[KeyVault] - Fix sovereign cloud tests (#18350)

maorleger · web-flow · commit 34ba5441dba8 · 2021-10-27T10:53:06.000-07:00
## What - Suppress key rotation tests in sovereign clouds - Ensure AZURE_AUTHORITY_HOST env var is passed to the credential in tests - Suppress premium SKU tests when KV is not premium ## Why These are added to support sovereign cloud testing. The first is a must for us as key rotation is simply not available in all clouds yet as a preview feature. We still want to test this feature in public cloud though so suppressing it in government clouds is a reasonable approach. The second is necessary to authenticate correctly in different authorities. Finally, the third is a must as premium SKU is not available everywhere. Fixes #18142 Partially Fixes #18267 Fixes #18189
diff --git a/sdk/keyvault/keyvault-admin/test/utils/authentication.ts b/sdk/keyvault/keyvault-admin/test/utils/authentication.ts
@@ -2,7 +2,7 @@
 // Licensed under the MIT license.
 
 import { ClientSecretCredential } from "@azure/identity";
-import { isPlaybackMode, record, RecorderEnvironmentSetup } from "@azure-tools/test-recorder";
+import { env, isPlaybackMode, record, RecorderEnvironmentSetup } from "@azure-tools/test-recorder";
 import { KeyClient } from "@azure/keyvault-keys";
 import { v4 as uuidv4 } from "uuid";
 
@@ -61,7 +61,10 @@ export async function authenticate(that: any): Promise<any> {
   const credential = new ClientSecretCredential(
     getEnvironmentVariable("AZURE_TENANT_ID"),
     getEnvironmentVariable("AZURE_CLIENT_ID"),
-    getEnvironmentVariable("AZURE_CLIENT_SECRET")
+    getEnvironmentVariable("AZURE_CLIENT_SECRET"),
+    {
+      authorityHost: env.AZURE_AUTHORITY_HOST // undefined by default is expected
+    }
   );
 
   const keyVaultHsmUrl = getEnvironmentVariable("AZURE_MANAGEDHSM_URI");
diff --git a/sdk/keyvault/keyvault-certificates/karma.conf.js b/sdk/keyvault/keyvault-certificates/karma.conf.js
@@ -46,7 +46,8 @@ module.exports = function(config) {
       "AZURE_CLIENT_SECRET",
       "AZURE_TENANT_ID",
       "KEYVAULT_URI",
-      "TEST_MODE"
+      "TEST_MODE",
+      "AZURE_AUTHORITY_HOST"
     ],
 
     reporters: ["mocha", "coverage", "junit", "json-to-file"],
diff --git a/sdk/keyvault/keyvault-certificates/test/utils/testAuthentication.ts b/sdk/keyvault/keyvault-certificates/test/utils/testAuthentication.ts
@@ -31,10 +31,13 @@ export async function authenticate(that: Context): Promise<any> {
     queryParametersToSkip: []
   };
   const recorder = record(that, recorderEnvSetup);
-  const credential = await new ClientSecretCredential(
+  const credential = new ClientSecretCredential(
     env.AZURE_TENANT_ID,
     env.AZURE_CLIENT_ID,
-    env.AZURE_CLIENT_SECRET
+    env.AZURE_CLIENT_SECRET,
+    {
+      authorityHost: env.AZURE_AUTHORITY_HOST
+    }
   );
 
   const keyVaultUrl = env.KEYVAULT_URI;
diff --git a/sdk/keyvault/keyvault-keys/karma.conf.js b/sdk/keyvault/keyvault-keys/karma.conf.js
@@ -49,7 +49,8 @@ module.exports = function(config) {
       "KEYVAULT_URI",
       "AZURE_MANAGEDHSM_URI",
       "AZURE_KEYVAULT_ATTESTATION_URI",
-      "TEST_MODE"
+      "TEST_MODE",
+      "AZURE_AUTHORITY_HOST"
     ],
 
     reporters: ["mocha", "coverage", "junit", "json-to-file"],
diff --git a/sdk/keyvault/keyvault-keys/test/public/crypto.spec.ts b/sdk/keyvault/keyvault-keys/test/public/crypto.spec.ts
@@ -190,6 +190,12 @@ describe("CryptographyClient (all decrypts happen remotely)", () => {
 
