[Key Vault] Federated auth in test pipelines (#36766)

mccoyp · web-flow · commit 372fd7d0eee4 · 2024-08-16T14:35:34.000-07:00
diff --git a/sdk/keyvault/azure-keyvault-administration/tests.yml b/sdk/keyvault/azure-keyvault-administration/tests.yml
@@ -6,43 +6,28 @@ extends:
       ServiceDirectory: keyvault
       BuildTargetingString: "azure-keyvault-administration"
       JobName: azure_keyvault_administration
-      SupportedClouds: 'Public,UsGov,China'
+      SupportedClouds: 'Public'
       TestTimeoutInMinutes: 240
-      TestResourceDirectories:
-        - keyvault/
+      UseFederatedAuth: true
+      # Since we don't use HSMs in USGov or China clouds, just run Admin tests in Public.
       CloudConfig:
         Public:
+          Location: 'westus2'
+          SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
           ServiceConnection: azure-sdk-tests
           SubscriptionConfigurationFilePaths:
             - eng/common/TestResources/sub-config/AzurePublicMsft.json
-        UsGov:
-          ServiceConnection: usgov_azure-sdk-tests
-          SubscriptionConfigurationFilePaths:
-            - eng/common/TestResources/sub-config/AzureUsGovMsft.json
-          MatrixFilters:
-            - ArmTemplateParameters=^(?!.*enableHsm.*true)
-        China:
-          ServiceConnection: china_azure-sdk-tests
-          SubscriptionConfigurationFilePaths:
-            - eng/common/TestResources/sub-config/AzureChinaMsft.json
-          MatrixFilters:
-            - ArmTemplateParameters=^(?!.*enableHsm.*true)
-          Location: chinaeast2
-        # Test azure-keyvault-administration on *only* Managed HSM for weekly tests only
-        MatrixConfigs:
-          - Name: keyvault_admin_weekly_matrix
-            Path: sdk/keyvault/azure-keyvault-keys/platform-matrix.json
-            Selection: sparse
-            GenerateVMJobs: true
-        ${{ if not(contains(variables['Build.DefinitionName'], 'tests-weekly')) }}:
-          # For nightly tests, don't run live azure-keyvault-administration jobs since they require Managed HSM
-          MatrixFilters:
-            - OSVmImage=NonexistentImage
+      # HSMs are expensive and restricted in number so we only test them on one platform.
+      AdditionalMatrixConfigs:
+        - Name: keyvault_hsm_matrix_addons
+          Path: sdk/keyvault/azure-keyvault-keys/platform-matrix.json
+          Selection: sparse
+          GenerateVMJobs: true
+
+      # Due to the high cost of Managed HSMs, we only want to test using them weekly.
+      ${{ if not(contains(variables['Build.DefinitionName'], 'tests-weekly')) }}:
+        MatrixFilters:
+          - ArmTemplateParameters=^(?!.*enableHsm.*true)
       EnvVars:
         AZURE_TEST_RUN_LIVE: true
         AZURE_SKIP_LIVE_RECORDING: 'True'
-        AZURE_SUBSCRIPTION_ID: $(azure-subscription-id)
-        AZURE_TENANT_ID: $(aad-azure-sdk-test-tenant-id)
-        AZURE_CLIENT_ID: $(aad-azure-sdk-test-client-id)
-        AZURE_CLIENT_SECRET: $(aad-azure-sdk-test-client-secret)
-        AZURE_CLIENT_OID: $(aad-azure-sdk-test-client-oid)
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/_async_test_case.py b/sdk/keyvault/azure-keyvault-administration/tests/_async_test_case.py
@@ -19,10 +19,9 @@ def __init__(self, **kwargs) -> None:
 
         if self.is_live:
             self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
-            storage_name = os.environ.get("BLOB_STORAGE_ACCOUNT_NAME")
-            storage_endpoint_suffix = os.environ.get("KEYVAULT_STORAGE_ENDPOINT_SUFFIX")
+            storage_url = os.environ.get("BLOB_STORAGE_URL")
             container_name = os.environ.get("BLOB_CONTAINER_NAME")
-            self.container_uri = f"https://{storage_name}.blob.{storage_endpoint_suffix}/{container_name}"
+            self.container_uri = f"{storage_url}/{container_name}"
 
             self.sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN")
             
