Key vault work - RNG and rotation policy (#3560)

* one commit to rule them all * work in progress * tests for serialize deserialize * typos * to lower * enable test * guard live * typos, types, and many more * maybe now ? please ... * PR comments
Azure · Apr 21, 2022 · dcb7548 · dcb7548
1 parent 74397dd
commit dcb7548
Show file tree

Hide file tree

Showing 14 changed files with 732 additions and 18 deletions.
diff --git a/sdk/keyvault/azure-security-keyvault-keys/CMakeLists.txt b/sdk/keyvault/azure-security-keyvault-keys/CMakeLists.txt
@@ -100,6 +100,8 @@ set(
     src/keyvault_key.cpp
     src/keyvault_protocol.cpp
     src/recover_deleted_key_operation.cpp
+    src/key_rotation_policy.cpp
+    src/key_get_random_bytes.cpp
 )
 
 add_library(azure-security-keyvault-keys

diff --git a/sdk/keyvault/azure-security-keyvault-keys/inc/azure/keyvault/keys/key_client.hpp b/sdk/keyvault/azure-security-keyvault-keys/inc/azure/keyvault/keys/key_client.hpp
@@ -190,6 +190,7 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
      * @param options The #GetPropertiesOfKeysOptions object to for setting the operation
      * up.
      * @param context A #Azure::Core::Context controlling the request lifetime.
+     * @return KeyPropertiesPagedResponse
      */
     KeyPropertiesPagedResponse GetPropertiesOfKeys(
         GetPropertiesOfKeysOptions const& options = GetPropertiesOfKeysOptions(),
@@ -212,6 +213,7 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
      * @param options The #GetPropertiesOfKeyVersionsOptions object to for setting the
      * operation up.
      * @param context A #Azure::Core::Context controlling the request lifetime.
+     * @return KeyPropertiesPagedResponse
      */
     KeyPropertiesPagedResponse GetPropertiesOfKeyVersions(
         std::string const& name,
@@ -283,6 +285,7 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
      *
      * @param name The name of the key.
      * @param context A #Azure::Core::Context controlling the request lifetime.
+     * @return Azure::Response<PurgedKey>
      */
     Azure::Response<PurgedKey> PurgeDeletedKey(
         std::string const& name,
@@ -342,6 +345,7 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
      *
      * @param name The name of the key.
      * @param context A #Azure::Core::Context controlling the request lifetime.
+     * @return Azure::Response<Azure::Security::KeyVault::Keys::BackupKeyResult>
      */
     Azure::Response<Azure::Security::KeyVault::Keys::BackupKeyResult> BackupKey(
         std::string const& name,
@@ -364,6 +368,7 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
      *
      * @param backup The backup blob associated with a key.
      * @param context A #Azure::Core::Context controlling the request lifetime.
+     * @return Azure::Response<KeyVaultKey>
      */
     Azure::Response<KeyVaultKey> RestoreKeyBackup(
         std::vector<uint8_t> const& backup,
@@ -398,11 +403,55 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
      * @param importKeyOptions The key import configuration object containing information about
      * the #JsonWebKey being imported.
      * @param context A #Azure::Core::Context controlling the request lifetime.
+     * @return Azure::Response<KeyVaultKey>
      */
     Azure::Response<KeyVaultKey> ImportKey(
         ImportKeyOptions const& importKeyOptions,
         Azure::Core::Context const& context = Azure::Core::Context()) const;
 
+    /**
+     * @brief Lists the policy for a key.
+     *
+     * @remark The GetKeyRotationPolicy operation returns the specified key policy resources in the
+     * specified key vault. This operation requires the keys/get permission.
+     *
+     * @param name The name of the key in a given key vault.
+     * @param context A #Azure::Core::Context controlling the request lifetime.
+     * @return Azure::Response<KeyRotationPolicy>
+     */
+    Azure::Response<KeyRotationPolicy> GetKeyRotationPolicy(
+        std::string const& name,
+        Azure::Core::Context const& context = Azure::Core::Context()) const;
+
+    /**
+     * @brief Updates the rotation policy for a key.
+     *
+     * @remark Set specified members in the key policy. Leave others as undefined. This operation
+     * requires the keys/update permission.
+     *
+     * @param name The name of the key in a given key vault.
+     * @param rotationPolicy The policy for the key.
+     * @param context A #Azure::Core::Context controlling the request lifetime.
+     * @return Azure::Response<KeyRotationPolicy>
+     */
+    Azure::Response<KeyRotationPolicy> PutKeyRotationPolicy(
+        std::string const& name,
+        KeyRotationPolicy const& rotationPolicy,
+        Azure::Core::Context const& context = Azure::Core::Context()) const;
+
+    /**
+     * @brief Get the requested number of bytes containing random values.
+     *
+     * @remark Get the requested number of bytes containing random values from a managed HSM.
+     *
+     * @param options The request object to get random bytes.
+     * @param context A #Azure::Core::Context controlling the request lifetime.
+     * @return Azure::Response<std::vector<uint8_t>>
+     */
+    Azure::Response<GetRandomBytesResult> GetRandomBytes(
+        GetRandomBytesOptions const& options,
+        Azure::Core::Context const& context = Azure::Core::Context()) const;
+
     /**
      * @brief Gets the key client's primary URL endpoint.
      *

