Skip to content

[Key Vault] Test keys library against managed HSM #17458

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mccoyp merged 12 commits into from
Mar 29, 2021
Merged

[Key Vault] Test keys library against managed HSM #17458

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
1192115
Parameterize test_key_client.py
mccoyp Mar 4, 2021
50615b1
Parameterize test_keys_async.py
mccoyp Mar 19, 2021
906ce07
Parameterize test_crypto_client.py
mccoyp Mar 19, 2021
a6827ba
Parameterize test_crypto_client_async.py
mccoyp Mar 19, 2021
26a14cf
Add HSM config to live keys tests
mccoyp Mar 20, 2021
b473e2b
Shared keys test classes
mccoyp Mar 24, 2021
9e1e0ab
Refactor tests
mccoyp Mar 24, 2021
c1e9392
Clean up test skipping helper
mccoyp Mar 25, 2021
a961e53
Base class for KeysTestCase
mccoyp Mar 25, 2021
edb30f3
Simplify base class logic
mccoyp Mar 26, 2021
06a603b
_test_case_base -> _test_case
mccoyp Mar 26, 2021
295f2b8
Drop PSH prep. in vault/hsm tests
mccoyp Mar 27, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion sdk/keyvault/azure-keyvault-keys/dev_requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,5 @@
-e ../azure-mgmt-keyvault
-e ../../../tools/azure-sdk-tools
../azure-keyvault-nspkg
aiohttp>=3.0; python_version >= '3.5'
aiohttp>=3.0; python_version >= '3.5'
parameterized>=0.7.3
17 changes: 17 additions & 0 deletions sdk/keyvault/azure-keyvault-keys/platform-matrix.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
{
"include": [
{
"Agent": {
"ubuntu-18.04": {
"OSVmImage": "MMSUbuntu18.04",
"Pool": "azsdk-pool-mms-ubuntu-1804-general"
}
},
"HSM": {
"ArmTemplateParameters": "@{ enableHsm = $true }"
},
"PythonVersion": "3.9",
"CoverageArg": ""
}
]
}
52 changes: 52 additions & 0 deletions sdk/keyvault/azure-keyvault-keys/tests/_test_case.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# ------------------------------------
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
# ------------------------------------
import os

from azure.keyvault.keys import KeyClient
from azure.keyvault.keys.crypto import CryptographyClient
from azure.keyvault.keys._shared import HttpChallengeCache
from parameterized import parameterized
import pytest
from six.moves.urllib_parse import urlparse

from _shared.test_case import KeyVaultTestCase


def suffixed_test_name(testcase_func, param_num, param):
suffix = "mhsm" if param.kwargs.get("is_hsm") else "vault"
return "{}_{}".format(testcase_func.__name__, parameterized.to_safe_name(suffix))


class KeysTestCase(KeyVaultTestCase):
def setUp(self, *args, **kwargs):
playback_url = "https://managedhsmname.managedhsm.azure.net"
if self.is_live:
self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
if self.managed_hsm_url:
real = urlparse(self.managed_hsm_url)
playback = urlparse(playback_url)
self.scrubber.register_name_pair(real.netloc, playback.netloc)
else:
self.managed_hsm_url = playback_url
super(KeysTestCase, self).setUp(*args, **kwargs)

def tearDown(self):
HttpChallengeCache.clear()
assert len(HttpChallengeCache._cache) == 0
super(KeysTestCase, self).tearDown()

def create_key_client(self, vault_uri, **kwargs):
credential = self.get_credential(KeyClient)
return self.create_client_from_credential(KeyClient, credential=credential, vault_url=vault_uri, **kwargs)

def create_crypto_client(self, key, **kwargs):
credential = self.get_credential(CryptographyClient)
return self.create_client_from_credential(CryptographyClient, credential=credential, key=key, **kwargs)

