limit KeyType to be required only when create managed HSM key

Azure · Oct 16, 2020 · 49b9148 · 49b9148
1 parent 787210f
commit 49b9148
Show file tree

Hide file tree

Showing 5 changed files with 126 additions and 38 deletions.
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.Tests.ps1
@@ -2,8 +2,72 @@ $here = Split-Path -Parent $MyInvocation.MyCommand.Path
 $sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.'
 . "$here\$sut"
 
-Describe "ManagedHsmDatePlaneTests" {
-    It "does something useful" {
-        $true | Should Be $false
+BeforeAll {
+    . $PSScriptRoot/ManagedHsmDatePlaneTests.ps1
+    ImportModules
+    $hsmName = GetAzManagedHsm
+}
+
+Describe "AddAzManagedHsmKey" {
+    It "Create a RSA key inside a managed HSM" {
+        $keyName = GetRandomName -Prefix "key"
+        $keyType = "RSA"
+        $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType
+        $rsaKey.VaultName | Should -BeExactly $hsmName
+        $rsaKey.Name | Should -BeExactly $keyName
+        $rsaKey.Attributes.KeyType | Should -Be "RSA-HSM"
+    }
+
+    It "Create an EC key with curve P-256 inside a managed HSM" {
+        $keyName = GetRandomName -Prefix "key"
+        $keyType = "EC"
+        $curveName = "P-256"
+        $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -CurveName $curveName
+        $rsaKey.VaultName | Should -BeExactly $hsmName
+        $rsaKey.Name | Should -BeExactly $keyName
+        $rsaKey.Attributes.KeyType | Should -Be "EC-HSM"
+        $rsaKey.Key.CurveName | Should -Be $curveName
+    }
+
+    It "Create an oct key inside a managed HSM" {
+        $keyName = GetRandomName -Prefix "key"
+        $keyType = "oct"
+        $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType
+        $rsaKey.VaultName | Should -BeExactly $hsmName
+        $rsaKey.Name | Should -BeExactly $keyName
+        $rsaKey.Attributes.KeyType | Should -Be "oct-HSM"
+    }
+
+     It "Create an oct key inside a managed HSM" {
+        $keyName = GetRandomName -Prefix "key"
+        $keyType = "oct"
+        $rsaKey = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType
+        $rsaKey.VaultName | Should -BeExactly $hsmName
+        $rsaKey.Name | Should -BeExactly $keyName
+        $rsaKey.Attributes.KeyType | Should -Be "oct-HSM"
+    }
+
+     It "Create a key with non-default values inside a managed HSM" {
+        $keyName = GetRandomName -Prefix "key"
+        $keyType = "RSA"
+        $KeyOps = 'decrypt', 'verify'
+        # Expires & NotBefore is hard to cmpare, may add in the furture
+        $Tags = @{'Severity' = 'high'; 'Accounting' = "true"}
+
+        $key = Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -KeyOps $KeyOps -Disable -Tag $Tags
+
+        $key.Attributes.KeyOps | Should -Be $KeyOps
+        $key.Tags.Count | Should -Be 2
+        $key.Enabled | Should -Be $false
+    }
+
+    It "Import a RSA key from pfx file into a managed HSM" {
+        $keyName = GetRandomName -Prefix "key"
+        $key = Add-AzManagedHsmKey -HsmName bezmhsm -Name $keyName -KeyFilePath $PSScriptRoot/sd1.pfx -KeyFilePassword (ConvertTo-SecureString "Passw0rd" -AsPlainText -Force)
+        $key.Name | Should -BeExactly $keyName
     }
 }
+
+AfterAll {
+    RemoveHsmResourceGroup $hsmName
+}
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1 b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/ManagedHsmDatePlaneTests.ps1
@@ -1,22 +1,40 @@
-function Test-AddAzManagedHsmKey {
-	Param(
-		[parameter(Mandatory=$true)]
-		[String]
-		$hsmName,
-		[parameter(Mandatory=$true)]
-		[String]
-		$keyName,
-		[parameter(Mandatory=$true)]
-		[String]
-		$keyType,
-		[parameter(Mandatory=$false)]
-		[String]
-		$curveName
-	)
-	if($keyType -eq "EC" || $keyType -eq "EC-HSM"){
-		Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType -CurveName $curveName
-	}
-	else {
-		Add-AzManagedHsmKey -HsmName $hsmName -Name $keyName -KeyType $keyType
-	}
+function GetAzManagedHsm{
+    Param(
+        [parameter(Mandatory=$false)]
+        [String]
+        $HsmName,
+        [parameter(Mandatory=$false)]
+        [String]
+        $ResourceGroupName,
+        [parameter(Mandatory=$false)]
+        [String]
+        $Location,
+        [parameter(Mandatory=$false)]
+        [String[]]
+        $Administrator
+    )
+    $hsmName = GetRandomName -Prefix "hsm"
+    $resourceGroupName = GetRandomName -Prefix "rg"
+    $Location = "eastus2euap"
+    $administrator = "c1be1392-39b8-4521-aafc-819a47008545"
+    $hsm = New-AzManagedHsm -Name $HsmName -ResourceGroupName $ResourceGroupName -Location $r -Administrator $Administrator
+    return $hsm
 }
+
+function GetRandomName{
+    Param(
+        [parameter(Mandatory=$false)]
+        [String]
+        $Prefix
+    )
+    $randomNum = Get-Random -Minimum 100 -Maximum 99999
+    return "$Prefix$randomNum"
+}
+
+function ImportModules{
+    $psd1Path = Join-Path $PSScriptRoot "../../../../../artifacts/Debug/" -Resolve
+    $accountsPsd1 = Join-Path $psd1Path "./Az.Accounts/Az.Accounts.psd1"
+    $keyVaultPsd1 = Join-Path $psd1Path "./Az.KeyVault/Az.KeyVault.psd1"
+    Import-Module $accountsPsd1
+    Import-Module $keyVaultPsd1
+}
diff --git a/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/sd1.pfx b/src/KeyVault/KeyVault.Test/ScenarioTests/PesterTests/sd1.pfx
diff --git a/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs b/src/KeyVault/KeyVault/Commands/AddAzureManagedHsmKey.cs
@@ -18,7 +18,7 @@ namespace Microsoft.Azure.Commands.KeyVault.Commands
      /// 3. Create a key from a .pfx file by importing key material
      /// </summary>
     [Cmdlet("Add", ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmKey", SupportsShouldProcess = true, DefaultParameterSetName = InteractiveCreateParameterSet)]
-    [OutputType(typeof(PSManagedHsm))]
+    [OutputType(typeof(PSKeyVaultKey))]
     public class AddAzureManagedHsmKey : KeyVaultCmdletBase
     {
         #region Parameter Set Names
@@ -123,6 +123,13 @@ public class AddAzureManagedHsmKey : KeyVaultCmdletBase
         /// key type
         /// </summary>
         [Parameter(Mandatory = true,
+            ParameterSetName = InteractiveCreateParameterSet,
+            HelpMessage = "Specifies the key type of this key.")]
+        [Parameter(Mandatory = true,
+            ParameterSetName = InputObjectCreateParameterSet,
+            HelpMessage = "Specifies the key type of this key.")]
+        [Parameter(Mandatory = true,
+            ParameterSetName = ResourceIdCreateParameterSet,
             HelpMessage = "Specifies the key type of this key.")]
         [PSArgumentCompleter("RSA", "EC", "oct")]
         public string KeyType { get; set; }
@@ -210,15 +217,14 @@ public override void ExecuteCmdlet()
                             CreateKeyAttributes(),
                             Size,
                             CurveName);
-                    this.WriteObject(keyBundle);
                 }
                 else
                 {
                     keyBundle = this.Track2DataClient.ImportManagedHsmKey(
                         HsmName, Name,
                         CreateWebKeyFromFile());
                 }
-
+                this.WriteObject(keyBundle);
             }
         }
         private void ValidateKeyExchangeKey()

