diff --git a/sdk/keyvault/azure-keyvault-keys/MANIFEST.in b/sdk/keyvault/azure-keyvault-keys/MANIFEST.in index da63874bd18d..e303fbb80a60 100644 --- a/sdk/keyvault/azure-keyvault-keys/MANIFEST.in +++ b/sdk/keyvault/azure-keyvault-keys/MANIFEST.in @@ -1,7 +1,7 @@ include *.md include LICENSE -include azure/__init__.py -include azure/keyvault/__init__.py -recursive-include samples *.py -recursive-include tests *.py include azure/keyvault/keys/py.typed +recursive-include tests *.py +recursive-include samples *.py *.md +include azure/__init__.py +include azure/keyvault/__init__.py \ No newline at end of file diff --git a/sdk/keyvault/azure-keyvault-keys/_meta.json b/sdk/keyvault/azure-keyvault-keys/_meta.json new file mode 100644 index 000000000000..b26c18ac6f83 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-keys/_meta.json @@ -0,0 +1,6 @@ +{ + "commit": "59583521f5e5a5b1e02bd8966bc30b567ecc696a", + "repository_url": "https://github.com/test-repo-billy/azure-rest-api-specs", + "typespec_src": "specification/keyvault/Security.KeyVault.Keys", + "@azure-tools/typespec-python": "0.38.1" +} \ No newline at end of file diff --git a/sdk/keyvault/azure-keyvault-keys/azure/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/__init__.py index 679ab6995134..d55ccad1f573 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/__init__.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/__init__.py @@ -1,5 +1 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ __path__ = __import__("pkgutil").extend_path(__path__, __name__) # type: ignore diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/__init__.py index 679ab6995134..d55ccad1f573 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/__init__.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/__init__.py @@ -1,5 +1 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ __path__ = __import__("pkgutil").extend_path(__path__, __name__) # type: ignore diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/__init__.py index b4c48eacf7d4..4f7962408227 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/__init__.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/__init__.py @@ -1,41 +1,32 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------- -from ._enums import KeyCurveName, KeyExportEncryptionAlgorithm, KeyOperation, KeyRotationPolicyAction, KeyType -from ._shared.client_base import ApiVersion -from ._models import ( - DeletedKey, - JsonWebKey, - KeyProperties, - KeyReleasePolicy, - KeyRotationLifetimeAction, - KeyRotationPolicy, - KeyVaultKey, - KeyVaultKeyIdentifier, - ReleaseKeyResult, -) -from ._client import KeyClient +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# pylint: disable=wrong-import-position -__all__ = [ - "ApiVersion", - "KeyClient", - "JsonWebKey", - "KeyVaultKey", - "KeyVaultKeyIdentifier", - "KeyCurveName", - "KeyExportEncryptionAlgorithm", - "KeyOperation", - "KeyRotationPolicyAction", - "KeyType", - "DeletedKey", - "KeyProperties", - "KeyReleasePolicy", - "KeyRotationLifetimeAction", - "KeyRotationPolicy", - "ReleaseKeyResult", -] +from typing import TYPE_CHECKING +if TYPE_CHECKING: + from ._patch import * # pylint: disable=unused-wildcard-import + +from ._client import KeyVaultClient # type: ignore from ._version import VERSION __version__ = VERSION + +try: + from ._patch import __all__ as _patch_all + from ._patch import * +except ImportError: + _patch_all = [] +from ._patch import patch_sdk as _patch_sdk + +__all__ = [ + "KeyVaultClient", +] +__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore + +_patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_client.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_client.py index b03c7768aedd..600eb2cb2546 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_client.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_client.py @@ -1,999 +1,100 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from datetime import datetime -from functools import partial -from typing import Any, Dict, List, Optional, Union +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- -from azure.core.paging import ItemPaged -from azure.core.polling import LROPoller -from azure.core.tracing.decorator import distributed_trace +from copy import deepcopy +from typing import Any, TYPE_CHECKING +from typing_extensions import Self -from .crypto import CryptographyClient -from ._enums import KeyCurveName, KeyExportEncryptionAlgorithm, KeyOperation, KeyType -from ._generated.models import KeyAttributes -from ._models import JsonWebKey, KeyRotationLifetimeAction -from ._shared import KeyVaultClientBase -from ._shared._polling import DeleteRecoverPollingMethod, KeyVaultOperationPoller -from ._models import DeletedKey, KeyVaultKey, KeyProperties, KeyReleasePolicy, KeyRotationPolicy, ReleaseKeyResult +from azure.core import PipelineClient +from azure.core.pipeline import policies +from azure.core.rest import HttpRequest, HttpResponse +from ._configuration import KeyVaultClientConfiguration +from ._operations import KeyVaultClientOperationsMixin +from ._serialization import Deserializer, Serializer -def _get_key_id(vault_url, key_name, version=None): - without_version = f"{vault_url}/keys/{key_name}" - return without_version + "/" + version if version else without_version +if TYPE_CHECKING: + from azure.core.credentials import TokenCredential -class KeyClient(KeyVaultClientBase): - """A high-level interface for managing a vault's keys. +class KeyVaultClient(KeyVaultClientOperationsMixin): + """The key vault client performs cryptographic key operations and vault operations against the Key + Vault service. - :param str vault_url: URL of the vault the client will access. This is also called the vault's "DNS Name". - You should validate that this URL references a valid Key Vault or Managed HSM resource. - See https://aka.ms/azsdk/blog/vault-uri for details. - :param credential: An object which can provide an access token for the vault, such as a credential from - :mod:`azure.identity` + :param vault_base_url: Required. + :type vault_base_url: str + :param credential: Credential used to authenticate requests to the service. Required. :type credential: ~azure.core.credentials.TokenCredential - - :keyword api_version: Version of the service API to use. Defaults to the most recent. - :paramtype api_version: ~azure.keyvault.keys.ApiVersion or str - :keyword bool verify_challenge_resource: Whether to verify the authentication challenge resource matches the Key - Vault or Managed HSM domain. Defaults to True. - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START create_key_client] - :end-before: [END create_key_client] - :language: python - :caption: Create a new ``KeyClient`` - :dedent: 4 + :keyword api_version: The API version to use for this operation. Default value is + "7.6-preview.1". Note that overriding this default value may result in unsupported behavior. + :paramtype api_version: str """ - # pylint:disable=protected-access, too-many-public-methods - - def _get_attributes( - self, - enabled: Optional[bool], - not_before: Optional[datetime], - expires_on: Optional[datetime], - exportable: Optional[bool] = None, - ) -> Optional[KeyAttributes]: - """Return a KeyAttributes object if non-None attributes are provided, or None otherwise. - - :param enabled: Whether the key is enabled. - :type enabled: bool or None - :param not_before: Not before date of the key in UTC. - :type not_before: ~datetime.datetime or None - :param expires_on: Expiry date of the key in UTC. - :type expires_on: ~datetime.datetime or None - :param exportable: Whether the private key can be exported. - :type exportable: bool or None - - :returns: An autorest-generated model of the key's attributes. - :rtype: KeyAttributes - """ - if enabled is not None or not_before is not None or expires_on is not None or exportable is not None: - return self._models.KeyAttributes( - enabled=enabled, not_before=not_before, expires=expires_on, exportable=exportable - ) - return None - - def get_cryptography_client( - self, - key_name: str, - *, - key_version: Optional[str] = None, - **kwargs, # pylint: disable=unused-argument - ) -> CryptographyClient: - """Gets a :class:`~azure.keyvault.keys.crypto.CryptographyClient` for the given key. - - :param str key_name: The name of the key used to perform cryptographic operations. - - :keyword key_version: Optional version of the key used to perform cryptographic operations. - :paramtype key_version: str or None - - :returns: A :class:`~azure.keyvault.keys.crypto.CryptographyClient` using the same options, credentials, and - HTTP client as this :class:`~azure.keyvault.keys.KeyClient`. - :rtype: ~azure.keyvault.keys.crypto.CryptographyClient - """ - key_id = _get_key_id(self._vault_url, key_name, key_version) - - # We provide a fake credential because the generated client already has the KeyClient's real credential - return CryptographyClient( - key_id, object(), generated_client=self._client, generated_models=self._models # type: ignore - ) - - @distributed_trace - def create_key( - self, - name: str, - key_type: Union[str, KeyType], - *, - size: Optional[int] = None, - curve: Optional[Union[str, KeyCurveName]] = None, - public_exponent: Optional[int] = None, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Create a key or, if ``name`` is already in use, create a new version of the key. - - Requires keys/create permission. - - :param str name: The name of the new key. - :param key_type: The type of key to create - :type key_type: ~azure.keyvault.keys.KeyType or str - - :keyword size: Key size in bits. Applies only to RSA and symmetric keys. Consider using - :func:`create_rsa_key` or :func:`create_oct_key` instead. - :paramtype size: int or None - :keyword curve: Elliptic curve name. Applies only to elliptic curve keys. Defaults to the NIST P-256 - elliptic curve. To create an elliptic curve key, consider using :func:`create_ec_key` instead. - :paramtype curve: ~azure.keyvault.keys.KeyCurveName or str or None - :keyword public_exponent: The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM. - :paramtype public_exponent: int or None - :keyword key_operations: Allowed key operations - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the private key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The created key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START create_key] - :end-before: [END create_key] - :language: python - :caption: Create a key - :dedent: 8 - """ - attributes = self._get_attributes( - enabled=enabled, not_before=not_before, expires_on=expires_on, exportable=exportable - ) - - policy = release_policy - if policy is not None: - policy = self._models.KeyReleasePolicy( - encoded_policy=policy.encoded_policy, content_type=policy.content_type, immutable=policy.immutable - ) - parameters = self._models.KeyCreateParameters( - kty=key_type, - key_size=size, - key_attributes=attributes, - key_ops=key_operations, - tags=tags, - curve=curve, - public_exponent=public_exponent, - release_policy=policy, - ) - - bundle = self._client.create_key(vault_base_url=self.vault_url, key_name=name, parameters=parameters, **kwargs) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace - def create_rsa_key( - self, - name: str, - *, - size: Optional[int] = None, - public_exponent: Optional[int] = None, - hardware_protected: Optional[bool] = False, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Create a new RSA key or, if ``name`` is already in use, create a new version of the key - - Requires the keys/create permission. - - :param str name: The name for the new key. - - :keyword size: Key size in bits, for example 2048, 3072, or 4096. - :paramtype size: int or None - :keyword public_exponent: The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM. - :paramtype public_exponent: int or None - :keyword hardware_protected: Whether the key should be created in a hardware security module. - Defaults to ``False``. - :paramtype hardware_protected: bool or None - :keyword key_operations: Allowed key operations - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the private key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The created key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START create_rsa_key] - :end-before: [END create_rsa_key] - :language: python - :caption: Create RSA key - :dedent: 8 - """ - return self.create_key( - name, - key_type="RSA-HSM" if hardware_protected else "RSA", - size=size, - public_exponent=public_exponent, - key_operations=key_operations, - enabled=enabled, - tags=tags, - not_before=not_before, - expires_on=expires_on, - exportable=exportable, - release_policy=release_policy, - **kwargs, - ) - - @distributed_trace - def create_ec_key( - self, - name: str, - *, - curve: Optional[Union[str, KeyCurveName]] = None, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - hardware_protected: Optional[bool] = False, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Create a new elliptic curve key or, if ``name`` is already in use, create a new version of the key. - - Requires the keys/create permission. - - :param str name: The name for the new key. - - :keyword curve: Elliptic curve name. Defaults to the NIST P-256 elliptic curve. - :paramtype curve: ~azure.keyvault.keys.KeyCurveName or str or None - :keyword key_operations: Allowed key operations - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword hardware_protected: Whether the key should be created in a hardware security module. - Defaults to ``False``. - :paramtype hardware_protected: bool or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the private key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The created key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START create_ec_key] - :end-before: [END create_ec_key] - :language: python - :caption: Create an elliptic curve key - :dedent: 8 - """ - return self.create_key( - name, - key_type="EC-HSM" if hardware_protected else "EC", - curve=curve, - key_operations=key_operations, - enabled=enabled, - tags=tags, - not_before=not_before, - expires_on=expires_on, - exportable=exportable, - release_policy=release_policy, - **kwargs, - ) - - @distributed_trace - def create_oct_key( - self, - name: str, - *, - size: Optional[int] = None, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - hardware_protected: Optional[bool] = False, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Create a new octet sequence (symmetric) key or, if ``name`` is in use, create a new version of the key. - - Requires the keys/create permission. - - :param str name: The name for the new key. - - :keyword size: Key size in bits, for example 128, 192, or 256. - :paramtype size: int or None - :keyword key_operations: Allowed key operations. - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword hardware_protected: Whether the key should be created in a hardware security module. - Defaults to ``False``. - :paramtype hardware_protected: bool or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The created key - :rtype: ~azure.keyvault.keys.KeyVaultKey - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START create_oct_key] - :end-before: [END create_oct_key] - :language: python - :caption: Create an octet sequence (symmetric) key - :dedent: 8 - """ - return self.create_key( - name, - key_type="oct-HSM" if hardware_protected else "oct", - size=size, - key_operations=key_operations, - enabled=enabled, - tags=tags, - not_before=not_before, - expires_on=expires_on, - exportable=exportable, - release_policy=release_policy, - **kwargs, - ) - - @distributed_trace - def begin_delete_key(self, name: str, **kwargs: Any) -> LROPoller[DeletedKey]: # pylint:disable=bad-option-value,delete-operation-wrong-return-type - """Delete all versions of a key and its cryptographic material. - - Requires keys/delete permission. When this method returns Key Vault has begun deleting the key. Deletion may - take several seconds in a vault with soft-delete enabled. This method therefore returns a poller enabling you to - wait for deletion to complete. - - :param str name: The name of the key to delete. - - :returns: A poller for the delete key operation. The poller's `result` method returns the - :class:`~azure.keyvault.keys.DeletedKey` without waiting for deletion to complete. If the vault has - soft-delete enabled and you want to permanently delete the key with :func:`purge_deleted_key`, call the - poller's `wait` method first. It will block until the deletion is complete. The `wait` method requires - keys/get permission. - :rtype: ~azure.core.polling.LROPoller[~azure.keyvault.keys.DeletedKey] - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START delete_key] - :end-before: [END delete_key] - :language: python - :caption: Delete a key - :dedent: 8 - """ - polling_interval = kwargs.pop("_polling_interval", None) - if polling_interval is None: - polling_interval = 2 - pipeline_response, deleted_key_bundle = self._client.delete_key( - vault_base_url=self.vault_url, - key_name=name, - cls=lambda pipeline_response, deserialized, _: (pipeline_response, deserialized), - **kwargs, - ) - deleted_key = DeletedKey._from_deleted_key_bundle(deleted_key_bundle) - - command = partial(self.get_deleted_key, name=name, **kwargs) - polling_method = DeleteRecoverPollingMethod( - # no recovery ID means soft-delete is disabled, in which case we initialize the poller as finished - finished=deleted_key.recovery_id is None, - pipeline_response=pipeline_response, - command=command, - final_resource=deleted_key, - interval=polling_interval, - ) - return KeyVaultOperationPoller(polling_method) - - @distributed_trace - def get_key(self, name: str, version: Optional[str] = None, **kwargs: Any) -> KeyVaultKey: - """Get a key's attributes and, if it's an asymmetric key, its public material. - - Requires keys/get permission. - - :param str name: The name of the key to get. - :param version: (optional) A specific version of the key to get. If not specified, gets the latest version - of the key. - :type version: str or None - - :returns: The fetched key. - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START get_key] - :end-before: [END get_key] - :language: python - :caption: Get a key - :dedent: 8 - """ - bundle = self._client.get_key(self.vault_url, name, key_version=version or "", **kwargs) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace - def get_deleted_key(self, name: str, **kwargs: Any) -> DeletedKey: - """Get a deleted key. Possible only in a vault with soft-delete enabled. - - Requires keys/get permission. - - :param str name: The name of the key - - :returns: The deleted key - :rtype: ~azure.keyvault.keys.DeletedKey - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START get_deleted_key] - :end-before: [END get_deleted_key] - :language: python - :caption: Get a deleted key - :dedent: 8 - """ - bundle = self._client.get_deleted_key(self.vault_url, name, **kwargs) - return DeletedKey._from_deleted_key_bundle(bundle) - - @distributed_trace - def list_deleted_keys(self, **kwargs: Any) -> ItemPaged[DeletedKey]: - """List all deleted keys, including the public part of each. Possible only in a vault with soft-delete enabled. - - Requires keys/list permission. - - :returns: An iterator of deleted keys - :rtype: ~azure.core.paging.ItemPaged[~azure.keyvault.keys.DeletedKey] - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START list_deleted_keys] - :end-before: [END list_deleted_keys] - :language: python - :caption: List all the deleted keys - :dedent: 8 - """ - return self._client.get_deleted_keys( - self._vault_url, - maxresults=kwargs.pop("max_page_size", None), - cls=lambda objs: [DeletedKey._from_deleted_key_item(x) for x in objs], - **kwargs - ) - - @distributed_trace - def list_properties_of_keys(self, **kwargs: Any) -> ItemPaged[KeyProperties]: - """List identifiers and properties of all keys in the vault. - - Requires keys/list permission. - - :returns: An iterator of keys without their cryptographic material or version information - :rtype: ~azure.core.paging.ItemPaged[~azure.keyvault.keys.KeyProperties] - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START list_keys] - :end-before: [END list_keys] - :language: python - :caption: List all keys - :dedent: 8 - """ - return self._client.get_keys( - self._vault_url, - maxresults=kwargs.pop("max_page_size", None), - cls=lambda objs: [KeyProperties._from_key_item(x) for x in objs], - **kwargs - ) - - @distributed_trace - def list_properties_of_key_versions(self, name: str, **kwargs: Any) -> ItemPaged[KeyProperties]: - """List the identifiers and properties of a key's versions. - - Requires keys/list permission. - - :param str name: The name of the key - - :returns: An iterator of keys without their cryptographic material - :rtype: ~azure.core.paging.ItemPaged[~azure.keyvault.keys.KeyProperties] - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START list_properties_of_key_versions] - :end-before: [END list_properties_of_key_versions] - :language: python - :caption: List all versions of a key - :dedent: 8 - """ - return self._client.get_key_versions( - self._vault_url, - name, - maxresults=kwargs.pop("max_page_size", None), - cls=lambda objs: [KeyProperties._from_key_item(x) for x in objs], - **kwargs - ) - - @distributed_trace - def purge_deleted_key(self, name: str, **kwargs: Any) -> None: - """Permanently deletes a deleted key. Only possible in a vault with soft-delete enabled. - - Performs an irreversible deletion of the specified key, without possibility for recovery. The operation is not - available if the :py:attr:`~azure.keyvault.keys.KeyProperties.recovery_level` does not specify 'Purgeable'. - This method is only necessary for purging a key before its - :py:attr:`~azure.keyvault.keys.DeletedKey.scheduled_purge_date`. - - Requires keys/purge permission. - - :param str name: The name of the deleted key to purge - - :returns: None - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. code-block:: python - - # if the vault has soft-delete enabled, purge permanently deletes a deleted key - # (with soft-delete disabled, begin_delete_key is permanent) - key_client.purge_deleted_key("key-name") - - """ - self._client.purge_deleted_key(vault_base_url=self.vault_url, key_name=name, **kwargs) - - @distributed_trace - def begin_recover_deleted_key(self, name: str, **kwargs: Any) -> LROPoller[KeyVaultKey]: - """Recover a deleted key to its latest version. Possible only in a vault with soft-delete enabled. - - Requires keys/recover permission. - - When this method returns Key Vault has begun recovering the key. Recovery may take several seconds. This - method therefore returns a poller enabling you to wait for recovery to complete. Waiting is only necessary when - you want to use the recovered key in another operation immediately. - - :param str name: The name of the deleted key to recover - - :returns: A poller for the recovery operation. The poller's `result` method returns the recovered - :class:`~azure.keyvault.keys.KeyVaultKey` without waiting for recovery to complete. If you want to use the - recovered key immediately, call the poller's `wait` method, which blocks until the key is ready to use. The - `wait` method requires keys/get permission. - :rtype: ~azure.core.polling.LROPoller[~azure.keyvault.keys.KeyVaultKey] - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START recover_deleted_key] - :end-before: [END recover_deleted_key] - :language: python - :caption: Recover a deleted key - :dedent: 8 - """ - polling_interval = kwargs.pop("_polling_interval", None) - if polling_interval is None: - polling_interval = 2 - pipeline_response, recovered_key_bundle = self._client.recover_deleted_key( - vault_base_url=self.vault_url, - key_name=name, - cls=lambda pipeline_response, deserialized, _: (pipeline_response, deserialized), - **kwargs, - ) - recovered_key = KeyVaultKey._from_key_bundle(recovered_key_bundle) - command = partial(self.get_key, name=name, **kwargs) - polling_method = DeleteRecoverPollingMethod( - finished=False, - pipeline_response=pipeline_response, - command=command, - final_resource=recovered_key, - interval=polling_interval, - ) - - return KeyVaultOperationPoller(polling_method) - - @distributed_trace - def update_key_properties( - self, - name: str, - version: Optional[str] = None, - *, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Change a key's properties (not its cryptographic material). - - Requires keys/update permission. - - :param str name: The name of key to update - :param version: (optional) The version of the key to update. If unspecified, the latest version is updated. - :type version: str or None - - :keyword key_operations: Allowed key operations - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The updated key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START update_key] - :end-before: [END update_key] - :language: python - :caption: Update a key's attributes - :dedent: 8 - """ - attributes = self._get_attributes(enabled=enabled, not_before=not_before, expires_on=expires_on) - - policy = release_policy - if policy is not None: - policy = self._models.KeyReleasePolicy( - content_type=policy.content_type, encoded_policy=policy.encoded_policy, immutable=policy.immutable - ) - parameters = self._models.KeyUpdateParameters( - key_ops=key_operations, - key_attributes=attributes, - tags=tags, - release_policy=policy, - ) - - bundle = self._client.update_key( - self.vault_url, name, key_version=version or "", parameters=parameters, **kwargs - ) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace - def backup_key(self, name: str, **kwargs: Any) -> bytes: - """Back up a key in a protected form useable only by Azure Key Vault. - - Requires keys/backup permission. - - This is intended to allow copying a key from one vault to another. Both vaults must be owned by the same Azure - subscription. Also, backup / restore cannot be performed across geopolitical boundaries. For example, a backup - from a vault in a USA region cannot be restored to a vault in an EU region. - - :param str name: The name of the key to back up - - :returns: The key backup result, in a protected bytes format that can only be used by Azure Key Vault. - :rtype: bytes - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START backup_key] - :end-before: [END backup_key] - :language: python - :caption: Get a key backup - :dedent: 8 - """ - backup_result = self._client.backup_key(self.vault_url, name, **kwargs) - return backup_result.value - - @distributed_trace - def restore_key_backup(self, backup: bytes, **kwargs: Any) -> KeyVaultKey: - """Restore a key backup to the vault. - - Requires keys/restore permission. - - This imports all versions of the key, with its name, attributes, and access control policies. If the key's name - is already in use, restoring it will fail. Also, the target vault must be owned by the same Microsoft Azure - subscription as the source vault. - - :param bytes backup: A key backup as returned by :func:`backup_key` - - :returns: The restored key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.ResourceExistsError or ~azure.core.exceptions.HttpResponseError: - the former if the backed up key's name is already in use; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys.py - :start-after: [START restore_key_backup] - :end-before: [END restore_key_backup] - :language: python - :caption: Restore a key backup - :dedent: 8 - """ - bundle = self._client.restore_key( - self.vault_url, - parameters=self._models.KeyRestoreParameters(key_bundle_backup=backup), - **kwargs - ) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace - def import_key( - self, - name: str, - key: JsonWebKey, - *, - hardware_protected: Optional[bool] = None, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Import a key created externally. + def __init__(self, vault_base_url: str, credential: "TokenCredential", **kwargs: Any) -> None: + _endpoint = "{vaultBaseUrl}" + self._config = KeyVaultClientConfiguration(vault_base_url=vault_base_url, credential=credential, **kwargs) + _policies = kwargs.pop("policies", None) + if _policies is None: + _policies = [ + policies.RequestIdPolicy(**kwargs), + self._config.headers_policy, + self._config.user_agent_policy, + self._config.proxy_policy, + policies.ContentDecodePolicy(**kwargs), + self._config.redirect_policy, + self._config.retry_policy, + self._config.authentication_policy, + self._config.custom_hook_policy, + self._config.logging_policy, + policies.DistributedTracingPolicy(**kwargs), + policies.SensitiveHeaderCleanupPolicy(**kwargs) if self._config.redirect_policy else None, + self._config.http_logging_policy, + ] + self._client: PipelineClient = PipelineClient(base_url=_endpoint, policies=_policies, **kwargs) - Requires keys/import permission. If ``name`` is already in use, the key will be imported as a new version. + self._serialize = Serializer() + self._deserialize = Deserializer() + self._serialize.client_side_validation = False - :param str name: Name for the imported key - :param key: The JSON web key to import - :type key: ~azure.keyvault.keys.JsonWebKey + def send_request(self, request: HttpRequest, *, stream: bool = False, **kwargs: Any) -> HttpResponse: + """Runs the network request through the client's chained policies. - :keyword hardware_protected: Whether the key should be backed by a hardware security module - :paramtype hardware_protected: bool or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the private key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None + >>> from azure.core.rest import HttpRequest + >>> request = HttpRequest("GET", "https://www.example.org/") + + >>> response = client.send_request(request) + - :returns: The imported key - :rtype: ~azure.keyvault.keys.KeyVaultKey + For more information on this code flow, see https://aka.ms/azsdk/dpcodegen/python/send_request - :raises ~azure.core.exceptions.HttpResponseError: + :param request: The network request you want to make. Required. + :type request: ~azure.core.rest.HttpRequest + :keyword bool stream: Whether the response payload will be streamed. Defaults to False. + :return: The response of your network call. Does not do error handling on your response. + :rtype: ~azure.core.rest.HttpResponse """ - attributes = self._get_attributes( - enabled=enabled, not_before=not_before, expires_on=expires_on, exportable=exportable - ) - - policy = release_policy - if policy is not None: - policy = self._models.KeyReleasePolicy( - content_type=policy.content_type, encoded_policy=policy.encoded_policy, immutable=policy.immutable - ) - parameters = self._models.KeyImportParameters( - key=key._to_generated_model(), - key_attributes=attributes, - hsm=hardware_protected, - tags=tags, - release_policy=policy, - ) - - bundle = self._client.import_key(self.vault_url, name, parameters=parameters, **kwargs) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace - def release_key( - self, - name: str, - target_attestation_token: str, - *, - version: Optional[str] = None, - algorithm: Optional[Union[str, KeyExportEncryptionAlgorithm]] = None, - nonce: Optional[str] = None, - **kwargs: Any, - ) -> ReleaseKeyResult: - """Releases a key. - The release key operation is applicable to all key types. The target key must be marked - exportable. This operation requires the keys/release permission. - - :param str name: The name of the key to get. - :param str target_attestation_token: The attestation assertion for the target of the key release. - - :keyword version: A specific version of the key to release. If unspecified, the latest version is released. - :paramtype version: str or None - :keyword algorithm: The encryption algorithm to use to protect the released key material. - :paramtype algorithm: str or ~azure.keyvault.keys.KeyExportEncryptionAlgorithm or None - :keyword nonce: A client-provided nonce for freshness. - :paramtype nonce: str or None - - :return: The result of the key release. - :rtype: ~azure.keyvault.keys.ReleaseKeyResult - - :raises ~azure.core.exceptions.HttpResponseError: - """ - result = self._client.release( - vault_base_url=self._vault_url, - key_name=name, - key_version=version or "", - parameters=self._models.KeyReleaseParameters( - target_attestation_token=target_attestation_token, - nonce=nonce, - enc=algorithm, + request_copy = deepcopy(request) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True ), - **kwargs - ) - return ReleaseKeyResult(result.value) - - @distributed_trace - def get_random_bytes(self, count: int, **kwargs: Any) -> bytes: - """Get the requested number of random bytes from a managed HSM. - - :param int count: The requested number of random bytes. - - :return: The random bytes. - :rtype: bytes - - :raises ValueError or ~azure.core.exceptions.HttpResponseError: - the former if less than one random byte is requested; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_key_client.py - :start-after: [START get_random_bytes] - :end-before: [END get_random_bytes] - :language: python - :caption: Get random bytes - :dedent: 12 - """ - if count < 1: - raise ValueError("At least one random byte must be requested") - parameters = self._models.GetRandomBytesRequest(count=count) - result = self._client.get_random_bytes(vault_base_url=self._vault_url, parameters=parameters, **kwargs) - return result.value - - @distributed_trace - def get_key_rotation_policy(self, key_name: str, **kwargs: Any) -> KeyRotationPolicy: - """Get the rotation policy of a Key Vault key. - - :param str key_name: The name of the key. - - :return: The key rotation policy. - :rtype: ~azure.keyvault.keys.KeyRotationPolicy - - :raises ~azure.core.exceptions.HttpResponseError: - """ - policy = self._client.get_key_rotation_policy(vault_base_url=self._vault_url, key_name=key_name, **kwargs) - return KeyRotationPolicy._from_generated(policy) - - @distributed_trace - def rotate_key(self, name: str, **kwargs: Any) -> KeyVaultKey: - """Rotate the key based on the key policy by generating a new version of the key. - - This operation requires the keys/rotate permission. - - :param str name: The name of the key to rotate. - - :return: The new version of the rotated key. - :rtype: ~azure.keyvault.keys.KeyVaultKey + } - :raises ~azure.core.exceptions.HttpResponseError: - """ - bundle = self._client.rotate_key(vault_base_url=self._vault_url, key_name=name, **kwargs) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace - def update_key_rotation_policy( - self, - key_name: str, - policy: KeyRotationPolicy, - *, - lifetime_actions: Optional[List[KeyRotationLifetimeAction]] = None, - expires_in: Optional[str] = None, - **kwargs: Any, - ) -> KeyRotationPolicy: - """Updates the rotation policy of a Key Vault key. - - This operation requires the keys/update permission. - - :param str key_name: The name of the key in the given vault. - :param policy: The new rotation policy for the key. - :type policy: ~azure.keyvault.keys.KeyRotationPolicy - - :keyword lifetime_actions: Actions that will be performed by Key Vault over the lifetime of a key. This will - override the lifetime actions of the provided ``policy``. - :paramtype lifetime_actions: List[~azure.keyvault.keys.KeyRotationLifetimeAction] - :keyword str expires_in: The expiry time of the policy that will be applied on new key versions, defined as an - ISO 8601 duration. For example: 90 days is "P90D", 3 months is "P3M", and 48 hours is "PT48H". See - `Wikipedia `_ for more information on ISO 8601 durations. - This will override the expiry time of the provided ``policy``. + request_copy.url = self._client.format_url(request_copy.url, **path_format_arguments) + return self._client.send_request(request_copy, stream=stream, **kwargs) # type: ignore - :return: The updated rotation policy. - :rtype: ~azure.keyvault.keys.KeyRotationPolicy + def close(self) -> None: + self._client.close() - :raises ~azure.core.exceptions.HttpResponseError: - """ - actions = lifetime_actions or policy.lifetime_actions - if actions: - actions = [ - self._models.LifetimeActions( - action=self._models.LifetimeActionsType(type=action.action), - trigger=self._models.LifetimeActionsTrigger( - time_after_create=action.time_after_create, time_before_expiry=action.time_before_expiry - ), - ) - for action in actions - ] - - attributes = self._models.KeyRotationPolicyAttributes(expiry_time=expires_in or policy.expires_in) - new_policy = self._models.KeyRotationPolicy(lifetime_actions=actions or [], attributes=attributes) - result = self._client.update_key_rotation_policy( - vault_base_url=self._vault_url, key_name=key_name, key_rotation_policy=new_policy, **kwargs - ) - return KeyRotationPolicy._from_generated(result) - - def __enter__(self) -> "KeyClient": + def __enter__(self) -> Self: self._client.__enter__() return self + + def __exit__(self, *exc_details: Any) -> None: + self._client.__exit__(*exc_details) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_configuration.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_configuration.py similarity index 54% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_configuration.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_configuration.py index c7b4428506e3..b6be7288c7f4 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_configuration.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_configuration.py @@ -2,15 +2,18 @@ # -------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. +# Code generated by Microsoft (R) Python Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- -from typing import Any +from typing import Any, TYPE_CHECKING from azure.core.pipeline import policies -VERSION = "unknown" +from ._version import VERSION + +if TYPE_CHECKING: + from azure.core.credentials import TokenCredential class KeyVaultClientConfiguration: # pylint: disable=too-many-instance-attributes @@ -19,16 +22,28 @@ class KeyVaultClientConfiguration: # pylint: disable=too-many-instance-attribut Note that all parameters used to create this instance are saved as instance attributes. - :keyword api_version: Api Version. Default value is "7.5". Note that overriding this default - value may result in unsupported behavior. + :param vault_base_url: Required. + :type vault_base_url: str + :param credential: Credential used to authenticate requests to the service. Required. + :type credential: ~azure.core.credentials.TokenCredential + :keyword api_version: The API version to use for this operation. Default value is + "7.6-preview.1". Note that overriding this default value may result in unsupported behavior. :paramtype api_version: str """ - def __init__(self, **kwargs: Any) -> None: - api_version: str = kwargs.pop("api_version", "7.5") + def __init__(self, vault_base_url: str, credential: "TokenCredential", **kwargs: Any) -> None: + api_version: str = kwargs.pop("api_version", "7.6-preview.1") + + if vault_base_url is None: + raise ValueError("Parameter 'vault_base_url' must not be None.") + if credential is None: + raise ValueError("Parameter 'credential' must not be None.") + self.vault_base_url = vault_base_url + self.credential = credential self.api_version = api_version - kwargs.setdefault("sdk_moniker", "keyvault/{}".format(VERSION)) + self.credential_scopes = kwargs.pop("credential_scopes", ["https://vault.azure.net/.default"]) + kwargs.setdefault("sdk_moniker", "keyvault-keys/{}".format(VERSION)) self.polling_interval = kwargs.get("polling_interval", 30) self._configure(**kwargs) @@ -42,3 +57,7 @@ def _configure(self, **kwargs: Any) -> None: self.redirect_policy = kwargs.get("redirect_policy") or policies.RedirectPolicy(**kwargs) self.retry_policy = kwargs.get("retry_policy") or policies.RetryPolicy(**kwargs) self.authentication_policy = kwargs.get("authentication_policy") + if self.credential and not self.authentication_policy: + self.authentication_policy = policies.BearerTokenCredentialPolicy( + self.credential, *self.credential_scopes, **kwargs + ) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_enums.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_enums.py deleted file mode 100644 index 24dab8ff5ad7..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_enums.py +++ /dev/null @@ -1,72 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ - -# pylint: disable=enum-must-be-uppercase - -from enum import Enum - -from azure.core import CaseInsensitiveEnumMeta - - -class KeyCurveName(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """Supported elliptic curves""" - - p_256 = "P-256" #: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1. - p_384 = "P-384" #: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1. - p_521 = "P-521" #: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1. - p_256_k = "P-256K" #: The SECG SECP256K1 elliptic curve. - - -class KeyExportEncryptionAlgorithm(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """Supported algorithms for protecting exported key material""" - - ckm_rsa_aes_key_wrap = "CKM_RSA_AES_KEY_WRAP" - rsa_aes_key_wrap_256 = "RSA_AES_KEY_WRAP_256" - rsa_aes_key_wrap_384 = "RSA_AES_KEY_WRAP_384" - - -class KeyOperation(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """Supported key operations""" - - encrypt = "encrypt" - decrypt = "decrypt" - import_key = "import" - sign = "sign" - verify = "verify" - wrap_key = "wrapKey" - unwrap_key = "unwrapKey" - export = "export" - - -class KeyRotationPolicyAction(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """The action that will be executed in a key rotation policy""" - - rotate = "Rotate" #: Rotate the key based on the key policy. - notify = "Notify" #: Trigger Event Grid events. - - @classmethod - def _missing_(cls, value): - for member in cls: - if member.value.lower() == value.lower(): - return member - raise ValueError(f"{value} is not a valid KeyRotationPolicyAction") - - -class KeyType(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """Supported key types""" - - ec = "EC" #: Elliptic Curve - ec_hsm = "EC-HSM" #: Elliptic Curve with a private key which is not exportable from the HSM - rsa = "RSA" #: RSA (https://tools.ietf.org/html/rfc3447) - rsa_hsm = "RSA-HSM" #: RSA with a private key which is not exportable from the HSM - oct = "oct" #: Octet sequence (used to represent symmetric keys) - oct_hsm = "oct-HSM" #: Octet sequence with a private key which is not exportable from the HSM - - @classmethod - def _missing_(cls, value): - for member in cls: - if member.value.lower() == value.lower(): - return member - raise ValueError(f"{value} is not a valid KeyType") diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/__init__.py deleted file mode 100644 index 1e535724e551..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/__init__.py +++ /dev/null @@ -1,23 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from ._client import KeyVaultClient - -try: - from ._patch import __all__ as _patch_all - from ._patch import * # pylint: disable=unused-wildcard-import -except ImportError: - _patch_all = [] -from ._patch import patch_sdk as _patch_sdk - -__all__ = [ - "KeyVaultClient", -] -__all__.extend([p for p in _patch_all if p not in __all__]) - -_patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_client.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_client.py deleted file mode 100644 index 28ee625036e6..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_client.py +++ /dev/null @@ -1,89 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from copy import deepcopy -from typing import Any - -from azure.core import PipelineClient -from azure.core.pipeline import policies -from azure.core.rest import HttpRequest, HttpResponse - -from . import models as _models -from ._configuration import KeyVaultClientConfiguration -from ._operations import KeyVaultClientOperationsMixin -from ._serialization import Deserializer, Serializer - - -class KeyVaultClient(KeyVaultClientOperationsMixin): # pylint: disable=client-accepts-api-version-keyword - """The key vault client performs cryptographic key operations and vault operations against the Key - Vault service. - - :keyword api_version: Api Version. Default value is "7.5". Note that overriding this default - value may result in unsupported behavior. - :paramtype api_version: str - """ - - def __init__(self, **kwargs: Any) -> None: # pylint: disable=missing-client-constructor-parameter-credential - _endpoint = "{vaultBaseUrl}" - self._config = KeyVaultClientConfiguration(**kwargs) - _policies = kwargs.pop("policies", None) - if _policies is None: - _policies = [ - policies.RequestIdPolicy(**kwargs), - self._config.headers_policy, - self._config.user_agent_policy, - self._config.proxy_policy, - policies.ContentDecodePolicy(**kwargs), - self._config.redirect_policy, - self._config.retry_policy, - self._config.authentication_policy, - self._config.custom_hook_policy, - self._config.logging_policy, - policies.DistributedTracingPolicy(**kwargs), - policies.SensitiveHeaderCleanupPolicy(**kwargs) if self._config.redirect_policy else None, - self._config.http_logging_policy, - ] - self._client: PipelineClient = PipelineClient(base_url=_endpoint, policies=_policies, **kwargs) - - client_models = {k: v for k, v in _models._models.__dict__.items() if isinstance(v, type)} - client_models.update({k: v for k, v in _models.__dict__.items() if isinstance(v, type)}) - self._serialize = Serializer(client_models) - self._deserialize = Deserializer(client_models) - self._serialize.client_side_validation = False - - def send_request(self, request: HttpRequest, *, stream: bool = False, **kwargs: Any) -> HttpResponse: - """Runs the network request through the client's chained policies. - - >>> from azure.core.rest import HttpRequest - >>> request = HttpRequest("GET", "https://www.example.org/") - - >>> response = client.send_request(request) - - - For more information on this code flow, see https://aka.ms/azsdk/dpcodegen/python/send_request - - :param request: The network request you want to make. Required. - :type request: ~azure.core.rest.HttpRequest - :keyword bool stream: Whether the response payload will be streamed. Defaults to False. - :return: The response of your network call. Does not do error handling on your response. - :rtype: ~azure.core.rest.HttpResponse - """ - - request_copy = deepcopy(request) - request_copy.url = self._client.format_url(request_copy.url) - return self._client.send_request(request_copy, stream=stream, **kwargs) # type: ignore - - def close(self) -> None: - self._client.close() - - def __enter__(self) -> "KeyVaultClient": - self._client.__enter__() - return self - - def __exit__(self, *exc_details: Any) -> None: - self._client.__exit__(*exc_details) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/__init__.py deleted file mode 100644 index 1e535724e551..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/__init__.py +++ /dev/null @@ -1,23 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from ._client import KeyVaultClient - -try: - from ._patch import __all__ as _patch_all - from ._patch import * # pylint: disable=unused-wildcard-import -except ImportError: - _patch_all = [] -from ._patch import patch_sdk as _patch_sdk - -__all__ = [ - "KeyVaultClient", -] -__all__.extend([p for p in _patch_all if p not in __all__]) - -_patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_client.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_client.py deleted file mode 100644 index f017310ad823..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_client.py +++ /dev/null @@ -1,91 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from copy import deepcopy -from typing import Any, Awaitable - -from azure.core import AsyncPipelineClient -from azure.core.pipeline import policies -from azure.core.rest import AsyncHttpResponse, HttpRequest - -from .. import models as _models -from .._serialization import Deserializer, Serializer -from ._configuration import KeyVaultClientConfiguration -from ._operations import KeyVaultClientOperationsMixin - - -class KeyVaultClient(KeyVaultClientOperationsMixin): # pylint: disable=client-accepts-api-version-keyword - """The key vault client performs cryptographic key operations and vault operations against the Key - Vault service. - - :keyword api_version: Api Version. Default value is "7.5". Note that overriding this default - value may result in unsupported behavior. - :paramtype api_version: str - """ - - def __init__(self, **kwargs: Any) -> None: # pylint: disable=missing-client-constructor-parameter-credential - _endpoint = "{vaultBaseUrl}" - self._config = KeyVaultClientConfiguration(**kwargs) - _policies = kwargs.pop("policies", None) - if _policies is None: - _policies = [ - policies.RequestIdPolicy(**kwargs), - self._config.headers_policy, - self._config.user_agent_policy, - self._config.proxy_policy, - policies.ContentDecodePolicy(**kwargs), - self._config.redirect_policy, - self._config.retry_policy, - self._config.authentication_policy, - self._config.custom_hook_policy, - self._config.logging_policy, - policies.DistributedTracingPolicy(**kwargs), - policies.SensitiveHeaderCleanupPolicy(**kwargs) if self._config.redirect_policy else None, - self._config.http_logging_policy, - ] - self._client: AsyncPipelineClient = AsyncPipelineClient(base_url=_endpoint, policies=_policies, **kwargs) - - client_models = {k: v for k, v in _models._models.__dict__.items() if isinstance(v, type)} - client_models.update({k: v for k, v in _models.__dict__.items() if isinstance(v, type)}) - self._serialize = Serializer(client_models) - self._deserialize = Deserializer(client_models) - self._serialize.client_side_validation = False - - def send_request( - self, request: HttpRequest, *, stream: bool = False, **kwargs: Any - ) -> Awaitable[AsyncHttpResponse]: - """Runs the network request through the client's chained policies. - - >>> from azure.core.rest import HttpRequest - >>> request = HttpRequest("GET", "https://www.example.org/") - - >>> response = await client.send_request(request) - - - For more information on this code flow, see https://aka.ms/azsdk/dpcodegen/python/send_request - - :param request: The network request you want to make. Required. - :type request: ~azure.core.rest.HttpRequest - :keyword bool stream: Whether the response payload will be streamed. Defaults to False. - :return: The response of your network call. Does not do error handling on your response. - :rtype: ~azure.core.rest.AsyncHttpResponse - """ - - request_copy = deepcopy(request) - request_copy.url = self._client.format_url(request_copy.url) - return self._client.send_request(request_copy, stream=stream, **kwargs) # type: ignore - - async def close(self) -> None: - await self._client.close() - - async def __aenter__(self) -> "KeyVaultClient": - await self._client.__aenter__() - return self - - async def __aexit__(self, *exc_details: Any) -> None: - await self._client.__aexit__(*exc_details) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/__init__.py deleted file mode 100644 index de26d6fe0c5d..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/__init__.py +++ /dev/null @@ -1,95 +0,0 @@ -# coding=utf-8 -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -from ._models import Attributes -from ._models import BackupKeyResult -from ._models import DeletedKeyBundle -from ._models import DeletedKeyItem -from ._models import Error -from ._models import GetRandomBytesRequest -from ._models import JsonWebKey -from ._models import KeyAttributes -from ._models import KeyBundle -from ._models import KeyCreateParameters -from ._models import KeyExportParameters -from ._models import KeyImportParameters -from ._models import KeyItem -from ._models import KeyOperationResult -from ._models import KeyOperationsParameters -from ._models import KeyProperties -from ._models import KeyReleaseParameters -from ._models import KeyReleasePolicy -from ._models import KeyReleaseResult -from ._models import KeyRestoreParameters -from ._models import KeyRotationPolicy -from ._models import KeyRotationPolicyAttributes -from ._models import KeySignParameters -from ._models import KeyUpdateParameters -from ._models import KeyVaultError -from ._models import KeyVerifyParameters -from ._models import KeyVerifyResult -from ._models import LifetimeActions -from ._models import LifetimeActionsTrigger -from ._models import LifetimeActionsType -from ._models import RandomBytes - -from ._enums import ActionType -from ._enums import DeletionRecoveryLevel -from ._enums import JsonWebKeyCurveName -from ._enums import JsonWebKeyEncryptionAlgorithm -from ._enums import JsonWebKeyOperation -from ._enums import JsonWebKeySignatureAlgorithm -from ._enums import JsonWebKeyType -from ._enums import KeyEncryptionAlgorithm -from ._patch import __all__ as _patch_all -from ._patch import * # pylint: disable=unused-wildcard-import -from ._patch import patch_sdk as _patch_sdk - -__all__ = [ - "Attributes", - "BackupKeyResult", - "DeletedKeyBundle", - "DeletedKeyItem", - "Error", - "GetRandomBytesRequest", - "JsonWebKey", - "KeyAttributes", - "KeyBundle", - "KeyCreateParameters", - "KeyExportParameters", - "KeyImportParameters", - "KeyItem", - "KeyOperationResult", - "KeyOperationsParameters", - "KeyProperties", - "KeyReleaseParameters", - "KeyReleasePolicy", - "KeyReleaseResult", - "KeyRestoreParameters", - "KeyRotationPolicy", - "KeyRotationPolicyAttributes", - "KeySignParameters", - "KeyUpdateParameters", - "KeyVaultError", - "KeyVerifyParameters", - "KeyVerifyResult", - "LifetimeActions", - "LifetimeActionsTrigger", - "LifetimeActionsType", - "RandomBytes", - "ActionType", - "DeletionRecoveryLevel", - "JsonWebKeyCurveName", - "JsonWebKeyEncryptionAlgorithm", - "JsonWebKeyOperation", - "JsonWebKeySignatureAlgorithm", - "JsonWebKeyType", - "KeyEncryptionAlgorithm", -] -__all__.extend([p for p in _patch_all if p not in __all__]) -_patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/_models.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/_models.py deleted file mode 100644 index bb1b908eb308..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/_models.py +++ /dev/null @@ -1,1552 +0,0 @@ -# coding=utf-8 -# pylint: disable=too-many-lines -# -------------------------------------------------------------------------- -# Copyright (c) Microsoft Corporation. All rights reserved. -# Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. -# Changes may cause incorrect behavior and will be lost if the code is regenerated. -# -------------------------------------------------------------------------- - -import datetime -from typing import Any, Dict, List, Optional, TYPE_CHECKING, Union - -from .. import _serialization - -if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports - from .. import models as _models - - -class Attributes(_serialization.Model): - """The object attributes managed by the KeyVault service. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar enabled: Determines whether the object is enabled. - :vartype enabled: bool - :ivar not_before: Not before date in UTC. - :vartype not_before: ~datetime.datetime - :ivar expires: Expiry date in UTC. - :vartype expires: ~datetime.datetime - :ivar created: Creation time in UTC. - :vartype created: ~datetime.datetime - :ivar updated: Last updated time in UTC. - :vartype updated: ~datetime.datetime - """ - - _validation = { - "created": {"readonly": True}, - "updated": {"readonly": True}, - } - - _attribute_map = { - "enabled": {"key": "enabled", "type": "bool"}, - "not_before": {"key": "nbf", "type": "unix-time"}, - "expires": {"key": "exp", "type": "unix-time"}, - "created": {"key": "created", "type": "unix-time"}, - "updated": {"key": "updated", "type": "unix-time"}, - } - - def __init__( - self, - *, - enabled: Optional[bool] = None, - not_before: Optional[datetime.datetime] = None, - expires: Optional[datetime.datetime] = None, - **kwargs: Any - ) -> None: - """ - :keyword enabled: Determines whether the object is enabled. - :paramtype enabled: bool - :keyword not_before: Not before date in UTC. - :paramtype not_before: ~datetime.datetime - :keyword expires: Expiry date in UTC. - :paramtype expires: ~datetime.datetime - """ - super().__init__(**kwargs) - self.enabled = enabled - self.not_before = not_before - self.expires = expires - self.created = None - self.updated = None - - -class BackupKeyResult(_serialization.Model): - """The backup key result, containing the backup blob. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar value: The backup blob containing the backed up key. - :vartype value: bytes - """ - - _validation = { - "value": {"readonly": True}, - } - - _attribute_map = { - "value": {"key": "value", "type": "base64"}, - } - - def __init__(self, **kwargs: Any) -> None: - """ """ - super().__init__(**kwargs) - self.value = None - - -class KeyBundle(_serialization.Model): - """A KeyBundle consisting of a WebKey plus its attributes. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar key: The Json web key. - :vartype key: ~azure.keyvault.v7_5.models.JsonWebKey - :ivar attributes: The key management attributes. - :vartype attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :ivar tags: Application specific metadata in the form of key-value pairs. - :vartype tags: dict[str, str] - :ivar managed: True if the key's lifetime is managed by key vault. If this is a key backing a - certificate, then managed will be true. - :vartype managed: bool - :ivar release_policy: The policy rules under which the key can be exported. - :vartype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - """ - - _validation = { - "managed": {"readonly": True}, - } - - _attribute_map = { - "key": {"key": "key", "type": "JsonWebKey"}, - "attributes": {"key": "attributes", "type": "KeyAttributes"}, - "tags": {"key": "tags", "type": "{str}"}, - "managed": {"key": "managed", "type": "bool"}, - "release_policy": {"key": "release_policy", "type": "KeyReleasePolicy"}, - } - - def __init__( - self, - *, - key: Optional["_models.JsonWebKey"] = None, - attributes: Optional["_models.KeyAttributes"] = None, - tags: Optional[Dict[str, str]] = None, - release_policy: Optional["_models.KeyReleasePolicy"] = None, - **kwargs: Any - ) -> None: - """ - :keyword key: The Json web key. - :paramtype key: ~azure.keyvault.v7_5.models.JsonWebKey - :keyword attributes: The key management attributes. - :paramtype attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - """ - super().__init__(**kwargs) - self.key = key - self.attributes = attributes - self.tags = tags - self.managed = None - self.release_policy = release_policy - - -class DeletedKeyBundle(KeyBundle): - """A DeletedKeyBundle consisting of a WebKey plus its Attributes and deletion info. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar key: The Json web key. - :vartype key: ~azure.keyvault.v7_5.models.JsonWebKey - :ivar attributes: The key management attributes. - :vartype attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :ivar tags: Application specific metadata in the form of key-value pairs. - :vartype tags: dict[str, str] - :ivar managed: True if the key's lifetime is managed by key vault. If this is a key backing a - certificate, then managed will be true. - :vartype managed: bool - :ivar release_policy: The policy rules under which the key can be exported. - :vartype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - :ivar recovery_id: The url of the recovery object, used to identify and recover the deleted - key. - :vartype recovery_id: str - :ivar scheduled_purge_date: The time when the key is scheduled to be purged, in UTC. - :vartype scheduled_purge_date: ~datetime.datetime - :ivar deleted_date: The time when the key was deleted, in UTC. - :vartype deleted_date: ~datetime.datetime - """ - - _validation = { - "managed": {"readonly": True}, - "scheduled_purge_date": {"readonly": True}, - "deleted_date": {"readonly": True}, - } - - _attribute_map = { - "key": {"key": "key", "type": "JsonWebKey"}, - "attributes": {"key": "attributes", "type": "KeyAttributes"}, - "tags": {"key": "tags", "type": "{str}"}, - "managed": {"key": "managed", "type": "bool"}, - "release_policy": {"key": "release_policy", "type": "KeyReleasePolicy"}, - "recovery_id": {"key": "recoveryId", "type": "str"}, - "scheduled_purge_date": {"key": "scheduledPurgeDate", "type": "unix-time"}, - "deleted_date": {"key": "deletedDate", "type": "unix-time"}, - } - - def __init__( - self, - *, - key: Optional["_models.JsonWebKey"] = None, - attributes: Optional["_models.KeyAttributes"] = None, - tags: Optional[Dict[str, str]] = None, - release_policy: Optional["_models.KeyReleasePolicy"] = None, - recovery_id: Optional[str] = None, - **kwargs: Any - ) -> None: - """ - :keyword key: The Json web key. - :paramtype key: ~azure.keyvault.v7_5.models.JsonWebKey - :keyword attributes: The key management attributes. - :paramtype attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - :keyword recovery_id: The url of the recovery object, used to identify and recover the deleted - key. - :paramtype recovery_id: str - """ - super().__init__(key=key, attributes=attributes, tags=tags, release_policy=release_policy, **kwargs) - self.recovery_id = recovery_id - self.scheduled_purge_date = None - self.deleted_date = None - - -class KeyItem(_serialization.Model): - """The key item containing key metadata. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar kid: Key identifier. - :vartype kid: str - :ivar attributes: The key management attributes. - :vartype attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :ivar tags: Application specific metadata in the form of key-value pairs. - :vartype tags: dict[str, str] - :ivar managed: True if the key's lifetime is managed by key vault. If this is a key backing a - certificate, then managed will be true. - :vartype managed: bool - """ - - _validation = { - "managed": {"readonly": True}, - } - - _attribute_map = { - "kid": {"key": "kid", "type": "str"}, - "attributes": {"key": "attributes", "type": "KeyAttributes"}, - "tags": {"key": "tags", "type": "{str}"}, - "managed": {"key": "managed", "type": "bool"}, - } - - def __init__( - self, - *, - kid: Optional[str] = None, - attributes: Optional["_models.KeyAttributes"] = None, - tags: Optional[Dict[str, str]] = None, - **kwargs: Any - ) -> None: - """ - :keyword kid: Key identifier. - :paramtype kid: str - :keyword attributes: The key management attributes. - :paramtype attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] - """ - super().__init__(**kwargs) - self.kid = kid - self.attributes = attributes - self.tags = tags - self.managed = None - - -class DeletedKeyItem(KeyItem): - """The deleted key item containing the deleted key metadata and information about deletion. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar kid: Key identifier. - :vartype kid: str - :ivar attributes: The key management attributes. - :vartype attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :ivar tags: Application specific metadata in the form of key-value pairs. - :vartype tags: dict[str, str] - :ivar managed: True if the key's lifetime is managed by key vault. If this is a key backing a - certificate, then managed will be true. - :vartype managed: bool - :ivar recovery_id: The url of the recovery object, used to identify and recover the deleted - key. - :vartype recovery_id: str - :ivar scheduled_purge_date: The time when the key is scheduled to be purged, in UTC. - :vartype scheduled_purge_date: ~datetime.datetime - :ivar deleted_date: The time when the key was deleted, in UTC. - :vartype deleted_date: ~datetime.datetime - """ - - _validation = { - "managed": {"readonly": True}, - "scheduled_purge_date": {"readonly": True}, - "deleted_date": {"readonly": True}, - } - - _attribute_map = { - "kid": {"key": "kid", "type": "str"}, - "attributes": {"key": "attributes", "type": "KeyAttributes"}, - "tags": {"key": "tags", "type": "{str}"}, - "managed": {"key": "managed", "type": "bool"}, - "recovery_id": {"key": "recoveryId", "type": "str"}, - "scheduled_purge_date": {"key": "scheduledPurgeDate", "type": "unix-time"}, - "deleted_date": {"key": "deletedDate", "type": "unix-time"}, - } - - def __init__( - self, - *, - kid: Optional[str] = None, - attributes: Optional["_models.KeyAttributes"] = None, - tags: Optional[Dict[str, str]] = None, - recovery_id: Optional[str] = None, - **kwargs: Any - ) -> None: - """ - :keyword kid: Key identifier. - :paramtype kid: str - :keyword attributes: The key management attributes. - :paramtype attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] - :keyword recovery_id: The url of the recovery object, used to identify and recover the deleted - key. - :paramtype recovery_id: str - """ - super().__init__(kid=kid, attributes=attributes, tags=tags, **kwargs) - self.recovery_id = recovery_id - self.scheduled_purge_date = None - self.deleted_date = None - - -class DeletedKeyListResult(_serialization.Model): - """A list of keys that have been deleted in this vault. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar value: A response message containing a list of deleted keys in the vault along with a - link to the next page of deleted keys. - :vartype value: list[~azure.keyvault.v7_5.models.DeletedKeyItem] - :ivar next_link: The URL to get the next set of deleted keys. - :vartype next_link: str - """ - - _validation = { - "value": {"readonly": True}, - "next_link": {"readonly": True}, - } - - _attribute_map = { - "value": {"key": "value", "type": "[DeletedKeyItem]"}, - "next_link": {"key": "nextLink", "type": "str"}, - } - - def __init__(self, **kwargs: Any) -> None: - """ """ - super().__init__(**kwargs) - self.value = None - self.next_link = None - - -class Error(_serialization.Model): - """The key vault server error. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar code: The error code. - :vartype code: str - :ivar message: The error message. - :vartype message: str - :ivar inner_error: The key vault server error. - :vartype inner_error: ~azure.keyvault.v7_5.models.Error - """ - - _validation = { - "code": {"readonly": True}, - "message": {"readonly": True}, - "inner_error": {"readonly": True}, - } - - _attribute_map = { - "code": {"key": "code", "type": "str"}, - "message": {"key": "message", "type": "str"}, - "inner_error": {"key": "innererror", "type": "Error"}, - } - - def __init__(self, **kwargs: Any) -> None: - """ """ - super().__init__(**kwargs) - self.code = None - self.message = None - self.inner_error = None - - -class GetRandomBytesRequest(_serialization.Model): - """The get random bytes request object. - - All required parameters must be populated in order to send to server. - - :ivar count: The requested number of random bytes. Required. - :vartype count: int - """ - - _validation = { - "count": {"required": True, "maximum": 128, "minimum": 1}, - } - - _attribute_map = { - "count": {"key": "count", "type": "int"}, - } - - def __init__(self, *, count: int, **kwargs: Any) -> None: - """ - :keyword count: The requested number of random bytes. Required. - :paramtype count: int - """ - super().__init__(**kwargs) - self.count = count - - -class JsonWebKey(_serialization.Model): # pylint: disable=too-many-instance-attributes - """As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18. - - :ivar kid: Key identifier. - :vartype kid: str - :ivar kty: JsonWebKey Key Type (kty), as defined in - https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. Known values are: "EC", - "EC-HSM", "RSA", "RSA-HSM", "oct", and "oct-HSM". - :vartype kty: str or ~azure.keyvault.v7_5.models.JsonWebKeyType - :ivar key_ops: - :vartype key_ops: list[str] - :ivar n: RSA modulus. - :vartype n: bytes - :ivar e: RSA public exponent. - :vartype e: bytes - :ivar d: RSA private exponent, or the D component of an EC private key. - :vartype d: bytes - :ivar dp: RSA private key parameter. - :vartype dp: bytes - :ivar dq: RSA private key parameter. - :vartype dq: bytes - :ivar qi: RSA private key parameter. - :vartype qi: bytes - :ivar p: RSA secret prime. - :vartype p: bytes - :ivar q: RSA secret prime, with p < q. - :vartype q: bytes - :ivar k: Symmetric key. - :vartype k: bytes - :ivar t: Protected Key, used with 'Bring Your Own Key'. - :vartype t: bytes - :ivar crv: Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values are: - "P-256", "P-384", "P-521", and "P-256K". - :vartype crv: str or ~azure.keyvault.v7_5.models.JsonWebKeyCurveName - :ivar x: X component of an EC public key. - :vartype x: bytes - :ivar y: Y component of an EC public key. - :vartype y: bytes - """ - - _attribute_map = { - "kid": {"key": "kid", "type": "str"}, - "kty": {"key": "kty", "type": "str"}, - "key_ops": {"key": "key_ops", "type": "[str]"}, - "n": {"key": "n", "type": "base64"}, - "e": {"key": "e", "type": "base64"}, - "d": {"key": "d", "type": "base64"}, - "dp": {"key": "dp", "type": "base64"}, - "dq": {"key": "dq", "type": "base64"}, - "qi": {"key": "qi", "type": "base64"}, - "p": {"key": "p", "type": "base64"}, - "q": {"key": "q", "type": "base64"}, - "k": {"key": "k", "type": "base64"}, - "t": {"key": "key_hsm", "type": "base64"}, - "crv": {"key": "crv", "type": "str"}, - "x": {"key": "x", "type": "base64"}, - "y": {"key": "y", "type": "base64"}, - } - - def __init__( - self, - *, - kid: Optional[str] = None, - kty: Optional[Union[str, "_models.JsonWebKeyType"]] = None, - key_ops: Optional[List[str]] = None, - n: Optional[bytes] = None, - e: Optional[bytes] = None, - d: Optional[bytes] = None, - dp: Optional[bytes] = None, - dq: Optional[bytes] = None, - qi: Optional[bytes] = None, - p: Optional[bytes] = None, - q: Optional[bytes] = None, - k: Optional[bytes] = None, - t: Optional[bytes] = None, - crv: Optional[Union[str, "_models.JsonWebKeyCurveName"]] = None, - x: Optional[bytes] = None, - y: Optional[bytes] = None, - **kwargs: Any - ) -> None: - """ - :keyword kid: Key identifier. - :paramtype kid: str - :keyword kty: JsonWebKey Key Type (kty), as defined in - https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. Known values are: "EC", - "EC-HSM", "RSA", "RSA-HSM", "oct", and "oct-HSM". - :paramtype kty: str or ~azure.keyvault.v7_5.models.JsonWebKeyType - :keyword key_ops: - :paramtype key_ops: list[str] - :keyword n: RSA modulus. - :paramtype n: bytes - :keyword e: RSA public exponent. - :paramtype e: bytes - :keyword d: RSA private exponent, or the D component of an EC private key. - :paramtype d: bytes - :keyword dp: RSA private key parameter. - :paramtype dp: bytes - :keyword dq: RSA private key parameter. - :paramtype dq: bytes - :keyword qi: RSA private key parameter. - :paramtype qi: bytes - :keyword p: RSA secret prime. - :paramtype p: bytes - :keyword q: RSA secret prime, with p < q. - :paramtype q: bytes - :keyword k: Symmetric key. - :paramtype k: bytes - :keyword t: Protected Key, used with 'Bring Your Own Key'. - :paramtype t: bytes - :keyword crv: Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values are: - "P-256", "P-384", "P-521", and "P-256K". - :paramtype crv: str or ~azure.keyvault.v7_5.models.JsonWebKeyCurveName - :keyword x: X component of an EC public key. - :paramtype x: bytes - :keyword y: Y component of an EC public key. - :paramtype y: bytes - """ - super().__init__(**kwargs) - self.kid = kid - self.kty = kty - self.key_ops = key_ops - self.n = n - self.e = e - self.d = d - self.dp = dp - self.dq = dq - self.qi = qi - self.p = p - self.q = q - self.k = k - self.t = t - self.crv = crv - self.x = x - self.y = y - - -class KeyAttributes(Attributes): - """The attributes of a key managed by the key vault service. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar enabled: Determines whether the object is enabled. - :vartype enabled: bool - :ivar not_before: Not before date in UTC. - :vartype not_before: ~datetime.datetime - :ivar expires: Expiry date in UTC. - :vartype expires: ~datetime.datetime - :ivar created: Creation time in UTC. - :vartype created: ~datetime.datetime - :ivar updated: Last updated time in UTC. - :vartype updated: ~datetime.datetime - :ivar recoverable_days: softDelete data retention days. Value should be >=7 and <=90 when - softDelete enabled, otherwise 0. - :vartype recoverable_days: int - :ivar recovery_level: Reflects the deletion recovery level currently in effect for keys in the - current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged - user; otherwise, only the system can purge the key, at the end of the retention interval. Known - values are: "Purgeable", "Recoverable+Purgeable", "Recoverable", - "Recoverable+ProtectedSubscription", "CustomizedRecoverable+Purgeable", - "CustomizedRecoverable", and "CustomizedRecoverable+ProtectedSubscription". - :vartype recovery_level: str or ~azure.keyvault.v7_5.models.DeletionRecoveryLevel - :ivar exportable: Indicates if the private key can be exported. Release policy must be provided - when creating the first version of an exportable key. - :vartype exportable: bool - :ivar hsm_platform: The underlying HSM Platform. - :vartype hsm_platform: str - """ - - _validation = { - "created": {"readonly": True}, - "updated": {"readonly": True}, - "recoverable_days": {"readonly": True}, - "recovery_level": {"readonly": True}, - "hsm_platform": {"readonly": True}, - } - - _attribute_map = { - "enabled": {"key": "enabled", "type": "bool"}, - "not_before": {"key": "nbf", "type": "unix-time"}, - "expires": {"key": "exp", "type": "unix-time"}, - "created": {"key": "created", "type": "unix-time"}, - "updated": {"key": "updated", "type": "unix-time"}, - "recoverable_days": {"key": "recoverableDays", "type": "int"}, - "recovery_level": {"key": "recoveryLevel", "type": "str"}, - "exportable": {"key": "exportable", "type": "bool"}, - "hsm_platform": {"key": "hsmPlatform", "type": "str"}, - } - - def __init__( - self, - *, - enabled: Optional[bool] = None, - not_before: Optional[datetime.datetime] = None, - expires: Optional[datetime.datetime] = None, - exportable: Optional[bool] = None, - **kwargs: Any - ) -> None: - """ - :keyword enabled: Determines whether the object is enabled. - :paramtype enabled: bool - :keyword not_before: Not before date in UTC. - :paramtype not_before: ~datetime.datetime - :keyword expires: Expiry date in UTC. - :paramtype expires: ~datetime.datetime - :keyword exportable: Indicates if the private key can be exported. Release policy must be - provided when creating the first version of an exportable key. - :paramtype exportable: bool - """ - super().__init__(enabled=enabled, not_before=not_before, expires=expires, **kwargs) - self.recoverable_days = None - self.recovery_level = None - self.exportable = exportable - self.hsm_platform = None - - -class KeyCreateParameters(_serialization.Model): - """The key create parameters. - - All required parameters must be populated in order to send to server. - - :ivar kty: The type of key to create. For valid values, see JsonWebKeyType. Required. Known - values are: "EC", "EC-HSM", "RSA", "RSA-HSM", "oct", and "oct-HSM". - :vartype kty: str or ~azure.keyvault.v7_5.models.JsonWebKeyType - :ivar key_size: The key size in bits. For example: 2048, 3072, or 4096 for RSA. - :vartype key_size: int - :ivar public_exponent: The public exponent for a RSA key. - :vartype public_exponent: int - :ivar key_ops: - :vartype key_ops: list[str or ~azure.keyvault.v7_5.models.JsonWebKeyOperation] - :ivar key_attributes: The attributes of a key managed by the key vault service. - :vartype key_attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :ivar tags: Application specific metadata in the form of key-value pairs. - :vartype tags: dict[str, str] - :ivar curve: Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values are: - "P-256", "P-384", "P-521", and "P-256K". - :vartype curve: str or ~azure.keyvault.v7_5.models.JsonWebKeyCurveName - :ivar release_policy: The policy rules under which the key can be exported. - :vartype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - """ - - _validation = { - "kty": {"required": True}, - } - - _attribute_map = { - "kty": {"key": "kty", "type": "str"}, - "key_size": {"key": "key_size", "type": "int"}, - "public_exponent": {"key": "public_exponent", "type": "int"}, - "key_ops": {"key": "key_ops", "type": "[str]"}, - "key_attributes": {"key": "attributes", "type": "KeyAttributes"}, - "tags": {"key": "tags", "type": "{str}"}, - "curve": {"key": "crv", "type": "str"}, - "release_policy": {"key": "release_policy", "type": "KeyReleasePolicy"}, - } - - def __init__( - self, - *, - kty: Union[str, "_models.JsonWebKeyType"], - key_size: Optional[int] = None, - public_exponent: Optional[int] = None, - key_ops: Optional[List[Union[str, "_models.JsonWebKeyOperation"]]] = None, - key_attributes: Optional["_models.KeyAttributes"] = None, - tags: Optional[Dict[str, str]] = None, - curve: Optional[Union[str, "_models.JsonWebKeyCurveName"]] = None, - release_policy: Optional["_models.KeyReleasePolicy"] = None, - **kwargs: Any - ) -> None: - """ - :keyword kty: The type of key to create. For valid values, see JsonWebKeyType. Required. Known - values are: "EC", "EC-HSM", "RSA", "RSA-HSM", "oct", and "oct-HSM". - :paramtype kty: str or ~azure.keyvault.v7_5.models.JsonWebKeyType - :keyword key_size: The key size in bits. For example: 2048, 3072, or 4096 for RSA. - :paramtype key_size: int - :keyword public_exponent: The public exponent for a RSA key. - :paramtype public_exponent: int - :keyword key_ops: - :paramtype key_ops: list[str or ~azure.keyvault.v7_5.models.JsonWebKeyOperation] - :keyword key_attributes: The attributes of a key managed by the key vault service. - :paramtype key_attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] - :keyword curve: Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values - are: "P-256", "P-384", "P-521", and "P-256K". - :paramtype curve: str or ~azure.keyvault.v7_5.models.JsonWebKeyCurveName - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - """ - super().__init__(**kwargs) - self.kty = kty - self.key_size = key_size - self.public_exponent = public_exponent - self.key_ops = key_ops - self.key_attributes = key_attributes - self.tags = tags - self.curve = curve - self.release_policy = release_policy - - -class KeyExportParameters(_serialization.Model): - """The export key parameters. - - :ivar wrapping_key: The export key encryption Json web key. This key MUST be a RSA key that - supports encryption. - :vartype wrapping_key: ~azure.keyvault.v7_5.models.JsonWebKey - :ivar wrapping_kid: The export key encryption key identifier. This key MUST be a RSA key that - supports encryption. - :vartype wrapping_kid: str - :ivar enc: The encryption algorithm to use to protected the exported key material. Known values - are: "CKM_RSA_AES_KEY_WRAP", "RSA_AES_KEY_WRAP_256", and "RSA_AES_KEY_WRAP_384". - :vartype enc: str or ~azure.keyvault.v7_5.models.KeyEncryptionAlgorithm - """ - - _attribute_map = { - "wrapping_key": {"key": "wrappingKey", "type": "JsonWebKey"}, - "wrapping_kid": {"key": "wrappingKid", "type": "str"}, - "enc": {"key": "enc", "type": "str"}, - } - - def __init__( - self, - *, - wrapping_key: Optional["_models.JsonWebKey"] = None, - wrapping_kid: Optional[str] = None, - enc: Optional[Union[str, "_models.KeyEncryptionAlgorithm"]] = None, - **kwargs: Any - ) -> None: - """ - :keyword wrapping_key: The export key encryption Json web key. This key MUST be a RSA key that - supports encryption. - :paramtype wrapping_key: ~azure.keyvault.v7_5.models.JsonWebKey - :keyword wrapping_kid: The export key encryption key identifier. This key MUST be a RSA key - that supports encryption. - :paramtype wrapping_kid: str - :keyword enc: The encryption algorithm to use to protected the exported key material. Known - values are: "CKM_RSA_AES_KEY_WRAP", "RSA_AES_KEY_WRAP_256", and "RSA_AES_KEY_WRAP_384". - :paramtype enc: str or ~azure.keyvault.v7_5.models.KeyEncryptionAlgorithm - """ - super().__init__(**kwargs) - self.wrapping_key = wrapping_key - self.wrapping_kid = wrapping_kid - self.enc = enc - - -class KeyImportParameters(_serialization.Model): - """The key import parameters. - - All required parameters must be populated in order to send to server. - - :ivar hsm: Whether to import as a hardware key (HSM) or software key. - :vartype hsm: bool - :ivar key: The Json web key. Required. - :vartype key: ~azure.keyvault.v7_5.models.JsonWebKey - :ivar key_attributes: The key management attributes. - :vartype key_attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :ivar tags: Application specific metadata in the form of key-value pairs. - :vartype tags: dict[str, str] - :ivar release_policy: The policy rules under which the key can be exported. - :vartype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - """ - - _validation = { - "key": {"required": True}, - } - - _attribute_map = { - "hsm": {"key": "Hsm", "type": "bool"}, - "key": {"key": "key", "type": "JsonWebKey"}, - "key_attributes": {"key": "attributes", "type": "KeyAttributes"}, - "tags": {"key": "tags", "type": "{str}"}, - "release_policy": {"key": "release_policy", "type": "KeyReleasePolicy"}, - } - - def __init__( - self, - *, - key: "_models.JsonWebKey", - hsm: Optional[bool] = None, - key_attributes: Optional["_models.KeyAttributes"] = None, - tags: Optional[Dict[str, str]] = None, - release_policy: Optional["_models.KeyReleasePolicy"] = None, - **kwargs: Any - ) -> None: - """ - :keyword hsm: Whether to import as a hardware key (HSM) or software key. - :paramtype hsm: bool - :keyword key: The Json web key. Required. - :paramtype key: ~azure.keyvault.v7_5.models.JsonWebKey - :keyword key_attributes: The key management attributes. - :paramtype key_attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - """ - super().__init__(**kwargs) - self.hsm = hsm - self.key = key - self.key_attributes = key_attributes - self.tags = tags - self.release_policy = release_policy - - -class KeyListResult(_serialization.Model): - """The key list result. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar value: A response message containing a list of keys in the key vault along with a link to - the next page of keys. - :vartype value: list[~azure.keyvault.v7_5.models.KeyItem] - :ivar next_link: The URL to get the next set of keys. - :vartype next_link: str - """ - - _validation = { - "value": {"readonly": True}, - "next_link": {"readonly": True}, - } - - _attribute_map = { - "value": {"key": "value", "type": "[KeyItem]"}, - "next_link": {"key": "nextLink", "type": "str"}, - } - - def __init__(self, **kwargs: Any) -> None: - """ """ - super().__init__(**kwargs) - self.value = None - self.next_link = None - - -class KeyOperationResult(_serialization.Model): - """The key operation result. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar kid: Key identifier. - :vartype kid: str - :ivar result: - :vartype result: bytes - :ivar iv: - :vartype iv: bytes - :ivar authentication_tag: - :vartype authentication_tag: bytes - :ivar additional_authenticated_data: - :vartype additional_authenticated_data: bytes - """ - - _validation = { - "kid": {"readonly": True}, - "result": {"readonly": True}, - "iv": {"readonly": True}, - "authentication_tag": {"readonly": True}, - "additional_authenticated_data": {"readonly": True}, - } - - _attribute_map = { - "kid": {"key": "kid", "type": "str"}, - "result": {"key": "value", "type": "base64"}, - "iv": {"key": "iv", "type": "base64"}, - "authentication_tag": {"key": "tag", "type": "base64"}, - "additional_authenticated_data": {"key": "aad", "type": "base64"}, - } - - def __init__(self, **kwargs: Any) -> None: - """ """ - super().__init__(**kwargs) - self.kid = None - self.result = None - self.iv = None - self.authentication_tag = None - self.additional_authenticated_data = None - - -class KeyOperationsParameters(_serialization.Model): - """The key operations parameters. - - All required parameters must be populated in order to send to server. - - :ivar algorithm: algorithm identifier. Required. Known values are: "RSA-OAEP", "RSA-OAEP-256", - "RSA1_5", "A128GCM", "A192GCM", "A256GCM", "A128KW", "A192KW", "A256KW", "A128CBC", "A192CBC", - "A256CBC", "A128CBCPAD", "A192CBCPAD", and "A256CBCPAD". - :vartype algorithm: str or ~azure.keyvault.v7_5.models.JsonWebKeyEncryptionAlgorithm - :ivar value: Required. - :vartype value: bytes - :ivar iv: Cryptographically random, non-repeating initialization vector for symmetric - algorithms. - :vartype iv: bytes - :ivar aad: Additional data to authenticate but not encrypt/decrypt when using authenticated - crypto algorithms. - :vartype aad: bytes - :ivar tag: The tag to authenticate when performing decryption with an authenticated algorithm. - :vartype tag: bytes - """ - - _validation = { - "algorithm": {"required": True}, - "value": {"required": True}, - } - - _attribute_map = { - "algorithm": {"key": "alg", "type": "str"}, - "value": {"key": "value", "type": "base64"}, - "iv": {"key": "iv", "type": "base64"}, - "aad": {"key": "aad", "type": "base64"}, - "tag": {"key": "tag", "type": "base64"}, - } - - def __init__( - self, - *, - algorithm: Union[str, "_models.JsonWebKeyEncryptionAlgorithm"], - value: bytes, - iv: Optional[bytes] = None, - aad: Optional[bytes] = None, - tag: Optional[bytes] = None, - **kwargs: Any - ) -> None: - """ - :keyword algorithm: algorithm identifier. Required. Known values are: "RSA-OAEP", - "RSA-OAEP-256", "RSA1_5", "A128GCM", "A192GCM", "A256GCM", "A128KW", "A192KW", "A256KW", - "A128CBC", "A192CBC", "A256CBC", "A128CBCPAD", "A192CBCPAD", and "A256CBCPAD". - :paramtype algorithm: str or ~azure.keyvault.v7_5.models.JsonWebKeyEncryptionAlgorithm - :keyword value: Required. - :paramtype value: bytes - :keyword iv: Cryptographically random, non-repeating initialization vector for symmetric - algorithms. - :paramtype iv: bytes - :keyword aad: Additional data to authenticate but not encrypt/decrypt when using authenticated - crypto algorithms. - :paramtype aad: bytes - :keyword tag: The tag to authenticate when performing decryption with an authenticated - algorithm. - :paramtype tag: bytes - """ - super().