def _skip_if_not_configured(self, is_hsm):
if self.is_live and is_hsm:
if self.managed_hsm_url is None:
pytest.skip("No HSM endpoint for live testing")
return False
52 changes: 52 additions & 0 deletions sdk/keyvault/azure-keyvault-keys/tests/_test_case_async.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
# ------------------------------------
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
# ------------------------------------
import os
from urllib.parse import urlparse

from azure.keyvault.keys.aio import KeyClient
from azure.keyvault.keys.crypto.aio import CryptographyClient
from azure.keyvault.keys._shared import HttpChallengeCache
from parameterized import parameterized
import pytest

from _shared.test_case_async import KeyVaultTestCase


def suffixed_test_name(testcase_func, param_num, param):
suffix = "mhsm" if param.kwargs.get("is_hsm") else "vault"
return "{}_{}".format(testcase_func.__name__, parameterized.to_safe_name(suffix))


class KeysTestCase(KeyVaultTestCase):
def setUp(self, *args, **kwargs):
playback_url = "https://managedhsmname.managedhsm.azure.net"
if self.is_live:
self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
if self.managed_hsm_url:
real = urlparse(self.managed_hsm_url)
playback = urlparse(playback_url)
self.scrubber.register_name_pair(real.netloc, playback.netloc)
else:
self.managed_hsm_url = playback_url
super().setUp(*args, **kwargs)

def tearDown(self):
HttpChallengeCache.clear()
assert len(HttpChallengeCache._cache) == 0
super().tearDown()

def create_key_client(self, vault_uri, **kwargs):
credential = self.get_credential(KeyClient, is_async=True)
return self.create_client_from_credential(KeyClient, credential=credential, vault_url=vault_uri, **kwargs)

def create_crypto_client(self, key, **kwargs):
credential = self.get_credential(CryptographyClient, is_async=True)
return self.create_client_from_credential(CryptographyClient, credential=credential, key=key, **kwargs)

