WIP - ledger ci

sdk/confidentialledger/azure-confidentialledger-certificate/README.md

@@ -1,4 +1,4 @@
-# Confidential Ledger Certificate client library for Python
+# Azure Confidential Ledger Certificate client library for Python
 
 The Confidential Ledger Certificate client library is used to retrieve the TLS certificate required for connecting to a Confidential Ledger.
 
@@ -10,11 +10,58 @@ The Confidential Ledger Certificate client library is used to retrieve the TLS c
 python -m pip install azure-confidentialledger-certificate
 ```
 
-#### Prequisites
+#### Prerequisites
 
 - Python 3.9 or later is required to use this package.
 - You need an [Azure subscription][azure_sub] to use this package.
-- An existing Confidential Ledger Certificate instance.
+- An existing Confidential Ledger instance.
+
+## Key concepts
+
+Clients may authenticate with a client certificate in mutual TLS instead of via an Azure Active Directory token. Use the `get_ledger_identity()` method on the `ConfidentialLedgerCertificateClient` to retrieve the certificate.
+
+## Examples
+
+Get a ledger certificate for authentication using the `ConfidentialLedgerCertificateClient` from the `azure-confidentialledger-certificate` package, save the certificate, pass the certificate path to the `ConfidentialLedgerCertificateCredential` from the `azure-confidentialledger` package, and pass the credential to the `ConfidentialLedgerClient` for authentication:
+
+```python
+from azure.confidentialledger.certificate import ConfidentialLedgerCertificateClient
+from azure.confidentialledger import (
+    ConfidentialLedgerCertificateCredential,
+    ConfidentialLedgerClient,
+)
+
+identity_client = ConfidentialLedgerCertificateClient()
+network_identity = identity_client.get_ledger_identity(
+    ledger_id="my-ledger-id"
+)
+
+ledger_tls_cert_file_name = "ledger_certificate.pem"
+with open(ledger_tls_cert_file_name, "w") as cert_file:
+    cert_file.write(network_identity["ledgerTlsCertificate"])
+
+credential = ConfidentialLedgerCertificateCredential(
+    certificate_path="Path to user certificate PEM file"
+)
+ledger_client = ConfidentialLedgerClient(
+    endpoint="https://my-ledger-id.confidential-ledger.azure.com",
+    credential=credential,
+    ledger_certificate_path=ledger_tls_cert_file_name
+)
+```
+
+## Troubleshooting
+
+Confidential Ledger clients raise exceptions defined in [azure-core][azure_core_exceptions].
+
+## Next steps
+
+Use the certificate retrieved using this library with the `azure-confidentialledger` package. The Azure Confidential Ledger client library has several code samples that show common scenario operations.
+
+### Additional Documentation
+
+For more extensive documentation on Azure Confidential Ledger, see the
+[API reference documentation][reference_docs]. You may also read more about Microsoft Research's open-source [Confidential Consortium Framework][ccf].
 
 ## Contributing
 
@@ -36,9 +83,11 @@ additional questions or comments.
 <!-- LINKS -->
 
 [code_of_conduct]: https://opensource.microsoft.com/codeofconduct/
+[azure_core_exceptions]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/core/azure-core#azure-core-library-exceptions
 [authenticate_with_token]: https://docs.microsoft.com/azure/cognitive-services/authentication?tabs=powershell#authenticate-with-an-authentication-token
 [azure_identity_credentials]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity#credentials
 [azure_identity_pip]: https://pypi.org/project/azure-identity/
-[default_azure_credential]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity#defaultazurecredential
 [pip]: https://pypi.org/project/pip/
 [azure_sub]: https://azure.microsoft.com/free/
+[reference_docs]: https://aka.ms/azsdk/python/confidentialledger/ref-docs
+[ccf]: https://github.com/Microsoft/CCF

sdk/confidentialledger/azure-confidentialledger-certificate/assets.json

@@ -0,0 +1,6 @@
+{
+  "AssetsRepo": "Azure/azure-sdk-assets",
+  "AssetsRepoPrefixPath": "python",
+  "TagPrefix": "python/confidentialledger/azure-confidentialledger-certificate",
+  "Tag": "python/confidentialledger/azure-confidentialledger-certificate_e868943cfa"
+}

sdk/confidentialledger/azure-confidentialledger-certificate/samples/README.md

@@ -0,0 +1,46 @@
+---
+page_type: sample
+languages:
+  - python
+products:
+  - azure
+  - azure-confidentialledger
+urlFragment: azure-confidentialledger-certificate-samples
+---
+
+# Azure Confidential Ledger Certificate client library for Python Samples
+
+These are code samples that show common scenario operations with the Azure Confidential Ledger Certificate client library.
