internal CertificateClient GetClient(TestRecording recording = null)
{
recording ??= Recording;
CertificateClientOptions options = new CertificateClientOptions(_serviceVersion)
{
Diagnostics =
{
IsLoggingContentEnabled = Debugger.IsAttached,
}
};
return(InstrumentClient
(new CertificateClient(
new Uri(TestEnvironment.KeyVaultUrl),
TestEnvironment.Credential,
recording.InstrumentClientOptions(options))));
}
private Task <CertificateClient> GetClient()
{
if (_azureKeyVaultClient == null)
{
var credential = _options.UseMsi
? new ManagedIdentityCredential()
: (TokenCredential) new ClientSecretCredential(
_options.TenantId,
_options.ClientId,
_ssm.EvaluateSecret(_options.Secret?.Value));
var options = new CertificateClientOptions
{
Transport = new HttpClientTransport(_proxyService.GetHttpClient())
};
var client = new CertificateClient(new Uri($"https://{_options.VaultName}.vault.azure.net/"), credential, options);
_azureKeyVaultClient = client;
}
return(Task.FromResult(_azureKeyVaultClient));
}
private CertificateClient CreateClient(HttpPipelineTransport transport)
{
CertificateClientOptions options = new CertificateClientOptions
{
Retry =
{
Delay = TimeSpan.FromMilliseconds(10),
Mode = RetryMode.Fixed,
},
Transport = transport,
};
return(InstrumentClient(
new CertificateClient(
new Uri(VaultUri),
new MockCredential(),
options
)));
}
internal CertificateClient GetClient()
{
CertificateClientOptions options = new CertificateClientOptions(_serviceVersion)
{
Diagnostics =
{
IsLoggingContentEnabled = Debugger.IsAttached || Mode == RecordedTestMode.Live,
LoggedHeaderNames =
{
"x-ms-request-id",
},
}
};
return(InstrumentClient
(new CertificateClient(
new Uri(TestEnvironment.KeyVaultUrl),
TestEnvironment.Credential,
InstrumentClientOptions(options))));
}
public void OptionsTests()
{
var options = new CertificateClientOptions(CertificateClientOptions.ServiceVersion.V7_1);
KeyVaultCertificates.ConfigureDiagnostics(options, "app1", true, true, true, true, 2000);
KeyVaultCertificates.ConfigureRetries(options, RetryMode.Fixed, 3, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(4), TimeSpan.FromMinutes(2));
Assert.IsTrue(options.Retry.Delay == TimeSpan.FromMinutes(1), "Delay not expected");
Assert.IsTrue(options.Retry.MaxDelay == TimeSpan.FromMinutes(4), "Maximum delay not expected");
Assert.IsTrue(options.Retry.NetworkTimeout == TimeSpan.FromMinutes(2), "Network timeout not expected");
Assert.IsTrue(options.Retry.MaxRetries == 3, "Maximum retries not expected");
Assert.IsTrue(options.Retry.Mode == RetryMode.Fixed, "Retry mode not expected");
Assert.IsTrue(options.Diagnostics.IsLoggingContentEnabled, "Is logging content enabled not expected");
Assert.IsTrue(options.Diagnostics.IsLoggingEnabled, "Is logging enabled not expected");
Assert.IsTrue(options.Diagnostics.IsTelemetryEnabled, "Is telemetry enabled not expected");
Assert.IsTrue(options.Diagnostics.IsDistributedTracingEnabled, "Is distributed tracing enabled not expected");
Assert.IsTrue(options.Diagnostics.LoggedContentSizeLimit == 2000, "Logging content size not expected");
Assert.IsTrue(string.Equals(options.Diagnostics.ApplicationId, "app1", StringComparison.Ordinal), "Application id not expected");
}
private async Task MigrationGuide()
{
#region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_Create
CertificateClient client = new CertificateClient(
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential());
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_Create
#region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
CertificateClientOptions options = new CertificateClientOptions
{
Transport = new HttpClientTransport(httpClient)
};
//@@CertificateClient client = new CertificateClient(
/*@@*/ CertificateClient _ = new CertificateClient(
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential(),
options);
}
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateWithOptions
#region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCustomPolicy
CertificatePolicy policy = new CertificatePolicy("issuer-name", "CN=customdomain.com")
{
ContentType = CertificateContentType.Pkcs12,
KeyType = CertificateKeyType.Rsa,
ReuseKey = true,
KeyUsage =
{
CertificateKeyUsage.CrlSign,
CertificateKeyUsage.DataEncipherment,
CertificateKeyUsage.DigitalSignature,
CertificateKeyUsage.KeyEncipherment,
CertificateKeyUsage.KeyAgreement,
CertificateKeyUsage.KeyCertSign
},
ValidityInMonths = 12,
LifetimeActions =
{
new LifetimeAction(CertificatePolicyAction.AutoRenew)
{
DaysBeforeExpiry = 90,
}
}
};
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy
#region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy
//@@CertificatePolicy policy = CertificatePolicy.Default;
/*@@*/ policy = CertificatePolicy.Default;
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateSelfSignedPolicy
{
#region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate
// Start certificate creation.
