com.microsoft.azure.management.keyvault.Vault Java Examples
The following examples show how to use
com.microsoft.azure.management.keyvault.Vault.
Example #1
Source File: AzureKeyVaultScanner.java From clouditor with Apache License 2.0 | 6 votes |
@Override
protected Asset transform(Vault vault) throws ScanException {
  var asset = super.transform(vault);

  enrichList(asset, "keys", vault, x -> vault.keys().list(), Key::id, Key::name);
  enrichList(asset, "secrets", vault, x -> vault.secrets().list(), Secret::id, Secret::name);

  asset.setProperty(
      "logs",
      this.api.monitor().diagnosticSettings().listByResource(vault.id()).stream()
          .map(DiagnosticSetting::logs)
          .flatMap(Collection::stream)
          .map(log -> MAPPER.convertValue(log, AssetProperties.class))
          .collect(Collectors.toList()));

  return asset;
}
Example #2
Source File: CertificatesTests.java From azure-libraries-for-java with MIT License | 6 votes |
@Test
@Ignore("Test is failing fix it, this is based on Existing RG and settings.")
public void canCRDCertificate() throws Exception {
    Vault vault = keyVaultManager.vaults().getByResourceGroup(RG_NAME, "bananagraphwebapp319com");
    AppServiceCertificate certificate = appServiceManager.certificates().define("bananacert")
            .withRegion(Region.US_WEST)
            .withExistingResourceGroup(RG_NAME)
            .withExistingCertificateOrder(appServiceManager.certificateOrders().getByResourceGroup(RG_NAME, "graphwebapp319"))
            .create();
    Assert.assertNotNull(certificate);

