Azure disk encryption updates

src/ResourceManager/Compute/Commands.Compute.Test/ScenarioTests/VirtualMachineExtensionTests.ps1

@@ -923,15 +923,15 @@ function Test-AzureDiskEncryptionExtension
 {
     # This test should be run in Live mode only not in Playback mode
 	#Pre-requisites to be filled in before running this test. The AAD app should belong to the directory as the user running the test.
-    $aadClientID = "";
-	$aadClientSecret = "";
-	#Fill in VM admin user and password
-	$adminUser = "";
-	$adminPassword = "";
-
+	$aadAppName = "detestaadapp";
+
 	#Resource group variables
-	$rgName = "detestrg";
-	$loc = "South Central US";
+	$rgName = Get-ComputeTestResourceName;
+	$loc = Get-ComputeVMLocation;
+
+	#Fill in VM admin user and password
+	$adminUser = "Foo12";
+	$adminPassword = "BaR@123" + $rgName;
 
 	#KeyVault config variables
 	$vaultName = "detestvault";
@@ -951,30 +951,54 @@ function Test-AzureDiskEncryptionExtension
     $osDiskName = 'osdisk' + $vmName;
 	$dataDiskName = 'datadisk' + $vmName;
     $osDiskCaching = 'ReadWrite';
+	$extraDataDiskName1 = $dataDiskName + '1';
+	$extraDataDiskName2 = $dataDiskName + '2';
 
 	#Network config variables
 	$vnetName = "detestvnet";
 	$subnetName = "detestsubnet";
 	$publicIpName = 'pubip' + $vmName;
 	$nicName = 'nic' + $vmName;
-
-
+
 	#Disk encryption variables
 	$keyEncryptionAlgorithm = "RSA-OAEP";
 	$volumeType = "All";
 
     try
     {
-        Login-AzureRmAccount;
-        # Create new resource group      
-        New-AzureRmResourceGroup -Name $rgname -Location $loc -Force;
+        # Create new resource group
+        New-AzureRmResourceGroup -Name $rgName -Location $loc -Force;
+
+		#Check if AAD app was already created
+		$SvcPrincipals = (Get-AzureRmADServicePrincipal -SearchString $aadAppName);
+		if(-not $SvcPrincipals)
+		{
+			# Create a new AD application if not created before
+			$identifierUri = [string]::Format("http://localhost:8080/{0}", $rgname);
+			$defaultHomePage = 'http://contoso.com';
+			$now = [System.DateTime]::Now;
+			$oneYearFromNow = $now.AddYears(1);
+			$aadClientSecret = Get-ResourceName;
+			$ADApp = New-AzureRmADApplication -DisplayName $aadAppName -HomePage $defaultHomePage -IdentifierUris $identifierUri  -StartDate $now -EndDate $oneYearFromNow -Password $aadClientSecret;
+			Assert-NotNull $ADApp;
+			$servicePrincipal = New-AzureRmADServicePrincipal -ApplicationId $ADApp.ApplicationId;
+			$SvcPrincipals = (Get-AzureRmADServicePrincipal -SearchString $aadAppName);
+			# Was AAD app created?
+			Assert-NotNull $SvcPrincipals;
+			$aadClientID = $servicePrincipal.ApplicationId;
+		}
+		else
+		{
+			# Was AAD app already created?
+			Assert-NotNull $aadClientSecret;
+			$aadClientID = $SvcPrincipals[0].ApplicationId;
+		}
 
 		# Create new KeyVault
 		$keyVault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgname -Location $loc -Sku standard;
 		$keyVault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rgname
 		#set enabledForDiskEncryption
-        Write-Host 'Press go to https://resources.azure.com and set enabledForDiskEncryption flag on KeyVault. [ENTER] to continue or [CTRL-C] to abort...'
-        Read-Host
+        Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rgname -EnabledForDiskEncryption;
 		#set permissions to AAD app to write secrets and keys
 		Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $aadClientID -PermissionsToKeys all -PermissionsToSecrets all 
 		#create a key in KeyVault to use as Kek
@@ -1019,17 +1043,69 @@ function Test-AzureDiskEncryptionExtension
 
         $p = Set-AzureRmVMOperatingSystem -VM $p -Windows -ComputerName $computerName -Credential $cred -ProvisionVMAgent;
         $p = Set-AzureRmVMSourceImage -VM $p -PublisherName $imagePublisher -Offer $imageOffer -Skus $imageSku -Version "latest";
-
-
+
         # Virtual Machine
         New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $p;
 
