/// <summary>
/// Configures the retries on an options instance
/// </summary>
/// <param name="options">The options instance</param>
/// <param name="mode">The retry mode</param>
/// <param name="maximumRetries">The maximum retries to be performed</param>
/// <param name="delay">The delay before invoking the first retry</param>
/// <param name="maximumDelay">The maximum delay allowed between retries</param>
/// <param name="networkTimeout">The network timeout for a single operation</param>
public static void ConfigureRetries(KeyClientOptions options, RetryMode mode, int maximumRetries, TimeSpan delay, TimeSpan maximumDelay, TimeSpan networkTimeout)
{
options.Retry.Delay = delay;
options.Retry.MaxDelay = maximumDelay;
options.Retry.MaxRetries = maximumRetries;
options.Retry.NetworkTimeout = networkTimeout;
options.Retry.Mode = mode;
}
/// <summary>
/// Initializes a new instance of the type
/// </summary>
/// <param name="keyVault">The key vault URI</param>
/// <param name="credential">Oauth token credentials</param>
/// <param name="options">The options used to access the keys</param>
public KeyVaultKeys(Uri keyVault, TokenCredential credential, KeyClientOptions options)
{
Guard.NotNull(nameof(credential), credential);
Guard.NotNull(nameof(options), options);
Guard.NotNull(nameof(keyVault), keyVault);
Client = new KeyClient(keyVault, credential, options);
}
public KeyClientTests(bool isAsync) : base(isAsync)
{
KeyClientOptions options = new KeyClientOptions
{
Transport = new MockTransport(),
};
Client = InstrumentClient(new KeyClient(new Uri("http://localhost"), new DefaultAzureCredential(), options));
}
/// <summary>
/// Configures the diagnostics information associated with a key option
/// </summary>
/// <param name="options">The option instance</param>
/// <param name="applicationId">The application id</param>
/// <param name="isDistributedTracingEnabled">True if distributed tracing is in use</param>
/// <param name="isLoggingContentEnabled">True if logging of content is enabled</param>
/// <param name="isLoggingEnabled">True if logging is enabled</param>
/// <param name="isTelemetryEnabled">True if telemetry is enabled</param>
/// <param name="loggingContentSizeLimit">The maximum size of the content being logged</param>
public static void ConfigureDiagnostics(KeyClientOptions options, string applicationId, bool isDistributedTracingEnabled, bool isLoggingContentEnabled, bool isLoggingEnabled, bool isTelemetryEnabled, int loggingContentSizeLimit)
{
options.Diagnostics.ApplicationId = applicationId;
options.Diagnostics.IsDistributedTracingEnabled = isDistributedTracingEnabled;
options.Diagnostics.IsLoggingContentEnabled = isLoggingContentEnabled;
options.Diagnostics.IsLoggingEnabled = isLoggingEnabled;
options.Diagnostics.IsTelemetryEnabled = isTelemetryEnabled;
options.Diagnostics.LoggedContentSizeLimit = loggingContentSizeLimit;
}
internal KeyClient GetClient()
{
KeyClientOptions options = InstrumentClientOptions(new KeyClientOptions(_serviceVersion)
{
Diagnostics =
{
LoggedHeaderNames =
{
"x-ms-request-id",
},
},
});
// Until https://github.com/Azure/azure-sdk-for-net/issues/8575 is fixed,
// we need to delay creation of keys due to aggressive service limits on key creation:
// https://docs.microsoft.com/azure/key-vault/key-vault-service-limits
IInterceptor[] interceptors = new[] { new DelayCreateKeyInterceptor(Mode) };
return(InstrumentClient(new KeyClient(Uri, TestEnvironment.Credential, options), interceptors));
}
public void OptionsTests()
{
var options = new KeyClientOptions(KeyClientOptions.ServiceVersion.V7_1);
KeyVaultKeys.ConfigureDiagnostics(options, "app1", true, true, true, true, 2000);
KeyVaultKeys.ConfigureRetries(options, RetryMode.Fixed, 3, TimeSpan.FromMinutes(1), TimeSpan.FromMinutes(4), TimeSpan.FromMinutes(2));
Assert.IsTrue(options.Retry.Delay == TimeSpan.FromMinutes(1), "Delay not expected");
Assert.IsTrue(options.Retry.MaxDelay == TimeSpan.FromMinutes(4), "Maximum delay not expected");
Assert.IsTrue(options.Retry.NetworkTimeout == TimeSpan.FromMinutes(2), "Network timeout not expected");
Assert.IsTrue(options.Retry.MaxRetries == 3, "Maximum retries not expected");
Assert.IsTrue(options.Retry.Mode == RetryMode.Fixed, "Retry mode not expected");