diff --git a/sdk/keyvault/azure-security-keyvault-keys/inc/azure/keyvault/keys/key_client_models.hpp b/sdk/keyvault/azure-security-keyvault-keys/inc/azure/keyvault/keys/key_client_models.hpp
@@ -120,8 +120,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
     AZ_SECURITY_KEYVAULT_KEYS_DLLEXPORT static const KeyOperation WrapKey;
 
     /**
-     * @brief The key can be used to unwrap another key with the UnwrapKey(KeyWrapAlgorithm, Byte[],
-     * CancellationToken) method.
+     * @brief The key can be used to unwrap another key with the UnwrapKey(KeyWrapAlgorithm,
+     * Byte[], CancellationToken) method.
      */
     AZ_SECURITY_KEYVAULT_KEYS_DLLEXPORT static const KeyOperation UnwrapKey;
 
@@ -420,8 +420,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
     std::string Version;
 
     /**
-     * @brief Indicate whether the key's lifetime is managed by Key Vault. If this key is backing a
-     * Key Vault certificate, the value will be true.
+     * @brief Indicate whether the key's lifetime is managed by Key Vault. If this key is backing
+     * a Key Vault certificate, the value will be true.
      *
      */
     bool Managed = false;
@@ -505,7 +505,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
     virtual ~KeyVaultKey() = default;
 
     /**
-     * @brief The cryptographic key, the key type, and the operations you can perform using the key.
+     * @brief The cryptographic key, the key type, and the operations you can perform using the
+     * key.
      *
      */
     JsonWebKey Key;
@@ -670,7 +671,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
      *
      * @param deletedKeyProperties A previously created #DeletedKeyPagedResponse that is used to
      * init this new instance.
-     * @param rawResponse The HTTP raw response from where the #DeletedKeyPagedResponse was parsed.
+     * @param rawResponse The HTTP raw response from where the #DeletedKeyPagedResponse was
+     * parsed.
      * @param keyClient A key client required for getting the next pages.
      */
     DeletedKeyPagedResponse(
@@ -713,8 +715,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
     std::string m_continuationToken;
 
     /* This is the implementation for checking the status of a deleted key. The key is considered
-     * deleted if querying /deletedkeys/keyName returns 200 from server. Or whenever soft-delete is
-     * disabled.*/
+     * deleted if querying /deletedkeys/keyName returns 200 from server. Or whenever soft-delete
+     * is disabled.*/
     std::unique_ptr<Azure::Core::Http::RawResponse> PollInternal(
         Azure::Core::Context const& context) override;
 
@@ -776,7 +778,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
     Azure::Security::KeyVault::Keys::DeletedKey Value() const override { return m_value; }
 
     /**
-     * @brief Get an Url as string which can be used to get the status of the delete key operation.
+     * @brief Get an Url as string which can be used to get the status of the delete key
+     * operation.
      *
      * @return std::string
      */
@@ -789,7 +792,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
      * @remark After the operation is initialized, it is used to poll the last update from the
      * server using the \p context.
      *
-     * @param resumeToken A previously generated token used to resume the polling of the operation.
+     * @param resumeToken A previously generated token used to resume the polling of the
+     * operation.
      * @param client A #KeyClient that is used for getting status updates.
      * @param context A #Azure::Core::Context controlling the request lifetime.
      * @return DeleteKeyOperation
@@ -837,8 +841,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
     }
 
     /*
-     * Only friend classes are permitted to construct a RecoverDeletedKeyOperation. This is because
-     * a KeyVaultPipelne is required and it is not exposed to customers.
+     * Only friend classes are permitted to construct a RecoverDeletedKeyOperation. This is
+     * because a KeyVaultPipelne is required and it is not exposed to customers.
      *
      * Since C++ doesn't offer `internal` access, we use friends-only instead.
      */
@@ -875,7 +879,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
     Azure::Security::KeyVault::Keys::KeyVaultKey Value() const override { return m_value; }
 
