public void Test_UserManagement()
{
// Create the encrypted password for the user
AsymmetricEncryptedSecret encryptedSecret = Client.Devices.GetAsymmetricEncryptedSecretUsingActivationKey(TestConstants.GatewayResourceName, TestConstants.DefaultResourceGroupName, "Password1", TestConstants.GatewayActivationKey);
User user = new User()
{
EncryptedPassword = encryptedSecret
};
// Create user.
Client.Users.CreateOrUpdate(TestConstants.GatewayResourceName, "user1", TestConstants.DefaultResourceGroupName, encryptedSecret);
Client.Users.CreateOrUpdate(TestConstants.GatewayResourceName, "user2", TestConstants.DefaultResourceGroupName, encryptedSecret);
// Get user by name
var retrievedUser = Client.Users.Get(TestConstants.GatewayResourceName, "user1", TestConstants.DefaultResourceGroupName);
// List users in the device
string continuationToken = null;
var usersInDevice = TestUtilities.ListUsers(Client, TestConstants.GatewayResourceName, TestConstants.DefaultResourceGroupName, out continuationToken);
if (continuationToken != null)
{
usersInDevice.ToList().AddRange(TestUtilities.ListUsers(Client, TestConstants.GatewayResourceName, TestConstants.DefaultResourceGroupName, out continuationToken));
}
// Delete user
Client.Users.Delete(TestConstants.GatewayResourceName, "user2", TestConstants.DefaultResourceGroupName);
}
private AsymmetricEncryptedSecret EncryptSecretUsingDEK(string resourceGroupName, string managerName, string deviceName, string plainTextSecret)
{
PublicKey devicePublicEncryptionInfo = this.Client.Managers.GetDevicePublicEncryptionKey(deviceName.GetDoubleEncoded(), resourceGroupName, managerName);
var encryptedSecret = CryptoHelper.EncryptSecretRSAPKCS(plainTextSecret, devicePublicEncryptionInfo.Key);
AsymmetricEncryptedSecret secret = new AsymmetricEncryptedSecret(encryptedSecret, EncryptionAlgorithm.RSAESPKCS1V15, String.Empty);
return(secret);
}
public void TestConfigureCloudAppliance()
{
//checking for prerequisites
var device = Helpers.CheckAndGetDevice(this, DeviceType.Series8000VirtualAppliance, DeviceStatus.ReadyToSetup);
var deviceName = device.Name;
//the service data encryption key from rollovered device
var serviceDataEncryptionKey = "ZJOCJNA3k0g5WSHqskiMug==";
try
{
// Device admin password and snapshot manager password
AsymmetricEncryptedSecret deviceAdminpassword = this.Client.Managers.GetAsymmetricEncryptedSecret(this.ResourceGroupName, this.ManagerName, "test-adminp13");
AsymmetricEncryptedSecret snapshotmanagerPassword = this.Client.Managers.GetAsymmetricEncryptedSecret(this.ResourceGroupName, this.ManagerName, "test-ssmpas1235");
//cloud appliance settings
CloudApplianceSettings cloudApplianceSettings = new CloudApplianceSettings();
cloudApplianceSettings.ServiceDataEncryptionKey = EncryptSecretUsingDEK(this.ResourceGroupName, this.ManagerName, deviceName, serviceDataEncryptionKey);
var managerExtendedInfo = this.Client.Managers.GetExtendedInfo(this.ResourceGroupName, this.ManagerName);
cloudApplianceSettings.ChannelIntegrityKey = EncryptSecretUsingDEK(this.ResourceGroupName, this.ManagerName, deviceName, managerExtendedInfo.IntegrityKey);
//security settings patch
SecuritySettingsPatch securitySettingsPatch = new SecuritySettingsPatch()
{
DeviceAdminPassword = deviceAdminpassword,
SnapshotPassword = snapshotmanagerPassword,
CloudApplianceSettings = cloudApplianceSettings
};
//update security settings - this will configure the SCA too.
this.Client.DeviceSettings.UpdateSecuritySettings(
deviceName.GetDoubleEncoded(),
securitySettingsPatch,
this.ResourceGroupName,
this.ManagerName);
var securitySettings = this.Client.DeviceSettings.GetSecuritySettings(
deviceName.GetDoubleEncoded(),
this.ResourceGroupName,
this.ManagerName);
//validation
Assert.True(securitySettings != null, "Creation of Security Setting was not successful.");
//validate that SCA got configured, by checking device is online now.
