Azure · seankane-msft · Feb 9, 2022 · Jan 19, 2022 · Jan 19, 2022 · Jan 27, 2022
@@ -3,8 +3,15 @@
 ## 0.3.1 (Unreleased)
 
 ### Features Added
+* Adds the `ReleasePolicy` parameter to the `UpdateKeyPropertiesOptions` struct.
+* Adds the `Immutable` boolean to the `KeyReleasePolicy` model.
 
 ### Breaking Changes
+* Changed the `Data` to `EncodedPolicy` on the `KeyReleasePolicy` struct.
+* Changed the `Tags` properties from `map[string]*string` to `map[string]string`.
+* Changed the `Updated`, `Created`, and `Expires` properties to `UpdatedOn`, `CreatedOn`, and `ExpiresOn`.
+* Renamed `JSONWebKeyOperation` to `KeyOperation`.
+* Renamed `JSONWebKeyCurveName` to `KeyCurveName`
 
 ### Bugs Fixed
 

@@ -6,10 +6,10 @@ These settings apply only when `--go` is specified on the command line.
 go: true
 version: "^3.0.0"
 input-file:
-- https://github.com/Azure/azure-rest-api-specs/blob/ecdce42924ed0f7e60a32c74bc0eb674ca6d4aae/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/common.json
-- https://github.com/Azure/azure-rest-api-specs/blob/ecdce42924ed0f7e60a32c74bc0eb674ca6d4aae/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/keys.json
-- https://github.com/Azure/azure-rest-api-specs/blob/ecdce42924ed0f7e60a32c74bc0eb674ca6d4aae/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/rbac.json
-- https://github.com/Azure/azure-rest-api-specs/blob/ecdce42924ed0f7e60a32c74bc0eb674ca6d4aae/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/securitydomain.json
+- https://github.com/Azure/azure-rest-api-specs/blob/8a061f1e9031450b9eb5546d242f2a28c93eaa69/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/common.json
+- https://github.com/Azure/azure-rest-api-specs/blob/8a061f1e9031450b9eb5546d242f2a28c93eaa69/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/keys.json
+- https://github.com/Azure/azure-rest-api-specs/blob/8a061f1e9031450b9eb5546d242f2a28c93eaa69/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/rbac.json
+- https://github.com/Azure/azure-rest-api-specs/blob/8a061f1e9031450b9eb5546d242f2a28c93eaa69/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/securitydomain.json
 license-header: MICROSOFT_MIT_NO_VERSION
 clear-output-folder: true
 output-folder: internal/generated
@@ -18,6 +18,6 @@ openapi-type: "data-plane"
 security: "AADToken"
 security-scopes:  "https://vault.azure.net/.default"
 use: "@autorest/go@4.0.0-preview.35"
-module-version: 0.1.0
+module-version: 0.3.0
 export-clients: true
 ```
@@ -68,12 +68,12 @@ func NewClient(vaultUrl string, credential azcore.TokenCredential, options *Clie
 
 // CreateKeyOptions contains the optional parameters for the KeyVaultClient.CreateKey method.
 type CreateKeyOptions struct {
-	// Elliptic curve name. For valid values, see JsonWebKeyCurveName.
-	Curve *JSONWebKeyCurveName `json:"crv,omitempty"`
+	// Elliptic curve name. For valid values, see KeyCurveName.
+	Curve *KeyCurveName `json:"crv,omitempty"`
 
 	// The attributes of a key managed by the key vault service.
-	KeyAttributes *KeyAttributes         `json:"attributes,omitempty"`
-	KeyOps        []*JSONWebKeyOperation `json:"key_ops,omitempty"`
+	KeyAttributes *KeyAttributes  `json:"attributes,omitempty"`
+	KeyOperations []*KeyOperation `json:"key_ops,omitempty"`
 
 	// The key size in bits. For example: 2048, 3072, or 4096 for RSA.
