Support compound identity access policy

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Commands.KeyVault.Test.csproj

@@ -62,7 +62,7 @@
     </Reference>
     <Reference Include="Microsoft.Azure.KeyVault, Version=0.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.0.9.0-preview\lib\net45\Microsoft.Azure.KeyVault.dll</HintPath>
+      <HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.0.9.1-preview\lib\net45\Microsoft.Azure.KeyVault.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.Gallery, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
@@ -76,7 +76,7 @@
     </Reference>
     <Reference Include="Microsoft.Azure.Management.KeyVault, Version=0.0.0.0, Culture=neutral, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>
-      <HintPath>..\..\..\packages\Microsoft.Azure.Management.KeyVault.0.9.0-preview\lib\net40\Microsoft.Azure.Management.KeyVault.dll</HintPath>
+      <HintPath>..\..\..\packages\Microsoft.Azure.Management.KeyVault.0.9.1-preview\lib\net40\Microsoft.Azure.Management.KeyVault.dll</HintPath>
     </Reference>
     <Reference Include="Microsoft.Azure.ResourceManager">
       <HintPath>..\..\..\packages\Microsoft.Azure.Management.Resources.2.18.0-preview\lib\net40\Microsoft.Azure.ResourceManager.dll</HintPath>
@@ -223,12 +223,21 @@
     <None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestRecreateVaultFails.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestRemoveAccessPolicyWithCompoundIdPolicies.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestRemoveNonExistentAccessPolicyDoesNotThrow.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestModifyAccessPolicyNegativeCases.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>
+    <None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestSetCompoundIdAccessPolicy.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+    <None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestSetRemoveAccessPolicyByCompoundId.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
     <None Include="SessionRecords\Microsoft.Azure.Commands.KeyVault.Test.ScenarioTests.KeyVaultManagementTests\TestSetRemoveAccessPolicyByObjectId.json">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </None>

src/ResourceManager/KeyVault/Commands.KeyVault.Test/ScenarioTests/KeyVaultManagementTests.cs

@@ -327,6 +327,81 @@ public void TestSetRemoveAccessPolicyByUPN()
                 );
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestSetRemoveAccessPolicyByCompoundId()
+        {
+            string upn = "";
+            Guid? appId = null;
+            data.ResetPreCreatedVault();
+            KeyVaultManagementController.NewInstance.RunPsTestWorkflow(
+                () =>
+                {
+                    return new[] { string.Format("{0} {1} {2} {3} {4}", "Test-SetRemoveAccessPolicyByCompoundId", data.preCreatedVault, data.resourceGroupName, upn, appId) };
+                },
+                (env) =>
+                {
+                    Initialize();
+                    upn = GetUser(env.GetTestEnvironment());
+                    appId = GetApplicationId(env.GetTestEnvironment(), 1);
+                },
+                null,
+                TestUtilities.GetCallingClass(),
+                TestUtilities.GetCurrentMethodName()
+                );
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestRemoveAccessPolicyWithCompoundIdPolicies()
+        {
+            string upn = "";
+            Guid? appId1 = null;
+            Guid? appId2 = null;
+            data.ResetPreCreatedVault();
+            KeyVaultManagementController.NewInstance.RunPsTestWorkflow(
+                () =>
+                {
+                    return new[] { string.Format("{0} {1} {2} {3} {4} {5}", "Test-RemoveAccessPolicyWithCompoundIdPolicies", data.preCreatedVault, data.resourceGroupName, upn, appId1, appId2) };
+                },
+                (env) =>
+                {
+                    Initialize();
+                    upn = GetUser(env.GetTestEnvironment());
+                    appId1 = GetApplicationId(env.GetTestEnvironment(), 1);
+                    appId2 = GetApplicationId(env.GetTestEnvironment(), 2);
+                },
+                null,
+                TestUtilities.GetCallingClass(),
+                TestUtilities.GetCurrentMethodName()
+                );
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestSetCompoundIdAccessPolicy()
+        {
+            string upn = "";
+            Guid? appId = null;
+            data.ResetPreCreatedVault();
+            KeyVaultManagementController.NewInstance.RunPsTestWorkflow(
+                () =>
+                {
+                    return new[] { string.Format("{0} {1} {2} {3} {4}", "Test-SetCompoundIdAccessPolicy", data.preCreatedVault, data.resourceGroupName, upn, appId) };
+                },
+                (env) =>
+                {
+                    Initialize();
+                    upn = GetUser(env.GetTestEnvironment());
+                    appId = GetApplicationId(env.GetTestEnvironment(), 1);
+                },
+                null,
+                TestUtilities.GetCallingClass(),
+                TestUtilities.GetCurrentMethodName()
+                );
+        }
+
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestSetRemoveAccessPolicyBySPN()
@@ -488,6 +563,24 @@ private string GetUser(TestEnvironment environment)
                 return HttpMockServer.Variables["User"];
             }
         }
+
+        private Guid GetApplicationId(TestEnvironment environment, int appNum)
+        {
+            if (appNum < 0)
+                throw new ArgumentException("Invalid appNum");
+            string variableName = "AppId" + appNum;
+            if (HttpMockServer.Mode == HttpRecorderMode.Record)
+            {
+                Guid appId = Guid.NewGuid();
+                HttpMockServer.Variables[variableName] = appId.ToString();
+                return appId;
+            }
+            else
+            {
+                return new Guid(HttpMockServer.Variables[variableName]);
+            }
+        }
+
         private Application CreateNewAdApp(KeyVaultManagementController controllerAdmin)
         {
             var appName = TestUtilities.GenerateName("adApplication");

