Kv2018 acl update

azure-mgmt-keyvault/src/main/java/com/microsoft/azure/management/keyvault/AccessPolicy.java

@@ -223,7 +223,7 @@ interface WithPermissions<ParentT> {
             /**
              * Allow all permissions for the Ad identity to access storage.
              * 
-             * @param the next stage of access policy definition
+             * @return the next stage of access policy definition
              */
             @Method
             WithAttach<ParentT> allowStorageAllPermissions();

azure-mgmt-keyvault/src/main/java/com/microsoft/azure/management/keyvault/Vault.java

@@ -108,6 +108,14 @@ public interface Vault extends
      */
     @Beta(SinceVersion.V1_11_0)
     CreateMode createMode();
+
+    /**
+     * Get the networkAcls value.
+     * 
+     * @return the networkAcls value
+     */
+    @Beta(SinceVersion.V1_11_0)
+    NetworkRuleSet networkRuleSet();
 
     /**************************************************************
      * Fluent interfaces to provision a Vault
@@ -179,6 +187,75 @@ interface WithAccessPolicy {
             @Method
             AccessPolicy.DefinitionStages.Blank<WithCreate> defineAccessPolicy();
         }
+
+        /**
+         * A key vault definition allowing the networkAcl to be set.
+         */
+        interface WithNetworkRuleSet {
+
+            /**
+             * Specifies that by default access to key vault should be allowed from all networks.
+             *
+             * @return the next stage of key vault definition
+             */
+            WithCreate withAccessFromAllNetworks();
+
+            /**
+             * Specifies that by default access to key vault should be denied from all networks.
+             * except from those networks specified via withVirtualNetworkRules, 
+             * withAccessFromIpAddressRange, withAccessFromIpAddress
+             * 
+             * @return the next stage of key vault definition
+             */
+            WithCreate withAccessFromSelectedNetworks();
+
+            /**
+             * Specifies that access to the key vault from the specific ip address should be allowed.
+             * 
+             * @param ipAddress the ip address
+             * @return the next stage of key vault definition
+             */
+            WithCreate withAccessFromIpAddress(String ipAddress);
+
+            /**
+             * Specifies that access to the key vault from the specific ip range should be allowed.
+             * @param ipAddressCidr
+             * @return the next stage of key vault definition
+             */
+            WithCreate withAccessFromIpAddressRange(String ipAddressCidr);
+
+            /**
+             * Specifies that access to the key vault should be allowed from applications running on 
+             * Microsoft azure services.
+             * 
+             * @return the next stage of key vault definition.
+             */
+            WithCreate withAccessFromAzureServices();
+
+            /**
+             * Set the bypass value.
+             *
+             * @param bypass the bypass value to set
+             * @return the next stage of key vault definition.
+             */
+            WithCreate withBypass(NetworkRuleBypassOptions bypass);
+
+            /**
+             * Set the defaultAction value.
+             *
+             * @param defaultAction the defaultAction value to set
+             * @return the next stage of key vault definition.
+             */
+            WithCreate withDefaultAction(NetworkRuleAction defaultAction);
+
+            /**
+             * Get the virtualNetworkRules value.
+             *
+             * @return the next stage of key vault definition.
+             */
+            WithCreate withVirtualNetworkRules(List<VirtualNetworkRule> virtualNetworkRules);
+
+        }
 
         /**
          * A key vault definition allowing various configurations to be set.
@@ -252,6 +329,7 @@ interface WithCreate extends
             Creatable<Vault>,
             GroupableResource.DefinitionWithTags<WithCreate>,
             DefinitionStages.WithSku,
+            DefinitionStages.WithNetworkRuleSet,
             DefinitionStages.WithConfigurations,
             DefinitionStages.WithAccessPolicy {
         }
@@ -298,6 +376,75 @@ interface WithAccessPolicy {
             AccessPolicy.Update updateAccessPolicy(String objectId);
         }
 
