[KV] Fix flakiness in release policy test (Azure#21181)

Author: mccoyp

sdk/keyvault/azure-keyvault-keys/tests/recordings/test_keys_async.test_key_crud_operations_2016_10_01_vault.yaml

@@ -9,7 +9,7 @@ interactions:
       Content-Type:
       - application/json
       User-Agent:
-      - azsdk-python-keyvault-keys/4.5.0b2 Python/3.9.0 (Windows-10-10.0.19041-SP0)
+      - azsdk-python-keyvault-keys/4.5.0b5 Python/3.9.0 (Windows-10-10.0.22000-SP0)
     method: POST
     uri: https://managedhsmname.managedhsm.azure.net/keys/livekvtestkey-named4c517f5/create?api-version=7.3-preview
   response:
@@ -25,7 +25,7 @@ interactions:
         resource="https://managedhsm.azure.net"
       x-content-type-options: nosniff
       x-frame-options: SAMEORIGIN
-      x-ms-server-latency: '0'
+      x-ms-server-latency: '1'
     status:
       code: 401
       message: Unauthorized
@@ -41,12 +41,12 @@ interactions:
       Content-Type:
       - application/json
       User-Agent:
-      - azsdk-python-keyvault-keys/4.5.0b2 Python/3.9.0 (Windows-10-10.0.19041-SP0)
+      - azsdk-python-keyvault-keys/4.5.0b5 Python/3.9.0 (Windows-10-10.0.22000-SP0)
     method: POST
     uri: https://managedhsmname.managedhsm.azure.net/keys/livekvtestkey-named4c517f5/create?api-version=7.3-preview
   response:
     body:
-      string: '{"attributes":{"created":1628108364,"enabled":true,"exportable":true,"recoverableDays":7,"recoveryLevel":"CustomizedRecoverable+Purgeable","updated":1628108364},"key":{"e":"AQAB","key_ops":["wrapKey","decrypt","encrypt","unwrapKey","sign","verify"],"kid":"https://managedhsmname.managedhsm.azure.net/keys/livekvtestkey-named4c517f5/6e738db2a7c60f432fb8befd069f2ab2","kty":"RSA-HSM","n":"oDdi5cXpMWJpMv9R8xWyFfezI8_Pnt8mWXnhsjNROc8YaLZzdAUwYfCa4kS8QjUWYxxOgYXSsX8bISrHRAJiZqnopfUruSCrMqBVE8PotgOdVn_D-EIOIPHB--nwf1bRACC3wANiKuMsXI2dCRnOZVgWP-CoaMeMxuOplLp08g8SlYDzdXAqRjj2na8zA152DHz5tZVIqI6kAQVjGxYeb6DnFSqRsLrcR-UJXtdKT6G4wGupDgchhwK9D3zhEE78qtarsDNr0x9fxbTKtwtFVFAJIyLbsAhXQ0vUXLO1V2FalIr4SMPuah3sbw4UiFKLVt4lwGmub3rixicA1acFww"},"release_policy":{"contentType":"application/json;
+      string: '{"attributes":{"created":1633729957,"enabled":true,"exportable":true,"recoverableDays":7,"recoveryLevel":"CustomizedRecoverable+Purgeable","updated":1633729957},"key":{"e":"AQAB","key_ops":["wrapKey","decrypt","encrypt","unwrapKey","sign","verify"],"kid":"https://managedhsmname.managedhsm.azure.net/keys/livekvtestkey-named4c517f5/264bd2f68e264ff0981310113b993ef8","kty":"RSA-HSM","n":"qXlKVYSmNi9oCLhrP3Ba5kV0MAf3-5VDdMgISpxhrQkt5KZ4poE7aOx8iJ6pxsUhgBTptuOS2rJD7BXfr-c77M2zPgX0yg3-4DV8Ppm2mQE6Orkdh5OTGSd9_LWV4BSwZkXrUlSSgGP0DcQH3pAdwe5u6KVwOINn-YRdMGWtMUMXBPEz3-sn7M2eR08oYi2PDGiaCyMPi_UdOhQG0VGuZw5z2rYZzEDOWF61eSAhzrDX4SsMjYNbgE-whUZO7sRW02JCh_-tXIGBCofA9nyWgIpUQGjw1Fp7lp0e2KyyhUtvDHg2W5QwhfOQ3dFUY5tadhunDLNbF1CKJqF_7zbmxQ"},"release_policy":{"contentType":"application/json;
         charset=utf-8","data":"eyJhbnlPZiI6W3siYW55T2YiOlt7ImNsYWltIjoic2RrLXRlc3QiLCJlcXVhbHMiOnRydWV9XSwiYXV0aG9yaXR5IjoiaHR0cHM6Ly9za3JhdHRlc3RhdGlvbi5henVyZXdlYnNpdGVzLm5ldC8ifV0sInZlcnNpb24iOiIxLjAuMCJ9"}}'
     headers:
       cache-control: no-cache
@@ -58,41 +58,41 @@ interactions:
       x-frame-options: SAMEORIGIN
       x-ms-keyvault-network-info: conn_type=Ipv4;addr=172.92.159.124;act_addr_fam=Ipv4;
       x-ms-keyvault-region: westus
-      x-ms-server-latency: '873'
+      x-ms-server-latency: '866'
     status:
       code: 200
       message: OK
     url: https://mcpatinotesthsm.managedhsm.azure.net/keys/livekvtestkey-named4c517f5/create?api-version=7.3-preview
 - request:
