[Key Vault] Test keys library against managed HSM (#17458)

sdk/keyvault/azure-keyvault-keys/dev_requirements.txt

@@ -4,4 +4,5 @@
 -e ../azure-mgmt-keyvault
 -e ../../../tools/azure-sdk-tools
 ../azure-keyvault-nspkg
-aiohttp>=3.0; python_version >= '3.5'
+aiohttp>=3.0; python_version >= '3.5'
+parameterized>=0.7.3

sdk/keyvault/azure-keyvault-keys/platform-matrix.json

@@ -0,0 +1,17 @@
+{
+  "include": [
+    {
+      "Agent": {
+          "ubuntu-18.04": {
+            "OSVmImage": "MMSUbuntu18.04",
+            "Pool": "azsdk-pool-mms-ubuntu-1804-general"
+          }
+      },
+      "HSM": {
+          "ArmTemplateParameters": "@{ enableHsm = $true }"
+      },
+      "PythonVersion": "3.9",
+      "CoverageArg": ""
+    }
+  ]
+}

sdk/keyvault/azure-keyvault-keys/tests/_test_case.py

@@ -0,0 +1,74 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import os
+
+from azure.keyvault.keys._shared import HttpChallengeCache
+from devtools_testutils import AzureTestCase
+from parameterized import parameterized
+import pytest
+from six.moves.urllib_parse import urlparse
+
+
+def suffixed_test_name(testcase_func, param_num, param):
+    suffix = "mhsm" if param.kwargs.get("is_hsm") else "vault"
+    return "{}_{}".format(testcase_func.__name__, parameterized.to_safe_name(suffix))
+
+
+class KeysTestCase(AzureTestCase):
+    def setUp(self, *args, **kwargs):
+        vault_playback_url = "https://vaultname.vault.azure.net"
+        hsm_playback_url = "https://managedhsmname.managedhsm.azure.net"
+
+        if self.is_live:
+            self.vault_url = os.environ["AZURE_KEYVAULT_URL"]
+            self._scrub_url(real_url=self.vault_url, playback_url=vault_playback_url)
+
+            self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
+            if self.managed_hsm_url:
+                self._scrub_url(real_url=self.managed_hsm_url, playback_url=hsm_playback_url)
+        else:
+            self.vault_url = vault_playback_url
+            self.managed_hsm_url = hsm_playback_url
+
+        self._set_mgmt_settings_real_values()
+        super(KeysTestCase, self).setUp(*args, **kwargs)
+
+    def tearDown(self):
+        HttpChallengeCache.clear()
+        assert len(HttpChallengeCache._cache) == 0
+        super(KeysTestCase, self).tearDown()
+
+    def create_key_client(self, vault_uri, **kwargs):
+        if kwargs.pop("is_async", False):
+            from azure.keyvault.keys.aio import KeyClient
+            credential = self.get_credential(KeyClient, is_async=True)
+        else:
+            from azure.keyvault.keys import KeyClient
+            credential = self.get_credential(KeyClient)
+        return self.create_client_from_credential(KeyClient, credential=credential, vault_url=vault_uri, **kwargs)
+
+    def create_crypto_client(self, key,**kwargs):
+        if kwargs.pop("is_async", False):
+            from azure.keyvault.keys.crypto.aio import CryptographyClient
+            credential = self.get_credential(CryptographyClient, is_async=True)
+        else:
+            from azure.keyvault.keys.crypto import CryptographyClient
+            credential = self.get_credential(CryptographyClient)
+        return self.create_client_from_credential(CryptographyClient, credential=credential, key=key, **kwargs)
+
+    def _scrub_url(self, real_url, playback_url):
+        real = urlparse(real_url)
+        playback = urlparse(playback_url)
+        self.scrubber.register_name_pair(real.netloc, playback.netloc)
+
+    def _set_mgmt_settings_real_values(self):
+        if self.is_live:
+            os.environ["AZURE_TENANT_ID"] = os.environ["KEYVAULT_TENANT_ID"]
+            os.environ["AZURE_CLIENT_ID"] = os.environ["KEYVAULT_CLIENT_ID"]
+            os.environ["AZURE_CLIENT_SECRET"] = os.environ["KEYVAULT_CLIENT_SECRET"]
+
+    def _skip_if_not_configured(self, is_hsm):
+        if self.is_live and is_hsm and self.managed_hsm_url is None:
+            pytest.skip("No HSM endpoint for live testing")

