KeyVault improvements #5654
KeyVault improvements #5654
Conversation
dragav
left a comment
dragav
left a comment
There was a problem hiding this comment.
Many thanks for the thorough refreshing of the KV cmdlets. :-)
| HelpMessage = "Specifies the email address of the contact.")] | ||
| [ValidateNotNullOrEmpty] | ||
| public string EmailAddress { get; set; } | ||
| public string[] EmailAddress { get; set; } |
There was a problem hiding this comment.
I assume this is marked as a breaking change.
There was a problem hiding this comment.
@dragav For PowerShell, this is not a breaking change - this parameter will bind to a string or a list of strings.
| VaultName = parsedResourceId.ResourceName; | ||
| } | ||
|
|
||
| foreach (String email in EmailAddress) |
There was a problem hiding this comment.
This seems inefficient; we shouldn't have to make an outbound call to the service to get the current contacts for each email address. Furthermore, the cmdlet should validate the input list of emails does not contain duplicates before making an (expensive) service call. I would suggest adding the emails to a hashset, then merging the hashset into the existing contact list, skipping pre-existing, duplicate contacts.
There was a problem hiding this comment.
Good catch - does this fix look better?
| /// Vault name | ||
| /// </summary> | ||
| [Parameter(Mandatory = true, | ||
| [Parameter(Mandatory = false, |
There was a problem hiding this comment.
I'm trying to understand the behavior of the cmdlet after this change. We should be able to:
- retrieve a vault by name (alone) -> name is required
- list the vaults in a resource group -> name is optional, rg name is optional but indicates a scoped search
- list the vaults in a subscription -> no parameters required
Does your change guarantee this behavior?
There was a problem hiding this comment.
Yes. By making VaultName option in the GetVault parameter set, I have enable the user to pass in just the resourcegroupname using this parameter. Thus, the parameter set with just resourcegroupname set as mandatory is no longer needed. Check out the help file to see the change a little more clearly if you still have questions.
|
|
||
| private const string InputObjectByVaultNameParameterSet = "ByNameInputObject"; | ||
| private const string InputObjectByCertificateNameandVersionParameterSet = "ByCertificateNameAndVersionInputObject"; | ||
| private const string InputObjectByCertificateVersionsParameterSet = "ByCertificateAllVersionsInputObject"; |
There was a problem hiding this comment.
What is the scenario that gets a certificate given an input of a) list of certificate versions or b) a certificate itself?
There was a problem hiding this comment.
There was never a scenario where the cmdlet accepted a list of versions, only a single version. Is this a scenario we want to enable? Additionally, why would we want to pass in a certificate itself to a get cmdlet? If we have the certificate, it seems unlikely we'd want to "get" it again. All I have done here is remodel the parameter sets so that we could eliminate one unnecessary extra parameter set (see the help file for the new syntax), and add an "inputobject" parameter set for each existing parameter set that would accept a vault object instead of a vault name.
There was a problem hiding this comment.
I wasn't suggesting any new scenario; it seemed odd to me to have an "cert all versions input object" parameter set - it implied that "cert all versions" can be the input. Thanks for clarifying.
| ParameterSetName = InputObjectByCertificateNameandVersionParameterSet, | ||
| Position = 0, | ||
| ValueFromPipeline = true, | ||
| HelpMessage = "KeyVault object.")] |
There was a problem hiding this comment.
I think this is confusing. The only supported input object should be a vault identifier or a vault. Accepting any other object merely to extract the vault name is misleading as to what the cmdlet returns. Did I misunderstand the effect of this change?
There was a problem hiding this comment.
This inputobject accepts a vault, and extracts the needed information from that vault object. Does that answer your question?
There was a problem hiding this comment.
Yes, thank you for the clarification.
| /// </summary> | ||
| [Parameter( Mandatory = false, | ||
| HelpMessage = "Permanently remove the previously deleted certificate." )] | ||
| [Parameter(Mandatory = false, |
There was a problem hiding this comment.
(nitpick) I've seen that elsewhere in this changeset the InRemovedState parameter was marked as mandatory for the 'deleted' parameter set. Here it seems to be missing. Would you consider adding the 'deleted' parameter set to this cmdlet as well, and maintain consistency with other cmdlets?
There was a problem hiding this comment.
