From cbac8aa59d407f5191da5d850482fbfc90447e6a Mon Sep 17 00:00:00 2001 From: Charles Lowell Date: Fri, 19 Jun 2020 13:39:02 -0700 Subject: [PATCH 1/7] models --- .../azure/keyvault/administration/_models.py | 166 ++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100644 sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py new file mode 100644 index 000000000000..073ec7fe0c5f --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py @@ -0,0 +1,166 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from typing import Any + + +# pylint:disable=protected-access + +class KeyVaultPermission(object): + """Role definition permissions. + + :ivar list[str] actions: allowed actions + :ivar list[str] not_actions: denied actions + :ivar list[str] data_actions: allowed data actions + :ivar list[str] not_data_actions: denied data actions + """ + + def __init__(self, **kwargs): + # type: (**Any) -> None + self.actions = kwargs.get("actions") + self.not_actions = kwargs.get("not_actions") + self.data_actions = kwargs.get("data_actions") + self.not_data_actions = kwargs.get("not_data_actions") + + @classmethod + def _from_generated(cls, permissions): + return cls( + actions=permissions.actions, + not_actions=permissions.not_actions, + data_actions=permissions.data_actions, + not_data_actions=permissions.not_data_actions, + ) + + +class RoleAssignment(object): + """Represents the assignment to a principal of a role over a scope""" + + def __init__(self, **kwargs): + # type: (**Any) -> None + self._assignment_id = kwargs.get("assignment_id") + self._name = kwargs.get("name") + self._properties = kwargs.get("properties") + self._type = kwargs.get("assignment_type") + + def __repr__(self): + # type: () -> str + return "RoleAssignment<{}>".format(self._assignment_id) + + @property + def assignment_id(self): + # type: () -> str + """unique identifier for this assignment""" + return self._assignment_id + + @property + def name(self): + # type: () -> str + """name of the assignment""" + return self._name + + @property + def principal_id(self): + # type: () -> str + """ID of the principal this assignment applies to. + + This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. + """ + return self._properties.principal_id + + @property + def role_definition_id(self): + # type: () -> str + """ID of the role's definition""" + return self._properties.role_definition_id + + @property + def scope(self): + # type: () -> str + """scope of the assignment""" + return self._properties.scope + + @property + def type(self): + # type: () -> str + """the type of this assignment""" + return self._type + + @classmethod + def _from_generated(cls, role_assignment): + return cls( + assignment_id=role_assignment.id, + name=role_assignment.name, + assignment_type=role_assignment.type, + properties=RoleAssignmentProperties._from_generated(role_assignment.properties), + ) + + +class RoleAssignmentProperties(object): + def __init__(self, **kwargs): + # type: (**Any) -> None + self.principal_id = kwargs.get("principal_id") + self.role_definition_id = kwargs.get("role_definition_id") + self.scope = kwargs.get("scope") + + def __repr__(self): + # type: () -> str + return "RoleAssignmentProperties(principal_id={}, role_definition_id={}, scope={})".format( + self.principal_id, self.role_definition_id, self.scope + )[:1024] + + @classmethod + def _from_generated(cls, role_assignment_properties): + # the generated RoleAssignmentProperties and RoleAssignmentPropertiesWithScope + # models differ only in that the latter has a "scope" attribute + return cls( + principal_id=role_assignment_properties.principal_id, + role_definition_id=role_assignment_properties.role_definition_id, + scope=getattr(role_assignment_properties, "scope", None), + ) + + +class RoleDefinition(object): + """Role definition. + + :ivar str id: The role definition ID. + :ivar str name: The role definition name. + :ivar str type: The role definition type. + :ivar str role_name: The role name. + :ivar str description: The role definition description. + :ivar str role_type: The role type. + :ivar permissions: Role definition permissions. + :vartype permissions: list[KeyVaultPermission] + :ivar list[str] assignable_scopes: Role definition assignable scopes. + """ + + def __init__(self, **kwargs): + # type: (**Any) -> None + self.id = kwargs.get("id") + self.name = kwargs.get("name") + self.role_name = kwargs.get("role_name") + self.description = kwargs.get("description") + self.role_type = kwargs.get("role_type") + self.type = kwargs.get("type") + self.permissions = kwargs.get("permissions") + self.assignable_scopes = kwargs.get("assignable_scopes") + + def __repr__(self): + # type: () -> str + return "".format(self.role_name)[:1024] + + @classmethod + def _from_generated(cls, definition): + return cls( + assignable_scopes=definition.assignable_scopes, + description=definition.description, + id=definition.id, + name=definition.name, + permissions=[KeyVaultPermission._from_generated(p) for p in definition.permissions], + role_name=definition.role_name, + role_type=definition.role_type, + type=definition.type, + ) From 47902d25a528945026e20bc1f19b2cc635f90398 Mon Sep 17 00:00:00 2001 From: Charles Lowell Date: Fri, 19 Jun 2020 13:39:29 -0700 Subject: [PATCH 2/7] access control clients --- .../azure/keyvault/administration/__init__.py | 7 +- .../administration/_access_control_client.py | 112 ++++++++++++++++++ .../keyvault/administration/aio/__init__.py | 3 + .../aio/_access_control_client.py | 112 ++++++++++++++++++ 4 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py create mode 100644 sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py index 679ab6995134..e1cf68a13fb4 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py @@ -2,4 +2,9 @@ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # ------------------------------------ -__path__ = __import__("pkgutil").extend_path(__path__, __name__) # type: ignore +from ._access_control_client import KeyVaultAccessControlClient +from ._internal.client_base import ApiVersion +from ._models import KeyVaultPermission, RoleAssignment, RoleDefinition + + +__all__ = ["ApiVersion", "KeyVaultAccessControlClient", "KeyVaultPermission", "RoleAssignment", "RoleDefinition"] diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py new file mode 100644 index 000000000000..5d73f5690f56 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py @@ -0,0 +1,112 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +from typing import TYPE_CHECKING + +from azure.core.tracing.decorator import distributed_trace + +from ._models import RoleAssignment, RoleDefinition +from ._internal import KeyVaultClientBase + +if TYPE_CHECKING: + from typing import Any, Iterable + + +class KeyVaultAccessControlClient(KeyVaultClientBase): + """Manages role-based access to Azure Key Vault. + + :param str vault_url: URL of the vault the client will manage. This is also called the vault's "DNS Name". + :param credential: an object which can provide an access token for the vault, such as a credential from + :mod:`azure.identity` + """ + + # pylint:disable=protected-access + + @distributed_trace + def create_role_assignment(self, role_scope, role_assignment_name, role_definition_id, principal_id, **kwargs): + # type: (str, str, str, str, **Any) -> RoleAssignment + """Create a role assignment. + + :param str role_scope: scope the role assignment will apply over + :param role_assignment_name: a name for the role assignment. Must be a UUID. + :type role_assignment_name: str or uuid.UUID + :param str role_definition_id: ID of