sdk/keyvault/azure-keyvault-keys/tests/recordings/test_crypto_client.test_ec_key_id_mhsm.yaml

@@ -0,0 +1,131 @@
+interactions:
+- request:
+    body: null
+    headers:
+      Accept:
+      - application/json
+      Accept-Encoding:
+      - gzip, deflate
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '0'
+      Content-Type:
+      - application/json
+      User-Agent:
+      - azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
+    method: POST
+    uri: https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/create?api-version=7.2-preview
+  response:
+    body:
+      string: ''
+    headers:
+      cache-control:
+      - no-cache
+      content-length:
+      - '0'
+      content-security-policy:
+      - default-src 'self'
+      content-type:
+      - application/json; charset=utf-8
+      strict-transport-security:
+      - max-age=31536000; includeSubDomains
+      www-authenticate:
+      - Bearer authorization="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47",
+        resource="https://managedhsm.azure.net"
+      x-content-type-options:
+      - nosniff
+      x-frame-options:
+      - SAMEORIGIN
+      x-ms-server-latency:
+      - '1'
+    status:
+      code: 401
+      message: Unauthorized
+- request:
+    body: '{"kty": "EC-HSM"}'
+    headers:
+      Accept:
+      - application/json
+      Accept-Encoding:
+      - gzip, deflate
+      Connection:
+      - keep-alive
+      Content-Length:
+      - '17'
+      Content-Type:
+      - application/json
+      User-Agent:
+      - azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
+    method: POST
+    uri: https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/create?api-version=7.2-preview
+  response:
+    body:
+      string: '{"attributes":{"created":1616194950,"enabled":true,"exportable":false,"recoverableDays":90,"recoveryLevel":"Recoverable+Purgeable","updated":1616194950},"key":{"crv":"P-256","key_ops":["verify","sign"],"kid":"https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/38f9028c28e24b9b80fe3b2800c5950d","kty":"EC-HSM","x":"aD-Od-CpwDHTx3T9XEPYR3-KxdmZg_wtFekJBlrAaSM","y":"exOWHTfjEM5Qwg6GAF09KXJpwN7Ov8LN_ZxxIlqpK9I"}}'
+    headers:
+      cache-control:
+      - no-cache
+      content-length:
+      - '433'
+      content-security-policy:
+      - default-src 'self'
+      content-type:
+      - application/json; charset=utf-8
+      strict-transport-security:
+      - max-age=31536000; includeSubDomains
+      x-content-type-options:
+      - nosniff
+      x-frame-options:
+      - SAMEORIGIN
+      x-ms-keyvault-network-info:
+      - addr=172.92.159.124
+      x-ms-keyvault-region:
+      - eastus2
+      x-ms-server-latency:
+      - '261'
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      Accept:
+      - application/json
+      Accept-Encoding:
+      - gzip, deflate
+      Connection:
+      - keep-alive
+      User-Agent:
+      - azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
+    method: GET
+    uri: https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/38f9028c28e24b9b80fe3b2800c5950d?api-version=7.2-preview
+  response:
+    body:
+      string: '{"attributes":{"created":1616194950,"enabled":true,"exportable":false,"recoverableDays":90,"recoveryLevel":"Recoverable+Purgeable","updated":1616194950},"key":{"crv":"P-256","key_ops":["verify","sign"],"kid":"https://managedhsmname.managedhsm.azure.net/keys/livekvtesteckey33180f9c/38f9028c28e24b9b80fe3b2800c5950d","kty":"EC-HSM","x":"aD-Od-CpwDHTx3T9XEPYR3-KxdmZg_wtFekJBlrAaSM","y":"exOWHTfjEM5Qwg6GAF09KXJpwN7Ov8LN_ZxxIlqpK9I"}}'
+    headers:
+      cache-control:
+      - no-cache
+      content-length:
+      - '433'
+      content-security-policy:
+      - default-src 'self'
+      content-type:
+      - application/json; charset=utf-8
+      strict-transport-security:
+      - max-age=31536000; includeSubDomains
+      x-content-type-options:
+      - nosniff
+      x-frame-options:
+      - SAMEORIGIN
+      x-ms-build-version:
+      - 1.0.20210306-1-6fb7c19a-develop
+      x-ms-keyvault-network-info:
+      - addr=172.92.159.124
+      x-ms-keyvault-region:
+      - eastus2
+      x-ms-server-latency:
+      - '126'
+    status:
+      code: 200
+      message: OK
+version: 1

