diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py
index 679ab6995134..008faf70ac0d 100644
--- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py
+++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py
@@ -2,4 +2,15 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
-__path__ = __import__("pkgutil").extend_path(__path__, __name__) # type: ignore
+from ._access_control_client import KeyVaultAccessControlClient
+from ._internal.client_base import ApiVersion
+from ._models import KeyVaultPermission, KeyVaultRoleAssignment, KeyVaultRoleDefinition
+
+
+__all__ = [
+ "ApiVersion",
+ "KeyVaultAccessControlClient",
+ "KeyVaultPermission",
+ "KeyVaultRoleAssignment",
+ "KeyVaultRoleDefinition",
+]
diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py
new file mode 100644
index 000000000000..862fc8cea88c
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py
@@ -0,0 +1,114 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+from typing import TYPE_CHECKING
+
+from azure.core.tracing.decorator import distributed_trace
+
+from ._models import KeyVaultRoleAssignment, KeyVaultRoleDefinition
+from ._internal import KeyVaultClientBase
+
+if TYPE_CHECKING:
+ from typing import Any, Union
+ from uuid import UUID
+ from azure.core.paging import ItemPaged
+
+
+class KeyVaultAccessControlClient(KeyVaultClientBase):
+ """Manages role-based access to Azure Key Vault.
+
+ :param str vault_url: URL of the vault the client will manage. This is also called the vault's "DNS Name".
+ :param credential: an object which can provide an access token for the vault, such as a credential from
+ :mod:`azure.identity`
+ """
+
+ # pylint:disable=protected-access
+
+ @distributed_trace
+ def create_role_assignment(self, role_scope, role_assignment_name, role_definition_id, principal_id, **kwargs):
+ # type: (str, Union[str, UUID], str, str, **Any) -> KeyVaultRoleAssignment
+ """Create a role assignment.
+
+ :param str role_scope: scope the role assignment will apply over
+ :param role_assignment_name: a name for the role assignment. Must be a UUID.
+ :type role_assignment_name: str or uuid.UUID
+ :param str role_definition_id: ID of the role's definition
+ :param str principal_id: Azure Active Directory object ID of the principal which will be assigned the role. The
+ principal can be a user, service principal, or security group.
+ :rtype: KeyVaultRoleAssignment
+ """
+ create_parameters = self._client.role_assignments.models.RoleAssignmentCreateParameters(
+ properties=self._client.role_assignments.models.RoleAssignmentProperties(
+ principal_id=principal_id, role_definition_id=str(role_definition_id)
+ )
+ )
+ assignment = self._client.role_assignments.create(
+ vault_base_url=self._vault_url,
+ scope=role_scope,
+ role_assignment_name=role_assignment_name,
+ parameters=create_parameters,
+ **kwargs
+ )
+ return KeyVaultRoleAssignment._from_generated(assignment)
+
+ @distributed_trace
+ def delete_role_assignment(self, role_scope, role_assignment_name, **kwargs):
+ # type: (str, Union[str, UUID], **Any) -> KeyVaultRoleAssignment
+ """Delete a role assignment.
+
+ :param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/"
+ :param role_assignment_name: the assignment's name. Must be a UUID.
+ :type role_assignment_name: str or uuid.UUID
+ :returns: the deleted assignment
+ :rtype: KeyVaultRoleAssignment
+ """
+ assignment = self._client.role_assignments.delete(
+ vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs
+ )
+ return KeyVaultRoleAssignment._from_generated(assignment)
+
+ @distributed_trace
+ def get_role_assignment(self, role_scope, role_assignment_name, **kwargs):
+ # type: (str, Union[str, UUID], **Any) -> KeyVaultRoleAssignment
+ """Get a role assignment.
+
+ :param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/"
+ :param role_assignment_name: the assignment's name. Must be a UUID.
+ :type role_assignment_name: str or uuid.UUID
+ :rtype: KeyVaultRoleAssignment
+ """
+ assignment = self._client.role_assignments.get(
+ vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs
+ )
+ return KeyVaultRoleAssignment._from_generated(assignment)
+
+ @distributed_trace
+ def list_role_assignments(self, role_scope, **kwargs):
+ # type: (str, **Any) -> ItemPaged[KeyVaultRoleAssignment]
+ """List all role assignments for a scope.
+
+ :param str role_scope: scope of the role assignments
+ :rtype: ~azure.core.paging.ItemPaged[KeyVaultRoleAssignment]
+ """
+ return self._client.role_assignments.list_for_scope(
+ self._vault_url,
+ role_scope,
+ cls=lambda result: [KeyVaultRoleAssignment._from_generated(a) for a in result],
+ **kwargs
+ )
+
+ @distributed_trace
+ def list_role_definitions(self, role_scope, **kwargs):
+ # type: (str, **Any) -> ItemPaged[KeyVaultRoleDefinition]
+ """List all role definitions applicable at and above a scope.
+
+ :param str role_scope: scope of the role definitions
+ :rtype: ~azure.core.paging.ItemPaged[KeyVaultRoleDefinition]
+ """
+ return self._client.role_definitions.list(
+ self._vault_url,
+ role_scope,
+ cls=lambda result: [KeyVaultRoleDefinition._from_generated(d) for d in result],
+ **kwargs
+ )
diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py
new file mode 100644
index 000000000000..81d9b1165a3e
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py
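Review bot: `create_role_assignment` forwards `role_assignment_name` to the generated client as-is, while `delete_role_assignment` and `get_role_assignment` in the same hunk pass `str(role_assignment_name)`; since the parameter is typed `Union[str, UUID]`, a `uuid.UUID` value reaches the generated layer as an object on the create path but as a string on the other two. Making the create call consistent, `role_assignment_name=str(role_assignment_name),`, removes the discrepancy. The same mismatch is in the async `create_role_assignment` in the later hunk for `aio/_access_control_client.py`. Separately, every docstring says the name "Must be a UUID" but nothing checks it client-side; whether the service rejects non-UUID names is not visible here, so either validate up front with `uuid.UUID(str(role_assignment_name))` or state in the docstring that validation happens server-side.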
@@ -0,0 +1,167 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+ from typing import Any
+
+
+# pylint:disable=protected-access
+
+
+class KeyVaultPermission(object):
+ """Role definition permissions.
+
+ :ivar list[str] actions: allowed actions
+ :ivar list[str] not_actions: denied actions
+ :ivar list[str] data_actions: allowed data actions
+ :ivar list[str] not_data_actions: denied data actions
+ """
+
+ def __init__(self, **kwargs):
+ # type: (**Any) -> None
+ self.actions = kwargs.get("actions")
+ self.not_actions = kwargs.get("not_actions")
+ self.data_actions = kwargs.get("data_actions")
+ self.not_data_actions = kwargs.get("not_data_actions")
+
+ @classmethod
+ def _from_generated(cls, permissions):
+ return cls(
+ actions=permissions.actions,
+ not_actions=permissions.not_actions,
+ data_actions=permissions.data_actions,
+ not_data_actions=permissions.not_data_actions,
+ )
+
+
+class KeyVaultRoleAssignment(object):
+ """Represents the assignment to a principal of a role over a scope"""
+
+ def __init__(self, **kwargs):
+ # type: (**Any) -> None
+ self._assignment_id = kwargs.get("assignment_id")
+ self._name = kwargs.get("name")
+ self._properties = kwargs.get("properties")
+ self._type = kwargs.get("assignment_type")
+
+ def __repr__(self):
+ # type: () -> str
+ return "KeyVaultRoleAssignment<{}>".format(self._assignment_id)
+
+ @property
+ def assignment_id(self):
+ # type: () -> str
+ """unique identifier for this assignment"""
+ return self._assignment_id
+
+ @property
+ def name(self):
+ # type: () -> str
+ """name of the assignment"""
+ return self._name
+
+ @property
+ def principal_id(self):
+ # type: () -> str
+ """ID of the principal this assignment applies to.
+
+ This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group.
+ """ + return self._properties.principal_id + + @property + def role_definition_id(self): + # type: () -> str + """ID of the role's definition""" + return self._properties.role_definition_id + + @property + def scope(self): + # type: () -> str + """scope of the assignment""" + return self._properties.scope + + @property + def type(self): + # type: () -> str + """the type of this assignment""" + return self._type + + @classmethod + def _from_generated(cls, role_assignment): + return cls( + assignment_id=role_assignment.id, + name=role_assignment.name, + assignment_type=role_assignment.type, + properties=KeyVaultRoleAssignmentProperties._from_generated(role_assignment.properties), + ) + + +class KeyVaultRoleAssignmentProperties(object): + def __init__(self, **kwargs): + # type: (**Any) -> None + self.principal_id = kwargs.get("principal_id") + self.role_definition_id = kwargs.get("role_definition_id") + self.scope = kwargs.get("scope") + + def __repr__(self): + # type: () -> str + return "KeyVaultRoleAssignmentProperties(principal_id={}, role_definition_id={}, scope={})".format( + self.principal_id, self.role_definition_id, self.scope + )[:1024] + + @classmethod + def _from_generated(cls, role_assignment_properties): + # the generated RoleAssignmentProperties and RoleAssignmentPropertiesWithScope + # models differ only in that the latter has a "scope" attribute + return cls( + principal_id=role_assignment_properties.principal_id, + role_definition_id=role_assignment_properties.role_definition_id, + scope=getattr(role_assignment_properties, "scope", None), + ) + + +class KeyVaultRoleDefinition(object): + """Role definition. + + :ivar str id: The role definition ID. + :ivar str name: The role definition name. + :ivar str type: The role definition type. + :ivar str role_name: The role name. + :ivar str description: The role definition description. + :ivar str role_type: The role type. + :ivar permissions: Role definition permissions. 
+ :vartype permissions: list[KeyVaultPermission]
+ :ivar list[str] assignable_scopes: Role definition assignable scopes.
+ """
+
+ def __init__(self, **kwargs):
+ # type: (**Any) -> None
+ self.id = kwargs.get("id")
+ self.name = kwargs.get("name")
+ self.role_name = kwargs.get("role_name")
+ self.description = kwargs.get("description")
+ self.role_type = kwargs.get("role_type")
+ self.type = kwargs.get("type")
+ self.permissions = kwargs.get("permissions")
+ self.assignable_scopes = kwargs.get("assignable_scopes")
+
+ def __repr__(self):
+ # type: () -> str
+ return "".format(self.role_name)[:1024]
+
+ @classmethod
+ def _from_generated(cls, definition):
+ return cls(
+ assignable_scopes=definition.assignable_scopes,
+ description=definition.description,
+ id=definition.id,
+ name=definition.name,
+ permissions=[KeyVaultPermission._from_generated(p) for p in definition.permissions],
+ role_name=definition.role_name,
+ role_type=definition.role_type,
+ type=definition.type,
+ )
diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/__init__.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/__init__.py
index b74cfa3b899c..45ea36c883e7 100644
--- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/__init__.py
+++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/__init__.py
@@ -2,3 +2,6 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
+from ._access_control_client import KeyVaultAccessControlClient
+
+__all__ = ["KeyVaultAccessControlClient"]
diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py
new file mode 100644
index 000000000000..a9cd70ffcd66
--- /dev/null
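Review bot: The `principal_id`, `role_definition_id` and `scope` properties of `KeyVaultRoleAssignment` dereference `self._properties`, which `__init__` takes from `kwargs.get("properties")` and so is `None` whenever the public constructor is called without it; reading those three then raises `AttributeError`, whereas `assignment_id` and `name` simply return `None`. A guard in each, for example `return self._properties.principal_id if self._properties else None`, keeps the model's behaviour uniform. `KeyVaultRoleDefinition._from_generated` likewise iterates `definition.permissions` unguarded, so a `None` there (whether the generated model allows it is not visible here) would fail the comprehension. `KeyVaultRoleDefinition.__repr__` as shown is `"".format(self.role_name)[:1024]`, which returns `""` for every instance; if an angle-bracketed template was lost in rendering this can be ignored, otherwise the format string is missing its text.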
+++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py 
@@ -0,0 +1,121 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+from typing import TYPE_CHECKING
+
+from azure.core.tracing.decorator import distributed_trace
+from azure.core.tracing.decorator_async import distributed_trace_async
+
+from .._models import KeyVaultRoleAssignment, KeyVaultRoleDefinition
+from .._internal import AsyncKeyVaultClientBase
+
+if TYPE_CHECKING:
+ from typing import Any, Union
+ from uuid import UUID
+ from azure.core.async_paging import AsyncItemPaged
+
+
+class KeyVaultAccessControlClient(AsyncKeyVaultClientBase):
+ """Manages role-based access to Azure Key Vault.
+
+ :param str vault_url: URL of the vault the client will manage. This is also called the vault's "DNS Name".
+ :param credential: an object which can provide an access token for the vault, such as a credential from
+ :mod:`azure.identity`
+ """
+
+ # pylint:disable=protected-access
+
+ @distributed_trace_async
+ async def create_role_assignment(
+ self,
+ role_scope: str,
+ role_assignment_name: "Union[str, UUID]",
+ role_definition_id: str,
+ principal_id: str,
+ **kwargs: "Any"
+ ) -> KeyVaultRoleAssignment:
+ """Create a role assignment.
+
+ :param str role_scope: scope the role assignment will apply over
+ :param role_assignment_name: a name for the role assignment. Must be a UUID.
+ :type role_assignment_name: str or uuid.UUID
+ :param str role_definition_id: ID of the role's definition
+ :param str principal_id: Azure Active Directory object ID of the principal which will be assigned the role. The
+ principal can be a user, service principal, or security group.
+ :rtype: KeyVaultRoleAssignment
+ """
+ create_parameters = self._client.role_assignments.models.RoleAssignmentCreateParameters(
+ properties=self._client.role_assignments.models.RoleAssignmentProperties(
+ principal_id=principal_id, role_definition_id=str(role_definition_id)
+ )
+ )
+ assignment = await self._client.role_assignments.create(
+ vault_base_url=self._vault_url,
+ scope=role_scope,
+ role_assignment_name=role_assignment_name,
+ parameters=create_parameters,
+ **kwargs
+ )
+ return KeyVaultRoleAssignment._from_generated(assignment)
+
+ @distributed_trace_async
+ async def delete_role_assignment(
+ self, role_scope: str, role_assignment_name: "Union[str, UUID]", **kwargs: "Any"
+ ) -> KeyVaultRoleAssignment:
+ """Delete a role assignment.
+
+ :param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/"
+ :param role_assignment_name: the assignment's name. Must be a UUID.
+ :type role_assignment_name: str or uuid.UUID
+ :returns: the deleted assignment
+ :rtype: KeyVaultRoleAssignment
+ """
+ assignment = await self._client.role_assignments.delete(
+ vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs
+ )
+ return KeyVaultRoleAssignment._from_generated(assignment)
+
+ @distributed_trace_async
+ async def get_role_assignment(
+ self, role_scope: str, role_assignment_name: "Union[str, UUID]", **kwargs: "Any"
+ ) -> KeyVaultRoleAssignment:
+ """Get a role assignment.
+
+ :param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/"
+ :param role_assignment_name: the assignment's name. Must be a UUID.
+ :type role_assignment_name: str or uuid.UUID
+ :rtype: KeyVaultRoleAssignment
+ """
+ assignment = await self._client.role_assignments.get(
+ vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs
+ )
+ return KeyVaultRoleAssignment._from_generated(assignment)
+
+ @distributed_trace
+ def list_role_assignments(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[KeyVaultRoleAssignment]":
+ """List all role assignments for a scope.
+
+ :param str role_scope: scope of the role assignments
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[KeyVaultRoleAssignment]
+ """
+ return self._client.role_assignments.list_for_scope(
+ self._vault_url,
+ role_scope,
+ cls=lambda result: [KeyVaultRoleAssignment._from_generated(a) for a in result],
+ **kwargs
+ )
+
+ @distributed_trace
+ def list_role_definitions(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[KeyVaultRoleDefinition]":
+ """List all role definitions applicable at and above a scope.
+
+ :param str role_scope: scope of the role definitions
+ :rtype: ~azure.core.async_paging.AsyncItemPaged[KeyVaultRoleDefinition]
+ """
+ return self._client.role_definitions.list(
+ self._vault_url,
+ role_scope,
+ cls=lambda result: [KeyVaultRoleDefinition._from_generated(d) for d in result],
+ **kwargs
+ )
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_list_role_definitions.yaml b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_list_role_definitions.yaml
new file mode 100644
index 000000000000..619557270b11
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_list_role_definitions.yaml
@@ -0,0 +1,69 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + Content-Length: + - '0' + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: !!python/unicode OK + headers: + content-length: + - '2' + content-type: + - application/json + www-authenticate: + - Bearer authorization="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47", + resource="https://managedhsm.azure.net" + x-content-type-options: + - nosniff + status: + code: 401 + message: Unauthorized +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: !!python/unicode 
'{"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM 
Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto 
Officer","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto User","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Policy 
Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Auditor","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Service Encryption","type":""},"type":"Microsoft.Authorization/roleDefinitions"}]}' + headers: + content-length: + - '5517' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +version: 1 diff --git a/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_role_assignment.yaml b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_role_assignment.yaml new file mode 100644 index 000000000000..595db694da16 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_role_assignment.yaml 
@@ -0,0 +1,226 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + Content-Length: + - '0' + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: !!python/unicode OK + headers: + content-length: + - '2' + content-type: + - application/json + www-authenticate: + - Bearer authorization="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47", + resource="https://managedhsm.azure.net" + x-content-type-options: + - nosniff + status: + code: 401 + message: Unauthorized +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: !!python/unicode 
'{"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM 
Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto 
Officer","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto User","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Policy 
Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Auditor","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Service Encryption","type":""},"type":"Microsoft.Authorization/roleDefinitions"}]}' + headers: + content-length: + - '5517' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +- request: + body: !!python/unicode '{"properties": {"roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4", + "principalId": "service-principal-id"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + Content-Length: + - '200' + Content-Type: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: PUT + uri: 
https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: + - '398' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: + - '398' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: 
https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/e1392147-41b5-498b-847d-ca061e8808a3","name":"e1392147-41b5-498b-847d-ca061e8808a3","properties":{"principalId":"67ca7f59-968b-4cde-8582-d6a5341fa721","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/f35aa2fd-545a-4f42-a44b-f862a530d4f1","name":"f35aa2fd-545a-4f42-a44b-f862a530d4f1","properties":{"principalId":"f84ae8f9-c979-4750-a2fe-b350a00bebff","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/457acfe4-7ff8-4608-b3ac-87139804539e","name":"457acfe4-7ff8-4608-b3ac-87139804539e","properties":{"principalId":"693a17da-7022-4cdd-9d4e-4e72e4ad449d","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/c6de6e40-d764-49e1-8e7c-be2f2a27de81","name":"c6de6e40-d764-49e1-8e7c-be2f2a27de81","properties":{"principalId":"3c1303ad-140b-493c-ab45-bed8ddbfa72c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7
015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/2f070682-b1a6-0ad3-acd3-7b891e5c79b0","name":"2f070682-b1a6-0ad3-acd3-7b891e5c79b0","properties":{"principalId":"bf0cee9f-b26b-4e25-b4ab-92ec7466cf33","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/0480f9fc-1294-4668-b31e-e5d8bae7d5b3","name":"0480f9fc-1294-4668-b31e-e5d8bae7d5b3","properties":{"principalId":"74677558-f369-4792-afe5-f99738b5fa7c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}' + headers: + content-length: + - '2804' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + Content-Length: + - '0' + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: DELETE + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: + - '398' + content-type: + - application/json + 
x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/e1392147-41b5-498b-847d-ca061e8808a3","name":"e1392147-41b5-498b-847d-ca061e8808a3","properties":{"principalId":"67ca7f59-968b-4cde-8582-d6a5341fa721","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/f35aa2fd-545a-4f42-a44b-f862a530d4f1","name":"f35aa2fd-545a-4f42-a44b-f862a530d4f1","properties":{"principalId":"f84ae8f9-c979-4750-a2fe-b350a00bebff","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/457acfe4-7ff8-4608-b3ac-87139804539e","name":"457acfe4-7ff8-4608-b3ac-87139804539e","properties":{"principalId":"693a17da-7022-4cdd-9d4e-4e72e4ad449d","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/c6de6e40-d764-49e1-8e7c-be2f2a27de81","name":"c6de6e40-d764-49e1-8e7c-be2f2a27de81","properties":{"principalId":"3c1303ad-140b-493c-ab45-bed8ddbfa72c","roleDefinitio
nId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/2f070682-b1a6-0ad3-acd3-7b891e5c79b0","name":"2f070682-b1a6-0ad3-acd3-7b891e5c79b0","properties":{"principalId":"bf0cee9f-b26b-4e25-b4ab-92ec7466cf33","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/0480f9fc-1294-4668-b31e-e5d8bae7d5b3","name":"0480f9fc-1294-4668-b31e-e5d8bae7d5b3","properties":{"principalId":"74677558-f369-4792-afe5-f99738b5fa7c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}' + headers: + content-length: + - '2405' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +version: 1 diff --git a/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_list_role_definitions.yaml b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_list_role_definitions.yaml new file mode 100644 index 000000000000..131a7d6c32bc --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_list_role_definitions.yaml 
@@ -0,0 +1,54 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Content-Length: + - '0' + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: OK + headers: + content-length: '2' + content-type: application/json + www-authenticate: Bearer authorization="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47", + resource="https://managedhsm.azure.net" + x-content-type-options: nosniff + status: + code: 401 + message: Unauthorized + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: 
'{"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM 
Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto 
Officer","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto User","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Policy 
Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Auditor","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Service Encryption","type":""},"type":"Microsoft.Authorization/roleDefinitions"}]}' + headers: + content-length: '5517' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview +version: 1 diff --git a/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_role_assignment.yaml b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_role_assignment.yaml new file mode 100644 index 000000000000..a884c896a2ea --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_role_assignment.yaml 
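Review bot: The response `url:` fields in this recording are left unscrubbed while the request `uri:` fields are scrubbed: `uri:` reads `https://vaultname.vault.azure.net/...` but `url:` still carries the real host `https://eastus.clitest.managedhsm-preview.azure.net/...`, and in the test_role_assignment.yaml hunk that follows, `url:` also keeps the real assignment name `4af0820d-e870-4795-878e-1869f6f0888e` where `uri:` has `some-uuid`. The `www-authenticate` challenge in the first interaction records a real tenant ID (`72f988bf-...`) and every `x-ms-keyvault-network-info` header records the recording machine's public address (`addr=24.17.201.78`), which the sync recording above shares. These are environment details that should not be committed, and the mismatch also means a replay that matches on the response URL would diverge from the scrubbed request. The name-pair scrubbing used by the tests and the recording processors should be extended to the `url` field and those two headers, e.g. `url: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview`; where the sanitizer configuration lives is not visible on this page, so the exact hook is inferred.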
@@ -0,0 +1,145 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: '{"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM 
Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto 
Officer","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto User","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Policy 
Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Auditor","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Service Encryption","type":""},"type":"Microsoft.Authorization/roleDefinitions"}]}' + headers: + content-length: '5517' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview +- request: + body: '{"properties": {"roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4", + "principalId": "service-principal-id"}}' + headers: + Accept: + - application/json + Content-Length: + - '200' + Content-Type: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: PUT + uri: 
https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: '398' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 201 + message: Created + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/4af0820d-e870-4795-878e-1869f6f0888e?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: '398' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/4af0820d-e870-4795-878e-1869f6f0888e?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + 
User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview + response: + body: + string: '{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/e1392147-41b5-498b-847d-ca061e8808a3","name":"e1392147-41b5-498b-847d-ca061e8808a3","properties":{"principalId":"67ca7f59-968b-4cde-8582-d6a5341fa721","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/f35aa2fd-545a-4f42-a44b-f862a530d4f1","name":"f35aa2fd-545a-4f42-a44b-f862a530d4f1","properties":{"principalId":"f84ae8f9-c979-4750-a2fe-b350a00bebff","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/457acfe4-7ff8-4608-b3ac-87139804539e","name":"457acfe4-7ff8-4608-b3ac-87139804539e","properties":{"principalId":"693a17da-7022-4cdd-9d4e-4e72e4ad449d","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/c6de6e40-d764-49e1-8e7c-be2f2a27de81","name":"c6de6e40-d764-49e1-8e7c-be2f2a27de81","properties":{"principalId":"3c1303ad-140b-493c-ab45-bed8ddbfa72c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/2f070682-b1a6-0ad3-acd3-7b891e5c79b0","name":"2f070682-b1a6-0ad3-acd3-7b89
1e5c79b0","properties":{"principalId":"bf0cee9f-b26b-4e25-b4ab-92ec7466cf33","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/0480f9fc-1294-4668-b31e-e5d8bae7d5b3","name":"0480f9fc-1294-4668-b31e-e5d8bae7d5b3","properties":{"principalId":"74677558-f369-4792-afe5-f99738b5fa7c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}' + headers: + content-length: '2804' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: DELETE + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: 
'{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: '398' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/4af0820d-e870-4795-878e-1869f6f0888e?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview + response: + body: + string: 
'{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/e1392147-41b5-498b-847d-ca061e8808a3","name":"e1392147-41b5-498b-847d-ca061e8808a3","properties":{"principalId":"67ca7f59-968b-4cde-8582-d6a5341fa721","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/f35aa2fd-545a-4f42-a44b-f862a530d4f1","name":"f35aa2fd-545a-4f42-a44b-f862a530d4f1","properties":{"principalId":"f84ae8f9-c979-4750-a2fe-b350a00bebff","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/457acfe4-7ff8-4608-b3ac-87139804539e","name":"457acfe4-7ff8-4608-b3ac-87139804539e","properties":{"principalId":"693a17da-7022-4cdd-9d4e-4e72e4ad449d","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/c6de6e40-d764-49e1-8e7c-be2f2a27de81","name":"c6de6e40-d764-49e1-8e7c-be2f2a27de81","properties":{"principalId":"3c1303ad-140b-493c-ab45-bed8ddbfa72c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/2f070682-b1a6-0ad3-acd3-7b891e5c79b0","name":"2f070682-b1a6-0ad3-acd3-7b891e5c79b0","properties":{"principalId":"bf0cee9f-b26b-4e25-b4ab-92ec7466cf33","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignme
nts"},{"id":"/providers/Microsoft.Authorization/roleAssignments/0480f9fc-1294-4668-b31e-e5d8bae7d5b3","name":"0480f9fc-1294-4668-b31e-e5d8bae7d5b3","properties":{"principalId":"74677558-f369-4792-afe5-f99738b5fa7c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}' + headers: + content-length: '2405' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview +version: 1 diff --git a/sdk/keyvault/azure-keyvault-administration/tests/test_access_control.py b/sdk/keyvault/azure-keyvault-administration/tests/test_access_control.py new file mode 100644 index 000000000000..1bdbf40fb365 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/test_access_control.py 
@@ -0,0 +1,95 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import functools
+import os
+import uuid
+
+from azure.keyvault.administration import KeyVaultAccessControlClient
+from devtools_testutils import KeyVaultPreparer, ResourceGroupPreparer
+import pytest
+
+from _shared.test_case import KeyVaultTestCase
+from _shared.preparer import KeyVaultClientPreparer as _KeyVaultClientPreparer
+
+AccessControlClientPreparer = functools.partial(_KeyVaultClientPreparer, KeyVaultAccessControlClient)
+
+
+class AccessControlTests(KeyVaultTestCase):
+ def __init__(self, *args, **kwargs):
+ super(AccessControlTests, self).__init__(*args, **kwargs)
+ if self.is_live:
+ pytest.skip("test infrastructure can't yet create a Key Vault supporting the RBAC API")
+
+ def get_replayable_uuid(self, replay_value):
+ if self.is_live:
+ value = str(uuid.uuid4())
+ self.scrubber.register_name_pair(value, replay_value)
+ return value
+ return replay_value
+
+ def get_service_principal_id(self):
+ replay_value = "service-principal-id"
+ if self.is_live:
+ value = os.environ["AZURE_CLIENT_ID"]
+ self.scrubber.register_name_pair(value, replay_value)
+ return value
+ return replay_value
+
+ @ResourceGroupPreparer(random_name_enabled=True)
+ @KeyVaultPreparer()
+ @AccessControlClientPreparer()
+ def test_list_role_definitions(self, client):
+ definitions = [d for d in client.list_role_definitions("/")]
+ assert len(definitions)
+
+ for definition in definitions:
+ assert "/" in definition.assignable_scopes
+ assert definition.description is not None
+ assert definition.id is not None
+ assert definition.name is not None
+ assert len(definition.permissions)
+ assert definition.role_name is not None
+ assert definition.role_type is not None
+ assert definition.type is not None
+
+ @ResourceGroupPreparer(random_name_enabled=True)
+ @KeyVaultPreparer()
+ @AccessControlClientPreparer()
+ def test_role_assignment(self, client):
+ scope = "/"
+ definitions = [d for d in client.list_role_definitions(scope)]
+
+ # assign an arbitrary role to the service principal authenticating these requests
+ definition = definitions[0]
+ principal_id = self.get_service_principal_id()
+ name = self.get_replayable_uuid("some-uuid")
+
+ created = client.create_role_assignment(scope, name, definition.id, principal_id)
+ assert created.name == name
+ assert created.principal_id == principal_id
+ assert created.role_definition_id == definition.id
+ assert created.scope == scope
+
+ # should be able to get the new assignment
+ got = client.get_role_assignment(scope, name)
+ assert got.name == name
+ assert got.principal_id == principal_id
+ assert got.role_definition_id == definition.id
+ assert got.scope == scope
+
+ # new assignment should be in the list of all assignments
+ matching_assignments = [
+ a for a in client.list_role_assignments(scope) if a.assignment_id == created.assignment_id
+ ]
+ assert len(matching_assignments) == 1
+
+ # delete the assignment
+ deleted = client.delete_role_assignment(scope, created.name)
+ assert deleted.name == created.name
+ assert deleted.assignment_id == created.assignment_id
+ assert deleted.scope == scope
+ assert deleted.role_definition_id == created.role_definition_id
+
+ assert not any(a for a in client.list_role_assignments(scope) if a.assignment_id == created.assignment_id)
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/test_access_control_async.py b/sdk/keyvault/azure-keyvault-administration/tests/test_access_control_async.py
new file mode 100644
index 000000000000..feb85c5a1e98
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-administration/tests/test_access_control_async.py
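Review bot: If any assertion between `create_role_assignment` and `delete_role_assignment` in `test_role_assignment` fails, the assignment is left behind: the test grants `definitions[0]` to the authenticating principal at the root scope `"/"`, and nothing on the failure path removes it. Wrap the verification in `try`/`finally` so the delete always runs, and pick the role deterministically (filter the definitions by `role_name` for a low-privilege one) rather than taking whichever the service lists first, since index 0 may well be a highly privileged definition and listing order is not guaranteed. The scrubber pairs registered in `get_replayable_uuid` and `get_service_principal_id` cover only the authenticating principal and the generated assignment name; the recording earlier in this diff still carries the other assignments' `principalId` values and an `x-ms-keyvault-network-info` address, so a regex scrubber for GUIDs and that header would be worth adding. Live runs are currently skipped in `__init__`, so the leak only bites once RBAC-capable test infrastructure exists.
```python
    created = client.create_role_assignment(scope, name, definition.id, principal_id)
    try:
        # … unchanged: assertions on created, get_role_assignment and list_role_assignments …
    finally:
        # remove the root-scope grant even when a check above fails
        deleted = client.delete_role_assignment(scope, created.name)
    # … unchanged: assertions on deleted and the post-delete listing …
```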
@@ -0,0 +1,101 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import functools
+import os
+import uuid
+
+from azure.keyvault.administration.aio import KeyVaultAccessControlClient
+from devtools_testutils import KeyVaultPreparer, ResourceGroupPreparer
+import pytest
+
+from _shared.test_case_async import KeyVaultTestCase
+from _shared.preparer_async import KeyVaultClientPreparer as _KeyVaultClientPreparer
+
+AccessControlClientPreparer = functools.partial(_KeyVaultClientPreparer, KeyVaultAccessControlClient)
+
+
+class AccessControlTests(KeyVaultTestCase):
+ def __init__(self, *args, **kwargs):
+ super(AccessControlTests, self).__init__(*args, **kwargs)
+ if self.is_live:
+ pytest.skip("test infrastructure can't yet create a Key Vault supporting the RBAC API")
+
+ def get_replayable_uuid(self, replay_value):
+ if self.is_live:
+ value = str(uuid.uuid4())
+ self.scrubber.register_name_pair(value, replay_value)
+ return value
+ return replay_value
+
+ def get_service_principal_id(self):
+ replay_value = "service-principal-id"
+ if self.is_live:
+ value = os.environ["AZURE_CLIENT_ID"]
+ self.scrubber.register_name_pair(value, replay_value)
+ return value
+ return replay_value
+
+ @ResourceGroupPreparer(random_name_enabled=True)
+ @KeyVaultPreparer()
+ @AccessControlClientPreparer()
+ async def test_list_role_definitions(self, client):
+ definitions = []
+ async for definition in client.list_role_definitions("/"):
+ definitions.append(definition)
+ assert len(definitions)
+
+ for definition in definitions:
+ assert "/" in definition.assignable_scopes
+ assert definition.description is not None
+ assert definition.id is not None
+ assert definition.name is not None
+ assert len(definition.permissions)
+ assert definition.role_name is not None
+ assert definition.role_type is not None
+ assert definition.type is not None
+
+ @ResourceGroupPreparer(random_name_enabled=True)
+ @KeyVaultPreparer()
+ @AccessControlClientPreparer()
+ async def test_role_assignment(self, client):
+ scope = "/"
+ definitions = []
+ async for definition in client.list_role_definitions("/"):
+ definitions.append(definition)
+
+ # assign an arbitrary role to the service principal authenticating these requests
+ definition = definitions[0]
+ principal_id = self.get_service_principal_id()
+ name = self.get_replayable_uuid("some-uuid")
+
+ created = await client.create_role_assignment(scope, name, definition.id, principal_id)
+ assert created.name == name
+ assert created.principal_id == principal_id
+ assert created.role_definition_id == definition.id
+ assert created.scope == scope
+
+ # should be able to get the new assignment
+ got = await client.get_role_assignment(scope, name)
+ assert got.name == name
+ assert got.principal_id == principal_id
+ assert got.role_definition_id == definition.id
+ assert got.scope == scope
+
+ # new assignment should be in the list of all assignments
+ matching_assignments = []
+ async for assignment in client.list_role_assignments(scope):
+ if assignment.assignment_id == created.assignment_id:
+ matching_assignments.append(assignment)
+ assert len(matching_assignments) == 1
+
+ # delete the assignment
+ deleted = await client.delete_role_assignment(scope, created.name)
+ assert deleted.name == created.name
+ assert deleted.assignment_id == created.assignment_id
+ assert deleted.scope == scope
+ assert deleted.role_definition_id == created.role_definition_id
+
+ async for assignment in client.list_role_assignments(scope):
+ assert assignment.assignment_id != created.assignment_id, "the role assignment should have been deleted"
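Review bot: `get_service_principal_id` returns `os.environ["AZURE_CLIENT_ID"]`, which is the application (client) ID of the service principal, whereas a role assignment's `principalId` is the principal's directory object ID; for a service principal these are distinct GUIDs, so a live run of `test_role_assignment` would assign the role to the wrong identifier and the equality checks on `principal_id` would pass for the wrong reason. Read the object ID from a dedicated variable, e.g. `value = os.environ["AZURE_CLIENT_OID"]`, and keep the scrubber registration unchanged; the same applies to the sync test. The cleanup gap is also present here: an assertion failure after `create_role_assignment` skips `delete_role_assignment` and leaves a grant at scope `"/"` on the vault, so the checks between the two calls belong inside a `try`/`finally` whose `finally` performs the delete. As a point of style, `test_role_assignment` lists definitions with the literal `"/"` while the rest of the method uses `scope`; `async for definition in client.list_role_definitions(scope):` keeps the two in step.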