[KeyVault] Shifted the location of key CVM release policy to GitHub (#20005)

* Shifted the location of key CVM release policy to GitHub

* Throw exception with more details if get default CVM Policy failed

Author: BethanyZhou

src/KeyVault/KeyVault/ChangeLog.md

@@ -18,6 +18,8 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Shifted the location of key CVM release policy to GitHub [#19984]
+* Added fallback logic (reading default CVM policy from a local copy) if fetching default CVM Policy from GitHub failed.
 
 ## Version 4.9.0
 * Bumped API version to 2022-07-01

src/KeyVault/KeyVault/Commands/Key/AddAzureKeyVaultKey.cs

@@ -28,6 +28,7 @@
 using System.Linq;
 using System.Management.Automation;
 using System.Net.Http;
+using System.Reflection;
 using System.Security;
 using Track2Sdk = Azure.Security.KeyVault.Keys;
 
@@ -73,10 +74,11 @@ public class AddAzureKeyVaultKey : KeyVaultCmdletBase
 
         #region Constants 
 
-        private const string DefaultCVMPolicyUrl = "https://cvmprivatepreviewsa.blob.core.windows.net/cvmpublicpreviewcontainer/skr-policy.json";
-        
+        private const string DefaultCVMPolicyUrl = "https://raw.githubusercontent.com/Azure/confidential-computing-cvm/main/cvm_deployment/key/skr-policy.json";
+        private const string DefaultCVMPolicyPath = "Microsoft.Azure.Commands.KeyVault.Resources.skr-policy.json";
+
         #endregion
-        
+
         #region Input Parameter Definitions
 
         /// <summary>
@@ -445,22 +447,11 @@ private void NormalizeKeySourceParameters()
 
             if (this.UseDefaultCVMPolicy.IsPresent)
             {
-                try
+                ReleasePolicy = new PSKeyReleasePolicy()
                 {
-                    using (var client = new HttpClient())
-                    {
-                        ReleasePolicy = new PSKeyReleasePolicy()
-                        {
-                            PolicyContent = client.GetStringAsync(DefaultCVMPolicyUrl).ConfigureAwait(true).GetAwaiter().GetResult(),
-                            Immutable = this.Immutable.IsPresent
-                        };
-                    }
-                }
-                catch(Exception e)
-                {
-                    // Swallow exception to fetch default policy
-                    WriteWarning(string.Format(Resources.FetchDefaultCVMPolicyFailed, e.Message));
-                }
+                    PolicyContent = GetDefaultCVMPolicy(),
+                    Immutable = this.Immutable.IsPresent
+                };
             }
 
             if(this.IsParameterBound(c => c.ReleasePolicyPath))
@@ -629,5 +620,36 @@ internal Track2Sdk.JsonWebKey CreateTrack2WebKeyFromFile()
 
             return converterChain.ConvertToTrack2SdkKeyFromFile(keyFile, KeyFilePassword, converterExtraInfo);
         }
+        
+        private string GetDefaultCVMPolicy()
+        {
+            string defaultCVMPolicy = null;
+
+            try
+            {
+                using (var client = new HttpClient())
+                {
+                    defaultCVMPolicy = client.GetStringAsync(DefaultCVMPolicyUrl).ConfigureAwait(true).GetAwaiter().GetResult();
+                }
+
+            }
+            catch (Exception e)
+            {
+                WriteWarning(string.Format(Resources.FetchDefaultCVMPolicyFromLocal, e.Message));
+                try
+                {
+                    using (var stream = Assembly.GetExecutingAssembly().GetManifestResourceStream(DefaultCVMPolicyPath))
+                    using (var reader = new StreamReader(stream))
+                    {
+                        defaultCVMPolicy = reader.ReadToEnd();
+                    }
+                }
+                catch (Exception ex)
+                {
+                    throw new AzPSArgumentException(string.Format(Resources.FetchDefaultCVMPolicyFailedWithErrorMessage, ex.Message), nameof(UseDefaultCVMPolicy));
+                };
+            }
+            return defaultCVMPolicy;
+        }
     }
 }

src/KeyVault/KeyVault/KeyVault.csproj

@@ -35,6 +35,10 @@
     <None Update="Az.KeyVault.Extension\*" CopyToOutputDirectory="PreserveNewest" />
   </ItemGroup>
 
+  <ItemGroup>
+    <EmbeddedResource Include="Resources\skr-policy.json" />
+  </ItemGroup>
+  
   <ItemGroup>
     <Compile Update="Properties\Resources.Designer.cs">
       <DesignTime>True</DesignTime>

src/KeyVault/KeyVault/Properties/Resources.Designer.cs

@@ -606,10 +606,13 @@ You can find the object ID using Azure Active Directory Module for Windows Power
   <data name="PurgeManagedHsmWarningWhatIf" xml:space="preserve">
     <value>Purge managed HSM</value>
   </data>
-  <data name="FetchDefaultCVMPolicyFailed" xml:space="preserve">
+  <data name="FetchDefaultCVMPolicyFailedWithErrorMessage" xml:space="preserve">
     <value>Fetch default CVM Policy failed, {0}</value>
   </data>
   <data name="RecoverHsm" xml:space="preserve">
     <value>Recover HSM?</value>
   </data>
+  <data name="FetchDefaultCVMPolicyFromLocal" xml:space="preserve">
+    <value>Fetching default CVM policy from remote failed because {0}. Trying to fetch default CVM policy from local backup copy.</value>
+  </data>
 </root>

src/KeyVault/KeyVault/Properties/Resources.resx

@@ -0,0 +1,57 @@
+{
+  "anyOf": [
+    {
+      "allOf": [
+        {
+          "claim": "x-ms-attestation-type",
+          "equals": "sevsnpvm"
+        },
+        {
+          "claim": "x-ms-compliance-status",
+          "equals": "azure-compliant-cvm"
+        }
+      ],
+      "authority": "https://sharedeus.eus.attest.azure.net/"
+    },
+    {
+      "allOf": [
+        {
+          "claim": "x-ms-attestation-type",
+          "equals": "sevsnpvm"
+        },
+        {
+          "claim": "x-ms-compliance-status",
+          "equals": "azure-compliant-cvm"
+        }
+      ],
+      "authority": "https://sharedwus.wus.attest.azure.net/"
+    },
+    {
+      "allOf": [
+        {
+          "claim": "x-ms-attestation-type",
+          "equals": "sevsnpvm"
+        },
+        {
+          "claim": "x-ms-compliance-status",
+          "equals": "azure-compliant-cvm"
+        }
+      ],
+      "authority": "https://sharedneu.neu.attest.azure.net/"
+    },
+    {
+      "allOf": [
+        {
+          "claim": "x-ms-attestation-type",
+          "equals": "sevsnpvm"
+        },
+        {
+          "claim": "x-ms-compliance-status",
+          "equals": "azure-compliant-cvm"
+        }
+      ],
+      "authority": "https://sharedweu.weu.attest.azure.net/"
+    }
+  ],
+  "version": "1.0.0"
+}