Supported "all" as an option when setting key vault access policies (#13524)

isra-fel · web-flow · commit 8f95819201d9 · 2020-11-26T10:09:48.000+08:00
* Supported "all" as an option when setting key vault access policies

* minor fix in docs

* fix test
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/AccessPolicyTests.cs b/src/KeyVault/KeyVault.Test/ScenarioTests/AccessPolicyTests.cs
@@ -0,0 +1,19 @@
+﻿using Microsoft.WindowsAzure.Commands.ScenarioTest;
+using Xunit;
+
+namespace Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests
+{
+    public class AccessPolicyTests : KeyVaultTestRunner
+    {
+        public AccessPolicyTests(Xunit.Abstractions.ITestOutputHelper output) : base(output)
+        {
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestSetAllAccessPolicies()
+        {
+            TestRunner.RunTestScript("Test-SetAllAccessPolicies");
+        }
+    }
+}
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/AccessPolicyTests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/AccessPolicyTests.ps1
@@ -0,0 +1,24 @@
+﻿function Test-SetAllAccessPolicies()
+{
+    $rg = Get-ResourceGroupName
+    $vaultName = GetAssetName
+    $rgLocation = Get-Location "Microsoft.Resources" "resourceGroups" "West US"
+    $vaultLocation = Get-Location "Microsoft.KeyVault" "vault" "West US"
+    $objectId = "d7e17135-d5a7-4b8b-89e5-252aa15b7e01"
+    New-AzResourceGroup -Name $rg -Location $rgLocation
+
+    try {
+        New-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -Location $vaultLocation
+        Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $objectId -PermissionsToCertificates all -PermissionsToKeys all -PermissionsToSecrets all -PermissionsToStorage all -BypassObjectIdValidation
+        $vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName
+        $accessPolicy = $vault.AccessPolicies | ? {$_.ObjectId -eq $objectId}
+        Assert-NotNull $accessPolicy
+        Assert-AreEqual "all" $accessPolicy.PermissionsToCertificatesStr
+        Assert-AreEqual "all" $accessPolicy.PermissionsToKeysStr
+        Assert-AreEqual "all" $accessPolicy.PermissionsToSecretsStr
+        Assert-AreEqual "all" $accessPolicy.PermissionsToStorageStr
+    }
+    finally {
+        Remove-AzResourceGroup -Name $rg -Force
+    }
+}
diff --git a/src/KeyVault/KeyVault.Test/SessionRecords/Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.AccessPolicyTests/TestSetAllAccessPolicies.json b/src/KeyVault/KeyVault.Test/SessionRecords/Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.AccessPolicyTests/TestSetAllAccessPolicies.json
diff --git a/src/KeyVault/KeyVault.sln b/src/KeyVault/KeyVault.sln
@@ -38,6 +38,10 @@ Global
 		{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{142D7B0B-388A-4CEB-A228-7F6D423C5C2E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{6BD6B80A-06AF-4B5B-9230-69CCFC6C8D64}.Release|Any CPU.Build.0 = Release|Any CPU
 		{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{FF81DC73-B8EC-4082-8841-4FBF2B16E7CE}.Release|Any CPU.ActiveCfg = Release|Any CPU
diff --git a/src/KeyVault/KeyVault/ChangeLog.md b/src/KeyVault/KeyVault/ChangeLog.md
@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Supported "all" as an option when setting key vault access policies
 * Supported new version of SecretManagement module [#13366]
 * Supported ByteArray, String, PSCredential and Hashtable for `SecretValue` in SecretManagementModule [#12190]
 
diff --git a/src/KeyVault/KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs b/src/KeyVault/KeyVault/Commands/SetAzureKeyVaultAccessPolicy.cs
@@ -281,7 +281,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         [Parameter(Mandatory = false,
             ParameterSetName = ResourceIdByEmailAddress,
             HelpMessage = "Specifies key operation permissions to grant to a user or service principal.")]
-        [ValidateSet("decrypt", "encrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore", "recover", "purge")]
+        [ValidateSet("all", "decrypt", "encrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore", "recover", "purge")]
         public string[] PermissionsToKeys { get; set; }
 
         /// <summary>
@@ -323,7 +323,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         [Parameter(Mandatory = false,
             ParameterSetName = ResourceIdByEmailAddress,
             HelpMessage = "Specifies secret operation permissions to grant to a user or service principal.")]
-        [ValidateSet("get", "list", "set", "delete", "backup", "restore", "recover", "purge")]
+        [ValidateSet("all", "get", "list", "set", "delete", "backup", "restore", "recover", "purge")]
         public string[] PermissionsToSecrets { get; set; }
 
         /// <summary>
@@ -365,7 +365,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         [Parameter(Mandatory = false,
             ParameterSetName = ResourceIdByEmailAddress,
             HelpMessage = "Specifies certificate operation permissions to grant to a user or service principal.")]
-        [ValidateSet("get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover", "purge", "backup", "restore")]
+        [ValidateSet("all", "get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover", "purge", "backup", "restore")]
         public string[] PermissionsToCertificates { get; set; }
 
         /// <summary>
@@ -407,7 +407,7 @@ public class SetAzureKeyVaultAccessPolicy : KeyVaultManagementCmdletBase
         [Parameter(Mandatory = false,
             ParameterSetName = ResourceIdByEmailAddress,
             HelpMessage = "Specifies managed storage account and sas definition  operation permissions to grant to a user or service principal.")]
-        [ValidateSet("get", "list", "delete", "set", "update", "regeneratekey", "getsas", "listsas", "deletesas", "setsas", "recover", "backup", "restore", "purge")]
+        [ValidateSet("all", "get", "list", "delete", "set", "update", "regeneratekey", "getsas", "listsas", "deletesas", "setsas", "recover", "backup", "restore", "purge")]
         public string[] PermissionsToStorage { get; set; }
 
         [Parameter(Mandatory = false,
diff --git a/src/KeyVault/KeyVault/help/Get-AzKeyVault.md b/src/KeyVault/KeyVault/help/Get-AzKeyVault.md
@@ -240,7 +240,7 @@ Required: False
 Position: 1
 Default value: None
 Accept pipeline input: True (ByPropertyName)
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### -Tag
@@ -271,7 +271,7 @@ Required: False
 Position: 0
 Default value: None
 Accept pipeline input: True (ByPropertyName)
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ```yaml
@@ -283,7 +283,7 @@ Required: True
 Position: 0
 Default value: None
 Accept pipeline input: True (ByPropertyName)
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### CommonParameters
diff --git a/src/KeyVault/KeyVault/help/Get-AzKeyVaultCertificate.md b/src/KeyVault/KeyVault/help/Get-AzKeyVaultCertificate.md
@@ -318,7 +318,7 @@ Required: False
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ```yaml
@@ -330,7 +330,7 @@ Required: True
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### -ResourceId
diff --git a/src/KeyVault/KeyVault/help/Get-AzKeyVaultCertificateIssuer.md b/src/KeyVault/KeyVault/help/Get-AzKeyVaultCertificateIssuer.md
@@ -115,7 +115,7 @@ Required: False
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### -ResourceId
diff --git a/src/KeyVault/KeyVault/help/Get-AzKeyVaultKey.md b/src/KeyVault/KeyVault/help/Get-AzKeyVaultKey.md
@@ -333,7 +333,7 @@ Required: False
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ```yaml
@@ -345,7 +345,7 @@ Required: True
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### -OutFile
diff --git a/src/KeyVault/KeyVault/help/Get-AzKeyVaultManagedStorageAccount.md b/src/KeyVault/KeyVault/help/Get-AzKeyVaultManagedStorageAccount.md
@@ -113,7 +113,7 @@ Required: False
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### -DefaultProfile
diff --git a/src/KeyVault/KeyVault/help/Get-AzKeyVaultSecret.md b/src/KeyVault/KeyVault/help/Get-AzKeyVaultSecret.md
@@ -353,7 +353,7 @@ Required: False
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ```yaml
@@ -365,7 +365,7 @@ Required: True
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### -ResourceId
diff --git a/src/KeyVault/KeyVault/help/Get-AzManagedHsm.md b/src/KeyVault/KeyVault/help/Get-AzManagedHsm.md
@@ -99,7 +99,7 @@ Required: False
 Position: 0
 Default value: None
 Accept pipeline input: True (ByPropertyName)
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### -ResourceGroupName
@@ -114,7 +114,7 @@ Required: False
 Position: 1
 Default value: None
 Accept pipeline input: True (ByPropertyName)
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### -Tag
diff --git a/src/KeyVault/KeyVault/help/Get-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Get-AzManagedHsmKey.md
@@ -353,7 +353,7 @@ Required: False
