Skip to content

Commit d0719f5

Browse files
author
Yuhui Zhong
committed
Support compound identity access policy
- Update Set-AzureKeyVaultAccessPolicy and Remove-AzureKeyVaultAccessPolicy cmdlets - Add tests - Refer to SDK containing compound identity change.
1 parent d2fe114 commit d0719f5

17 files changed

+3964
-24
lines changed

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Commands.KeyVault.Test.csproj

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@
6262
</Reference>
6363
<Reference Include="Microsoft.Azure.KeyVault, Version=0.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
6464
<SpecificVersion>False</SpecificVersion>
65-
<HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.0.9.0-preview\lib\net45\Microsoft.Azure.KeyVault.dll</HintPath>
65+
<HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.0.9.1-preview\lib\net45\Microsoft.Azure.KeyVault.dll</HintPath>
6666
</Reference>
6767
<Reference Include="Microsoft.Azure.Gallery, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
6868
<SpecificVersion>False</SpecificVersion>
@@ -76,7 +76,7 @@
7676
</Reference>
7777
<Reference Include="Microsoft.Azure.Management.KeyVault, Version=0.0.0.0, Culture=neutral, processorArchitecture=MSIL">
7878
<SpecificVersion>False</SpecificVersion>
79-
<HintPath>..\..\..\packages\Microsoft.Azure.Management.KeyVault.0.9.0-preview\lib\net40\Microsoft.Azure.Management.KeyVault.dll</HintPath>
79+
<HintPath>..\..\..\packages\Microsoft.Azure.Management.KeyVault.0.9.1-preview\lib\net40\Microsoft.Azure.Management.KeyVault.dll</HintPath>
8080
</Reference>
8181
<Reference Include="Microsoft.Azure.ResourceManager">
8282
<HintPath>..\..\..\packages\Microsoft.Azure.Management.Resources.2.18.0-preview\lib\net40\Microsoft.Azure.ResourceManager.dll</HintPath>
@@ -223,12 +223,21 @@
223223
<None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestRecreateVaultFails.json">
224224
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
225225
</None>
226+
<None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestRemoveAccessPolicyWithCompoundIdPolicies.json">
227+
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
228+
</None>
226229
<None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestRemoveNonExistentAccessPolicyDoesNotThrow.json">
227230
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
228231
</None>
229232
<None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestModifyAccessPolicyNegativeCases.json">
230233
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
231234
</None>
235+
<None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestSetCompoundIdAccessPolicy.json">
236+
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
237+
</None>
238+
<None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestSetRemoveAccessPolicyByCompoundId.json">
239+
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
240+
</None>
232241
<None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestSetRemoveAccessPolicyByObjectId.json">
233242
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
234243
</None>

src/ResourceManager/KeyVault/Commands.KeyVault.Test/ScenarioTests/KeyVaultManagementTests.cs

Lines changed: 93 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -327,6 +327,81 @@ public void TestSetRemoveAccessPolicyByUPN()
327327
);
328328
}
329329

330+
[Fact]
331+
[Trait(Category.AcceptanceType, Category.CheckIn)]
332+
public void TestSetRemoveAccessPolicyByCompoundId()
333+
{
334+
string upn = "";
335+
Guid? appId = null;
336+
data.ResetPreCreatedVault();
337+
KeyVaultManagementController.NewInstance.RunPsTestWorkflow(
338+
() =>
339+
{
340+
return new[] { string.Format("{0} {1} {2} {3} {4}", "Test-SetRemoveAccessPolicyByCompoundId", data.preCreatedVault, data.resourceGroupName, upn, appId) };
341+
},
342+
(env) =>
343+
{
344+
Initialize();
345+
upn = GetUser(env.GetTestEnvironment());
346+
appId = GetApplicationId(env.GetTestEnvironment(), 1);
347+
},
348+
null,
349+
TestUtilities.GetCallingClass(),
350+
TestUtilities.GetCurrentMethodName()
351+
);
352+
}
353+
354+
[Fact]
355+
[Trait(Category.AcceptanceType, Category.CheckIn)]
356+
public void TestRemoveAccessPolicyWithCompoundIdPolicies()
357+
{
358+
string upn = "";
359+
Guid? appId1 = null;
360+
Guid? appId2 = null;
361+
data.ResetPreCreatedVault();
362+
KeyVaultManagementController.NewInstance.RunPsTestWorkflow(
363+
() =>
364+
{
365+
return new[] { string.Format("{0} {1} {2} {3} {4} {5}", "Test-RemoveAccessPolicyWithCompoundIdPolicies", data.preCreatedVault, data.resourceGroupName, upn, appId1, appId2) };
366+
},
367+
(env) =>
368+
{
369+
Initialize();
370+
upn = GetUser(env.GetTestEnvironment());
371+
appId1 = GetApplicationId(env.GetTestEnvironment(), 1);
372+
appId2 = GetApplicationId(env.GetTestEnvironment(), 2);
373+
},
374+
null,
375+
TestUtilities.GetCallingClass(),
376+
TestUtilities.GetCurrentMethodName()
377+
);
378+
}
379+
380+
[Fact]
381+
[Trait(Category.AcceptanceType, Category.CheckIn)]
382+
public void TestSetCompoundIdAccessPolicy()
383+
{
384+
string upn = "";
385+
Guid? appId = null;
386+
data.ResetPreCreatedVault();
387+
KeyVaultManagementController.NewInstance.RunPsTestWorkflow(
388+
() =>
389+
{
390+
return new[] { string.Format("{0} {1} {2} {3} {4}", "Test-SetCompoundIdAccessPolicy", data.preCreatedVault, data.resourceGroupName, upn, appId) };
391+
},
392+
(env) =>
393+
{
394+
Initialize();
395+
upn = GetUser(env.GetTestEnvironment());
396+
appId = GetApplicationId(env.GetTestEnvironment(), 1);
397+
},
398+
null,
399+
TestUtilities.GetCallingClass(),
400+
TestUtilities.GetCurrentMethodName()
401+
);
402+
}
403+
404+
330405
[Fact]
331406
[Trait(Category.AcceptanceType, Category.CheckIn)]
332407
public void TestSetRemoveAccessPolicyBySPN()
@@ -488,6 +563,24 @@ private string GetUser(TestEnvironment environment)
488563
return HttpMockServer.Variables["User"];
489564
}
490565
}
566+
567+
private Guid GetApplicationId(TestEnvironment environment, int appNum)
568+
{
569+
if (appNum < 0)
570+
throw new ArgumentException("Invalid appNum");
571+
string variableName = "AppId" + appNum;
572+
if (HttpMockServer.Mode == HttpRecorderMode.Record)
573+
{
574+
Guid appId = Guid.NewGuid();
575+
HttpMockServer.Variables[variableName] = appId.ToString();
576+
return appId;
577+
}
578+
else
579+
{
580+
return new Guid(HttpMockServer.Variables[variableName]);
581+
}
582+
}
583+
491584
private Application CreateNewAdApp(KeyVaultManagementController controllerAdmin)
492585
{
493586
var appName = TestUtilities.GenerateName("adApplication");