the role's definition + :param str principal_id: ID of the principal which will be assigned the role. This maps to the ID inside the + Active Directory. It can point to a user, service principal, or security group. + :rtype: RoleAssignment + """ + create_parameters = self._client.role_assignments.models.RoleAssignmentCreateParameters( + properties=self._client.role_assignments.models.RoleAssignmentProperties( + principal_id=principal_id, role_definition_id=str(role_definition_id) + ) + ) + assignment = self._client.role_assignments.create( + vault_base_url=self._vault_url, + scope=role_scope, + role_assignment_name=role_assignment_name, + parameters=create_parameters, + **kwargs + ) + return RoleAssignment._from_generated(assignment) + + @distributed_trace + def delete_role_assignment(self, role_scope, role_assignment_name, **kwargs): + # type: (str, str, **Any) -> RoleAssignment + """Delete a role assignment. + + :param str role_scope: the assignment's scope + :param role_assignment_name: the assignment's name. Must be a UUID. + :type role_assignment_name: str or uuid.UUID + :returns: the deleted assignment + :rtype: RoleAssignment + """ + assignment = self._client.role_assignments.delete( + vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs + ) + return RoleAssignment._from_generated(assignment) + + @distributed_trace + def get_role_assignment(self, role_scope, role_assignment_name, **kwargs): + # type: (str, str, **Any) -> RoleAssignment + """Get a role assignment. + + :param str role_scope: the assignment's scope + :param role_assignment_name: the assignment's name. Must be a UUID. + :type role_assignment_name: str or uuid.UUID + :rtype: RoleAssignment + """ + assignment = self._client.role_assignments.get( + vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs + ) + return RoleAssignment._from_generated(assignment) + + @distributed_trace + def list_role_assignments(self, role_scope, **kwargs): + # type: (str, **Any) -> Iterable[RoleAssignment] + """List all role assignments for a scope. + + :param str role_scope: scope of the role assignments + :rtype: ~azure.core.paging.ItemPaged[RoleAssignment] + """ + return self._client.role_assignments.list_for_scope( + self._vault_url, + role_scope, + cls=lambda result: [RoleAssignment._from_generated(a) for a in result], + **kwargs + ) + + @distributed_trace + def list_role_definitions(self, role_scope, **kwargs): + # type: (str, **Any) -> Iterable[RoleDefinition] + """List all role definitions applicable at and above a scope. + + :param str role_scope: scope of the role definitions + :rtype: ~azure.core.paging.ItemPaged[RoleDefinition] + """ + return self._client.role_definitions.list( + self._vault_url, + role_scope, + cls=lambda result: [RoleDefinition._from_generated(d) for d in result], + **kwargs + ) diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/__init__.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/__init__.py index b74cfa3b899c..45ea36c883e7 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/__init__.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/__init__.py @@ -2,3 +2,6 @@ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # ------------------------------------ +from ._access_control_client import KeyVaultAccessControlClient + +__all__ = ["KeyVaultAccessControlClient"] diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py new file mode 100644 index 000000000000..b9bf6e247894 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py @@ -0,0 +1,112 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +from typing import TYPE_CHECKING + +from azure.core.tracing.decorator import distributed_trace +from azure.core.tracing.decorator_async import distributed_trace_async + +from .._models import RoleAssignment, RoleDefinition +from .._internal import AsyncKeyVaultClientBase + +if TYPE_CHECKING: + from typing import Any, AsyncIterable + + +class KeyVaultAccessControlClient(AsyncKeyVaultClientBase): + """Manages role-based access to Azure Key Vault. + + :param str vault_url: URL of the vault the client will manage. This is also called the vault's "DNS Name". + :param credential: an object which can provide an access token for the vault, such as a credential from + :mod:`azure.identity` + """ + + # pylint:disable=protected-access + + @distributed_trace_async + async def create_role_assignment( + self, role_scope: str, role_assignment_name: str, role_definition_id: str, principal_id: str, **kwargs: "Any" + ) -> RoleAssignment: + """Create a role assignment. + + :param str role_scope: scope the role assignment will apply over + :param role_assignment_name: a name for the role assignment. Must be a UUID. + :type role_assignment_name: str or uuid.UUID + :param str role_definition_id: ID of the role's definition + :param str principal_id: ID of the principal which will be assigned the role. This maps to the ID inside the + Active Directory. It can point to a user, service principal, or security group. + :rtype: RoleAssignment + """ + create_parameters = self._client.role_assignments.models.RoleAssignmentCreateParameters( + properties=self._client.role_assignments.models.RoleAssignmentProperties( + principal_id=principal_id, role_definition_id=str(role_definition_id) + ) + ) + assignment = await self._client.role_assignments.create( + vault_base_url=self._vault_url, + scope=role_scope, + role_assignment_name=role_assignment_name, + parameters=create_parameters, + **kwargs + ) + return RoleAssignment._from_generated(assignment) + + @distributed_trace_async + async def delete_role_assignment( + self, role_scope: str, role_assignment_name: str, **kwargs: "Any" + ) -> RoleAssignment: + """Delete a role assignment. + + :param str role_scope: the assignment's scope + :param role_assignment_name: the assignment's name. Must be a UUID. + :type role_assignment_name: str or uuid.UUID + :returns: the deleted assignment + :rtype: RoleAssignment + """ + assignment = await self._client.role_assignments.delete( + vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs + ) + return RoleAssignment._from_generated(assignment) + + @distributed_trace_async + async def get_role_assignment(self, role_scope: str, role_assignment_name: str, **kwargs: "Any") -> RoleAssignment: + """Get a role assignment. + + :param str role_scope: the assignment's scope + :param role_assignment_name: the assignment's name. Must be a UUID. + :type role_assignment_name: str or uuid.UUID + :rtype: RoleAssignment + """ + assignment = await self._client.role_assignments.get( + vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs + ) + return RoleAssignment._from_generated(assignment) + + @distributed_trace + def list_role_assignments(self, role_scope: str, **kwargs: "Any") -> "AsyncIterable[RoleAssignment]": + """List all role assignments for a scope. + + :param str role_scope: scope of the role assignments + :rtype: ~azure.core.async_paging.AsyncItemPaged[RoleAssignment] + """ + return self._client.role_assignments.list_for_scope( + self._vault_url, + role_scope, + cls=lambda result: [RoleAssignment._from_generated(a) for a in result], + **kwargs + ) + + @distributed_trace + def list_role_definitions(self, role_scope: str, **kwargs: "Any") -> "AsyncIterable[RoleDefinition]": + """List all role definitions applicable at and above a scope. + + :param str role_scope: scope of the role definitions + :rtype: ~azure.core.async_paging.AsyncItemPaged[RoleDefinition] + """ + return self._client.role_definitions.list( + self._vault_url, + role_scope, + cls=lambda result: [RoleDefinition._from_generated(d) for d in