// Depending on the policy and your business process, this could even take days for manual signing.
CertificateOperation createOperation = await client.StartCreateCertificateAsync("certificate-name", policy);
KeyVaultCertificateWithPolicy certificate = await createOperation.WaitForCompletionAsync(TimeSpan.FromSeconds(20), CancellationToken.None);
// If you need to restart the application you can recreate the operation and continue awaiting.
createOperation = new CertificateOperation(client, "certificate-name");
certificate = await createOperation.WaitForCompletionAsync(TimeSpan.FromSeconds(20), CancellationToken.None);
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_CreateCertificate
}
{
#region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate
byte[] cer = File.ReadAllBytes("certificate.pfx");
ImportCertificateOptions importCertificateOptions = new ImportCertificateOptions("certificate-name", cer)
{
Policy = policy
};
KeyVaultCertificateWithPolicy certificate = await client.ImportCertificateAsync(importCertificateOptions);
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ImportCertificate
}
{
#region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates
// List all certificates asynchronously.
await foreach (CertificateProperties item in client.GetPropertiesOfCertificatesAsync())
{
KeyVaultCertificateWithPolicy certificate = await client.GetCertificateAsync(item.Name);
}
// List all certificates synchronously.
foreach (CertificateProperties item in client.GetPropertiesOfCertificates())
{
KeyVaultCertificateWithPolicy certificate = client.GetCertificate(item.Name);
}
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_ListCertificates
}
{
#region Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate
// Delete the certificate.
DeleteCertificateOperation deleteOperation = await client.StartDeleteCertificateAsync("certificate-name");
// Purge or recover the deleted certificate if soft delete is enabled.
if (deleteOperation.Value.RecoveryId != null)
{
// Deleting a certificate does not happen immediately. Wait for the certificate to be deleted.
DeletedCertificate deletedCertificate = await deleteOperation.WaitForCompletionAsync();
// Purge the deleted certificate.
await client.PurgeDeletedCertificateAsync(deletedCertificate.Name);
// You can also recover the deleted certificate using StartRecoverDeletedCertificateAsync,
// which returns RecoverDeletedCertificateOperation you can await like DeleteCertificateOperation above.
}
#endregion Snippet:Azure_Security_KeyVault_Certificates_Snippets_MigrationGuide_DeleteCertificate
}
}
public void DownloadSecretDenied()
{
CertificateClientOptions options = new CertificateClientOptions
{
Transport = new MockTransport(request =>
{
if (request.Uri.Path.Contains("/certificates/"))
{
MockResponse response = new MockResponse(200);
response.AddHeader(Core.HttpHeader.Common.JsonContentType);
response.SetContent(@"{
""id"": ""https://heathskeyvault.vault.azure.net/certificates/1611349050/548e19c596cf49779ca1706240a788e3"",
""kid"": ""https://heathskeyvault.vault.azure.net/keys/1611349050/548e19c596cf49779ca1706240a788e3"",
""sid"": ""https://heathskeyvault.vault.azure.net/secrets/1611349050/548e19c596cf49779ca1706240a788e3"",
""x5t"": ""SM_LGoask0yHvMVSk3h-0Kf3gqE"",