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/_test_case.py b/sdk/keyvault/azure-keyvault-administration/tests/_test_case.py
@@ -20,10 +20,9 @@ def __init__(self, **kwargs) -> None:
 
         if self.is_live:
             self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
-            storage_name = os.environ.get("BLOB_STORAGE_ACCOUNT_NAME")
-            storage_endpoint_suffix = os.environ.get("KEYVAULT_STORAGE_ENDPOINT_SUFFIX")
+            storage_url = os.environ.get("BLOB_STORAGE_URL")
             container_name = os.environ.get("BLOB_CONTAINER_NAME")
-            self.container_uri = f"https://{storage_name}.blob.{storage_endpoint_suffix}/{container_name}"
+            self.container_uri = f"{storage_url}/{container_name}"
 
             self.sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN")
             
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/conftest.py b/sdk/keyvault/azure-keyvault-administration/tests/conftest.py
@@ -20,26 +20,24 @@
 
 @pytest.fixture(scope="session", autouse=True)
 def add_sanitizers(test_proxy):
-    azure_keyvault_url = os.getenv("AZURE_KEYVAULT_URL", "https://vaultname.vault.azure.net")
+    azure_keyvault_url = os.getenv("AZURE_KEYVAULT_URL", "https://Sanitized.vault.azure.net")
     azure_keyvault_url = azure_keyvault_url.rstrip("/")
     keyvault_tenant_id = os.getenv("KEYVAULT_TENANT_ID", "keyvault_tenant_id")
     keyvault_subscription_id = os.getenv("KEYVAULT_SUBSCRIPTION_ID", "keyvault_subscription_id")
-    azure_managedhsm_url = os.environ.get("AZURE_MANAGEDHSM_URL","https://managedhsmvaultname.managedhsm.azure.net")
+    azure_managedhsm_url = os.environ.get("AZURE_MANAGEDHSM_URL","https://Sanitized.managedhsm.azure.net")
     azure_managedhsm_url = azure_managedhsm_url.rstrip("/")
-    azure_attestation_uri = os.environ.get("AZURE_KEYVAULT_ATTESTATION_URL","https://fakeattestation.azurewebsites.net")
+    azure_attestation_uri = os.environ.get("AZURE_KEYVAULT_ATTESTATION_URL","https://Sanitized.azurewebsites.net")
     azure_attestation_uri = azure_attestation_uri.rstrip('/')
-    storage_name = os.environ.get("BLOB_STORAGE_ACCOUNT_NAME", "blob_storage_account_name")
-    storage_endpoint_suffix = os.environ.get("KEYVAULT_STORAGE_ENDPOINT_SUFFIX", "keyvault_endpoint_suffix")
+    storage_url = os.environ.get("BLOB_STORAGE_URL", "https://Sanitized.blob.core.windows.net")
     client_id = os.environ.get("KEYVAULT_CLIENT_ID", "service-principal-id")
     sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN","fake-sas")
 
