[KeyVault] - Update setup script to include additional role assignments for MHSM (#14743)

maorleger · web-flow · commit 4639212b1eb6 · 2021-04-06T15:33:03.000-07:00
## What

- Adds `Managed HSM Crypto Officer` and `Managed HSM Crypto User` role assignments to test user when deploying MHSM.

## Why

Recent RBAC changes for MHSM recently went live which impact how existing permissions are defined. In order to access key operations the Administrator role is no longer sufficient. To keep our tests running we need to add the Crypto Officer and Crypto User role assignments to our test application after the managed HSM is activated.
diff --git a/sdk/keyvault/keyvault-keys/recordings/node/cryptographyclient_for_managed_hsm_skipped_if_mhsm_is_not_deployed_with_aes_crypto_algorithms/recording_encrypts_and_decrypts_using_aescbc.js b/sdk/keyvault/keyvault-keys/recordings/node/cryptographyclient_for_managed_hsm_skipped_if_mhsm_is_not_deployed_with_aes_crypto_algorithms/recording_encrypts_and_decrypts_using_aescbc.js
diff --git a/sdk/keyvault/keyvault-keys/test/public/crypto.hsm.spec.ts b/sdk/keyvault/keyvault-keys/test/public/crypto.hsm.spec.ts
@@ -11,6 +11,7 @@ import { authenticate } from "../utils/testAuthentication";
 import { stringToUint8Array, uint8ArrayToString } from "../utils/crypto";
 import TestClient from "../utils/testClient";
 import { getServiceVersion, onVersions } from "../utils/utils.common";
+import { isNode } from "@azure/core-http";
 
 onVersions({ minVer: "7.2" }).describe(
   "CryptographyClient for managed HSM (skipped if MHSM is not deployed)",
@@ -41,11 +42,6 @@ onVersions({ minVer: "7.2" }).describe(
       keyName = testClient.formatName("cryptography-client-test" + keySuffix);
     });
 
-    afterEach(async function() {
-      await testClient?.flushKey(keyName);
-      await recorder.stop();
-    });
-
     describe("with AES crypto algorithms", async function() {
       it("encrypts and decrypts using AES-GCM", async function(this: Context) {
         keyVaultKey = await hsmClient.createKey(keyName, "AES", { keySize: 256 });
@@ -65,29 +61,34 @@ onVersions({ minVer: "7.2" }).describe(
           authenticationTag: encryptResult.authenticationTag
         });
         assert.equal(text, uint8ArrayToString(decryptResult.result));
+        await testClient?.flushKey(keyName);
+        await recorder.stop();
       });
 
       it("encrypts and decrypts using AES-CBC", async function(this: Context) {
+        if (!isNode) {
+          this.skip();
+        }
         keyVaultKey = await hsmClient.createKey(keyName, "AES", { keySize: 256 });
         cryptoClient = new CryptographyClient(keyVaultKey.id!, credential);
         const text = this.test!.title;
+        // We are using a predictable IV to support our recorded tests; however, you should use a cryptographically secure IV or omit it and
+        // let the client library generate it for you.
+        const iv = stringToUint8Array("xxxxxxxxxxxxxxxx");
         const encryptResult = await cryptoClient.encrypt({
           algorithm: "A256CBCPAD",
           plaintext: stringToUint8Array(text),
-          iv: stringToUint8Array(text)
+          iv
         });
-        // There is a service-level issue where `iv` is not returned
-        // from the service as part of the result. Until it's resolved
-        // we have to pend this and just pass the same iv
-        // back to decrypt for now.
-        // assert.exists(encryptResult.iv);
 
         const decryptResult = await cryptoClient.decrypt({
           algorithm: "A256CBCPAD",
           ciphertext: encryptResult.result!,
-          iv: stringToUint8Array(text) // Replace with `encryptResult.iv!` once ADO 9361749 is resolved.
+          iv
         });
         assert.equal(uint8ArrayToString(decryptResult.result), text);
+        await testClient?.flushKey(keyName);
+        await recorder.stop();
       });
     });
   }
diff --git a/sdk/keyvault/test-resources-post.ps1 b/sdk/keyvault/test-resources-post.ps1
@@ -106,3 +106,12 @@ if (Test-Path $sdpath) {
 az keyvault security-domain download --hsm-name $hsmName --security-domain-file $sdPath --sd-quorum 2 --sd-wrapping-keys $wrappingFiles
 
 Log "Security domain downloaded to '$sdPath'; Managed HSM is now active at '$hsmUrl'"
+
+# Force a sleep to wait for Managed HSM activation to propagate through Cosmos replication. Issue tracked in AzDo.
+Log "Sleeping for 30 seconds to allow activation to propagate..."
+Start-Sleep -Seconds 30
+
+Log "Creating additional required role assignments for resource access."
+New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto Officer" -ObjectID $DeploymentOutputs["CLIENT_OBJECT_ID"]
+New-AzKeyVaultRoleAssignment -HsmName $hsmName -RoleDefinitionName "Managed HSM Crypto User" -ObjectID $DeploymentOutputs["CLIENT_OBJECT_ID"]
+Log "Done."
