def test_key_wrap_and_unwrap(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('keywrap')
key_id = KeyVaultId.create_key_id(vault_uri, key_name)
plain_text = self.plain_text
# import key
imported_key = self._import_test_key(vault, key_id)
key_id = KeyVaultId.parse_key_id(imported_key.key.kid)
# wrap without version
result = self.client.wrap_key(key_id.vault, key_id.name, '', 'RSA-OAEP', plain_text)
cipher_text = result.result
# unwrap without version
result = self.client.unwrap_key(key_id.vault, key_id.name, '', 'RSA-OAEP', cipher_text)
self.assertEqual(plain_text, result.result)
# wrap with version
result = self.client.wrap_key(key_id.vault, key_id.name, key_id.version, 'RSA-OAEP', plain_text)
cipher_text = result.result
# unwrap with version
result = self.client.unwrap_key(key_id.vault, key_id.name, key_id.version, 'RSA-OAEP', cipher_text)
self.assertEqual(plain_text, result.result)
def test_key_sign_and_verify(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('keysign')
key_id = KeyVaultId.create_key_id(vault_uri, key_name)
plain_text = self.plain_text
md = hashlib.sha256()
md.update(plain_text)
digest = md.digest()
# import key
imported_key = self._import_test_key(vault, key_id)
key_id = KeyVaultId.parse_key_id(imported_key.key.kid)
# sign without version
signature = self.client.sign(key_id.vault, key_id.name, '', 'RS256',
digest).result
# verify without version
result = self.client.verify(key_id.vault, key_id.name, '', 'RS256',
digest, signature)
self.assertTrue(result.value)
# sign with version
signature = self.client.sign(key_id.vault, key_id.name, '', 'RS256',
digest).result
# verify with version
result = self.client.verify(key_id.vault, key_id.name, key_id.version,
'RS256', digest, signature)
self.assertTrue(result.value)
def test_key_wrap_and_unwrap(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('keywrap')
key_id = KeyVaultId.create_key_id(vault_uri, key_name)
plain_text = self.plain_text
# import key
imported_key = self._import_test_key(vault, key_id)
key_id = KeyVaultId.parse_key_id(imported_key.key.kid)
# wrap without version
result = self.client.wrap_key(key_id.vault, key_id.name, '',
'RSA-OAEP', plain_text)
cipher_text = result.result
# unwrap without version
result = self.client.unwrap_key(key_id.vault, key_id.name, '',
'RSA-OAEP', cipher_text)
self.assertEqual(plain_text, result.result)
# wrap with version
result = self.client.wrap_key(key_id.vault, key_id.name,
key_id.version, 'RSA-OAEP', plain_text)
cipher_text = result.result
# unwrap with version
result = self.client.unwrap_key(key_id.vault, key_id.name,
key_id.version, 'RSA-OAEP',
cipher_text)
self.assertEqual(plain_text, result.result)
def test_key_recover_and_purge(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
keys = {}
# create keys to recover
for i in range(0, self.list_test_size):
key_name = self.get_resource_name('keyrec{}'.format(str(i)))
keys[key_name] = self.client.create_key(vault_uri, key_name, 'RSA')
# create keys to purge
for i in range(0, self.list_test_size):
key_name = self.get_resource_name('keyprg{}'.format(str(i)))
keys[key_name] = self.client.create_key(vault_uri, key_name, 'RSA')
# delete all keys
for key_name in keys.keys():
self.client.delete_key(vault_uri, key_name)
if not self.is_playback():
time.sleep(20)
# validate all our deleted keys are returned by get_deleted_keys
deleted = [
KeyVaultId.parse_key_id(s.kid).name
for s in self.client.get_deleted_keys(vault_uri)
]
self.assertTrue(all(s in deleted for s in keys.keys()))
# recover select keys
for key_name in [s for s in keys.keys() if s.startswith('keyrec')]:
self.client.recover_deleted_key(vault_uri, key_name)
# purge select keys
for key_name in [s for s in keys.keys() if s.startswith('keyprg')]:
self.client.purge_deleted_key(vault_uri, key_name)
if not self.is_playback():
time.sleep(20)
# validate none of our deleted keys are returned by get_deleted_keys
deleted = [
KeyVaultId.parse_key_id(s.kid).name
for s in self.client.get_deleted_keys(vault_uri)
]
self.assertTrue(not any(s in deleted for s in keys.keys()))
# validate the recovered keys
expected = {
k: v
for k, v in keys.items()
if k.startswith('key-') and k.endswith('-recover')
}
actual = {
k: self.client.get_key(vault_uri, k)
for k in expected.keys()
}
self.assertEqual(len(set(expected.keys()) & set(actual.keys())),
len(expected))
def _validate_certificate_issuer_list(self, issuers, expected):
for issuer in issuers:
KeyVaultId.parse_certificate_issuer_id(issuer.id)
provider = expected[issuer.id]
if provider:
self.assertEqual(provider, issuer.provider)
del expected[issuer.id]
def test_key_sign_and_verify(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('keysign')
key_id = KeyVaultId.create_key_id(vault_uri, key_name)
plain_text = self.plain_text
md = hashlib.sha256()
md.update(plain_text);
digest = md.digest();
# import key
imported_key = self._import_test_key(vault, key_id)
key_id = KeyVaultId.parse_key_id(imported_key.key.kid)
# sign without version
signature = self.client.sign(key_id.vault, key_id.name, '', 'RS256', digest).result
# verify without version
result = self.client.verify(key_id.vault, key_id.name, '', 'RS256', digest, signature)
self.assertTrue(result.value)
# sign with version
signature = self.client.sign(key_id.vault, key_id.name, '', 'RS256', digest).result
# verify with version
result = self.client.verify(key_id.vault, key_id.name, key_id.version, 'RS256', digest, signature)
self.assertTrue(result.value)
def test_recover_and_purge(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
certs = {}
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Self'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# create certificates to recover