+        /**
+         * A key vault update allowing the NetworkRuleSet to be set.
+         */
+        interface WithNetworkRuleSet {
+
+            /**
+             * Specifies that by default access to key vault should be allowed from all networks.
+             *
+             * @return the next stage of key vault definition
+             */
+            Update withAccessFromAllNetworks();
+
+            /**
+             * Specifies that by default access to key vault should be denied from all networks.
+             * except from those networks specified via withVirtualNetworkRules, withAccessFromIpAddressRange
+             * withAccesFromIpAddress
+             * 
+             * @return the update stage of key vault definition
+             */
+            Update withAccessFromSelectedNetworks();
+
+            /**
+             * Specifies that access to the key vault from the specific ip address should be allowed.
+             * 
+             * @param ipAddress the ip address
+             * @return the update stage of key vault definition
+             */
+            Update withAccessFromIpAddress(String ipAddress);
+
+            /**
+             * Specifies that access to the key vault from the specific ip range should be allowed.
+             * @param ipAddressCidr the idAddress range in Cidr format
+             * @return the update stage of key vault definition
+             */
+            Update withAccessFromIpAddressRange(String ipAddressCidr);
+
+            /**
+             * Specifies that access to the key vault should be allowed from applications running on 
+             * Microsoft azure services.
+             * 
+             * @return the update stage of key vault definition.
+             */
+            Update withAccessFromAzureServices();
+
+            /**
+             * Set the bypass value.
+             *
+             * @param bypass the bypass value to set
+             * @return the update stage of key vault definition.
+             */
+            Update withBypass(NetworkRuleBypassOptions bypass);
+
+            /**
+             * Set the defaultAction value.
+             *
+             * @param defaultAction the defaultAction value to set
+             * @return the update stage of key vault definition.
+             */
+            Update withDefaultAction(NetworkRuleAction defaultAction);
+
+            /**
+             * Get the virtualNetworkRules value.
+             * 
+             * @param virtualNetworkRules virtual network rules
+             * @return the update stage of key vault definition.
+             */
+            Update withVirtualNetworkRules(List<VirtualNetworkRule> virtualNetworkRules);
+        }
+
         /**
          * A key vault update allowing various configurations to be set.
          */
@@ -369,6 +516,7 @@ interface Update extends
             GroupableResource.UpdateWithTags<Update>,
             Appliable<Vault>,
             UpdateStages.WithAccessPolicy,
+            UpdateStages.WithNetworkRuleSet,
             UpdateStages.WithConfigurations {
     }
 }

azure-mgmt-keyvault/src/main/java/com/microsoft/azure/management/keyvault/implementation/VaultImpl.java

@@ -20,13 +20,18 @@
 import com.microsoft.azure.management.keyvault.AccessPolicy;
 import com.microsoft.azure.management.keyvault.AccessPolicyEntry;
 import com.microsoft.azure.management.keyvault.CreateMode;
+import com.microsoft.azure.management.keyvault.IPRule;
 import com.microsoft.azure.management.keyvault.Keys;
+import com.microsoft.azure.management.keyvault.NetworkRuleAction;
+import com.microsoft.azure.management.keyvault.NetworkRuleBypassOptions;
+import com.microsoft.azure.management.keyvault.NetworkRuleSet;
 import com.microsoft.azure.management.keyvault.Secrets;
 import com.microsoft.azure.management.keyvault.Sku;
 import com.microsoft.azure.management.keyvault.SkuName;
 import com.microsoft.azure.management.keyvault.Vault;
 import com.microsoft.azure.management.keyvault.VaultCreateOrUpdateParameters;
 import com.microsoft.azure.management.keyvault.VaultProperties;
+import com.microsoft.azure.management.keyvault.VirtualNetworkRule;
 import com.microsoft.azure.management.resources.fluentcore.arm.models.implementation.GroupableResourceImpl;
 import com.microsoft.azure.management.resources.fluentcore.utils.SdkContext;
 import com.microsoft.azure.management.resources.fluentcore.utils.Utils;
@@ -331,4 +336,99 @@ public CreateMode createMode() {
         return inner().properties().createMode();
     }
 
