public async Task EncryptionResourceTokenAuthRestricted() { TestDoc testDoc = await EncryptionTests.CreateItemAsync(EncryptionTests.itemContainerCore, EncryptionTests.dekId, TestDoc.PathsToEncrypt); User restrictedUser = EncryptionTests.databaseCore.GetUser(Guid.NewGuid().ToString()); await EncryptionTests.databaseCore.CreateUserAsync(restrictedUser.Id); PermissionProperties restrictedUserPermission = await restrictedUser.CreatePermissionAsync( new PermissionProperties(Guid.NewGuid().ToString(), PermissionMode.All, EncryptionTests.itemContainer)); CosmosDataEncryptionKeyProvider dekProvider = new CosmosDataEncryptionKeyProvider(new TestKeyWrapProvider()); TestEncryptor encryptor = new TestEncryptor(dekProvider); (string endpoint, string _) = TestCommon.GetAccountInfo(); CosmosClient clientForRestrictedUser = new CosmosClientBuilder(endpoint, restrictedUserPermission.Token) .WithEncryptor(encryptor) .Build(); Database databaseForRestrictedUser = clientForRestrictedUser.GetDatabase(EncryptionTests.databaseCore.Id); Container containerForRestrictedUser = databaseForRestrictedUser.GetContainer(EncryptionTests.itemContainer.Id); await EncryptionTests.PerformForbiddenOperationAsync(() => dekProvider.InitializeAsync(databaseForRestrictedUser, EncryptionTests.keyContainer.Id), "CosmosDekProvider.InitializeAsync"); await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(() => dekProvider.DataEncryptionKeyContainer.ReadDataEncryptionKeyAsync(EncryptionTests.dekId), "DEK.ReadAsync"); await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(() => containerForRestrictedUser.ReadItemAsync <TestDoc>(testDoc.Id, new PartitionKey(testDoc.PK)), "ReadItemAsync"); await EncryptionTests.PerformOperationOnUninitializedDekProviderAsync(() => containerForRestrictedUser.ReadItemStreamAsync(testDoc.Id, new PartitionKey(testDoc.PK)), "ReadItemStreamAsync"); }