   describe("RSA-HSM keys", () => {
     beforeEach(async function(this: Context) {
+      if (isLiveMode() && env.KEYVAULT_SKU !== "premium") {
+        // RSA-HSM keys are only available in the premium KeyVault SKU which is not
+        // available in all clouds.
+        this.skip();
+      }
+
       const authentication = await authenticate(this, getServiceVersion());
       client = authentication.client;
       recorder = authentication.recorder;
@@ -205,7 +211,7 @@ describe("CryptographyClient (all decrypts happen remotely)", () => {
       if (!this.currentTest?.isPending()) {
         await testClient.flushKey(keyName);
       }
-      await recorder.stop();
+      await recorder?.stop();
     });
 
     it("encrypt & decrypt with an RSA-HSM key and the RSA-OAEP algorithm", async function(this: Context) {
diff --git a/sdk/keyvault/keyvault-keys/test/public/keyClient.spec.ts b/sdk/keyvault/keyvault-keys/test/public/keyClient.spec.ts
@@ -3,19 +3,26 @@
 
 import chai, { assert } from "chai";
 import chaiExclude from "chai-exclude";
+import chaiAsPromised from "chai-as-promised";
 chai.use(chaiExclude);
+chai.use(chaiAsPromised);
 import { Context } from "mocha";
 import { RestError } from "@azure/core-http";
 import { AbortController } from "@azure/abort-controller";
-import { env, Recorder } from "@azure-tools/test-recorder";
+import { env, isPlaybackMode, isRecordMode, Recorder } from "@azure-tools/test-recorder";
 
 import {
   KeyClient,
   CreateEcKeyOptions,
   UpdateKeyPropertiesOptions,
   GetKeyOptions
 } from "../../src";
-import { assertThrowsAbortError, getServiceVersion, onVersions } from "../utils/utils.common";
+import {
+  assertThrowsAbortError,
+  getServiceVersion,
+  isPublicCloud,
+  onVersions
+} from "../utils/utils.common";
 import { testPollerProperties } from "../utils/recorderUtils";
 import { authenticate } from "../utils/testAuthentication";
 import TestClient from "../utils/testClient";
@@ -401,132 +408,136 @@ describe("Keys client - create, read, update and delete operations", () => {
   });
 
   onVersions({ minVer: "7.3-preview" }).describe("key rotation", () => {
-    it("rotateKey supports rotating a key", async () => {
-      const keyName = recorder.getUniqueName("keyrotate");
-      const key = await client.createKey(keyName, "RSA");
-      const rotatedKey = await client.rotateKey(keyName);
-
-      // The rotated key should have mostly the same data, excluding properties that are rotated.
-      assert.deepEqualExcludingEvery(rotatedKey, key, ["id", "kid", "version", "n", "e"] as any);
-
-      // A new version is created, and the key material is rotated (RSA key, check n and e).
-      assert.notEqual(rotatedKey.id, key.id);
-      assert.notEqual(rotatedKey.properties.version, key.properties.version);
-      assert.notDeepEqual(rotatedKey.key?.n, key.key?.n);
-    });
-
-    it("rotateKey supports tracing", async () => {
-      const keyName = recorder.getUniqueName("keyrotatetracing");
-      const key = await client.createKey(keyName, "RSA");
+    if (isPublicCloud() || isRecordMode() || isPlaybackMode()) {
+      // Key Rotation is a preview feature that is not supported in all clouds yet.
+      // Once 7.3 GAs we should be able to run this unconditionally.
+      it("rotateKey supports rotating a key", async () => {
+        const keyName = recorder.getUniqueName("keyrotate");
+        const key = await client.createKey(keyName, "RSA");
+        const rotatedKey = await client.rotateKey(keyName);
+
+        // The rotated key should have mostly the same data, excluding properties that are rotated.
+        assert.deepEqualExcludingEvery(rotatedKey, key, ["id", "kid", "version", "n", "e"] as any);
+
+        // A new version is created, and the key material is rotated (RSA key, check n and e).
+        assert.notEqual(rotatedKey.id, key.id);
+        assert.notEqual(rotatedKey.properties.version, key.properties.version);
+        assert.notDeepEqual(rotatedKey.key?.n, key.key?.n);
+      });
 
-      await supportsTracing((tracingOptions) => client.rotateKey(key.name, { tracingOptions }), [
-        "Azure.KeyVault.Keys.KeyClient.rotateKey"
-      ]);
-    });
+      it("rotateKey supports tracing", async () => {
+        const keyName = recorder.getUniqueName("keyrotatetracing");
+        const key = await client.createKey(keyName, "RSA");
 