     /**
-     * @brief Get an Url as string which can be used to get the status of the delete key operation.
+     * @brief Get an Url as string which can be used to get the status of the delete key
+     * operation.
      *
      * @return std::string
      */
@@ -888,7 +893,8 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
      * @remark After the operation is initialized, it is used to poll the last update from the
      * server using the \p context.
      *
-     * @param resumeToken A previously generated token used to resume the polling of the operation.
+     * @param resumeToken A previously generated token used to resume the polling of the
+     * operation.
      * @param client A #KeyClient that is used for getting status updates.
      * @param context A #Azure::Core::Context controlling the request lifetime.
      * @return DeleteKeyOperation
@@ -899,4 +905,124 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
         Azure::Core::Context const& context = Azure::Core::Context());
   };
 
+  /**
+   * @brief LifeTime action type
+   *
+   */
+  enum class LifetimeActionType
+  {
+    /**
+     * @brief Rotate the key based on the key policy.
+     *
+     */
+    Rotate,
+
+    /**
+     * @brief Trigger event grid events. For preview, the notification time is not configurable
+     * and it is default to 30 days before expiry.
+     *
+     */
+    Notify
+  };
+
+  /**
+   * @brief A condition to be satisfied for an action to be executed.
+   */
+  struct LifetimeActionsTrigger final
+  {
+    /**
+     * @brief Time after creation to attempt to rotate. It only applies to rotate. It will be in
+     * ISO 8601 duration format. Example: 90 days : "P90D"
+     *
+     */
+    Azure::Nullable<std::string> TimeAfterCreate;
+    /**
+     * @brief Time before expiry to attempt to rotate or notify. It will be in ISO 8601 duration
+     * format. Example: 90 days : "P90D"
+     *
+     */
+    Azure::Nullable<std::string> TimeBeforeExpiry;
+  };
+
+  /**
+   * @brief Action and its trigger that will be performed by Key Vault over the lifetime of a key.
+   *
+   */
+  struct LifetimeActionsType final
+  {
+    /**
+     * @brief The condition that will execute the action.
+     *
+     */
+    LifetimeActionsTrigger Trigger;
+
+    /**
+     * @brief The action that will be executed.
+     */
+    LifetimeActionType Action;
+  };
+
+  /**
+   * @brief The key rotation policy attributes.
+   *
+   */
+  struct KeyRotationPolicyAttributes final
+  {
+    /**
+     * @brief The expiryTime will be applied on the new key version. It should be at least 28
+     * days. It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours:
+     * PT48H, 1 year and 10 days: P1Y10D
+     */
+    Azure::Nullable<std::string> ExpiryTime;
+
+    /**
+     * @brief The key rotation policy created time in UTC.
+     *
+     */
+    Azure::Nullable<Azure::DateTime> Created;
+
+    /**
+     * @brief The key rotation policy's last updated time in UTC.
+     *
+     */
+    Azure::Nullable<Azure::DateTime> Updated;
+  };
+
+  /**
+   * @brief Rotation policy for a key.
+   */
+  struct KeyRotationPolicy final
+  {
+    /**
+     * @brief The key policy id.
+     */
+    std::string Id;
+
+    /**
+     * @brief Actions that will be performed by Key Vault over the lifetime of a key. For preview,
+     * lifetimeActions can only have two items at maximum: one for rotate, one for notify.
+     * Notification time would be default to 30 days before expiry and it is not configurable.
+     *
+     */
+    std::vector<LifetimeActionsType> LifetimeActions;
+
+    /**
+     * @brief The key rotation policy attributes.
+     */
+    KeyRotationPolicyAttributes Attributes;
+  };
+
+  /**
+   * @brief The GetRandomBytes result type containing the random bytes bytes.
+   *
+   */
+  struct GetRandomBytesResult final
+  {
+    /**
+     * @brief The random generated bytes.
+     *
+     */
+    std::vector<uint8_t> RandomBytes;
+  };
+
 }}}} // namespace Azure::Security::KeyVault::Keys
diff --git a/sdk/keyvault/azure-security-keyvault-keys/inc/azure/keyvault/keys/key_client_options.hpp b/sdk/keyvault/azure-security-keyvault-keys/inc/azure/keyvault/keys/key_client_options.hpp
@@ -401,4 +401,17 @@ namespace Azure { namespace Security { namespace KeyVault { namespace Keys {
     std::string const& Name() const { return Properties.Name; }
   };
 
+  /**
+   * @brief Get Random Bytes options
+   *
+   */
+  struct GetRandomBytesOptions final
+  {
+    /**
+     * @brief The requested number of random bytes.
+     *
+     */
+    int32_t Count;
+  };
+
 }}}} // namespace Azure::Security::KeyVault::Keys