diff --git a/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md b/src/KeyVault/KeyVault/help/Add-AzManagedHsmKey.md
@@ -22,9 +22,9 @@ Add-AzManagedHsmKey [-HsmName] <String> [-Name] <String> -KeyType <String> [-Cur
 ### InteractiveImport
 ```
 Add-AzManagedHsmKey [-HsmName] <String> [-Name] <String> -KeyFilePath <String>
- [-KeyFilePassword <SecureString>] -KeyType <String> [-CurveName <String>] [-Disable] [-KeyOps <String[]>]
- [-Expires <DateTime>] [-NotBefore <DateTime>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>]
- [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-KeyFilePassword <SecureString>] [-CurveName <String>] [-Disable] [-KeyOps <String[]>] [-Expires <DateTime>]
+ [-NotBefore <DateTime>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ### InputObjectCreate
@@ -37,9 +37,9 @@ Add-AzManagedHsmKey [-InputObject] <PSManagedHsm> [-Name] <String> -KeyType <Str
 ### InputObjectImport
 ```
 Add-AzManagedHsmKey [-InputObject] <PSManagedHsm> [-Name] <String> -KeyFilePath <String>
- [-KeyFilePassword <SecureString>] -KeyType <String> [-CurveName <String>] [-Disable] [-KeyOps <String[]>]
- [-Expires <DateTime>] [-NotBefore <DateTime>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>]
- [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-KeyFilePassword <SecureString>] [-CurveName <String>] [-Disable] [-KeyOps <String[]>] [-Expires <DateTime>]
+ [-NotBefore <DateTime>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ### ResourceIdCreate
@@ -52,9 +52,9 @@ Add-AzManagedHsmKey [-ResourceId] <String> [-Name] <String> -KeyType <String> [-
 ### ResourceIdImport
 ```
 Add-AzManagedHsmKey [-ResourceId] <String> [-Name] <String> -KeyFilePath <String>
- [-KeyFilePassword <SecureString>] -KeyType <String> [-CurveName <String>] [-Disable] [-KeyOps <String[]>]
- [-Expires <DateTime>] [-NotBefore <DateTime>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>]
- [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-KeyFilePassword <SecureString>] [-CurveName <String>] [-Disable] [-KeyOps <String[]>] [-Expires <DateTime>]
+ [-NotBefore <DateTime>] [-Tag <Hashtable>] [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -110,7 +110,7 @@ Tags           :
 
 This command creates a EC-HSM key named testkey using P-256 curve in the managed HSM testkey named testmhsm.
 
-### Example 3: Create a key with non-default values
+### Example 3: Create a oct-HSM key with non-default values
 ```powershell
 PS C:\> $KeyOperations = 'decrypt', 'verify'
 PS C:\> $Expires = (Get-Date).AddYears(2).ToUniversalTime()
@@ -291,7 +291,7 @@ Specifies the key type of this key.
 
 ```yaml
 Type: System.String
-Parameter Sets: (All)
+Parameter Sets: InteractiveCreate, InputObjectCreate, ResourceIdCreate
 Aliases:
 
 Required: True