-    body: '{"attributes": {"exp": 2524723200}, "tags": {"foo": "updated tag"}, "release_policy":
-      {"data": "eyJhbnlPZiI6IFt7ImFueU9mIjogW3siY2xhaW0iOiAic2RrLXRlc3QiLCAiZXF1YWxzIjogZmFsc2V9XSwgImF1dGhvcml0eSI6ICJodHRwczovL3NrcmF0dGVzdGF0aW9uLmF6dXJld2Vic2l0ZXMubmV0LyJ9XSwgInZlcnNpb24iOiAiMS4wLjAifQ"}}'
+    body: '{"key_ops": ["decrypt", "encrypt"], "attributes": {"exp": 2524723200},
+      "tags": {"foo": "updated tag"}, "release_policy": {"data": "eyJhbnlPZiI6IFt7ImFueU9mIjogW3siY2xhaW0iOiAic2RrLXRlc3QiLCAiZXF1YWxzIjogZmFsc2V9XSwgImF1dGhvcml0eSI6ICJodHRwczovL3NrcmF0dGVzdGF0aW9uLmF6dXJld2Vic2l0ZXMubmV0LyJ9XSwgInZlcnNpb24iOiAiMS4wLjAifQ"}}'
     headers:
       Accept:
       - application/json
       Content-Length:
-      - '289'
+      - '324'
       Content-Type:
       - application/json
       User-Agent:
-      - azsdk-python-keyvault-keys/4.5.0b2 Python/3.9.0 (Windows-10-10.0.19041-SP0)
+      - azsdk-python-keyvault-keys/4.5.0b5 Python/3.9.0 (Windows-10-10.0.22000-SP0)
     method: PATCH
     uri: https://managedhsmname.managedhsm.azure.net/keys/livekvtestkey-named4c517f5/?api-version=7.3-preview
   response:
     body:
-      string: '{"attributes":{"created":1628108364,"enabled":true,"exp":2524723200,"exportable":true,"recoverableDays":7,"recoveryLevel":"CustomizedRecoverable+Purgeable","updated":1628108365},"key":{"e":"AQAB","key_ops":["wrapKey","verify","sign","unwrapKey","encrypt","decrypt"],"kid":"https://managedhsmname.managedhsm.azure.net/keys/livekvtestkey-named4c517f5/6e738db2a7c60f432fb8befd069f2ab2","kty":"RSA-HSM","n":"oDdi5cXpMWJpMv9R8xWyFfezI8_Pnt8mWXnhsjNROc8YaLZzdAUwYfCa4kS8QjUWYxxOgYXSsX8bISrHRAJiZqnopfUruSCrMqBVE8PotgOdVn_D-EIOIPHB--nwf1bRACC3wANiKuMsXI2dCRnOZVgWP-CoaMeMxuOplLp08g8SlYDzdXAqRjj2na8zA152DHz5tZVIqI6kAQVjGxYeb6DnFSqRsLrcR-UJXtdKT6G4wGupDgchhwK9D3zhEE78qtarsDNr0x9fxbTKtwtFVFAJIyLbsAhXQ0vUXLO1V2FalIr4SMPuah3sbw4UiFKLVt4lwGmub3rixicA1acFww"},"release_policy":{"contentType":"application/json;
+      string: '{"attributes":{"created":1633729957,"enabled":true,"exp":2524723200,"exportable":true,"recoverableDays":7,"recoveryLevel":"CustomizedRecoverable+Purgeable","updated":1633729960},"key":{"e":"AQAB","key_ops":["decrypt","encrypt"],"kid":"https://managedhsmname.managedhsm.azure.net/keys/livekvtestkey-named4c517f5/264bd2f68e264ff0981310113b993ef8","kty":"RSA-HSM","n":"qXlKVYSmNi9oCLhrP3Ba5kV0MAf3-5VDdMgISpxhrQkt5KZ4poE7aOx8iJ6pxsUhgBTptuOS2rJD7BXfr-c77M2zPgX0yg3-4DV8Ppm2mQE6Orkdh5OTGSd9_LWV4BSwZkXrUlSSgGP0DcQH3pAdwe5u6KVwOINn-YRdMGWtMUMXBPEz3-sn7M2eR08oYi2PDGiaCyMPi_UdOhQG0VGuZw5z2rYZzEDOWF61eSAhzrDX4SsMjYNbgE-whUZO7sRW02JCh_-tXIGBCofA9nyWgIpUQGjw1Fp7lp0e2KyyhUtvDHg2W5QwhfOQ3dFUY5tadhunDLNbF1CKJqF_7zbmxQ"},"release_policy":{"contentType":"application/json;
         charset=utf-8","data":"eyJhbnlPZiI6W3siYW55T2YiOlt7ImNsYWltIjoic2RrLXRlc3QiLCJlcXVhbHMiOmZhbHNlfV0sImF1dGhvcml0eSI6Imh0dHBzOi8vc2tyYXR0ZXN0YXRpb24uYXp1cmV3ZWJzaXRlcy5uZXQvIn1dLCJ2ZXJzaW9uIjoiMS4wLjAifQ"},"tags":{"foo":"updated
         tag"}}'
     headers:
       cache-control: no-cache
-      content-length: '1034'
+      content-length: '996'
       content-security-policy: default-src 'self'
       content-type: application/json; charset=utf-8
       strict-transport-security: max-age=31536000; includeSubDomains
       x-content-type-options: nosniff
       x-frame-options: SAMEORIGIN
       x-ms-keyvault-network-info: conn_type=Ipv4;addr=172.92.159.124;act_addr_fam=Ipv4;
       x-ms-keyvault-region: westus
-      x-ms-server-latency: '738'
+      x-ms-server-latency: '655'
     status:
       code: 200
       message: OK