result], + **kwargs + ) From 88c5ba6eaa1780ed2c502d24d183b144394a9e59 Mon Sep 17 00:00:00 2001 From: Charles Lowell Date: Fri, 19 Jun 2020 13:39:47 -0700 Subject: [PATCH 3/7] tests --- ...ss_control.test_list_role_definitions.yaml | 69 ++++++ ...t_access_control.test_role_assignment.yaml | 226 ++++++++++++++++++ ...trol_async.test_list_role_definitions.yaml | 54 +++++ ...ss_control_async.test_role_assignment.yaml | 145 +++++++++++ .../tests/test_access_control.py | 95 ++++++++ .../tests/test_access_control_async.py | 101 ++++++++ 6 files changed, 690 insertions(+) create mode 100644 sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_list_role_definitions.yaml create mode 100644 sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_role_assignment.yaml create mode 100644 sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_list_role_definitions.yaml create mode 100644 sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_role_assignment.yaml create mode 100644 sdk/keyvault/azure-keyvault-administration/tests/test_access_control.py create mode 100644 sdk/keyvault/azure-keyvault-administration/tests/test_access_control_async.py diff --git a/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_list_role_definitions.yaml b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_list_role_definitions.yaml new file mode 100644 index 000000000000..619557270b11 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_list_role_definitions.yaml @@ -0,0 +1,69 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + Content-Length: + - '0' + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: !!python/unicode OK + headers: + content-length: + - '2' + content-type: + - application/json + www-authenticate: + - Bearer authorization="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47", + resource="https://managedhsm.azure.net" + x-content-type-options: + - nosniff + status: + code: 401 + message: Unauthorized +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Officer","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto User","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Policy Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Auditor","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Service Encryption","type":""},"type":"Microsoft.Authorization/roleDefinitions"}]}' + headers: + content-length: + - '5517' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +version: 1 diff --git a/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_role_assignment.yaml b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_role_assignment.yaml new file mode 100644 index 000000000000..595db694da16 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control.test_role_assignment.yaml @@ -0,0 +1,226 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + Content-Length: + - '0' + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: !!python/unicode OK + headers: + content-length: + - '2' + content-type: + - application/json + www-authenticate: + - Bearer authorization="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47", + resource="https://managedhsm.azure.net" + x-content-type-options: + - nosniff + status: + code: 401 + message: Unauthorized +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Officer","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto User","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Policy Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Auditor","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Service Encryption","type":""},"type":"Microsoft.Authorization/roleDefinitions"}]}' + headers: + content-length: + - '5517' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +- request: + body: !!python/unicode '{"properties": {"roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4", + "principalId": "service-principal-id"}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + Content-Length: + - '200' + Content-Type: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: PUT + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: + - '398' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: + - '398' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/e1392147-41b5-498b-847d-ca061e8808a3","name":"e1392147-41b5-498b-847d-ca061e8808a3","properties":{"principalId":"67ca7f59-968b-4cde-8582-d6a5341fa721","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/f35aa2fd-545a-4f42-a44b-f862a530d4f1","name":"f35aa2fd-545a-4f42-a44b-f862a530d4f1","properties":{"principalId":"f84ae8f9-c979-4750-a2fe-b350a00bebff","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/457acfe4-7ff8-4608-b3ac-87139804539e","name":"457acfe4-7ff8-4608-b3ac-87139804539e","properties":{"principalId":"693a17da-7022-4cdd-9d4e-4e72e4ad449d","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/c6de6e40-d764-49e1-8e7c-be2f2a27de81","name":"c6de6e40-d764-49e1-8e7c-be2f2a27de81","properties":{"principalId":"3c1303ad-140b-493c-ab45-bed8ddbfa72c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/2f070682-b1a6-0ad3-acd3-7b891e5c79b0","name":"2f070682-b1a6-0ad3-acd3-7b891e5c79b0","properties":{"principalId":"bf0cee9f-b26b-4e25-b4ab-92ec7466cf33","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/0480f9fc-1294-4668-b31e-e5d8bae7d5b3","name":"0480f9fc-1294-4668-b31e-e5d8bae7d5b3","properties":{"principalId":"74677558-f369-4792-afe5-f99738b5fa7c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}' + headers: + content-length: + - '2804' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + Content-Length: + - '0' + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: DELETE + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: + - '398' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + Connection: + - keep-alive + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/2.7.15 (Windows-10-10.0.19041) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview + response: + body: + string: !!python/unicode '{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/e1392147-41b5-498b-847d-ca061e8808a3","name":"e1392147-41b5-498b-847d-ca061e8808a3","properties":{"principalId":"67ca7f59-968b-4cde-8582-d6a5341fa721","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/f35aa2fd-545a-4f42-a44b-f862a530d4f1","name":"f35aa2fd-545a-4f42-a44b-f862a530d4f1","properties":{"principalId":"f84ae8f9-c979-4750-a2fe-b350a00bebff","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/457acfe4-7ff8-4608-b3ac-87139804539e","name":"457acfe4-7ff8-4608-b3ac-87139804539e","properties":{"principalId":"693a17da-7022-4cdd-9d4e-4e72e4ad449d","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/c6de6e40-d764-49e1-8e7c-be2f2a27de81","name":"c6de6e40-d764-49e1-8e7c-be2f2a27de81","properties":{"principalId":"3c1303ad-140b-493c-ab45-bed8ddbfa72c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/2f070682-b1a6-0ad3-acd3-7b891e5c79b0","name":"2f070682-b1a6-0ad3-acd3-7b891e5c79b0","properties":{"principalId":"bf0cee9f-b26b-4e25-b4ab-92ec7466cf33","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/0480f9fc-1294-4668-b31e-e5d8bae7d5b3","name":"0480f9fc-1294-4668-b31e-e5d8bae7d5b3","properties":{"principalId":"74677558-f369-4792-afe5-f99738b5fa7c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}' + headers: + content-length: + - '2405' + content-type: + - application/json + x-content-type-options: + - nosniff + x-ms-keyvault-network-info: + - addr=24.17.201.78 + x-ms-keyvault-region: + - EASTUS + status: + code: 200 + message: OK +version: 1 diff --git a/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_list_role_definitions.yaml