 	KeySize *int32 `json:"key_size,omitempty"`
@@ -98,8 +98,11 @@ func (c *CreateKeyOptions) toKeyCreateParameters(keyType KeyType) generated.KeyC
 	}
 
 	var ops []*generated.JSONWebKeyOperation
-	for _, o := range c.KeyOps {
-		ops = append(ops, (*generated.JSONWebKeyOperation)(o))
+	if c.KeyOperations != nil {
+		ops = make([]*generated.JSONWebKeyOperation, len(c.KeyOperations))
+		for i, o := range c.KeyOperations {
+			ops[i] = (*generated.JSONWebKeyOperation)(o)
+		}
 	}
 
 	return generated.KeyCreateParameters{
@@ -151,8 +154,8 @@ func (c *Client) CreateKey(ctx context.Context, name string, keyType KeyType, op
 
 // CreateECKeyOptions contains the optional parameters for the KeyVaultClient.CreateECKey method
 type CreateECKeyOptions struct {
-	// Elliptic curve name. For valid values, see JsonWebKeyCurveName.
-	CurveName *JSONWebKeyCurveName `json:"crv,omitempty"`
+	// Elliptic curve name. For valid values, see KeyCurveName.
+	CurveName *KeyCurveName `json:"crv,omitempty"`
 
 	// Application specific metadata in the form of key-value pairs.
 	Tags map[string]string `json:"tags,omitempty"`
@@ -274,7 +277,7 @@ func (c *Client) CreateOCTKey(ctx context.Context, name string, options *CreateO
 // CreateRSAKeyOptions contains the optional parameters for the Client.CreateRSAKey method.
 type CreateRSAKeyOptions struct {
 	// Hardware Protected OCT Key
-	HardwareProtected bool
+	HardwareProtected *bool
 
 	// The key size in bits. For example: 2048, 3072, or 4096 for RSA.
 	KeySize *int32 `json:"key_size,omitempty"`
@@ -284,15 +287,36 @@ type CreateRSAKeyOptions struct {
 
 	// Application specific metadata in the form of key-value pairs.
 	Tags map[string]string `json:"tags,omitempty"`
+
+	// Elliptic curve name. For valid values, see KeyCurveName.
+	Curve *KeyCurveName `json:"crv,omitempty"`
+
+	// The attributes of a key managed by the key vault service.
+	KeyAttributes *KeyAttributes  `json:"attributes,omitempty"`
+	KeyOperations []*KeyOperation `json:"key_ops,omitempty"`
+
+	// The policy rules under which the key can be exported.
+	ReleasePolicy *KeyReleasePolicy `json:"release_policy,omitempty"`
 }
 
 // convert CreateRSAKeyOptions to generated.KeyCreateParameters
 func (c CreateRSAKeyOptions) toKeyCreateParameters(k KeyType) generated.KeyCreateParameters {
+	var keyOps []*generated.JSONWebKeyOperation
+	if c.KeyOperations != nil {
+		keyOps = make([]*generated.JSONWebKeyOperation, len(c.KeyOperations))
+		for i, k := range c.KeyOperations {
+			keyOps[i] = (*generated.JSONWebKeyOperation)(k)
+		}
+	}
 	return generated.KeyCreateParameters{
 		Kty:            k.toGenerated(),
+		Curve:          (*generated.JSONWebKeyCurveName)(c.Curve),
 		KeySize:        c.KeySize,
 		PublicExponent: c.PublicExponent,
 		Tags:           convertToGeneratedMap(c.Tags),
+		KeyAttributes:  c.KeyAttributes.toGenerated(),
+		KeyOps:         keyOps,
+		ReleasePolicy:  c.ReleasePolicy.toGenerated(),
 	}
 }
 
@@ -322,7 +346,7 @@ func createRSAKeyResponseFromGenerated(i generated.KeyVaultClientCreateKeyRespon
 func (c *Client) CreateRSAKey(ctx context.Context, name string, options *CreateRSAKeyOptions) (CreateRSAKeyResponse, error) {
 	keyType := RSA
 
-	if options != nil && options.HardwareProtected {
+	if options != nil && options.HardwareProtected != nil && *options.HardwareProtected {
 		keyType = RSAHSM
 	} else if options == nil {
 		options = &CreateRSAKeyOptions{}
@@ -877,8 +901,11 @@ type UpdateKeyPropertiesOptions struct {
 	// The attributes of a key managed by the key vault service.