__init__(**kwargs) - self.algorithm = algorithm - self.value = value - self.iv = iv - self.aad = aad - self.tag = tag - - -class KeyProperties(_serialization.Model): - """Properties of the key pair backing a certificate. - - :ivar exportable: Indicates if the private key can be exported. Release policy must be provided - when creating the first version of an exportable key. - :vartype exportable: bool - :ivar key_type: The type of key pair to be used for the certificate. Known values are: "EC", - "EC-HSM", "RSA", "RSA-HSM", "oct", and "oct-HSM". - :vartype key_type: str or ~azure.keyvault.v7_5.models.JsonWebKeyType - :ivar key_size: The key size in bits. For example: 2048, 3072, or 4096 for RSA. - :vartype key_size: int - :ivar reuse_key: Indicates if the same key pair will be used on certificate renewal. - :vartype reuse_key: bool - :ivar curve: Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values are: - "P-256", "P-384", "P-521", and "P-256K". - :vartype curve: str or ~azure.keyvault.v7_5.models.JsonWebKeyCurveName - """ - - _attribute_map = { - "exportable": {"key": "exportable", "type": "bool"}, - "key_type": {"key": "kty", "type": "str"}, - "key_size": {"key": "key_size", "type": "int"}, - "reuse_key": {"key": "reuse_key", "type": "bool"}, - "curve": {"key": "crv", "type": "str"}, - } - - def __init__( - self, - *, - exportable: Optional[bool] = None, - key_type: Optional[Union[str, "_models.JsonWebKeyType"]] = None, - key_size: Optional[int] = None, - reuse_key: Optional[bool] = None, - curve: Optional[Union[str, "_models.JsonWebKeyCurveName"]] = None, - **kwargs: Any - ) -> None: - """ - :keyword exportable: Indicates if the private key can be exported. Release policy must be - provided when creating the first version of an exportable key. - :paramtype exportable: bool - :keyword key_type: The type of key pair to be used for the certificate. Known values are: "EC", - "EC-HSM", "RSA", "RSA-HSM", "oct", and "oct-HSM". - :paramtype key_type: str or ~azure.keyvault.v7_5.models.JsonWebKeyType - :keyword key_size: The key size in bits. For example: 2048, 3072, or 4096 for RSA. - :paramtype key_size: int - :keyword reuse_key: Indicates if the same key pair will be used on certificate renewal. - :paramtype reuse_key: bool - :keyword curve: Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values - are: "P-256", "P-384", "P-521", and "P-256K". - :paramtype curve: str or ~azure.keyvault.v7_5.models.JsonWebKeyCurveName - """ - super().__init__(**kwargs) - self.exportable = exportable - self.key_type = key_type - self.key_size = key_size - self.reuse_key = reuse_key - self.curve = curve - - -class KeyReleaseParameters(_serialization.Model): - """The release key parameters. - - All required parameters must be populated in order to send to server. - - :ivar target_attestation_token: The attestation assertion for the target of the key release. - Required. - :vartype target_attestation_token: str - :ivar nonce: A client provided nonce for freshness. - :vartype nonce: str - :ivar enc: The encryption algorithm to use to protected the exported key material. Known values - are: "CKM_RSA_AES_KEY_WRAP", "RSA_AES_KEY_WRAP_256", and "RSA_AES_KEY_WRAP_384". - :vartype enc: str or ~azure.keyvault.v7_5.models.KeyEncryptionAlgorithm - """ - - _validation = { - "target_attestation_token": {"required": True, "min_length": 1}, - } - - _attribute_map = { - "target_attestation_token": {"key": "target", "type": "str"}, - "nonce": {"key": "nonce", "type": "str"}, - "enc": {"key": "enc", "type": "str"}, - } - - def __init__( - self, - *, - target_attestation_token: str, - nonce: Optional[str] = None, - enc: Optional[Union[str, "_models.KeyEncryptionAlgorithm"]] = None, - **kwargs: Any - ) -> None: - """ - :keyword target_attestation_token: The attestation assertion for the target of the key release. - Required. - :paramtype target_attestation_token: str - :keyword nonce: A client provided nonce for freshness. - :paramtype nonce: str - :keyword enc: The encryption algorithm to use to protected the exported key material. Known - values are: "CKM_RSA_AES_KEY_WRAP", "RSA_AES_KEY_WRAP_256", and "RSA_AES_KEY_WRAP_384". - :paramtype enc: str or ~azure.keyvault.v7_5.models.KeyEncryptionAlgorithm - """ - super().__init__(**kwargs) - self.target_attestation_token = target_attestation_token - self.nonce = nonce - self.enc = enc - - -class KeyReleasePolicy(_serialization.Model): - """The policy rules under which the key can be exported. - - :ivar content_type: Content type and version of key release policy. - :vartype content_type: str - :ivar immutable: Defines the mutability state of the policy. Once marked immutable, this flag - cannot be reset and the policy cannot be changed under any circumstances. - :vartype immutable: bool - :ivar encoded_policy: Blob encoding the policy rules under which the key can be released. Blob - must be base64 URL encoded. - :vartype encoded_policy: bytes - """ - - _attribute_map = { - "content_type": {"key": "contentType", "type": "str"}, - "immutable": {"key": "immutable", "type": "bool"}, - "encoded_policy": {"key": "data", "type": "base64"}, - } - - def __init__( - self, - *, - content_type: str = "application/json; charset=utf-8", - immutable: Optional[bool] = None, - encoded_policy: Optional[bytes] = None, - **kwargs: Any - ) -> None: - """ - :keyword content_type: Content type and version of key release policy. - :paramtype content_type: str - :keyword immutable: Defines the mutability state of the policy. Once marked immutable, this - flag cannot be reset and the policy cannot be changed under any circumstances. - :paramtype immutable: bool - :keyword encoded_policy: Blob encoding the policy rules under which the key can be released. - Blob must be base64 URL encoded. - :paramtype encoded_policy: bytes - """ - super().__init__(**kwargs) - self.content_type = content_type - self.immutable = immutable - self.encoded_policy = encoded_policy - - -class KeyReleaseResult(_serialization.Model): - """The release result, containing the released key. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar value: A signed object containing the released key. - :vartype value: str - """ - - _validation = { - "value": {"readonly": True}, - } - - _attribute_map = { - "value": {"key": "value", "type": "str"}, - } - - def __init__(self, **kwargs: Any) -> None: - """ """ - super().__init__(**kwargs) - self.value = None - - -class KeyRestoreParameters(_serialization.Model): - """The key restore parameters. - - All required parameters must be populated in order to send to server. - - :ivar key_bundle_backup: The backup blob associated with a key bundle. Required. - :vartype key_bundle_backup: bytes - """ - - _validation = { - "key_bundle_backup": {"required": True}, - } - - _attribute_map = { - "key_bundle_backup": {"key": "value", "type": "base64"}, - } - - def __init__(self, *, key_bundle_backup: bytes, **kwargs: Any) -> None: - """ - :keyword key_bundle_backup: The backup blob associated with a key bundle. Required. - :paramtype key_bundle_backup: bytes - """ - super().__init__(**kwargs) - self.key_bundle_backup = key_bundle_backup - - -class KeyRotationPolicy(_serialization.Model): - """Management policy for a key. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar id: The key policy id. - :vartype id: str - :ivar lifetime_actions: Actions that will be performed by Key Vault over the lifetime of a key. - For preview, lifetimeActions can only have two items at maximum: one for rotate, one for - notify. Notification time would be default to 30 days before expiry and it is not configurable. - :vartype lifetime_actions: list[~azure.keyvault.v7_5.models.LifetimeActions] - :ivar attributes: The key rotation policy attributes. - :vartype attributes: ~azure.keyvault.v7_5.models.KeyRotationPolicyAttributes - """ - - _validation = { - "id": {"readonly": True}, - } - - _attribute_map = { - "id": {"key": "id", "type": "str"}, - "lifetime_actions": {"key": "lifetimeActions", "type": "[LifetimeActions]"}, - "attributes": {"key": "attributes", "type": "KeyRotationPolicyAttributes"}, - } - - def __init__( - self, - *, - lifetime_actions: Optional[List["_models.LifetimeActions"]] = None, - attributes: Optional["_models.KeyRotationPolicyAttributes"] = None, - **kwargs: Any - ) -> None: - """ - :keyword lifetime_actions: Actions that will be performed by Key Vault over the lifetime of a - key. For preview, lifetimeActions can only have two items at maximum: one for rotate, one for - notify. Notification time would be default to 30 days before expiry and it is not configurable. - :paramtype lifetime_actions: list[~azure.keyvault.v7_5.models.LifetimeActions] - :keyword attributes: The key rotation policy attributes. - :paramtype attributes: ~azure.keyvault.v7_5.models.KeyRotationPolicyAttributes - """ - super().__init__(**kwargs) - self.id = None - self.lifetime_actions = lifetime_actions - self.attributes = attributes - - -class KeyRotationPolicyAttributes(_serialization.Model): - """The key rotation policy attributes. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar expiry_time: The expiryTime will be applied on the new key version. It should be at least - 28 days. It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: - PT48H, 1 year and 10 days: P1Y10D. - :vartype expiry_time: str - :ivar created: The key rotation policy created time in UTC. - :vartype created: ~datetime.datetime - :ivar updated: The key rotation policy's last updated time in UTC. - :vartype updated: ~datetime.datetime - """ - - _validation = { - "created": {"readonly": True}, - "updated": {"readonly": True}, - } - - _attribute_map = { - "expiry_time": {"key": "expiryTime", "type": "str"}, - "created": {"key": "created", "type": "unix-time"}, - "updated": {"key": "updated", "type": "unix-time"}, - } - - def __init__(self, *, expiry_time: Optional[str] = None, **kwargs: Any) -> None: - """ - :keyword expiry_time: The expiryTime will be applied on the new key version. It should be at - least 28 days. It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: - PT48H, 1 year and 10 days: P1Y10D. - :paramtype expiry_time: str - """ - super().__init__(**kwargs) - self.expiry_time = expiry_time - self.created = None - self.updated = None - - -class KeySignParameters(_serialization.Model): - """The key operations parameters. - - All required parameters must be populated in order to send to server. - - :ivar algorithm: The signing/verification algorithm identifier. For more information on - possible algorithm types, see JsonWebKeySignatureAlgorithm. Required. Known values are: - "PS256", "PS384", "PS512", "RS256", "RS384", "RS512", "RSNULL", "ES256", "ES384", "ES512", and - "ES256K". - :vartype algorithm: str or ~azure.keyvault.v7_5.models.JsonWebKeySignatureAlgorithm - :ivar value: Required. - :vartype value: bytes - """ - - _validation = { - "algorithm": {"required": True}, - "value": {"required": True}, - } - - _attribute_map = { - "algorithm": {"key": "alg", "type": "str"}, - "value": {"key": "value", "type": "base64"}, - } - - def __init__( - self, *, algorithm: Union[str, "_models.JsonWebKeySignatureAlgorithm"], value: bytes, **kwargs: Any - ) -> None: - """ - :keyword algorithm: The signing/verification algorithm identifier. For more information on - possible algorithm types, see JsonWebKeySignatureAlgorithm. Required. Known values are: - "PS256", "PS384", "PS512", "RS256", "RS384", "RS512", "RSNULL", "ES256", "ES384", "ES512", and - "ES256K". - :paramtype algorithm: str or ~azure.keyvault.v7_5.models.JsonWebKeySignatureAlgorithm - :keyword value: Required. - :paramtype value: bytes - """ - super().__init__(**kwargs) - self.algorithm = algorithm - self.value = value - - -class KeyUpdateParameters(_serialization.Model): - """The key update parameters. - - :ivar key_ops: Json web key operations. For more information on possible key operations, see - JsonWebKeyOperation. - :vartype key_ops: list[str or ~azure.keyvault.v7_5.models.JsonWebKeyOperation] - :ivar key_attributes: The attributes of a key managed by the key vault service. - :vartype key_attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :ivar tags: Application specific metadata in the form of key-value pairs. - :vartype tags: dict[str, str] - :ivar release_policy: The policy rules under which the key can be exported. - :vartype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - """ - - _attribute_map = { - "key_ops": {"key": "key_ops", "type": "[str]"}, - "key_attributes": {"key": "attributes", "type": "KeyAttributes"}, - "tags": {"key": "tags", "type": "{str}"}, - "release_policy": {"key": "release_policy", "type": "KeyReleasePolicy"}, - } - - def __init__( - self, - *, - key_ops: Optional[List[Union[str, "_models.JsonWebKeyOperation"]]] = None, - key_attributes: Optional["_models.KeyAttributes"] = None, - tags: Optional[Dict[str, str]] = None, - release_policy: Optional["_models.KeyReleasePolicy"] = None, - **kwargs: Any - ) -> None: - """ - :keyword key_ops: Json web key operations. For more information on possible key operations, see - JsonWebKeyOperation. - :paramtype key_ops: list[str or ~azure.keyvault.v7_5.models.JsonWebKeyOperation] - :keyword key_attributes: The attributes of a key managed by the key vault service. - :paramtype key_attributes: ~azure.keyvault.v7_5.models.KeyAttributes - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.v7_5.models.KeyReleasePolicy - """ - super().__init__(**kwargs) - self.key_ops = key_ops - self.key_attributes = key_attributes - self.tags = tags - self.release_policy = release_policy - - -class KeyVaultError(_serialization.Model): - """The key vault error exception. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar error: The key vault server error. - :vartype error: ~azure.keyvault.v7_5.models.Error - """ - - _validation = { - "error": {"readonly": True}, - } - - _attribute_map = { - "error": {"key": "error", "type": "Error"}, - } - - def __init__(self, **kwargs: Any) -> None: - """ """ - super().__init__(**kwargs) - self.error = None - - -class KeyVerifyParameters(_serialization.Model): - """The key verify parameters. - - All required parameters must be populated in order to send to server. - - :ivar algorithm: The signing/verification algorithm. For more information on possible algorithm - types, see JsonWebKeySignatureAlgorithm. Required. Known values are: "PS256", "PS384", "PS512", - "RS256", "RS384", "RS512", "RSNULL", "ES256", "ES384", "ES512", and "ES256K". - :vartype algorithm: str or ~azure.keyvault.v7_5.models.JsonWebKeySignatureAlgorithm - :ivar digest: The digest used for signing. Required. - :vartype digest: bytes - :ivar signature: The signature to be verified. Required. - :vartype signature: bytes - """ - - _validation = { - "algorithm": {"required": True}, - "digest": {"required": True}, - "signature": {"required": True}, - } - - _attribute_map = { - "algorithm": {"key": "alg", "type": "str"}, - "digest": {"key": "digest", "type": "base64"}, - "signature": {"key": "value", "type": "base64"}, - } - - def __init__( - self, - *, - algorithm: Union[str, "_models.JsonWebKeySignatureAlgorithm"], - digest: bytes, - signature: bytes, - **kwargs: Any - ) -> None: - """ - :keyword algorithm: The signing/verification algorithm. For more information on possible - algorithm types, see JsonWebKeySignatureAlgorithm. Required. Known values are: "PS256", - "PS384", "PS512", "RS256", "RS384", "RS512", "RSNULL", "ES256", "ES384", "ES512", and "ES256K". - :paramtype algorithm: str or ~azure.keyvault.v7_5.models.JsonWebKeySignatureAlgorithm - :keyword digest: The digest used for signing. Required. - :paramtype digest: bytes - :keyword signature: The signature to be verified. Required. - :paramtype signature: bytes - """ - super().__init__(**kwargs) - self.algorithm = algorithm - self.digest = digest - self.signature = signature - - -class KeyVerifyResult(_serialization.Model): - """The key verify result. - - Variables are only populated by the server, and will be ignored when sending a request. - - :ivar value: True if the signature is verified, otherwise false. - :vartype value: bool - """ - - _validation = { - "value": {"readonly": True}, - } - - _attribute_map = { - "value": {"key": "value", "type": "bool"}, - } - - def __init__(self, **kwargs: Any) -> None: - """ """ - super().__init__(**kwargs) - self.value = None - - -class LifetimeActions(_serialization.Model): - """Action and its trigger that will be performed by Key Vault over the lifetime of a key. - - :ivar trigger: The condition that will execute the action. - :vartype trigger: ~azure.keyvault.v7_5.models.LifetimeActionsTrigger - :ivar action: The action that will be executed. - :vartype action: ~azure.keyvault.v7_5.models.LifetimeActionsType - """ - - _attribute_map = { - "trigger": {"key": "trigger", "type": "LifetimeActionsTrigger"}, - "action": {"key": "action", "type": "LifetimeActionsType"}, - } - - def __init__( - self, - *, - trigger: Optional["_models.LifetimeActionsTrigger"] = None, - action: Optional["_models.LifetimeActionsType"] = None, - **kwargs: Any - ) -> None: - """ - :keyword trigger: The condition that will execute the action. - :paramtype trigger: ~azure.keyvault.v7_5.models.LifetimeActionsTrigger - :keyword action: The action that will be executed. - :paramtype action: ~azure.keyvault.v7_5.models.LifetimeActionsType - """ - super().__init__(**kwargs) - self.trigger = trigger - self.action = action - - -class LifetimeActionsTrigger(_serialization.Model): - """A condition to be satisfied for an action to be executed. - - :ivar time_after_create: Time after creation to attempt to rotate. It only applies to rotate. - It will be in ISO 8601 duration format. Example: 90 days : "P90D". - :vartype time_after_create: str - :ivar time_before_expiry: Time before expiry to attempt to rotate or notify. It will be in ISO - 8601 duration format. Example: 90 days : "P90D". - :vartype time_before_expiry: str - """ - - _attribute_map = { - "time_after_create": {"key": "timeAfterCreate", "type": "str"}, - "time_before_expiry": {"key": "timeBeforeExpiry", "type": "str"}, - } - - def __init__( - self, *, time_after_create: Optional[str] = None, time_before_expiry: Optional[str] = None, **kwargs: Any - ) -> None: - """ - :keyword time_after_create: Time after creation to attempt to rotate. It only applies to - rotate. It will be in ISO 8601 duration format. Example: 90 days : "P90D". - :paramtype time_after_create: str - :keyword time_before_expiry: Time before expiry to attempt to rotate or notify. It will be in - ISO 8601 duration format. Example: 90 days : "P90D". - :paramtype time_before_expiry: str - """ - super().__init__(**kwargs) - self.time_after_create = time_after_create - self.time_before_expiry = time_before_expiry - - -class LifetimeActionsType(_serialization.Model): - """The action that will be executed. - - :ivar type: The type of the action. The value should be compared case-insensitively. Known - values are: "Rotate" and "Notify". - :vartype type: str or ~azure.keyvault.v7_5.models.ActionType - """ - - _attribute_map = { - "type": {"key": "type", "type": "str"}, - } - - def __init__(self, *, type: Optional[Union[str, "_models.ActionType"]] = None, **kwargs: Any) -> None: - """ - :keyword type: The type of the action. The value should be compared case-insensitively. Known - values are: "Rotate" and "Notify". - :paramtype type: str or ~azure.keyvault.v7_5.models.ActionType - """ - super().__init__(**kwargs) - self.type = type - - -class RandomBytes(_serialization.Model): - """The get random bytes response object containing the bytes. - - All required parameters must be populated in order to send to server. - - :ivar value: The bytes encoded as a base64url string. Required. - :vartype value: bytes - """ - - _validation = { - "value": {"required": True}, - } - - _attribute_map = { - "value": {"key": "value", "type": "base64"}, - } - - def __init__(self, *, value: bytes, **kwargs: Any) -> None: - """ - :keyword value: The bytes encoded as a base64url string. Required. - :paramtype value: bytes - """ - super().__init__(**kwargs) - self.value = value diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/py.typed b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/py.typed deleted file mode 100644 index e5aff4f83af8..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/py.typed +++ /dev/null @@ -1 +0,0 @@ -# Marker file for PEP 561. \ No newline at end of file diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_model_base.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_model_base.py new file mode 100644 index 000000000000..7f73b97b23ef --- /dev/null +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_model_base.py @@ -0,0 +1,1175 @@ +# pylint: disable=too-many-lines +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for +# license information. +# -------------------------------------------------------------------------- +# pylint: disable=protected-access, broad-except + +import copy +import calendar +import decimal +import functools +import sys +import logging +import base64 +import re +import typing +import enum +import email.utils +from datetime import datetime, date, time, timedelta, timezone +from json import JSONEncoder +import xml.etree.ElementTree as ET +from typing_extensions import Self +import isodate +from azure.core.exceptions import DeserializationError +from azure.core import CaseInsensitiveEnumMeta +from azure.core.pipeline import PipelineResponse +from azure.core.serialization import _Null + +if sys.version_info >= (3, 9): + from collections.abc import MutableMapping +else: + from typing import MutableMapping + +_LOGGER = logging.getLogger(__name__) + +__all__ = ["SdkJSONEncoder", "Model", "rest_field", "rest_discriminator"] + +TZ_UTC = timezone.utc +_T = typing.TypeVar("_T") + + +def _timedelta_as_isostr(td: timedelta) -> str: + """Converts a datetime.timedelta object into an ISO 8601 formatted string, e.g. 'P4DT12H30M05S' + + Function adapted from the Tin Can Python project: https://github.com/RusticiSoftware/TinCanPython + + :param timedelta td: The timedelta to convert + :rtype: str + :return: ISO8601 version of this timedelta + """ + + # Split seconds to larger units + seconds = td.total_seconds() + minutes, seconds = divmod(seconds, 60) + hours, minutes = divmod(minutes, 60) + days, hours = divmod(hours, 24) + + days, hours, minutes = list(map(int, (days, hours, minutes))) + seconds = round(seconds, 6) + + # Build date + date_str = "" + if days: + date_str = "%sD" % days + + if hours or minutes or seconds: + # Build time + time_str = "T" + + # Hours + bigger_exists = date_str or hours + if bigger_exists: + time_str += "{:02}H".format(hours) + + # Minutes + bigger_exists = bigger_exists or minutes + if bigger_exists: + time_str += "{:02}M".format(minutes) + + # Seconds + try: + if seconds.is_integer(): + seconds_string = "{:02}".format(int(seconds)) + else: + # 9 chars long w/ leading 0, 6 digits after decimal + seconds_string = "%09.6f" % seconds + # Remove trailing zeros + seconds_string = seconds_string.rstrip("0") + except AttributeError: # int.is_integer() raises + seconds_string = "{:02}".format(seconds) + + time_str += "{}S".format(seconds_string) + else: + time_str = "" + + return "P" + date_str + time_str + + +def _serialize_bytes(o, format: typing.Optional[str] = None) -> str: + encoded = base64.b64encode(o).decode() + if format == "base64url": + return encoded.strip("=").replace("+", "-").replace("/", "_") + return encoded + + +def _serialize_datetime(o, format: typing.Optional[str] = None): + if hasattr(o, "year") and hasattr(o, "hour"): + if format == "rfc7231": + return email.utils.format_datetime(o, usegmt=True) + if format == "unix-timestamp": + return int(calendar.timegm(o.utctimetuple())) + + # astimezone() fails for naive times in Python 2.7, so make make sure o is aware (tzinfo is set) + if not o.tzinfo: + iso_formatted = o.replace(tzinfo=TZ_UTC).isoformat() + else: + iso_formatted = o.astimezone(TZ_UTC).isoformat() + # Replace the trailing "+00:00" UTC offset with "Z" (RFC 3339: https://www.ietf.org/rfc/rfc3339.txt) + return iso_formatted.replace("+00:00", "Z") + # Next try datetime.date or datetime.time + return o.isoformat() + + +def _is_readonly(p): + try: + return p._visibility == ["read"] + except AttributeError: + return False + + +class SdkJSONEncoder(JSONEncoder): + """A JSON encoder that's capable of serializing datetime objects and bytes.""" + + def __init__(self, *args, exclude_readonly: bool = False, format: typing.Optional[str] = None, **kwargs): + super().__init__(*args, **kwargs) + self.exclude_readonly = exclude_readonly + self.format = format + + def default(self, o): # pylint: disable=too-many-return-statements + if _is_model(o): + if self.exclude_readonly: + readonly_props = [p._rest_name for p in o._attr_to_rest_field.values() if _is_readonly(p)] + return {k: v for k, v in o.items() if k not in readonly_props} + return dict(o.items()) + try: + return super(SdkJSONEncoder, self).default(o) + except TypeError: + if isinstance(o, _Null): + return None + if isinstance(o, decimal.Decimal): + return float(o) + if isinstance(o, (bytes, bytearray)): + return _serialize_bytes(o, self.format) + try: + # First try datetime.datetime + return _serialize_datetime(o, self.format) + except AttributeError: + pass + # Last, try datetime.timedelta + try: + return _timedelta_as_isostr(o) + except AttributeError: + # This will be raised when it hits value.total_seconds in the method above + pass + return super(SdkJSONEncoder, self).default(o) + + +_VALID_DATE = re.compile(r"\d{4}[-]\d{2}[-]\d{2}T\d{2}:\d{2}:\d{2}" + r"\.?\d*Z?[-+]?[\d{2}]?:?[\d{2}]?") +_VALID_RFC7231 = re.compile( + r"(Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s\d{2}\s" + r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}:\d{2}:\d{2}\sGMT" +) + + +def _deserialize_datetime(attr: typing.Union[str, datetime]) -> datetime: + """Deserialize ISO-8601 formatted string into Datetime object. + + :param str attr: response string to be deserialized. + :rtype: ~datetime.datetime + :returns: The datetime object from that input + """ + if isinstance(attr, datetime): + # i'm already deserialized + return attr + attr = attr.upper() + match = _VALID_DATE.match(attr) + if not match: + raise ValueError("Invalid datetime string: " + attr) + + check_decimal = attr.split(".") + if len(check_decimal) > 1: + decimal_str = "" + for digit in check_decimal[1]: + if digit.isdigit(): + decimal_str += digit + else: + break + if len(decimal_str) > 6: + attr = attr.replace(decimal_str, decimal_str[0:6]) + + date_obj = isodate.parse_datetime(attr) + test_utc = date_obj.utctimetuple() + if test_utc.tm_year > 9999 or test_utc.tm_year < 1: + raise OverflowError("Hit max or min date") + return date_obj + + +def _deserialize_datetime_rfc7231(attr: typing.Union[str, datetime]) -> datetime: + """Deserialize RFC7231 formatted string into Datetime object. + + :param str attr: response string to be deserialized. + :rtype: ~datetime.datetime + :returns: The datetime object from that input + """ + if isinstance(attr, datetime): + # i'm already deserialized + return attr + match = _VALID_RFC7231.match(attr) + if not match: + raise ValueError("Invalid datetime string: " + attr) + + return email.utils.parsedate_to_datetime(attr) + + +def _deserialize_datetime_unix_timestamp(attr: typing.Union[float, datetime]) -> datetime: + """Deserialize unix timestamp into Datetime object. + + :param str attr: response string to be deserialized. + :rtype: ~datetime.datetime + :returns: The datetime object from that input + """ + if isinstance(attr, datetime): + # i'm already deserialized + return attr + return datetime.fromtimestamp(attr, TZ_UTC) + + +def _deserialize_date(attr: typing.Union[str, date]) -> date: + """Deserialize ISO-8601 formatted string into Date object. + :param str attr: response string to be deserialized. + :rtype: date + :returns: The date object from that input + """ + # This must NOT use defaultmonth/defaultday. Using None ensure this raises an exception. + if isinstance(attr, date): + return attr + return isodate.parse_date(attr, defaultmonth=None, defaultday=None) # type: ignore + + +def _deserialize_time(attr: typing.Union[str, time]) -> time: + """Deserialize ISO-8601 formatted string into time object. + + :param str attr: response string to be deserialized. + :rtype: datetime.time + :returns: The time object from that input + """ + if isinstance(attr, time): + return attr + return isodate.parse_time(attr) + + +def _deserialize_bytes(attr): + if isinstance(attr, (bytes, bytearray)): + return attr + return bytes(base64.b64decode(attr)) + + +def _deserialize_bytes_base64(attr): + if isinstance(attr, (bytes, bytearray)): + return attr + padding = "=" * (3 - (len(attr) + 3) % 4) # type: ignore + attr = attr + padding # type: ignore + encoded = attr.replace("-", "+").replace("_", "/") + return bytes(base64.b64decode(encoded)) + + +def _deserialize_duration(attr): + if isinstance(attr, timedelta): + return attr + return isodate.parse_duration(attr) + + +def _deserialize_decimal(attr): + if isinstance(attr, decimal.Decimal): + return attr + return decimal.Decimal(str(attr)) + + +def _deserialize_int_as_str(attr): + if isinstance(attr, int): + return attr + return int(attr) + + +_DESERIALIZE_MAPPING = { + datetime: _deserialize_datetime, + date: _deserialize_date, + time: _deserialize_time, + bytes: _deserialize_bytes, + bytearray: _deserialize_bytes, + timedelta: _deserialize_duration, + typing.Any: lambda x: x, + decimal.Decimal: _deserialize_decimal, +} + +_DESERIALIZE_MAPPING_WITHFORMAT = { + "rfc3339": _deserialize_datetime, + "rfc7231": _deserialize_datetime_rfc7231, + "unix-timestamp": _deserialize_datetime_unix_timestamp, + "base64": _deserialize_bytes, + "base64url": _deserialize_bytes_base64, +} + + +def get_deserializer(annotation: typing.Any, rf: typing.Optional["_RestField"] = None): + if annotation is int and rf and rf._format == "str": + return _deserialize_int_as_str + if rf and rf._format: + return _DESERIALIZE_MAPPING_WITHFORMAT.get(rf._format) + return _DESERIALIZE_MAPPING.get(annotation) # pyright: ignore + + +def _get_type_alias_type(module_name: str, alias_name: str): + types = { + k: v + for k, v in sys.modules[module_name].__dict__.items() + if isinstance(v, typing._GenericAlias) # type: ignore + } + if alias_name not in types: + return alias_name + return types[alias_name] + + +def _get_model(module_name: str, model_name: str): + models = {k: v for k, v in sys.modules[module_name].__dict__.items() if isinstance(v, type)} + module_end = module_name.rsplit(".", 1)[0] + models.update({k: v for k, v in sys.modules[module_end].__dict__.items() if isinstance(v, type)}) + if isinstance(model_name, str): + model_name = model_name.split(".")[-1] + if model_name not in models: + return model_name + return models[model_name] + + +_UNSET = object() + + +class _MyMutableMapping(MutableMapping[str, typing.Any]): # pylint: disable=unsubscriptable-object + def __init__(self, data: typing.Dict[str, typing.Any]) -> None: + self._data = data + + def __contains__(self, key: typing.Any) -> bool: + return key in self._data + + def __getitem__(self, key: str) -> typing.Any: + return self._data.__getitem__(key) + + def __setitem__(self, key: str, value: typing.Any) -> None: + self._data.__setitem__(key, value) + + def __delitem__(self, key: str) -> None: + self._data.__delitem__(key) + + def __iter__(self) -> typing.Iterator[typing.Any]: + return self._data.__iter__() + + def __len__(self) -> int: + return self._data.__len__() + + def __ne__(self, other: typing.Any) -> bool: + return not self.__eq__(other) + + def keys(self) -> typing.KeysView[str]: + return self._data.keys() + + def values(self) -> typing.ValuesView[typing.Any]: + return self._data.values() + + def items(self) -> typing.ItemsView[str, typing.Any]: + return self._data.items() + + def get(self, key: str, default: typing.Any = None) -> typing.Any: + try: + return self[key] + except KeyError: + return default + + @typing.overload + def pop(self, key: str) -> typing.Any: ... + + @typing.overload + def pop(self, key: str, default: _T) -> _T: ... + + @typing.overload + def pop(self, key: str, default: typing.Any) -> typing.Any: ... + + def pop(self, key: str, default: typing.Any = _UNSET) -> typing.Any: + if default is _UNSET: + return self._data.pop(key) + return self._data.pop(key, default) + + def popitem(self) -> typing.Tuple[str, typing.Any]: + return self._data.popitem() + + def clear(self) -> None: + self._data.clear() + + def update(self, *args: typing.Any, **kwargs: typing.Any) -> None: + self._data.update(*args, **kwargs) + + @typing.overload + def setdefault(self, key: str, default: None = None) -> None: ... + + @typing.overload + def setdefault(self, key: str, default: typing.Any) -> typing.Any: ... + + def setdefault(self, key: str, default: typing.Any = _UNSET) -> typing.Any: + if default is _UNSET: + return self._data.setdefault(key) + return self._data.setdefault(key, default) + + def __eq__(self, other: typing.Any) -> bool: + try: + other_model = self.__class__(other) + except Exception: + return False + return self._data == other_model._data + + def __repr__(self) -> str: + return str(self._data) + + +def _is_model(obj: typing.Any) -> bool: + return getattr(obj, "_is_model", False) + + +def _serialize(o, format: typing.Optional[str] = None): # pylint: disable=too-many-return-statements + if isinstance(o, list): + return [_serialize(x, format) for x in o] + if isinstance(o, dict): + return {k: _serialize(v, format) for k, v in o.items()} + if isinstance(o, set): + return {_serialize(x, format) for x in o} + if isinstance(o, tuple): + return tuple(_serialize(x, format) for x in o) + if isinstance(o, (bytes, bytearray)): + return _serialize_bytes(o, format) + if isinstance(o, decimal.Decimal): + return float(o) + if isinstance(o, enum.Enum): + return o.value + if isinstance(o, int): + if format == "str": + return str(o) + return o + try: + # First try datetime.datetime + return _serialize_datetime(o, format) + except AttributeError: + pass + # Last, try datetime.timedelta + try: + return _timedelta_as_isostr(o) + except AttributeError: + # This will be raised when it hits value.total_seconds in the method above + pass + return o + + +def _get_rest_field( + attr_to_rest_field: typing.Dict[str, "_RestField"], rest_name: str +) -> typing.Optional["_RestField"]: + try: + return next(rf for rf in attr_to_rest_field.values() if rf._rest_name == rest_name) + except StopIteration: + return None + + +def _create_value(rf: typing.Optional["_RestField"], value: typing.Any) -> typing.Any: + if not rf: + return _serialize(value, None) + if rf._is_multipart_file_input: + return value + if rf._is_model: + return _deserialize(rf._type, value) + if isinstance(value, ET.Element): + value = _deserialize(rf._type, value) + return _serialize(value, rf._format) + + +class Model(_MyMutableMapping): + _is_model = True + # label whether current class's _attr_to_rest_field has been calculated + # could not see _attr_to_rest_field directly because subclass inherits it from parent class + _calculated: typing.Set[str] = set() + + def __init__(self, *args: typing.Any, **kwargs: typing.Any) -> None: + class_name = self.__class__.__name__ + if len(args) > 1: + raise TypeError(f"{class_name}.__init__() takes 2 positional arguments but {len(args) + 1} were given") + dict_to_pass = { + rest_field._rest_name: rest_field._default + for rest_field in self._attr_to_rest_field.values() + if rest_field._default is not _UNSET + } + if args: # pylint: disable=too-many-nested-blocks + if isinstance(args[0], ET.Element): + existed_attr_keys = [] + model_meta = getattr(self, "_xml", {}) + + for rf in self._attr_to_rest_field.values(): + prop_meta = getattr(rf, "_xml", {}) + xml_name = prop_meta.get("name", rf._rest_name) + xml_ns = prop_meta.get("ns", model_meta.get("ns", None)) + if xml_ns: + xml_name = "{" + xml_ns + "}" + xml_name + + # attribute + if prop_meta.get("attribute", False) and args[0].get(xml_name) is not None: + existed_attr_keys.append(xml_name) + dict_to_pass[rf._rest_name] = _deserialize(rf._type, args[0].get(xml_name)) + continue + + # unwrapped element is array + if prop_meta.get("unwrapped", False): + # unwrapped array could either use prop items meta/prop meta + if prop_meta.get("itemsName"): + xml_name = prop_meta.get("itemsName") + xml_ns = prop_meta.get("itemNs") + if xml_ns: + xml_name = "{" + xml_ns + "}" + xml_name + items = args[0].findall(xml_name) # pyright: ignore + if len(items) > 0: + existed_attr_keys.append(xml_name) + dict_to_pass[rf._rest_name] = _deserialize(rf._type, items) + continue + + # text element is primitive type + if prop_meta.get("text", False): + if args[0].text is not None: + dict_to_pass[rf._rest_name] = _deserialize(rf._type, args[0].text) + continue + + # wrapped element could be normal property or array, it should only have one element + item = args[0].find(xml_name) + if item is not None: + existed_attr_keys.append(xml_name) + dict_to_pass[rf._rest_name] = _deserialize(rf._type, item) + + # rest thing is additional properties + for e in args[0]: + if e.tag not in existed_attr_keys: + dict_to_pass[e.tag] = _convert_element(e) + else: + dict_to_pass.update( + {k: _create_value(_get_rest_field(self._attr_to_rest_field, k), v) for k, v in args[0].items()} + ) + else: + non_attr_kwargs = [k for k in kwargs if k not in self._attr_to_rest_field] + if non_attr_kwargs: + # actual type errors only throw the first wrong keyword arg they see, so following that. + raise TypeError(f"{class_name}.__init__() got an unexpected keyword argument '{non_attr_kwargs[0]}'") + dict_to_pass.update( + { + self._attr_to_rest_field[k]._rest_name: _create_value(self._attr_to_rest_field[k], v) + for k, v in kwargs.items() + if v is not None + } + ) + super().__init__(dict_to_pass) + + def copy(self) -> "Model": + return Model(self.__dict__) + + def __new__(cls, *args: typing.Any, **kwargs: typing.Any) -> Self: + if f"{cls.__module__}.{cls.__qualname__}" not in cls._calculated: + # we know the last nine classes in mro are going to be 'Model', '_MyMutableMapping', 'MutableMapping', + # 'Mapping', 'Collection', 'Sized', 'Iterable', 'Container' and 'object' + mros = cls.__mro__[:-9][::-1] # ignore parents, and reverse the mro order + attr_to_rest_field: typing.Dict[str, _RestField] = { # map attribute name to rest_field property + k: v for mro_class in mros for k, v in mro_class.__dict__.items() if k[0] != "_" and hasattr(v, "_type") + } + annotations = { + k: v + for mro_class in mros + if hasattr(mro_class, "__annotations__") + for k, v in mro_class.__annotations__.items() + } + for attr, rf in attr_to_rest_field.items(): + rf._module = cls.__module__ + if not rf._type: + rf._type = rf._get_deserialize_callable_from_annotation(annotations.get(attr, None)) + if not rf._rest_name_input: + rf._rest_name_input = attr + cls._attr_to_rest_field: typing.Dict[str, _RestField] = dict(attr_to_rest_field.items()) + cls._calculated.add(f"{cls.__module__}.{cls.__qualname__}") + + return super().__new__(cls) # pylint: disable=no-value-for-parameter + + def __init_subclass__(cls, discriminator: typing.Optional[str] = None) -> None: + for base in cls.__bases__: + if hasattr(base, "__mapping__"): + base.__mapping__[discriminator or cls.__name__] = cls # type: ignore + + @classmethod + def _get_discriminator(cls, exist_discriminators) -> typing.Optional["_RestField"]: + for v in cls.__dict__.values(): + if isinstance(v, _RestField) and v._is_discriminator and v._rest_name not in exist_discriminators: + return v + return None + + @classmethod + def _deserialize(cls, data, exist_discriminators): + if not hasattr(cls, "__mapping__"): + return cls(data) + discriminator = cls._get_discriminator(exist_discriminators) + if discriminator is None: + return cls(data) + exist_discriminators.append(discriminator._rest_name) + if isinstance(data, ET.Element): + model_meta = getattr(cls, "_xml", {}) + prop_meta = getattr(discriminator, "_xml", {}) + xml_name = prop_meta.get("name", discriminator._rest_name) + xml_ns = prop_meta.get("ns", model_meta.get("ns", None)) + if xml_ns: + xml_name = "{" + xml_ns + "}" + xml_name + + if data.get(xml_name) is not None: + discriminator_value = data.get(xml_name) + else: + discriminator_value = data.find(xml_name).text # pyright: ignore + else: + discriminator_value = data.get(discriminator._rest_name) + mapped_cls = cls.__mapping__.get(discriminator_value, cls) # pyright: ignore + return mapped_cls._deserialize(data, exist_discriminators) + + def as_dict(self, *, exclude_readonly: bool = False) -> typing.Dict[str, typing.Any]: + """Return a dict that can be turned into json using json.dump. + + :keyword bool exclude_readonly: Whether to remove the readonly properties. + :returns: A dict JSON compatible object + :rtype: dict + """ + + result = {} + readonly_props = [] + if exclude_readonly: + readonly_props = [p._rest_name for p in self._attr_to_rest_field.values() if _is_readonly(p)] + for k, v in self.items(): + if exclude_readonly and k in readonly_props: # pyright: ignore + continue + is_multipart_file_input = False + try: + is_multipart_file_input = next( + rf for rf in self._attr_to_rest_field.values() if rf._rest_name == k + )._is_multipart_file_input + except StopIteration: + pass + result[k] = v if is_multipart_file_input else Model._as_dict_value(v, exclude_readonly=exclude_readonly) + return result + + @staticmethod + def _as_dict_value(v: typing.Any, exclude_readonly: bool = False) -> typing.Any: + if v is None or isinstance(v, _Null): + return None + if isinstance(v, (list, tuple, set)): + return type(v)(Model._as_dict_value(x, exclude_readonly=exclude_readonly) for x in v) + if isinstance(v, dict): + return {dk: Model._as_dict_value(dv, exclude_readonly=exclude_readonly) for dk, dv in v.items()} + return v.as_dict(exclude_readonly=exclude_readonly) if hasattr(v, "as_dict") else v + + +def _deserialize_model(model_deserializer: typing.Optional[typing.Callable], obj): + if _is_model(obj): + return obj + return _deserialize(model_deserializer, obj) + + +def _deserialize_with_optional(if_obj_deserializer: typing.Optional[typing.Callable], obj): + if obj is None: + return obj + return _deserialize_with_callable(if_obj_deserializer, obj) + + +def _deserialize_with_union(deserializers, obj): + for deserializer in deserializers: + try: + return _deserialize(deserializer, obj) + except DeserializationError: + pass + raise DeserializationError() + + +def _deserialize_dict( + value_deserializer: typing.Optional[typing.Callable], + module: typing.Optional[str], + obj: typing.Dict[typing.Any, typing.Any], +): + if obj is None: + return obj + if isinstance(obj, ET.Element): + obj = {child.tag: child for child in obj} + return {k: _deserialize(value_deserializer, v, module) for k, v in obj.items()} + + +def _deserialize_multiple_sequence( + entry_deserializers: typing.List[typing.Optional[typing.Callable]], + module: typing.Optional[str], + obj, +): + if obj is None: + return obj + return type(obj)(_deserialize(deserializer, entry, module) for entry, deserializer in zip(obj, entry_deserializers)) + + +def _deserialize_sequence( + deserializer: typing.Optional[typing.Callable], + module: typing.Optional[str], + obj, +): + if obj is None: + return obj + if isinstance(obj, ET.Element): + obj = list(obj) + return type(obj)(_deserialize(deserializer, entry, module) for entry in obj) + + +def _sorted_annotations(types: typing.List[typing.Any]) -> typing.List[typing.Any]: + return sorted( + types, + key=lambda x: hasattr(x, "__name__") and x.__name__.lower() in ("str", "float", "int", "bool"), + ) + + +def _get_deserialize_callable_from_annotation( # pylint: disable=too-many-return-statements, too-many-branches + annotation: typing.Any, + module: typing.Optional[str], + rf: typing.Optional["_RestField"] = None, +) -> typing.Optional[typing.Callable[[typing.Any], typing.Any]]: + if not annotation: + return None + + # is it a type alias? + if isinstance(annotation, str): + if module is not None: + annotation = _get_type_alias_type(module, annotation) + + # is it a forward ref / in quotes? + if isinstance(annotation, (str, typing.ForwardRef)): + try: + model_name = annotation.__forward_arg__ # type: ignore + except AttributeError: + model_name = annotation + if module is not None: + annotation = _get_model(module, model_name) # type: ignore + + try: + if module and _is_model(annotation): + if rf: + rf._is_model = True + + return functools.partial(_deserialize_model, annotation) # pyright: ignore + except Exception: + pass + + # is it a literal? + try: + if annotation.__origin__ is typing.Literal: # pyright: ignore + return None + except AttributeError: + pass + + # is it optional? + try: + if any(a for a in annotation.__args__ if a == type(None)): # pyright: ignore + if len(annotation.__args__) <= 2: # pyright: ignore + if_obj_deserializer = _get_deserialize_callable_from_annotation( + next(a for a in annotation.__args__ if a != type(None)), module, rf # pyright: ignore + ) + + return functools.partial(_deserialize_with_optional, if_obj_deserializer) + # the type is Optional[Union[...]], we need to remove the None type from the Union + annotation_copy = copy.copy(annotation) + annotation_copy.__args__ = [a for a in annotation_copy.__args__ if a != type(None)] # pyright: ignore + return _get_deserialize_callable_from_annotation(annotation_copy, module, rf) + except AttributeError: + pass + + # is it union? + if getattr(annotation, "__origin__", None) is typing.Union: + # initial ordering is we make `string` the last deserialization option, because it is often them most generic + deserializers = [ + _get_deserialize_callable_from_annotation(arg, module, rf) + for arg in _sorted_annotations(annotation.__args__) # pyright: ignore + ] + + return functools.partial(_deserialize_with_union, deserializers) + + try: + if annotation._name == "Dict": # pyright: ignore + value_deserializer = _get_deserialize_callable_from_annotation( + annotation.__args__[1], module, rf # pyright: ignore + ) + + return functools.partial( + _deserialize_dict, + value_deserializer, + module, + ) + except (AttributeError, IndexError): + pass + try: + if annotation._name in ["List", "Set", "Tuple", "Sequence"]: # pyright: ignore + if len(annotation.__args__) > 1: # pyright: ignore + entry_deserializers = [ + _get_deserialize_callable_from_annotation(dt, module, rf) + for dt in annotation.__args__ # pyright: ignore + ] + return functools.partial(_deserialize_multiple_sequence, entry_deserializers, module) + deserializer = _get_deserialize_callable_from_annotation( + annotation.__args__[0], module, rf # pyright: ignore + ) + + return functools.partial(_deserialize_sequence, deserializer, module) + except (TypeError, IndexError, AttributeError, SyntaxError): + pass + + def _deserialize_default( + deserializer, + obj, + ): + if obj is None: + return obj + try: + return _deserialize_with_callable(deserializer, obj) + except Exception: + pass + return obj + + if get_deserializer(annotation, rf): + return functools.partial(_deserialize_default, get_deserializer(annotation, rf)) + + return functools.partial(_deserialize_default, annotation) + + +def _deserialize_with_callable( + deserializer: typing.Optional[typing.Callable[[typing.Any], typing.Any]], + value: typing.Any, +): # pylint: disable=too-many-return-statements + try: + if value is None or isinstance(value, _Null): + return None + if isinstance(value, ET.Element): + if deserializer is str: + return value.text or "" + if deserializer is int: + return int(value.text) if value.text else None + if deserializer is float: + return float(value.text) if value.text else None + if deserializer is bool: + return value.text == "true" if value.text else None + if deserializer is None: + return value + if deserializer in [int, float, bool]: + return deserializer(value) + if isinstance(deserializer, CaseInsensitiveEnumMeta): + try: + return deserializer(value) + except ValueError: + # for unknown value, return raw value + return value + if isinstance(deserializer, type) and issubclass(deserializer, Model): + return deserializer._deserialize(value, []) + return typing.cast(typing.Callable[[typing.Any], typing.Any], deserializer)(value) + except Exception as e: + raise DeserializationError() from e + + +def _deserialize( + deserializer: typing.Any, + value: typing.Any, + module: typing.Optional[str] = None, + rf: typing.Optional["_RestField"] = None, + format: typing.Optional[str] = None, +) -> typing.Any: + if isinstance(value, PipelineResponse): + value = value.http_response.json() + if rf is None and format: + rf = _RestField(format=format) + if not isinstance(deserializer, functools.partial): + deserializer = _get_deserialize_callable_from_annotation(deserializer, module, rf) + return _deserialize_with_callable(deserializer, value) + + +def _failsafe_deserialize( + deserializer: typing.Any, + value: typing.Any, + module: typing.Optional[str] = None, + rf: typing.Optional["_RestField"] = None, + format: typing.Optional[str] = None, +) -> typing.Any: + try: + return _deserialize(deserializer, value, module, rf, format) + except DeserializationError: + _LOGGER.warning( + "Ran into a deserialization error. Ignoring since this is failsafe deserialization", exc_info=True + ) + return None + + +class _RestField: + def __init__( + self, + *, + name: typing.Optional[str] = None, + type: typing.Optional[typing.Callable] = None, # pylint: disable=redefined-builtin + is_discriminator: bool = False, + visibility: typing.Optional[typing.List[str]] = None, + default: typing.Any = _UNSET, + format: typing.Optional[str] = None, + is_multipart_file_input: bool = False, + xml: typing.Optional[typing.Dict[str, typing.Any]] = None, + ): + self._type = type + self._rest_name_input = name + self._module: typing.Optional[str] = None + self._is_discriminator = is_discriminator + self._visibility = visibility + self._is_model = False + self._default = default + self._format = format + self._is_multipart_file_input = is_multipart_file_input + self._xml = xml if xml is not None else {} + + @property + def _class_type(self) -> typing.Any: + return getattr(self._type, "args", [None])[0] + + @property + def _rest_name(self) -> str: + if self._rest_name_input is None: + raise ValueError("Rest name was never set") + return self._rest_name_input + + def __get__(self, obj: Model, type=None): # pylint: disable=redefined-builtin + # by this point, type and rest_name will have a value bc we default + # them in __new__ of the Model class + item = obj.get(self._rest_name) + if item is None: + return item + if self._is_model: + return item + return _deserialize(self._type, _serialize(item, self._format), rf=self) + + def __set__(self, obj: Model, value) -> None: + if value is None: + # we want to wipe out entries if users set attr to None + try: + obj.__delitem__(self._rest_name) + except KeyError: + pass + return + if self._is_model: + if not _is_model(value): + value = _deserialize(self._type, value) + obj.__setitem__(self._rest_name, value) + return + obj.__setitem__(self._rest_name, _serialize(value, self._format)) + + def _get_deserialize_callable_from_annotation( + self, annotation: typing.Any + ) -> typing.Optional[typing.Callable[[typing.Any], typing.Any]]: + return _get_deserialize_callable_from_annotation(annotation, self._module, self) + + +def rest_field( + *, + name: typing.Optional[str] = None, + type: typing.Optional[typing.Callable] = None, # pylint: disable=redefined-builtin + visibility: typing.Optional[typing.List[str]] = None, + default: typing.Any = _UNSET, + format: typing.Optional[str] = None, + is_multipart_file_input: bool = False, + xml: typing.Optional[typing.Dict[str, typing.Any]] = None, +) -> typing.Any: + return _RestField( + name=name, + type=type, + visibility=visibility, + default=default, + format=format, + is_multipart_file_input=is_multipart_file_input, + xml=xml, + ) + + +def rest_discriminator( + *, + name: typing.Optional[str] = None, + type: typing.Optional[typing.Callable] = None, # pylint: disable=redefined-builtin + visibility: typing.Optional[typing.List[str]] = None, + xml: typing.Optional[typing.Dict[str, typing.Any]] = None, +) -> typing.Any: + return _RestField(name=name, type=type, is_discriminator=True, visibility=visibility, xml=xml) + + +def serialize_xml(model: Model, exclude_readonly: bool = False) -> str: + """Serialize a model to XML. + + :param Model model: The model to serialize. + :param bool exclude_readonly: Whether to exclude readonly properties. + :returns: The XML representation of the model. + :rtype: str + """ + return ET.tostring(_get_element(model, exclude_readonly), encoding="unicode") # type: ignore + + +def _get_element( + o: typing.Any, + exclude_readonly: bool = False, + parent_meta: typing.Optional[typing.Dict[str, typing.Any]] = None, + wrapped_element: typing.Optional[ET.Element] = None, +) -> typing.Union[ET.Element, typing.List[ET.Element]]: + if _is_model(o): + model_meta = getattr(o, "_xml", {}) + + # if prop is a model, then use the prop element directly, else generate a wrapper of model + if wrapped_element is None: + wrapped_element = _create_xml_element( + model_meta.get("name", o.__class__.__name__), + model_meta.get("prefix"), + model_meta.get("ns"), + ) + + readonly_props = [] + if exclude_readonly: + readonly_props = [p._rest_name for p in o._attr_to_rest_field.values() if _is_readonly(p)] + + for k, v in o.items(): + # do not serialize readonly properties + if exclude_readonly and k in readonly_props: + continue + + prop_rest_field = _get_rest_field(o._attr_to_rest_field, k) + if prop_rest_field: + prop_meta = getattr(prop_rest_field, "_xml").copy() + # use the wire name as xml name if no specific name is set + if prop_meta.get("name") is None: + prop_meta["name"] = k + else: + # additional properties will not have rest field, use the wire name as xml name + prop_meta = {"name": k} + + # if no ns for prop, use model's + if prop_meta.get("ns") is None and model_meta.get("ns"): + prop_meta["ns"] = model_meta.get("ns") + prop_meta["prefix"] = model_meta.get("prefix") + + if prop_meta.get("unwrapped", False): + # unwrapped could only set on array + wrapped_element.extend(_get_element(v, exclude_readonly, prop_meta)) + elif prop_meta.get("text", False): + # text could only set on primitive type + wrapped_element.text = _get_primitive_type_value(v) + elif prop_meta.get("attribute", False): + xml_name = prop_meta.get("name", k) + if prop_meta.get("ns"): + ET.register_namespace(prop_meta.get("prefix"), prop_meta.get("ns")) # pyright: ignore + xml_name = "{" + prop_meta.get("ns") + "}" + xml_name # pyright: ignore + # attribute should be primitive type + wrapped_element.set(xml_name, _get_primitive_type_value(v)) + else: + # other wrapped prop element + wrapped_element.append(_get_wrapped_element(v, exclude_readonly, prop_meta)) + return wrapped_element + if isinstance(o, list): + return [_get_element(x, exclude_readonly, parent_meta) for x in o] # type: ignore + if isinstance(o, dict): + result = [] + for k, v in o.items(): + result.append( + _get_wrapped_element( + v, + exclude_readonly, + { + "name": k, + "ns": parent_meta.get("ns") if parent_meta else None, + "prefix": parent_meta.get("prefix") if parent_meta else None, + }, + ) + ) + return result + + # primitive case need to create element based on parent_meta + if parent_meta: + return _get_wrapped_element( + o, + exclude_readonly, + { + "name": parent_meta.get("itemsName", parent_meta.get("name")), + "prefix": parent_meta.get("itemsPrefix", parent_meta.get("prefix")), + "ns": parent_meta.get("itemsNs", parent_meta.get("ns")), + }, + ) + + raise ValueError("Could not serialize value into xml: " + o) + + +def _get_wrapped_element( + v: typing.Any, + exclude_readonly: bool, + meta: typing.Optional[typing.Dict[str, typing.Any]], +) -> ET.Element: + wrapped_element = _create_xml_element( + meta.get("name") if meta else None, meta.get("prefix") if meta else None, meta.get("ns") if meta else None + ) + if isinstance(v, (dict, list)): + wrapped_element.extend(_get_element(v, exclude_readonly, meta)) + elif _is_model(v): + _get_element(v, exclude_readonly, meta, wrapped_element) + else: + wrapped_element.text = _get_primitive_type_value(v) + return wrapped_element + + +def _get_primitive_type_value(v) -> str: + if v is True: + return "true" + if v is False: + return "false" + if isinstance(v, _Null): + return "" + return str(v) + + +def _create_xml_element(tag, prefix=None, ns=None): + if prefix and ns: + ET.register_namespace(prefix, ns) + if ns: + return ET.Element("{" + ns + "}" + tag) + return ET.Element(tag) + + +def _deserialize_xml( + deserializer: typing.Any, + value: str, +) -> typing.Any: + element = ET.fromstring(value) # nosec + return _deserialize(deserializer, element) + + +def _convert_element(e: ET.Element): + # dict case + if len(e.attrib) > 0 or len({child.tag for child in e}) > 1: + dict_result: typing.Dict[str, typing.Any] = {} + for child in e: + if dict_result.get(child.tag) is not None: + if isinstance(dict_result[child.tag], list): + dict_result[child.tag].append(_convert_element(child)) + else: + dict_result[child.tag] = [dict_result[child.tag], _convert_element(child)] + else: + dict_result[child.tag] = _convert_element(child) + dict_result.update(e.attrib) + return dict_result + # array case + if len(e) > 0: + array_result: typing.List[typing.Any] = [] + for child in e: + array_result.append(_convert_element(child)) + return array_result + # primitive case + return e.text diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_models.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_models.py deleted file mode 100644 index 607ae0919d2a..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_models.py +++ /dev/null @@ -1,602 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------- -from collections import namedtuple -from datetime import datetime -from typing import Any, Dict, List, Optional, Union, TYPE_CHECKING - -from ._enums import KeyOperation, KeyRotationPolicyAction, KeyType -from ._shared import parse_key_vault_id -from ._generated.models import JsonWebKey as _JsonWebKey - -if TYPE_CHECKING: - from ._generated import models as _models - -KeyOperationResult = namedtuple("KeyOperationResult", ["id", "value"]) - - -class JsonWebKey(object): - """As defined in http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18. All parameters are optional. - - :keyword str kid: Key identifier. - :keyword kty: Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40 - :paramtype kty: ~azure.keyvault.keys.KeyType or str - :keyword key_ops: Allowed operations for the key - :paramtype key_ops: list[str or ~azure.keyvault.keys.KeyOperation] - :keyword bytes n: RSA modulus. - :keyword bytes e: RSA public exponent. - :keyword bytes d: RSA private exponent, or the D component of an EC private key. - :keyword bytes dp: RSA private key parameter. - :keyword bytes dq: RSA private key parameter. - :keyword bytes qi: RSA private key parameter. - :keyword bytes p: RSA secret prime. - :keyword bytes q: RSA secret prime, with p < q. - :keyword bytes k: Symmetric key. - :keyword bytes t: HSM Token, used with 'Bring Your Own Key'. - :keyword crv: Elliptic curve name. - :paramtype crv: ~azure.keyvault.keys.KeyCurveName or str - :keyword bytes x: X component of an EC public key. - :keyword bytes y: Y component of an EC public key. - """ - - _FIELDS = ("kid", "kty", "key_ops", "n", "e", "d", "dp", "dq", "qi", "p", "q", "k", "t", "crv", "x", "y") - - def __init__(self, **kwargs: Any) -> None: - for field in self._FIELDS: - setattr(self, field, kwargs.get(field)) - - def _to_generated_model(self) -> _JsonWebKey: - jwk = _JsonWebKey() - for field in self._FIELDS: - setattr(jwk, field, getattr(self, field)) - return jwk - - -class KeyProperties(object): - """A key's ID and attributes. - - :param str key_id: The key ID. - :param attributes: The key attributes. - :type attributes: ~azure.keyvault.keys._generated.models.KeyAttributes - - :keyword bool managed: Whether the key's lifetime is managed by Key Vault. - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword release_policy: The azure.keyvault.keys.KeyReleasePolicy specifying the rules under which the key - can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - """ - - def __init__(self, key_id: str, attributes: "Optional[_models.KeyAttributes]" = None, **kwargs: Any) -> None: - self._attributes = attributes - self._id = key_id - self._vault_id = KeyVaultKeyIdentifier(key_id) - self._managed = kwargs.get("managed", None) - self._tags = kwargs.get("tags", None) - self._release_policy = kwargs.pop("release_policy", None) - - def __repr__(self) -> str: - return f""[:1024] - - @classmethod - def _from_key_bundle(cls, key_bundle: "_models.KeyBundle") -> "KeyProperties": - # pylint:disable=line-too-long - # release_policy was added in 7.3-preview - release_policy = None - if ( - hasattr(key_bundle, "release_policy") and key_bundle.release_policy is not None # type: ignore[attr-defined] - ): - release_policy = KeyReleasePolicy( - encoded_policy=key_bundle.release_policy.encoded_policy, # type: ignore - content_type=key_bundle.release_policy.content_type, # type: ignore[attr-defined] - immutable=key_bundle.release_policy.immutable, # type: ignore[attr-defined] - ) - - return cls( - key_bundle.key.kid, # type: ignore - attributes=key_bundle.attributes, - managed=key_bundle.managed, - tags=key_bundle.tags, - release_policy=release_policy, - ) - - @classmethod - def _from_key_item(cls, key_item: "_models.KeyItem") -> "KeyProperties": - return cls( - key_id=key_item.kid, # type: ignore - attributes=key_item.attributes, - managed=key_item.managed, - tags=key_item.tags, - ) - - @property - def id(self) -> str: - """The key ID. - - :returns: The key ID. - :rtype: str - """ - return self._id - - @property - def name(self) -> str: - """The key name. - - :returns: The key name. - :rtype: str - """ - return self._vault_id.name - - @property - def version(self) -> Optional[str]: - """The key version. - - :returns: The key version. - :rtype: str or None - """ - return self._vault_id.version - - @property - def enabled(self) -> Optional[bool]: - """Whether the key is enabled for use. - - :returns: True if the key is enabled for use; False otherwise. - :rtype: bool or None - """ - return self._attributes.enabled if self._attributes else None - - @property - def not_before(self) -> Optional[datetime]: - """The time before which the key can not be used, in UTC. - - :returns: The time before which the key can not be used, in UTC. - :rtype: ~datetime.datetime or None - """ - return self._attributes.not_before if self._attributes else None - - @property - def expires_on(self) -> Optional[datetime]: - """When the key will expire, in UTC. - - :returns: When the key will expire, in UTC. - :rtype: ~datetime.datetime or None - """ - return self._attributes.expires if self._attributes else None - - @property - def created_on(self) -> Optional[datetime]: - """When the key was created, in UTC. - - :returns: When the key was created, in UTC. - :rtype: ~datetime.datetime or None - """ - return self._attributes.created if self._attributes else None - - @property - def updated_on(self) -> Optional[datetime]: - """When the key was last updated, in UTC. - - :returns: When the key was last updated, in UTC. - :rtype: ~datetime.datetime or None - """ - return self._attributes.updated if self._attributes else None - - @property - def vault_url(self) -> str: - """URL of the vault containing the key. - - :returns: URL of the vault containing the key. - :rtype: str - """ - return self._vault_id.vault_url - - @property - def recoverable_days(self) -> Optional[int]: - """The number of days the key is retained before being deleted from a soft-delete enabled Key Vault. - - :returns: The number of days the key is retained before being deleted from a soft-delete enabled Key Vault. - :rtype: int or None - """ - # recoverable_days was added in 7.1-preview - if self._attributes: - return getattr(self._attributes, "recoverable_days", None) - return None - - @property - def recovery_level(self) -> Optional[str]: - """The vault's deletion recovery level for keys. - - :returns: The vault's deletion recovery level for keys. - :rtype: str or None - """ - return self._attributes.recovery_level if self._attributes else None - - @property - def tags(self) -> Dict[str, str]: - """Application specific metadata in the form of key-value pairs. - - :returns: A dictionary of tags attached to the key. - :rtype: dict[str, str] - """ - return self._tags - - @property - def managed(self) -> Optional[bool]: - """Whether the key's lifetime is managed by Key Vault. If the key backs a certificate, this will be true. - - :returns: True if the key's lifetime is managed by Key Vault; False otherwise. - :rtype: bool or None - """ - return self._managed - - @property - def exportable(self) -> Optional[bool]: - """Whether the private key can be exported. - - :returns: True if the private key can be exported; False otherwise. - :rtype: bool or None - """ - # exportable was added in 7.3-preview - if self._attributes: - return getattr(self._attributes, "exportable", None) - return None - - @property - def release_policy(self) -> "Optional[KeyReleasePolicy]": - """The :class:`~azure.keyvault.keys.KeyReleasePolicy` specifying the rules under which the key can be exported. - - :returns: The key's release policy specifying the rules for exporting. - :rtype: ~azure.keyvault.keys.KeyReleasePolicy or None - """ - return self._release_policy - - @property - def hsm_platform(self) -> Optional[str]: - """The underlying HSM platform. - - :returns: The underlying HSM platform. - :rtype: str or None - """ - # hsm_platform was added in 7.5-preview.1 - if self._attributes: - return getattr(self._attributes, "hsm_platform", None) - return None - - -class KeyReleasePolicy(object): - """The policy rules under which a key can be exported. - - :param bytes encoded_policy: The policy rules under which the key can be released. Encoded based on the - ``content_type``. For more information regarding release policy grammar, please refer to: - https://aka.ms/policygrammarkeys for Azure Key Vault; https://aka.ms/policygrammarmhsm for Azure Managed HSM. - - :keyword str content_type: Content type and version of the release policy. Defaults to "application/json; - charset=utf-8" if omitted. - :keyword bool immutable: Marks a release policy as immutable. An immutable release policy cannot be changed or - updated after being marked immutable. Release policies are mutable by default. - """ - - def __init__(self, encoded_policy: bytes, **kwargs: Any) -> None: - self.encoded_policy = encoded_policy - self.content_type = kwargs.get("content_type", None) - self.immutable = kwargs.get("immutable", None) - - -class ReleaseKeyResult(object): - """The result of a key release operation. - - :ivar str value: A signed token containing the released key. - - :param str value: A signed token containing the released key. - """ - - def __init__(self, value: str) -> None: - self.value = value - - -class KeyRotationLifetimeAction(object): - """An action and its corresponding trigger that will be performed by Key Vault over the lifetime of a key. - - :param action: The action that will be executed. - :type action: ~azure.keyvault.keys.KeyRotationPolicyAction or str - - :keyword time_after_create: Time after creation to attempt the specified action, as an ISO 8601 duration. - For example, 90 days is "P90D". See `Wikipedia `_ for more - information on ISO 8601 durations. - :paramtype time_after_create: str or None - :keyword time_before_expiry: Time before expiry to attempt the specified action, as an ISO 8601 duration. - For example, 90 days is "P90D". See `Wikipedia `_ for more - information on ISO 8601 durations. - :paramtype time_before_expiry: str or None - """ - - def __init__(self, action: Union[KeyRotationPolicyAction, str], **kwargs: Any) -> None: - self.action = action - self.time_after_create: Optional[str] = kwargs.get("time_after_create", None) - self.time_before_expiry: Optional[str] = kwargs.get("time_before_expiry", None) - - @classmethod - def _from_generated(cls, lifetime_action: "_models.LifetimeActions") -> "KeyRotationLifetimeAction": - if lifetime_action.action: - if lifetime_action.trigger: - return cls( - action=lifetime_action.action.type, # type: ignore - time_after_create=lifetime_action.trigger.time_after_create, - time_before_expiry=lifetime_action.trigger.time_before_expiry, - ) - return cls(action=lifetime_action.action) # type: ignore - raise ValueError("Provided LifetimeActions model is missing a required lifetime action property.") - - -class KeyRotationPolicy(object): - """The key rotation policy that belongs to a key. - - :ivar id: The identifier of the key rotation policy. - :vartype id: str or None - :ivar lifetime_actions: Actions that will be performed by Key Vault over the lifetime of a key. - :vartype lifetime_actions: list[~azure.keyvault.keys.KeyRotationLifetimeAction] - :ivar expires_in: The expiry time of the policy that will be applied on new key versions, defined as an ISO 8601 - duration. For example, 90 days is "P90D". See `Wikipedia `_ for - more information on ISO 8601 durations. - :vartype expires_in: str or None - :ivar created_on: When the policy was created, in UTC - :vartype created_on: ~datetime.datetime or None - :ivar updated_on: When the policy was last updated, in UTC - :vartype updated_on: ~datetime.datetime or None - """ - - def __init__(self, **kwargs: Any) -> None: - self.id = kwargs.get("policy_id", None) - self.lifetime_actions: List[KeyRotationLifetimeAction] = kwargs.get("lifetime_actions", []) - self.expires_in = kwargs.get("expires_in", None) - self.created_on = kwargs.get("created_on", None) - self.updated_on = kwargs.get("updated_on", None) - - @classmethod - def _from_generated(cls, policy: "_models.KeyRotationPolicy") -> "KeyRotationPolicy": - lifetime_actions = ( - [] - if policy.lifetime_actions is None - else [KeyRotationLifetimeAction._from_generated(action) for action in policy.lifetime_actions] # pylint:disable=protected-access - ) - if policy.attributes: - return cls( - policy_id=policy.id, - lifetime_actions=lifetime_actions, - expires_in=policy.attributes.expiry_time, - created_on=policy.attributes.created, - updated_on=policy.attributes.updated, - ) - return cls(policy_id=policy.id, lifetime_actions=lifetime_actions) - - -class KeyVaultKey(object): - """A key's attributes and cryptographic material. - - :param str key_id: Key Vault's identifier for the key. Typically a URI, e.g. - https://myvault.vault.azure.net/keys/my-key/version - :param jwk: The key's cryptographic material as a JSON Web Key (https://tools.ietf.org/html/rfc7517). This may be - provided as a dictionary or keyword arguments. See :class:`~azure.keyvault.keys.models.JsonWebKey` for field - names. - :type jwk: Dict[str, Any] - - Providing cryptographic material as keyword arguments: - - .. code-block:: python - - from azure.keyvault.keys.models import KeyVaultKey - - key_id = 'https://myvault.vault.azure.net/keys/my-key/my-key-version' - key_bytes = os.urandom(32) - key = KeyVaultKey(key_id, k=key_bytes, kty='oct', key_ops=['unwrapKey', 'wrapKey']) - - Providing cryptographic material as a dictionary: - - .. code-block:: python - - from azure.keyvault.keys.models import KeyVaultKey - - key_id = 'https://myvault.vault.azure.net/keys/my-key/my-key-version' - key_bytes = os.urandom(32) - jwk = {'k': key_bytes, 'kty': 'oct', 'key_ops': ['unwrapKey', 'wrapKey']} - key = KeyVaultKey(key_id, jwk=jwk) - - """ - - def __init__(self, key_id: str, jwk: Optional[Dict[str, Any]] = None, **kwargs) -> None: - self._properties: KeyProperties = kwargs.pop("properties", None) or KeyProperties(key_id, **kwargs) - if isinstance(jwk, dict): - if any(field in kwargs for field in JsonWebKey._FIELDS): - raise ValueError( - "Individual keyword arguments for key material and the 'jwk' argument are mutually exclusive." - ) - self._key_material = JsonWebKey(**jwk) - else: - self._key_material = JsonWebKey(**kwargs) - - def __repr__(self) -> str: - return f""[:1024] - - @classmethod - def _from_key_bundle(cls, key_bundle: "_models.KeyBundle") -> "KeyVaultKey": - # pylint:disable=protected-access - return cls( - key_id=key_bundle.key.kid, # type: ignore - jwk={field: getattr(key_bundle.key, field, None) for field in JsonWebKey._FIELDS}, - properties=KeyProperties._from_key_bundle(key_bundle), - ) - - @property - def id(self) -> str: - """The key ID. - - :returns: The key ID. - :rtype: str - """ - return self._properties.id - - @property - def name(self) -> str: - """The key name. - - :returns: The key name. - :rtype: str - """ - return self._properties.name - - @property - def properties(self) -> KeyProperties: - """The key properties. - - :returns: The key properties. - :rtype: ~azure.keyvault.keys.KeyProperties - """ - return self._properties - - @property - def key(self) -> JsonWebKey: - """The JSON Web Key (JWK) for the key. - - :returns: The JSON Web Key (JWK) for the key. - :rtype: ~azure.keyvault.keys.JsonWebKey - """ - return self._key_material - - @property - def key_type(self) -> Union[str, KeyType]: - """The key's type. See :class:`~azure.keyvault.keys.KeyType` for possible values. - - :returns: The key's type. See :class:`~azure.keyvault.keys.KeyType` for possible values. - :rtype: ~azure.keyvault.keys.KeyType or str - """ - # pylint:disable=no-member - return self._key_material.kty # type: ignore[attr-defined] - - @property - def key_operations(self) -> List[Union[str, KeyOperation]]: - """Permitted operations. See :class:`~azure.keyvault.keys.KeyOperation` for possible values. - - :returns: Permitted operations. See :class:`~azure.keyvault.keys.KeyOperation` for possible values. - :rtype: List[~azure.keyvault.keys.KeyOperation or str] - """ - # pylint:disable=no-member - return self._key_material.key_ops # type: ignore[attr-defined] - - -class KeyVaultKeyIdentifier(object): - """Information about a KeyVaultKey parsed from a key ID. - - :param str source_id: The full original identifier of a key - - :raises ValueError: if the key ID is improperly formatted - - Example: - .. literalinclude:: ../tests/test_parse_id.py - :start-after: [START parse_key_vault_key_id] - :end-before: [END parse_key_vault_key_id] - :language: python - :caption: Parse a key's ID - :dedent: 8 - """ - - def __init__(self, source_id: str) -> None: - self._resource_id = parse_key_vault_id(source_id) - - @property - def source_id(self) -> str: - return self._resource_id.source_id - - @property - def vault_url(self) -> str: - return self._resource_id.vault_url - - @property - def name(self) -> str: - return self._resource_id.name - - @property - def version(self) -> Optional[str]: - return self._resource_id.version - - -class DeletedKey(KeyVaultKey): - """A deleted key's properties, cryptographic material and its deletion information. - - If soft-delete is enabled, returns information about its recovery as well. - - :param properties: Properties of the deleted key. - :type properties: ~azure.keyvault.keys.KeyProperties - :param deleted_date: When the key was deleted, in UTC. - :type deleted_date: ~datetime.datetime or None - :param recovery_id: An identifier used to recover the deleted key. Returns ``None`` if soft-delete is disabled. - :type recovery_id: str or None - :param scheduled_purge_date: When the key is scheduled to be purged, in UTC. Returns ``None`` if soft-delete is - disabled. - :type scheduled_purge_date: ~datetime.datetime or None - """ - - def __init__( - self, - properties: KeyProperties, - deleted_date: Optional[datetime] = None, - recovery_id: Optional[str] = None, - scheduled_purge_date: Optional[datetime] = None, - **kwargs: Any, - ) -> None: - super(DeletedKey, self).__init__(properties=properties, **kwargs) - self._deleted_date = deleted_date - self._recovery_id = recovery_id - self._scheduled_purge_date = scheduled_purge_date - - def __repr__(self) -> str: - return f""[:1024] - - @classmethod - def _from_deleted_key_bundle(cls, deleted_key_bundle: "_models.DeletedKeyBundle") -> "DeletedKey": - # pylint:disable=protected-access - return cls( - properties=KeyProperties._from_key_bundle(deleted_key_bundle), - key_id=deleted_key_bundle.key.kid, # type: ignore - jwk={field: getattr(deleted_key_bundle.key, field, None) for field in JsonWebKey._FIELDS}, - deleted_date=deleted_key_bundle.deleted_date, - recovery_id=deleted_key_bundle.recovery_id, - scheduled_purge_date=deleted_key_bundle.scheduled_purge_date, - ) - - @classmethod - def _from_deleted_key_item(cls, deleted_key_item: "_models.DeletedKeyItem") -> "DeletedKey": - return cls( - properties=KeyProperties._from_key_item(deleted_key_item), # pylint: disable=protected-access - key_id=deleted_key_item.kid, - deleted_date=deleted_key_item.deleted_date, - recovery_id=deleted_key_item.recovery_id, - scheduled_purge_date=deleted_key_item.scheduled_purge_date, - ) - - @property - def deleted_date(self) -> Optional[datetime]: - """When the key was deleted, in UTC. - - :returns: When the key was deleted, in UTC. - :rtype: ~datetime.datetime or None - """ - return self._deleted_date - - @property - def recovery_id(self) -> Optional[str]: - """An identifier used to recover the deleted key. Returns ``None`` if soft-delete is disabled. - - :returns: An identifier used to recover the deleted key. Returns ``None`` if soft-delete is disabled. - :rtype: str or None - """ - return self._recovery_id - - @property - def scheduled_purge_date(self) -> Optional[datetime]: - """When the key is scheduled to be purged, in UTC. Returns ``None`` if soft-delete is disabled. - - :returns: When the key is scheduled to be purged, in UTC. Returns ``None`` if soft-delete is disabled. - :rtype: ~datetime.datetime or None - """ - return self._scheduled_purge_date diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_operations/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_operations/__init__.py similarity index 58% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_operations/__init__.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_operations/__init__.py index 29ea96fccbfe..d514f5e4b5be 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_operations/__init__.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_operations/__init__.py @@ -2,18 +2,24 @@ # -------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. +# Code generated by Microsoft (R) Python Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- +# pylint: disable=wrong-import-position -from ._operations import KeyVaultClientOperationsMixin +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from ._patch import * # pylint: disable=unused-wildcard-import + +from ._operations import KeyVaultClientOperationsMixin # type: ignore from ._patch import __all__ as _patch_all -from ._patch import * # pylint: disable=unused-wildcard-import +from ._patch import * from ._patch import patch_sdk as _patch_sdk __all__ = [ "KeyVaultClientOperationsMixin", ] -__all__.extend([p for p in _patch_all if p not in __all__]) +__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore _patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_operations/_operations.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_operations/_operations.py similarity index 70% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_operations/_operations.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_operations/_operations.py index f612e1fcee1f..0899a0199ac8 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_operations/_operations.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_operations/_operations.py @@ -1,13 +1,15 @@ -# pylint: disable=too-many-lines,too-many-statements +# pylint: disable=too-many-lines # coding=utf-8 # -------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. +# Code generated by Microsoft (R) Python Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- from io import IOBase -from typing import Any, Callable, Dict, IO, Iterable, Optional, TypeVar, Union, overload +import json +import sys +from typing import Any, Callable, Dict, IO, Iterable, List, Optional, TypeVar, Union, overload import urllib.parse from azure.core.exceptions import ( @@ -16,6 +18,8 @@ ResourceExistsError, ResourceNotFoundError, ResourceNotModifiedError, + StreamClosedError, + StreamConsumedError, map_error, ) from azure.core.paging import ItemPaged @@ -25,9 +29,15 @@ from azure.core.utils import case_insensitive_dict from .. import models as _models +from .._model_base import SdkJSONEncoder, _deserialize, _failsafe_deserialize from .._serialization import Serializer from .._vendor import KeyVaultClientMixinABC +if sys.version_info >= (3, 9): + from collections.abc import MutableMapping +else: + from typing import MutableMapping # type: ignore +JSON = MutableMapping[str, Any] # pylint: disable=unsubscriptable-object T = TypeVar("T") ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] @@ -40,13 +50,13 @@ def build_key_vault_create_key_request(key_name: str, **kwargs: Any) -> HttpRequ _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL _url = "/keys/{key-name}/create" path_format_arguments = { - "key-name": _SERIALIZER.url("key_name", key_name, "str", pattern=r"^[0-9a-zA-Z-]+$"), + "key-name": _SERIALIZER.url("key_name", key_name, "str"), } _url: str = _url.format(**path_format_arguments) # type: ignore @@ -66,13 +76,13 @@ def build_key_vault_rotate_key_request(key_name: str, **kwargs: Any) -> HttpRequ _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL _url = "/keys/{key-name}/rotate" path_format_arguments = { - "key-name": _SERIALIZER.url("key_name", key_name, "str", pattern=r"^[0-9a-zA-Z-]+$"), + "key-name": _SERIALIZER.url("key_name", key_name, "str"), } _url: str = _url.format(**path_format_arguments) # type: ignore @@ -91,13 +101,13 @@ def build_key_vault_import_key_request(key_name: str, **kwargs: Any) -> HttpRequ _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL _url = "/keys/{key-name}" path_format_arguments = { - "key-name": _SERIALIZER.url("key_name", key_name, "str", pattern=r"^[0-9a-zA-Z-]+$"), + "key-name": _SERIALIZER.url("key_name", key_name, "str"), } _url: str = _url.format(**path_format_arguments) # type: ignore @@ -117,7 +127,7 @@ def build_key_vault_delete_key_request(key_name: str, **kwargs: Any) -> HttpRequ _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -142,7 +152,7 @@ def build_key_vault_update_key_request(key_name: str, key_version: str, **kwargs _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -169,7 +179,7 @@ def build_key_vault_get_key_request(key_name: str, key_version: str, **kwargs: A _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -196,7 +206,7 @@ def build_key_vault_get_key_versions_request( _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -208,9 +218,9 @@ def build_key_vault_get_key_versions_request( _url: str = _url.format(**path_format_arguments) # type: ignore # Construct parameters - if maxresults is not None: - _params["maxresults"] = _SERIALIZER.query("maxresults", maxresults, "int", maximum=25, minimum=1) _params["api-version"] = _SERIALIZER.query("api_version", api_version, "str") + if maxresults is not None: + _params["maxresults"] = _SERIALIZER.query("maxresults", maxresults, "int") # Construct headers _headers["Accept"] = _SERIALIZER.header("accept", accept, "str") @@ -222,16 +232,16 @@ def build_key_vault_get_keys_request(*, maxresults: Optional[int] = None, **kwar _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL _url = "/keys" # Construct parameters - if maxresults is not None: - _params["maxresults"] = _SERIALIZER.query("maxresults", maxresults, "int", maximum=25, minimum=1) _params["api-version"] = _SERIALIZER.query("api_version", api_version, "str") + if maxresults is not None: + _params["maxresults"] = _SERIALIZER.query("maxresults", maxresults, "int") # Construct headers _headers["Accept"] = _SERIALIZER.header("accept", accept, "str") @@ -243,7 +253,7 @@ def build_key_vault_backup_key_request(key_name: str, **kwargs: Any) -> HttpRequ _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -268,7 +278,7 @@ def build_key_vault_restore_key_request(**kwargs: Any) -> HttpRequest: _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -290,7 +300,7 @@ def build_key_vault_encrypt_request(key_name: str, key_version: str, **kwargs: A _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -318,7 +328,7 @@ def build_key_vault_decrypt_request(key_name: str, key_version: str, **kwargs: A _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -346,7 +356,7 @@ def build_key_vault_sign_request(key_name: str, key_version: str, **kwargs: Any) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -374,7 +384,7 @@ def build_key_vault_verify_request(key_name: str, key_version: str, **kwargs: An _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -402,7 +412,7 @@ def build_key_vault_wrap_key_request(key_name: str, key_version: str, **kwargs: _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -430,7 +440,7 @@ def build_key_vault_unwrap_key_request(key_name: str, key_version: str, **kwargs _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -458,7 +468,7 @@ def build_key_vault_release_request(key_name: str, key_version: str, **kwargs: A _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -485,16 +495,16 @@ def build_key_vault_get_deleted_keys_request(*, maxresults: Optional[int] = None _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL _url = "/deletedkeys" # Construct parameters - if maxresults is not None: - _params["maxresults"] = _SERIALIZER.query("maxresults", maxresults, "int", maximum=25, minimum=1) _params["api-version"] = _SERIALIZER.query("api_version", api_version, "str") + if maxresults is not None: + _params["maxresults"] = _SERIALIZER.query("maxresults", maxresults, "int") # Construct headers _headers["Accept"] = _SERIALIZER.header("accept", accept, "str") @@ -506,7 +516,7 @@ def build_key_vault_get_deleted_key_request(key_name: str, **kwargs: Any) -> Htt _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -532,7 +542,7 @@ def build_key_vault_purge_deleted_key_request( # pylint: disable=name-too-long _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -558,7 +568,7 @@ def build_key_vault_recover_deleted_key_request( # pylint: disable=name-too-lon _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -584,7 +594,7 @@ def build_key_vault_get_key_rotation_policy_request( # pylint: disable=name-too _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -611,7 +621,7 @@ def build_key_vault_update_key_rotation_policy_request( # pylint: disable=name- _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -638,7 +648,7 @@ def build_key_vault_get_random_bytes_request(**kwargs: Any) -> HttpRequest: _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) - api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.6-preview.1")) accept = _headers.pop("Accept", "application/json") # Construct URL @@ -656,10 +666,10 @@ def build_key_vault_get_random_bytes_request(**kwargs: Any) -> HttpRequest: class KeyVaultClientOperationsMixin(KeyVaultClientMixinABC): # pylint: disable=too-many-public-methods + @overload def create_key( self, - vault_base_url: str, key_name: str, parameters: _models.KeyCreateParameters, *, @@ -672,32 +682,49 @@ def create_key( key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name for the new key. The system will generate the version name for the new key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. :type key_name: str :param parameters: The parameters to create a key. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyCreateParameters + :type parameters: ~azure.keyvault.keys.models.KeyCreateParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @overload def create_key( - self, - vault_base_url: str, - key_name: str, - parameters: IO[bytes], - *, - content_type: str = "application/json", - **kwargs: Any + self, key_name: str, parameters: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.KeyBundle: + """Creates a new key, stores it, then returns key parameters and attributes to the client. + + The create key operation can be used to create any key type in Azure Key Vault. If the named + key already exists, Azure Key Vault creates a new version of the key. It requires the + keys/create permission. + + :param key_name: The name for the new key. The system will generate the version name for the + new key. The value you provide may be copied globally for the purpose of running the service. + The value provided should not include personally identifiable or sensitive information. + Required. + :type key_name: str + :param parameters: The parameters to create a key. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def create_key( + self, key_name: str, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyBundle: """Creates a new key, stores it, then returns key parameters and attributes to the client. @@ -705,8 +732,6 @@ def create_key( key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name for the new key. The system will generate the version name for the new key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. @@ -717,18 +742,14 @@ def create_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def create_key( - self, - vault_base_url: str, - key_name: str, - parameters: Union[_models.KeyCreateParameters, IO[bytes]], - **kwargs: Any + self, key_name: str, parameters: Union[_models.KeyCreateParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyBundle: """Creates a new key, stores it, then returns key parameters and attributes to the client. @@ -736,24 +757,19 @@ def create_key( key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name for the new key. The system will generate the version name for the new key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. :type key_name: str - :param parameters: The parameters to create a key. Is either a KeyCreateParameters type or a - IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyCreateParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :param parameters: The parameters to create a key. Is one of the following types: + KeyCreateParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyCreateParameters or JSON or IO[bytes] + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -768,28 +784,28 @@ def create_key( cls: ClsType[_models.KeyBundle] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyCreateParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_create_key_request( key_name=key_name, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -798,12 +814,18 @@ def create_key( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -811,23 +833,21 @@ def create_key( return deserialized # type: ignore @distributed_trace - def rotate_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.KeyBundle: + def rotate_key(self, key_name: str, **kwargs: Any) -> _models.KeyBundle: """Creates a new key version, stores it, then returns key parameters, attributes and policy to the client. The operation will rotate the key based on the key policy. It requires the keys/rotate permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of key to be rotated. The system will generate a new version in the specified key. Required. :type key_name: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -847,11 +867,13 @@ def rotate_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -860,12 +882,18 @@ def rotate_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -875,7 +903,6 @@ def rotate_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode @overload def import_key( self, - vault_base_url: str, key_name: str, parameters: _models.KeyImportParameters, *, @@ -889,31 +916,48 @@ def import_key( named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: Name for the imported key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. :type key_name: str :param parameters: The parameters to import a key. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyImportParameters + :type parameters: ~azure.keyvault.keys.models.KeyImportParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @overload def import_key( - self, - vault_base_url: str, - key_name: str, - parameters: IO[bytes], - *, - content_type: str = "application/json", - **kwargs: Any + self, key_name: str, parameters: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.KeyBundle: + """Imports an externally created key, stores it, and returns key parameters and attributes to the + client. + + The import key operation may be used to import any key type into an Azure Key Vault. If the + named key already exists, Azure Key Vault creates a new version of the key. This operation + requires the keys/import permission. + + :param key_name: Name for the imported key. The value you provide may be copied globally for + the purpose of running the service. The value provided should not include personally + identifiable or sensitive information. Required. + :type key_name: str + :param parameters: The parameters to import a key. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def import_key( + self, key_name: str, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyBundle: """Imports an externally created key, stores it, and returns key parameters and attributes to the client. @@ -922,8 +966,6 @@ def import_key( named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: Name for the imported key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. @@ -933,18 +975,14 @@ def import_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def import_key( - self, - vault_base_url: str, - key_name: str, - parameters: Union[_models.KeyImportParameters, IO[bytes]], - **kwargs: Any + self, key_name: str, parameters: Union[_models.KeyImportParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyBundle: """Imports an externally created key, stores it, and returns key parameters and attributes to the client. @@ -953,23 +991,18 @@ def import_key( named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: Name for the imported key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. :type key_name: str - :param parameters: The parameters to import a key. Is either a KeyImportParameters type or a - IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyImportParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :param parameters: The parameters to import a key. Is one of the following types: + KeyImportParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyImportParameters or JSON or IO[bytes] + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -984,28 +1017,28 @@ def import_key( cls: ClsType[_models.KeyBundle] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyImportParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_import_key_request( key_name=key_name, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1014,12 +1047,18 @@ def import_key( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1027,7 +1066,7 @@ def import_key( return deserialized # type: ignore @distributed_trace - def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.DeletedKeyBundle: + def delete_key(self, key_name: str, **kwargs: Any) -> _models.DeletedKeyBundle: """Deletes a key of any type from storage in Azure Key Vault. The delete key operation cannot be used to remove individual versions of a key. This operation @@ -1035,15 +1074,13 @@ def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to delete. Required. :type key_name: str - :return: DeletedKeyBundle - :rtype: ~azure.keyvault.v7_5.models.DeletedKeyBundle + :return: DeletedKeyBundle. The DeletedKeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.DeletedKeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1063,11 +1100,13 @@ def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1076,12 +1115,18 @@ def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("DeletedKeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.DeletedKeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1091,7 +1136,6 @@ def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode @overload def update_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyUpdateParameters, @@ -1106,26 +1150,54 @@ def update_key( cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of key to update. Required. :type key_name: str :param key_version: The version of the key to update. Required. :type key_version: str :param parameters: The parameters of the key to update. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyUpdateParameters + :type parameters: ~azure.keyvault.keys.models.KeyUpdateParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def update_key( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyBundle: + """The update key operation changes specified attributes of a stored key and can be applied to any + key type and key version stored in Azure Key Vault. + + In order to perform this operation, the key must already exist in the Key Vault. Note: The + cryptographic material of a key itself cannot be changed. This operation requires the + keys/update permission. + + :param key_name: The name of key to update. Required. + :type key_name: str + :param key_version: The version of the key to update. Required. + :type key_version: str + :param parameters: The parameters of the key to update. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @overload def update_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -1140,8 +1212,6 @@ def update_key( cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of key to update. Required. :type key_name: str :param key_version: The version of the key to update. Required. @@ -1151,18 +1221,17 @@ def update_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def update_key( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyUpdateParameters, IO[bytes]], + parameters: Union[_models.KeyUpdateParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyBundle: """The update key operation changes specified attributes of a stored key and can be applied to any @@ -1172,23 +1241,18 @@ def update_key( cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of key to update. Required. :type key_name: str :param key_version: The version of the key to update. Required. :type key_version: str - :param parameters: The parameters of the key to update. Is either a KeyUpdateParameters type or - a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyUpdateParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :param parameters: The parameters of the key to update. Is one of the following types: + KeyUpdateParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyUpdateParameters or JSON or IO[bytes] + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1203,29 +1267,29 @@ def update_key( cls: ClsType[_models.KeyBundle] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyUpdateParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_update_key_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1234,12 +1298,18 @@ def update_key( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1247,25 +1317,23 @@ def update_key( return deserialized # type: ignore @distributed_trace - def get_key(self, vault_base_url: str, key_name: str, key_version: str, **kwargs: Any) -> _models.KeyBundle: + def get_key(self, key_name: str, key_version: str, **kwargs: Any) -> _models.KeyBundle: """Gets the public part of a stored key. The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response. This operation requires the keys/get permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to get. Required. :type key_name: str :param key_version: Adding the version parameter retrieves a specific version of a key. This URI fragment is optional. If not specified, the latest version of the key is returned. Required. :type key_version: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1286,11 +1354,13 @@ def get_key(self, vault_base_url: str, key_name: str, key_version: str, **kwargs params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1299,12 +1369,18 @@ def get_key(self, vault_base_url: str, key_name: str, key_version: str, **kwargs if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1313,30 +1389,28 @@ def get_key(self, vault_base_url: str, key_name: str, key_version: str, **kwargs @distributed_trace def get_key_versions( - self, vault_base_url: str, key_name: str, *, maxresults: Optional[int] = None, **kwargs: Any + self, key_name: str, *, maxresults: Optional[int] = None, **kwargs: Any ) -> Iterable["_models.KeyItem"]: """Retrieves a list of individual key versions with the same key name. The full key identifier, attributes, and tags are provided in the response. This operation requires the keys/list permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :keyword maxresults: Maximum number of results to return in a page. If not specified the service will return up to 25 results. Default value is None. :paramtype maxresults: int :return: An iterator like instance of KeyItem - :rtype: ~azure.core.paging.ItemPaged[~azure.keyvault.v7_5.models.KeyItem] + :rtype: ~azure.core.paging.ItemPaged[~azure.keyvault.keys.models.KeyItem] :raises ~azure.core.exceptions.HttpResponseError: """ _headers = kwargs.pop("headers", {}) or {} _params = kwargs.pop("params", {}) or {} - cls: ClsType[_models._models.KeyListResult] = kwargs.pop("cls", None) # pylint: disable=protected-access + cls: ClsType[List[_models.KeyItem]] = kwargs.pop("cls", None) - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1355,7 +1429,9 @@ def prepare_request(next_link=None): params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) @@ -1373,20 +1449,20 @@ def prepare_request(next_link=None): "GET", urllib.parse.urljoin(next_link, _parsed_next_link.path), params=_next_request_params ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) return _request def extract_data(pipeline_response): - deserialized = self._deserialize( - _models._models.KeyListResult, pipeline_response # pylint: disable=protected-access - ) - list_of_elem = deserialized.value + deserialized = pipeline_response.http_response.json() + list_of_elem = _deserialize(List[_models.KeyItem], deserialized["value"]) if cls: list_of_elem = cls(list_of_elem) # type: ignore - return deserialized.next_link or None, iter(list_of_elem) + return deserialized.get("nextLink") or None, iter(list_of_elem) def get_next(next_link=None): _request = prepare_request(next_link) @@ -1398,10 +1474,8 @@ def get_next(next_link=None): response = pipeline_response.http_response if response.status_code not in [200]: - if _stream: - response.read() # Load the body in memory and close the socket map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) return pipeline_response @@ -1409,9 +1483,7 @@ def get_next(next_link=None): return ItemPaged(get_next, extract_data) @distributed_trace - def get_keys( - self, vault_base_url: str, *, maxresults: Optional[int] = None, **kwargs: Any - ) -> Iterable["_models.KeyItem"]: + def get_keys(self, *, maxresults: Optional[int] = None, **kwargs: Any) -> Iterable["_models.KeyItem"]: """List keys in the specified vault. Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the @@ -1419,21 +1491,19 @@ def get_keys( the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response. This operation requires the keys/list permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :keyword maxresults: Maximum number of results to return in a page. If not specified the service will return up to 25 results. Default value is None. :paramtype maxresults: int :return: An iterator like instance of KeyItem - :rtype: ~azure.core.paging.ItemPaged[~azure.keyvault.v7_5.models.KeyItem] + :rtype: ~azure.core.paging.ItemPaged[~azure.keyvault.keys.models.KeyItem] :raises ~azure.core.exceptions.HttpResponseError: """ _headers = kwargs.pop("headers", {}) or {} _params = kwargs.pop("params", {}) or {} - cls: ClsType[_models._models.KeyListResult] = kwargs.pop("cls", None) # pylint: disable=protected-access + cls: ClsType[List[_models.KeyItem]] = kwargs.pop("cls", None) - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1451,7 +1521,9 @@ def prepare_request(next_link=None): params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) @@ -1469,20 +1541,20 @@ def prepare_request(next_link=None): "GET", urllib.parse.urljoin(next_link, _parsed_next_link.path), params=_next_request_params ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) return _request def extract_data(pipeline_response): - deserialized = self._deserialize( - _models._models.KeyListResult, pipeline_response # pylint: disable=protected-access - ) - list_of_elem = deserialized.value + deserialized = pipeline_response.http_response.json() + list_of_elem = _deserialize(List[_models.KeyItem], deserialized["value"]) if cls: list_of_elem = cls(list_of_elem) # type: ignore - return deserialized.next_link or None, iter(list_of_elem) + return deserialized.get("nextLink") or None, iter(list_of_elem) def get_next(next_link=None): _request = prepare_request(next_link) @@ -1494,10 +1566,8 @@ def get_next(next_link=None): response = pipeline_response.http_response if response.status_code not in [200]: - if _stream: - response.read() # Load the body in memory and close the socket map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) return pipeline_response @@ -1505,7 +1575,7 @@ def get_next(next_link=None): return ItemPaged(get_next, extract_data) @distributed_trace - def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.BackupKeyResult: + def backup_key(self, key_name: str, **kwargs: Any) -> _models.BackupKeyResult: """Requests that a backup of the specified key be downloaded to the client. The Key Backup operation exports a key from Azure Key Vault in a protected form. Note that this @@ -1520,15 +1590,13 @@ def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode cannot be restored in an EU geographical area. This operation requires the key/backup permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str - :return: BackupKeyResult - :rtype: ~azure.keyvault.v7_5.models.BackupKeyResult + :return: BackupKeyResult. The BackupKeyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.BackupKeyResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1548,11 +1616,13 @@ def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1561,12 +1631,18 @@ def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("BackupKeyResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.BackupKeyResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1575,12 +1651,34 @@ def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _mode @overload def restore_key( - self, - vault_base_url: str, - parameters: _models.KeyRestoreParameters, - *, - content_type: str = "application/json", - **kwargs: Any + self, parameters: _models.KeyRestoreParameters, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.KeyBundle: + """Restores a backed up key to a vault. + + Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, + attributes and access control policies. The RESTORE operation may be used to import a + previously backed up key. Individual versions of a key cannot be restored. The key is restored + in its entirety with the same key name as it had when it was backed up. If the key name is not + available in the target Key Vault, the RESTORE operation will be rejected. While the key name + is retained during restore, the final key identifier will change if the key is restored to a + different vault. Restore will restore all versions and preserve version identifiers. The + RESTORE operation is subject to security constraints: The target Key Vault must be owned by the + same Microsoft Azure Subscription as the source Key Vault The user must have RESTORE permission + in the target Key Vault. This operation requires the keys/restore permission. + + :param parameters: The parameters to restore the key. Required. + :type parameters: ~azure.keyvault.keys.models.KeyRestoreParameters + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def restore_key( + self, parameters: JSON, *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyBundle: """Restores a backed up key to a vault. @@ -1595,21 +1693,19 @@ def restore_key( same Microsoft Azure Subscription as the source Key Vault The user must have RESTORE permission in the target Key Vault. This operation requires the keys/restore permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param parameters: The parameters to restore the key. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyRestoreParameters + :type parameters: JSON :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @overload def restore_key( - self, vault_base_url: str, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any + self, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyBundle: """Restores a backed up key to a vault. @@ -1624,21 +1720,19 @@ def restore_key( same Microsoft Azure Subscription as the source Key Vault The user must have RESTORE permission in the target Key Vault. This operation requires the keys/restore permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param parameters: The parameters to restore the key. Required. :type parameters: IO[bytes] :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def restore_key( - self, vault_base_url: str, parameters: Union[_models.KeyRestoreParameters, IO[bytes]], **kwargs: Any + self, parameters: Union[_models.KeyRestoreParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyBundle: """Restores a backed up key to a vault. @@ -1653,19 +1747,14 @@ def restore_key( same Microsoft Azure Subscription as the source Key Vault The user must have RESTORE permission in the target Key Vault. This operation requires the keys/restore permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str - :param parameters: The parameters to restore the key. Is either a KeyRestoreParameters type or - a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyRestoreParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :param parameters: The parameters to restore the key. Is one of the following types: + KeyRestoreParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyRestoreParameters or JSON or IO[bytes] + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1680,27 +1769,27 @@ def restore_key( cls: ClsType[_models.KeyBundle] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyRestoreParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_restore_key_request( content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1709,12 +1798,18 @@ def restore_key( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1724,7 +1819,6 @@ def restore_key( @overload def encrypt( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyOperationsParameters, @@ -1743,26 +1837,58 @@ def encrypt( key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for the encryption operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def encrypt( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault. + + The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is + stored in Azure Key Vault. Note that the ENCRYPT operation only supports a single block of + data, the size of which is dependent on the target key and the encryption algorithm to be used. + The ENCRYPT operation is only strictly necessary for symmetric keys stored in Azure Key Vault + since protection with an asymmetric key can be performed using public portion of the key. This + operation is supported for asymmetric keys as a convenience for callers that have a + key-reference but do not have access to the public key material. This operation requires the + keys/encrypt permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for the encryption operation. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload def encrypt( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -1781,8 +1907,6 @@ def encrypt( key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -1792,18 +1916,17 @@ def encrypt( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def encrypt( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyOperationsParameters, IO[bytes]], + parameters: Union[_models.KeyOperationsParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault. @@ -1817,23 +1940,18 @@ def encrypt( key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for the encryption operation. Is either a - KeyOperationsParameters type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for the encryption operation. Is one of the following types: + KeyOperationsParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1848,29 +1966,29 @@ def encrypt( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyOperationsParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_encrypt_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1879,12 +1997,18 @@ def encrypt( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1894,7 +2018,6 @@ def encrypt( @overload def decrypt( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyOperationsParameters, @@ -1911,29 +2034,62 @@ def decrypt( stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption without first ensuring the integrity of the ciphertext using an HMAC, for example. See - https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more + https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more + information. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for the decryption operation. Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def decrypt( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Decrypts a single block of encrypted data. + + The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption + key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a + single block of data may be decrypted, the size of this block is dependent on the target key + and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys + stored in Azure Key Vault since it uses the private portion of the key. This operation requires + the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption + without first ensuring the integrity of the ciphertext using an HMAC, for example. See + https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for the decryption operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters + :type parameters: JSON :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload def decrypt( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -1950,11 +2106,9 @@ def decrypt( stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption without first ensuring the integrity of the ciphertext using an HMAC, for example. See - https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more + https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -1964,18 +2118,17 @@ def decrypt( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def decrypt( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyOperationsParameters, IO[bytes]], + parameters: Union[_models.KeyOperationsParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Decrypts a single block of encrypted data. @@ -1987,26 +2140,21 @@ def decrypt( stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption without first ensuring the integrity of the ciphertext using an HMAC, for example. See - https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more + https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for the decryption operation. Is either a - KeyOperationsParameters type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for the decryption operation. Is one of the following types: + KeyOperationsParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2021,29 +2169,29 @@ def decrypt( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyOperationsParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_decrypt_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2052,12 +2200,18 @@ def decrypt( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2067,7 +2221,6 @@ def decrypt( @overload def sign( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeySignParameters, @@ -2081,26 +2234,53 @@ def sign( since this operation uses the private portion of the key. This operation requires the keys/sign permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for the signing operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeySignParameters + :type parameters: ~azure.keyvault.keys.models.KeySignParameters + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def sign( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Creates a signature from a digest using the specified key. + + The SIGN operation is applicable to asymmetric and symmetric keys stored in Azure Key Vault + since this operation uses the private portion of the key. This operation requires the keys/sign + permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for the signing operation. Required. + :type parameters: JSON :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload def sign( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -2114,8 +2294,6 @@ def sign( since this operation uses the private portion of the key. This operation requires the keys/sign permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -2125,18 +2303,17 @@ def sign( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def sign( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeySignParameters, IO[bytes]], + parameters: Union[_models.KeySignParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Creates a signature from a digest using the specified key. @@ -2145,23 +2322,18 @@ def sign( since this operation uses the private portion of the key. This operation requires the keys/sign permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for the signing operation. Is either a KeySignParameters type - or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeySignParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for the signing operation. Is one of the following types: + KeySignParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeySignParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2176,29 +2348,29 @@ def sign( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeySignParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_sign_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2207,12 +2379,18 @@ def sign( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2222,7 +2400,6 @@ def sign( @overload def verify( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyVerifyParameters, @@ -2238,26 +2415,55 @@ def verify( convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for verify operations. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyVerifyParameters + :type parameters: ~azure.keyvault.keys.models.KeyVerifyParameters + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyVerifyResult. The KeyVerifyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyVerifyResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def verify( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyVerifyResult: + """Verifies a signature using a specified key. + + The VERIFY operation is applicable to symmetric keys stored in Azure Key Vault. VERIFY is not + strictly necessary for asymmetric keys stored in Azure Key Vault since signature verification + can be performed using the public portion of the key but this operation is supported as a + convenience for callers that only have a key-reference and not the public portion of the key. + This operation requires the keys/verify permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for verify operations. Required. + :type parameters: JSON :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyVerifyResult - :rtype: ~azure.keyvault.v7_5.models.KeyVerifyResult + :return: KeyVerifyResult. The KeyVerifyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyVerifyResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload def verify( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -2273,8 +2479,6 @@ def verify( convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -2284,18 +2488,17 @@ def verify( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyVerifyResult - :rtype: ~azure.keyvault.v7_5.models.KeyVerifyResult + :return: KeyVerifyResult. The KeyVerifyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyVerifyResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def verify( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyVerifyParameters, IO[bytes]], + parameters: Union[_models.KeyVerifyParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyVerifyResult: """Verifies a signature using a specified key. @@ -2306,23 +2509,18 @@ def verify( convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for verify operations. Is either a KeyVerifyParameters type - or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyVerifyParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyVerifyResult - :rtype: ~azure.keyvault.v7_5.models.KeyVerifyResult + :param parameters: The parameters for verify operations. Is one of the following types: + KeyVerifyParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyVerifyParameters or JSON or IO[bytes] + :return: KeyVerifyResult. The KeyVerifyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyVerifyResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2337,29 +2535,29 @@ def verify( cls: ClsType[_models.KeyVerifyResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyVerifyParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_verify_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2368,12 +2566,18 @@ def verify( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyVerifyResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyVerifyResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2383,7 +2587,6 @@ def verify( @overload def wrap_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyOperationsParameters, @@ -2400,26 +2603,56 @@ def wrap_key( as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for wrap operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def wrap_key( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Wraps a symmetric key using a specified key. + + The WRAP operation supports encryption of a symmetric key using a key encryption key that has + previously been stored in an Azure Key Vault. The WRAP operation is only strictly necessary for + symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be + performed using the public portion of the key. This operation is supported for asymmetric keys + as a convenience for callers that have a key-reference but do not have access to the public key + material. This operation requires the keys/wrapKey permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for wrap operation. Required. + :type parameters: JSON :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload def wrap_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -2436,8 +2669,6 @@ def wrap_key( as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -2447,18 +2678,17 @@ def wrap_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def wrap_key( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyOperationsParameters, IO[bytes]], + parameters: Union[_models.KeyOperationsParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Wraps a symmetric key using a specified key. @@ -2470,23 +2700,18 @@ def wrap_key( as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for wrap operation. Is either a KeyOperationsParameters type - or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for wrap operation. Is one of the following types: + KeyOperationsParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2501,29 +2726,29 @@ def wrap_key( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyOperationsParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_wrap_key_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2532,12 +2757,18 @@ def wrap_key( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2547,7 +2778,6 @@ def wrap_key( @overload def unwrap_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyOperationsParameters, @@ -2562,26 +2792,54 @@ def unwrap_key( asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for the key operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def unwrap_key( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Unwraps a symmetric key using the specified key that was initially used for wrapping that key. + + The UNWRAP operation supports decryption of a symmetric key using the target key encryption + key. This operation is the reverse of the WRAP operation. The UNWRAP operation applies to + asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of + the key. This operation requires the keys/unwrapKey permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for the key operation. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload def unwrap_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -2596,8 +2854,6 @@ def unwrap_key( asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -2607,18 +2863,17 @@ def unwrap_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def unwrap_key( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyOperationsParameters, IO[bytes]], + parameters: Union[_models.KeyOperationsParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Unwraps a symmetric key using the specified key that was initially used for wrapping that key. @@ -2628,23 +2883,18 @@ def unwrap_key( asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for the key operation. Is either a KeyOperationsParameters - type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for the key operation. Is one of the following types: + KeyOperationsParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2659,29 +2909,29 @@ def unwrap_key( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyOperationsParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_unwrap_key_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2690,12 +2940,18 @@ def unwrap_key( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2705,7 +2961,6 @@ def unwrap_key( @overload def release( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyReleaseParameters, @@ -2718,27 +2973,54 @@ def release( The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to get. Required. :type key_name: str :param key_version: Adding the version parameter retrieves a specific version of a key. Required. :type key_version: str :param parameters: The parameters for the key release operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyReleaseParameters + :type parameters: ~azure.keyvault.keys.models.KeyReleaseParameters + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyReleaseResult. The KeyReleaseResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyReleaseResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def release( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyReleaseResult: + """Releases a key. + + The release key operation is applicable to all key types. The target key must be marked + exportable. This operation requires the keys/release permission. + + :param key_name: The name of the key to get. Required. + :type key_name: str + :param key_version: Adding the version parameter retrieves a specific version of a key. + Required. + :type key_version: str + :param parameters: The parameters for the key release operation. Required. + :type parameters: JSON :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyReleaseResult - :rtype: ~azure.keyvault.v7_5.models.KeyReleaseResult + :return: KeyReleaseResult. The KeyReleaseResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyReleaseResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload def release( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -2751,8 +3033,6 @@ def release( The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to get. Required. :type key_name: str :param key_version: Adding the version parameter retrieves a specific version of a key. @@ -2763,18 +3043,17 @@ def release( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyReleaseResult - :rtype: ~azure.keyvault.v7_5.models.KeyReleaseResult + :return: KeyReleaseResult. The KeyReleaseResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyReleaseResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def release( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyReleaseParameters, IO[bytes]], + parameters: Union[_models.KeyReleaseParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyReleaseResult: """Releases a key. @@ -2782,24 +3061,19 @@ def release( The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to get. Required. :type key_name: str :param key_version: Adding the version parameter retrieves a specific version of a key. Required. :type key_version: str - :param parameters: The parameters for the key release operation. Is either a - KeyReleaseParameters type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyReleaseParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyReleaseResult - :rtype: ~azure.keyvault.v7_5.models.KeyReleaseResult + :param parameters: The parameters for the key release operation. Is one of the following types: + KeyReleaseParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyReleaseParameters or JSON or IO[bytes] + :return: KeyReleaseResult. The KeyReleaseResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyReleaseResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2814,29 +3088,29 @@ def release( cls: ClsType[_models.KeyReleaseResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyReleaseParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_release_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2845,12 +3119,18 @@ def release( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyReleaseResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyReleaseResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2859,7 +3139,7 @@ def release( @distributed_trace def get_deleted_keys( - self, vault_base_url: str, *, maxresults: Optional[int] = None, **kwargs: Any + self, *, maxresults: Optional[int] = None, **kwargs: Any ) -> Iterable["_models.DeletedKeyItem"]: """Lists the deleted keys in the specified vault. @@ -2869,21 +3149,19 @@ def get_deleted_keys( can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/list permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :keyword maxresults: Maximum number of results to return in a page. If not specified the service will return up to 25 results. Default value is None. :paramtype maxresults: int :return: An iterator like instance of DeletedKeyItem - :rtype: ~azure.core.paging.ItemPaged[~azure.keyvault.v7_5.models.DeletedKeyItem] + :rtype: ~azure.core.paging.ItemPaged[~azure.keyvault.keys.models.DeletedKeyItem] :raises ~azure.core.exceptions.HttpResponseError: """ _headers = kwargs.pop("headers", {}) or {} _params = kwargs.pop("params", {}) or {} - cls: ClsType[_models._models.DeletedKeyListResult] = kwargs.pop("cls", None) # pylint: disable=protected-access + cls: ClsType[List[_models.DeletedKeyItem]] = kwargs.pop("cls", None) - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2901,7 +3179,9 @@ def prepare_request(next_link=None): params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) @@ -2919,20 +3199,20 @@ def prepare_request(next_link=None): "GET", urllib.parse.urljoin(next_link, _parsed_next_link.path), params=_next_request_params ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) return _request def extract_data(pipeline_response): - deserialized = self._deserialize( - _models._models.DeletedKeyListResult, pipeline_response # pylint: disable=protected-access - ) - list_of_elem = deserialized.value + deserialized = pipeline_response.http_response.json() + list_of_elem = _deserialize(List[_models.DeletedKeyItem], deserialized["value"]) if cls: list_of_elem = cls(list_of_elem) # type: ignore - return deserialized.next_link or None, iter(list_of_elem) + return deserialized.get("nextLink") or None, iter(list_of_elem) def get_next(next_link=None): _request = prepare_request(next_link) @@ -2944,10 +3224,8 @@ def get_next(next_link=None): response = pipeline_response.http_response if response.status_code not in [200]: - if _stream: - response.read() # Load the body in memory and close the socket map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) return pipeline_response @@ -2955,22 +3233,20 @@ def get_next(next_link=None): return ItemPaged(get_next, extract_data) @distributed_trace - def get_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.DeletedKeyBundle: + def get_deleted_key(self, key_name: str, **kwargs: Any) -> _models.DeletedKeyBundle: """Gets the public part of a deleted key. The Get Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/get permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str - :return: DeletedKeyBundle - :rtype: ~azure.keyvault.v7_5.models.DeletedKeyBundle + :return: DeletedKeyBundle. The DeletedKeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.DeletedKeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2990,11 +3266,13 @@ def get_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -3003,12 +3281,18 @@ def get_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("DeletedKeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.DeletedKeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -3016,24 +3300,20 @@ def get_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> return deserialized # type: ignore @distributed_trace - def purge_deleted_key( # pylint: disable=inconsistent-return-statements - self, vault_base_url: str, key_name: str, **kwargs: Any - ) -> None: + def purge_deleted_key(self, key_name: str, **kwargs: Any) -> None: # pylint: disable=inconsistent-return-statements """Permanently deletes the specified key. The Purge Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/purge permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :return: None :rtype: None :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -3053,7 +3333,9 @@ def purge_deleted_key( # pylint: disable=inconsistent-return-statements params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) @@ -3065,17 +3347,15 @@ def purge_deleted_key( # pylint: disable=inconsistent-return-statements response = pipeline_response.http_response if response.status_code not in [204]: - if _stream: - response.read() # Load the body in memory and close the socket map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) if cls: return cls(pipeline_response, None, {}) # type: ignore @distributed_trace - def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.KeyBundle: + def recover_deleted_key(self, key_name: str, **kwargs: Any) -> _models.KeyBundle: """Recovers the deleted key to its latest version. The Recover Deleted Key operation is applicable for deleted keys in soft-delete enabled vaults. @@ -3083,15 +3363,13 @@ def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation requires the keys/recover permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the deleted key. Required. :type key_name: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -3111,11 +3389,13 @@ def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -3124,12 +3404,18 @@ def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -3137,21 +3423,19 @@ def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) return deserialized # type: ignore @distributed_trace - def get_key_rotation_policy(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.KeyRotationPolicy: + def get_key_rotation_policy(self, key_name: str, **kwargs: Any) -> _models.KeyRotationPolicy: """Lists the policy for a key. The GetKeyRotationPolicy operation returns the specified key policy resources in the specified key vault. This operation requires the keys/get permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key in a given key vault. Required. :type key_name: str - :return: KeyRotationPolicy - :rtype: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -3171,11 +3455,13 @@ def get_key_rotation_policy(self, vault_base_url: str, key_name: str, **kwargs: params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -3184,12 +3470,18 @@ def get_key_rotation_policy(self, vault_base_url: str, key_name: str, **kwargs: if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyRotationPolicy", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyRotationPolicy, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -3199,7 +3491,6 @@ def get_key_rotation_policy(self, vault_base_url: str, key_name: str, **kwargs: @overload def update_key_rotation_policy( self, - vault_base_url: str, key_name: str, key_rotation_policy: _models.KeyRotationPolicy, *, @@ -3211,37 +3502,48 @@ def update_key_rotation_policy( Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key in the given vault. Required. :type key_name: str :param key_rotation_policy: The policy for the key. Required. - :type key_rotation_policy: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :type key_rotation_policy: ~azure.keyvault.keys.models.KeyRotationPolicy :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyRotationPolicy - :rtype: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy :raises ~azure.core.exceptions.HttpResponseError: """ @overload def update_key_rotation_policy( - self, - vault_base_url: str, - key_name: str, - key_rotation_policy: IO[bytes], - *, - content_type: str = "application/json", - **kwargs: Any + self, key_name: str, key_rotation_policy: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.KeyRotationPolicy: + """Updates the rotation policy for a key. + + Set specified members in the key policy. Leave others as undefined. This operation requires the + keys/update permission. + + :param key_name: The name of the key in the given vault. Required. + :type key_name: str + :param key_rotation_policy: The policy for the key. Required. + :type key_rotation_policy: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def update_key_rotation_policy( + self, key_name: str, key_rotation_policy: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyRotationPolicy: """Updates the rotation policy for a key. Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key in the given vault. Required. :type key_name: str :param key_rotation_policy: The policy for the key. Required. @@ -3249,39 +3551,30 @@ def update_key_rotation_policy( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyRotationPolicy - :rtype: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def update_key_rotation_policy( - self, - vault_base_url: str, - key_name: str, - key_rotation_policy: Union[_models.KeyRotationPolicy, IO[bytes]], - **kwargs: Any + self, key_name: str, key_rotation_policy: Union[_models.KeyRotationPolicy, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyRotationPolicy: """Updates the rotation policy for a key. Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key in the given vault. Required. :type key_name: str - :param key_rotation_policy: The policy for the key. Is either a KeyRotationPolicy type or a - IO[bytes] type. Required. - :type key_rotation_policy: ~azure.keyvault.v7_5.models.KeyRotationPolicy or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyRotationPolicy - :rtype: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :param key_rotation_policy: The policy for the key. Is one of the following types: + KeyRotationPolicy, JSON, IO[bytes] Required. + :type key_rotation_policy: ~azure.keyvault.keys.models.KeyRotationPolicy or JSON or IO[bytes] + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -3296,28 +3589,28 @@ def update_key_rotation_policy( cls: ClsType[_models.KeyRotationPolicy] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(key_rotation_policy, (IOBase, bytes)): _content = key_rotation_policy else: - _json = self._serialize.body(key_rotation_policy, "KeyRotationPolicy") + _content = json.dumps(key_rotation_policy, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_update_key_rotation_policy_request( key_name=key_name, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -3326,12 +3619,18 @@ def update_key_rotation_policy( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyRotationPolicy", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyRotationPolicy, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -3340,70 +3639,74 @@ def update_key_rotation_policy( @overload def get_random_bytes( - self, - vault_base_url: str, - parameters: _models.GetRandomBytesRequest, - *, - content_type: str = "application/json", - **kwargs: Any + self, parameters: _models.GetRandomBytesRequest, *, content_type: str = "application/json", **kwargs: Any ) -> _models.RandomBytes: """Get the requested number of bytes containing random values. Get the requested number of bytes containing random values from a managed HSM. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param parameters: The request object to get random bytes. Required. - :type parameters: ~azure.keyvault.v7_5.models.GetRandomBytesRequest + :type parameters: ~azure.keyvault.keys.models.GetRandomBytesRequest :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: RandomBytes - :rtype: ~azure.keyvault.v7_5.models.RandomBytes + :return: RandomBytes. The RandomBytes is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.RandomBytes :raises ~azure.core.exceptions.HttpResponseError: """ @overload def get_random_bytes( - self, vault_base_url: str, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any + self, parameters: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.RandomBytes: + """Get the requested number of bytes containing random values. + + Get the requested number of bytes containing random values from a managed HSM. + + :param parameters: The request object to get random bytes. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: RandomBytes. The RandomBytes is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.RandomBytes + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + def get_random_bytes( + self, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.RandomBytes: """Get the requested number of bytes containing random values. Get the requested number of bytes containing random values from a managed HSM. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param parameters: The request object to get random bytes. Required. :type parameters: IO[bytes] :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: RandomBytes - :rtype: ~azure.keyvault.v7_5.models.RandomBytes + :return: RandomBytes. The RandomBytes is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.RandomBytes :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace def get_random_bytes( - self, vault_base_url: str, parameters: Union[_models.GetRandomBytesRequest, IO[bytes]], **kwargs: Any + self, parameters: Union[_models.GetRandomBytesRequest, JSON, IO[bytes]], **kwargs: Any ) -> _models.RandomBytes: """Get the requested number of bytes containing random values. Get the requested number of bytes containing random values from a managed HSM. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str - :param parameters: The request object to get random bytes. Is either a GetRandomBytesRequest - type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.GetRandomBytesRequest or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: RandomBytes - :rtype: ~azure.keyvault.v7_5.models.RandomBytes + :param parameters: The request object to get random bytes. Is one of the following types: + GetRandomBytesRequest, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.GetRandomBytesRequest or JSON or IO[bytes] + :return: RandomBytes. The RandomBytes is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.RandomBytes :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -3418,27 +3721,27 @@ def get_random_bytes( cls: ClsType[_models.RandomBytes] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "GetRandomBytesRequest") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_get_random_bytes_request( content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -3447,12 +3750,18 @@ def get_random_bytes( if response.status_code not in [200]: if _stream: - response.read() # Load the body in memory and close the socket + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("RandomBytes", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.RandomBytes, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_operations/_patch.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_operations/_patch.py similarity index 100% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_operations/_patch.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_operations/_patch.py diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_patch.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_patch.py similarity index 100% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_patch.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_patch.py diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_sdk_moniker.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_sdk_moniker.py deleted file mode 100644 index 6677724a8b67..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_sdk_moniker.py +++ /dev/null @@ -1,7 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from ._version import VERSION - -SDK_MONIKER = f"keyvault-keys/{VERSION}" diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_serialization.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_serialization.py similarity index 85% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_serialization.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_serialization.py index baa661cb82d2..670738f0789c 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_serialization.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_serialization.py @@ -1,3 +1,4 @@ +# pylint: disable=too-many-lines # -------------------------------------------------------------------------- # # Copyright (c) Microsoft Corporation. All rights reserved. @@ -24,7 +25,6 @@ # # -------------------------------------------------------------------------- -# pylint: skip-file # pyright: reportUnnecessaryTypeIgnoreComment=false from base64 import b64decode, b64encode @@ -52,7 +52,6 @@ MutableMapping, Type, List, - Mapping, ) try: @@ -91,6 +90,8 @@ def deserialize_from_text(cls, data: Optional[Union[AnyStr, IO]], content_type: :param data: Input, could be bytes or stream (will be decoded with UTF8) or text :type data: str or bytes or IO :param str content_type: The content type. + :return: The deserialized data. + :rtype: object """ if hasattr(data, "read"): # Assume a stream @@ -112,7 +113,7 @@ def deserialize_from_text(cls, data: Optional[Union[AnyStr, IO]], content_type: try: return json.loads(data_as_str) except ValueError as err: - raise DeserializationError("JSON is invalid: {}".format(err), err) + raise DeserializationError("JSON is invalid: {}".format(err), err) from err elif "xml" in (content_type or []): try: @@ -144,6 +145,8 @@ def _json_attemp(data): # context otherwise. _LOGGER.critical("Wasn't XML not JSON, failing") raise DeserializationError("XML is invalid") from err + elif content_type.startswith("text/"): + return data_as_str raise DeserializationError("Cannot deserialize content-type: {}".format(content_type)) @classmethod @@ -153,6 +156,11 @@ def deserialize_from_http_generics(cls, body_bytes: Optional[Union[AnyStr, IO]], Use bytes and headers to NOT use any requests/aiohttp or whatever specific implementation. Headers will tested for "content-type" + + :param bytes body_bytes: The body of the response. + :param dict headers: The headers of the response. + :returns: The deserialized data. + :rtype: object """ # Try to use content-type from headers if available content_type = None @@ -170,13 +178,6 @@ def deserialize_from_http_generics(cls, body_bytes: Optional[Union[AnyStr, IO]], return None -try: - basestring # type: ignore - unicode_str = unicode # type: ignore -except NameError: - basestring = str - unicode_str = str - _LOGGER = logging.getLogger(__name__) try: @@ -184,80 +185,31 @@ def deserialize_from_http_generics(cls, body_bytes: Optional[Union[AnyStr, IO]], except NameError: _long_type = int - -class UTC(datetime.tzinfo): - """Time Zone info for handling UTC""" - - def utcoffset(self, dt): - """UTF offset for UTC is 0.""" - return datetime.timedelta(0) - - def tzname(self, dt): - """Timestamp representation.""" - return "Z" - - def dst(self, dt): - """No daylight saving for UTC.""" - return datetime.timedelta(hours=1) - - -try: - from datetime import timezone as _FixedOffset # type: ignore -except ImportError: # Python 2.7 - - class _FixedOffset(datetime.tzinfo): # type: ignore - """Fixed offset in minutes east from UTC. - Copy/pasted from Python doc - :param datetime.timedelta offset: offset in timedelta format - """ - - def __init__(self, offset): - self.__offset = offset - - def utcoffset(self, dt): - return self.__offset - - def tzname(self, dt): - return str(self.__offset.total_seconds() / 3600) - - def __repr__(self): - return "".format(self.tzname(None)) - - def dst(self, dt): - return datetime.timedelta(0) - - def __getinitargs__(self): - return (self.__offset,) - - -try: - from datetime import timezone - - TZ_UTC = timezone.utc -except ImportError: - TZ_UTC = UTC() # type: ignore +TZ_UTC = datetime.timezone.utc _FLATTEN = re.compile(r"(? None: self.additional_properties: Optional[Dict[str, Any]] = {} - for k in kwargs: + for k in kwargs: # pylint: disable=consider-using-dict-items if k not in self._attribute_map: _LOGGER.warning("%s is not a known attribute of class %s and will be ignored", k, self.__class__) elif k in self._validation and self._validation[k].get("readonly", False): @@ -305,13 +264,23 @@ def __init__(self, **kwargs: Any) -> None: setattr(self, k, kwargs[k]) def __eq__(self, other: Any) -> bool: - """Compare objects by comparing all attributes.""" + """Compare objects by comparing all attributes. + + :param object other: The object to compare + :returns: True if objects are equal + :rtype: bool + """ if isinstance(other, self.__class__): return self.__dict__ == other.__dict__ return False def __ne__(self, other: Any) -> bool: - """Compare objects by comparing all attributes.""" + """Compare objects by comparing all attributes. + + :param object other: The object to compare + :returns: True if objects are not equal + :rtype: bool + """ return not self.__eq__(other) def __str__(self) -> str: @@ -331,7 +300,11 @@ def is_xml_model(cls) -> bool: @classmethod def _create_xml_node(cls): - """Create XML node.""" + """Create XML node. + + :returns: The XML node + :rtype: xml.etree.ElementTree.Element + """ try: xml_map = cls._xml_map # type: ignore except AttributeError: @@ -351,7 +324,9 @@ def serialize(self, keep_readonly: bool = False, **kwargs: Any) -> JSON: :rtype: dict """ serializer = Serializer(self._infer_class_models()) - return serializer._serialize(self, keep_readonly=keep_readonly, **kwargs) # type: ignore + return serializer._serialize( # type: ignore # pylint: disable=protected-access + self, keep_readonly=keep_readonly, **kwargs + ) def as_dict( self, @@ -385,12 +360,15 @@ def my_key_transformer(key, attr_desc, value): If you want XML serialization, you can pass the kwargs is_xml=True. + :param bool keep_readonly: If you want to serialize the readonly attributes :param function key_transformer: A key transformer function. :returns: A dict JSON compatible object :rtype: dict """ serializer = Serializer(self._infer_class_models()) - return serializer._serialize(self, key_transformer=key_transformer, keep_readonly=keep_readonly, **kwargs) # type: ignore + return serializer._serialize( # type: ignore # pylint: disable=protected-access + self, key_transformer=key_transformer, keep_readonly=keep_readonly, **kwargs + ) @classmethod def _infer_class_models(cls): @@ -400,7 +378,7 @@ def _infer_class_models(cls): client_models = {k: v for k, v in models.__dict__.items() if isinstance(v, type)} if cls.__name__ not in client_models: raise ValueError("Not Autorest generated code") - except Exception: + except Exception: # pylint: disable=broad-exception-caught # Assume it's not Autorest generated (tests?). Add ourselves as dependencies. client_models = {cls.__name__: cls} return client_models @@ -413,6 +391,7 @@ def deserialize(cls: Type[ModelType], data: Any, content_type: Optional[str] = N :param str content_type: JSON by default, set application/xml if XML. :returns: An instance of this model :raises: DeserializationError if something went wrong + :rtype: ModelType """ deserializer = Deserializer(cls._infer_class_models()) return deserializer(cls.__name__, data, content_type=content_type) # type: ignore @@ -431,9 +410,11 @@ def from_dict( and last_rest_key_case_insensitive_extractor) :param dict data: A dict using RestAPI structure + :param function key_extractors: A key extractor function. :param str content_type: JSON by default, set application/xml if XML. :returns: An instance of this model :raises: DeserializationError if something went wrong + :rtype: ModelType """ deserializer = Deserializer(cls._infer_class_models()) deserializer.key_extractors = ( # type: ignore @@ -453,21 +434,25 @@ def _flatten_subtype(cls, key, objects): return {} result = dict(cls._subtype_map[key]) for valuetype in cls._subtype_map[key].values(): - result.update(objects[valuetype]._flatten_subtype(key, objects)) + result.update(objects[valuetype]._flatten_subtype(key, objects)) # pylint: disable=protected-access return result @classmethod def _classify(cls, response, objects): """Check the class _subtype_map for any child classes. We want to ignore any inherited _subtype_maps. - Remove the polymorphic key from the initial data. + + :param dict response: The initial data + :param dict objects: The class objects + :returns: The class to be used + :rtype: class """ for subtype_key in cls.__dict__.get("_subtype_map", {}).keys(): subtype_value = None if not isinstance(response, ET.Element): rest_api_response_key = cls._get_rest_key_parts(subtype_key)[-1] - subtype_value = response.pop(rest_api_response_key, None) or response.pop(subtype_key, None) + subtype_value = response.get(rest_api_response_key, None) or response.get(subtype_key, None) else: subtype_value = xml_key_extractor(subtype_key, cls._attribute_map[subtype_key], response) if subtype_value: @@ -506,11 +491,13 @@ def _decode_attribute_map_key(key): inside the received data. :param str key: A key string from the generated code + :returns: The decoded key + :rtype: str """ return key.replace("\\.", ".") -class Serializer(object): +class Serializer: # pylint: disable=too-many-public-methods """Request object model serializer.""" basic_types = {str: "str", int: "int", bool: "bool", float: "float"} @@ -545,7 +532,7 @@ class Serializer(object): "multiple": lambda x, y: x % y != 0, } - def __init__(self, classes: Optional[Mapping[str, Type[ModelType]]] = None): + def __init__(self, classes: Optional[Mapping[str, type]] = None) -> None: self.serialize_type = { "iso-8601": Serializer.serialize_iso, "rfc-1123": Serializer.serialize_rfc, @@ -561,17 +548,20 @@ def __init__(self, classes: Optional[Mapping[str, Type[ModelType]]] = None): "[]": self.serialize_iter, "{}": self.serialize_dict, } - self.dependencies: Dict[str, Type[ModelType]] = dict(classes) if classes else {} + self.dependencies: Dict[str, type] = dict(classes) if classes else {} self.key_transformer = full_restapi_key_transformer self.client_side_validation = True - def _serialize(self, target_obj, data_type=None, **kwargs): + def _serialize( # pylint: disable=too-many-nested-blocks, too-many-branches, too-many-statements, too-many-locals + self, target_obj, data_type=None, **kwargs + ): """Serialize data into a string according to type. - :param target_obj: The data to be serialized. + :param object target_obj: The data to be serialized. :param str data_type: The type to be serialized from. :rtype: str, dict :raises: SerializationError if serialization fails. + :returns: The serialized data. """ key_transformer = kwargs.get("key_transformer", self.key_transformer) keep_readonly = kwargs.get("keep_readonly", False) @@ -597,12 +587,14 @@ def _serialize(self, target_obj, data_type=None, **kwargs): serialized = {} if is_xml_model_serialization: - serialized = target_obj._create_xml_node() + serialized = target_obj._create_xml_node() # pylint: disable=protected-access try: - attributes = target_obj._attribute_map + attributes = target_obj._attribute_map # pylint: disable=protected-access for attr, attr_desc in attributes.items(): attr_name = attr - if not keep_readonly and target_obj._validation.get(attr_name, {}).get("readonly", False): + if not keep_readonly and target_obj._validation.get( # pylint: disable=protected-access + attr_name, {} + ).get("readonly", False): continue if attr_name == "additional_properties" and attr_desc["key"] == "": @@ -638,7 +630,8 @@ def _serialize(self, target_obj, data_type=None, **kwargs): if isinstance(new_attr, list): serialized.extend(new_attr) # type: ignore elif isinstance(new_attr, ET.Element): - # If the down XML has no XML/Name, we MUST replace the tag with the local tag. But keeping the namespaces. + # If the down XML has no XML/Name, + # we MUST replace the tag with the local tag. But keeping the namespaces. if "name" not in getattr(orig_attr, "_xml_map", {}): splitted_tag = new_attr.tag.split("}") if len(splitted_tag) == 2: # Namespace @@ -649,7 +642,7 @@ def _serialize(self, target_obj, data_type=None, **kwargs): else: # That's a basic type # Integrate namespace if necessary local_node = _create_xml_node(xml_name, xml_prefix, xml_ns) - local_node.text = unicode_str(new_attr) + local_node.text = str(new_attr) serialized.append(local_node) # type: ignore else: # JSON for k in reversed(keys): # type: ignore @@ -669,17 +662,17 @@ def _serialize(self, target_obj, data_type=None, **kwargs): except (AttributeError, KeyError, TypeError) as err: msg = "Attribute {} in object {} cannot be serialized.\n{}".format(attr_name, class_name, str(target_obj)) raise SerializationError(msg) from err - else: - return serialized + return serialized def body(self, data, data_type, **kwargs): """Serialize data intended for a request body. - :param data: The data to be serialized. + :param object data: The data to be serialized. :param str data_type: The type to be serialized from. :rtype: dict :raises: SerializationError if serialization fails. :raises: ValueError if data is None + :returns: The serialized request body """ # Just in case this is a dict @@ -708,7 +701,7 @@ def body(self, data, data_type, **kwargs): attribute_key_case_insensitive_extractor, last_rest_key_case_insensitive_extractor, ] - data = deserializer._deserialize(data_type, data) + data = deserializer._deserialize(data_type, data) # pylint: disable=protected-access except DeserializationError as err: raise SerializationError("Unable to build a model: " + str(err)) from err @@ -717,9 +710,11 @@ def body(self, data, data_type, **kwargs): def url(self, name, data, data_type, **kwargs): """Serialize data intended for a URL path. - :param data: The data to be serialized. + :param str name: The name of the URL path parameter. + :param object data: The data to be serialized. :param str data_type: The type to be serialized from. :rtype: str + :returns: The serialized URL path :raises: TypeError if serialization fails. :raises: ValueError if data is None """ @@ -733,21 +728,20 @@ def url(self, name, data, data_type, **kwargs): output = output.replace("{", quote("{")).replace("}", quote("}")) else: output = quote(str(output), safe="") - except SerializationError: - raise TypeError("{} must be type {}.".format(name, data_type)) - else: - return output + except SerializationError as exc: + raise TypeError("{} must be type {}.".format(name, data_type)) from exc + return output def query(self, name, data, data_type, **kwargs): """Serialize data intended for a URL query. - :param data: The data to be serialized. + :param str name: The name of the query parameter. + :param object data: The data to be serialized. :param str data_type: The type to be serialized from. - :keyword bool skip_quote: Whether to skip quote the serialized result. - Defaults to False. :rtype: str, list :raises: TypeError if serialization fails. :raises: ValueError if data is None + :returns: The serialized query parameter """ try: # Treat the list aside, since we don't want to encode the div separator @@ -764,19 +758,20 @@ def query(self, name, data, data_type, **kwargs): output = str(output) else: output = quote(str(output), safe="") - except SerializationError: - raise TypeError("{} must be type {}.".format(name, data_type)) - else: - return str(output) + except SerializationError as exc: + raise TypeError("{} must be type {}.".format(name, data_type)) from exc + return str(output) def header(self, name, data, data_type, **kwargs): """Serialize data intended for a request header. - :param data: The data to be serialized. + :param str name: The name of the header. + :param object data: The data to be serialized. :param str data_type: The type to be serialized from. :rtype: str :raises: TypeError if serialization fails. :raises: ValueError if data is None + :returns: The serialized header """ try: if data_type in ["[str]"]: @@ -785,21 +780,20 @@ def header(self, name, data, data_type, **kwargs): output = self.serialize_data(data, data_type, **kwargs) if data_type == "bool": output = json.dumps(output) - except SerializationError: - raise TypeError("{} must be type {}.".format(name, data_type)) - else: - return str(output) + except SerializationError as exc: + raise TypeError("{} must be type {}.".format(name, data_type)) from exc + return str(output) def serialize_data(self, data, data_type, **kwargs): """Serialize generic data according to supplied data type. - :param data: The data to be serialized. + :param object data: The data to be serialized. :param str data_type: The type to be serialized from. - :param bool required: Whether it's essential that the data not be - empty or None :raises: AttributeError if required data is None. :raises: ValueError if data is None :raises: SerializationError if serialization fails. + :returns: The serialized data. + :rtype: str, int, float, bool, dict, list """ if data is None: raise ValueError("No value for given attribute") @@ -810,7 +804,7 @@ def serialize_data(self, data, data_type, **kwargs): if data_type in self.basic_types.values(): return self.serialize_basic(data, data_type, **kwargs) - elif data_type in self.serialize_type: + if data_type in self.serialize_type: return self.serialize_type[data_type](data, **kwargs) # If dependencies is empty, try with current data class @@ -826,11 +820,10 @@ def serialize_data(self, data, data_type, **kwargs): except (ValueError, TypeError) as err: msg = "Unable to serialize value: {!r} as type: {!r}." raise SerializationError(msg.format(data, data_type)) from err - else: - return self._serialize(data, **kwargs) + return self._serialize(data, **kwargs) @classmethod - def _get_custom_serializers(cls, data_type, **kwargs): + def _get_custom_serializers(cls, data_type, **kwargs): # pylint: disable=inconsistent-return-statements custom_serializer = kwargs.get("basic_types_serializers", {}).get(data_type) if custom_serializer: return custom_serializer @@ -846,23 +839,26 @@ def serialize_basic(cls, data, data_type, **kwargs): - basic_types_serializers dict[str, callable] : If set, use the callable as serializer - is_xml bool : If set, use xml_basic_types_serializers - :param data: Object to be serialized. + :param obj data: Object to be serialized. :param str data_type: Type of object in the iterable. + :rtype: str, int, float, bool + :return: serialized object """ custom_serializer = cls._get_custom_serializers(data_type, **kwargs) if custom_serializer: return custom_serializer(data) if data_type == "str": return cls.serialize_unicode(data) - return eval(data_type)(data) # nosec + return eval(data_type)(data) # nosec # pylint: disable=eval-used @classmethod def serialize_unicode(cls, data): """Special handling for serializing unicode strings in Py2. Encode to UTF-8 if unicode, otherwise handle as a str. - :param data: Object to be serialized. + :param str data: Object to be serialized. :rtype: str + :return: serialized object """ try: # If I received an enum, return its value return data.value @@ -876,8 +872,7 @@ def serialize_unicode(cls, data): return data except NameError: return str(data) - else: - return str(data) + return str(data) def serialize_iter(self, data, iter_type, div=None, **kwargs): """Serialize iterable. @@ -887,15 +882,13 @@ def serialize_iter(self, data, iter_type, div=None, **kwargs): serialization_ctxt['type'] should be same as data_type. - is_xml bool : If set, serialize as XML - :param list attr: Object to be serialized. + :param list data: Object to be serialized. :param str iter_type: Type of object in the iterable. - :param bool required: Whether the objects in the iterable must - not be None or empty. :param str div: If set, this str will be used to combine the elements in the iterable into a combined string. Default is 'None'. - :keyword bool do_quote: Whether to quote the serialized result of each iterable element. Defaults to False. :rtype: list, str + :return: serialized iterable """ if isinstance(data, str): raise SerializationError("Refuse str type as a valid iter type.") @@ -950,9 +943,8 @@ def serialize_dict(self, attr, dict_type, **kwargs): :param dict attr: Object to be serialized. :param str dict_type: Type of object in the dictionary. - :param bool required: Whether the objects in the dictionary must - not be None or empty. :rtype: dict + :return: serialized dictionary """ serialization_ctxt = kwargs.get("serialization_ctxt", {}) serialized = {} @@ -976,7 +968,7 @@ def serialize_dict(self, attr, dict_type, **kwargs): return serialized - def serialize_object(self, attr, **kwargs): + def serialize_object(self, attr, **kwargs): # pylint: disable=too-many-return-statements """Serialize a generic object. This will be handled as a dictionary. If object passed in is not a basic type (str, int, float, dict, list) it will simply be @@ -984,6 +976,7 @@ def serialize_object(self, attr, **kwargs): :param dict attr: Object to be serialized. :rtype: dict or str + :return: serialized object """ if attr is None: return None @@ -994,7 +987,7 @@ def serialize_object(self, attr, **kwargs): return self.serialize_basic(attr, self.basic_types[obj_type], **kwargs) if obj_type is _long_type: return self.serialize_long(attr) - if obj_type is unicode_str: + if obj_type is str: return self.serialize_unicode(attr) if obj_type is datetime.datetime: return self.serialize_iso(attr) @@ -1008,7 +1001,7 @@ def serialize_object(self, attr, **kwargs): return self.serialize_decimal(attr) # If it's a model or I know this dependency, serialize as a Model - elif obj_type in self.dependencies.values() or isinstance(attr, Model): + if obj_type in self.dependencies.values() or isinstance(attr, Model): return self._serialize(attr) if obj_type == dict: @@ -1039,56 +1032,61 @@ def serialize_enum(attr, enum_obj=None): try: enum_obj(result) # type: ignore return result - except ValueError: + except ValueError as exc: for enum_value in enum_obj: # type: ignore if enum_value.value.lower() == str(attr).lower(): return enum_value.value error = "{!r} is not valid value for enum {!r}" - raise SerializationError(error.format(attr, enum_obj)) + raise SerializationError(error.format(attr, enum_obj)) from exc @staticmethod - def serialize_bytearray(attr, **kwargs): + def serialize_bytearray(attr, **kwargs): # pylint: disable=unused-argument """Serialize bytearray into base-64 string. - :param attr: Object to be serialized. + :param str attr: Object to be serialized. :rtype: str + :return: serialized base64 """ return b64encode(attr).decode() @staticmethod - def serialize_base64(attr, **kwargs): + def serialize_base64(attr, **kwargs): # pylint: disable=unused-argument """Serialize str into base-64 string. - :param attr: Object to be serialized. + :param str attr: Object to be serialized. :rtype: str + :return: serialized base64 """ encoded = b64encode(attr).decode("ascii") return encoded.strip("=").replace("+", "-").replace("/", "_") @staticmethod - def serialize_decimal(attr, **kwargs): + def serialize_decimal(attr, **kwargs): # pylint: disable=unused-argument """Serialize Decimal object to float. - :param attr: Object to be serialized. + :param decimal attr: Object to be serialized. :rtype: float + :return: serialized decimal """ return float(attr) @staticmethod - def serialize_long(attr, **kwargs): + def serialize_long(attr, **kwargs): # pylint: disable=unused-argument """Serialize long (Py2) or int (Py3). - :param attr: Object to be serialized. + :param int attr: Object to be serialized. :rtype: int/long + :return: serialized long """ return _long_type(attr) @staticmethod - def serialize_date(attr, **kwargs): + def serialize_date(attr, **kwargs): # pylint: disable=unused-argument """Serialize Date object into ISO-8601 formatted string. :param Date attr: Object to be serialized. :rtype: str + :return: serialized date """ if isinstance(attr, str): attr = isodate.parse_date(attr) @@ -1096,11 +1094,12 @@ def serialize_date(attr, **kwargs): return t @staticmethod - def serialize_time(attr, **kwargs): + def serialize_time(attr, **kwargs): # pylint: disable=unused-argument """Serialize Time object into ISO-8601 formatted string. :param datetime.time attr: Object to be serialized. :rtype: str + :return: serialized time """ if isinstance(attr, str): attr = isodate.parse_time(attr) @@ -1110,30 +1109,32 @@ def serialize_time(attr, **kwargs): return t @staticmethod - def serialize_duration(attr, **kwargs): + def serialize_duration(attr, **kwargs): # pylint: disable=unused-argument """Serialize TimeDelta object into ISO-8601 formatted string. :param TimeDelta attr: Object to be serialized. :rtype: str + :return: serialized duration """ if isinstance(attr, str): attr = isodate.parse_duration(attr) return isodate.duration_isoformat(attr) @staticmethod - def serialize_rfc(attr, **kwargs): + def serialize_rfc(attr, **kwargs): # pylint: disable=unused-argument """Serialize Datetime object into RFC-1123 formatted string. :param Datetime attr: Object to be serialized. :rtype: str :raises: TypeError if format invalid. + :return: serialized rfc """ try: if not attr.tzinfo: _LOGGER.warning("Datetime with no tzinfo will be considered UTC.") utc = attr.utctimetuple() - except AttributeError: - raise TypeError("RFC1123 object must be valid Datetime object.") + except AttributeError as exc: + raise TypeError("RFC1123 object must be valid Datetime object.") from exc return "{}, {:02} {} {:04} {:02}:{:02}:{:02} GMT".format( Serializer.days[utc.tm_wday], @@ -1146,12 +1147,13 @@ def serialize_rfc(attr, **kwargs): ) @staticmethod - def serialize_iso(attr, **kwargs): + def serialize_iso(attr, **kwargs): # pylint: disable=unused-argument """Serialize Datetime object into ISO-8601 formatted string. :param Datetime attr: Object to be serialized. :rtype: str :raises: SerializationError if format invalid. + :return: serialized iso """ if isinstance(attr, str): attr = isodate.parse_datetime(attr) @@ -1177,13 +1179,14 @@ def serialize_iso(attr, **kwargs): raise TypeError(msg) from err @staticmethod - def serialize_unix(attr, **kwargs): + def serialize_unix(attr, **kwargs): # pylint: disable=unused-argument """Serialize Datetime object into IntTime format. This is represented as seconds. :param Datetime attr: Object to be serialized. :rtype: int :raises: SerializationError if format invalid + :return: serialied unix """ if isinstance(attr, int): return attr @@ -1191,11 +1194,11 @@ def serialize_unix(attr, **kwargs): if not attr.tzinfo: _LOGGER.warning("Datetime with no tzinfo will be considered UTC.") return int(calendar.timegm(attr.utctimetuple())) - except AttributeError: - raise TypeError("Unix time object must be valid Datetime object.") + except AttributeError as exc: + raise TypeError("Unix time object must be valid Datetime object.") from exc -def rest_key_extractor(attr, attr_desc, data): +def rest_key_extractor(attr, attr_desc, data): # pylint: disable=unused-argument key = attr_desc["key"] working_data = data @@ -1216,7 +1219,9 @@ def rest_key_extractor(attr, attr_desc, data): return working_data.get(key) -def rest_key_case_insensitive_extractor(attr, attr_desc, data): +def rest_key_case_insensitive_extractor( # pylint: disable=unused-argument, inconsistent-return-statements + attr, attr_desc, data +): key = attr_desc["key"] working_data = data @@ -1237,17 +1242,29 @@ def rest_key_case_insensitive_extractor(attr, attr_desc, data): return attribute_key_case_insensitive_extractor(key, None, working_data) -def last_rest_key_extractor(attr, attr_desc, data): - """Extract the attribute in "data" based on the last part of the JSON path key.""" +def last_rest_key_extractor(attr, attr_desc, data): # pylint: disable=unused-argument + """Extract the attribute in "data" based on the last part of the JSON path key. + + :param str attr: The attribute to extract + :param dict attr_desc: The attribute description + :param dict data: The data to extract from + :rtype: object + :returns: The extracted attribute + """ key = attr_desc["key"] dict_keys = _FLATTEN.split(key) return attribute_key_extractor(dict_keys[-1], None, data) -def last_rest_key_case_insensitive_extractor(attr, attr_desc, data): +def last_rest_key_case_insensitive_extractor(attr, attr_desc, data): # pylint: disable=unused-argument """Extract the attribute in "data" based on the last part of the JSON path key. This is the case insensitive version of "last_rest_key_extractor" + :param str attr: The attribute to extract + :param dict attr_desc: The attribute description + :param dict data: The data to extract from + :rtype: object + :returns: The extracted attribute """ key = attr_desc["key"] dict_keys = _FLATTEN.split(key) @@ -1284,7 +1301,7 @@ def _extract_name_from_internal_type(internal_type): return xml_name -def xml_key_extractor(attr, attr_desc, data): +def xml_key_extractor(attr, attr_desc, data): # pylint: disable=unused-argument,too-many-return-statements if isinstance(data, dict): return None @@ -1336,22 +1353,21 @@ def xml_key_extractor(attr, attr_desc, data): if is_iter_type: if is_wrapped: return None # is_wrapped no node, we want None - else: - return [] # not wrapped, assume empty list + return [] # not wrapped, assume empty list return None # Assume it's not there, maybe an optional node. # If is_iter_type and not wrapped, return all found children if is_iter_type: if not is_wrapped: return children - else: # Iter and wrapped, should have found one node only (the wrap one) - if len(children) != 1: - raise DeserializationError( - "Tried to deserialize an array not wrapped, and found several nodes '{}'. Maybe you should declare this array as wrapped?".format( - xml_name - ) + # Iter and wrapped, should have found one node only (the wrap one) + if len(children) != 1: + raise DeserializationError( + "Tried to deserialize an array not wrapped, and found several nodes '{}'. Maybe you should declare this array as wrapped?".format( # pylint: disable=line-too-long + xml_name ) - return list(children[0]) # Might be empty list and that's ok. + ) + return list(children[0]) # Might be empty list and that's ok. # Here it's not a itertype, we should have found one element only or empty if len(children) > 1: @@ -1359,7 +1375,7 @@ def xml_key_extractor(attr, attr_desc, data): return children[0] -class Deserializer(object): +class Deserializer: """Response object model deserializer. :param dict classes: Class type dictionary for deserializing complex types. @@ -1368,9 +1384,9 @@ class Deserializer(object): basic_types = {str: "str", int: "int", bool: "bool", float: "float"} - valid_date = re.compile(r"\d{4}[-]\d{2}[-]\d{2}T\d{2}:\d{2}:\d{2}" r"\.?