Helpers.CheckAndGetConfiguredDevice(this, deviceName);
}
catch (Exception e)
{
Assert.Null(e);
}
}
public void Test_ARMUserPasswordUpdate()
{
// Get user by name
var retrievedUser = Client.Users.Get(TestConstants.EdgeResourceName, TestConstants.ARMLiteUserName, TestConstants.DefaultResourceGroupName);
// Create the encrypted password for the user
AsymmetricEncryptedSecret encryptedSecret = Client.Devices.GetAsymmetricEncryptedSecret(TestConstants.EdgeResourceName, TestConstants.DefaultResourceGroupName, "Password1", TestConstants.EdgeDeviceCIK);
retrievedUser.EncryptedPassword = encryptedSecret;
// Create user.
Client.Users.CreateOrUpdate(TestConstants.EdgeResourceName, TestConstants.ARMLiteUserName, retrievedUser, TestConstants.DefaultResourceGroupName);
}
private static ResourceModel InitStorageAccountCredentialObject(
string name,
string storageAccountName,
string accountType,
string sslStatus,
AsymmetricEncryptedSecret secret)
{
var storageAccountCredential = new ResourceModel(
name,
sslStatus,
accountType,
userName: storageAccountName,
accountKey: secret);
return(storageAccountCredential);
}
/// <summary>
/// Gets an iot role object
/// </summary>
/// <param name="iotDeviceSecret"></param>
/// <param name="iotEdgeDeviceSecret"></param>
/// <returns>IoTRole</returns>
public static IoTRole GetIoTRoleObject(AsymmetricEncryptedSecret iotDeviceSecret, AsymmetricEncryptedSecret iotEdgeDeviceSecret)
{
Authentication authentication = new Authentication()
{
SymmetricKey = new SymmetricKey(iotDeviceSecret)
};
IoTDeviceInfo ioTDeviceInfo = new IoTDeviceInfo("iotdevice", "iothub.azure-devices.net", authentication: authentication);
Authentication edgeAuthentication = new Authentication()
{
SymmetricKey = new SymmetricKey(iotEdgeDeviceSecret)
};
IoTDeviceInfo ioTEdgeDeviceInfo = new IoTDeviceInfo("iotdevice", "iothub.azure-devices.net", authentication: edgeAuthentication);
IoTRole ioTRole = new IoTRole("Linux", ioTDeviceInfo, ioTEdgeDeviceInfo, "Enabled");
return(ioTRole);
}
/// <summary>
/// Create SecuritySettings on the Device.
/// </summary>
private SecuritySettings CreateAndValidateSecuritySettings(string deviceName)
{
RemoteManagementSettingsPatch remoteManagementSettings = new RemoteManagementSettingsPatch(
RemoteManagementModeConfiguration.HttpsAndHttpEnabled);
AsymmetricEncryptedSecret deviceAdminpassword = this.Client.Managers.GetAsymmetricEncryptedSecret(
this.ResourceGroupName,
this.ManagerName,
"test-adminp13");
AsymmetricEncryptedSecret snapshotmanagerPassword = this.Client.Managers.GetAsymmetricEncryptedSecret(
this.ResourceGroupName,
this.ManagerName,
"test-ssmpas1235");
ChapSettings chapSettings = new ChapSettings(
"test-initiator-user",
this.Client.Managers.GetAsymmetricEncryptedSecret(this.ResourceGroupName, this.ManagerName, "chapsetInitP124"),
"test-target-user",
this.Client.Managers.GetAsymmetricEncryptedSecret(this.ResourceGroupName, this.ManagerName, "chapsetTargP1235"));
SecuritySettingsPatch securitySettingsPatch = new SecuritySettingsPatch(
remoteManagementSettings,
deviceAdminpassword,
snapshotmanagerPassword,
chapSettings);
this.Client.DeviceSettings.UpdateSecuritySettings(
deviceName.GetDoubleEncoded(),
securitySettingsPatch,
this.ResourceGroupName,
this.ManagerName);
var securitySettings = this.Client.DeviceSettings.GetSecuritySettings(
deviceName.GetDoubleEncoded(),
this.ResourceGroupName,
this.ManagerName);
//validation
Assert.True(securitySettings != null &&
securitySettings.RemoteManagementSettings.RemoteManagementMode.Equals(RemoteManagementModeConfiguration.HttpsAndHttpEnabled) &&
securitySettings.ChapSettings.InitiatorUser.Equals("test-initiator-user") &&
securitySettings.ChapSettings.TargetUser.Equals("test-target-user"), "Creation of Security Setting was not successful.");
return(securitySettings);
}
public void Test_IoTRoles()
{
AsymmetricEncryptedSecret iotDevicesecret = Client.Devices.GetAsymmetricEncryptedSecretUsingActivationKey(TestConstants.EdgeResourceName, TestConstants.DefaultResourceGroupName, "IotDeviceConnectionString", TestConstants.EdgeDeviceActivationKey);