for i in range(0, self.list_test_size):
cert_name = self.get_resource_name('certrec{}'.format(str(i)))
certs[cert_name] = self._import_common_certificate(vault_uri, cert_name)
# create certificates to purge
for i in range(0, self.list_test_size):
cert_name = self.get_resource_name('certprg{}'.format(str(i)))
certs[cert_name] = self._import_common_certificate(vault_uri, cert_name)
# delete all certificates
for cert_name in certs.keys():
delcert = self.client.delete_certificate(vault_uri, cert_name)
print(delcert)
if not self.is_playback():
time.sleep(30)
# validate all our deleted certificates are returned by get_deleted_certificates
deleted = [KeyVaultId.parse_certificate_id(s.id).name for s in self.client.get_deleted_certificates(vault_uri)]
# self.assertTrue(all(s in deleted for s in certs.keys()))
# recover select secrets
for certificate_name in [s for s in certs.keys() if s.startswith('certrec')]:
self.client.recover_deleted_certificate(vault_uri, certificate_name)
# purge select secrets
for certificate_name in [s for s in certs.keys() if s.startswith('certprg')]:
self.client.purge_deleted_certificate(vault_uri, certificate_name)
if not self.is_playback():
time.sleep(30)
# validate none of our deleted certificates are returned by get_deleted_certificates
deleted = [KeyVaultId.parse_secret_id(s.id).name for s in self.client.get_deleted_certificates(vault_uri)]
self.assertTrue(not any(s in deleted for s in certs.keys()))
# validate the recovered certificates
expected = {k: v for k, v in certs.items() if k.startswith('certrec')}
actual = {k: self.client.get_certificate(vault_uri, k, KeyVaultId.version_none) for k in expected.keys()}
self.assertEqual(len(set(expected.keys()) & set(actual.keys())), len(expected))
def test_create_certificate_id(self):
expected = self._get_expected('certificates', 'myvault', 'mycert')
res = KeyVaultId.create_certificate_id('https://myvault.vault.azure.net', ' mycert', None)
self.assertEqual(res.__dict__, expected)
expected = self._get_expected('certificates', 'myvault', 'mycert', 'abc123')
res = KeyVaultId.create_certificate_id('https://myvault.vault.azure.net', 'mycert', ' abc123')
self.assertEqual(res.__dict__, expected)
def test_parse_key_id(self):
expected = self._get_expected('keys', 'myvault', 'mykey', 'abc123')
res = KeyVaultId.parse_key_id('https://myvault.vault.azure.net/keys/mykey/abc123')
self.assertEqual(res.__dict__, expected)
expected = self._get_expected('keys', 'myvault', 'mykey')
res = KeyVaultId.parse_key_id('https://myvault.vault.azure.net/keys/mykey')
self.assertEqual(res.__dict__, expected)
def test_parse_secret_id(self):
expected = self._get_expected('secrets', 'myvault', 'mysecret', 'abc123')
res = KeyVaultId.parse_secret_id('https://myvault.vault.azure.net/secrets/mysecret/abc123')
self.assertEqual(res.__dict__, expected)
expected = self._get_expected('secrets', 'myvault', 'mysecret')
res = KeyVaultId.parse_secret_id('https://myvault.vault.azure.net/secrets/mysecret')
self.assertEqual(res.__dict__, expected)
def test_crud_operations(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
cert_name = self.get_resource_name('cert')
cert_policy = CertificatePolicy(key_properties=KeyProperties(exportable=True,
key_type='RSA',
key_size=2048,
reuse_key=False),
secret_properties=SecretProperties(content_type='application/x-pkcs12'),
issuer_parameters=IssuerParameters(name='Self'),
x509_certificate_properties=X509CertificateProperties(
subject='CN=*.microsoft.com',
subject_alternative_names=SubjectAlternativeNames(
dns_names=['onedrive.microsoft.com', 'xbox.microsoft.com']
),
validity_in_months=24
))
# create certificate
interval_time = 5 if not self.is_playback() else 0
cert_operation = self.client.create_certificate(vault_uri, cert_name, cert_policy)
while True:
pending_cert = self.client.get_certificate_operation(vault_uri, cert_name)
self._validate_certificate_operation(pending_cert, vault_uri, cert_name, cert_policy)
if pending_cert.status.lower() == 'completed':
cert_id = KeyVaultId.parse_certificate_operation_id(pending_cert.target)
break
elif pending_cert.status.lower() != 'inprogress':
raise Exception('Unknown status code for pending certificate: {}'.format(pending_cert))
time.sleep(interval_time)
# get certificate
cert_bundle = self.client.get_certificate(cert_id.vault, cert_id.name, '')
self._validate_certificate_bundle(cert_bundle, vault_uri, cert_name, cert_policy)
# get certificate as secret
secret_id = KeyVaultId.parse_secret_id(cert_bundle.sid)
secret_bundle = self.client.get_secret(secret_id.vault, secret_id.name, secret_id.version)
# update certificate
cert_policy.tags = {'tag1': 'value1'}
cert_bundle = self.client.update_certificate(cert_id.vault, cert_id.name, cert_id.version, cert_policy)
self._validate_certificate_bundle(cert_bundle, vault_uri, cert_name, cert_policy)
# delete certificate
cert_bundle = self.client.delete_certificate(vault_uri, cert_name)
self._validate_certificate_bundle(cert_bundle, vault_uri, cert_name, cert_policy)
# get certificate returns not found
try:
self.client.get_certificate(cert_id.vault, cert_id.name, '')
self.fail('Get should fail')
except Exception as ex:
if not hasattr(ex, 'message') or 'not found' not in ex.message.lower():
raise ex
def test_parse_key_id(self):
expected = self._get_expected('keys', 'myvault', 'mykey', 'abc123')
res = KeyVaultId.parse_key_id(
'https://myvault.vault.azure.net/keys/mykey/abc123')
self.assertEqual(res.__dict__, expected)
expected = self._get_expected('keys', 'myvault', 'mykey')
res = KeyVaultId.parse_key_id(