\d*Z?[-+]?[\d{2}]?:?[\d{2}]?") + valid_date = re.compile(r"\d{4}[-]\d{2}[-]\d{2}T\d{2}:\d{2}:\d{2}\.?\d*Z?[-+]?[\d{2}]?:?[\d{2}]?") - def __init__(self, classes: Optional[Mapping[str, Type[ModelType]]] = None): + def __init__(self, classes: Optional[Mapping[str, type]] = None) -> None: self.deserialize_type = { "iso-8601": Deserializer.deserialize_iso, "rfc-1123": Deserializer.deserialize_rfc, @@ -1390,7 +1406,7 @@ def __init__(self, classes: Optional[Mapping[str, Type[ModelType]]] = None): "duration": (isodate.Duration, datetime.timedelta), "iso-8601": (datetime.datetime), } - self.dependencies: Dict[str, Type[ModelType]] = dict(classes) if classes else {} + self.dependencies: Dict[str, type] = dict(classes) if classes else {} self.key_extractors = [rest_key_extractor, xml_key_extractor] # Additional properties only works if the "rest_key_extractor" is used to # extract the keys. Making it to work whatever the key extractor is too much @@ -1408,11 +1424,12 @@ def __call__(self, target_obj, response_data, content_type=None): :param str content_type: Swagger "produces" if available. :raises: DeserializationError if deserialization fails. :return: Deserialized object. + :rtype: object """ data = self._unpack_content(response_data, content_type) return self._deserialize(target_obj, data) - def _deserialize(self, target_obj, data): + def _deserialize(self, target_obj, data): # pylint: disable=inconsistent-return-statements """Call the deserializer on a model. Data needs to be already deserialized as JSON or XML ElementTree @@ -1421,12 +1438,13 @@ def _deserialize(self, target_obj, data): :param object data: Object to deserialize. :raises: DeserializationError if deserialization fails. :return: Deserialized object. + :rtype: object """ # This is already a model, go recursive just in case if hasattr(data, "_attribute_map"): constants = [name for name, config in getattr(data, "_validation", {}).items() if config.get("constant")] try: - for attr, mapconfig in data._attribute_map.items(): + for attr, mapconfig in data._attribute_map.items(): # pylint: disable=protected-access if attr in constants: continue value = getattr(data, attr) @@ -1443,15 +1461,15 @@ def _deserialize(self, target_obj, data): response, class_name = self._classify_target(target_obj, data) - if isinstance(response, basestring): + if isinstance(response, str): return self.deserialize_data(data, response) - elif isinstance(response, type) and issubclass(response, Enum): + if isinstance(response, type) and issubclass(response, Enum): return self.deserialize_enum(data, response) - if data is None: + if data is None or data is CoreNull: return data try: - attributes = response._attribute_map # type: ignore + attributes = response._attribute_map # type: ignore # pylint: disable=protected-access d_attrs = {} for attr, attr_desc in attributes.items(): # Check empty string. If it's not empty, someone has a real "additionalProperties"... @@ -1481,9 +1499,8 @@ def _deserialize(self, target_obj, data): except (AttributeError, TypeError, KeyError) as err: msg = "Unable to deserialize to object: " + class_name # type: ignore raise DeserializationError(msg) from err - else: - additional_properties = self._build_additional_properties(attributes, data) - return self._instantiate_model(response, d_attrs, additional_properties) + additional_properties = self._build_additional_properties(attributes, data) + return self._instantiate_model(response, d_attrs, additional_properties) def _build_additional_properties(self, attribute_map, data): if not self.additional_properties_detection: @@ -1510,18 +1527,20 @@ def _classify_target(self, target, data): :param str target: The target object type to deserialize to. :param str/dict data: The response data to deserialize. + :return: The classified target object and its class name. + :rtype: tuple """ if target is None: return None, None - if isinstance(target, basestring): + if isinstance(target, str): try: target = self.dependencies[target] except KeyError: return target, target try: - target = target._classify(data, self.dependencies) + target = target._classify(data, self.dependencies) # type: ignore # pylint: disable=protected-access except AttributeError: pass # Target is not a Model, no classify return target, target.__class__.__name__ # type: ignore @@ -1536,10 +1555,12 @@ def failsafe_deserialize(self, target_obj, data, content_type=None): :param str target_obj: The target object type to deserialize to. :param str/dict data: The response data to deserialize. :param str content_type: Swagger "produces" if available. + :return: Deserialized object. + :rtype: object """ try: return self(target_obj, data, content_type=content_type) - except: + except: # pylint: disable=bare-except _LOGGER.debug( "Ran into a deserialization error. Ignoring since this is failsafe deserialization", exc_info=True ) @@ -1557,10 +1578,12 @@ def _unpack_content(raw_data, content_type=None): If raw_data is something else, bypass all logic and return it directly. - :param raw_data: Data to be processed. - :param content_type: How to parse if raw_data is a string/bytes. + :param obj raw_data: Data to be processed. + :param str content_type: How to parse if raw_data is a string/bytes. :raises JSONDecodeError: If JSON is requested and parsing is impossible. :raises UnicodeDecodeError: If bytes is not UTF8 + :rtype: object + :return: Unpacked content. """ # Assume this is enough to detect a Pipeline Response without importing it context = getattr(raw_data, "context", {}) @@ -1577,31 +1600,42 @@ def _unpack_content(raw_data, content_type=None): if hasattr(raw_data, "_content_consumed"): return RawDeserializer.deserialize_from_http_generics(raw_data.text, raw_data.headers) - if isinstance(raw_data, (basestring, bytes)) or hasattr(raw_data, "read"): + if isinstance(raw_data, (str, bytes)) or hasattr(raw_data, "read"): return RawDeserializer.deserialize_from_text(raw_data, content_type) # type: ignore return raw_data def _instantiate_model(self, response, attrs, additional_properties=None): """Instantiate a response model passing in deserialized args. - :param response: The response model class. - :param d_attrs: The deserialized response attributes. + :param Response response: The response model class. + :param dict attrs: The deserialized response attributes. + :param dict additional_properties: Additional properties to be set. + :rtype: Response + :return: The instantiated response model. """ if callable(response): subtype = getattr(response, "_subtype_map", {}) try: - readonly = [k for k, v in response._validation.items() if v.get("readonly")] - const = [k for k, v in response._validation.items() if v.get("constant")] + readonly = [ + k + for k, v in response._validation.items() # pylint: disable=protected-access # type: ignore + if v.get("readonly") + ] + const = [ + k + for k, v in response._validation.items() # pylint: disable=protected-access # type: ignore + if v.get("constant") + ] kwargs = {k: v for k, v in attrs.items() if k not in subtype and k not in readonly + const} response_obj = response(**kwargs) for attr in readonly: setattr(response_obj, attr, attrs.get(attr)) if additional_properties: - response_obj.additional_properties = additional_properties + response_obj.additional_properties = additional_properties # type: ignore return response_obj except TypeError as err: msg = "Unable to deserialize {} into model {}. ".format(kwargs, response) # type: ignore - raise DeserializationError(msg + str(err)) + raise DeserializationError(msg + str(err)) from err else: try: for attr, value in attrs.items(): @@ -1610,15 +1644,16 @@ def _instantiate_model(self, response, attrs, additional_properties=None): except Exception as exp: msg = "Unable to populate response model. " msg += "Type: {}, Error: {}".format(type(response), exp) - raise DeserializationError(msg) + raise DeserializationError(msg) from exp - def deserialize_data(self, data, data_type): + def deserialize_data(self, data, data_type): # pylint: disable=too-many-return-statements """Process data for deserialization according to data type. :param str data: The response string to be deserialized. :param str data_type: The type to deserialize to. :raises: DeserializationError if deserialization fails. :return: Deserialized object. + :rtype: object """ if data is None: return data @@ -1632,7 +1667,11 @@ def deserialize_data(self, data, data_type): if isinstance(data, self.deserialize_expected_types.get(data_type, tuple())): return data - is_a_text_parsing_type = lambda x: x not in ["object", "[]", r"{}"] + is_a_text_parsing_type = lambda x: x not in [ # pylint: disable=unnecessary-lambda-assignment + "object", + "[]", + r"{}", + ] if isinstance(data, ET.Element) and is_a_text_parsing_type(data_type) and not data.text: return None data_val = self.deserialize_type[data_type](data) @@ -1652,14 +1691,14 @@ def deserialize_data(self, data, data_type): msg = "Unable to deserialize response data." msg += " Data: {}, {}".format(data, data_type) raise DeserializationError(msg) from err - else: - return self._deserialize(obj_type, data) + return self._deserialize(obj_type, data) def deserialize_iter(self, attr, iter_type): """Deserialize an iterable. :param list attr: Iterable to be deserialized. :param str iter_type: The type of object in the iterable. + :return: Deserialized iterable. :rtype: list """ if attr is None: @@ -1676,6 +1715,7 @@ def deserialize_dict(self, attr, dict_type): :param dict/list attr: Dictionary to be deserialized. Also accepts a list of key, value pairs. :param str dict_type: The object type of the items in the dictionary. + :return: Deserialized dictionary. :rtype: dict """ if isinstance(attr, list): @@ -1686,11 +1726,12 @@ def deserialize_dict(self, attr, dict_type): attr = {el.tag: el.text for el in attr} return {k: self.deserialize_data(v, dict_type) for k, v in attr.items()} - def deserialize_object(self, attr, **kwargs): + def deserialize_object(self, attr, **kwargs): # pylint: disable=too-many-return-statements """Deserialize a generic object. This will be handled as a dictionary. :param dict attr: Dictionary to be deserialized. + :return: Deserialized object. :rtype: dict :raises: TypeError if non-builtin datatype encountered. """ @@ -1699,7 +1740,7 @@ def deserialize_object(self, attr, **kwargs): if isinstance(attr, ET.Element): # Do no recurse on XML, just return the tree as-is return attr - if isinstance(attr, basestring): + if isinstance(attr, str): return self.deserialize_basic(attr, "str") obj_type = type(attr) if obj_type in self.basic_types: @@ -1725,11 +1766,10 @@ def deserialize_object(self, attr, **kwargs): pass return deserialized - else: - error = "Cannot deserialize generic object with type: " - raise TypeError(error + str(obj_type)) + error = "Cannot deserialize generic object with type: " + raise TypeError(error + str(obj_type)) - def deserialize_basic(self, attr, data_type): + def deserialize_basic(self, attr, data_type): # pylint: disable=too-many-return-statements """Deserialize basic builtin data type from string. Will attempt to convert to str, int, float and bool. This function will also accept '1', '0', 'true' and 'false' as @@ -1737,6 +1777,7 @@ def deserialize_basic(self, attr, data_type): :param str attr: response string to be deserialized. :param str data_type: deserialization data type. + :return: Deserialized basic type. :rtype: str, int, float or bool :raises: TypeError if string format is not valid. """ @@ -1748,24 +1789,23 @@ def deserialize_basic(self, attr, data_type): if data_type == "str": # None or '', node is empty string. return "" - else: - # None or '', node with a strong type is None. - # Don't try to model "empty bool" or "empty int" - return None + # None or '', node with a strong type is None. + # Don't try to model "empty bool" or "empty int" + return None if data_type == "bool": if attr in [True, False, 1, 0]: return bool(attr) - elif isinstance(attr, basestring): + if isinstance(attr, str): if attr.lower() in ["true", "1"]: return True - elif attr.lower() in ["false", "0"]: + if attr.lower() in ["false", "0"]: return False raise TypeError("Invalid boolean value: {}".format(attr)) if data_type == "str": return self.deserialize_unicode(attr) - return eval(data_type)(attr) # nosec + return eval(data_type)(attr) # nosec # pylint: disable=eval-used @staticmethod def deserialize_unicode(data): @@ -1773,6 +1813,7 @@ def deserialize_unicode(data): as a string. :param str data: response string to be deserialized. + :return: Deserialized string. :rtype: str or unicode """ # We might be here because we have an enum modeled as string, @@ -1786,8 +1827,7 @@ def deserialize_unicode(data): return data except NameError: return str(data) - else: - return str(data) + return str(data) @staticmethod def deserialize_enum(data, enum_obj): @@ -1799,6 +1839,7 @@ def deserialize_enum(data, enum_obj): :param str data: Response string to be deserialized. If this value is None or invalid it will be returned as-is. :param Enum enum_obj: Enum object to deserialize to. + :return: Deserialized enum object. :rtype: Enum """ if isinstance(data, enum_obj) or data is None: @@ -1809,9 +1850,9 @@ def deserialize_enum(data, enum_obj): # Workaround. We might consider remove it in the future. try: return list(enum_obj.__members__.values())[data] - except IndexError: + except IndexError as exc: error = "{!r} is not a valid index for enum {!r}" - raise DeserializationError(error.format(data, enum_obj)) + raise DeserializationError(error.format(data, enum_obj)) from exc try: return enum_obj(str(data)) except ValueError: @@ -1827,6 +1868,7 @@ def deserialize_bytearray(attr): """Deserialize string into bytearray. :param str attr: response string to be deserialized. + :return: Deserialized bytearray :rtype: bytearray :raises: TypeError if string format invalid. """ @@ -1839,6 +1881,7 @@ def deserialize_base64(attr): """Deserialize base64 encoded string into string. :param str attr: response string to be deserialized. + :return: Deserialized base64 string :rtype: bytearray :raises: TypeError if string format invalid. """ @@ -1854,8 +1897,9 @@ def deserialize_decimal(attr): """Deserialize string into Decimal object. :param str attr: response string to be deserialized. - :rtype: Decimal + :return: Deserialized decimal :raises: DeserializationError if string format invalid. + :rtype: decimal """ if isinstance(attr, ET.Element): attr = attr.text @@ -1870,6 +1914,7 @@ def deserialize_long(attr): """Deserialize string into long (Py2) or int (Py3). :param str attr: response string to be deserialized. + :return: Deserialized int :rtype: long or int :raises: ValueError if string format invalid. """ @@ -1882,6 +1927,7 @@ def deserialize_duration(attr): """Deserialize ISO-8601 formatted string into TimeDelta object. :param str attr: response string to be deserialized. + :return: Deserialized duration :rtype: TimeDelta :raises: DeserializationError if string format invalid. """ @@ -1892,14 +1938,14 @@ def deserialize_duration(attr): except (ValueError, OverflowError, AttributeError) as err: msg = "Cannot deserialize duration object." raise DeserializationError(msg) from err - else: - return duration + return duration @staticmethod def deserialize_date(attr): """Deserialize ISO-8601 formatted string into Date object. :param str attr: response string to be deserialized. + :return: Deserialized date :rtype: Date :raises: DeserializationError if string format invalid. """ @@ -1915,6 +1961,7 @@ def deserialize_time(attr): """Deserialize ISO-8601 formatted string into time object. :param str attr: response string to be deserialized. + :return: Deserialized time :rtype: datetime.time :raises: DeserializationError if string format invalid. """ @@ -1929,6 +1976,7 @@ def deserialize_rfc(attr): """Deserialize RFC-1123 formatted string into Datetime object. :param str attr: response string to be deserialized. + :return: Deserialized RFC datetime :rtype: Datetime :raises: DeserializationError if string format invalid. """ @@ -1937,21 +1985,21 @@ def deserialize_rfc(attr): try: parsed_date = email.utils.parsedate_tz(attr) # type: ignore date_obj = datetime.datetime( - *parsed_date[:6], tzinfo=_FixedOffset(datetime.timedelta(minutes=(parsed_date[9] or 0) / 60)) + *parsed_date[:6], tzinfo=datetime.timezone(datetime.timedelta(minutes=(parsed_date[9] or 0) / 60)) ) if not date_obj.tzinfo: date_obj = date_obj.astimezone(tz=TZ_UTC) except ValueError as err: msg = "Cannot deserialize to rfc datetime object." raise DeserializationError(msg) from err - else: - return date_obj + return date_obj @staticmethod def deserialize_iso(attr): """Deserialize ISO-8601 formatted string into Datetime object. :param str attr: response string to be deserialized. + :return: Deserialized ISO datetime :rtype: Datetime :raises: DeserializationError if string format invalid. """ @@ -1981,8 +2029,7 @@ def deserialize_iso(attr): except (ValueError, OverflowError, AttributeError) as err: msg = "Cannot deserialize datetime object." raise DeserializationError(msg) from err - else: - return date_obj + return date_obj @staticmethod def deserialize_unix(attr): @@ -1990,6 +2037,7 @@ def deserialize_unix(attr): This is represented as seconds. :param int attr: Object to be serialized. + :return: Deserialized datetime :rtype: Datetime :raises: DeserializationError if format invalid """ @@ -2001,5 +2049,4 @@ def deserialize_unix(attr): except ValueError as err: msg = "Cannot deserialize to unix datetime object." raise DeserializationError(msg) from err - else: - return date_obj + return date_obj diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/__init__.py deleted file mode 100644 index 4bcf3faed073..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/__init__.py +++ /dev/null @@ -1,77 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from typing import Optional -from urllib import parse - -from .challenge_auth_policy import ChallengeAuthPolicy -from .client_base import KeyVaultClientBase -from .http_challenge import HttpChallenge -from . import http_challenge_cache - -HttpChallengeCache = http_challenge_cache # to avoid aliasing pylint error (C4745) - - -__all__ = [ - "ChallengeAuthPolicy", - "HttpChallenge", - "HttpChallengeCache", - "KeyVaultClientBase", -] - -class KeyVaultResourceId(): - """Represents a Key Vault identifier and its parsed contents. - - :param str source_id: The complete identifier received from Key Vault - :param str vault_url: The vault URL - :param str name: The name extracted from the ID - :param str version: The version extracted from the ID - """ - - def __init__( - self, - source_id: str, - vault_url: str, - name: str, - version: "Optional[str]" = None, - ) -> None: - self.source_id = source_id - self.vault_url = vault_url - self.name = name - self.version = version - - -def parse_key_vault_id(source_id: str) -> KeyVaultResourceId: - try: - parsed_uri = parse.urlparse(source_id) - except Exception as exc: - raise ValueError(f"'{source_id}' is not a valid ID") from exc - if not (parsed_uri.scheme and parsed_uri.hostname): - raise ValueError(f"'{source_id}' is not a valid ID") - - path = list(filter(None, parsed_uri.path.split("/"))) - - if len(path) < 2 or len(path) > 3: - raise ValueError(f"'{source_id}' is not a valid ID") - - vault_url = f"{parsed_uri.scheme}://{parsed_uri.hostname}" - if parsed_uri.port: - vault_url += f":{parsed_uri.port}" - - return KeyVaultResourceId( - source_id=source_id, - vault_url=vault_url, - name=path[1], - version=path[2] if len(path) == 3 else None, - ) - - -try: - # pylint:disable=unused-import - from .async_challenge_auth_policy import AsyncChallengeAuthPolicy - from .async_client_base import AsyncKeyVaultClientBase - - __all__.extend(["AsyncChallengeAuthPolicy", "AsyncKeyVaultClientBase"]) -except (SyntaxError, ImportError): - pass diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/_polling.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/_polling.py deleted file mode 100644 index d4b83a0eca57..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/_polling.py +++ /dev/null @@ -1,142 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import logging -import threading -import uuid -from typing import Any, Callable, cast, Optional - -from azure.core.exceptions import ResourceNotFoundError, HttpResponseError -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import HttpTransport -from azure.core.polling import PollingMethod, LROPoller, NoPolling - -from azure.core.tracing.decorator import distributed_trace -from azure.core.tracing.common import with_current_context - -logger = logging.getLogger(__name__) - - -class KeyVaultOperationPoller(LROPoller): - """Poller for long running operations where calling result() doesn't wait for operation to complete. - - :param polling_method: The poller's polling method. - :type polling_method: ~azure.core.polling.PollingMethod - """ - - def __init__(self, polling_method: PollingMethod) -> None: - super(KeyVaultOperationPoller, self).__init__(None, None, lambda *_: None, NoPolling()) - self._polling_method = polling_method - - # pylint: disable=arguments-differ - def result(self) -> "Any": # type: ignore - """Returns a representation of the final resource without waiting for the operation to complete. - - :returns: The deserialized resource of the long running operation - :rtype: Any - - :raises ~azure.core.exceptions.HttpResponseError: Server problem with the query. - """ - return self._polling_method.resource() - - @distributed_trace - def wait(self, timeout: Optional[float] = None) -> None: - """Wait on the long running operation for a number of seconds. - - You can check if this call has ended with timeout with the "done()" method. - - :param float timeout: Period of time to wait for the long running operation to complete (in seconds). - - :raises ~azure.core.exceptions.HttpResponseError: Server problem with the query. - """ - - if not self._polling_method.finished(): - self._done = threading.Event() - self._thread = threading.Thread( - target=with_current_context(self._start), name=f"KeyVaultOperationPoller({uuid.uuid4()})" - ) - self._thread.daemon = True - self._thread.start() - - if self._thread is None: - return - self._thread.join(timeout=timeout) - try: - # Let's handle possible None in forgiveness here - raise self._exception # type: ignore - except TypeError: # Was None - pass - - -class DeleteRecoverPollingMethod(PollingMethod): - """Poller for deleting resources, and recovering deleted resources, in vaults with soft-delete enabled. - - This works by polling for the existence of the deleted or recovered resource. When a resource is deleted, Key Vault - immediately removes it from its collection. However, the resource will not immediately appear in the deleted - collection. Key Vault will therefore respond 404 to GET requests for the deleted resource; when it responds 2xx, - the resource exists in the deleted collection i.e. its deletion is complete. - - Similarly, while recovering a deleted resource, Key Vault will respond 404 to GET requests for the non-deleted - resource; when it responds 2xx, the resource exists in the non-deleted collection, i.e. its recovery is complete. - - :param pipeline_response: The operation's original pipeline response. - :type pipeline_response: PipelineResponse - :param command: A callable to invoke when polling. - :type command: Callable - :param final_resource: The final resource returned by the polling operation. - :type final_resource: Any - :param bool finished: Whether or not the polling operation is completed. - :param int interval: The polling interval, in seconds. - """ - def __init__( - self, - pipeline_response: PipelineResponse, - command: Callable, - final_resource: Any, - finished: bool, - interval: int = 2 - ) -> None: - self._pipeline_response = pipeline_response - self._command = command - self._resource = final_resource - self._polling_interval = interval - self._finished = finished - - def _update_status(self) -> None: - try: - self._command() - self._finished = True - except ResourceNotFoundError: - pass - except HttpResponseError as e: - # If we are polling on get_deleted_* and we don't have get permissions, we will get - # ResourceNotFoundError until the resource is recovered, at which point we'll get a 403. - if e.status_code == 403: - self._finished = True - else: - raise - - def initialize(self, client: Any, initial_response: Any, deserialization_callback: Callable) -> None: - pass - - def run(self) -> None: - try: - while not self.finished(): - self._update_status() - if not self.finished(): - # We should always ask the client's transport to sleep, instead of sleeping directly - transport: HttpTransport = cast(HttpTransport, self._pipeline_response.context.transport) - transport.sleep(self._polling_interval) - except Exception as e: - logger.warning(str(e)) - raise - - def finished(self) -> bool: - return self._finished - - def resource(self) -> Any: - return self._resource - - def status(self) -> str: - return "finished" if self._finished else "polling" diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/_polling_async.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/_polling_async.py deleted file mode 100644 index a089567b7c1f..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/_polling_async.py +++ /dev/null @@ -1,87 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import logging -from typing import Any, Callable, cast - -from azure.core.exceptions import ResourceNotFoundError, HttpResponseError -from azure.core.pipeline import PipelineResponse -from azure.core.pipeline.transport import AsyncHttpTransport -from azure.core.polling import AsyncPollingMethod - -logger = logging.getLogger(__name__) - - -class AsyncDeleteRecoverPollingMethod(AsyncPollingMethod): - """Poller for deleting resources, and recovering deleted resources, in vaults with soft-delete enabled. - - This works by polling for the existence of the deleted or recovered resource. When a resource is deleted, Key Vault - immediately removes it from its collection. However, the resource will not immediately appear in the deleted - collection. Key Vault will therefore respond 404 to GET requests for the deleted resource; when it responds 2xx, - the resource exists in the deleted collection i.e. its deletion is complete. - - Similarly, while recovering a deleted resource, Key Vault will respond 404 to GET requests for the non-deleted - resource; when it responds 2xx, the resource exists in the non-deleted collection, i.e. its recovery is complete. - - :param pipeline_response: The operation's original pipeline response. - :type pipeline_response: PipelineResponse - :param command: An awaitable to invoke when polling. - :type command: Callable - :param final_resource: The final resource returned by the polling operation. - :type final_resource: Any - :param bool finished: Whether or not the polling operation is completed. - :param int interval: The polling interval, in seconds. - """ - - def __init__( - self, - pipeline_response: PipelineResponse, - command: Callable, - final_resource: Any, - finished: bool, - interval: int = 2 - ) -> None: - self._pipeline_response = pipeline_response - self._command = command - self._resource = final_resource - self._polling_interval = interval - self._finished = finished - - def initialize(self, client, initial_response, deserialization_callback): - pass - - async def _update_status(self) -> None: - try: - await self._command() - self._finished = True - except ResourceNotFoundError: - pass - except HttpResponseError as e: - # If we are polling on get_deleted_* and we don't have get permissions, we will get - # ResourceNotFoundError until the resource is recovered, at which point we'll get a 403. - if e.status_code == 403: - self._finished = True - else: - raise - - async def run(self) -> None: - try: - while not self.finished(): - await self._update_status() - if not self.finished(): - # We should always ask the client's transport to sleep, instead of sleeping directly - transport: AsyncHttpTransport = cast(AsyncHttpTransport, self._pipeline_response.context.transport) - await transport.sleep(self._polling_interval) - except Exception as e: - logger.warning(str(e)) - raise - - def finished(self) -> bool: - return self._finished - - def resource(self) -> Any: - return self._resource - - def status(self) -> str: - return "finished" if self._finished else "polling" diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_challenge_auth_policy.py deleted file mode 100644 index dad851f8f58c..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_challenge_auth_policy.py +++ /dev/null @@ -1,262 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -"""Policy implementing Key Vault's challenge authentication protocol. - -Normally the protocol is only used for the client's first service request, upon which: -1. The challenge authentication policy sends a copy of the request, without authorization or content. -2. Key Vault responds 401 with a header (the 'challenge') detailing how the client should authenticate such a request. -3. The policy authenticates according to the challenge and sends the original request with authorization. - -The policy caches the challenge and thus knows how to authenticate future requests. However, authentication -requirements can change. For example, a vault may move to a new tenant. In such a case the policy will attempt the -protocol again. -""" - -from copy import deepcopy -import sys -import time -from typing import Any, Callable, cast, Optional, overload, TypeVar, Union -from urllib.parse import urlparse - -from typing_extensions import ParamSpec - -from azure.core.credentials import AccessToken, AccessTokenInfo, TokenRequestOptions -from azure.core.credentials_async import AsyncSupportsTokenInfo, AsyncTokenCredential, AsyncTokenProvider -from azure.core.pipeline import PipelineRequest, PipelineResponse -from azure.core.pipeline.policies import AsyncBearerTokenCredentialPolicy -from azure.core.rest import AsyncHttpResponse, HttpRequest - -from .http_challenge import HttpChallenge -from . import http_challenge_cache as ChallengeCache -from .challenge_auth_policy import _enforce_tls, _has_claims, _update_challenge - -if sys.version_info < (3, 9): - from typing import Awaitable -else: - from collections.abc import Awaitable - - -P = ParamSpec("P") -T = TypeVar("T") - - -@overload -async def await_result(func: Callable[P, Awaitable[T]], *args: P.args, **kwargs: P.kwargs) -> T: ... - - -@overload -async def await_result(func: Callable[P, T], *args: P.args, **kwargs: P.kwargs) -> T: ... - - -async def await_result(func: Callable[P, Union[T, Awaitable[T]]], *args: P.args, **kwargs: P.kwargs) -> T: - """If func returns an awaitable, await it. - - :param func: The function to run. - :type func: callable - :param args: The positional arguments to pass to the function. - :type args: list - :rtype: any - :return: The result of the function - """ - result = func(*args, **kwargs) - if isinstance(result, Awaitable): - return await result - return result - - -class AsyncChallengeAuthPolicy(AsyncBearerTokenCredentialPolicy): - """Policy for handling HTTP authentication challenges. - - :param credential: An object which can provide an access token for the vault, such as a credential from - :mod:`azure.identity.aio` - :type credential: ~azure.core.credentials_async.AsyncTokenProvider - """ - - def __init__(self, credential: AsyncTokenProvider, *scopes: str, **kwargs: Any) -> None: - # Pass `enable_cae` so `enable_cae=True` is always passed through self.authorize_request - super().__init__(credential, *scopes, enable_cae=True, **kwargs) - self._credential: AsyncTokenProvider = credential - self._token: Optional[Union["AccessToken", "AccessTokenInfo"]] = None - self._verify_challenge_resource = kwargs.pop("verify_challenge_resource", True) - self._request_copy: Optional[HttpRequest] = None - - async def send( - self, request: PipelineRequest[HttpRequest] - ) -> PipelineResponse[HttpRequest, AsyncHttpResponse]: - """Authorize request with a bearer token and send it to the next policy. - - We implement this method to account for the valid scenario where a Key Vault authentication challenge is - immediately followed by a CAE claims challenge. The base class's implementation would return the second 401 to - the caller, but we should handle that second challenge as well (and only return any third 401 response). - - :param request: The pipeline request object - :type request: ~azure.core.pipeline.PipelineRequest - :return: The pipeline response object - :rtype: ~azure.core.pipeline.PipelineResponse - """ - await await_result(self.on_request, request) - response: PipelineResponse[HttpRequest, AsyncHttpResponse] - try: - response = await self.next.send(request) - except Exception: # pylint:disable=broad-except - await await_result(self.on_exception, request) - raise - await await_result(self.on_response, request, response) - - if response.http_response.status_code == 401: - return await self.handle_challenge_flow(request, response) - return response - - async def handle_challenge_flow( - self, - request: PipelineRequest[HttpRequest], - response: PipelineResponse[HttpRequest, AsyncHttpResponse], - consecutive_challenge: bool = False, - ) -> PipelineResponse[HttpRequest, AsyncHttpResponse]: - """Handle the challenge flow of Key Vault and CAE authentication. - - :param request: The pipeline request object - :type request: ~azure.core.pipeline.PipelineRequest - :param response: The pipeline response object - :type response: ~azure.core.pipeline.PipelineResponse - :param bool consecutive_challenge: Whether the challenge is arriving immediately after another challenge. - Consecutive challenges can only be valid if a Key Vault challenge is followed by a CAE claims challenge. - True if the preceding challenge was a Key Vault challenge; False otherwise. - - :return: The pipeline response object - :rtype: ~azure.core.pipeline.PipelineResponse - """ - self._token = None # any cached token is invalid - if "WWW-Authenticate" in response.http_response.headers: - # If the previous challenge was a KV challenge and this one is too, return the 401 - claims_challenge = _has_claims(response.http_response.headers["WWW-Authenticate"]) - if consecutive_challenge and not claims_challenge: - return response - - request_authorized = await self.on_challenge(request, response) - if request_authorized: - # if we receive a challenge response, we retrieve a new token - # which matches the new target. In this case, we don't want to remove - # token from the request so clear the 'insecure_domain_change' tag - request.context.options.pop("insecure_domain_change", False) - try: - response = await self.next.send(request) - except Exception: # pylint:disable=broad-except - await await_result(self.on_exception, request) - raise - - # If consecutive_challenge == True, this could be a third consecutive 401 - if response.http_response.status_code == 401 and not consecutive_challenge: - # If the previous challenge wasn't from CAE, we can try this function one more time - if not claims_challenge: - return await self.handle_challenge_flow(request, response, consecutive_challenge=True) - await await_result(self.on_response, request, response) - return response - - - async def on_request(self, request: PipelineRequest) -> None: - _enforce_tls(request) - challenge = ChallengeCache.get_challenge_for_url(request.http_request.url) - if challenge: - # Note that if the vault has moved to a new tenant since our last request for it, this request will fail. - if self._need_new_token(): - # azure-identity credentials require an AADv2 scope but the challenge may specify an AADv1 resource - scope = challenge.get_scope() or challenge.get_resource() + "/.default" - await self._request_kv_token(scope, challenge) - - bearer_token = cast(Union[AccessToken, AccessTokenInfo], self._token).token - request.http_request.headers["Authorization"] = f"Bearer {bearer_token}" - return - - # else: discover authentication information by eliciting a challenge from Key Vault. Remove any request data, - # saving it for later. Key Vault will reject the request as unauthorized and respond with a challenge. - # on_challenge will parse that challenge, use the original request including the body, authorize the - # request, and tell super to send it again. - if request.http_request.content: - self._request_copy = request.http_request - bodiless_request = HttpRequest( - method=request.http_request.method, - url=request.http_request.url, - headers=deepcopy(request.http_request.headers), - ) - bodiless_request.headers["Content-Length"] = "0" - request.http_request = bodiless_request - - - async def on_challenge(self, request: PipelineRequest, response: PipelineResponse) -> bool: - try: - # CAE challenges may not include a scope or tenant; cache from the previous challenge to use if necessary - old_scope: Optional[str] = None - old_tenant: Optional[str] = None - cached_challenge = ChallengeCache.get_challenge_for_url(request.http_request.url) - if cached_challenge: - old_scope = cached_challenge.get_scope() or cached_challenge.get_resource() + "/.default" - old_tenant = cached_challenge.tenant_id - - challenge = _update_challenge(request, response) - # CAE challenges may not include a scope or tenant; use the previous challenge's values if necessary - if challenge.claims and old_scope: - challenge._parameters["scope"] = old_scope # pylint:disable=protected-access - challenge.tenant_id = old_tenant - # azure-identity credentials require an AADv2 scope but the challenge may specify an AADv1 resource - scope = challenge.get_scope() or challenge.get_resource() + "/.default" - except ValueError: - return False - - if self._verify_challenge_resource: - resource_domain = urlparse(scope).netloc - if not resource_domain: - raise ValueError(f"The challenge contains invalid scope '{scope}'.") - - request_domain = urlparse(request.http_request.url).netloc - if not request_domain.lower().endswith(f".{resource_domain.lower()}"): - raise ValueError( - f"The challenge resource '{resource_domain}' does not match the requested domain. Pass " - "`verify_challenge_resource=False` to your client's constructor to disable this verification. " - "See https://aka.ms/azsdk/blog/vault-uri for more information." - ) - - # If we had created a request copy in on_request, use it now to send along the original body content - if self._request_copy: - request.http_request = self._request_copy - - # The tenant parsed from AD FS challenges is "adfs"; we don't actually need a tenant for AD FS authentication - # For AD FS we skip cross-tenant authentication per https://github.com/Azure/azure-sdk-for-python/issues/28648 - if challenge.tenant_id and challenge.tenant_id.lower().endswith("adfs"): - await self.authorize_request(request, scope, claims=challenge.claims) - else: - await self.authorize_request( - request, scope, claims=challenge.claims, tenant_id=challenge.tenant_id - ) - - return True - - def _need_new_token(self) -> bool: - now = time.time() - refresh_on = getattr(self._token, "refresh_on", None) - return not self._token or (refresh_on and refresh_on <= now) or self._token.expires_on - now < 300 - - async def _request_kv_token(self, scope: str, challenge: HttpChallenge) -> None: - """Implementation of BearerTokenCredentialPolicy's _request_token method, but specific to Key Vault. - - :param str scope: The scope for which to request a token. - :param challenge: The challenge for the request being made. - :type challenge: HttpChallenge - """ - # Exclude tenant for AD FS authentication - exclude_tenant = challenge.tenant_id and challenge.tenant_id.lower().endswith("adfs") - # The AsyncSupportsTokenInfo protocol needs TokenRequestOptions for token requests instead of kwargs - if hasattr(self._credential, "get_token_info"): - options: TokenRequestOptions = {"enable_cae": True} - if challenge.tenant_id and not exclude_tenant: - options["tenant_id"] = challenge.tenant_id - self._token = await cast(AsyncSupportsTokenInfo, self._credential).get_token_info(scope, options=options) - else: - if exclude_tenant: - self._token = await self._credential.get_token(scope, enable_cae=True) - else: - self._token = await cast(AsyncTokenCredential, self._credential).get_token( - scope, tenant_id=challenge.tenant_id, enable_cae=True - ) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_client_base.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_client_base.py deleted file mode 100644 index 08fb1c9f668e..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/async_client_base.py +++ /dev/null @@ -1,115 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import sys -from typing import Any - -from azure.core.credentials_async import AsyncTokenCredential -from azure.core.pipeline.policies import HttpLoggingPolicy -from azure.core.rest import AsyncHttpResponse, HttpRequest -from azure.core.tracing.decorator_async import distributed_trace_async - -from . import AsyncChallengeAuthPolicy -from .client_base import ApiVersion, DEFAULT_VERSION, _format_api_version, _SERIALIZER -from .._sdk_moniker import SDK_MONIKER -from .._generated.aio import KeyVaultClient as _KeyVaultClient -from .._generated import models as _models - -if sys.version_info < (3, 9): - from typing import Awaitable -else: - from collections.abc import Awaitable - - -class AsyncKeyVaultClientBase(object): - # pylint:disable=protected-access - def __init__(self, vault_url: str, credential: AsyncTokenCredential, **kwargs: Any) -> None: - if not credential: - raise ValueError( - "credential should be an object supporting the AsyncTokenCredential protocol, " - "such as a credential from azure-identity" - ) - if not vault_url: - raise ValueError("vault_url must be the URL of an Azure Key Vault") - - try: - self.api_version = kwargs.pop("api_version", DEFAULT_VERSION) - # If API version was provided as an enum value, need to make a plain string for 3.11 compatibility - if hasattr(self.api_version, "value"): - self.api_version = self.api_version.value - self._vault_url = vault_url.strip(" /") - - client = kwargs.get("generated_client") - if client: - # caller provided a configured client -> only models left to initialize - self._client = client - models = kwargs.get("generated_models") - self._models = models or _models - return - - http_logging_policy = HttpLoggingPolicy(**kwargs) - http_logging_policy.allowed_header_names.update( - {"x-ms-keyvault-network-info", "x-ms-keyvault-region", "x-ms-keyvault-service-version"} - ) - - verify_challenge = kwargs.pop("verify_challenge_resource", True) - self._client = _KeyVaultClient( - api_version=self.api_version, - authentication_policy=AsyncChallengeAuthPolicy(credential, verify_challenge_resource=verify_challenge), - sdk_moniker=SDK_MONIKER, - http_logging_policy=http_logging_policy, - **kwargs - ) - self._models = _models - except ValueError as exc: - # Ignore pyright error that comes from not identifying ApiVersion as an iterable enum - raise NotImplementedError( - f"This package doesn't support API version '{self.api_version}'. " - + "Supported versions: " - + f"{', '.join(v.value for v in ApiVersion)}" # pyright: ignore[reportGeneralTypeIssues] - ) from exc - - @property - def vault_url(self) -> str: - return self._vault_url - - async def __aenter__(self) -> "AsyncKeyVaultClientBase": - await self._client.__aenter__() - return self - - async def __aexit__(self, *args: Any) -> None: - await self._client.__aexit__(*args) - - async def close(self) -> None: - """Close sockets opened by the client. - - Calling this method is unnecessary when using the client as a context manager. - """ - await self._client.close() - - @distributed_trace_async - def send_request( - self, request: HttpRequest, *, stream: bool = False, **kwargs: Any - ) -> Awaitable[AsyncHttpResponse]: - """Runs a network request using the client's existing pipeline. - - The request URL can be relative to the vault URL. The service API version used for the request is the same as - the client's unless otherwise specified. This method does not raise if the response is an error; to raise an - exception, call `raise_for_status()` on the returned response object. For more information about how to send - custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request. - - :param request: The network request you want to make. - :type request: ~azure.core.rest.HttpRequest - - :keyword bool stream: Whether the response payload will be streamed. Defaults to False. - - :return: The response of your network call. Does not do error handling on your response. - :rtype: ~azure.core.rest.AsyncHttpResponse - """ - request_copy = _format_api_version(request, self.api_version) - path_format_arguments = { - "vaultBaseUrl": _SERIALIZER.url("vault_base_url", self._vault_url, "str", skip_quote=True), - } - request_copy.url = self._client._client.format_url(request_copy.url, **path_format_arguments) - return self._client._client.send_request(request_copy, stream=stream, **kwargs) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/challenge_auth_policy.py deleted file mode 100644 index eb4073d0e699..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/challenge_auth_policy.py +++ /dev/null @@ -1,270 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -"""Policy implementing Key Vault's challenge authentication protocol. - -Normally the protocol is only used for the client's first service request, upon which: -1. The challenge authentication policy sends a copy of the request, without authorization or content. -2. Key Vault responds 401 with a header (the 'challenge') detailing how the client should authenticate such a request. -3. The policy authenticates according to the challenge and sends the original request with authorization. - -The policy caches the challenge and thus knows how to authenticate future requests. However, authentication -requirements can change. For example, a vault may move to a new tenant. In such a case the policy will attempt the -protocol again. -""" - -from copy import deepcopy -import time -from typing import Any, cast, Optional, Union -from urllib.parse import urlparse - -from azure.core.credentials import ( - AccessToken, - AccessTokenInfo, - TokenCredential, - TokenProvider, - TokenRequestOptions, - SupportsTokenInfo, -) -from azure.core.exceptions import ServiceRequestError -from azure.core.pipeline import PipelineRequest, PipelineResponse -from azure.core.pipeline.policies import BearerTokenCredentialPolicy -from azure.core.rest import HttpRequest, HttpResponse - -from .http_challenge import HttpChallenge -from . import http_challenge_cache as ChallengeCache - - -def _enforce_tls(request: PipelineRequest) -> None: - if not request.http_request.url.lower().startswith("https"): - raise ServiceRequestError( - "Bearer token authentication is not permitted for non-TLS protected (non-https) URLs." - ) - - -def _has_claims(challenge: str) -> bool: - """Check if a challenge header contains claims. - - :param challenge: The challenge header to check. - :type challenge: str - - :returns: True if the challenge contains claims; False otherwise. - :rtype: bool - """ - # Split the challenge into its scheme and parameters, then check if any parameter contains claims - split_challenge = challenge.strip().split(" ", 1) - return any("claims=" in item for item in split_challenge[1].split(",")) - - -def _update_challenge(request: PipelineRequest, challenger: PipelineResponse) -> HttpChallenge: - """Parse challenge from a challenge response, cache it, and return it. - - :param request: The pipeline request that prompted the challenge response. - :type request: ~azure.core.pipeline.PipelineRequest - :param challenger: The pipeline response containing the authentication challenge. - :type challenger: ~azure.core.pipeline.PipelineResponse - - :returns: An HttpChallenge object representing the authentication challenge. - :rtype: HttpChallenge - """ - - challenge = HttpChallenge( - request.http_request.url, - challenger.http_response.headers.get("WWW-Authenticate"), - response_headers=challenger.http_response.headers, - ) - ChallengeCache.set_challenge_for_url(request.http_request.url, challenge) - return challenge - - -class ChallengeAuthPolicy(BearerTokenCredentialPolicy): - """Policy for handling HTTP authentication challenges. - - :param credential: An object which can provide an access token for the vault, such as a credential from - :mod:`azure.identity` - :type credential: ~azure.core.credentials.TokenProvider - :param str scopes: Lets you specify the type of access needed. - """ - - def __init__(self, credential: TokenProvider, *scopes: str, **kwargs: Any) -> None: - # Pass `enable_cae` so `enable_cae=True` is always passed through self.authorize_request - super(ChallengeAuthPolicy, self).__init__(credential, *scopes, enable_cae=True, **kwargs) - self._credential: TokenProvider = credential - self._token: Optional[Union["AccessToken", "AccessTokenInfo"]] = None - self._verify_challenge_resource = kwargs.pop("verify_challenge_resource", True) - self._request_copy: Optional[HttpRequest] = None - - def send(self, request: PipelineRequest[HttpRequest]) -> PipelineResponse[HttpRequest, HttpResponse]: - """Authorize request with a bearer token and send it to the next policy. - - We implement this method to account for the valid scenario where a Key Vault authentication challenge is - immediately followed by a CAE claims challenge. The base class's implementation would return the second 401 to - the caller, but we should handle that second challenge as well (and only return any third 401 response). - - :param request: The pipeline request object - :type request: ~azure.core.pipeline.PipelineRequest - - :return: The pipeline response object - :rtype: ~azure.core.pipeline.PipelineResponse - """ - self.on_request(request) - try: - response = self.next.send(request) - except Exception: # pylint:disable=broad-except - self.on_exception(request) - raise - - self.on_response(request, response) - if response.http_response.status_code == 401: - return self.handle_challenge_flow(request, response) - return response - - def handle_challenge_flow( - self, - request: PipelineRequest[HttpRequest], - response: PipelineResponse[HttpRequest, HttpResponse], - consecutive_challenge: bool = False, - ) -> PipelineResponse[HttpRequest, HttpResponse]: - """Handle the challenge flow of Key Vault and CAE authentication. - - :param request: The pipeline request object - :type request: ~azure.core.pipeline.PipelineRequest - :param response: The pipeline response object - :type response: ~azure.core.pipeline.PipelineResponse - :param bool consecutive_challenge: Whether the challenge is arriving immediately after another challenge. - Consecutive challenges can only be valid if a Key Vault challenge is followed by a CAE claims challenge. - True if the preceding challenge was a Key Vault challenge; False otherwise. - - :return: The pipeline response object - :rtype: ~azure.core.pipeline.PipelineResponse - """ - self._token = None # any cached token is invalid - if "WWW-Authenticate" in response.http_response.headers: - # If the previous challenge was a KV challenge and this one is too, return the 401 - claims_challenge = _has_claims(response.http_response.headers["WWW-Authenticate"]) - if consecutive_challenge and not claims_challenge: - return response - - request_authorized = self.on_challenge(request, response) - if request_authorized: - # if we receive a challenge response, we retrieve a new token - # which matches the new target. In this case, we don't want to remove - # token from the request so clear the 'insecure_domain_change' tag - request.context.options.pop("insecure_domain_change", False) - try: - response = self.next.send(request) - except Exception: # pylint:disable=broad-except - self.on_exception(request) - raise - - # If consecutive_challenge == True, this could be a third consecutive 401 - if response.http_response.status_code == 401 and not consecutive_challenge: - # If the previous challenge wasn't from CAE, we can try this function one more time - if not claims_challenge: - return self.handle_challenge_flow(request, response, consecutive_challenge=True) - self.on_response(request, response) - return response - - def on_request(self, request: PipelineRequest) -> None: - _enforce_tls(request) - challenge = ChallengeCache.get_challenge_for_url(request.http_request.url) - if challenge: - # Note that if the vault has moved to a new tenant since our last request for it, this request will fail. - if self._need_new_token: - # azure-identity credentials require an AADv2 scope but the challenge may specify an AADv1 resource - scope = challenge.get_scope() or challenge.get_resource() + "/.default" - self._request_kv_token(scope, challenge) - - bearer_token = cast(Union["AccessToken", "AccessTokenInfo"], self._token).token - request.http_request.headers["Authorization"] = f"Bearer {bearer_token}" - return - - # else: discover authentication information by eliciting a challenge from Key Vault. Remove any request data, - # saving it for later. Key Vault will reject the request as unauthorized and respond with a challenge. - # on_challenge will parse that challenge, use the original request including the body, authorize the - # request, and tell super to send it again. - if request.http_request.content: - self._request_copy = request.http_request - bodiless_request = HttpRequest( - method=request.http_request.method, - url=request.http_request.url, - headers=deepcopy(request.http_request.headers), - ) - bodiless_request.headers["Content-Length"] = "0" - request.http_request = bodiless_request - - def on_challenge(self, request: PipelineRequest, response: PipelineResponse) -> bool: - try: - # CAE challenges may not include a scope or tenant; cache from the previous challenge to use if necessary - old_scope: Optional[str] = None - old_tenant: Optional[str] = None - cached_challenge = ChallengeCache.get_challenge_for_url(request.http_request.url) - if cached_challenge: - old_scope = cached_challenge.get_scope() or cached_challenge.get_resource() + "/.default" - old_tenant = cached_challenge.tenant_id - - challenge = _update_challenge(request, response) - # CAE challenges may not include a scope or tenant; use the previous challenge's values if necessary - if challenge.claims and old_scope: - challenge._parameters["scope"] = old_scope # pylint:disable=protected-access - challenge.tenant_id = old_tenant - # azure-identity credentials require an AADv2 scope but the challenge may specify an AADv1 resource - scope = challenge.get_scope() or challenge.get_resource() + "/.default" - except ValueError: - return False - - if self._verify_challenge_resource: - resource_domain = urlparse(scope).netloc - if not resource_domain: - raise ValueError(f"The challenge contains invalid scope '{scope}'.") - - request_domain = urlparse(request.http_request.url).netloc - if not request_domain.lower().endswith(f".{resource_domain.lower()}"): - raise ValueError( - f"The challenge resource '{resource_domain}' does not match the requested domain. Pass " - "`verify_challenge_resource=False` to your client's constructor to disable this verification. " - "See https://aka.ms/azsdk/blog/vault-uri for more information." - ) - - # If we had created a request copy in on_request, use it now to send along the original body content - if self._request_copy: - request.http_request = self._request_copy - - # The tenant parsed from AD FS challenges is "adfs"; we don't actually need a tenant for AD FS authentication - # For AD FS we skip cross-tenant authentication per https://github.com/Azure/azure-sdk-for-python/issues/28648 - if challenge.tenant_id and challenge.tenant_id.lower().endswith("adfs"): - self.authorize_request(request, scope, claims=challenge.claims) - else: - self.authorize_request(request, scope, claims=challenge.claims, tenant_id=challenge.tenant_id) - - return True - - @property - def _need_new_token(self) -> bool: - now = time.time() - refresh_on = getattr(self._token, "refresh_on", None) - return not self._token or (refresh_on and refresh_on <= now) or self._token.expires_on - now < 300 - - def _request_kv_token(self, scope: str, challenge: HttpChallenge) -> None: - """Implementation of BearerTokenCredentialPolicy's _request_token method, but specific to Key Vault. - - :param str scope: The scope for which to request a token. - :param challenge: The challenge for the request being made. - :type challenge: HttpChallenge - """ - # Exclude tenant for AD FS authentication - exclude_tenant = challenge.tenant_id and challenge.tenant_id.lower().endswith("adfs") - # The SupportsTokenInfo protocol needs TokenRequestOptions for token requests instead of kwargs - if hasattr(self._credential, "get_token_info"): - options: TokenRequestOptions = {"enable_cae": True} - if challenge.tenant_id and not exclude_tenant: - options["tenant_id"] = challenge.tenant_id - self._token = cast(SupportsTokenInfo, self._credential).get_token_info(scope, options=options) - else: - if exclude_tenant: - self._token = self._credential.get_token(scope, enable_cae=True) - else: - self._token = cast(TokenCredential, self._credential).get_token( - scope, tenant_id=challenge.tenant_id, enable_cae=True - ) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/client_base.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/client_base.py deleted file mode 100644 index 704cea8a0753..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/client_base.py +++ /dev/null @@ -1,158 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from copy import deepcopy -from enum import Enum -from typing import Any -from urllib.parse import urlparse - -from azure.core import CaseInsensitiveEnumMeta -from azure.core.credentials import TokenCredential -from azure.core.pipeline.policies import HttpLoggingPolicy -from azure.core.rest import HttpRequest, HttpResponse -from azure.core.tracing.decorator import distributed_trace - -from . import ChallengeAuthPolicy -from .._generated import KeyVaultClient as _KeyVaultClient -from .._generated import models as _models -from .._generated._serialization import Serializer -from .._sdk_moniker import SDK_MONIKER - - -class ApiVersion(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """Key Vault API versions supported by this package""" - - #: this is the default version - V7_5 = "7.5" - V7_4 = "7.4" - V7_3 = "7.3" - V7_2 = "7.2" - V7_1 = "7.1" - V7_0 = "7.0" - V2016_10_01 = "2016-10-01" - - -DEFAULT_VERSION = ApiVersion.V7_5 - -_SERIALIZER = Serializer() -_SERIALIZER.client_side_validation = False - - -def _format_api_version(request: HttpRequest, api_version: str) -> HttpRequest: - """Returns a request copy that includes an api-version query parameter if one wasn't originally present. - - :param request: The HTTP request being sent. - :type request: ~azure.core.rest.HttpRequest - :param str api_version: The service API version that the request should include. - - :returns: A copy of the request that includes an api-version query parameter. - :rtype: azure.core.rest.HttpRequest - """ - request_copy = deepcopy(request) - params = {"api-version": api_version} # By default, we want to use the client's API version - query = urlparse(request_copy.url).query - - if query: - request_copy.url = request_copy.url.partition("?")[0] - existing_params = {p[0]: p[-1] for p in [p.partition("=") for p in query.split("&")]} - params.update(existing_params) # If an api-version was provided, this will overwrite our default - - # Reconstruct the query parameters onto the URL - query_params = [] - for k, v in params.items(): - query_params.append("{}={}".format(k, v)) - query = "?" + "&".join(query_params) - request_copy.url = request_copy.url + query - return request_copy - - -class KeyVaultClientBase(object): - # pylint:disable=protected-access - def __init__(self, vault_url: str, credential: TokenCredential, **kwargs: Any) -> None: - if not credential: - raise ValueError( - "credential should be an object supporting the TokenCredential protocol, " - "such as a credential from azure-identity" - ) - if not vault_url: - raise ValueError("vault_url must be the URL of an Azure Key Vault") - - try: - self.api_version = kwargs.pop("api_version", DEFAULT_VERSION) - # If API version was provided as an enum value, need to make a plain string for 3.11 compatibility - if hasattr(self.api_version, "value"): - self.api_version = self.api_version.value - self._vault_url = vault_url.strip(" /") - - client = kwargs.get("generated_client") - if client: - # caller provided a configured client -> only models left to initialize - self._client = client - models = kwargs.get("generated_models") - self._models = models or _models - return - - http_logging_policy = HttpLoggingPolicy(**kwargs) - http_logging_policy.allowed_header_names.update( - {"x-ms-keyvault-network-info", "x-ms-keyvault-region", "x-ms-keyvault-service-version"} - ) - - verify_challenge = kwargs.pop("verify_challenge_resource", True) - self._client = _KeyVaultClient( - api_version=self.api_version, - authentication_policy=ChallengeAuthPolicy(credential, verify_challenge_resource=verify_challenge), - sdk_moniker=SDK_MONIKER, - http_logging_policy=http_logging_policy, - **kwargs - ) - self._models = _models - except ValueError as exc: - # Ignore pyright error that comes from not identifying ApiVersion as an iterable enum - raise NotImplementedError( - f"This package doesn't support API version '{self.api_version}'. " - + "Supported versions: " - + f"{', '.join(v.value for v in ApiVersion)}" # pyright: ignore[reportGeneralTypeIssues] - ) from exc - - @property - def vault_url(self) -> str: - return self._vault_url - - def __enter__(self) -> "KeyVaultClientBase": - self._client.__enter__() - return self - - def __exit__(self, *args: Any) -> None: - self._client.__exit__(*args) - - def close(self) -> None: - """Close sockets opened by the client. - - Calling this method is unnecessary when using the client as a context manager. - """ - self._client.close() - - @distributed_trace - def send_request(self, request: HttpRequest, *, stream: bool = False, **kwargs: Any) -> HttpResponse: - """Runs a network request using the client's existing pipeline. - - The request URL can be relative to the vault URL. The service API version used for the request is the same as - the client's unless otherwise specified. This method does not raise if the response is an error; to raise an - exception, call `raise_for_status()` on the returned response object. For more information about how to send - custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request. - - :param request: The network request you want to make. - :type request: ~azure.core.rest.HttpRequest - - :keyword bool stream: Whether the response payload will be streamed. Defaults to False. - - :return: The response of your network call. Does not do error handling on your response. - :rtype: ~azure.core.rest.HttpResponse - """ - request_copy = _format_api_version(request, self.api_version) - path_format_arguments = { - "vaultBaseUrl": _SERIALIZER.url("vault_base_url", self._vault_url, "str", skip_quote=True), - } - request_copy.url = self._client._client.format_url(request_copy.url, **path_format_arguments) - return self._client._client.send_request(request_copy, stream=stream, **kwargs) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/http_challenge.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/http_challenge.py deleted file mode 100644 index 0320df5a868b..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/http_challenge.py +++ /dev/null @@ -1,182 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import base64 -from typing import Dict, MutableMapping, Optional -from urllib import parse - - -class HttpChallenge(object): - """An object representing the content of a Key Vault authentication challenge. - - :param str request_uri: The URI of the HTTP request that prompted this challenge. - :param str challenge: The WWW-Authenticate header of the challenge response. - :param response_headers: Optional. The headers attached to the challenge response. - :type response_headers: MutableMapping[str, str] or None - """ - - def __init__( - self, request_uri: str, challenge: str, response_headers: "Optional[MutableMapping[str, str]]" = None - ) -> None: - """Parses an HTTP WWW-Authentication Bearer challenge from a server. - - Example challenge with claims: - Bearer authorization="https://login.windows-ppe.net/", error="invalid_token", - error_description="User session has been revoked", - claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTYwMzc0MjgwMCJ9fX0=" - """ - self.source_authority = self._validate_request_uri(request_uri) - self.source_uri = request_uri - self._parameters: "Dict[str, str]" = {} - - # get the scheme of the challenge and remove from the challenge string - trimmed_challenge = self._validate_challenge(challenge) - split_challenge = trimmed_challenge.split(" ", 1) - self.scheme = split_challenge[0] - trimmed_challenge = split_challenge[1] - - self.claims = None - # split trimmed challenge into comma-separated name=value pairs. Values are expected - # to be surrounded by quotes which are stripped here. - for item in trimmed_challenge.split(","): - # Special case for claims, which can contain = symbols as padding. Assume at most one claim per challenge - if "claims=" in item: - encoded_claims = item[item.index("=") + 1 :].strip(" \"'") - padding_needed = -len(encoded_claims) % 4 - try: - decoded_claims = base64.urlsafe_b64decode(encoded_claims + "=" * padding_needed).decode() - self.claims = decoded_claims - except Exception: # pylint:disable=broad-except - continue - # process name=value pairs - else: - comps = item.split("=") - if len(comps) == 2: - key = comps[0].strip(' "') - value = comps[1].strip(' "') - if key: - self._parameters[key] = value - - # minimum set of parameters - if not self._parameters: - raise ValueError("Invalid challenge parameters") - - # must specify authorization or authorization_uri - if "authorization" not in self._parameters and "authorization_uri" not in self._parameters: - raise ValueError("Invalid challenge parameters") - - authorization_uri = self.get_authorization_server() - # the authorization server URI should look something like https://login.windows.net/tenant-id - raw_uri_path = str(parse.urlparse(authorization_uri).path) - uri_path = raw_uri_path.lstrip("/") - self.tenant_id = uri_path.split("/", maxsplit=1)[0] or None - - # if the response headers were supplied - if response_headers: - # get the message signing key and message key encryption key from the headers - self.server_signature_key = response_headers.get("x-ms-message-signing-key", None) - self.server_encryption_key = response_headers.get("x-ms-message-encryption-key", None) - - def is_bearer_challenge(self) -> bool: - """Tests whether the HttpChallenge is a Bearer challenge. - - :returns: True if the challenge is a Bearer challenge; False otherwise. - :rtype: bool - """ - if not self.scheme: - return False - - return self.scheme.lower() == "bearer" - - def is_pop_challenge(self) -> bool: - """Tests whether the HttpChallenge is a proof of possession challenge. - - :returns: True if the challenge is a proof of possession challenge; False otherwise. - :rtype: bool - """ - if not self.scheme: - return False - - return self.scheme.lower() == "pop" - - def get_value(self, key: str) -> "Optional[str]": - return self._parameters.get(key) - - def get_authorization_server(self) -> str: - """Returns the URI for the authorization server if present, otherwise an empty string. - - :returns: The URI for the authorization server if present, otherwise an empty string. - :rtype: str - """ - value = "" - for key in ["authorization_uri", "authorization"]: - value = self.get_value(key) or "" - if value: - break - return value - - def get_resource(self) -> str: - """Returns the resource if present, otherwise an empty string. - - :returns: The challenge resource if present, otherwise an empty string. - :rtype: str - """ - return self.get_value("resource") or "" - - def get_scope(self) -> str: - """Returns the scope if present, otherwise an empty string. - - :returns: The challenge scope if present, otherwise an empty string. - :rtype: str - """ - return self.get_value("scope") or "" - - def supports_pop(self) -> bool: - """Returns True if the challenge supports proof of possession token auth; False otherwise. - - :returns: True if the challenge supports proof of possession token auth; False otherwise. - :rtype: bool - """ - return self._parameters.get("supportspop", "").lower() == "true" - - def supports_message_protection(self) -> bool: - """Returns True if the challenge vault supports message protection; False otherwise. - - :returns: True if the challenge vault supports message protection; False otherwise. - :rtype: bool - """ - return self.supports_pop() and self.server_encryption_key and self.server_signature_key # type: ignore - - def _validate_challenge(self, challenge: str) -> str: # pylint:disable=bad-option-value,useless-option-value,no-self-use - """Verifies that the challenge is a valid auth challenge and returns the key=value pairs. - - :param str challenge: The WWW-Authenticate header of the challenge response. - - :returns: The challenge key/value pairs, with whitespace removed, as a string. - :rtype: str - """ - if not challenge: - raise ValueError("Challenge cannot be empty") - - return challenge.strip() - - def _validate_request_uri(self, uri: str) -> str: # pylint:disable=bad-option-value,useless-option-value,no-self-use - """Extracts the host authority from the given URI. - - :param str uri: The URI of the HTTP request that prompted the challenge. - - :returns: The challenge host authority. - :rtype: str - """ - if not uri: - raise ValueError("request_uri cannot be empty") - - parsed = parse.urlparse(uri) - if not parsed.netloc: - raise ValueError("request_uri must be an absolute URI") - - if parsed.scheme.lower() not in ["http", "https"]: - raise ValueError("request_uri must be HTTP or HTTPS") - - return parsed.netloc diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/http_challenge_cache.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/http_challenge_cache.py deleted file mode 100644 index f1448cc53391..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_shared/http_challenge_cache.py +++ /dev/null @@ -1,93 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import threading -from typing import Dict, Optional -from urllib import parse - -from .http_challenge import HttpChallenge - - -_cache: "Dict[str, HttpChallenge]" = {} -_lock = threading.Lock() - - -def get_challenge_for_url(url: str) -> "Optional[HttpChallenge]": - """Gets the challenge for the cached URL. - - :param str url: the URL the challenge is cached for. - - :returns: The challenge for the cached request URL, or None if the request URL isn't cached. - :rtype: HttpChallenge or None - """ - - if not url: - raise ValueError("URL cannot be None") - - key = _get_cache_key(url) - - with _lock: - return _cache.get(key) - - -def _get_cache_key(url: str) -> str: - """Use the URL's netloc as cache key except when the URL specifies the default port for its scheme. In that case - use the netloc without the port. That is to say, https://foo.bar and https://foo.bar:443 are considered equivalent. - - This equivalency prevents an unnecessary challenge when using Key Vault's paging API. The Key Vault client doesn't - specify ports, but Key Vault's next page links do, so a redundant challenge would otherwise be executed when the - client requests the next page. - - :param str url: The HTTP request URL. - - :returns: The URL's `netloc`, minus any port attached to the URL. - :rtype: str - """ - - parsed = parse.urlparse(url) - if parsed.scheme == "https" and parsed.port == 443: - return parsed.netloc[:-4] - return parsed.netloc - - -def remove_challenge_for_url(url: str) -> None: - """Removes the cached challenge for the specified URL. - - :param str url: the URL for which to remove the cached challenge - """ - if not url: - raise ValueError("URL cannot be empty") - - parsed = parse.urlparse(url) - - with _lock: - del _cache[parsed.netloc] - - -def set_challenge_for_url(url: str, challenge: "HttpChallenge") -> None: - """Caches the challenge for the specified URL. - - :param str url: the URL for which to cache the challenge - :param challenge: the challenge to cache - :type challenge: HttpChallenge - """ - if not url: - raise ValueError("URL cannot be empty") - - if not challenge: - raise ValueError("Challenge cannot be empty") - - src_url = parse.urlparse(url) - if src_url.netloc != challenge.source_authority: - raise ValueError("Source URL and Challenge URL do not match") - - with _lock: - _cache[src_url.netloc] = challenge - - -def clear() -> None: - """Clears the cache.""" - - with _lock: - _cache.clear() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_vendor.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_vendor.py similarity index 88% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_vendor.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_vendor.py index db923753c642..3790083b97e3 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/_vendor.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_vendor.py @@ -1,7 +1,7 @@ # -------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. +# Code generated by Microsoft (R) Python Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- @@ -11,7 +11,6 @@ from ._configuration import KeyVaultClientConfiguration if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports from azure.core import PipelineClient from ._serialization import Deserializer, Serializer diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_version.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_version.py index 81a6e1e8366d..bd412784f4e1 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_version.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_version.py @@ -1,6 +1,9 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- -VERSION = "4.10.1" +VERSION = "4.10.0b1" diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/__init__.py index 71cad7e66b18..8c996b993b8a 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/__init__.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/__init__.py @@ -1,7 +1,29 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from ._client import KeyClient +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# pylint: disable=wrong-import-position -__all__ = ["KeyClient"] +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from ._patch import * # pylint: disable=unused-wildcard-import + +from ._client import KeyVaultClient # type: ignore + +try: + from ._patch import __all__ as _patch_all + from ._patch import * +except ImportError: + _patch_all = [] +from ._patch import patch_sdk as _patch_sdk + +__all__ = [ + "KeyVaultClient", +] +__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore + +_patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_client.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_client.py index 86d537129cc3..6da9106e5189 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_client.