""cer"": ""MIIDKjCCAhKgAwIBAgIQYV16SxDIQkKURxXo6sQkUTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwdkZWZhdWx0MB4XDTIwMTExMDA0MjYxNloXDTIxMTExMDA0MzYxNlowEjEQMA4GA1UEAxMHZGVmYXVsdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALrumIRenUa5LmJsRurAhrRoJP0hyCg8jQz5ujXFoyf/flklfyqxnau5/a2yS4mnfJm9fX1aFF1/OdEg5qxcyHSBR66\u002BdPV27oxIfM6JKVqbHBcaG07OVFHh\u002B2yWBwTjAiPZjOxCxEMw37tdgDctnEBQzaTackhFU21seBWnHCC74mF2N3Iy93itptOguvwIh6CnLcduvIeb6o9lfr72XJg0BjJ/Bmpf92W5VwMWinHUumomCeLjA5lnIiOGGrmVNqaRJWf1ezhg3JtzNJRSV0sbLjHoCmziKAL4pFLEiF6tz\u002B6apvz1voDufit6r0gKwez8YaOnQjUAmXetoZmSOQkCAwEAAaN8MHowDgYDVR0PAQH/BAQDAgSQMAkGA1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFNwU63f97Oel4UIAJt6/nQ9Ka12HMB0GA1UdDgQWBBTcFOt3/eznpeFCACbev50PSmtdhzANBgkqhkiG9w0BAQsFAAOCAQEAcs\u002B0b3\u002BUI0AmrvwQZVugfnbngNN5jDpuEyP8gms4Txpg93auVXgXlgiNsrKUgIi2U2CQLY6pdUUSilBHifCdxM3lxgB7wIkYc8ihu8eVBI7m4KNo1io0Jxwsw9KKG3612NUXuKDz8oHMUsJ49Iq8IaRaJdVpiydZCA9ltwhajWpgauOTMRsxtZdkG\u002BlakSCehBCgmjGR04NRG0jGNRaTh4ANHNQgFqP4Vp6mkzDxQu8B4PI5YKZfhpusqEDOSb5HeM8nwLYntNH32in1XKx3s5BSMUmbrdmeihAIyYxR3Imal5LwjckXvu6eXlRfe6BynbDW1g3IwNASMIwt3u0dhQ=="",
""attributes"": {
""enabled"": true,
""nbf"": 1604982376,
""exp"": 1636518976,
""created"": 1604982976,
""updated"": 1604982976,
""recoveryLevel"": ""Recoverable\u002BPurgeable"",
""recoverableDays"": 90
},
""policy"": {
""id"": ""https://heathskeyvault.vault.azure.net/certificates/1611349050/policy"",
""key_props"": {
""exportable"": true,
""kty"": ""RSA"",
""key_size"": 2048,
""reuse_key"": false
},
""secret_props"": {
""contentType"": ""application/x-pkcs12""
},
""x509_props"": {
""subject"": ""CN=default"",
""ekus"": [
""1.3.6.1.5.5.7.3.1"",
""1.3.6.1.5.5.7.3.2""
],
""key_usage"": [
""dataEncipherment"",
""digitalSignature""
],
""validity_months"": 12,
""basic_constraints"": {
""ca"": false
}
},
""lifetime_actions"": [
{
""trigger"": {
""lifetime_percentage"": 80
},
""action"": {
""action_type"": ""AutoRenew""
}
}
],
""issuer"": {
""name"": ""Self"",
""cert_transparency"": false
},
""attributes"": {
""enabled"": true,
""created"": 1604982971,
""updated"": 1604982971
}
},
""pending"": {
""id"": ""https://heathskeyvault.vault.azure.net/certificates/1611349050/pending""
}
}");
return(response);
}
else if (request.Uri.Path.StartsWith("/secrets/1611349050/548e19c596cf49779ca1706240a788e3"))
{
MockResponse response = new MockResponse(403);
response.AddHeader(Core.HttpHeader.Common.JsonContentType);
response.SetContent(@"{
""error"": {
""code"": ""Forbidden"",
""message"": ""The user, group or application 'appid=f9ab11db-b032-44b3-af0a-44713541cc40;oid=0aa95430-9a7f-4c8e-8cf6-579278e68947;iss=https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/' does not have secrets get permission on key vault 'heathskeyvault;location=westus2'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287"",
""innererror"": {
""code"": ""ForbiddenByPolicy""
}
}
}");
return(response);
}
else
{
return(new MockResponse(404));
}
}),
};
CertificateClient client = InstrumentClient(new CertificateClient(new Uri("https://heathskeyvault.vault.azure.net"), new DefaultAzureCredential(), options));
RequestFailedException ex = Assert.ThrowsAsync <RequestFailedException>(async() => await client.DownloadCertificateAsync("test"));
Assert.AreEqual(403, ex.Status);
Assert.AreEqual("Forbidden", ex.ErrorCode);
}