b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_list_role_definitions.yaml new file mode 100644 index 000000000000..131a7d6c32bc --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_list_role_definitions.yaml @@ -0,0 +1,54 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + Content-Length: + - '0' + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: OK + headers: + content-length: '2' + content-type: application/json + www-authenticate: Bearer authorization="https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47", + resource="https://managedhsm.azure.net" + x-content-type-options: nosniff + status: + code: 401 + message: Unauthorized + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: '{"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Officer","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto User","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Policy Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Auditor","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Service Encryption","type":""},"type":"Microsoft.Authorization/roleDefinitions"}]}' + headers: + content-length: '5517' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview +version: 1 diff --git a/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_role_assignment.yaml b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_role_assignment.yaml new file mode 100644 index 000000000000..a884c896a2ea --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/recordings/test_access_control_async.test_role_assignment.yaml @@ -0,0 +1,145 @@ +interactions: +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview + response: + body: + string: '{"value":[{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","name":"a290e904-7015-4bba-90c8-60543313cdb4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/515eb02d-2335-4d2d-92f2-b1cbdf9c3778","name":"515eb02d-2335-4d2d-92f2-b1cbdf9c3778","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/restore/action","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/delete","Microsoft.KeyVault/managedHsm/keys/export/action","Microsoft.KeyVault/managedHsm/keys/import/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Officer","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/21dbd100-6940-42c2-9190-5d6cb909625b","name":"21dbd100-6940-42c2-9190-5d6cb909625b","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/write/action","Microsoft.KeyVault/managedHsm/keys/backup/action","Microsoft.KeyVault/managedHsm/keys/create","Microsoft.KeyVault/managedHsm/keys/encrypt/action","Microsoft.KeyVault/managedHsm/keys/decrypt/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action","Microsoft.KeyVault/managedHsm/keys/sign/action","Microsoft.KeyVault/managedHsm/keys/verify/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto User","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/4bd23610-cdcf-4971-bdee-bdc562cc28e4","name":"4bd23610-cdcf-4971-bdee-bdc562cc28e4","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/roleDefinitions/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/read/action","Microsoft.KeyVault/managedHsm/roleAssignments/write/action","Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Policy Administrator","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","name":"2c18b078-7c48-4d3a-af88-5a3a1b3f82b3","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Auditor","type":""},"type":"Microsoft.Authorization/roleDefinitions"},{"id":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/33413926-3206-4cdd-b39a-83574fe37a17","name":"33413926-3206-4cdd-b39a-83574fe37a17","properties":{"assignableScopes":["/"],"description":"","permissions":[{"actions":[],"dataActions":["Microsoft.KeyVault/managedHsm/keys/read/action","Microsoft.KeyVault/managedHsm/keys/wrap/action","Microsoft.KeyVault/managedHsm/keys/unwrap/action"],"notActions":[],"notDataActions":[]}],"roleName":"Azure + Key Vault Managed HSM Crypto Service Encryption","type":""},"type":"Microsoft.Authorization/roleDefinitions"}]}' + headers: + content-length: '5517' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleDefinitions?api-version=7.2-preview +- request: + body: '{"properties": {"roleDefinitionId": "Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4", + "principalId": "service-principal-id"}}' + headers: + Accept: + - application/json + Content-Length: + - '200' + Content-Type: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: PUT + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: '398' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 201 + message: Created + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/4af0820d-e870-4795-878e-1869f6f0888e?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: '398' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/4af0820d-e870-4795-878e-1869f6f0888e?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview + response: + body: + string: '{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/e1392147-41b5-498b-847d-ca061e8808a3","name":"e1392147-41b5-498b-847d-ca061e8808a3","properties":{"principalId":"67ca7f59-968b-4cde-8582-d6a5341fa721","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/f35aa2fd-545a-4f42-a44b-f862a530d4f1","name":"f35aa2fd-545a-4f42-a44b-f862a530d4f1","properties":{"principalId":"f84ae8f9-c979-4750-a2fe-b350a00bebff","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/457acfe4-7ff8-4608-b3ac-87139804539e","name":"457acfe4-7ff8-4608-b3ac-87139804539e","properties":{"principalId":"693a17da-7022-4cdd-9d4e-4e72e4ad449d","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/c6de6e40-d764-49e1-8e7c-be2f2a27de81","name":"c6de6e40-d764-49e1-8e7c-be2f2a27de81","properties":{"principalId":"3c1303ad-140b-493c-ab45-bed8ddbfa72c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/2f070682-b1a6-0ad3-acd3-7b891e5c79b0","name":"2f070682-b1a6-0ad3-acd3-7b891e5c79b0","properties":{"principalId":"bf0cee9f-b26b-4e25-b4ab-92ec7466cf33","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/0480f9fc-1294-4668-b31e-e5d8bae7d5b3","name":"0480f9fc-1294-4668-b31e-e5d8bae7d5b3","properties":{"principalId":"74677558-f369-4792-afe5-f99738b5fa7c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}' + headers: + content-length: '2804' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: DELETE + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments/some-uuid?api-version=7.2-preview + response: + body: + string: '{"id":"/providers/Microsoft.Authorization/roleAssignments/some-uuid","name":"some-uuid","properties":{"principalId":"service-principal-id","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}' + headers: + content-length: '398' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments/4af0820d-e870-4795-878e-1869f6f0888e?api-version=7.2-preview +- request: + body: null + headers: + Accept: + - application/json + User-Agent: + - azsdk-python-keyvault-administration/1.0.0b1 Python/3.5.4 (Windows-10-10.0.19041-SP0) + method: GET + uri: https://vaultname.vault.