 	KeyAttributes *KeyAttributes `json:"attributes,omitempty"`
 
-	// Json web key operations. For more information on possible key operations, see JsonWebKeyOperation.
-	KeyOps []*JSONWebKeyOperation `json:"key_ops,omitempty"`
+	// Json web key operations. For more information on possible key operations, see KeyOperation.
+	KeyOps []*KeyOperation `json:"key_ops,omitempty"`
+
+	// The policy rules under which the key can be exported.
+	ReleasePolicy *KeyReleasePolicy `json:"release_policy,omitempty"`
 
 	// Application specific metadata in the form of key-value pairs.
 	Tags map[string]string `json:"tags,omitempty"`
@@ -892,13 +919,17 @@ func (u UpdateKeyPropertiesOptions) toKeyUpdateParameters() generated.KeyUpdateP
 	}
 
 	var ops []*generated.JSONWebKeyOperation
-	for _, o := range u.KeyOps {
-		ops = append(ops, (*generated.JSONWebKeyOperation)(o))
+	if u.KeyOps != nil {
+		ops = make([]*generated.JSONWebKeyOperation, len(u.KeyOps))
+		for i, o := range u.KeyOps {
+			ops[i] = (*generated.JSONWebKeyOperation)(o)
+		}
 	}
 
 	return generated.KeyUpdateParameters{
 		KeyOps:        ops,
 		KeyAttributes: attribs,
+		ReleasePolicy: u.ReleasePolicy.toGenerated(),
 		Tags:          convertToGeneratedMap(u.Tags),
 	}
 }
@@ -1393,9 +1424,9 @@ func (c *Client) ReleaseKey(ctx context.Context, name string, target string, opt
 		name,
 		options.Version,
 		generated.KeyReleaseParameters{
-			Target: &target,
-			Enc:    (*generated.KeyEncryptionAlgorithm)(options.Enc),
-			Nonce:  options.Nonce,
+			TargetAttestationToken: &target,
+			Enc:                    (*generated.KeyEncryptionAlgorithm)(options.Enc),
+			Nonce:                  options.Nonce,
 		},
 		&generated.KeyVaultClientReleaseOptions{},
 	)
@@ -1430,11 +1461,10 @@ func (u UpdateKeyRotationPolicyOptions) toGenerated() generated.KeyRotationPolic
 		attribs = u.Attributes.toGenerated()
 	}
 	var la []*generated.LifetimeActions
-	for _, l := range u.LifetimeActions {
-		if l == nil {
-			la = append(la, nil)
-		} else {
-			la = append(la, l.toGenerated())
+	if la != nil {
+		la = make([]*generated.LifetimeActions, len(u.LifetimeActions))
+		for i, l := range u.LifetimeActions {
+			la[i] = l.toGenerated()
 		}
 	}
 
@@ -1448,6 +1478,7 @@ func (u UpdateKeyRotationPolicyOptions) toGenerated() generated.KeyRotationPolic
 // UpdateKeyRotationPolicyResponse contains the response for the Client.UpdateKeyRotationPolicy function
 type UpdateKeyRotationPolicyResponse struct {
 	KeyRotationPolicy
+
 	// RawResponse contains the underlying HTTP response.