sdk/keyvault/azure-keyvault-keys/tests/recordings/test_keys_async.test_key_crud_operations_7_0_vault.yaml

@@ -61,6 +61,11 @@ class KeyClientTests(KeysTestCase, KeyVaultTestCase):
     def __init__(self, *args, **kwargs):
         super(KeyClientTests, self).__init__(*args, match_body=False, **kwargs)
 
+    def _assert_jwks_equal(self, jwk1, jwk2):
+        for field in JsonWebKey._FIELDS:
+            if field != "key_ops":
+                assert getattr(jwk1, field) == getattr(jwk2, field)
+
     def _assert_key_attributes_equal(self, k1, k2):
         self.assertEqual(k1.name, k2.name)
         self.assertEqual(k1.vault_url, k2.vault_url)
@@ -123,9 +128,14 @@ def _update_key_properties(self, client, key, release_policy=None):
         expires = date_parse.parse("2050-01-02T08:00:00.000Z")
         tags = {"foo": "updated tag"}
         key_ops = ["decrypt", "encrypt"]
+
+        # wait before updating the key to make sure updated_on has a different value
+        if self.is_live:
+            time.sleep(2)
         key_bundle = client.update_key_properties(
             key.name, key_operations=key_ops, expires_on=expires, tags=tags, release_policy=release_policy
         )
+
         assert tags == key_bundle.properties.tags
         assert key.id == key_bundle.id
         assert key.properties.updated_on != key_bundle.properties.updated_on
@@ -183,7 +193,10 @@ def test_key_crud_operations(self, client, is_hsm, **kwargs):
         assert tags == ec_key.properties.tags
         # create ec with curve
         ec_key_curve_name = self.get_resource_name("crud-P-256-ec-key")
-        self._create_ec_key(client, key_name=ec_key_curve_name, curve="P-256", hardware_protected=is_hsm)
+        created_ec_key_curve = self._create_ec_key(
+            client, key_name=ec_key_curve_name, curve="P-256", hardware_protected=is_hsm
+        )
+        self.assertEqual("P-256", created_ec_key_curve.key.crv)
 