'https://myvault.vault.azure.net/keys/mykey')
self.assertEqual(res.__dict__, expected)
def test_create_object_id(self):
# success scenarios
expected = self._get_expected('keys', 'myvault', 'mykey')
res = KeyVaultId.create_object_id('keys',
'https://myvault.vault.azure.net',
' mykey', None)
self.assertEqual(res.__dict__, expected)
res = KeyVaultId.create_object_id('keys',
'https://myvault.vault.azure.net',
' mykey', ' ')
self.assertEqual(res.__dict__, expected)
expected = self._get_expected('keys', 'myvault', 'mykey', 'abc123')
res = KeyVaultId.create_object_id(' keys ',
'https://myvault.vault.azure.net',
' mykey ', ' abc123 ')
self.assertEqual(res.__dict__, expected)
# failure scenarios
with self.assertRaises(TypeError):
KeyVaultId.create_object_id('keys',
'https://myvault.vault.azure.net',
['stuff'], '')
with self.assertRaises(ValueError):
KeyVaultId.create_object_id('keys',
'https://myvault.vault.azure.net', ' ',
'')
with self.assertRaises(ValueError):
KeyVaultId.create_object_id('keys', 'myvault.vault.azure.net',
'mykey', '')
def test_create_secret_id(self):
expected = self._get_expected('secrets', 'myvault', 'mysecret')
res = KeyVaultId.create_secret_id('https://myvault.vault.azure.net',
' mysecret', None)
self.assertEqual(res.__dict__, expected)
expected = self._get_expected('secrets', 'myvault', 'mysecret',
'abc123')
res = KeyVaultId.create_secret_id('https://myvault.vault.azure.net',
' mysecret ', ' abc123 ')
self.assertEqual(res.__dict__, expected)
def test_parse_certificate_id(self):
expected = self._get_expected('certificates', 'myvault', 'mycert',
'abc123')
res = KeyVaultId.parse_certificate_id(
'https://myvault.vault.azure.net/certificates/mycert/abc123')
self.assertEqual(res.__dict__, expected)
expected = self._get_expected('certificates', 'myvault', 'mycert')
res = KeyVaultId.parse_certificate_id(
'https://myvault.vault.azure.net/certificates/mycert')
self.assertEqual(res.__dict__, expected)
def test_recover_purge(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
secrets = {}
# create secrets to recover
for i in range(0, self.list_test_size):
secret_name = self.get_resource_name('secrec{}'.format(str(i)))
secret_value = self.get_resource_name('secval{}'.format((str(i))))
secrets[secret_name] = self.client.set_secret(vault_uri, secret_name, secret_value)
# create secrets to purge
for i in range(0, self.list_test_size):
secret_name = self.get_resource_name('secprg{}'.format(str(i)))
secret_value = self.get_resource_name('secval{}'.format((str(i))))
secrets[secret_name] = self.client.set_secret(vault_uri, secret_name, secret_value)
# delete all secrets
for secret_name in secrets.keys():
self.client.delete_secret(vault_uri, secret_name)
if not self.is_playback():
time.sleep(20)
# validate all our deleted secrets are returned by get_deleted_secrets
deleted = [KeyVaultId.parse_secret_id(s.id).name for s in self.client.get_deleted_secrets(vault_uri)]
self.assertTrue(all(s in deleted for s in secrets.keys()))
# recover select secrets
for secret_name in [s for s in secrets.keys() if s.startswith('secrec')]:
self.client.recover_deleted_secret(vault_uri, secret_name)
# purge select secrets
for secret_name in [s for s in secrets.keys() if s.startswith('secprg')]:
self.client.purge_deleted_secret(vault_uri, secret_name)
if not self.is_playback():
time.sleep(20)
# validate none of our deleted secrets are returned by get_deleted_secrets
deleted = [KeyVaultId.parse_secret_id(s.id).name for s in self.client.get_deleted_secrets(vault_uri)]
self.assertTrue(not any(s in deleted for s in secrets.keys()))
# validate the recovered secrets
expected = {k: v for k, v in secrets.items() if k.startswith('secrec')}
actual = {k: self.client.get_secret(vault_uri, k, KeyVaultId.version_none) for k in expected.keys()}
self.assertEqual(len(set(expected.keys()) & set(actual.keys())), len(expected))
def test_recover_purge(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
secrets = {}
# create secrets to recover
for i in range(0, self.list_test_size):
secret_name = self.get_resource_name('secrec{}'.format(str(i)))
secret_value = self.get_resource_name('secval{}'.format((str(i))))
secrets[secret_name] = self.client.set_secret(vault_uri, secret_name, secret_value)
# create secrets to purge
for i in range(0, self.list_test_size):
secret_name = self.get_resource_name('secprg{}'.format(str(i)))
secret_value = self.get_resource_name('secval{}'.format((str(i))))
secrets[secret_name] = self.client.set_secret(vault_uri, secret_name, secret_value)
# delete all secrets
for secret_name in secrets.keys():
self.client.delete_secret(vault_uri, secret_name)
if not self.is_playback():
time.sleep(20)
# validate all our deleted secrets are returned by get_deleted_secrets
deleted = [KeyVaultId.parse_secret_id(s.id).name for s in self.client.get_deleted_secrets(vault_uri)]
self.assertTrue(all(s in deleted for s in secrets.keys()))
# recover select secrets
for secret_name in [s for s in secrets.keys() if s.startswith('secrec')]:
self.client.recover_deleted_secret(vault_uri, secret_name)
# purge select secrets
for secret_name in [s for s in secrets.keys() if s.startswith('secprg')]:
self.client.purge_deleted_secret(vault_uri, secret_name)
if not self.is_playback():
time.sleep(20)
# validate none of our deleted secrets are returned by get_deleted_secrets
deleted = [KeyVaultId.parse_secret_id(s.id).name for s in self.client.get_deleted_secrets(vault_uri)]
self.assertTrue(not any(s in deleted for s in secrets.keys()))
# validate the recovered secrets
expected = {k: v for k, v in secrets.items() if k.startswith('secrec')}
actual = {k: self.client.get_secret(vault_uri, k, KeyVaultId.version_none) for k in expected.keys()}