 	RawResponse *http.Response
 }

@@ -8,6 +8,7 @@ package azkeys
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -52,7 +53,7 @@ func TestCreateKeyRSA(t *testing.T) {
 			require.NoError(t, err)
 			require.NotNil(t, resp.Key)
 
-			resp2, err := client.CreateRSAKey(ctx, key+"hsm", &CreateRSAKeyOptions{HardwareProtected: true})
+			resp2, err := client.CreateRSAKey(ctx, key+"hsm", &CreateRSAKeyOptions{HardwareProtected: to.BoolPtr(true)})
 			require.NoError(t, err)
 			require.NotNil(t, resp2.Key)
 
@@ -386,7 +387,7 @@ func TestUpdateKeyProperties(t *testing.T) {
 			key, err := createRandomName(t, "key")
 			require.NoError(t, err)
 
-			_, err = client.CreateRSAKey(ctx, key, nil)
+			_, err = client.CreateRSAKey(ctx, key, &CreateRSAKeyOptions{})
 			require.NoError(t, err)
 			defer cleanUpKey(t, client, key)
 
@@ -395,15 +396,13 @@ func TestUpdateKeyProperties(t *testing.T) {
 					"Tag1": "Val1",
 				},
 				KeyAttributes: &KeyAttributes{
-					Attributes: Attributes{
-						Expires: to.TimePtr(time.Now().AddDate(1, 0, 0)),
-					},
+					ExpiresOn: to.TimePtr(time.Now().AddDate(1, 0, 0)),
 				},
 			})
 			require.NoError(t, err)
 			require.NotNil(t, resp.Attributes)
 			require.Equal(t, resp.Tags["Tag1"], "Val1")
-			require.NotNil(t, resp.Attributes.Updated)
+			require.NotNil(t, resp.Attributes.UpdatedOn)
 
 			invalid, err := client.UpdateKeyProperties(ctx, "doesnotexist", nil)
 			require.Error(t, err)
@@ -412,6 +411,78 @@ func TestUpdateKeyProperties(t *testing.T) {
 	}
 }
 
+func TestUpdateKeyPropertiesImmutable(t *testing.T) {
+	for _, testType := range testTypes {
+		t.Run(fmt.Sprintf("%s_%s", t.Name(), testType), func(t *testing.T) {
+			if testType == HSMTEST {
+				t.Skip("HSM does not recognize immutable yet.")
+			}
+			stop := startTest(t)
+			defer stop()
+			err := recording.SetBodilessMatcher(t, nil)
+			require.NoError(t, err)
+
+			client, err := createClient(t, testType)
+			require.NoError(t, err)
+
+			key, err := createRandomName(t, "immuta")
+			require.NoError(t, err)
+
+			marshalledPolicy, err := json.Marshal(map[string]interface{}{
+				"anyOf": []map[string]interface{}{
+					{
+						"anyOf": []map[string]interface{}{
+							{
+								"claim":  "sdk-test",
+								"equals": "true",
+							}},
+						"authority": os.Getenv("AZURE_KEYVAULT_ATTESTATION_URL"),
+					},
+				},
+				"version": "1.0.0",
+			})
+			require.NoError(t, err)
+
+			_, err = client.CreateRSAKey(ctx, key, &CreateRSAKeyOptions{
+				HardwareProtected: to.BoolPtr(true),
+				KeyAttributes: &KeyAttributes{
+					Exportable: to.BoolPtr(true),
+				},
+				ReleasePolicy: &KeyReleasePolicy{
+					Immutable:     to.BoolPtr(true),
+					EncodedPolicy: marshalledPolicy,
+				},
+				KeyOperations: []*KeyOperation{KeyOperationEncrypt.ToPtr(), KeyOperationDecrypt.ToPtr()},
+			})
+			require.NoError(t, err)
+			defer cleanUpKey(t, client, key)
+
+			newMarshalledPolicy, err := json.Marshal(map[string]interface{}{
+				"anyOf": []map[string]interface{}{
+					{
+						"anyOf": []map[string]interface{}{
+							{
+								"claim":  "sdk-test",
+								"equals": "false",
+							}},
+						"authority": os.Getenv("AZURE_KEYVAULT_ATTESTATION_URL"),
+					},
+				},
+				"version": "1.0.0",
+			})
+			require.NoError(t, err)
+
+			_, err = client.UpdateKeyProperties(ctx, key, &UpdateKeyPropertiesOptions{
+				ReleasePolicy: &KeyReleasePolicy{
+					Immutable:     to.BoolPtr(true),
+					EncodedPolicy: newMarshalledPolicy,
+				},
+			})
+			require.Error(t, err)
+		})
+	}
+}
+
 func TestListDeletedKeys(t *testing.T) {
 	for _, testType := range testTypes {
 		t.Run(fmt.Sprintf("%s_%s", t.Name(), testType), func(t *testing.T) {

@@ -78,43 +78,43 @@ func recoveryLevelToGenerated(d *DeletionRecoveryLevel) *generated.DeletionRecov
 	}
 }
 
-// JSONWebKeyCurveName - Elliptic curve name. For valid values, see JsonWebKeyCurveName.