-    add_general_string_sanitizer(target=azure_keyvault_url, value="https://vaultname.vault.azure.net")
+    add_general_string_sanitizer(target=azure_keyvault_url, value="https://Sanitized.vault.azure.net")
     add_general_string_sanitizer(target=keyvault_tenant_id, value="00000000-0000-0000-0000-000000000000")
     add_general_string_sanitizer(target=keyvault_subscription_id, value="00000000-0000-0000-0000-000000000000")
-    add_general_string_sanitizer(target=azure_managedhsm_url,value="https://managedhsmvaultname.managedhsm.azure.net")
-    add_general_string_sanitizer(target=azure_attestation_uri,value="https://fakeattestation.azurewebsites.net")
-    add_general_string_sanitizer(target=storage_name, value = "blob_storage_account_name")
-    add_general_string_sanitizer(target=storage_endpoint_suffix, value = "keyvault_endpoint_suffix")
+    add_general_string_sanitizer(target=azure_managedhsm_url,value="https://Sanitized.managedhsm.azure.net")
+    add_general_string_sanitizer(target=azure_attestation_uri,value="https://Sanitized.azurewebsites.net")
+    add_general_string_sanitizer(target=storage_url, value="https://Sanitized.blob.core.windows.net")
     add_general_string_sanitizer(target=sas_token, value="fake-sas")
     add_general_string_sanitizer(target=client_id, value = "service-principal-id")
     # Sanitize API versions of `azure-keyvault-keys` requests
diff --git a/sdk/keyvault/azure-keyvault-keys/tests.yml b/sdk/keyvault/azure-keyvault-keys/tests.yml
@@ -8,42 +8,36 @@ extends:
       JobName: azure_keyvault_keys
       SupportedClouds: 'Public,UsGov,China'
       TestTimeoutInMinutes: 240
-      TestResourceDirectories:
-        - keyvault/
+      UseFederatedAuth: true
       CloudConfig:
         Public:
+          Location: 'westus2'
+          SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
           ServiceConnection: azure-sdk-tests
           SubscriptionConfigurationFilePaths:
             - eng/common/TestResources/sub-config/AzurePublicMsft.json
         UsGov:
-          ServiceConnection: usgov_azure-sdk-tests
-          SubscriptionConfigurationFilePaths:
-            - eng/common/TestResources/sub-config/AzureUsGovMsft.json
+          SubscriptionConfiguration: $(sub-config-gov-test-resources)
           MatrixFilters:
             - ArmTemplateParameters=^(?!.*enableHsm.*true)
+          ServiceConnection: usgov_azure-sdk-tests
         China:
+          Location: chinaeast2
+          SubscriptionConfiguration: $(sub-config-cn-test-resources)
           ServiceConnection: china_azure-sdk-tests
-          SubscriptionConfigurationFilePaths:
-            - eng/common/TestResources/sub-config/AzureChinaMsft.json
           MatrixFilters:
             - ArmTemplateParameters=^(?!.*enableHsm.*true)
-          Location: chinaeast2
-      ${{ if contains(variables['Build.DefinitionName'], 'tests-weekly') }}:
-        # Test azure-keyvault-keys on Managed HSM for weekly tests only
-        AdditionalMatrixConfigs:
-          - Name: keyvault_hsm_matrix_addons
-            Path: sdk/keyvault/azure-keyvault-keys/platform-matrix.json
-            Selection: sparse
-            GenerateVMJobs: true
+      # HSMs are expensive and restricted in number so we only test them on one platform.
+      AdditionalMatrixConfigs:
+        - Name: keyvault_hsm_matrix_addons
+          Path: sdk/keyvault/azure-keyvault-keys/platform-matrix.json
+          Selection: sparse
+          GenerateVMJobs: true
+
+      # Due to the high cost of Managed HSMs, we only want to test using them weekly.
       ${{ if not(contains(variables['Build.DefinitionName'], 'tests-weekly')) }}:
-        # For nightly tests, don't run live azure-keyvault-administration jobs since they require Managed HSM
         MatrixFilters:
-          - OSVmImage=NonexistentImage
+          - ArmTemplateParameters=^(?!.*enableHsm.*true)
       EnvVars:
         AZURE_TEST_RUN_LIVE: true
         AZURE_SKIP_LIVE_RECORDING: 'True'
-        AZURE_SUBSCRIPTION_ID: $(azure-subscription-id)
-        AZURE_TENANT_ID: $(aad-azure-sdk-test-tenant-id)
-        AZURE_CLIENT_ID: $(aad-azure-sdk-test-client-id)
-        AZURE_CLIENT_SECRET: $(aad-azure-sdk-test-client-secret)
-        AZURE_CLIENT_OID: $(aad-azure-sdk-test-client-oid)
diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py b/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py
@@ -41,22 +41,11 @@ def test_multitenant_authentication(self, client, is_hsm, **kwargs):
         if not self.is_live:
             pytest.skip("This test is incompatible with test proxy in playback")
 
-        client_id = os.environ.get("KEYVAULT_CLIENT_ID")
-        client_secret = os.environ.get("KEYVAULT_CLIENT_SECRET")
-
         # we set up a client for this method to align with the async test, but we actually want to create a new client
         # this new client should use a credential with an initially fake tenant ID and still succeed with a real request
-        if os.environ.get("AZURE_TEST_USE_PWSH_AUTH") == "true":
-            credential = AzurePowerShellCredential(tenant_id=str(uuid4()), additionally_allowed_tenants="*")
-        elif os.environ.get("AZURE_TEST_USE_CLI_AUTH") == "true":
-            credential = AzureCliCredential(tenant_id=str(uuid4()), additionally_allowed_tenants="*")
-        else:
-            credential = ClientSecretCredential(
-                tenant_id=str(uuid4()),
-                client_id=client_id,
-                client_secret=client_secret,
-                additionally_allowed_tenants="*",
-            )
+        original_tenant = os.environ.get("AZURE_TENANT_ID")
+        os.environ["AZURE_TENANT_ID"] = str(uuid4())
+        credential = self.get_credential(KeyClient, additionally_allowed_tenants="*")
         managed_hsm_url = kwargs.pop("managed_hsm_url", None)
         keyvault_url = kwargs.pop("vault_url", None)
         vault_url = managed_hsm_url if is_hsm else keyvault_url
@@ -74,6 +63,12 @@ def test_multitenant_authentication(self, client, is_hsm, **kwargs):
         fetched_key = client.get_key(key_name)
         assert key.id == fetched_key.id
 