+
+    @Override
+    public NetworkRuleSet networkRuleSet() {
+        return inner().properties().networkAcls();
+    }
+
+    @Override
+    public VaultImpl withAccessFromAllNetworks() {
+        if (inner().properties().networkAcls() == null) {
+            inner().properties().withNetworkAcls(new NetworkRuleSet());
+        }
+        inner().properties().networkAcls().withDefaultAction(NetworkRuleAction.ALLOW);
+        return this;
+    }
+
+    @Override
+    public VaultImpl withAccessFromSelectedNetworks() {
+        if (inner().properties().networkAcls() == null) {
+            inner().properties().withNetworkAcls(new NetworkRuleSet());
+        }
+        inner().properties().networkAcls().withDefaultAction(NetworkRuleAction.DENY);
+        return this;
+    }
+
+    /**
+     * Specifies that access to the storage account should be allowed from the given ip address or ip address range.
+     *
+     * @param ipAddressOrRange the ip address or ip address range in cidr format
+     * @return VaultImpl
+     */
+    private VaultImpl withAccessAllowedFromIpAddressOrRange(String ipAddressOrRange) {
+        NetworkRuleSet networkRuleSet = inner().properties().networkAcls();
+        if (networkRuleSet.ipRules() == null) {
+            networkRuleSet.withIpRules(new ArrayList<IPRule>());
+        }
+        boolean found = false;
+        for (IPRule rule: networkRuleSet.ipRules()) {
+            if (rule.value().equalsIgnoreCase(ipAddressOrRange)) {
+                found = true;
+                break;
+            }
+        }
+        if (!found) {
+            networkRuleSet.ipRules().add(new IPRule()
+                    .withValue(ipAddressOrRange));
+        }
+        return this;
+    }
+
+    @Override
+    public VaultImpl withAccessFromIpAddress(String ipAddress) {
+        return withAccessAllowedFromIpAddressOrRange(ipAddress);
+    }
+
+    @Override
+    public VaultImpl withAccessFromIpAddressRange(String ipAddressCidr) {
+        return withAccessAllowedFromIpAddressOrRange(ipAddressCidr);
+    }
+
+    @Override
+    public VaultImpl withAccessFromAzureServices() {
+        if (inner().properties().networkAcls() == null) {
+            inner().properties().withNetworkAcls(new NetworkRuleSet());
+        }
+        inner().properties().networkAcls().withBypass(NetworkRuleBypassOptions.AZURE_SERVICES);
+        return this;
+    }
+
+    @Override
+    public VaultImpl withBypass(NetworkRuleBypassOptions bypass) {
+        if (inner().properties().networkAcls() == null) {
+            inner().properties().withNetworkAcls(new NetworkRuleSet());
+        }
+        inner().properties().networkAcls().withBypass(bypass);
+        return this;
+    }
+
+    @Override
+    public VaultImpl withDefaultAction(NetworkRuleAction defaultAction) {
+        if (inner().properties().networkAcls() == null) {
+            inner().properties().withNetworkAcls(new NetworkRuleSet());
+        }
+        inner().properties().networkAcls().withDefaultAction(defaultAction);
+        return this;
+    }
+
+    @Override
+    public VaultImpl withVirtualNetworkRules(List<VirtualNetworkRule> virtualNetworkRules) {
+        if (inner().properties().networkAcls() == null) {
+            inner().properties().withNetworkAcls(new NetworkRuleSet());
+        }
+        inner().properties().networkAcls().withVirtualNetworkRules(virtualNetworkRules);
+        return this;
+    }
+
 }

azure-mgmt-keyvault/src/test/java/com/microsoft/azure/management/keyvault/VaultTests.java

@@ -6,6 +6,7 @@
 
 package com.microsoft.azure.management.keyvault;
 
+import java.util.Arrays;
 import java.util.List;
 
 import org.junit.Assert;
@@ -50,9 +51,14 @@ public void canCRUDVault() throws Exception {
                         .allowSecretAllPermissions()
                         .allowCertificatePermissions(CertificatePermissions.GET, CertificatePermissions.LIST, CertificatePermissions.CREATE)
                         .attach()
+                    //.withBypass(NetworkRuleBypassOptions.AZURE_SERVICES)
+                    .withAccessFromAzureServices()
+                    .withAccessFromIpAddress("0.0.0.0/0")
                     .create();
             Assert.assertNotNull(vault);
             Assert.assertFalse(vault.softDeleteEnabled());
+            Assert.assertEquals(vault.networkRuleSet().bypass(), NetworkRuleBypassOptions.AZURE_SERVICES);
+
             // GET
             vault = keyVaultManager.vaults().getByResourceGroup(RG_NAME, VAULT_NAME);
             Assert.assertNotNull(vault);