[KeyVault] adding soft-delete support for KeyVault certificates

src/ResourceManager/KeyVault/AzureRM.KeyVault.psd1

@@ -87,29 +87,39 @@ CmdletsToExport = 'Add-AzureKeyVaultCertificate',
                'Remove-AzureKeyVaultCertificateIssuer', 
                'Remove-AzureKeyVaultCertificateOperation', 
                'Set-AzureKeyVaultCertificateIssuer', 
-               'Set-AzureKeyVaultCertificatePolicy', 'Get-AzureRmKeyVault', 
-               'New-AzureRmKeyVault', 'Remove-AzureRmKeyVault', 
-               'Undo-AzureRmKeyVaultRemoval', 'Remove-AzureRmKeyVaultAccessPolicy', 
-               'Set-AzureRmKeyVaultAccessPolicy', 'Backup-AzureKeyVaultKey', 
-               'Get-AzureKeyVaultKey', 'Get-AzureKeyVaultSecret', 
-               'Undo-AzureKeyVaultKeyRemoval', 'Undo-AzureKeyVaultSecretRemoval', 
-               'Add-AzureKeyVaultKey', 'Remove-AzureKeyVaultKey', 
-               'Remove-AzureKeyVaultSecret', 'Restore-AzureKeyVaultKey', 
-               'Set-AzureKeyVaultKeyAttribute', 'Set-AzureKeyVaultSecret', 
+               'Set-AzureKeyVaultCertificatePolicy', 
+               'Get-AzureRmKeyVault', 
+               'New-AzureRmKeyVault', 
+               'Remove-AzureRmKeyVault', 
+               'Undo-AzureRmKeyVaultRemoval', 
+               'Remove-AzureRmKeyVaultAccessPolicy', 
+               'Set-AzureRmKeyVaultAccessPolicy', 
+               'Backup-AzureKeyVaultKey', 
+               'Get-AzureKeyVaultKey', 
+               'Get-AzureKeyVaultSecret', 
+               'Undo-AzureKeyVaultKeyRemoval', 
+               'Undo-AzureKeyVaultSecretRemoval', 
+               'Add-AzureKeyVaultKey', 
+               'Remove-AzureKeyVaultKey', 
+               'Remove-AzureKeyVaultSecret', 
+               'Restore-AzureKeyVaultKey', 
+               'Set-AzureKeyVaultKeyAttribute', 
+               'Set-AzureKeyVaultSecret', 
                'Set-AzureKeyVaultSecretAttribute', 
                'Get-AzureKeyVaultCertificatePolicy', 
                'New-AzureKeyVaultCertificateAdministratorDetails', 
                'New-AzureKeyVaultCertificateOrganizationDetails', 
-               'Backup-AzureKeyVaultSecret', 'Restore-AzureKeyVaultSecret', 
+               'Backup-AzureKeyVaultSecret', 
+               'Restore-AzureKeyVaultSecret', 
                'Get-AzureKeyVaultManagedStorageAccount', 
                'Add-AzureKeyVaultManagedStorageAccount', 
                'Remove-AzureKeyVaultManagedStorageAccount', 
                'Update-AzureKeyVaultManagedStorageAccount', 
                'Update-AzureKeyVaultManagedStorageAccountKey', 
                'Get-AzureKeyVaultManagedStorageSasDefinition', 
                'Set-AzureKeyVaultManagedStorageSasDefinition', 
-               'Remove-AzureKeyVaultManagedStorageSasDefinition'
-
+               'Remove-AzureKeyVaultManagedStorageSasDefinition',
+               'Undo-AzureKeyVaultCertificateRemoval'
 # Variables to export from this module
 # VariablesToExport = @()
 

src/ResourceManager/KeyVault/ChangeLog.md

@@ -24,6 +24,10 @@
 ## Version 3.3.0
 
 ## Version 3.2.1
+* New/updated Cmdlets to support soft-delete for KeyVault certificates
+  * Get-AzureKeyVaultCertificate
+  * Remove-AzureKeyVaultCertificate
+  * Undo-AzureKeyVaultCertificateRemoval
 
 ## Version 3.2.0
 * Remove email address from the directory query when -UserPrincipalName is specified to the Set-AzureRMKeyVaultAccessPolicy and Remove-AzureRMKeyVaultAccessPolicy cmdlets.