 		#Enable encryption on the VM
         Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -Force;
         #Get encryption status
         $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+		#Verify encryption is enabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $true;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $true;
+		#verify diskencryption keyvault url & kek url are not null
+		Assert-NotNull $OsVolumeEncryptionSettings;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault;
+
+		#Add a couple of data volumes to encrypt them
+        $p = Add-AzureRmVMDataDisk -VM $p -Name $extraDataDiskName1 -Caching 'ReadOnly' -DiskSizeInGB 2 -Lun 1 -VhdUri $dataDiskVhdUri -CreateOption Empty;
+        $p = Add-AzureRmVMDataDisk -VM $p -Name $extraDataDiskName2 -Caching 'ReadOnly' -DiskSizeInGB 2 -Lun 1 -VhdUri $dataDiskVhdUri -CreateOption Empty;
+		#Enable encryption on the VM
+        Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -Force;
+        #Get encryption status
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+		#Verify encryption is enabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $true;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $true;
+		#verify diskencryption keyvault url & kek url are not null
+		Assert-NotNull $OsVolumeEncryptionSettings;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault;
+
+		#Disable encryption on the VM
+		Disable-AzureRmVMDiskEncryption -ResourceGroupName $rgname -VMName $vmName;
+		#Get encryption status
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $p.StorageProfile.OSDisk.Name;
+		#Verify encryption is disabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $false;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $false;
+
         #Remove AzureDiskEncryption extension
         Remove-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName;
+        #Get encryption status again to make sure it's the same as before when the extension was installed
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+		#Verify encryption is disabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $false;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $false;
+
+		#Enable encryption on the VM
+        Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rgname -VMName $vmName -AadClientID $aadClientID -AadClientSecret $aadClientSecret -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $keyVaultResourceId -KeyEncryptionKeyUrl $keyEncryptionKeyUrl -KeyEncryptionKeyVaultId $keyVaultResourceId -Force;
+        #Get encryption status
+        $encryptionStatus = Get-AzureRmVmDiskEncryptionStatus -ResourceGroupName $rgname -VMName $vmName;
+		#Verify encryption is enabled on OS volume and data volumes
+		$OsVolumeEncryptionSettings = $encryptionStatus.OsVolumeEncryptionSettings;
+		Assert-AreEqual $encryptionStatus.OsVolumeEncrypted $true;
+		Assert-AreEqual $encryptionStatus.DataVolumesEncrypted $true;
+		#verify diskencryption keyvault url & kek url are not null
+		Assert-NotNull $OsVolumeEncryptionSettings;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl;
+		Assert-NotNull $OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault;
 
         #Remove the VM 
         Remove-AzureRmVm -ResourceGroupName $rgname -Name $vmName -Force;
@@ -1041,12 +1117,12 @@ function Test-AzureDiskEncryptionExtension
         $p = Set-AzureRmVMOSDisk -VM $p -Name $p.StorageProfile.OSDisk.Name -VhdUri $p.StorageProfile.OSDisk.Vhd.Uri -Caching ReadWrite -CreateOption attach -DiskEncryptionKeyUrl $encryptionStatus.OsVolumeEncryptionSettings.DiskEncryptionKey.SecretUrl -DiskEncryptionKeyVaultId $encryptionStatus.OsVolumeEncryptionSettings.DiskEncryptionKey.SourceVault.Id -Windows;
 
         New-AzureRmVM -ResourceGroupName $rgname -Location $loc -VM $p;
-
     }
     finally
     {
         # Cleanup
-        Remove-AzureRmResourceGroup -Name $rgname -Force;
+        Clean-ResourceGroup $rgname;
+		#Remove-AzureRmADApplication -ApplicationObjectId $ADApp.ApplicationId -Force;
     }
 }
 

src/ResourceManager/Compute/Commands.Compute/Commands.Compute.csproj

@@ -218,9 +218,11 @@
     <Compile Include="Extension\AEM\RemoveAzureRmVMAEMExtension.cs" />
     <Compile Include="Extension\AEM\SetAzureRmVMAEMExtension.cs" />
     <Compile Include="Extension\AEM\TestAzureRmVMAEMExtension.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionConstants.cs" />
     <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionContext.cs" />
     <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionProtectedSettings.cs" />
     <Compile Include="Extension\AzureDiskEncryption\AzureDiskEncryptionExtensionPublicSettings.cs" />
+    <Compile Include="Extension\AzureDiskEncryption\DisableAzureDiskEncryption.cs" />
     <Compile Include="Extension\AzureDiskEncryption\GetAzureDiskEncryptionStatus.cs" />
     <Compile Include="Extension\AzureDiskEncryption\RemoveAzureDiskEncryptionExtension.cs" />
     <Compile Include="Extension\AzureDiskEncryption\SetAzureDiskEncryptionExtension.cs" />

src/ResourceManager/Compute/Commands.Compute/Common/ConstantStringTypes.cs

@@ -126,6 +126,7 @@ public static class ProfileNouns
         //AzureDiskEncryption
         public const string AzureDiskEncryptionExtension = "AzureRmVMDiskEncryptionExtension";
         public const string AzureDiskEncryptionStatus = "AzureRmVMDiskEncryptionStatus";
+        public const string AzureDiskEncryption = "AzureRmVMDiskEncryption";
 
