[KeyVault] Onboard KeyVault Round 1

[tjprescott]

This is the first in a series of PRs which will onboard the KeyVault data plane commands. This PR:

• Updates management plane commands to enable certificates
• Adds majority of commands (and test scenarios) for keys and secrets
• Includes first draft of the Python convenience layer (which does NOT include the authentication piece)

Note that the client was generated in autorest and will be removed in favor of direct import once the Python SDK is approved and released.

@yugangw-msft for the changes to profile and @derekbekoe for the changes to the management plane commands. Anyone feel free to drop feedback on the commands themselves. 😄

[yugangw-msft]

i don't think we will need _graph_resource_uri and _key_vault_resource_uri, just remove

The rest change on Profile LGTM

[tjprescott]

Fixed.

[tjprescott]

keyvault group

Group
    az keyvault: Safeguard and maintain control of keys, secrets, and certificates.

Subgroups:
    certificate
    key
    secret

Commands:
    create       : Create a new Key Vault.
    delete       : Delete a Key Vault.
    delete-policy
    list         : List Key Vaults within a subscription or resource group.
    set-policy
    show         : Show details of a Key Vault.
    update       : Update properties of a Key Vault.

keyvault set-policy

Command
    az keyvault set-policy

Arguments
    --name -n      [Required]: Name of the key vault.
    --object-id              : A GUID that identifies the principal that will receive permissions.
    --resource-group -g      : Proceed only if Key Vault belongs to the specified resource group.
    --spn                    : Name of a service principal that will receive permissions.
    --upn                    : Name of a user principal that will receive permissions.

Permission Arguments
    --certificate-permissions: Space separated list. Possible values: all, get, list, delete,
                               create, import, update, managecontacts, getissuers, listissuers,
                               setissuers, deleteissuers, manageissuers.
    --key-permissions        : Space separated list. Possible values: all, encrypt, decrypt,
                               wrapKey, unwrapKey, sign, verify, get, list, create, update, import,
                               delete, backup, restore.
    --secret-permissions     : Space separated list. Possible values: all, get, list, set, delete.

keyvault key group

Group
    az keyvault key

Commands:
    create        : Creates a new, named, key in the specified vault.
    delete        : Deletes the specified key.
    list          : List keys in the specified vault.
    list-versions : List the versions of the specified key.
    set-attributes: Updates the Key Attributes associated with the specified key.
    show          : Retrieves the public portion of a key plus its attributes.

keyvault key create

Command
    az keyvault key create: Creates a new, named, key in the specified vault.

Arguments
    --name -n       [Required]: Name of the key.
    --protection -p [Required]: Specifies the type of key protection.  Allowed values: hsm,
                                software.
    --vault-name    [Required]: Name of the key vault.
    --disabled                : Create key in disabled state.
    --expires                 : Expiration UTC datetime  (Y-m-d'T'H:M'Z').
    --not-before              : Key not usable before the provided UTC datetime  (Y-m-d'T'H:M'Z').
    --ops                     : Space separated list of permitted JSON web key operations. Possible
                                values: encrypt, decrypt, sign, verify, wrapKey, unwrapKey.
    --size                    : The key size in bytes. e.g. 1024 or 2048.
    --tags                    : Space separated tags in 'key[=value]' format. Use "" to clear
                                existing tags.

keyvault key set-attributes

Command
    az keyvault key set-attributes: Updates the Key Attributes associated with the specified key.

Arguments
    --name -n    [Required]: Name of the key.
    --vault-name [Required]: Name of the key vault.
    --enabled              : Enable the key.  Allowed values: false, true.
    --expires              : Expiration UTC datetime  (Y-m-d'T'H:M'Z').
    --not-before           : Key not usable before the provided UTC datetime  (Y-m-d'T'H:M'Z').
    --ops                  : Space separated list of permitted JSON web key operations. Possible
                             values: encrypt, decrypt, sign, verify, wrapKey, unwrapKey.
    --tags                 : Space separated tags in 'key[=value]' format. Use "" to clear existing
                             tags.
    --version -v           : The key version. If omitted, uses the latest version.

keyvault secret group

Group
    az keyvault secret

Commands:
    delete        : Deletes a secret from the specified vault.
    list          : List secrets in the specified vault.
    list-versions : List the versions of the specified secret.
    set           : Sets a secret in the specified vault.
    set-attributes: Updates the attributes associated with the specified secret.
    show          : Gets a secret.

keyvault secret set

Command
    az keyvault secret set: Sets a secret in the specified vault.

Arguments
    --name -n    [Required]: Name of the secret.
    --value      [Required]: The value of the secret.
    --vault-name [Required]: Name of the key vault.
    --content-type         : Type of the secret value such as a password.
    --disabled             : Create secret in disabled state.
    --expires              : Expiration UTC datetime  (Y-m-d'T'H:M'Z').
    --not-before           : Key not usable before the provided UTC datetime  (Y-m-d'T'H:M'Z').
    --tags                 : Space separated tags in 'key[=value]' format. Use "" to clear existing
                             tags.

keyvault secret set-attributes

Command
    az keyvault secret set-attributes: Updates the attributes associated with the specified secret.