+The async versions of the samples (the python sample files appended with `_async`) show asynchronous operations.
+
+## Prerequisites
+
+- Python 3.6 or later is required to use this package
+- You need an [Azure subscription][azure_sub], and a [Azure Confidential Ledger service instance][confidential_ledger_docs] to use this package.
+
+## Setup
+
+1. Install the Azure Confidential Ledger Certificate client library for Python with [pip](https://pypi.org/project/pip/):
+
+```bash
+pip install azure-confidentialledger-certificate
+```
+
+2. Clone or download this sample repository
+3. Open the sample folder in Visual Studio Code or your IDE of choice.
+
+## Running the samples
+
+1. Open a terminal window and `cd` to the directory that the samples are saved in.
+2. Set the environment variables specified in the sample file you wish to run.
+3. Follow the usage described in the file.
+
+## Next Steps
+
+Take a look at our [API Documentation][reference_docs] for more information about the APIs that are available in the clients.
+
+<!-- LINKS -->
+
+[azure_sub]: https://azure.microsoft.com/free/
+[confidential_ledger_docs]: https://aka.ms/confidentialledger-servicedocs
+[reference_docs]: https://aka.ms/azsdk/python/confidentialledger/ref-docs

sdk/confidentialledger/azure-confidentialledger-certificate/samples/get_certificate.py

@@ -0,0 +1,70 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+
+"""
+FILE: get_certificate.py
+DESCRIPTION:
+    This sample demonstrates how to get the certificate from the Confidential Ledger identity service.
+USAGE:
+    python get_certificate.py
+    Set the environment variables with your own values before running the sample:
+    1) CONFIDENTIALLEDGER_ENDPOINT - the endpoint of the Confidential Ledger.
+"""
+
+import logging
+import os
+import sys
+import tempfile
+
+from azure.confidentialledger.certificate import (
+    ConfidentialLedgerCertificateClient,
+)
+
+
+logging.basicConfig(level=logging.ERROR)
+LOG = logging.getLogger()
+
+
+def main():
+    # Set the values of the following environment variables before running the sample:
+    # CONFIDENTIALLEDGER_ENDPOINT
+    try:
+        ledger_endpoint = os.environ["CONFIDENTIALLEDGER_ENDPOINT"]
+    except KeyError:
+        LOG.error(
+            "Missing environment variable 'CONFIDENTIALLEDGER_ENDPOINT' - " "please set it before running the example"
+        )
+        sys.exit(1)
+
+    # Under the current URI format, the ledger id is the first part of the ledger endpoint.
+    # i.e. https://<ledger id>.confidential-ledger.azure.com
+    ledger_id = ledger_endpoint.replace("https://", "").split(".")[0]
+
+    identity_service_client = ConfidentialLedgerCertificateClient()  # type: ignore[call-arg]
+    ledger_certificate = identity_service_client.get_ledger_identity(ledger_id)
+
+    # The Confidential Ledger's TLS certificate must be written to a file to be used by the
+    # ConfidentialLedgerClient from the azure-confidentialledger package. Here, we write it to
+    # a temporary file so that is is cleaned up automatically when the program exits.
+    with tempfile.TemporaryDirectory() as tempdir:
+        ledger_cert_file = os.path.join(tempdir, f"{ledger_id}.pem")
+        with open(ledger_cert_file, "w") as outfile:
+            outfile.write(ledger_certificate["ledgerTlsCertificate"])
+
+        print(
+            f"Ledger certificate has been written to {ledger_cert_file}. "
+            "It will be deleted when the script completes."
+        )
+
+        print(
+            "The certificate can be used to create a ConfidentialLedgerClient instance."
+            "See samples for the azure-confidentialledger package for details:"
+            "https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/confidentialledger/azure-confidentialledger/samples"
+        )
+
+
+if __name__ == "__main__":
+    main()

sdk/confidentialledger/azure-confidentialledger-certificate/samples/get_certificate_async.py

@@ -0,0 +1,71 @@
+# -------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for
+# license information.
+# --------------------------------------------------------------------------
+
+"""
+FILE: get_certificate_async.py
+DESCRIPTION:
+    This sample demonstrates how to get the certificate from the Confidential Ledger identity service.
+USAGE:
+    python get_certificate_async.py
+    Set the environment variables with your own values before running the sample:
+    1) CONFIDENTIALLEDGER_ENDPOINT - the endpoint of the Confidential Ledger.
+"""
+
+import asyncio
+import logging
+import os
+import sys
+import tempfile
+
+from azure.confidentialledger.certificate.aio import (
+    ConfidentialLedgerCertificateClient,
+)
+
+
+logging.basicConfig(level=logging.ERROR)
+LOG = logging.getLogger()
+
+
+async def main():
+    # Set the values of the following environment variables before running the sample:
+    # CONFIDENTIALLEDGER_ENDPOINT
+    try:
+        ledger_endpoint = os.environ["CONFIDENTIALLEDGER_ENDPOINT"]
+    except KeyError:
+        LOG.error(
+            "Missing environment variable 'CONFIDENTIALLEDGER_ENDPOINT' - " "please set it before running the example"
+        )
+        sys.exit(1)
+
+    # Under the current URI format, the ledger id is the first part of the ledger endpoint.
+    # i.e. https://<ledger id>.confidential-ledger.azure.com
+    ledger_id = ledger_endpoint.replace("https://", "").split(".")[0]
+
+    identity_service_client = ConfidentialLedgerCertificateClient()  # type: ignore[call-arg]
+    async with identity_service_client:
+        ledger_certificate = await identity_service_client.get_ledger_identity(ledger_id)
+
+    # The Confidential Ledger's TLS certificate must be written to a file to be used by the
+    # ConfidentialLedgerClient. Here, we write it to a temporary file so that is is cleaned up
+    # automatically when the program exits.
+    with tempfile.TemporaryDirectory() as tempdir:
+        ledger_cert_file = os.path.join(tempdir, f"{ledger_id}.pem")
+        with open(ledger_cert_file, "w") as outfile:
+            outfile.write(ledger_certificate["ledgerTlsCertificate"])
+
+        print(
+            f"Ledger certificate has been written to {ledger_cert_file}. "
+            "It will be deleted when the script completes."
+        )
+
+        print(
+            "The certificate can be used to create a ConfidentialLedgerClient instance."
+            "See samples for the azure-confidentialledger package for details:"
+            "https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/confidentialledger/azure-confidentialledger/samples"
+        )
+
+if __name__ == "__main__":
+    asyncio.run(main())

sdk/confidentialledger/azure-confidentialledger-certificate/tests/_shared/constants.py

@@ -0,0 +1,74 @@
+# pylint: disable=line-too-long,useless-suppression
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+
+import os
+
+TEST_PROXY_CERT = os.path.abspath(
+    os.path.join(
+        os.path.dirname(__file__), "..", "..", "..", "..", "..", "eng", "common", "testproxy", "dotnet-devcert.crt"
+    )
+)
+
+# Duplicate certificate from KeyVault.
+# https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-certificates/tests/ca.crt
+USER_CERTIFICATE_PUBLIC_KEY = """-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIUYju9zymmCCF7rCaROzfZs0pNgmkwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTA4MjgyMjU0MTNaFw0xOTA5
+MjcyMjU0MTNaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQD0YrMz5atoPmTTxLtCO69kM3E97bdjJgyAVZJS9mP3
+HQyHkFNb09eDeAAzcZLR5nYXX7yweowTWVcIe3k9+Z/tUeVrAlOVe2COaIHAUZIh