sdk/keyvault/azure-keyvault-keys/tests/recordings/test_crypto_client.test_ec_key_id.yaml → sdk/keyvault/azure-keyvault-keys/tests/recordings/test_crypto_client.test_ec_key_id_vault.yaml

@@ -13,9 +13,9 @@ interactions:
       Content-Type:
       - application/json
       User-Agent:
-      - azsdk-python-keyvault-keys/4.3.2 Python/3.5.3 (Windows-10-10.0.19041-SP0)
+      - azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
     method: POST
-    uri: https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/create?api-version=7.2-preview
+    uri: https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/create?api-version=7.2-preview
   response:
     body:
       string: '{"error":{"code":"Unauthorized","message":"Request is missing a Bearer
@@ -28,7 +28,7 @@ interactions:
       content-type:
       - application/json; charset=utf-8
       date:
-      - Sat, 06 Feb 2021 02:20:10 GMT
+      - Fri, 19 Mar 2021 23:02:35 GMT
       expires:
       - '-1'
       pragma:
@@ -41,11 +41,11 @@ interactions:
       x-content-type-options:
       - nosniff
       x-ms-keyvault-network-info:
-      - conn_type=Ipv4;addr=174.127.232.53;act_addr_fam=InterNetwork;
+      - conn_type=Ipv4;addr=172.92.159.124;act_addr_fam=InterNetwork;
       x-ms-keyvault-region:
-      - northeurope
+      - eastus2
       x-ms-keyvault-service-version:
-      - 1.2.164.0
+      - 1.2.205.0
       x-powered-by:
       - ASP.NET
     status:
@@ -65,12 +65,12 @@ interactions:
       Content-Type:
       - application/json
       User-Agent:
-      - azsdk-python-keyvault-keys/4.3.2 Python/3.5.3 (Windows-10-10.0.19041-SP0)
+      - azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
     method: POST
-    uri: https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/create?api-version=7.2-preview
+    uri: https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/create?api-version=7.2-preview
   response:
     body:
-      string: '{"key":{"kid":"https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/41b7345af65e4e29b0ad3c16103c5cb1","kty":"EC","key_ops":["sign","verify"],"crv":"P-256","x":"xLeGJutfYRgRELSvq0-Yg-q5UmCVaJ8HyBQVi9s98Uk","y":"0MHnZ8jZjyGtp_WUdooqXwqn843uvWUL83SxCrY6nlg"},"attributes":{"enabled":true,"created":1612578012,"updated":1612578012,"recoveryLevel":"Recoverable+Purgeable","recoverableDays":90}}'
+      string: '{"key":{"kid":"https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/c2cbc14fdb0b405f9b4507100f85c84b","kty":"EC","key_ops":["sign","verify"],"crv":"P-256","x":"STISs3_goj91mOlIpNqFxzE1Kj2BPLKR640BCYKu9Fk","y":"CtMP7wzlWetR6NOzwJvpcKL2pRnUB7ziHsiNc763izQ"},"attributes":{"enabled":true,"created":1616194955,"updated":1616194955,"recoveryLevel":"Recoverable+Purgeable","recoverableDays":90}}'
     headers:
       cache-control:
       - no-cache