self.assertEqual(len(set(expected.keys()) & set(actual.keys())), len(expected))
def test_key_list_versions(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('key')
max_keys = self.list_test_size
expected = {}
# create many key versions
for x in range(0, max_keys):
key_bundle = None
error_count = 0
while not key_bundle:
try:
key_bundle = self.client.create_key(vault_uri, key_name, 'RSA')
kid = KeyVaultId.parse_key_id(key_bundle.key.kid).id.strip('/')
expected[kid] = key_bundle.attributes
except Exception as ex:
if hasattr(ex, 'message') and 'Throttled' in ex.message:
error_count += 1
time.sleep(2.5 * error_count)
continue
else:
raise ex
# list key versions
self._validate_key_list(list(self.client.get_key_versions(vault_uri, key_name)), expected)
def get_secret(self, name, version=''):
''' Gets an existing secret '''
secret_bundle = self.client.get_secret(self.keyvault_uri, name, version)
if secret_bundle:
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return dict(secret_id=secret_id.id, secret_value=secret_bundle.value)
return None
def test_list_versions(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
cert_name = self.get_resource_name('certver')
max_certificates = self.list_test_size
expected = {}
# import same certificates as different versions
for x in range(0, max_certificates):
cert_bundle = None
error_count = 0
while not cert_bundle:
try:
cert_bundle = self._import_common_certificate(vault_uri, cert_name)[0]
cid = KeyVaultId.parse_certificate_id(cert_bundle.id).id.strip('/')
expected[cid] = cert_bundle.attributes
except Exception as ex:
if hasattr(ex, 'message') and 'Throttled' in ex.message:
error_count += 1
time.sleep(2.5 * error_count)
continue
else:
raise ex
# list certificate versions
self._validate_certificate_list(list(self.client.get_certificate_versions(vault_uri, cert_name)), expected)
def _validate_certificate_operation(self, pending_cert, vault, cert_name, cert_policy):
self.assertIsNotNone(pending_cert)
self.assertIsNotNone(pending_cert.csr)
self.assertEqual(cert_policy.issuer_parameters.name, pending_cert.issuer_parameters.name)
pending_id = KeyVaultId.parse_certificate_operation_id(pending_cert.id)
self.assertEqual(pending_id.vault.strip('/'), vault.strip('/'))
self.assertEqual(pending_id.name, cert_name)
def test_secret_list(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
max_secrets = self.list_test_size
expected = {}
# create many secrets
for x in range(0, max_secrets):
secret_name = 'sec{}'.format(x)
secret_value = self.get_resource_name('secVal{}'.format(x))
secret_bundle = None
error_count = 0
while not secret_bundle:
try:
secret_bundle = self.client.set_secret(vault_uri, secret_name, secret_value)
sid = KeyVaultId.parse_secret_id(secret_bundle.id).base_id.strip('/')
expected[sid] = secret_bundle.attributes
except Exception as ex:
if hasattr(ex, 'message') and 'Throttled' in ex.message:
error_count += 1
time.sleep(2.5 * error_count)
continue
else:
raise ex
# list secrets
result = list(self.client.get_secrets(vault_uri, self.list_test_size))
self._validate_secret_list(result, expected)
def test_key_list_versions(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('key')
max_keys = self.list_test_size
expected = {}
# create many key versions
for x in range(0, max_keys):
key_bundle = None
error_count = 0
while not key_bundle:
try:
key_bundle = self.client.create_key(
vault_uri, key_name, 'RSA')
kid = KeyVaultId.parse_key_id(
key_bundle.key.kid).id.strip('/')
expected[kid] = key_bundle.attributes
except Exception as ex:
if hasattr(ex, 'message') and 'Throttled' in ex.message:
error_count += 1
time.sleep(2.5 * error_count)
continue
else:
raise ex
# list key versions
self._validate_key_list(
list(self.client.get_key_versions(vault_uri, key_name)), expected)
def test_secret_list(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
max_secrets = self.list_test_size
expected = {}
# create many secrets
for x in range(0, max_secrets):
secret_name = 'sec{}'.format(x)
secret_value = self.get_resource_name('secVal{}'.format(x))
secret_bundle = None
error_count = 0
while not secret_bundle:
try:
secret_bundle = self.client.set_secret(vault_uri, secret_name, secret_value)
sid = KeyVaultId.parse_secret_id(secret_bundle.id).base_id.strip('/')
expected[sid] = secret_bundle.attributes
except Exception as ex:
if hasattr(ex, 'message') and 'Throttled' in ex.message:
error_count += 1
time.sleep(2.5 * error_count)
continue
else:
raise ex
# list secrets
result = list(self.client.get_secrets(vault_uri, self.list_test_size))
self._validate_secret_list(result, expected)
def create_key(self, name, tags, kty='RSA'):
''' Creates a key '''
key_bundle = self.client.create_key(vault_base_url=self.keyvault_uri,
key_name=name,
kty=kty,
tags=tags)
key_id = KeyVaultId.parse_key_id(key_bundle.key.kid)
return key_id.id
def test_key_recover_and_purge(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
keys = {}
# create keys to recover
for i in range(0, self.list_test_size):
key_name = self.get_resource_name('keyrec{}'.format(str(i)))
keys[key_name] = self.client.create_key(vault_uri, key_name, 'RSA')
# create keys to purge
for i in range(0, self.list_test_size):
key_name = self.get_resource_name('keyprg{}'.format(str(i)))
keys[key_name] = self.client.create_key(vault_uri, key_name, 'RSA')
# delete all keys
for key_name in keys.keys():
self.client.delete_key(vault_uri, key_name)
if not self.is_playback():
time.sleep(20)
# validate all our deleted keys are returned by get_deleted_keys
deleted = [KeyVaultId.parse_key_id(s.kid).name for s in self.client.get_deleted_keys(vault_uri)]