    // CREATE
    // Test fixture only: the PFX path and password are hard-coded here.
    // Outside of tests, load both from configuration or a secret store.
    certificate = appServiceManager.certificates().define(CERTIFICATE_NAME)
            .withRegion(Region.US_EAST)
            .withExistingResourceGroup(RG_NAME)
            .withPfxFile(new File("/Users/jianghlu/Documents/code/certs/myserver.pfx"))
            .withPfxPassword("StrongPass!123")
            .create();
    Assert.assertNotNull(certificate);
}
Example #3
Source File: Utils.java From azure-libraries-for-java with MIT License | 6 votes |
/**
 * Print a key vault.
 *
 * @param vault the key vault resource
 */
public static void print(Vault vault) {
    StringBuilder info = new StringBuilder().append("Key Vault: ").append(vault.id())
            .append("\n\tName: ").append(vault.name())
            .append("\n\tResource group: ").append(vault.resourceGroupName())
            .append("\n\tRegion: ").append(vault.region())
            .append("\n\tSku: ").append(vault.sku().name()).append(" - ").append(vault.sku().family())
            .append("\n\tVault URI: ").append(vault.vaultUri())
            .append("\n\tAccess policies: ");
    // One entry per identity that has been granted access to the vault.
    for (AccessPolicy accessPolicy : vault.accessPolicies()) {
        info.append("\n\t\tIdentity:").append(accessPolicy.objectId())
                .append("\n\t\tKey permissions: ").append(Joiner.on(", ").join(accessPolicy.permissions().keys()))
                .append("\n\t\tSecret permissions: ").append(Joiner.on(", ").join(accessPolicy.permissions().secrets()));
    }
    System.out.println(info.toString());
}
Example #4
Source File: VaultImpl.java From azure-libraries-for-java with MIT License | 6 votes |
@Override
public Observable<Vault> createResourceAsync() {
    final VaultsInner client = this.manager().inner().vaults();
    return populateAccessPolicies().flatMap(new Func1<Object, Observable<VaultInner>>() {
        @Override
        public Observable<VaultInner> call(Object o) {
            VaultCreateOrUpdateParameters parameters = new VaultCreateOrUpdateParameters();
            parameters.withLocation(regionName());
            parameters.withProperties(inner().properties());
            parameters.withTags(inner().getTags());
            parameters.properties().withAccessPolicies(new ArrayList<AccessPolicyEntry>());
            for (AccessPolicy accessPolicy : accessPolicies) {
                parameters.properties().accessPolicies().add(accessPolicy.inner());
            }
            return client.createOrUpdateAsync(resourceGroupName(), name(), parameters);
        }
    }).map(innerToFluentMap(this));
}
Example #5
Source File: AppServiceCertificateOrderImpl.java From azure-libraries-for-java with MIT License | 6 votes |
@Override
public Observable<AppServiceCertificateKeyVaultBinding> createKeyVaultBindingAsync(String certificateName, Vault vault) {
    AppServiceCertificateResourceInner certInner = new AppServiceCertificateResourceInner();
    certInner.withLocation(vault.regionName());
    certInner.withKeyVaultId(vault.id());
    certInner.withKeyVaultSecretName(certificateName);
    final AppServiceCertificateOrderImpl self = this;
    return this.manager().inner().appServiceCertificateOrders().createOrUpdateCertificateAsync(
            resourceGroupName(), name(), certificateName, certInner)
            .map(new Func1<AppServiceCertificateResourceInner, AppServiceCertificateKeyVaultBinding>() {
                @Override
                public AppServiceCertificateKeyVaultBinding call(AppServiceCertificateResourceInner appServiceCertificateInner) {
                    return new AppServiceCertificateKeyVaultBindingImpl(appServiceCertificateInner, self);
                }
            });
}
Example #6
Source File: HostNameSslBindingImpl.java From azure-libraries-for-java with MIT License | 6 votes |
@Override
public HostNameSslBindingImpl<FluentT, FluentImplT> withExistingKeyVault(final Vault vault) {
    Observable<AppServiceCertificateOrder> appServiceCertificateOrderObservable = Utils.rootResource(certificateInDefinition
            .withExistingKeyVault(vault)
            .createAsync());
    final AppServiceManager manager = this.parent().manager();
    this.newCertificate = appServiceCertificateOrderObservable
            .flatMap(new Func1<AppServiceCertificateOrder, Observable<AppServiceCertificate>>() {
                @Override
                public Observable<AppServiceCertificate> call(AppServiceCertificateOrder appServiceCertificateOrder) {
                    return Utils.rootResource(manager.certificates().define(appServiceCertificateOrder.name())
                            .withRegion(parent().regionName())
                            .withExistingResourceGroup(parent().resourceGroupName())
                            .withExistingCertificateOrder(appServiceCertificateOrder)
                            .createAsync());
                }
            });
    return this;
}
Example #7
Source File: ITManagedStorageAccountKey.java From azure-keyvault-java with MIT License | 5 votes |
private Vault initVault(final String VAULT_NAME) {
    Vault vault = keyVaultManager.vaults().define(VAULT_NAME).withRegion(VAULT_REGION)
            .withExistingResourceGroup(RESOURCE_GROUP).defineAccessPolicy()
            .forObjectId(MSAK_USER_OID).allowSecretAllPermissions()
            .allowStorageAllPermissions().attach().withDeploymentDisabled().create();
    return vault;
}
Example #8
Source File: AzureKeyVaultScanner.java From clouditor with Apache License 2.0 | 5 votes |
private List<Vault> listVaultsBySubscription() {
  // for some reason Vaults does not directly expose the listBySubscription of VaultsImpl, so we
  // have to loop over all resource groups
  if (this.resourceGroup == null) {
    List<Vault> vaults = new ArrayList<>();

    for (var group : this.api.azure().resourceGroups().list()) {
      vaults.addAll(this.api.azure().vaults().listByResourceGroup(group.name()));
    }

    return vaults;
  } else {
    return this.api.azure().vaults().listByResourceGroup(this.resourceGroup);
  }
}
Example #9
Source File: ApplicationGatewayTests.java From azure-libraries-for-java with MIT License | 5 votes |
private Secret createKeyVaultSecret(String servicePrincipal, String identityPrincipal) throws Exception {
    String vaultName = SdkContext.randomResourceName("vlt", 10);
    String secretName = SdkContext.randomResourceName("srt", 10);
    String secretValue = Files.readFirstLine(new File(getClass().getClassLoader().getResource("test.certificate").getFile()), Charset.defaultCharset());

