diff --git a/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
new file mode 100644
index 000000000000..e662c9736738
--- /dev/null
+++ b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
@@ -0,0 +1,172 @@
+$here = Split-Path -Parent $MyInvocation.MyCommand.Path
+$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.'
+. "$here\$sut"
+
+BeforeAll {
+ . $PSScriptRoot/ManagedHsmDatePlaneTests.ps1
+ ImportModules
+ $hsmName = GetAzManagedHsm
+}
+
+Describe "AddAzManagedHsmKey" {
+ It "Create a RSA key inside a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $keyType = "RSA"
+ $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType
+ $rsaKey.VaultName | Should -BeExactly $hsmName
+ $rsaKey.Name | Should -BeExactly $keyName
+ $rsaKey.Attributes.KeyType | Should -Be "RSA-HSM"
+ }
+
+ It "Create an EC key with curve P-256 inside a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $keyType = "EC"
+ $curveName = "P-256"
+ $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -CurveName $curveName
+ $rsaKey.VaultName | Should -BeExactly $hsmName
+ $rsaKey.Name | Should -BeExactly $keyName
+ $rsaKey.Attributes.KeyType | Should -Be "EC-HSM"
+ $rsaKey.Key.CurveName | Should -Be $curveName
+ }
+
+ It "Create an oct key inside a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $keyType = "oct"
+ $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType
+ $rsaKey.VaultName | Should -BeExactly $hsmName
+ $rsaKey.Name | Should -BeExactly $keyName
+ $rsaKey.Attributes.KeyType | Should -Be "oct-HSM"
+ }
+
+ It "Create an oct key inside a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $keyType = "oct"
+ $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType
+ $rsaKey.VaultName | Should -BeExactly $hsmName
+ $rsaKey.Name | Should -BeExactly $keyName
+ $rsaKey.Attributes.KeyType | Should -Be "oct-HSM"
+ }
+
+ It "Create a key with non-default values inside a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $keyType = "RSA"
+ $KeyOps = 'decrypt', 'verify'
+ # Expires & NotBefore is hard to cmpare, may add in the furture
+ $Tags = @{'Severity' = 'high'; 'Accounting' = "true"}
+
+ $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -KeyOps $KeyOps -Disable -Tag $Tags
+
+ $key.Attributes.KeyOps | Should -Be $KeyOps
+ $key.Tags.Count | Should -Be 2
+ $key.Enabled | Should -Be $false
+ }
+
+ It "Import a RSA key from pfx file into a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $keyFilePath = Join-Path $PSScriptRoot ../Resources/testImportKey.pfx -Resolve
+ $keyFilePwd = ConvertTo-SecureString "Passw0rd" -AsPlainText -Force
+ $key = Add-AzManagedHsmKey -HsmName bezmhsm -Name $keyName -KeyFilePath $keyFilePath -KeyFilePassword $keyFilePwd
+ $key.Name | Should -BeExactly $keyName
+ }
+}
+
+Describe "GetAzManagedHsmKey"{
+ It "List all the keys in a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA"
+ $keys = Get-AzManagedHsmKey -HsmName $hsmName
+ $keys.Count | Should -BeGreaterThan 0
+ }
+
+ It "Get a specific key in a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA"
+ $got = Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName
+ $got.Id | Should -Be $key.Id
+ }
+
+ It "List all the keys that have been deleted in a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA"
+ Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName
+ $deletedKey = Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName -InRemovedState
+ $deletedKey.Id | Should -Be $key.Id
+ }
+
+ It "Download a key from a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA"
+ $filePath = "$PSScriptRoot\public.pem"
+ Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName -OutFile $filePath
+ $filePath | Should -Exist
+ }
+}
+
+Describe "RemoveAzManagedHsmKey"{
+ It "Remove a key from a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA"
+ $deletedKey = Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force -PassThru
+ $deletedKey.Id | Should -Be $key.Id
+ }
+
+ It "Purge a deleted key from a managed HSM" {
+ $keyName = GetRandomName -Prefix "key"
+ Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA"
+ Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force -PassThru
+ Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -InRemovedState -Force -PassThru
+ $deletedKey = Get-AzManagedHsmKey -HsmName $hsmName -Name $keyName -InRemovedState
+ $deletedKey | Should -Be $null
+ }
+
+ It "Remove keys by using piping" {
+ Get-AzManagedHsmKey -HsmName $hsmName | Remove-AzManagedHsmKey -Force
+ $keys = Get-AzManagedHsmKey -HsmName $hsmName
+ $keys.Count | Should -Be 0
+ }
+}
+
+Describe "UpdateAzManagedHsmKey"{
+ It "Enable a key and set tags" {
+ $keyName = GetRandomName -Prefix "key"
+ $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" -Disable
+ $Tags = @{'Severity' = 'high'; 'Accounting' = 'true'}
+
+ $updatedKey = Update-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Enable $True -Tag $Tags -PassThru
+
+ $updatedKey.Id | Should -Be $key.Id
+ $updatedKey.Enabled | Should -Be $True
+ $updatedKey.Tags.Count | Should -Be 2
+ }
+}
+
+Describe "UndoAzManagedHsmKeyRemoval"{
+ It "Undo a key removal" {
+ $keyName = GetRandomName -Prefix "key"
+ $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA"
+ $deletedKey = Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force -PassThru
+ $recoveredKey = $deletedKey | Undo-AzManagedHsmKeyRemoval
+ $recoveredKey.Id | Should -Be $key.Id
+ }
+}
+
+Describe "BackupAndRetoreAzManagedHsmKey"{
+ It "Backup and retore a key" {
+ $keyName = GetRandomName -Prefix "key"
+ $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA"
+ $filePath = "$PSScriptRoot/backupkey.blob"
+ $key | Backup-AzManagedHsmKey -OutputFile $filePath -Force
+ $filePath | Should -Exist
+
+ Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force
+ Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -InRemovedState -Force
+ $restoredKey = Restore-AzManagedHsmKey -HsmName $hsmName -InputFile $filePath
+ $restoredKey.Id | Should -Be $key.Id
+ }
+}
+
+# to do: manually remove all stuffs in resource group
+# AfterAll {
+ # $hsm = Get-AzManagedHsm -Name $hsmName
+ # Remove-AzResourceGroup -Name $hsm.ResourceGroupName -Force
+# }
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.ps1 b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.ps1
new file mode 100644
index 000000000000..2a8e8c802a22
--- /dev/null
+++ b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.ps1
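Review bot: `$hsmName = GetAzManagedHsm` in BeforeAll stores the object that GetAzManagedHsm returns (`return $hsm` in ManagedHsmDatePlaneTests.ps1), not the HSM's name, so every `-HsmName $hsmName` binding and the `Should -BeExactly $hsmName` assertions compare against an object rather than a string; unless PSManagedHsm stringifies to its name, the tests need `$hsmName = (GetAzManagedHsm).Name`. The second `It "Create an oct key inside a managed HSM"` in the AddAzManagedHsmKey block is a byte-for-byte duplicate of the first and should be dropped. The pfx import test passes `-HsmName bezmhsm` instead of `$hsmName`, so it runs against a fixed HSM outside the one provisioned for the run, and "Remove keys by using piping" deletes every key in whatever `$hsmName` resolves to, which is only safe while that stays a per-run HSM. With the AfterAll cleanup commented out each run also leaves a Managed HSM and its resource group behind, and the purge test calls Get-AzManagedHsmKey with `-Name` where every other Get call uses `-KeyName` — presumably one of the two spellings is wrong.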
@@ -0,0 +1,40 @@
+function GetAzManagedHsm{
+ Param(
+ [parameter(Mandatory=$false)]
+ [String]
+ $HsmName,
+ [parameter(Mandatory=$false)]
+ [String]
+ $ResourceGroupName,
+ [parameter(Mandatory=$false)]
+ [String]
+ $Location,
+ [parameter(Mandatory=$false)]
+ [String[]]
+ $Administrator
+ )
+ $hsmName = GetRandomName -Prefix "hsm"
+ $resourceGroupName = GetRandomName -Prefix "rg"
+ $Location = "eastus2euap"
+ $administrator = "c1be1392-39b8-4521-aafc-819a47008545"
+ $hsm = New-AzManagedHsm -Name $HsmName -ResourceGroupName $ResourceGroupName -Location $r -Administrator $Administrator
+ return $hsm
+}
+
+function GetRandomName{
+ Param(
+ [parameter(Mandatory=$false)]
+ [String]
+ $Prefix
+ )
+ $randomNum = Get-Random -Minimum 100 -Maximum 99999
+ return "$Prefix$randomNum"
+}
+
+function ImportModules{
+ $psd1Path = Join-Path $PSScriptRoot "../../../../artifacts/Debug/" -Resolve
+ $accountsPsd1 = Join-Path $psd1Path "./Az.Accounts/Az.Accounts.psd1" -Resolve
+ $keyVaultPsd1 = Join-Path $psd1Path "./Az.KeyVault/Az.KeyVault.psd1" -Resolve
+ Import-Module $accountsPsd1
+ Import-Module $keyVaultPsd1
+}
\ No newline at end of file
diff --git a/src/KeyVault/KeyVault.Test/Resources/testImportKey.pfx b/src/KeyVault/KeyVault.Test/Resources/testImportKey.pfx
new file mode 100644
index 000000000000..cc52a81925bb
Binary files /dev/null and b/src/KeyVault/KeyVault.Test/Resources/testImportKey.pfx differ
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
deleted file mode 100644
index 098f3d04daa2..000000000000
--- a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
+++ /dev/null
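Review bot: `New-AzManagedHsm ... -Location $r` in GetAzManagedHsm references `$r`, which is never assigned, so the HSM is created with an empty location while the `$Location = "eastus2euap"` line above it is never used; the argument should be `-Location $Location`. PowerShell variable names are case-insensitive, so `$hsmName = GetRandomName -Prefix "hsm"`, `$resourceGroupName = ...` and `$administrator = ...` overwrite the `$HsmName`, `$ResourceGroupName` and `$Administrator` parameters, meaning any value a caller passes is silently discarded; the randoms and fixed values should only fill in parameters that were left empty. The administrator is a fixed principal object ID, so the helper only works in the tenant that principal lives in, and nothing in this hunk creates the random resource group before New-AzManagedHsm is called — confirm the cmdlet does not require it to exist. The rewritten body below keeps the Param block as is.
```powershell
    # … unchanged: Param block …
    if (-not $HsmName) { $HsmName = GetRandomName -Prefix "hsm" }
    if (-not $ResourceGroupName) { $ResourceGroupName = GetRandomName -Prefix "rg" }
    if (-not $Location) { $Location = "eastus2euap" }
    if (-not $Administrator) { $Administrator = "c1be1392-39b8-4521-aafc-819a47008545" }
    $hsm = New-AzManagedHsm -Name $HsmName -ResourceGroupName $ResourceGroupName -Location $Location -Administrator $Administrator
    return $hsm
```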
@@ -1,9 +0,0 @@ -$here = Split-Path -Parent $MyInvocation.MyCommand.Path -$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.' -. "$here\$sut" - -Describe "ManagedHsmDatePlaneTests" { - It "does something useful" { - $true | Should Be $false - } -} diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 deleted file mode 100644 index 86b7fbebb88f..000000000000 --- a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 +++ /dev/null @@ -1,22 +0,0 @@ -function Test-AddAzManagedHsmKey { - Param( - [parameter(Mandatory=$true)] - [String] - $hsmName, - [parameter(Mandatory=$true)] - [String] - $keyName, - [parameter(Mandatory=$true)] - [String] - $keyType, - [parameter(Mandatory=$false)] - [String] - $curveName - ) - if($keyType -eq "EC" || $keyType -eq "EC-HSM"){ - Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -CurveName $curveName - } - else { - Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType - } -} diff --git a/src/KeyVault/KeyVault/ChangeLog.md b/src/KeyVault/KeyVault/ChangeLog.md index de98936d679c..fc814aac0e54 100644 --- a/src/KeyVault/KeyVault/ChangeLog.md +++ b/src/KeyVault/KeyVault/ChangeLog.md @@ -19,7 +19,7 @@ --> ## Upcoming Release * Supported creating, removing, updating, getting, restoring, backup and undoing removal key inside managed HSM -* Enabled Managed HSM Management via *-AzKeyVault +* Supported creating, deleting, updating and getting managed HSM ## Version 2.0.0 * Removed two aliases: `New-AzKeyVaultCertificateAdministratorDetails` and `New-AzKeyVaultCertificateOrganizationDetails` diff --git a/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs b/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs index e67e2a516100..053bd351e0d1 100644 --- a/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs 
+++ b/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs @@ -18,7 +18,7 @@ namespace Microsoft.Azure.Commands.KeyVault.Commands /// 3. Create a key from a .pfx file by importing key material /// [Cmdlet("Add", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", SupportsShouldProcess = true, DefaultParameterSetName = InteractiveCreateParameterSet)] - [OutputType(typeof(PSManagedHsm))] + [OutputType(typeof(PSKeyVaultKey))] public class AddAzureManagedHsmKey : KeyVaultCmdletBase { #region Parameter Set Names @@ -123,6 +123,13 @@ public class AddAzureManagedHsmKey : KeyVaultCmdletBase /// key type /// [Parameter(Mandatory = true, + ParameterSetName = InteractiveCreateParameterSet, + HelpMessage = "Specifies the key type of this key.")] + [Parameter(Mandatory = true, + ParameterSetName = InputObjectCreateParameterSet, + HelpMessage = "Specifies the key type of this key.")] + [Parameter(Mandatory = true, + ParameterSetName = ResourceIdCreateParameterSet, HelpMessage = "Specifies the key type of this key.")] [PSArgumentCompleter("RSA", "EC", "oct")] public string KeyType { get; set; } @@ -210,7 +217,6 @@ public override void ExecuteCmdlet() CreateKeyAttributes(), Size, CurveName); - this.WriteObject(keyBundle); } else { @@ -218,7 +224,7 @@ public override void ExecuteCmdlet() HsmName, Name, CreateWebKeyFromFile()); } - + this.WriteObject(keyBundle); } } private void ValidateKeyExchangeKey() diff --git a/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md index b7cd69fd6360..98b233677141 100644 --- a/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md +++ b/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md 
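Review bot: The three `[Parameter]` attributes added for KeyType in the `@@ -123,6 +123,13 @@` hunk repeat the literal `"Specifies the key type of this key."`; since that text also has to stay in sync with help/Add-AzManagedHsmKey.md, hoisting it into a `private const string KeyTypeHelpMessage = "Specifies the key type of this key.";` beside the parameter-set-name constants leaves one place to edit. Moving `this.WriteObject(keyBundle)` below the if/else in the last two hunks is correct only if `keyBundle` is declared before the `if`; the declaration is outside the hunk, so confirm it is not scoped to the create branch. ExecuteCmdlet begins and ends outside these hunks.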
@@ -22,9 +22,9 @@ Add-AzManagedHsmKey [-HsmName] [-Name] -KeyType [-Cur ### InteractiveImport ``` Add-AzManagedHsmKey [-HsmName] [-Name] -KeyFilePath - [-KeyFilePassword ] -KeyType [-CurveName ] [-Disable] [-KeyOps ] - [-Expires ] [-NotBefore ] [-Tag ] [-DefaultProfile ] - [-WhatIf] [-Confirm] [] + [-KeyFilePassword ] [-CurveName ] [-Disable] [-KeyOps ] [-Expires ] + [-NotBefore ] [-Tag ] [-DefaultProfile ] [-WhatIf] [-Confirm] + [] ``` ### InputObjectCreate @@ -37,9 +37,9 @@ Add-AzManagedHsmKey [-InputObject] [-Name] -KeyType [-Name] -KeyFilePath - [-KeyFilePassword ] -KeyType [-CurveName ] [-Disable] [-KeyOps ] - [-Expires ] [-NotBefore ] [-Tag ] [-DefaultProfile ] - [-WhatIf] [-Confirm] [] + [-KeyFilePassword ] [-CurveName ] [-Disable] [-KeyOps ] [-Expires ] + [-NotBefore ] [-Tag ] [-DefaultProfile ] [-WhatIf] [-Confirm] + [] ``` ### ResourceIdCreate @@ -52,9 +52,9 @@ Add-AzManagedHsmKey [-ResourceId] [-Name] -KeyType [- ### ResourceIdImport ``` Add-AzManagedHsmKey [-ResourceId] [-Name] -KeyFilePath - [-KeyFilePassword ] -KeyType [-CurveName ] [-Disable] [-KeyOps ] - [-Expires ] [-NotBefore ] [-Tag ] [-DefaultProfile ] - [-WhatIf] [-Confirm] [] + [-KeyFilePassword ] [-CurveName ] [-Disable] [-KeyOps ] [-Expires ] + [-NotBefore ] [-Tag ] [-DefaultProfile ] [-WhatIf] [-Confirm] + [] ``` ## DESCRIPTION @@ -110,7 +110,7 @@ Tags : This command creates a EC-HSM key named testkey using P-256 curve in the managed HSM testkey named testmhsm. -### Example 3: Create a key with non-default values +### Example 3: Create a oct-HSM key with non-default values ```powershell PS C:\> $KeyOperations = 'decrypt', 'verify' PS C:\> $Expires = (Get-Date).AddYears(2).ToUniversalTime() @@ -291,7 +291,7 @@ Specifies the key type of this key. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: InteractiveCreate, InputObjectCreate, ResourceIdCreate Aliases: Required: True