public override void ExecuteCmdlet()
{
if (ParameterSetName.Equals(ParentObjectParameterSet, StringComparison.Ordinal))
{
ResourceIdentifier resourceIdentifier = new ResourceIdentifier(SqlDatabaseObject.Id);
ResourceGroupName = resourceIdentifier.ResourceGroupName;
DatabaseName = resourceIdentifier.ResourceName;
AccountName = ResourceIdentifierExtensions.GetDatabaseAccountName(resourceIdentifier);
}
KeyWrapMetadata encryptionKeyWrapMetadata;
if (KeyWrapMetadata != null)
{
encryptionKeyWrapMetadata = PSSqlKeyWrapMetadata.ToSDKModel(KeyWrapMetadata);
}
else
{
throw new ArgumentException("KeyWrapMetadata cannot be null");
}
if (!string.Equals(EncryptionAlgorithmName, "AEAD_AES_256_CBC_HMAC_SHA256"))
{
throw new ArgumentException($"Invalid encryption algorithm '{EncryptionAlgorithmName}' passed. Please refer to https://aka.ms/CosmosClientEncryption for more details.");
}
if (!string.Equals(encryptionKeyWrapMetadata.Algorithm, "RSA-OAEP"))
{
throw new ArgumentException($"Invalid key wrap algorithm '{encryptionKeyWrapMetadata.Algorithm}' passed. Please refer to https://aka.ms/CosmosClientEncryption for more details.");
}
if (string.Equals(encryptionKeyWrapMetadata.Type, "AZURE_KEY_VAULT") && KeyEncryptionKeyResolver == null)
{
// get the token credential for key vault audience.
TokenCredential tokenCredential = new CosmosDBSessionCredential(DefaultContext, AzureEnvironment.Endpoint.AzureKeyVaultServiceEndpointResourceId);
KeyEncryptionKeyResolver = new KeyResolver(tokenCredential);
}
else
{
if (KeyEncryptionKeyResolver == null)
{
throw new ArgumentException("KeyEncryptionKeyResolver cannot be null.");
}
}
byte[] plainTextDataEncryptionKey = new byte[32];
RandomNumberGenerator rng = RandomNumberGenerator.Create();
rng.GetBytes(plainTextDataEncryptionKey);
byte[] wrappedDataEncryptionKey = KeyEncryptionKeyResolver.Resolve(encryptionKeyWrapMetadata.Value)
.WrapKey(encryptionKeyWrapMetadata.Algorithm, plainTextDataEncryptionKey);
ClientEncryptionKeyResource clientEncryptionKeyResource = new ClientEncryptionKeyResource
{
Id = Name,
EncryptionAlgorithm = EncryptionAlgorithmName,
KeyWrapMetadata = encryptionKeyWrapMetadata,
WrappedDataEncryptionKey = wrappedDataEncryptionKey
};
ClientEncryptionKeyCreateUpdateParameters clientEncryptionKeyCreateUpdateParameters = new ClientEncryptionKeyCreateUpdateParameters
{
Resource = clientEncryptionKeyResource
};
if (ShouldProcess(Name, "Creating a new CosmosDB Client Encryption Key"))
{
// FIXME : This requires a backend fix since its not honoring If-None-Match header with a *. This is required to prevent a race which might result in
// accidental replace of a key. This is a best effort approach to check for resource conflict.
