class GetRoleDefinitionTest(PerfStressTest):
def __init__(self, arguments):
super().__init__(arguments)
# Auth configuration
self.credential = DefaultAzureCredential()
self.async_credential = AsyncDefaultAzureCredential()
# Create clients
vault_url = self.get_from_env("AZURE_MANAGEDHSM_URL")
self.client = KeyVaultAccessControlClient(vault_url, self.credential,
**self._client_kwargs)
self.async_client = AsyncKeyVaultAccessControlClient(
vault_url, self.async_credential, **self._client_kwargs)
self.role_name = uuid.uuid4()
self.scope = KeyVaultRoleScope.GLOBAL
self.permissions = [
KeyVaultPermission(
data_actions=[KeyVaultDataAction.CREATE_HSM_KEY])
]
async def global_setup(self):
"""The global setup is run only once."""
await super().global_setup()
await self.async_client.set_role_definition(
scope=self.scope,
name=self.role_name,
permissions=self.permissions)
async def global_cleanup(self):
"""The global cleanup is run only once."""
await self.async_client.delete_role_definition(scope=self.scope,
name=self.role_name)
await super().global_cleanup()
async def close(self):
"""This is run after cleanup."""
await self.async_client.close()
await self.async_credential.close()
await super().close()
def run_sync(self):
"""The synchronous perf test."""
self.client.get_role_definition(self.scope, self.role_name)
async def run_async(self):
"""The asynchronous perf test."""
await self.async_client.get_role_definition(self.scope, self.role_name)
def data_plane_azure_keyvault_administration_access_control_client(
cli_ctx, command_args):
from azure.keyvault.administration import KeyVaultAccessControlClient
vault_url, credential, version = _prepare_data_plane_azure_keyvault_client(
cli_ctx, command_args,
ResourceType.DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL)
return KeyVaultAccessControlClient(vault_url=vault_url,
credential=credential,
api_version=version)
def __init__(self, arguments):
super().__init__(arguments)
# Auth configuration
self.credential = DefaultAzureCredential()
self.async_credential = AsyncDefaultAzureCredential()
# Create clients
vault_url = self.get_from_env("AZURE_MANAGEDHSM_URL")
self.client = KeyVaultAccessControlClient(vault_url, self.credential,
**self._client_kwargs)
self.async_client = AsyncKeyVaultAccessControlClient(
vault_url, self.async_credential, **self._client_kwargs)
self.role_name = uuid.uuid4()
self.scope = KeyVaultRoleScope.GLOBAL
self.permissions = [
KeyVaultPermission(
data_actions=[KeyVaultDataAction.CREATE_HSM_KEY])
]
def data_plane_azure_keyvault_administration_access_control_client(
cli_ctx, command_args):
from azure.keyvault.administration import KeyVaultAccessControlClient
version = str(
get_api_version(
cli_ctx, ResourceType.DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL))
profile = Profile(cli_ctx=cli_ctx)
credential, _, _ = profile.get_login_credentials(
resource='https://managedhsm.azure.net')
vault_url = command_args['hsm_name']
if not vault_url:
vault_url = command_args['vault_base_url']
return KeyVaultAccessControlClient(vault_url=vault_url,
credential=credential,
api_version=version)
def test_role_assignment(self):
client = KeyVaultAccessControlClient(self.managed_hsm["url"],
self.credential)
scope = KeyVaultRoleScope.GLOBAL
definitions = [d for d in client.list_role_definitions(scope)]
# assign an arbitrary role to the service principal authenticating these requests
definition = definitions[0]
principal_id = self.get_service_principal_id()
name = self.get_replayable_uuid("some-uuid")
created = client.create_role_assignment(scope,
definition.id,
principal_id,
name=name)
assert created.name == name
assert created.properties.principal_id == principal_id
assert created.properties.role_definition_id == definition.id
assert created.properties.scope == scope
# should be able to get the new assignment
got = client.get_role_assignment(scope, name)
assert got.name == name
assert got.properties.principal_id == principal_id
assert got.properties.role_definition_id == definition.id
assert got.properties.scope == scope
# new assignment should be in the list of all assignments
matching_assignments = [
a for a in client.list_role_assignments(scope)
if a.role_assignment_id == created.role_assignment_id
]
assert len(matching_assignments) == 1
# delete the assignment
client.delete_role_assignment(scope, created.name)