Arguments
    --name -n    [Required]: Name of the secret.
    --vault-name [Required]: Name of the key vault.
    --content-type         : Type of the secret value such as a password.
    --enabled              : Enable the secret.  Allowed values: false, true.
    --expires              : Expiration UTC datetime  (Y-m-d'T'H:M'Z').
    --not-before           : Key not usable before the provided UTC datetime  (Y-m-d'T'H:M'Z').
    --tags                 : Space separated tags in 'key[=value]' format. Use "" to clear existing
                             tags.
    --version -v           : The secret version. If omitted, uses the latest version.

[tjprescott]

Issue #1029 is preventing this from passing the CI. Please still review. 😅

[tjprescott]

cc/ @pomortaz for review and feedback (authentication will be incorporated in a later PR)

[derekbekoe]

Added a few different comments.

[derekbekoe]

This file is in the root directory.
Think it should be moved to src/command_modules/azure-cli-keyvault/tests or something like that if it's needed for a keyvault test.

[tjprescott]

It will eventually be moved there. Right now I'm using it for development of the key import command.

[derekbekoe]

Same with this: think it should move from root project directory.

[derekbekoe]

Same with this: think it should move from root project directory.

[derekbekoe]

My PR that just merged has this change so we should remove this change (and rebase) to prevent a conflict.

[tjprescott]

Done

[derekbekoe]

@yugangw-msft Are you okay with having service endpoints defined in the azure.cli.core package like this?
You're more familiar with the endpoint urls so want to get your input.

[tjprescott]

This was where they already were defined. I added the endpoint for KeyVault. But this will need to change once the challenge piece is in the convenience layer. Also, I'm definitely not sure about the values I put in for the other hard-coded clouds (which really don't seem like they should be hard coded).

[yugangw-msft]

Yes, i am okay to have the service endpoints to defined here (in one single file), the same pattern used by xplat. When our profile design consolidated, we can do any appropriate change we like

[derekbekoe]

really nitpicky but capital C for challenge like everywhere else?

[derekbekoe]

Will the client work with multiple API versions? (I'm thinking of the multi-cloud story)

[tjprescott]

Ultimately, this will be packaged with the data plane SDK, so it will be revved and versioned along with the SDK.

[derekbekoe]

KeyVaultCredential? - https://www.python.org/dev/peps/pep-0008/#class-names

[tjprescott]

It looks like I must have pressed a funky shortcut in VS because it seems to have made this file all lowercase. Currently it's not used by anything (though it may be used in the convenience layer auth later on).

[derekbekoe]

Whilst HTTP headers are case-insensitive, I'd recommend 'Authorization' and 'Bearer'.
It could/potentially/maybe cause an obscure issue in the future.
Here they use the capitalized form: https://msdn.microsoft.com/en-us/library/azure/dn903615.aspx

[tjprescott]

Fixed. 'Twas the lowercase shortcut key.

[derekbekoe]

Shouldn't print to stdout here.
Do you need to print the Authorization header? If so, consider using logging.

[tjprescott]

No, this was part of debugging. I'll remove it.

[tjprescott]

@yugangw-msft how do I verify this URL?

[yugangw-msft]

Just cross check from xplat environment.js where keyvault team put in the endpoints themselves. If still missing, please ask @karlaugsten

[karlaugsten]

@tjprescott the endpoint for KeyVault in china is https://vault.azure.cn

[derekbekoe]

@tjprescott: I have worked out why your recent build failed - https://travis-ci.org/Azure/azure-cli/jobs/165952645.

In src/command_modules/azure-cli-keyvault/setup.py, you should list the packages you want to be included in the packages array in the setup(...) function.
You are getting the error ImportError: No module named 'azure.cli.command_modules.keyvault.keyvaultclient' because azure.cli.command_modules.keyvault.keyvaultclient is not in this list of packages.
There may be others if you added other new packages as well.

When I list azure/cli/command_modules/keyvault after the package_verify that the CI runs, I don't see a keyvaultclient directory and that's because of the above.

root@230334cde9c1:/usr/local/lib/python3.5/site-packages/azure/cli/command_modules/keyvault# ls -l
total 56
-rw-r--r-- 1 root staff   632 Oct  7 23:43 __init__.py
drwxr-sr-x 2 root staff  4096 Oct  7 23:45 __pycache__
-rw-r--r-- 1 root staff  3447 Oct  7 23:43 _command_type.py
-rw-r--r-- 1 root staff  1236 Oct  7 23:43 _help.py
-rw-r--r-- 1 root staff  7832 Oct  7 23:43 _params.py
-rw-r--r-- 1 root staff  4431 Oct  7 23:43 _validators.py
-rw-r--r-- 1 root staff 14423 Oct  7 23:43 custom.py
-rw-r--r-- 1 root staff  6038 Oct  7 23:43 generated.py

See this other setup.py file as an example - https://github.com/Azure/azure-cli/blob/master/src/command_modules/azure-cli-network/setup.py#L51.

[tjprescott]

@derekbekoe you're a genius! Thank you 😄