
Commit 372fd7d

authored
[Key Vault] Federated auth in test pipelines (#36766)
1 parent 197a75d commit 372fd7d


10 files changed

+101
-402
lines changed


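--- a/sdk/keyvault/azure-keyvault-administration/tests.yml
+++ b/sdk/keyvault/azure-keyvault-administration/tests.yml
@@ -6,43 +6,28 @@ extends:
 ServiceDirectory: keyvault
 BuildTargetingString: "azure-keyvault-administration"
 JobName: azure_keyvault_administration
-SupportedClouds: 'Public,UsGov,China'
+SupportedClouds: 'Public'
 TestTimeoutInMinutes: 240
-TestResourceDirectories:
-- keyvault/
+UseFederatedAuth: true
+# Since we don't use HSMs in USGov or China clouds, just run Admin tests in Public.
 CloudConfig:
 Public:
+Location: 'westus2'
+SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
 ServiceConnection: azure-sdk-tests
 SubscriptionConfigurationFilePaths:
 - eng/common/TestResources/sub-config/AzurePublicMsft.json
-UsGov:
-ServiceConnection: usgov_azure-sdk-tests
-SubscriptionConfigurationFilePaths:
-- eng/common/TestResources/sub-config/AzureUsGovMsft.json
-MatrixFilters:
-- ArmTemplateParameters=^(?!.*enableHsm.*true)
-China:
-ServiceConnection: china_azure-sdk-tests
-SubscriptionConfigurationFilePaths:
-- eng/common/TestResources/sub-config/AzureChinaMsft.json
-MatrixFilters:
-- ArmTemplateParameters=^(?!.*enableHsm.*true)
-Location: chinaeast2
-# Test azure-keyvault-administration on *only* Managed HSM for weekly tests only
-MatrixConfigs:
-- Name: keyvault_admin_weekly_matrix
-Path: sdk/keyvault/azure-keyvault-keys/platform-matrix.json
-Selection: sparse
-GenerateVMJobs: true
-${{ if not(contains(variables['Build.DefinitionName'], 'tests-weekly')) }}:
-# For nightly tests, don't run live azure-keyvault-administration jobs since they require Managed HSM
-MatrixFilters:
-- OSVmImage=NonexistentImage
+# HSMs are expensive and restricted in number so we only test them on one platform.
+AdditionalMatrixConfigs:
+- Name: keyvault_hsm_matrix_addons
+Path: sdk/keyvault/azure-keyvault-keys/platform-matrix.json
+Selection: sparse
+GenerateVMJobs: true
+
+# Due to the high cost of Managed HSMs, we only want to test using them weekly.
+${{ if not(contains(variables['Build.DefinitionName'], 'tests-weekly')) }}:
+MatrixFilters:
+- ArmTemplateParameters=^(?!.*enableHsm.*true)
 EnvVars:
 AZURE_TEST_RUN_LIVE: true
 AZURE_SKIP_LIVE_RECORDING: 'True'
-AZURE_SUBSCRIPTION_ID: $(azure-subscription-id)
-AZURE_TENANT_ID: $(aad-azure-sdk-test-tenant-id)
-AZURE_CLIENT_ID: $(aad-azure-sdk-test-client-id)
-AZURE_CLIENT_SECRET: $(aad-azure-sdk-test-client-secret)
-AZURE_CLIENT_OID: $(aad-azure-sdk-test-client-oid)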
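Review bot: The nightly filter `- ArmTemplateParameters=^(?!.*enableHsm.*true)` under the `${{ if not(...'tests-weekly') }}` condition replaces the old `OSVmImage=NonexistentImage` filter, which suppressed every nightly admin job because, per the removed comment, these tests require a Managed HSM; the new filter only drops HSM-enabled ARM parameter sets, so any non-HSM entry in `azure-keyvault-keys/platform-matrix.json` would now run the admin suite nightly against a deployment with no HSM — worth confirming that no such entry exists, or that the tests skip cleanly when `AZURE_MANAGEDHSM_URL` is absent. The comment `# Since we don't use HSMs in USGov or China clouds, just run Admin tests in Public.` sits under `UseFederatedAuth: true` but explains `SupportedClouds: 'Public'` three lines earlier; move it directly above that key. Dropping `AZURE_CLIENT_SECRET` and the other static `AZURE_*` variables from `EnvVars` is the substantive security gain of this change, provided the federated-auth template now supplies `AZURE_TENANT_ID`, which the updated `test_challenge_auth.py` still reads and temporarily overrides.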

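--- a/sdk/keyvault/azure-keyvault-administration/tests/_async_test_case.py
+++ b/sdk/keyvault/azure-keyvault-administration/tests/_async_test_case.py
@@ -19,10 +19,9 @@ def __init__(self, **kwargs) -> None:
 
 if self.is_live:
 self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
-storage_name = os.environ.get("BLOB_STORAGE_ACCOUNT_NAME")
-storage_endpoint_suffix = os.environ.get("KEYVAULT_STORAGE_ENDPOINT_SUFFIX")
+storage_url = os.environ.get("BLOB_STORAGE_URL")
 container_name = os.environ.get("BLOB_CONTAINER_NAME")
-self.container_uri = f"https://{storage_name}.blob.{storage_endpoint_suffix}/{container_name}"
+self.container_uri = f"{storage_url}/{container_name}"
 
 self.sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN")
 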
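Review bot: `self.container_uri = f"{storage_url}/{container_name}"` no longer pins the `https://` scheme that the removed line hard-coded, and because `os.environ.get` returns `None` when `BLOB_STORAGE_URL` is missing, the URI silently becomes `None/<container>` instead of failing at setup. The SAS token read two lines later is presumably attached to requests against this URI, so a mis-set plain-http or wrong-host value would send a live SAS token to the wrong endpoint; read the variable strictly and normalise it, `storage_url = os.environ["BLOB_STORAGE_URL"].rstrip("/")`, and reject a value that does not start with `https://` in this live branch. The enclosing `__init__` starts before the hunk.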
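--- a/sdk/keyvault/azure-keyvault-administration/tests/_test_case.py
+++ b/sdk/keyvault/azure-keyvault-administration/tests/_test_case.py
@@ -20,10 +20,9 @@ def __init__(self, **kwargs) -> None:
 
 if self.is_live:
 self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL")
-storage_name = os.environ.get("BLOB_STORAGE_ACCOUNT_NAME")
-storage_endpoint_suffix = os.environ.get("KEYVAULT_STORAGE_ENDPOINT_SUFFIX")
+storage_url = os.environ.get("BLOB_STORAGE_URL")
 container_name = os.environ.get("BLOB_CONTAINER_NAME")
-self.container_uri = f"https://{storage_name}.blob.{storage_endpoint_suffix}/{container_name}"
+self.container_uri = f"{storage_url}/{container_name}"
 
 self.sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN")
 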
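Review bot: The sync test case now builds `self.container_uri` from an unvalidated `BLOB_STORAGE_URL`: a trailing slash in the variable yields `https://host//container`, an unset variable yields the string `None/<container>`, and nothing enforces the `https://` scheme the removed f-string guaranteed — all while `BLOB_STORAGE_SAS_TOKEN` is loaded right after for use against that URI. Prefer `storage_url = os.environ["BLOB_STORAGE_URL"].rstrip("/")` so a missing value fails loudly at construction, and check the scheme before the SAS token is ever combined with it. This live-setup block is now byte-identical to the one in `_async_test_case.py`; a small shared helper would keep the two from drifting. The enclosing `__init__` starts before the hunk.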
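--- a/sdk/keyvault/azure-keyvault-administration/tests/conftest.py
+++ b/sdk/keyvault/azure-keyvault-administration/tests/conftest.py
@@ -20,26 +20,24 @@
 
 @pytest.fixture(scope="session", autouse=True)
 def add_sanitizers(test_proxy):
-azure_keyvault_url = os.getenv("AZURE_KEYVAULT_URL", "https://vaultname.vault.azure.net")
+azure_keyvault_url = os.getenv("AZURE_KEYVAULT_URL", "https://Sanitized.vault.azure.net")
 azure_keyvault_url = azure_keyvault_url.rstrip("/")
 keyvault_tenant_id = os.getenv("KEYVAULT_TENANT_ID", "keyvault_tenant_id")
 keyvault_subscription_id = os.getenv("KEYVAULT_SUBSCRIPTION_ID", "keyvault_subscription_id")
-azure_managedhsm_url = os.environ.get("AZURE_MANAGEDHSM_URL","https://managedhsmvaultname.managedhsm.azure.net")
+azure_managedhsm_url = os.environ.get("AZURE_MANAGEDHSM_URL","https://Sanitized.managedhsm.azure.net")
 azure_managedhsm_url = azure_managedhsm_url.rstrip("/")
-azure_attestation_uri = os.environ.get("AZURE_KEYVAULT_ATTESTATION_URL","https://fakeattestation.azurewebsites.net")
+azure_attestation_uri = os.environ.get("AZURE_KEYVAULT_ATTESTATION_URL","https://Sanitized.azurewebsites.net")
 azure_attestation_uri = azure_attestation_uri.rstrip('/')
-storage_name = os.environ.get("BLOB_STORAGE_ACCOUNT_NAME", "blob_storage_account_name")
-storage_endpoint_suffix = os.environ.get("KEYVAULT_STORAGE_ENDPOINT_SUFFIX", "keyvault_endpoint_suffix")
+storage_url = os.environ.get("BLOB_STORAGE_URL", "https://Sanitized.blob.core.windows.net")
 client_id = os.environ.get("KEYVAULT_CLIENT_ID", "service-principal-id")
 sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN","fake-sas")
 
-add_general_string_sanitizer(target=azure_keyvault_url, value="https://vaultname.vault.azure.net")
+add_general_string_sanitizer(target=azure_keyvault_url, value="https://Sanitized.vault.azure.net")
 add_general_string_sanitizer(target=keyvault_tenant_id, value="00000000-0000-0000-0000-000000000000")
 add_general_string_sanitizer(target=keyvault_subscription_id, value="00000000-0000-0000-0000-000000000000")
-add_general_string_sanitizer(target=azure_managedhsm_url,value="https://managedhsmvaultname.managedhsm.azure.net")
-add_general_string_sanitizer(target=azure_attestation_uri,value="https://fakeattestation.azurewebsites.net")
-add_general_string_sanitizer(target=storage_name, value = "blob_storage_account_name")
-add_general_string_sanitizer(target=storage_endpoint_suffix, value = "keyvault_endpoint_suffix")
+add_general_string_sanitizer(target=azure_managedhsm_url,value="https://Sanitized.managedhsm.azure.net")
+add_general_string_sanitizer(target=azure_attestation_uri,value="https://Sanitized.azurewebsites.net")
+add_general_string_sanitizer(target=storage_url, value="https://Sanitized.blob.core.windows.net")
 add_general_string_sanitizer(target=sas_token, value="fake-sas")
 add_general_string_sanitizer(target=client_id, value = "service-principal-id")
 # Sanitize API versions of `azure-keyvault-keys` requests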
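Review bot: The new `storage_url` is read without the `.rstrip("/")` that `azure_keyvault_url`, `azure_managedhsm_url` and `azure_attestation_uri` all receive in this fixture, so a `BLOB_STORAGE_URL` ending in `/` produces a sanitizer target that misses every occurrence of the bare origin (a `Host` header or a response body, for example) and lets the real storage account name into recordings; add `storage_url = storage_url.rstrip("/")` after the new `os.environ.get(...)` line. Separately, the tenant sanitizer still targets `KEYVAULT_TENANT_ID` only, while the updated `test_challenge_auth.py` steers credentials through `AZURE_TENANT_ID`, which under federated auth is presumably the variable carrying the real tenant; if the two are not populated identically, a locally made recording keeps the real tenant GUID, so consider `keyvault_tenant_id = os.getenv("KEYVAULT_TENANT_ID") or os.getenv("AZURE_TENANT_ID", "keyvault_tenant_id")`.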

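--- a/sdk/keyvault/azure-keyvault-keys/tests.yml
+++ b/sdk/keyvault/azure-keyvault-keys/tests.yml
@@ -8,42 +8,36 @@ extends:
 JobName: azure_keyvault_keys
 SupportedClouds: 'Public,UsGov,China'
 TestTimeoutInMinutes: 240
-TestResourceDirectories:
-- keyvault/
+UseFederatedAuth: true
 CloudConfig:
 Public:
+Location: 'westus2'
+SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
 ServiceConnection: azure-sdk-tests
 SubscriptionConfigurationFilePaths:
 - eng/common/TestResources/sub-config/AzurePublicMsft.json
 UsGov:
-ServiceConnection: usgov_azure-sdk-tests
-SubscriptionConfigurationFilePaths:
-- eng/common/TestResources/sub-config/AzureUsGovMsft.json
+SubscriptionConfiguration: $(sub-config-gov-test-resources)
 MatrixFilters:
 - ArmTemplateParameters=^(?!.*enableHsm.*true)
+ServiceConnection: usgov_azure-sdk-tests
 China:
+Location: chinaeast2
+SubscriptionConfiguration: $(sub-config-cn-test-resources)
 ServiceConnection: china_azure-sdk-tests
-SubscriptionConfigurationFilePaths:
-- eng/common/TestResources/sub-config/AzureChinaMsft.json
 MatrixFilters:
 - ArmTemplateParameters=^(?!.*enableHsm.*true)
-Location: chinaeast2
-${{ if contains(variables['Build.DefinitionName'], 'tests-weekly') }}:
-# Test azure-keyvault-keys on Managed HSM for weekly tests only
-AdditionalMatrixConfigs:
-- Name: keyvault_hsm_matrix_addons
-Path: sdk/keyvault/azure-keyvault-keys/platform-matrix.json
-Selection: sparse
-GenerateVMJobs: true
+# HSMs are expensive and restricted in number so we only test them on one platform.
+AdditionalMatrixConfigs:
+- Name: keyvault_hsm_matrix_addons
+Path: sdk/keyvault/azure-keyvault-keys/platform-matrix.json
+Selection: sparse
+GenerateVMJobs: true
+
+# Due to the high cost of Managed HSMs, we only want to test using them weekly.
 ${{ if not(contains(variables['Build.DefinitionName'], 'tests-weekly')) }}:
-# For nightly tests, don't run live azure-keyvault-administration jobs since they require Managed HSM
 MatrixFilters:
-- OSVmImage=NonexistentImage
+- ArmTemplateParameters=^(?!.*enableHsm.*true)
 EnvVars:
 AZURE_TEST_RUN_LIVE: true
 AZURE_SKIP_LIVE_RECORDING: 'True'
-AZURE_SUBSCRIPTION_ID: $(azure-subscription-id)
-AZURE_TENANT_ID: $(aad-azure-sdk-test-tenant-id)
-AZURE_CLIENT_ID: $(aad-azure-sdk-test-client-id)
-AZURE_CLIENT_SECRET: $(aad-azure-sdk-test-client-secret)
-AZURE_CLIENT_OID: $(aad-azure-sdk-test-client-oid)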
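Review bot: The UsGov and China blocks now carry `SubscriptionConfiguration: $(sub-config-gov-test-resources)` / `$(sub-config-cn-test-resources)` and lose their `SubscriptionConfigurationFilePaths`, while Public keeps both `SubscriptionConfiguration` and `SubscriptionConfigurationFilePaths: - eng/common/TestResources/sub-config/AzurePublicMsft.json`; if the file-based config still contributes settings the variable-group config lacks, the sovereign clouds deploy with an incomplete configuration, and if it does not, the Public entry is dead configuration — either way the three blocks should agree, and the same asymmetry exists in the administration `tests.yml`. Smaller inconsistencies in the same lines: `Location: 'westus2'` is quoted while `Location: chinaeast2` is not, UsGov has no `Location` at all, and `ServiceConnection` now appears after `MatrixFilters` in UsGov but first in China. Removing `AZURE_CLIENT_SECRET` and the other static-credential `EnvVars` is the real security improvement here; with `UseFederatedAuth: true` nothing in this file references a long-lived secret any more.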

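--- a/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py
+++ b/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py
@@ -41,22 +41,11 @@ def test_multitenant_authentication(self, client, is_hsm, **kwargs):
 if not self.is_live:
 pytest.skip("This test is incompatible with test proxy in playback")
 
-client_id = os.environ.get("KEYVAULT_CLIENT_ID")
-client_secret = os.environ.get("KEYVAULT_CLIENT_SECRET")
-
 # we set up a client for this method to align with the async test, but we actually want to create a new client
 # this new client should use a credential with an initially fake tenant ID and still succeed with a real request
-if os.environ.get("AZURE_TEST_USE_PWSH_AUTH") == "true":
-credential = AzurePowerShellCredential(tenant_id=str(uuid4()), additionally_allowed_tenants="*")
-elif os.environ.get("AZURE_TEST_USE_CLI_AUTH") == "true":
-credential = AzureCliCredential(tenant_id=str(uuid4()), additionally_allowed_tenants="*")
-else:
-credential = ClientSecretCredential(
-tenant_id=str(uuid4()),
-client_id=client_id,
-client_secret=client_secret,
-additionally_allowed_tenants="*",
-)
+original_tenant = os.environ.get("AZURE_TENANT_ID")
+os.environ["AZURE_TENANT_ID"] = str(uuid4())
+credential = self.get_credential(KeyClient, additionally_allowed_tenants="*")
 managed_hsm_url = kwargs.pop("managed_hsm_url", None)
 keyvault_url = kwargs.pop("vault_url", None)
 vault_url = managed_hsm_url if is_hsm else keyvault_url
@@ -74,6 +63,12 @@ def test_multitenant_authentication(self, client, is_hsm, **kwargs):
 fetched_key = client.get_key(key_name)
 assert key.id == fetched_key.id
 
+# clear the fake tenant
+if original_tenant:
+os.environ["AZURE_TENANT_ID"] = original_tenant
+else:
+os.environ.pop("AZURE_TENANT_ID")
+
 def empty_challenge_cache(fn):
 @functools.wraps(fn)
 def wrapper(**kwargs):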
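Review bot: `os.environ["AZURE_TENANT_ID"] = str(uuid4())` is only undone by the restore block after the final `assert key.id == fetched_key.id`, so if `get_credential`, the key creation, `get_key` or that assertion raises, the fake tenant GUID stays in the process environment and every later live test in the session authenticates against a non-existent tenant, turning one failure into a cascade with a misleading cause. Wrap the body in `try/finally` (or use pytest's `monkeypatch.setenv`, which restores automatically, if that fixture can be added next to `client`/`is_hsm`), and restore on `is not None` rather than truthiness so an originally empty value is put back as it was. It is also worth confirming that the credential `self.get_credential` builds under `UseFederatedAuth` actually reads `AZURE_TENANT_ID`; if it takes the tenant from the service connection instead, the fake-tenant part of this test no longer exercises the challenge-based tenant switch. The function body continues between the two hunks.
```python
original_tenant = os.environ.get("AZURE_TENANT_ID")
os.environ["AZURE_TENANT_ID"] = str(uuid4())
try:
    credential = self.get_credential(KeyClient, additionally_allowed_tenants="*")
    # … unchanged: vault_url selection, client construction, create_key/get_key, assertions …
finally:
    # restore the real tenant even when the test fails part-way
    if original_tenant is not None:
        os.environ["AZURE_TENANT_ID"] = original_tenant
    else:
        os.environ.pop("AZURE_TENANT_ID", None)
```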

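--- a/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py
+++ b/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py
@@ -42,22 +42,11 @@ async def test_multitenant_authentication(self, client, is_hsm, **kwargs):
 if not self.is_live:
 pytest.skip("This test is incompatible with vcrpy in playback")
 
-client_id = os.environ.get("KEYVAULT_CLIENT_ID")
-client_secret = os.environ.get("KEYVAULT_CLIENT_SECRET")
-
 # we set up a client for this method so it gets awaited, but we actually want to create a new client
 # this new client should use a credential with an initially fake tenant ID and still succeed with a real request
-if os.environ.get("AZURE_TEST_USE_PWSH_AUTH") == "true":
-credential = AzurePowerShellCredential(tenant_id=str(uuid4()), additionally_allowed_tenants="*")
-elif os.environ.get("AZURE_TEST_USE_CLI_AUTH") == "true":
-credential = AzureCliCredential(tenant_id=str(uuid4()), additionally_allowed_tenants="*")
-else:
-credential = ClientSecretCredential(
-tenant_id=str(uuid4()),
-client_id=client_id,
-client_secret=client_secret,
-additionally_allowed_tenants="*",
-)
+original_tenant = os.environ.get("AZURE_TENANT_ID")
+os.environ["AZURE_TENANT_ID"] = str(uuid4())
+credential = self.get_credential(KeyClient, additionally_allowed_tenants="*", is_async=True)
 managed_hsm_url = kwargs.pop("managed_hsm_url", None)
 keyvault_url = kwargs.pop("vault_url", None)
 vault_url = managed_hsm_url if is_hsm else keyvault_url
@@ -75,6 +64,12 @@ async def test_multitenant_authentication(self, client, is_hsm, **kwargs):
 fetched_key = await client.get_key(key_name)
 assert key.id == fetched_key.id
 
+# clear the fake tenant
+if original_tenant:
+os.environ["AZURE_TENANT_ID"] = original_tenant
+else:
+os.environ.pop("AZURE_TENANT_ID")
+
 
 @pytest.mark.asyncio
 @empty_challenge_cache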
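Review bot: The async test has the same unprotected environment mutation as its sync twin: `os.environ["AZURE_TENANT_ID"] = str(uuid4())` is restored only by the block that runs after `assert key.id == fetched_key.id`, so any exception or failed assertion between the two hunks — including an awaited `get_key` that fails precisely because of the fake tenant — leaves a random GUID in `AZURE_TENANT_ID` for the rest of the pytest session. Use `try/finally` around everything from the `self.get_credential(..., is_async=True)` call onward, restore on `is not None` instead of truthiness, and pop with a default so the cleanup itself cannot raise. Whether the async credential returned under federated auth consults `AZURE_TENANT_ID` at all is not visible here and determines whether the test still exercises the tenant switch; please confirm. The function body continues between the two hunks.
```python
original_tenant = os.environ.get("AZURE_TENANT_ID")
os.environ["AZURE_TENANT_ID"] = str(uuid4())
try:
    credential = self.get_credential(KeyClient, additionally_allowed_tenants="*", is_async=True)
    # … unchanged: vault_url selection, client construction, awaited create_key/get_key, assertions …
finally:
    # restore the real tenant even when the test fails part-way
    if original_tenant is not None:
        os.environ["AZURE_TENANT_ID"] = original_tenant
    else:
        os.environ.pop("AZURE_TENANT_ID", None)
```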

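--- a/sdk/keyvault/test-resources-post.ps1
+++ b/sdk/keyvault/test-resources-post.ps1
@@ -80,7 +80,7 @@ Log 'Creating 3 X509 certificates to activate security domain'
 $wrappingFiles = foreach ($i in 0..2) {
 $certificate = New-X509Certificate2 "CN=$($hsmUrl.Host)"
 
-$baseName = "$PSScriptRoot\$hsmName-certificate$i"
+$baseName = Join-Path -Path $PSScriptRoot -ChildPath "$hsmName-certificate$i"
 Export-X509Certificate2 "$baseName.pfx" $certificate
 Export-X509Certificate2PEM "$baseName.cer" $certificate
 
@@ -89,7 +89,7 @@ $wrappingFiles = foreach ($i in 0..2) {
 
 Log "Downloading security domain from '$hsmUrl'"
 
-$sdPath = "$PSScriptRoot\$hsmName-security-domain.key"
+$sdPath = Join-Path -Path $PSScriptRoot -ChildPath "$hsmName-security-domain.key"
 if (Test-Path $sdpath) {
 Log "Deleting old security domain: $sdPath"
 Remove-Item $sdPath -Force
@@ -105,14 +105,9 @@ if ( !$? ) {
 
 Log "Security domain downloaded to '$sdPath'; Managed HSM is now active at '$hsmUrl'"
 
-# Force a sleep to wait for Managed HSM activation to propagate through Cosmos replication. Issue tracked in Azure DevOps.
-Log 'Sleeping for 120 seconds to allow activation to propagate...'
-Start-Sleep -Seconds 120
-
-$testApplicationOid = $DeploymentOutputs['CLIENT_OBJECTID']
-
-Log "Creating additional required role assignments for '$testApplicationOid'"
-$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto Officer' -ObjectID $testApplicationOid
-$null = New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName 'Managed HSM Crypto User' -ObjectID $testApplicationOid
+$testApplicationOid = $DeploymentOutputs["CLIENT_OBJECTID"]
 
+Log "Creating additional required role assignments for resource access."
+New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto Officer" -ObjectID $testApplicationOid
+New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto User" -ObjectID $testApplicationOid
 Log "Role assignments created for '$testApplicationOid'"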
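Review bot: Neither `New-AzKeyVaultRoleAssignment` call in the last hunk is checked, and dropping the `$null =` prefix additionally sends both role-assignment objects to the script's output stream; the script already uses `if ( !$? ) {` after the security-domain download, so apply the same check (or `-ErrorAction Stop`) here, otherwise a failed assignment is followed by the unconditional `Log "Role assignments created for '$testApplicationOid'"` and the live tests fail later with an opaque 403. This matters more now that the 120-second wait is gone: the removed comment said it existed because activation propagates asynchronously, so the first assignment may race that propagation — if the fixed sleep is genuinely no longer needed, a short retry loop around the assignment is the robust replacement rather than nothing. With federated auth, `$DeploymentOutputs["CLIENT_OBJECTID"]` must also be the object ID of the identity the pipeline actually signs in with; granting `Managed HSM Crypto Officer` to a stale app-registration OID would leave the real identity without access while still logging success.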