self.assertTrue(all(s in deleted for s in keys.keys()))
# recover select keys
for key_name in [s for s in keys.keys() if s.startswith('keyrec')]:
self.client.recover_deleted_key(vault_uri, key_name)
# purge select keys
for key_name in [s for s in keys.keys() if s.startswith('keyprg')]:
self.client.purge_deleted_key(vault_uri, key_name)
if not self.is_playback():
time.sleep(20)
# validate none of our deleted keys are returned by get_deleted_keys
deleted = [KeyVaultId.parse_key_id(s.kid).name for s in self.client.get_deleted_keys(vault_uri)]
self.assertTrue(not any(s in deleted for s in keys.keys()))
# validate the recovered keys
expected = {k: v for k, v in keys.items() if k.startswith('key-') and k.endswith('-recover')}
actual = {k: self.client.get_key(vault_uri, k) for k in expected.keys()}
self.assertEqual(len(set(expected.keys()) & set(actual.keys())), len(expected))
def azure_decrypt(config, logger, session, encrypted_field):
data = config[encrypted_field] # type: str
if type(data) is dict:
kv_session = session.get_session_for_resource(resource=RESOURCE_VAULT)
secret_id = KeyVaultId.parse_secret_id(data['secret'])
kv_client = kv_session.client('azure.keyvault.KeyVaultClient')
return kv_client.get_secret(secret_id.vault, secret_id.name, secret_id.version).value
return data
def create_update_secret(self, name, secret, tags, content_type):
''' Creates/Updates a secret '''
secret_bundle = self.client.set_secret(self.keyvault_uri,
name,
secret,
tags=tags,
content_type=content_type)
secret_id = KeyVaultId.parse_secret_id(secret_bundle.id)
return secret_id.id
def test_secret_crud_operations(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
secret_name = 'crud-secret'
secret_value = self.get_resource_name('crud_secret_value')
# create secret
secret_bundle = self.client.set_secret(vault_uri, secret_name,
secret_value)
self._validate_secret_bundle(secret_bundle, vault_uri, secret_name,
secret_value)
created_bundle = secret_bundle
secret_id = KeyVaultId.parse_secret_id(created_bundle.id)
# get secret without version
self.assertEqual(
created_bundle,
self.client.get_secret(secret_id.vault, secret_id.name, ''))
# get secret with version
self.assertEqual(
created_bundle,
self.client.get_secret(secret_id.vault, secret_id.name,
secret_id.version))
def _update_secret(secret_uri):
updating_bundle = copy.deepcopy(created_bundle)
updating_bundle.content_type = 'text/plain'
updating_bundle.attributes.expires = date_parse.parse(
'2050-02-02T08:00:00.000Z')
updating_bundle.tags = {'foo': 'updated tag'}
sid = KeyVaultId.parse_secret_id(secret_uri)
secret_bundle = self.client.update_secret(
sid.vault, sid.name, sid.version, updating_bundle.content_type,
updating_bundle.attributes, updating_bundle.tags)
self.assertEqual(updating_bundle.tags, secret_bundle.tags)
self.assertEqual(updating_bundle.id, secret_bundle.id)
self.assertNotEqual(str(updating_bundle.attributes.updated),
str(secret_bundle.attributes.updated))
return secret_bundle
# update secret without version
secret_bundle = _update_secret(secret_id.base_id)
# update secret with version
secret_bundle = _update_secret(secret_id.id)
# delete secret
self.client.delete_secret(secret_id.vault, secret_id.name)
# get secret returns not found
try:
self.client.get_secret(secret_id.vault, secret_id.name, '')
except Exception as ex:
if not hasattr(ex,
'message') or 'not found' not in ex.message.lower():
raise ex
def secretitem_to_dict(secretitem):
return dict(sid=secretitem.id,
version=KeyVaultId.parse_secret_id(secretitem.id).version,
tags=secretitem.tags,
attributes=dict(
enabled=secretitem.attributes.enabled,
not_before=secretitem.attributes.not_before,
expires=secretitem.attributes.expires,
created=secretitem.attributes.created,
updated=secretitem.attributes.updated,
recovery_level=secretitem.attributes.recovery_level))
def _validate_certificate_bundle(self, cert, vault, cert_name, cert_policy):
cert_id = KeyVaultId.parse_certificate_id(cert.id)
self.assertEqual(cert_id.vault.strip('/'), vault.strip('/'))
self.assertEqual(cert_id.name, cert_name)
self.assertIsNotNone(cert)
self.assertIsNotNone(cert.x509_thumbprint)
self.assertIsNotNone(cert.cer)
self.assertIsNotNone(cert.attributes)
self.assertIsNotNone(cert.policy)
self.assertIsNotNone(cert.policy.id)
self.assertIsNotNone(cert.policy.issuer_parameters)
self.assertIsNotNone(cert.policy.lifetime_actions)
self.assertEqual(cert.policy.key_properties, cert_policy.key_properties)
self.assertEqual(cert.policy.secret_properties, cert_policy.secret_properties)
self.assertIsNotNone(cert.policy.x509_certificate_properties)
if cert_policy.x509_certificate_properties:
self.assertEqual(cert.policy.x509_certificate_properties.validity_in_months,
cert_policy.x509_certificate_properties.validity_in_months)
KeyVaultId.parse_secret_id(cert.sid)
KeyVaultId.parse_key_id(cert.kid)
def test_key_import(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('keyimp')
key_id = KeyVaultId.create_key_id(vault_uri, key_name)
# import to software
self._import_test_key(vault, key_id, False)
# import to hardware
self._import_test_key(vault, key_id, True)
def _update_key(key_uri):
updating_bundle = copy.deepcopy(created_bundle)
updating_bundle.attributes.expires = date_parse.parse('2050-02-02T08:00:00.000Z')
updating_bundle.key.key_ops = ['encrypt', 'decrypt']
updating_bundle.tags = {'foo': 'updated tag'}
kid = KeyVaultId.parse_key_id(key_uri)
key_bundle = self.client.update_key(
kid.vault, kid.name, kid.version, updating_bundle.key.key_ops, updating_bundle.attributes,
updating_bundle.tags)
self.assertEqual(updating_bundle.tags, key_bundle.tags)