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Commands.KeyVault.Test.csproj

@@ -65,12 +65,12 @@
     <Reference Include="Microsoft.Azure.Graph.RBAC">
       <HintPath>..\..\..\packages\Microsoft.Azure.Graph.RBAC.3.4.0-preview\lib\net452\Microsoft.Azure.Graph.RBAC.dll</HintPath>
     </Reference>
-    <Reference Include="Microsoft.Azure.KeyVault, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.2.3.0-preview\lib\net452\Microsoft.Azure.KeyVault.dll</HintPath>
+    <Reference Include="Microsoft.Azure.KeyVault">
+      <HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.2.3.2\lib\net452\Microsoft.Azure.KeyVault.dll</HintPath>
       <Private>True</Private>
     </Reference>
-    <Reference Include="Microsoft.Azure.KeyVault.WebKey, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
-      <HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.WebKey.2.0.6\lib\net452\Microsoft.Azure.KeyVault.WebKey.dll</HintPath>
+    <Reference Include="Microsoft.Azure.KeyVault.WebKey">
+      <HintPath>..\..\..\packages\Microsoft.Azure.KeyVault.WebKey.2.0.7\lib\net452\Microsoft.Azure.KeyVault.WebKey.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.Azure.Management.Authorization">
@@ -138,9 +138,9 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\..\..\packages\Moq.4.2.1510.2205\lib\net40\Moq.dll</HintPath>
     </Reference>
-    <Reference Include="Newtonsoft.Json, Version=6.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
-      <SpecificVersion>False</SpecificVersion>
+    <Reference Include="Newtonsoft.Json">
       <HintPath>..\..\..\packages\Newtonsoft.Json.6.0.8\lib\net45\Newtonsoft.Json.dll</HintPath>
+      <Private>True</Private>
     </Reference>
     <Reference Include="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
       <SpecificVersion>False</SpecificVersion>

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/Common.ps1

@@ -207,7 +207,16 @@ function Cleanup-OldCertificates
     $certificatePattern = Get-CertificateName '*'
     Get-AzureKeyVaultCertificate $keyVault |
         Where-Object {$_.Name -like $certificatePattern} |
-        Remove-AzureKeyVaultCertificate -Force -Confirm:$false
+        Remove-AzureKeyVaultCertificate -Name $_.Name -VaultName $_.VaultName -Force -Confirm:$false
+
+    if($global:softDeleteEnabled -eq $true) 
+    {
+      Get-AzureKeyVaultCertificate -VaultName $keyVault -InRemovedState |
+      Where-Object {$_.Name -like $certificatePattern} | %{
+        Remove-AzureKeyVaultCertificate -Name $_.Name -VaultName $_.VaultName -InRemovedState -Force -Confirm:$false
+        Wait-Seconds 5;
+      }
+    }
 }
 
 <#
@@ -313,50 +322,49 @@ function Cleanup-SingleKeyTest
 
 function Cleanup-Key ([string]$keyName)
 {
-	$oldPref = $ErrorActionPreference	 
-	$ErrorActionPreference = "Stop"
-	try
+  $oldPref = $ErrorActionPreference	 
+  $ErrorActionPreference = "Stop"
+  try
+  {
+    $keyVault = Get-KeyVault
+    Write-Debug "Removing key with name $_ in vault $keyVault"
+    $catch = Remove-AzureKeyVaultKey $keyVault $keyName -Force -Confirm:$false
+    if($global:softDeleteEnabled -eq $true)
     {
-		$keyVault = Get-KeyVault
-		Write-Debug "Removing key with name $_ in vault $keyVault"
-		$catch = Remove-AzureKeyVaultKey $keyVault $keyName -Force -Confirm:$false
-		if($global:softDeleteEnabled -eq $true)
-		{
-			Wait-ForDeletedKey $keyVault $keyName
-			Remove-AzureKeyVaultKey $keyVault $keyName -Force -Confirm:$false -InRemovedState
-		}
+      Wait-ForDeletedKey $keyVault $keyName
+      Remove-AzureKeyVaultKey $keyVault $keyName -Force -Confirm:$false -InRemovedState
     }
-	catch {
-
-	}
-	finally 
-	{
-		$ErrorActionPreference = $oldPref	 
-	}
+  }
+  catch {
+
+  }
+  finally 
+  {
+    $ErrorActionPreference = $oldPref	 
+  }
 }
 