@@ -79,7 +79,7 @@ interactions:
       content-type:
       - application/json; charset=utf-8
       date:
-      - Sat, 06 Feb 2021 02:20:11 GMT
+      - Fri, 19 Mar 2021 23:02:35 GMT
       expires:
       - '-1'
       pragma:
@@ -89,11 +89,11 @@ interactions:
       x-content-type-options:
       - nosniff
       x-ms-keyvault-network-info:
-      - conn_type=Ipv4;addr=174.127.232.53;act_addr_fam=InterNetwork;
+      - conn_type=Ipv4;addr=172.92.159.124;act_addr_fam=InterNetwork;
       x-ms-keyvault-region:
-      - northeurope
+      - eastus2
       x-ms-keyvault-service-version:
-      - 1.2.164.0
+      - 1.2.205.0
       x-powered-by:
       - ASP.NET
     status:
@@ -109,12 +109,12 @@ interactions:
       Connection:
       - keep-alive
       User-Agent:
-      - azsdk-python-keyvault-keys/4.3.2 Python/3.5.3 (Windows-10-10.0.19041-SP0)
+      - azsdk-python-keyvault-keys/4.4.0b4 Python/3.5.3 (Windows-10-10.0.19041-SP0)
     method: GET
-    uri: https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/41b7345af65e4e29b0ad3c16103c5cb1?api-version=7.2-preview
+    uri: https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/c2cbc14fdb0b405f9b4507100f85c84b?api-version=7.2-preview
   response:
     body:
-      string: '{"key":{"kid":"https://vaultname.vault.azure.net/keys/livekvtesteckeye9470d88/41b7345af65e4e29b0ad3c16103c5cb1","kty":"EC","key_ops":["sign","verify"],"crv":"P-256","x":"xLeGJutfYRgRELSvq0-Yg-q5UmCVaJ8HyBQVi9s98Uk","y":"0MHnZ8jZjyGtp_WUdooqXwqn843uvWUL83SxCrY6nlg"},"attributes":{"enabled":true,"created":1612578012,"updated":1612578012,"recoveryLevel":"Recoverable+Purgeable","recoverableDays":90}}'
+      string: '{"key":{"kid":"https://vaultname.vault.azure.net/keys/livekvtesteckey433d1013/c2cbc14fdb0b405f9b4507100f85c84b","kty":"EC","key_ops":["sign","verify"],"crv":"P-256","x":"STISs3_goj91mOlIpNqFxzE1Kj2BPLKR640BCYKu9Fk","y":"CtMP7wzlWetR6NOzwJvpcKL2pRnUB7ziHsiNc763izQ"},"attributes":{"enabled":true,"created":1616194955,"updated":1616194955,"recoveryLevel":"Recoverable+Purgeable","recoverableDays":90}}'
     headers:
       cache-control:
       - no-cache
@@ -123,7 +123,7 @@ interactions:
       content-type:
       - application/json; charset=utf-8
       date:
-      - Sat, 06 Feb 2021 02:20:12 GMT
+      - Fri, 19 Mar 2021 23:02:36 GMT
       expires:
       - '-1'
       pragma:
@@ -133,11 +133,11 @@ interactions:
       x-content-type-options:
       - nosniff
       x-ms-keyvault-network-info:
-      - conn_type=Ipv4;addr=174.127.232.53;act_addr_fam=InterNetwork;
+      - conn_type=Ipv4;addr=172.92.159.124;act_addr_fam=InterNetwork;
       x-ms-keyvault-region:
-      - northeurope
+      - eastus2
       x-ms-keyvault-service-version:
-      - 1.2.164.0
+      - 1.2.205.0
       x-powered-by:
       - ASP.NET
     status: