internal CertificateClient GetClient(TestRecording recording = null) { recording ??= Recording; CertificateClientOptions options = new CertificateClientOptions(_serviceVersion) { Diagnostics = { IsLoggingContentEnabled = Debugger.IsAttached, } }; return(InstrumentClient (new CertificateClient( new Uri(TestEnvironment.KeyVaultUrl), TestEnvironment.Credential, recording.InstrumentClientOptions(options)))); }
private Task <CertificateClient> GetClient() { if (_azureKeyVaultClient == null) { var credential = _options.UseMsi ? new ManagedIdentityCredential() : (TokenCredential) new ClientSecretCredential( _options.TenantId, _options.ClientId, _ssm.EvaluateSecret(_options.Secret?.Value)); var options = new CertificateClientOptions { Transport = new HttpClientTransport(_proxyService.GetHttpClient()) }; var client = new CertificateClient(new Uri($"https://{_options.VaultName}.vault.azure.net/"), credential, options); _azureKeyVaultClient = client; } return(Task.FromResult(_azureKeyVaultClient)); }
private CertificateClient CreateClient(HttpPipelineTransport transport) { CertificateClientOptions options = new CertificateClientOptions { Retry = { Delay = TimeSpan.FromMilliseconds(10), Mode = RetryMode.Fixed, }, Transport = transport, }; return(InstrumentClient( new CertificateClient( new Uri(VaultUri), new MockCredential(), options ))); }
internal CertificateClient GetClient() { CertificateClientOptions options = new CertificateClientOptions(_serviceVersion) { Diagnostics = { IsLoggingContentEnabled = Debugger.IsAttached || Mode == RecordedTestMode.Live, LoggedHeaderNames = { "x-ms-request-id", }, } }; return(InstrumentClient (new CertificateClient( new Uri(TestEnvironment.KeyVaultUrl), TestEnvironment.Credential, InstrumentClientOptions(options)))); }
public void OptionsTests() { var options = new CertificateClientOptions(CertificateClientOptions.ServiceVersion.V7_1); KeyVaultCertificates.ConfigureDiagnostics(options, "app1", true, true, true, true, 2000); KeyVaultCertificates.ConfigureRetries(options, RetryMode.Fixed, 3, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(4), TimeSpan.FromMinutes(2)); Assert.IsTrue(options.Retry.Delay == TimeSpan.FromMinutes(1), "Delay not expected"); Assert.IsTrue(options.Retry.MaxDelay == TimeSpan.FromMinutes(4), "Maximum delay not expected"); Assert.IsTrue(options.Retry.NetworkTimeout == TimeSpan.FromMinutes(2), "Network timeout not expected"); Assert.IsTrue(options.Retry.MaxRetries == 3, "Maximum retries not expected"); Assert.IsTrue(options.Retry.Mode == RetryMode.Fixed, "Retry mode not expected"); Assert.IsTrue(options.Diagnostics.IsLoggingContentEnabled, "Is logging content enabled not expected"); Assert.IsTrue(options.Diagnostics.IsLoggingEnabled, "Is logging enabled not expected"); Assert.IsTrue(options.Diagnostics.IsTelemetryEnabled, "Is telemetry enabled not expected"); Assert.IsTrue(options.Diagnostics.IsDistributedTracingEnabled, "Is distributed tracing enabled not expected"); Assert.IsTrue(options.Diagnostics.LoggedContentSizeLimit == 2000, "Logging content size not expected"); Assert.IsTrue(string.Equals(options.Diagnostics.ApplicationId, "app1", StringComparison.Ordinal), "Application id not expected"); }
private async Task MigrationGuide() { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_Create CertificateClient client = new CertificateClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential()); #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_Create #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions using (HttpClient httpClient = new HttpClient()) { CertificateClientOptions options = new CertificateClientOptions { Transport = new HttpClientTransport(httpClient) }; //@@CertificateClient client = new CertificateClient( /*@@*/ CertificateClient _ = new CertificateClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential(), options); } #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy CertificatePolicy policy = new CertificatePolicy("issuer-name", "CN=customdomain.com") { ContentType = CertificateContentType.Pkcs12, KeyType = CertificateKeyType.Rsa, ReuseKey = true, KeyUsage = { CertificateKeyUsage.CrlSign, CertificateKeyUsage.DataEncipherment, CertificateKeyUsage.DigitalSignature, CertificateKeyUsage.KeyEncipherment, CertificateKeyUsage.KeyAgreement, CertificateKeyUsage.KeyCertSign }, ValidityInMonths = 12, LifetimeActions = { new LifetimeAction(CertificatePolicyAction.AutoRenew) { DaysBeforeExpiry = 90, } } }; #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy //@@CertificatePolicy policy = CertificatePolicy.Default; /*@@*/ policy = CertificatePolicy.Default; #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate // Start certificate creation. // Depending on the policy and your business process, this could even take days for manual signing. CertificateOperation createOperation = await client.StartCreateCertificateAsync("certificate-name", policy); KeyVaultCertificateWithPolicy certificate = await createOperation.WaitForCompletionAsync(TimeSpan.FromSeconds(20), CancellationToken.None); // If you need to restart the application you can recreate the operation and continue awaiting. createOperation = new CertificateOperation(client, "certificate-name"); certificate = await createOperation.WaitForCompletionAsync(TimeSpan.FromSeconds(20), CancellationToken.None); #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate } { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate byte[] cer = File.ReadAllBytes("certificate.pfx"); ImportCertificateOptions importCertificateOptions = new ImportCertificateOptions("certificate-name", cer) { Policy = policy }; KeyVaultCertificateWithPolicy certificate = await client.ImportCertificateAsync(importCertificateOptions); #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate } { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates // List all certificates asynchronously. await foreach (CertificateProperties item in client.GetPropertiesOfCertificatesAsync()) { KeyVaultCertificateWithPolicy certificate = await client.GetCertificateAsync(item.Name); } // List all certificates synchronously. foreach (CertificateProperties item in client.GetPropertiesOfCertificates()) { KeyVaultCertificateWithPolicy certificate = client.GetCertificate(item.Name); } #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates } { #region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate // Delete the certificate. DeleteCertificateOperation deleteOperation = await client.StartDeleteCertificateAsync("certificate-name"); // Purge or recover the deleted certificate if soft delete is enabled. if (deleteOperation.Value.RecoveryId != null) { // Deleting a certificate does not happen immediately. Wait for the certificate to be deleted. DeletedCertificate deletedCertificate = await deleteOperation.WaitForCompletionAsync(); // Purge the deleted certificate. await client.PurgeDeletedCertificateAsync(deletedCertificate.Name); // You can also recover the deleted certificate using StartRecoverDeletedCertificateAsync, // which returns RecoverDeletedCertificateOperation you can await like DeleteCertificateOperation above. } #endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate } }
public void DownloadSecretDenied() { CertificateClientOptions options = new CertificateClientOptions { Transport = new MockTransport(request => { if (request.Uri.Path.Contains("/certificates/")) { MockResponse response = new MockResponse(200); response.AddHeader(Core.HttpHeader.Common.JsonContentType); response.SetContent(@"{ ""id"": ""https://heathskeyvault.vault.azure.net/certificates/1611349050/548e19c596cf49779ca1706240a788e3"", ""kid"": ""https://heathskeyvault.vault.azure.net/keys/1611349050/548e19c596cf49779ca1706240a788e3"", ""sid"": ""https://heathskeyvault.vault.azure.net/secrets/1611349050/548e19c596cf49779ca1706240a788e3"", ""x5t"": ""SM_LGoask0yHvMVSk3h-0Kf3gqE"", ""cer"": ""MIIDKjCCAhKgAwIBAgIQYV16SxDIQkKURxXo6sQkUTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdkZWZhdWx0MB4XDTIwMTExMDA0MjYxNloXDTIxMTExMDA0MzYxNlowEjEQMA4GA1UEAxMHZGVmYXVsdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALrumIRenUa5LmJsRurAhrRoJP0hyCg8jQz5ujXFoyf/flklfyqxnau5/a2yS4mnfJm9fX1aFF1/OdEg5qxcyHSBR66\u002BdPV27oxIfM6JKVqbHBcaG07OVFHh\u002B2yWBwTjAiPZjOxCxEMw37tdgDctnEBQzaTackhFU21seBWnHCC74mF2N3Iy93itptOguvwIh6CnLcduvIeb6o9lfr72XJg0BjJ/Bmpf92W5VwMWinHUumomCeLjA5lnIiOGGrmVNqaRJWf1ezhg3JtzNJRSV0sbLjHoCmziKAL4pFLEiF6tz\u002B6apvz1voDufit6r0gKwez8YaOnQjUAmXetoZmSOQkCAwEAAaN8MHowDgYDVR0PAQH/BAQDAgSQMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFNwU63f97Oel4UIAJt6/nQ9Ka12HMB0GA1UdDgQWBBTcFOt3/eznpeFCACbev50PSmtdhzANBgkqhkiG9w0BAQsFAAOCAQEAcs\u002B0b3\u002BUI0AmrvwQZVugfnbngNN5jDpuEyP8gms4Txpg93auVXgXlgiNsrKUgIi2U2CQLY6pdUUSilBHifCdxM3lxgB7wIkYc8ihu8eVBI7m4KNo1io0Jxwsw9KKG3612NUXuKDz8oHMUsJ49Iq8IaRaJdVpiydZCA9ltwhajWpgauOTMRsxtZdkG\u002BlakSCehBCgmjGR04NRG0jGNRaTh4ANHNQgFqP4Vp6mkzDxQu8B4PI5YKZfhpusqEDOSb5HeM8nwLYntNH32in1XKx3s5BSMUmbrdmeihAIyYxR3Imal5LwjckXvu6eXlRfe6BynbDW1g3IwNASMIwt3u0dhQ=="", ""attributes"": { ""enabled"": true, ""nbf"": 1604982376, ""exp"": 1636518976, ""created"": 1604982976, ""updated"": 1604982976, ""recoveryLevel"": ""Recoverable\u002BPurgeable"", ""recoverableDays"": 90 }, ""policy"": { ""id"": ""https://heathskeyvault.vault.azure.net/certificates/1611349050/policy"", ""key_props"": { ""exportable"": true, ""kty"": ""RSA"", ""key_size"": 2048, ""reuse_key"": false }, ""secret_props"": { ""contentType"": ""application/x-pkcs12"" }, ""x509_props"": { ""subject"": ""CN=default"", ""ekus"": [ ""1.3.6.1.5.5.7.3.1"", ""1.3.6.1.5.5.7.3.2"" ], ""key_usage"": [ ""dataEncipherment"", ""digitalSignature"" ], ""validity_months"": 12, ""basic_constraints"": { ""ca"": false } }, ""lifetime_actions"": [ { ""trigger"": { ""lifetime_percentage"": 80 }, ""action"": { ""action_type"": ""AutoRenew"" } } ], ""issuer"": { ""name"": ""Self"", ""cert_transparency"": false }, ""attributes"": { ""enabled"": true, ""created"": 1604982971, ""updated"": 1604982971 } }, ""pending"": { ""id"": ""https://heathskeyvault.vault.azure.net/certificates/1611349050/pending"" } }"); return(response); } else if (request.Uri.Path.StartsWith("/secrets/1611349050/548e19c596cf49779ca1706240a788e3")) { MockResponse response = new MockResponse(403); response.AddHeader(Core.HttpHeader.Common.JsonContentType); response.SetContent(@"{ ""error"": { ""code"": ""Forbidden"", ""message"": ""The user, group or application 'appid=f9ab11db-b032-44b3-af0a-44713541cc40;oid=0aa95430-9a7f-4c8e-8cf6-579278e68947;iss=https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/' does not have secrets get permission on key vault 'heathskeyvault;location=westus2'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287"", ""innererror"": { ""code"": ""ForbiddenByPolicy"" } } }"); return(response); } else { return(new MockResponse(404)); } }), }; CertificateClient client = InstrumentClient(new CertificateClient(new Uri("https://heathskeyvault.vault.azure.net"), new DefaultAzureCredential(), options)); RequestFailedException ex = Assert.ThrowsAsync <RequestFailedException>(async() => await client.DownloadCertificateAsync("test")); Assert.AreEqual(403, ex.Status); Assert.AreEqual("Forbidden", ex.ErrorCode); }