    Vault vault = keyVaultManager.vaults()
            .define(vaultName)
            .withRegion(Region.US_EAST)
            .withExistingResourceGroup(RG_NAME)
            .defineAccessPolicy()
                .forServicePrincipal(servicePrincipal)
                .allowSecretAllPermissions()
                .attach()
            .defineAccessPolicy()
                .forObjectId(identityPrincipal)
                .allowSecretAllPermissions()
                .attach()
            .withAccessFromAzureServices()
            .withDeploymentEnabled()
            // Important!! Only soft delete enabled key vault can be assigned to application gateway
            // See also: https://github.com/MicrosoftDocs/azure-docs/issues/34382
            .withSoftDeleteEnabled()
            .create();

    return vault.secrets()
            .define(secretName)
            .withValue(secretValue)
            .create();
}
Example #10
Source File: AppServiceCertificateOrderImpl.java From azure-libraries-for-java with MIT License | 5 votes |
@Override
public Observable<AppServiceCertificateOrder> createResourceAsync() {
    final AppServiceCertificateOrder self = this;
    return this.manager().inner().appServiceCertificateOrders().createOrUpdateAsync(
            resourceGroupName(), name(), inner())
            .map(innerToFluentMap(this))
            .flatMap(new Func1<AppServiceCertificateOrder, Observable<Void>>() {
                @Override
                public Observable<Void> call(AppServiceCertificateOrder certificateOrder) {
                    if (domainVerifyWebApp != null) {
                        return domainVerifyWebApp.verifyDomainOwnershipAsync(name(), domainVerificationToken()).toObservable();
                    } else if (domainVerifyDomain != null) {
                        return domainVerifyDomain.verifyDomainOwnershipAsync(name(), domainVerificationToken()).toObservable();
                    } else {
                        throw new IllegalArgumentException(
                                "Please specify a non-null web app or domain to verify the domain ownership "
                                        + "for hostname " + distinguishedName());
                    }
                }
            })
            .flatMap(new Func1<Void, Observable<AppServiceCertificateKeyVaultBinding>>() {
                @Override
                public Observable<AppServiceCertificateKeyVaultBinding> call(Void aVoid) {
                    return bindingVault.flatMap(new Func1<Vault, Observable<AppServiceCertificateKeyVaultBinding>>() {
                        @Override
                        public Observable<AppServiceCertificateKeyVaultBinding> call(Vault vault) {
                            return createKeyVaultBindingAsync(name(), vault);
                        }
                    });
                }
            })
            .map(new Func1<AppServiceCertificateKeyVaultBinding, AppServiceCertificateOrder>() {
                @Override
                public AppServiceCertificateOrder call(AppServiceCertificateKeyVaultBinding appServiceCertificateKeyVaultBinding) {
                    return self;
                }
            });
}
Example #11
Source File: VaultsImpl.java From azure-libraries-for-java with MIT License | 4 votes |
@Override
public Observable<Vault> listByResourceGroupAsync(String resourceGroupName) {
    return wrapPageAsync(this.inner().listByResourceGroupAsync(resourceGroupName));
}
Example #12
Source File: AppServiceCertificateOrderImpl.java From azure-libraries-for-java with MIT License | 4 votes |
@Override
public AppServiceCertificateOrderImpl withExistingKeyVault(Vault vault) {
    this.bindingVault = Observable.just(vault);
    return this;
}
Example #13
Source File: AppServiceCertificateOrderImpl.java From azure-libraries-for-java with MIT License | 4 votes |
@Override
public AppServiceCertificateKeyVaultBinding createKeyVaultBinding(String certificateName, Vault vault) {
    return createKeyVaultBindingAsync(certificateName, vault).toBlocking().single();
}
Example #14
Source File: VaultsImpl.java From azure-libraries-for-java with MIT License | 4 votes |
@Override
public Vault recoverSoftDeletedVault(String resourceGroupName, String vaultName, String location) {
    return recoverSoftDeletedVaultAsync(resourceGroupName, vaultName, location).toBlocking().last();
}
Example #15
Source File: AzureKeyVaultScanner.java From clouditor with Apache License 2.0 | 4 votes |
public AzureKeyVaultScanner() {
  super(Vault::id, Vault::name);
}
Example #16
Source File: VaultsImpl.java From azure-libraries-for-java with MIT License | 4 votes |
@Override
public PagedList<Vault> listByResourceGroup(String groupName) {
    return wrapList(this.inner().listByResourceGroup(groupName));
}
Example #17
Source File: SecretsImpl.java From azure-libraries-for-java with MIT License | 4 votes |
SecretsImpl(KeyVaultClient client, Vault vault) {
    this.inner = client;
    this.vault = vault;
}
Example #18
Source File: SecretImpl.java From azure-libraries-for-java with MIT License | 4 votes |
SecretImpl(String name, SecretBundle innerObject, Vault vault) {
    super(name, innerObject);
    this.vault = vault;
    this.updateSecretRequest = new UpdateSecretRequest.Builder(vault.vaultUri(), name);
}
Example #19
Source File: KeyImpl.java From azure-libraries-for-java with MIT License | 4 votes |
KeyImpl(String name, KeyBundle innerObject, Vault vault) {
    super(name, innerObject);
    this.vault = vault;
    this.updateKeyRequest = new UpdateKeyRequest.Builder(vault.vaultUri(), name);
}
Example #20
Source File: KeysImpl.java From azure-libraries-for-java with MIT License | 4 votes |
KeysImpl(KeyVaultClient client, Vault vault) {
    this.inner = client;
    this.vault = vault;
}
Example #21
Source File: AzureKeyVaultScannerTest.java From clouditor with Apache License 2.0 | 4 votes |
@BeforeAll
static void setUpOnce() {
  discoverAssets(
      AzureKeyVaultScanner::new,
      api -> {
        var vault1 = createWithId(Vault.class, "vault-with-expiry", new VaultInner());

