adding support for backing up and restoring of KeyVault secrets
revising KeyVault backup/restore cmdlets:
    adding support for pipelining
    allowing overwriting of dest file
    using session data store for file operations
Dragos Avadanei committed May 1, 2017
1 parent 94bfbcb commit dec4736
Showing 18 changed files with 957 additions and 58 deletions.
4 changes: 3 additions & 1 deletion src/ResourceManager/KeyVault/AzureRM.KeyVault.psd1
Expand Up @@ -100,7 +100,9 @@ CmdletsToExport = 'Add-AzureKeyVaultCertificate',
'Set-AzureKeyVaultSecretAttribute',
'Get-AzureKeyVaultCertificatePolicy',
'New-AzureKeyVaultCertificateAdministratorDetails',
'New-AzureKeyVaultCertificateOrganizationDetails'
'New-AzureKeyVaultCertificateOrganizationDetails',
'Backup-AzureKeyVaultSecret',
'Restore-AzureKeyVaultSecret'

# Variables to export from this module
# VariablesToExport = @()
Expand Up @@ -408,7 +408,7 @@ function Test-SetRemoveAccessPolicyByUPN
Param($existingVaultName, $rgName, $upn)

$PermToKeys = @("encrypt", "decrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore")
$PermToSecrets = @("get", "list", "set", "delete")
$PermToSecrets = @("get", "list", "set", "delete", "backup", "restore")
$PermToCertificates = @("get", "list", "create", "delete")

$vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -UserPrincipalName $upn -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PermissionsToCertificates $PermToCertificates -PassThru
Expand Down Expand Up @@ -566,7 +566,7 @@ function Test-ModifyAccessPolicy

# Add some perms now
$PermToKeys = @("encrypt", "decrypt", "unwrapKey", "wrapKey", "verify", "sign", "get", "list", "update", "create", "import", "delete", "backup", "restore")
$PermToSecrets = @("get", "list", "set", "delete")
$PermToSecrets = @("get", "list", "set", "delete", "backup", "restore")
$PermToCertificates = @("list", "delete")
$vault = Set-AzureRmKeyVaultAccessPolicy -VaultName $existingVaultName -ResourceGroupName $rgName -ObjectId $objId -PermissionsToKeys $PermToKeys -PermissionsToSecrets $PermToSecrets -PermissionsToCertificates $PermToCertificates -PassThru

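Review bot: The expanded secret permission list `@("get", "list", "set", "delete", "backup", "restore")` is now pasted verbatim into both Test-SetRemoveAccessPolicyByUPN and Test-ModifyAccessPolicy (second hunk), just as the 14-item key list already is; a script-scope constant such as `$script:AllSecretPermissions = @("get", "list", "set", "delete", "backup", "restore")` used by both would keep future permission additions to a single edit. Whatever assertion compares the returned policy against the list lies outside both hunks, so I cannot tell whether it is an exact-set or a subset check; only an exact-set check will catch a permission that the cmdlet fails to apply. Both functions start and end outside the hunks.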
Expand Up @@ -323,11 +323,12 @@ function Run-AllDataPlaneTests
Run-TestProtected { Run-KeyTest {Test_RemoveKeyInNoPermissionVault} "Test_RemoveKeyInNoPermissionVault" } "Test_RemoveKeyInNoPermissionVault"

# Backup-AzureKeyVaultKey and Restore-AzureKeyVaultKey tests.
Run-TestProtected { Run-KeyTest {Test_BackupRestoreKey} "Test_BackupRestoreKey" } "Test_BackupRestoreKey"
Run-TestProtected { Run-KeyTest {Test_BackupNonExisitingKey} "Test_BackupNonExisitingKey" } "Test_BackupNonExisitingKey"
Run-TestProtected { Run-KeyTest {Test_BackupToANamedFile} "Test_BackupToANamedFile" } "Test_BackupToANamedFile"
Run-TestProtected { Run-KeyTest {Test_BackupToExistingFile} "Test_BackupToExistingFile" } "Test_BackupToExistingFile"
Run-TestProtected { Run-KeyTest {Test_RestoreFromNonExistingFile} "Test_RestoreFromNonExistingFile" } "Test_RestoreFromNonExistingFile"
Run-TestProtected { Run-KeyTest {Test_BackupRestoreKeyByName} "Test_BackupRestoreKeyByName" } "Test_BackupRestoreKeyByName"
Run-TestProtected { Run-KeyTest {Test_BackupRestoreKeyByRef} "Test_BackupRestoreKeyByRef" } "Test_BackupRestoreKeyByRef"
Run-TestProtected { Run-KeyTest {Test_BackupNonExistingKey} "Test_BackupNonExistingKey" } "Test_BackupNonExistingKey"
Run-TestProtected { Run-KeyTest {Test_BackupKeyToANamedFile} "Test_BackupKeyToANamedFile" } "Test_BackupKeyToANamedFile"
Run-TestProtected { Run-KeyTest {Test_BackupKeyToExistingFile} "Test_BackupKeyToExistingFile" } "Test_BackupKeyToExistingFile"
Run-TestProtected { Run-KeyTest {Test_RestoreKeyFromNonExistingFile} "Test_RestoreKeyFromNonExistingFile" } "Test_RestoreKeyFromNonExistingFile"

# *-AzureRmKeyVaultKey pipeline tests.
Run-TestProtected { Run-KeyTest {Test_PipelineUpdateKeys} "Test_PipelineUpdateKeys" } "Test_PipelineUpdateKeys"
Expand Down Expand Up @@ -376,7 +377,15 @@ function Run-AllDataPlaneTests
Run-TestProtected { Run-SecretTest {Test_RemoveNonExistSecret} "Test_RemoveNonExistSecret" } "Test_RemoveNonExistSecret"
Run-TestProtected { Run-SecretTest {Test_RemoveSecretInNoPermissionVault} "Test_RemoveSecretInNoPermissionVault" } "Test_RemoveSecretInNoPermissionVault"

# *-AzureRmKeyVaultKey pipeline tests.
# Backup-AzureKeyVaultSecret and Restore-AzureKeyVaultSecret tests.
Run-TestProtected { Run-SecretTest {Test_BackupRestoreSecretByName} "Test_BackupRestoreSecretByName" } "Test_BackupRestoreSecretByName"
Run-TestProtected { Run-SecretTest {Test_BackupRestoreSecretByRef} "Test_BackupRestoreSecretByRef" } "Test_BackupRestoreSecretByRef"
Run-TestProtected { Run-SecretTest {Test_BackupNonExistingSecret} "Test_BackupNonExistingSecret" } "Test_BackupNonExistingSecret"
Run-TestProtected { Run-SecretTest {Test_BackupSecretToANamedFile} "Test_BackupSecretToANamedFile" } "Test_BackupSecretToANamedFile"
Run-TestProtected { Run-SecretTest {Test_BackupSecretToExistingFile} "Test_BackupSecretToExistingFile" } "Test_BackupSecretToExistingFile"
Run-TestProtected { Run-SecretTest {Test_RestoreSecretFromNonExistingFile} "Test_RestoreSecretFromNonExistingFile" } "Test_RestoreSecretFromNonExistingFile"

# *-AzureRmKeyVaultSecret pipeline tests.
Run-TestProtected { Run-SecretTest {Test_PipelineUpdateSecrets} "Test_PipelineUpdateSecrets" } "Test_PipelineUpdateSecrets"
Run-TestProtected { Run-SecretTest {Test_PipelineUpdateSecretAttributes} "Test_PipelineUpdateSecretAttributes" } "Test_PipelineUpdateSecretAttributes"
Run-TestProtected { Run-SecretTest {Test_PipelineUpdateSecretVersions} "Test_PipelineUpdateSecretVersions" } "Test_PipelineUpdateSecretVersions"
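Review bot: The new comment `# *-AzureRmKeyVaultSecret pipeline tests.` uses the AzureRm prefix, but the secret cmdlets this runner drives (Set-AzureKeyVaultSecret, Backup-AzureKeyVaultSecret, Restore-AzureKeyVaultSecret) carry the AzureKeyVault prefix, as the comment added eight lines above it already does; suggest `# *-AzureKeyVaultSecret pipeline tests.`. The pre-existing key-side comment `# *-AzureRmKeyVaultKey pipeline tests.` in the first hunk has the same mismatch but is unchanged context. Run-AllDataPlaneTests starts and ends outside both hunks.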
Expand Up @@ -838,9 +838,9 @@ function Test_RemoveKeyInNoPermissionVault

<#
.SYNOPSIS
Tests backup and restore a key
Tests backup and restore a key by name
#>
function Test_BackupRestoreKey
function Test_BackupRestoreKeyByName
{
$keyVault = Get-KeyVault
$keyname=Get-KeyName 'backuprestore'
Expand All @@ -858,9 +858,27 @@ function Test_BackupRestoreKey

<#
.SYNOPSIS
Tests backup a none existing key
Tests backup and restore a key by object
#>
function Test_BackupNonExisitingKey
function Test_BackupRestoreKeyByRef
{
$keyVault = Get-KeyVault
$keyname=Get-KeyName 'backuprestore'
$key=Add-AzureKeyVaultKey -VaultName $keyVault -Name $keyname -Destination 'Software'
Assert-NotNull $key
$global:createdKeys += $keyname

$backupblob = Backup-AzureKeyVaultKey -Key $key
Remove-AzureKeyVaultKey -VaultName $keyVault -Name $keyname -Force -Confirm:$false
$restoredKey = Restore-AzureKeyVaultKey -VaultName $keyVault -InputFile $backupblob
Assert-KeyAttributes $restoredKey.Attributes 'RSA' $true $null $null $null
}

<#
.SYNOPSIS
Tests backup a non-existing key
#>
function Test_BackupNonExistingKey
{
$keyVault = Get-KeyVault
$keyname=Get-KeyName 'backupnonexisting'
Expand All @@ -872,7 +890,7 @@ function Test_BackupNonExisitingKey
.SYNOPSIS
Tests backup a key to a specific file and be able to restore
#>
function Test_BackupToANamedFile
function Test_BackupKeyToANamedFile
{
$keyVault = Get-KeyVault
$keyname=Get-KeyName 'backupnamedfile'
Expand All @@ -894,7 +912,7 @@ function Test_BackupToANamedFile
.SYNOPSIS
Tests backup a key to a specific file which exists
#>
function Test_BackupToExistingFile
function Test_BackupKeyToExistingFile
{
$keyVault = Get-KeyVault
$keyname=Get-KeyName 'backupexistingfile'
Expand All @@ -905,15 +923,15 @@ function Test_BackupToExistingFile
$backupfile='.\backup' + ([GUID]::NewGuid()).GUID.ToString() + '.blob'

Backup-AzureKeyVaultKey -VaultName $keyVault -KeyName $keyname -OutputFile $backupfile
Assert-Throws { Backup-AzureKeyVaultKey -VaultName $keyVault -KeyName $keyname -OutputFile $backupfile }
Backup-AzureKeyVaultKey -VaultName $keyVault -KeyName $keyname -OutputFile $backupfile -Force -Confirm:$false
}


<#
.SYNOPSIS
Tests restore a key from a none existing file
#>
function Test_RestoreFromNonExistingFile
function Test_RestoreKeyFromNonExistingFile
{
$keyVault = Get-KeyVault

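Review bot: Test_BackupKeyToExistingFile no longer asserts anything about an unforced overwrite: the `Assert-Throws` that wrapped the second Backup-AzureKeyVaultKey call was replaced by a call carrying `-Force -Confirm:$false`, so the test now only proves that a forced overwrite succeeds and nothing verifies that an existing backup file is protected when -Force is absent. Keep the negative case next to the forced one, e.g. `Assert-Throws { Backup-AzureKeyVaultKey -VaultName $keyVault -KeyName $keyname -OutputFile $backupfile }` before the forced call, if the cmdlet errors on an existing file without -Force; if it instead prompts through ShouldContinue, the harness's confirmation handling decides the outcome, so confirm which behaviour the cmdlet has. The same gap is in Test_BackupSecretToExistingFile in the secret test file, whose second call is likewise only the forced one. Test_BackupKeyToExistingFile continues outside the hunk.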
Expand Up @@ -656,6 +656,109 @@ function Test_RemoveSecretInNoPermissionVault
Assert-Throws {Remove-AzureKeyVaultSecret -VaultName $keyVault -Name $secretname -Force -Confirm:$false}
}

<#
.SYNOPSIS
Tests backup and restoring of a secret by name
#>
function Test_BackupRestoreSecretByName
{
$keyVault = Get-KeyVault
$name=Get-SecretName 'backuprestore'
$secret=Set-AzureKeyVaultSecret -VaultName $keyVault -Name $name -SecretValue $securedata
Assert-NotNull $secret
$global:createdSecrets += $name

$backupblob = Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name
Remove-AzureKeyVaultSecret -VaultName $keyVault -Name $name -Force -Confirm:$false
$restoredSecret = Restore-AzureKeyVaultSecret -VaultName $keyVault -InputFile $backupblob

$retrievedSecret = Get-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name
Assert-AreEqual $retrievedSecret.SecretValueText $data
}

<#
.SYNOPSIS
Tests backup and restoring of a secret by object
#>
function Test_BackupRestoreSecretByRef
{
$keyVault = Get-KeyVault
$name=Get-SecretName 'backuprestore'
$secret=Set-AzureKeyVaultSecret -VaultName $keyVault -Name $name -SecretValue $securedata
Assert-NotNull $secret
$global:createdSecrets += $name

$backupblob = Backup-AzureKeyVaultSecret -Secret $secret
Remove-AzureKeyVaultSecret -VaultName $keyVault -Name $name -Force -Confirm:$false
$restoredSecret = Restore-AzureKeyVaultSecret -VaultName $keyVault -InputFile $backupblob

$retrievedSecret = Get-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name
Assert-AreEqual $retrievedSecret.SecretValueText $data
}

<#
.SYNOPSIS
Tests backup of a non-existing secret
#>
function Test_BackupNonExistingSecret
{
$keyVault = Get-KeyVault
$name=Get-SecretName 'backupnonexisting'

Assert-Throws { Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name }
}

<#
.SYNOPSIS
Tests backup of a secret to a specific file and ability to restore
#>
function Test_BackupSecretToANamedFile
{
$keyVault = Get-KeyVault
$name=Get-SecretName 'backupnamedfile'
$secret=Set-AzureKeyVaultSecret -VaultName $keyVault -Name $name -SecretValue $securedata
Assert-NotNull $secret
$global:createdSecrets += $name

$backupfile='.\backup' + ([GUID]::NewGuid()).GUID.ToString() + '.blob'

Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name -OutputFile $backupfile
Remove-AzureKeyVaultSecret -VaultName $keyVault -Name $name -Force -Confirm:$false
$restoredSecret = Restore-AzureKeyVaultSecret -VaultName $keyVault -InputFile $backupfile

$retrievedSecret = Get-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name
Assert-AreEqual $retrievedSecret.SecretValueText $data
}

<#
.SYNOPSIS
Tests backup of a key to a specific, existing file
#>
function Test_BackupSecretToExistingFile
{
$keyVault = Get-KeyVault
$name=Get-SecretName 'backupexistingfile'
$secret=Set-AzureKeyVaultSecret -VaultName $keyVault -Name $name -SecretValue $securedata
Assert-NotNull $secret
$global:createdSecrets += $name

$backupfile='.\backup' + ([GUID]::NewGuid()).GUID.ToString() + '.blob'
Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name -OutputFile $backupfile
Backup-AzureKeyVaultSecret -VaultName $keyVault -SecretName $name -OutputFile $backupfile -Force -Confirm:$false
}


<#
.SYNOPSIS
Tests restoring a secret from a non-existing file
#>
function Test_RestoreSecretFromNonExistingFile
{
$keyVault = Get-KeyVault

Assert-Throws { Restore-AzureKeyVaultSecret -VaultName $keyVault -InputFile c:\nonexisting.blob }
}

<#
.SYNOPSIS
Tests pipeline commands to update values of multiple secrets
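Review bot: The synopsis of Test_BackupSecretToExistingFile reads "Tests backup of a key to a specific, existing file" although the function backs up a secret; suggest `Tests backup of a secret to a specific, existing file`. In Test_BackupRestoreSecretByName, Test_BackupRestoreSecretByRef and Test_BackupSecretToANamedFile the value returned by Restore-AzureKeyVaultSecret is stored in `$restoredSecret` but never checked; an `Assert-NotNull $restoredSecret` (or comparing `$restoredSecret.Name` with `$name`) before the Get-AzureKeyVaultSecret round trip would fail at the restore step rather than at the later lookup. None of the new tests removes the backup file it writes (`$backupfile`, and presumably `$backupblob`, since it is passed to -InputFile), so blobs accumulate in the working directory between runs; a `finally { Remove-Item -Path $backupfile -ErrorAction SilentlyContinue }` would keep the fixtures clean. The hunk's functions are fully inside SOURCE.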
Expand Up @@ -52,6 +52,8 @@
</PropertyGroup>
<ItemGroup>
<Compile Include="Commands\AddAzureKeyVaultCertificate.cs" />
<Compile Include="Commands\BackupAzureKeyVaultSecret.cs" />
<Compile Include="Commands\RestoreAzureKeyVaultSecret.cs" />
<Compile Include="Commands\SetAzureKeyVaultCertificateAttribute.cs" />
<Compile Include="Commands\StopAzureKeyVaultCertificateOperation.cs" />
<Compile Include="Commands\GetAzureKeyVaultCertificateOperation.cs" />
Expand Down Expand Up @@ -261,6 +263,10 @@
<Project>{3819d8a7-c62c-4c47-8ddd-0332d9ce1252}</Project>
<Name>Commands.ResourceManager.Common</Name>
</ProjectReference>
<ProjectReference Include="..\..\Profile\Commands.Profile\Commands.Profile.csproj">
<Project>{142d7b0b-388a-4ceb-a228-7f6d423c5c2e}</Project>
<Name>Commands.Profile</Name>
</ProjectReference>
<ProjectReference Include="..\..\Resources\Commands.Resources\Commands.Resources.csproj">
<Project>{e1f5201d-6067-430e-b303-4e367652991b}</Project>
<Name>Commands.Resources</Name>