ClientEncryptionKeyGetResults readClientEncryptionKeyGetResults = null;
try
{
readClientEncryptionKeyGetResults = CosmosDBManagementClient.SqlResources.GetClientEncryptionKey(ResourceGroupName, AccountName, DatabaseName, Name);
}
catch (CloudException e)
{
if (e.Response.StatusCode != System.Net.HttpStatusCode.NotFound)
{
throw;
}
}
if (readClientEncryptionKeyGetResults != null)
{
throw new ConflictingResourceException(message: string.Format(ExceptionMessage.Conflict, Name));
}
ClientEncryptionKeyGetResults clientEncryptionKeyGetResults = CosmosDBManagementClient.SqlResources.CreateUpdateClientEncryptionKeyWithHttpMessagesAsync(ResourceGroupName, AccountName, DatabaseName, Name, clientEncryptionKeyCreateUpdateParameters).GetAwaiter().GetResult().Body;
WriteObject(new PSSqlClientEncryptionKeyGetResults(clientEncryptionKeyGetResults));
}
}
public override void ExecuteCmdlet()
{
if (ParameterSetName.Equals(ParentObjectParameterSet, StringComparison.Ordinal))
{
ResourceIdentifier resourceIdentifier = new ResourceIdentifier(SqlDatabaseObject.Id);
ResourceGroupName = resourceIdentifier.ResourceGroupName;
DatabaseName = resourceIdentifier.ResourceName;
AccountName = ResourceIdentifierExtensions.GetDatabaseAccountName(resourceIdentifier);
}
else if (ParameterSetName.Equals(ObjectParameterSet, StringComparison.Ordinal))
{
ResourceIdentifier resourceIdentifier = new ResourceIdentifier(InputObject.Id);
ResourceGroupName = resourceIdentifier.ResourceGroupName;
DatabaseName = ResourceIdentifierExtensions.GetSqlDatabaseName(resourceIdentifier);
AccountName = ResourceIdentifierExtensions.GetDatabaseAccountName(resourceIdentifier);
Name = InputObject.Name;
}
KeyWrapMetadata newEncryptionKeyWrapMetadata;
if (KeyWrapMetadata != null)
{
newEncryptionKeyWrapMetadata = PSSqlKeyWrapMetadata.ToSDKModel(KeyWrapMetadata);
}
else
{
throw new ArgumentException("KeyWrapMetadata cannot be null");
}
ClientEncryptionKeyGetResults readClientEncryptionKeyGetResults = null;
try
{
readClientEncryptionKeyGetResults = CosmosDBManagementClient.SqlResources.GetClientEncryptionKey(ResourceGroupName, AccountName, DatabaseName, Name);
}
catch (CloudException e)
{
if (e.Response.StatusCode == System.Net.HttpStatusCode.NotFound)
{
throw new ResourceNotFoundException(message: string.Format(ExceptionMessage.NotFound, Name), innerException: e);
}
}
ClientEncryptionKeyResource clientEncryptionKeyResource = UpdateAzCosmosDbClientEncryptionKey.PopulateSqlClientEncryptionKeyResource(readClientEncryptionKeyGetResults.Resource);
if (!string.Equals(newEncryptionKeyWrapMetadata.Algorithm, "RSA-OAEP"))
{
throw new ArgumentException($"Invalid key wrap algorithm '{newEncryptionKeyWrapMetadata.Algorithm}' passed. Please refer to https://aka.ms/CosmosClientEncryption for more details.");
}
byte[] rewrappedKey;
if (string.Equals(clientEncryptionKeyResource.KeyWrapMetadata.Type, "AZURE_KEY_VAULT") && KeyEncryptionKeyResolver == null)
{
if (!string.Equals(newEncryptionKeyWrapMetadata.Type, "AZURE_KEY_VAULT"))
{
throw new ArgumentException("KeyEncryptionKeyResolver type cannot be changed during rewrap operations. Please refer to https://aka.ms/CosmosClientEncryption for more details.");
}
// get the token credential for key vault audience.
TokenCredential tokenCredential = new CosmosDBSessionCredential(DefaultContext, AzureEnvironment.Endpoint.AzureKeyVaultServiceEndpointResourceId);
KeyEncryptionKeyResolver = new KeyResolver(tokenCredential);
}
else
{
if (KeyEncryptionKeyResolver == null)
{
throw new ArgumentException("KeyEncryptionKeyResolver cannot be null.");
}
}
byte[] unwrappedKey = KeyEncryptionKeyResolver.Resolve(clientEncryptionKeyResource.KeyWrapMetadata.Value)
.UnwrapKey(clientEncryptionKeyResource.KeyWrapMetadata.Algorithm, clientEncryptionKeyResource.WrappedDataEncryptionKey);
rewrappedKey = KeyEncryptionKeyResolver.Resolve(newEncryptionKeyWrapMetadata.Value)
.WrapKey(newEncryptionKeyWrapMetadata.Algorithm, unwrappedKey);
clientEncryptionKeyResource = new ClientEncryptionKeyResource
{
Id = Name,
EncryptionAlgorithm = clientEncryptionKeyResource.EncryptionAlgorithm,
KeyWrapMetadata = newEncryptionKeyWrapMetadata,
WrappedDataEncryptionKey = rewrappedKey
};
ClientEncryptionKeyCreateUpdateParameters clientEncryptionKeyCreateUpdateParameters = new ClientEncryptionKeyCreateUpdateParameters
{
Resource = clientEncryptionKeyResource
};
if (ShouldProcess(Name, "Updating an existing CosmosDB Client Encryption Key"))
{
ClientEncryptionKeyGetResults clientEncryptionKeyGetResults = CosmosDBManagementClient.SqlResources.CreateUpdateClientEncryptionKeyWithHttpMessagesAsync(ResourceGroupName, AccountName, DatabaseName, Name, clientEncryptionKeyCreateUpdateParameters).GetAwaiter().GetResult().Body;
WriteObject(new PSSqlClientEncryptionKeyGetResults(clientEncryptionKeyGetResults));
}
}