        var key =
            createKey(
                "key",
                "key-name",
                new KeyBundle()
                    .withAttributes(
                        (KeyAttributes)
                            new KeyAttributes().withExpires(new DateTime().plusWeeks(30))));

        when(vault1.keys().list()).thenReturn(MockedPagedList.of(key));

        var vault2 = createWithId(Vault.class, "vault-without-expiry", new VaultInner());

        key = createKey("key", "key-name", new KeyBundle());

        when(vault2.keys().list()).thenReturn(MockedPagedList.of(key));

        when(api.azure.vaults().listByResourceGroup(anyString()))
            .thenReturn(MockedPagedList.of(vault1, vault2));

        var settings =
            createDiagnosticsSetting(
                "some-id",
                "some-name",
                new DiagnosticSettingsResourceInner()
                    .withLogs(
                        List.of(
                            new LogSettings()
                                .withEnabled(true)
                                .withRetentionPolicy(
                                    new RetentionPolicy().withEnabled(true).withDays(270)))));

        when(api.monitor().diagnosticSettings().listByResource(anyString()))
            .thenReturn(MockedPagedList.of(settings));
      });
}
Example #22
Source File: AzureKeyVaultScanner.java From clouditor with Apache License 2.0 | 4 votes |
@Override
protected List<Vault> list() {
  return this.listVaultsBySubscription();
}
Example #23
Source File: AppServiceCertificateOrder.java From azure-libraries-for-java with MIT License | 2 votes |
/**
 * Bind a Key Vault secret to a certificate store that will be used for storing the certificate once it's ready.
 * @param certificateName the name of the Key Vault Secret
 * @param vault the key vault to store the certificate
 * @return a binding containing the key vault information
 */
AppServiceCertificateKeyVaultBinding createKeyVaultBinding(String certificateName, Vault vault);
Example #24
Source File: AppServiceCertificateOrder.java From azure-libraries-for-java with MIT License | 2 votes |
/**
 * Bind a Key Vault secret to a certificate store that will be used for storing the certificate once it's ready.
 * @param certificateName the name of the Key Vault Secret
 * @param vault the key vault to store the certificate
 * @return a binding containing the key vault information
 */
Observable<AppServiceCertificateKeyVaultBinding> createKeyVaultBindingAsync(String certificateName, Vault vault);
Example #25
Source File: AppServiceCertificateOrder.java From azure-libraries-for-java with MIT License | 2 votes |
/**
 * Specifies an existing key vault to store the certificate private key.
 *
 * The vault MUST allow 2 service principals to read/write secrets:
 * f3c21649-0979-4721-ac85-b0216b2cf413 and abfa0a7c-a6b6-4736-8310-5855508787cd.
 * If they don't have access, an attempt will be made to grant access. If you are
 * logged in from an identity without access to the Active Directory Graph, this
 * attempt will fail.
 *
 * @param vault the vault to store the private key
 * @return the next stage of the definition
 */
WithCreate withExistingKeyVault(Vault vault);
Example #26
Source File: HostNameSslBinding.java From azure-libraries-for-java with MIT License | 2 votes |
/**
 * Stores the certificate in an existing vault.
 * @param vault the existing vault to use
 * @return the next stage of the definition
 */
WithSslType<ParentT> withExistingKeyVault(Vault vault);