-    it("updateKeyRotationPolicy supports creating a new rotation policy and fetching it", async () => {
-      const keyName = recorder.getUniqueName("keyrotationpolicy");
-      const key = await client.createKey(keyName, "RSA");
-
-      const rotationPolicy = await client.updateKeyRotationPolicy(key.name, {
-        expiresIn: "P90D",
-        lifetimeActions: [
-          {
-            action: "Rotate",
-            timeBeforeExpiry: "P30D"
-          }
-        ]
+        await supportsTracing((tracingOptions) => client.rotateKey(key.name, { tracingOptions }), [
+          "Azure.KeyVault.Keys.KeyClient.rotateKey"
+        ]);
       });
 
-      const fetchedPolicy = await client.getKeyRotationPolicy(keyName);
+      it("updateKeyRotationPolicy supports creating a new rotation policy and fetching it", async () => {
+        const keyName = recorder.getUniqueName("keyrotationpolicy");
+        const key = await client.createKey(keyName, "RSA");
 
-      assert.deepEqual(fetchedPolicy, rotationPolicy);
-    });
+        const rotationPolicy = await client.updateKeyRotationPolicy(key.name, {
+          expiresIn: "P90D",
+          lifetimeActions: [
+            {
+              action: "Rotate",
+              timeBeforeExpiry: "P30D"
+            }
+          ]
+        });
 
-    it("updateKeyRotationPolicy supports updating an existing policy", async () => {
-      const keyName = recorder.getUniqueName("keyrotationpolicy");
-      const key = await client.createKey(keyName, "RSA");
-
-      // Create a policy which we will override later.
-      await client.updateKeyRotationPolicy(key.name, {
-        lifetimeActions: [
-          {
-            action: "Rotate",
-            timeAfterCreate: "P2M"
-          }
-        ]
-      });
+        const fetchedPolicy = await client.getKeyRotationPolicy(keyName);
 
-      const updatedPolicy = await client.updateKeyRotationPolicy(key.name, {
-        expiresIn: "P90D",
-        lifetimeActions: [
-          {
-            action: "Notify",
-            timeBeforeExpiry: "P30D"
-          }
-        ]
+        assert.deepEqual(fetchedPolicy, rotationPolicy);
       });
 
-      assert.deepEqual(updatedPolicy, {
-        id: updatedPolicy.id,
-        createdOn: updatedPolicy.createdOn,
-        updatedOn: updatedPolicy.updatedOn,
-        expiresIn: "P90D",
-        lifetimeActions: [
-          {
-            timeAfterCreate: undefined,
-            action: "Notify",
-            timeBeforeExpiry: "P30D"
-          }
-        ]
-      });
-    });
-
-    it("updateKeyRotationPolicy supports tracing", async () => {
-      const keyName = recorder.getUniqueName("updaterotationpolicy");
-      const key = await client.createKey(keyName, "EC");
+      it("updateKeyRotationPolicy supports updating an existing policy", async () => {
+        const keyName = recorder.getUniqueName("keyrotationpolicy");
+        const key = await client.createKey(keyName, "RSA");
 
-      await supportsTracing(
-        (tracingOptions) =>
-          client.updateKeyRotationPolicy(
-            key.name,
+        // Create a policy which we will override later.
+        await client.updateKeyRotationPolicy(key.name, {
+          lifetimeActions: [
             {
-              lifetimeActions: [
-                {
-                  action: "Notify",
-                  timeBeforeExpiry: "P30D"
-                }
-              ],
-              expiresIn: "P90D"
-            },
-            { tracingOptions }
-          ),
-        ["Azure.KeyVault.Keys.KeyClient.updateKeyRotationPolicy"]
-      );
-    });
+              action: "Rotate",
+              timeAfterCreate: "P2M"
+            }
+          ]
+        });
+
+        const updatedPolicy = await client.updateKeyRotationPolicy(key.name, {
+          expiresIn: "P90D",
+          lifetimeActions: [
+            {
+              action: "Notify",
+              timeBeforeExpiry: "P30D"
+            }
+          ]
+        });
+
+        assert.deepEqual(updatedPolicy, {
+          id: updatedPolicy.id,
+          createdOn: updatedPolicy.createdOn,
+          updatedOn: updatedPolicy.updatedOn,
+          expiresIn: "P90D",
+          lifetimeActions: [
+            {
+              timeAfterCreate: undefined,
+              action: "Notify",
+              timeBeforeExpiry: "P30D"
+            }
+          ]
+        });
+      });
 