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_client.py @@ -1,1009 +1,102 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -# pylint:disable=too-many-lines -from datetime import datetime -from functools import partial -from typing import Any, Dict, List, Optional, Union +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- -from azure.core.async_paging import AsyncItemPaged -from azure.core.tracing.decorator import distributed_trace -from azure.core.tracing.decorator_async import distributed_trace_async +from copy import deepcopy +from typing import Any, Awaitable, TYPE_CHECKING +from typing_extensions import Self -from ..crypto.aio import CryptographyClient -from .._client import _get_key_id -from .._enums import KeyCurveName, KeyExportEncryptionAlgorithm, KeyOperation -from .._generated.models import KeyAttributes -from .._shared._polling_async import AsyncDeleteRecoverPollingMethod -from .._shared import AsyncKeyVaultClientBase -from .. import ( - DeletedKey, - JsonWebKey, - KeyProperties, - KeyReleasePolicy, - KeyRotationLifetimeAction, - KeyRotationPolicy, - KeyType, - KeyVaultKey, - ReleaseKeyResult, -) +from azure.core import AsyncPipelineClient +from azure.core.pipeline import policies +from azure.core.rest import AsyncHttpResponse, HttpRequest +from .._serialization import Deserializer, Serializer +from ._configuration import KeyVaultClientConfiguration +from ._operations import KeyVaultClientOperationsMixin -class KeyClient(AsyncKeyVaultClientBase): - """A high-level asynchronous interface for managing a vault's keys. +if TYPE_CHECKING: + from azure.core.credentials_async import AsyncTokenCredential - :param str vault_url: URL of the vault the client will access. This is also called the vault's "DNS Name". - You should validate that this URL references a valid Key Vault or Managed HSM resource. - See https://aka.ms/azsdk/blog/vault-uri for details. - :param credential: An object which can provide an access token for the vault, such as a credential from - :mod:`azure.identity.aio` - :type credential: ~azure.core.credentials_async.AsyncTokenCredential - :keyword api_version: Version of the service API to use. Defaults to the most recent. - :paramtype api_version: ~azure.keyvault.keys.ApiVersion or str - :keyword bool verify_challenge_resource: Whether to verify the authentication challenge resource matches the Key - Vault or Managed HSM domain. Defaults to True. +class KeyVaultClient(KeyVaultClientOperationsMixin): + """The key vault client performs cryptographic key operations and vault operations against the Key + Vault service. - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START create_key_client] - :end-before: [END create_key_client] - :language: python - :caption: Create a new ``KeyClient`` - :dedent: 4 + :param vault_base_url: Required. + :type vault_base_url: str + :param credential: Credential used to authenticate requests to the service. Required. + :type credential: ~azure.core.credentials_async.AsyncTokenCredential + :keyword api_version: The API version to use for this operation. Default value is + "7.6-preview.1". Note that overriding this default value may result in unsupported behavior. + :paramtype api_version: str """ - # pylint:disable=protected-access, too-many-public-methods - - def _get_attributes( - self, - enabled: Optional[bool], - not_before: Optional[datetime], - expires_on: Optional[datetime], - exportable: Optional[bool] = None, - ) -> Optional[KeyAttributes]: - """Return a KeyAttributes object if non-None attributes are provided, or None otherwise. - - :param enabled: Whether the key is enabled. - :type enabled: bool or None - :param not_before: Not before date of the key in UTC. - :type not_before: ~datetime.datetime or None - :param expires_on: Expiry date of the key in UTC. - :type expires_on: ~datetime.datetime or None - :param exportable: Whether the private key can be exported. - :type exportable: bool or None - - :returns: An autorest-generated model of the key's attributes. - :rtype: KeyAttributes - """ - if enabled is not None or not_before is not None or expires_on is not None or exportable is not None: - return self._models.KeyAttributes( - enabled=enabled, not_before=not_before, expires=expires_on, exportable=exportable - ) - return None - - def get_cryptography_client( - self, - key_name: str, - *, - key_version: Optional[str] = None, - **kwargs, # pylint: disable=unused-argument - ) -> CryptographyClient: - """Gets a :class:`~azure.keyvault.keys.crypto.aio.CryptographyClient` for the given key. - - :param str key_name: The name of the key used to perform cryptographic operations. - - :keyword key_version: Optional version of the key used to perform cryptographic operations. - :paramtype key_version: str or None - - :returns: A :class:`~azure.keyvault.keys.crypto.aio.CryptographyClient` using the same options, credentials, and - HTTP client as this :class:`~azure.keyvault.keys.aio.KeyClient`. - :rtype: ~azure.keyvault.keys.crypto.aio.CryptographyClient - """ - key_id = _get_key_id(self._vault_url, key_name, key_version) - - # We provide a fake credential because the generated client already has the KeyClient's real credential - return CryptographyClient( - key_id, object(), generated_client=self._client, generated_models=self._models # type: ignore - ) - - @distributed_trace_async - async def create_key( - self, - name: str, - key_type: Union[str, KeyType], - *, - size: Optional[int] = None, - curve: Optional[Union[str, KeyCurveName]] = None, - public_exponent: Optional[int] = None, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Create a key or, if ``name`` is already in use, create a new version of the key. - - Requires keys/create permission. - - :param str name: The name of the new key. - :param key_type: The type of key to create - :type key_type: ~azure.keyvault.keys.KeyType or str - - :keyword size: Key size in bits. Applies only to RSA and symmetric keys. Consider using - :func:`create_rsa_key` or :func:`create_oct_key` instead. - :paramtype size: int or None - :keyword curve: Elliptic curve name. Applies only to elliptic curve keys. Defaults to the NIST P-256 - elliptic curve. To create an elliptic curve key, consider using :func:`create_ec_key` instead. - :paramtype curve: ~azure.keyvault.keys.KeyCurveName or str or None - :keyword public_exponent: The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM. - :paramtype public_exponent: int or None - :keyword key_operations: Allowed key operations - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the private key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The created key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START create_key] - :end-before: [END create_key] - :language: python - :caption: Create a key - :dedent: 8 - """ - attributes = self._get_attributes( - enabled=enabled, not_before=not_before, expires_on=expires_on, exportable=exportable - ) - - policy = release_policy - if policy is not None: - policy = self._models.KeyReleasePolicy( - encoded_policy=policy.encoded_policy, content_type=policy.content_type, immutable=policy.immutable - ) - parameters = self._models.KeyCreateParameters( - kty=key_type, - key_size=size, - key_attributes=attributes, - key_ops=key_operations, - tags=tags, - curve=curve, - public_exponent=public_exponent, - release_policy=policy, - ) - - bundle = await self._client.create_key( - vault_base_url=self.vault_url, - key_name=name, - parameters=parameters, - **kwargs, - ) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace_async - async def create_rsa_key( - self, - name: str, - *, - size: Optional[int] = None, - public_exponent: Optional[int] = None, - hardware_protected: Optional[bool] = False, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Create a new RSA key or, if ``name`` is already in use, create a new version of the key - - Requires the keys/create permission. - - :param str name: The name for the new key. - - :keyword size: Key size in bits, for example 2048, 3072, or 4096. - :paramtype size: int or None - :keyword public_exponent: The RSA public exponent to use. Applies only to RSA keys created in a Managed HSM. - :paramtype public_exponent: int or None - :keyword hardware_protected: Whether the key should be created in a hardware security module. - Defaults to ``False``. - :paramtype hardware_protected: bool or None - :keyword key_operations: Allowed key operations - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the private key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The created key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START create_rsa_key] - :end-before: [END create_rsa_key] - :language: python - :caption: Create RSA key - :dedent: 8 - """ - return await self.create_key( - name, - key_type="RSA-HSM" if hardware_protected else "RSA", - size=size, - public_exponent=public_exponent, - key_operations=key_operations, - enabled=enabled, - tags=tags, - not_before=not_before, - expires_on=expires_on, - exportable=exportable, - release_policy=release_policy, - **kwargs, - ) - - @distributed_trace_async - async def create_ec_key( - self, - name: str, - *, - curve: Optional[Union[str, KeyCurveName]] = None, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - hardware_protected: Optional[bool] = False, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Create a new elliptic curve key or, if ``name`` is already in use, create a new version of the key. - - Requires the keys/create permission. - - :param str name: The name for the new key. - - :keyword curve: Elliptic curve name. Defaults to the NIST P-256 elliptic curve. - :paramtype curve: ~azure.keyvault.keys.KeyCurveName or str or None - :keyword key_operations: Allowed key operations - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword hardware_protected: Whether the key should be created in a hardware security module. - Defaults to ``False``. - :paramtype hardware_protected: bool or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the private key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The created key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START create_ec_key] - :end-before: [END create_ec_key] - :language: python - :caption: Create an elliptic curve key - :dedent: 8 - """ - return await self.create_key( - name, - key_type="EC-HSM" if hardware_protected else "EC", - curve=curve, - key_operations=key_operations, - enabled=enabled, - tags=tags, - not_before=not_before, - expires_on=expires_on, - exportable=exportable, - release_policy=release_policy, - **kwargs, - ) - - @distributed_trace_async - async def create_oct_key( - self, - name: str, - *, - size: Optional[int] = None, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - hardware_protected: Optional[bool] = False, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Create a new octet sequence (symmetric) key or, if ``name`` is in use, create a new version of the key. - - Requires the keys/create permission. - - :param str name: The name for the new key. - - :keyword size: Key size in bits, for example 128, 192, or 256. - :paramtype size: int or None - :keyword key_operations: Allowed key operations. - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword hardware_protected: Whether the key should be created in a hardware security module. - Defaults to ``False``. - :paramtype hardware_protected: bool or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The created key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START create_oct_key] - :end-before: [END create_oct_key] - :language: python - :caption: Create an octet sequence (symmetric) key - :dedent: 8 - """ - return await self.create_key( - name, - key_type="oct-HSM" if hardware_protected else "oct", - size=size, - key_operations=key_operations, - enabled=enabled, - tags=tags, - not_before=not_before, - expires_on=expires_on, - exportable=exportable, - release_policy=release_policy, - **kwargs, - ) - - @distributed_trace_async - async def delete_key(self, name: str, **kwargs: Any) -> DeletedKey: - """Delete all versions of a key and its cryptographic material. - - Requires keys/delete permission. If the vault has soft-delete enabled, deletion may take several seconds to - complete. - - :param str name: The name of the key to delete - - :returns: The deleted key - :rtype: ~azure.keyvault.keys.DeletedKey - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START delete_key] - :end-before: [END delete_key] - :language: python - :caption: Delete a key - :dedent: 8 - """ - polling_interval = kwargs.pop("_polling_interval", None) - if polling_interval is None: - polling_interval = 2 - pipeline_response, deleted_key_bundle = await self._client.delete_key( - vault_base_url=self.vault_url, - key_name=name, - cls=lambda pipeline_response, deserialized, _: (pipeline_response, deserialized), - **kwargs, - ) - deleted_key = DeletedKey._from_deleted_key_bundle(deleted_key_bundle) - - polling_method = AsyncDeleteRecoverPollingMethod( - # no recovery ID means soft-delete is disabled, in which case we initialize the poller as finished - finished=deleted_key.recovery_id is None, - pipeline_response=pipeline_response, - command=partial(self.get_deleted_key, name=name, **kwargs), - final_resource=deleted_key, - interval=polling_interval, - ) - await polling_method.run() - - return polling_method.resource() - - @distributed_trace_async - async def get_key(self, name: str, version: Optional[str] = None, **kwargs: Any) -> KeyVaultKey: - """Get a key's attributes and, if it's an asymmetric key, its public material. - - Requires keys/get permission. - - :param str name: The name of the key to get. - :param version: (optional) A specific version of the key to get. If not specified, gets the latest version - of the key. - :type version: str or None - - :returns: The fetched key. - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START get_key] - :end-before: [END get_key] - :language: python - :caption: Get a key - :dedent: 8 - """ - if version is None: - version = "" - - bundle = await self._client.get_key(self.vault_url, name, version, **kwargs) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace_async - async def get_deleted_key(self, name: str, **kwargs: Any) -> DeletedKey: - """Get a deleted key. Possible only in a vault with soft-delete enabled. - - Requires keys/get permission. - - :param str name: The name of the key - - :returns: The deleted key - :rtype: ~azure.keyvault.keys.DeletedKey - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START get_deleted_key] - :end-before: [END get_deleted_key] - :language: python - :caption: Get a deleted key - :dedent: 8 - """ - bundle = await self._client.get_deleted_key(self.vault_url, name, **kwargs) - return DeletedKey._from_deleted_key_bundle(bundle) - - @distributed_trace - def list_deleted_keys(self, **kwargs: Any) -> AsyncItemPaged[DeletedKey]: - """List all deleted keys, including the public part of each. Possible only in a vault with soft-delete enabled. - - Requires keys/list permission. - - :returns: An iterator of deleted keys - :rtype: ~azure.core.async_paging.AsyncItemPaged[~azure.keyvault.keys.DeletedKey] - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START list_deleted_keys] - :end-before: [END list_deleted_keys] - :language: python - :caption: List all the deleted keys - :dedent: 8 - """ - return self._client.get_deleted_keys( - self.vault_url, - maxresults=kwargs.pop("max_page_size", None), - cls=lambda objs: [DeletedKey._from_deleted_key_item(x) for x in objs], - **kwargs, - ) - - @distributed_trace - def list_properties_of_keys(self, **kwargs: Any) -> AsyncItemPaged[KeyProperties]: - """List identifiers and properties of all keys in the vault. - - Requires keys/list permission. - - :returns: An iterator of keys without their cryptographic material or version information - :rtype: ~azure.core.async_paging.AsyncItemPaged[~azure.keyvault.keys.KeyProperties] - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START list_keys] - :end-before: [END list_keys] - :language: python - :caption: List all keys - :dedent: 8 - """ - return self._client.get_keys( - self.vault_url, - maxresults=kwargs.pop("max_page_size", None), - cls=lambda objs: [KeyProperties._from_key_item(x) for x in objs], - **kwargs, - ) - - @distributed_trace - def list_properties_of_key_versions(self, name: str, **kwargs: Any) -> AsyncItemPaged[KeyProperties]: - """List the identifiers and properties of a key's versions. - - Requires keys/list permission. - - :param str name: The name of the key - - :returns: An iterator of keys without their cryptographic material - :rtype: ~azure.core.async_paging.AsyncItemPaged[~azure.keyvault.keys.KeyProperties] - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START list_properties_of_key_versions] - :end-before: [END list_properties_of_key_versions] - :language: python - :caption: List all versions of a key - :dedent: 8 - """ - return self._client.get_key_versions( - self.vault_url, - name, - maxresults=kwargs.pop("max_page_size", None), - cls=lambda objs: [KeyProperties._from_key_item(x) for x in objs], - **kwargs, - ) - - @distributed_trace_async - async def purge_deleted_key(self, name: str, **kwargs: Any) -> None: - """Permanently deletes a deleted key. Only possible in a vault with soft-delete enabled. - - Performs an irreversible deletion of the specified key, without possibility for recovery. The operation is not - available if the :py:attr:`~azure.keyvault.keys.KeyProperties.recovery_level` does not specify 'Purgeable'. - This method is only necessary for purging a key before its - :py:attr:`~azure.keyvault.keys.DeletedKey.scheduled_purge_date`. - - Requires keys/purge permission. - - :param str name: The name of the deleted key to purge - - :returns: None - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. code-block:: python - - # if the vault has soft-delete enabled, purge permanently deletes a deleted key - # (with soft-delete disabled, delete_key is permanent) - await key_client.purge_deleted_key("key-name") - - """ - await self._client.purge_deleted_key(self.vault_url, name, **kwargs) - - @distributed_trace_async - async def recover_deleted_key(self, name: str, **kwargs: Any) -> KeyVaultKey: - """Recover a deleted key to its latest version. Possible only in a vault with soft-delete enabled. - - Requires keys/recover permission. If the vault does not have soft-delete enabled, :func:`delete_key` is - permanent, and this method will raise an error. Attempting to recover a non-deleted key will also raise an - error. - - :param str name: The name of the deleted key - - :returns: The recovered key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.HttpResponseError: - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START recover_deleted_key] - :end-before: [END recover_deleted_key] - :language: python - :caption: Recover a deleted key - :dedent: 8 - """ - polling_interval = kwargs.pop("_polling_interval", None) - if polling_interval is None: - polling_interval = 2 - pipeline_response, recovered_key_bundle = await self._client.recover_deleted_key( - vault_base_url=self.vault_url, - key_name=name, - cls=lambda pipeline_response, deserialized, _: (pipeline_response, deserialized), - **kwargs, - ) - recovered_key = KeyVaultKey._from_key_bundle(recovered_key_bundle) - - command = partial(self.get_key, name=name, **kwargs) - polling_method = AsyncDeleteRecoverPollingMethod( - pipeline_response=pipeline_response, - command=command, - final_resource=recovered_key, - finished=False, - interval=polling_interval - ) - await polling_method.run() - - return polling_method.resource() - - @distributed_trace_async - async def update_key_properties( - self, - name: str, - version: Optional[str] = None, - *, - key_operations: Optional[List[Union[str, KeyOperation]]] = None, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Change a key's properties (not its cryptographic material). - - Requires keys/update permission. - - :param str name: The name of key to update - :param version: (optional) The version of the key to update. If unspecified, the latest version is updated. - :type version: str or None - - :keyword key_operations: Allowed key operations - :paramtype key_operations: List[~azure.keyvault.keys.KeyOperation or str] or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None - - :returns: The updated key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START update_key] - :end-before: [END update_key] - :language: python - :caption: Update a key's attributes - :dedent: 8 - """ - attributes = self._get_attributes(enabled=enabled, not_before=not_before, expires_on=expires_on) - - policy = release_policy - if policy is not None: - policy = self._models.KeyReleasePolicy( - content_type=policy.content_type, encoded_policy=policy.encoded_policy, immutable=policy.immutable - ) - parameters = self._models.KeyUpdateParameters( - key_ops=key_operations, - key_attributes=attributes, - tags=tags, - release_policy=policy, - ) - - bundle = await self._client.update_key( - self.vault_url, - name, - key_version=version or "", - parameters=parameters, - **kwargs, - ) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace_async - async def backup_key(self, name: str, **kwargs: Any) -> bytes: - """Back up a key in a protected form useable only by Azure Key Vault. - - Requires key/backup permission. This is intended to allow copying a key from one vault to another. Both vaults - must be owned by the same Azure subscription. Also, backup / restore cannot be performed across geopolitical - boundaries. For example, a backup from a vault in a USA region cannot be restored to a vault in an EU region. - - :param str name: The name of the key to back up - - :returns: The key backup result, in a protected bytes format that can only be used by Azure Key Vault. - :rtype: bytes - - :raises ~azure.core.exceptions.ResourceNotFoundError or ~azure.core.exceptions.HttpResponseError: - the former if the key doesn't exist; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START backup_key] - :end-before: [END backup_key] - :language: python - :caption: Get a key backup - :dedent: 8 - """ - backup_result = await self._client.backup_key(self.vault_url, name, **kwargs) - return backup_result.value - - @distributed_trace_async - async def restore_key_backup(self, backup: bytes, **kwargs: Any) -> KeyVaultKey: - """Restore a key backup to the vault. - - Requires keys/restore permission. This imports all versions of the key, with its name, attributes, and access - control policies. If the key's name is already in use, restoring it will fail. Also, the target vault must be - owned by the same Microsoft Azure subscription as the source vault. - - :param bytes backup: A key backup as returned by :func:`backup_key` - - :returns: The restored key - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.ResourceExistsError or ~azure.core.exceptions.HttpResponseError: - the former if the backed up key's name is already in use; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_samples_keys_async.py - :start-after: [START restore_key_backup] - :end-before: [END restore_key_backup] - :language: python - :caption: Restore a key backup - :dedent: 8 - """ - bundle = await self._client.restore_key( - self.vault_url, - parameters=self._models.KeyRestoreParameters(key_bundle_backup=backup), - **kwargs, - ) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace_async - async def import_key( - self, - name: str, - key: JsonWebKey, - *, - hardware_protected: Optional[bool] = None, - enabled: Optional[bool] = None, - tags: Optional[Dict[str, str]] = None, - not_before: Optional[datetime] = None, - expires_on: Optional[datetime] = None, - exportable: Optional[bool] = None, - release_policy: Optional[KeyReleasePolicy] = None, - **kwargs: Any, - ) -> KeyVaultKey: - """Import a key created externally. + def __init__(self, vault_base_url: str, credential: "AsyncTokenCredential", **kwargs: Any) -> None: + _endpoint = "{vaultBaseUrl}" + self._config = KeyVaultClientConfiguration(vault_base_url=vault_base_url, credential=credential, **kwargs) + _policies = kwargs.pop("policies", None) + if _policies is None: + _policies = [ + policies.RequestIdPolicy(**kwargs), + self._config.headers_policy, + self._config.user_agent_policy, + self._config.proxy_policy, + policies.ContentDecodePolicy(**kwargs), + self._config.redirect_policy, + self._config.retry_policy, + self._config.authentication_policy, + self._config.custom_hook_policy, + self._config.logging_policy, + policies.DistributedTracingPolicy(**kwargs), + policies.SensitiveHeaderCleanupPolicy(**kwargs) if self._config.redirect_policy else None, + self._config.http_logging_policy, + ] + self._client: AsyncPipelineClient = AsyncPipelineClient(base_url=_endpoint, policies=_policies, **kwargs) - Requires keys/import permission. If ``name`` is already in use, the key will be imported as a new version. + self._serialize = Serializer() + self._deserialize = Deserializer() + self._serialize.client_side_validation = False - :param str name: Name for the imported key - :param key: The JSON web key to import - :type key: ~azure.keyvault.keys.JsonWebKey + def send_request( + self, request: HttpRequest, *, stream: bool = False, **kwargs: Any + ) -> Awaitable[AsyncHttpResponse]: + """Runs the network request through the client's chained policies. - :keyword hardware_protected: Whether the key should be backed by a hardware security module - :paramtype hardware_protected: bool or None - :keyword enabled: Whether the key is enabled for use. - :paramtype enabled: bool or None - :keyword tags: Application specific metadata in the form of key-value pairs. - :paramtype tags: dict[str, str] or None - :keyword not_before: Not before date of the key in UTC - :paramtype not_before: ~datetime.datetime or None - :keyword expires_on: Expiry date of the key in UTC - :paramtype expires_on: ~datetime.datetime or None - :keyword exportable: Whether the private key can be exported. - :paramtype exportable: bool or None - :keyword release_policy: The policy rules under which the key can be exported. - :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None + >>> from azure.core.rest import HttpRequest + >>> request = HttpRequest("GET", "https://www.example.org/") + + >>> response = await client.send_request(request) + - :returns: The imported key - :rtype: ~azure.keyvault.keys.KeyVaultKey + For more information on this code flow, see https://aka.ms/azsdk/dpcodegen/python/send_request - :raises ~azure.core.exceptions.HttpResponseError: + :param request: The network request you want to make. Required. + :type request: ~azure.core.rest.HttpRequest + :keyword bool stream: Whether the response payload will be streamed. Defaults to False. + :return: The response of your network call. Does not do error handling on your response. + :rtype: ~azure.core.rest.AsyncHttpResponse """ - attributes = self._get_attributes( - enabled=enabled, not_before=not_before, expires_on=expires_on, exportable=exportable - ) - - policy = release_policy - if policy is not None: - policy = self._models.KeyReleasePolicy( - content_type=policy.content_type, encoded_policy=policy.encoded_policy, immutable=policy.immutable - ) - parameters = self._models.KeyImportParameters( - key=key._to_generated_model(), - key_attributes=attributes, - hsm=hardware_protected, - tags=tags, - release_policy=policy, - ) - - bundle = await self._client.import_key( - self.vault_url, name, parameters=parameters, **kwargs - ) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace_async - async def release_key( - self, - name: str, - target_attestation_token: str, - *, - version: Optional[str] = None, - algorithm: Optional[Union[str, KeyExportEncryptionAlgorithm]] = None, - nonce: Optional[str] = None, - **kwargs: Any, - ) -> ReleaseKeyResult: - """Releases a key. - The release key operation is applicable to all key types. The target key must be marked - exportable. This operation requires the keys/release permission. - - :param str name: The name of the key to get. - :param str target_attestation_token: The attestation assertion for the target of the key release. - - :keyword version: A specific version of the key to release. If unspecified, the latest version is released. - :paramtype version: str or None - :keyword algorithm: The encryption algorithm to use to protect the released key material. - :paramtype algorithm: str or ~azure.keyvault.keys.KeyExportEncryptionAlgorithm or None - :keyword nonce: A client-provided nonce for freshness. - :paramtype nonce: str or None - - :return: The result of the key release. - :rtype: ~azure.keyvault.keys.ReleaseKeyResult - - :raises ~azure.core.exceptions.HttpResponseError: - """ - result = await self._client.release( - vault_base_url=self._vault_url, - key_name=name, - key_version=version or "", - parameters=self._models.KeyReleaseParameters( - target_attestation_token=target_attestation_token, - nonce=nonce, - enc=algorithm, + request_copy = deepcopy(request) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True ), - **kwargs, - ) - return ReleaseKeyResult(result.value) + } - @distributed_trace_async - async def get_random_bytes(self, count: int, **kwargs: Any) -> bytes: - """Get the requested number of random bytes from a managed HSM. - - :param int count: The requested number of random bytes. - - :return: The random bytes. - :rtype: bytes - - :raises ValueError or ~azure.core.exceptions.HttpResponseError: - the former if less than one random byte is requested; the latter for other errors - - Example: - .. literalinclude:: ../tests/test_keys_async.py - :start-after: [START get_random_bytes] - :end-before: [END get_random_bytes] - :language: python - :caption: Get random bytes - :dedent: 12 - """ - if count < 1: - raise ValueError("At least one random byte must be requested") - parameters = self._models.GetRandomBytesRequest(count=count) - result = await self._client.get_random_bytes(vault_base_url=self._vault_url, parameters=parameters, **kwargs) - return result.value + request_copy.url = self._client.format_url(request_copy.url, **path_format_arguments) + return self._client.send_request(request_copy, stream=stream, **kwargs) # type: ignore - @distributed_trace_async - async def get_key_rotation_policy(self, key_name: str, **kwargs: Any) -> KeyRotationPolicy: - """Get the rotation policy of a Key Vault key. + async def close(self) -> None: + await self._client.close() - :param str key_name: The name of the key. - - :return: The key rotation policy. - :rtype: ~azure.keyvault.keys.KeyRotationPolicy - - :raises ~azure.core.exceptions.HttpResponseError: - """ - policy = await self._client.get_key_rotation_policy(vault_base_url=self._vault_url, key_name=key_name, **kwargs) - return KeyRotationPolicy._from_generated(policy) - - @distributed_trace_async - async def rotate_key(self, name: str, **kwargs: Any) -> KeyVaultKey: - """Rotate the key based on the key policy by generating a new version of the key. - - This operation requires the keys/rotate permission. - - :param str name: The name of the key to rotate. - - :return: The new version of the rotated key. - :rtype: ~azure.keyvault.keys.KeyVaultKey - - :raises ~azure.core.exceptions.HttpResponseError: - """ - bundle = await self._client.rotate_key(vault_base_url=self._vault_url, key_name=name, **kwargs) - return KeyVaultKey._from_key_bundle(bundle) - - @distributed_trace_async - async def update_key_rotation_policy( - self, - key_name: str, - policy: KeyRotationPolicy, - *, - lifetime_actions: Optional[List[KeyRotationLifetimeAction]] = None, - expires_in: Optional[str] = None, - **kwargs: Any, - ) -> KeyRotationPolicy: - """Updates the rotation policy of a Key Vault key. - - This operation requires the keys/update permission. - - :param str key_name: The name of the key in the given vault. - :param policy: The new rotation policy for the key. - :type policy: ~azure.keyvault.keys.KeyRotationPolicy - - :keyword lifetime_actions: Actions that will be performed by Key Vault over the lifetime of a key. This will - override the lifetime actions of the provided ``policy``. - :paramtype lifetime_actions: List[~azure.keyvault.keys.KeyRotationLifetimeAction] - :keyword str expires_in: The expiry time of the policy that will be applied on new key versions, defined as an - ISO 8601 duration. For example: 90 days is "P90D", 3 months is "P3M", and 48 hours is "PT48H". See - `Wikipedia `_ for more information on ISO 8601 durations. - This will override the expiry time of the provided ``policy``. - - :return: The updated rotation policy. - :rtype: ~azure.keyvault.keys.KeyRotationPolicy - - :raises ~azure.core.exceptions.HttpResponseError: - """ - actions = lifetime_actions or policy.lifetime_actions - if actions: - actions = [ - self._models.LifetimeActions( - action=self._models.LifetimeActionsType(type=action.action), - trigger=self._models.LifetimeActionsTrigger( - time_after_create=action.time_after_create, time_before_expiry=action.time_before_expiry - ), - ) - for action in actions - ] - - attributes = self._models.KeyRotationPolicyAttributes(expiry_time=expires_in or policy.expires_in) - new_policy = self._models.KeyRotationPolicy(lifetime_actions=actions or [], attributes=attributes) - result = await self._client.update_key_rotation_policy( - vault_base_url=self._vault_url, key_name=key_name, key_rotation_policy=new_policy, **kwargs - ) - return KeyRotationPolicy._from_generated(result) - - async def __aenter__(self) -> "KeyClient": + async def __aenter__(self) -> Self: await self._client.__aenter__() return self + + async def __aexit__(self, *exc_details: Any) -> None: + await self._client.__aexit__(*exc_details) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_configuration.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_configuration.py similarity index 54% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_configuration.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_configuration.py index 8dd6125e8e1d..903c92e8bc9d 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_configuration.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_configuration.py @@ -2,15 +2,18 @@ # -------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. +# Code generated by Microsoft (R) Python Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- -from typing import Any +from typing import Any, TYPE_CHECKING from azure.core.pipeline import policies -VERSION = "unknown" +from .._version import VERSION + +if TYPE_CHECKING: + from azure.core.credentials_async import AsyncTokenCredential class KeyVaultClientConfiguration: # pylint: disable=too-many-instance-attributes @@ -19,16 +22,28 @@ class KeyVaultClientConfiguration: # pylint: disable=too-many-instance-attribut Note that all parameters used to create this instance are saved as instance attributes. - :keyword api_version: Api Version. Default value is "7.5". Note that overriding this default - value may result in unsupported behavior. + :param vault_base_url: Required. + :type vault_base_url: str + :param credential: Credential used to authenticate requests to the service. Required. + :type credential: ~azure.core.credentials_async.AsyncTokenCredential + :keyword api_version: The API version to use for this operation. Default value is + "7.6-preview.1". Note that overriding this default value may result in unsupported behavior. :paramtype api_version: str """ - def __init__(self, **kwargs: Any) -> None: - api_version: str = kwargs.pop("api_version", "7.5") + def __init__(self, vault_base_url: str, credential: "AsyncTokenCredential", **kwargs: Any) -> None: + api_version: str = kwargs.pop("api_version", "7.6-preview.1") + + if vault_base_url is None: + raise ValueError("Parameter 'vault_base_url' must not be None.") + if credential is None: + raise ValueError("Parameter 'credential' must not be None.") + self.vault_base_url = vault_base_url + self.credential = credential self.api_version = api_version - kwargs.setdefault("sdk_moniker", "keyvault/{}".format(VERSION)) + self.credential_scopes = kwargs.pop("credential_scopes", ["https://vault.azure.net/.default"]) + kwargs.setdefault("sdk_moniker", "keyvault-keys/{}".format(VERSION)) self.polling_interval = kwargs.get("polling_interval", 30) self._configure(**kwargs) @@ -42,3 +57,7 @@ def _configure(self, **kwargs: Any) -> None: self.redirect_policy = kwargs.get("redirect_policy") or policies.AsyncRedirectPolicy(**kwargs) self.retry_policy = kwargs.get("retry_policy") or policies.AsyncRetryPolicy(**kwargs) self.authentication_policy = kwargs.get("authentication_policy") + if self.credential and not self.authentication_policy: + self.authentication_policy = policies.AsyncBearerTokenCredentialPolicy( + self.credential, *self.credential_scopes, **kwargs + ) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_operations/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_operations/__init__.py similarity index 58% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_operations/__init__.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_operations/__init__.py index 29ea96fccbfe..d514f5e4b5be 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_operations/__init__.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_operations/__init__.py @@ -2,18 +2,24 @@ # -------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. +# Code generated by Microsoft (R) Python Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- +# pylint: disable=wrong-import-position -from ._operations import KeyVaultClientOperationsMixin +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from ._patch import * # pylint: disable=unused-wildcard-import + +from ._operations import KeyVaultClientOperationsMixin # type: ignore from ._patch import __all__ as _patch_all -from ._patch import * # pylint: disable=unused-wildcard-import +from ._patch import * from ._patch import patch_sdk as _patch_sdk __all__ = [ "KeyVaultClientOperationsMixin", ] -__all__.extend([p for p in _patch_all if p not in __all__]) +__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore _patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_operations/_operations.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_operations/_operations.py similarity index 66% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_operations/_operations.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_operations/_operations.py index f3862fe3311b..89e61b9d8725 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_operations/_operations.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_operations/_operations.py @@ -1,13 +1,15 @@ -# pylint: disable=too-many-lines,too-many-statements +# pylint: disable=too-many-lines # coding=utf-8 # -------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. +# Code generated by Microsoft (R) Python Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- from io import IOBase -from typing import Any, AsyncIterable, Callable, Dict, IO, Optional, TypeVar, Union, overload +import json +import sys +from typing import Any, AsyncIterable, Callable, Dict, IO, List, Optional, TypeVar, Union, overload import urllib.parse from azure.core.async_paging import AsyncItemPaged, AsyncList @@ -17,6 +19,8 @@ ResourceExistsError, ResourceNotFoundError, ResourceNotModifiedError, + StreamClosedError, + StreamConsumedError, map_error, ) from azure.core.pipeline import PipelineResponse @@ -26,6 +30,7 @@ from azure.core.utils import case_insensitive_dict from ... import models as _models +from ..._model_base import SdkJSONEncoder, _deserialize, _failsafe_deserialize from ..._operations._operations import ( build_key_vault_backup_key_request, build_key_vault_create_key_request, @@ -54,15 +59,20 @@ ) from .._vendor import KeyVaultClientMixinABC +if sys.version_info >= (3, 9): + from collections.abc import MutableMapping +else: + from typing import MutableMapping # type: ignore +JSON = MutableMapping[str, Any] # pylint: disable=unsubscriptable-object T = TypeVar("T") ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] class KeyVaultClientOperationsMixin(KeyVaultClientMixinABC): # pylint: disable=too-many-public-methods + @overload async def create_key( self, - vault_base_url: str, key_name: str, parameters: _models.KeyCreateParameters, *, @@ -75,32 +85,49 @@ async def create_key( key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name for the new key. The system will generate the version name for the new key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. :type key_name: str :param parameters: The parameters to create a key. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyCreateParameters + :type parameters: ~azure.keyvault.keys.models.KeyCreateParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def create_key( - self, - vault_base_url: str, - key_name: str, - parameters: IO[bytes], - *, - content_type: str = "application/json", - **kwargs: Any + self, key_name: str, parameters: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.KeyBundle: + """Creates a new key, stores it, then returns key parameters and attributes to the client. + + The create key operation can be used to create any key type in Azure Key Vault. If the named + key already exists, Azure Key Vault creates a new version of the key. It requires the + keys/create permission. + + :param key_name: The name for the new key. The system will generate the version name for the + new key. The value you provide may be copied globally for the purpose of running the service. + The value provided should not include personally identifiable or sensitive information. + Required. + :type key_name: str + :param parameters: The parameters to create a key. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def create_key( + self, key_name: str, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyBundle: """Creates a new key, stores it, then returns key parameters and attributes to the client. @@ -108,8 +135,6 @@ async def create_key( key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name for the new key. The system will generate the version name for the new key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. @@ -120,18 +145,14 @@ async def create_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def create_key( - self, - vault_base_url: str, - key_name: str, - parameters: Union[_models.KeyCreateParameters, IO[bytes]], - **kwargs: Any + self, key_name: str, parameters: Union[_models.KeyCreateParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyBundle: """Creates a new key, stores it, then returns key parameters and attributes to the client. @@ -139,24 +160,19 @@ async def create_key( key already exists, Azure Key Vault creates a new version of the key. It requires the keys/create permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name for the new key. The system will generate the version name for the new key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. :type key_name: str - :param parameters: The parameters to create a key. Is either a KeyCreateParameters type or a - IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyCreateParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :param parameters: The parameters to create a key. Is one of the following types: + KeyCreateParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyCreateParameters or JSON or IO[bytes] + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -171,28 +187,28 @@ async def create_key( cls: ClsType[_models.KeyBundle] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyCreateParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_create_key_request( key_name=key_name, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -201,12 +217,18 @@ async def create_key( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -214,23 +236,21 @@ async def create_key( return deserialized # type: ignore @distributed_trace_async - async def rotate_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.KeyBundle: + async def rotate_key(self, key_name: str, **kwargs: Any) -> _models.KeyBundle: """Creates a new key version, stores it, then returns key parameters, attributes and policy to the client. The operation will rotate the key based on the key policy. It requires the keys/rotate permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of key to be rotated. The system will generate a new version in the specified key. Required. :type key_name: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -250,11 +270,13 @@ async def rotate_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -263,12 +285,18 @@ async def rotate_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -278,7 +306,6 @@ async def rotate_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> @overload async def import_key( self, - vault_base_url: str, key_name: str, parameters: _models.KeyImportParameters, *, @@ -292,31 +319,48 @@ async def import_key( named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: Name for the imported key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. :type key_name: str :param parameters: The parameters to import a key. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyImportParameters + :type parameters: ~azure.keyvault.keys.models.KeyImportParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def import_key( - self, - vault_base_url: str, - key_name: str, - parameters: IO[bytes], - *, - content_type: str = "application/json", - **kwargs: Any + self, key_name: str, parameters: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.KeyBundle: + """Imports an externally created key, stores it, and returns key parameters and attributes to the + client. + + The import key operation may be used to import any key type into an Azure Key Vault. If the + named key already exists, Azure Key Vault creates a new version of the key. This operation + requires the keys/import permission. + + :param key_name: Name for the imported key. The value you provide may be copied globally for + the purpose of running the service. The value provided should not include personally + identifiable or sensitive information. Required. + :type key_name: str + :param parameters: The parameters to import a key. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def import_key( + self, key_name: str, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyBundle: """Imports an externally created key, stores it, and returns key parameters and attributes to the client. @@ -325,8 +369,6 @@ async def import_key( named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: Name for the imported key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. @@ -336,18 +378,14 @@ async def import_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def import_key( - self, - vault_base_url: str, - key_name: str, - parameters: Union[_models.KeyImportParameters, IO[bytes]], - **kwargs: Any + self, key_name: str, parameters: Union[_models.KeyImportParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyBundle: """Imports an externally created key, stores it, and returns key parameters and attributes to the client. @@ -356,23 +394,18 @@ async def import_key( named key already exists, Azure Key Vault creates a new version of the key. This operation requires the keys/import permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: Name for the imported key. The value you provide may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information. Required. :type key_name: str - :param parameters: The parameters to import a key. Is either a KeyImportParameters type or a - IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyImportParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :param parameters: The parameters to import a key. Is one of the following types: + KeyImportParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyImportParameters or JSON or IO[bytes] + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -387,28 +420,28 @@ async def import_key( cls: ClsType[_models.KeyBundle] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyImportParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_import_key_request( key_name=key_name, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -417,12 +450,18 @@ async def import_key( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -430,7 +469,7 @@ async def import_key( return deserialized # type: ignore @distributed_trace_async - async def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.DeletedKeyBundle: + async def delete_key(self, key_name: str, **kwargs: Any) -> _models.DeletedKeyBundle: """Deletes a key of any type from storage in Azure Key Vault. The delete key operation cannot be used to remove individual versions of a key. This operation @@ -438,15 +477,13 @@ async def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations. This operation requires the keys/delete permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to delete. Required. :type key_name: str - :return: DeletedKeyBundle - :rtype: ~azure.keyvault.v7_5.models.DeletedKeyBundle + :return: DeletedKeyBundle. The DeletedKeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.DeletedKeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -466,11 +503,13 @@ async def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -479,12 +518,18 @@ async def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("DeletedKeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.DeletedKeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -494,7 +539,6 @@ async def delete_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> @overload async def update_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyUpdateParameters, @@ -509,26 +553,54 @@ async def update_key( cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of key to update. Required. :type key_name: str :param key_version: The version of the key to update. Required. :type key_version: str :param parameters: The parameters of the key to update. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyUpdateParameters + :type parameters: ~azure.keyvault.keys.models.KeyUpdateParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def update_key( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyBundle: + """The update key operation changes specified attributes of a stored key and can be applied to any + key type and key version stored in Azure Key Vault. + + In order to perform this operation, the key must already exist in the Key Vault. Note: The + cryptographic material of a key itself cannot be changed. This operation requires the + keys/update permission. + + :param key_name: The name of key to update. Required. + :type key_name: str + :param key_version: The version of the key to update. Required. + :type key_version: str + :param parameters: The parameters of the key to update. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def update_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -543,8 +615,6 @@ async def update_key( cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of key to update. Required. :type key_name: str :param key_version: The version of the key to update. Required. @@ -554,18 +624,17 @@ async def update_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def update_key( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyUpdateParameters, IO[bytes]], + parameters: Union[_models.KeyUpdateParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyBundle: """The update key operation changes specified attributes of a stored key and can be applied to any @@ -575,23 +644,18 @@ async def update_key( cryptographic material of a key itself cannot be changed. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of key to update. Required. :type key_name: str :param key_version: The version of the key to update. Required. :type key_version: str - :param parameters: The parameters of the key to update. Is either a KeyUpdateParameters type or - a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyUpdateParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :param parameters: The parameters of the key to update. Is one of the following types: + KeyUpdateParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyUpdateParameters or JSON or IO[bytes] + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -606,29 +670,29 @@ async def update_key( cls: ClsType[_models.KeyBundle] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyUpdateParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_update_key_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -637,12 +701,18 @@ async def update_key( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -650,25 +720,23 @@ async def update_key( return deserialized # type: ignore @distributed_trace_async - async def get_key(self, vault_base_url: str, key_name: str, key_version: str, **kwargs: Any) -> _models.KeyBundle: + async def get_key(self, key_name: str, key_version: str, **kwargs: Any) -> _models.KeyBundle: """Gets the public part of a stored key. The get key operation is applicable to all key types. If the requested key is symmetric, then no key material is released in the response. This operation requires the keys/get permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to get. Required. :type key_name: str :param key_version: Adding the version parameter retrieves a specific version of a key. This URI fragment is optional. If not specified, the latest version of the key is returned. Required. :type key_version: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -689,11 +757,13 @@ async def get_key(self, vault_base_url: str, key_name: str, key_version: str, ** params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -702,12 +772,18 @@ async def get_key(self, vault_base_url: str, key_name: str, key_version: str, ** if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -716,30 +792,28 @@ async def get_key(self, vault_base_url: str, key_name: str, key_version: str, ** @distributed_trace def get_key_versions( - self, vault_base_url: str, key_name: str, *, maxresults: Optional[int] = None, **kwargs: Any + self, key_name: str, *, maxresults: Optional[int] = None, **kwargs: Any ) -> AsyncIterable["_models.KeyItem"]: """Retrieves a list of individual key versions with the same key name. The full key identifier, attributes, and tags are provided in the response. This operation requires the keys/list permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :keyword maxresults: Maximum number of results to return in a page. If not specified the service will return up to 25 results. Default value is None. :paramtype maxresults: int :return: An iterator like instance of KeyItem - :rtype: ~azure.core.async_paging.AsyncItemPaged[~azure.keyvault.v7_5.models.KeyItem] + :rtype: ~azure.core.async_paging.AsyncItemPaged[~azure.keyvault.keys.models.KeyItem] :raises ~azure.core.exceptions.HttpResponseError: """ _headers = kwargs.pop("headers", {}) or {} _params = kwargs.pop("params", {}) or {} - cls: ClsType[_models._models.KeyListResult] = kwargs.pop("cls", None) # pylint: disable=protected-access + cls: ClsType[List[_models.KeyItem]] = kwargs.pop("cls", None) - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -758,7 +832,9 @@ def prepare_request(next_link=None): params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) @@ -776,20 +852,20 @@ def prepare_request(next_link=None): "GET", urllib.parse.urljoin(next_link, _parsed_next_link.path), params=_next_request_params ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) return _request async def extract_data(pipeline_response): - deserialized = self._deserialize( - _models._models.KeyListResult, pipeline_response # pylint: disable=protected-access - ) - list_of_elem = deserialized.value + deserialized = pipeline_response.http_response.json() + list_of_elem = _deserialize(List[_models.KeyItem], deserialized["value"]) if cls: list_of_elem = cls(list_of_elem) # type: ignore - return deserialized.next_link or None, AsyncList(list_of_elem) + return deserialized.get("nextLink") or None, AsyncList(list_of_elem) async def get_next(next_link=None): _request = prepare_request(next_link) @@ -801,10 +877,8 @@ async def get_next(next_link=None): response = pipeline_response.http_response if response.status_code not in [200]: - if _stream: - await response.read() # Load the body in memory and close the socket map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) return pipeline_response @@ -812,9 +886,7 @@ async def get_next(next_link=None): return AsyncItemPaged(get_next, extract_data) @distributed_trace - def get_keys( - self, vault_base_url: str, *, maxresults: Optional[int] = None, **kwargs: Any - ) -> AsyncIterable["_models.KeyItem"]: + def get_keys(self, *, maxresults: Optional[int] = None, **kwargs: Any) -> AsyncIterable["_models.KeyItem"]: """List keys in the specified vault. Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the @@ -822,21 +894,19 @@ def get_keys( the base key identifier, attributes, and tags are provided in the response. Individual versions of a key are not listed in the response. This operation requires the keys/list permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :keyword maxresults: Maximum number of results to return in a page. If not specified the service will return up to 25 results. Default value is None. :paramtype maxresults: int :return: An iterator like instance of KeyItem - :rtype: ~azure.core.async_paging.AsyncItemPaged[~azure.keyvault.v7_5.models.KeyItem] + :rtype: ~azure.core.async_paging.AsyncItemPaged[~azure.keyvault.keys.models.KeyItem] :raises ~azure.core.exceptions.HttpResponseError: """ _headers = kwargs.pop("headers", {}) or {} _params = kwargs.pop("params", {}) or {} - cls: ClsType[_models._models.KeyListResult] = kwargs.pop("cls", None) # pylint: disable=protected-access + cls: ClsType[List[_models.KeyItem]] = kwargs.pop("cls", None) - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -854,7 +924,9 @@ def prepare_request(next_link=None): params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) @@ -872,20 +944,20 @@ def prepare_request(next_link=None): "GET", urllib.parse.urljoin(next_link, _parsed_next_link.path), params=_next_request_params ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) return _request async def extract_data(pipeline_response): - deserialized = self._deserialize( - _models._models.KeyListResult, pipeline_response # pylint: disable=protected-access - ) - list_of_elem = deserialized.value + deserialized = pipeline_response.http_response.json() + list_of_elem = _deserialize(List[_models.KeyItem], deserialized["value"]) if cls: list_of_elem = cls(list_of_elem) # type: ignore - return deserialized.next_link or None, AsyncList(list_of_elem) + return deserialized.get("nextLink") or None, AsyncList(list_of_elem) async def get_next(next_link=None): _request = prepare_request(next_link) @@ -897,10 +969,8 @@ async def get_next(next_link=None): response = pipeline_response.http_response if response.status_code not in [200]: - if _stream: - await response.read() # Load the body in memory and close the socket map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) return pipeline_response @@ -908,7 +978,7 @@ async def get_next(next_link=None): return AsyncItemPaged(get_next, extract_data) @distributed_trace_async - async def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.BackupKeyResult: + async def backup_key(self, key_name: str, **kwargs: Any) -> _models.BackupKeyResult: """Requests that a backup of the specified key be downloaded to the client. The Key Backup operation exports a key from Azure Key Vault in a protected form. Note that this @@ -923,15 +993,13 @@ async def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> cannot be restored in an EU geographical area. This operation requires the key/backup permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str - :return: BackupKeyResult - :rtype: ~azure.keyvault.v7_5.models.BackupKeyResult + :return: BackupKeyResult. The BackupKeyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.BackupKeyResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -951,11 +1019,13 @@ async def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -964,12 +1034,18 @@ async def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("BackupKeyResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.BackupKeyResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -978,12 +1054,7 @@ async def backup_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> @overload async def restore_key( - self, - vault_base_url: str, - parameters: _models.KeyRestoreParameters, - *, - content_type: str = "application/json", - **kwargs: Any + self, parameters: _models.KeyRestoreParameters, *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyBundle: """Restores a backed up key to a vault. @@ -998,21 +1069,46 @@ async def restore_key( same Microsoft Azure Subscription as the source Key Vault The user must have RESTORE permission in the target Key Vault. This operation requires the keys/restore permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param parameters: The parameters to restore the key. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyRestoreParameters + :type parameters: ~azure.keyvault.keys.models.KeyRestoreParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def restore_key( - self, vault_base_url: str, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any + self, parameters: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.KeyBundle: + """Restores a backed up key to a vault. + + Imports a previously backed up key into Azure Key Vault, restoring the key, its key identifier, + attributes and access control policies. The RESTORE operation may be used to import a + previously backed up key. Individual versions of a key cannot be restored. The key is restored + in its entirety with the same key name as it had when it was backed up. If the key name is not + available in the target Key Vault, the RESTORE operation will be rejected. While the key name + is retained during restore, the final key identifier will change if the key is restored to a + different vault. Restore will restore all versions and preserve version identifiers. The + RESTORE operation is subject to security constraints: The target Key Vault must be owned by the + same Microsoft Azure Subscription as the source Key Vault The user must have RESTORE permission + in the target Key Vault. This operation requires the keys/restore permission. + + :param parameters: The parameters to restore the key. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def restore_key( + self, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyBundle: """Restores a backed up key to a vault. @@ -1027,21 +1123,19 @@ async def restore_key( same Microsoft Azure Subscription as the source Key Vault The user must have RESTORE permission in the target Key Vault. This operation requires the keys/restore permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param parameters: The parameters to restore the key. Required. :type parameters: IO[bytes] :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def restore_key( - self, vault_base_url: str, parameters: Union[_models.KeyRestoreParameters, IO[bytes]], **kwargs: Any + self, parameters: Union[_models.KeyRestoreParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyBundle: """Restores a backed up key to a vault. @@ -1056,19 +1150,14 @@ async def restore_key( same Microsoft Azure Subscription as the source Key Vault The user must have RESTORE permission in the target Key Vault. This operation requires the keys/restore permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str - :param parameters: The parameters to restore the key. Is either a KeyRestoreParameters type or - a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyRestoreParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :param parameters: The parameters to restore the key. Is one of the following types: + KeyRestoreParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyRestoreParameters or JSON or IO[bytes] + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1083,27 +1172,27 @@ async def restore_key( cls: ClsType[_models.KeyBundle] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyRestoreParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_restore_key_request( content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1112,12 +1201,18 @@ async def restore_key( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1127,7 +1222,6 @@ async def restore_key( @overload async def encrypt( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyOperationsParameters, @@ -1146,26 +1240,58 @@ async def encrypt( key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for the encryption operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def encrypt( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault. + + The ENCRYPT operation encrypts an arbitrary sequence of bytes using an encryption key that is + stored in Azure Key Vault. Note that the ENCRYPT operation only supports a single block of + data, the size of which is dependent on the target key and the encryption algorithm to be used. + The ENCRYPT operation is only strictly necessary for symmetric keys stored in Azure Key Vault + since protection with an asymmetric key can be performed using public portion of the key. This + operation is supported for asymmetric keys as a convenience for callers that have a + key-reference but do not have access to the public key material. This operation requires the + keys/encrypt permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for the encryption operation. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def encrypt( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -1184,8 +1310,6 @@ async def encrypt( key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -1195,18 +1319,17 @@ async def encrypt( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def encrypt( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyOperationsParameters, IO[bytes]], + parameters: Union[_models.KeyOperationsParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a key vault. @@ -1220,23 +1343,18 @@ async def encrypt( key-reference but do not have access to the public key material. This operation requires the keys/encrypt permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for the encryption operation. Is either a - KeyOperationsParameters type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for the encryption operation. Is one of the following types: + KeyOperationsParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1251,29 +1369,29 @@ async def encrypt( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyOperationsParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_encrypt_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1282,12 +1400,18 @@ async def encrypt( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1297,7 +1421,6 @@ async def encrypt( @overload async def decrypt( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyOperationsParameters, @@ -1314,29 +1437,62 @@ async def decrypt( stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption without first ensuring the integrity of the ciphertext using an HMAC, for example. See - https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more + https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more + information. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for the decryption operation. Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def decrypt( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Decrypts a single block of encrypted data. + + The DECRYPT operation decrypts a well-formed block of ciphertext using the target encryption + key and specified algorithm. This operation is the reverse of the ENCRYPT operation; only a + single block of data may be decrypted, the size of this block is dependent on the target key + and the algorithm to be used. The DECRYPT operation applies to asymmetric and symmetric keys + stored in Azure Key Vault since it uses the private portion of the key. This operation requires + the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption + without first ensuring the integrity of the ciphertext using an HMAC, for example. See + https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for the decryption operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters + :type parameters: JSON :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def decrypt( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -1353,11 +1509,9 @@ async def decrypt( stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption without first ensuring the integrity of the ciphertext using an HMAC, for example. See - https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more + https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -1367,18 +1521,17 @@ async def decrypt( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def decrypt( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyOperationsParameters, IO[bytes]], + parameters: Union[_models.KeyOperationsParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Decrypts a single block of encrypted data. @@ -1390,26 +1543,21 @@ async def decrypt( stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/decrypt permission. Microsoft recommends not to use CBC algorithms for decryption without first ensuring the integrity of the ciphertext using an HMAC, for example. See - https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more + https://docs.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for the decryption operation. Is either a - KeyOperationsParameters type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for the decryption operation. Is one of the following types: + KeyOperationsParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1424,29 +1572,29 @@ async def decrypt( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyOperationsParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_decrypt_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1455,12 +1603,18 @@ async def decrypt( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1470,7 +1624,6 @@ async def decrypt( @overload async def sign( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeySignParameters, @@ -1484,26 +1637,53 @@ async def sign( since this operation uses the private portion of the key. This operation requires the keys/sign permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for the signing operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeySignParameters + :type parameters: ~azure.keyvault.keys.models.KeySignParameters + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def sign( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Creates a signature from a digest using the specified key. + + The SIGN operation is applicable to asymmetric and symmetric keys stored in Azure Key Vault + since this operation uses the private portion of the key. This operation requires the keys/sign + permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for the signing operation. Required. + :type parameters: JSON :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def sign( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -1517,8 +1697,6 @@ async def sign( since this operation uses the private portion of the key. This operation requires the keys/sign permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -1528,18 +1706,17 @@ async def sign( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def sign( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeySignParameters, IO[bytes]], + parameters: Union[_models.KeySignParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Creates a signature from a digest using the specified key. @@ -1548,23 +1725,18 @@ async def sign( since this operation uses the private portion of the key. This operation requires the keys/sign permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for the signing operation. Is either a KeySignParameters type - or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeySignParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for the signing operation. Is one of the following types: + KeySignParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeySignParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1579,29 +1751,29 @@ async def sign( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeySignParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_sign_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1610,12 +1782,18 @@ async def sign( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1625,7 +1803,6 @@ async def sign( @overload async def verify( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyVerifyParameters, @@ -1641,26 +1818,55 @@ async def verify( convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for verify operations. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyVerifyParameters + :type parameters: ~azure.keyvault.keys.models.KeyVerifyParameters + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyVerifyResult. The KeyVerifyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyVerifyResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def verify( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyVerifyResult: + """Verifies a signature using a specified key. + + The VERIFY operation is applicable to symmetric keys stored in Azure Key Vault. VERIFY is not + strictly necessary for asymmetric keys stored in Azure Key Vault since signature verification + can be performed using the public portion of the key but this operation is supported as a + convenience for callers that only have a key-reference and not the public portion of the key. + This operation requires the keys/verify permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for verify operations. Required. + :type parameters: JSON :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyVerifyResult - :rtype: ~azure.keyvault.v7_5.models.KeyVerifyResult + :return: KeyVerifyResult. The KeyVerifyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyVerifyResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def verify( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -1676,8 +1882,6 @@ async def verify( convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -1687,18 +1891,17 @@ async def verify( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyVerifyResult - :rtype: ~azure.keyvault.v7_5.models.KeyVerifyResult + :return: KeyVerifyResult. The KeyVerifyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyVerifyResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def verify( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyVerifyParameters, IO[bytes]], + parameters: Union[_models.KeyVerifyParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyVerifyResult: """Verifies a signature using a specified key. @@ -1709,23 +1912,18 @@ async def verify( convenience for callers that only have a key-reference and not the public portion of the key. This operation requires the keys/verify permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for verify operations. Is either a KeyVerifyParameters type - or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyVerifyParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyVerifyResult - :rtype: ~azure.keyvault.v7_5.models.KeyVerifyResult + :param parameters: The parameters for verify operations. Is one of the following types: + KeyVerifyParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyVerifyParameters or JSON or IO[bytes] + :return: KeyVerifyResult. The KeyVerifyResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyVerifyResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1740,29 +1938,29 @@ async def verify( cls: ClsType[_models.KeyVerifyResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyVerifyParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_verify_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1771,12 +1969,18 @@ async def verify( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyVerifyResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyVerifyResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1786,7 +1990,6 @@ async def verify( @overload async def wrap_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyOperationsParameters, @@ -1803,26 +2006,56 @@ async def wrap_key( as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for wrap operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def wrap_key( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Wraps a symmetric key using a specified key. + + The WRAP operation supports encryption of a symmetric key using a key encryption key that has + previously been stored in an Azure Key Vault. The WRAP operation is only strictly necessary for + symmetric keys stored in Azure Key Vault since protection with an asymmetric key can be + performed using the public portion of the key. This operation is supported for asymmetric keys + as a convenience for callers that have a key-reference but do not have access to the public key + material. This operation requires the keys/wrapKey permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for wrap operation. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def wrap_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -1839,8 +2072,6 @@ async def wrap_key( as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -1850,18 +2081,17 @@ async def wrap_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def wrap_key( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyOperationsParameters, IO[bytes]], + parameters: Union[_models.KeyOperationsParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Wraps a symmetric key using a specified key. @@ -1873,23 +2103,18 @@ async def wrap_key( as a convenience for callers that have a key-reference but do not have access to the public key material. This operation requires the keys/wrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for wrap operation. Is either a KeyOperationsParameters type - or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for wrap operation. Is one of the following types: + KeyOperationsParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -1904,29 +2129,29 @@ async def wrap_key( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyOperationsParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_wrap_key_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -1935,12 +2160,18 @@ async def wrap_key( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -1950,7 +2181,6 @@ async def wrap_key( @overload async def unwrap_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyOperationsParameters, @@ -1965,26 +2195,54 @@ async def unwrap_key( asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str :param parameters: The parameters for the key operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def unwrap_key( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyOperationResult: + """Unwraps a symmetric key using the specified key that was initially used for wrapping that key. + + The UNWRAP operation supports decryption of a symmetric key using the target key encryption + key. This operation is the reverse of the WRAP operation. The UNWRAP operation applies to + asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of + the key. This operation requires the keys/unwrapKey permission. + + :param key_name: The name of the key. Required. + :type key_name: str + :param key_version: The version of the key. Required. + :type key_version: str + :param parameters: The parameters for the key operation. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def unwrap_key( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -1999,8 +2257,6 @@ async def unwrap_key( asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. @@ -2010,18 +2266,17 @@ async def unwrap_key( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def unwrap_key( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyOperationsParameters, IO[bytes]], + parameters: Union[_models.KeyOperationsParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyOperationResult: """Unwraps a symmetric key using the specified key that was initially used for wrapping that key. @@ -2031,23 +2286,18 @@ async def unwrap_key( asymmetric and symmetric keys stored in Azure Key Vault since it uses the private portion of the key. This operation requires the keys/unwrapKey permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :param key_version: The version of the key. Required. :type key_version: str - :param parameters: The parameters for the key operation. Is either a KeyOperationsParameters - type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyOperationsParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyOperationResult - :rtype: ~azure.keyvault.v7_5.models.KeyOperationResult + :param parameters: The parameters for the key operation. Is one of the following types: + KeyOperationsParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyOperationsParameters or JSON or IO[bytes] + :return: KeyOperationResult. The KeyOperationResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyOperationResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2062,29 +2312,29 @@ async def unwrap_key( cls: ClsType[_models.KeyOperationResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyOperationsParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_unwrap_key_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2093,12 +2343,18 @@ async def unwrap_key( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyOperationResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyOperationResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2108,7 +2364,6 @@ async def unwrap_key( @overload async def release( self, - vault_base_url: str, key_name: str, key_version: str, parameters: _models.KeyReleaseParameters, @@ -2121,27 +2376,54 @@ async def release( The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to get. Required. :type key_name: str :param key_version: Adding the version parameter retrieves a specific version of a key. Required. :type key_version: str :param parameters: The parameters for the key release operation. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyReleaseParameters + :type parameters: ~azure.keyvault.keys.models.KeyReleaseParameters :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyReleaseResult - :rtype: ~azure.keyvault.v7_5.models.KeyReleaseResult + :return: KeyReleaseResult. The KeyReleaseResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyReleaseResult + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def release( + self, + key_name: str, + key_version: str, + parameters: JSON, + *, + content_type: str = "application/json", + **kwargs: Any + ) -> _models.KeyReleaseResult: + """Releases a key. + + The release key operation is applicable to all key types. The target key must be marked + exportable. This operation requires the keys/release permission. + + :param key_name: The name of the key to get. Required. + :type key_name: str + :param key_version: Adding the version parameter retrieves a specific version of a key. + Required. + :type key_version: str + :param parameters: The parameters for the key release operation. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyReleaseResult. The KeyReleaseResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyReleaseResult :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def release( self, - vault_base_url: str, key_name: str, key_version: str, parameters: IO[bytes], @@ -2154,8 +2436,6 @@ async def release( The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to get. Required. :type key_name: str :param key_version: Adding the version parameter retrieves a specific version of a key. @@ -2166,18 +2446,17 @@ async def release( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyReleaseResult - :rtype: ~azure.keyvault.v7_5.models.KeyReleaseResult + :return: KeyReleaseResult. The KeyReleaseResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyReleaseResult :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def release( self, - vault_base_url: str, key_name: str, key_version: str, - parameters: Union[_models.KeyReleaseParameters, IO[bytes]], + parameters: Union[_models.KeyReleaseParameters, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyReleaseResult: """Releases a key. @@ -2185,24 +2464,19 @@ async def release( The release key operation is applicable to all key types. The target key must be marked exportable. This operation requires the keys/release permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key to get. Required. :type key_name: str :param key_version: Adding the version parameter retrieves a specific version of a key. Required. :type key_version: str - :param parameters: The parameters for the key release operation. Is either a - KeyReleaseParameters type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.KeyReleaseParameters or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyReleaseResult - :rtype: ~azure.keyvault.v7_5.models.KeyReleaseResult + :param parameters: The parameters for the key release operation. Is one of the following types: + KeyReleaseParameters, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.KeyReleaseParameters or JSON or IO[bytes] + :return: KeyReleaseResult. The KeyReleaseResult is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyReleaseResult :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2217,29 +2491,29 @@ async def release( cls: ClsType[_models.KeyReleaseResult] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "KeyReleaseParameters") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_release_request( key_name=key_name, key_version=key_version, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2248,12 +2522,18 @@ async def release( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyReleaseResult", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyReleaseResult, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2262,7 +2542,7 @@ async def release( @distributed_trace def get_deleted_keys( - self, vault_base_url: str, *, maxresults: Optional[int] = None, **kwargs: Any + self, *, maxresults: Optional[int] = None, **kwargs: Any ) -> AsyncIterable["_models.DeletedKeyItem"]: """Lists the deleted keys in the specified vault. @@ -2272,21 +2552,19 @@ def get_deleted_keys( can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/list permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :keyword maxresults: Maximum number of results to return in a page. If not specified the service will return up to 25 results. Default value is None. :paramtype maxresults: int :return: An iterator like instance of DeletedKeyItem - :rtype: ~azure.core.async_paging.AsyncItemPaged[~azure.keyvault.v7_5.models.DeletedKeyItem] + :rtype: ~azure.core.async_paging.AsyncItemPaged[~azure.keyvault.keys.models.DeletedKeyItem] :raises ~azure.core.exceptions.HttpResponseError: """ _headers = kwargs.pop("headers", {}) or {} _params = kwargs.pop("params", {}) or {} - cls: ClsType[_models._models.DeletedKeyListResult] = kwargs.pop("cls", None) # pylint: disable=protected-access + cls: ClsType[List[_models.DeletedKeyItem]] = kwargs.pop("cls", None) - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2304,7 +2582,9 @@ def prepare_request(next_link=None): params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) @@ -2322,20 +2602,20 @@ def prepare_request(next_link=None): "GET", urllib.parse.urljoin(next_link, _parsed_next_link.path), params=_next_request_params ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) return _request async def extract_data(pipeline_response): - deserialized = self._deserialize( - _models._models.DeletedKeyListResult, pipeline_response # pylint: disable=protected-access - ) - list_of_elem = deserialized.value + deserialized = pipeline_response.http_response.json() + list_of_elem = _deserialize(List[_models.DeletedKeyItem], deserialized["value"]) if cls: list_of_elem = cls(list_of_elem) # type: ignore - return deserialized.next_link or None, AsyncList(list_of_elem) + return deserialized.get("nextLink") or None, AsyncList(list_of_elem) async def get_next(next_link=None): _request = prepare_request(next_link) @@ -2347,10 +2627,8 @@ async def get_next(next_link=None): response = pipeline_response.http_response if response.status_code not in [200]: - if _stream: - await response.read() # Load the body in memory and close the socket map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) return pipeline_response @@ -2358,22 +2636,20 @@ async def get_next(next_link=None): return AsyncItemPaged(get_next, extract_data) @distributed_trace_async - async def get_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.DeletedKeyBundle: + async def get_deleted_key(self, key_name: str, **kwargs: Any) -> _models.DeletedKeyBundle: """Gets the public part of a deleted key. The Get Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/get permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str - :return: DeletedKeyBundle - :rtype: ~azure.keyvault.v7_5.models.DeletedKeyBundle + :return: DeletedKeyBundle. The DeletedKeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.DeletedKeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2393,11 +2669,13 @@ async def get_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: An params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2406,12 +2684,18 @@ async def get_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: An if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("DeletedKeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.DeletedKeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2419,24 +2703,20 @@ async def get_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: An return deserialized # type: ignore @distributed_trace_async - async def purge_deleted_key( # pylint: disable=inconsistent-return-statements - self, vault_base_url: str, key_name: str, **kwargs: Any - ) -> None: + async def purge_deleted_key(self, key_name: str, **kwargs: Any) -> None: """Permanently deletes the specified key. The Purge Deleted Key operation is applicable for soft-delete enabled vaults. While the operation can be invoked on any vault, it will return an error if invoked on a non soft-delete enabled vault. This operation requires the keys/purge permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key. Required. :type key_name: str :return: None :rtype: None :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2456,7 +2736,9 @@ async def purge_deleted_key( # pylint: disable=inconsistent-return-statements params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) @@ -2468,17 +2750,15 @@ async def purge_deleted_key( # pylint: disable=inconsistent-return-statements response = pipeline_response.http_response if response.status_code not in [204]: - if _stream: - await response.read() # Load the body in memory and close the socket map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) if cls: return cls(pipeline_response, None, {}) # type: ignore @distributed_trace_async - async def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs: Any) -> _models.KeyBundle: + async def recover_deleted_key(self, key_name: str, **kwargs: Any) -> _models.KeyBundle: """Recovers the deleted key to its latest version. The Recover Deleted Key operation is applicable for deleted keys in soft-delete enabled vaults. @@ -2486,15 +2766,13 @@ async def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs non-deleted key will return an error. Consider this the inverse of the delete operation on soft-delete enabled vaults. This operation requires the keys/recover permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the deleted key. Required. :type key_name: str - :return: KeyBundle - :rtype: ~azure.keyvault.v7_5.models.KeyBundle + :return: KeyBundle. The KeyBundle is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyBundle :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2514,11 +2792,13 @@ async def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2527,12 +2807,18 @@ async def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyBundle", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyBundle, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2540,23 +2826,19 @@ async def recover_deleted_key(self, vault_base_url: str, key_name: str, **kwargs return deserialized # type: ignore @distributed_trace_async - async def get_key_rotation_policy( - self, vault_base_url: str, key_name: str, **kwargs: Any - ) -> _models.KeyRotationPolicy: + async def get_key_rotation_policy(self, key_name: str, **kwargs: Any) -> _models.KeyRotationPolicy: """Lists the policy for a key. The GetKeyRotationPolicy operation returns the specified key policy resources in the specified key vault. This operation requires the keys/get permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key in a given key vault. Required. :type key_name: str - :return: KeyRotationPolicy - :rtype: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2576,11 +2858,13 @@ async def get_key_rotation_policy( params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2589,12 +2873,18 @@ async def get_key_rotation_policy( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyRotationPolicy", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyRotationPolicy, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2604,7 +2894,6 @@ async def get_key_rotation_policy( @overload async def update_key_rotation_policy( self, - vault_base_url: str, key_name: str, key_rotation_policy: _models.KeyRotationPolicy, *, @@ -2616,37 +2905,48 @@ async def update_key_rotation_policy( Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key in the given vault. Required. :type key_name: str :param key_rotation_policy: The policy for the key. Required. - :type key_rotation_policy: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :type key_rotation_policy: ~azure.keyvault.keys.models.KeyRotationPolicy :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: KeyRotationPolicy - :rtype: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def update_key_rotation_policy( - self, - vault_base_url: str, - key_name: str, - key_rotation_policy: IO[bytes], - *, - content_type: str = "application/json", - **kwargs: Any + self, key_name: str, key_rotation_policy: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.KeyRotationPolicy: + """Updates the rotation policy for a key. + + Set specified members in the key policy. Leave others as undefined. This operation requires the + keys/update permission. + + :param key_name: The name of the key in the given vault. Required. + :type key_name: str + :param key_rotation_policy: The policy for the key. Required. + :type key_rotation_policy: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def update_key_rotation_policy( + self, key_name: str, key_rotation_policy: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.KeyRotationPolicy: """Updates the rotation policy for a key. Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key in the given vault. Required. :type key_name: str :param key_rotation_policy: The policy for the key. Required. @@ -2654,39 +2954,30 @@ async def update_key_rotation_policy( :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: KeyRotationPolicy - :rtype: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def update_key_rotation_policy( - self, - vault_base_url: str, - key_name: str, - key_rotation_policy: Union[_models.KeyRotationPolicy, IO[bytes]], - **kwargs: Any + self, key_name: str, key_rotation_policy: Union[_models.KeyRotationPolicy, JSON, IO[bytes]], **kwargs: Any ) -> _models.KeyRotationPolicy: """Updates the rotation policy for a key. Set specified members in the key policy. Leave others as undefined. This operation requires the keys/update permission. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param key_name: The name of the key in the given vault. Required. :type key_name: str - :param key_rotation_policy: The policy for the key. Is either a KeyRotationPolicy type or a - IO[bytes] type. Required. - :type key_rotation_policy: ~azure.keyvault.v7_5.models.KeyRotationPolicy or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: KeyRotationPolicy - :rtype: ~azure.keyvault.v7_5.models.KeyRotationPolicy + :param key_rotation_policy: The policy for the key. Is one of the following types: + KeyRotationPolicy, JSON, IO[bytes] Required. + :type key_rotation_policy: ~azure.keyvault.keys.models.KeyRotationPolicy or JSON or IO[bytes] + :return: KeyRotationPolicy. The KeyRotationPolicy is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.KeyRotationPolicy :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2701,28 +2992,28 @@ async def update_key_rotation_policy( cls: ClsType[_models.KeyRotationPolicy] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(key_rotation_policy, (IOBase, bytes)): _content = key_rotation_policy else: - _json = self._serialize.body(key_rotation_policy, "KeyRotationPolicy") + _content = json.dumps(key_rotation_policy, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_update_key_rotation_policy_request( key_name=key_name, content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2731,12 +3022,18 @@ async def update_key_rotation_policy( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("KeyRotationPolicy", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.KeyRotationPolicy, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore @@ -2745,70 +3042,74 @@ async def update_key_rotation_policy( @overload async def get_random_bytes( - self, - vault_base_url: str, - parameters: _models.GetRandomBytesRequest, - *, - content_type: str = "application/json", - **kwargs: Any + self, parameters: _models.GetRandomBytesRequest, *, content_type: str = "application/json", **kwargs: Any ) -> _models.RandomBytes: """Get the requested number of bytes containing random values. Get the requested number of bytes containing random values from a managed HSM. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param parameters: The request object to get random bytes. Required. - :type parameters: ~azure.keyvault.v7_5.models.GetRandomBytesRequest + :type parameters: ~azure.keyvault.keys.models.GetRandomBytesRequest :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. Default value is "application/json". :paramtype content_type: str - :return: RandomBytes - :rtype: ~azure.keyvault.v7_5.models.RandomBytes + :return: RandomBytes. The RandomBytes is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.RandomBytes :raises ~azure.core.exceptions.HttpResponseError: """ @overload async def get_random_bytes( - self, vault_base_url: str, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any + self, parameters: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> _models.RandomBytes: + """Get the requested number of bytes containing random values. + + Get the requested number of bytes containing random values from a managed HSM. + + :param parameters: The request object to get random bytes. Required. + :type parameters: JSON + :keyword content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :paramtype content_type: str + :return: RandomBytes. The RandomBytes is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.RandomBytes + :raises ~azure.core.exceptions.HttpResponseError: + """ + + @overload + async def get_random_bytes( + self, parameters: IO[bytes], *, content_type: str = "application/json", **kwargs: Any ) -> _models.RandomBytes: """Get the requested number of bytes containing random values. Get the requested number of bytes containing random values from a managed HSM. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str :param parameters: The request object to get random bytes. Required. :type parameters: IO[bytes] :keyword content_type: Body Parameter content-type. Content type parameter for binary body. Default value is "application/json". :paramtype content_type: str - :return: RandomBytes - :rtype: ~azure.keyvault.v7_5.models.RandomBytes + :return: RandomBytes. The RandomBytes is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.RandomBytes :raises ~azure.core.exceptions.HttpResponseError: """ @distributed_trace_async async def get_random_bytes( - self, vault_base_url: str, parameters: Union[_models.GetRandomBytesRequest, IO[bytes]], **kwargs: Any + self, parameters: Union[_models.GetRandomBytesRequest, JSON, IO[bytes]], **kwargs: Any ) -> _models.RandomBytes: """Get the requested number of bytes containing random values. Get the requested number of bytes containing random values from a managed HSM. - :param vault_base_url: The vault name, for example https://myvault.vault.azure.net. Required. - :type vault_base_url: str - :param parameters: The request object to get random bytes. Is either a GetRandomBytesRequest - type or a IO[bytes] type. Required. - :type parameters: ~azure.keyvault.v7_5.models.GetRandomBytesRequest or IO[bytes] - :keyword content_type: Body Parameter content-type. Known values are: 'application/json'. - Default value is None. - :paramtype content_type: str - :return: RandomBytes - :rtype: ~azure.keyvault.v7_5.models.RandomBytes + :param parameters: The request object to get random bytes. Is one of the following types: + GetRandomBytesRequest, JSON, IO[bytes] Required. + :type parameters: ~azure.keyvault.keys.models.GetRandomBytesRequest or JSON or IO[bytes] + :return: RandomBytes. The RandomBytes is compatible with MutableMapping + :rtype: ~azure.keyvault.keys.models.RandomBytes :raises ~azure.core.exceptions.HttpResponseError: """ - error_map = { + error_map: MutableMapping = { 401: ClientAuthenticationError, 404: ResourceNotFoundError, 409: ResourceExistsError, @@ -2823,27 +3124,27 @@ async def get_random_bytes( cls: ClsType[_models.RandomBytes] = kwargs.pop("cls", None) content_type = content_type or "application/json" - _json = None _content = None if isinstance(parameters, (IOBase, bytes)): _content = parameters else: - _json = self._serialize.body(parameters, "GetRandomBytesRequest") + _content = json.dumps(parameters, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore _request = build_key_vault_get_random_bytes_request( content_type=content_type, api_version=self._config.api_version, - json=_json, content=_content, headers=_headers, params=_params, ) path_format_arguments = { - "vaultBaseUrl": self._serialize.url("vault_base_url", vault_base_url, "str", skip_quote=True), + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), } _request.url = self._client.format_url(_request.url, **path_format_arguments) - _stream = False + _stream = kwargs.pop("stream", False) pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access _request, stream=_stream, **kwargs ) @@ -2852,12 +3153,18 @@ async def get_random_bytes( if response.status_code not in [200]: if _stream: - await response.read() # Load the body in memory and close the socket + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass map_error(status_code=response.status_code, response=response, error_map=error_map) - error = self._deserialize.failsafe_deserialize(_models.KeyVaultError, pipeline_response) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) raise HttpResponseError(response=response, model=error) - deserialized = self._deserialize("RandomBytes", pipeline_response) + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.RandomBytes, response.json()) if cls: return cls(pipeline_response, deserialized, {}) # type: ignore diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_operations/_patch.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_operations/_patch.py similarity index 100% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_operations/_patch.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_operations/_patch.py diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_patch.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_patch.py similarity index 100% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_patch.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_patch.py diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_vendor.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_vendor.py similarity index 88% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_vendor.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_vendor.py index 92c6d827acd9..2b1f525d61ea 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/aio/_vendor.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_vendor.py @@ -1,7 +1,7 @@ # -------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. +# Code generated by Microsoft (R) Python Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- @@ -11,7 +11,6 @@ from ._configuration import KeyVaultClientConfiguration if TYPE_CHECKING: - # pylint: disable=unused-import,ungrouped-imports from azure.core import AsyncPipelineClient from .._serialization import Deserializer, Serializer diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/__init__.py deleted file mode 100644 index 9e931898fc8e..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/__init__.py +++ /dev/null @@ -1,32 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from ._models import ( - DecryptResult, - EncryptResult, - KeyVaultRSAPrivateKey, - KeyVaultRSAPublicKey, - SignResult, - WrapResult, - VerifyResult, - UnwrapResult, -) -from ._enums import EncryptionAlgorithm, KeyWrapAlgorithm, SignatureAlgorithm -from ._client import CryptographyClient - - -__all__ = [ - "CryptographyClient", - "DecryptResult", - "EncryptionAlgorithm", - "EncryptResult", - "KeyVaultRSAPrivateKey", - "KeyVaultRSAPublicKey", - "KeyWrapAlgorithm", - "SignatureAlgorithm", - "SignResult", - "WrapResult", - "VerifyResult", - "UnwrapResult", -] diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_client.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_client.py deleted file mode 100644 index c2f3021216be..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_client.py +++ /dev/null @@ -1,588 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from datetime import datetime -import logging -from typing import Any, cast, Dict, Optional, Union - -from azure.core.credentials import TokenCredential -from azure.core.exceptions import HttpResponseError -from azure.core.tracing.decorator import distributed_trace - -from . import ( - DecryptResult, - EncryptionAlgorithm, - EncryptResult, - KeyWrapAlgorithm, - SignatureAlgorithm, - SignResult, - VerifyResult, - UnwrapResult, - WrapResult, -) -from ._key_validity import raise_if_time_invalid -from ._models import KeyVaultRSAPrivateKey, KeyVaultRSAPublicKey -from ._providers import get_local_cryptography_provider, NoLocalCryptography -from .. import KeyOperation -from .._models import JsonWebKey, KeyVaultKey -from .._shared import KeyVaultClientBase, KeyVaultResourceId, parse_key_vault_id - -_LOGGER = logging.getLogger(__name__) - - -def _validate_arguments( - operation: KeyOperation, - algorithm: EncryptionAlgorithm, - *, - iv: Optional[bytes] = None, - tag: Optional[bytes] = None, - aad: Optional[bytes] = None, - ) -> None: - """Validates the arguments passed to perform an operation with a provided algorithm. - - :param KeyOperation operation: the type of operation being requested - :param EncryptionAlgorithm algorithm: the encryption algorithm to use for the operation - - :keyword iv: initialization vector - :paramtype iv: bytes or None - :keyword tag: authentication tag returned from an encryption - :paramtype tag: bytes or None - :keyword aad: data that is authenticated but not encrypted - :paramtype aad: bytes or None - - :raises ValueError: if parameters that are incompatible with the specified algorithm are provided. - """ - if operation == KeyOperation.encrypt: - if iv and "CBC" not in algorithm: - raise ValueError( - f"iv should only be provided with AES-CBC algorithms; {algorithm} does not accept an iv" - ) - if iv is None and "CBC" in algorithm: - raise ValueError("iv is a required parameter for encryption with AES-CBC algorithms.") - if aad and not ("CBC" in algorithm or "GCM" in algorithm): - raise ValueError( - f"additional_authenticated_data should only be provided with AES algorithms; {algorithm} does not " - "accept additional authenticated data" - ) - - if operation == KeyOperation.decrypt: - if iv and not ("CBC" in algorithm or "GCM" in algorithm): - raise ValueError( - f"iv should only be provided with AES algorithms; {algorithm} does not accept an iv" - ) - if iv is None and ("CBC" in algorithm or "GCM" in algorithm): - raise ValueError("iv is a required parameter for decryption with AES algorithms.") - if tag and "GCM" not in algorithm: - raise ValueError( - f"authentication_tag should only be provided with AES-GCM algorithms; {algorithm} does not accept a tag" - ) - if tag is None and "GCM" in algorithm: - raise ValueError("authentication_tag is a required parameter for AES-GCM decryption.") - if aad and not ("CBC" in algorithm or "GCM" in algorithm): - raise ValueError( - f"additional_authenticated_data should only be provided with AES algorithms; {algorithm} does not " - "accept additional authenticated data" - ) - - -class CryptographyClient(KeyVaultClientBase): - """Performs cryptographic operations using Azure Key Vault keys. - - This client will perform operations locally when it's intialized with the necessary key material or is able to get - that material from Key Vault. When the required key material is unavailable, cryptographic operations are performed - by the Key Vault service. - - :param key: Either a azure.keyvault.keys.KeyVaultKey instance as returned by - :func:`~azure.keyvault.keys.KeyClient.get_key`, or a string. - If a string, the value must be the identifier of an Azure Key Vault key. Including a version is recommended. - :type key: str or azure.keyvault.keys.KeyVaultKey - :param credential: An object which can provide an access token for the vault, such as a credential from - :mod:`azure.identity` - :type credential: ~azure.core.credentials.TokenCredential - - :keyword api_version: Version of the service API to use. Defaults to the most recent. - :paramtype api_version: ~azure.keyvault.keys.ApiVersion or str - :keyword bool verify_challenge_resource: Whether to verify the authentication challenge resource matches the Key - Vault or Managed HSM domain. Defaults to True. - - .. literalinclude:: ../tests/test_examples_crypto.py - :start-after: [START create_client] - :end-before: [END create_client] - :caption: Create a CryptographyClient - :language: python - :dedent: 8 - """ - - # pylint:disable=protected-access - - def __init__(self, key: Union[KeyVaultKey, str], credential: TokenCredential, **kwargs: Any) -> None: - self._jwk = kwargs.pop("_jwk", False) - self._not_before: Optional[datetime] = None - self._expires_on: Optional[datetime] = None - self._key_id: Optional[KeyVaultResourceId] = None - - if isinstance(key, KeyVaultKey): - self._key: Union[JsonWebKey, KeyVaultKey, str, None] = key.key - self._key_id = parse_key_vault_id(key.id) - if key.properties._attributes: - self._not_before = key.properties.not_before - self._expires_on = key.properties.expires_on - elif isinstance(key, str): - self._key = None - self._key_id = parse_key_vault_id(key) - if self._key_id.version is None: - self._key_id.version = "" # to avoid an error and get the latest version when getting the key - self._keys_get_forbidden = False - elif self._jwk: - self._key = key - else: - raise ValueError("'key' must be a KeyVaultKey instance or a key ID string") - - if self._jwk: - try: - self._local_provider = get_local_cryptography_provider(cast(JsonWebKey, self._key)) - self._initialized = True - except Exception as ex: - raise ValueError("The provided jwk is not valid for local cryptography") from ex - else: - self._local_provider = NoLocalCryptography() - self._initialized = False - - self._vault_url = None if (self._jwk or self._key_id is None) else self._key_id.vault_url # type: ignore - super(CryptographyClient, self).__init__( - vault_url=self._vault_url or "vault_url", credential=credential, **kwargs - ) - - @property - def key_id(self) -> Optional[str]: - """The full identifier of the client's key. - - This property may be None when a client is constructed with :func:`from_jwk`. - - :returns: The full identifier of the client's key. - :rtype: str or None - """ - if not self._jwk: - return self._key_id.source_id if self._key_id else None - return cast(JsonWebKey, self._key).kid # type: ignore[attr-defined] - - @property - def vault_url(self) -> Optional[str]: # type: ignore - """The base vault URL of the client's key. - - This property may be None when a client is constructed with :func:`from_jwk`. - - :returns: The base vault URL of the client's key. - :rtype: str or None - """ - return self._vault_url - - @classmethod - def from_jwk(cls, jwk: Union[JsonWebKey, Dict[str, Any]]) -> "CryptographyClient": - """Creates a client that can only perform cryptographic operations locally. - - :param jwk: the key's cryptographic material, as a JsonWebKey or dictionary. - :type jwk: JsonWebKey or Dict[str, Any] - - :returns: A client that can only perform local cryptographic operations. - :rtype: CryptographyClient - """ - if not isinstance(jwk, JsonWebKey): - jwk = JsonWebKey(**jwk) - return cls(jwk, object(), _jwk=True) # type: ignore - - @distributed_trace - def _initialize(self, **kwargs: Any) -> None: - if self._initialized: - return - - # try to get the key material, if we don't have it and aren't forbidden to do so - if not (self._key or self._keys_get_forbidden): - try: - key_bundle = self._client.get_key( - self._key_id.vault_url if self._key_id else None, - self._key_id.name if self._key_id else None, - self._key_id.version if self._key_id else None, - **kwargs - ) - key = KeyVaultKey._from_key_bundle(key_bundle) - self._key = key.key - self._key_id = parse_key_vault_id(key.id) # update the key ID in case we didn't have the version before - except HttpResponseError as ex: - # if we got a 403, we don't have keys/get permission and won't try to get the key again - # (other errors may be transient) - self._keys_get_forbidden = ex.status_code == 403 - - # if we have the key material, create a local crypto provider with it - if self._key: - self._local_provider = get_local_cryptography_provider(cast(JsonWebKey, self._key)) - self._initialized = True - else: - # try to get the key again next time unless we know we're forbidden to do so - self._initialized = self._keys_get_forbidden - - @distributed_trace - def create_rsa_private_key(self) -> KeyVaultRSAPrivateKey: # pylint:disable=client-method-missing-kwargs - """Create an `RSAPrivateKey` implementation backed by this `CryptographyClient`, as a `KeyVaultRSAPrivateKey`. - - The `CryptographyClient` will attempt to download the key, if it hasn't been already, as part of this operation. - - :returns: A `KeyVaultRSAPrivateKey`, which implements `cryptography`'s `RSAPrivateKey` interface. - :rtype: ~azure.keyvault.keys.crypto.KeyVaultRSAPrivateKey - """ - self._initialize() - return KeyVaultRSAPrivateKey(client=self, key_material=cast(JsonWebKey, self._key)) - - @distributed_trace - def create_rsa_public_key(self) -> KeyVaultRSAPublicKey: # pylint:disable=client-method-missing-kwargs - """Create an `RSAPublicKey` implementation backed by this `CryptographyClient`, as a `KeyVaultRSAPublicKey`. - - The `CryptographyClient` will attempt to download the key, if it hasn't been already, as part of this operation. - - :returns: A `KeyVaultRSAPublicKey`, which implements `cryptography`'s `RSAPublicKey` interface. - :rtype: ~azure.keyvault.keys.crypto.KeyVaultRSAPublicKey - """ - self._initialize() - return KeyVaultRSAPublicKey(client=self, key_material=cast(JsonWebKey, self._key)) - - @distributed_trace - def encrypt( - self, - algorithm: EncryptionAlgorithm, - plaintext: bytes, - *, - iv: Optional[bytes] = None, - additional_authenticated_data: Optional[bytes] = None, - **kwargs: Any, - ) -> EncryptResult: - """Encrypt bytes using the client's key. - - Requires the keys/encrypt permission. This method encrypts only a single block of data, whose size depends on - the key and encryption algorithm. - - :param algorithm: Encryption algorithm to use - :type algorithm: ~azure.keyvault.keys.crypto.EncryptionAlgorithm - :param bytes plaintext: Bytes to encrypt - - :keyword iv: Initialization vector. Required for only AES-CBC(PAD) encryption. If you pass your own IV, - make sure you use a cryptographically random, non-repeating IV. If omitted, an attempt will be made to - generate an IV via `os.urandom `_ for local - cryptography; for remote cryptography, Key Vault will generate an IV. - :paramtype iv: bytes or None - :keyword additional_authenticated_data: Optional data that is authenticated but not encrypted. For use - with AES-GCM encryption. - :paramtype additional_authenticated_data: bytes or None - - :returns: The result of the encryption operation. - :rtype: ~azure.keyvault.keys.crypto.EncryptResult - - :raises ValueError: if parameters that are incompatible with the specified algorithm are provided, or if - generating an IV fails on the current platform. - - .. literalinclude:: ../tests/test_examples_crypto.py - :start-after: [START encrypt] - :end-before: [END encrypt] - :caption: Encrypt bytes - :language: python - :dedent: 8 - """ - _validate_arguments( - operation=KeyOperation.encrypt, algorithm=algorithm, iv=iv, aad=additional_authenticated_data - ) - self._initialize(**kwargs) - - if self._local_provider.supports(KeyOperation.encrypt, algorithm): - raise_if_time_invalid(self._not_before, self._expires_on) - try: - return self._local_provider.encrypt(algorithm, plaintext, iv=iv) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local encrypt operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.encrypt}" operation with algorithm "{algorithm}"' - ) - - operation_result = self._client.encrypt( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyOperationsParameters( - algorithm=algorithm, value=plaintext, iv=iv, aad=additional_authenticated_data - ), - **kwargs - ) - - result_iv = operation_result.iv if hasattr(operation_result, "iv") else None - result_tag = operation_result.authentication_tag if hasattr(operation_result, "authentication_tag") else None - result_aad = ( - operation_result.additional_authenticated_data - if hasattr(operation_result, "additional_authenticated_data") - else None - ) - - return EncryptResult( - key_id=self.key_id, - algorithm=algorithm, - ciphertext=operation_result.result, - iv=result_iv, - authentication_tag=result_tag, - additional_authenticated_data=result_aad, - ) - - @distributed_trace - def decrypt( - self, - algorithm: EncryptionAlgorithm, - ciphertext: bytes, - *, - iv: Optional[bytes] = None, - authentication_tag: Optional[bytes] = None, - additional_authenticated_data: Optional[bytes] = None, - **kwargs: Any, - ) -> DecryptResult: - """Decrypt a single block of encrypted data using the client's key. - - Requires the keys/decrypt permission. This method decrypts only a single block of data, whose size depends on - the key and encryption algorithm. - - :param algorithm: Encryption algorithm to use - :type algorithm: ~azure.keyvault.keys.crypto.EncryptionAlgorithm - :param bytes ciphertext: Encrypted bytes to decrypt. Microsoft recommends you not use CBC without first ensuring - the integrity of the ciphertext using, for example, an HMAC. See - https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. - - :keyword iv: The initialization vector used during encryption. Required for AES decryption. - :paramtype iv: bytes or None - :keyword authentication_tag: The authentication tag generated during encryption. Required for only AES-GCM - decryption. - :paramtype authentication_tag: bytes or None - :keyword additional_authenticated_data: Optional data that is authenticated but not encrypted. For use - with AES-GCM decryption. - :paramtype additional_authenticated_data: bytes or None - - :returns: The result of the decryption operation. - :rtype: ~azure.keyvault.keys.crypto.DecryptResult - - :raises ValueError: If parameters that are incompatible with the specified algorithm are provided. - - .. literalinclude:: ../tests/test_examples_crypto.py - :start-after: [START decrypt] - :end-before: [END decrypt] - :caption: Decrypt bytes - :language: python - :dedent: 8 - """ - _validate_arguments( - operation=KeyOperation.decrypt, - algorithm=algorithm, - iv=iv, - tag=authentication_tag, - aad=additional_authenticated_data, - ) - self._initialize(**kwargs) - - if self._local_provider.supports(KeyOperation.decrypt, algorithm): - try: - return self._local_provider.decrypt(algorithm, ciphertext, iv=iv) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local decrypt operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.decrypt}" operation with algorithm "{algorithm}"' - ) - - operation_result = self._client.decrypt( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyOperationsParameters( - algorithm=algorithm, value=ciphertext, iv=iv, tag=authentication_tag, aad=additional_authenticated_data - ), - **kwargs - ) - - return DecryptResult(key_id=self.key_id, algorithm=algorithm, plaintext=operation_result.result) - - @distributed_trace - def wrap_key(self, algorithm: KeyWrapAlgorithm, key: bytes, **kwargs: Any) -> WrapResult: - """Wrap a key with the client's key. - - Requires the keys/wrapKey permission. - - :param algorithm: wrapping algorithm to use - :type algorithm: ~azure.keyvault.keys.crypto.KeyWrapAlgorithm - :param bytes key: key to wrap - - :returns: The result of the wrapping operation. - :rtype: ~azure.keyvault.keys.crypto.WrapResult - - .. literalinclude:: ../tests/test_examples_crypto.py - :start-after: [START wrap_key] - :end-before: [END wrap_key] - :caption: Wrap a key - :language: python - :dedent: 8 - """ - self._initialize(**kwargs) - if self._local_provider.supports(KeyOperation.wrap_key, algorithm): - raise_if_time_invalid(self._not_before, self._expires_on) - try: - return self._local_provider.wrap_key(algorithm, key) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local wrap operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.wrap_key}" operation with algorithm "{algorithm}"' - ) - - operation_result = self._client.wrap_key( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyOperationsParameters(algorithm=algorithm, value=key), - **kwargs - ) - - return WrapResult(key_id=self.key_id, algorithm=algorithm, encrypted_key=operation_result.result) - - @distributed_trace - def unwrap_key(self, algorithm: KeyWrapAlgorithm, encrypted_key: bytes, **kwargs: Any) -> UnwrapResult: - """Unwrap a key previously wrapped with the client's key. - - Requires the keys/unwrapKey permission. - - :param algorithm: wrapping algorithm to use - :type algorithm: ~azure.keyvault.keys.crypto.KeyWrapAlgorithm - :param bytes encrypted_key: the wrapped key - - :returns: The result of the unwrapping operation. - :rtype: ~azure.keyvault.keys.crypto.UnwrapResult - - .. literalinclude:: ../tests/test_examples_crypto.py - :start-after: [START unwrap_key] - :end-before: [END unwrap_key] - :caption: Unwrap a key - :language: python - :dedent: 8 - """ - self._initialize(**kwargs) - if self._local_provider.supports(KeyOperation.unwrap_key, algorithm): - try: - return self._local_provider.unwrap_key(algorithm, encrypted_key) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local unwrap operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.unwrap_key}" operation with algorithm "{algorithm}"' - ) - - operation_result = self._client.unwrap_key( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyOperationsParameters(algorithm=algorithm, value=encrypted_key), - **kwargs - ) - return UnwrapResult(key_id=self.key_id, algorithm=algorithm, key=operation_result.result) - - @distributed_trace - def sign(self, algorithm: SignatureAlgorithm, digest: bytes, **kwargs: Any) -> SignResult: - """Create a signature from a digest using the client's key. - - Requires the keys/sign permission. - - :param algorithm: signing algorithm - :type algorithm: ~azure.keyvault.keys.crypto.SignatureAlgorithm - :param bytes digest: hashed bytes to sign - - :returns: The result of the signing operation. - :rtype: ~azure.keyvault.keys.crypto.SignResult - - .. literalinclude:: ../tests/test_examples_crypto.py - :start-after: [START sign] - :end-before: [END sign] - :caption: Sign bytes - :language: python - :dedent: 8 - """ - self._initialize(**kwargs) - if self._local_provider.supports(KeyOperation.sign, algorithm): - raise_if_time_invalid(self._not_before, self._expires_on) - try: - return self._local_provider.sign(algorithm, digest) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local sign operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.sign}" operation with algorithm "{algorithm}"' - ) - - operation_result = self._client.sign( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeySignParameters(algorithm=algorithm, value=digest), - **kwargs - ) - - return SignResult(key_id=self.key_id, algorithm=algorithm, signature=operation_result.result) - - @distributed_trace - def verify(self, algorithm: SignatureAlgorithm, digest: bytes, signature: bytes, **kwargs: Any) -> VerifyResult: - """Verify a signature using the client's key. - - Requires the keys/verify permission. - - :param algorithm: verification algorithm - :type algorithm: ~azure.keyvault.keys.crypto.SignatureAlgorithm - :param bytes digest: Pre-hashed digest corresponding to **signature**. The hash algorithm used must be - compatible with ``algorithm``. - :param bytes signature: signature to verify - - :returns: The result of the verifying operation. - :rtype: ~azure.keyvault.keys.crypto.VerifyResult - - .. literalinclude:: ../tests/test_examples_crypto.py - :start-after: [START verify] - :end-before: [END verify] - :caption: Verify a signature - :language: python - :dedent: 8 - """ - self._initialize(**kwargs) - if self._local_provider.supports(KeyOperation.verify, algorithm): - try: - return self._local_provider.verify(algorithm, digest, signature) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local verify operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.verify}" operation with algorithm "{algorithm}"' - ) - - operation_result = self._client.verify( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyVerifyParameters(algorithm=algorithm, digest=digest, signature=signature), - **kwargs - ) - - return VerifyResult(key_id=self.key_id, algorithm=algorithm, is_valid=operation_result.value) - - def __enter__(self) -> "CryptographyClient": - self._client.__enter__() - return self diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_enums.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_enums.py deleted file mode 100644 index de0f19154879..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_enums.py +++ /dev/null @@ -1,49 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from enum import Enum -from azure.core import CaseInsensitiveEnumMeta - -# pylint: disable=enum-must-be-uppercase -class KeyWrapAlgorithm(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """Key wrapping algorithms""" - - aes_128 = "A128KW" - aes_192 = "A192KW" - aes_256 = "A256KW" - rsa_oaep = "RSA-OAEP" - rsa_oaep_256 = "RSA-OAEP-256" - rsa1_5 = "RSA1_5" - - -class EncryptionAlgorithm(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """Encryption algorithms""" - - rsa_oaep = "RSA-OAEP" - rsa_oaep_256 = "RSA-OAEP-256" - rsa1_5 = "RSA1_5" - a128_gcm = "A128GCM" - a192_gcm = "A192GCM" - a256_gcm = "A256GCM" - a128_cbc = "A128CBC" - a192_cbc = "A192CBC" - a256_cbc = "A256CBC" - a128_cbcpad = "A128CBCPAD" - a192_cbcpad = "A192CBCPAD" - a256_cbcpad = "A256CBCPAD" - - -class SignatureAlgorithm(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """Signature algorithms, described in https://tools.ietf.org/html/rfc7518""" - - ps256 = "PS256" #: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 - ps384 = "PS384" #: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 - ps512 = "PS512" #: RSASSA-PSS using SHA-512 and MGF1 with SHA-512 - rs256 = "RS256" #: RSASSA-PKCS1-v1_5 using SHA-256 - rs384 = "RS384" #: RSASSA-PKCS1-v1_5 using SHA-384 - rs512 = "RS512" #: RSASSA-PKCS1-v1_5 using SHA-512 - es256 = "ES256" #: ECDSA using P-256 and SHA-256 - es384 = "ES384" #: ECDSA using P-384 and SHA-384 - es512 = "ES512" #: ECDSA using P-521 and SHA-512 - es256_k = "ES256K" #: ECDSA using P-256K and SHA-256 diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/__init__.py deleted file mode 100644 index 880d4cdeb7ae..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/__init__.py +++ /dev/null @@ -1,32 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from .algorithm import ( - Algorithm, - AsymmetricEncryptionAlgorithm, - SymmetricEncryptionAlgorithm, - AuthenticatedSymmetricEncryptionAlgorithm, - SignatureAlgorithm, -) -from .ec_key import EllipticCurveKey -from .key import Key -from .rsa_key import RsaKey -from .symmetric_key import SymmetricKey -from .transform import CryptoTransform, BlockCryptoTransform, AuthenticatedCryptoTransform, SignatureTransform - -__all__ = [ - "Key", - "EllipticCurveKey", - "RsaKey", - "Algorithm", - "AsymmetricEncryptionAlgorithm", - "SymmetricEncryptionAlgorithm", - "AuthenticatedCryptoTransform", - "SignatureAlgorithm", - "CryptoTransform", - "BlockCryptoTransform", - "AuthenticatedSymmetricEncryptionAlgorithm", - "SignatureTransform", - "SymmetricKey", -] diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/_internal.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/_internal.py deleted file mode 100644 index f19eb2cb0ee0..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/_internal.py +++ /dev/null @@ -1,131 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import codecs -from base64 import b64encode, b64decode - -from cryptography.hazmat.primitives.asymmetric import utils - - -def _bytes_to_int(b): - if not b or not isinstance(b, bytes): - raise ValueError("b must be non-empty byte string") - - return int(codecs.encode(b, "hex"), 16) - - -def _int_to_bytes(i): - h = hex(i) - if len(h) > 1 and h[0:2] == "0x": - h = h[2:] - - # need to strip L in python 2.x - h = h.strip("L") - - if len(h) % 2: - h = "0" + h - return codecs.decode(h, "hex") - - -def _bstr_to_b64url(bstr): - """Serialize bytes into base-64 string. - - :param bytes bstr: Object to be serialized. - - :returns: The base-64 URL encoded string. - :rtype: str - """ - encoded = b64encode(bstr).decode() - return encoded.strip("=").replace("+", "-").replace("/", "_") - - -def _str_to_b64url(s): - """Serialize str into base-64 string. - - :param str s: Object to be serialized. - - :returns: The base-64 URL encoded string. - :rtype: str - """ - return _bstr_to_b64url(s.encode(encoding="utf8")) - - -def _b64_to_bstr(b64str): - """Deserialize base-64 encoded string into string. - - :param str b64str: response string to be deserialized. - - :returns: The decoded bytes. - :rtype: bytes - - :raises: TypeError if string format invalid. - """ - padding = "=" * (3 - (len(b64str) + 3) % 4) - b64str = b64str + padding - encoded = b64str.replace("-", "+").replace("_", "/") - return b64decode(encoded) - - -def _b64_to_str(b64str): - """Deserialize base-64 encoded string into string. - - :param str b64str: response string to be deserialized. - - :returns: The decoded string. - :rtype: str - - :raises: TypeError if string format invalid. - """ - return _b64_to_bstr(b64str).decode("utf8") - - -def _int_to_fixed_length_bigendian_bytes(i, length): - """Convert an integer to a bigendian byte string left-padded with zeroes to a fixed length. - - :param int i: The integer to convert. - :param int length: The length of the desired byte string. - - :returns: A bigendian byte string of length `length`, representing integer `i`. - :rtype: bytes - """ - - b = _int_to_bytes(i) - - if len(b) > length: - raise ValueError(f"{i} is too large to be represented by {length} bytes") - - if len(b) < length: - b = (b"\0" * (length - len(b))) + b - - return b - - -def ecdsa_to_asn1_der(signature): - """ASN.1 DER encode an ECDSA signature. - - :param bytes signature: ECDSA signature encoded according to RFC 7518, i.e. the concatenated big-endian bytes of - two integers (as produced by Key Vault) - - :returns: signature, ASN.1 DER encoded (as expected by ``cryptography``) - :rtype: bytes - """ - mid = len(signature) // 2 - r = _bytes_to_int(signature[:mid]) - s = _bytes_to_int(signature[mid:]) - return utils.encode_dss_signature(r, s) - - -def asn1_der_to_ecdsa(signature, algorithm): - """Convert an ASN.1 DER encoded signature to ECDSA encoding. - - :param bytes signature: an ASN.1 DER encoded ECDSA signature (as produced by ``cryptography``) - :param _Ecdsa algorithm: signing algorithm which produced ``signature`` - - :returns: signature encoded according to RFC 7518 (as expected by Key Vault) - :rtype: bytes - """ - r, s = utils.decode_dss_signature(signature) - r_bytes = _int_to_fixed_length_bigendian_bytes(r, algorithm.coordinate_length) - s_bytes = _int_to_fixed_length_bigendian_bytes(s, algorithm.coordinate_length) - return r_bytes + s_bytes diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithm.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithm.py deleted file mode 100644 index 1b2c2446ed6b..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithm.py +++ /dev/null @@ -1,78 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from abc import abstractmethod -from typing import Optional, TYPE_CHECKING, Union - -if TYPE_CHECKING: - from cryptography.hazmat.primitives import hashes - - -_alg_registry = {} - - -class Algorithm(object): - _name: Optional[str] = None - - @classmethod - def name(cls): - return cls._name - - @classmethod - def register(cls): - _alg_registry[cls._name] = cls - - @staticmethod - def resolve(name): - if name not in _alg_registry: - return None - return _alg_registry[name]() - - -class AsymmetricEncryptionAlgorithm(Algorithm): - @abstractmethod - def create_encryptor(self, key): - raise NotImplementedError() - - @abstractmethod - def create_decryptor(self, key): - raise NotImplementedError() - - -class SymmetricEncryptionAlgorithm(Algorithm): - @abstractmethod - def create_encryptor(self, key, iv): - raise NotImplementedError() - - @abstractmethod - def create_decryptor(self, key, iv): - raise NotImplementedError() - - -class AuthenticatedSymmetricEncryptionAlgorithm(Algorithm): # pylint:disable=bad-option-value,name-too-long - @abstractmethod - def create_encryptor(self, key, iv, auth_data, auth_tag): - raise NotImplementedError() - - @abstractmethod - def create_decryptor(self, key, iv, auth_data, auth_tag): - raise NotImplementedError() - - -class SignatureAlgorithm(Algorithm): - _default_hash_algorithm: "Union[hashes.SHA256, hashes.SHA384, hashes.SHA512, None]" = None - - @property - def default_hash_algorithm(self): - return self._default_hash_algorithm - - @abstractmethod - def create_signature_transform(self, key): - raise NotImplementedError() - - -class HashAlgorithm(Algorithm): - @abstractmethod - def create_digest(self): - raise NotImplementedError() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/__init__.py deleted file mode 100644 index 76c0368acdcf..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/__init__.py +++ /dev/null @@ -1,38 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from .aes_cbc import Aes128Cbc, Aes192Cbc, Aes256Cbc, Aes128CbcPad, Aes192CbcPad, Aes256CbcPad -from .aes_cbc_hmac import Aes128CbcHmacSha256, Aes192CbcHmacSha384, Aes256CbcHmacSha512 -from .aes_kw import AesKw128, AesKw192, AesKw256 -from .ecdsa import Ecdsa256, Es256, Es384, Es512 -from .rsa_encryption import Rsa1_5, RsaOaep, RsaOaep256 -from .rsa_signing import Ps256, Ps384, Ps512, Rs256, Rs384, Rs512 - -__all__ = [ - "Aes128Cbc", - "Aes192Cbc", - "Aes256Cbc", - "Aes128CbcPad", - "Aes192CbcPad", - "Aes256CbcPad", - "Aes128CbcHmacSha256", - "Aes192CbcHmacSha384", - "Aes256CbcHmacSha512", - "AesKw128", - "AesKw192", - "AesKw256", - "Ecdsa256", - "Es256", - "Es384", - "Es512", - "Ps256", - "Ps384", - "Ps512", - "Rsa1_5", - "Rs256", - "Rs384", - "Rs512", - "RsaOaep", - "RsaOaep256", -] diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/aes_cbc.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/aes_cbc.py deleted file mode 100644 index 618ffaf370ae..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/aes_cbc.py +++ /dev/null @@ -1,145 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes -from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives import padding - -from ..algorithm import SymmetricEncryptionAlgorithm -from ..transform import BlockCryptoTransform - - -# pylint: disable=W0223 - -_CBC_BLOCK_SIZE = 128 - - -class _AesCbcCryptoTransform(BlockCryptoTransform): - def __init__(self, key, iv): - super(_AesCbcCryptoTransform, self).__init__(key) - self._cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()) - - def transform(self, data): - return self.update(data) + self.finalize() - - def block_size(self): - return _CBC_BLOCK_SIZE - - -class _AesCbcDecryptor(_AesCbcCryptoTransform): - def __init__(self, key, iv, padding_mode): - super(_AesCbcDecryptor, self).__init__(key, iv) - self._ctx = self._cipher.decryptor() - self._padder = padding_mode.unpadder() - - def update(self, data): - decrypted = self._ctx.update(data) + self._ctx.finalize() - return self._padder.update(decrypted) - - def finalize(self): - return self._padder.finalize() - - -class _AesCbcEncryptor(_AesCbcCryptoTransform): - def __init__(self, key, iv, padding_mode): - super(_AesCbcEncryptor, self).__init__(key, iv) - self._ctx = self._cipher.encryptor() - self._padder = padding_mode.padder() - - def update(self, data): - padded = self._padder.update(data) + self._padder.finalize() - return self._ctx.update(padded) - - def finalize(self): - return self._ctx.finalize() - - -class _AesCbc(SymmetricEncryptionAlgorithm): - _key_size = 256 - _block_size = _CBC_BLOCK_SIZE - - def block_size(self): - return self._block_size - - def block_size_in_bytes(self): - return self._block_size >> 3 - - def key_size(self): - return self._key_size - - def key_size_in_bytes(self): - return self._key_size >> 3 - - def create_encryptor(self, key, iv): - key, iv = self._validate_input(key, iv) - - return _AesCbcEncryptor(key, iv, padding.PKCS7(self._block_size)) - - def create_decryptor(self, key, iv): - key, iv = self._validate_input(key, iv) - - return _AesCbcDecryptor(key, iv, padding.PKCS7(self._block_size)) - - def _validate_input(self, key, iv): - if not key: - raise ValueError("A key is required for AES-CBC and AES-CBCPAD encryption and decryption") - if len(key) < self.key_size_in_bytes(): - raise ValueError(f"key must be at least {self.key_size} bits") - - if not iv: - raise ValueError("A 16-byte iv is required for AES-CBC and AES-CBCPAD encryption and decryption") - if not len(iv) == self.block_size_in_bytes(): - raise ValueError(f"iv must be {self.block_size} bits") - - return key[: self.key_size_in_bytes()], iv - - -class _AesCbcPad(_AesCbc): - def create_encryptor(self, key, iv): - key, iv = self._validate_input(key, iv) - - return _AesCbcEncryptor(key, iv, padding.PKCS7(self._block_size)) - - def create_decryptor(self, key, iv): - key, iv = self._validate_input(key, iv) - - return _AesCbcDecryptor(key, iv, padding.PKCS7(self._block_size)) - - -class Aes128Cbc(_AesCbc): - _name = "A128CBC" - _key_size = 128 - - -class Aes128CbcPad(_AesCbcPad): - _name = "A128CBCPAD" - _key_size = 128 - - -class Aes192Cbc(_AesCbc): - _name = "A192CBC" - _key_size = 192 - - -class Aes192CbcPad(_AesCbcPad): - _name = "A192CBCPAD" - _key_size = 192 - - -class Aes256Cbc(_AesCbc): - _name = "A256CBC" - _key_size = 256 - - -class Aes256CbcPad(_AesCbcPad): - _name = "A256CBCPAD" - _key_size = 256 - - -Aes128Cbc.register() -Aes128CbcPad.register() -Aes192Cbc.register() -Aes192CbcPad.register() -Aes256Cbc.register() -Aes256CbcPad.register() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/aes_cbc_hmac.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/aes_cbc_hmac.py deleted file mode 100644 index 4fad959fade9..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/aes_cbc_hmac.py +++ /dev/null @@ -1,149 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from abc import abstractmethod - -from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes -from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives import padding, hashes, hmac - -from ..algorithm import AuthenticatedSymmetricEncryptionAlgorithm -from ..transform import AuthenticatedCryptoTransform -from .._internal import _int_to_fixed_length_bigendian_bytes - - -class _AesCbcHmacCryptoTransform(AuthenticatedCryptoTransform): - def __init__(self, key, iv, auth_data, auth_tag): - super(_AesCbcHmacCryptoTransform, self).__init__() - - self._aes_key = key[: len(key) // 2] - self._hmac_key = key[len(key) // 2 :] - hash_algorithm = {256: hashes.SHA256(), 384: hashes.SHA384(), 512: hashes.SHA512()}[len(key) * 8] - - self._cipher = Cipher(algorithms.AES(self._aes_key), modes.CBC(iv), backend=default_backend()) - self._tag = auth_tag or bytearray() - self._hmac = hmac.HMAC(self._hmac_key, hash_algorithm, backend=default_backend()) - self._auth_data_length = _int_to_fixed_length_bigendian_bytes(len(auth_data) * 8, 8) - - # prime the hash - self._hmac.update(auth_data) - self._hmac.update(iv) - - def tag(self): - return self._tag - - def block_size(self): - # return self._cipher.block_size - raise NotImplementedError() - - @abstractmethod - def update(self, data): - raise NotImplementedError() - - @abstractmethod - def finalize(self): - raise NotImplementedError() - - def transform(self, data): - return self.update(data) + self.finalize() - - -class _AesCbcHmacEncryptor(_AesCbcHmacCryptoTransform): - def __init__(self, key, iv, auth_data, auth_tag): - super(_AesCbcHmacEncryptor, self).__init__(key, iv, auth_data, auth_tag) - self._ctx = self._cipher.encryptor() - self._padder = padding.PKCS7(self.block_size).padder() - self._tag[:] = [] - - def update(self, data): - padded = self._padder.update(data) - cipher_text = self._ctx.update(padded) - self._hmac.update(cipher_text) - return cipher_text - - def finalize(self): - padded = self._padder.finalize() - cipher_text = self._ctx.update(padded) + self._ctx.finalize() - self._hmac.update(cipher_text) - self._hmac.update(self._auth_data_length) - self._tag.extend(self._hmac.finalize()[: len(self._hmac_key)]) - return cipher_text - - def block_size(self): - raise NotImplementedError() - - -class _AesCbcHmacDecryptor(_AesCbcHmacCryptoTransform): - def __init__(self, key, iv, auth_data, auth_tag): - super(_AesCbcHmacDecryptor, self).__init__(key, iv, auth_data, auth_tag) - self._ctx = self._cipher.decryptor() - self._padder = padding.PKCS7(self.block_size).unpadder() - - def update(self, data): - self._hmac.update(data) - padded = self._ctx.update(data) - return self._padder.update(padded) - - def finalize(self): - self._hmac.update(self._auth_data_length) - self._hmac.verify(self.tag) - padded = self._ctx.finalize() - return self._padder.update(padded) + self._padder.finalize() - - # override transform from the base so we can verify the entire hash before we start decrypting - def transform(self, data): - self._hmac.update(data) - self._hmac.update(self._auth_data_length) - self._hmac.verify(self.tag) - padded = self._ctx.update(data) + self._ctx.finalize() - return self._padder.update(padded) + self._padder.finalize() - - def block_size(self): - raise NotImplementedError() - - -class _AesCbcHmac(AuthenticatedSymmetricEncryptionAlgorithm): - _key_size = 256 - - @property - def block_size(self): - return self._key_size // 2 - - @property - def block_size_in_bytes(self): - return self.block_size >> 3 - - @property - def key_size(self): - return self._key_size - - @property - def key_size_in_bytes(self): - return self._key_size >> 3 - - def create_encryptor(self, key, iv, auth_data, auth_tag=None): - return _AesCbcHmacEncryptor(key, iv, auth_data, auth_tag) - - def create_decryptor(self, key, iv, auth_data, auth_tag): - return _AesCbcHmacDecryptor(key, iv, auth_data, auth_tag) - - -class Aes128CbcHmacSha256(_AesCbcHmac): - _key_size = 256 - _name = "A128CBC-HS256" - - -class Aes192CbcHmacSha384(_AesCbcHmac): - _key_size = 384 - _name = "A192CBC-HS384" - - -class Aes256CbcHmacSha512(_AesCbcHmac): - _key_size = 512 - _name = "A256CBC-HS512" - - -Aes128CbcHmacSha256.register() -Aes192CbcHmacSha384.register() -Aes256CbcHmacSha512.register() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/aes_kw.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/aes_kw.py deleted file mode 100644 index 4990de7331bb..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/aes_kw.py +++ /dev/null @@ -1,68 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap -from cryptography.hazmat.backends import default_backend - -from ..algorithm import AsymmetricEncryptionAlgorithm -from ..transform import CryptoTransform -from ..._enums import KeyWrapAlgorithm - - -class _AesKeyWrapTransform(CryptoTransform): - def transform(self, data): - return aes_key_wrap(self._key, data, default_backend()) - - -class _AesKeyUnwrapTransform(CryptoTransform): - def transform(self, data): - return aes_key_unwrap(self._key, data, default_backend()) - - -class _AesKeyWrap(AsymmetricEncryptionAlgorithm): - _key_size = 256 - - @property - def key_size(self): - return self._key_size - - @property - def key_size_in_bytes(self): - return self._key_size >> 3 - - def create_encryptor(self, key): - key = self._validate_input(key) - return _AesKeyWrapTransform(key) - - def create_decryptor(self, key): - key = self._validate_input(key) - return _AesKeyUnwrapTransform(key) - - def _validate_input(self, key): - if not key: - raise ValueError("key") - if len(key) < self.key_size_in_bytes: - raise ValueError(f"key must be at least {self.key_size} bits") - - return key[: self.key_size_in_bytes] - - -class AesKw128(_AesKeyWrap): - _key_size = 128 - _name = "A128KW" - - -class AesKw192(_AesKeyWrap): - _key_size = 192 - _name = "A192KW" - - -class AesKw256(_AesKeyWrap): - _key_size = 256 - _name = KeyWrapAlgorithm.aes_256 - - -AesKw128.register() -AesKw192.register() -AesKw256.register() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/ecdsa.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/ecdsa.py deleted file mode 100644 index 2c3a6c8bd132..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/ecdsa.py +++ /dev/null @@ -1,60 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import ec -from cryptography.hazmat.primitives.asymmetric import utils - -from ..algorithm import SignatureAlgorithm -from ..transform import SignatureTransform -from ..._enums import SignatureAlgorithm as KeyVaultSignatureAlgorithm - - -class _EcdsaSignatureTransform(SignatureTransform): - def __init__(self, key, hash_algorithm): - super(_EcdsaSignatureTransform, self).__init__() - - self._key = key - self._hash_algorithm = hash_algorithm - - def sign(self, digest): - return self._key.sign(digest, ec.ECDSA(utils.Prehashed(self._hash_algorithm))) - - def verify(self, digest, signature): - return self._key.verify(signature, digest, ec.ECDSA(utils.Prehashed(self._hash_algorithm))) - - -class _Ecdsa(SignatureAlgorithm): - def create_signature_transform(self, key): - return _EcdsaSignatureTransform(key, self.default_hash_algorithm) - - -class Ecdsa256(_Ecdsa): - _name = KeyVaultSignatureAlgorithm.es256_k - _default_hash_algorithm = hashes.SHA256() - coordinate_length = 32 - - -class Es256(_Ecdsa): - _name = KeyVaultSignatureAlgorithm.es256 - _default_hash_algorithm = hashes.SHA256() - coordinate_length = 32 - - -class Es384(_Ecdsa): - _name = KeyVaultSignatureAlgorithm.es384 - _default_hash_algorithm = hashes.SHA384() - coordinate_length = 48 - - -class Es512(_Ecdsa): - _name = KeyVaultSignatureAlgorithm.es512 - _default_hash_algorithm = hashes.SHA512() - coordinate_length = 66 - - -Ecdsa256.register() -Es256.register() -Es384.register() -Es512.register() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/rsa_encryption.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/rsa_encryption.py deleted file mode 100644 index df83c67365d2..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/rsa_encryption.py +++ /dev/null @@ -1,79 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import padding - -from ..algorithm import AsymmetricEncryptionAlgorithm -from ..transform import CryptoTransform -from ..._enums import EncryptionAlgorithm - - -class _Rsa1_5Encryptor(CryptoTransform): - def transform(self, data): - return self._key.encrypt(data, padding.PKCS1v15()) - - -class _Rsa1_5Decryptor(CryptoTransform): - def transform(self, data): - return self._key.decrypt(data, padding.PKCS1v15()) - - -class Rsa1_5(AsymmetricEncryptionAlgorithm): # pylint:disable=client-incorrect-naming-convention - _name = EncryptionAlgorithm.rsa1_5 - - def create_encryptor(self, key): - return _Rsa1_5Encryptor(key) - - def create_decryptor(self, key): - return _Rsa1_5Decryptor(key) - - -class _RsaOaepDecryptor(CryptoTransform): - def __init__(self, key, hash_cls): - self._hash_cls = hash_cls - super(_RsaOaepDecryptor, self).__init__(key) - - def transform(self, data): - oaep_padding = padding.OAEP( - mgf=padding.MGF1(algorithm=self._hash_cls()), algorithm=self._hash_cls(), label=None - ) - return self._key.decrypt(data, oaep_padding) - - -class _RsaOaepEncryptor(CryptoTransform): - def __init__(self, key, hash_cls): - self._hash_cls = hash_cls - super(_RsaOaepEncryptor, self).__init__(key) - - def transform(self, data): - oaep_padding = padding.OAEP( - mgf=padding.MGF1(algorithm=self._hash_cls()), algorithm=self._hash_cls(), label=None - ) - return self._key.encrypt(data, oaep_padding) - - -class RsaOaep(AsymmetricEncryptionAlgorithm): - _name = EncryptionAlgorithm.rsa_oaep - - def create_encryptor(self, key): - return _RsaOaepEncryptor(key, hashes.SHA1) - - def create_decryptor(self, key): - return _RsaOaepDecryptor(key, hashes.SHA1) - - -class RsaOaep256(AsymmetricEncryptionAlgorithm): - _name = EncryptionAlgorithm.rsa_oaep_256 - - def create_encryptor(self, key): - return _RsaOaepEncryptor(key, hashes.SHA256) - - def create_decryptor(self, key): - return _RsaOaepDecryptor(key, hashes.SHA256) - - -Rsa1_5.register() -RsaOaep.register() -RsaOaep256.register() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/rsa_signing.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/rsa_signing.py deleted file mode 100644 index 984befca583a..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/rsa_signing.py +++ /dev/null @@ -1,75 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from cryptography.hazmat.primitives import hashes -from cryptography.hazmat.primitives.asymmetric import padding, utils - -from ..algorithm import SignatureAlgorithm -from ..transform import SignatureTransform -from ..._enums import SignatureAlgorithm as KeyVaultSignatureAlgorithm - - -class RsaSignatureTransform(SignatureTransform): - def __init__(self, key, padding_function, hash_algorithm): - super(RsaSignatureTransform, self).__init__() - self._key = key - self._padding_function = padding_function - self._hash_algorithm = hash_algorithm - - def sign(self, digest): - return self._key.sign(digest, self._padding_function(digest), utils.Prehashed(self._hash_algorithm)) - - def verify(self, digest, signature): - self._key.verify(signature, digest, self._padding_function(digest), utils.Prehashed(self._hash_algorithm)) - - -class RsaSsaPkcs1v15(SignatureAlgorithm): - def create_signature_transform(self, key): - return RsaSignatureTransform(key, lambda _: padding.PKCS1v15(), self._default_hash_algorithm) - - -class RsaSsaPss(SignatureAlgorithm): - def create_signature_transform(self, key): - return RsaSignatureTransform(key, self._get_padding, self._default_hash_algorithm) - - def _get_padding(self, digest): - return padding.PSS(mgf=padding.MGF1(self._default_hash_algorithm), salt_length=len(digest)) - - -class Ps256(RsaSsaPss): - _name = KeyVaultSignatureAlgorithm.ps256 - _default_hash_algorithm = hashes.SHA256() - - -class Ps384(RsaSsaPss): - _name = KeyVaultSignatureAlgorithm.ps384 - _default_hash_algorithm = hashes.SHA384() - - -class Ps512(RsaSsaPss): - _name = KeyVaultSignatureAlgorithm.ps512 - _default_hash_algorithm = hashes.SHA512() - - -class Rs256(RsaSsaPkcs1v15): - _name = KeyVaultSignatureAlgorithm.rs256 - _default_hash_algorithm = hashes.SHA256() - - -class Rs384(RsaSsaPkcs1v15): - _name = KeyVaultSignatureAlgorithm.rs384 - _default_hash_algorithm = hashes.SHA384() - - -class Rs512(RsaSsaPkcs1v15): - _name = KeyVaultSignatureAlgorithm.rs512 - _default_hash_algorithm = hashes.SHA512() - - -Ps256.register() -Ps384.register() -Ps512.register() -Rs256.register() -Rs384.register() -Rs512.register() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/sha_2.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/sha_2.py deleted file mode 100644 index 34e4a0bc3bbc..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/algorithms/sha_2.py +++ /dev/null @@ -1,53 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from typing import Union, Type - -from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives import hashes - -from ..algorithm import HashAlgorithm -from ..transform import DigestTransform - - -class _Sha2DigestTransform(DigestTransform): - def __init__(self, algorithm): - super(_Sha2DigestTransform, self).__init__() - self._digest = hashes.Hash(algorithm=algorithm, backend=default_backend()) - - def update(self, data): - return self._digest.update(data) - - def finalize(self, data): - return self._digest.finalize() - - -class _Sha2HashAlgorithm(HashAlgorithm): - - _algorithm_cls: Union[Type[hashes.SHA256], Type[hashes.SHA384], Type[hashes.SHA512], None] = None - - def create_digest(self): - return _Sha2DigestTransform(self._algorithm_cls()) # pylint:disable=not-callable - - -class Sha256(_Sha2HashAlgorithm): - _algorithm_cls = hashes.SHA256 - _name = "SHA256" - - -class Sha384(_Sha2HashAlgorithm): - _algorithm_cls = hashes.SHA384 - _name = "SHA384" - - -class Sha512(_Sha2HashAlgorithm): - _algorithm_cls = hashes.SHA512 - _name = "SHA512" - - -Sha256.register() - -Sha384.register() - -Sha512.register() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/ec_key.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/ec_key.py deleted file mode 100644 index 481a6fd45241..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/ec_key.py +++ /dev/null @@ -1,106 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import uuid - -from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives.asymmetric.ec import ( - EllipticCurvePrivateKey, - EllipticCurvePrivateNumbers, - EllipticCurvePublicNumbers, - SECP256R1, - SECP384R1, - SECP521R1, - SECP256K1, -) - -from ._internal import _bytes_to_int, asn1_der_to_ecdsa, ecdsa_to_asn1_der -from .key import Key -from .algorithms.ecdsa import Es256, Es512, Es384, Ecdsa256 -from ... import KeyCurveName - -_crypto_crv_to_kv_crv = { - "secp256r1": KeyCurveName.p_256, - "secp384r1": KeyCurveName.p_384, - "secp521r1": KeyCurveName.p_521, - "secp256k1": KeyCurveName.p_256_k, -} -_kv_crv_to_crypto_cls = { - KeyCurveName.p_256: SECP256R1, - KeyCurveName.p_256_k: SECP256K1, - KeyCurveName.p_384: SECP384R1, - KeyCurveName.p_521: SECP521R1, - "SECP256K1": SECP256K1, # "SECP256K1" is from Key Vault 2016-10-01 -} -_curve_to_default_algorithm = { - KeyCurveName.p_256: Es256.name(), - KeyCurveName.p_256_k: Ecdsa256.name(), - KeyCurveName.p_384: Es384.name(), - KeyCurveName.p_521: Es512.name(), - "SECP256K1": Ecdsa256.name(), # "SECP256K1" is from Key Vault 2016-10-01 -} - - -class EllipticCurveKey(Key): - _supported_signature_algorithms = frozenset(_curve_to_default_algorithm.values()) - - def __init__(self, x, y, d=None, kid=None, curve=None): - super(EllipticCurveKey, self).__init__() - - self._kid = kid or str(uuid.uuid4()) - self._default_algorithm = _curve_to_default_algorithm[curve] - curve_cls = _kv_crv_to_crypto_cls[curve] - - public_numbers = EllipticCurvePublicNumbers(x, y, curve_cls()) - self._public_key = public_numbers.public_key(default_backend()) - self._private_key = None - if d is not None: - private_numbers = EllipticCurvePrivateNumbers(d, public_numbers) - self._private_key = private_numbers.private_key(default_backend()) - - @classmethod - def from_jwk(cls, jwk): - if jwk.kty not in ("EC", "EC-HSM"): - raise ValueError("The specified key must be of type 'EC' or 'EC-HSM'") - - if not jwk.x or not jwk.y: - raise ValueError("jwk must have values for 'x' and 'y'") - - x = _bytes_to_int(jwk.x) - y = _bytes_to_int(jwk.y) - d = _bytes_to_int(jwk.d) if jwk.d is not None else None - return cls(x, y, d, kid=jwk.kid, curve=jwk.crv) - - def is_private_key(self): - return isinstance(self._private_key, EllipticCurvePrivateKey) - - def decrypt(self, cipher_text, **kwargs): - raise NotImplementedError("Local decryption isn't supported with elliptic curve keys") - - def encrypt(self, plain_text, **kwargs): - raise NotImplementedError("Local encryption isn't supported with elliptic curve keys") - - def wrap_key(self, key, **kwargs): - raise NotImplementedError("Local key wrapping isn't supported with elliptic curve keys") - - def unwrap_key(self, encrypted_key, **kwargs): - raise NotImplementedError("Local key unwrapping isn't supported with elliptic curve keys") - - def sign(self, digest, **kwargs): - algorithm = self._get_algorithm("sign", **kwargs) - signer = algorithm.create_signature_transform(self._private_key) - signature = signer.sign(digest) - ecdsa_signature = asn1_der_to_ecdsa(signature, algorithm) - return ecdsa_signature - - def verify(self, digest, signature, **kwargs): - algorithm = self._get_algorithm("verify", **kwargs) - signer = algorithm.create_signature_transform(self._public_key) - asn1_signature = ecdsa_to_asn1_der(signature) - try: - signer.verify(digest, asn1_signature) - return True - except InvalidSignature: - return False diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/key.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/key.py deleted file mode 100644 index 82298feb1654..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/key.py +++ /dev/null @@ -1,94 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ - -from abc import ABCMeta, abstractmethod -from typing import Any, FrozenSet - -from .algorithm import Algorithm - - -class Key(object, metaclass=ABCMeta): - _supported_encryption_algorithms: FrozenSet[Any] = frozenset([]) - _supported_key_wrap_algorithms: FrozenSet[Any] = frozenset([]) - _supported_signature_algorithms: FrozenSet[Any] = frozenset([]) - - def __init__(self): - self._kid = None - - @property - def default_encryption_algorithm(self): - return None - - @property - def default_key_wrap_algorithm(self): - return None - - @property - def default_signature_algorithm(self): - return None - - @property - def supported_encryption_algorithms(self): - return self._supported_encryption_algorithms - - @property - def supported_key_wrap_algorithms(self): - return self._supported_key_wrap_algorithms - - @property - def supported_signature_algorithms(self): - return self._supported_signature_algorithms - - @property - def kid(self): - return self._kid - - @abstractmethod - def is_private_key(self): - pass - - @abstractmethod - def decrypt(self, cipher_text, **kwargs): - raise NotImplementedError() - - @abstractmethod - def encrypt(self, plain_text, **kwargs): - raise NotImplementedError() - - @abstractmethod - def wrap_key(self, key, **kwargs): - raise NotImplementedError() - - @abstractmethod - def unwrap_key(self, encrypted_key, **kwargs): - raise NotImplementedError() - - @abstractmethod - def sign(self, digest, **kwargs): - raise NotImplementedError() - - @abstractmethod - def verify(self, digest, signature, **kwargs): - raise NotImplementedError() - - def _get_algorithm(self, op, **kwargs): - default_algorithm, supported_algorithms = { - "encrypt": (self.default_encryption_algorithm, self.supported_encryption_algorithms), - "decrypt": (self.default_encryption_algorithm, self.supported_encryption_algorithms), - "wrapKey": (self.default_key_wrap_algorithm, self.supported_key_wrap_algorithms), - "unwrapKey": (self.default_key_wrap_algorithm, self.supported_key_wrap_algorithms), - "sign": (self.default_signature_algorithm, self.supported_signature_algorithms), - "verify": (self.default_signature_algorithm, self.supported_signature_algorithms), - }[op] - - algorithm = kwargs.get("algorithm", default_algorithm) - - if not isinstance(algorithm, Algorithm): - algorithm = Algorithm.resolve(algorithm) - - if not algorithm or not supported_algorithms or algorithm.name() not in supported_algorithms: - raise ValueError(f"unsupported algorithm '{algorithm}'") - - return algorithm diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/rsa_key.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/rsa_key.py deleted file mode 100644 index e1325894bccc..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/rsa_key.py +++ /dev/null @@ -1,221 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import uuid - -from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives.asymmetric.rsa import ( - RSAPrivateKey, - RSAPrivateNumbers, - RSAPublicNumbers, - generate_private_key, - rsa_crt_dmp1, - rsa_crt_dmq1, - rsa_crt_iqmp, -) - -from ._internal import _bytes_to_int, _int_to_bytes -from .key import Key -from .algorithms import Ps256, Ps384, Ps512, Rsa1_5, RsaOaep, RsaOaep256, Rs256, Rs384, Rs512 -from ... import JsonWebKey, KeyOperation - - -class RsaKey(Key): # pylint:disable=too-many-public-methods - PUBLIC_KEY_DEFAULT_OPS = [KeyOperation.encrypt, KeyOperation.wrap_key, KeyOperation.verify] - PRIVATE_KEY_DEFAULT_OPS = PUBLIC_KEY_DEFAULT_OPS + [ - KeyOperation.decrypt, - KeyOperation.unwrap_key, - KeyOperation.sign, - ] - - _supported_encryption_algorithms = frozenset((Rsa1_5.name(), RsaOaep.name(), RsaOaep256.name())) - _supported_key_wrap_algorithms = frozenset((Rsa1_5.name(), RsaOaep.name(), RsaOaep256.name())) - _supported_signature_algorithms = frozenset( - (Ps256.name(), Ps384.name(), Ps512.name(), Rs256.name(), Rs384.name(), Rs512.name(),) - ) - - def __init__(self, kid=None): - super(RsaKey, self).__init__() - self._kid = kid - self.kty = None - self.key_ops = None - self._rsa_impl = None - - @property - def n(self): - return _int_to_bytes(self._public_key_material().n) - - @property - def e(self): - return _int_to_bytes(self._public_key_material().e) - - @property - def p(self): - return _int_to_bytes(self._private_key_material().p) if self.is_private_key() else None - - @property - def q(self): - return _int_to_bytes(self._private_key_material().q) if self.is_private_key() else None - - @property - def b(self): - return _int_to_bytes(self._private_key_material().b) if self.is_private_key() else None - - @property - def d(self): - return _int_to_bytes(self._private_key_material().d) if self.is_private_key() else None - - @property - def dq(self): - return _int_to_bytes(self._private_key_material().dmq1) if self.is_private_key() else None - - @property - def dp(self): - return _int_to_bytes(self._private_key_material().dmp1) if self.is_private_key() else None - - @property - def qi(self): - return _int_to_bytes(self._private_key_material().iqmp) if self.is_private_key() else None - - @property - def private_key(self): - return self._rsa_impl if self.is_private_key() else None - - @property - def public_key(self): - return self._rsa_impl.public_key() if self.is_private_key() else self._rsa_impl - - @staticmethod - def generate(kid=None, kty="RSA", size=2048, e=65537): - key = RsaKey() - key.kid = kid or str(uuid.uuid4()) - key.kty = kty - key.key_ops = RsaKey.PRIVATE_KEY_DEFAULT_OPS - # pylint:disable=protected-access - key._rsa_impl = generate_private_key(public_exponent=e, key_size=size, backend=default_backend()) - return key - - @classmethod - def from_jwk(cls, jwk): - if jwk.kty not in ("RSA", "RSA-HSM"): - raise ValueError('The specified jwk must have a key type of "RSA" or "RSA-HSM"') - - if not jwk.n or not jwk.e: - raise ValueError("Invalid RSA jwk, both n and e must be have values") - - rsa_key = cls(kid=jwk.kid) - rsa_key.kty = jwk.kty - rsa_key.key_ops = jwk.key_ops - - pub = RSAPublicNumbers(n=_bytes_to_int(jwk.n), e=_bytes_to_int(jwk.e)) - - # if the private key values are specified construct a private key - # only the secret primes and private exponent are needed as other fields can be calculated - if jwk.p and jwk.q and jwk.d: - # convert the values of p, q, and d from bytes to int - p = _bytes_to_int(jwk.p) - q = _bytes_to_int(jwk.q) - d = _bytes_to_int(jwk.d) - - # convert or compute the remaining private key numbers - dmp1 = _bytes_to_int(jwk.dp) if jwk.dp else rsa_crt_dmp1(private_exponent=d, p=p) - dmq1 = _bytes_to_int(jwk.dq) if jwk.dq else rsa_crt_dmq1(private_exponent=d, q=q) - iqmp = _bytes_to_int(jwk.qi) if jwk.qi else rsa_crt_iqmp(p=p, q=q) - - # create the private key from the jwk key values - priv = RSAPrivateNumbers(p=p, q=q, d=d, dmp1=dmp1, dmq1=dmq1, iqmp=iqmp, public_numbers=pub) - key_impl = priv.private_key(default_backend()) - - # if the necessary private key values are not specified create the public key - else: - key_impl = pub.public_key(default_backend()) - - rsa_key._rsa_impl = key_impl - - return rsa_key - - def to_jwk(self, include_private=False): - jwk = JsonWebKey( - kid=self.kid, - kty=self.kty, - key_ops=self.key_ops if include_private else RsaKey.PUBLIC_KEY_DEFAULT_OPS, - n=self.n, - e=self.e, - ) - - if include_private: - jwk.q = self.q - jwk.p = self.p - jwk.d = self.d - jwk.dq = self.dq - jwk.dp = self.dp - jwk.qi = self.qi - - return jwk - - @property - def default_encryption_algorithm(self): - return RsaOaep.name() - - @property - def default_key_wrap_algorithm(self): - return RsaOaep.name() - - @property - def default_signature_algorithm(self): - return Rs256.name() - - def encrypt(self, plain_text, **kwargs): - algorithm = self._get_algorithm("encrypt", **kwargs) - encryptor = algorithm.create_encryptor(self.public_key) - return encryptor.transform(plain_text) - - def decrypt(self, cipher_text, **kwargs): - if not self.is_private_key(): - raise NotImplementedError("The current RsaKey does not support decrypt") - - algorithm = self._get_algorithm("decrypt", **kwargs) - decryptor = algorithm.create_decryptor(self.private_key) - return decryptor.transform(cipher_text) - - def sign(self, digest, **kwargs): - if not self.is_private_key(): - raise NotImplementedError("The current RsaKey does not support sign") - - algorithm = self._get_algorithm("sign", **kwargs) - signer = algorithm.create_signature_transform(self.private_key) - return signer.sign(digest) - - def verify(self, digest, signature, **kwargs): - algorithm = self._get_algorithm("verify", **kwargs) - signer = algorithm.create_signature_transform(self.public_key) - try: - # cryptography's verify methods return None, and raise when verification fails - signer.verify(digest, signature) - return True - except InvalidSignature: - return False - - def wrap_key(self, key, **kwargs): - algorithm = self._get_algorithm("wrapKey", **kwargs) - encryptor = algorithm.create_encryptor(self.public_key) - return encryptor.transform(key) - - def unwrap_key(self, encrypted_key, **kwargs): - if not self.is_private_key(): - raise NotImplementedError("The current RsaKey does not support unwrap") - - algorithm = self._get_algorithm("unwrapKey", **kwargs) - decryptor = algorithm.create_decryptor(self.private_key) - return decryptor.transform(encrypted_key) - - def is_private_key(self): - return isinstance(self._rsa_impl, RSAPrivateKey) - - def _public_key_material(self): - return self.public_key.public_numbers() - - def _private_key_material(self): - return self.private_key.private_numbers() if self.private_key else None diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/symmetric_key.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/symmetric_key.py deleted file mode 100644 index 1682b1ac4bd0..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/symmetric_key.py +++ /dev/null @@ -1,125 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import uuid -import os - -from azure.core.exceptions import AzureError -from .key import Key -from .algorithms.aes_cbc import Aes256CbcPad, Aes192CbcPad, Aes128CbcPad -from .algorithms.aes_cbc_hmac import Aes256CbcHmacSha512, Aes192CbcHmacSha384 -from .algorithms.aes_kw import AesKw256, AesKw192, AesKw128 - -key_size_128 = 128 >> 3 -key_size_192 = 192 >> 3 -key_size_256 = 256 >> 3 -key_size_384 = 384 >> 3 -key_size_512 = 512 >> 3 - -_default_key_size = key_size_256 - -_supported_key_sizes = [key_size_128, key_size_192, key_size_256, key_size_384, key_size_512] - -_default_enc_alg_by_size = { - key_size_128: Aes128CbcPad.name(), - key_size_192: Aes192CbcPad.name(), - key_size_256: Aes256CbcPad.name(), - key_size_384: Aes192CbcHmacSha384.name(), - key_size_512: Aes256CbcHmacSha512.name(), -} - -_default_kw_alg_by_size = { - key_size_128: AesKw128.name(), - key_size_192: AesKw192.name(), - key_size_256: AesKw256.name(), - key_size_384: AesKw256.name(), - key_size_512: AesKw256.name(), -} - - -def raise_if_incorrect_key_size(algorithm, key_size): - if algorithm._key_size >> 3 != key_size: # pylint:disable=protected-access - raise AzureError("Invalid AES encryption algorithm for key size. The algorithm must match the size of the key.") - - -class SymmetricKey(Key): - def __init__(self, kid=None, key_bytes=None, key_size=None): - super(SymmetricKey, self).__init__() - - self._kid = kid or str(uuid.uuid4()) - - if not key_bytes: - key_size = key_size or _default_key_size - - if key_size not in _supported_key_sizes: - raise ValueError("The key size must be 128, 192, 256, 384 or 512 bits of data") - - key_bytes = os.urandom(key_size) - - if len(key_bytes) not in _supported_key_sizes: - raise ValueError("The key size must be 128, 192, 256, 384 or 512 bits of data") - - self._key = key_bytes - - supported_encryption_algorithms = [] - supported_key_wrap_algorithms = [] - key_size = len(self._key) - if key_size >= key_size_128: - supported_encryption_algorithms.append(Aes128CbcPad.name()) - supported_key_wrap_algorithms.append(AesKw128.name()) - if key_size >= key_size_192: - supported_encryption_algorithms.append(Aes192CbcPad.name()) - supported_key_wrap_algorithms.append(AesKw192.name()) - if key_size >= key_size_256: - supported_encryption_algorithms.append(Aes256CbcPad.name()) - supported_key_wrap_algorithms.append(AesKw256.name()) - self._supported_encryption_algorithms = frozenset(supported_encryption_algorithms) - self._supported_key_wrap_algorithms = frozenset(supported_key_wrap_algorithms) - - def is_private_key(self): - return True - - @classmethod - def from_jwk(cls, jwk): - return cls(kid=jwk.kid, key_bytes=jwk.k) - - @property - def kid(self): - return self._kid - - @property - def default_encryption_algorithm(self): - return _default_enc_alg_by_size[len(self._key)] - - @property - def default_key_wrap_algorithm(self): - return _default_kw_alg_by_size[len(self._key)] - - def encrypt(self, plain_text, iv, **kwargs): # pylint:disable=arguments-differ - algorithm = self._get_algorithm("encrypt", **kwargs) - raise_if_incorrect_key_size(algorithm, len(self._key)) - encryptor = algorithm.create_encryptor(key=self._key, iv=iv) - return encryptor.transform(plain_text) - - def decrypt(self, cipher_text, iv, **kwargs): # pylint:disable=arguments-differ - algorithm = self._get_algorithm("decrypt", **kwargs) - raise_if_incorrect_key_size(algorithm, len(self._key)) - decryptor = algorithm.create_decryptor(key=self._key, iv=iv) - return decryptor.transform(cipher_text) - - def wrap_key(self, key, **kwargs): - algorithm = self._get_algorithm("wrapKey", **kwargs) - encryptor = algorithm.create_encryptor(key=self._key) - return encryptor.transform(key) - - def unwrap_key(self, encrypted_key, **kwargs): - algorithm = self._get_algorithm("unwrapKey", **kwargs) - decryptor = algorithm.create_decryptor(key=self._key) - return decryptor.transform(encrypted_key) - - def sign(self, digest, **kwargs): - raise NotImplementedError("Local signing isn't supported with symmetric keys") - - def verify(self, digest, signature, **kwargs): - raise NotImplementedError("Local signature verification isn't supported with symmetric keys") diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/transform.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/transform.py deleted file mode 100644 index 3a24f7ab1a7f..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/transform.py +++ /dev/null @@ -1,61 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ - -from abc import ABCMeta, abstractmethod - - -class CryptoTransform(object, metaclass=ABCMeta): - def __init__(self, key): - self._key = key - - def __enter__(self): - return self - - def __exit__(self, exc_type, exc_val, exc_tb): - self._key = None - - @abstractmethod - def transform(self, data): - raise NotImplementedError() - - -class BlockCryptoTransform(CryptoTransform): - @abstractmethod - def block_size(self): - raise NotImplementedError() - - @abstractmethod - def update(self, data): - raise NotImplementedError() - - @abstractmethod - def finalize(self): - raise NotImplementedError() - - -class AuthenticatedCryptoTransform(object, metaclass=ABCMeta): - @abstractmethod - def tag(self): - raise NotImplementedError() - - -class SignatureTransform(object, metaclass=ABCMeta): - @abstractmethod - def sign(self, digest): - raise NotImplementedError() - - @abstractmethod - def verify(self, digest, signature): - raise NotImplementedError() - - -class DigestTransform(object, metaclass=ABCMeta): - @abstractmethod - def update(self, data): - raise NotImplementedError() - - @abstractmethod - def finalize(self, data): - raise NotImplementedError() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_key_validity.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_key_validity.py deleted file mode 100644 index 4e879040759b..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_key_validity.py +++ /dev/null @@ -1,16 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from datetime import datetime, timezone -from typing import Optional - - -def raise_if_time_invalid(not_before: Optional[datetime], expires_on: Optional[datetime]) -> None: - now = datetime.now(timezone.utc) - if (not_before and expires_on) and not not_before <= now <= expires_on: - raise ValueError(f"This client's key is useable only between {not_before} and {expires_on} (UTC)") - if not_before and not_before > now: - raise ValueError(f"This client's key is not useable until {not_before} (UTC)") - if expires_on and expires_on <= now: - raise ValueError(f"This client's key expired at {expires_on} (UTC)") diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_models.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_models.py deleted file mode 100644 index e673940f1fa4..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_models.py +++ /dev/null @@ -1,582 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from typing import Any, cast, Optional, NoReturn, Union, TYPE_CHECKING - -from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.primitives.asymmetric.padding import AsymmetricPadding, OAEP, PKCS1v15, PSS, MGF1 -from cryptography.hazmat.primitives.asymmetric.rsa import ( - rsa_crt_dmp1, - rsa_crt_dmq1, - rsa_crt_iqmp, - rsa_recover_prime_factors, - RSAPrivateKey, - RSAPrivateNumbers, - RSAPublicKey, - RSAPublicNumbers, -) -from cryptography.hazmat.primitives.asymmetric.utils import Prehashed -from cryptography.hazmat.primitives.hashes import Hash, HashAlgorithm, SHA1, SHA256, SHA384, SHA512 -from cryptography.hazmat.primitives.serialization import ( - Encoding, - KeySerializationEncryption, - PrivateFormat, - PublicFormat, -) - -from ._enums import EncryptionAlgorithm, KeyWrapAlgorithm, SignatureAlgorithm -from .._models import JsonWebKey - -if TYPE_CHECKING: - # Import client only during TYPE_CHECKING to avoid circular dependency - from ._client import CryptographyClient - - -SIGN_ALGORITHM_MAP = { - SHA256: SignatureAlgorithm.rs256, - SHA384: SignatureAlgorithm.rs384, - SHA512: SignatureAlgorithm.rs512, -} -OAEP_MAP = {SHA1: EncryptionAlgorithm.rsa_oaep, SHA256: EncryptionAlgorithm.rsa_oaep_256} -PSS_MAP = { - SignatureAlgorithm.rs256: SignatureAlgorithm.ps256, - SignatureAlgorithm.rs384: SignatureAlgorithm.ps384, - SignatureAlgorithm.rs512: SignatureAlgorithm.ps512, -} - - -def get_encryption_algorithm(padding: AsymmetricPadding) -> EncryptionAlgorithm: - """Maps an `AsymmetricPadding` to an encryption algorithm. - - :param padding: The padding to use. - :type padding: ~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding - - :returns: The corresponding Key Vault encryption algorithm. - :rtype: EncryptionAlgorithm - """ - if isinstance(padding, OAEP): - # Public algorithm property was only added in https://github.com/pyca/cryptography/pull/9582 - # _algorithm property has been available in every version of the OAEP class, so we use it as a backup - try: - algorithm = padding.algorithm # type: ignore[attr-defined] - except AttributeError: - algorithm = padding._algorithm # pylint:disable=protected-access - mapped_algorithm = OAEP_MAP.get(type(algorithm)) - if mapped_algorithm is None: - raise ValueError(f"Unsupported algorithm: {algorithm.name}") - - # Public mgf property was added at the same time as algorithm - try: - mgf = padding.mgf # type: ignore[attr-defined] - except AttributeError: - mgf = padding._mgf # pylint:disable=protected-access - if not isinstance(mgf, MGF1): - raise ValueError(f"Unsupported MGF: {mgf}") - - elif isinstance(padding, PKCS1v15): - mapped_algorithm = EncryptionAlgorithm.rsa1_5 - else: - raise ValueError(f"Unsupported padding: {padding.name}") - - return mapped_algorithm - - -def get_signature_algorithm(padding: AsymmetricPadding, algorithm: HashAlgorithm) -> SignatureAlgorithm: - """Maps an `AsymmetricPadding` and `HashAlgorithm` to a signature algorithm. - - :param padding: The padding to use. - :type padding: ~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding - :param algorithm: The algorithm to use. - :type algorithm: ~cryptography.hazmat.primitives.hashes.HashAlgorithm - - :returns: The corresponding Key Vault signature algorithm. - :rtype: SignatureAlgorithm - """ - mapped_algorithm = SIGN_ALGORITHM_MAP.get(type(algorithm)) - if mapped_algorithm is None: - raise ValueError(f"Unsupported algorithm: {algorithm.name}") - - # If PSS padding is requested, use the PSS equivalent algorithm - if isinstance(padding, PSS): - mapped_algorithm = PSS_MAP.get(mapped_algorithm) - - # Public mgf property was only added in https://github.com/pyca/cryptography/pull/9582 - # _mgf property has been available in every version of the PSS class, so we use it as a backup - try: - mgf = padding.mgf # type: ignore[attr-defined] - except AttributeError: - mgf = padding._mgf # pylint:disable=protected-access - if not isinstance(mgf, MGF1): - raise ValueError(f"Unsupported MGF: {mgf}") - - # The only other padding accepted is PKCS1v15 - elif not isinstance(padding, PKCS1v15): - raise ValueError(f"Unsupported padding: {padding.name}") - - return cast(SignatureAlgorithm, mapped_algorithm) - - -class KeyVaultRSAPublicKey(RSAPublicKey): - """An `RSAPublicKey` implementation based on a key managed by Key Vault. - - This class should not be instantiated directly. Instead, use the - :func:`~azure.keyvault.keys.crypto.CryptographyClient.create_rsa_public_key` method to create a key based on the - client's key. Only synchronous clients and operations are supported at this time. - """ - - def __init__(self, client: "CryptographyClient", key_material: Optional[JsonWebKey] = None) -> None: - self._client: "CryptographyClient" = client - self._key: Optional[JsonWebKey] = key_material - - def encrypt(self, plaintext: bytes, padding: AsymmetricPadding) -> bytes: - """Encrypts the given plaintext. - - :param bytes plaintext: Plaintext to encrypt. - :param padding: The padding to use. Supported paddings are `OAEP` and `PKCS1v15`. For `OAEP` padding, supported - hash algorithms are `SHA1` and `SHA256`. The only supported mask generation function is `MGF1`. See - https://learn.microsoft.com/azure/key-vault/keys/about-keys-details for details. - :type padding: ~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding - - :returns: The encrypted ciphertext, as bytes. - :rtype: bytes - """ - mapped_algorithm = get_encryption_algorithm(padding) - result = self._client.encrypt(mapped_algorithm, plaintext) - return result.ciphertext - - @property - def key_size(self) -> int: - """The bit length of the public modulus. - - :returns: The key's size. - :rtype: int - - :raises ValueError: if the client is unable to obtain the key material from Key Vault. - """ - if self._key is None: - raise ValueError( - "Key material could not be obtained from Key Vault. Only remote cryptographic operations " - "(encrypt, verify) can be performed." - ) - - public_key = self.public_numbers().public_key() - return public_key.key_size - - def public_numbers(self) -> RSAPublicNumbers: - """Returns an `RSAPublicNumbers` representing the key's public numbers. - - :returns: The public numbers of the key. - :rtype: RSAPublicNumbers - - :raises ValueError: if the client is unable to obtain the key material from Key Vault. - """ - if self._key is None: - raise ValueError( - "Key material could not be obtained from Key Vault. Only remote cryptographic operations " - "(encrypt, verify) can be performed." - ) - - e = int.from_bytes(self._key.e, "big") # type: ignore[attr-defined] - n = int.from_bytes(self._key.n, "big") # type: ignore[attr-defined] - return RSAPublicNumbers(e, n) - - def public_bytes(self, encoding: Encoding, format: PublicFormat) -> bytes: - """Allows serialization of the key to bytes. - - This function uses the `cryptography` library's implementation. - Encoding (`PEM` or `DER`) and format (`SubjectPublicKeyInfo` or `PKCS1`) are chosen to define the exact - serialization. - - :param encoding: A value from the `Encoding` enum. - :type encoding: ~cryptography.hazmat.primitives.serialization.Encoding - :param format: A value from the `PublicFormat` enum. - :type format: ~cryptography.hazmat.primitives.serialization.PublicFormat - - :returns: The serialized key. - :rtype: bytes - - :raises ValueError: if the client is unable to obtain the key material from Key Vault. - """ - if self._key is None: - raise ValueError( - "Key material could not be obtained from Key Vault. Only remote cryptographic operations " - "(encrypt, verify) can be performed." - ) - - public_key = self.public_numbers().public_key() - return public_key.public_bytes(encoding=encoding, format=format) - - def verify( - self, - signature: bytes, - data: bytes, - padding: AsymmetricPadding, - algorithm: Union[Prehashed, HashAlgorithm], - ) -> None: - """Verifies the signature of the data. - - :param bytes signature: The signature to sign, as bytes. - :param bytes data: The message string that was signed., as bytes. - :param padding: The padding to use. Supported paddings are `PKCS1v15` and `PSS`. For `PSS`, the only supported - mask generation function is `MGF1`. See https://learn.microsoft.com/azure/key-vault/keys/about-keys-details - for details. - :type padding: ~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding - :param algorithm: The algorithm to sign with. Only `HashAlgorithm`s are supported -- specifically, `SHA256`, - `SHA384`, and `SHA512`. - :type algorithm: ~cryptography.hazmat.primitives.asymmetric.utils.Prehashed or - cryptography.hazmat.primitives.hashes.HashAlgorithm - - :raises InvalidSignature: If the signature does not validate. - """ - if isinstance(algorithm, Prehashed): - raise ValueError("`Prehashed` algorithms are unsupported. Please provide a `HashAlgorithm` instead.") - mapped_algorithm = get_signature_algorithm(padding, algorithm) - digest = Hash(algorithm) - digest.update(data) - result = self._client.verify(mapped_algorithm, digest.finalize(), signature) - if not result.is_valid: - raise InvalidSignature(f"The provided signature '{signature!r}' is invalid.") - - def recover_data_from_signature( - self, signature: bytes, padding: AsymmetricPadding, algorithm: Optional[HashAlgorithm] - ) -> bytes: - # pylint: disable=line-too-long - """Recovers the signed data from the signature. Only supported with `cryptography` version 3.3 and above. - - This function uses the `cryptography` library's implementation. - The data typically contains the digest of the original message string. The `padding` and `algorithm` parameters - must match the ones used when the signature was created for the recovery to succeed. - The `algorithm` parameter can also be set to None to recover all the data present in the signature, without - regard to its format or the hash algorithm used for its creation. - - For `PKCS1v15` padding, this method returns the data after removing the padding layer. For standard signatures - the data contains the full `DigestInfo` structure. For non-standard signatures, any data can be returned, - including zero-length data. - - Normally you should use the `verify()` function to validate the signature. But for some non-standard signature - formats you may need to explicitly recover and validate the signed data. The following are some examples: - - * Some old Thawte and Verisign timestamp certificates without `DigestInfo`. - * Signed MD5/SHA1 hashes in TLS 1.1 or earlier (`RFC 4346 `_, section 4.7). - * IKE version 1 signatures without `DigestInfo` (`RFC 2409 `_, section 5.1). - - :param bytes signature: The signature. - :param padding: An instance of `AsymmetricPadding`. Recovery is only supported with some of the padding types. - :type padding: ~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding - :param algorithm: An instance of `HashAlgorithm`. Can be None to return all the data present in the signature. - :type algorithm: ~cryptography.hazmat.primitives.hashes.HashAlgorithm - - :returns: The signed data. - :rtype: bytes - :raises NotImplementedError: if the local version of `cryptography` doesn't support this method. - :raises ~cryptography.exceptions.InvalidSignature: if the signature is invalid. - :raises ~cryptography.exceptions.UnsupportedAlgorithm: if the signature data recovery is not supported with - the provided `padding` type. - :raises ValueError: if the client is unable to obtain the key material from Key Vault. - """ - if self._key is None: - raise ValueError( - "Key material could not be obtained from Key Vault. Only remote cryptographic operations " - "(encrypt, verify) can be performed." - ) - - public_key = self.public_numbers().public_key() - try: - return public_key.recover_data_from_signature(signature=signature, padding=padding, algorithm=algorithm) - except AttributeError as exc: - raise NotImplementedError( - "This method is only available on `cryptography`>=3.3. Update your package version to use this method." - ) from exc - - def __eq__(self, other: object) -> bool: - """Checks equality. - - :param object other: Another object to compare with this instance. Currently, only comparisons with - `KeyVaultRSAPrivateKey` or `JsonWebKey` instances are supported. - - :returns: True if the objects are equal; False if the objects are unequal or if key material can't be obtained - from Key Vault for comparison. - :rtype: bool - """ - if self._key is None: - return False - - if isinstance(other, KeyVaultRSAPublicKey): - return all(getattr(self._key, field) == getattr(other._key, field) for field in self._key._FIELDS) - if isinstance(other, JsonWebKey): - return all(getattr(self._key, field) == getattr(other, field) for field in self._key._FIELDS) - return False - - def verifier( # pylint:disable=docstring-missing-param,docstring-missing-return,docstring-missing-rtype - self, signature: bytes, padding: AsymmetricPadding, algorithm: HashAlgorithm - ) -> NoReturn: - """Not implemented. This method was deprecated in `cryptography` 2.0 and removed in 37.0.0.""" - raise NotImplementedError() - - -class KeyVaultRSAPrivateKey(RSAPrivateKey): - """An `RSAPrivateKey` implementation based on a key managed by Key Vault. - - This class should not be instantiated directly. Instead, use the - :func:`~azure.keyvault.keys.crypto.CryptographyClient.create_rsa_private_key` method to create a key based on the - client's key. Only synchronous clients and operations are supported at this time. - """ - - def __init__(self, client: "CryptographyClient", key_material: Optional[JsonWebKey]) -> None: - self._client: "CryptographyClient" = client - self._key: Optional[JsonWebKey] = key_material - - def decrypt(self, ciphertext: bytes, padding: AsymmetricPadding) -> bytes: - """Decrypts the provided ciphertext. - - :param bytes ciphertext: Encrypted bytes to decrypt. - :param padding: The padding to use. Supported paddings are `OAEP` and `PKCS1v15`. For `OAEP` padding, supported - hash algorithms are `SHA1` and `SHA256`. The only supported mask generation function is `MGF1`. See - https://learn.microsoft.com/azure/key-vault/keys/about-keys-details for details. - :type padding: ~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding - - :returns: The decrypted plaintext, as bytes. - :rtype: bytes - """ - mapped_algorithm = get_encryption_algorithm(padding) - result = self._client.decrypt(mapped_algorithm, ciphertext) - return result.plaintext - - @property - def key_size(self) -> int: - """The bit length of the public modulus. - - :returns: The key's size. - :rtype: int - - :raises ValueError: if the client is unable to obtain the key material from Key Vault. - """ - if self._key is None: - raise ValueError( - "Key material could not be obtained from Key Vault. Only remote cryptographic operations " - "(decrypt, sign) can be performed." - ) - - # Key size only requires public modulus, which we can always get - # Relying on private numbers instead would cause issues for keys stored in KV (which doesn't return private key) - return self.public_key().key_size - - def public_key(self) -> KeyVaultRSAPublicKey: - """The `RSAPublicKey` associated with this private key, as a `KeyVaultRSAPublicKey`. - - The public key implementation will use the same underlying cryptography client as this private key. - - :returns: The `KeyVaultRSAPublicKey` associated with the key. - :rtype: ~azure.keyvault.keys.crypto.KeyVaultRSAPublicKey - """ - return KeyVaultRSAPublicKey(self._client, self._key) - - def sign( - self, - data: bytes, - padding: AsymmetricPadding, - algorithm: Union[Prehashed, HashAlgorithm], - ) -> bytes: - """Signs the data. - - :param bytes data: The data to sign, as bytes. - :param padding: The padding to use. Supported paddings are `PKCS1v15` and `PSS`. For `PSS`, the only supported - mask generation function is `MGF1`. See https://learn.microsoft.com/azure/key-vault/keys/about-keys-details - for details. - :type padding: ~cryptography.hazmat.primitives.asymmetric.padding.AsymmetricPadding - :param algorithm: The algorithm to sign with. Only `HashAlgorithm`s are supported -- specifically, `SHA256`, - `SHA384`, and `SHA512`. - :type algorithm: ~cryptography.hazmat.primitives.asymmetric.utils.Prehashed or - cryptography.hazmat.primitives.hashes.HashAlgorithm - - :returns: The signature, as bytes. - :rtype: bytes - """ - if isinstance(algorithm, Prehashed): - raise ValueError("`Prehashed` algorithms are unsupported. Please provide a `HashAlgorithm` instead.") - mapped_algorithm = get_signature_algorithm(padding, algorithm) - digest = Hash(algorithm) - digest.update(data) - result = self._client.sign(mapped_algorithm, digest.finalize()) - return result.signature - - def private_numbers(self) -> RSAPrivateNumbers: - """Returns an `RSAPrivateNumbers` representing the key's private numbers. - - :returns: The private numbers of the key. - :rtype: ~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers - - :raises ValueError: if the client is unable to obtain the key material from Key Vault. - """ - if self._key is None: - raise ValueError( - "Key material could not be obtained from Key Vault. Only remote cryptographic operations " - "(decrypt, sign) can be performed." - ) - - # Fetch public numbers from JWK - e = int.from_bytes(self._key.e, "big") # type: ignore[attr-defined] - n = int.from_bytes(self._key.n, "big") # type: ignore[attr-defined] - public_numbers = RSAPublicNumbers(e, n) - - # Fetch private numbers from JWK - p = int.from_bytes(self._key.p, "big") if self._key.p else None # type: ignore[attr-defined] - q = int.from_bytes(self._key.q, "big") if self._key.q else None # type: ignore[attr-defined] - d = int.from_bytes(self._key.d, "big") if self._key.d else None # type: ignore[attr-defined] - dmp1 = int.from_bytes(self._key.dp, "big") if self._key.dp else None # type: ignore[attr-defined] - dmq1 = int.from_bytes(self._key.dq, "big") if self._key.dq else None # type: ignore[attr-defined] - iqmp = int.from_bytes(self._key.qi, "big") if self._key.qi else None # type: ignore[attr-defined] - - # Calculate any missing attributes - if d is None: - raise ValueError("An 'RSAPrivateNumbers' couldn't be created with the available key material.") - if p is None or q is None: - p, q = rsa_recover_prime_factors(n, e, d) - if dmp1 is None: - dmp1 = rsa_crt_dmp1(d, p) - if dmq1 is None: - dmq1 = rsa_crt_dmq1(d, q) - if iqmp is None: - iqmp = rsa_crt_iqmp(p, q) - - return RSAPrivateNumbers(p, q, d, dmp1, dmq1, iqmp, public_numbers) - - def private_bytes( - self, encoding: Encoding, format: PrivateFormat, encryption_algorithm: KeySerializationEncryption - ) -> bytes: - """Allows serialization of the key to bytes. - - This function uses the `cryptography` library's implementation. - Encoding (`PEM` or `DER`) and format (`TraditionalOpenSSL`, `OpenSSH`, or `PKCS8`) and encryption algorithm - (such as `BestAvailableEncryption` or `NoEncryption`) are chosen to define the exact serialization. - - :param encoding: A value from the `Encoding` enum. - :type encoding: ~cryptography.hazmat.primitives.serialization.Encoding - :param format: A value from the `PrivateFormat` enum. - :type format: ~cryptography.hazmat.primitives.serialization.PrivateFormat - :param encryption_algorithm: An instance of an object conforming to the `KeySerializationEncryption` interface. - :type encryption_algorithm: ~cryptography.hazmat.primitives.serialization.KeySerializationEncryption - - :returns: The serialized key. - :rtype: bytes - - :raises ValueError: if the client is unable to obtain the key material from Key Vault. - """ - if self._key is None: - raise ValueError( - "Key material could not be obtained from Key Vault. Only remote cryptographic operations " - "(decrypt, sign) can be performed." - ) - - try: - private_numbers = self.private_numbers() - except ValueError as exc: - raise ValueError("Insufficient key material to serialize the private key.") from exc - private_key = private_numbers.private_key() - return private_key.private_bytes(encoding=encoding, format=format, encryption_algorithm=encryption_algorithm) - - def signer( # pylint:disable=docstring-missing-param,docstring-missing-return,docstring-missing-rtype - self, padding: AsymmetricPadding, algorithm: HashAlgorithm - ) -> NoReturn: - """Not implemented. This method was deprecated in `cryptography` 2.0 and removed in 37.0.0.""" - raise NotImplementedError() - - -class DecryptResult: - """The result of a decrypt operation. - - :param str key_id: The encryption key's Key Vault identifier - :param algorithm: The encryption algorithm used - :type algorithm: ~azure.keyvault.keys.crypto.EncryptionAlgorithm - :param bytes plaintext: The decrypted bytes - """ - - def __init__(self, key_id: Optional[str], algorithm: EncryptionAlgorithm, plaintext: bytes) -> None: - self.key_id = key_id - self.algorithm = algorithm - self.plaintext = plaintext - - -class EncryptResult: - """The result of an encrypt operation. - - :param str key_id: The encryption key's Key Vault identifier - :param algorithm: The encryption algorithm used - :type algorithm: ~azure.keyvault.keys.crypto.EncryptionAlgorithm - :param bytes ciphertext: The encrypted bytes - - :keyword bytes iv: Initialization vector for symmetric algorithms - :keyword bytes authentication_tag: The tag to authenticate when performing decryption with an authenticated - algorithm - :keyword bytes additional_authenticated_data: Additional data to authenticate but not encrypt/decrypt when using an - authenticated algorithm - """ - - def __init__(self, key_id: Optional[str], algorithm: EncryptionAlgorithm, ciphertext: bytes, **kwargs: Any) -> None: - self.key_id = key_id - self.algorithm = algorithm - self.ciphertext = ciphertext - self.iv = kwargs.pop("iv", None) - self.tag = kwargs.pop("authentication_tag", None) - self.aad = kwargs.pop("additional_authenticated_data", None) - - -class SignResult: - """The result of a sign operation. - - :param str key_id: The signing key's Key Vault identifier - :param algorithm: The signature algorithm used - :type algorithm: ~azure.keyvault.keys.crypto.SignatureAlgorithm - :param bytes signature: - """ - - def __init__(self, key_id: Optional[str], algorithm: SignatureAlgorithm, signature: bytes) -> None: - self.key_id = key_id - self.algorithm = algorithm - self.signature = signature - - -class VerifyResult: - """The result of a verify operation. - - :param str key_id: The signing key's Key Vault identifier - :param bool is_valid: Whether the signature is valid - :param algorithm: The signature algorithm used - :type algorithm: ~azure.keyvault.keys.crypto.SignatureAlgorithm - """ - - def __init__(self, key_id: Optional[str], is_valid: bool, algorithm: SignatureAlgorithm) -> None: - self.key_id = key_id - self.is_valid = is_valid - self.algorithm = algorithm - - -class UnwrapResult: - """The result of an unwrap key operation. - - :param str key_id: Key encryption key's Key Vault identifier - :param algorithm: The key wrap algorithm used - :type algorithm: ~azure.keyvault.keys.crypto.KeyWrapAlgorithm - :param bytes key: The unwrapped key - """ - - def __init__(self, key_id: Optional[str], algorithm: KeyWrapAlgorithm, key: bytes) -> None: - self.key_id = key_id - self.algorithm = algorithm - self.key = key - - -class WrapResult: - """The result of a wrap key operation. - - :param str key_id: The wrapping key's Key Vault identifier - :param algorithm: The key wrap algorithm used - :type algorithm: ~azure.keyvault.keys.crypto.KeyWrapAlgorithm - :param bytes encrypted_key: The encrypted key bytes - """ - - def __init__(self, key_id: Optional[str], algorithm: KeyWrapAlgorithm, encrypted_key: bytes) -> None: - self.key_id = key_id - self.algorithm = algorithm - self.encrypted_key = encrypted_key diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/__init__.py deleted file mode 100644 index 8c146d1a1fca..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/__init__.py +++ /dev/null @@ -1,36 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from typing import TYPE_CHECKING - -from .ec import EllipticCurveCryptographyProvider -from .local_provider import LocalCryptographyProvider -from .rsa import RsaCryptographyProvider -from .symmetric import SymmetricCryptographyProvider -from ... import KeyType - -if TYPE_CHECKING: - from ... import JsonWebKey - - -def get_local_cryptography_provider(key: "JsonWebKey") -> LocalCryptographyProvider: - if key.kty in (KeyType.ec, KeyType.ec_hsm): # type: ignore[attr-defined] - return EllipticCurveCryptographyProvider(key) - if key.kty in (KeyType.rsa, KeyType.rsa_hsm): # type: ignore[attr-defined] - return RsaCryptographyProvider(key) - if key.kty in (KeyType.oct, KeyType.oct_hsm): # type: ignore[attr-defined] - return SymmetricCryptographyProvider(key) - - raise ValueError(f'Unsupported key type "{key.kty}"') # type: ignore[attr-defined] - - -class NoLocalCryptography(LocalCryptographyProvider): - def __init__(self): # pylint:disable=super-init-not-called - return - - def supports(self, operation, algorithm): - return False - - def _get_internal_key(self, key): - return None diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/ec.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/ec.py deleted file mode 100644 index d72dd505a1a2..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/ec.py +++ /dev/null @@ -1,34 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from typing import TYPE_CHECKING - -from .local_provider import LocalCryptographyProvider -from .._internal import EllipticCurveKey -from ... import KeyOperation, KeyType - -if TYPE_CHECKING: - from .local_provider import Algorithm - from .._internal import Key - from ... import JsonWebKey - -_PRIVATE_KEY_OPERATIONS = frozenset((KeyOperation.decrypt, KeyOperation.sign, KeyOperation.unwrap_key)) - - -class EllipticCurveCryptographyProvider(LocalCryptographyProvider): - def _get_internal_key(self, key: "JsonWebKey") -> "Key": - if key.kty not in (KeyType.ec, KeyType.ec_hsm): # type: ignore[attr-defined] - raise ValueError('"key" must be an EC or EC-HSM key') - return EllipticCurveKey.from_jwk(key) - - def supports(self, operation: KeyOperation, algorithm: "Algorithm") -> bool: - if operation in _PRIVATE_KEY_OPERATIONS and not self._internal_key.is_private_key(): - return False - if operation in (KeyOperation.decrypt, KeyOperation.encrypt): - return algorithm in self._internal_key.supported_encryption_algorithms - if operation in (KeyOperation.unwrap_key, KeyOperation.wrap_key): - return algorithm in self._internal_key.supported_key_wrap_algorithms - if operation in (KeyOperation.sign, KeyOperation.verify): - return algorithm in self._internal_key.supported_signature_algorithms - return False diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/local_provider.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/local_provider.py deleted file mode 100644 index 6e0edd2f526c..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/local_provider.py +++ /dev/null @@ -1,104 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -import abc -import os -from typing import Optional, TYPE_CHECKING, Union - -from azure.core.exceptions import AzureError - -from .. import DecryptResult, EncryptResult, SignResult, UnwrapResult, VerifyResult, WrapResult -from ... import KeyOperation - -ABC = abc.ABC - -if TYPE_CHECKING: - from .._internal.key import Key - from .. import EncryptionAlgorithm, KeyWrapAlgorithm, SignatureAlgorithm - from ... import JsonWebKey - - Algorithm = Union[EncryptionAlgorithm, KeyWrapAlgorithm, SignatureAlgorithm] - - -class LocalCryptographyProvider(ABC): - def __init__(self, key: "JsonWebKey") -> None: - self._allowed_ops = frozenset(key.key_ops or []) # type: ignore[attr-defined] - self._internal_key = self._get_internal_key(key) - self._key = key - - @abc.abstractmethod - def _get_internal_key(self, key: "JsonWebKey") -> "Key": - pass - - @abc.abstractmethod - def supports(self, operation: KeyOperation, algorithm: "Algorithm") -> bool: - pass - - @property - def key_id(self) -> "Optional[str]": - """The full identifier of the provider's key. - - :returns: The full identifier of the provider's key. - :rtype: str or None - """ - return self._key.kid # type: ignore[attr-defined] - - def _raise_if_unsupported(self, operation: KeyOperation, algorithm: "Algorithm") -> None: - if not self.supports(operation, algorithm): - raise NotImplementedError( - f'This key does not support the "{operation}" operation with algorithm "{algorithm}"' - ) - if operation not in self._allowed_ops: - raise AzureError(f'This key does not allow the "{operation}" operation') - - def encrypt( - self, algorithm: "EncryptionAlgorithm", plaintext: bytes, iv: "Optional[bytes]" = None - ) -> EncryptResult: - self._raise_if_unsupported(KeyOperation.encrypt, algorithm) - - # If an IV isn't provided with AES-CBCPAD encryption, try to create one - if iv is None and algorithm.value.endswith("CBCPAD"): - try: - iv = os.urandom(16) - except NotImplementedError as ex: - raise ValueError( - "An IV could not be generated on this OS. Please provide your own cryptographically random, " - "non-repeating IV for local cryptography." - ) from ex - - ciphertext = self._internal_key.encrypt(plaintext, algorithm=algorithm.value, iv=iv) - return EncryptResult( - key_id=self._key.kid, algorithm=algorithm, ciphertext=ciphertext, iv=iv # type: ignore[attr-defined] - ) - - def decrypt( - self, algorithm: "EncryptionAlgorithm", ciphertext: bytes, iv: "Optional[bytes]" = None - ) -> DecryptResult: - self._raise_if_unsupported(KeyOperation.decrypt, algorithm) - plaintext = self._internal_key.decrypt(ciphertext, iv=iv, algorithm=algorithm.value) - return DecryptResult( - key_id=self._key.kid, algorithm=algorithm, plaintext=plaintext # type: ignore[attr-defined] - ) - - def wrap_key(self, algorithm: "KeyWrapAlgorithm", key: bytes) -> "WrapResult": - self._raise_if_unsupported(KeyOperation.wrap_key, algorithm) - encrypted_key = self._internal_key.wrap_key(key, algorithm=algorithm.value) - return WrapResult( - key_id=self._key.kid, algorithm=algorithm, encrypted_key=encrypted_key # type: ignore[attr-defined] - ) - - def unwrap_key(self, algorithm: "KeyWrapAlgorithm", encrypted_key: bytes) -> "UnwrapResult": - self._raise_if_unsupported(KeyOperation.unwrap_key, algorithm) - unwrapped_key = self._internal_key.unwrap_key(encrypted_key, algorithm=algorithm.value) - return UnwrapResult(key_id=self._key.kid, algorithm=algorithm, key=unwrapped_key) # type: ignore[attr-defined] - - def sign(self, algorithm: "SignatureAlgorithm", digest: bytes) -> "SignResult": - self._raise_if_unsupported(KeyOperation.sign, algorithm) - signature = self._internal_key.sign(digest, algorithm=algorithm.value) - return SignResult(key_id=self._key.kid, algorithm=algorithm, signature=signature) # type: ignore[attr-defined] - - def verify(self, algorithm: "SignatureAlgorithm", digest: bytes, signature: bytes) -> "VerifyResult": - self._raise_if_unsupported(KeyOperation.verify, algorithm) - is_valid = self._internal_key.verify(digest, signature, algorithm=algorithm.value) - return VerifyResult(key_id=self._key.kid, algorithm=algorithm, is_valid=is_valid) # type: ignore[attr-defined] diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/rsa.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/rsa.py deleted file mode 100644 index 4394cc2a9b51..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/rsa.py +++ /dev/null @@ -1,34 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from typing import TYPE_CHECKING - -from .local_provider import LocalCryptographyProvider -from .._internal import RsaKey -from ... import KeyOperation, KeyType - -if TYPE_CHECKING: - from .local_provider import Algorithm - from .._internal import Key - from ... import JsonWebKey - -_PRIVATE_KEY_OPERATIONS = frozenset((KeyOperation.decrypt, KeyOperation.sign, KeyOperation.unwrap_key)) - - -class RsaCryptographyProvider(LocalCryptographyProvider): - def _get_internal_key(self, key: "JsonWebKey") -> "Key": - if key.kty not in (KeyType.rsa, KeyType.rsa_hsm): # type: ignore[attr-defined] - raise ValueError('"key" must be an RSA or RSA-HSM key') - return RsaKey.from_jwk(key) - - def supports(self, operation: KeyOperation, algorithm: "Algorithm") -> bool: - if operation in _PRIVATE_KEY_OPERATIONS and not self._internal_key.is_private_key(): - return False - if operation in (KeyOperation.decrypt, KeyOperation.encrypt): - return algorithm in self._internal_key.supported_encryption_algorithms - if operation in (KeyOperation.unwrap_key, KeyOperation.wrap_key): - return algorithm in self._internal_key.supported_key_wrap_algorithms - if operation in (KeyOperation.sign, KeyOperation.verify): - return algorithm in self._internal_key.supported_signature_algorithms - return False diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/symmetric.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/symmetric.py deleted file mode 100644 index 3a5f473b36c1..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/symmetric.py +++ /dev/null @@ -1,28 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from typing import TYPE_CHECKING - -from .local_provider import LocalCryptographyProvider -from .._internal import SymmetricKey -from ... import KeyOperation, KeyType - -if TYPE_CHECKING: - from .local_provider import Algorithm - from .._internal import Key - from ... import JsonWebKey - - -class SymmetricCryptographyProvider(LocalCryptographyProvider): - def _get_internal_key(self, key: "JsonWebKey") -> "Key": - if key.kty not in (KeyType.oct, KeyType.oct_hsm): # type: ignore[attr-defined] - raise ValueError('"key" must be an oct or oct-HSM (symmetric) key') - return SymmetricKey.from_jwk(key) - - def supports(self, operation: KeyOperation, algorithm: "Algorithm") -> bool: - if operation in (KeyOperation.decrypt, KeyOperation.encrypt): - return algorithm in self._internal_key.supported_encryption_algorithms - if operation in (KeyOperation.unwrap_key, KeyOperation.wrap_key): - return algorithm in self._internal_key.supported_key_wrap_algorithms - return False diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/__init__.py deleted file mode 100644 index 3a8c0f5ee127..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/__init__.py +++ /dev/null @@ -1,50 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from typing import Any, List, Optional - -from ._client import CryptographyClient - - -__all__ = [ - "CryptographyClient", -] - - -def __dir__() -> List[str]: - return __all__ - - -# Allow importing these types for backwards compatibility, but exclude indexing types that shouldn't be in aio namespace - - -def __getattr__(name: str): - requested: Optional[Any] = None - if name == "EncryptionAlgorithm": - from .. import EncryptionAlgorithm - - requested = EncryptionAlgorithm - if name == "KeyWrapAlgorithm": - from .. import KeyWrapAlgorithm - - requested = KeyWrapAlgorithm - if name == "SignatureAlgorithm": - from .. import SignatureAlgorithm - - requested = SignatureAlgorithm - if name == "EncryptResult": - from .. import EncryptResult - - requested = EncryptResult - if name == "SignResult": - from .. import SignResult - - requested = SignResult - if name == "WrapResult": - from .. import WrapResult - - requested = WrapResult - if requested: - return requested - raise AttributeError(f"module 'azure.keyvault.keys.crypto.aio' has no attribute {name}") diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/_client.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/_client.py deleted file mode 100644 index d6d2a4ff0ef8..000000000000 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/_client.py +++ /dev/null @@ -1,510 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -from datetime import datetime -import logging -from typing import Any, cast, Dict, Optional, Union - -from azure.core.credentials_async import AsyncTokenCredential -from azure.core.exceptions import HttpResponseError -from azure.core.tracing.decorator_async import distributed_trace_async - -from .. import ( - DecryptResult, - EncryptionAlgorithm, - EncryptResult, - KeyWrapAlgorithm, - SignatureAlgorithm, - SignResult, - VerifyResult, - UnwrapResult, - WrapResult, -) -from .._client import _validate_arguments -from .._key_validity import raise_if_time_invalid -from .._providers import get_local_cryptography_provider, NoLocalCryptography -from ... import KeyOperation -from ..._models import JsonWebKey, KeyVaultKey -from ..._shared import AsyncKeyVaultClientBase, KeyVaultResourceId, parse_key_vault_id - -_LOGGER = logging.getLogger(__name__) - - -class CryptographyClient(AsyncKeyVaultClientBase): - """Performs cryptographic operations using Azure Key Vault keys. - - This client will perform operations locally when it's intialized with the necessary key material or is able to get - that material from Key Vault. When the required key material is unavailable, cryptographic operations are performed - by the Key Vault service. - - :param key: Either a azure.keyvault.keys.KeyVaultKey instance as returned by - :func:`~azure.keyvault.keys.aio.KeyClient.get_key`, or a string. - If a string, the value must be the identifier of an Azure Key Vault key. Including a version is recommended. - :type key: str or azure.keyvault.keys.KeyVaultKey - :param credential: An object which can provide an access token for the vault, such as a credential from - :mod:`azure.identity.aio` - :type credential: ~azure.core.credentials_async.AsyncTokenCredential - - :keyword api_version: Version of the service API to use. Defaults to the most recent. - :paramtype api_version: ~azure.keyvault.keys.ApiVersion or str - :keyword bool verify_challenge_resource: Whether to verify the authentication challenge resource matches the Key - Vault or Managed HSM domain. Defaults to True. - - .. literalinclude:: ../tests/test_examples_crypto_async.py - :start-after: [START create_client] - :end-before: [END create_client] - :caption: Create a CryptographyClient - :language: python - :dedent: 8 - """ - - # pylint:disable=protected-access - - def __init__(self, key: Union[KeyVaultKey, str], credential: AsyncTokenCredential, **kwargs: Any) -> None: - self._jwk = kwargs.pop("_jwk", False) - self._not_before: Optional[datetime] = None - self._expires_on: Optional[datetime] = None - self._key_id: Optional[KeyVaultResourceId] = None - - if isinstance(key, KeyVaultKey): - self._key: Union[JsonWebKey, KeyVaultKey, str, None] = key.key - self._key_id = parse_key_vault_id(key.id) - if key.properties._attributes: - self._not_before = key.properties.not_before - self._expires_on = key.properties.expires_on - elif isinstance(key, str): - self._key = None - self._key_id = parse_key_vault_id(key) - if self._key_id.version is None: - self._key_id.version = "" # to avoid an error and get the latest version when getting the key - self._keys_get_forbidden = False - elif self._jwk: - self._key = key - else: - raise ValueError("'key' must be a KeyVaultKey instance or a key ID string") - - if self._jwk: - try: - self._local_provider = get_local_cryptography_provider(cast(JsonWebKey, self._key)) - self._initialized = True - except Exception as ex: - raise ValueError("The provided jwk is not valid for local cryptography") from ex - else: - self._local_provider = NoLocalCryptography() - self._initialized = False - - self._vault_url = None if (self._jwk or self._key_id is None) else self._key_id.vault_url # type: ignore - super().__init__(vault_url=self._vault_url or "vault_url", credential=credential, **kwargs) - - @property - def key_id(self) -> Optional[str]: - """The full identifier of the client's key. - - This property may be None when a client is constructed with :func:`from_jwk`. - - :returns: The full identifier of the client's key. - :rtype: str or None - """ - if not self._jwk: - return self._key_id.source_id if self._key_id else None - return cast(JsonWebKey, self._key).kid # type: ignore[attr-defined] - - @property - def vault_url(self) -> Optional[str]: # type: ignore - """The base vault URL of the client's key. - - This property may be None when a client is constructed with :func:`from_jwk`. - - :returns: The base vault URL of the client's key. - :rtype: str or None - """ - return self._vault_url - - @classmethod - def from_jwk(cls, jwk: Union[JsonWebKey, Dict[str, Any]]) -> "CryptographyClient": - """Creates a client that can only perform cryptographic operations locally. - - :param jwk: the key's cryptographic material, as a JsonWebKey or dictionary. - :type jwk: JsonWebKey or Dict[str, Any] - - :returns: A client that can only perform local cryptographic operations. - :rtype: CryptographyClient - """ - if not isinstance(jwk, JsonWebKey): - jwk = JsonWebKey(**jwk) - return cls(jwk, object(), _jwk=True) # type: ignore - - @distributed_trace_async - async def _initialize(self, **kwargs: Any) -> None: - if self._initialized: - return - - # try to get the key material, if we don't have it and aren't forbidden to do so - if not (self._key or self._keys_get_forbidden): - try: - key_bundle = await self._client.get_key( - self._key_id.vault_url if self._key_id else None, - self._key_id.name if self._key_id else None, - self._key_id.version if self._key_id else None, - **kwargs - ) - key = KeyVaultKey._from_key_bundle(key_bundle) - self._key = key.key - self._key_id = parse_key_vault_id(key.id) # update the key ID in case we didn't have the version before - except HttpResponseError as ex: - # if we got a 403, we don't have keys/get permission and won't try to get the key again - # (other errors may be transient) - self._keys_get_forbidden = ex.status_code == 403 - - # if we have the key material, create a local crypto provider with it - if self._key: - self._local_provider = get_local_cryptography_provider(cast(JsonWebKey, self._key)) - self._initialized = True - else: - # try to get the key again next time unless we know we're forbidden to do so - self._initialized = self._keys_get_forbidden - - @distributed_trace_async - async def encrypt( - self, - algorithm: EncryptionAlgorithm, - plaintext: bytes, - *, - iv: Optional[bytes] = None, - additional_authenticated_data: Optional[bytes] = None, - **kwargs: Any, - ) -> EncryptResult: - """Encrypt bytes using the client's key. - - Requires the keys/encrypt permission. This method encrypts only a single block of data, whose size depends on - the key and encryption algorithm. - - :param algorithm: Encryption algorithm to use - :type algorithm: ~azure.keyvault.keys.crypto.EncryptionAlgorithm - :param bytes plaintext: Bytes to encrypt - - :keyword iv: Initialization vector. Required for only AES-CBC(PAD) encryption. If you pass your own IV, - make sure you use a cryptographically random, non-repeating IV. If omitted, an attempt will be made to - generate an IV via `os.urandom `_ for local - cryptography; for remote cryptography, Key Vault will generate an IV. - :paramtype iv: bytes or None - :keyword additional_authenticated_data: Optional data that is authenticated but not encrypted. For use - with AES-GCM encryption. - :paramtype additional_authenticated_data: bytes or None - - :returns: The result of the encryption operation. - :rtype: ~azure.keyvault.keys.crypto.EncryptResult - - :raises ValueError: if parameters that are incompatible with the specified algorithm are provided, or if - generating an IV fails on the current platform. - - .. literalinclude:: ../tests/test_examples_crypto_async.py - :start-after: [START encrypt] - :end-before: [END encrypt] - :caption: Encrypt bytes - :language: python - :dedent: 8 - """ - _validate_arguments( - operation=KeyOperation.encrypt, algorithm=algorithm, iv=iv, aad=additional_authenticated_data - ) - await self._initialize(**kwargs) - - if self._local_provider.supports(KeyOperation.encrypt, algorithm): - raise_if_time_invalid(self._not_before, self._expires_on) - try: - return self._local_provider.encrypt(algorithm, plaintext, iv=iv) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local encrypt operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.encrypt}" operation with algorithm "{algorithm}"' - ) - - operation_result = await self._client.encrypt( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyOperationsParameters( - algorithm=algorithm, value=plaintext, iv=iv, aad=additional_authenticated_data - ), - **kwargs - ) - - result_iv = operation_result.iv if hasattr(operation_result, "iv") else None - result_tag = operation_result.authentication_tag if hasattr(operation_result, "authentication_tag") else None - result_aad = ( - operation_result.additional_authenticated_data - if hasattr(operation_result, "additional_authenticated_data") - else None - ) - - return EncryptResult( - key_id=self.key_id, - algorithm=algorithm, - ciphertext=operation_result.result, - iv=result_iv, - authentication_tag=result_tag, - additional_authenticated_data=result_aad, - ) - - @distributed_trace_async - async def decrypt( - self, - algorithm: EncryptionAlgorithm, - ciphertext: bytes, - *, - iv: Optional[bytes] = None, - authentication_tag: Optional[bytes] = None, - additional_authenticated_data: Optional[bytes] = None, - **kwargs: Any, - ) -> DecryptResult: - """Decrypt a single block of encrypted data using the client's key. - - Requires the keys/decrypt permission. This method decrypts only a single block of data, whose size depends on - the key and encryption algorithm. - - :param algorithm: Encryption algorithm to use - :type algorithm: ~azure.keyvault.keys.crypto.EncryptionAlgorithm - :param bytes ciphertext: Encrypted bytes to decrypt. Microsoft recommends you not use CBC without first ensuring - the integrity of the ciphertext using, for example, an HMAC. See - https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. - - :keyword iv: The initialization vector used during encryption. Required for AES decryption. - :paramtype iv: bytes or None - :keyword authentication_tag: The authentication tag generated during encryption. Required for only AES-GCM - decryption. - :paramtype authentication_tag: bytes or None - :keyword additional_authenticated_data: Optional data that is authenticated but not encrypted. For use - with AES-GCM decryption. - :paramtype additional_authenticated_data: bytes or None - - :returns: The result of the decryption operation. - :rtype: ~azure.keyvault.keys.crypto.DecryptResult - - :raises ValueError: If parameters that are incompatible with the specified algorithm are provided. - - .. literalinclude:: ../tests/test_examples_crypto_async.py - :start-after: [START decrypt] - :end-before: [END decrypt] - :caption: Decrypt bytes - :language: python - :dedent: 8 - """ - _validate_arguments( - operation=KeyOperation.decrypt, - algorithm=algorithm, - iv=iv, - tag=authentication_tag, - aad=additional_authenticated_data, - ) - await self._initialize(**kwargs) - - if self._local_provider.supports(KeyOperation.decrypt, algorithm): - try: - return self._local_provider.decrypt(algorithm, ciphertext, iv=iv) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local decrypt operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.decrypt}" operation with algorithm "{algorithm}"' - ) - - operation_result = await self._client.decrypt( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyOperationsParameters( - algorithm=algorithm, value=ciphertext, iv=iv, tag=authentication_tag, aad=additional_authenticated_data - ), - **kwargs - ) - - return DecryptResult(key_id=self.key_id, algorithm=algorithm, plaintext=operation_result.result) - - @distributed_trace_async - async def wrap_key(self, algorithm: KeyWrapAlgorithm, key: bytes, **kwargs: Any) -> WrapResult: - """Wrap a key with the client's key. - - Requires the keys/wrapKey permission. - - :param algorithm: wrapping algorithm to use - :type algorithm: ~azure.keyvault.keys.crypto.KeyWrapAlgorithm - :param bytes key: key to wrap - - :returns: The result of the wrapping operation. - :rtype: ~azure.keyvault.keys.crypto.WrapResult - - .. literalinclude:: ../tests/test_examples_crypto_async.py - :start-after: [START wrap_key] - :end-before: [END wrap_key] - :caption: Wrap a key - :language: python - :dedent: 8 - """ - await self._initialize(**kwargs) - if self._local_provider.supports(KeyOperation.wrap_key, algorithm): - raise_if_time_invalid(self._not_before, self._expires_on) - try: - return self._local_provider.wrap_key(algorithm, key) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local wrap operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.wrap_key}" operation with algorithm "{algorithm}"' - ) - - operation_result = await self._client.wrap_key( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyOperationsParameters(algorithm=algorithm, value=key), - **kwargs - ) - - return WrapResult(key_id=self.key_id, algorithm=algorithm, encrypted_key=operation_result.result) - - @distributed_trace_async - async def unwrap_key(self, algorithm: KeyWrapAlgorithm, encrypted_key: bytes, **kwargs: Any) -> UnwrapResult: - """Unwrap a key previously wrapped with the client's key. - - Requires the keys/unwrapKey permission. - - :param algorithm: wrapping algorithm to use - :type algorithm: ~azure.keyvault.keys.crypto.KeyWrapAlgorithm - :param bytes encrypted_key: the wrapped key - - :returns: The result of the unwrapping operation. - :rtype: ~azure.keyvault.keys.crypto.UnwrapResult - - .. literalinclude:: ../tests/test_examples_crypto_async.py - :start-after: [START unwrap_key] - :end-before: [END unwrap_key] - :caption: Unwrap a key - :language: python - :dedent: 8 - """ - await self._initialize(**kwargs) - if self._local_provider.supports(KeyOperation.unwrap_key, algorithm): - try: - return self._local_provider.unwrap_key(algorithm, encrypted_key) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local unwrap operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.unwrap_key}" operation with algorithm "{algorithm}"' - ) - - operation_result = await self._client.unwrap_key( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyOperationsParameters(algorithm=algorithm, value=encrypted_key), - **kwargs - ) - - return UnwrapResult(key_id=self.key_id, algorithm=algorithm, key=operation_result.result) - - @distributed_trace_async - async def sign(self, algorithm: SignatureAlgorithm, digest: bytes, **kwargs: Any) -> SignResult: - """Create a signature from a digest using the client's key. - - Requires the keys/sign permission. - - :param algorithm: signing algorithm - :type algorithm: ~azure.keyvault.keys.crypto.SignatureAlgorithm - :param bytes digest: hashed bytes to sign - - :returns: The result of the signing operation. - :rtype: ~azure.keyvault.keys.crypto.SignResult - - .. literalinclude:: ../tests/test_examples_crypto_async.py - :start-after: [START sign] - :end-before: [END sign] - :caption: Sign bytes - :language: python - :dedent: 8 - """ - await self._initialize(**kwargs) - if self._local_provider.supports(KeyOperation.sign, algorithm): - raise_if_time_invalid(self._not_before, self._expires_on) - try: - return self._local_provider.sign(algorithm, digest) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local sign operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.sign}" operation with algorithm "{algorithm}"' - ) - - operation_result = await self._client.sign( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeySignParameters(algorithm=algorithm, value=digest), - **kwargs - ) - - return SignResult(key_id=self.key_id, algorithm=algorithm, signature=operation_result.result) - - @distributed_trace_async - async def verify( - self, algorithm: SignatureAlgorithm, digest: bytes, signature: bytes, **kwargs: Any - ) -> VerifyResult: - """Verify a signature using the client's key. - - Requires the keys/verify permission. - - :param algorithm: verification algorithm - :type algorithm: ~azure.keyvault.keys.crypto.SignatureAlgorithm - :param bytes digest: Pre-hashed digest corresponding to **signature**. The hash algorithm used must be - compatible with ``algorithm``. - :param bytes signature: signature to verify - - :returns: The result of the verifying operation. - :rtype: ~azure.keyvault.keys.crypto.VerifyResult - - .. literalinclude:: ../tests/test_examples_crypto_async.py - :start-after: [START verify] - :end-before: [END verify] - :caption: Verify a signature - :language: python - :dedent: 8 - """ - await self._initialize(**kwargs) - if self._local_provider.supports(KeyOperation.verify, algorithm): - try: - return self._local_provider.verify(algorithm, digest, signature) - except Exception as ex: # pylint:disable=broad-except - _LOGGER.warning("Local verify operation failed: %s", ex, exc_info=_LOGGER.isEnabledFor(logging.DEBUG)) - if self._jwk: - raise - elif self._jwk: - raise NotImplementedError( - f'This key does not support the "{KeyOperation.verify}" operation with algorithm "{algorithm}"' - ) - - operation_result = await self._client.verify( - vault_base_url=self._key_id.vault_url if self._key_id else None, - key_name=self._key_id.name if self._key_id else None, - key_version=self._key_id.version if self._key_id else None, - parameters=self._models.KeyVerifyParameters(algorithm=algorithm, digest=digest, signature=signature), - **kwargs - ) - - return VerifyResult(key_id=self.key_id, algorithm=algorithm, is_valid=operation_result.value) - - async def __aenter__(self) -> "CryptographyClient": - await self._client.__aenter__() - return self diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/__init__.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/__init__.py new file mode 100644 index 000000000000..4f3181627f09 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/__init__.py @@ -0,0 +1,100 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# pylint: disable=wrong-import-position + +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from ._patch import * # pylint: disable=unused-wildcard-import + + +from ._models import ( # type: ignore + BackupKeyResult, + DeletedKeyBundle, + DeletedKeyItem, + GetRandomBytesRequest, + JsonWebKey, + KeyAttributes, + KeyBundle, + KeyCreateParameters, + KeyImportParameters, + KeyItem, + KeyOperationResult, + KeyOperationsParameters, + KeyReleaseParameters, + KeyReleasePolicy, + KeyReleaseResult, + KeyRestoreParameters, + KeyRotationPolicy, + KeyRotationPolicyAttributes, + KeySignParameters, + KeyUpdateParameters, + KeyVaultError, + KeyVaultErrorError, + KeyVerifyParameters, + KeyVerifyResult, + LifetimeActions, + LifetimeActionsTrigger, + LifetimeActionsType, + RandomBytes, +) + +from ._enums import ( # type: ignore + DeletionRecoveryLevel, + JsonWebKeyCurveName, + JsonWebKeyEncryptionAlgorithm, + JsonWebKeyOperation, + JsonWebKeySignatureAlgorithm, + JsonWebKeyType, + KeyEncryptionAlgorithm, + KeyRotationPolicyAction, +) +from ._patch import __all__ as _patch_all +from ._patch import * +from ._patch import patch_sdk as _patch_sdk + +__all__ = [ + "BackupKeyResult", + "DeletedKeyBundle", + "DeletedKeyItem", + "GetRandomBytesRequest", + "JsonWebKey", + "KeyAttributes", + "KeyBundle", + "KeyCreateParameters", + "KeyImportParameters", + "KeyItem", + "KeyOperationResult", + "KeyOperationsParameters", + "KeyReleaseParameters", + "KeyReleasePolicy", + "KeyReleaseResult", + "KeyRestoreParameters", + "KeyRotationPolicy", + "KeyRotationPolicyAttributes", + "KeySignParameters", + "KeyUpdateParameters", + "KeyVaultError", + "KeyVaultErrorError", + "KeyVerifyParameters", + "KeyVerifyResult", + "LifetimeActions", + "LifetimeActionsTrigger", + "LifetimeActionsType", + "RandomBytes", + "DeletionRecoveryLevel", + "JsonWebKeyCurveName", + "JsonWebKeyEncryptionAlgorithm", + "JsonWebKeyOperation", + "JsonWebKeySignatureAlgorithm", + "JsonWebKeyType", + "KeyEncryptionAlgorithm", + "KeyRotationPolicyAction", +] +__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore +_patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/_enums.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/_enums.py similarity index 69% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/_enums.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/_enums.py index 6e13009627a9..1f2ef3e4a21a 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/_enums.py +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/_enums.py @@ -2,7 +2,7 @@ # -------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See License.txt in the project root for license information. -# Code generated by Microsoft (R) AutoRest Code Generator. +# Code generated by Microsoft (R) Python Code Generator. # Changes may cause incorrect behavior and will be lost if the code is regenerated. # -------------------------------------------------------------------------- @@ -10,19 +10,10 @@ from azure.core import CaseInsensitiveEnumMeta -class ActionType(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """The type of the action. The value should be compared case-insensitively.""" - - ROTATE = "Rotate" - """Rotate the key based on the key policy.""" - NOTIFY = "Notify" - """Trigger Event Grid events. Defaults to 30 days before expiry. Key Vault only.""" - - class DeletionRecoveryLevel(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """Reflects the deletion recovery level currently in effect for keys in the current vault. If it - contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only - the system can purge the key, at the end of the retention interval. + """Reflects the deletion recovery level currently in effect for certificates in the current vault. + If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; + otherwise, only the system can purge the certificate, at the end of the retention interval. """ PURGEABLE = "Purgeable" @@ -47,18 +38,18 @@ class DeletionRecoveryLevel(str, Enum, metaclass=CaseInsensitiveEnumMeta): after 90 days, if not recovered""" CUSTOMIZED_RECOVERABLE_PURGEABLE = "CustomizedRecoverable+Purgeable" """Denotes a vault state in which deletion is recoverable, and which also permits immediate and - permanent deletion (i.e. purge when 7<= SoftDeleteRetentionInDays < 90). This level guarantees + permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled.""" CUSTOMIZED_RECOVERABLE = "CustomizedRecoverable" """Denotes a vault state in which deletion is recoverable without the possibility for immediate - and permanent deletion (i.e. purge when 7<= SoftDeleteRetentionInDays < 90).This level + and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90).This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available.""" CUSTOMIZED_RECOVERABLE_PROTECTED_SUBSCRIPTION = "CustomizedRecoverable+ProtectedSubscription" """Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot - be permanently canceled when 7<= SoftDeleteRetentionInDays < 90. This level guarantees the + be permanently canceled when 7 <= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled.""" @@ -77,36 +68,73 @@ class JsonWebKeyCurveName(str, Enum, metaclass=CaseInsensitiveEnumMeta): class JsonWebKeyEncryptionAlgorithm(str, Enum, metaclass=CaseInsensitiveEnumMeta): - """algorithm identifier.""" + """An algorithm used for encryption and decryption.""" RSA_OAEP = "RSA-OAEP" + """[Not recommended] RSAES using Optimal Asymmetric Encryption Padding (OAEP), as described in + https://tools.ietf.org/html/rfc3447, with the default parameters specified by RFC 3447 in + Section A.2.1. Those default parameters are using a hash function of SHA-1 and a mask + generation function of MGF1 with SHA-1. Microsoft recommends using RSA_OAEP_256 or stronger + algorithms for enhanced security. Microsoft does *not* recommend RSA_OAEP, which is included + solely for backwards compatibility. RSA_OAEP utilizes SHA1, which has known collision problems.""" RSA_OAEP256 = "RSA-OAEP-256" + """RSAES using Optimal Asymmetric Encryption Padding with a hash function of SHA-256 and a mask + generation function of MGF1 with SHA-256.""" RSA1_5 = "RSA1_5" + """[Not recommended] RSAES-PKCS1-V1_5 key encryption, as described in + https://tools.ietf.org/html/rfc3447. Microsoft recommends using RSA_OAEP_256 or stronger + algorithms for enhanced security. Microsoft does *not* recommend RSA_1_5, which is included + solely for backwards compatibility. Cryptographic standards no longer consider RSA with the + PKCS#1 v1.5 padding scheme secure for encryption.""" A128_GCM = "A128GCM" + """128-bit AES-GCM.""" A192_GCM = "A192GCM" + """192-bit AES-GCM.""" A256_GCM = "A256GCM" + """256-bit AES-GCM.""" A128_KW = "A128KW" + """128-bit AES key wrap.""" A192_KW = "A192KW" + """192-bit AES key wrap.""" A256_KW = "A256KW" + """256-bit AES key wrap.""" A128_CBC = "A128CBC" + """128-bit AES-CBC.""" A192_CBC = "A192CBC" + """192-bit AES-CBC.""" A256_CBC = "A256CBC" + """256-bit AES-CBC.""" A128_CBCPAD = "A128CBCPAD" + """128-bit AES-CBC with PKCS padding.""" A192_CBCPAD = "A192CBCPAD" + """192-bit AES-CBC with PKCS padding.""" A256_CBCPAD = "A256CBCPAD" + """256-bit AES-CBC with PKCS padding.""" + CKM_AES_KEY_WRAP = "CKM_AES_KEY_WRAP" + """CKM AES key wrap.""" + CKM_AES_KEY_WRAP_PAD = "CKM_AES_KEY_WRAP_PAD" + """CKM AES key wrap with padding.""" class JsonWebKeyOperation(str, Enum, metaclass=CaseInsensitiveEnumMeta): """JSON web key operations. For more information, see JsonWebKeyOperation.""" ENCRYPT = "encrypt" + """Indicates that the key can be used to encrypt.""" DECRYPT = "decrypt" + """Indicates that the key can be used to decrypt.""" SIGN = "sign" + """Indicates that the key can be used to sign.""" VERIFY = "verify" + """Indicates that the key can be used to verify.""" WRAP_KEY = "wrapKey" + """Indicates that the key can be used to wrap another key.""" UNWRAP_KEY = "unwrapKey" + """Indicates that the key can be used to unwrap another key.""" IMPORT = "import" + """Indicates that the key can be imported during creation.""" EXPORT = "export" + """Indicates that the private component of the key can be exported.""" class JsonWebKeySignatureAlgorithm(str, Enum, metaclass=CaseInsensitiveEnumMeta): @@ -164,5 +192,17 @@ class KeyEncryptionAlgorithm(str, Enum, metaclass=CaseInsensitiveEnumMeta): """The encryption algorithm to use to protected the exported key material.""" CKM_RSA_AES_KEY_WRAP = "CKM_RSA_AES_KEY_WRAP" - RSA_AES_KEY_WRAP256 = "RSA_AES_KEY_WRAP_256" - RSA_AES_KEY_WRAP384 = "RSA_AES_KEY_WRAP_384" + """The CKM_RSA_AES_KEY_WRAP key wrap mechanism.""" + RSA_AES_KEY_WRAP_256 = "RSA_AES_KEY_WRAP_256" + """The RSA_AES_KEY_WRAP_256 key wrap mechanism.""" + RSA_AES_KEY_WRAP_384 = "RSA_AES_KEY_WRAP_384" + """The RSA_AES_KEY_WRAP_384 key wrap mechanism.""" + + +class KeyRotationPolicyAction(str, Enum, metaclass=CaseInsensitiveEnumMeta): + """The type of the action. The value should be compared case-insensitively.""" + + ROTATE = "Rotate" + """Rotate the key based on the key policy.""" + NOTIFY = "Notify" + """Trigger Event Grid events. Defaults to 30 days before expiry. Key Vault only.""" diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/_models.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/_models.py new file mode 100644 index 000000000000..fa2aefb9468e --- /dev/null +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/_models.py @@ -0,0 +1,1215 @@ +# pylint: disable=too-many-lines +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# pylint: disable=useless-super-delegation + +import datetime +from typing import Any, Dict, List, Mapping, Optional, TYPE_CHECKING, Union, overload + +from .. import _model_base +from .._model_base import rest_field + +if TYPE_CHECKING: + from .. import models as _models + + +class BackupKeyResult(_model_base.Model): + """The backup key result, containing the backup blob. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar value: The backup blob containing the backed up key. + :vartype value: bytes + """ + + value: Optional[bytes] = rest_field(visibility=["read"], format="base64url") + """The backup blob containing the backed up key.""" + + +class DeletedKeyBundle(_model_base.Model): + """A DeletedKeyBundle consisting of a WebKey plus its Attributes and deletion info. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar key: The Json web key. + :vartype key: ~azure.keyvault.keys.models.JsonWebKey + :ivar attributes: The key management attributes. + :vartype attributes: ~azure.keyvault.keys.models.KeyAttributes + :ivar tags: Application specific metadata in the form of key-value pairs. + :vartype tags: dict[str, str] + :ivar managed: True if the key's lifetime is managed by key vault. If this is a key backing a + certificate, then managed will be true. + :vartype managed: bool + :ivar release_policy: The policy rules under which the key can be exported. + :vartype release_policy: ~azure.keyvault.keys.models.KeyReleasePolicy + :ivar recovery_id: The url of the recovery object, used to identify and recover the deleted + key. + :vartype recovery_id: str + :ivar scheduled_purge_date: The time when the key is scheduled to be purged, in UTC. + :vartype scheduled_purge_date: ~datetime.datetime + :ivar deleted_date: The time when the key was deleted, in UTC. + :vartype deleted_date: ~datetime.datetime + """ + + key: Optional["_models.JsonWebKey"] = rest_field() + """The Json web key.""" + attributes: Optional["_models.KeyAttributes"] = rest_field() + """The key management attributes.""" + tags: Optional[Dict[str, str]] = rest_field() + """Application specific metadata in the form of key-value pairs.""" + managed: Optional[bool] = rest_field(visibility=["read"]) + """True if the key's lifetime is managed by key vault. If this is a key backing a certificate, + then managed will be true.""" + release_policy: Optional["_models.KeyReleasePolicy"] = rest_field() + """The policy rules under which the key can be exported.""" + recovery_id: Optional[str] = rest_field(name="recoveryId") + """The url of the recovery object, used to identify and recover the deleted key.""" + scheduled_purge_date: Optional[datetime.datetime] = rest_field( + name="scheduledPurgeDate", visibility=["read"], format="unix-timestamp" + ) + """The time when the key is scheduled to be purged, in UTC.""" + deleted_date: Optional[datetime.datetime] = rest_field( + name="deletedDate", visibility=["read"], format="unix-timestamp" + ) + """The time when the key was deleted, in UTC.""" + + @overload + def __init__( + self, + *, + key: Optional["_models.JsonWebKey"] = None, + attributes: Optional["_models.KeyAttributes"] = None, + tags: Optional[Dict[str, str]] = None, + release_policy: Optional["_models.KeyReleasePolicy"] = None, + recovery_id: Optional[str] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class DeletedKeyItem(_model_base.Model): + """The deleted key item containing the deleted key metadata and information about deletion. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar kid: Key identifier. + :vartype kid: str + :ivar attributes: The key management attributes. + :vartype attributes: ~azure.keyvault.keys.models.KeyAttributes + :ivar tags: Application specific metadata in the form of key-value pairs. + :vartype tags: dict[str, str] + :ivar managed: True if the key's lifetime is managed by key vault. If this is a key backing a + certificate, then managed will be true. + :vartype managed: bool + :ivar recovery_id: The url of the recovery object, used to identify and recover the deleted + key. + :vartype recovery_id: str + :ivar scheduled_purge_date: The time when the key is scheduled to be purged, in UTC. + :vartype scheduled_purge_date: ~datetime.datetime + :ivar deleted_date: The time when the key was deleted, in UTC. + :vartype deleted_date: ~datetime.datetime + """ + + kid: Optional[str] = rest_field() + """Key identifier.""" + attributes: Optional["_models.KeyAttributes"] = rest_field() + """The key management attributes.""" + tags: Optional[Dict[str, str]] = rest_field() + """Application specific metadata in the form of key-value pairs.""" + managed: Optional[bool] = rest_field(visibility=["read"]) + """True if the key's lifetime is managed by key vault. If this is a key backing a certificate, + then managed will be true.""" + recovery_id: Optional[str] = rest_field(name="recoveryId") + """The url of the recovery object, used to identify and recover the deleted key.""" + scheduled_purge_date: Optional[datetime.datetime] = rest_field( + name="scheduledPurgeDate", visibility=["read"], format="unix-timestamp" + ) + """The time when the key is scheduled to be purged, in UTC.""" + deleted_date: Optional[datetime.datetime] = rest_field( + name="deletedDate", visibility=["read"], format="unix-timestamp" + ) + """The time when the key was deleted, in UTC.""" + + @overload + def __init__( + self, + *, + kid: Optional[str] = None, + attributes: Optional["_models.KeyAttributes"] = None, + tags: Optional[Dict[str, str]] = None, + recovery_id: Optional[str] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class GetRandomBytesRequest(_model_base.Model): + """The get random bytes request object. + + All required parameters must be populated in order to send to server. + + :ivar count: The requested number of random bytes. Required. + :vartype count: int + """ + + count: int = rest_field() + """The requested number of random bytes. Required.""" + + @overload + def __init__( + self, + *, + count: int, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class JsonWebKey(_model_base.Model): + """As of http://tools.ietf.org/html/draft-ietf-jose-json-web-key-18. + + :ivar kid: Key identifier. + :vartype kid: str + :ivar kty: JsonWebKey Key Type (kty), as defined in + https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. Known values are: "EC", + "EC-HSM", "RSA", "RSA-HSM", "oct", and "oct-HSM". + :vartype kty: str or ~azure.keyvault.keys.models.JsonWebKeyType + :ivar key_ops: Json web key operations. For more information on possible key operations, see + JsonWebKeyOperation. + :vartype key_ops: list[str] + :ivar n: RSA modulus. + :vartype n: bytes + :ivar e: RSA public exponent. + :vartype e: bytes + :ivar d: RSA private exponent, or the D component of an EC private key. + :vartype d: bytes + :ivar dp: RSA private key parameter. + :vartype dp: bytes + :ivar dq: RSA private key parameter. + :vartype dq: bytes + :ivar qi: RSA private key parameter. + :vartype qi: bytes + :ivar p: RSA secret prime. + :vartype p: bytes + :ivar q: RSA secret prime, with p < q. + :vartype q: bytes + :ivar k: Symmetric key. + :vartype k: bytes + :ivar t: Protected Key, used with 'Bring Your Own Key'. + :vartype t: bytes + :ivar crv: Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values are: + "P-256", "P-384", "P-521", and "P-256K". + :vartype crv: str or ~azure.keyvault.keys.models.JsonWebKeyCurveName + :ivar x: X component of an EC public key. + :vartype x: bytes + :ivar y: Y component of an EC public key. + :vartype y: bytes + """ + + kid: Optional[str] = rest_field() + """Key identifier.""" + kty: Optional[Union[str, "_models.JsonWebKeyType"]] = rest_field() + """JsonWebKey Key Type (kty), as defined in + https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. Known values are: \"EC\", + \"EC-HSM\", \"RSA\", \"RSA-HSM\", \"oct\", and \"oct-HSM\".""" + key_ops: Optional[List[str]] = rest_field() + """Json web key operations. For more information on possible key operations, see + JsonWebKeyOperation.""" + n: Optional[bytes] = rest_field(format="base64url") + """RSA modulus.""" + e: Optional[bytes] = rest_field(format="base64url") + """RSA public exponent.""" + d: Optional[bytes] = rest_field(format="base64url") + """RSA private exponent, or the D component of an EC private key.""" + dp: Optional[bytes] = rest_field(format="base64url") + """RSA private key parameter.""" + dq: Optional[bytes] = rest_field(format="base64url") + """RSA private key parameter.""" + qi: Optional[bytes] = rest_field(format="base64url") + """RSA private key parameter.""" + p: Optional[bytes] = rest_field(format="base64url") + """RSA secret prime.""" + q: Optional[bytes] = rest_field(format="base64url") + """RSA secret prime, with p < q.""" + k: Optional[bytes] = rest_field(format="base64url") + """Symmetric key.""" + t: Optional[bytes] = rest_field(name="key_hsm", format="base64url") + """Protected Key, used with 'Bring Your Own Key'.""" + crv: Optional[Union[str, "_models.JsonWebKeyCurveName"]] = rest_field() + """Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values are: \"P-256\", + \"P-384\", \"P-521\", and \"P-256K\".""" + x: Optional[bytes] = rest_field(format="base64url") + """X component of an EC public key.""" + y: Optional[bytes] = rest_field(format="base64url") + """Y component of an EC public key.""" + + @overload + def __init__( + self, + *, + kid: Optional[str] = None, + kty: Optional[Union[str, "_models.JsonWebKeyType"]] = None, + key_ops: Optional[List[str]] = None, + n: Optional[bytes] = None, + e: Optional[bytes] = None, + d: Optional[bytes] = None, + dp: Optional[bytes] = None, + dq: Optional[bytes] = None, + qi: Optional[bytes] = None, + p: Optional[bytes] = None, + q: Optional[bytes] = None, + k: Optional[bytes] = None, + t: Optional[bytes] = None, + crv: Optional[Union[str, "_models.JsonWebKeyCurveName"]] = None, + x: Optional[bytes] = None, + y: Optional[bytes] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyAttributes(_model_base.Model): + """The attributes of a key managed by the key vault service. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar enabled: Determines whether the object is enabled. + :vartype enabled: bool + :ivar not_before: Not before date in UTC. + :vartype not_before: ~datetime.datetime + :ivar expires: Expiry date in UTC. + :vartype expires: ~datetime.datetime + :ivar created: Creation time in UTC. + :vartype created: ~datetime.datetime + :ivar updated: Last updated time in UTC. + :vartype updated: ~datetime.datetime + :ivar recoverable_days: softDelete data retention days. Value should be >=7 and <=90 when + softDelete enabled, otherwise 0. + :vartype recoverable_days: int + :ivar recovery_level: Reflects the deletion recovery level currently in effect for keys in the + current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged + user; otherwise, only the system can purge the key, at the end of the retention interval. Known + values are: "Purgeable", "Recoverable+Purgeable", "Recoverable", + "Recoverable+ProtectedSubscription", "CustomizedRecoverable+Purgeable", + "CustomizedRecoverable", and "CustomizedRecoverable+ProtectedSubscription". + :vartype recovery_level: str or ~azure.keyvault.keys.models.DeletionRecoveryLevel + :ivar exportable: Indicates if the private key can be exported. Release policy must be provided + when creating the first version of an exportable key. + :vartype exportable: bool + :ivar hsm_platform: The underlying HSM Platform. + :vartype hsm_platform: str + """ + + enabled: Optional[bool] = rest_field() + """Determines whether the object is enabled.""" + not_before: Optional[datetime.datetime] = rest_field(name="nbf", format="unix-timestamp") + """Not before date in UTC.""" + expires: Optional[datetime.datetime] = rest_field(name="exp", format="unix-timestamp") + """Expiry date in UTC.""" + created: Optional[datetime.datetime] = rest_field(visibility=["read"], format="unix-timestamp") + """Creation time in UTC.""" + updated: Optional[datetime.datetime] = rest_field(visibility=["read"], format="unix-timestamp") + """Last updated time in UTC.""" + recoverable_days: Optional[int] = rest_field(name="recoverableDays", visibility=["read"]) + """softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise + 0.""" + recovery_level: Optional[Union[str, "_models.DeletionRecoveryLevel"]] = rest_field( + name="recoveryLevel", visibility=["read"] + ) + """Reflects the deletion recovery level currently in effect for keys in the current vault. If it + contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only + the system can purge the key, at the end of the retention interval. Known values are: + \"Purgeable\", \"Recoverable+Purgeable\", \"Recoverable\", + \"Recoverable+ProtectedSubscription\", \"CustomizedRecoverable+Purgeable\", + \"CustomizedRecoverable\", and \"CustomizedRecoverable+ProtectedSubscription\".""" + exportable: Optional[bool] = rest_field() + """Indicates if the private key can be exported. Release policy must be provided when creating the + first version of an exportable key.""" + hsm_platform: Optional[str] = rest_field(name="hsmPlatform", visibility=["read"]) + """The underlying HSM Platform.""" + + @overload + def __init__( + self, + *, + enabled: Optional[bool] = None, + not_before: Optional[datetime.datetime] = None, + expires: Optional[datetime.datetime] = None, + exportable: Optional[bool] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyBundle(_model_base.Model): + """A KeyBundle consisting of a WebKey plus its attributes. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar key: The Json web key. + :vartype key: ~azure.keyvault.keys.models.JsonWebKey + :ivar attributes: The key management attributes. + :vartype attributes: ~azure.keyvault.keys.models.KeyAttributes + :ivar tags: Application specific metadata in the form of key-value pairs. + :vartype tags: dict[str, str] + :ivar managed: True if the key's lifetime is managed by key vault. If this is a key backing a + certificate, then managed will be true. + :vartype managed: bool + :ivar release_policy: The policy rules under which the key can be exported. + :vartype release_policy: ~azure.keyvault.keys.models.KeyReleasePolicy + """ + + key: Optional["_models.JsonWebKey"] = rest_field() + """The Json web key.""" + attributes: Optional["_models.KeyAttributes"] = rest_field() + """The key management attributes.""" + tags: Optional[Dict[str, str]] = rest_field() + """Application specific metadata in the form of key-value pairs.""" + managed: Optional[bool] = rest_field(visibility=["read"]) + """True if the key's lifetime is managed by key vault. If this is a key backing a certificate, + then managed will be true.""" + release_policy: Optional["_models.KeyReleasePolicy"] = rest_field() + """The policy rules under which the key can be exported.""" + + @overload + def __init__( + self, + *, + key: Optional["_models.JsonWebKey"] = None, + attributes: Optional["_models.KeyAttributes"] = None, + tags: Optional[Dict[str, str]] = None, + release_policy: Optional["_models.KeyReleasePolicy"] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyCreateParameters(_model_base.Model): + """The key create parameters. + + All required parameters must be populated in order to send to server. + + :ivar kty: The type of key to create. For valid values, see JsonWebKeyType. Required. Known + values are: "EC", "EC-HSM", "RSA", "RSA-HSM", "oct", and "oct-HSM". + :vartype kty: str or ~azure.keyvault.keys.models.JsonWebKeyType + :ivar key_size: The key size in bits. For example: 2048, 3072, or 4096 for RSA. + :vartype key_size: int + :ivar public_exponent: The public exponent for a RSA key. + :vartype public_exponent: int + :ivar key_ops: Json web key operations. For more information on possible key operations, see + JsonWebKeyOperation. + :vartype key_ops: list[str or ~azure.keyvault.keys.models.JsonWebKeyOperation] + :ivar key_attributes: The attributes of a key managed by the key vault service. + :vartype key_attributes: ~azure.keyvault.keys.models.KeyAttributes + :ivar tags: Application specific metadata in the form of key-value pairs. + :vartype tags: dict[str, str] + :ivar curve: Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values are: + "P-256", "P-384", "P-521", and "P-256K". + :vartype curve: str or ~azure.keyvault.keys.models.JsonWebKeyCurveName + :ivar release_policy: The policy rules under which the key can be exported. + :vartype release_policy: ~azure.keyvault.keys.models.KeyReleasePolicy + """ + + kty: Union[str, "_models.JsonWebKeyType"] = rest_field() + """The type of key to create. For valid values, see JsonWebKeyType. Required. Known values are: + \"EC\", \"EC-HSM\", \"RSA\", \"RSA-HSM\", \"oct\", and \"oct-HSM\".""" + key_size: Optional[int] = rest_field() + """The key size in bits. For example: 2048, 3072, or 4096 for RSA.""" + public_exponent: Optional[int] = rest_field() + """The public exponent for a RSA key.""" + key_ops: Optional[List[Union[str, "_models.JsonWebKeyOperation"]]] = rest_field() + """Json web key operations. For more information on possible key operations, see + JsonWebKeyOperation.""" + key_attributes: Optional["_models.KeyAttributes"] = rest_field(name="attributes") + """The attributes of a key managed by the key vault service.""" + tags: Optional[Dict[str, str]] = rest_field() + """Application specific metadata in the form of key-value pairs.""" + curve: Optional[Union[str, "_models.JsonWebKeyCurveName"]] = rest_field(name="crv") + """Elliptic curve name. For valid values, see JsonWebKeyCurveName. Known values are: \"P-256\", + \"P-384\", \"P-521\", and \"P-256K\".""" + release_policy: Optional["_models.KeyReleasePolicy"] = rest_field() + """The policy rules under which the key can be exported.""" + + @overload + def __init__( + self, + *, + kty: Union[str, "_models.JsonWebKeyType"], + key_size: Optional[int] = None, + public_exponent: Optional[int] = None, + key_ops: Optional[List[Union[str, "_models.JsonWebKeyOperation"]]] = None, + key_attributes: Optional["_models.KeyAttributes"] = None, + tags: Optional[Dict[str, str]] = None, + curve: Optional[Union[str, "_models.JsonWebKeyCurveName"]] = None, + release_policy: Optional["_models.KeyReleasePolicy"] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyImportParameters(_model_base.Model): + """The key import parameters. + + All required parameters must be populated in order to send to server. + + :ivar hsm: Whether to import as a hardware key (HSM) or software key. + :vartype hsm: bool + :ivar key: The Json web key. Required. + :vartype key: ~azure.keyvault.keys.models.JsonWebKey + :ivar key_attributes: The key management attributes. + :vartype key_attributes: ~azure.keyvault.keys.models.KeyAttributes + :ivar tags: Application specific metadata in the form of key-value pairs. + :vartype tags: dict[str, str] + :ivar release_policy: The policy rules under which the key can be exported. + :vartype release_policy: ~azure.keyvault.keys.models.KeyReleasePolicy + """ + + hsm: Optional[bool] = rest_field(name="Hsm") + """Whether to import as a hardware key (HSM) or software key.""" + key: "_models.JsonWebKey" = rest_field() + """The Json web key. Required.""" + key_attributes: Optional["_models.KeyAttributes"] = rest_field(name="attributes") + """The key management attributes.""" + tags: Optional[Dict[str, str]] = rest_field() + """Application specific metadata in the form of key-value pairs.""" + release_policy: Optional["_models.KeyReleasePolicy"] = rest_field() + """The policy rules under which the key can be exported.""" + + @overload + def __init__( + self, + *, + key: "_models.JsonWebKey", + hsm: Optional[bool] = None, + key_attributes: Optional["_models.KeyAttributes"] = None, + tags: Optional[Dict[str, str]] = None, + release_policy: Optional["_models.KeyReleasePolicy"] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyItem(_model_base.Model): + """The key item containing key metadata. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar kid: Key identifier. + :vartype kid: str + :ivar attributes: The key management attributes. + :vartype attributes: ~azure.keyvault.keys.models.KeyAttributes + :ivar tags: Application specific metadata in the form of key-value pairs. + :vartype tags: dict[str, str] + :ivar managed: True if the key's lifetime is managed by key vault. If this is a key backing a + certificate, then managed will be true. + :vartype managed: bool + """ + + kid: Optional[str] = rest_field() + """Key identifier.""" + attributes: Optional["_models.KeyAttributes"] = rest_field() + """The key management attributes.""" + tags: Optional[Dict[str, str]] = rest_field() + """Application specific metadata in the form of key-value pairs.""" + managed: Optional[bool] = rest_field(visibility=["read"]) + """True if the key's lifetime is managed by key vault. If this is a key backing a certificate, + then managed will be true.""" + + @overload + def __init__( + self, + *, + kid: Optional[str] = None, + attributes: Optional["_models.KeyAttributes"] = None, + tags: Optional[Dict[str, str]] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyOperationResult(_model_base.Model): + """The key operation result. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar kid: Key identifier. + :vartype kid: str + :ivar result: The result of the operation. + :vartype result: bytes + :ivar iv: Cryptographically random, non-repeating initialization vector for symmetric + algorithms. + :vartype iv: bytes + :ivar authentication_tag: The tag to authenticate when performing decryption with an + authenticated algorithm. + :vartype authentication_tag: bytes + :ivar additional_authenticated_data: Additional data to authenticate but not encrypt/decrypt + when using authenticated crypto algorithms. + :vartype additional_authenticated_data: bytes + """ + + kid: Optional[str] = rest_field(visibility=["read"]) + """Key identifier.""" + result: Optional[bytes] = rest_field(name="value", visibility=["read"], format="base64url") + """The result of the operation.""" + iv: Optional[bytes] = rest_field(visibility=["read"], format="base64url") + """Cryptographically random, non-repeating initialization vector for symmetric algorithms.""" + authentication_tag: Optional[bytes] = rest_field(name="tag", visibility=["read"], format="base64url") + """The tag to authenticate when performing decryption with an authenticated algorithm.""" + additional_authenticated_data: Optional[bytes] = rest_field(name="aad", visibility=["read"], format="base64url") + """Additional data to authenticate but not encrypt/decrypt when using authenticated crypto + algorithms.""" + + +class KeyOperationsParameters(_model_base.Model): + """The key operations parameters. + + All required parameters must be populated in order to send to server. + + :ivar algorithm: algorithm identifier. Required. Known values are: "RSA-OAEP", "RSA-OAEP-256", + "RSA1_5", "A128GCM", "A192GCM", "A256GCM", "A128KW", "A192KW", "A256KW", "A128CBC", "A192CBC", + "A256CBC", "A128CBCPAD", "A192CBCPAD", "A256CBCPAD", "CKM_AES_KEY_WRAP", and + "CKM_AES_KEY_WRAP_PAD". + :vartype algorithm: str or ~azure.keyvault.keys.models.JsonWebKeyEncryptionAlgorithm + :ivar value: The value to operate on. Required. + :vartype value: bytes + :ivar iv: Cryptographically random, non-repeating initialization vector for symmetric + algorithms. + :vartype iv: bytes + :ivar aad: Additional data to authenticate but not encrypt/decrypt when using authenticated + crypto algorithms. + :vartype aad: bytes + :ivar tag: The tag to authenticate when performing decryption with an authenticated algorithm. + :vartype tag: bytes + """ + + algorithm: Union[str, "_models.JsonWebKeyEncryptionAlgorithm"] = rest_field(name="alg") + """algorithm identifier. Required. Known values are: \"RSA-OAEP\", \"RSA-OAEP-256\", \"RSA1_5\", + \"A128GCM\", \"A192GCM\", \"A256GCM\", \"A128KW\", \"A192KW\", \"A256KW\", \"A128CBC\", + \"A192CBC\", \"A256CBC\", \"A128CBCPAD\", \"A192CBCPAD\", \"A256CBCPAD\", \"CKM_AES_KEY_WRAP\", + and \"CKM_AES_KEY_WRAP_PAD\".""" + value: bytes = rest_field(format="base64url") + """The value to operate on. Required.""" + iv: Optional[bytes] = rest_field(format="base64url") + """Cryptographically random, non-repeating initialization vector for symmetric algorithms.""" + aad: Optional[bytes] = rest_field(format="base64url") + """Additional data to authenticate but not encrypt/decrypt when using authenticated crypto + algorithms.""" + tag: Optional[bytes] = rest_field(format="base64url") + """The tag to authenticate when performing decryption with an authenticated algorithm.""" + + @overload + def __init__( + self, + *, + algorithm: Union[str, "_models.JsonWebKeyEncryptionAlgorithm"], + value: bytes, + iv: Optional[bytes] = None, + aad: Optional[bytes] = None, + tag: Optional[bytes] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyReleaseParameters(_model_base.Model): + """The release key parameters. + + All required parameters must be populated in order to send to server. + + :ivar target_attestation_token: The attestation assertion for the target of the key release. + Required. + :vartype target_attestation_token: str + :ivar nonce: A client provided nonce for freshness. + :vartype nonce: str + :ivar enc: The encryption algorithm to use to protected the exported key material. Known values + are: "CKM_RSA_AES_KEY_WRAP", "RSA_AES_KEY_WRAP_256", and "RSA_AES_KEY_WRAP_384". + :vartype enc: str or ~azure.keyvault.keys.models.KeyEncryptionAlgorithm + """ + + target_attestation_token: str = rest_field(name="target") + """The attestation assertion for the target of the key release. Required.""" + nonce: Optional[str] = rest_field() + """A client provided nonce for freshness.""" + enc: Optional[Union[str, "_models.KeyEncryptionAlgorithm"]] = rest_field() + """The encryption algorithm to use to protected the exported key material. Known values are: + \"CKM_RSA_AES_KEY_WRAP\", \"RSA_AES_KEY_WRAP_256\", and \"RSA_AES_KEY_WRAP_384\".""" + + @overload + def __init__( + self, + *, + target_attestation_token: str, + nonce: Optional[str] = None, + enc: Optional[Union[str, "_models.KeyEncryptionAlgorithm"]] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyReleasePolicy(_model_base.Model): + """The policy rules under which the key can be exported. + + :ivar content_type: Content type and version of key release policy. + :vartype content_type: str + :ivar immutable: Defines the mutability state of the policy. Once marked immutable, this flag + cannot be reset and the policy cannot be changed under any circumstances. + :vartype immutable: bool + :ivar encoded_policy: Blob encoding the policy rules under which the key can be released. Blob + must be base64 URL encoded. + :vartype encoded_policy: bytes + """ + + content_type: Optional[str] = rest_field(name="contentType") + """Content type and version of key release policy.""" + immutable: Optional[bool] = rest_field() + """Defines the mutability state of the policy. Once marked immutable, this flag cannot be reset + and the policy cannot be changed under any circumstances.""" + encoded_policy: Optional[bytes] = rest_field(name="data", format="base64url") + """Blob encoding the policy rules under which the key can be released. Blob must be base64 URL + encoded.""" + + @overload + def __init__( + self, + *, + content_type: Optional[str] = None, + immutable: Optional[bool] = None, + encoded_policy: Optional[bytes] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyReleaseResult(_model_base.Model): + """The release result, containing the released key. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar value: A signed object containing the released key. + :vartype value: str + """ + + value: Optional[str] = rest_field(visibility=["read"]) + """A signed object containing the released key.""" + + +class KeyRestoreParameters(_model_base.Model): + """The key restore parameters. + + All required parameters must be populated in order to send to server. + + :ivar key_bundle_backup: The backup blob associated with a key bundle. Required. + :vartype key_bundle_backup: bytes + """ + + key_bundle_backup: bytes = rest_field(name="value", format="base64url") + """The backup blob associated with a key bundle. Required.""" + + @overload + def __init__( + self, + *, + key_bundle_backup: bytes, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyRotationPolicy(_model_base.Model): + """Management policy for a key. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar id: The key policy id. + :vartype id: str + :ivar lifetime_actions: Actions that will be performed by Key Vault over the lifetime of a key. + For preview, lifetimeActions can only have two items at maximum: one for rotate, one for + notify. Notification time would be default to 30 days before expiry and it is not configurable. + :vartype lifetime_actions: list[~azure.keyvault.keys.models.LifetimeActions] + :ivar attributes: The key rotation policy attributes. + :vartype attributes: ~azure.keyvault.keys.models.KeyRotationPolicyAttributes + """ + + id: Optional[str] = rest_field(visibility=["read"]) + """The key policy id.""" + lifetime_actions: Optional[List["_models.LifetimeActions"]] = rest_field(name="lifetimeActions") + """Actions that will be performed by Key Vault over the lifetime of a key. For preview, + lifetimeActions can only have two items at maximum: one for rotate, one for notify. + Notification time would be default to 30 days before expiry and it is not configurable.""" + attributes: Optional["_models.KeyRotationPolicyAttributes"] = rest_field() + """The key rotation policy attributes.""" + + @overload + def __init__( + self, + *, + lifetime_actions: Optional[List["_models.LifetimeActions"]] = None, + attributes: Optional["_models.KeyRotationPolicyAttributes"] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyRotationPolicyAttributes(_model_base.Model): + """The key rotation policy attributes. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar expiry_time: The expiryTime will be applied on the new key version. It should be at least + 28 days. It will be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: + PT48H, 1 year and 10 days: P1Y10D. + :vartype expiry_time: str + :ivar created: The key rotation policy created time in UTC. + :vartype created: ~datetime.datetime + :ivar updated: The key rotation policy's last updated time in UTC. + :vartype updated: ~datetime.datetime + """ + + expiry_time: Optional[str] = rest_field(name="expiryTime") + """The expiryTime will be applied on the new key version. It should be at least 28 days. It will + be in ISO 8601 Format. Examples: 90 days: P90D, 3 months: P3M, 48 hours: PT48H, 1 year and 10 + days: P1Y10D.""" + created: Optional[datetime.datetime] = rest_field(visibility=["read"], format="unix-timestamp") + """The key rotation policy created time in UTC.""" + updated: Optional[datetime.datetime] = rest_field(visibility=["read"], format="unix-timestamp") + """The key rotation policy's last updated time in UTC.""" + + @overload + def __init__( + self, + *, + expiry_time: Optional[str] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeySignParameters(_model_base.Model): + """The key operations parameters. + + All required parameters must be populated in order to send to server. + + :ivar algorithm: The signing/verification algorithm identifier. For more information on + possible algorithm types, see JsonWebKeySignatureAlgorithm. Required. Known values are: + "PS256", "PS384", "PS512", "RS256", "RS384", "RS512", "RSNULL", "ES256", "ES384", "ES512", and + "ES256K". + :vartype algorithm: str or ~azure.keyvault.keys.models.JsonWebKeySignatureAlgorithm + :ivar value: The value to operate on. Required. + :vartype value: bytes + """ + + algorithm: Union[str, "_models.JsonWebKeySignatureAlgorithm"] = rest_field(name="alg") + """The signing/verification algorithm identifier. For more information on possible algorithm + types, see JsonWebKeySignatureAlgorithm. Required. Known values are: \"PS256\", \"PS384\", + \"PS512\", \"RS256\", \"RS384\", \"RS512\", \"RSNULL\", \"ES256\", \"ES384\", \"ES512\", and + \"ES256K\".""" + value: bytes = rest_field(format="base64url") + """The value to operate on. Required.""" + + @overload + def __init__( + self, + *, + algorithm: Union[str, "_models.JsonWebKeySignatureAlgorithm"], + value: bytes, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyUpdateParameters(_model_base.Model): + """The key update parameters. + + :ivar key_ops: Json web key operations. For more information on possible key operations, see + JsonWebKeyOperation. + :vartype key_ops: list[str or ~azure.keyvault.keys.models.JsonWebKeyOperation] + :ivar key_attributes: The attributes of a key managed by the key vault service. + :vartype key_attributes: ~azure.keyvault.keys.models.KeyAttributes + :ivar tags: Application specific metadata in the form of key-value pairs. + :vartype tags: dict[str, str] + :ivar release_policy: The policy rules under which the key can be exported. + :vartype release_policy: ~azure.keyvault.keys.models.KeyReleasePolicy + """ + + key_ops: Optional[List[Union[str, "_models.JsonWebKeyOperation"]]] = rest_field() + """Json web key operations. For more information on possible key operations, see + JsonWebKeyOperation.""" + key_attributes: Optional["_models.KeyAttributes"] = rest_field(name="attributes") + """The attributes of a key managed by the key vault service.""" + tags: Optional[Dict[str, str]] = rest_field() + """Application specific metadata in the form of key-value pairs.""" + release_policy: Optional["_models.KeyReleasePolicy"] = rest_field() + """The policy rules under which the key can be exported.""" + + @overload + def __init__( + self, + *, + key_ops: Optional[List[Union[str, "_models.JsonWebKeyOperation"]]] = None, + key_attributes: Optional["_models.KeyAttributes"] = None, + tags: Optional[Dict[str, str]] = None, + release_policy: Optional["_models.KeyReleasePolicy"] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyVaultError(_model_base.Model): + """The key vault error exception. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar error: The key vault server error. + :vartype error: ~azure.keyvault.keys.models.KeyVaultErrorError + """ + + error: Optional["_models.KeyVaultErrorError"] = rest_field(visibility=["read"]) + """The key vault server error.""" + + +class KeyVaultErrorError(_model_base.Model): + """KeyVaultErrorError. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar code: The error code. + :vartype code: str + :ivar message: The error message. + :vartype message: str + :ivar inner_error: The key vault server error. + :vartype inner_error: ~azure.keyvault.keys.models.KeyVaultErrorError + """ + + code: Optional[str] = rest_field(visibility=["read"]) + """The error code.""" + message: Optional[str] = rest_field(visibility=["read"]) + """The error message.""" + inner_error: Optional["_models.KeyVaultErrorError"] = rest_field(name="innererror", visibility=["read"]) + """The key vault server error.""" + + +class KeyVerifyParameters(_model_base.Model): + """The key verify parameters. + + All required parameters must be populated in order to send to server. + + :ivar algorithm: The signing/verification algorithm. For more information on possible algorithm + types, see JsonWebKeySignatureAlgorithm. Required. Known values are: "PS256", "PS384", "PS512", + "RS256", "RS384", "RS512", "RSNULL", "ES256", "ES384", "ES512", and "ES256K". + :vartype algorithm: str or ~azure.keyvault.keys.models.JsonWebKeySignatureAlgorithm + :ivar digest: The digest used for signing. Required. + :vartype digest: bytes + :ivar signature: The signature to be verified. Required. + :vartype signature: bytes + """ + + algorithm: Union[str, "_models.JsonWebKeySignatureAlgorithm"] = rest_field(name="alg") + """The signing/verification algorithm. For more information on possible algorithm types, see + JsonWebKeySignatureAlgorithm. Required. Known values are: \"PS256\", \"PS384\", \"PS512\", + \"RS256\", \"RS384\", \"RS512\", \"RSNULL\", \"ES256\", \"ES384\", \"ES512\", and \"ES256K\".""" + digest: bytes = rest_field(format="base64url") + """The digest used for signing. Required.""" + signature: bytes = rest_field(name="value", format="base64url") + """The signature to be verified. Required.""" + + @overload + def __init__( + self, + *, + algorithm: Union[str, "_models.JsonWebKeySignatureAlgorithm"], + digest: bytes, + signature: bytes, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyVerifyResult(_model_base.Model): + """The key verify result. + + Readonly variables are only populated by the server, and will be ignored when sending a request. + + :ivar value: True if the signature is verified, otherwise false. + :vartype value: bool + """ + + value: Optional[bool] = rest_field(visibility=["read"]) + """True if the signature is verified, otherwise false.""" + + +class LifetimeActions(_model_base.Model): + """Action and its trigger that will be performed by Key Vault over the lifetime of a key. + + :ivar trigger: The condition that will execute the action. + :vartype trigger: ~azure.keyvault.keys.models.LifetimeActionsTrigger + :ivar action: The action that will be executed. + :vartype action: ~azure.keyvault.keys.models.LifetimeActionsType + """ + + trigger: Optional["_models.LifetimeActionsTrigger"] = rest_field() + """The condition that will execute the action.""" + action: Optional["_models.LifetimeActionsType"] = rest_field() + """The action that will be executed.""" + + @overload + def __init__( + self, + *, + trigger: Optional["_models.LifetimeActionsTrigger"] = None, + action: Optional["_models.LifetimeActionsType"] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class LifetimeActionsTrigger(_model_base.Model): + """A condition to be satisfied for an action to be executed. + + :ivar time_after_create: Time after creation to attempt to rotate. It only applies to rotate. + It will be in ISO 8601 duration format. Example: 90 days : "P90D". + :vartype time_after_create: str + :ivar time_before_expiry: Time before expiry to attempt to rotate or notify. It will be in ISO + 8601 duration format. Example: 90 days : "P90D". + :vartype time_before_expiry: str + """ + + time_after_create: Optional[str] = rest_field(name="timeAfterCreate") + """Time after creation to attempt to rotate. It only applies to rotate. It will be in ISO 8601 + duration format. Example: 90 days : \"P90D\".""" + time_before_expiry: Optional[str] = rest_field(name="timeBeforeExpiry") + """Time before expiry to attempt to rotate or notify. It will be in ISO 8601 duration format. + Example: 90 days : \"P90D\".""" + + @overload + def __init__( + self, + *, + time_after_create: Optional[str] = None, + time_before_expiry: Optional[str] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class LifetimeActionsType(_model_base.Model): + """The action that will be executed. + + :ivar type: The type of the action. The value should be compared case-insensitively. Known + values are: "Rotate" and "Notify". + :vartype type: str or ~azure.keyvault.keys.models.KeyRotationPolicyAction + """ + + type: Optional[Union[str, "_models.KeyRotationPolicyAction"]] = rest_field() + """The type of the action. The value should be compared case-insensitively. Known values are: + \"Rotate\" and \"Notify\".""" + + @overload + def __init__( + self, + *, + type: Optional[Union[str, "_models.KeyRotationPolicyAction"]] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class RandomBytes(_model_base.Model): + """The get random bytes response object containing the bytes. + + + :ivar value: The bytes encoded as a base64url string. Required. + :vartype value: bytes + """ + + value: bytes = rest_field(format="base64url") + """The bytes encoded as a base64url string. Required.""" + + @overload + def __init__( + self, + *, + value: bytes, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/_patch.py b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/_patch.py similarity index 100% rename from sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_generated/models/_patch.py rename to sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/models/_patch.py diff --git a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/py.typed b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/py.typed index e69de29bb2d1..e5aff4f83af8 100644 --- a/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/py.typed +++ b/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/py.typed @@ -0,0 +1 @@ +# Marker file for PEP 561. \ No newline at end of file diff --git a/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py b/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py index bdf7d1305fd3..5f409d76eeb1 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations.py @@ -14,7 +14,7 @@ # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # # 3. Set environment variable VAULT_URL with the URL of your key vault -# +# # 4. Set up your environment to use azure-identity's DefaultAzureCredential. For more information about how to configure # the DefaultAzureCredential, refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential # diff --git a/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py b/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py index f6990ab87997..b5420526eb04 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/backup_restore_operations_async.py @@ -34,13 +34,14 @@ # 5. Restore a key (restore_key_backup) # ---------------------------------------------------------------------------------------------------------- + async def run_sample(): # Instantiate a key client that will be used to call the service. # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. VAULT_URL = os.environ["VAULT_URL"] credential = DefaultAzureCredential() client = KeyClient(vault_url=VAULT_URL, credential=credential) - + # Let's create a Key of type RSA. # if the key already exists in the Key Vault, then a new version of the key is created. print("\n.. Create Key") diff --git a/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py b/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py index afb096383708..c6226066f8df 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/hello_world.py @@ -12,7 +12,7 @@ # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # # 3. Set environment variable VAULT_URL with the URL of your key vault -# +# # 4. Set up your environment to use azure-identity's DefaultAzureCredential. For more information about how to configure # the DefaultAzureCredential, refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential # @@ -70,9 +70,7 @@ # associated with a key previously stored within Key Vault. print("\n.. Update a Key by name") expires = datetime.datetime.utcnow() + datetime.timedelta(days=365) -updated_ec_key = client.update_key_properties( - ec_key.name, ec_key.properties.version, expires_on=expires, enabled=False -) +updated_ec_key = client.update_key_properties(ec_key.name, ec_key.properties.version, expires_on=expires, enabled=False) print(f"Key with name '{updated_ec_key.name}' was updated on date '{updated_ec_key.properties.updated_on}'") print(f"Key with name '{updated_ec_key.name}' was updated to expire on '{updated_ec_key.properties.expires_on}'") diff --git a/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py b/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py index 864f14750aaa..600b48ef0038 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/hello_world_async.py @@ -35,6 +35,7 @@ # 5. Delete a key (delete_key) # ---------------------------------------------------------------------------------------------------------- + async def run_sample(): # Instantiate a key client that will be used to call the service. # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. diff --git a/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py b/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py index 248ac051899e..eeff6ab5b212 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/key_rotation.py @@ -14,7 +14,7 @@ # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # # 3. Set environment variable VAULT_URL with the URL of your key vault -# +# # 4. Set up your environment to use azure-identity's DefaultAzureCredential. For more information about how to configure # the DefaultAzureCredential, refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential # diff --git a/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py b/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py index c20f614943a7..bb9b646d1c03 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/key_rotation_async.py @@ -36,6 +36,7 @@ # 5. Delete a key (delete_key) # ---------------------------------------------------------------------------------------------------------- + async def run_sample(): # Instantiate a key client that will be used to call the service. # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. @@ -108,4 +109,4 @@ async def run_sample(): if __name__ == "__main__": - asyncio.run(run_sample()) \ No newline at end of file + asyncio.run(run_sample()) diff --git a/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py b/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py index f8b01807efc4..75fbf1174f73 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/list_operations.py @@ -13,7 +13,7 @@ # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # # 3. Set environment variable VAULT_URL with the URL of your key vault -# +# # 4. Set up your environment to use azure-identity's DefaultAzureCredential. For more information about how to configure # the DefaultAzureCredential, refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential # diff --git a/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py b/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py index 757017e45e00..6b25d1767c90 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/list_operations_async.py @@ -35,6 +35,7 @@ # # ---------------------------------------------------------------------------------------------------------- + async def run_sample(): # Instantiate a key client that will be used to call the service. # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. diff --git a/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py b/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py index 9b5b45985c97..9dbf73de874f 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations.py @@ -13,7 +13,7 @@ # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # # 3. Set environment variable VAULT_URL with the URL of your key vault -# +# # 4. Set up your environment to use azure-identity's DefaultAzureCredential. For more information about how to configure # the DefaultAzureCredential, refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential # diff --git a/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py b/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py index bcb8eb588df3..f8afd828acae 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/recover_purge_operations_async.py @@ -7,6 +7,7 @@ from azure.identity.aio import DefaultAzureCredential from azure.keyvault.keys.aio import KeyClient + # ---------------------------------------------------------------------------------------------------------- # Prerequisites: # 1. An Azure Key Vault (https://learn.microsoft.com/azure/key-vault/quick-create-cli) diff --git a/sdk/keyvault/azure-keyvault-keys/samples/send_request.py b/sdk/keyvault/azure-keyvault-keys/samples/send_request.py index 78d35dc3c8f2..f9fd32e62129 100644 --- a/sdk/keyvault/azure-keyvault-keys/samples/send_request.py +++ b/sdk/keyvault/azure-keyvault-keys/samples/send_request.py @@ -14,7 +14,7 @@ # 2. azure-keyvault-keys and azure-identity libraries (pip install these) # # 3. Set environment variable VAULT_URL with the URL of your key vault -# +# # 4. Set up your environment to use azure-identity's DefaultAzureCredential. For more information about how to configure # the DefaultAzureCredential, refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential # @@ -55,7 +55,7 @@ response = client.send_request(request) # The return value is an azure.core.rest.HttpResponse -- the key information is in the response body. -# We can get a dictionary of the body content with the `json` method. +# We can get a dictionary of the body content with the `json` method. response_body = response.json() print(f"\n.. Key with ID {response_body['key']['kid']} was found.") diff --git a/sdk/keyvault/azure-keyvault-keys/setup.py b/sdk/keyvault/azure-keyvault-keys/setup.py index 662d1a12d4fe..71d4610a46af 100644 --- a/sdk/keyvault/azure-keyvault-keys/setup.py +++ b/sdk/keyvault/azure-keyvault-keys/setup.py @@ -1,51 +1,44 @@ -#!/usr/bin/env python - -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -# pylint:disable=missing-docstring +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# coding: utf-8 +import os import re -import os.path -from io import open -from setuptools import find_packages, setup +from setuptools import setup, find_packages + -# Change the PACKAGE_NAME only to change folder and different name PACKAGE_NAME = "azure-keyvault-keys" -PACKAGE_PPRINT_NAME = "Key Vault Keys" +PACKAGE_PPRINT_NAME = "Azure Keyvault Keys" # a-b-c => a/b/c -PACKAGE_FOLDER_PATH = PACKAGE_NAME.replace("-", "/") -# a-b-c => a.b.c -NAMESPACE_NAME = PACKAGE_NAME.replace("-", ".") +package_folder_path = PACKAGE_NAME.replace("-", "/") # Version extraction inspired from 'requests' -with open(os.path.join(PACKAGE_FOLDER_PATH, "_version.py"), "r") as fd: - VERSION = re.search(r'^VERSION\s*=\s*[\'"]([^\'"]*)[\'"]', fd.read(), re.MULTILINE).group(1) +with open(os.path.join(package_folder_path, "_version.py"), "r") as fd: + version = re.search(r'^VERSION\s*=\s*[\'"]([^\'"]*)[\'"]', fd.read(), re.MULTILINE).group(1) -if not VERSION: +if not version: raise RuntimeError("Cannot find version information") -with open("README.md", encoding="utf-8") as f: - README = f.read() -with open("CHANGELOG.md", encoding="utf-8") as f: - CHANGELOG = f.read() setup( name=PACKAGE_NAME, - version=VERSION, - include_package_data=True, - description=f"Microsoft Azure {PACKAGE_PPRINT_NAME} Client Library for Python", - long_description=README + "\n\n" + CHANGELOG, + version=version, + description="Microsoft {} Client Library for Python".format(PACKAGE_PPRINT_NAME), + long_description=open("README.md", "r").read(), long_description_content_type="text/markdown", license="MIT License", author="Microsoft Corporation", - author_email="azurekeyvault@microsoft.com", - url="https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys", + author_email="azpysdkhelp@microsoft.com", + url="https://github.com/Azure/azure-sdk-for-python/tree/main/sdk", keywords="azure, azure sdk", classifiers=[ - "Development Status :: 5 - Production/Stable", + "Development Status :: 4 - Beta", "Programming Language :: Python", "Programming Language :: Python :: 3 :: Only", "Programming Language :: Python :: 3", @@ -59,18 +52,20 @@ zip_safe=False, packages=find_packages( exclude=[ - "samples", "tests", # Exclude packages that will be covered by PEP420 or nspkg "azure", "azure.keyvault", ] ), - python_requires=">=3.8", + include_package_data=True, + package_data={ + "azure.keyvault.keys": ["py.typed"], + }, install_requires=[ - "azure-core>=1.31.0", - "cryptography>=2.1.4", "isodate>=0.6.1", - "typing-extensions>=4.0.1", + "azure-core>=1.30.0", + "typing-extensions>=4.6.0", ], + python_requires=">=3.8", ) diff --git a/sdk/keyvault/azure-keyvault-keys/tests/_keys_test_case.py b/sdk/keyvault/azure-keyvault-keys/tests/_keys_test_case.py index d1e99ba811e3..d23ab5e15853 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/_keys_test_case.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/_keys_test_case.py @@ -13,7 +13,7 @@ def _get_attestation_uri(self): playback_uri = "https://fakeattestation.azurewebsites.net" if self.is_live: real_uri = os.environ.get("AZURE_KEYVAULT_ATTESTATION_URL") - real_uri = real_uri.rstrip('/') + real_uri = real_uri.rstrip("/") if real_uri is None: pytest.skip("No AZURE_KEYVAULT_ATTESTATION_URL environment variable") return real_uri @@ -22,9 +22,11 @@ def _get_attestation_uri(self): def create_crypto_client(self, key, **kwargs): if kwargs.pop("is_async", False): from azure.keyvault.keys.crypto.aio import CryptographyClient - credential = self.get_credential(CryptographyClient,is_async=True) + + credential = self.get_credential(CryptographyClient, is_async=True) else: from azure.keyvault.keys.crypto import CryptographyClient + credential = self.get_credential(CryptographyClient) return self.create_client_from_credential(CryptographyClient, credential=credential, key=key, **kwargs) diff --git a/sdk/keyvault/azure-keyvault-keys/tests/_shared/test_case.py b/sdk/keyvault/azure-keyvault-keys/tests/_shared/test_case.py index a67376fd53e1..87a1198ea5de 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/_shared/test_case.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/_shared/test_case.py @@ -8,8 +8,6 @@ from devtools_testutils import AzureRecordedTestCase - - class KeyVaultTestCase(AzureRecordedTestCase): def get_resource_name(self, name): """helper to create resources with a consistent, test-indicative prefix""" diff --git a/sdk/keyvault/azure-keyvault-keys/tests/_shared/test_case_async.py b/sdk/keyvault/azure-keyvault-keys/tests/_shared/test_case_async.py index 6059c528f1a3..fb26f89f3ab3 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/_shared/test_case_async.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/_shared/test_case_async.py @@ -36,7 +36,7 @@ async def _poll_until_exception(self, fn, expected_exception, max_retries=20, re except expected_exception: return self.fail("expected exception {expected_exception} was not raised") - + def teardown_method(self, method): HttpChallengeCache.clear() assert len(HttpChallengeCache._cache) == 0 diff --git a/sdk/keyvault/azure-keyvault-keys/tests/conftest.py b/sdk/keyvault/azure-keyvault-keys/tests/conftest.py index 106eceaa03c8..fcbdf60429ef 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/conftest.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/conftest.py @@ -12,16 +12,22 @@ add_general_string_sanitizer, add_oauth_response_sanitizer, is_live, - remove_batch_sanitizers + remove_batch_sanitizers, ) from azure.keyvault.keys._shared.client_base import DEFAULT_VERSION, ApiVersion -os.environ['PYTHONHASHSEED'] = '0' +os.environ["PYTHONHASHSEED"] = "0" ALL_API_VERSIONS = "--all-api-versions" + def pytest_addoption(parser): - parser.addoption(ALL_API_VERSIONS, action="store_true", default=False, - help="Test all api version in live mode. Not applicable in playback mode.") + parser.addoption( + ALL_API_VERSIONS, + action="store_true", + default=False, + help="Test all api version in live mode. Not applicable in playback mode.", + ) + def pytest_configure(config): if is_live() and not config.getoption(ALL_API_VERSIONS): @@ -29,16 +35,19 @@ def pytest_configure(config): else: pytest.api_version = ApiVersion + @pytest.fixture(scope="session", autouse=True) def add_sanitizers(test_proxy): azure_keyvault_url = os.getenv("AZURE_KEYVAULT_URL", "https://vaultname.vault.azure.net") azure_keyvault_url = azure_keyvault_url.rstrip("/") keyvault_tenant_id = os.getenv("KEYVAULT_TENANT_ID", "keyvault_tenant_id") keyvault_subscription_id = os.getenv("KEYVAULT_SUBSCRIPTION_ID", "keyvault_subscription_id") - azure_managedhsm_url = os.environ.get("AZURE_MANAGEDHSM_URL","https://managedhsmvaultname.managedhsm.azure.net") + azure_managedhsm_url = os.environ.get("AZURE_MANAGEDHSM_URL", "https://managedhsmvaultname.managedhsm.azure.net") azure_managedhsm_url = azure_managedhsm_url.rstrip("/") - azure_attestation_uri = os.environ.get("AZURE_KEYVAULT_ATTESTATION_URL","https://fakeattestation.azurewebsites.net") - azure_attestation_uri = azure_attestation_uri.rstrip('/') + azure_attestation_uri = os.environ.get( + "AZURE_KEYVAULT_ATTESTATION_URL", "https://fakeattestation.azurewebsites.net" + ) + azure_attestation_uri = azure_attestation_uri.rstrip("/") add_general_string_sanitizer(target=azure_keyvault_url, value="https://vaultname.vault.azure.net") add_general_string_sanitizer(target=keyvault_tenant_id, value="00000000-0000-0000-0000-000000000000") @@ -50,7 +59,12 @@ def add_sanitizers(test_proxy): # Remove the following sanitizers since certain fields are needed in tests and are non-sensitive: # - AZSDK3430: $..id # - AZSDK3447: $.key - remove_batch_sanitizers(["AZSDK3430", "AZSDK3447",]) + remove_batch_sanitizers( + [ + "AZSDK3430", + "AZSDK3447", + ] + ) @pytest.fixture(scope="session", autouse=True) @@ -78,6 +92,7 @@ def immediate_return(_): else: yield + @pytest.fixture(scope="session") def event_loop(request): loop = asyncio.get_event_loop() diff --git a/sdk/keyvault/azure-keyvault-keys/tests/perfstress_tests/sign.py b/sdk/keyvault/azure-keyvault-keys/tests/perfstress_tests/sign.py index e98cbd1ce11c..469de42d8a35 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/perfstress_tests/sign.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/perfstress_tests/sign.py @@ -25,6 +25,7 @@ def __init__(self, arguments): super().__init__(arguments) from dotenv import load_dotenv + load_dotenv() # Auth configuration diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py b/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py index de26cc59f07d..b889b052484f 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth.py @@ -36,6 +36,7 @@ TOKEN_TYPES = [AccessToken, AccessTokenInfo] + class TestChallengeAuth(KeyVaultTestCase, KeysTestCase): @pytest.mark.parametrize("api_version,is_hsm", only_default_version) @KeysClientPreparer() @@ -125,7 +126,6 @@ def test_enforces_tls(): pipeline.run(HttpRequest("GET", url)) - def test_challenge_cache(): url_a = get_random_url() challenge_a = HttpChallenge(url_a, "Bearer authorization=authority A, resource=resource A") @@ -148,9 +148,7 @@ def test_challenge_parsing(): tenant = "tenant" authority = f"https://login.authority.net/{tenant}" resource = "https://challenge.resource" - challenge = HttpChallenge( - "https://request.uri", challenge=f"Bearer authorization={authority}, resource={resource}" - ) + challenge = HttpChallenge("https://request.uri", challenge=f"Bearer authorization={authority}, resource={resource}") assert challenge.get_authorization_server() == authority assert challenge.get_resource() == resource @@ -548,8 +546,8 @@ def get_token(*_, **__): mock_response( status_code=401, headers={"WWW-Authenticate": f'Bearer authorization="{url}", resource={resource}'} ), - mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}) - ] + mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}), + ], ) transport_2 = validating_transport( requests=[Request(), Request(required_headers={"Authorization": f"Bearer {token}"})], @@ -557,8 +555,8 @@ def get_token(*_, **__): mock_response( status_code=401, headers={"WWW-Authenticate": f'Bearer authorization="{url}", resource={resource}'} ), - mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}) - ] + mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}), + ], ) client = KeyClient(url, credential, transport=transport, verify_challenge_resource=verify_challenge_resource) @@ -603,8 +601,8 @@ def get_token(*_, **__): mock_response( status_code=401, headers={"WWW-Authenticate": f'Bearer authorization="{url}", resource={resource}'} ), - mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}) - ] + mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}), + ], ) client = KeyClient(url, credential, transport=transport, verify_challenge_resource=verify_challenge_resource) diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py b/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py index 81ec711f6ad2..4834e9037d3a 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_challenge_auth_async.py @@ -19,7 +19,7 @@ from azure.core.pipeline import AsyncPipeline from azure.core.pipeline.policies import SansIOHTTPPolicy from azure.core.rest import HttpRequest -from azure.keyvault.keys._shared import AsyncChallengeAuthPolicy,HttpChallenge, HttpChallengeCache +from azure.keyvault.keys._shared import AsyncChallengeAuthPolicy, HttpChallenge, HttpChallengeCache from azure.keyvault.keys._shared.client_base import DEFAULT_VERSION from azure.keyvault.keys.aio import KeyClient from devtools_testutils.aio import recorded_by_proxy_async @@ -45,7 +45,7 @@ class TestChallengeAuth(KeyVaultTestCase): @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_default_version) + @pytest.mark.parametrize("api_version,is_hsm", only_default_version) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_multitenant_authentication(self, client, is_hsm, **kwargs): @@ -131,9 +131,7 @@ async def get_token(*scopes, **_): credential = Mock(spec_set=["get_token"], get_token=Mock(wraps=get_token)) else: credential = Mock(spec_set=["get_token_info"], get_token_info=Mock(wraps=get_token)) - pipeline = AsyncPipeline( - policies=[AsyncChallengeAuthPolicy(credential=credential)], transport=Mock(send=send) - ) + pipeline = AsyncPipeline(policies=[AsyncChallengeAuthPolicy(credential=credential)], transport=Mock(send=send)) request = HttpRequest("POST", get_random_url()) request.set_bytes_body(expected_content) await pipeline.run(request) @@ -200,9 +198,7 @@ async def get_token(*_, options=None, **kwargs): credential = Mock(spec_set=["get_token"], get_token=Mock(wraps=get_token)) else: credential = Mock(spec_set=["get_token_info"], get_token_info=Mock(wraps=get_token)) - pipeline = AsyncPipeline( - policies=[AsyncChallengeAuthPolicy(credential=credential)], transport=Mock(send=send) - ) + pipeline = AsyncPipeline(policies=[AsyncChallengeAuthPolicy(credential=credential)], transport=Mock(send=send)) request = HttpRequest("POST", get_random_url()) request.set_bytes_body(expected_content) await pipeline.run(request) @@ -495,8 +491,8 @@ async def get_token(*_, **__): mock_response( status_code=401, headers={"WWW-Authenticate": f'Bearer authorization="{url}", resource={resource}'} ), - mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}) - ] + mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}), + ], ) transport_2 = async_validating_transport( requests=[Request(), Request(required_headers={"Authorization": f"Bearer {token}"})], @@ -504,8 +500,8 @@ async def get_token(*_, **__): mock_response( status_code=401, headers={"WWW-Authenticate": f'Bearer authorization="{url}", resource={resource}'} ), - mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}) - ] + mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}), + ], ) client = KeyClient(url, credential, transport=transport, verify_challenge_resource=verify_challenge_resource) @@ -550,8 +546,8 @@ async def get_token(*_, **__): mock_response( status_code=401, headers={"WWW-Authenticate": f'Bearer authorization="{url}", resource={resource}'} ), - mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}) - ] + mock_response(status_code=200, json_payload={"key": {"kid": f"{url}/key-name"}}), + ], ) client = KeyClient(url, credential, transport=transport, verify_challenge_resource=verify_challenge_resource) diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client.py b/sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client.py index 73452cf6582b..e3ab37566ac5 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client.py @@ -1,3 +1,4 @@ +# pylint: disable=too-many-lines # ------------------------------------ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. @@ -19,7 +20,7 @@ rsa_crt_dmq1, rsa_crt_iqmp, RSAPrivateNumbers, - RSAPublicNumbers + RSAPublicNumbers, ) from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, PrivateFormat, PublicFormat import pytest @@ -59,21 +60,21 @@ def _to_bytes(hex): # RSA key with private components so that the JWK can be used for private operations TEST_JWK = { - "kty":"RSA", - "key_ops":["decrypt", "verify", "unwrapKey"], - "n":_to_bytes( + "kty": "RSA", + "key_ops": ["decrypt", "verify", "unwrapKey"], + "n": _to_bytes( "00a0914d00234ac683b21b4c15d5bed887bdc959c2e57af54ae734e8f00720d775d275e455207e3784ceeb60a50a4655dd72a7a94d271e8ee8f7959a669ca6e775bf0e23badae991b4529d978528b4bd90521d32dd2656796ba82b6bbfc7668c8f5eeb5053747fd199319d29a8440d08f4412d527ff9311eda71825920b47b1c46b11ab3e91d7316407e89c7f340f7b85a34042ce51743b27d4718403d34c7b438af6181be05e4d11eb985d38253d7fe9bf53fc2f1b002d22d2d793fa79a504b6ab42d0492804d7071d727a06cf3a8893aa542b1503f832b296371b6707d4dc6e372f8fe67d8ded1c908fde45ce03bc086a71487fa75e43aa0e0679aa0d20efe35" ), - "e":_to_bytes("10001"), - "p":_to_bytes( + "e": _to_bytes("10001"), + "p": _to_bytes( "00d1deac8d68ddd2c1fd52d5999655b2cf1565260de5269e43fd2a85f39280e1708ffff0682166cb6106ee5ea5e9ffd9f98d0becc9ff2cda2febc97259215ad84b9051e563e14a051dce438bc6541a24ac4f014cf9732d36ebfc1e61a00d82cbe412090f7793cfbd4b7605be133dfc3991f7e1bed5786f337de5036fc1e2df4cf3" ), - "q":_to_bytes( + "q": _to_bytes( "00c3dc66b641a9b73cd833bc439cd34fc6574465ab5b7e8a92d32595a224d56d911e74624225b48c15a670282a51c40d1dad4bc2e9a3c8dab0c76f10052dfb053bc6ed42c65288a8e8bace7a8881184323f94d7db17ea6dfba651218f931a93b8f738f3d8fd3f6ba218d35b96861a0f584b0ab88ddcf446b9815f4d287d83a3237" ), - "d":_to_bytes( + "d": _to_bytes( "627c7d24668148fe2252c7fa649ea8a5a9ed44d75c766cda42b29b660e99404f0e862d4561a6c95af6a83d213e0a2244b03cd28576473215073785fb067f015da19084ade9f475e08b040a9a2c7ba00253bb8125508c9df140b75161d266be347a5e0f6900fe1d8bbf78ccc25eeb37e0c9d188d6e1fc15169ba4fe12276193d77790d2326928bd60d0d01d6ead8d6ac4861abadceec95358fd6689c50a1671a4a936d2376440a41445501da4e74bfb98f823bd19c45b94eb01d98fc0d2f284507f018ebd929b8180dbe6381fdd434bffb7800aaabdd973d55f9eaf9bb88a6ea7b28c2a80231e72de1ad244826d665582c2362761019de2e9f10cb8bcc2625649" - ) + ), } @@ -110,9 +111,10 @@ def _validate_rsa_key_bundle(self, key_attributes, vault, key_name, kty, key_ops assert key.kty == kty, f"kty should by '{key}', but is '{key.kty}'" assert key.n and key.e, "Bad RSA public material." assert sorted(key_ops) == sorted(key.key_ops), f"keyOps should be '{key_ops}', but is '{key.key_ops}'" - - assert key_attributes.properties.created_on and key_attributes.properties.updated_on, "Missing required date attributes." - + + assert ( + key_attributes.properties.created_on and key_attributes.properties.updated_on + ), "Missing required date attributes." def _validate_ec_key_bundle(self, key_curve, key_attributes, vault, key_name, kty): prefix = "/".join(s.strip("/") for s in [vault, "keys", key_name]) @@ -121,7 +123,9 @@ def _validate_ec_key_bundle(self, key_curve, key_attributes, vault, key_name, kt assert key_curve == key.crv assert kid.index(prefix) == 0, f"Key Id should start with '{prefix}', but value is '{kid}'" assert key.kty == kty, f"kty should by '{key}', but is '{key.kty}'" - assert key_attributes.properties.created_on and key_attributes.properties.updated_on,"Missing required date attributes." + assert ( + key_attributes.properties.created_on and key_attributes.properties.updated_on + ), "Missing required date attributes." def _import_test_key(self, client, name, hardware_protected=False): key = JsonWebKey( @@ -168,7 +172,7 @@ def _import_symmetric_test_key(self, client, name): assert key_vault_key.key.kid == imported_key.id == key_vault_key.id return key_vault_key - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_ec_key_id(self, key_client, is_hsm, **kwargs): @@ -185,7 +189,7 @@ def test_ec_key_id(self, key_client, is_hsm, **kwargs): crypto_client.verify(SignatureAlgorithm.es256_k, hashlib.sha256(self.plaintext).digest(), self.plaintext) - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_rsa_key_id(self, key_client, is_hsm, **kwargs): @@ -403,7 +407,7 @@ def test_symmetric_encrypt_and_decrypt(self, key_client, **kwargs): encrypt_result.ciphertext, iv=encrypt_result.iv, authentication_tag=encrypt_result.tag, - additional_authenticated_data=self.aad + additional_authenticated_data=self.aad, ) else: encrypt_result = crypto_client.encrypt( @@ -414,13 +418,15 @@ def test_symmetric_encrypt_and_decrypt(self, key_client, **kwargs): encrypt_result.algorithm, encrypt_result.ciphertext, iv=encrypt_result.iv, - additional_authenticated_data=None if "CBC" in algorithm else self.aad + additional_authenticated_data=None if "CBC" in algorithm else self.aad, ) assert decrypt_result.key_id == imported_key.id assert decrypt_result.algorithm == algorithm if algorithm.endswith("CBC"): - assert decrypt_result.plaintext.startswith(self.plaintext) # AES-CBC returns a zero-padded plaintext + assert decrypt_result.plaintext.startswith( + self.plaintext + ) # AES-CBC returns a zero-padded plaintext else: assert decrypt_result.plaintext == self.plaintext @@ -440,7 +446,7 @@ def test_symmetric_wrap_and_unwrap(self, key_client, **kwargs): result = crypto_client.unwrap_key(result.algorithm, result.encrypted_key) assert result.key == self.plaintext - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_encrypt_local(self, key_client, is_hsm, **kwargs): @@ -458,7 +464,7 @@ def test_encrypt_local(self, key_client, is_hsm, **kwargs): result = crypto_client.decrypt(result.algorithm, result.ciphertext) assert result.plaintext == self.plaintext - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_encrypt_local_from_jwk(self, key_client, is_hsm, **kwargs): @@ -476,8 +482,8 @@ def test_encrypt_local_from_jwk(self, key_client, is_hsm, **kwargs): result = crypto_client.decrypt(result.algorithm, result.ciphertext) assert result.plaintext == self.plaintext - - @pytest.mark.parametrize("api_version,is_hsm",only_hsm) + + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @KeysClientPreparer() @recorded_by_proxy def test_symmetric_encrypt_local(self, key_client, **kwargs): @@ -505,7 +511,7 @@ def test_symmetric_encrypt_local(self, key_client, **kwargs): assert decrypt_result.key_id == imported_key.id assert decrypt_result.algorithm == algorithm assert decrypt_result.plaintext == self.plaintext - + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @KeysClientPreparer() @recorded_by_proxy @@ -530,14 +536,14 @@ def test_symmetric_decrypt_local(self, key_client, **kwargs): encrypt_result.algorithm, encrypt_result.ciphertext, iv=encrypt_result.iv, - additional_authenticated_data=self.aad + additional_authenticated_data=self.aad, ) assert decrypt_result.key_id == imported_key.id assert decrypt_result.algorithm == algorithm assert decrypt_result.plaintext == self.plaintext - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_wrap_local(self, key_client, is_hsm, **kwargs): @@ -554,7 +560,7 @@ def test_wrap_local(self, key_client, is_hsm, **kwargs): result = crypto_client.unwrap_key(result.algorithm, result.encrypted_key) assert result.key == self.plaintext - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_wrap_local_from_jwk(self, key_client, is_hsm, **kwargs): @@ -572,7 +578,7 @@ def test_wrap_local_from_jwk(self, key_client, is_hsm, **kwargs): result = crypto_client.unwrap_key(result.algorithm, result.encrypted_key) assert result.key == self.plaintext - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_rsa_verify_local(self, key_client, is_hsm, **kwargs): @@ -597,7 +603,7 @@ def test_rsa_verify_local(self, key_client, is_hsm, **kwargs): result = crypto_client.verify(result.algorithm, digest, result.signature) assert result.is_valid - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_rsa_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): @@ -608,12 +614,12 @@ def test_rsa_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): crypto_client = self.create_crypto_client(key, api_version=key_client.api_version) local_client = CryptographyClient.from_jwk(key.key) for signature_algorithm, hash_function in ( - (SignatureAlgorithm.ps256, hashlib.sha256), - (SignatureAlgorithm.ps384, hashlib.sha384), - (SignatureAlgorithm.ps512, hashlib.sha512), - (SignatureAlgorithm.rs256, hashlib.sha256), - (SignatureAlgorithm.rs384, hashlib.sha384), - (SignatureAlgorithm.rs512, hashlib.sha512), + (SignatureAlgorithm.ps256, hashlib.sha256), + (SignatureAlgorithm.ps384, hashlib.sha384), + (SignatureAlgorithm.ps512, hashlib.sha512), + (SignatureAlgorithm.rs256, hashlib.sha256), + (SignatureAlgorithm.rs384, hashlib.sha384), + (SignatureAlgorithm.rs512, hashlib.sha512), ): digest = hash_function(self.plaintext).digest() @@ -623,7 +629,7 @@ def test_rsa_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): result = local_client.verify(result.algorithm, digest, result.signature) assert result.is_valid - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_ec_verify_local(self, key_client, is_hsm, **kwargs): @@ -648,7 +654,7 @@ def test_ec_verify_local(self, key_client, is_hsm, **kwargs): result = crypto_client.verify(result.algorithm, digest, result.signature) assert result.is_valid - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_ec_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): @@ -674,11 +680,12 @@ def test_ec_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): result = local_client.verify(result.algorithm, digest, result.signature) assert result.is_valid - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_local_validity_period_enforcement(self, key_client, is_hsm, **kwargs): """Local crypto operations should respect a key's nbf and exp properties""" + def test_operations(key, expected_error_substrings, encrypt_algorithms, wrap_algorithms): crypto_client = self.create_crypto_client(key, api_version=key_client.api_version) for algorithm in encrypt_algorithms: @@ -721,7 +728,7 @@ def test_operations(key, expected_error_substrings, encrypt_algorithms, wrap_alg valid_key, (str(the_year_3000), str(the_year_3001)), rsa_encryption_algorithms, rsa_wrap_algorithms ) - @pytest.mark.parametrize("api_version,is_hsm",only_vault_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_vault_7_4_plus) @KeysClientPreparer() @recorded_by_proxy def test_send_request(self, key_client, is_hsm, **kwargs): @@ -742,7 +749,7 @@ def test_send_request(self, key_client, is_hsm, **kwargs): method="POST", url=f"keys/{key_name}/{imported_key.properties.version}/sign", headers={"Accept": "application/json"}, - json=json + json=json, ) response = crypto_client.send_request(request) result = response.json() @@ -1088,7 +1095,7 @@ def test_rsa_public_key_public_bytes(): public_numbers = public_key.public_numbers() crypto_public_numbers = RSAPublicNumbers(e=public_numbers.e, n=public_numbers.n) crypto_public_bytes = crypto_public_numbers.public_key().public_bytes(Encoding.PEM, PublicFormat.PKCS1) - assert public_bytes == crypto_public_bytes + assert public_bytes == crypto_public_bytes def test_rsa_public_key_private_key_size(): diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client_async.py b/sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client_async.py index e3870e63a5c3..6cc8e92eec2a 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client_async.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client_async.py @@ -1,3 +1,4 @@ +# pylint: disable=too-many-lines # ------------------------------------ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. @@ -70,8 +71,9 @@ def _validate_rsa_key_bundle(self, key_attributes, vault, key_name, kty, key_ops assert key.kty == kty, f"kty should by '{key}', but is '{key.kty}'" assert key.n and key.e, "Bad RSA public material." assert sorted(key_ops) == sorted(key.key_ops), f"keyOps should be '{key_ops}', but is '{key.key_ops}'" - assert key_attributes.properties.created_on and key_attributes.properties.updated_on,"Missing required date attributes." - + assert ( + key_attributes.properties.created_on and key_attributes.properties.updated_on + ), "Missing required date attributes." def _validate_ec_key_bundle(self, key_curve, key_attributes, vault, key_name, kty): prefix = "/".join(s.strip("/") for s in [vault, "keys", key_name]) @@ -80,7 +82,9 @@ def _validate_ec_key_bundle(self, key_curve, key_attributes, vault, key_name, kt assert key_curve == key.crv assert kid.index(prefix) == 0, f"Key Id should start with '{prefix}', but value is '{kid}'" assert key.kty == kty, f"kty should by '{key}', but is '{key.kty}'" - assert key_attributes.properties.created_on and key_attributes.properties.updated_on,"Missing required date attributes." + assert ( + key_attributes.properties.created_on and key_attributes.properties.updated_on + ), "Missing required date attributes." async def _import_test_key(self, client, name, hardware_protected=False): def _to_bytes(hex): @@ -133,7 +137,7 @@ async def _import_symmetric_test_key(self, client, name): return key_vault_key @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_ec_key_id(self, key_client, is_hsm, **kwargs): @@ -150,7 +154,7 @@ async def test_ec_key_id(self, key_client, is_hsm, **kwargs): await crypto_client.verify(SignatureAlgorithm.es256, hashlib.sha256(self.plaintext).digest(), self.plaintext) @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_rsa_key_id(self, key_client, is_hsm, **kwargs): @@ -169,7 +173,7 @@ async def test_rsa_key_id(self, key_client, is_hsm, **kwargs): await crypto_client.wrap_key(KeyWrapAlgorithm.rsa_oaep, self.plaintext) @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_encrypt_and_decrypt(self, key_client, is_hsm, **kwargs): @@ -189,7 +193,7 @@ async def test_encrypt_and_decrypt(self, key_client, is_hsm, **kwargs): assert self.plaintext == result.plaintext @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_sign_and_verify(self, key_client, is_hsm, **kwargs): @@ -212,7 +216,7 @@ async def test_sign_and_verify(self, key_client, is_hsm, **kwargs): assert verified.is_valid @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_wrap_and_unwrap(self, key_client, is_hsm, **kwargs): @@ -233,7 +237,7 @@ async def test_wrap_and_unwrap(self, key_client, is_hsm, **kwargs): assert key_bytes == result.key @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_hsm) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_symmetric_encrypt_and_decrypt(self, key_client, **kwargs): @@ -259,7 +263,7 @@ async def test_symmetric_encrypt_and_decrypt(self, key_client, **kwargs): result.ciphertext, iv=result.iv, authentication_tag=result.tag, - additional_authenticated_data=self.aad + additional_authenticated_data=self.aad, ) else: result = await crypto_client.encrypt( @@ -270,7 +274,7 @@ async def test_symmetric_encrypt_and_decrypt(self, key_client, **kwargs): result.algorithm, result.ciphertext, iv=self.iv, - additional_authenticated_data=None if "CBC" in algorithm else self.aad + additional_authenticated_data=None if "CBC" in algorithm else self.aad, ) assert result.key_id == imported_key.id @@ -281,7 +285,7 @@ async def test_symmetric_encrypt_and_decrypt(self, key_client, **kwargs): assert result.plaintext == self.plaintext @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_hsm) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_symmetric_wrap_and_unwrap(self, key_client, **kwargs): @@ -298,7 +302,7 @@ async def test_symmetric_wrap_and_unwrap(self, key_client, **kwargs): assert result.key == self.plaintext @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_encrypt_local(self, key_client, is_hsm, **kwargs): @@ -337,7 +341,7 @@ async def test_encrypt_local_from_jwk(self, key_client, is_hsm, **kwargs): assert result.plaintext, self.plaintext @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_hsm) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_symmetric_encrypt_local(self, key_client, **kwargs): @@ -367,7 +371,7 @@ async def test_symmetric_encrypt_local(self, key_client, **kwargs): assert decrypt_result.plaintext == self.plaintext @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_hsm) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_symmetric_decrypt_local(self, key_client, **kwargs): @@ -391,7 +395,7 @@ async def test_symmetric_decrypt_local(self, key_client, **kwargs): encrypt_result.algorithm, encrypt_result.ciphertext, iv=encrypt_result.iv, - additional_authenticated_data=self.aad + additional_authenticated_data=self.aad, ) assert decrypt_result.key_id == imported_key.id @@ -399,7 +403,7 @@ async def test_symmetric_decrypt_local(self, key_client, **kwargs): assert decrypt_result.plaintext == self.plaintext @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_wrap_local(self, key_client, is_hsm, **kwargs): @@ -417,7 +421,7 @@ async def test_wrap_local(self, key_client, is_hsm, **kwargs): assert result.key, self.plaintext @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_wrap_local_from_jwk(self, key_client, is_hsm, **kwargs): @@ -436,7 +440,7 @@ async def test_wrap_local_from_jwk(self, key_client, is_hsm, **kwargs): assert result.key, self.plaintext @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_rsa_verify_local(self, key_client, is_hsm, **kwargs): @@ -462,7 +466,7 @@ async def test_rsa_verify_local(self, key_client, is_hsm, **kwargs): assert result.is_valid @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_rsa_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): @@ -473,12 +477,12 @@ async def test_rsa_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): crypto_client = self.create_crypto_client(key, is_async=True, api_version=key_client.api_version) local_client = CryptographyClient.from_jwk(key.key) for signature_algorithm, hash_function in ( - (SignatureAlgorithm.ps256, hashlib.sha256), - (SignatureAlgorithm.ps384, hashlib.sha384), - (SignatureAlgorithm.ps512, hashlib.sha512), - (SignatureAlgorithm.rs256, hashlib.sha256), - (SignatureAlgorithm.rs384, hashlib.sha384), - (SignatureAlgorithm.rs512, hashlib.sha512), + (SignatureAlgorithm.ps256, hashlib.sha256), + (SignatureAlgorithm.ps384, hashlib.sha384), + (SignatureAlgorithm.ps512, hashlib.sha512), + (SignatureAlgorithm.rs256, hashlib.sha256), + (SignatureAlgorithm.rs384, hashlib.sha384), + (SignatureAlgorithm.rs512, hashlib.sha512), ): digest = hash_function(self.plaintext).digest() @@ -489,7 +493,7 @@ async def test_rsa_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): assert result.is_valid @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_ec_verify_local(self, key_client, is_hsm, **kwargs): @@ -515,7 +519,7 @@ async def test_ec_verify_local(self, key_client, is_hsm, **kwargs): assert result.is_valid @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_ec_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): @@ -542,11 +546,12 @@ async def test_ec_verify_local_from_jwk(self, key_client, is_hsm, **kwargs): assert result.is_valid @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_local_validity_period_enforcement(self, key_client, is_hsm, **kwargs): """Local crypto operations should respect a key's nbf and exp properties""" + async def test_operations(key, expected_error_substrings, encrypt_algorithms, wrap_algorithms): crypto_client = self.create_crypto_client(key, is_async=True, api_version=key_client.api_version) crypto_client._keys_get_forbidden = True # Prevent caching key material locally, to force remote ops @@ -593,7 +598,7 @@ async def test_operations(key, expected_error_substrings, encrypt_algorithms, wr ) @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_vault_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_vault_7_4_plus) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_send_request(self, key_client, is_hsm, **kwargs): @@ -614,7 +619,7 @@ async def test_send_request(self, key_client, is_hsm, **kwargs): method="POST", url=f"keys/{key_name}/{imported_key.properties.version}/sign", headers={"Accept": "application/json"}, - json=json + json=json, ) response = await crypto_client.send_request(request) result = response.json() @@ -637,7 +642,10 @@ class CustomHookPolicy(SansIOHTTPPolicy): @pytest.mark.asyncio async def test_symmetric_wrap_and_unwrap_local(): key = KeyVaultKey( - key_id="http://localhost/keys/key/version", k=os.urandom(32), kty="oct", key_ops=["unwrapKey", "wrapKey"], + key_id="http://localhost/keys/key/version", + k=os.urandom(32), + kty="oct", + key_ops=["unwrapKey", "wrapKey"], ) crypto_client = CryptographyClient(key, credential=lambda *_: None) @@ -800,7 +808,7 @@ async def test_local_only_mode_no_service_calls(): async def test_local_only_mode_raise(): """A local-only CryptographyClient should raise an exception if an operation can't be performed locally""" - jwk = {"kty":"RSA", "key_ops":["decrypt", "verify", "unwrapKey"], "n":b"10011", "e":b"10001"} + jwk = {"kty": "RSA", "key_ops": ["decrypt", "verify", "unwrapKey"], "n": b"10011", "e": b"10001"} client = CryptographyClient.from_jwk(jwk=jwk) # Algorithm not supported locally @@ -913,7 +921,7 @@ async def test_aes_cbc_iv_validation(): @pytest.mark.asyncio async def test_encrypt_argument_validation(): """The client should raise an error when arguments don't work with the specified algorithm""" - + mock_client = mock.Mock() key = mock.Mock( spec=KeyVaultKey, diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_examples_crypto.py b/sdk/keyvault/azure-keyvault-keys/tests/test_examples_crypto.py index a6b06f998a93..adf1c97eb6cb 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_examples_crypto.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_examples_crypto.py @@ -12,6 +12,7 @@ all_api_versions = get_decorator(only_vault=True) + class TestCryptoExamples(KeyVaultTestCase, KeysTestCase): @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_examples_crypto_async.py b/sdk/keyvault/azure-keyvault-keys/tests/test_examples_crypto_async.py index d8b2ee94d165..8629d07d2f7a 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_examples_crypto_async.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_examples_crypto_async.py @@ -15,7 +15,7 @@ class TestCryptoExamples(KeyVaultTestCase): @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_encrypt_decrypt_async(self, key_client, **kwargs): @@ -59,7 +59,7 @@ async def test_encrypt_decrypt_async(self, key_client, **kwargs): # [END decrypt] @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_wrap_unwrap_async(self, key_client, **kwargs): @@ -88,7 +88,7 @@ async def test_wrap_unwrap_async(self, key_client, **kwargs): # [END unwrap_key] @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_sign_verify_async(self, key_client, **kwargs): diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_key_client.py b/sdk/keyvault/azure-keyvault-keys/tests/test_key_client.py index 3b57d5465d9b..caeb57fe2314 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_key_client.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_key_client.py @@ -23,7 +23,7 @@ KeyRotationLifetimeAction, KeyRotationPolicy, KeyRotationPolicyAction, - KeyType + KeyType, ) from azure.keyvault.keys._generated.models import KeyRotationPolicy as _KeyRotationPolicy from dateutil import parser as date_parse @@ -52,6 +52,7 @@ def _assert_rotation_policies_equal(p1, p2): assert p1.updated_on == p2.updated_on assert len(p1.lifetime_actions) == len(p2.lifetime_actions) + def _assert_lifetime_actions_equal(a1, a2): assert a1.action == a2.action assert a1.time_after_create == a2.time_after_create @@ -113,8 +114,9 @@ def _validate_ec_key_bundle(self, key_curve, key_attributes, vault, key_name, kt assert key_curve == key.crv assert kid.index(prefix) == 0, f"Key Id should start with '{prefix}', but value is '{kid}'" assert key.kty == kty, f"kty should by '{key}', but is '{key.kty}'" - assert key_attributes.properties.created_on and key_attributes.properties.updated_on,"Missing required date attributes." - + assert ( + key_attributes.properties.created_on and key_attributes.properties.updated_on + ), "Missing required date attributes." def _validate_rsa_key_bundle(self, key_attributes, vault, key_name, kty, key_ops): prefix = "/".join(s.strip("/") for s in [vault, "keys", key_name]) @@ -124,7 +126,9 @@ def _validate_rsa_key_bundle(self, key_attributes, vault, key_name, kty, key_ops assert key.kty == kty, f"kty should by '{key}', but is '{key.kty}'" assert key.n and key.e, "Bad RSA public material." assert sorted(key_ops) == sorted(key.key_ops), f"keyOps should be '{key_ops}', but is '{key.key_ops}'" - assert key_attributes.properties.created_on and key_attributes.properties.updated_on, "Missing required date attributes." + assert ( + key_attributes.properties.created_on and key_attributes.properties.updated_on + ), "Missing required date attributes." def _update_key_properties(self, client, key, release_policy=None): expires = date_parse.parse("2050-01-02T08:00:00.000Z") @@ -182,7 +186,7 @@ def _to_bytes(hex): self._validate_rsa_key_bundle(imported_key, client.vault_url, name, key.kty, key.key_ops) return imported_key - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_key_crud_operations(self, client, is_hsm, **kwargs): @@ -209,7 +213,7 @@ def test_key_crud_operations(self, client, is_hsm, **kwargs): # create rsa key rsa_key_name = self.get_resource_name("crud-rsa-key") tags = {"purpose": "unit test", "test name ": "CreateRSAKeyTest"} - key_ops = ["encrypt","decrypt","sign","verify","wrapKey","unwrapKey"] + key_ops = ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"] rsa_key = self._create_rsa_key( client, key_name=rsa_key_name, key_operations=key_ops, size=2048, tags=tags, hardware_protected=is_hsm ) @@ -238,8 +242,10 @@ def test_key_crud_operations(self, client, is_hsm, **kwargs): # aside from key_ops, the original updated keys should have the same JWKs self._assert_jwks_equal(rsa_key.key, deleted_key.key) assert deleted_key.id == rsa_key.id - assert deleted_key.recovery_id and deleted_key.deleted_date and deleted_key.scheduled_purge_date, "Missing required deleted key attributes." - + assert ( + deleted_key.recovery_id and deleted_key.deleted_date and deleted_key.scheduled_purge_date + ), "Missing required deleted key attributes." + deleted_key_poller.wait() # get the deleted key when soft deleted enabled @@ -247,7 +253,7 @@ def test_key_crud_operations(self, client, is_hsm, **kwargs): assert deleted_key is not None assert rsa_key.id == deleted_key.id - @pytest.mark.parametrize("api_version,is_hsm",only_hsm) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @KeysClientPreparer() @recorded_by_proxy def test_rsa_public_exponent(self, client, **kwargs): @@ -260,7 +266,7 @@ def test_rsa_public_exponent(self, client, **kwargs): public_exponent = key.key.e[0] assert public_exponent == 17 - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_backup_restore(self, client, is_hsm, **kwargs): @@ -287,7 +293,7 @@ def test_backup_restore(self, client, is_hsm, **kwargs): restored_key = self._poll_until_no_exception(restore_function, ResourceExistsError) self._assert_key_attributes_equal(created_bundle.properties, restored_key.properties) - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_key_list(self, client, is_hsm, **kwargs): @@ -312,7 +318,7 @@ def test_key_list(self, client, is_hsm, **kwargs): del expected[key.name] assert len(expected) == 0 - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_list_versions(self, client, is_hsm, **kwargs): @@ -338,7 +344,7 @@ def test_list_versions(self, client, is_hsm, **kwargs): self._assert_key_attributes_equal(expected_key.properties, key) assert 0 == len(expected) - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_list_deleted_keys(self, client, is_hsm, **kwargs): @@ -369,7 +375,7 @@ def test_list_deleted_keys(self, client, is_hsm, **kwargs): self._assert_key_attributes_equal(expected[key.name].properties, key.properties) del expected[key.name] - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_recover(self, client, is_hsm, **kwargs): @@ -396,7 +402,7 @@ def test_recover(self, client, is_hsm, **kwargs): expected_key = keys[key_name] self._assert_key_attributes_equal(expected_key.properties, recovered_key.properties) - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_purge(self, client, is_hsm, **kwargs): @@ -428,8 +434,8 @@ def test_purge(self, client, is_hsm, **kwargs): deleted = [s.name for s in client.list_deleted_keys()] assert not any(s in deleted for s in key_names) - @pytest.mark.parametrize("api_version,is_hsm",logging_enabled) - @KeysClientPreparer(logging_enable = True) + @pytest.mark.parametrize("api_version,is_hsm", logging_enabled) + @KeysClientPreparer(logging_enable=True) @recorded_by_proxy def test_logging_enabled(self, client, is_hsm, **kwargs): mock_handler = MockHandler() @@ -463,8 +469,8 @@ def test_logging_enabled(self, client, is_hsm, **kwargs): mock_handler.close() assert False, "Expected request body wasn't logged" - @pytest.mark.parametrize("api_version,is_hsm",logging_enabled) - @KeysClientPreparer(logging_enable = False) + @pytest.mark.parametrize("api_version,is_hsm", logging_enabled) + @KeysClientPreparer(logging_enable=False) @recorded_by_proxy def test_logging_disabled(self, client, is_hsm, **kwargs): mock_handler = MockHandler() @@ -497,7 +503,7 @@ def test_logging_disabled(self, client, is_hsm, **kwargs): mock_handler.close() - @pytest.mark.parametrize("api_version,is_hsm",only_hsm_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm_7_4_plus) @KeysClientPreparer() @recorded_by_proxy def test_get_random_bytes(self, client, **kwargs): @@ -513,11 +519,11 @@ def test_get_random_bytes(self, client, **kwargs): assert all(random_bytes != rb for rb in generated_random_bytes) generated_random_bytes.append(random_bytes) - @pytest.mark.parametrize("api_version,is_hsm",only_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_7_4_plus) @KeysClientPreparer() @recorded_by_proxy def test_key_release(self, client, is_hsm, **kwargs): - if (self.is_live and os.environ["KEYVAULT_SKU"] != "premium"): + if self.is_live and os.environ["KEYVAULT_SKU"] != "premium": pytest.skip("This test is not supported on standard SKU vaults. Follow up with service team") if is_hsm and client.api_version == ApiVersion.V7_5: pytest.skip("Currently failing on 7.5-preview.1; skipping for now") @@ -543,7 +549,7 @@ def test_key_release(self, client, is_hsm, **kwargs): if self.is_live and "Target environment attestation statement cannot be verified" in ex.message: pytest.skip("Target environment attestation statement cannot be verified. Likely transient failure.") - @pytest.mark.parametrize("api_version,is_hsm",only_hsm_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm_7_4_plus) @KeysClientPreparer() @recorded_by_proxy def test_imported_key_release(self, client, **kwargs): @@ -566,11 +572,11 @@ def test_imported_key_release(self, client, **kwargs): release_result = client.release_key(imported_key_name, attestation) assert release_result.value - @pytest.mark.parametrize("api_version,is_hsm",only_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_7_4_plus) @KeysClientPreparer() @recorded_by_proxy def test_update_release_policy(self, client, **kwargs): - if (self.is_live and os.environ["KEYVAULT_SKU"] != "premium"): + if self.is_live and os.environ["KEYVAULT_SKU"] != "premium": pytest.skip("This test is not supported on standard SKU vaults. Follow up with service team") if client.api_version == ApiVersion.V7_5: pytest.skip("Currently failing on 7.5-preview.1; skipping for now") @@ -591,17 +597,9 @@ def test_update_release_policy(self, client, **kwargs): new_release_policy_json = { "anyOf": [ - { - "anyOf": [ - { - "claim": "sdk-test", - "equals": False - } - ], - "authority": attestation_uri.rstrip("/") + "/" - } + {"anyOf": [{"claim": "sdk-test", "equals": False}], "authority": attestation_uri.rstrip("/") + "/"} ], - "version": "1.0.0" + "version": "1.0.0", } policy_string = json.dumps(new_release_policy_json).encode() new_release_policy = KeyReleasePolicy(policy_string) @@ -612,12 +610,12 @@ def test_update_release_policy(self, client, **kwargs): claim_condition = claim_condition if isinstance(claim_condition, bool) else json.loads(claim_condition) assert claim_condition is False - #Immutable policies aren't currently supported on Managed HSM - @pytest.mark.parametrize("api_version,is_hsm",only_vault_7_4_plus) + # Immutable policies aren't currently supported on Managed HSM + @pytest.mark.parametrize("api_version,is_hsm", only_vault_7_4_plus) @KeysClientPreparer() @recorded_by_proxy def test_immutable_release_policy(self, client, **kwargs): - if (self.is_live and os.environ["KEYVAULT_SKU"] != "premium"): + if self.is_live and os.environ["KEYVAULT_SKU"] != "premium": pytest.skip("This test is not supported on standard SKU vaults. Follow up with service team") set_bodiless_matcher() @@ -632,17 +630,9 @@ def test_immutable_release_policy(self, client, **kwargs): new_release_policy_json = { "anyOf": [ - { - "anyOf": [ - { - "claim": "sdk-test", - "equals": False - } - ], - "authority": attestation_uri.rstrip("/") + "/" - } + {"anyOf": [{"claim": "sdk-test", "equals": False}], "authority": attestation_uri.rstrip("/") + "/"} ], - "version": "1.0.0" + "version": "1.0.0", } policy_string = json.dumps(new_release_policy_json).encode() new_release_policy = KeyReleasePolicy(policy_string, immutable=True) @@ -650,11 +640,11 @@ def test_immutable_release_policy(self, client, **kwargs): with pytest.raises(HttpResponseError): self._update_key_properties(client, key, new_release_policy) - @pytest.mark.parametrize("api_version,is_hsm",only_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_7_4_plus) @KeysClientPreparer() @recorded_by_proxy def test_key_rotation(self, client, is_hsm, **kwargs): - if (not is_public_cloud() and self.is_live): + if not is_public_cloud() and self.is_live: pytest.skip("This test is not supported in usgov/china region. Follow up with service team.") set_bodiless_matcher() @@ -672,11 +662,11 @@ def test_key_rotation(self, client, is_hsm, **kwargs): assert key.properties.version != rotated_key.properties.version assert key.key.n != rotated_key.key.n - @pytest.mark.parametrize("api_version,is_hsm",only_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_7_4_plus) @KeysClientPreparer() @recorded_by_proxy def test_key_rotation_policy(self, client, is_hsm, **kwargs): - if (not is_public_cloud() and self.is_live): + if not is_public_cloud() and self.is_live: pytest.skip("This test is not supported in usgov/china region. Follow up with service team.") set_bodiless_matcher() @@ -730,7 +720,9 @@ def test_key_rotation_policy(self, client, is_hsm, **kwargs): if not is_hsm: # updating with a round-tripped policy and overriding lifetime_actions newest_actions = [KeyRotationLifetimeAction(KeyRotationPolicyAction.notify, time_before_expiry="P60D")] - newest_policy = client.update_key_rotation_policy(key_name, policy=new_policy, lifetime_actions=newest_actions) + newest_policy = client.update_key_rotation_policy( + key_name, policy=new_policy, lifetime_actions=newest_actions + ) newest_fetched_policy = client.get_key_rotation_policy(key_name) assert newest_policy.expires_in == "P90D" _assert_rotation_policies_equal(newest_policy, newest_fetched_policy) @@ -748,7 +740,7 @@ def test_key_rotation_policy(self, client, is_hsm, **kwargs): newest_fetched_policy_actions = newest_fetched_policy.lifetime_actions[i] _assert_lifetime_actions_equal(newest_policy_actions, newest_fetched_policy_actions) - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_get_cryptography_client(self, client, is_hsm, **kwargs): @@ -784,7 +776,7 @@ def test_get_cryptography_client(self, client, is_hsm, **kwargs): assert "RSA-OAEP" == result.algorithm assert plaintext == result.plaintext - @pytest.mark.parametrize("api_version,is_hsm",only_vault_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_vault_7_4_plus) @KeysClientPreparer() @recorded_by_proxy def test_send_request(self, client, is_hsm, **kwargs): @@ -813,6 +805,7 @@ def test_40x_handling(self, client, **kwargs): # Test that 409 is raised correctly (`create_key` shouldn't actually trigger this, but for raising behavior) def run(*_, **__): return Mock(http_response=Mock(status_code=409)) + with patch.object(client._client._client._pipeline, "run", run): with pytest.raises(ResourceExistsError): client.create_key("...", "RSA") diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_keys_async.py b/sdk/keyvault/azure-keyvault-keys/tests/test_keys_async.py index b29fd650381c..bf58ae474c92 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_keys_async.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_keys_async.py @@ -27,7 +27,13 @@ import pytest from _shared.test_case_async import KeyVaultTestCase -from _async_test_case import get_attestation_token, get_decorator, get_release_policy, is_public_cloud, AsyncKeysClientPreparer +from _async_test_case import ( + get_attestation_token, + get_decorator, + get_release_policy, + is_public_cloud, + AsyncKeysClientPreparer, +) from test_key_client import _assert_lifetime_actions_equal, _assert_rotation_policies_equal from devtools_testutils import set_bodiless_matcher from devtools_testutils.aio import recorded_by_proxy_async @@ -36,12 +42,8 @@ all_api_versions = get_decorator(is_async=True) only_hsm = get_decorator(only_hsm=True, is_async=True) -only_hsm_7_4_plus = get_decorator( - only_hsm=True, is_async=True, api_versions=[ApiVersion.V7_4, ApiVersion.V7_5] -) -only_vault_7_4_plus = get_decorator( - only_vault=True, is_async=True, api_versions=[ApiVersion.V7_4, ApiVersion.V7_5] -) +only_hsm_7_4_plus = get_decorator(only_hsm=True, is_async=True, api_versions=[ApiVersion.V7_4, ApiVersion.V7_5]) +only_vault_7_4_plus = get_decorator(only_vault=True, is_async=True, api_versions=[ApiVersion.V7_4, ApiVersion.V7_5]) only_7_4_plus = get_decorator(is_async=True, api_versions=[ApiVersion.V7_4, ApiVersion.V7_5]) logging_enabled = get_decorator(is_async=True, logging_enable=True) logging_disabled = get_decorator(is_async=True, logging_enable=False) @@ -67,15 +69,15 @@ def _assert_jwks_equal(self, jwk1, jwk2): assert getattr(jwk1, field) == getattr(jwk2, field) def _assert_key_attributes_equal(self, k1: KeyProperties, k2: KeyProperties) -> None: - assert k1.name== k2.name - assert k1.vault_url== k2.vault_url - assert k1.enabled== k2.enabled - assert k1.not_before== k2.not_before - assert k1.expires_on== k2.expires_on - assert k1.created_on== k2.created_on - assert k1.updated_on== k2.updated_on - assert k1.tags== k2.tags - assert k1.recovery_level== k2.recovery_level + assert k1.name == k2.name + assert k1.vault_url == k2.vault_url + assert k1.enabled == k2.enabled + assert k1.not_before == k2.not_before + assert k1.expires_on == k2.expires_on + assert k1.created_on == k2.created_on + assert k1.updated_on == k2.updated_on + assert k1.tags == k2.tags + assert k1.recovery_level == k2.recovery_level assert k1.hsm_platform == k2.hsm_platform async def _create_rsa_key(self, client, key_name, **kwargs): @@ -105,7 +107,9 @@ def _validate_ec_key_bundle(self, key_curve, key_attributes, vault, key_name, kt assert key_curve == key.crv assert kid.index(prefix) == 0, f"Key Id should start with '{prefix}', but value is '{kid}'" assert key.kty == kty, f"kty should by '{key}', but is '{key.kty}'" - assert key_attributes.properties.created_on and key_attributes.properties.updated_on,"Missing required date attributes." + assert ( + key_attributes.properties.created_on and key_attributes.properties.updated_on + ), "Missing required date attributes." def _validate_rsa_key_bundle(self, key_attributes, vault, key_name, kty, key_ops): prefix = "/".join(s.strip("/") for s in [vault, "keys", key_name]) @@ -115,7 +119,9 @@ def _validate_rsa_key_bundle(self, key_attributes, vault, key_name, kty, key_ops assert key.kty == kty, f"kty should by '{key}', but is '{key.kty}'" assert key.n and key.e, "Bad RSA public material." assert sorted(key_ops) == sorted(key.key_ops), f"keyOps should be '{key_ops}', but is '{key.key_ops}'" - assert key_attributes.properties.created_on and key_attributes.properties.updated_on,"Missing required date attributes." + assert ( + key_attributes.properties.created_on and key_attributes.properties.updated_on + ), "Missing required date attributes." async def _update_key_properties(self, client, key, release_policy=None): expires = date_parse.parse("2050-01-02T08:00:00.000Z") @@ -181,7 +187,7 @@ def _to_bytes(hex): return imported_key @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_key_crud_operations(self, client, is_hsm, **kwargs): @@ -222,9 +228,7 @@ async def test_key_crud_operations(self, client, is_hsm, **kwargs): self._assert_key_attributes_equal(rsa_key.properties, key.properties) # get key without version - self._assert_key_attributes_equal( - rsa_key.properties, (await client.get_key(rsa_key.name)).properties - ) + self._assert_key_attributes_equal(rsa_key.properties, (await client.get_key(rsa_key.name)).properties) # update key with version if self.is_live: @@ -240,7 +244,9 @@ async def test_key_crud_operations(self, client, is_hsm, **kwargs): # aside from key_ops, the original updated keys should have the same JWKs self._assert_jwks_equal(rsa_key.key, deleted_key.key) assert deleted_key.id == rsa_key.id - assert deleted_key.recovery_id and deleted_key.deleted_date and deleted_key.scheduled_purge_date,"Missing required deleted key attributes." + assert ( + deleted_key.recovery_id and deleted_key.deleted_date and deleted_key.scheduled_purge_date + ), "Missing required deleted key attributes." # get the deleted key when soft deleted enabled deleted_key = await client.get_deleted_key(rsa_key.name) @@ -248,7 +254,7 @@ async def test_key_crud_operations(self, client, is_hsm, **kwargs): assert rsa_key.id == deleted_key.id @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_hsm) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_rsa_public_exponent(self, client, **kwargs): @@ -261,7 +267,7 @@ async def test_rsa_public_exponent(self, client, **kwargs): assert public_exponent == 17 @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_backup_restore(self, client, is_hsm, **kwargs): @@ -274,7 +280,7 @@ async def test_backup_restore(self, client, is_hsm, **kwargs): # backup key key_backup = await client.backup_key(created_bundle.name) - #self.assertIsNotNone(key_backup, "key_backup") + # self.assertIsNotNone(key_backup, "key_backup") assert key_backup is not None # delete key @@ -289,7 +295,7 @@ async def test_backup_restore(self, client, is_hsm, **kwargs): self._assert_key_attributes_equal(created_bundle.properties, restored_key.properties) @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_key_list(self, client, is_hsm, **kwargs): @@ -313,7 +319,7 @@ async def test_key_list(self, client, is_hsm, **kwargs): assert len(expected) == 0 @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_list_versions(self, client, is_hsm, **kwargs): @@ -340,7 +346,7 @@ async def test_list_versions(self, client, is_hsm, **kwargs): assert 0 == len(expected) @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_list_deleted_keys(self, client, is_hsm, **kwargs): @@ -372,7 +378,7 @@ async def test_list_deleted_keys(self, client, is_hsm, **kwargs): assert len(expected) == 0 @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_recover(self, client, is_hsm, **kwargs): @@ -403,7 +409,7 @@ async def test_recover(self, client, is_hsm, **kwargs): assert len(set(expected.keys()) & set(actual.keys())) == len(expected) @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_purge(self, client, is_hsm, **kwargs): @@ -431,8 +437,8 @@ async def test_purge(self, client, is_hsm, **kwargs): assert deleted_key.name not in key_names @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",logging_enabled) - @AsyncKeysClientPreparer(logging_enable = True) + @pytest.mark.parametrize("api_version,is_hsm", logging_enabled) + @AsyncKeysClientPreparer(logging_enable=True) @recorded_by_proxy_async async def test_logging_enabled(self, client, is_hsm, **kwargs): mock_handler = MockHandler() @@ -467,8 +473,8 @@ async def test_logging_enabled(self, client, is_hsm, **kwargs): assert False, "Expected request body wasn't logged" @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",logging_disabled) - @AsyncKeysClientPreparer(logging_enable = False) + @pytest.mark.parametrize("api_version,is_hsm", logging_disabled) + @AsyncKeysClientPreparer(logging_enable=False) @recorded_by_proxy_async async def test_logging_disabled(self, client, is_hsm, **kwargs): mock_handler = MockHandler() @@ -502,7 +508,7 @@ async def test_logging_disabled(self, client, is_hsm, **kwargs): mock_handler.close() @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_hsm_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm_7_4_plus) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_get_random_bytes(self, client, **kwargs): @@ -519,11 +525,11 @@ async def test_get_random_bytes(self, client, **kwargs): generated_random_bytes.append(random_bytes) @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_7_4_plus) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_key_release(self, client, is_hsm, **kwargs): - if (self.is_live and os.environ["KEYVAULT_SKU"] != "premium"): + if self.is_live and os.environ["KEYVAULT_SKU"] != "premium": pytest.skip("This test is not supported on standard SKU vaults. Follow up with service team") if is_hsm and client.api_version == ApiVersion.V7_5: pytest.skip("Currently failing on 7.5-preview.1; skipping for now") @@ -550,7 +556,7 @@ async def test_key_release(self, client, is_hsm, **kwargs): pytest.skip("Target environment attestation statement cannot be verified. Likely transient failure.") @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_hsm_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm_7_4_plus) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_imported_key_release(self, client, **kwargs): @@ -574,11 +580,11 @@ async def test_imported_key_release(self, client, **kwargs): assert release_result.value @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_7_4_plus) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_update_release_policy(self, client, **kwargs): - if (self.is_live and os.environ["KEYVAULT_SKU"] != "premium"): + if self.is_live and os.environ["KEYVAULT_SKU"] != "premium": pytest.skip("This test is not supported on standard SKU vaults. Follow up with service team") if client.api_version == ApiVersion.V7_5: pytest.skip("Currently failing on 7.5-preview.1; skipping for now") @@ -599,17 +605,9 @@ async def test_update_release_policy(self, client, **kwargs): new_release_policy_json = { "anyOf": [ - { - "anyOf": [ - { - "claim": "sdk-test", - "equals": False - } - ], - "authority": attestation_uri.rstrip("/") + "/" - } + {"anyOf": [{"claim": "sdk-test", "equals": False}], "authority": attestation_uri.rstrip("/") + "/"} ], - "version": "1.0.0" + "version": "1.0.0", } policy_string = json.dumps(new_release_policy_json).encode() new_release_policy = KeyReleasePolicy(policy_string) @@ -622,11 +620,11 @@ async def test_update_release_policy(self, client, **kwargs): # Immutable policies aren't currently supported on Managed HSM @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_vault_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_vault_7_4_plus) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_immutable_release_policy(self, client, **kwargs): - if (self.is_live and os.environ["KEYVAULT_SKU"] != "premium"): + if self.is_live and os.environ["KEYVAULT_SKU"] != "premium": pytest.skip("This test is not supported on standard SKU vaults. Follow up with service team") set_bodiless_matcher() @@ -641,17 +639,9 @@ async def test_immutable_release_policy(self, client, **kwargs): new_release_policy_json = { "anyOf": [ - { - "anyOf": [ - { - "claim": "sdk-test", - "equals": False - } - ], - "authority": attestation_uri.rstrip("/") + "/" - } + {"anyOf": [{"claim": "sdk-test", "equals": False}], "authority": attestation_uri.rstrip("/") + "/"} ], - "version": "1.0.0" + "version": "1.0.0", } policy_string = json.dumps(new_release_policy_json).encode() new_release_policy = KeyReleasePolicy(policy_string, immutable=True) @@ -660,11 +650,11 @@ async def test_immutable_release_policy(self, client, **kwargs): await self._update_key_properties(client, key, new_release_policy) @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_7_4_plus) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_key_rotation(self, client, is_hsm, **kwargs): - if (not is_public_cloud() and self.is_live): + if not is_public_cloud() and self.is_live: pytest.skip("This test is not supported in usgov/china region. Follow up with service team.") set_bodiless_matcher() @@ -685,11 +675,11 @@ async def test_key_rotation(self, client, is_hsm, **kwargs): assert key.key.n != rotated_key.key.n @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_7_4_plus) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_key_rotation_policy(self, client, is_hsm, **kwargs): - if (not is_public_cloud() and self.is_live): + if not is_public_cloud() and self.is_live: pytest.skip("This test is not supported in usgov/china region. Follow up with service team.") set_bodiless_matcher() @@ -765,7 +755,7 @@ async def test_key_rotation_policy(self, client, is_hsm, **kwargs): _assert_lifetime_actions_equal(newest_policy_actions, newest_fetched_policy_actions) @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_get_cryptography_client(self, client, is_hsm, **kwargs): @@ -802,7 +792,7 @@ async def test_get_cryptography_client(self, client, is_hsm, **kwargs): assert plaintext == result.plaintext @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_vault_7_4_plus) + @pytest.mark.parametrize("api_version,is_hsm", only_vault_7_4_plus) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_send_request(self, client, is_hsm, **kwargs): @@ -832,6 +822,7 @@ async def test_40x_handling(self, client, **kwargs): # Test that 409 is raised correctly (`create_key` shouldn't actually trigger this, but for raising behavior) async def run(*_, **__): return Mock(http_response=Mock(status_code=409)) + with patch.object(client._client._client._pipeline, "run", run): with pytest.raises(ResourceExistsError): await client.create_key("...", "RSA") diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_local_crypto.py b/sdk/keyvault/azure-keyvault-keys/tests/test_local_crypto.py index 52ec32992543..e9b2867fc08d 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_local_crypto.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_local_crypto.py @@ -7,10 +7,8 @@ import pytest from azure.keyvault.keys import KeyCurveName, KeyVaultKey -from azure.keyvault.keys.crypto import (EncryptionAlgorithm, KeyWrapAlgorithm, - SignatureAlgorithm) -from azure.keyvault.keys.crypto._providers import \ - get_local_cryptography_provider +from azure.keyvault.keys.crypto import EncryptionAlgorithm, KeyWrapAlgorithm, SignatureAlgorithm +from azure.keyvault.keys.crypto._providers import get_local_cryptography_provider from keys import EC_KEYS, RSA_KEYS @@ -48,14 +46,14 @@ def test_rsa_encrypt_decrypt(key, algorithm): (EncryptionAlgorithm.a256_cbcpad, 32), (EncryptionAlgorithm.a192_cbcpad, 24), (EncryptionAlgorithm.a128_cbcpad, 16), - ) + ), ) def test_symmetric_encrypt_decrypt(algorithm, key_size): jwk = { "k": os.urandom(key_size), - "kid":"http://localhost/keys/key/version", + "kid": "http://localhost/keys/key/version", "kty": "oct-HSM", - "key_ops": ("encrypt", "decrypt") + "key_ops": ("encrypt", "decrypt"), } key = KeyVaultKey(key_id="http://localhost/keys/key/version", jwk=jwk) provider = get_local_cryptography_provider(key.key) @@ -119,9 +117,9 @@ def test_rsa_wrap_unwrap(key, algorithm): def test_symmetric_wrap_unwrap(algorithm): jwk = { "k": os.urandom(32), - "kid":"http://localhost/keys/key/version", + "kid": "http://localhost/keys/key/version", "kty": "oct", - "key_ops": ("unwrapKey", "wrapKey") + "key_ops": ("unwrapKey", "wrapKey"), } key = KeyVaultKey(key_id="http://localhost/keys/key/version", jwk=jwk) provider = get_local_cryptography_provider(key.key) diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_parse_id.py b/sdk/keyvault/azure-keyvault-keys/tests/test_parse_id.py index 3f72b8cb9556..eb33db5f2860 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_parse_id.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_parse_id.py @@ -15,7 +15,7 @@ class TestParseId(KeyVaultTestCase, KeysTestCase): - @pytest.mark.parametrize("api_version,is_hsm",only_vault) + @pytest.mark.parametrize("api_version,is_hsm", only_vault) @KeysClientPreparer() @recorded_by_proxy def test_parse_key_id_with_version(self, client, **kwargs): diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys.py b/sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys.py index 68e2b6496d64..be044fe64650 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys.py @@ -36,11 +36,11 @@ def test_create_key_client(): class TestExamplesKeyVault(KeyVaultTestCase, KeysTestCase): - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_example_key_crud_operations(self, key_client, **kwargs): - if (self.is_live and os.environ["KEYVAULT_SKU"] != "premium"): + if self.is_live and os.environ["KEYVAULT_SKU"] != "premium": pytest.skip("This test is not supported on standard SKU vaults. Follow up with service team") key_name = self.get_resource_name("key-name") @@ -131,7 +131,7 @@ def test_example_key_crud_operations(self, key_client, **kwargs): deleted_key_poller.wait() # [END delete_key] - @pytest.mark.parametrize("api_version,is_hsm",only_hsm) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @KeysClientPreparer() @recorded_by_proxy def test_example_create_oct_key(self, key_client, **kwargs): @@ -145,7 +145,7 @@ def test_example_create_oct_key(self, key_client, **kwargs): print(key.key_type) # [END create_oct_key] - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_example_key_list_operations(self, key_client, **kwargs): @@ -186,7 +186,7 @@ def test_example_key_list_operations(self, key_client, **kwargs): print(key.deleted_date) # [END list_deleted_keys] - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_example_keys_backup_restore(self, key_client, **kwargs): @@ -219,7 +219,7 @@ def test_example_keys_backup_restore(self, key_client, **kwargs): print(restored_key.properties.version) # [END restore_key_backup] - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @KeysClientPreparer() @recorded_by_proxy def test_example_keys_recover(self, key_client, **kwargs): diff --git a/sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys_async.py b/sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys_async.py index 0357017a4b44..e8e127c82d9e 100644 --- a/sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys_async.py +++ b/sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys_async.py @@ -42,11 +42,11 @@ async def test_create_key_client(): class TestExamplesKeyVault(KeyVaultTestCase): @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_example_key_crud_operations(self, key_client, **kwargs): - if (self.is_live and os.environ["KEYVAULT_SKU"] != "premium"): + if self.is_live and os.environ["KEYVAULT_SKU"] != "premium": pytest.skip("This test is not supported on standard SKU vaults. Follow up with service team") key_name = self.get_resource_name("key-name") @@ -132,7 +132,7 @@ async def test_example_key_crud_operations(self, key_client, **kwargs): # [END delete_key] @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",only_hsm) + @pytest.mark.parametrize("api_version,is_hsm", only_hsm) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_example_create_oct_key(self, key_client, **kwargs): @@ -147,7 +147,7 @@ async def test_example_create_oct_key(self, key_client, **kwargs): # [END create_oct_key] @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_example_key_list_operations(self, key_client, **kwargs): @@ -194,7 +194,7 @@ async def test_example_key_list_operations(self, key_client, **kwargs): # [END list_deleted_keys] @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_example_keys_backup_restore(self, key_client, **kwargs): @@ -229,7 +229,7 @@ async def test_example_keys_backup_restore(self, key_client, **kwargs): # [END restore_key_backup] @pytest.mark.asyncio - @pytest.mark.parametrize("api_version,is_hsm",all_api_versions) + @pytest.mark.parametrize("api_version,is_hsm", all_api_versions) @AsyncKeysClientPreparer() @recorded_by_proxy_async async def test_example_keys_recover(self, key_client, **kwargs): diff --git a/sdk/keyvault/azure-keyvault-keys/tsp-location.yaml b/sdk/keyvault/azure-keyvault-keys/tsp-location.yaml new file mode 100644 index 000000000000..32886bc46a9e --- /dev/null +++ b/sdk/keyvault/azure-keyvault-keys/tsp-location.yaml @@ -0,0 +1,5 @@ +directory: specification/keyvault/Security.KeyVault.Keys +commit: 59583521f5e5a5b1e02bd8966bc30b567ecc696a +repo: test-repo-billy/azure-rest-api-specs +additionalDirectories: +- specification/keyvault/Security.KeyVault.Common