def test_manual_enrolled(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
cert_name = 'unknownIssuerCert'
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Unknown'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# get pending certificate signing request
cert_operation = self.client.create_certificate(vault_uri, cert_name, cert_policy)
pending_version_csr = self.client.get_pending_certificate_signing_request(vault_uri, cert_name)
try:
self.assertEqual(cert_operation.csr, pending_version_csr)
except Exception as ex:
pass
finally:
self.client.delete_certificate(vault_uri, cert_name)
def _scaffold_certificate_profile():
template = CertificatePolicy(
key_properties=KeyProperties(
exportable=True,
key_type=u'(optional) RSA or RSA-HSM (default RSA)',
key_size=2048,
reuse_key=True),
secret_properties=SecretProperties(
content_type=u'application/x-pkcs12 or application/x-pem-file'),
x509_certificate_properties=X509CertificateProperties(
key_usage=[
KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
KeyUsageType.key_agreement, KeyUsageType.key_cert_sign
],
subject_alternative_names=SubjectAlternativeNames(
emails=[u'*****@*****.**'],
dns_names=[u'hr.contoso.com', u'm.contoso.com'],
upns=[]),
subject=
u'C=US, ST=WA, L=Redmond, O=Contoso, OU=Contoso HR, CN=www.contoso.com',
ekus=[u'1.3.6.1.5.5.7.3.1'],
validity_in_months=24),
lifetime_actions=[
LifetimeAction(trigger=Trigger(days_before_expiry=90),
action=Action(action_type=ActionType.auto_renew))
],
issuer_parameters=IssuerParameters(
name=u'Unknown, Self, or {IssuerName}',
certificate_type=u'(optional) DigiCert, GlobalSign or WoSign'),
attributes=CertificateAttributes(enabled=True))
del template.id
del template.attributes
return template
def _default_certificate_profile():
template = CertificatePolicy(
key_properties=KeyProperties(exportable=True,
key_type=u'RSA',
key_size=2048,
reuse_key=True),
secret_properties=SecretProperties(
content_type=u'application/x-pkcs12'),
x509_certificate_properties=X509CertificateProperties(
key_usage=[
KeyUsageType.c_rl_sign, KeyUsageType.data_encipherment,
KeyUsageType.digital_signature, KeyUsageType.key_encipherment,
KeyUsageType.key_agreement, KeyUsageType.key_cert_sign
],
subject=u'CN=CLIGetDefaultPolicy',
validity_in_months=12),
lifetime_actions=[
LifetimeAction(trigger=Trigger(days_before_expiry=90),
action=Action(action_type=ActionType.auto_renew))
],
issuer_parameters=IssuerParameters(name=u'Self', ),
attributes=CertificateAttributes(enabled=True))
del template.id
del template.attributes
del template.issuer_parameters.certificate_type
del template.lifetime_actions[0].trigger.lifetime_percentage
del template.x509_certificate_properties.subject_alternative_names
del template.x509_certificate_properties.ekus
return template
def test_recover_and_purge(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
certs = {}
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Self'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# create certificates to recover
for i in range(0, self.list_test_size):
cert_name = self.get_resource_name('certrec{}'.format(str(i)))
certs[cert_name] = self._import_common_certificate(vault_uri, cert_name)
# create certificates to purge
for i in range(0, self.list_test_size):
cert_name = self.get_resource_name('certprg{}'.format(str(i)))
certs[cert_name] = self._import_common_certificate(vault_uri, cert_name)
# delete all certificates
for cert_name in certs.keys():
delcert = self.client.delete_certificate(vault_uri, cert_name)
print(delcert)
if not self.is_playback():
time.sleep(30)
# validate all our deleted certificates are returned by get_deleted_certificates
deleted = [KeyVaultId.parse_certificate_id(s.id).name for s in self.client.get_deleted_certificates(vault_uri)]
# self.assertTrue(all(s in deleted for s in certs.keys()))
# recover select secrets
for certificate_name in [s for s in certs.keys() if s.startswith('certrec')]:
self.client.recover_deleted_certificate(vault_uri, certificate_name)
# purge select secrets
for certificate_name in [s for s in certs.keys() if s.startswith('certprg')]:
self.client.purge_deleted_certificate(vault_uri, certificate_name)
if not self.is_playback():
time.sleep(30)
# validate none of our deleted certificates are returned by get_deleted_certificates
deleted = [KeyVaultId.parse_secret_id(s.id).name for s in self.client.get_deleted_certificates(vault_uri)]
self.assertTrue(not any(s in deleted for s in certs.keys()))
# validate the recovered certificates
expected = {k: v for k, v in certs.items() if k.startswith('certrec')}
actual = {k: self.client.get_certificate(vault_uri, k, KeyVaultId.version_none) for k in expected.keys()}
self.assertEqual(len(set(expected.keys()) & set(actual.keys())), len(expected))
def test_crud_operations(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
cert_name = self.get_resource_name('cert')
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Self'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# create certificate
interval_time = 5 if not self.is_playback() else 0
cert_operation = self.client.create_certificate(vault_uri, cert_name, cert_policy)
while True:
pending_cert = self.client.get_certificate_operation(vault_uri, cert_name)
self._validate_certificate_operation(pending_cert, vault_uri, cert_name, cert_policy)
if pending_cert.status.lower() == 'completed':
cert_id = KeyVaultId.parse_certificate_operation_id(pending_cert.target)
break
elif pending_cert.status.lower() != 'inprogress':
raise Exception('Unknown status code for pending certificate: {}'.format(pending_cert))
time.sleep(interval_time)
# get certificate
cert_bundle = self.client.get_certificate(cert_id.vault, cert_id.name, '')
self._validate_certificate_bundle(cert_bundle, vault_uri, cert_name, cert_policy)
# get certificate as secret
secret_id = KeyVaultId.parse_secret_id(cert_bundle.sid)
secret_bundle = self.client.get_secret(secret_id.vault, secret_id.name, secret_id.version)
# update certificate
cert_policy.tags = {'tag1': 'value1'}
cert_bundle = self.client.update_certificate(cert_id.vault, cert_id.name, cert_id.version, cert_policy)
self._validate_certificate_bundle(cert_bundle, vault_uri, cert_name, cert_policy)
# delete certificate
cert_bundle = self.client.delete_certificate(vault_uri, cert_name)
self._validate_certificate_bundle(cert_bundle, vault_uri, cert_name, cert_policy)
# get certificate returns not found
try:
self.client.get_certificate(cert_id.vault, cert_id.name, '')
self.fail('Get should fail')
except Exception as ex:
if not hasattr(ex, 'message') or 'not found' not in ex.message.lower():
raise ex
def test_async_request_cancellation_and_deletion(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
cert_name = 'asyncCanceledDeletedCert'
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Self'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# create certificate
self.client.create_certificate(vault_uri, cert_name, cert_policy)
# cancel certificate operation
cancel_operation = self.client.update_certificate_operation(vault_uri, cert_name, True)
self.assertTrue(hasattr(cancel_operation, 'cancellation_requested'))
self.assertTrue(cancel_operation.cancellation_requested)
self._validate_certificate_operation(cancel_operation, vault_uri, cert_name, cert_policy)
retrieved_operation = self.client.get_certificate_operation(vault_uri, cert_name)
self.assertTrue(hasattr(retrieved_operation, 'cancellation_requested'))
self.assertTrue(retrieved_operation.cancellation_requested)
self._validate_certificate_operation(retrieved_operation, vault_uri, cert_name, cert_policy)
# delete certificate operation
deleted_operation = self.client.delete_certificate_operation(vault_uri, cert_name)
self.assertIsNotNone(deleted_operation)
self._validate_certificate_operation(deleted_operation, vault_uri, cert_name, cert_policy)
try:
self.client.get_certificate_operation(vault_uri, cert_name)
self.fail('Get should fail')
except Exception as ex:
if not hasattr(ex, 'message') or 'not found' not in ex.message.lower():
raise ex
# delete cancelled certificate operation
self.client.delete_certificate(vault_uri, cert_name)