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview + response: + body: + string: '{"value":[{"id":"/providers/Microsoft.Authorization/roleAssignments/e1392147-41b5-498b-847d-ca061e8808a3","name":"e1392147-41b5-498b-847d-ca061e8808a3","properties":{"principalId":"67ca7f59-968b-4cde-8582-d6a5341fa721","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/f35aa2fd-545a-4f42-a44b-f862a530d4f1","name":"f35aa2fd-545a-4f42-a44b-f862a530d4f1","properties":{"principalId":"f84ae8f9-c979-4750-a2fe-b350a00bebff","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/457acfe4-7ff8-4608-b3ac-87139804539e","name":"457acfe4-7ff8-4608-b3ac-87139804539e","properties":{"principalId":"693a17da-7022-4cdd-9d4e-4e72e4ad449d","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/c6de6e40-d764-49e1-8e7c-be2f2a27de81","name":"c6de6e40-d764-49e1-8e7c-be2f2a27de81","properties":{"principalId":"3c1303ad-140b-493c-ab45-bed8ddbfa72c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/2f070682-b1a6-0ad3-acd3-7b891e5c79b0","name":"2f070682-b1a6-0ad3-acd3-7b891e5c79b0","properties":{"principalId":"bf0cee9f-b26b-4e25-b4ab-92ec7466cf33","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"},{"id":"/providers/Microsoft.Authorization/roleAssignments/0480f9fc-1294-4668-b31e-e5d8bae7d5b3","name":"0480f9fc-1294-4668-b31e-e5d8bae7d5b3","properties":{"principalId":"74677558-f369-4792-afe5-f99738b5fa7c","roleDefinitionId":"Microsoft.KeyVault/providers/Microsoft.Authorization/roleDefinitions/a290e904-7015-4bba-90c8-60543313cdb4","scope":"/"},"type":"Microsoft.Authorization/roleAssignments"}]}' + headers: + content-length: '2405' + content-type: application/json + x-content-type-options: nosniff + x-ms-keyvault-network-info: addr=24.17.201.78 + x-ms-keyvault-region: EASTUS + status: + code: 200 + message: OK + url: https://eastus.clitest.managedhsm-preview.azure.net/providers/Microsoft.Authorization/roleAssignments?api-version=7.2-preview +version: 1 diff --git a/sdk/keyvault/azure-keyvault-administration/tests/test_access_control.py b/sdk/keyvault/azure-keyvault-administration/tests/test_access_control.py new file mode 100644 index 000000000000..1bdbf40fb365 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/test_access_control.py @@ -0,0 +1,95 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import functools +import os +import uuid + +from azure.keyvault.administration import KeyVaultAccessControlClient +from devtools_testutils import KeyVaultPreparer, ResourceGroupPreparer +import pytest + +from _shared.test_case import KeyVaultTestCase +from _shared.preparer import KeyVaultClientPreparer as _KeyVaultClientPreparer + +AccessControlClientPreparer = functools.partial(_KeyVaultClientPreparer, KeyVaultAccessControlClient) + + +class AccessControlTests(KeyVaultTestCase): + def __init__(self, *args, **kwargs): + super(AccessControlTests, self).__init__(*args, **kwargs) + if self.is_live: + pytest.skip("test infrastructure can't yet create a Key Vault supporting the RBAC API") + + def get_replayable_uuid(self, replay_value): + if self.is_live: + value = str(uuid.uuid4()) + self.scrubber.register_name_pair(value, replay_value) + return value + return replay_value + + def get_service_principal_id(self): + replay_value = "service-principal-id" + if self.is_live: + value = os.environ["AZURE_CLIENT_ID"] + self.scrubber.register_name_pair(value, replay_value) + return value + return replay_value + + @ResourceGroupPreparer(random_name_enabled=True) + @KeyVaultPreparer() + @AccessControlClientPreparer() + def test_list_role_definitions(self, client): + definitions = [d for d in client.list_role_definitions("/")] + assert len(definitions) + + for definition in definitions: + assert "/" in definition.assignable_scopes + assert definition.description is not None + assert definition.id is not None + assert definition.name is not None + assert len(definition.permissions) + assert definition.role_name is not None + assert definition.role_type is not None + assert definition.type is not None + + @ResourceGroupPreparer(random_name_enabled=True) + @KeyVaultPreparer() + @AccessControlClientPreparer() + def test_role_assignment(self, client): + scope = "/" + definitions = [d for d in client.list_role_definitions(scope)] + + # assign an arbitrary role to the service principal authenticating these requests + definition = definitions[0] + principal_id = self.get_service_principal_id() + name = self.get_replayable_uuid("some-uuid") + + created = client.create_role_assignment(scope, name, definition.id, principal_id) + assert created.name == name + assert created.principal_id == principal_id + assert created.role_definition_id == definition.id + assert created.scope == scope + + # should be able to get the new assignment + got = client.get_role_assignment(scope, name) + assert got.name == name + assert got.principal_id == principal_id + assert got.role_definition_id == definition.id + assert got.scope == scope + + # new assignment should be in the list of all assignments + matching_assignments = [ + a for a in client.list_role_assignments(scope) if a.assignment_id == created.assignment_id + ] + assert len(matching_assignments) == 1 + + # delete the assignment + deleted = client.delete_role_assignment(scope, created.name) + assert deleted.name == created.name + assert deleted.assignment_id == created.assignment_id + assert deleted.scope == scope + assert deleted.role_definition_id == created.role_definition_id + + assert not any(a for a in client.list_role_assignments(scope) if a.assignment_id == created.assignment_id) diff --git a/sdk/keyvault/azure-keyvault-administration/tests/test_access_control_async.py b/sdk/keyvault/azure-keyvault-administration/tests/test_access_control_async.py new file mode 100644 index 000000000000..feb85c5a1e98 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-administration/tests/test_access_control_async.py @@ -0,0 +1,101 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import functools +import os +import uuid + +from azure.keyvault.administration.aio import KeyVaultAccessControlClient +from devtools_testutils import KeyVaultPreparer, ResourceGroupPreparer +import pytest + +from _shared.test_case_async import KeyVaultTestCase +from _shared.preparer_async import KeyVaultClientPreparer as _KeyVaultClientPreparer + +AccessControlClientPreparer = functools.partial(_KeyVaultClientPreparer, KeyVaultAccessControlClient) + + +class AccessControlTests(KeyVaultTestCase): + def __init__(self, *args, **kwargs): + super(AccessControlTests, self).__init__(*args, **kwargs) + if self.is_live: + pytest.skip("test infrastructure can't yet create a Key Vault supporting the RBAC API") + + def get_replayable_uuid(self, replay_value): + if self.is_live: + value = str(uuid.uuid4()) + self.scrubber.register_name_pair(value, replay_value) + return value + return replay_value + + def get_service_principal_id(self): + replay_value = "service-principal-id" + if self.is_live: + value = os.environ["AZURE_CLIENT_ID"] + self.scrubber.register_name_pair(value, replay_value) + return value + return replay_value + + @ResourceGroupPreparer(random_name_enabled=True) + @KeyVaultPreparer() + @AccessControlClientPreparer() + async def test_list_role_definitions(self, client): + definitions = [] + async for definition in client.list_role_definitions("/"): + definitions.append(definition) + assert len(definitions) + + for definition in definitions: + assert "/" in definition.assignable_scopes + assert definition.description is not None + assert definition.id is not None + assert definition.name is not None + assert len(definition.permissions) + assert definition.role_name is not None + assert definition.role_type is not None + assert definition.type is not None + + @ResourceGroupPreparer(random_name_enabled=True) + @KeyVaultPreparer() + @AccessControlClientPreparer() + async def test_role_assignment(self, client): + scope = "/" + definitions = [] + async for definition in client.list_role_definitions("/"): + definitions.append(definition) + + # assign an arbitrary role to the service principal authenticating these requests + definition = definitions[0] + principal_id = self.get_service_principal_id() + name = self.get_replayable_uuid("some-uuid") + + created = await client.create_role_assignment(scope, name, definition.id, principal_id) + assert created.name == name + assert created.principal_id == principal_id + assert created.role_definition_id == definition.id + assert created.scope == scope + + # should be able to get the new assignment + got = await client.get_role_assignment(scope, name) + assert got.name == name + assert got.principal_id == principal_id + assert got.role_definition_id == definition.id + assert got.scope == scope + + # new assignment should be in the list of all assignments + matching_assignments = [] + async for assignment in client.list_role_assignments(scope): + if assignment.assignment_id == created.assignment_id: + matching_assignments.append(assignment) + assert len(matching_assignments) == 1 + + # delete the assignment + deleted = await client.delete_role_assignment(scope, created.name) + assert deleted.name == created.name + assert deleted.assignment_id == created.assignment_id + assert deleted.scope == scope + assert deleted.role_definition_id == created.role_definition_id + + async for assignment in client.list_role_assignments(scope): + assert assignment.assignment_id != created.assignment_id, "the role assignment should have been deleted" From 90f4ccc44416642ffa7b851d053d8d2cee74bb3c Mon Sep 17 00:00:00 2001 From: Charles Lowell Date: Thu, 27 Aug 2020 10:43:56 -0700 Subject: [PATCH 4/7] correct type annotations --- .../administration/_access_control_client.py | 14 +++++++------ .../aio/_access_control_client.py | 21 +++++++++++++------ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py index 5d73f5690f56..a4334418b4c5 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py @@ -10,7 +10,9 @@ from ._internal import KeyVaultClientBase if TYPE_CHECKING: - from typing import Any, Iterable + from typing import Any, Union + from uuid import UUID + from azure.core.paging import ItemPaged class KeyVaultAccessControlClient(KeyVaultClientBase): @@ -25,7 +27,7 @@ class KeyVaultAccessControlClient(KeyVaultClientBase): @distributed_trace def create_role_assignment(self, role_scope, role_assignment_name, role_definition_id, principal_id, **kwargs): - # type: (str, str, str, str, **Any) -> RoleAssignment + # type: (str, Union[str, UUID], str, str, **Any) -> RoleAssignment """Create a role assignment. :param str role_scope: scope the role assignment will apply over @@ -52,7 +54,7 @@ def create_role_assignment(self, role_scope, role_assignment_name, role_definiti @distributed_trace def delete_role_assignment(self, role_scope, role_assignment_name, **kwargs): - # type: (str, str, **Any) -> RoleAssignment + # type: (str, Union[str, UUID], **Any) -> RoleAssignment """Delete a role assignment. :param str role_scope: the assignment's scope @@ -68,7 +70,7 @@ def delete_role_assignment(self, role_scope, role_assignment_name, **kwargs): @distributed_trace def get_role_assignment(self, role_scope, role_assignment_name, **kwargs): - # type: (str, str, **Any) -> RoleAssignment + # type: (str, Union[str, UUID], **Any) -> RoleAssignment """Get a role assignment. :param str role_scope: the assignment's scope @@ -83,7 +85,7 @@ def get_role_assignment(self, role_scope, role_assignment_name, **kwargs): @distributed_trace def list_role_assignments(self, role_scope, **kwargs): - # type: (str, **Any) -> Iterable[RoleAssignment] + # type: (str, **Any) -> ItemPaged[RoleAssignment] """List all role assignments for a scope. :param str role_scope: scope of the role assignments @@ -98,7 +100,7 @@ def list_role_assignments(self, role_scope, **kwargs): @distributed_trace def list_role_definitions(self, role_scope, **kwargs): - # type: (str, **Any) -> Iterable[RoleDefinition] + # type: (str, **Any) -> ItemPaged[RoleDefinition] """List all role definitions applicable at and above a scope. :param str role_scope: scope of the role definitions diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py index b9bf6e247894..ba7f15193dcc 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py @@ -11,7 +11,9 @@ from .._internal import AsyncKeyVaultClientBase if TYPE_CHECKING: - from typing import Any, AsyncIterable + from typing import Any, Union + from uuid import UUID + from azure.core.async_paging import AsyncItemPaged class KeyVaultAccessControlClient(AsyncKeyVaultClientBase): @@ -26,7 +28,12 @@ class KeyVaultAccessControlClient(AsyncKeyVaultClientBase): @distributed_trace_async async def create_role_assignment( - self, role_scope: str, role_assignment_name: str, role_definition_id: str, principal_id: str, **kwargs: "Any" + self, + role_scope: str, + role_assignment_name: "Union[str, UUID]", + role_definition_id: str, + principal_id: str, + **kwargs: "Any" ) -> RoleAssignment: """Create a role assignment. @@ -54,7 +61,7 @@ async def create_role_assignment( @distributed_trace_async async def delete_role_assignment( - self, role_scope: str, role_assignment_name: str, **kwargs: "Any" + self, role_scope: str, role_assignment_name: "Union[str, UUID]", **kwargs: "Any" ) -> RoleAssignment: """Delete a role assignment. @@ -70,7 +77,9 @@ async def delete_role_assignment( return RoleAssignment._from_generated(assignment) @distributed_trace_async - async def get_role_assignment(self, role_scope: str, role_assignment_name: str, **kwargs: "Any") -> RoleAssignment: + async def get_role_assignment( + self, role_scope: str, role_assignment_name: "Union[str, UUID]", **kwargs: "Any" + ) -> RoleAssignment: """Get a role assignment. :param str role_scope: the assignment's scope @@ -84,7 +93,7 @@ async def get_role_assignment(self, role_scope: str, role_assignment_name: str, return RoleAssignment._from_generated(assignment) @distributed_trace - def list_role_assignments(self, role_scope: str, **kwargs: "Any") -> "AsyncIterable[RoleAssignment]": + def list_role_assignments(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[RoleAssignment]": """List all role assignments for a scope. :param str role_scope: scope of the role assignments @@ -98,7 +107,7 @@ def list_role_assignments(self, role_scope: str, **kwargs: "Any") -> "AsyncItera ) @distributed_trace - def list_role_definitions(self, role_scope: str, **kwargs: "Any") -> "AsyncIterable[RoleDefinition]": + def list_role_definitions(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[RoleDefinition]": """List all role definitions applicable at and above a scope. :param str role_scope: scope of the role definitions From 9765bfe4de5b7181cac1b01de3e1318ebec1524d Mon Sep 17 00:00:00 2001 From: Charles Lowell Date: Fri, 28 Aug 2020 15:07:36 -0700 Subject: [PATCH 5/7] prefix models with "KeyVault" --- .../azure/keyvault/administration/__init__.py | 10 ++++-- .../administration/_access_control_client.py | 32 +++++++++---------- .../azure/keyvault/administration/_models.py | 15 +++++---- .../aio/_access_control_client.py | 32 +++++++++---------- 4 files changed, 48 insertions(+), 41 deletions(-) diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py index e1cf68a13fb4..008faf70ac0d 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py @@ -4,7 +4,13 @@ # ------------------------------------ from ._access_control_client import KeyVaultAccessControlClient from ._internal.client_base import ApiVersion -from ._models import KeyVaultPermission, RoleAssignment, RoleDefinition +from ._models import KeyVaultPermission, KeyVaultRoleAssignment, KeyVaultRoleDefinition -__all__ = ["ApiVersion", "KeyVaultAccessControlClient", "KeyVaultPermission", "RoleAssignment", "RoleDefinition"] +__all__ = [ + "ApiVersion", + "KeyVaultAccessControlClient", + "KeyVaultPermission", + "KeyVaultRoleAssignment", + "KeyVaultRoleDefinition", +] diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py index a4334418b4c5..49d8c10fcbc6 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py @@ -6,7 +6,7 @@ from azure.core.tracing.decorator import distributed_trace -from ._models import RoleAssignment, RoleDefinition +from ._models import KeyVaultRoleAssignment, KeyVaultRoleDefinition from ._internal import KeyVaultClientBase if TYPE_CHECKING: @@ -27,7 +27,7 @@ class KeyVaultAccessControlClient(KeyVaultClientBase): @distributed_trace def create_role_assignment(self, role_scope, role_assignment_name, role_definition_id, principal_id, **kwargs): - # type: (str, Union[str, UUID], str, str, **Any) -> RoleAssignment + # type: (str, Union[str, UUID], str, str, **Any) -> KeyVaultRoleAssignment """Create a role assignment. :param str role_scope: scope the role assignment will apply over @@ -36,7 +36,7 @@ def create_role_assignment(self, role_scope, role_assignment_name, role_definiti :param str role_definition_id: ID of the role's definition :param str principal_id: ID of the principal which will be assigned the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. - :rtype: RoleAssignment + :rtype: KeyVaultRoleAssignment """ create_parameters = self._client.role_assignments.models.RoleAssignmentCreateParameters( properties=self._client.role_assignments.models.RoleAssignmentProperties( @@ -50,65 +50,65 @@ def create_role_assignment(self, role_scope, role_assignment_name, role_definiti parameters=create_parameters, **kwargs ) - return RoleAssignment._from_generated(assignment) + return KeyVaultRoleAssignment._from_generated(assignment) @distributed_trace def delete_role_assignment(self, role_scope, role_assignment_name, **kwargs): - # type: (str, Union[str, UUID], **Any) -> RoleAssignment + # type: (str, Union[str, UUID], **Any) -> KeyVaultRoleAssignment """Delete a role assignment. :param str role_scope: the assignment's scope :param role_assignment_name: the assignment's name. Must be a UUID. :type role_assignment_name: str or uuid.UUID :returns: the deleted assignment - :rtype: RoleAssignment + :rtype: KeyVaultRoleAssignment """ assignment = self._client.role_assignments.delete( vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs ) - return RoleAssignment._from_generated(assignment) + return KeyVaultRoleAssignment._from_generated(assignment) @distributed_trace def get_role_assignment(self, role_scope, role_assignment_name, **kwargs): - # type: (str, Union[str, UUID], **Any) -> RoleAssignment + # type: (str, Union[str, UUID], **Any) -> KeyVaultRoleAssignment """Get a role assignment. :param str role_scope: the assignment's scope :param role_assignment_name: the assignment's name. Must be a UUID. :type role_assignment_name: str or uuid.UUID - :rtype: RoleAssignment + :rtype: KeyVaultRoleAssignment """ assignment = self._client.role_assignments.get( vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs ) - return RoleAssignment._from_generated(assignment) + return KeyVaultRoleAssignment._from_generated(assignment) @distributed_trace def list_role_assignments(self, role_scope, **kwargs): - # type: (str, **Any) -> ItemPaged[RoleAssignment] + # type: (str, **Any) -> ItemPaged[KeyVaultRoleAssignment] """List all role assignments for a scope. :param str role_scope: scope of the role assignments - :rtype: ~azure.core.paging.ItemPaged[RoleAssignment] + :rtype: ~azure.core.paging.ItemPaged[KeyVaultRoleAssignment] """ return self._client.role_assignments.list_for_scope( self._vault_url, role_scope, - cls=lambda result: [RoleAssignment._from_generated(a) for a in result], + cls=lambda result: [KeyVaultRoleAssignment._from_generated(a) for a in result], **kwargs ) @distributed_trace def list_role_definitions(self, role_scope, **kwargs): - # type: (str, **Any) -> ItemPaged[RoleDefinition] + # type: (str, **Any) -> ItemPaged[KeyVaultRoleDefinition] """List all role definitions applicable at and above a scope. :param str role_scope: scope of the role definitions - :rtype: ~azure.core.paging.ItemPaged[RoleDefinition] + :rtype: ~azure.core.paging.ItemPaged[KeyVaultRoleDefinition] """ return self._client.role_definitions.list( self._vault_url, role_scope, - cls=lambda result: [RoleDefinition._from_generated(d) for d in result], + cls=lambda result: [KeyVaultRoleDefinition._from_generated(d) for d in result], **kwargs ) diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py index 073ec7fe0c5f..81d9b1165a3e 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_models.py @@ -10,6 +10,7 @@ # pylint:disable=protected-access + class KeyVaultPermission(object): """Role definition permissions. @@ -36,7 +37,7 @@ def _from_generated(cls, permissions): ) -class RoleAssignment(object): +class KeyVaultRoleAssignment(object): """Represents the assignment to a principal of a role over a scope""" def __init__(self, **kwargs): @@ -48,7 +49,7 @@ def __init__(self, **kwargs): def __repr__(self): # type: () -> str - return "RoleAssignment<{}>".format(self._assignment_id) + return "KeyVaultRoleAssignment<{}>".format(self._assignment_id) @property def assignment_id(self): @@ -95,11 +96,11 @@ def _from_generated(cls, role_assignment): assignment_id=role_assignment.id, name=role_assignment.name, assignment_type=role_assignment.type, - properties=RoleAssignmentProperties._from_generated(role_assignment.properties), + properties=KeyVaultRoleAssignmentProperties._from_generated(role_assignment.properties), ) -class RoleAssignmentProperties(object): +class KeyVaultRoleAssignmentProperties(object): def __init__(self, **kwargs): # type: (**Any) -> None self.principal_id = kwargs.get("principal_id") @@ -108,7 +109,7 @@ def __init__(self, **kwargs): def __repr__(self): # type: () -> str - return "RoleAssignmentProperties(principal_id={}, role_definition_id={}, scope={})".format( + return "KeyVaultRoleAssignmentProperties(principal_id={}, role_definition_id={}, scope={})".format( self.principal_id, self.role_definition_id, self.scope )[:1024] @@ -123,7 +124,7 @@ def _from_generated(cls, role_assignment_properties): ) -class RoleDefinition(object): +class KeyVaultRoleDefinition(object): """Role definition. :ivar str id: The role definition ID. @@ -150,7 +151,7 @@ def __init__(self, **kwargs): def __repr__(self): # type: () -> str - return "".format(self.role_name)[:1024] + return "".format(self.role_name)[:1024] @classmethod def _from_generated(cls, definition): diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py index ba7f15193dcc..496d608546f1 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py @@ -7,7 +7,7 @@ from azure.core.tracing.decorator import distributed_trace from azure.core.tracing.decorator_async import distributed_trace_async -from .._models import RoleAssignment, RoleDefinition +from .._models import KeyVaultRoleAssignment, KeyVaultRoleDefinition from .._internal import AsyncKeyVaultClientBase if TYPE_CHECKING: @@ -34,7 +34,7 @@ async def create_role_assignment( role_definition_id: str, principal_id: str, **kwargs: "Any" - ) -> RoleAssignment: + ) -> KeyVaultRoleAssignment: """Create a role assignment. :param str role_scope: scope the role assignment will apply over @@ -43,7 +43,7 @@ async def create_role_assignment( :param str role_definition_id: ID of the role's definition :param str principal_id: ID of the principal which will be assigned the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. - :rtype: RoleAssignment + :rtype: KeyVaultRoleAssignment """ create_parameters = self._client.role_assignments.models.RoleAssignmentCreateParameters( properties=self._client.role_assignments.models.RoleAssignmentProperties( @@ -57,65 +57,65 @@ async def create_role_assignment( parameters=create_parameters, **kwargs ) - return RoleAssignment._from_generated(assignment) + return KeyVaultRoleAssignment._from_generated(assignment) @distributed_trace_async async def delete_role_assignment( self, role_scope: str, role_assignment_name: "Union[str, UUID]", **kwargs: "Any" - ) -> RoleAssignment: + ) -> KeyVaultRoleAssignment: """Delete a role assignment. :param str role_scope: the assignment's scope :param role_assignment_name: the assignment's name. Must be a UUID. :type role_assignment_name: str or uuid.UUID :returns: the deleted assignment - :rtype: RoleAssignment + :rtype: KeyVaultRoleAssignment """ assignment = await self._client.role_assignments.delete( vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs ) - return RoleAssignment._from_generated(assignment) + return KeyVaultRoleAssignment._from_generated(assignment) @distributed_trace_async async def get_role_assignment( self, role_scope: str, role_assignment_name: "Union[str, UUID]", **kwargs: "Any" - ) -> RoleAssignment: + ) -> KeyVaultRoleAssignment: """Get a role assignment. :param str role_scope: the assignment's scope :param role_assignment_name: the assignment's name. Must be a UUID. :type role_assignment_name: str or uuid.UUID - :rtype: RoleAssignment + :rtype: KeyVaultRoleAssignment """ assignment = await self._client.role_assignments.get( vault_base_url=self._vault_url, scope=role_scope, role_assignment_name=str(role_assignment_name), **kwargs ) - return RoleAssignment._from_generated(assignment) + return KeyVaultRoleAssignment._from_generated(assignment) @distributed_trace - def list_role_assignments(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[RoleAssignment]": + def list_role_assignments(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[KeyVaultRoleAssignment]": """List all role assignments for a scope. :param str role_scope: scope of the role assignments - :rtype: ~azure.core.async_paging.AsyncItemPaged[RoleAssignment] + :rtype: ~azure.core.async_paging.AsyncItemPaged[KeyVaultRoleAssignment] """ return self._client.role_assignments.list_for_scope( self._vault_url, role_scope, - cls=lambda result: [RoleAssignment._from_generated(a) for a in result], + cls=lambda result: [KeyVaultRoleAssignment._from_generated(a) for a in result], **kwargs ) @distributed_trace - def list_role_definitions(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[RoleDefinition]": + def list_role_definitions(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[KeyVaultRoleDefinition]": """List all role definitions applicable at and above a scope. :param str role_scope: scope of the role definitions - :rtype: ~azure.core.async_paging.AsyncItemPaged[RoleDefinition] + :rtype: ~azure.core.async_paging.AsyncItemPaged[KeyVaultRoleDefinition] """ return self._client.role_definitions.list( self._vault_url, role_scope, - cls=lambda result: [RoleDefinition._from_generated(d) for d in result], + cls=lambda result: [KeyVaultRoleDefinition._from_generated(d) for d in result], **kwargs ) From f675ce747e1d9166a2323c7489201b64af2aea9f Mon Sep 17 00:00:00 2001 From: Charles Lowell Date: Fri, 28 Aug 2020 15:25:54 -0700 Subject: [PATCH 6/7] clearer documentation of principal_id --- .../azure/keyvault/administration/_access_control_client.py | 4 ++-- .../keyvault/administration/aio/_access_control_client.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py index 49d8c10fcbc6..9eee173ce6e1 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py @@ -34,8 +34,8 @@ def create_role_assignment(self, role_scope, role_assignment_name, role_definiti :param role_assignment_name: a name for the role assignment. Must be a UUID. :type role_assignment_name: str or uuid.UUID :param str role_definition_id: ID of the role's definition - :param str principal_id: ID of the principal which will be assigned the role. This maps to the ID inside the - Active Directory. It can point to a user, service principal, or security group. + :param str principal_id: Azure Active Directory object ID of the principal which will be assigned the role. The + principal can be a user, service principal, or security group. :rtype: KeyVaultRoleAssignment """ create_parameters = self._client.role_assignments.models.RoleAssignmentCreateParameters( diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py index 496d608546f1..a10dd5d1aa1b 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py @@ -41,8 +41,8 @@ async def create_role_assignment( :param role_assignment_name: a name for the role assignment. Must be a UUID. :type role_assignment_name: str or uuid.UUID :param str role_definition_id: ID of the role's definition - :param str principal_id: ID of the principal which will be assigned the role. This maps to the ID inside the - Active Directory. It can point to a user, service principal, or security group. + :param str principal_id: Azure Active Directory object ID of the principal which will be assigned the role. The + principal can be a user, service principal, or security group. :rtype: KeyVaultRoleAssignment """ create_parameters = self._client.role_assignments.models.RoleAssignmentCreateParameters( From 79ee5de467537add38a96d1d5117ce94fad95249 Mon Sep 17 00:00:00 2001 From: Charles Lowell Date: Fri, 28 Aug 2020 15:50:28 -0700 Subject: [PATCH 7/7] document the form of role_scope --- .../azure/keyvault/administration/_access_control_client.py | 4 ++-- .../keyvault/administration/aio/_access_control_client.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py index 9eee173ce6e1..862fc8cea88c 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py @@ -57,7 +57,7 @@ def delete_role_assignment(self, role_scope, role_assignment_name, **kwargs): # type: (str, Union[str, UUID], **Any) -> KeyVaultRoleAssignment """Delete a role assignment. - :param str role_scope: the assignment's scope + :param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/" :param role_assignment_name: the assignment's name. Must be a UUID. :type role_assignment_name: str or uuid.UUID :returns: the deleted assignment @@ -73,7 +73,7 @@ def get_role_assignment(self, role_scope, role_assignment_name, **kwargs): # type: (str, Union[str, UUID], **Any) -> KeyVaultRoleAssignment """Get a role assignment. - :param str role_scope: the assignment's scope + :param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/" :param role_assignment_name: the assignment's name. Must be a UUID. :type role_assignment_name: str or uuid.UUID :rtype: KeyVaultRoleAssignment diff --git a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py index a10dd5d1aa1b..a9cd70ffcd66 100644 --- a/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py +++ b/sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/aio/_access_control_client.py @@ -65,7 +65,7 @@ async def delete_role_assignment( ) -> KeyVaultRoleAssignment: """Delete a role assignment. - :param str role_scope: the assignment's scope + :param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/" :param role_assignment_name: the assignment's name. Must be a UUID. :type role_assignment_name: str or uuid.UUID :returns: the deleted assignment @@ -82,7 +82,7 @@ async def get_role_assignment( ) -> KeyVaultRoleAssignment: """Get a role assignment. - :param str role_scope: the assignment's scope + :param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/" :param role_assignment_name: the assignment's name. Must be a UUID. :type role_assignment_name: str or uuid.UUID :rtype: KeyVaultRoleAssignment