src/ResourceManager/KeyVault/Commands.KeyVault.Test/ScenarioTests/KeyVaultManagementTests.ps1

Lines changed: 102 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -285,6 +285,107 @@ function Test-SetRemoveAccessPolicyByObjectId
285285
Assert-AreEqual 0 $vault.AccessPolicies.Count
286286
}
287287

288+
function Test-SetRemoveAccessPolicyByCompoundId
289+
{
290+
Param($existingVaultName, $rgName, $upn, $appId)
291+
292+
Assert-NotNull $appId
293+
294+
$user = Get-AzureADUser -UserPrincipalName $upn
295+
if ($user -eq $null)
296+
{
297+
$user = Get-AzureADUser -Mail $upn
298+
}
299+
Assert-NotNull $user
300+
$objId = $user.Id
301+
302+
$PermToKeys = @("encrypt", "decrypt")
303+
$PermToSecrets = @()
304+
$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys $PermToKeys -PassThru
305+
306+
CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
307+
308+
Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
309+
Assert-AreEqual $appId $vault.AccessPolicies[0].ApplicationId
310+
311+
$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PassThru
312+
Assert-AreEqual 0 $vault.AccessPolicies.Count
313+
}
314+
315+
function Test-RemoveAccessPolicyWithCompoundIdPolicies
316+
{
317+
Param($existingVaultName, $rgName, $upn, $appId1, $appId2)
318+
319+
Assert-NotNull $appId1
320+
Assert-NotNull $appId2
321+
322+
$user = Get-AzureADUser -UserPrincipalName $upn
323+
if ($user -eq $null)
324+
{
325+
$user = Get-AzureADUser -Mail $upn
326+
}
327+
Assert-NotNull $user
328+
$objId = $user.Id
329+
330+
# Add three access policies: ObjectId, (ObjectId, App1), (ObjectId, App2)
331+
$PermToKeys = @("encrypt", "decrypt")
332+
$PermToSecrets = @()
333+
$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PassThru
334+
$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId1 -PermissionsToKeys $PermToKeys -PassThru
335+
$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId2 -PermissionsToKeys $PermToKeys -PassThru
336+
Assert-AreEqual 3 $vault.AccessPolicies.Count
337+
338+
# Remove one policy if specify compound id
339+
$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId1 -PassThru
340+
Assert-AreEqual 2 $vault.AccessPolicies.Count
341+
342+
# Remove remaining two policies if specify object id
343+
$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PassThru
344+
Assert-AreEqual 0 $vault.AccessPolicies.Count
345+
}
346+
347+
function Test-SetCompoundIdAccessPolicy
348+
{
349+
Param($existingVaultName, $rgName, $upn, $appId)
350+
351+
Assert-NotNull $appId
352+
353+
$user = Get-AzureADUser -UserPrincipalName $upn
354+
if ($user -eq $null)
355+
{
356+
$user = Get-AzureADUser -Mail $upn
357+
}
358+
Assert-NotNull $user
359+
$objId = $user.Id
360+
361+
# Add one compound id policy
362+
$PermToKeys = @("encrypt", "decrypt")
363+
$PermToSecrets = @()
364+
$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys $PermToKeys -PassThru
365+
366+
CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
367+
368+
Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
369+
Assert-AreEqual $appId $vault.AccessPolicies[0].ApplicationId
370+
371+
# Add one object id policy
372+
$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PassThru
373+
Assert-AreEqual 2 $vault.AccessPolicies.Count
374+
375+
# Change compound id policy shall not affect object id policy
376+
$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys @("encrypt") -PassThru
377+
Assert-AreEqual 2 $vault.AccessPolicies.Count
378+
$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PassThru
379+
CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
380+
Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
381+
Assert-AreEqual $vault.AccessPolicies[0].ApplicationId $null
382+
383+
$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PassThru
384+
Assert-AreEqual 0 $vault.AccessPolicies.Count
385+
}
386+
387+
388+
288389
function Test-ModifyAccessPolicy
289390
{
290391
Param($existingVaultName, $rgName, $upn)
@@ -416,4 +517,4 @@ function CheckVaultAccessPolicy
416517
Assert-Null $compare
417518
$compare = Compare-Object $vault.AccessPolicies[0].PermissionsToSecrets $expectedPermsToSecrets
418519
Assert-Null $compare
419-
}
520+
}

0 commit comments

Comments
 (0)