         # import key
         import_test_key_name = self.get_resource_name("import-test-key")
@@ -217,13 +230,16 @@ def test_key_crud_operations(self, client, is_hsm, **kwargs):
         deleted_key_poller = client.begin_delete_key(rsa_key.name)
         deleted_key = deleted_key_poller.result()
         self.assertIsNotNone(deleted_key)
-        self.assertEqual(rsa_key.key_type, deleted_key.key_type)
+
+        # aside from key_ops, the original updated keys should have the same JWKs
+        self._assert_jwks_equal(rsa_key.key, deleted_key.key)
         self.assertEqual(deleted_key.id, rsa_key.id)
         self.assertTrue(
             deleted_key.recovery_id and deleted_key.deleted_date and deleted_key.scheduled_purge_date,
             "Missing required deleted key attributes.",
         )
         deleted_key_poller.wait()
+
         # get the deleted key when soft deleted enabled
         deleted_key = client.get_deleted_key(rsa_key.name)
         self.assertIsNotNone(deleted_key)

sdk/keyvault/azure-keyvault-keys/tests/recordings/test_keys_async.test_key_crud_operations_7_1_vault.yaml

@@ -49,22 +49,9 @@ def __init__(self, *args, **kwargs):
         super().__init__(*args, match_body=False, **kwargs)
 
     def _assert_jwks_equal(self, jwk1, jwk2):
-        assert jwk1.kid == jwk2.kid
-        assert jwk1.kty == jwk2.kty
-        assert sorted(jwk1.key_ops) == sorted(jwk2.key_ops)
-        assert jwk1.n == jwk2.n
-        assert jwk1.e == jwk2.e
-        assert jwk1.d == jwk2.d
-        assert jwk1.dp == jwk2.dp
-        assert jwk1.dq == jwk2.dq
-        assert jwk1.qi == jwk2.qi
-        assert jwk1.p == jwk2.p
-        assert jwk1.q == jwk2.q
-        assert jwk1.k == jwk2.k
-        assert jwk1.t == jwk2.t
-        assert jwk1.crv == jwk2.crv
-        assert jwk1.x == jwk2.x
-        assert jwk1.y == jwk2.y
+        for field in JsonWebKey._FIELDS:
+            if field != "key_ops":
+                assert getattr(jwk1, field) == getattr(jwk2, field)
 
     def _assert_key_attributes_equal(self, k1, k2):
         self.assertEqual(k1.name, k2.name)
@@ -127,12 +114,19 @@ def _validate_rsa_key_bundle(self, key_attributes, vault, key_name, kty, key_ops
     async def _update_key_properties(self, client, key, release_policy=None):
         expires = date_parse.parse("2050-01-02T08:00:00.000Z")
         tags = {"foo": "updated tag"}
+        key_ops = ["decrypt", "encrypt"]
+
+        # wait before updating the key to make sure updated_on has a different value
+        if self.is_live:
+            await asyncio.sleep(2)
         key_bundle = await client.update_key_properties(
-            key.name, expires_on=expires, tags=tags, release_policy=release_policy
+            key.name, key_operations=key_ops, expires_on=expires, tags=tags, release_policy=release_policy
         )
+
         assert tags == key_bundle.properties.tags
         assert key.id == key_bundle.id
         assert key.properties.updated_on != key_bundle.properties.updated_on
+        assert sorted(key_ops) == sorted(key_bundle.key_operations)
         if release_policy:
             assert key.properties.release_policy.data != key_bundle.properties.release_policy.data
         return key_bundle
@@ -233,6 +227,8 @@ async def test_key_crud_operations(self, client, is_hsm, **kwargs):
         # delete the new key
         deleted_key = await client.delete_key(rsa_key.name)
         self.assertIsNotNone(deleted_key)
+
+        # aside from key_ops, the original updated keys should have the same JWKs
         self._assert_jwks_equal(rsa_key.key, deleted_key.key)
         self.assertEqual(deleted_key.id, rsa_key.id)
         self.assertTrue(