AsymmetricEncryptedSecret iotEdgeDevicesecret = Client.Devices.GetAsymmetricEncryptedSecretUsingActivationKey(TestConstants.EdgeResourceName, TestConstants.DefaultResourceGroupName, "IotEdgeDeviceConnectionString", TestConstants.EdgeDeviceActivationKey);
var iotRole = TestUtilities.GetIoTRoleObject(iotDevicesecret, iotEdgeDevicesecret);
// Create an iot role
Client.Roles.CreateOrUpdate(TestConstants.EdgeResourceName, "iot-1", iotRole, TestConstants.DefaultResourceGroupName);
// Get an iot role by name
Client.Roles.Get(TestConstants.EdgeResourceName, "iot-1", TestConstants.DefaultResourceGroupName);
// List iot Roles in the device
string continuationToken = null;
TestUtilities.ListRoles(Client, TestConstants.EdgeResourceName, TestConstants.DefaultResourceGroupName, out continuationToken);
// Delete iot role
Client.Roles.Delete(TestConstants.EdgeResourceName, "iot-1", TestConstants.DefaultResourceGroupName);
}
/// <summary>
/// Update SecuritySettings on the Device.
/// </summary>
private void ValidateCreateOrUpdateSecuritySettings(string deviceName)
{
AsymmetricEncryptedSecret deviceAdminpassword =
this.Client.Managers.GetAsymmetricEncryptedSecret(
this.ResourceGroupName,
this.ManagerName,
"test-adminp13");
SecuritySettings newSecuritySettings = new SecuritySettings()
{
DeviceAdminPassword = deviceAdminpassword
};
// Update security settings for the given device
this.Client.Devices.CreateOrUpdateSecuritySettings(
deviceName.GetDoubleEncoded(),
newSecuritySettings,
this.ResourceGroupName,
this.ManagerName);
// No validation since there isn't GET Security Settings API
}
public void Test_SACManagement()
{
//Create storage account credential
AsymmetricEncryptedSecret encryptedSecret = Client.Devices.GetAsymmetricEncryptedSecretUsingActivationKey(TestConstants.GatewayResourceName, TestConstants.DefaultResourceGroupName, "EyIbt0QelBmm4ggkWsvQGaGaijYv/JBXIRl5ZR7pwgCJCkLYQmKY+H5RV4COGhbi01dBRIC1dNSF1sbJoeAL1Q==", TestConstants.GatewayActivationKey);
StorageAccountCredential sac1 = TestUtilities.GetSACObject(encryptedSecret, "sac1");
Client.StorageAccountCredentials.CreateOrUpdate(TestConstants.GatewayResourceName, "sac1", sac1, TestConstants.DefaultResourceGroupName);
StorageAccountCredential sac2 = TestUtilities.GetSACObject(encryptedSecret, "sac2");
Client.StorageAccountCredentials.CreateOrUpdate(TestConstants.GatewayResourceName, "sac2", sac2, TestConstants.DefaultResourceGroupName);
//Get storage account credential by name.
Client.StorageAccountCredentials.Get(TestConstants.GatewayResourceName, "sac1", TestConstants.DefaultResourceGroupName);
//List storage account credentials in the device
string continuationToken = null;
var storageCredentials = TestUtilities.ListStorageAccountCredentials(Client, TestConstants.GatewayResourceName, TestConstants.DefaultResourceGroupName, out continuationToken);
//List storage account credentials in the device
Client.StorageAccountCredentials.Delete(TestConstants.GatewayResourceName, "sac2", TestConstants.DefaultResourceGroupName);
}
public static IoTRole GetIoTRoleObject(
string deviceId,
string edgeDeviceId,
string ioTHostHub,
string platform,
AsymmetricEncryptedSecret iotDeviceSecret,
AsymmetricEncryptedSecret iotEdgeDeviceSecret,
string roleStatus)
{
var authentication = new Authentication()
{
SymmetricKey = new SymmetricKey(iotDeviceSecret)
};
var ioTDeviceInfo = new IoTDeviceInfo(deviceId, ioTHostHub, authentication: authentication);
var edgeAuthentication = new Authentication()
{
SymmetricKey = new SymmetricKey(iotEdgeDeviceSecret)
};
var ioTEdgeDeviceInfo = new IoTDeviceInfo(edgeDeviceId, ioTHostHub, authentication: edgeAuthentication);
return(new IoTRole(platform, ioTDeviceInfo, ioTEdgeDeviceInfo, roleStatus));
}
/// <summary>
/// Use this method to encrypt the user secrets (Storage Account Access Key, Volume Container Encryption Key etc.)
