From 091a98de3d670d70dd1c856e5e242fbe8d755ca7 Mon Sep 17 00:00:00 2001
From: Beisi Zhou
Date: Wed, 21 Oct 2020 14:53:19 +0800
Subject: [PATCH] Add pester test for RBAC and full-backup managed HSM
---
 .../ManagedHsmDatePlaneTests.Tests.ps1 | 114 ++++++++++++++++--
 .../KeyVault/help/Backup-AzManagedHsm.md | 2 +-
 .../help/Get-AzManagedHsmRoleDefinition.md | 2 +-
 .../KeyVault/help/Restore-AzManagedHsm.md | 2 +-
 4 files changed, 105 insertions(+), 15 deletions(-)
diff --git a/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
index f9f714ede44a..17dafa82021b 100644
--- a/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
+++ b/src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
@@ -65,37 +65,35 @@ Describe "AddAzManagedHsmKey" { # $keyName = GetRandomName -Prefix "key" # $keyFilePath = Join-Path $PSScriptRoot ../Resources/testImportKey.pfx -Resolve # $keyFilePwd = $null - # $key = Add-AzManagedHsmKey -HsmName bezmhsm -Name $keyName -KeyFilePath $keyFilePath -KeyFilePassword $keyFilePwd + # $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyFilePath $keyFilePath -KeyFilePassword $keyFilePwd # $key.Name | Should -BeExactly $keyName # } } Describe "GetAzManagedHsmKey"{ - It "List all the keys in a managed HSM" { + BeforeEach{ + # Add a key $keyName = GetRandomName -Prefix "key" - Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" + $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" + } + + It "List all the keys in a managed HSM" { $keys = Get-AzManagedHsmKey -HsmName $hsmName $keys.Count | Should -BeGreaterThan 0 } It "Get a specific key in a managed HSM" { - $keyName = GetRandomName -Prefix "key" - $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" $got = Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName $got.Id | Should -Be $key.Id } It "List all the keys that have been deleted in a managed HSM" { - $keyName = GetRandomName -Prefix "key" - $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" - Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName + Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force $deletedKey = Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName -InRemovedState $deletedKey.Id | Should -Be $key.Id } It "Download a key from a managed HSM" { - $keyName = GetRandomName -Prefix "key" - Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" $filePath = "$PSScriptRoot\public.pem" Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName -OutFile $filePath $filePath | Should -Exist 
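Review bot: The new `BeforeEach` in `GetAzManagedHsmKey` creates an RSA key before every `It` but nothing removes it afterwards, so each run of this block leaves one key per test behind in the HSM (the file's own commented-out `AfterAll` notes that cleanup is still manual). An `AfterEach` that removes the key only when it still exists, e.g. `AfterEach { if (Get-AzManagedHsmKey -HsmName $hsmName -KeyName $keyName) { Remove-AzManagedHsmKey -HsmName $hsmName -Name $keyName -Force } }`, would keep the fixture self-cleaning; the guard is needed because the deleted-key test removes its own key, and it assumes `Get-AzManagedHsmKey` returns nothing rather than throwing for a missing key, which is not visible here. The `Download a key` test likewise writes `$PSScriptRoot\public.pem` without deleting it; that `It` body continues past the end of the hunk.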
@@ -150,8 +148,8 @@ Describe "UndoAzManagedHsmKeyRemoval"{ } } -Describe "BackupAndRetoreAzManagedHsmKey"{ - It "Backup and retore a key" { +Describe "BackupAndRestoreAzManagedHsmKey"{ + It "Backup and restore a key" { $keyName = GetRandomName -Prefix "key" $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType "RSA" $filePath = "$PSScriptRoot/backupkey.blob" 
@@ -165,6 +163,98 @@ Describe "BackupAndRetoreAzManagedHsmKey"{ } } +Describe "BackupAndRestoreAzManagedHsm"{ + BeforeEach{ + $sasToken = ConvertTo-SecureString -AsPlainText -Force "?sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-10-21T13:11:01Z&st=2020-10-21T05:11:01Z&spr=https&sig=******" + $containerUri = "https://{accountName}.blob.core.windows.net/{containerName}" + } + + It "Backup a managed HSM" { + $uri = Backup-AzManagedHsm -Name $hsmName -StorageContainerUri $containerUri -SasToken $sasToken + $uri | Should -Not -Be $null + } + + It "Restore a managed HSM" { + $restoreResult = Restore-AzManagedHsm -Name $hsmName -StorageContainerUri $containerUri -BackupFolder "mhsm-$hsmName-2020102105402658" -SasToken $sasToken -PassThru + $restoreResult | Should -Be $True + } +} + +Describe "GetAzManagedHsmRoleDefinition"{ + It "List all the roles at '/keys' scope" { + $roles = Get-AzManagedHsmRoleDefinition -HsmName $hsmName -Scope "/keys" + $roles.Count | Should -BeGreaterThan 0 + } + + It "Get a specific role" { + $backupRole = Get-AzManagedHsmRoleDefinition -HsmName $hsmName -RoleDefinitionName "managed hsm backup" + $backupRole | Should -Not -Be $null + $backupRole.Permissions | Should -Not -Be $null + $backupRole.Permissions.AllowedDataActions | Should -Not -Be $null + } +} + +Describe "NewAzManagedHsmRoleAssignment"{ + BeforeEach{ + $signInName = "user@microsoft.com" + $roleDefinitionName = "Managed HSM Backup" + # Clean role + $roleAssignment = Get-AzManagedHsmRoleAssignment -HsmName $hsmName -RoleDefinitionName $roleDefinitionName -SignInName $signInName + if($roleAssignment){ + Remove-AzManagedHsmRoleAssignment -HsmName $hsmName -RoleDefinitionName $roleDefinitionName -SignInName $signInName + } + } + + It "Assign a role to user" { + # Assign role + $roleAssignment = New-AzManagedHsmRoleAssignment -HsmName $hsmName -RoleDefinitionName $roleDefinitionName -SignInName $signInName + $roleAssignment | Should -Not -Be $null + $roleAssignment.RoleDefinitionName 
| Should -Be $roleDefinitionName + } +} + +Describe "RemoveAzManagedHsmRoleAssignment"{ + BeforeEach{ + # Assign role + $signInName = "user@microsoft.com" + $roleDefinitionName = "Managed HSM Backup" + $roleAssignment = Get-AzManagedHsmRoleAssignment -HsmName $hsmName -RoleDefinitionName $roleDefinitionName -SignInName $signInName + if(!$roleAssignment){ + $roleAssignment = New-AzManagedHsmRoleAssignment -HsmName $hsmName -RoleDefinitionName $roleDefinitionName -SignInName $signInName + } + } + + It "Revoke a role from user at '/keys' scope" { + Remove-AzManagedHsmRoleAssignment -HsmName $hsmName -RoleDefinitionName $roleDefinitionName -SignInName $signInName -Scope "/keys" + $roleAssignment = Get-AzManagedHsmRoleAssignment -HsmName $hsmName -RoleDefinitionName $roleDefinitionName -SignInName $signInName + $roleAssignment | Should -Be $null + } +} + +Describe "GetAzManagedHsmRoleAssignment"{ + BeforeEach{ + # Assign role + $signInName = "user@microsoft.com" + $roleDefinitionName = "Managed HSM Backup" + $roleAssignment = Get-AzManagedHsmRoleAssignment -HsmName $hsmName -RoleDefinitionName $roleDefinitionName -SignInName $signInName + if(!$roleAssignment){ + $roleAssignment = New-AzManagedHsmRoleAssignment -HsmName $hsmName -RoleDefinitionName $roleDefinitionName -SignInName $signInName + } + } + + It "List all role assignmentss in a managed HSM" { + $roleAssignments = Get-AzManagedHsmRoleAssignment -HsmName $hsmName + $roleAssignments | Should -Not -Be $null + $roleAssignments.Count | Should -BeGreaterThan 0 + } + + It "List a user's role assignments in a managed HSM on '/keys' scope" { + $roleAssignments = Get-AzManagedHsmRoleAssignment -HsmName $hsmName -SignInName $signInName -Scope "/keys" + $roleAssignments | Should -Not -Be $null + $roleAssignments.Count | Should -BeGreaterThan 0 + } +} + # to do: manually remove all stuffs in resource group # AfterAll { # $hsm = Get-AzManagedHsm -Name $hsmName 
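Review bot: The `BeforeEach` of `BackupAndRestoreAzManagedHsm` embeds a literal SAS token string (already expired per its `se=` field) together with placeholder `{accountName}`/`{containerName}` values, so the two backup/restore tests cannot run as committed and the pattern keeps credential material in source; read the token from the environment instead, `$sasToken = ConvertTo-SecureString -AsPlainText -Force $env:<SAS_TOKEN_VAR>` (variable name to be chosen), and populate `$containerUri` the same way. The restore test also pins `-BackupFolder "mhsm-$hsmName-2020102105402658"`, a folder that exists only in one particular storage account; capturing the URI returned by `Backup-AzManagedHsm` in a script-scoped variable and deriving the folder from it would make the pair self-contained. In `RemoveAzManagedHsmRoleAssignment` the setup calls `New-AzManagedHsmRoleAssignment` without `-Scope` while the test revokes with `-Scope "/keys"`; unless the cmdlet's default scope is `/keys` (not visible here) the setup and the revoke address different assignments, so both calls should pass the same `-Scope`. Minor: the It name `List all role assignmentss` has a doubled s, and `Should -Be $null` is more idiomatically written `Should -BeNullOrEmpty`.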
diff --git a/src/KeyVault/KeyVault/help/Backup-AzManagedHsm.md b/src/KeyVault/KeyVault/help/Backup-AzManagedHsm.md index 99658d17bbe0..7a79ba14bb39 100644 --- a/src/KeyVault/KeyVault/help/Backup-AzManagedHsm.md +++ b/src/KeyVault/KeyVault/help/Backup-AzManagedHsm.md @@ -46,7 +46,7 @@ Use `Restore-AzManagedHsm` to restore the backup. ```powershell PS C:\> $sasToken = ConvertTo-SecureString -AsPlainText -Force "?sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-10-12T14:42:19Z&st=2020-10-12T06:42:19Z&spr=https&sig=******" -PS C:\> Backup-AzManagedHsm -Name myHsm -BlobStorageUri "https://{accountName}.blob.core.windows.net/{containerName}" -SasToken $sasToken +PS C:\> Backup-AzManagedHsm -Name myHsm -StorageContainerUri "https://{accountName}.blob.core.windows.net/{containerName}" -SasToken $sasToken https://{accountName}.blob.core.windows.net/{containerName}/{backupFolder} ``` diff --git a/src/KeyVault/KeyVault/help/Get-AzManagedHsmRoleDefinition.md b/src/KeyVault/KeyVault/help/Get-AzManagedHsmRoleDefinition.md index 565445317bde..3053501dd9e8 100644 --- a/src/KeyVault/KeyVault/help/Get-AzManagedHsmRoleDefinition.md +++ b/src/KeyVault/KeyVault/help/Get-AzManagedHsmRoleDefinition.md @@ -48,7 +48,7 @@ The example lists all the roles at "/keys" scope. ### Example 2 ```powershell -PS C:\> $backupRole = Get-AzManagedHsmRoleDefinition -HsmName bezmhsm -RoleDefinitionName "managed hsm backup" +PS C:\> $backupRole = Get-AzManagedHsmRoleDefinition -HsmName myHsm -RoleDefinitionName "managed hsm backup" PS C:\> $backupRole.Permissions diff --git a/src/KeyVault/KeyVault/help/Restore-AzManagedHsm.md b/src/KeyVault/KeyVault/help/Restore-AzManagedHsm.md index 965324f7395b..3fba4c0300be 100644 --- a/src/KeyVault/KeyVault/help/Restore-AzManagedHsm.md +++ b/src/KeyVault/KeyVault/help/Restore-AzManagedHsm.md 
@@ -47,7 +47,7 @@ Use `Backup-AzManagedHsm` to backup. ### Example 1 ```powershell PS C:\> $sasToken = ConvertTo-SecureString -AsPlainText -Force "?sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-10-12T14:42:19Z&st=2020-10-12T06:42:19Z&spr=https&sig=******" -PS C:\> Restore-AzManagedHsm -Name myHsm -BlobStorageUri "https://{accountName}.blob.core.windows.net/{containerName}" -BackupFolder "mhsm-myHsm-2020101308504935" -SasToken $sasToken +PS C:\> Restore-AzManagedHsm -Name myHsm -StorageContainerUri "https://{accountName}.blob.core.windows.net/{containerName}" -BackupFolder "mhsm-myHsm-2020101308504935" -SasToken $sasToken ``` The example restores a backup stored in a folder named "mhsm-myHsm-2020101308504935" of a storage container "https://{accountName}.blob.core.windows.net/{containerName}".