src/ResourceManager/KeyVault/Commands.KeyVault.Test/ScenarioTests/KeyVaultManagementTests.ps1

@@ -285,6 +285,107 @@ function Test-SetRemoveAccessPolicyByObjectId
 	Assert-AreEqual 0 $vault.AccessPolicies.Count
 }
 
+function Test-SetRemoveAccessPolicyByCompoundId
+{
+	Param($existingVaultName, $rgName, $upn, $appId)
+
+	Assert-NotNull $appId
+
+	$user = Get-AzureADUser -UserPrincipalName $upn
+	if ($user -eq $null)
+	{
+		$user = Get-AzureADUser -Mail $upn
+	}
+	Assert-NotNull $user
+	$objId = $user.Id
+
+	$PermToKeys = @("encrypt", "decrypt")
+	$PermToSecrets = @()
+	$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys $PermToKeys -PassThru
+
+	CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
+
+	Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
+	Assert-AreEqual $appId $vault.AccessPolicies[0].ApplicationId	
+
+	$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PassThru
+	Assert-AreEqual 0 $vault.AccessPolicies.Count
+}
+
+function Test-RemoveAccessPolicyWithCompoundIdPolicies
+{
+	Param($existingVaultName, $rgName, $upn, $appId1, $appId2)
+
+	Assert-NotNull $appId1
+	Assert-NotNull $appId2
+
+	$user = Get-AzureADUser -UserPrincipalName $upn
+	if ($user -eq $null)
+	{
+		$user = Get-AzureADUser -Mail $upn
+	}
+	Assert-NotNull $user
+	$objId = $user.Id
+
+	# Add three access policies: ObjectId, (ObjectId, App1), (ObjectId, App2)
+	$PermToKeys = @("encrypt", "decrypt")
+	$PermToSecrets = @()
+	$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PassThru
+	$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId1 -PermissionsToKeys $PermToKeys -PassThru
+	$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId2 -PermissionsToKeys $PermToKeys -PassThru
+	Assert-AreEqual 3 $vault.AccessPolicies.Count
+
+	# Remove one policy if specify compound id
+	$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId1 -PassThru
+	Assert-AreEqual 2 $vault.AccessPolicies.Count
+
+	# Remove remaining two policies if specify object id
+	$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PassThru	
+	Assert-AreEqual 0 $vault.AccessPolicies.Count
+}
+
+function Test-SetCompoundIdAccessPolicy
+{
+	Param($existingVaultName, $rgName, $upn, $appId)
+
+	Assert-NotNull $appId
+
+	$user = Get-AzureADUser -UserPrincipalName $upn
+	if ($user -eq $null)
+	{
+		$user = Get-AzureADUser -Mail $upn
+	}
+	Assert-NotNull $user
+	$objId = $user.Id
+
+	# Add one compound id policy
+	$PermToKeys = @("encrypt", "decrypt")
+	$PermToSecrets = @()
+	$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys $PermToKeys -PassThru
+
+	CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
+
+	Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
+	Assert-AreEqual $appId $vault.AccessPolicies[0].ApplicationId	
+
+	# Add one object id policy	
+	$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PassThru
+	Assert-AreEqual 2 $vault.AccessPolicies.Count
+
+	# Change compound id policy shall not affect object id policy		
+	$vault = Set-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PermissionsToKeys @("encrypt") -PassThru
+	Assert-AreEqual 2 $vault.AccessPolicies.Count
+	$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -ApplicationId $appId -PassThru
+	CheckVaultAccessPolicy $vault $PermToKeys $PermToSecrets
+	Assert-AreEqual $objId $vault.AccessPolicies[0].ObjectId
+	Assert-AreEqual $vault.AccessPolicies[0].ApplicationId $null
+
+	$vault = Remove-AzureKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PassThru	
+	Assert-AreEqual 0 $vault.AccessPolicies.Count
+}
+
+
+
 function Test-ModifyAccessPolicy
 {
 	Param($existingVaultName, $rgName, $upn)
@@ -416,4 +517,4 @@ function CheckVaultAccessPolicy
 	Assert-Null $compare 
 	$compare = Compare-Object $vault.AccessPolicies[0].PermissionsToSecrets $expectedPermsToSecrets
     Assert-Null $compare
-}
+}