/// </summary>
/// <param name="deviceName">
/// The resource name.
/// </param>
/// <param name="resourceGroupName">
/// The resource group name.
/// </param>
/// <param name="plainTextSecret">
/// The plain text secret.
/// </param>
/// <returns>
/// The <see cref="AsymmetricEncryptedSecret"/>.
/// </returns>
/// <exception cref="ValidationException">
/// </exception>
/// <exception cref="InvalidOperationException">
/// </exception>
public static AsymmetricEncryptedSecret GetAsymmetricEncryptedSecretFromCIK(
this IDevicesOperations operations,
string deviceName,
string resourceGroupName,
string plainTextSecret,
string channelIntegrationKey)
{
if (string.IsNullOrWhiteSpace(plainTextSecret))
{
throw new Microsoft.Rest.ValidationException(Microsoft.Rest.ValidationRules.CannotBeNull, "plainTextSecret");
}
if (string.IsNullOrWhiteSpace(resourceGroupName))
{
throw new Microsoft.Rest.ValidationException(Microsoft.Rest.ValidationRules.CannotBeNull, "resourceGroupName");
}
if (string.IsNullOrWhiteSpace(deviceName))
{
throw new Microsoft.Rest.ValidationException(Microsoft.Rest.ValidationRules.CannotBeNull, "resourceName");
}
DataBoxEdgeDeviceExtendedInfo extendedInfo = operations.GetExtendedInformation(deviceName, resourceGroupName);
string encryptionKey = extendedInfo.EncryptionKey;
string encryptionKeyThumbprint = extendedInfo.EncryptionKeyThumbprint;
string ChannelEncryptionKey = CryptoUtilities.DecryptStringAES(encryptionKey, channelIntegrationKey);
var secret = new AsymmetricEncryptedSecret()
{
EncryptionAlgorithm = EncryptionAlgorithm.AES256,
EncryptionCertThumbprint = encryptionKeyThumbprint,
Value = CryptoUtilities.EncryptStringRsaPkcs1v15(plainTextSecret, ChannelEncryptionKey)
};
return(secret);
}
public void Test_SACManagement()
{
// There is a restriction that storage account name and SAC name has to be same. So the names are used interchanteable
string storageAccountName = "databoxedgeutdst";
//Create storage account credential
AsymmetricEncryptedSecret encryptedSecret = Client.Devices.GetAsymmetricEncryptedSecret(TestConstants.EdgeResourceName, TestConstants.DefaultResourceGroupName, "EyIbt0QelBmm4ggkWsvQGaGaijYv/JBXIRl5ZR7pwgCJCkLYQmKY+H5RV4COGhbi01dBRIC1dNSF1sbJoeAL1Q==", TestConstants.EdgeDeviceCIK);
StorageAccountCredential sac1 = TestUtilities.GetSACObject(encryptedSecret, storageAccountName);
Client.StorageAccountCredentials.CreateOrUpdate(TestConstants.EdgeResourceName, storageAccountName, sac1, TestConstants.DefaultResourceGroupName);
//Get storage account credential by name.
Client.StorageAccountCredentials.Get(TestConstants.EdgeResourceName, storageAccountName, TestConstants.DefaultResourceGroupName);
//List storage account credentials in the device
string continuationToken = null;
var storageCredentials = TestUtilities.ListStorageAccountCredentials(Client, TestConstants.EdgeResourceName, TestConstants.DefaultResourceGroupName, out continuationToken);
//List storage account credentials in the device
Client.StorageAccountCredentials.Delete(TestConstants.EdgeResourceName, storageAccountName, TestConstants.DefaultResourceGroupName);
//Create again as we want to keep the SAC object inresource
sac1 = TestUtilities.GetSACObject(encryptedSecret, storageAccountName);
Client.StorageAccountCredentials.CreateOrUpdate(TestConstants.EdgeResourceName, storageAccountName, sac1, TestConstants.DefaultResourceGroupName);
}
/// <summary>
/// Updates the security settings on a data box edge/gateway device.
/// </summary>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='deviceName'>
/// The device name.
