
Commit 41f5002

committed
Removed hardcoded references to Azure Key Vault key
1 parent 3d3230d commit 41f5002

8 files changed

+137
-47
lines changed


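--- a/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/AKVUnitTests.cs
+++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/AKVUnitTests.cs
@@ -14,13 +14,20 @@
 
 namespace Microsoft.Data.SqlClient.ManualTesting.Tests.AlwaysEncrypted
 {
-    public static class AKVUnitTests
+    public class AKVUnitTests : IClassFixture<AzureKeyVaultKeyFixture>
     {
         const string EncryptionAlgorithm = "RSA_OAEP";
         public static readonly byte[] s_columnEncryptionKey = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32 };
         private const string cekCacheName = "_columnEncryptionKeyCache";
         private const string signatureVerificationResultCacheName = "_columnMasterKeyMetadataSignatureVerificationCache";
 
+        private readonly AzureKeyVaultKeyFixture _fixture;
+
+        public AKVUnitTests(AzureKeyVaultKeyFixture fixture)
+        {
+            _fixture = fixture;
+        }
+
         private static void ValidateAKVTraces(List<EventWrittenEventArgs> eventData, Guid threadActivityId)
         {
             Assert.NotNull(eventData);
@@ -64,36 +71,36 @@ private static void ValidateAKVTraces(List<EventWrittenEventArgs> eventData, Gui
         }
 
         [ConditionalFact(typeof(DataTestUtility), nameof(DataTestUtility.IsAKVSetupAvailable))]
-        public static void LegacyAuthenticationCallbackTest()
+        public void LegacyAuthenticationCallbackTest()
         {
             Guid activityId = Trace.CorrelationManager.ActivityId = Guid.NewGuid();
             using DataTestUtility.AKVEventListener AKVListener = new();
 
             // SqlClientCustomTokenCredential implements legacy authentication callback to request access token at client-side.
             SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(new SqlClientCustomTokenCredential());
-            byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey);
-            byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCek);
+            byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(_fixture.GeneratedKeyUri, EncryptionAlgorithm, s_columnEncryptionKey);
+            byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, EncryptionAlgorithm, encryptedCek);
 
             Assert.Equal(s_columnEncryptionKey, decryptedCek);
             ValidateAKVTraces(AKVListener.EventData, activityId);
         }
 
         [ConditionalFact(typeof(DataTestUtility), nameof(DataTestUtility.IsAKVSetupAvailable))]
-        public static void TokenCredentialTest()
+        public void TokenCredentialTest()
         {
             Guid activityId = Trace.CorrelationManager.ActivityId = Guid.NewGuid();
             using DataTestUtility.AKVEventListener AKVListener = new();
 
             SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(DataTestUtility.GetTokenCredential());
-            byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey);
-            byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCek);
+            byte[] encryptedCek = akvProvider.EncryptColumnEncryptionKey(_fixture.GeneratedKeyUri, EncryptionAlgorithm, s_columnEncryptionKey);
+            byte[] decryptedCek = akvProvider.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, EncryptionAlgorithm, encryptedCek);
 
             Assert.Equal(s_columnEncryptionKey, decryptedCek);
             ValidateAKVTraces(AKVListener.EventData, activityId);
         }
 
         [ConditionalFact(typeof(DataTestUtility), nameof(DataTestUtility.IsAKVSetupAvailable))]
-        public static void TokenCredentialRotationTest()
+        public void TokenCredentialRotationTest()
         {
             Guid activityId = Trace.CorrelationManager.ActivityId = Guid.NewGuid();
             using DataTestUtility.AKVEventListener AKVListener = new();
@@ -103,19 +110,19 @@ public static void TokenCredentialRotationTest()
 
             SqlColumnEncryptionAzureKeyVaultProvider newAkvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(DataTestUtility.GetTokenCredential());
 
-            byte[] encryptedCekWithNewProvider = newAkvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey);
-            byte[] decryptedCekWithOldProvider = oldAkvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCekWithNewProvider);
+            byte[] encryptedCekWithNewProvider = newAkvProvider.EncryptColumnEncryptionKey(_fixture.GeneratedKeyUri, EncryptionAlgorithm, s_columnEncryptionKey);
+            byte[] decryptedCekWithOldProvider = oldAkvProvider.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, EncryptionAlgorithm, encryptedCekWithNewProvider);
             Assert.Equal(s_columnEncryptionKey, decryptedCekWithOldProvider);
 
-            byte[] encryptedCekWithOldProvider = oldAkvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, s_columnEncryptionKey);
-            byte[] decryptedCekWithNewProvider = newAkvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, EncryptionAlgorithm, encryptedCekWithOldProvider);
+            byte[] encryptedCekWithOldProvider = oldAkvProvider.EncryptColumnEncryptionKey(_fixture.GeneratedKeyUri, EncryptionAlgorithm, s_columnEncryptionKey);
+            byte[] decryptedCekWithNewProvider = newAkvProvider.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, EncryptionAlgorithm, encryptedCekWithOldProvider);
             Assert.Equal(s_columnEncryptionKey, decryptedCekWithNewProvider);
 
             ValidateAKVTraces(AKVListener.EventData, activityId);
         }
 
         [ConditionalFact(typeof(DataTestUtility), nameof(DataTestUtility.IsAKVSetupAvailable))]
-        public static void ReturnSpecifiedVersionOfKeyWhenItIsNotTheMostRecentVersion()
+        public void ReturnSpecifiedVersionOfKeyWhenItIsNotTheMostRecentVersion()
         {
             Uri keyPathUri = new Uri(DataTestUtility.AKVOriginalUrl);
             Uri vaultUri = new Uri(keyPathUri.GetLeftPart(UriPartial.Authority));
@@ -161,7 +168,7 @@ public static void ThrowWhenUrlHasLessThanThreeSegments()
         }
 
         [ConditionalFact(typeof(DataTestUtility), nameof(DataTestUtility.IsAKVSetupAvailable))]
-        public static void DecryptedCekIsCachedDuringDecryption()
+        public void DecryptedCekIsCachedDuringDecryption()
         {
             Guid activityId = Trace.CorrelationManager.ActivityId = Guid.NewGuid();
             using DataTestUtility.AKVEventListener AKVListener = new();
@@ -170,67 +177,67 @@ public static void DecryptedCekIsCachedDuringDecryption()
             byte[] plaintextKey1 = { 1, 2, 3 };
             byte[] plaintextKey2 = { 1, 2, 3 };
             byte[] plaintextKey3 = { 0, 1, 2, 3 };
-            byte[] encryptedKey1 = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", plaintextKey1);
-            byte[] encryptedKey2 = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", plaintextKey2);
-            byte[] encryptedKey3 = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", plaintextKey3);
+            byte[] encryptedKey1 = akvProvider.EncryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", plaintextKey1);
+            byte[] encryptedKey2 = akvProvider.EncryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", plaintextKey2);
+            byte[] encryptedKey3 = akvProvider.EncryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", plaintextKey3);
 
-            byte[] decryptedKey1 = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", encryptedKey1);
+            byte[] decryptedKey1 = akvProvider.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", encryptedKey1);
             Assert.Equal(1, GetCacheCount(cekCacheName, akvProvider));
             Assert.Equal(plaintextKey1, decryptedKey1);
 
-            decryptedKey1 = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", encryptedKey1);
+            decryptedKey1 = akvProvider.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", encryptedKey1);
             Assert.Equal(1, GetCacheCount(cekCacheName, akvProvider));
             Assert.Equal(plaintextKey1, decryptedKey1);
 
-            byte[] decryptedKey2 = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", encryptedKey2);
+            byte[] decryptedKey2 = akvProvider.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", encryptedKey2);
             Assert.Equal(2, GetCacheCount(cekCacheName, akvProvider));
             Assert.Equal(plaintextKey2, decryptedKey2);
 
-            byte[] decryptedKey3 = akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", encryptedKey3);
+            byte[] decryptedKey3 = akvProvider.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", encryptedKey3);
             Assert.Equal(3, GetCacheCount(cekCacheName, akvProvider));
             Assert.Equal(plaintextKey3, decryptedKey3);
 
             ValidateAKVTraces(AKVListener.EventData, activityId);
         }
 
         [ConditionalFact(typeof(DataTestUtility), nameof(DataTestUtility.IsAKVSetupAvailable))]
-        public static void SignatureVerificationResultIsCachedDuringVerification()
+        public void SignatureVerificationResultIsCachedDuringVerification()
         {
             Guid activityId = Trace.CorrelationManager.ActivityId = Guid.NewGuid();
             using DataTestUtility.AKVEventListener AKVListener = new();
 
             SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new(new SqlClientCustomTokenCredential());
-            byte[] signature = akvProvider.SignColumnMasterKeyMetadata(DataTestUtility.AKVUrl, true);
-            byte[] signature2 = akvProvider.SignColumnMasterKeyMetadata(DataTestUtility.AKVUrl, true);
-            byte[] signatureWithoutEnclave = akvProvider.SignColumnMasterKeyMetadata(DataTestUtility.AKVUrl, false);
+            byte[] signature = akvProvider.SignColumnMasterKeyMetadata(_fixture.GeneratedKeyUri, true);
+            byte[] signature2 = akvProvider.SignColumnMasterKeyMetadata(_fixture.GeneratedKeyUri, true);
+            byte[] signatureWithoutEnclave = akvProvider.SignColumnMasterKeyMetadata(_fixture.GeneratedKeyUri, false);
 
-            Assert.True(akvProvider.VerifyColumnMasterKeyMetadata(DataTestUtility.AKVUrl, true, signature));
+            Assert.True(akvProvider.VerifyColumnMasterKeyMetadata(_fixture.GeneratedKeyUri, true, signature));
             Assert.Equal(1, GetCacheCount(signatureVerificationResultCacheName, akvProvider));
 
-            Assert.True(akvProvider.VerifyColumnMasterKeyMetadata(DataTestUtility.AKVUrl, true, signature));
+            Assert.True(akvProvider.VerifyColumnMasterKeyMetadata(_fixture.GeneratedKeyUri, true, signature));
             Assert.Equal(1, GetCacheCount(signatureVerificationResultCacheName, akvProvider));
 
-            Assert.True(akvProvider.VerifyColumnMasterKeyMetadata(DataTestUtility.AKVUrl, true, signature2));
+            Assert.True(akvProvider.VerifyColumnMasterKeyMetadata(_fixture.GeneratedKeyUri, true, signature2));
             Assert.Equal(1, GetCacheCount(signatureVerificationResultCacheName, akvProvider));
 
-            Assert.True(akvProvider.VerifyColumnMasterKeyMetadata(DataTestUtility.AKVUrl, false, signatureWithoutEnclave));
+            Assert.True(akvProvider.VerifyColumnMasterKeyMetadata(_fixture.GeneratedKeyUri, false, signatureWithoutEnclave));
             Assert.Equal(2, GetCacheCount(signatureVerificationResultCacheName, akvProvider));
 
             ValidateAKVTraces(AKVListener.EventData, activityId);
         }
 
         [ConditionalFact(typeof(DataTestUtility), nameof(DataTestUtility.IsAKVSetupAvailable))]
-        public static void CekCacheEntryIsEvictedAfterTtlExpires()
+        public void CekCacheEntryIsEvictedAfterTtlExpires()
         {
             Guid activityId = Trace.CorrelationManager.ActivityId = Guid.NewGuid();
             using DataTestUtility.AKVEventListener AKVListener = new();
 
             SqlColumnEncryptionAzureKeyVaultProvider akvProvider = new(new SqlClientCustomTokenCredential());
             akvProvider.ColumnEncryptionKeyCacheTtl = TimeSpan.FromSeconds(5);
             byte[] plaintextKey = { 1, 2, 3 };
-            byte[] encryptedKey = akvProvider.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", plaintextKey);
+            byte[] encryptedKey = akvProvider.EncryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", plaintextKey);
 
-            akvProvider.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", encryptedKey);
+            akvProvider.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", encryptedKey);
             Assert.True(CekCacheContainsKey(encryptedKey, akvProvider));
             Assert.Equal(1, GetCacheCount(cekCacheName, akvProvider));
 
@@ -242,7 +249,7 @@ public static void CekCacheEntryIsEvictedAfterTtlExpires()
         }
 
         [ConditionalFact(typeof(DataTestUtility), nameof(DataTestUtility.IsAKVSetupAvailable))]
-        public static void CekCacheShouldBeDisabledWhenCustomProviderIsRegisteredGlobally()
+        public void CekCacheShouldBeDisabledWhenCustomProviderIsRegisteredGlobally()
         {
             if (SQLSetupStrategyAzureKeyVault.IsAKVProviderRegistered)
             {
@@ -255,9 +262,9 @@ public static void CekCacheShouldBeDisabledWhenCustomProviderIsRegisteredGloball
                 SqlColumnEncryptionAzureKeyVaultProvider akvProviderInGlobalCache =
                     globalProviders["AZURE_KEY_VAULT"] as SqlColumnEncryptionAzureKeyVaultProvider;
                 byte[] plaintextKey = { 1, 2, 3 };
-                byte[] encryptedKey = akvProviderInGlobalCache.EncryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", plaintextKey);
+                byte[] encryptedKey = akvProviderInGlobalCache.EncryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", plaintextKey);
 
-                akvProviderInGlobalCache.DecryptColumnEncryptionKey(DataTestUtility.AKVUrl, "RSA_OAEP", encryptedKey);
+                akvProviderInGlobalCache.DecryptColumnEncryptionKey(_fixture.GeneratedKeyUri, "RSA_OAEP", encryptedKey);
                 Assert.Equal(0, GetCacheCount(cekCacheName, akvProviderInGlobalCache));
             }
         }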
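Review bot: `ReturnSpecifiedVersionOfKeyWhenItIsNotTheMostRecentVersion` still starts from `DataTestUtility.AKVOriginalUrl` (context line in the third hunk) while every other test in this class now goes through `_fixture.GeneratedKeyUri`, so the class keeps one dependency on a pre-provisioned vault key although the commit title says those references were removed. If that is deliberate because this test needs an existing key with more than one version, a comment on that line saying so would keep the next cleanup from breaking it, e.g. `// Uses the configured key, not the fixture's freshly created one: this test needs a key that already has several versions.`; the body of that test runs past the hunk, so I cannot see whether it creates versions itself. The new constructor would also benefit from a one-line summary such as `/// <summary>Receives the per-class fixture that provisions the Key Vault key these tests encrypt, decrypt and sign against.</summary>`.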

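--- a/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/EnclaveAzureDatabaseTests.cs
+++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/EnclaveAzureDatabaseTests.cs
@@ -14,15 +14,15 @@
 namespace Microsoft.Data.SqlClient.ManualTesting.Tests.AlwaysEncrypted
 {
     // This test class is for internal use only
-    public sealed class EnclaveAzureDatabaseTests : IDisposable
+    public sealed class EnclaveAzureDatabaseTests : IDisposable, IClassFixture<AzureKeyVaultKeyFixture>
     {
         private ColumnMasterKey akvColumnMasterKey;
         private ColumnEncryptionKey akvColumnEncryptionKey;
         private SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider;
         private List<DbObject> databaseObjects = new List<DbObject>();
         private List<string> connStrings = new List<string>();
 
-        public EnclaveAzureDatabaseTests()
+        public EnclaveAzureDatabaseTests(AzureKeyVaultKeyFixture keyVaultKeyFixture)
         {
             if (DataTestUtility.IsEnclaveAzureDatabaseSetup())
             {
@@ -32,7 +32,7 @@ public EnclaveAzureDatabaseTests()
                 SQLSetupStrategyAzureKeyVault.RegisterGlobalProviders(sqlColumnEncryptionAzureKeyVaultProvider);
             }
 
-            akvColumnMasterKey = new AkvColumnMasterKey(DatabaseHelper.GenerateUniqueName("AKVCMK"), akvUrl: DataTestUtility.AKVUrl, sqlColumnEncryptionAzureKeyVaultProvider, DataTestUtility.EnclaveEnabled);
+            akvColumnMasterKey = new AkvColumnMasterKey(DatabaseHelper.GenerateUniqueName("AKVCMK"), akvUrl: keyVaultKeyFixture.GeneratedKeyUri, sqlColumnEncryptionAzureKeyVaultProvider, DataTestUtility.EnclaveEnabled);
             databaseObjects.Add(akvColumnMasterKey);
 
             akvColumnEncryptionKey = new ColumnEncryptionKey(DatabaseHelper.GenerateUniqueName("AKVCEK"),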
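Review bot: `keyVaultKeyFixture.GeneratedKeyUri` is read on line 35, outside the `if (DataTestUtility.IsEnclaveAzureDatabaseSetup())` block, so the fixture is now required every time xUnit instantiates this class, whereas the old code only read a string from `DataTestUtility` there. Because the fixture's constructor creates a key in the vault at construction time (see the new fixture file on this page), a run where the enclave database is not configured presumably now fails while building the fixture instead of reporting the tests as skipped; worth confirming against the xUnit fixture lifecycle and, if so, either moving the use inside the guarded block or documenting the requirement with `// Requires AKV configuration: the class fixture creates a vault key before any test runs.` The constructor body continues past the hunk.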
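--- /dev/null
+++ b/[file path not shown on page]
@@ -0,0 +1,19 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.using System;
+
+using Microsoft.Data.SqlClient.TestUtilities.Fixtures;
+
+namespace Microsoft.Data.SqlClient.ManualTesting.Tests.AlwaysEncrypted
+{
+    public sealed class AzureKeyVaultKeyFixture : AzureKeyVaultKeyFixtureBase
+    {
+        public string GeneratedKeyUri { get; }
+
+        public AzureKeyVaultKeyFixture()
+            : base(DataTestUtility.AKVBaseUri, DataTestUtility.GetTokenCredential())
+        {
+            GeneratedKeyUri = CreateKey(nameof(GeneratedKeyUri), 2048).ToString();
+        }
+    }
+}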
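Review bot: Line 3 of the new file fuses a `using System;` directive onto the end of the license comment (`// See the LICENSE file in the project root for more information.using System;`), so the directive is commented out; either put `using System;` on its own line after the header or drop it if nothing in the file needs it (nothing visible here does). Separately, the constructor eagerly calls `CreateKey(nameof(GeneratedKeyUri), 2048)` through a base constructed with `DataTestUtility.AKVBaseUri`, which the DataTestUtility hunk below shows stays null when no AKV URL is configured; what the base class does with a null URI is not on this page, so it is worth confirming that the fixture fails with a clear configuration message rather than a NullReferenceException. A `<summary>` on the class stating that it creates a fresh 2048-bit key in the configured vault on construction, and whether the base class deletes that key on dispose, would document the key's lifetime for anyone auditing the test vault.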

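--- a/src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/DataTestUtility.cs
+++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/DataCommon/DataTestUtility.cs
@@ -38,8 +38,6 @@ public static class DataTestUtility
         public static readonly string AADPasswordConnectionString = null;
         public static readonly string AADServicePrincipalId = null;
         public static readonly string AADServicePrincipalSecret = null;
-        public static readonly string AKVBaseUrl = null;
-        public static readonly string AKVUrl = null;
         public static readonly string AKVOriginalUrl = null;
         public static readonly string AKVTenantId = null;
         public static readonly string LocalDbAppName = null;
@@ -72,7 +70,6 @@ public static class DataTestUtility
         public static string AADUserIdentityAccessToken = null;
         public const string ApplicationClientId = "2fd908ad-0664-4344-b9be-cd3e8b574c38";
         public const string UdtTestDbName = "UdtTestDb";
-        public const string AKVKeyName = "TestSqlClientAzureKeyVaultProvider";
         public const string EventSourcePrefix = "Microsoft.Data.SqlClient";
         public const string MDSEventSourceName = "Microsoft.Data.SqlClient.EventSource";
         public const string AKVEventSourceName = "Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.EventSource";
@@ -199,8 +196,6 @@ static DataTestUtility()
             if (!string.IsNullOrEmpty(AKVOriginalUrl) && Uri.TryCreate(AKVOriginalUrl, UriKind.Absolute, out AKVBaseUri))
             {
                 AKVBaseUri = new Uri(AKVBaseUri, "/");
-                AKVBaseUrl = AKVBaseUri.AbsoluteUri;
-                AKVUrl = (new Uri(AKVBaseUri, $"/keys/{AKVKeyName}")).AbsoluteUri;
             }
 
             AKVTenantId = c.AzureKeyVaultTenantId;
@@ -461,7 +456,7 @@ public static bool IsNotAzureServer()
         // Ref: https://feedback.azure.com/forums/307516-azure-synapse-analytics/suggestions/17858869-support-always-encrypted-in-sql-data-warehouse
         public static bool IsAKVSetupAvailable()
         {
-            return !string.IsNullOrEmpty(AKVUrl) && !string.IsNullOrEmpty(UserManagedIdentityClientId) && !string.IsNullOrEmpty(AKVTenantId) && IsNotAzureSynapse();
+            return AKVBaseUri != null && !string.IsNullOrEmpty(UserManagedIdentityClientId) && !string.IsNullOrEmpty(AKVTenantId) && IsNotAzureSynapse();
         }
 
         private static readonly DefaultAzureCredential s_defaultCredential = new(new DefaultAzureCredentialOptions { ManagedIdentityClientId = UserManagedIdentityClientId });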
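Review bot: The rewritten condition in `IsAKVSetupAvailable` uses a reference comparison (`AKVBaseUri != null`) next to the string helpers used for the other fields; the idiomatic and overload-proof form is `AKVBaseUri is not null`, i.e. `return AKVBaseUri is not null && !string.IsNullOrEmpty(UserManagedIdentityClientId) && !string.IsNullOrEmpty(AKVTenantId) && IsNotAzureSynapse();`. The meaning of "available" has also shifted from "a specific key URL is configured" to "a vault base URI is configured and tests provision their own keys", so a summary on the method saying so would help readers of the ConditionalFact attributes, e.g. `/// <summary>True when a Key Vault base URI, managed identity and tenant are configured; tests create the keys they need.</summary>`. Note that `AKVOriginalUrl` is still read by at least one remaining test on this page, so the utility has not dropped every reference to a pre-existing key.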