-type JSONWebKeyCurveName string
+// KeyCurveName - Elliptic curve name. For valid values, see KeyCurveName.
+type KeyCurveName string
 
 const (
-	// JSONWebKeyCurveNameP256 - The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.
-	JSONWebKeyCurveNameP256 JSONWebKeyCurveName = "P-256"
+	// KeyCurveNameP256 - The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.
+	KeyCurveNameP256 KeyCurveName = "P-256"
 
-	// JSONWebKeyCurveNameP256K - The SECG SECP256K1 elliptic curve.
-	JSONWebKeyCurveNameP256K JSONWebKeyCurveName = "P-256K"
+	// KeyCurveNameP256K - The SECG SECP256K1 elliptic curve.
+	KeyCurveNameP256K KeyCurveName = "P-256K"
 
-	// JSONWebKeyCurveNameP384 - The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.
-	JSONWebKeyCurveNameP384 JSONWebKeyCurveName = "P-384"
+	// KeyCurveNameP384 - The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.
+	KeyCurveNameP384 KeyCurveName = "P-384"
 
-	// JSONWebKeyCurveNameP521 - The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.
-	JSONWebKeyCurveNameP521 JSONWebKeyCurveName = "P-521"
+	// KeyCurveNameP521 - The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.
+	KeyCurveNameP521 KeyCurveName = "P-521"
 )
 
-// ToPtr returns a *JSONWebKeyCurveName pointing to the current value.
-func (c JSONWebKeyCurveName) ToPtr() *JSONWebKeyCurveName {
+// ToPtr returns a *KeyCurveName pointing to the current value.
+func (c KeyCurveName) ToPtr() *KeyCurveName {
 	return &c
 }
 
-// JSONWebKeyOperation - JSON web key operations. For more information, see JsonWebKeyOperation.
-type JSONWebKeyOperation string
+// KeyOperation - JSON web key operations. For more information, see KeyOperation.
+type KeyOperation string
 
 const (
-	JSONWebKeyOperationDecrypt   JSONWebKeyOperation = "decrypt"
-	JSONWebKeyOperationEncrypt   JSONWebKeyOperation = "encrypt"
-	JSONWebKeyOperationImport    JSONWebKeyOperation = "import"
-	JSONWebKeyOperationSign      JSONWebKeyOperation = "sign"
-	JSONWebKeyOperationUnwrapKey JSONWebKeyOperation = "unwrapKey"
-	JSONWebKeyOperationVerify    JSONWebKeyOperation = "verify"
-	JSONWebKeyOperationWrapKey   JSONWebKeyOperation = "wrapKey"
+	KeyOperationDecrypt   KeyOperation = "decrypt"
+	KeyOperationEncrypt   KeyOperation = "encrypt"
+	KeyOperationImport    KeyOperation = "import"
+	KeyOperationSign      KeyOperation = "sign"
+	KeyOperationUnwrapKey KeyOperation = "unwrapKey"
+	KeyOperationVerify    KeyOperation = "verify"
+	KeyOperationWrapKey   KeyOperation = "wrapKey"
 )
 
-// ToPtr returns a *JSONWebKeyOperation pointing to the current value.
-func (c JSONWebKeyOperation) ToPtr() *JSONWebKeyOperation {
+// ToPtr returns a *KeyOperation pointing to the current value.
+func (c KeyOperation) ToPtr() *KeyOperation {
 	return &c
 }