self.assertEqual(updating_bundle.key.kid, key_bundle.key.kid)
return key_bundle
def test_key_import(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('keyimp')
key_id = KeyVaultId.create_key_id(vault_uri, key_name)
# import to software
self._import_test_key(vault, key_id, False)
# import to hardware
self._import_test_key(vault, key_id, True)
def test_key_crud_operations(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('key')
# create key
created_bundle = self.client.create_key(vault_uri, key_name, 'RSA')
self._validate_rsa_key_bundle(created_bundle, vault_uri, key_name,
'RSA')
key_id = KeyVaultId.parse_key_id(created_bundle.key.kid)
# get key without version
self.assertEqual(created_bundle,
self.client.get_key(key_id.vault, key_id.name, ''))
# get key with version
self.assertEqual(
created_bundle,
self.client.get_key(key_id.vault, key_id.name, key_id.version))
def _update_key(key_uri):
updating_bundle = copy.deepcopy(created_bundle)
updating_bundle.attributes.expires = date_parse.parse(
'2050-02-02T08:00:00.000Z')
updating_bundle.key.key_ops = ['encrypt', 'decrypt']
updating_bundle.tags = {'foo': 'updated tag'}
kid = KeyVaultId.parse_key_id(key_uri)
key_bundle = self.client.update_key(kid.vault, kid.name,
kid.version,
updating_bundle.key.key_ops,
updating_bundle.attributes,
updating_bundle.tags)
self.assertEqual(updating_bundle.tags, key_bundle.tags)
self.assertEqual(updating_bundle.key.kid, key_bundle.key.kid)
return key_bundle
# update key without version
created_bundle = _update_key(key_id.base_id)
# update key with version
created_bundle = _update_key(key_id.id)
# delete key
self.client.delete_key(key_id.vault, key_id.name)
# get key returns not found
try:
self.client.get_key(key_id.vault, key_id.name, '')
self.fail('Get should fail')
except Exception as ex:
if not hasattr(ex,
'message') or 'not found' not in ex.message.lower():
raise ex
def keyitem_to_dict(keyitem):
return dict(kid=keyitem.kid,
version=KeyVaultId.parse_key_id(keyitem.kid).version,
tags=keyitem.tags,
manged=keyitem.managed,
attributes=dict(
enabled=keyitem.attributes.enabled,
not_before=keyitem.attributes.not_before,
expires=keyitem.attributes.expires,
created=keyitem.attributes.created,
updated=keyitem.attributes.updated,
recovery_level=keyitem.attributes.recovery_level))
def _update_secret(secret_uri):
updating_bundle = copy.deepcopy(created_bundle)
updating_bundle.content_type = 'text/plain'
updating_bundle.attributes.expires = date_parse.parse('2050-02-02T08:00:00.000Z')
updating_bundle.tags = {'foo': 'updated tag'}
sid = KeyVaultId.parse_secret_id(secret_uri)
secret_bundle = self.client.update_secret(
sid.vault, sid.name, sid.version, updating_bundle.content_type, updating_bundle.attributes,
updating_bundle.tags)
self.assertEqual(updating_bundle.tags, secret_bundle.tags)
self.assertEqual(updating_bundle.id, secret_bundle.id)
self.assertNotEqual(str(updating_bundle.attributes.updated), str(secret_bundle.attributes.updated))
return secret_bundle
def secretbundle_to_dict(bundle):
return dict(tags=bundle.tags,
attributes=dict(
enabled=bundle.attributes.enabled,
not_before=bundle.attributes.not_before,
expires=bundle.attributes.expires,
created=bundle.attributes.created,
updated=bundle.attributes.updated,
recovery_level=bundle.attributes.recovery_level),
sid=bundle.id,
version=KeyVaultId.parse_secret_id(bundle.id).version,
content_type=bundle.content_type,
secret=bundle.value)
def _update_secret(secret_uri):
updating_bundle = copy.deepcopy(created_bundle)
updating_bundle.content_type = 'text/plain'
updating_bundle.attributes.expires = date_parse.parse('2050-02-02T08:00:00.000Z')
updating_bundle.tags = {'foo': 'updated tag'}
sid = KeyVaultId.parse_secret_id(secret_uri)
secret_bundle = self.client.update_secret(
sid.vault, sid.name, sid.version, updating_bundle.content_type, updating_bundle.attributes,
updating_bundle.tags)
self.assertEqual(updating_bundle.tags, secret_bundle.tags)
self.assertEqual(updating_bundle.id, secret_bundle.id)
self.assertNotEqual(str(updating_bundle.attributes.updated), str(secret_bundle.attributes.updated))
return secret_bundle
def test_create_object_id(self):
# success scenarios
expected = self._get_expected('keys', 'myvault', 'mykey')
res = KeyVaultId.create_object_id('keys', 'https://myvault.vault.azure.net', ' mykey', None)
self.assertEqual(res.__dict__, expected)
res = KeyVaultId.create_object_id('keys', 'https://myvault.vault.azure.net', ' mykey', ' ')
self.assertEqual(res.__dict__, expected)
expected = self._get_expected('keys', 'myvault', 'mykey', 'abc123')
res = KeyVaultId.create_object_id(' keys ', 'https://myvault.vault.azure.net', ' mykey ', ' abc123 ')
self.assertEqual(res.__dict__, expected)
# failure scenarios
with self.assertRaises(TypeError):
KeyVaultId.create_object_id('keys', 'https://myvault.vault.azure.net', ['stuff'], '')
with self.assertRaises(ValueError):
KeyVaultId.create_object_id('keys', 'https://myvault.vault.azure.net', ' ', '')
with self.assertRaises(ValueError):
KeyVaultId.create_object_id('keys', 'myvault.vault.azure.net', 'mykey', '')
def test_parse_object_id(self):
# success scenarios
expected = self._get_expected('keys', 'myvault', 'mykey', 'abc123')
res = KeyVaultId.parse_object_id('keys', 'https://myvault.vault.azure.net/keys/mykey/abc123')
self.assertEqual(res.__dict__, expected)
expected = self._get_expected('keys', 'myvault', 'mykey')
res = KeyVaultId.parse_object_id('keys', 'https://myvault.vault.azure.net/keys/mykey')
self.assertEqual(res.__dict__, expected)
# failure scenarios
with self.assertRaises(ValueError):
KeyVaultId.parse_object_id('secret', 'https://myvault.vault.azure.net/keys/mykey/abc123')