assert not any(a.role_assignment_id == created.role_assignment_id
for a in client.list_role_assignments(scope))
def data_plane_azure_keyvault_administration_access_control_client(
cli_ctx, command_args):
from azure.keyvault.administration import KeyVaultAccessControlClient
version = str(
get_api_version(
cli_ctx, ResourceType.DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL))
profile = Profile(cli_ctx=cli_ctx)
credential, _, _ = profile.get_login_credentials(
resource='https://managedhsm.azure.net')
vault_url = \
command_args.get('hsm_name', None) or \
command_args.get('vault_base_url', None) or \
command_args.get('identifier', None)
if not vault_url:
raise RequiredArgumentMissingError('Please specify --hsm-name or --id')
return KeyVaultAccessControlClient(vault_url=vault_url,
credential=credential,
api_version=version)
#
# 2. Update a role definition (set_role_definition)
#
# 3. Create a role assignment (create_role_assignment)
#
# 4. Delete a role assignment (delete_role_assignment)
#
# 5. Delete a role definition (delete_role_definition)
# ----------------------------------------------------------------------------------------------------------
MANAGED_HSM_URL = os.environ["MANAGED_HSM_URL"]
# Instantiate an access control client that will be used to call the service.
# Here we use the DefaultAzureCredential, but any azure-identity credential can be used.
credential = DefaultAzureCredential()
client = KeyVaultAccessControlClient(vault_url=MANAGED_HSM_URL,
credential=credential)
# Let's first create a custom role definition. This role permits creating keys in a Managed HSM.
# We'll provide a friendly role name, and let a unique role definition name (a GUID) be generated for us.
print("\n.. Create a role definition")
role_name = "customRole"
scope = KeyVaultRoleScope.GLOBAL
permissions = [
KeyVaultPermission(data_actions=[KeyVaultDataAction.CREATE_HSM_KEY])
]
role_definition = client.set_role_definition(scope=scope,
role_name=role_name,
permissions=permissions)
print("Role definition '{}' created successfully.".format(
role_definition.role_name))
def test_role_definitions(self):
client = KeyVaultAccessControlClient(self.managed_hsm["url"],
self.credential)
# list initial role definitions
scope = KeyVaultRoleScope.GLOBAL
original_definitions = [d for d in client.list_role_definitions(scope)]
assert len(original_definitions)
# create custom role definition
role_name = self.get_resource_name("role-name")
definition_name = self.get_replayable_uuid("definition-name")
permissions = [
KeyVaultPermission(
allowed_data_actions=[KeyVaultDataAction.READ_HSM_KEY])
]
created_definition = client.set_role_definition(
role_scope=scope,
permissions=permissions,
role_name=role_name,
role_definition_name=definition_name,
description="test")
assert "/" in created_definition.assignable_scopes
assert created_definition.role_name == role_name
assert created_definition.name == definition_name
assert created_definition.description == "test"
assert len(created_definition.permissions) == 1
assert created_definition.permissions[0].allowed_data_actions == [
KeyVaultDataAction.READ_HSM_KEY
]
# update custom role definition
permissions = [
KeyVaultPermission(
allowed_data_actions=[],
denied_data_actions=[KeyVaultDataAction.READ_HSM_KEY])
]
updated_definition = client.set_role_definition(
role_scope=scope,
permissions=permissions,
role_definition_name=definition_name)
assert updated_definition.role_name == ""
assert updated_definition.description == ""
assert len(updated_definition.permissions) == 1
assert len(updated_definition.permissions[0].allowed_data_actions) == 0
assert updated_definition.permissions[0].denied_data_actions == [
KeyVaultDataAction.READ_HSM_KEY
]
# assert that the created role definition isn't duplicated
matching_definitions = [
d for d in client.list_role_definitions(scope)
if d.id == updated_definition.id
]
assert len(matching_definitions) == 1
# get custom role definition
definition = client.get_role_definition(
role_scope=scope, role_definition_name=definition_name)
assert_role_definitions_equal(definition, updated_definition)
# delete custom role definition
deleted_definition = client.delete_role_definition(
scope, definition_name)
assert_role_definitions_equal(deleted_definition, definition)
assert not any(d.id == deleted_definition.id
for d in client.list_role_definitions(scope))