/// </param>
/// <param name='resourceGroupName'>
/// The resource group name.
/// </param>
/// <param name='deviceAdminPassword'>
/// Device administrator password as an encrypted string (encrypted using RSA
/// PKCS #1) is used to sign into the local web UI of the device. The Actual
/// password should have at least 8 characters that are a combination of
/// uppercase, lowercase, numeric, and special characters.
/// </param>
/// <param name='cancellationToken'>
/// The cancellation token.
/// </param>
public static async Task BeginCreateOrUpdateSecuritySettingsAsync(this IDevicesOperations operations, string deviceName, string resourceGroupName, AsymmetricEncryptedSecret deviceAdminPassword, CancellationToken cancellationToken = default(CancellationToken))
{
(await operations.BeginCreateOrUpdateSecuritySettingsWithHttpMessagesAsync(deviceName, resourceGroupName, deviceAdminPassword, null, cancellationToken).ConfigureAwait(false)).Dispose();
}
/// <summary>
/// Updates the security settings on a data box edge/gateway device.
/// </summary>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='deviceName'>
/// The device name.
/// </param>
/// <param name='resourceGroupName'>
/// The resource group name.
/// </param>
/// <param name='deviceAdminPassword'>
/// Device administrator password as an encrypted string (encrypted using RSA
/// PKCS #1) is used to sign into the local web UI of the device. The Actual
/// password should have at least 8 characters that are a combination of
/// uppercase, lowercase, numeric, and special characters.
/// </param>
public static void BeginCreateOrUpdateSecuritySettings(this IDevicesOperations operations, string deviceName, string resourceGroupName, AsymmetricEncryptedSecret deviceAdminPassword)
{
operations.BeginCreateOrUpdateSecuritySettingsAsync(deviceName, resourceGroupName, deviceAdminPassword).GetAwaiter().GetResult();
}
/// <summary>
/// Gets a sac object
/// </summary>
/// <param name="secret"></param>
/// <param name="sacName"></param>
/// <returns>StorageAccountCredential</returns>
public static StorageAccountCredential GetSACObject(AsymmetricEncryptedSecret secret, string sacName)
{
StorageAccountCredential sac = new StorageAccountCredential(sacName, "Disabled", "BlobStorage", userName: sacName, accountKey: secret);
return(sac);
}
/// <summary>
/// Creates a new user or updates an existing user's information on a data box
/// edge/gateway device.
/// </summary>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='deviceName'>
/// The device name.
/// </param>
/// <param name='name'>
/// The user name.
/// </param>
/// <param name='resourceGroupName'>
/// The resource group name.
/// </param>
/// <param name='encryptedPassword'>
/// The password details.
/// </param>
/// <param name='shareAccessRights'>
/// List of shares that the user has rights on. This field should not be
/// specified during user creation.
/// </param>
/// <param name='cancellationToken'>
/// The cancellation token.
/// </param>
public static async Task <User> BeginCreateOrUpdateAsync(this IUsersOperations operations, string deviceName, string name, string resourceGroupName, AsymmetricEncryptedSecret encryptedPassword = default(AsymmetricEncryptedSecret), IList <ShareAccessRight> shareAccessRights = default(IList <ShareAccessRight>), CancellationToken cancellationToken = default(CancellationToken))
{
using (var _result = await operations.BeginCreateOrUpdateWithHttpMessagesAsync(deviceName, name, resourceGroupName, encryptedPassword, shareAccessRights, null, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
/// <summary>
/// Creates a new user or updates an existing user's information on a data box
/// edge/gateway device.
/// </summary>
/// <param name='operations'>
/// The operations group for this extension method.
/// </param>
/// <param name='deviceName'>
/// The device name.
/// </param>
/// <param name='name'>
/// The user name.
/// </param>
/// <param name='resourceGroupName'>
/// The resource group name.
/// </param>
/// <param name='encryptedPassword'>
/// The password details.
/// </param>
/// <param name='shareAccessRights'>
/// List of shares that the user has rights on. This field should not be
/// specified during user creation.
/// </param>
public static User BeginCreateOrUpdate(this IUsersOperations operations, string deviceName, string name, string resourceGroupName, AsymmetricEncryptedSecret encryptedPassword = default(AsymmetricEncryptedSecret), IList <ShareAccessRight> shareAccessRights = default(IList <ShareAccessRight>))
{
return(operations.BeginCreateOrUpdateAsync(deviceName, name, resourceGroupName, encryptedPassword, shareAccessRights).GetAwaiter().GetResult());
}