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ```yaml
@@ -365,7 +365,7 @@ Required: True
 Position: 1
 Default value: None
 Accept pipeline input: False
-Accept wildcard characters: False
+Accept wildcard characters: True
 ```
 
 ### -OutFile
diff --git a/src/KeyVault/KeyVault/help/Set-AzKeyVaultAccessPolicy.md b/src/KeyVault/KeyVault/help/Set-AzKeyVaultAccessPolicy.md
@@ -440,6 +440,7 @@ Accept wildcard characters: False
 ### -PermissionsToCertificates
 Specifies an array of certificate permissions to grant to a user or service principal.
 The acceptable values for this parameter:
+- All
 - Get
 - List
 - Delete
@@ -461,7 +462,7 @@ The acceptable values for this parameter:
 Type: System.String[]
 Parameter Sets: ByUserPrincipalName, ByObjectId, ByServicePrincipalName, ByEmailAddress, InputObjectByObjectId, InputObjectByServicePrincipalName, InputObjectByUserPrincipalName, InputObjectByEmailAddress, ResourceIdByObjectId, ResourceIdByServicePrincipalName, ResourceIdByUserPrincipalName, ResourceIdByEmailAddress
 Aliases:
-Accepted values: get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore
+Accepted values: all, get, list, delete, create, import, update, managecontacts, getissuers, listissuers, setissuers, deleteissuers, manageissuers, recover, purge, backup, restore
 
 Required: False
 Position: Named
@@ -473,6 +474,7 @@ Accept wildcard characters: False
 ### -PermissionsToKeys
 Specifies an array of key operation permissions to grant to a user or service principal.
 The acceptable values for this parameter:
+- All
 - Decrypt
 - Encrypt
 - UnwrapKey
@@ -494,7 +496,7 @@ The acceptable values for this parameter:
 Type: System.String[]
 Parameter Sets: ByUserPrincipalName, ByObjectId, ByServicePrincipalName, ByEmailAddress, InputObjectByObjectId, InputObjectByServicePrincipalName, InputObjectByUserPrincipalName, InputObjectByEmailAddress, ResourceIdByObjectId, ResourceIdByServicePrincipalName, ResourceIdByUserPrincipalName, ResourceIdByEmailAddress
 Aliases:
-Accepted values: decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, restore, recover, purge
+Accepted values: all, decrypt, encrypt, unwrapKey, wrapKey, verify, sign, get, list, update, create, import, delete, backup, restore, recover, purge
 
 Required: False
 Position: Named
@@ -506,6 +508,7 @@ Accept wildcard characters: False
 ### -PermissionsToSecrets
 Specifies an array of secret operation permissions to grant to a user or service principal.
 The acceptable values for this parameter:
+- All
 - Get
 - List
 - Set
@@ -519,7 +522,7 @@ The acceptable values for this parameter:
 Type: System.String[]
 Parameter Sets: ByUserPrincipalName, ByObjectId, ByServicePrincipalName, ByEmailAddress, InputObjectByObjectId, InputObjectByServicePrincipalName, InputObjectByUserPrincipalName, InputObjectByEmailAddress, ResourceIdByObjectId, ResourceIdByServicePrincipalName, ResourceIdByUserPrincipalName, ResourceIdByEmailAddress
 Aliases:
-Accepted values: get, list, set, delete, backup, restore, recover, purge
+Accepted values: all, get, list, set, delete, backup, restore, recover, purge
 
 Required: False
 Position: Named
@@ -530,12 +533,28 @@ Accept wildcard characters: False
 
 ### -PermissionsToStorage
 Specifies managed storage account and SaS-definition operation permissions to grant to a user or service principal.
+The acceptable values for this parameter:
+- all
+- get
+- list
+- delete
+- set
+- update
+- regeneratekey
+- getsas
+- listsas
+- deletesas
+- setsas
+- recover
+- backup
+- restore
+- purge
 
 ```yaml
 Type: System.String[]
 Parameter Sets: ByUserPrincipalName, ByObjectId, ByServicePrincipalName, ByEmailAddress, InputObjectByObjectId, InputObjectByServicePrincipalName, InputObjectByUserPrincipalName, InputObjectByEmailAddress, ResourceIdByObjectId, ResourceIdByServicePrincipalName, ResourceIdByUserPrincipalName, ResourceIdByEmailAddress
 Aliases:
-Accepted values: get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, backup, restore, purge
+Accepted values: all, get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, backup, restore, purge
 
 Required: False
 Position: Named