+        # clear the fake tenant
+        if original_tenant:
+            os.environ["AZURE_TENANT_ID"] = original_tenant
+        else:
+            os.environ.pop("AZURE_TENANT_ID")
+
 def empty_challenge_cache(fn):
     @functools.wraps(fn)
     def wrapper(**kwargs):
diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py b/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py
@@ -42,22 +42,11 @@ async def test_multitenant_authentication(self, client, is_hsm, **kwargs):
         if not self.is_live:
             pytest.skip("This test is incompatible with vcrpy in playback")
 
-        client_id = os.environ.get("KEYVAULT_CLIENT_ID")
-        client_secret = os.environ.get("KEYVAULT_CLIENT_SECRET")
-
         # we set up a client for this method so it gets awaited, but we actually want to create a new client
         # this new client should use a credential with an initially fake tenant ID and still succeed with a real request
-        if os.environ.get("AZURE_TEST_USE_PWSH_AUTH") == "true":
-            credential = AzurePowerShellCredential(tenant_id=str(uuid4()), additionally_allowed_tenants="*")
-        elif os.environ.get("AZURE_TEST_USE_CLI_AUTH") == "true":
-            credential = AzureCliCredential(tenant_id=str(uuid4()), additionally_allowed_tenants="*")
-        else:
-            credential = ClientSecretCredential(
-                tenant_id=str(uuid4()),
-                client_id=client_id,
-                client_secret=client_secret,
-                additionally_allowed_tenants="*",
-            )
+        original_tenant = os.environ.get("AZURE_TENANT_ID")
+        os.environ["AZURE_TENANT_ID"] = str(uuid4())
+        credential = self.get_credential(KeyClient, additionally_allowed_tenants="*", is_async=True)
         managed_hsm_url = kwargs.pop("managed_hsm_url", None)
         keyvault_url = kwargs.pop("vault_url", None)
         vault_url = managed_hsm_url if is_hsm else keyvault_url
@@ -75,6 +64,12 @@ async def test_multitenant_authentication(self, client, is_hsm, **kwargs):
         fetched_key = await client.get_key(key_name)
         assert key.id == fetched_key.id
 
+        # clear the fake tenant
+        if original_tenant:
+            os.environ["AZURE_TENANT_ID"] = original_tenant
+        else:
+            os.environ.pop("AZURE_TENANT_ID")
+
 
 @pytest.mark.asyncio
 @empty_challenge_cache
diff --git a/sdk/keyvault/test-resources-post.ps1 b/sdk/keyvault/test-resources-post.ps1
@@ -80,7 +80,7 @@ Log 'Creating 3 X509 certificates to activate security domain'
 $wrappingFiles = foreach ($i in 0..2) {
     $certificate = New-X509Certificate2 "CN=$($hsmUrl.Host)"
 
-    $baseName = "$PSScriptRoot\$hsmName-certificate$i"
+    $baseName = Join-Path -Path $PSScriptRoot -ChildPath "$hsmName-certificate$i"
     Export-X509Certificate2 "$baseName.pfx" $certificate
     Export-X509Certificate2PEM "$baseName.cer" $certificate
 
@@ -89,7 +89,7 @@ $wrappingFiles = foreach ($i in 0..2) {
 
 Log "Downloading security domain from '$hsmUrl'"
 
-$sdPath = "$PSScriptRoot\$hsmName-security-domain.key"
+$sdPath = Join-Path -Path $PSScriptRoot -ChildPath "$hsmName-security-domain.key"
 if (Test-Path $sdpath) {
     Log "Deleting old security domain: $sdPath"
     Remove-Item $sdPath -Force
@@ -105,14 +105,9 @@ if ( !$? ) {
 
 Log "Security domain downloaded to '$sdPath'; Managed HSM is now active at '$hsmUrl'"
 
-# Force a sleep to wait for Managed HSM activation to propagate through Cosmos replication. Issue tracked in Azure DevOps.
-Log 'Sleeping for 120 seconds to allow activation to propagate...'
-Start-Sleep -Seconds 120
-
-$testApplicationOid = $DeploymentOutputs['CLIENT_OBJECTID']
-
-Log "Creating additional required role assignments for '$testApplicationOid'"
-$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto Officer' -ObjectID $testApplicationOid
-$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto User' -ObjectID $testApplicationOid
+$testApplicationOid = $DeploymentOutputs["CLIENT_OBJECTID"]
 
+Log "Creating additional required role assignments for resource access."
+New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto Officer" -ObjectID $testApplicationOid
+New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto User" -ObjectID $testApplicationOid
 Log "Role assignments created for '$testApplicationOid'"
diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json
diff --git a/sdk/keyvault/tests.yml b/sdk/keyvault/tests.yml
