SecretPermissions.set, SecretPermissions.delete, SecretPermissions.backup, SecretPermissions.restore, SecretPermissions.recover, SecretPermissions.purge], certificates=[ CertificatePermissions.get, CertificatePermissions.list, CertificatePermissions.delete, CertificatePermissions.create, CertificatePermissions.import_enum, CertificatePermissions.update, CertificatePermissions.managecontacts, CertificatePermissions.getissuers, CertificatePermissions.listissuers, CertificatePermissions.setissuers, CertificatePermissions.deleteissuers, CertificatePermissions.manageissuers, CertificatePermissions.recover, CertificatePermissions.purge], storage=[ StoragePermissions.get, StoragePermissions.list, StoragePermissions.delete, StoragePermissions.set, StoragePermissions.update, StoragePermissions.regeneratekey, StoragePermissions.setsas, StoragePermissions.listsas, StoragePermissions.getsas, StoragePermissions.deletesas]) def setUp(self): self.working_folder = os.path.dirname(__file__) super(AzureKeyVaultTestCase, self).setUp() def mock_key_vault_auth_base(self, request): challenge = HttpBearerChallenge(request.url, 'Bearer authorization=fake-url,resource=https://vault.azure.net') self.set_authorization_header(request, challenge) return request self.fake_settings = fake_settings if TestMode.is_playback(self.test_mode): self.settings = self.fake_settings KeyVaultAuthBase.__call__ = mock_key_vault_auth_base else: import tests.mgmt_settings_real as real_settings self.settings = real_settings self.client = self.create_keyvault_client() self.mgmt_client = self.create_mgmt_client(azure.mgmt.keyvault.KeyVaultManagementClient) if not self.is_playback(): self.create_resource_group() def tearDown(self): return super(AzureKeyVaultTestCase, self).tearDown() def create_keyvault_client(self): def _auth_callback(server, resource, scope): if TestMode.is_playback(self.test_mode): return ('Bearer', 'fake-token') credentials = self.settings.get_credentials() credentials.resource = resource credentials.set_token() return credentials.scheme, credentials.__dict__['token']['access_token'] return KeyVaultClient(KeyVaultAuthentication(_auth_callback)) def _ensure_resource_group(self, group_name): return self.resource_client.resource_groups.create_or_update( group_name, { 'location': self.region } ) def setup_shared_vault(self): if not self.is_playback(): self._ensure_resource_group(self.default_group) if not AzureKeyVaultTestCase.shared_vault: AzureKeyVaultTestCase.shared_vault = self.create_vault(self.default_group, self.default_vault) return AzureKeyVaultTestCase.shared_vault; def setup_private_vault(self, permissions=None, enabled_for_deployment=True, enabled_for_disk_encryption=True, enabled_for_template_deployment=True, enable_soft_delete=None, sku=None): vault_name = self.get_resource_name('vault-') vault = self.create_vault(self.group_name, vault_name, permissions=permissions,enabled_for_deployment=enabled_for_deployment, enabled_for_template_deployment=enabled_for_template_deployment, enable_soft_delete=enable_soft_delete, sku=sku) return vault def create_vault(self, group_name, vault_name, permissions=None, enabled_for_deployment=True, enabled_for_disk_encryption=True, enabled_for_template_deployment=True, enable_soft_delete=None, sku=None): creds = self.settings.get_credentials() access_policies = [AccessPolicyEntry(tenant_id=self.settings.TENANT_ID, object_id=self.settings.CLIENT_OID, permissions=permissions or self.default_permissions)] properties = VaultProperties(tenant_id=self.settings.TENANT_ID, sku=Sku(sku or SkuName.premium.value), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment, enable_soft_delete=enable_soft_delete) parameters = VaultCreateOrUpdateParameters(location='westus', properties=properties) vault = self.mgmt_client.vaults.create_or_update(group_name, vault_name, parameters) if not self.is_playback(): self.sleep(10) return vault def cleanup_private_vault(self, vault): # we only need to cleanup if the vault has soft delete enabled otherwise base teardown will # delete when the resource group is deleted if not self.is_playback() and vault.properties.enable_soft_delete: self.mgmt_client.vaults.delete(self.group_name, vault.name) self.sleep(10) self.mgmt_client.vaults.purge_deleted(vault.name, vault.location) def _scrub_sensitive_request_info(self, request): request = super(AzureKeyVaultTestCase, self)._scrub_sensitive_request_info(request) # prevents URI mismatch between Python 2 and 3 if request URI has extra / chars request.uri = re.sub('//', '/', request.uri) request.uri = re.sub('/', '//', request.uri, count=1) # do not record token requests if '/oauth2/token' in request.uri: request = None return request def _scrub_sensitive_response_info(self, response): from pprint import pprint response = super(AzureKeyVaultTestCase, self)._scrub_sensitive_response_info(response) # ignore any 401 responses during playback if response['status']['code'] == 401: response = None return response def _scrub(self, val): val = super(AzureKeyVaultTestCase, self)._scrub(val) real_to_fake_dict = { self.settings.SUBSCRIPTION_ID: self.fake_settings.SUBSCRIPTION_ID, self.settings.AD_DOMAIN: self.fake_settings.AD_DOMAIN } val = self._scrub_using_dict(val, real_to_fake_dict) return val
def create_keyvault( cmd, client, # pylint: disable=too-many-locals resource_group_name, vault_name, location=None, sku=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, enable_soft_delete=None, no_self_perms=None, tags=None): from azure.mgmt.keyvault.models import ( VaultCreateOrUpdateParameters, Permissions, KeyPermissions, SecretPermissions, CertificatePermissions, StoragePermissions, AccessPolicyEntry, Sku, VaultProperties) from azure.cli.core._profile import Profile from azure.graphrbac.models import GraphErrorException from azure.graphrbac import GraphRbacManagementClient profile = Profile(cli_ctx=cmd.cli_ctx) cred, _, tenant_id = profile.get_login_credentials( resource=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id ) graph_client = GraphRbacManagementClient( cred, tenant_id, base_url=cmd.cli_ctx.cloud.endpoints.active_directory_graph_resource_id ) subscription = profile.get_subscription() if no_self_perms: access_policies = [] else: permissions = Permissions( keys=[ KeyPermissions.get, KeyPermissions.create, KeyPermissions.delete, KeyPermissions.list, KeyPermissions.update, KeyPermissions.import_enum, KeyPermissions.backup, KeyPermissions.restore, KeyPermissions.recover ], secrets=[ SecretPermissions.get, SecretPermissions.list, SecretPermissions.set, SecretPermissions.delete, SecretPermissions.backup, SecretPermissions.restore, SecretPermissions.recover ], certificates=[ CertificatePermissions.get, CertificatePermissions.list, CertificatePermissions.delete, CertificatePermissions.create, CertificatePermissions.import_enum, CertificatePermissions.update, CertificatePermissions.managecontacts, CertificatePermissions.getissuers, CertificatePermissions.listissuers, CertificatePermissions.setissuers, CertificatePermissions.deleteissuers, CertificatePermissions.manageissuers, CertificatePermissions.recover ], storage=[ StoragePermissions.get, StoragePermissions.list, StoragePermissions.delete, StoragePermissions.set, StoragePermissions.update, StoragePermissions.regeneratekey, StoragePermissions.setsas, StoragePermissions.listsas, StoragePermissions.getsas, StoragePermissions.deletesas ]) try: object_id = _get_current_user_object_id(graph_client) except GraphErrorException: object_id = _get_object_id(graph_client, subscription=subscription) if not object_id: raise CLIError( 'Cannot create vault.\nUnable to query active directory for information ' 'about the current user.\nYou may try the --no-self-perms flag to ' 'create a vault without permissions.') access_policies = [ AccessPolicyEntry(tenant_id=tenant_id, object_id=object_id, permissions=permissions) ] properties = VaultProperties( tenant_id=tenant_id, sku=Sku(name=sku), access_policies=access_policies, vault_uri=None, enabled_for_deployment=enabled_for_deployment, enabled_for_disk_encryption=enabled_for_disk_encryption, enabled_for_template_deployment=enabled_for_template_deployment, enable_soft_delete=enable_soft_delete) parameters = VaultCreateOrUpdateParameters(location=location, tags=tags, properties=properties) return client.create_or_update(resource_group_name=resource_group_name, vault_name=vault_name, parameters=parameters)