def _skip_if_not_configured(self, is_hsm):
if self.is_live and is_hsm:
if self.managed_hsm_url is None:
pytest.skip("No HSM endpoint for live testing")
return False
131 changes: 131 additions & 0 deletions ...keyvault/azure-keyvault-keys/tests/recordings/test_crypto_client.test_ec_key_id_mhsm.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,131 @@
interactions:
- request:
body: null
headers:
Accept:
- application/json
Accept-Encoding:
- gzip, deflate
Connection:
- keep-alive
Content-Length:
- '0'
Content-Type:
- application/json
User-Agent:
- azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
method: POST
uri: https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/create?api-version=7.2-preview
response:
body:
string: ''
headers:
cache-control:
- no-cache
content-length:
- '0'
content-security-policy:
- default-src 'self'
content-type:
- application/json; charset=utf-8
strict-transport-security:
- max-age=31536000; includeSubDomains
www-authenticate:
- Bearer authorization="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47",
resource="https://managedhsm.azure.net"
x-content-type-options:
- nosniff
x-frame-options:
- SAMEORIGIN
x-ms-server-latency:
- '1'
status:
code: 401
message: Unauthorized
- request:
body: '{"kty": "EC-HSM"}'
headers:
Accept:
- application/json
Accept-Encoding:
- gzip, deflate
Connection:
- keep-alive
Content-Length:
- '17'
Content-Type:
- application/json
User-Agent:
- azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
method: POST
uri: https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/create?api-version=7.2-preview
response:
body:
string: '{"attributes":{"created":1616194950,"enabled":true,"exportable":false,"recoverableDays":90,"recoveryLevel":"Recoverable+Purgeable","updated":1616194950},"key":{"crv":"P-256","key_ops":["verify","sign"],"kid":"https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/38f9028c28e24b9b80fe3b2800c5950d","kty":"EC-HSM","x":"aD-Od-CpwDHTx3T9XEPYR3-KxdmZg_wtFekJBlrAaSM","y":"exOWHTfjEM5Qwg6GAF09KXJpwN7Ov8LN_ZxxIlqpK9I"}}'
headers:
cache-control:
- no-cache
content-length:
- '433'
content-security-policy:
- default-src 'self'
content-type:
- application/json; charset=utf-8
strict-transport-security:
- max-age=31536000; includeSubDomains
x-content-type-options:
- nosniff
x-frame-options:
- SAMEORIGIN
x-ms-keyvault-network-info:
- addr=172.92.159.124
x-ms-keyvault-region:
- eastus2
x-ms-server-latency:
- '261'
status:
code: 200
message: OK
- request:
body: null
headers:
Accept:
- application/json
Accept-Encoding:
- gzip, deflate
Connection:
- keep-alive
User-Agent:
- azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
method: GET
uri: https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/38f9028c28e24b9b80fe3b2800c5950d?api-version=7.2-preview
response:
body:
string: '{"attributes":{"created":1616194950,"enabled":true,"exportable":false,"recoverableDays":90,"recoveryLevel":"Recoverable+Purgeable","updated":1616194950},"key":{"crv":"P-256","key_ops":["verify","sign"],"kid":"https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/38f9028c28e24b9b80fe3b2800c5950d","kty":"EC-HSM","x":"aD-Od-CpwDHTx3T9XEPYR3-KxdmZg_wtFekJBlrAaSM","y":"exOWHTfjEM5Qwg6GAF09KXJpwN7Ov8LN_ZxxIlqpK9I"}}'
headers:
cache-control:
- no-cache
content-length:
- '433'
content-security-policy:
- default-src 'self'
content-type:
- application/json; charset=utf-8
strict-transport-security:
- max-age=31536000; includeSubDomains
x-content-type-options:
- nosniff
x-frame-options:
- SAMEORIGIN
x-ms-build-version:
- 1.0.20210306-1-6fb7c19a-develop
x-ms-keyvault-network-info:
- addr=172.92.159.124
x-ms-keyvault-region:
- eastus2
x-ms-server-latency:
- '126'
status:
code: 200
message: OK
version: 1
40 changes: 20 additions & 20 deletions ...gs/test_crypto_client.test_ec_key_id.yaml → ...t_crypto_client.test_ec_key_id_vault.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ interactions:
Content-Type:
- application/json
User-Agent:
- azsdk-python-keyvault-keys/4.3.2 Python/3.5.3 (Windows-10-10.0.19041-SP0)
- azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
method: POST
uri: https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/create?api-version=7.2-preview
uri: https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/create?api-version=7.2-preview
response:
body:
string: '{"error":{"code":"Unauthorized","message":"Request is missing a Bearer
Expand All @@ -28,7 +28,7 @@ interactions:
content-type:
- application/json; charset=utf-8
date:
- Sat, 06 Feb 2021 02:20:10 GMT
- Fri, 19 Mar 2021 23:02:35 GMT
expires:
- '-1'
pragma:
Expand All @@ -41,11 +41,11 @@ interactions:
x-content-type-options:
- nosniff
x-ms-keyvault-network-info:
- conn_type=Ipv4;addr=174.127.232.53;act_addr_fam=InterNetwork;
- conn_type=Ipv4;addr=172.92.159.124;act_addr_fam=InterNetwork;
x-ms-keyvault-region:
- northeurope
- eastus2
x-ms-keyvault-service-version:
- 1.2.164.0
- 1.2.205.0
x-powered-by:
- ASP.NET
status:
Expand All @@ -65,12 +65,12 @@ interactions:
Content-Type:
- application/json
User-Agent:
- azsdk-python-keyvault-keys/4.3.2 Python/3.5.3 (Windows-10-10.0.19041-SP0)
- azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
method: POST
uri: https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/create?api-version=7.2-preview
uri: https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/create?api-version=7.2-preview
response:
body:
string: '{"key":{"kid":"https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/41b7345af65e4e29b0ad3c16103c5cb1","kty":"EC","key_ops":["sign","verify"],"crv":"P-256","x":"xLeGJutfYRgRELSvq0-Yg-q5UmCVaJ8HyBQVi9s98Uk","y":"0MHnZ8jZjyGtp_WUdooqXwqn843uvWUL83SxCrY6nlg"},"attributes":{"enabled":true,"created":1612578012,"updated":1612578012,"recoveryLevel":"Recoverable+Purgeable","recoverableDays":90}}'
string: '{"key":{"kid":"https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/c2cbc14fdb0b405f9b4507100f85c84b","kty":"EC","key_ops":["sign","verify"],"crv":"P-256","x":"STISs3_goj91mOlIpNqFxzE1Kj2BPLKR640BCYKu9Fk","y":"CtMP7wzlWetR6NOzwJvpcKL2pRnUB7ziHsiNc763izQ"},"attributes":{"enabled":true,"created":1616194955,"updated":1616194955,"recoveryLevel":"Recoverable+Purgeable","recoverableDays":90}}'
headers:
cache-control:
- no-cache
Expand All @@ -79,7 +79,7 @@ interactions:
content-type:
- application/json; charset=utf-8
date:
- Sat, 06 Feb 2021 02:20:11 GMT
- Fri, 19 Mar 2021 23:02:35 GMT
expires:
- '-1'
pragma:
Expand All @@ -89,11 +89,11 @@ interactions:
x-content-type-options:
- nosniff
x-ms-keyvault-network-info:
- conn_type=Ipv4;addr=174.127.232.53;act_addr_fam=InterNetwork;
- conn_type=Ipv4;addr=172.92.159.124;act_addr_fam=InterNetwork;
x-ms-keyvault-region:
- northeurope
- eastus2
x-ms-keyvault-service-version:
- 1.2.164.0
- 1.2.205.0
x-powered-by:
- ASP.NET
status:
Expand All @@ -109,12 +109,12 @@ interactions:
Connection:
- keep-alive
User-Agent:
- azsdk-python-keyvault-keys/4.3.2 Python/3.5.3 (Windows-10-10.0.19041-SP0)
- azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
method: GET
uri: https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/41b7345af65e4e29b0ad3c16103c5cb1?api-version=7.2-preview
uri: https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/c2cbc14fdb0b405f9b4507100f85c84b?api-version=7.2-preview
response:
body:
string: '{"key":{"kid":"https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/41b7345af65e4e29b0ad3c16103c5cb1","kty":"EC","key_ops":["sign","verify"],"crv":"P-256","x":"xLeGJutfYRgRELSvq0-Yg-q5UmCVaJ8HyBQVi9s98Uk","y":"0MHnZ8jZjyGtp_WUdooqXwqn843uvWUL83SxCrY6nlg"},"attributes":{"enabled":true,"created":1612578012,"updated":1612578012,"recoveryLevel":"Recoverable+Purgeable","recoverableDays":90}}'
string: '{"key":{"kid":"https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/c2cbc14fdb0b405f9b4507100f85c84b","kty":"EC","key_ops":["sign","verify"],"crv":"P-256","x":"STISs3_goj91mOlIpNqFxzE1Kj2BPLKR640BCYKu9Fk","y":"CtMP7wzlWetR6NOzwJvpcKL2pRnUB7ziHsiNc763izQ"},"attributes":{"enabled":true,"created":1616194955,"updated":1616194955,"recoveryLevel":"Recoverable+Purgeable","recoverableDays":90}}'
headers:
cache-control:
- no-cache
Expand All @@ -123,7 +123,7 @@ interactions:
content-type:
- application/json; charset=utf-8
date:
- Sat, 06 Feb 2021 02:20:12 GMT
- Fri, 19 Mar 2021 23:02:36 GMT
expires:
- '-1'
pragma:
Expand All @@ -133,11 +133,11 @@ interactions:
x-content-type-options:
- nosniff
x-ms-keyvault-network-info:
- conn_type=Ipv4;addr=174.127.232.53;act_addr_fam=InterNetwork;
- conn_type=Ipv4;addr=172.92.159.124;act_addr_fam=InterNetwork;
x-ms-keyvault-region:
- northeurope
- eastus2
x-ms-keyvault-service-version:
- 1.2.164.0
- 1.2.205.0
x-powered-by:
- ASP.NET
status:
Expand Down
Loading