 function Cleanup-Secret ([string]$secretName)
 {
-	$oldPref = $ErrorActionPreference	 
-	$ErrorActionPreference = "Stop"
-	try
-    {
-		$keyVault = Get-KeyVault
-		Write-Debug "Removing secret with name $_ in vault $keyVault"
-		$catch = Remove-AzureKeyVaultSecret $keyVault $secretName -Force -Confirm:$false
-		if($global:softDeleteEnabled -eq $true)
-		{
-			Wait-ForDeletedSecret $keyVault $secretName
-			Remove-AzureKeyVaultSecret $keyVault $secretName -Force -Confirm:$false -InRemovedState
-		}
-    }
-	catch {
-
-	}
-    finally 
+  $oldPref = $ErrorActionPreference	 
+  $ErrorActionPreference = "Stop"
+  try
+  {
+    $keyVault = Get-KeyVault
+    Write-Debug "Removing secret with name $_ in vault $keyVault"
+    $catch = Remove-AzureKeyVaultSecret $keyVault $secretName -Force -Confirm:$false
+    if($global:softDeleteEnabled -eq $true)
     {
-		$ErrorActionPreference = $oldPref
+      Wait-ForDeletedSecret $keyVault $secretName
+      Remove-AzureKeyVaultSecret $keyVault $secretName -Force -Confirm:$false -InRemovedState
     }
+  }
+  catch {
+  }
+  finally 
+  {
+    $ErrorActionPreference = $oldPref
+  }
 }
 
 <#
@@ -389,6 +397,11 @@ function Cleanup-SingleCertificateTest
             $keyVault = Get-KeyVault
             Write-Debug "Removing certificate with name $_ in vault $keyVault"
             $catch = Remove-AzureKeyVaultCertificate $keyVault $_ -Force -Confirm:$false
+		    if($global:softDeleteEnabled -eq $true)
+		    {
+			    Wait-ForDeletedCertificate $keyVault $_
+			    Remove-AzureKeyVaultCertificate $keyVault $_ -Force -Confirm:$false -InRemovedState
+		    }
          }
          catch 
          {
@@ -452,6 +465,30 @@ function Wait-ForDeletedSecret ([string] $vault, [string] $secretName)
 	return $secret
 }
 
+<#
+.SYNOPSIS
+Waits for a deleted certificate to show up.
+#>
+function Wait-ForDeletedCertificate ([string] $vault, [string] $certName)
+{
+	$cert = $null
+	do {
+		try
+		{
+			$cert = Get-AzureKeyVaultCertificate -VaultName $vault -Name $certName -InRemovedState
+		}
+		catch
+		{
+			# Certificate is not found.
+			$cert = $null
+			Write-Host "Sleeping for 5 seconds to wait for deleted certificate $certName"
+			Wait-Seconds 5
+		}
+	} while($cert -ne $null)
+
+	return $cert
+}
+
 <#
 .SYNOPSIS
 Removes all managed storage accounts.

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/ControlPlane/KeyVaultManagementTests.ps1

@@ -62,7 +62,8 @@ function Get-AllCertPermissions
         "listissuers",
         "managecontacts", 
         "manageissuers", 
-        "setissuers"
+        "setissuers",
+        "recover"
     )
 }
 

src/ResourceManager/KeyVault/Commands.KeyVault.Test/Scripts/RunKeyVaultTests.ps1

@@ -29,6 +29,10 @@ If true, then tests that require a premium vault are skipped (optional).
 The object ID of the user (optional). If no object ID is provided, then
 the object ID is extracted from whomever is currently logged in.
 
+.PARAMETER SoftDeleteEnabled
+If true, turns on 'soft-delete' mode for tests: vault is created as soft-delete-enabled (if not exists), soft-delete 
+tests are executed, delete + purge sequence is used for clean-up. 
+
 .PARAMETER NoADCmdLetMode
 If true, then active directory related tests are skipped.
 