+jELq/u8257/8MqqbKXhsyrWNAVDyKndDgvbbgxNsUTbMoAe9BCL/5fzowsnPLaCI
+MCYRaQJUySbIoTmKi11hF09CFFSkL9nvfQODFyEde6JHPWrVRse2lioPLJeC9LoU
+GNNZnbqry+UbHp4vORPp6OQTqBTm1ZVWPzCuYuWUmEe27K7zghEJr/Yx0OLq9kI5
+H960CSOkdhsOTcBkORfhivSQnmOn2RnCPIEsUTzjwXNZAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQIAunu6y1BmFSDfFNfTnqFggB0gzAfBgNVHSMEGDAWgBQIAunu6y1BmFSD
+fFNfTnqFggB0gzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr
++RM7gbqWRXnWJwE/hV/ZI2hXAhDN4RYQ4fWMJfg/E9wcLeqqRtJhXbqpJW08IZWp
+QKcWfrFcfZ3ZxVAi5Ey+iuvD2VeBf9v5RZI4c9JqswS9xG2A1x/BeGcUk1y/q9E5
+4whf5fLSJQVxK+C53yemoHPrBg8zVhLJv5SG7Uw7jcqiQvu2aHGGWPLiO7mmMPtP
+qO/I+6FjXuBpNomTqM897MY3Qzg43rpoCilpOpkRtMHknfhFxt05p+Fn73Fb60ru
+ZsFRA52lsEBxGmI0QmXGjwkUZFwQTXEDUWwId3VJxoHRZwv1gmHfwhkYt+mNWJDa
+mU7AMDzlQRwGC8hpWJRT
+-----END CERTIFICATE-----"""
+
+# https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/azure-keyvault-certificates/tests/ca.key
+USER_CERTIFICATE_PRIVATE_KEY = (
+    "-----BEGIN RSA PRIVATE KEY-----\n"  # [SuppressMessage("Microsoft.Security", "CS001:SecretInline", Justification="Test secret that is found elsewhere in this repo")]
+    """MIIEpQIBAAKCAQEA9GKzM+WraD5k08S7QjuvZDNxPe23YyYMgFWSUvZj9x0Mh5BT
+W9PXg3gAM3GS0eZ2F1+8sHqME1lXCHt5Pfmf7VHlawJTlXtgjmiBwFGSIYxC6v7v
+Nue//DKqmyl4bMq1jQFQ8ip3Q4L224MTbFE2zKAHvQQi/+X86MLJzy2giDAmEWkC
+VMkmyKE5iotdYRdPQhRUpC/Z730DgxchHXuiRz1q1UbHtpYqDyyXgvS6FBjTWZ26
+q8vlGx6eLzkT6ejkE6gU5tWVVj8wrmLllJhHtuyu84IRCa/2MdDi6vZCOR/etAkj
+pHYbDk3AZDkX4Yr0kJ5jp9kZwjyBLFE848FzWQIDAQABAoIBAHrhegv5SrOy083r
+mODX0/wFJcam1dRD2HtbC6UtgNxLPfaYKmH85duUJj23uMRUJkLgf6cZJ3+/J1T7
+iN4Ru0mAKWQiGlcKX2WbxMon+dtmhGtW3n90DgPIkiJMuuGxF5Kb+9CYa7mFi4ya
+ntSTDYPcX6e6AcM8KGv9La4/2f0/hQKCN3jZbnQ/GqjnJdxrAV1KV0IMoNPpZmat
+Sa0EZ9eiR57/xAe1OxceEt0nO7hAl+jX7tFEGvaNClKG2OMgZ+oHOxI+s9jW8DyD
+wRJbd0hxUl/KXLxzyeFTBdLxB+SQtlcr4w5khyt3AvlKd4Iveqkq2FBCtfATYitt
++Ic61IUCgYEA/j4mMdo+qokzACmGJWEquC6yNoUI5aYsHTRVvX0sLpBX7MapIEwM
+zHdvMEFBxw8rs7ll1xELW+dnbIZqj/ou43E3+PSgovdFGOA8kQlPpcIIutTEZQh7
+dlWzvAVZr0iO4xfXY2gFQot41fY4yRy8Q14ayo/VjQK4uKlnGqqlmwsCgYEA9hMc
+FIAYpit7779tKD+O4vEkMoTkIxqSAZUuOZ5qB5UaF4Y/+MIGZUnrjJlGLnoFQmsP
+CVPVMOQKV7yjg0LBadeDHEjESwHJNk0qxPSXWuXGlu01yVkqUehNumSBdnSLBmjR
+jNIxPVEmW9d6+eAzIFiTkwqM9cAuLb75DL++iasCgYEAxhqzNEE0dzl0zfmNF29B
+FEb+glDi/96dnRv8eywf0yCSAmNBwXLAvkmKD/WpRWxixyX9XrlfOntzMTMDsbBl
+/L9pt8kVqiY2Zw3C49h3gVdR6hKD/Z3AZhKdfDJHEbfd7sHTCRgykQmQXFgBI2QK
+pguboJ627atjODB3sGWrqMUCgYEA2QoJ3lsNYqM/8TpaQQGuOaSPVK+5uOyakyLN
+XqzGwGFWXiFfEz2u/m+wfpZCPIQLV4WuAYAbrb+1D6WmYwPiLESVs8DKwY2Vt3tg
+mc9SIC5CdqRKqIkoto264Qf82En6xXB2Q0qxe2+z8ZWhNfv1nDYEE9FeevNCx76F
+VCVbHXkCgYEA4+FD1q6iwl9wsAOKFVo+W044/MhKHDsyIED3YOzeRTAWRl2w/KX0
+c5ty2KecGu0cVXoAv2YUttHsuMZfm/QdosZr9UB4CR2lmzRys3LSx6QzCkZeMb/s
+QOMs6SYCPXggdXCAu9EVf5+TtYQg7aQNTTuYErlyq2g/tk3un8bHTwI=
+-----END RSA PRIVATE KEY-----"""
+)
+
+USER_CERTIFICATE = f"{USER_CERTIFICATE_PUBLIC_KEY}\n{USER_CERTIFICATE_PRIVATE_KEY}"
+
+USER_CERTIFICATE_THUMBPRINT = (
+    "5F:23:3D:26:E2:28:88:9C:06:E0:88:21:FA:C7:B2:9A:F8:81:30:6B:F9:15:41:F2:34:05:05:44:4C:AD:5A:B5"
+)