with self.assertRaises(ValueError):
KeyVaultId.parse_object_id('keys', 'https://myvault.vault.azure.net/keys/mykey/abc123/extra')
with self.assertRaises(ValueError):
KeyVaultId.parse_object_id('keys', 'https://myvault.vault.azure.net')
def _update_key(key_uri):
updating_bundle = copy.deepcopy(created_bundle)
updating_bundle.attributes.expires = date_parse.parse(
'2050-02-02T08:00:00.000Z')
updating_bundle.key.key_ops = ['encrypt', 'decrypt']
updating_bundle.tags = {'foo': 'updated tag'}
kid = KeyVaultId.parse_key_id(key_uri)
key_bundle = self.client.update_key(kid.vault, kid.name,
kid.version,
updating_bundle.key.key_ops,
updating_bundle.attributes,
updating_bundle.tags)
self.assertEqual(updating_bundle.tags, key_bundle.tags)
self.assertEqual(updating_bundle.key.kid, key_bundle.key.kid)
return key_bundle
def test_secret_crud_operations(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
secret_name = 'crud-secret'
secret_value = self.get_resource_name('crud_secret_value')
# create secret
secret_bundle = self.client.set_secret(vault_uri, secret_name, secret_value)
self._validate_secret_bundle(secret_bundle, vault_uri, secret_name, secret_value)
created_bundle = secret_bundle
secret_id = KeyVaultId.parse_secret_id(created_bundle.id)
# get secret without version
self.assertEqual(created_bundle, self.client.get_secret(secret_id.vault, secret_id.name, ''))
# get secret with version
self.assertEqual(created_bundle, self.client.get_secret(secret_id.vault, secret_id.name, secret_id.version))
def _update_secret(secret_uri):
updating_bundle = copy.deepcopy(created_bundle)
updating_bundle.content_type = 'text/plain'
updating_bundle.attributes.expires = date_parse.parse('2050-02-02T08:00:00.000Z')
updating_bundle.tags = {'foo': 'updated tag'}
sid = KeyVaultId.parse_secret_id(secret_uri)
secret_bundle = self.client.update_secret(
sid.vault, sid.name, sid.version, updating_bundle.content_type, updating_bundle.attributes,
updating_bundle.tags)
self.assertEqual(updating_bundle.tags, secret_bundle.tags)
self.assertEqual(updating_bundle.id, secret_bundle.id)
self.assertNotEqual(str(updating_bundle.attributes.updated), str(secret_bundle.attributes.updated))
return secret_bundle
# update secret without version
secret_bundle = _update_secret(secret_id.base_id)
# update secret with version
secret_bundle = _update_secret(secret_id.id)
# delete secret
self.client.delete_secret(secret_id.vault, secret_id.name)
# get secret returns not found
try:
self.client.get_secret(secret_id.vault, secret_id.name, '')
except Exception as ex:
if not hasattr(ex, 'message') or 'not found' not in ex.message.lower():
raise ex
def test_key_backup_and_restore(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('keybak')
# create key
created_bundle = self.client.create_key(vault_uri, key_name, 'RSA')
key_id = KeyVaultId.parse_key_id(created_bundle.key.kid)
# backup key
key_backup = self.client.backup_key(key_id.vault, key_id.name).value
# delete key
self.client.delete_key(key_id.vault, key_id.name)
# restore key
self.assertEqual(created_bundle, self.client.restore_key(vault_uri, key_backup))
def get_keyvault_secret(user_identity_id, keyvault_secret_id):
secret_id = KeyVaultId.parse_secret_id(keyvault_secret_id)
access_token = None
# Use UAI if client_id is provided
if user_identity_id:
msi = MSIAuthentication(client_id=user_identity_id,
resource=RESOURCE_VAULT)
else:
msi = MSIAuthentication(resource=RESOURCE_VAULT)
access_token = AccessToken(token=msi.token['access_token'])
credentials = KeyVaultAuthentication(lambda _1, _2, _3: access_token)
kv_client = KeyVaultClient(credentials)
return kv_client.get_secret(secret_id.vault, secret_id.name,
secret_id.version).value
def test_key_crud_operations(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('key')
# create key
created_bundle = self.client.create_key(vault_uri, key_name, 'RSA')
self._validate_rsa_key_bundle(created_bundle, vault_uri, key_name, 'RSA')
key_id = KeyVaultId.parse_key_id(created_bundle.key.kid)
# get key without version
self.assertEqual(created_bundle, self.client.get_key(key_id.vault, key_id.name, ''))
# get key with version
self.assertEqual(created_bundle, self.client.get_key(key_id.vault, key_id.name, key_id.version))
def _update_key(key_uri):
updating_bundle = copy.deepcopy(created_bundle)
updating_bundle.attributes.expires = date_parse.parse('2050-02-02T08:00:00.000Z')
updating_bundle.key.key_ops = ['encrypt', 'decrypt']
updating_bundle.tags = {'foo': 'updated tag'}
kid = KeyVaultId.parse_key_id(key_uri)
key_bundle = self.client.update_key(
kid.vault, kid.name, kid.version, updating_bundle.key.key_ops, updating_bundle.attributes,
updating_bundle.tags)
self.assertEqual(updating_bundle.tags, key_bundle.tags)
self.assertEqual(updating_bundle.key.kid, key_bundle.key.kid)
return key_bundle
# update key without version
created_bundle = _update_key(key_id.base_id)
# update key with version
created_bundle = _update_key(key_id.id)
# delete key
self.client.delete_key(key_id.vault, key_id.name)
# get key returns not found
try:
self.client.get_key(key_id.vault, key_id.name, '')
self.fail('Get should fail')
except Exception as ex:
if not hasattr(ex, 'message') or 'not found' not in ex.message.lower():
raise ex
def _validate_issuer_bundle(self, bundle, vault, name, provider, credentials, org_details):
self.assertIsNotNone(bundle)
self.assertIsNotNone(bundle.attributes)
self.assertIsNotNone(bundle.organization_details)
self.assertEqual(bundle.provider, provider)
issuer_id = KeyVaultId.parse_certificate_issuer_id(bundle.id)
self.assertEqual(issuer_id.vault.strip('/'), vault.strip('/'))