def test_create_kafka_cluster_with_disk_encryption(self, resource_group, location, storage_account, storage_account_key, vault): # create managed identities for Azure resources. msi_name = self.get_resource_name('hdipyuai') msi_principal_id = "00000000-0000-0000-0000-000000000000" msi_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/{}/providers/microsoft.managedidentity/userassignedidentities/{}".format( resource_group.name, msi_name) if self.is_live: msi = self.msi_client.user_assigned_identities.create_or_update(resource_group.name, msi_name, location) msi_id = msi.id msi_principal_id = msi.principal_id # add managed identity to vault required_permissions = Permissions( keys=[KeyPermissions.get, KeyPermissions.wrap_key, KeyPermissions.unwrap_key], secrets=[SecretPermissions.get, SecretPermissions.set, SecretPermissions.delete]) vault.properties.access_policies.append( AccessPolicyEntry(tenant_id=self.tenant_id, object_id=msi_principal_id, permissions=required_permissions) ) update_params = VaultCreateOrUpdateParameters(location=location, properties=vault.properties) vault = self.vault_mgmt_client.vaults.begin_create_or_update(resource_group.name, vault.name, update_params).result() self.assertIsNotNone(vault) # create keyclient key_client_credential = self.settings.get_azure_core_credentials(scope="https://vault.azure.net/.default") self.vault_client = KeyClient(vault_url=vault.properties.vault_uri, credential=key_client_credential) # create key key_name = self.get_resource_name('hdipykey1') vault_key = self.vault_client.create_key(key_name, 'RSA') # create a new key for test rotate new_key_name = self.get_resource_name('hdipykey2') new_vault_key = self.vault_client.create_key(new_key_name, 'RSA') # create HDInsight cluster with Kafka disk encryption rg_name = resource_group.name cluster_name = self.get_resource_name('hdisdk-kafka-byok') create_params = self.get_cluster_create_params(location, cluster_name, storage_account, storage_account_key) create_params.properties.cluster_definition.kind = 'Kafka' workernode = next(item for item in create_params.properties.compute_profile.roles if item.name == 'workernode') workernode.data_disks_groups = [ DataDisksGroups( disks_per_node=8 ) ] create_params.identity = ClusterIdentity( type=ResourceIdentityType.user_assigned, user_assigned_identities={msi_id: ClusterIdentityUserAssignedIdentitiesValue()} ) create_params.properties.disk_encryption_properties = DiskEncryptionProperties( vault_uri=vault_key.properties.vault_url, key_name=vault_key.name, key_version=vault_key.properties.version, msi_resource_id=msi_id ) cluster = self.hdinsight_client.clusters.begin_create(resource_group.name, cluster_name, create_params).result() self.validate_cluster(cluster_name, create_params, cluster) # check disk encryption properties self.assertIsNotNone(cluster.properties.disk_encryption_properties) self.assertEqual(create_params.properties.disk_encryption_properties.vault_uri, cluster.properties.disk_encryption_properties.vault_uri) self.assertEqual(create_params.properties.disk_encryption_properties.key_name, cluster.properties.disk_encryption_properties.key_name) self.assertEqual(create_params.properties.disk_encryption_properties.msi_resource_id.lower(), cluster.properties.disk_encryption_properties.msi_resource_id.lower()) rotate_params = ClusterDiskEncryptionParameters( vault_uri=new_vault_key.properties.vault_url, key_name=new_vault_key.name, key_version=new_vault_key.properties.version ) # rotate cluster key self.hdinsight_client.clusters.rotate_disk_encryption_key(rg_name, cluster_name, rotate_params).wait() cluster = self.hdinsight_client.clusters.get(rg_name, cluster_name) # check disk encryption properties self.assertIsNotNone(cluster.properties.disk_encryption_properties) self.assertEqual(rotate_params.vault_uri, cluster.properties.disk_encryption_properties.vault_uri) self.assertEqual(rotate_params.key_name, cluster.properties.disk_encryption_properties.key_name) self.assertEqual(msi_id.lower(), cluster.properties.disk_encryption_properties.msi_resource_id.lower())