So here, -InRemovedState is optional because the user can use the parameter set to either delete an existing certificate (if -inremovedstate is not specified) or to purge a deleted certificate (if -inremovedstate is specified). I could split this into two parameter sets, but there is not reason to as both deleting and purging certificates take the same parameters. Does that make sense? Remove-Key and Remove-Secret are also formatted like this, and were in the past.
| public override void ExecuteCmdlet() | ||
| { | ||
| if (ShouldProcess(EmailAddress, Properties.Resources.RemoveCertificateContact)) | ||
| foreach (string email in EmailAddress) |
There was a problem hiding this comment.
Same observation as in the matching AddCertContact cmdlet - consider storing the input email addresses in a hashset, making a single call to the service to retrieve the contacts, and then updating the contacts in a single pass.
There was a problem hiding this comment.
Good call, fixed.
| HelpMessage = "Input file. The input file containing the backed-up blob")] | ||
| [ValidateNotNullOrEmpty] | ||
| public string InputFile { get; set; } | ||
| public string[] InputFile { get; set; } |
There was a problem hiding this comment.
Why an array? Is there a scenario that requires the batching of multiple Restore cmdlets in a single one? I get the convenience factor, but I'm concerned that error scenarios will lead to confusion: what was restored, which one failed and why, and do we continue on error or stop at the first one?
There was a problem hiding this comment.
Okay, if you believe this scenario will cause more confusion then convenience then I will remove - I simply was adding arrays where I thought it might be useful to customers, but you have a better idea of where it is actually useful.
| ParameterSetName = InputObjectByEmailAddress, | ||
| ValueFromPipelineByPropertyName = true, | ||
| HelpMessage = "Specifies certificate operation permissions to grant to a user or service principal.")] | ||
| [ValidateSet("get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover", "purge", "all")] |
There was a problem hiding this comment.
As an aside, we wanted to deprecate 'all' as a permission for some time. Since this is a deprecating change, we should just remove it with this commit. If you'd rather not, that's perfectly fine - we'll follow up. Thanks.
There was a problem hiding this comment.
This is not a breaking change, but we should deprecate anything we would like to remove at the next breaking change release
There was a problem hiding this comment.
I will add this to the list of breaking change and take care of it with the breaking change release, and the deprecation with the next PR where I will add deprecation to other upcoming breaking changes. Do you want "all" removed from each validateset, or only from "PermissionsToCertificates"?
There was a problem hiding this comment.
All occurrences of "All" as a permission should be removed. Thanks.
There was a problem hiding this comment.
Added to list of breaking changes - will be included in my next PR.
| [Parameter(Mandatory = true, | ||
| ValueFromPipelineByPropertyName = true, | ||
| ParameterSetName = ExpandedRenewNumberParameterSet, | ||
| HelpMessage = "Specifies the number of days after which the automatic process for the certificate renewal begins.")] |
There was a problem hiding this comment.
"the number of days before expiration when automatic renewal should start".
| VaultName = parsedResourceId.ResourceName; | ||
| } | ||
|
|
||
| foreach (String email in EmailAddress) |
There was a problem hiding this comment.
Good catch - does this fix look better?
| /// Vault name | ||
| /// </summary> | ||
| [Parameter(Mandatory = true, | ||
| [Parameter(Mandatory = false, |
There was a problem hiding this comment.
Yes. By making VaultName option in the GetVault parameter set, I have enable the user to pass in just the resourcegroupname using this parameter. Thus, the parameter set with just resourcegroupname set as mandatory is no longer needed. Check out the help file to see the change a little more clearly if you still have questions.
| ParameterSetName = InputObjectByCertificateNameandVersionParameterSet, | ||
| Position = 0, | ||
| ValueFromPipeline = true, | ||
| HelpMessage = "KeyVault object.")] |
There was a problem hiding this comment.
This inputobject accepts a vault, and extracts the needed information from that vault object. Does that answer your question?
|
|
||
| private const string InputObjectByVaultNameParameterSet = "ByNameInputObject"; | ||
| private const string InputObjectByCertificateNameandVersionParameterSet = "ByCertificateNameAndVersionInputObject"; | ||
| private const string InputObjectByCertificateVersionsParameterSet = "ByCertificateAllVersionsInputObject"; |
There was a problem hiding this comment.
There was never a scenario where the cmdlet accepted a list of versions, only a single version. Is this a scenario we want to enable? Additionally, why would we want to pass in a certificate itself to a get cmdlet? If we have the certificate, it seems unlikely we'd want to "get" it again. All I have done here is remodel the parameter sets so that we could eliminate one unnecessary extra parameter set (see the help file for the new syntax), and add an "inputobject" parameter set for each existing parameter set that would accept a vault object instead of a vault name.
| break; | ||
|
|
||
| case ByVaultNameParameterSet: | ||
| if (!string.IsNullOrEmpty(Version)) |
There was a problem hiding this comment.
