From 139052401baf1f08bdcc437bb2a3499e5292a09d Mon Sep 17 00:00:00 2001 From: Beisi Zhou Date: Fri, 16 Oct 2020 15:15:07 +0800 Subject: [PATCH 1/2] limit KeyType to be required only when create managed HSM key --- .../ManagedHsmDatePlaneTests.Tests.ps1 | 71 +++++++++++++++++- .../PesterTests/ManagedHsmDatePlaneTests.ps1 | 60 +++++++++------ .../ScenarioTests/PesterTests/sd1.pfx | Bin 0 -> 2469 bytes .../Commands/AddAzureManagedHsmKey.cs | 12 ++- .../KeyVault/help/Add-AzManagedHsmKey.md | 22 +++--- 5 files changed, 127 insertions(+), 38 deletions(-) create mode 100644 src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/sd1.pfx diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 index 098f3d04daa2..513b84c2851c 100644 --- a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 +++ b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 
@@ -2,8 +2,73 @@ $here = Split-Path -Parent $MyInvocation.MyCommand.Path $sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.' . "$here\$sut" -Describe "ManagedHsmDatePlaneTests" { - It "does something useful" { - $true | Should Be $false +BeforeAll { + . $PSScriptRoot/ManagedHsmDatePlaneTests.ps1 + ImportModules + $hsmName = GetAzManagedHsm +} + +Describe "AddAzManagedHsmKey" { + It "Create a RSA key inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyType = "RSA" + $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType + $rsaKey.VaultName | Should -BeExactly $hsmName + $rsaKey.Name | Should -BeExactly $keyName + $rsaKey.Attributes.KeyType | Should -Be "RSA-HSM" + } + + It "Create an EC key with curve P-256 inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyType = "EC" + $curveName = "P-256" + $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -CurveName $curveName + $rsaKey.VaultName | Should -BeExactly $hsmName + $rsaKey.Name | Should -BeExactly $keyName + $rsaKey.Attributes.KeyType | Should -Be "EC-HSM" + $rsaKey.Key.CurveName | Should -Be $curveName + } + + It "Create an oct key inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyType = "oct" + $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType + $rsaKey.VaultName | Should -BeExactly $hsmName + $rsaKey.Name | Should -BeExactly $keyName + $rsaKey.Attributes.KeyType | Should -Be "oct-HSM" + } + + It "Create an oct key inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyType = "oct" + $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType + $rsaKey.VaultName | Should -BeExactly $hsmName + $rsaKey.Name | Should -BeExactly $keyName + $rsaKey.Attributes.KeyType | Should -Be "oct-HSM" + } + + It "Create a key with non-default values inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + 
$keyType = "RSA" + $KeyOps = 'decrypt', 'verify' + # Expires & NotBefore is hard to cmpare, may add in the furture + $Tags = @{'Severity' = 'high'; 'Accounting' = "true"} + + $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -KeyOps $KeyOps -Disable -Tag $Tags + + $key.Attributes.KeyOps | Should -Be $KeyOps + $key.Tags.Count | Should -Be 2 + $key.Enabled | Should -Be $false + } + + It "Import a RSA key from pfx file into a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $key = Add-AzManagedHsmKey -HsmName bezmhsm -Name $keyName -KeyFilePath $PSScriptRoot/sd1.pfx -KeyFilePassword (ConvertTo-SecureString "Passw0rd" -AsPlainText -Force) + $key.Name | Should -BeExactly $keyName } } + +AfterAll { + $hsm = Get-AzManagedHsm -Name $hsmName + Remove-AzResourceGroup -Name $hsm.ResourceGroupName -Force +} \ No newline at end of file diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 index 86b7fbebb88f..6e395a6407cd 100644 --- a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 +++ b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 
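Review bot: The import test on the new side passes `-HsmName bezmhsm`, a fixed HSM name, while every other It block uses the `$hsmName` created in BeforeAll; it should read `Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyFilePath $PSScriptRoot/sd1.pfx -KeyFilePassword (...)` so a run never touches an HSM outside the test's own resource group. `$hsmName` is assigned from `GetAzManagedHsm`, which in the sibling ManagedHsmDatePlaneTests.ps1 hunk returns the HSM object rather than its name, so `-HsmName $hsmName` and `Should -BeExactly $hsmName` only work if that object stringifies to the name — confirm, or take `.Name` at the call site. The two "Create an oct key inside a managed HSM" blocks are byte-identical; drop one or give the second a distinct case. The committed sd1.pfx together with the `"Passw0rd"` literal is acceptable only as a disposable key made for this fixture, and a one-line comment above the import test should say so, e.g. `# sd1.pfx is a disposable test key, not a real credential`. These lines reappear unchanged in the new-path copy of this file added by PATCH 2/2.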
@@ -1,22 +1,40 @@ -function Test-AddAzManagedHsmKey { - Param( - [parameter(Mandatory=$true)] - [String] - $hsmName, - [parameter(Mandatory=$true)] - [String] - $keyName, - [parameter(Mandatory=$true)] - [String] - $keyType, - [parameter(Mandatory=$false)] - [String] - $curveName - ) - if($keyType -eq "EC" || $keyType -eq "EC-HSM"){ - Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -CurveName $curveName - } - else { - Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType - } +function GetAzManagedHsm{ + Param( + [parameter(Mandatory=$false)] + [String] + $HsmName, + [parameter(Mandatory=$false)] + [String] + $ResourceGroupName, + [parameter(Mandatory=$false)] + [String] + $Location, + [parameter(Mandatory=$false)] + [String[]] + $Administrator + ) + $hsmName = GetRandomName -Prefix "hsm" + $resourceGroupName = GetRandomName -Prefix "rg" + $Location = "eastus2euap" + $administrator = "c1be1392-39b8-4521-aafc-819a47008545" + $hsm = New-AzManagedHsm -Name $HsmName -ResourceGroupName $ResourceGroupName -Location $r -Administrator $Administrator + return $hsm } + +function GetRandomName{ + Param( + [parameter(Mandatory=$false)] + [String] + $Prefix + ) + $randomNum = Get-Random -Minimum 100 -Maximum 99999 + return "$Prefix$randomNum" +} + +function ImportModules{ + $psd1Path = Join-Path $PSScriptRoot "../../../../../artifacts/Debug/" -Resolve + $accountsPsd1 = Join-Path $psd1Path "./Az.Accounts/Az.Accounts.psd1" + $keyVaultPsd1 = Join-Path $psd1Path "./Az.KeyVault/Az.KeyVault.psd1" + Import-Module $accountsPsd1 + Import-Module $keyVaultPsd1 +} \ No newline at end of file 
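Review bot: `New-AzManagedHsm ... -Location $r` in GetAzManagedHsm references `$r`, which is never assigned, so the cmdlet receives an empty location; the line should be `$hsm = New-AzManagedHsm -Name $HsmName -ResourceGroupName $ResourceGroupName -Location $Location -Administrator $Administrator`. The function's four parameters are then overwritten unconditionally (PowerShell variable names are case-insensitive, so `$hsmName = GetRandomName -Prefix "hsm"` reassigns `$HsmName`), which makes the Param block misleading; either honour caller-supplied values with `if (-not $HsmName) { ... }` guards or remove the parameters. It returns the whole `$hsm` object while the test file assigns the result to `$hsmName` and passes it as `-HsmName`; returning `$hsm.Name`, or documenting that callers must use `.Name`, avoids depending on the object's string conversion. The administrator is a literal object-ID GUID, which ties the test to one specific principal; reading it from an environment variable (a name still to be chosen, e.g. `$env:MHSM_TEST_ADMIN_OID`) keeps the test portable between runners and keeps an identity out of the repository.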
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/sd1.pfx b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/sd1.pfx new file mode 100644 index 0000000000000000000000000000000000000000..cc52a81925bb42421bd789db806b55e626f148cd GIT binary patch literal 2469 zcmV;W30n3rf(fAl0Ru3C31Mg}nTNh>FdLYD!HT;?;h_vp zwljzN4dPG)79t9g#!|rp&mABmZ0bk_BGww~rnX1N@ieivIV7~#H#KtiY$g{-pW3$P z^o)uy+R%R*eLWqQ5(bFMwHf$~U0Y0;RD=UwV?Hx{_-gYRs8PRvmN@49%qRye&;T=4 z%k0KsKiF!Ut3D@&L~Y0);S>e_2tYay+^6(sI6~0=all5!(+QVXsYUQsvP7M%r1atL zZoW_}V6FmU1OVaz54D#ekAUFaBy@sfe$9B8J#05(TelMfz6hLPM7)VYWhEEOE8Cae_bgQ3w1v@5c2 zGcDNb(6|j>MdTz-7p^!1NgH~kg22yiKsG*TwC9;swaXR1rNv0ObxZ;IZcdQe!*p9>pGAFFh(vT zHRoyZDS&#}{zj$!E=fD_Z0&jW)?;?Dd*-zHOqC{UvM;mw42P+CKkC-*Tk(|WS$wl> zJ4zZb?6$woLHtMTvu+&Q2pg9=S~pDw34n#~TzpSAgvE^x1OlYk>c64uVfzZZu+ODV zj^%qo#BQO^A<|+TLlspKb|G-YakfTKS%vwnpBowI?E{~o{iKv%7t}WY0vK0B!*yK>GBTXMYKAIIU@(XZD)q;OaPcR`$Z; z>QCAWN_$R?1Xijh!W<*_X{wEiRt4G!U>)2x3D(1qNrtIrM{)4v%#bqLB@{QR6}D7p zTaJjA0&(ql7?Qs+If<1IqYDU+Q$tih)7+Y~S4(e#m%;lq4uH8+;Kreq zDwmnK=D(_olE$evNg6w&smoyq>5aFR$^>2A#yf3hhTXQsXHBONGutG4Xtd&AbfEQV z1PJ%zYD#JsNJqN8+27RPUVDA`E$J%)8{5>#Nb_zrL9=U}FoFd^1_>&LNQUk zG}hFX(61B!w-s!Iaxu7p6O;{w$W^1N+?+VgzDR6|%GYWyDI1~9Hghp6q&BN(abm{B zjF#CKE*hl5YWTPYYXEL;|H95nO_J0KRD~!zNy)BU(a7pCuFyJYTxLubg^h7y#$e_sBTxg?h{Fo~NF&55&C47njdNGl zu@h=Yv_f@uo?N5-sL&n6GYM8+5^=jWvL7VK8s z(y8Mvq^=bNlEtFI@47wHdfskz|C^k^jkl*+&;ijr`j0j||EEZKk-t^__PN$r7` zMd9E928+EbFi#W+pqRoUWhw!^E1C8KSkZk92+*inv$^U7oexU1E$C0)(;NK(ndXKHZwbtM)SCVZ)tz&9gBp_fv118nW|j;IeVWztF>VEu1*K1y_8Wj zI@$Vo^7yTAK!x!46F(pp=}ZLF|1{0@8BC8usNd{#yN zo|UMb%8#qPDC z!xs6Y`&Ho4-=edY+iGMm48!Gu1m2EEiV8%!-7e8vYy@SFR#T9_B5WP~WBeaij@8~y zJQ9r2vMYQ0)O;s>OH0Q%iQ5raiLAhv2~EFE;<6m=CUXu|qtI_Y z$fgG`u6CNP7fbRCcl-Bs2P#^Ji*nfN2D<4`Z6VAsR8x=;yu=q7kY|1??(N5g4Xw~Z zFQCgjtjGEuP`w%AutIB1uG5%0vZJX1Qgg7 j&0k2UK}9<(-khP@ouaPe2&n`JM0BDdPaoG+0s;sCWJiz3 literal 0 HcmV?d00001 
diff --git a/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs b/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs index e67e2a516100..053bd351e0d1 100644 --- a/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs +++ b/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs @@ -18,7 +18,7 @@ namespace Microsoft.Azure.Commands.KeyVault.Commands /// 3. Create a key from a .pfx file by importing key material /// [Cmdlet("Add", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", SupportsShouldProcess = true, DefaultParameterSetName = InteractiveCreateParameterSet)] - [OutputType(typeof(PSManagedHsm))] + [OutputType(typeof(PSKeyVaultKey))] public class AddAzureManagedHsmKey : KeyVaultCmdletBase { #region Parameter Set Names @@ -123,6 +123,13 @@ public class AddAzureManagedHsmKey : KeyVaultCmdletBase /// key type /// [Parameter(Mandatory = true, + ParameterSetName = InteractiveCreateParameterSet, + HelpMessage = "Specifies the key type of this key.")] + [Parameter(Mandatory = true, + ParameterSetName = InputObjectCreateParameterSet, + HelpMessage = "Specifies the key type of this key.")] + [Parameter(Mandatory = true, + ParameterSetName = ResourceIdCreateParameterSet, HelpMessage = "Specifies the key type of this key.")] [PSArgumentCompleter("RSA", "EC", "oct")] public string KeyType { get; set; } @@ -210,7 +217,6 @@ public override void ExecuteCmdlet() CreateKeyAttributes(), Size, CurveName); - this.WriteObject(keyBundle); } else { @@ -218,7 +224,7 @@ public override void ExecuteCmdlet() HsmName, Name, CreateWebKeyFromFile()); } - + this.WriteObject(keyBundle); } } private void ValidateKeyExchangeKey() diff --git a/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md index b7cd69fd6360..98b233677141 100644 --- a/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md +++ b/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md 
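Review bot: KeyType is now bound only in the three Create parameter sets, so in the Import sets the property stays null; if `CreateWebKeyFromFile()` (its body is outside the hunk) still consults `KeyType` to choose the key kind, the import path silently loses that information — confirm it derives the type from the .pfx contents. Once that is confirmed, a remark on the property such as `/// Bound only in the Create parameter sets; import takes the key type from the file.` would explain to the next maintainer why the attribute is repeated three times instead of once for all sets. The `[PSArgumentCompleter("RSA", "EC", "oct")]` left on the property only completes, it does not validate; if those three spellings are the only accepted ones, a `[ValidateSet("RSA", "EC", "oct")]` would reject a typo at binding time instead of after a round trip to the HSM.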
@@ -22,9 +22,9 @@ Add-AzManagedHsmKey [-HsmName] [-Name] -KeyType [-Cur ### InteractiveImport ``` Add-AzManagedHsmKey [-HsmName] [-Name] -KeyFilePath - [-KeyFilePassword ] -KeyType [-CurveName ] [-Disable] [-KeyOps ] - [-Expires ] [-NotBefore ] [-Tag ] [-DefaultProfile ] - [-WhatIf] [-Confirm] [] + [-KeyFilePassword ] [-CurveName ] [-Disable] [-KeyOps ] [-Expires ] + [-NotBefore ] [-Tag ] [-DefaultProfile ] [-WhatIf] [-Confirm] + [] ``` ### InputObjectCreate @@ -37,9 +37,9 @@ Add-AzManagedHsmKey [-InputObject] [-Name] -KeyType [-Name] -KeyFilePath - [-KeyFilePassword ] -KeyType [-CurveName ] [-Disable] [-KeyOps ] - [-Expires ] [-NotBefore ] [-Tag ] [-DefaultProfile ] - [-WhatIf] [-Confirm] [] + [-KeyFilePassword ] [-CurveName ] [-Disable] [-KeyOps ] [-Expires ] + [-NotBefore ] [-Tag ] [-DefaultProfile ] [-WhatIf] [-Confirm] + [] ``` ### ResourceIdCreate @@ -52,9 +52,9 @@ Add-AzManagedHsmKey [-ResourceId] [-Name] -KeyType [- ### ResourceIdImport ``` Add-AzManagedHsmKey [-ResourceId] [-Name] -KeyFilePath - [-KeyFilePassword ] -KeyType [-CurveName ] [-Disable] [-KeyOps ] - [-Expires ] [-NotBefore ] [-Tag ] [-DefaultProfile ] - [-WhatIf] [-Confirm] [] + [-KeyFilePassword ] [-CurveName ] [-Disable] [-KeyOps ] [-Expires ] + [-NotBefore ] [-Tag ] [-DefaultProfile ] [-WhatIf] [-Confirm] + [] ``` ## DESCRIPTION @@ -110,7 +110,7 @@ Tags : This command creates a EC-HSM key named testkey using P-256 curve in the managed HSM testkey named testmhsm. -### Example 3: Create a key with non-default values +### Example 3: Create a oct-HSM key with non-default values ```powershell PS C:\> $KeyOperations = 'decrypt', 'verify' PS C:\> $Expires = (Get-Date).AddYears(2).ToUniversalTime() @@ -291,7 +291,7 @@ Specifies the key type of this key. ```yaml Type: System.String -Parameter Sets: (All) +Parameter Sets: InteractiveCreate, InputObjectCreate, ResourceIdCreate Aliases: Required: True From e247feced97f4c4d4a3f70cbb7381844f365d1f2 Mon Sep 17 00:00:00 2001 
From: Beisi Zhou Date: Mon, 19 Oct 2020 12:23:20 +0800 Subject: [PATCH 2/2] add pester test --- .../ManagedHsmDatePlaneTests.Tests.ps1 | 172 ++++++++++++++++++ .../PesterTests/ManagedHsmDatePlaneTests.ps1 | 6 +- .../sd1.pfx => Resources/testImportKey.pfx} | Bin .../ManagedHsmDatePlaneTests.Tests.ps1 | 74 -------- src/KeyVault/KeyVault/ChangeLog.md | 2 +- 5 files changed, 176 insertions(+), 78 deletions(-) create mode 100644 src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 rename src/KeyVault/KeyVault.Test/{ScenarioTests => }/PesterTests/ManagedHsmDatePlaneTests.ps1 (90%) rename src/KeyVault/KeyVault.Test/{ScenarioTests/PesterTests/sd1.pfx => Resources/testImportKey.pfx} (100%) delete mode 100644 src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 diff --git a/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 new file mode 100644 index 000000000000..e662c9736738 --- /dev/null +++ b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 
@@ -0,0 +1,172 @@ +$here = Split-Path -Parent $MyInvocation.MyCommand.Path +$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.' +. "$here\$sut" + +BeforeAll { + . $PSScriptRoot/ManagedHsmDatePlaneTests.ps1 + ImportModules + $hsmName = GetAzManagedHsm +} + +Describe "AddAzManagedHsmKey" { + It "Create a RSA key inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyType = "RSA" + $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType + $rsaKey.VaultName | Should -BeExactly $hsmName + $rsaKey.Name | Should -BeExactly $keyName + $rsaKey.Attributes.KeyType | Should -Be "RSA-HSM" + } + + It "Create an EC key with curve P-256 inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyType = "EC" + $curveName = "P-256" + $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -CurveName $curveName + $rsaKey.VaultName | Should -BeExactly $hsmName + $rsaKey.Name | Should -BeExactly $keyName + $rsaKey.Attributes.KeyType | Should -Be "EC-HSM" + $rsaKey.Key.CurveName | Should -Be $curveName + } + + It "Create an oct key inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyType = "oct" + $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType + $rsaKey.VaultName | Should -BeExactly $hsmName + $rsaKey.Name | Should -BeExactly $keyName + $rsaKey.Attributes.KeyType | Should -Be "oct-HSM" + } + + It "Create an oct key inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyType = "oct" + $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType + $rsaKey.VaultName | Should -BeExactly $hsmName + $rsaKey.Name | Should -BeExactly $keyName + $rsaKey.Attributes.KeyType | Should -Be "oct-HSM" + } + + It "Create a key with non-default values inside a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyType = "RSA" + $KeyOps = 'decrypt', 'verify' + # Expires & NotBefore is hard to cmpare, may 
add in the furture + $Tags = @{'Severity' = 'high'; 'Accounting' = "true"} + + $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -KeyOps $KeyOps -Disable -Tag $Tags + + $key.Attributes.KeyOps | Should -Be $KeyOps + $key.Tags.Count | Should -Be 2 + $key.Enabled | Should -Be $false + } + + It "Import a RSA key from pfx file into a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $keyFilePath = Join-Path $PSScriptRoot ../Resources/testImportKey.pfx -Resolve + $keyFilePwd = ConvertTo-SecureString "Passw0rd" -AsPlainText -Force + $key = Add-AzManagedHsmKey -HsmName bezmhsm -Name $keyName -KeyFilePath $keyFilePath -KeyFilePassword $keyFilePwd + $key.Name | Should -BeExactly $keyName + } +} + +Describe "GetAzManagedHsmKey"{ + It "List all the keys in a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" + $keys = Get-AzManagedHsmKey -HsmName $hsmName + $keys.Count | Should -BeGreaterThan 0 + } + + It "Get a specific key in a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" + $got = Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName + $got.Id | Should -Be $key.Id + } + + It "List all the keys that have been deleted in a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" + Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName + $deletedKey = Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName -InRemovedState + $deletedKey.Id | Should -Be $key.Id + } + + It "Download a key from a managed HSM" { + $keyName = GetRandomName -Prefix "key" + Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" + $filePath = "$PSScriptRoot\public.pem" + Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName -OutFile $filePath + $filePath | Should -Exist + } +} + +Describe 
"RemoveAzManagedHsmKey"{ + It "Remove a key from a managed HSM" { + $keyName = GetRandomName -Prefix "key" + $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" + $deletedKey = Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force -PassThru + $deletedKey.Id | Should -Be $key.Id + } + + It "Purge a deleted key from a managed HSM" { + $keyName = GetRandomName -Prefix "key" + Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" + Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force -PassThru + Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -InRemovedState -Force -PassThru + $deletedKey = Get-AzManagedHsmKey -HsmName $hsmName -Name $keyName -InRemovedState + $deletedKey | Should -Be $null + } + + It "Remove keys by using piping" { + Get-AzManagedHsmKey -HsmName $hsmName | Remove-AzManagedHsmKey -Force + $keys = Get-AzManagedHsmKey -HsmName $hsmName + $keys.Count | Should -Be 0 + } +} + +Describe "UpdateAzManagedHsmKey"{ + It "Enable a key and set tags" { + $keyName = GetRandomName -Prefix "key" + $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" -Disable + $Tags = @{'Severity' = 'high'; 'Accounting' = 'true'} + + $updatedKey = Update-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Enable $True -Tag $Tags -PassThru + + $updatedKey.Id | Should -Be $key.Id + $updatedKey.Enabled | Should -Be $True + $updatedKey.Tags.Count | Should -Be 2 + } +} + +Describe "UndoAzManagedHsmKeyRemoval"{ + It "Undo a key removal" { + $keyName = GetRandomName -Prefix "key" + $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" + $deletedKey = Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force -PassThru + $recoveredKey = $deletedKey | Undo-AzManagedHsmKeyRemoval + $recoveredKey.Id | Should -Be $key.Id + } +} + +Describe "BackupAndRetoreAzManagedHsmKey"{ + It "Backup and retore a key" { + $keyName = GetRandomName -Prefix "key" + $key = Add-AzManagedHsmKey -HsmName 
$hsmName -Name $keyName -KeyType "RSA" + $filePath = "$PSScriptRoot/backupkey.blob" + $key | Backup-AzManagedHsmKey -OutputFile $filePath -Force + $filePath | Should -Exist + + Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force + Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -InRemovedState -Force + $restoredKey = Restore-AzManagedHsmKey -HsmName $hsmName -InputFile $filePath + $restoredKey.Id | Should -Be $key.Id + } +} + +# to do: manually remove all stuffs in resource group +# AfterAll { + # $hsm = Get-AzManagedHsm -Name $hsmName + # Remove-AzResourceGroup -Name $hsm.ResourceGroupName -Force +# } \ No newline at end of file diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.ps1 similarity index 90% rename from src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 rename to src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.ps1 index 6e395a6407cd..2a8e8c802a22 100644 --- a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 +++ b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.ps1 @@ -32,9 +32,9 @@ function GetRandomName{ } function ImportModules{ - $psd1Path = Join-Path $PSScriptRoot "../../../../../artifacts/Debug/" -Resolve - $accountsPsd1 = Join-Path $psd1Path "./Az.Accounts/Az.Accounts.psd1" - $keyVaultPsd1 = Join-Path $psd1Path "./Az.KeyVault/Az.KeyVault.psd1" + $psd1Path = Join-Path $PSScriptRoot "../../../../artifacts/Debug/" -Resolve + $accountsPsd1 = Join-Path $psd1Path "./Az.Accounts/Az.Accounts.psd1" -Resolve + $keyVaultPsd1 = Join-Path $psd1Path "./Az.KeyVault/Az.KeyVault.psd1" -Resolve Import-Module $accountsPsd1 Import-Module $keyVaultPsd1 } \ No newline at end of file 
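Review bot: "Remove keys by using piping" pipes every key in `$hsmName` into `Remove-AzManagedHsmKey -Force`, and the import test still targets the fixed name `bezmhsm` instead of `$hsmName`; a mis-set name therefore wipes an HSM this run did not create, so the import line should use `-HsmName $hsmName` and the piping test should first check it is the BeforeAll-created instance, e.g. `$hsmName | Should -BeLike "hsm*"` (matching the prefix GetRandomName uses). `Get-AzManagedHsmKey` is called with `-KeyName $keyName` in the Get tests but with `-Name $keyName` in "Purge a deleted key"; unless `-Name` is an alias, that test fails on parameter binding rather than on behaviour, so use one spelling throughout. The download and backup tests write `public.pem` and `backupkey.blob` into `$PSScriptRoot`, i.e. the source tree, and nothing removes them; write to `[System.IO.Path]::GetTempPath()` and delete them in an AfterAll. The AfterAll that removed the resource group is now commented out behind a "to do", so every run leaves a managed HSM and its resource group behind, and the duplicated "Create an oct key inside a managed HSM" block from the deleted file is carried over unchanged.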
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/sd1.pfx b/src/KeyVault/KeyVault.Test/Resources/testImportKey.pfx similarity index 100% rename from src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/sd1.pfx rename to src/KeyVault/KeyVault.Test/Resources/testImportKey.pfx diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 deleted file mode 100644 index 513b84c2851c..000000000000 --- a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 +++ /dev/null 
@@ -1,74 +0,0 @@ -$here = Split-Path -Parent $MyInvocation.MyCommand.Path -$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.' -. "$here\$sut" - -BeforeAll { - . $PSScriptRoot/ManagedHsmDatePlaneTests.ps1 - ImportModules - $hsmName = GetAzManagedHsm -} - -Describe "AddAzManagedHsmKey" { - It "Create a RSA key inside a managed HSM" { - $keyName = GetRandomName -Prefix "key" - $keyType = "RSA" - $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType - $rsaKey.VaultName | Should -BeExactly $hsmName - $rsaKey.Name | Should -BeExactly $keyName - $rsaKey.Attributes.KeyType | Should -Be "RSA-HSM" - } - - It "Create an EC key with curve P-256 inside a managed HSM" { - $keyName = GetRandomName -Prefix "key" - $keyType = "EC" - $curveName = "P-256" - $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -CurveName $curveName - $rsaKey.VaultName | Should -BeExactly $hsmName - $rsaKey.Name | Should -BeExactly $keyName - $rsaKey.Attributes.KeyType | Should -Be "EC-HSM" - $rsaKey.Key.CurveName | Should -Be $curveName - } - - It "Create an oct key inside a managed HSM" { - $keyName = GetRandomName -Prefix "key" - $keyType = "oct" - $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType - $rsaKey.VaultName | Should -BeExactly $hsmName - $rsaKey.Name | Should -BeExactly $keyName - $rsaKey.Attributes.KeyType | Should -Be "oct-HSM" - } - - It "Create an oct key inside a managed HSM" { - $keyName = GetRandomName -Prefix "key" - $keyType = "oct" - $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType - $rsaKey.VaultName | Should -BeExactly $hsmName - $rsaKey.Name | Should -BeExactly $keyName - $rsaKey.Attributes.KeyType | Should -Be "oct-HSM" - } - - It "Create a key with non-default values inside a managed HSM" { - $keyName = GetRandomName -Prefix "key" - $keyType = "RSA" - $KeyOps = 'decrypt', 'verify' - # Expires & NotBefore is hard to cmpare, may 
add in the furture - $Tags = @{'Severity' = 'high'; 'Accounting' = "true"} - - $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -KeyOps $KeyOps -Disable -Tag $Tags - - $key.Attributes.KeyOps | Should -Be $KeyOps - $key.Tags.Count | Should -Be 2 - $key.Enabled | Should -Be $false - } - - It "Import a RSA key from pfx file into a managed HSM" { - $keyName = GetRandomName -Prefix "key" - $key = Add-AzManagedHsmKey -HsmName bezmhsm -Name $keyName -KeyFilePath $PSScriptRoot/sd1.pfx -KeyFilePassword (ConvertTo-SecureString "Passw0rd" -AsPlainText -Force) - $key.Name | Should -BeExactly $keyName - } -} - -AfterAll { - $hsm = Get-AzManagedHsm -Name $hsmName - Remove-AzResourceGroup -Name $hsm.ResourceGroupName -Force -} \ No newline at end of file diff --git a/src/KeyVault/KeyVault/ChangeLog.md b/src/KeyVault/KeyVault/ChangeLog.md index de98936d679c..fc814aac0e54 100644 --- a/src/KeyVault/KeyVault/ChangeLog.md +++ b/src/KeyVault/KeyVault/ChangeLog.md @@ -19,7 +19,7 @@ --> ## Upcoming Release * Supported creating, removing, updating, getting, restoring, backup and undoing removal key inside managed HSM -* Enabled Managed HSM Management via *-AzKeyVault +* Supported creating, deleting, updating and getting managed HSM ## Version 2.0.0 * Removed two aliases: `New-AzKeyVaultCertificateAdministratorDetails` and `New-AzKeyVaultCertificateOrganizationDetails`