public async Task UpdateKeyRotationPolicy()
{
string name = Recording.GenerateId();
await Client.CreateRsaKeyAsync(new CreateRsaKeyOptions(name));
RegisterForCleanup(name);
KeyRotationPolicy policy = new()
{
ExpiresIn = "P90D",
LifetimeActions =
{
new KeyRotationLifetimeAction(KeyRotationPolicyAction.Rotate)
{
TimeBeforeExpiry = "P10D",
}
}
};
KeyRotationPolicy updatedPolicy = await Client.UpdateKeyRotationPolicyAsync(name, policy);
Assert.AreEqual(policy.ExpiresIn, updatedPolicy.ExpiresIn);
// Notify policy is always present and can only be updated.
Assert.That(updatedPolicy.LifetimeActions, Has.One.Matches <KeyRotationLifetimeAction>(action => action.Action == KeyRotationPolicyAction.Notify));
KeyRotationLifetimeAction rotateAction = updatedPolicy.LifetimeActions.Single(p => p.Action == KeyRotationPolicyAction.Rotate);
Assert.AreEqual(policy.LifetimeActions[0].Action, rotateAction.Action);
Assert.AreEqual(policy.LifetimeActions[0].TimeAfterCreate, rotateAction.TimeAfterCreate);
Assert.AreEqual(policy.LifetimeActions[0].TimeBeforeExpiry, rotateAction.TimeBeforeExpiry);
}
public void KeyRotationSync()
{
// Environment variable with the Key Vault endpoint.
string keyVaultUrl = TestEnvironment.KeyVaultUrl;
#region Snippet:KeysSample8KeyClient
var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
#endregion
#region Snippet:KeysSample8CreateKey
string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
KeySize = 2048,
};
KeyVaultKey cloudRsaKey = keyClient.CreateRsaKey(rsaKey);
Debug.WriteLine($"{cloudRsaKey.KeyType} key is returned with name {cloudRsaKey.Name} and version {cloudRsaKey.Properties.Version}");
#endregion
#region Snippet:KeysSample8UpdateRotationPolicy
KeyRotationPolicy policy = new KeyRotationPolicy()
{
ExpiresIn = TimeSpan.FromDays(90),
LifetimeActions =
{
new KeyRotationLifetimeAction()
{
Action = KeyRotationPolicyAction.Rotate,
TimeBeforeExpiry = TimeSpan.FromDays(30)
}
}
};
keyClient.UpdateKeyRotationPolicy(rsaKeyName, policy);
#endregion
#region Snippet:KeysSample8RotateKey
KeyVaultKey newRsaKey = keyClient.RotateKey(rsaKeyName);
Debug.WriteLine($"Rotated key {newRsaKey.Name} with version {newRsaKey.Properties.Version}");
#endregion
DeleteKeyOperation operation = keyClient.StartDeleteKey(rsaKeyName);
// You only need to wait for completion if you want to purge or recover the key.
while (!operation.HasCompleted)
{
Thread.Sleep(2000);
operation.UpdateStatus();
}
// If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged.
keyClient.PurgeDeletedKey(rsaKeyName);
}
public async Task GetKeyRotationPolicyReturnsDefault()
{
string name = Recording.GenerateId();
await Client.CreateRsaKeyAsync(new CreateRsaKeyOptions(name));
RegisterForCleanup(name);
KeyRotationPolicy policy = await Client.GetKeyRotationPolicyAsync(name);
Assert.That(policy.LifetimeActions, Has.One.Matches <KeyRotationLifetimeAction>(action => action.Action == KeyRotationPolicyAction.Notify));
}
public PSKeyRotationPolicy(KeyRotationPolicy keyRotationPolicy, string vaultName, string keyName)
{
Id = keyRotationPolicy.Id?.ToString();
VaultName = vaultName;
KeyName = keyName;
LifetimeActions = new List <PSKeyRotationLifetimeAction>();
foreach (var action in keyRotationPolicy.LifetimeActions)
{
LifetimeActions.Add(new PSKeyRotationLifetimeAction(action));
}
ExpiresIn = keyRotationPolicy.ExpiresIn;
CreatedOn = keyRotationPolicy.CreatedOn;
UpdatedOn = keyRotationPolicy.UpdatedOn;
}
public async Task KeyRotationAsync()
{
// Environment variable with the Key Vault endpoint.
string keyVaultUrl = TestEnvironment.KeyVaultUrl;
var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
KeySize = 2048,
};
KeyVaultKey cloudRsaKey = await keyClient.CreateRsaKeyAsync(rsaKey);
Debug.WriteLine($"{cloudRsaKey.KeyType} key is returned with name {cloudRsaKey.Name} and version {cloudRsaKey.Properties.Version}");
KeyRotationPolicy policy = new KeyRotationPolicy()
{
ExpiresIn = "P90D",
LifetimeActions =
{
new KeyRotationLifetimeAction()
{
Action = KeyRotationPolicyAction.Rotate,
TimeBeforeExpiry = "P30D"
}
}
};
await keyClient.UpdateKeyRotationPolicyAsync(rsaKeyName, policy);
KeyVaultKey newRsaKey = await keyClient.RotateKeyAsync(rsaKeyName);
Debug.WriteLine($"Rotated key {newRsaKey.Name} with version {newRsaKey.Properties.Version}");
DeleteKeyOperation operation = await keyClient.StartDeleteKeyAsync(rsaKeyName);
// You only need to wait for completion if you want to purge or recover the key.
await operation.WaitForCompletionAsync();
// If the keyvault is soft-delete enabled, then for permanent deletion, deleted key needs to be purged.
keyClient.PurgeDeletedKey(rsaKeyName);
}
internal PSKeyRotationPolicy SetKeyRotationPolicy(PSKeyRotationPolicy psKeyRotationPolicy)
{
var client = CreateKeyClient(psKeyRotationPolicy.VaultName);
var policy = new KeyRotationPolicy()
{
ExpiresIn = psKeyRotationPolicy.ExpiresIn,
LifetimeActions = { }
};
psKeyRotationPolicy.LifetimeActions?.ForEach(
psKeyRotationLifetimeAction => policy.LifetimeActions.Add(
new KeyRotationLifetimeAction(new KeyRotationPolicyAction(psKeyRotationLifetimeAction.Action))
{
TimeAfterCreate = psKeyRotationLifetimeAction.TimeAfterCreate,
TimeBeforeExpiry = psKeyRotationLifetimeAction.TimeBeforeExpiry
}
));
return(SetKeyRotationPolicy(client, psKeyRotationPolicy.VaultName, psKeyRotationPolicy.KeyName, policy));
}
private PSKeyRotationPolicy SetKeyRotationPolicy(KeyClient client, string managedHsmName, string keyName, KeyRotationPolicy keyRotationPolicy)
{
return(new PSKeyRotationPolicy(client.UpdateKeyRotationPolicy(keyName, keyRotationPolicy), managedHsmName, keyName));
}
private PSKeyRotationPolicy SetKeyRotationPolicy(KeyClient client, string vaultName, string keyName, KeyRotationPolicy policy)
{
return(new PSKeyRotationPolicy(client.UpdateKeyRotationPolicy(keyName, policy), vaultName, keyName));
}