If you go through each of these if statements, each one covers one case that you list above. I had to change to this structure because of the additional "inputobject" parameter sets.
| /// </summary> | ||
| [Parameter( Mandatory = false, | ||
| HelpMessage = "Permanently remove the previously deleted certificate." )] | ||
| [Parameter(Mandatory = false, |
There was a problem hiding this comment.
So here, -InRemovedState is optional because the user can use the parameter set to either delete an existing certificate (if -inremovedstate is not specified) or to purge a deleted certificate (if -inremovedstate is specified). I could split this into two parameter sets, but there is not reason to as both deleting and purging certificates take the same parameters. Does that make sense? Remove-Key and Remove-Secret are also formatted like this, and were in the past.
| public override void ExecuteCmdlet() | ||
| { | ||
| if (ShouldProcess(EmailAddress, Properties.Resources.RemoveCertificateContact)) | ||
| foreach (string email in EmailAddress) |
There was a problem hiding this comment.
Good call, fixed.
| HelpMessage = "Input file. The input file containing the backed-up blob")] | ||
| [ValidateNotNullOrEmpty] | ||
| public string InputFile { get; set; } | ||
| public string[] InputFile { get; set; } |
There was a problem hiding this comment.
Okay, if you believe this scenario will cause more confusion then convenience then I will remove - I simply was adding arrays where I thought it might be useful to customers, but you have a better idea of where it is actually useful.
| HelpMessage = "Input file. The input file containing the backed-up blob" )] | ||
| [ValidateNotNullOrEmpty] | ||
| public string InputFile { get; set; } | ||
| public string[] InputFile { get; set; } |
There was a problem hiding this comment.
Removed the array here as well - let me know if you think it should be added back here.
| ParameterSetName = InputObjectByEmailAddress, | ||
| ValueFromPipelineByPropertyName = true, | ||
| HelpMessage = "Specifies certificate operation permissions to grant to a user or service principal.")] | ||
| [ValidateSet("get", "list", "delete", "create", "import", "update", "managecontacts", "getissuers", "listissuers", "setissuers", "deleteissuers", "manageissuers", "recover", "purge", "all")] |
There was a problem hiding this comment.
I will add this to the list of breaking change and take care of it with the breaking change release, and the deprecation with the next PR where I will add deprecation to other upcoming breaking changes. Do you want "all" removed from each validateset, or only from "PermissionsToCertificates"?
| /// Key version. | ||
| /// </summary> | ||
| [Parameter(Mandatory = false, | ||
| [Parameter(Mandatory = true, |
There was a problem hiding this comment.
@maddieclayton do you know if this parameter set worked without providing the Version parameter before?
There was a problem hiding this comment.
Same q. Are we breaking any existing scenarios?
There was a problem hiding this comment.
If you look at the help file, I added an optional "Name" parameter to the first parameter set, which will take care of the case where -Version is not provided to this parameter set. This leaves all scenarios working, and I believed that the parameter sets made more sense.
| /// Secret version | ||
| /// </summary> | ||
| [Parameter(Mandatory = false, | ||
| [Parameter(Mandatory = true, |
There was a problem hiding this comment.
@maddieclayton do you know if this parameter set worked before without providing the Version parameter?
There was a problem hiding this comment.
Same comment here. I added an optional "Name" parameter to the first parameter set, which will take care of the case where -Version is not provided to this parameter set. This leaves all scenarios working, and I believed that the parameter sets made more sense.
| /// </summary> | ||
| [Parameter(Mandatory = true, | ||
| Position = 2, | ||
| ValueFromPipelineByPropertyName = true, |
There was a problem hiding this comment.
Good call, thanks for the catch.
| /// If present, operate on the deleted vault entity. | ||
| /// </summary> | ||
| [Parameter(Mandatory = false, | ||
| [Parameter(Mandatory = true, |
There was a problem hiding this comment.
@maddieclayton do we know if this parameter set worked previously if the user did not provide InRemovedState?
There was a problem hiding this comment.
If they provided all the parameters except -InRemovedState, it would default to the first parameter set, because the first is the default and contains all the parameters in the second.
| ValueFromPipeline = true, | ||
| ParameterSetName = ImportWithPrivateKeyFromCollectionParameterSet, | ||
| HelpMessage = "Specifies the certificate collection to add to key vault.")] | ||
| [Alias("InputObject")] |
There was a problem hiding this comment.