-    it("throws when attempting to fetch a policy of a non-existent key", async () => {
-      const keyName = recorder.getUniqueName("nonexistentkey");
-      await assert.isRejected(client.getKeyRotationPolicy(keyName));
-    });
+      it("updateKeyRotationPolicy supports tracing", async () => {
+        const keyName = recorder.getUniqueName("updaterotationpolicy");
+        const key = await client.createKey(keyName, "EC");
+
+        await supportsTracing(
+          (tracingOptions) =>
+            client.updateKeyRotationPolicy(
+              key.name,
+              {
+                lifetimeActions: [
+                  {
+                    action: "Notify",
+                    timeBeforeExpiry: "P30D"
+                  }
+                ],
+                expiresIn: "P90D"
+              },
+              { tracingOptions }
+            ),
+          ["Azure.KeyVault.Keys.KeyClient.updateKeyRotationPolicy"]
+        );
+      });
 
-    it("getKeyRotationPolicy supports tracing", async () => {
-      const keyName = recorder.getUniqueName("rotationpolicytracing");
-      const key = await client.createKey(keyName, "RSA");
-
-      await client.updateKeyRotationPolicy(key.name, {
-        lifetimeActions: [
-          {
-            action: "Rotate",
-            timeAfterCreate: "P2M"
-          }
-        ]
+      it("throws when attempting to fetch a policy of a non-existent key", async () => {
+        const keyName = recorder.getUniqueName("nonexistentkey");
+        await assert.isRejected(client.getKeyRotationPolicy(keyName));
       });
 
-      await supportsTracing(
-        (tracingOptions) => client.getKeyRotationPolicy(key.name, { tracingOptions }),
-        ["Azure.KeyVault.Keys.KeyClient.getKeyRotationPolicy"]
-      );
-    });
+      it("getKeyRotationPolicy supports tracing", async () => {
+        const keyName = recorder.getUniqueName("rotationpolicytracing");
+        const key = await client.createKey(keyName, "RSA");
+
+        await client.updateKeyRotationPolicy(key.name, {
+          lifetimeActions: [
+            {
+              action: "Rotate",
+              timeAfterCreate: "P2M"
+            }
+          ]
+        });
+
+        await supportsTracing(
+          (tracingOptions) => client.getKeyRotationPolicy(key.name, { tracingOptions }),
+          ["Azure.KeyVault.Keys.KeyClient.getKeyRotationPolicy"]
+        );
+      });
+    }
   });
 });
diff --git a/sdk/keyvault/keyvault-keys/test/utils/testAuthentication.ts b/sdk/keyvault/keyvault-keys/test/utils/testAuthentication.ts
@@ -48,7 +48,10 @@ export async function authenticate(that: Context, version: string): Promise<any>
   const credential = new ClientSecretCredential(
     env.AZURE_TENANT_ID,
     env.AZURE_CLIENT_ID,
-    env.AZURE_CLIENT_SECRET
+    env.AZURE_CLIENT_SECRET,
+    {
+      authorityHost: env.AZURE_AUTHORITY_HOST
+    }
   );
 
   const keyVaultUrl = env.KEYVAULT_URI;
diff --git a/sdk/keyvault/keyvault-keys/test/utils/utils.common.ts b/sdk/keyvault/keyvault-keys/test/utils/utils.common.ts
@@ -59,3 +59,12 @@ export function onVersions(
 ): TestFunctionWrapper {
   return supports(serviceVersion || getServiceVersion(), supportedVersions, serviceVersions);
 }
+
+/**
+ * Acts as a proxy to check with we're running on public or sovereign cloud.
+ *
+ * @returns - true if running on public cloud, false otherwise.
+ */
+export function isPublicCloud(): boolean {
+  return (env.AZURE_AUTHORITY_HOST ?? "").includes(".microsoftonline.com");
+}
diff --git a/sdk/keyvault/keyvault-secrets/karma.conf.js b/sdk/keyvault/keyvault-secrets/karma.conf.js
@@ -46,7 +46,8 @@ module.exports = function(config) {
       "AZURE_CLIENT_SECRET",
       "AZURE_TENANT_ID",
       "KEYVAULT_URI",
-      "TEST_MODE"
+      "TEST_MODE",
+      "AZURE_AUTHORITY_HOST"
     ],
 
     reporters: ["mocha", "coverage", "junit", "json-to-file"],
diff --git a/sdk/keyvault/keyvault-secrets/test/utils/testAuthentication.ts b/sdk/keyvault/keyvault-secrets/test/utils/testAuthentication.ts