         //AzureVMBackup
         public const string AzureVMBackup = "AzureRmVMBackup";

src/ResourceManager/Compute/Commands.Compute/Extension/AzureDiskEncryption/AzureDiskEncryptionExtensionConstants.cs

@@ -0,0 +1,39 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+namespace Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption
+{
+    /// <summary>
+    /// This class includes contant values used in AzureDiskEncryption
+    /// </summary>
+    public static class AzureDiskEncryptionExtensionConstants
+    {
+        public const string aadClientCertParameterSet = "AAD Client Cert Parameters";
+        public const string aadClientSecretParameterSet = "AAD Client Secret Parameters";
+        public const string enableEncryptionOperation = "EnableEncryption";
+        public const string disableEncryptionOperation = "DisableEncryption";
+        public const string aadClientIDKey = "AADClientID";
+        public const string aadClientSecretKey = "AADClientSecret";
+        public const string aadClientCertThumbprintKey = "AADClientCertThumbprint";
+        public const string keyVaultUrlKey = "KeyVaultURL";
+        public const string keyEncryptionKeyUrlKey = "KeyEncryptionKeyURL";
+        public const string keyEncryptionAlgorithmKey = "KeyEncryptionAlgorithm";
+        public const string volumeTypeKey = "VolumeType";
+        public const string encryptionOperationKey = "EncryptionOperation";
+        public const string sequenceVersionKey = "SequenceVersion";
+        public const string passphraseKey = "Passphrase";
+        public const string osTypeLinux = "Linux";
+        public const string osTypeWindows = "Windows";
+    }
+}

src/ResourceManager/Compute/Commands.Compute/Extension/AzureDiskEncryption/AzureDiskEncryptionExtensionContext.cs

@@ -12,9 +12,9 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
 
+using Microsoft.Azure.Commands.Compute.Models;
 using Newtonsoft.Json;
 using System.Security;
-using Microsoft.Azure.Commands.Compute.Models;
 
 namespace Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption
 {
@@ -28,8 +28,11 @@ public class AzureDiskEncryptionExtensionContext : PSVirtualMachineExtension
         public const string LinuxExtensionDefaultVersion = "0.1";
 
         public const string ExtensionDefaultPublisher = "Microsoft.Azure.Security";
-        public const string ExtensionDefaultName = "AzureDiskEncryption";
-        public const string ExtensionDefaultVersion = "1.0";
+        // TODO: Uncomment these and remove ADETest/version strings once testing is completed
+        //public const string ExtensionDefaultName = "AzureDiskEncryption";
+        public const string ExtensionDefaultName = "ADETest";
+        //public const string ExtensionDefaultVersion = "1.0";
+        public const string ExtensionDefaultVersion = "1.4";
         public const string VolumeTypeOS = "OS";
         public const string VolumeTypeData = "Data";
         public const string VolumeTypeAll = "All";
@@ -44,7 +47,8 @@ public class AzureDiskEncryptionExtensionContext : PSVirtualMachineExtension
         public string VolumeType { get; set; }
         public string AadClientCertThumbprint { get; set; }
         public string SequenceVersion { get; set; }
-        public SecureString Passphrase { get; set; } 
+        public string EncryptionOperation { get; set; }
+        public SecureString Passphrase { get; set; }
 
         private static SecureString ConvertStringToSecureString(string str)
         {
@@ -74,6 +78,7 @@ private void InitializeAzureDiskEncryptionMembers(PSVirtualMachineExtension psEx
             VolumeType = (publicSettings == null) ? null : publicSettings.VolumeType;
             AadClientCertThumbprint = (publicSettings == null) ? null : publicSettings.AadClientCertThumbprint;
             SequenceVersion = (publicSettings == null) ? null : publicSettings.SequenceVersion;
+            EncryptionOperation = (publicSettings == null) ? null : publicSettings.EncryptionOperation;
             AadClientSecret = (protectedSettings == null) ? null : ConvertStringToSecureString(protectedSettings.AadClientSecret);
             Passphrase = (protectedSettings == null) ? null : ConvertStringToSecureString(protectedSettings.Passphrase);
         }

src/ResourceManager/Compute/Commands.Compute/Extension/AzureDiskEncryption/AzureDiskEncryptionExtensionPublicSettings.cs

@@ -24,5 +24,6 @@ public class AzureDiskEncryptionExtensionPublicSettings
         public string VolumeType { get; set; }
         public string AadClientCertThumbprint { get; set; }
         public string SequenceVersion { get; set; }
+        public string EncryptionOperation { get; set; }
     }
 }