@maddieclayton any reason we don't want to call this parameter InputObject with an alias to CertificateCollection like we do for all other cmdlets?
There was a problem hiding this comment.
Deleting alias as it doesn't really make sense in this context.
| HelpMessage = "Specifies the certificate issuer to set.")] | ||
| [ValidateNotNullOrEmpty] | ||
| public KeyVaultCertificateIssuer Issuer { get; set; } | ||
| public PSKeyVaultCertificateIssuerIdentityItem Issuer { get; set; } |
There was a problem hiding this comment.
@maddieclayton do we want to name this InputObject with an alias to Issuer?
| @@ -1,4 +1,4 @@ | |||
| --- | |||
There was a problem hiding this comment.
@maddieclayton it looks like the underlying call for this cmdlet is a PATCH, so we should look at renaming this cmdlet to Update-AzureKeyVaultCertificateAttribute with an alias to Set-*
There was a problem hiding this comment.
Please don't do this. There is no separate command for adding or importing a secret - Set fits the intended profile here.
There was a problem hiding this comment.
I'm going to skip doing these aliases for now and we will discuss again for the breaking change PR - I think some of these aliases might make sense while others do not.
| @@ -1,4 +1,4 @@ | |||
| --- | |||
There was a problem hiding this comment.
@maddieclayton same comment about this call being a PATCH, so we should change the verb to Update
There was a problem hiding this comment.
Same comment as above - there is no Add-Policy, and we don't want one. A Set creates the policy if missing, and overwrites it if existing.
| @@ -1,4 +1,4 @@ | |||
| --- | |||
There was a problem hiding this comment.
@maddieclayton same comment about this call being a PATCH, so we should change the verb to Update
| @@ -1,4 +1,4 @@ | |||
| --- | |||
There was a problem hiding this comment.
@maddieclayton same comment about this call being a PATCH, so we should change the verb to Update
There was a problem hiding this comment.
Going to rename to Update-AzureKeyVaultSecret as I will combine this with Set-AzureKeyVaultSecret at the breaking change release and I don't want to aliases to get out of control.
markcowl
left a comment
markcowl
left a comment
There was a problem hiding this comment.
a couple of questions and potential changes
| /// </summary> | ||
| [Parameter(Mandatory = false, | ||
| Position = 1, | ||
| ValueFromPipelineByPropertyName = true, |
There was a problem hiding this comment.
We should be removing these valuefrompipelinebypropertyname for the interactive parameter sets, right? I assume this is happening in the breaking change update.
There was a problem hiding this comment.
Yes, this will be happening for the breaking change update.
| /// Key version. | ||
| /// </summary> | ||
| [Parameter(Mandatory = false, | ||
| [Parameter(Mandatory = true, |
There was a problem hiding this comment.
Same q. Are we breaking any existing scenarios?
| ParameterSetName = DNSNamesParameterSet, | ||
| ValueFromPipelineByPropertyName = true, | ||
| HelpMessage = "Specifies the DNS names in the certificate.")] | ||
| public List<string> DnsNames { get; set; } |
There was a problem hiding this comment.
should rename as DnsName, with alias to old name DnsNames (and deprecate)
There was a problem hiding this comment.
Why? This parameter does take a list..
There was a problem hiding this comment.
@dragav it comes from the Strongly Encouraged Developer Guidelines for PowerShell cmdlets:
Avoid using plural names for parameters whose value is a single element. This includes parameters that take arrays or lists because the user might supply an array or list with only one element.
There was a problem hiding this comment.
I disagree. We don't have a parameter called "PermissionToSecrets" - plural is appropriate here as it conveys the fact that the certificate accepts an enumeration of DNS names. Having a suggestively named parameter outweighs a convention based solely on the parameter's type.
There was a problem hiding this comment.
@dragav I agree that this convention is silly, but it is one that we enforce for new changes across all modules and one that has been brought up by users numerous times (e.g., this issue).
Going back to the guidelines mentioned above, as long as the user can provide a single object to the list/array parameter, than the parameter noun should be singular. If, however, you can do extra validation to ensure that the user always provides more than one object, then having a plural noun is allowed:
Plural parameter names should be used only in those cases where the value of the parameter is always a multiple-element value. In these cases, the cmdlet should verify that multiple elements are supplied, and the cmdlet should display a warning to the user if multiple elements are not supplied.
Description
#5496
Checklist
CONTRIBUTING.mdplatyPSmodule