self.assertEqual(issuer_id.name, name)
if credentials:
self.assertEqual(bundle.credentials.account_id, credentials.account_id)
if org_details:
# To Accomodate tiny change in == semantic in msrest 0.4.20
org_details.additional_properties = {}
bundle.organization_details.additional_properties = {}
self.assertEqual(bundle.organization_details, org_details)
def test_backup_restore(self, vault, **kwargs):
self.assertIsNotNone(vault)
vault_uri = vault.properties.vault_uri
secret_name = self.get_resource_name('secbak')
secret_value = self.get_resource_name('secVal')
# create secret
created_bundle = self.client.set_secret(vault_uri, secret_name, secret_value)
secret_id = KeyVaultId.parse_secret_id(created_bundle.id)
# backup secret
secret_backup = self.client.backup_secret(secret_id.vault, secret_id.name).value
# delete secret
self.client.delete_secret(secret_id.vault, secret_id.name)
# restore secret
self.assertEqual(created_bundle.attributes, self.client.restore_secret(vault_uri, secret_backup).attributes)
def test_parse_certificate_issuer_id(self):
expected = self._get_expected('certificates', 'myvault', 'myissuer')
res = KeyVaultId.parse_certificate_issuer_id('https://myvault.vault.azure.net/certificates/issuers/myissuer')
self.assertEqual(res.__dict__, expected)
def test_parse_certificate_operation_id(self):
expected = self._get_expected('certificates', 'myvault', 'mycert', 'pending')
res = KeyVaultId.parse_certificate_operation_id('https://myvault.vault.azure.net/certificates/mycert/pending')
self.assertEqual(res.__dict__, expected)
def create_key(self, name, tags, kty='RSA'):
''' Creates a key '''
key_bundle = self.client.create_key(self.keyvault_uri, name, kty, tags=tags)
key_id = KeyVaultId.parse_key_id(key_bundle.key.kid)
return key_id.id
def delete_key(self, name):
''' Deletes a key '''
deleted_key = self.client.delete_key(self.keyvault_uri, name)
key_id = KeyVaultId.parse_key_id(deleted_key.key.kid)
return key_id.id
def test_create_kafka_cluster_with_disk_encryption(self, resource_group, location, storage_account, storage_account_key, vault):
# create managed identities for Azure resources.
msi_name = self.get_resource_name('hdipyuai')
msi = self.msi_client.user_assigned_identities.create_or_update(resource_group.name, msi_name, location)
# add managed identity to vault
required_permissions = Permissions(keys=[KeyPermissions.get, KeyPermissions.wrap_key, KeyPermissions.unwrap_key],
secrets=[SecretPermissions.get, SecretPermissions.set,SecretPermissions.delete])
vault.properties.access_policies.append(
AccessPolicyEntry(tenant_id=self.tenant_id,
object_id=msi.principal_id,
permissions=required_permissions)
)
update_params = VaultCreateOrUpdateParameters(location=location,
properties=vault.properties)
vault = self.vault_mgmt_client.vaults.create_or_update(resource_group.name, vault.name, update_params).result()
self.assertIsNotNone(vault)
# create key
vault_uri = vault.properties.vault_uri
key_name = self.get_resource_name('hdipykey1')
created_bundle = self.vault_client.create_key(vault_uri, key_name, 'RSA')
vault_key = KeyVaultId.parse_key_id(created_bundle.key.kid)
# create HDInsight cluster with Kafka disk encryption
rg_name = resource_group.name
cluster_name = self.get_resource_name('hdisdk-kafka-byok')
create_params = self.get_cluster_create_params(location, cluster_name, storage_account, storage_account_key)
create_params.properties.cluster_definition.kind = 'Kafka'
workernode = next(item for item in create_params.properties.compute_profile.roles if item.name == 'workernode')
workernode.data_disks_groups = [
DataDisksGroups(
disks_per_node=8
)
]
create_params.identity = ClusterIdentity(
type=ResourceIdentityType.user_assigned,
user_assigned_identities={msi.id: ClusterIdentityUserAssignedIdentitiesValue()}
)
create_params.properties.disk_encryption_properties = DiskEncryptionProperties(
vault_uri=vault_key.vault,
key_name=vault_key.name,
key_version=vault_key.version,
msi_resource_id=msi.id
)
cluster = self.hdinsight_client.clusters.create(resource_group.name, cluster_name, create_params).result()
self.validate_cluster(cluster_name, create_params, cluster)
# check disk encryption properties
self.assertIsNotNone(cluster.properties.disk_encryption_properties)
self.assertEqual(create_params.properties.disk_encryption_properties.vault_uri, cluster.properties.disk_encryption_properties.vault_uri)
self.assertEqual(create_params.properties.disk_encryption_properties.key_name, cluster.properties.disk_encryption_properties.key_name)
self.assertEqual(create_params.properties.disk_encryption_properties.msi_resource_id.lower(), cluster.properties.disk_encryption_properties.msi_resource_id.lower())
# create a new key
new_key_name = self.get_resource_name('hdipykey2')
created_bundle = self.vault_client.create_key(vault_uri, new_key_name, 'RSA')
new_vault_key = KeyVaultId.parse_key_id(created_bundle.key.kid)
rotate_params = ClusterDiskEncryptionParameters(
vault_uri=new_vault_key.vault,
key_name=new_vault_key.name,
key_version=new_vault_key.version
)
# rotate cluster key
self.hdinsight_client.clusters.rotate_disk_encryption_key(rg_name, cluster_name, rotate_params).wait()
cluster = self.hdinsight_client.clusters.get(rg_name, cluster_name)
# check disk encryption properties
self.assertIsNotNone(cluster.properties.disk_encryption_properties)
self.assertEqual(rotate_params.vault_uri, cluster.properties.disk_encryption_properties.vault_uri)
self.assertEqual(rotate_params.key_name, cluster.properties.disk_encryption_properties.key_name)
self.assertEqual(msi.id.lower(), cluster.properties.disk_encryption_properties.msi_resource_id.lower())
