Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,9 @@
# ------------------------------------
from ._access_control_client import KeyVaultAccessControlClient
from ._internal.client_base import ApiVersion
from ._models import KeyVaultPermission, KeyVaultRoleAssignment, KeyVaultRoleDefinition
from ._models import (
KeyVaultPermission, KeyVaultRoleAssignment, KeyVaultRoleDefinition, KeyVaultRoleScope
)


__all__ = [
Expand All @@ -13,4 +15,5 @@
"KeyVaultPermission",
"KeyVaultRoleAssignment",
"KeyVaultRoleDefinition",
"KeyVaultRoleScope",
]
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
from typing import Any, Union
from uuid import UUID
from azure.core.paging import ItemPaged
from ._models import KeyVaultRoleScope


class KeyVaultAccessControlClient(KeyVaultClientBase):
Expand All @@ -27,10 +28,12 @@ class KeyVaultAccessControlClient(KeyVaultClientBase):

@distributed_trace
def create_role_assignment(self, role_scope, role_assignment_name, role_definition_id, principal_id, **kwargs):
# type: (str, Union[str, UUID], str, str, **Any) -> KeyVaultRoleAssignment
# type: (Union[str, KeyVaultRoleScope], Union[str, UUID], str, str, **Any) -> KeyVaultRoleAssignment
"""Create a role assignment.

:param str role_scope: scope the role assignment will apply over
:param role_scope: scope the role assignment will apply over. :class:`KeyVaultRoleScope` defines common broad
scopes. To list role definitions for a narrower scope, specify it as a string.
:type role_scope: str or KeyVaultRoleScope
:param role_assignment_name: a name for the role assignment. Must be a UUID.
:type role_assignment_name: str or uuid.UUID
:param str role_definition_id: ID of the role's definition
Expand All @@ -54,10 +57,13 @@ def create_role_assignment(self, role_scope, role_assignment_name, role_definiti

@distributed_trace
def delete_role_assignment(self, role_scope, role_assignment_name, **kwargs):
# type: (str, Union[str, UUID], **Any) -> KeyVaultRoleAssignment
# type: (Union[str, KeyVaultRoleScope], Union[str, UUID], **Any) -> KeyVaultRoleAssignment
"""Delete a role assignment.

:param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:param role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:class:`KeyVaultRoleScope` defines common broad scopes. To list role definitions for a narrower scope,
specify it as a string.
Suggested change
:param role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:class:`KeyVaultRoleScope` defines common broad scopes. To list role definitions for a narrower scope,
specify it as a string.
:param role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:class:`KeyVaultRoleScope` defines common broad scopes.

:type role_scope: str or KeyVaultRoleScope
:param role_assignment_name: the assignment's name. Must be a UUID.
:type role_assignment_name: str or uuid.UUID
:returns: the deleted assignment
Expand All @@ -70,10 +76,13 @@ def delete_role_assignment(self, role_scope, role_assignment_name, **kwargs):

@distributed_trace
def get_role_assignment(self, role_scope, role_assignment_name, **kwargs):
# type: (str, Union[str, UUID], **Any) -> KeyVaultRoleAssignment
# type: (Union[str, KeyVaultRoleScope], Union[str, UUID], **Any) -> KeyVaultRoleAssignment
"""Get a role assignment.

:param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:param role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:class:`KeyVaultRoleScope` defines common broad scopes. To list role definitions for a narrower scope,
specify it as a string.
Suggested change
:param role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:class:`KeyVaultRoleScope` defines common broad scopes. To list role definitions for a narrower scope,
specify it as a string.
:param role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:class:`KeyVaultRoleScope` defines common broad scopes. Specify a narrower scope as a string.

:type role_scope: str or KeyVaultRoleScope
:param role_assignment_name: the assignment's name. Must be a UUID.
:type role_assignment_name: str or uuid.UUID
:rtype: KeyVaultRoleAssignment
Expand All @@ -85,10 +94,12 @@ def get_role_assignment(self, role_scope, role_assignment_name, **kwargs):

@distributed_trace
def list_role_assignments(self, role_scope, **kwargs):
# type: (str, **Any) -> ItemPaged[KeyVaultRoleAssignment]
# type: (Union[str, KeyVaultRoleScope], **Any) -> ItemPaged[KeyVaultRoleAssignment]
"""List all role assignments for a scope.

:param str role_scope: scope of the role assignments
:param role_scope: scope of the role assignments. :class:`KeyVaultRoleScope` defines common broad
scopes. To list role definitions for a narrower scope, specify it as a string.
Suggested change
:param role_scope: scope of the role assignments. :class:`KeyVaultRoleScope` defines common broad
scopes. To list role definitions for a narrower scope, specify it as a string.
:param role_scope: scope of the role assignments. :class:`KeyVaultRoleScope` defines common broad
scopes. To list role assignments for a narrower scope, specify it as a string.

:type role_scope: str or KeyVaultRoleScope
:rtype: ~azure.core.paging.ItemPaged[KeyVaultRoleAssignment]
"""
return self._client.role_assignments.list_for_scope(
Expand All @@ -100,10 +111,12 @@ def list_role_assignments(self, role_scope, **kwargs):

@distributed_trace
def list_role_definitions(self, role_scope, **kwargs):
# type: (str, **Any) -> ItemPaged[KeyVaultRoleDefinition]
# type: (Union[str, KeyVaultRoleScope], **Any) -> ItemPaged[KeyVaultRoleDefinition]
"""List all role definitions applicable at and above a scope.

:param str role_scope: scope of the role definitions
:param role_scope: scope of the role definitions. :class:`KeyVaultRoleScope` defines common broad
scopes. To list role definitions for a narrower scope, specify it as a string.
:type role_scope: str or KeyVaultRoleScope
:rtype: ~azure.core.paging.ItemPaged[KeyVaultRoleDefinition]
"""
return self._client.role_definitions.list(
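Review bot: The new `:type role_scope: str or KeyVaultRoleScope` line added to each of the five methods uses a bare class name, while the same docstrings qualify the paging type as `~azure.core.paging.ItemPaged` in `:rtype:`; for Sphinx to resolve the cross-reference the same way, write `:type role_scope: str or ~azure.keyvault.administration.KeyVaultRoleScope`. The same applies to the `:type role_scope:` lines added in the async client. Since `KeyVaultRoleScope` subclasses `str` in the `_models` hunk, the enum member presumably reaches the generated client as its raw scope string without conversion, which is why none of these method bodies changed; a one-line comment next to the new import, `# KeyVaultRoleScope is a str subclass, so members are passed to the generated client as their raw value`, would spare the next reader the lookup. Each method body continues outside its hunk.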
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
# ------------------------------------
from enum import Enum
from typing import TYPE_CHECKING

if TYPE_CHECKING:
Expand All @@ -11,6 +12,14 @@
# pylint:disable=protected-access


class KeyVaultRoleScope(str, Enum):
"""Collection of well known role scopes. This list is not exhaustive"""

global_value = "/" #: use this if you want role assignments to apply to everything on the resource

keys_value = "/keys" #: use this if you want role assignments to apply to all keys


class KeyVaultPermission(object):
"""Role definition permissions.

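Review bot: The enum members `global_value` and `keys_value` break the uppercase convention for enum constants (`GLOBAL`, `KEYS`), and the `_value` suffix repeats what `.value` already provides; as this is public API re-exported from the package `__init__`, the names are hard to change once released. The class docstring lacks a terminating period and could state how the enum relates to the clients' `role_scope` parameter, for example `"""Well-known role scopes. This list is not exhaustive; narrower scopes are passed to the clients as plain strings."""`. The `#:` comment on `global_value` says the scope applies to everything on the resource, so it would help to add that a narrower scope should be preferred where one fits, keeping assignments to least privilege. The class is complete within the hunk; `KeyVaultPermission` begins at its end and continues outside it.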
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
from typing import Any, Union
from uuid import UUID
from azure.core.async_paging import AsyncItemPaged
from .._models import KeyVaultRoleScope


class KeyVaultAccessControlClient(AsyncKeyVaultClientBase):
Expand All @@ -29,15 +30,17 @@ class KeyVaultAccessControlClient(AsyncKeyVaultClientBase):
@distributed_trace_async
async def create_role_assignment(
self,
role_scope: str,
role_scope: "Union[str, KeyVaultRoleScope]",
role_assignment_name: "Union[str, UUID]",
role_definition_id: str,
principal_id: str,
**kwargs: "Any"
) -> KeyVaultRoleAssignment:
"""Create a role assignment.

:param str role_scope: scope the role assignment will apply over
:param role_scope: scope the role assignment will apply over. :class:`KeyVaultRoleScope` defines common broad
scopes. To list role definitions for a narrower scope, specify it as a string.
Suggested change
:param role_scope: scope the role assignment will apply over. :class:`KeyVaultRoleScope` defines common broad
scopes. To list role definitions for a narrower scope, specify it as a string.
:param role_scope: scope the role assignment will apply over. :class:`KeyVaultRoleScope` defines common broad
scopes. Specify a narrower scope as a string.

:type role_scope: str or KeyVaultRoleScope
:param role_assignment_name: a name for the role assignment. Must be a UUID.
:type role_assignment_name: str or uuid.UUID
:param str role_definition_id: ID of the role's definition
Expand All @@ -61,11 +64,14 @@ async def create_role_assignment(

@distributed_trace_async
async def delete_role_assignment(
self, role_scope: str, role_assignment_name: "Union[str, UUID]", **kwargs: "Any"
self, role_scope: "Union[str, KeyVaultRoleScope]", role_assignment_name: "Union[str, UUID]", **kwargs: "Any"
) -> KeyVaultRoleAssignment:
"""Delete a role assignment.

:param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:param role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>".
:class:`KeyVaultRoleScope` defines common broad scopes. To list role definitions for a narrower scope,
specify it as a string.
:type role_scope: str or KeyVaultRoleScope
:param role_assignment_name: the assignment's name. Must be a UUID.
:type role_assignment_name: str or uuid.UUID
:returns: the deleted assignment
Expand All @@ -78,11 +84,14 @@ async def delete_role_assignment(

@distributed_trace_async
async def get_role_assignment(
self, role_scope: str, role_assignment_name: "Union[str, UUID]", **kwargs: "Any"
self, role_scope: "Union[str, KeyVaultRoleScope]", role_assignment_name: "Union[str, UUID]", **kwargs: "Any"
) -> KeyVaultRoleAssignment:
"""Get a role assignment.

:param str role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
:param role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>".
:class:`KeyVaultRoleScope` defines common broad scopes. To list role definitions for a narrower scope,
specify it as a string.
:type role_scope: str or KeyVaultRoleScope
:param role_assignment_name: the assignment's name. Must be a UUID.
:type role_assignment_name: str or uuid.UUID
:rtype: KeyVaultRoleAssignment
Expand All @@ -93,10 +102,14 @@ async def get_role_assignment(
return KeyVaultRoleAssignment._from_generated(assignment)

@distributed_trace
def list_role_assignments(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[KeyVaultRoleAssignment]":
def list_role_assignments(
self, role_scope: "Union[str, KeyVaultRoleScope]", **kwargs: "Any"
) -> "AsyncItemPaged[KeyVaultRoleAssignment]":
"""List all role assignments for a scope.

:param str role_scope: scope of the role assignments
:param role_scope: scope of the role assignments. :class:`KeyVaultRoleScope` defines common broad
scopes. To list role definitions for a narrower scope, specify it as a string.
:type role_scope: str or KeyVaultRoleScope
:rtype: ~azure.core.async_paging.AsyncItemPaged[KeyVaultRoleAssignment]
"""
return self._client.role_assignments.list_for_scope(
Expand All @@ -107,10 +120,14 @@ def list_role_assignments(self, role_scope: str, **kwargs: "Any") -> "AsyncItemP
)

@distributed_trace
def list_role_definitions(self, role_scope: str, **kwargs: "Any") -> "AsyncItemPaged[KeyVaultRoleDefinition]":
def list_role_definitions(
self, role_scope: "Union[str, KeyVaultRoleScope]", **kwargs: "Any"
) -> "AsyncItemPaged[KeyVaultRoleDefinition]":
"""List all role definitions applicable at and above a scope.

:param str role_scope: scope of the role definitions
:param role_scope: scope of the role definitions. :class:`KeyVaultRoleScope` defines common broad
scopes. To list role definitions for a narrower scope, specify it as a string.
:type role_scope: str or KeyVaultRoleScope
:rtype: ~azure.core.async_paging.AsyncItemPaged[KeyVaultRoleDefinition]
"""
return self._client.role_definitions.list(
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
import os
import uuid

from azure.keyvault.administration import KeyVaultAccessControlClient
from azure.keyvault.administration import KeyVaultAccessControlClient, KeyVaultRoleScope
from devtools_testutils import KeyVaultPreparer, ResourceGroupPreparer
import pytest

Expand Down Expand Up @@ -41,7 +41,7 @@ def get_service_principal_id(self):
@KeyVaultPreparer()
@AccessControlClientPreparer()
def test_list_role_definitions(self, client):
definitions = [d for d in client.list_role_definitions("/")]
definitions = [d for d in client.list_role_definitions(KeyVaultRoleScope.global_value)]
assert len(definitions)

for definition in definitions:
Expand All @@ -58,7 +58,7 @@ def test_list_role_definitions(self, client):
@KeyVaultPreparer()
@AccessControlClientPreparer()
def test_role_assignment(self, client):
scope = "/"
scope = KeyVaultRoleScope.global_value
definitions = [d for d in client.list_role_definitions(scope)]

# assign an arbitrary role to the service principal authenticating these requests
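Review bot: Replacing `"/"` with `KeyVaultRoleScope.global_value` in both `test_list_role_definitions` and `test_role_assignment` means the plain-string form of `role_scope`, which the client signatures still accept, is no longer exercised by either test, so a regression confined to the str path would pass. Keeping one call with the literal, e.g. `definitions = [d for d in client.list_role_definitions("/")]` next to the enum call, or parametrizing the scope over both forms, would cover both accepted types. The same applies to the async test file that follows. Both test methods continue outside their hunks.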
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
import os
import uuid

from azure.keyvault.administration import KeyVaultRoleScope
from azure.keyvault.administration.aio import KeyVaultAccessControlClient
from devtools_testutils import KeyVaultPreparer, ResourceGroupPreparer
import pytest
Expand Down Expand Up @@ -42,7 +43,7 @@ def get_service_principal_id(self):
@AccessControlClientPreparer()
async def test_list_role_definitions(self, client):
definitions = []
async for definition in client.list_role_definitions("/"):
async for definition in client.list_role_definitions(KeyVaultRoleScope.global_value):
definitions.append(definition)
assert len(definitions)

Expand All @@ -60,9 +61,9 @@ async def test_list_role_definitions(self, client):
@KeyVaultPreparer()
@AccessControlClientPreparer()
async def test_role_assignment(self, client):
scope = "/"
scope = KeyVaultRoleScope.global_value
definitions = []
async for definition in client.list_role_definitions("/"):
async for definition in client.list_role_definitions(scope):
definitions.append(definition)

# assign an arbitrary role to the service principal authenticating these requests