Assert.IsTrue(options.Diagnostics.IsLoggingContentEnabled, "Is logging content enabled not expected");
Assert.IsTrue(options.Diagnostics.IsLoggingEnabled, "Is logging enabled not expected");
Assert.IsTrue(options.Diagnostics.IsTelemetryEnabled, "Is telemetry enabled not expected");
Assert.IsTrue(options.Diagnostics.IsDistributedTracingEnabled, "Is distributed tracing enabled not expected");
Assert.IsTrue(options.Diagnostics.LoggedContentSizeLimit == 2000, "Logging content size not expected");
Assert.IsTrue(string.Equals(options.Diagnostics.ApplicationId, "app1", StringComparison.Ordinal), "Application id not expected");
}
private async Task MigrationGuide()
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create
KeyClient client = new KeyClient(
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential());
CryptographyClient cryptoClient = new CryptographyClient(
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential());
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
KeyClientOptions options = new KeyClientOptions
{
Transport = new HttpClientTransport(httpClient)
};
#if SNIPPET
KeyClient client = new KeyClient(
#else
client = new KeyClient(
#endif
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential(),
options);
CryptographyClientOptions cryptoOptions = new CryptographyClientOptions
{
Transport = new HttpClientTransport(httpClient)
};
#if SNIPPET
CryptographyClient cryptoClient = new CryptographyClient(
#else
cryptoClient = new CryptographyClient(
#endif
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential(),
cryptoOptions);
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys
// Create RSA key.
CreateRsaKeyOptions createRsaOptions = new CreateRsaKeyOptions("rsa-key-name")
{
KeySize = 4096
};
KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(createRsaOptions);
// Create Elliptic-Curve key.
CreateEcKeyOptions createEcOptions = new CreateEcKeyOptions("ec-key-name")
{
CurveName = KeyCurveName.P256
};
KeyVaultKey ecKey = await client.CreateEcKeyAsync(createEcOptions);
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
// List all keys asynchronously.
await foreach (KeyProperties item in client.GetPropertiesOfKeysAsync())
{
KeyVaultKey key = await client.GetKeyAsync(item.Name);
}
// List all keys synchronously.
foreach (KeyProperties item in client.GetPropertiesOfKeys())
{
KeyVaultKey key = client.GetKey(item.Name);
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
// Delete the key.
DeleteKeyOperation deleteOperation = await client.StartDeleteKeyAsync("key-name");
// Purge or recover the deleted key if soft delete is enabled.
if (deleteOperation.Value.RecoveryId != null)
{
// Deleting a key does not happen immediately. Wait for the key to be deleted.
DeletedKey deletedKey = await deleteOperation.WaitForCompletionAsync();
// Purge the deleted key.
await client.PurgeDeletedKeyAsync(deletedKey.Name);
// You can also recover the deleted key using StartRecoverDeletedKeyAsync,
// which returns RecoverDeletedKeyOperation you can await like DeleteKeyOperation above.
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
// Encrypt a message. The plaintext must be small enough for the chosen algorithm.
byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt");
EncryptResult encrypted = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep256, plaintext);
// Decrypt the message.
DecryptResult decrypted = await cryptoClient.DecryptAsync(encrypted.Algorithm, encrypted.Ciphertext);
string message = Encoding.UTF8.GetString(decrypted.Plaintext);
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap
using (Aes aes = Aes.Create())
{
// Use a symmetric key to encrypt large amounts of data, possibly streamed...
// Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data.
WrapResult wrapped = await cryptoClient.WrapKeyAsync(KeyWrapAlgorithm.RsaOaep256, aes.Key);
// Read the IV and the encrypted key from the payload, then unwrap the key.
UnwrapResult unwrapped = await cryptoClient.UnwrapKeyAsync(wrapped.Algorithm, wrapped.EncryptedKey);
aes.Key = unwrapped.Key;
// Decrypt the payload with the symmetric key.
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap
}
}
public AttestationClient(Uri endpoint, KeyClientOptions options)
{
_endpoint = endpoint;
_diagnostics = new ClientDiagnostics(options);
_pipeline = HttpPipelineBuilder.Build(options);
}