@@ -249,16 +253,24 @@ function Run-AllDataPlaneTests
         Run-TestProtected { Run-KeyTest {Test_GetDeletedKeys} "Test_GetDeletedKeys" } "Test_GetDeletedKeys"
         Run-TestProtected { Run-KeyTest {Test_UndoRemoveKey} "Test_UndoRemoveKey" } "Test_UndoRemoveKey"
         Run-TestProtected { Run-KeyTest {Test_RemoveDeletedKey} "Test_RemoveDeletedKey" } "Test_RemoveDeletedKey"
-        Run-TestProtected { Run-KeyTest {Test_RemoveNonExistKey} "Test_RemoveNonExistDeletedKey" } "Test_RemoveNonExistDeletedKey"
+        Run-TestProtected { Run-KeyTest {Test_RemoveNonExistDeletedKey} "Test_RemoveNonExistDeletedKey" } "Test_RemoveNonExistDeletedKey"
         Run-TestProtected { Run-KeyTest {Test_PipelineRemoveDeletedKeys} "Test_PipelineRemoveDeletedKeys" } "Test_PipelineRemoveDeletedKeys"
 
         # Secret soft delete tests
-        Run-TestProtected { Run-KeyTest {Test_GetDeletedKey} "Test_GetDeletedSecret" } "Test_GetDeletedKey"
+        Run-TestProtected { Run-KeyTest {Test_GetDeletedKey} "Test_GetDeletedSecret" } "Test_GetDeletedSecret"
         Run-TestProtected { Run-KeyTest {Test_GetDeletedKeys} "Test_GetDeletedSecrets" } "Test_GetDeletedSecrets"
-        Run-TestProtected { Run-KeyTest {Test_UndoRemoveKey} "Test_UndoRemoveSecret" } "Test_UndoRemoveSecret"
-        Run-TestProtected { Run-KeyTest {Test_RemoveDeletedKey} "Test_RemoveDeletedSecret" } "Test_RemoveDeletedSecret"
-        Run-TestProtected { Run-KeyTest {Test_RemoveNonExistKey} "Test_RemoveNonExistDeletedSecret" } "Test_RemoveNonExistDeletedSecret"
-        Run-TestProtected { Run-KeyTest {Test_PipelineRemoveDeletedKeys} "Test_PipelineRemoveDeletedSecrets" } "Test_PipelineRemoveDeletedSecrets"
+        Run-TestProtected { Run-KeyTest {Test_UndoRemoveSecret} "Test_UndoRemoveSecret" } "Test_UndoRemoveSecret"
+        Run-TestProtected { Run-KeyTest {Test_RemoveDeletedSecret} "Test_RemoveDeletedSecret" } "Test_RemoveDeletedSecret"
+        Run-TestProtected { Run-KeyTest {Test_RemoveNonExistDeletedSecret} "Test_RemoveNonExistDeletedSecret" } "Test_RemoveNonExistDeletedSecret"
+        Run-TestProtected { Run-KeyTest {Test_PipelineRemoveDeletedSecrets} "Test_PipelineRemoveDeletedSecrets" } "Test_PipelineRemoveDeletedSecrets"
+
+        # certificate soft delete tests
+        Run-TestProtected { Run-KeyTest {Test_GetDeletedCertificate} "Test_GetDeletedCertificate" } "Test_GetDeletedCertificate"
+        Run-TestProtected { Run-KeyTest {Test_GetDeletedCertificates} "Test_GetDeletedCertificates" } "Test_GetDeletedCertificates"
+        Run-TestProtected { Run-KeyTest {Test_UndoRemoveCertificate} "Test_UndoRemoveCertificate" } "Test_UndoRemoveCertificate"
+        Run-TestProtected { Run-KeyTest {Test_RemoveDeletedCertificate} "Test_RemoveDeletedCertificate" } "Test_RemoveDeletedCertificate"
+        Run-TestProtected { Run-KeyTest {Test_RemoveNonExistDeletedCertificate} "Test_RemoveNonExistDeletedCertificate" } "Test_RemoveNonExistDeletedCertificate"
+        Run-TestProtected { Run-KeyTest {Test_PipelineRemoveDeletedCertificates} "Test_PipelineRemoveDeletedCertificate" } "Test_PipelineRemoveDeletedCertificates"
     }
 
     # Add-AzureKeyVaultKey tests.