diff --git a/.vscode/cspell.json b/.vscode/cspell.json index 388b4295b9a9..531d65f03000 100644 --- a/.vscode/cspell.json +++ b/.vscode/cspell.json @@ -995,7 +995,8 @@ "filename": "sdk/keyvault/**", "words": [ "eddsa", - "Thawte" + "Thawte", + "tobytes" ] }, { diff --git a/sdk/keyvault/azure-keyvault-securitydomain/CHANGELOG.md b/sdk/keyvault/azure-keyvault-securitydomain/CHANGELOG.md new file mode 100644 index 000000000000..eb0fa128c8b3 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/CHANGELOG.md @@ -0,0 +1,7 @@ +# Release History + +## 1.0.0b1 (2025-05-06) + +### Features Added + +- Initial version diff --git a/sdk/keyvault/azure-keyvault-securitydomain/LICENSE b/sdk/keyvault/azure-keyvault-securitydomain/LICENSE new file mode 100644 index 000000000000..63447fd8bbbf --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/LICENSE 
@@ -0,0 +1,21 @@ +Copyright (c) Microsoft Corporation. + +MIT License + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/sdk/keyvault/azure-keyvault-securitydomain/MANIFEST.in b/sdk/keyvault/azure-keyvault-securitydomain/MANIFEST.in new file mode 100644 index 000000000000..e4ac0d9e632d --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/MANIFEST.in @@ -0,0 +1,7 @@ +include *.md +include LICENSE +include azure/keyvault/securitydomain/py.typed +recursive-include tests *.py +recursive-include samples *.py *.md +include azure/__init__.py +include azure/keyvault/__init__.py \ No newline at end of file diff --git a/sdk/keyvault/azure-keyvault-securitydomain/README.md b/sdk/keyvault/azure-keyvault-securitydomain/README.md new file mode 100644 index 000000000000..1096922a671e --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/README.md 
@@ -0,0 +1,206 @@ +# Azure Key Vault Security Domain client library for Python + +Azure Key Vault helps solve the following problems: + +- Managed HSM security domain management (this library) - securely download and restore a managed HSM's security domain +- Cryptographic key management ([azure-keyvault-keys](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-keys))- create, store, and control +access to the keys used to encrypt your data +- Secrets management +([azure-keyvault-secrets](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-secrets)) - +securely store and control access to tokens, passwords, certificates, API keys, +and other secrets +- Certificate management +([azure-keyvault-certificates](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-certificates)) - +create, manage, and deploy public and private SSL/TLS certificates +- Vault administration ([azure-keyvault-administration](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-administration)) - role-based access control (RBAC), and vault-level backup and restore options + +[Source code][library_src] +| [Package (PyPI)][pypi_package] +| [API reference documentation][reference_docs] +| [Key Vault documentation][azure_keyvault] +| [Managed HSM documentation][azure_managedhsm] +| [Samples][samples] + +## Getting started + +### Install the package + +Install [azure-keyvault-securitydomain][pypi_package] and [azure-identity][azure_identity_pypi] with [pip][pip]: + +```Bash +python -m pip install azure-keyvault-securitydomain azure-identity +``` + +[azure-identity][azure_identity] is used for Microsoft Entra ID authentication as demonstrated below. + +#### Prequisites + +- Python 3.9 or later +- An [Azure subscription][azure_sub] +- An existing [Key Vault Managed HSM][azure_managedhsm]. 
If you need to create a Managed HSM, you can do so using the Azure CLI by following the steps in [this document][managed_hsm_cli]. + +### Authenticate the client + +In order to interact with the Azure Key Vault service, you will need an instance of a +[SecurityDomainClient][securitydomain_client_docs], as well as a **vault URL** and a credential object. This document +demonstrates using a [DefaultAzureCredential][default_cred_ref], which is appropriate for most scenarios. We recommend +using a [managed identity][managed_identity] for authentication in production environments. + +See [azure-identity][azure_identity] documentation for more information about other methods of authentication and their +corresponding credential types. + +#### Create a client + +After configuring your environment for the [DefaultAzureCredential][default_cred_ref] to use a suitable method of +authentication, you can do the following to create a security domain client (replacing the value of `VAULT_URL` with +your vault's URL): + + + +```python +from azure.identity import DefaultAzureCredential +from azure.keyvault.securitydomain import SecurityDomainClient + +VAULT_URL = os.environ["VAULT_URL"] +credential = DefaultAzureCredential() +client = SecurityDomainClient(vault_url=VAULT_URL, credential=credential) +``` + + + +> **NOTE:** For an asynchronous client, import `azure.keyvault.securitydomain.aio`'s `SecurityDomainClient` instead. + +## Key concepts + +### Security domain + +To operate, a managed HSM must have a security domain. The security domain is an encrypted blob file that contains +artifacts like the HSM backup, user credentials, the signing key, and the data encryption key that's unique to the +managed HSM. For more information, please see [service documentation][securitydomain_docs]. + +### SecurityDomainClient + +A `SecurityDomainClient` can download and upload managed HSM security domains and get transfer keys. 
+ +### Download operation + +A download operation retrieves the security domain of a managed HSM. This can be used to activate a provisioned +managed HSM. + +### Upload operation + +An upload operation restores a managed HSM using a provided security domain. + +### Transfer key + +A transfer key, or exchange key, is used to encrypt a security domain before uploading it to a managed HSM. For more +information, please see the [disaster recovery guide][disaster_recovery]. + +## Examples + +This section contains code snippets covering common tasks: + +- [Download a security domain](#download-a-security-domain) +- [Get a transfer key](#get-a-transfer-key) +- [Upload a security domain](#upload-a-security-domain) + +### Download a security domain + +`begin_download` can be used by a `SecurityDomainClient` to fetch a managed HSM's security domain, and this will also +activate a provisioned managed HSM. By default, the poller returned by this operation will poll on the managed HSM's +activation status, finishing when it's activated. To return immediately with the security domain object without waiting +for activation, you can pass the keyword argument `skip_activation_polling=True`. + +```python +from azure.keyvault.securitydomain.models import SecurityDomain + +security_domain: SecurityDomain = client.begin_download(certificate_info=certs_object).result() +assert security_domain.value +print("The managed HSM is now active.") +``` + +### Get a transfer key + +Using a different managed HSM than the one the security domain was downloaded from, `get_transfer_key` can be used by +a `SecurityDomainClient` to fetch a transfer key (also known as an exchange key). 
+ +```python +from azure.keyvault.securitydomain.models import TransferKey + +NEW_VAULT_URL = os.environ["NEW_VAULT_URL"] +upload_client = SecurityDomainClient(vault_url=NEW_VAULT_URL, credential=credential) + +transfer_key: TransferKey = upload_client.get_transfer_key() +assert transfer_key.transfer_key_jwk +``` + +### Upload a security domain + +`begin_upload` can be used by a `SecurityDomainClient` to restore a different managed HSM with a security domain, for +example for disaster recovery. Like the download operation this will activate a provisioned managed HSM, but the poller +will return None if successful (and an error if unsuccessful) instead of the security domain object. + +```python +from azure.keyvault.securitydomain.models import SecurityDomainOperationStatus + +result: SecurityDomainOperationStatus = upload_client.begin_upload(security_domain=result).result() +print("The managed HSM has been successfully restored with the security domain.") +``` + +## Troubleshooting + +See the Azure Key Vault SDK's +[troubleshooting guide](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/keyvault/TROUBLESHOOTING.md) for +details on how to diagnose various failure scenarios. + +## Next steps +Samples are available in the Azure SDK for Python GitHub repository. These samples provide example code for the +following scenarios: + +- [Download a security domain][hello_world_sample] ([async version][hello_world_async_sample]) + +## Contributing + +This project welcomes contributions and suggestions. Most contributions require +you to agree to a Contributor License Agreement (CLA) declaring that you have +the right to, and actually do, grant us the rights to use your contribution. +For details, visit https://cla.microsoft.com. + +When you submit a pull request, a CLA-bot will automatically determine whether +you need to provide a CLA and decorate the PR appropriately (e.g., label, +comment). Simply follow the instructions provided by the bot. 
You will only +need to do this once across all repos using our CLA. + +This project has adopted the +[Microsoft Open Source Code of Conduct][code_of_conduct]. For more information, +see the Code of Conduct FAQ or contact opencode@microsoft.com with any +additional questions or comments. + + +[azure_identity]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/identity/azure-identity +[azure_identity_pypi]: https://pypi.org/project/azure-identity/ +[azure_keyvault]: https://learn.microsoft.com/azure/key-vault/ +[azure_managedhsm]: https://learn.microsoft.com/azure/key-vault/managed-hsm/ +[azure_sub]: https://azure.microsoft.com/free/ + +[code_of_conduct]: https://opensource.microsoft.com/codeofconduct/ + +[default_cred_ref]: https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential +[disaster_recovery]: https://learn.microsoft.com/azure/key-vault/managed-hsm/disaster-recovery-guide + +[hello_world_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world.py +[hello_world_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world_async.py + +[library_src]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain + +[managed_hsm_cli]: https://learn.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli +[managed_identity]: https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/overview + +[pip]: https://pypi.org/project/pip/ +[pypi_package]: https://pypi.org/project/azure-keyvault-securitydomain/ + +[reference_docs]: https://aka.ms/azsdk/python/keyvault-securitydomain/docs + +[samples]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-securitydomain/samples +[securitydomain_client_docs]: 
https://aka.ms/azsdk/python/keyvault-securitydomain/docs#azure.keyvault.securitydomain.SecurityDomainClient +[securitydomain_docs]: https://learn.microsoft.com/azure/key-vault/managed-hsm/security-domain diff --git a/sdk/keyvault/azure-keyvault-securitydomain/apiview-properties.json b/sdk/keyvault/azure-keyvault-securitydomain/apiview-properties.json new file mode 100644 index 000000000000..69719a23abeb --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/apiview-properties.json @@ -0,0 +1,16 @@ +{ + "CrossLanguagePackageId": "KeyVault", + "CrossLanguageDefinitionId": { + "azure.keyvault.securitydomain.models.CertificateInfo": "KeyVault.CertificateInfoObject", + "azure.keyvault.securitydomain.models.KeyVaultError": "KeyVaultError", + "azure.keyvault.securitydomain.models.KeyVaultErrorError": "KeyVaultError.error.anonymous", + "azure.keyvault.securitydomain.models.SecurityDomain": "KeyVault.SecurityDomainObject", + "azure.keyvault.securitydomain.models.SecurityDomainJsonWebKey": "KeyVault.SecurityDomainJsonWebKey", + "azure.keyvault.securitydomain.models.SecurityDomainOperationStatus": "KeyVault.SecurityDomainOperationStatus", + "azure.keyvault.securitydomain.models.TransferKey": "KeyVault.TransferKey", + "azure.keyvault.securitydomain.models.OperationStatus": "KeyVault.OperationStatus", + "azure.keyvault.securitydomain.SecurityDomainClient.get_download_status": "ClientCustomizations.SecurityDomainClient.getDownloadStatus", + "azure.keyvault.securitydomain.SecurityDomainClient.get_upload_status": "ClientCustomizations.SecurityDomainClient.getUploadStatus", + "azure.keyvault.securitydomain.SecurityDomainClient.get_transfer_key": "ClientCustomizations.SecurityDomainClient.getTransferKey" + } +} \ No newline at end of file diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/__init__.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/__init__.py new file mode 100644 index 000000000000..d55ccad1f573 --- /dev/null 
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/__init__.py
@@ -0,0 +1 @@
+__path__ = __import__("pkgutil").extend_path(__path__, __name__) # type: ignore
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/__init__.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/__init__.py
new file mode 100644
index 000000000000..d55ccad1f573
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/__init__.py
@@ -0,0 +1 @@
+__path__ = __import__("pkgutil").extend_path(__path__, __name__) # type: ignore
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/__init__.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/__init__.py
new file mode 100644
index 000000000000..5cb269a9b5a9
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/__init__.py
@@ -0,0 +1,32 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) Python Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+# pylint: disable=wrong-import-position
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+ from ._patch import * # pylint: disable=unused-wildcard-import
+
+from ._client import SecurityDomainClient # type: ignore
+from ._version import VERSION
+
+__version__ = VERSION
+
+try:
+ from ._patch import __all__ as _patch_all
+ from ._patch import *
+except ImportError:
+ _patch_all = []
+from ._patch import patch_sdk as _patch_sdk
+
+__all__ = [
+ "SecurityDomainClient",
+]
+__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore
+
+_patch_sdk()
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_client.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_client.py new file mode 100644 index 000000000000..c04961cc01ed --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_client.py 
@@ -0,0 +1,99 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) Python Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from copy import deepcopy
+from typing import Any, TYPE_CHECKING
+from typing_extensions import Self
+
+from azure.core import PipelineClient
+from azure.core.pipeline import policies
+from azure.core.rest import HttpRequest, HttpResponse
+
+from ._configuration import SecurityDomainClientConfiguration
+from ._operations import SecurityDomainClientOperationsMixin
+from ._serialization import Deserializer, Serializer
+
+if TYPE_CHECKING:
+ from azure.core.credentials import TokenCredential
+
+
+class SecurityDomainClient(SecurityDomainClientOperationsMixin):
+ """SecurityDomainClient.
+
+ :param vault_base_url: Required.
+ :type vault_base_url: str
+ :param credential: Credential used to authenticate requests to the service. Required.
+ :type credential: ~azure.core.credentials.TokenCredential
+ :keyword api_version: The API version to use for this operation. Default value is "7.5". Note
+ that overriding this default value may result in unsupported behavior.
+ :paramtype api_version: str
+ """
+
+ def __init__(self, vault_base_url: str, credential: "TokenCredential", **kwargs: Any) -> None:
+ _endpoint = "{vaultBaseUrl}"
+ self._config = SecurityDomainClientConfiguration(vault_base_url=vault_base_url, credential=credential, **kwargs)
+ _policies = kwargs.pop("policies", None)
+ if _policies is None:
+ _policies = [
+ policies.RequestIdPolicy(**kwargs),
+ self._config.headers_policy,
+ self._config.user_agent_policy,
+ self._config.proxy_policy,
+ policies.ContentDecodePolicy(**kwargs),
+ self._config.redirect_policy,
+ self._config.retry_policy,
+ self._config.authentication_policy,
+ self._config.custom_hook_policy,
+ self._config.logging_policy,
+ policies.DistributedTracingPolicy(**kwargs),
+ policies.SensitiveHeaderCleanupPolicy(**kwargs) if self._config.redirect_policy else None,
+ self._config.http_logging_policy,
+ ]
+ self._client: PipelineClient = PipelineClient(base_url=_endpoint, policies=_policies, **kwargs)
+
+ self._serialize = Serializer()
+ self._deserialize = Deserializer()
+ self._serialize.client_side_validation = False
+
+ def send_request(self, request: HttpRequest, *, stream: bool = False, **kwargs: Any) -> HttpResponse:
+ """Runs the network request through the client's chained policies.
+
+ >>> from azure.core.rest import HttpRequest
+ >>> request = HttpRequest("GET", "https://www.example.org/")
+
+ >>> response = client.send_request(request)
+
+
+ For more information on this code flow, see https://aka.ms/azsdk/dpcodegen/python/send_request
+
+ :param request: The network request you want to make. Required.
+ :type request: ~azure.core.rest.HttpRequest
+ :keyword bool stream: Whether the response payload will be streamed. Defaults to False.
+ :return: The response of your network call. Does not do error handling on your response.
+ :rtype: ~azure.core.rest.HttpResponse
+ """
+
+ request_copy = deepcopy(request)
+ path_format_arguments = {
+ "vaultBaseUrl": self._serialize.url(
+ "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True
+ ),
+ }
+
+ request_copy.url = self._client.format_url(request_copy.url, **path_format_arguments)
+ return self._client.send_request(request_copy, stream=stream, **kwargs) # type: ignore
+
+ def close(self) -> None:
+ self._client.close()
+
+ def __enter__(self) -> Self:
+ self._client.__enter__()
+ return self
+
+ def __exit__(self, *exc_details: Any) -> None:
+ self._client.__exit__(*exc_details)
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_configuration.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_configuration.py
new file mode 100644
index 000000000000..1a036a706db4
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_configuration.py
@@ -0,0 +1,63 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) Python Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from typing import Any, TYPE_CHECKING
+
+from azure.core.pipeline import policies
+
+from ._version import VERSION
+
+if TYPE_CHECKING:
+ from azure.core.credentials import TokenCredential
+
+
+class SecurityDomainClientConfiguration: # pylint: disable=too-many-instance-attributes
+ """Configuration for SecurityDomainClient.
+
+ Note that all parameters used to create this instance are saved as instance
+ attributes.
+
+ :param vault_base_url: Required.
+ :type vault_base_url: str
+ :param credential: Credential used to authenticate requests to the service. Required.
+ :type credential: ~azure.core.credentials.TokenCredential
+ :keyword api_version: The API version to use for this operation. Default value is "7.5". Note
+ that overriding this default value may result in unsupported behavior.
+ :paramtype api_version: str
+ """
+
+ def __init__(self, vault_base_url: str, credential: "TokenCredential", **kwargs: Any) -> None:
+ api_version: str = kwargs.pop("api_version", "7.5")
+
+ if vault_base_url is None:
+ raise ValueError("Parameter 'vault_base_url' must not be None.")
+ if credential is None:
+ raise ValueError("Parameter 'credential' must not be None.")
+
+ self.vault_base_url = vault_base_url
+ self.credential = credential
+ self.api_version = api_version
+ self.credential_scopes = kwargs.pop("credential_scopes", ["https://vault.azure.net/.default"])
+ kwargs.setdefault("sdk_moniker", "keyvault-securitydomain/{}".format(VERSION))
+ self.polling_interval = kwargs.get("polling_interval", 30)
+ self._configure(**kwargs)
+
+ def _configure(self, **kwargs: Any) -> None:
+ self.user_agent_policy = kwargs.get("user_agent_policy") or policies.UserAgentPolicy(**kwargs)
+ self.headers_policy = kwargs.get("headers_policy") or policies.HeadersPolicy(**kwargs)
+ self.proxy_policy = kwargs.get("proxy_policy") or policies.ProxyPolicy(**kwargs)
+ self.logging_policy = kwargs.get("logging_policy") or policies.NetworkTraceLoggingPolicy(**kwargs)
+ self.http_logging_policy = kwargs.get("http_logging_policy") or policies.HttpLoggingPolicy(**kwargs)
+ self.custom_hook_policy = kwargs.get("custom_hook_policy") or policies.CustomHookPolicy(**kwargs)
+ self.redirect_policy = kwargs.get("redirect_policy") or policies.RedirectPolicy(**kwargs)
+ self.retry_policy = kwargs.get("retry_policy") or policies.RetryPolicy(**kwargs)
+ self.authentication_policy = kwargs.get("authentication_policy")
+ if self.credential and not self.authentication_policy:
+ self.authentication_policy = policies.BearerTokenCredentialPolicy(
+ self.credential, *self.credential_scopes, **kwargs
+ )
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/__init__.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/__init__.py new file mode 100644 index 000000000000..b10d62707fcc --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/__init__.py 
@@ -0,0 +1,71 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+from collections import namedtuple
+
+from urllib.parse import urlparse
+
+from .async_polling import (
+ AsyncSecurityDomainDownloadNoPolling,
+ AsyncSecurityDomainDownloadPollingMethod,
+ AsyncSecurityDomainUploadPollingMethod,
+)
+from .challenge_auth_policy import ChallengeAuthPolicy
+from .http_challenge import HttpChallenge
+from . import http_challenge_cache
+from .polling import (
+ SecurityDomainDownloadNoPolling,
+ SecurityDomainDownloadPolling,
+ SecurityDomainDownloadPollingMethod,
+ SecurityDomainUploadPolling,
+ SecurityDomainUploadPollingMethod,
+)
+
+HttpChallengeCache = http_challenge_cache # to avoid aliasing pylint error (C4745)
+
+__all__ = [
+ "AsyncSecurityDomainDownloadNoPolling",
+ "AsyncSecurityDomainDownloadPollingMethod",
+ "AsyncSecurityDomainUploadPollingMethod",
+ "ChallengeAuthPolicy",
+ "HttpChallenge",
+ "HttpChallengeCache",
+ "SecurityDomainDownloadNoPolling",
+ "SecurityDomainDownloadPolling",
+ "SecurityDomainDownloadPollingMethod",
+ "SecurityDomainUploadPolling",
+ "SecurityDomainUploadPollingMethod",
+]
+
+_VaultId = namedtuple("_VaultId", ["vault_url", "collection", "name", "version"])
+
+
+def parse_vault_id(url: str) -> "_VaultId":
+ try:
+ parsed_uri = urlparse(url)
+ except Exception as exc: # pylint: disable=broad-except
+ raise ValueError(f"'{url}' is not a valid url") from exc
+ if not (parsed_uri.scheme and parsed_uri.hostname):
+ raise ValueError(f"'{url}' is not a valid url")
+
+ path = list(filter(None, parsed_uri.path.split("/")))
+
+ if len(path) < 2 or len(path) > 3:
+ raise ValueError(f"'{url}' is not a valid vault url")
+
+ return _VaultId(
+ vault_url=f"{parsed_uri.scheme}://{parsed_uri.hostname}",
+ collection=path[0],
+ name=path[1],
+ version=path[2] if len(path) == 3 else None,
+ )
+
+
+try:
+ # pylint:disable=unused-import
+ from .async_challenge_auth_policy import AsyncChallengeAuthPolicy
+
+ __all__.extend(["AsyncChallengeAuthPolicy"])
+except (SyntaxError, ImportError):
+ pass
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_challenge_auth_policy.py
new file mode 100644
index 000000000000..3e3ac1855178
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_challenge_auth_policy.py
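Review bot: `parse_vault_id` is exported without a docstring, so the `ValueError` contract callers must handle is only discoverable by reading the body; a short docstring such as `"""Split a Key Vault object URL into (vault_url, collection, name, version); raises ValueError if the URL lacks a scheme or host, or its path is not 2 or 3 segments."""` would cover it. The `except (SyntaxError, ImportError): pass` guarding the `AsyncChallengeAuthPolicy` import looks like a Python 2 compatibility leftover — this package targets Python 3.9+ per its README — and it also hides a genuine failure to import the async policy until an async client is first constructed; `except ImportError: pass` keeps the intent while letting real defects surface at import time. Note too that the parser accepts any URL scheme, so an `http://` vault URL passes this check; that is presumably acceptable because TLS enforcement appears to live in `_enforce_tls` in the challenge policy module, but a one-line comment saying so would save the next reader a search.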
@@ -0,0 +1,256 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +"""Policy implementing Key Vault's challenge authentication protocol. + +Normally the protocol is only used for the client's first service request, upon which: +1. The challenge authentication policy sends a copy of the request, without authorization or content. +2. Key Vault responds 401 with a header (the 'challenge') detailing how the client should authenticate such a request. +3. The policy authenticates according to the challenge and sends the original request with authorization. + +The policy caches the challenge and thus knows how to authenticate future requests. However, authentication +requirements can change. For example, a vault may move to a new tenant. In such a case the policy will attempt the +protocol again. +""" + +from copy import deepcopy +import sys +import time +from typing import Any, Callable, cast, Optional, overload, TypeVar, Union +from urllib.parse import urlparse + +from typing_extensions import ParamSpec + +from azure.core.credentials import AccessToken, AccessTokenInfo, TokenRequestOptions +from azure.core.credentials_async import AsyncSupportsTokenInfo, AsyncTokenCredential, AsyncTokenProvider +from azure.core.pipeline import PipelineRequest, PipelineResponse +from azure.core.pipeline.policies import AsyncBearerTokenCredentialPolicy +from azure.core.rest import AsyncHttpResponse, HttpRequest + +from .http_challenge import HttpChallenge +from . import http_challenge_cache as ChallengeCache +from .challenge_auth_policy import _enforce_tls, _has_claims, _update_challenge + +if sys.version_info < (3, 9): + from typing import Awaitable +else: + from collections.abc import Awaitable + + +P = ParamSpec("P") +T = TypeVar("T") + + +@overload +async def await_result(func: Callable[P, Awaitable[T]], *args: P.args, **kwargs: P.kwargs) -> T: ... 
+ + +@overload +async def await_result(func: Callable[P, T], *args: P.args, **kwargs: P.kwargs) -> T: ... + + +async def await_result(func: Callable[P, Union[T, Awaitable[T]]], *args: P.args, **kwargs: P.kwargs) -> T: + """If func returns an awaitable, await it. + + :param func: The function to run. + :type func: callable + :param args: The positional arguments to pass to the function. + :type args: list + :rtype: any + :return: The result of the function + """ + result = func(*args, **kwargs) + if isinstance(result, Awaitable): + return await result + return result + + +class AsyncChallengeAuthPolicy(AsyncBearerTokenCredentialPolicy): + """Policy for handling HTTP authentication challenges. + + :param credential: An object which can provide an access token for the vault, such as a credential from + :mod:`azure.identity.aio` + :type credential: ~azure.core.credentials_async.AsyncTokenProvider + """ + + def __init__(self, credential: AsyncTokenProvider, *scopes: str, **kwargs: Any) -> None: + # Pass `enable_cae` so `enable_cae=True` is always passed through self.authorize_request + super().__init__(credential, *scopes, enable_cae=True, **kwargs) + self._credential: AsyncTokenProvider = credential + self._token: Optional[Union["AccessToken", "AccessTokenInfo"]] = None + self._verify_challenge_resource = kwargs.pop("verify_challenge_resource", True) + self._request_copy: Optional[HttpRequest] = None + + async def send(self, request: PipelineRequest[HttpRequest]) -> PipelineResponse[HttpRequest, AsyncHttpResponse]: + """Authorize request with a bearer token and send it to the next policy. + + We implement this method to account for the valid scenario where a Key Vault authentication challenge is + immediately followed by a CAE claims challenge. The base class's implementation would return the second 401 to + the caller, but we should handle that second challenge as well (and only return any third 401 response). 
+ + :param request: The pipeline request object + :type request: ~azure.core.pipeline.PipelineRequest + :return: The pipeline response object + :rtype: ~azure.core.pipeline.PipelineResponse + """ + await await_result(self.on_request, request) + response: PipelineResponse[HttpRequest, AsyncHttpResponse] + try: + response = await self.next.send(request) + except Exception: # pylint:disable=broad-except + await await_result(self.on_exception, request) + raise + await await_result(self.on_response, request, response) + + if response.http_response.status_code == 401: + return await self.handle_challenge_flow(request, response) + return response + + async def handle_challenge_flow( + self, + request: PipelineRequest[HttpRequest], + response: PipelineResponse[HttpRequest, AsyncHttpResponse], + consecutive_challenge: bool = False, + ) -> PipelineResponse[HttpRequest, AsyncHttpResponse]: + """Handle the challenge flow of Key Vault and CAE authentication. + + :param request: The pipeline request object + :type request: ~azure.core.pipeline.PipelineRequest + :param response: The pipeline response object + :type response: ~azure.core.pipeline.PipelineResponse + :param bool consecutive_challenge: Whether the challenge is arriving immediately after another challenge. + Consecutive challenges can only be valid if a Key Vault challenge is followed by a CAE claims challenge. + True if the preceding challenge was a Key Vault challenge; False otherwise. 
+ + :return: The pipeline response object + :rtype: ~azure.core.pipeline.PipelineResponse + """ + self._token = None # any cached token is invalid + if "WWW-Authenticate" in response.http_response.headers: + # If the previous challenge was a KV challenge and this one is too, return the 401 + claims_challenge = _has_claims(response.http_response.headers["WWW-Authenticate"]) + if consecutive_challenge and not claims_challenge: + return response + + request_authorized = await self.on_challenge(request, response) + if request_authorized: + # if we receive a challenge response, we retrieve a new token + # which matches the new target. In this case, we don't want to remove + # token from the request so clear the 'insecure_domain_change' tag + request.context.options.pop("insecure_domain_change", False) + try: + response = await self.next.send(request) + except Exception: # pylint:disable=broad-except + await await_result(self.on_exception, request) + raise + + # If consecutive_challenge == True, this could be a third consecutive 401 + if response.http_response.status_code == 401 and not consecutive_challenge: + # If the previous challenge wasn't from CAE, we can try this function one more time + if not claims_challenge: + return await self.handle_challenge_flow(request, response, consecutive_challenge=True) + await await_result(self.on_response, request, response) + return response + + async def on_request(self, request: PipelineRequest) -> None: + _enforce_tls(request) + challenge = ChallengeCache.get_challenge_for_url(request.http_request.url) + if challenge: + # Note that if the vault has moved to a new tenant since our last request for it, this request will fail. 
+ if self._need_new_token(): + # azure-identity credentials require an AADv2 scope but the challenge may specify an AADv1 resource + scope = challenge.get_scope() or challenge.get_resource() + "/.default" + await self._request_kv_token(scope, challenge) + + bearer_token = cast(Union[AccessToken, AccessTokenInfo], self._token).token + request.http_request.headers["Authorization"] = f"Bearer {bearer_token}" + return + + # else: discover authentication information by eliciting a challenge from Key Vault. Remove any request data, + # saving it for later. Key Vault will reject the request as unauthorized and respond with a challenge. + # on_challenge will parse that challenge, use the original request including the body, authorize the + # request, and tell super to send it again. + if request.http_request.content: + self._request_copy = request.http_request + bodiless_request = HttpRequest( + method=request.http_request.method, + url=request.http_request.url, + headers=deepcopy(request.http_request.headers), + ) + bodiless_request.headers["Content-Length"] = "0" + request.http_request = bodiless_request + + async def on_challenge(self, request: PipelineRequest, response: PipelineResponse) -> bool: + try: + # CAE challenges may not include a scope or tenant; cache from the previous challenge to use if necessary + old_scope: Optional[str] = None + old_tenant: Optional[str] = None + cached_challenge = ChallengeCache.get_challenge_for_url(request.http_request.url) + if cached_challenge: + old_scope = cached_challenge.get_scope() or cached_challenge.get_resource() + "/.default" + old_tenant = cached_challenge.tenant_id + + challenge = _update_challenge(request, response) + # CAE challenges may not include a scope or tenant; use the previous challenge's values if necessary + if challenge.claims and old_scope: + challenge._parameters["scope"] = old_scope # pylint:disable=protected-access + challenge.tenant_id = old_tenant + # azure-identity credentials require an AADv2 scope 
but the challenge may specify an AADv1 resource + scope = challenge.get_scope() or challenge.get_resource() + "/.default" + except ValueError: + return False + + if self._verify_challenge_resource: + resource_domain = urlparse(scope).netloc + if not resource_domain: + raise ValueError(f"The challenge contains invalid scope '{scope}'.") + + request_domain = urlparse(request.http_request.url).netloc + if not request_domain.lower().endswith(f".{resource_domain.lower()}"): + raise ValueError( + f"The challenge resource '{resource_domain}' does not match the requested domain. Pass " + "`verify_challenge_resource=False` to your client's constructor to disable this verification. " + "See https://aka.ms/azsdk/blog/vault-uri for more information." + ) + + # If we had created a request copy in on_request, use it now to send along the original body content + if self._request_copy: + request.http_request = self._request_copy + + # The tenant parsed from AD FS challenges is "adfs"; we don't actually need a tenant for AD FS authentication + # For AD FS we skip cross-tenant authentication per https://github.com/Azure/azure-sdk-for-python/issues/28648 + if challenge.tenant_id and challenge.tenant_id.lower().endswith("adfs"): + await self.authorize_request(request, scope, claims=challenge.claims) + else: + await self.authorize_request(request, scope, claims=challenge.claims, tenant_id=challenge.tenant_id) + + return True + + def _need_new_token(self) -> bool: + now = time.time() + refresh_on = getattr(self._token, "refresh_on", None) + return not self._token or (refresh_on and refresh_on <= now) or self._token.expires_on - now < 300 + + async def _request_kv_token(self, scope: str, challenge: HttpChallenge) -> None: + """Implementation of BearerTokenCredentialPolicy's _request_token method, but specific to Key Vault. + + :param str scope: The scope for which to request a token. + :param challenge: The challenge for the request being made. 
+ :type challenge: HttpChallenge + """ + # Exclude tenant for AD FS authentication + exclude_tenant = challenge.tenant_id and challenge.tenant_id.lower().endswith("adfs") + # The AsyncSupportsTokenInfo protocol needs TokenRequestOptions for token requests instead of kwargs + if hasattr(self._credential, "get_token_info"): + options: TokenRequestOptions = {"enable_cae": True} + if challenge.tenant_id and not exclude_tenant: + options["tenant_id"] = challenge.tenant_id + self._token = await cast(AsyncSupportsTokenInfo, self._credential).get_token_info(scope, options=options) + else: + if exclude_tenant: + self._token = await self._credential.get_token(scope, enable_cae=True) + else: + self._token = await cast(AsyncTokenCredential, self._credential).get_token( + scope, tenant_id=challenge.tenant_id, enable_cae=True + ) diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_polling.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_polling.py new file mode 100644 index 000000000000..8b5bab044be0 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/async_polling.py 
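Review bot: `self._request_copy` is set in `on_request` whenever the request has a body and is never cleared, and `on_challenge` substitutes it unconditionally (`if self._request_copy: request.http_request = self._request_copy`); a later challenge on a different request — for example a bodiless GET re-challenged after the vault moves tenant — is therefore re-sent with a stale body from an earlier POST, and with the async policy two concurrent first requests on one client can race on the same attribute. Keeping the copy on the pipeline request rather than the policy avoids both, e.g. `request.context["_kv_request_copy"] = request.http_request` in `on_request` and `original = request.context.pop("_kv_request_copy", None)` in `on_challenge` (key name illustrative). The sync `ChallengeAuthPolicy` in challenge_auth_policy.py has the same pattern. Separately, `_need_new_token` is a plain method here but a `@property` in the sync policy; using one form in both files would avoid the `self._need_new_token` versus `self._need_new_token()` trap when the two are kept in sync.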
@@ -0,0 +1,160 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +# pylint: disable=protected-access +from typing import Any, Callable, cast, TypeVar, Union + +from azure.core import AsyncPipelineClient +from azure.core.pipeline import PipelineResponse +from azure.core.polling.async_base_polling import AsyncLROBasePolling +from azure.core.polling.base_polling import OperationFailed +from azure.core.rest import AsyncHttpResponse, HttpRequest + +from .polling import _finished, _is_empty, SecurityDomainDownloadPolling +from ..models import SecurityDomain, SecurityDomainOperationStatus +from .._model_base import _deserialize + + +PollingReturnType_co = TypeVar("PollingReturnType_co", covariant=True) + + +class AsyncPollingTerminationMixin(AsyncLROBasePolling): + def finished(self) -> bool: + """Is this polling finished? + + :rtype: bool + :return: True if finished, False otherwise. + """ + return _finished(self.status()) + + def parse_resource( + self, + pipeline_response: PipelineResponse[HttpRequest, AsyncHttpResponse], + ) -> Union[SecurityDomain, SecurityDomainOperationStatus]: + """Assuming this response is a resource, use the deserialization callback to parse it. + If body is empty, assuming no resource to return. + + :param pipeline_response: The response object. + :type pipeline_response: ~azure.core.pipeline.PipelineResponse + :return: The parsed resource. + :rtype: any + """ + response = pipeline_response.http_response + if not _is_empty(response): + return self._deserialization_callback(pipeline_response) + + # This "type ignore" has been discussed with architects. + # We have a typing problem that if the Swagger/TSP describes a return type (PollingReturnType_co is not None), + # BUT the returned payload is actually empty, we don't want to fail, but return None. 
+ # To be clean, we would have to make the polling return type Optional "just in case the Swagger/TSP is wrong". + # This is reducing the quality and the value of the typing annotations + # for a case that is not supposed to happen in the first place. So we decided to ignore the type error here. + return None # type: ignore + + +class AsyncNoPollingMixin(AsyncLROBasePolling): + def finished(self) -> bool: + """Is this polling finished? + + :rtype: bool + :return: Whether this polling is finished + """ + return True + + def status(self) -> str: + """Return the current status. + + :rtype: str + :return: The current status + """ + return "succeeded" + + def result(self, *args, **kwargs): # pylint: disable=unused-argument + return self.resource() + + +class AsyncSecurityDomainDownloadPollingMethod(AsyncPollingTerminationMixin, AsyncLROBasePolling): + def initialize( + self, + client: AsyncPipelineClient[Any, Any], + initial_response: PipelineResponse[HttpRequest, AsyncHttpResponse], + deserialization_callback: Callable[ + [PipelineResponse[HttpRequest, AsyncHttpResponse]], + PollingReturnType_co, + ], + ) -> None: + """Set the initial status of this LRO. + + :param client: The Azure Core Pipeline client used to make request. + :type client: ~azure.core.pipeline.PipelineClient + :param initial_response: The initial response for the call. + :type initial_response: ~azure.core.pipeline.PipelineResponse + :param deserialization_callback: A callback function to deserialize the final response. + :type deserialization_callback: callable + :raises: HttpResponseError if initial status is incorrect LRO state + """ + + def get_long_running_output(pipeline_response): + response = pipeline_response.http_response + return _deserialize(SecurityDomain, response.json()) + + super().initialize(client, initial_response, get_long_running_output) + + def resource(self) -> SecurityDomain: + """Return the built resource. + + :rtype: any + :return: The built resource. 
+ """ + # The final response should actually be the security domain object that was returned in the initial response + return cast(SecurityDomain, self.parse_resource(self._initial_response)) + + +class AsyncSecurityDomainDownloadNoPolling(AsyncSecurityDomainDownloadPollingMethod, AsyncNoPollingMixin): + pass + + +class AsyncSecurityDomainUploadPolling(SecurityDomainDownloadPolling): + def set_initial_status(self, pipeline_response: PipelineResponse) -> str: + response: AsyncHttpResponse = pipeline_response.http_response + self._polling_url = response.headers["azure-asyncoperation"] + + if response.status_code in {200, 201, 202, 204}: + return self.get_status(pipeline_response) + raise OperationFailed("Operation failed or canceled") + + +class AsyncSecurityDomainUploadPollingMethod(AsyncPollingTerminationMixin, AsyncLROBasePolling): + def initialize( + self, + client: AsyncPipelineClient[Any, Any], + initial_response: PipelineResponse[HttpRequest, AsyncHttpResponse], + deserialization_callback: Callable[ + [PipelineResponse[HttpRequest, AsyncHttpResponse]], + PollingReturnType_co, + ], + ) -> None: + """Set the initial status of this LRO. + + :param client: The Azure Core Pipeline client used to make request. + :type client: ~azure.core.pipeline.PipelineClient + :param initial_response: The initial response for the call. + :type initial_response: ~azure.core.pipeline.PipelineResponse + :param deserialization_callback: A callback function to deserialize the final response. + :type deserialization_callback: callable + :raises: HttpResponseError if initial status is incorrect LRO state + """ + + def get_long_running_output(_): + return None + + super().initialize(client, initial_response, get_long_running_output) + + def resource(self) -> None: + """Return the built resource. + + :rtype: any + :return: The built resource. + """ + return None 
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/challenge_auth_policy.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/challenge_auth_policy.py new file mode 100644 index 000000000000..eb4073d0e699 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/challenge_auth_policy.py 
@@ -0,0 +1,270 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +"""Policy implementing Key Vault's challenge authentication protocol. + +Normally the protocol is only used for the client's first service request, upon which: +1. The challenge authentication policy sends a copy of the request, without authorization or content. +2. Key Vault responds 401 with a header (the 'challenge') detailing how the client should authenticate such a request. +3. The policy authenticates according to the challenge and sends the original request with authorization. + +The policy caches the challenge and thus knows how to authenticate future requests. However, authentication +requirements can change. For example, a vault may move to a new tenant. In such a case the policy will attempt the +protocol again. +""" + +from copy import deepcopy +import time +from typing import Any, cast, Optional, Union +from urllib.parse import urlparse + +from azure.core.credentials import ( + AccessToken, + AccessTokenInfo, + TokenCredential, + TokenProvider, + TokenRequestOptions, + SupportsTokenInfo, +) +from azure.core.exceptions import ServiceRequestError +from azure.core.pipeline import PipelineRequest, PipelineResponse +from azure.core.pipeline.policies import BearerTokenCredentialPolicy +from azure.core.rest import HttpRequest, HttpResponse + +from .http_challenge import HttpChallenge +from . import http_challenge_cache as ChallengeCache + + +def _enforce_tls(request: PipelineRequest) -> None: + if not request.http_request.url.lower().startswith("https"): + raise ServiceRequestError( + "Bearer token authentication is not permitted for non-TLS protected (non-https) URLs." + ) + + +def _has_claims(challenge: str) -> bool: + """Check if a challenge header contains claims. + + :param challenge: The challenge header to check. 
+ :type challenge: str + + :returns: True if the challenge contains claims; False otherwise. + :rtype: bool + """ + # Split the challenge into its scheme and parameters, then check if any parameter contains claims + split_challenge = challenge.strip().split(" ", 1) + return any("claims=" in item for item in split_challenge[1].split(",")) + + +def _update_challenge(request: PipelineRequest, challenger: PipelineResponse) -> HttpChallenge: + """Parse challenge from a challenge response, cache it, and return it. + + :param request: The pipeline request that prompted the challenge response. + :type request: ~azure.core.pipeline.PipelineRequest + :param challenger: The pipeline response containing the authentication challenge. + :type challenger: ~azure.core.pipeline.PipelineResponse + + :returns: An HttpChallenge object representing the authentication challenge. + :rtype: HttpChallenge + """ + + challenge = HttpChallenge( + request.http_request.url, + challenger.http_response.headers.get("WWW-Authenticate"), + response_headers=challenger.http_response.headers, + ) + ChallengeCache.set_challenge_for_url(request.http_request.url, challenge) + return challenge + + +class ChallengeAuthPolicy(BearerTokenCredentialPolicy): + """Policy for handling HTTP authentication challenges. + + :param credential: An object which can provide an access token for the vault, such as a credential from + :mod:`azure.identity` + :type credential: ~azure.core.credentials.TokenProvider + :param str scopes: Lets you specify the type of access needed. 
+ """ + + def __init__(self, credential: TokenProvider, *scopes: str, **kwargs: Any) -> None: + # Pass `enable_cae` so `enable_cae=True` is always passed through self.authorize_request + super(ChallengeAuthPolicy, self).__init__(credential, *scopes, enable_cae=True, **kwargs) + self._credential: TokenProvider = credential + self._token: Optional[Union["AccessToken", "AccessTokenInfo"]] = None + self._verify_challenge_resource = kwargs.pop("verify_challenge_resource", True) + self._request_copy: Optional[HttpRequest] = None + + def send(self, request: PipelineRequest[HttpRequest]) -> PipelineResponse[HttpRequest, HttpResponse]: + """Authorize request with a bearer token and send it to the next policy. + + We implement this method to account for the valid scenario where a Key Vault authentication challenge is + immediately followed by a CAE claims challenge. The base class's implementation would return the second 401 to + the caller, but we should handle that second challenge as well (and only return any third 401 response). + + :param request: The pipeline request object + :type request: ~azure.core.pipeline.PipelineRequest + + :return: The pipeline response object + :rtype: ~azure.core.pipeline.PipelineResponse + """ + self.on_request(request) + try: + response = self.next.send(request) + except Exception: # pylint:disable=broad-except + self.on_exception(request) + raise + + self.on_response(request, response) + if response.http_response.status_code == 401: + return self.handle_challenge_flow(request, response) + return response + + def handle_challenge_flow( + self, + request: PipelineRequest[HttpRequest], + response: PipelineResponse[HttpRequest, HttpResponse], + consecutive_challenge: bool = False, + ) -> PipelineResponse[HttpRequest, HttpResponse]: + """Handle the challenge flow of Key Vault and CAE authentication. 
+ + :param request: The pipeline request object + :type request: ~azure.core.pipeline.PipelineRequest + :param response: The pipeline response object + :type response: ~azure.core.pipeline.PipelineResponse + :param bool consecutive_challenge: Whether the challenge is arriving immediately after another challenge. + Consecutive challenges can only be valid if a Key Vault challenge is followed by a CAE claims challenge. + True if the preceding challenge was a Key Vault challenge; False otherwise. + + :return: The pipeline response object + :rtype: ~azure.core.pipeline.PipelineResponse + """ + self._token = None # any cached token is invalid + if "WWW-Authenticate" in response.http_response.headers: + # If the previous challenge was a KV challenge and this one is too, return the 401 + claims_challenge = _has_claims(response.http_response.headers["WWW-Authenticate"]) + if consecutive_challenge and not claims_challenge: + return response + + request_authorized = self.on_challenge(request, response) + if request_authorized: + # if we receive a challenge response, we retrieve a new token + # which matches the new target. 
In this case, we don't want to remove + # token from the request so clear the 'insecure_domain_change' tag + request.context.options.pop("insecure_domain_change", False) + try: + response = self.next.send(request) + except Exception: # pylint:disable=broad-except + self.on_exception(request) + raise + + # If consecutive_challenge == True, this could be a third consecutive 401 + if response.http_response.status_code == 401 and not consecutive_challenge: + # If the previous challenge wasn't from CAE, we can try this function one more time + if not claims_challenge: + return self.handle_challenge_flow(request, response, consecutive_challenge=True) + self.on_response(request, response) + return response + + def on_request(self, request: PipelineRequest) -> None: + _enforce_tls(request) + challenge = ChallengeCache.get_challenge_for_url(request.http_request.url) + if challenge: + # Note that if the vault has moved to a new tenant since our last request for it, this request will fail. + if self._need_new_token: + # azure-identity credentials require an AADv2 scope but the challenge may specify an AADv1 resource + scope = challenge.get_scope() or challenge.get_resource() + "/.default" + self._request_kv_token(scope, challenge) + + bearer_token = cast(Union["AccessToken", "AccessTokenInfo"], self._token).token + request.http_request.headers["Authorization"] = f"Bearer {bearer_token}" + return + + # else: discover authentication information by eliciting a challenge from Key Vault. Remove any request data, + # saving it for later. Key Vault will reject the request as unauthorized and respond with a challenge. + # on_challenge will parse that challenge, use the original request including the body, authorize the + # request, and tell super to send it again. 
+ if request.http_request.content: + self._request_copy = request.http_request + bodiless_request = HttpRequest( + method=request.http_request.method, + url=request.http_request.url, + headers=deepcopy(request.http_request.headers), + ) + bodiless_request.headers["Content-Length"] = "0" + request.http_request = bodiless_request + + def on_challenge(self, request: PipelineRequest, response: PipelineResponse) -> bool: + try: + # CAE challenges may not include a scope or tenant; cache from the previous challenge to use if necessary + old_scope: Optional[str] = None + old_tenant: Optional[str] = None + cached_challenge = ChallengeCache.get_challenge_for_url(request.http_request.url) + if cached_challenge: + old_scope = cached_challenge.get_scope() or cached_challenge.get_resource() + "/.default" + old_tenant = cached_challenge.tenant_id + + challenge = _update_challenge(request, response) + # CAE challenges may not include a scope or tenant; use the previous challenge's values if necessary + if challenge.claims and old_scope: + challenge._parameters["scope"] = old_scope # pylint:disable=protected-access + challenge.tenant_id = old_tenant + # azure-identity credentials require an AADv2 scope but the challenge may specify an AADv1 resource + scope = challenge.get_scope() or challenge.get_resource() + "/.default" + except ValueError: + return False + + if self._verify_challenge_resource: + resource_domain = urlparse(scope).netloc + if not resource_domain: + raise ValueError(f"The challenge contains invalid scope '{scope}'.") + + request_domain = urlparse(request.http_request.url).netloc + if not request_domain.lower().endswith(f".{resource_domain.lower()}"): + raise ValueError( + f"The challenge resource '{resource_domain}' does not match the requested domain. Pass " + "`verify_challenge_resource=False` to your client's constructor to disable this verification. " + "See https://aka.ms/azsdk/blog/vault-uri for more information." 
+ ) + + # If we had created a request copy in on_request, use it now to send along the original body content + if self._request_copy: + request.http_request = self._request_copy + + # The tenant parsed from AD FS challenges is "adfs"; we don't actually need a tenant for AD FS authentication + # For AD FS we skip cross-tenant authentication per https://github.com/Azure/azure-sdk-for-python/issues/28648 + if challenge.tenant_id and challenge.tenant_id.lower().endswith("adfs"): + self.authorize_request(request, scope, claims=challenge.claims) + else: + self.authorize_request(request, scope, claims=challenge.claims, tenant_id=challenge.tenant_id) + + return True + + @property + def _need_new_token(self) -> bool: + now = time.time() + refresh_on = getattr(self._token, "refresh_on", None) + return not self._token or (refresh_on and refresh_on <= now) or self._token.expires_on - now < 300 + + def _request_kv_token(self, scope: str, challenge: HttpChallenge) -> None: + """Implementation of BearerTokenCredentialPolicy's _request_token method, but specific to Key Vault. + + :param str scope: The scope for which to request a token. + :param challenge: The challenge for the request being made. + :type challenge: HttpChallenge + """ + # Exclude tenant for AD FS authentication + exclude_tenant = challenge.tenant_id and challenge.tenant_id.lower().endswith("adfs") + # The SupportsTokenInfo protocol needs TokenRequestOptions for token requests instead of kwargs + if hasattr(self._credential, "get_token_info"): + options: TokenRequestOptions = {"enable_cae": True} + if challenge.tenant_id and not exclude_tenant: + options["tenant_id"] = challenge.tenant_id + self._token = cast(SupportsTokenInfo, self._credential).get_token_info(scope, options=options) + else: + if exclude_tenant: + self._token = self._credential.get_token(scope, enable_cae=True) + else: + self._token = cast(TokenCredential, self._credential).get_token( + scope, tenant_id=challenge.tenant_id, enable_cae=True + ) 
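Review bot: `_has_claims` indexes `split_challenge[1]` without checking that the split produced two parts, so a `WWW-Authenticate` value with a scheme but no parameters (a bare `Bearer`, which the header grammar allows) raises `IndexError` out of `handle_challenge_flow` instead of being treated as a challenge without claims; `HttpChallenge.__init__` in http_challenge.py appears to have the same `split(" ", 1)[1]` pattern unless its `_validate_challenge` rejects such values first. Suggest `parts = challenge.strip().split(" ", 1)` and `return len(parts) == 2 and any("claims=" in item for item in parts[1].split(","))`. Otherwise this file mirrors the async policy closely; `super(ChallengeAuthPolicy, self).__init__` could be the plain `super().__init__` used there for consistency.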
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/http_challenge.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/http_challenge.py new file mode 100644 index 000000000000..8b14b999de78 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/http_challenge.py 
@@ -0,0 +1,186 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import base64 +from typing import Dict, MutableMapping, Optional +from urllib import parse + + +class HttpChallenge(object): + """An object representing the content of a Key Vault authentication challenge. + + :param str request_uri: The URI of the HTTP request that prompted this challenge. + :param str challenge: The WWW-Authenticate header of the challenge response. + :param response_headers: Optional. The headers attached to the challenge response. + :type response_headers: MutableMapping[str, str] or None + """ + + def __init__( + self, request_uri: str, challenge: str, response_headers: "Optional[MutableMapping[str, str]]" = None + ) -> None: + """Parses an HTTP WWW-Authentication Bearer challenge from a server. + + Example challenge with claims: + Bearer authorization="https://login.windows-ppe.net/", error="invalid_token", + error_description="User session has been revoked", + claims="eyJhY2Nlc3NfdG9rZW4iOnsibmJmIjp7ImVzc2VudGlhbCI6dHJ1ZSwgInZhbHVlIjoiMTYwMzc0MjgwMCJ9fX0=" + """ + self.source_authority = self._validate_request_uri(request_uri) + self.source_uri = request_uri + self._parameters: "Dict[str, str]" = {} + + # get the scheme of the challenge and remove from the challenge string + trimmed_challenge = self._validate_challenge(challenge) + split_challenge = trimmed_challenge.split(" ", 1) + self.scheme = split_challenge[0] + trimmed_challenge = split_challenge[1] + + self.claims = None + # split trimmed challenge into comma-separated name=value pairs. Values are expected + # to be surrounded by quotes which are stripped here. + for item in trimmed_challenge.split(","): + # Special case for claims, which can contain = symbols as padding. 
Assume at most one claim per challenge + if "claims=" in item: + encoded_claims = item[item.index("=") + 1 :].strip(" \"'") + padding_needed = -len(encoded_claims) % 4 + try: + decoded_claims = base64.urlsafe_b64decode(encoded_claims + "=" * padding_needed).decode() + self.claims = decoded_claims + except Exception: # pylint:disable=broad-except + continue + # process name=value pairs + else: + comps = item.split("=") + if len(comps) == 2: + key = comps[0].strip(' "') + value = comps[1].strip(' "') + if key: + self._parameters[key] = value + + # minimum set of parameters + if not self._parameters: + raise ValueError("Invalid challenge parameters") + + # must specify authorization or authorization_uri + if "authorization" not in self._parameters and "authorization_uri" not in self._parameters: + raise ValueError("Invalid challenge parameters") + + authorization_uri = self.get_authorization_server() + # the authorization server URI should look something like https://login.windows.net/tenant-id + raw_uri_path = str(parse.urlparse(authorization_uri).path) + uri_path = raw_uri_path.lstrip("/") + self.tenant_id = uri_path.split("/", maxsplit=1)[0] or None + + # if the response headers were supplied + if response_headers: + # get the message signing key and message key encryption key from the headers + self.server_signature_key = response_headers.get("x-ms-message-signing-key", None) + self.server_encryption_key = response_headers.get("x-ms-message-encryption-key", None) + + def is_bearer_challenge(self) -> bool: + """Tests whether the HttpChallenge is a Bearer challenge. + + :returns: True if the challenge is a Bearer challenge; False otherwise. + :rtype: bool + """ + if not self.scheme: + return False + + return self.scheme.lower() == "bearer" + + def is_pop_challenge(self) -> bool: + """Tests whether the HttpChallenge is a proof of possession challenge. + + :returns: True if the challenge is a proof of possession challenge; False otherwise. 
+ :rtype: bool + """ + if not self.scheme: + return False + + return self.scheme.lower() == "pop" + + def get_value(self, key: str) -> "Optional[str]": + return self._parameters.get(key) + + def get_authorization_server(self) -> str: + """Returns the URI for the authorization server if present, otherwise an empty string. + + :returns: The URI for the authorization server if present, otherwise an empty string. + :rtype: str + """ + value = "" + for key in ["authorization_uri", "authorization"]: + value = self.get_value(key) or "" + if value: + break + return value + + def get_resource(self) -> str: + """Returns the resource if present, otherwise an empty string. + + :returns: The challenge resource if present, otherwise an empty string. + :rtype: str + """ + return self.get_value("resource") or "" + + def get_scope(self) -> str: + """Returns the scope if present, otherwise an empty string. + + :returns: The challenge scope if present, otherwise an empty string. + :rtype: str + """ + return self.get_value("scope") or "" + + def supports_pop(self) -> bool: + """Returns True if the challenge supports proof of possession token auth; False otherwise. + + :returns: True if the challenge supports proof of possession token auth; False otherwise. + :rtype: bool + """ + return self._parameters.get("supportspop", "").lower() == "true" + + def supports_message_protection(self) -> bool: + """Returns True if the challenge vault supports message protection; False otherwise. + + :returns: True if the challenge vault supports message protection; False otherwise. + :rtype: bool + """ + return self.supports_pop() and self.server_encryption_key and self.server_signature_key # type: ignore + + def _validate_challenge( + self, challenge: str + ) -> str: # pylint:disable=bad-option-value,useless-option-value,no-self-use + """Verifies that the challenge is a valid auth challenge and returns the key=value pairs. 
+ + :param str challenge: The WWW-Authenticate header of the challenge response. + + :returns: The challenge key/value pairs, with whitespace removed, as a string. + :rtype: str + """ + if not challenge: + raise ValueError("Challenge cannot be empty") + + return challenge.strip() + + def _validate_request_uri( + self, uri: str + ) -> str: # pylint:disable=bad-option-value,useless-option-value,no-self-use + """Extracts the host authority from the given URI. + + :param str uri: The URI of the HTTP request that prompted the challenge. + + :returns: The challenge host authority. + :rtype: str + """ + if not uri: + raise ValueError("request_uri cannot be empty") + + parsed = parse.urlparse(uri) + if not parsed.netloc: + raise ValueError("request_uri must be an absolute URI") + + if parsed.scheme.lower() not in ["http", "https"]: + raise ValueError("request_uri must be HTTP or HTTPS") + + return parsed.netloc diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/http_challenge_cache.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/http_challenge_cache.py new file mode 100644 index 000000000000..f1448cc53391 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/http_challenge_cache.py 
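Review bot: `supports_message_protection()` reads `self.server_encryption_key` and `self.server_signature_key`, but `__init__` only assigns those attributes inside the final `if response_headers:` branch, so a challenge constructed without headers raises AttributeError instead of returning False. Initialise both before that branch, `self.server_signature_key: Optional[str] = None` and `self.server_encryption_key: Optional[str] = None`, and `supports_message_protection` can then drop its `# type: ignore` by returning `bool(self.supports_pop() and self.server_encryption_key and self.server_signature_key)`. The `"claims=" in item` test in the parsing loop is a substring match that would also capture a parameter whose name merely ends in `claims`; `item.strip().startswith("claims=")` is the tighter check. `get_value` is the one public method without a docstring.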
@@ -0,0 +1,93 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import threading
+from typing import Dict, Optional
+from urllib import parse
+
+from .http_challenge import HttpChallenge
+
+
+_cache: "Dict[str, HttpChallenge]" = {}
+_lock = threading.Lock()
+
+
+def get_challenge_for_url(url: str) -> "Optional[HttpChallenge]":
+ """Gets the challenge for the cached URL.
+
+ :param str url: the URL the challenge is cached for.
+
+ :returns: The challenge for the cached request URL, or None if the request URL isn't cached.
+ :rtype: HttpChallenge or None
+ """
+
+ if not url:
+ raise ValueError("URL cannot be None")
+
+ key = _get_cache_key(url)
+
+ with _lock:
+ return _cache.get(key)
+
+
+def _get_cache_key(url: str) -> str:
+ """Use the URL's netloc as cache key except when the URL specifies the default port for its scheme. In that case
+ use the netloc without the port. That is to say, https://foo.bar and https://foo.bar:443 are considered equivalent.
+
+ This equivalency prevents an unnecessary challenge when using Key Vault's paging API. The Key Vault client doesn't
+ specify ports, but Key Vault's next page links do, so a redundant challenge would otherwise be executed when the
+ client requests the next page.
+
+ :param str url: The HTTP request URL.
+
+ :returns: The URL's `netloc`, minus any port attached to the URL.
+ :rtype: str
+ """
+
+ parsed = parse.urlparse(url)
+ if parsed.scheme == "https" and parsed.port == 443:
+ return parsed.netloc[:-4]
+ return parsed.netloc
+
+
+def remove_challenge_for_url(url: str) -> None:
+ """Removes the cached challenge for the specified URL.
+
+ :param str url: the URL for which to remove the cached challenge
+ """
+ if not url:
+ raise ValueError("URL cannot be empty")
+
+ parsed = parse.urlparse(url)
+
+ with _lock:
+ del _cache[parsed.netloc]
+
+
+def set_challenge_for_url(url: str, challenge: "HttpChallenge") -> None:
+ """Caches the challenge for the specified URL.
+
+ :param str url: the URL for which to cache the challenge
+ :param challenge: the challenge to cache
+ :type challenge: HttpChallenge
+ """
+ if not url:
+ raise ValueError("URL cannot be empty")
+
+ if not challenge:
+ raise ValueError("Challenge cannot be empty")
+
+ src_url = parse.urlparse(url)
+ if src_url.netloc != challenge.source_authority:
+ raise ValueError("Source URL and Challenge URL do not match")
+
+ with _lock:
+ _cache[src_url.netloc] = challenge
+
+
+def clear() -> None:
+ """Clears the cache."""
+
+ with _lock:
+ _cache.clear()
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/polling.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/polling.py
new file mode 100644
index 000000000000..50cf167da77f
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_internal/polling.py
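Review bot: The cache key is derived inconsistently: `get_challenge_for_url` looks up `_get_cache_key(url)`, which strips an explicit `:443`, while `set_challenge_for_url` stores under `src_url.netloc` and `remove_challenge_for_url` deletes `parsed.netloc`, so a challenge cached from a `https://host:443` request is never found on lookup and a removal issued with the port-less form misses the entry. Route all three through the helper, `_cache[_get_cache_key(url)] = challenge` in set and `_cache.pop(_get_cache_key(url), None)` in remove. The `pop` form also replaces the bare `del _cache[parsed.netloc]`, which raises KeyError when the entry is already gone; nothing holds `_lock` across a caller's get-then-remove, so that is reachable with concurrent callers. Note that `parse.urlparse(url).port` raises ValueError on a malformed port, so the helper can fail where the `netloc`-only paths currently cannot.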
@@ -0,0 +1,200 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+# pylint: disable=protected-access
+from typing import Any, Callable, cast, TypeVar, Union
+
+from azure.core import PipelineClient
+from azure.core.pipeline import PipelineResponse
+from azure.core.polling.base_polling import LROBasePolling, OperationFailed, OperationResourcePolling
+from azure.core.rest import AsyncHttpResponse, HttpResponse, HttpRequest
+
+from ..models import SecurityDomain, SecurityDomainOperationStatus
+from .._model_base import _deserialize
+
+
+PollingReturnType_co = TypeVar("PollingReturnType_co", covariant=True)
+
+# The correct success response should be "Succeeded", but this has already shipped. Handle "Success" just in case.
+_FINISHED = frozenset(["succeeded", "success", "canceled", "failed"])
+
+
+def _finished(status):
+ if hasattr(status, "value"):
+ status = status.value
+ return str(status).lower() in _FINISHED
+
+
+def _is_empty(response: Union[HttpResponse, AsyncHttpResponse]) -> bool:
+ """Check if response body contains meaningful content.
+
+ :param response: The response object.
+ :type response: any
+ :return: True if response body is empty, False otherwise.
+ :rtype: bool
+ """
+ return not bool(response.content)
+
+
+class PollingTerminationMixin(LROBasePolling):
+ def finished(self) -> bool:
+ """Is this polling finished?
+
+ :rtype: bool
+ :return: True if finished, False otherwise.
+ """
+ return _finished(self.status())
+
+ def parse_resource(
+ self,
+ pipeline_response: PipelineResponse[HttpRequest, HttpResponse],
+ ) -> Union[SecurityDomain, SecurityDomainOperationStatus]:
+ """Assuming this response is a resource, use the deserialization callback to parse it.
+ If body is empty, assuming no resource to return.
+
+ :param pipeline_response: The response object.
+ :type pipeline_response: ~azure.core.pipeline.PipelineResponse
+ :return: The parsed resource.
+ :rtype: any
+ """
+ response = pipeline_response.http_response
+ if not _is_empty(response):
+ return self._deserialization_callback(pipeline_response)
+
+ # This "type ignore" has been discussed with architects.
+ # We have a typing problem that if the Swagger/TSP describes a return type (PollingReturnType_co is not None),
+ # BUT the returned payload is actually empty, we don't want to fail, but return None.
+ # To be clean, we would have to make the polling return type Optional "just in case the Swagger/TSP is wrong".
+ # This is reducing the quality and the value of the typing annotations
+ # for a case that is not supposed to happen in the first place. So we decided to ignore the type error here.
+ return None # type: ignore
+
+
+class NoPollingMixin(LROBasePolling):
+ def finished(self) -> bool:
+ """Is this polling finished?
+
+ :rtype: bool
+ :return: Whether this polling is finished
+ """
+ return True
+
+ def status(self) -> str:
+ """Return the current status.
+
+ :rtype: str
+ :return: The current status
+ """
+ return "succeeded"
+
+ def result(self, *args, **kwargs): # pylint: disable=unused-argument
+ return self.resource()
+
+
+class SecurityDomainDownloadPolling(OperationResourcePolling):
+ def __init__(self) -> None:
+ self._polling_url = ""
+ super().__init__(operation_location_header="azure-asyncoperation")
+
+ def get_polling_url(self) -> str:
+ return self._polling_url
+
+ def get_final_get_url(self, pipeline_response: "PipelineResponse") -> None:
+ return None
+
+ def set_initial_status(self, pipeline_response: "PipelineResponse") -> str:
+ response: HttpResponse = pipeline_response.http_response
+ self._polling_url = response.headers["azure-asyncoperation"]
+
+ if response.status_code in {200, 201, 202, 204}:
+ # The initial download response doesn't contain the status, so we consider it as "InProgress"
+ # The next status update request will point to the download status endpoint and correctly update
+ return "InProgress"
+ raise OperationFailed("Operation failed or canceled")
+
+
+class SecurityDomainDownloadPollingMethod(PollingTerminationMixin, LROBasePolling):
+ def initialize(
+ self,
+ client: PipelineClient[Any, Any],
+ initial_response: PipelineResponse[HttpRequest, HttpResponse],
+ deserialization_callback: Callable[
+ [PipelineResponse[HttpRequest, HttpResponse]],
+ PollingReturnType_co,
+ ],
+ ) -> None:
+ """Set the initial status of this LRO.
+
+ :param client: The Azure Core Pipeline client used to make request.
+ :type client: ~azure.core.pipeline.PipelineClient
+ :param initial_response: The initial response for the call.
+ :type initial_response: ~azure.core.pipeline.PipelineResponse
+ :param deserialization_callback: A callback function to deserialize the final response.
+ :type deserialization_callback: callable
+ :raises: HttpResponseError if initial status is incorrect LRO state
+ """
+
+ def get_long_running_output(pipeline_response):
+ response = pipeline_response.http_response
+ return _deserialize(SecurityDomain, response.json())
+
+ super().initialize(client, initial_response, get_long_running_output)
+
+ def resource(self) -> SecurityDomain:
+ """Return the built resource.
+
+ :rtype: any
+ :return: The built resource.
+ """
+ # The final response should actually be the security domain object that was returned in the initial response
+ return cast(SecurityDomain, self.parse_resource(self._initial_response))
+
+
+class SecurityDomainDownloadNoPolling(SecurityDomainDownloadPollingMethod, NoPollingMixin):
+ pass
+
+
+class SecurityDomainUploadPolling(SecurityDomainDownloadPolling):
+ def set_initial_status(self, pipeline_response: PipelineResponse) -> str:
+ response: HttpResponse = pipeline_response.http_response
+ self._polling_url = response.headers["azure-asyncoperation"]
+
+ if response.status_code in {200, 201, 202, 204}:
+ return self.get_status(pipeline_response)
+ raise OperationFailed("Operation failed or canceled")
+
+
+class SecurityDomainUploadPollingMethod(PollingTerminationMixin, LROBasePolling):
+ def initialize(
+ self,
+ client: PipelineClient[Any, Any],
+ initial_response: PipelineResponse[HttpRequest, HttpResponse],
+ deserialization_callback: Callable[
+ [PipelineResponse[HttpRequest, HttpResponse]],
+ PollingReturnType_co,
+ ],
+ ) -> None:
+ """Set the initial status of this LRO.
+
+ :param client: The Azure Core Pipeline client used to make request.
+ :type client: ~azure.core.pipeline.PipelineClient
+ :param initial_response: The initial response for the call.
+ :type initial_response: ~azure.core.pipeline.PipelineResponse
+ :param deserialization_callback: A callback function to deserialize the final response.
+ :type deserialization_callback: callable
+ :raises: HttpResponseError if initial status is incorrect LRO state
+ """
+
+ def get_long_running_output(_):
+ return None
+
+ super().initialize(client, initial_response, get_long_running_output)
+
+ def resource(self) -> None:
+ """Return the built resource.
+
+ :rtype: any
+ :return: The built resource.
+ """
+ return None
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_model_base.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_model_base.py
new file mode 100644
index 000000000000..cb6e88f4c0e2
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_model_base.py
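Review bot: Both `set_initial_status` overrides (`SecurityDomainDownloadPolling` and `SecurityDomainUploadPolling`) index `response.headers["azure-asyncoperation"]` before looking at the status code, so a failing response without that header surfaces as KeyError rather than the `OperationFailed` the method intends, and a failing response that carries it leaves `_polling_url` set before the raise. Check the status first: `if response.status_code not in {200, 201, 202, 204}: raise OperationFailed("Operation failed or canceled")` and only then `self._polling_url = response.headers["azure-asyncoperation"]`, in both classes. `_finished` and `NoPollingMixin.result` have no docstring; `"""Return True when *status* (enum or string) is one of the terminal states in _FINISHED."""` would cover the former.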
@@ -0,0 +1,1235 @@ +# pylint: disable=too-many-lines +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for +# license information. +# -------------------------------------------------------------------------- +# pylint: disable=protected-access, broad-except, arguments-differ, signature-differs, no-member + +import copy +import calendar +import decimal +import functools +import sys +import logging +import base64 +import re +import typing +import enum +import email.utils +from datetime import datetime, date, time, timedelta, timezone +from json import JSONEncoder +import xml.etree.ElementTree as ET +from typing_extensions import Self +import isodate +from azure.core.exceptions import DeserializationError +from azure.core import CaseInsensitiveEnumMeta +from azure.core.pipeline import PipelineResponse +from azure.core.serialization import _Null + +if sys.version_info >= (3, 9): + from collections.abc import MutableMapping +else: + from typing import MutableMapping + +_LOGGER = logging.getLogger(__name__) + +__all__ = ["SdkJSONEncoder", "Model", "rest_field", "rest_discriminator"] + +TZ_UTC = timezone.utc +_T = typing.TypeVar("_T") + + +def _timedelta_as_isostr(td: timedelta) -> str: + """Converts a datetime.timedelta object into an ISO 8601 formatted string, e.g. 
'P4DT12H30M05S' + + Function adapted from the Tin Can Python project: https://github.com/RusticiSoftware/TinCanPython + + :param timedelta td: The timedelta to convert + :rtype: str + :return: ISO8601 version of this timedelta + """ + + # Split seconds to larger units + seconds = td.total_seconds() + minutes, seconds = divmod(seconds, 60) + hours, minutes = divmod(minutes, 60) + days, hours = divmod(hours, 24) + + days, hours, minutes = list(map(int, (days, hours, minutes))) + seconds = round(seconds, 6) + + # Build date + date_str = "" + if days: + date_str = "%sD" % days + + if hours or minutes or seconds: + # Build time + time_str = "T" + + # Hours + bigger_exists = date_str or hours + if bigger_exists: + time_str += "{:02}H".format(hours) + + # Minutes + bigger_exists = bigger_exists or minutes + if bigger_exists: + time_str += "{:02}M".format(minutes) + + # Seconds + try: + if seconds.is_integer(): + seconds_string = "{:02}".format(int(seconds)) + else: + # 9 chars long w/ leading 0, 6 digits after decimal + seconds_string = "%09.6f" % seconds + # Remove trailing zeros + seconds_string = seconds_string.rstrip("0") + except AttributeError: # int.is_integer() raises + seconds_string = "{:02}".format(seconds) + + time_str += "{}S".format(seconds_string) + else: + time_str = "" + + return "P" + date_str + time_str + + +def _serialize_bytes(o, format: typing.Optional[str] = None) -> str: + encoded = base64.b64encode(o).decode() + if format == "base64url": + return encoded.strip("=").replace("+", "-").replace("/", "_") + return encoded + + +def _serialize_datetime(o, format: typing.Optional[str] = None): + if hasattr(o, "year") and hasattr(o, "hour"): + if format == "rfc7231": + return email.utils.format_datetime(o, usegmt=True) + if format == "unix-timestamp": + return int(calendar.timegm(o.utctimetuple())) + + # astimezone() fails for naive times in Python 2.7, so make make sure o is aware (tzinfo is set) + if not o.tzinfo: + iso_formatted = 
o.replace(tzinfo=TZ_UTC).isoformat() + else: + iso_formatted = o.astimezone(TZ_UTC).isoformat() + # Replace the trailing "+00:00" UTC offset with "Z" (RFC 3339: https://www.ietf.org/rfc/rfc3339.txt) + return iso_formatted.replace("+00:00", "Z") + # Next try datetime.date or datetime.time + return o.isoformat() + + +def _is_readonly(p): + try: + return p._visibility == ["read"] + except AttributeError: + return False + + +class SdkJSONEncoder(JSONEncoder): + """A JSON encoder that's capable of serializing datetime objects and bytes.""" + + def __init__(self, *args, exclude_readonly: bool = False, format: typing.Optional[str] = None, **kwargs): + super().__init__(*args, **kwargs) + self.exclude_readonly = exclude_readonly + self.format = format + + def default(self, o): # pylint: disable=too-many-return-statements + if _is_model(o): + if self.exclude_readonly: + readonly_props = [p._rest_name for p in o._attr_to_rest_field.values() if _is_readonly(p)] + return {k: v for k, v in o.items() if k not in readonly_props} + return dict(o.items()) + try: + return super(SdkJSONEncoder, self).default(o) + except TypeError: + if isinstance(o, _Null): + return None + if isinstance(o, decimal.Decimal): + return float(o) + if isinstance(o, (bytes, bytearray)): + return _serialize_bytes(o, self.format) + try: + # First try datetime.datetime + return _serialize_datetime(o, self.format) + except AttributeError: + pass + # Last, try datetime.timedelta + try: + return _timedelta_as_isostr(o) + except AttributeError: + # This will be raised when it hits value.total_seconds in the method above + pass + return super(SdkJSONEncoder, self).default(o) + + +_VALID_DATE = re.compile(r"\d{4}[-]\d{2}[-]\d{2}T\d{2}:\d{2}:\d{2}" + r"\.?\d*Z?[-+]?[\d{2}]?:?[\d{2}]?") +_VALID_RFC7231 = re.compile( + r"(Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s\d{2}\s" + r"(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s\d{4}\s\d{2}:\d{2}:\d{2}\sGMT" +) + + +def _deserialize_datetime(attr: typing.Union[str, datetime]) -> 
datetime: + """Deserialize ISO-8601 formatted string into Datetime object. + + :param str attr: response string to be deserialized. + :rtype: ~datetime.datetime + :returns: The datetime object from that input + """ + if isinstance(attr, datetime): + # i'm already deserialized + return attr + attr = attr.upper() + match = _VALID_DATE.match(attr) + if not match: + raise ValueError("Invalid datetime string: " + attr) + + check_decimal = attr.split(".") + if len(check_decimal) > 1: + decimal_str = "" + for digit in check_decimal[1]: + if digit.isdigit(): + decimal_str += digit + else: + break + if len(decimal_str) > 6: + attr = attr.replace(decimal_str, decimal_str[0:6]) + + date_obj = isodate.parse_datetime(attr) + test_utc = date_obj.utctimetuple() + if test_utc.tm_year > 9999 or test_utc.tm_year < 1: + raise OverflowError("Hit max or min date") + return date_obj + + +def _deserialize_datetime_rfc7231(attr: typing.Union[str, datetime]) -> datetime: + """Deserialize RFC7231 formatted string into Datetime object. + + :param str attr: response string to be deserialized. + :rtype: ~datetime.datetime + :returns: The datetime object from that input + """ + if isinstance(attr, datetime): + # i'm already deserialized + return attr + match = _VALID_RFC7231.match(attr) + if not match: + raise ValueError("Invalid datetime string: " + attr) + + return email.utils.parsedate_to_datetime(attr) + + +def _deserialize_datetime_unix_timestamp(attr: typing.Union[float, datetime]) -> datetime: + """Deserialize unix timestamp into Datetime object. + + :param str attr: response string to be deserialized. + :rtype: ~datetime.datetime + :returns: The datetime object from that input + """ + if isinstance(attr, datetime): + # i'm already deserialized + return attr + return datetime.fromtimestamp(attr, TZ_UTC) + + +def _deserialize_date(attr: typing.Union[str, date]) -> date: + """Deserialize ISO-8601 formatted string into Date object. + :param str attr: response string to be deserialized. 
+ :rtype: date + :returns: The date object from that input + """ + # This must NOT use defaultmonth/defaultday. Using None ensure this raises an exception. + if isinstance(attr, date): + return attr + return isodate.parse_date(attr, defaultmonth=None, defaultday=None) # type: ignore + + +def _deserialize_time(attr: typing.Union[str, time]) -> time: + """Deserialize ISO-8601 formatted string into time object. + + :param str attr: response string to be deserialized. + :rtype: datetime.time + :returns: The time object from that input + """ + if isinstance(attr, time): + return attr + return isodate.parse_time(attr) + + +def _deserialize_bytes(attr): + if isinstance(attr, (bytes, bytearray)): + return attr + return bytes(base64.b64decode(attr)) + + +def _deserialize_bytes_base64(attr): + if isinstance(attr, (bytes, bytearray)): + return attr + padding = "=" * (3 - (len(attr) + 3) % 4) # type: ignore + attr = attr + padding # type: ignore + encoded = attr.replace("-", "+").replace("_", "/") + return bytes(base64.b64decode(encoded)) + + +def _deserialize_duration(attr): + if isinstance(attr, timedelta): + return attr + return isodate.parse_duration(attr) + + +def _deserialize_decimal(attr): + if isinstance(attr, decimal.Decimal): + return attr + return decimal.Decimal(str(attr)) + + +def _deserialize_int_as_str(attr): + if isinstance(attr, int): + return attr + return int(attr) + + +_DESERIALIZE_MAPPING = { + datetime: _deserialize_datetime, + date: _deserialize_date, + time: _deserialize_time, + bytes: _deserialize_bytes, + bytearray: _deserialize_bytes, + timedelta: _deserialize_duration, + typing.Any: lambda x: x, + decimal.Decimal: _deserialize_decimal, +} + +_DESERIALIZE_MAPPING_WITHFORMAT = { + "rfc3339": _deserialize_datetime, + "rfc7231": _deserialize_datetime_rfc7231, + "unix-timestamp": _deserialize_datetime_unix_timestamp, + "base64": _deserialize_bytes, + "base64url": _deserialize_bytes_base64, +} + + +def get_deserializer(annotation: typing.Any, rf: 
typing.Optional["_RestField"] = None): + if annotation is int and rf and rf._format == "str": + return _deserialize_int_as_str + if rf and rf._format: + return _DESERIALIZE_MAPPING_WITHFORMAT.get(rf._format) + return _DESERIALIZE_MAPPING.get(annotation) # pyright: ignore + + +def _get_type_alias_type(module_name: str, alias_name: str): + types = { + k: v + for k, v in sys.modules[module_name].__dict__.items() + if isinstance(v, typing._GenericAlias) # type: ignore + } + if alias_name not in types: + return alias_name + return types[alias_name] + + +def _get_model(module_name: str, model_name: str): + models = {k: v for k, v in sys.modules[module_name].__dict__.items() if isinstance(v, type)} + module_end = module_name.rsplit(".", 1)[0] + models.update({k: v for k, v in sys.modules[module_end].__dict__.items() if isinstance(v, type)}) + if isinstance(model_name, str): + model_name = model_name.split(".")[-1] + if model_name not in models: + return model_name + return models[model_name] + + +_UNSET = object() + + +class _MyMutableMapping(MutableMapping[str, typing.Any]): # pylint: disable=unsubscriptable-object + def __init__(self, data: typing.Dict[str, typing.Any]) -> None: + self._data = data + + def __contains__(self, key: typing.Any) -> bool: + return key in self._data + + def __getitem__(self, key: str) -> typing.Any: + return self._data.__getitem__(key) + + def __setitem__(self, key: str, value: typing.Any) -> None: + self._data.__setitem__(key, value) + + def __delitem__(self, key: str) -> None: + self._data.__delitem__(key) + + def __iter__(self) -> typing.Iterator[typing.Any]: + return self._data.__iter__() + + def __len__(self) -> int: + return self._data.__len__() + + def __ne__(self, other: typing.Any) -> bool: + return not self.__eq__(other) + + def keys(self) -> typing.KeysView[str]: + """ + :returns: a set-like object providing a view on D's keys + :rtype: ~typing.KeysView + """ + return self._data.keys() + + def values(self) -> 
typing.ValuesView[typing.Any]: + """ + :returns: an object providing a view on D's values + :rtype: ~typing.ValuesView + """ + return self._data.values() + + def items(self) -> typing.ItemsView[str, typing.Any]: + """ + :returns: set-like object providing a view on D's items + :rtype: ~typing.ItemsView + """ + return self._data.items() + + def get(self, key: str, default: typing.Any = None) -> typing.Any: + """ + Get the value for key if key is in the dictionary, else default. + :param str key: The key to look up. + :param any default: The value to return if key is not in the dictionary. Defaults to None + :returns: D[k] if k in D, else d. + :rtype: any + """ + try: + return self[key] + except KeyError: + return default + + @typing.overload + def pop(self, key: str) -> typing.Any: ... + + @typing.overload + def pop(self, key: str, default: _T) -> _T: ... + + @typing.overload + def pop(self, key: str, default: typing.Any) -> typing.Any: ... + + def pop(self, key: str, default: typing.Any = _UNSET) -> typing.Any: + """ + Removes specified key and return the corresponding value. + :param str key: The key to pop. + :param any default: The value to return if key is not in the dictionary + :returns: The value corresponding to the key. + :rtype: any + :raises KeyError: If key is not found and default is not given. + """ + if default is _UNSET: + return self._data.pop(key) + return self._data.pop(key, default) + + def popitem(self) -> typing.Tuple[str, typing.Any]: + """ + Removes and returns some (key, value) pair + :returns: The (key, value) pair. + :rtype: tuple + :raises KeyError: if D is empty. + """ + return self._data.popitem() + + def clear(self) -> None: + """ + Remove all items from D. + """ + self._data.clear() + + def update(self, *args: typing.Any, **kwargs: typing.Any) -> None: + """ + Updates D from mapping/iterable E and F. + :param any args: Either a mapping object or an iterable of key-value pairs. 
+ """ + self._data.update(*args, **kwargs) + + @typing.overload + def setdefault(self, key: str, default: None = None) -> None: ... + + @typing.overload + def setdefault(self, key: str, default: typing.Any) -> typing.Any: ... + + def setdefault(self, key: str, default: typing.Any = _UNSET) -> typing.Any: + """ + Same as calling D.get(k, d), and setting D[k]=d if k not found + :param str key: The key to look up. + :param any default: The value to set if key is not in the dictionary + :returns: D[k] if k in D, else d. + :rtype: any + """ + if default is _UNSET: + return self._data.setdefault(key) + return self._data.setdefault(key, default) + + def __eq__(self, other: typing.Any) -> bool: + try: + other_model = self.__class__(other) + except Exception: + return False + return self._data == other_model._data + + def __repr__(self) -> str: + return str(self._data) + + +def _is_model(obj: typing.Any) -> bool: + return getattr(obj, "_is_model", False) + + +def _serialize(o, format: typing.Optional[str] = None): # pylint: disable=too-many-return-statements + if isinstance(o, list): + return [_serialize(x, format) for x in o] + if isinstance(o, dict): + return {k: _serialize(v, format) for k, v in o.items()} + if isinstance(o, set): + return {_serialize(x, format) for x in o} + if isinstance(o, tuple): + return tuple(_serialize(x, format) for x in o) + if isinstance(o, (bytes, bytearray)): + return _serialize_bytes(o, format) + if isinstance(o, decimal.Decimal): + return float(o) + if isinstance(o, enum.Enum): + return o.value + if isinstance(o, int): + if format == "str": + return str(o) + return o + try: + # First try datetime.datetime + return _serialize_datetime(o, format) + except AttributeError: + pass + # Last, try datetime.timedelta + try: + return _timedelta_as_isostr(o) + except AttributeError: + # This will be raised when it hits value.total_seconds in the method above + pass + return o + + +def _get_rest_field( + attr_to_rest_field: typing.Dict[str, 
"_RestField"], rest_name: str +) -> typing.Optional["_RestField"]: + try: + return next(rf for rf in attr_to_rest_field.values() if rf._rest_name == rest_name) + except StopIteration: + return None + + +def _create_value(rf: typing.Optional["_RestField"], value: typing.Any) -> typing.Any: + if not rf: + return _serialize(value, None) + if rf._is_multipart_file_input: + return value + if rf._is_model: + return _deserialize(rf._type, value) + if isinstance(value, ET.Element): + value = _deserialize(rf._type, value) + return _serialize(value, rf._format) + + +class Model(_MyMutableMapping): + _is_model = True + # label whether current class's _attr_to_rest_field has been calculated + # could not see _attr_to_rest_field directly because subclass inherits it from parent class + _calculated: typing.Set[str] = set() + + def __init__(self, *args: typing.Any, **kwargs: typing.Any) -> None: + class_name = self.__class__.__name__ + if len(args) > 1: + raise TypeError(f"{class_name}.__init__() takes 2 positional arguments but {len(args) + 1} were given") + dict_to_pass = { + rest_field._rest_name: rest_field._default + for rest_field in self._attr_to_rest_field.values() + if rest_field._default is not _UNSET + } + if args: # pylint: disable=too-many-nested-blocks + if isinstance(args[0], ET.Element): + existed_attr_keys = [] + model_meta = getattr(self, "_xml", {}) + + for rf in self._attr_to_rest_field.values(): + prop_meta = getattr(rf, "_xml", {}) + xml_name = prop_meta.get("name", rf._rest_name) + xml_ns = prop_meta.get("ns", model_meta.get("ns", None)) + if xml_ns: + xml_name = "{" + xml_ns + "}" + xml_name + + # attribute + if prop_meta.get("attribute", False) and args[0].get(xml_name) is not None: + existed_attr_keys.append(xml_name) + dict_to_pass[rf._rest_name] = _deserialize(rf._type, args[0].get(xml_name)) + continue + + # unwrapped element is array + if prop_meta.get("unwrapped", False): + # unwrapped array could either use prop items meta/prop meta + if 
prop_meta.get("itemsName"): + xml_name = prop_meta.get("itemsName") + xml_ns = prop_meta.get("itemNs") + if xml_ns: + xml_name = "{" + xml_ns + "}" + xml_name + items = args[0].findall(xml_name) # pyright: ignore + if len(items) > 0: + existed_attr_keys.append(xml_name) + dict_to_pass[rf._rest_name] = _deserialize(rf._type, items) + continue + + # text element is primitive type + if prop_meta.get("text", False): + if args[0].text is not None: + dict_to_pass[rf._rest_name] = _deserialize(rf._type, args[0].text) + continue + + # wrapped element could be normal property or array, it should only have one element + item = args[0].find(xml_name) + if item is not None: + existed_attr_keys.append(xml_name) + dict_to_pass[rf._rest_name] = _deserialize(rf._type, item) + + # rest thing is additional properties + for e in args[0]: + if e.tag not in existed_attr_keys: + dict_to_pass[e.tag] = _convert_element(e) + else: + dict_to_pass.update( + {k: _create_value(_get_rest_field(self._attr_to_rest_field, k), v) for k, v in args[0].items()} + ) + else: + non_attr_kwargs = [k for k in kwargs if k not in self._attr_to_rest_field] + if non_attr_kwargs: + # actual type errors only throw the first wrong keyword arg they see, so following that. 
+ raise TypeError(f"{class_name}.__init__() got an unexpected keyword argument '{non_attr_kwargs[0]}'") + dict_to_pass.update( + { + self._attr_to_rest_field[k]._rest_name: _create_value(self._attr_to_rest_field[k], v) + for k, v in kwargs.items() + if v is not None + } + ) + super().__init__(dict_to_pass) + + def copy(self) -> "Model": + return Model(self.__dict__) + + def __new__(cls, *args: typing.Any, **kwargs: typing.Any) -> Self: + if f"{cls.__module__}.{cls.__qualname__}" not in cls._calculated: + # we know the last nine classes in mro are going to be 'Model', '_MyMutableMapping', 'MutableMapping', + # 'Mapping', 'Collection', 'Sized', 'Iterable', 'Container' and 'object' + mros = cls.__mro__[:-9][::-1] # ignore parents, and reverse the mro order + attr_to_rest_field: typing.Dict[str, _RestField] = { # map attribute name to rest_field property + k: v for mro_class in mros for k, v in mro_class.__dict__.items() if k[0] != "_" and hasattr(v, "_type") + } + annotations = { + k: v + for mro_class in mros + if hasattr(mro_class, "__annotations__") + for k, v in mro_class.__annotations__.items() + } + for attr, rf in attr_to_rest_field.items(): + rf._module = cls.__module__ + if not rf._type: + rf._type = rf._get_deserialize_callable_from_annotation(annotations.get(attr, None)) + if not rf._rest_name_input: + rf._rest_name_input = attr + cls._attr_to_rest_field: typing.Dict[str, _RestField] = dict(attr_to_rest_field.items()) + cls._calculated.add(f"{cls.__module__}.{cls.__qualname__}") + + return super().__new__(cls) # pylint: disable=no-value-for-parameter + + def __init_subclass__(cls, discriminator: typing.Optional[str] = None) -> None: + for base in cls.__bases__: + if hasattr(base, "__mapping__"): + base.__mapping__[discriminator or cls.__name__] = cls # type: ignore + + @classmethod + def _get_discriminator(cls, exist_discriminators) -> typing.Optional["_RestField"]: + for v in cls.__dict__.values(): + if isinstance(v, _RestField) and v._is_discriminator and 
v._rest_name not in exist_discriminators: + return v + return None + + @classmethod + def _deserialize(cls, data, exist_discriminators): + if not hasattr(cls, "__mapping__"): + return cls(data) + discriminator = cls._get_discriminator(exist_discriminators) + if discriminator is None: + return cls(data) + exist_discriminators.append(discriminator._rest_name) + if isinstance(data, ET.Element): + model_meta = getattr(cls, "_xml", {}) + prop_meta = getattr(discriminator, "_xml", {}) + xml_name = prop_meta.get("name", discriminator._rest_name) + xml_ns = prop_meta.get("ns", model_meta.get("ns", None)) + if xml_ns: + xml_name = "{" + xml_ns + "}" + xml_name + + if data.get(xml_name) is not None: + discriminator_value = data.get(xml_name) + else: + discriminator_value = data.find(xml_name).text # pyright: ignore + else: + discriminator_value = data.get(discriminator._rest_name) + mapped_cls = cls.__mapping__.get(discriminator_value, cls) # pyright: ignore + return mapped_cls._deserialize(data, exist_discriminators) + + def as_dict(self, *, exclude_readonly: bool = False) -> typing.Dict[str, typing.Any]: + """Return a dict that can be turned into json using json.dump. + + :keyword bool exclude_readonly: Whether to remove the readonly properties. 
+ :returns: A dict JSON compatible object + :rtype: dict + """ + + result = {} + readonly_props = [] + if exclude_readonly: + readonly_props = [p._rest_name for p in self._attr_to_rest_field.values() if _is_readonly(p)] + for k, v in self.items(): + if exclude_readonly and k in readonly_props: # pyright: ignore + continue + is_multipart_file_input = False + try: + is_multipart_file_input = next( + rf for rf in self._attr_to_rest_field.values() if rf._rest_name == k + )._is_multipart_file_input + except StopIteration: + pass + result[k] = v if is_multipart_file_input else Model._as_dict_value(v, exclude_readonly=exclude_readonly) + return result + + @staticmethod + def _as_dict_value(v: typing.Any, exclude_readonly: bool = False) -> typing.Any: + if v is None or isinstance(v, _Null): + return None + if isinstance(v, (list, tuple, set)): + return type(v)(Model._as_dict_value(x, exclude_readonly=exclude_readonly) for x in v) + if isinstance(v, dict): + return {dk: Model._as_dict_value(dv, exclude_readonly=exclude_readonly) for dk, dv in v.items()} + return v.as_dict(exclude_readonly=exclude_readonly) if hasattr(v, "as_dict") else v + + +def _deserialize_model(model_deserializer: typing.Optional[typing.Callable], obj): + if _is_model(obj): + return obj + return _deserialize(model_deserializer, obj) + + +def _deserialize_with_optional(if_obj_deserializer: typing.Optional[typing.Callable], obj): + if obj is None: + return obj + return _deserialize_with_callable(if_obj_deserializer, obj) + + +def _deserialize_with_union(deserializers, obj): + for deserializer in deserializers: + try: + return _deserialize(deserializer, obj) + except DeserializationError: + pass + raise DeserializationError() + + +def _deserialize_dict( + value_deserializer: typing.Optional[typing.Callable], + module: typing.Optional[str], + obj: typing.Dict[typing.Any, typing.Any], +): + if obj is None: + return obj + if isinstance(obj, ET.Element): + obj = {child.tag: child for child in obj} + return {k: 
_deserialize(value_deserializer, v, module) for k, v in obj.items()} + + +def _deserialize_multiple_sequence( + entry_deserializers: typing.List[typing.Optional[typing.Callable]], + module: typing.Optional[str], + obj, +): + if obj is None: + return obj + return type(obj)(_deserialize(deserializer, entry, module) for entry, deserializer in zip(obj, entry_deserializers)) + + +def _deserialize_sequence( + deserializer: typing.Optional[typing.Callable], + module: typing.Optional[str], + obj, +): + if obj is None: + return obj + if isinstance(obj, ET.Element): + obj = list(obj) + return type(obj)(_deserialize(deserializer, entry, module) for entry in obj) + + +def _sorted_annotations(types: typing.List[typing.Any]) -> typing.List[typing.Any]: + return sorted( + types, + key=lambda x: hasattr(x, "__name__") and x.__name__.lower() in ("str", "float", "int", "bool"), + ) + + +def _get_deserialize_callable_from_annotation( # pylint: disable=too-many-return-statements, too-many-branches + annotation: typing.Any, + module: typing.Optional[str], + rf: typing.Optional["_RestField"] = None, +) -> typing.Optional[typing.Callable[[typing.Any], typing.Any]]: + if not annotation: + return None + + # is it a type alias? + if isinstance(annotation, str): + if module is not None: + annotation = _get_type_alias_type(module, annotation) + + # is it a forward ref / in quotes? + if isinstance(annotation, (str, typing.ForwardRef)): + try: + model_name = annotation.__forward_arg__ # type: ignore + except AttributeError: + model_name = annotation + if module is not None: + annotation = _get_model(module, model_name) # type: ignore + + try: + if module and _is_model(annotation): + if rf: + rf._is_model = True + + return functools.partial(_deserialize_model, annotation) # pyright: ignore + except Exception: + pass + + # is it a literal? + try: + if annotation.__origin__ is typing.Literal: # pyright: ignore + return None + except AttributeError: + pass + + # is it optional? 
+ try: + if any(a for a in annotation.__args__ if a == type(None)): # pyright: ignore + if len(annotation.__args__) <= 2: # pyright: ignore + if_obj_deserializer = _get_deserialize_callable_from_annotation( + next(a for a in annotation.__args__ if a != type(None)), module, rf # pyright: ignore + ) + + return functools.partial(_deserialize_with_optional, if_obj_deserializer) + # the type is Optional[Union[...]], we need to remove the None type from the Union + annotation_copy = copy.copy(annotation) + annotation_copy.__args__ = [a for a in annotation_copy.__args__ if a != type(None)] # pyright: ignore + return _get_deserialize_callable_from_annotation(annotation_copy, module, rf) + except AttributeError: + pass + + # is it union? + if getattr(annotation, "__origin__", None) is typing.Union: + # initial ordering is we make `string` the last deserialization option, because it is often them most generic + deserializers = [ + _get_deserialize_callable_from_annotation(arg, module, rf) + for arg in _sorted_annotations(annotation.__args__) # pyright: ignore + ] + + return functools.partial(_deserialize_with_union, deserializers) + + try: + if annotation._name == "Dict": # pyright: ignore + value_deserializer = _get_deserialize_callable_from_annotation( + annotation.__args__[1], module, rf # pyright: ignore + ) + + return functools.partial( + _deserialize_dict, + value_deserializer, + module, + ) + except (AttributeError, IndexError): + pass + try: + if annotation._name in ["List", "Set", "Tuple", "Sequence"]: # pyright: ignore + if len(annotation.__args__) > 1: # pyright: ignore + entry_deserializers = [ + _get_deserialize_callable_from_annotation(dt, module, rf) + for dt in annotation.__args__ # pyright: ignore + ] + return functools.partial(_deserialize_multiple_sequence, entry_deserializers, module) + deserializer = _get_deserialize_callable_from_annotation( + annotation.__args__[0], module, rf # pyright: ignore + ) + + return functools.partial(_deserialize_sequence, 
deserializer, module) + except (TypeError, IndexError, AttributeError, SyntaxError): + pass + + def _deserialize_default( + deserializer, + obj, + ): + if obj is None: + return obj + try: + return _deserialize_with_callable(deserializer, obj) + except Exception: + pass + return obj + + if get_deserializer(annotation, rf): + return functools.partial(_deserialize_default, get_deserializer(annotation, rf)) + + return functools.partial(_deserialize_default, annotation) + + +def _deserialize_with_callable( + deserializer: typing.Optional[typing.Callable[[typing.Any], typing.Any]], + value: typing.Any, +): # pylint: disable=too-many-return-statements + try: + if value is None or isinstance(value, _Null): + return None + if isinstance(value, ET.Element): + if deserializer is str: + return value.text or "" + if deserializer is int: + return int(value.text) if value.text else None + if deserializer is float: + return float(value.text) if value.text else None + if deserializer is bool: + return value.text == "true" if value.text else None + if deserializer is None: + return value + if deserializer in [int, float, bool]: + return deserializer(value) + if isinstance(deserializer, CaseInsensitiveEnumMeta): + try: + return deserializer(value) + except ValueError: + # for unknown value, return raw value + return value + if isinstance(deserializer, type) and issubclass(deserializer, Model): + return deserializer._deserialize(value, []) + return typing.cast(typing.Callable[[typing.Any], typing.Any], deserializer)(value) + except Exception as e: + raise DeserializationError() from e + + +def _deserialize( + deserializer: typing.Any, + value: typing.Any, + module: typing.Optional[str] = None, + rf: typing.Optional["_RestField"] = None, + format: typing.Optional[str] = None, +) -> typing.Any: + if isinstance(value, PipelineResponse): + value = value.http_response.json() + if rf is None and format: + rf = _RestField(format=format) + if not isinstance(deserializer, functools.partial): + 
deserializer = _get_deserialize_callable_from_annotation(deserializer, module, rf) + return _deserialize_with_callable(deserializer, value) + + +def _failsafe_deserialize( + deserializer: typing.Any, + value: typing.Any, + module: typing.Optional[str] = None, + rf: typing.Optional["_RestField"] = None, + format: typing.Optional[str] = None, +) -> typing.Any: + try: + return _deserialize(deserializer, value, module, rf, format) + except DeserializationError: + _LOGGER.warning( + "Ran into a deserialization error. Ignoring since this is failsafe deserialization", exc_info=True + ) + return None + + +def _failsafe_deserialize_xml( + deserializer: typing.Any, + value: typing.Any, +) -> typing.Any: + try: + return _deserialize_xml(deserializer, value) + except DeserializationError: + _LOGGER.warning( + "Ran into a deserialization error. Ignoring since this is failsafe deserialization", exc_info=True + ) + return None + + +class _RestField: + def __init__( + self, + *, + name: typing.Optional[str] = None, + type: typing.Optional[typing.Callable] = None, # pylint: disable=redefined-builtin + is_discriminator: bool = False, + visibility: typing.Optional[typing.List[str]] = None, + default: typing.Any = _UNSET, + format: typing.Optional[str] = None, + is_multipart_file_input: bool = False, + xml: typing.Optional[typing.Dict[str, typing.Any]] = None, + ): + self._type = type + self._rest_name_input = name + self._module: typing.Optional[str] = None + self._is_discriminator = is_discriminator + self._visibility = visibility + self._is_model = False + self._default = default + self._format = format + self._is_multipart_file_input = is_multipart_file_input + self._xml = xml if xml is not None else {} + + @property + def _class_type(self) -> typing.Any: + return getattr(self._type, "args", [None])[0] + + @property + def _rest_name(self) -> str: + if self._rest_name_input is None: + raise ValueError("Rest name was never set") + return self._rest_name_input + + def __get__(self, 
obj: Model, type=None): # pylint: disable=redefined-builtin + # by this point, type and rest_name will have a value bc we default + # them in __new__ of the Model class + item = obj.get(self._rest_name) + if item is None: + return item + if self._is_model: + return item + return _deserialize(self._type, _serialize(item, self._format), rf=self) + + def __set__(self, obj: Model, value) -> None: + if value is None: + # we want to wipe out entries if users set attr to None + try: + obj.__delitem__(self._rest_name) + except KeyError: + pass + return + if self._is_model: + if not _is_model(value): + value = _deserialize(self._type, value) + obj.__setitem__(self._rest_name, value) + return + obj.__setitem__(self._rest_name, _serialize(value, self._format)) + + def _get_deserialize_callable_from_annotation( + self, annotation: typing.Any + ) -> typing.Optional[typing.Callable[[typing.Any], typing.Any]]: + return _get_deserialize_callable_from_annotation(annotation, self._module, self) + + +def rest_field( + *, + name: typing.Optional[str] = None, + type: typing.Optional[typing.Callable] = None, # pylint: disable=redefined-builtin + visibility: typing.Optional[typing.List[str]] = None, + default: typing.Any = _UNSET, + format: typing.Optional[str] = None, + is_multipart_file_input: bool = False, + xml: typing.Optional[typing.Dict[str, typing.Any]] = None, +) -> typing.Any: + return _RestField( + name=name, + type=type, + visibility=visibility, + default=default, + format=format, + is_multipart_file_input=is_multipart_file_input, + xml=xml, + ) + + +def rest_discriminator( + *, + name: typing.Optional[str] = None, + type: typing.Optional[typing.Callable] = None, # pylint: disable=redefined-builtin + visibility: typing.Optional[typing.List[str]] = None, + xml: typing.Optional[typing.Dict[str, typing.Any]] = None, +) -> typing.Any: + return _RestField(name=name, type=type, is_discriminator=True, visibility=visibility, xml=xml) + + +def serialize_xml(model: Model, 
exclude_readonly: bool = False) -> str: + """Serialize a model to XML. + + :param Model model: The model to serialize. + :param bool exclude_readonly: Whether to exclude readonly properties. + :returns: The XML representation of the model. + :rtype: str + """ + return ET.tostring(_get_element(model, exclude_readonly), encoding="unicode") # type: ignore + + +def _get_element( + o: typing.Any, + exclude_readonly: bool = False, + parent_meta: typing.Optional[typing.Dict[str, typing.Any]] = None, + wrapped_element: typing.Optional[ET.Element] = None, +) -> typing.Union[ET.Element, typing.List[ET.Element]]: + if _is_model(o): + model_meta = getattr(o, "_xml", {}) + + # if prop is a model, then use the prop element directly, else generate a wrapper of model + if wrapped_element is None: + wrapped_element = _create_xml_element( + model_meta.get("name", o.__class__.__name__), + model_meta.get("prefix"), + model_meta.get("ns"), + ) + + readonly_props = [] + if exclude_readonly: + readonly_props = [p._rest_name for p in o._attr_to_rest_field.values() if _is_readonly(p)] + + for k, v in o.items(): + # do not serialize readonly properties + if exclude_readonly and k in readonly_props: + continue + + prop_rest_field = _get_rest_field(o._attr_to_rest_field, k) + if prop_rest_field: + prop_meta = getattr(prop_rest_field, "_xml").copy() + # use the wire name as xml name if no specific name is set + if prop_meta.get("name") is None: + prop_meta["name"] = k + else: + # additional properties will not have rest field, use the wire name as xml name + prop_meta = {"name": k} + + # if no ns for prop, use model's + if prop_meta.get("ns") is None and model_meta.get("ns"): + prop_meta["ns"] = model_meta.get("ns") + prop_meta["prefix"] = model_meta.get("prefix") + + if prop_meta.get("unwrapped", False): + # unwrapped could only set on array + wrapped_element.extend(_get_element(v, exclude_readonly, prop_meta)) + elif prop_meta.get("text", False): + # text could only set on primitive type + 
wrapped_element.text = _get_primitive_type_value(v) + elif prop_meta.get("attribute", False): + xml_name = prop_meta.get("name", k) + if prop_meta.get("ns"): + ET.register_namespace(prop_meta.get("prefix"), prop_meta.get("ns")) # pyright: ignore + xml_name = "{" + prop_meta.get("ns") + "}" + xml_name # pyright: ignore + # attribute should be primitive type + wrapped_element.set(xml_name, _get_primitive_type_value(v)) + else: + # other wrapped prop element + wrapped_element.append(_get_wrapped_element(v, exclude_readonly, prop_meta)) + return wrapped_element + if isinstance(o, list): + return [_get_element(x, exclude_readonly, parent_meta) for x in o] # type: ignore + if isinstance(o, dict): + result = [] + for k, v in o.items(): + result.append( + _get_wrapped_element( + v, + exclude_readonly, + { + "name": k, + "ns": parent_meta.get("ns") if parent_meta else None, + "prefix": parent_meta.get("prefix") if parent_meta else None, + }, + ) + ) + return result + + # primitive case need to create element based on parent_meta + if parent_meta: + return _get_wrapped_element( + o, + exclude_readonly, + { + "name": parent_meta.get("itemsName", parent_meta.get("name")), + "prefix": parent_meta.get("itemsPrefix", parent_meta.get("prefix")), + "ns": parent_meta.get("itemsNs", parent_meta.get("ns")), + }, + ) + + raise ValueError("Could not serialize value into xml: " + o) + + +def _get_wrapped_element( + v: typing.Any, + exclude_readonly: bool, + meta: typing.Optional[typing.Dict[str, typing.Any]], +) -> ET.Element: + wrapped_element = _create_xml_element( + meta.get("name") if meta else None, meta.get("prefix") if meta else None, meta.get("ns") if meta else None + ) + if isinstance(v, (dict, list)): + wrapped_element.extend(_get_element(v, exclude_readonly, meta)) + elif _is_model(v): + _get_element(v, exclude_readonly, meta, wrapped_element) + else: + wrapped_element.text = _get_primitive_type_value(v) + return wrapped_element + + +def _get_primitive_type_value(v) -> str: + 
if v is True: + return "true" + if v is False: + return "false" + if isinstance(v, _Null): + return "" + return str(v) + + +def _create_xml_element(tag, prefix=None, ns=None): + if prefix and ns: + ET.register_namespace(prefix, ns) + if ns: + return ET.Element("{" + ns + "}" + tag) + return ET.Element(tag) + + +def _deserialize_xml( + deserializer: typing.Any, + value: str, +) -> typing.Any: + element = ET.fromstring(value) # nosec + return _deserialize(deserializer, element) + + +def _convert_element(e: ET.Element): + # dict case + if len(e.attrib) > 0 or len({child.tag for child in e}) > 1: + dict_result: typing.Dict[str, typing.Any] = {} + for child in e: + if dict_result.get(child.tag) is not None: + if isinstance(dict_result[child.tag], list): + dict_result[child.tag].append(_convert_element(child)) + else: + dict_result[child.tag] = [dict_result[child.tag], _convert_element(child)] + else: + dict_result[child.tag] = _convert_element(child) + dict_result.update(e.attrib) + return dict_result + # array case + if len(e) > 0: + array_result: typing.List[typing.Any] = [] + for child in e: + array_result.append(_convert_element(child)) + return array_result + # primitive case + return e.text diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_operations/__init__.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_operations/__init__.py new file mode 100644 index 000000000000..c6b747b3914b --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_operations/__init__.py 
@@ -0,0 +1,25 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# pylint: disable=wrong-import-position + +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from ._patch import * # pylint: disable=unused-wildcard-import + +from ._operations import SecurityDomainClientOperationsMixin # type: ignore + +from ._patch import __all__ as _patch_all +from ._patch import * +from ._patch import patch_sdk as _patch_sdk + +__all__ = [ + "SecurityDomainClientOperationsMixin", +] +__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore +_patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_operations/_operations.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_operations/_operations.py new file mode 100644 index 000000000000..2a40071a6feb --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_operations/_operations.py 
@@ -0,0 +1,628 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from io import IOBase +import json +import sys +from typing import Any, Callable, Dict, IO, Iterator, Optional, TypeVar, Union, cast, overload + +from azure.core.exceptions import ( + ClientAuthenticationError, + HttpResponseError, + ResourceExistsError, + ResourceNotFoundError, + ResourceNotModifiedError, + StreamClosedError, + StreamConsumedError, + map_error, +) +from azure.core.pipeline import PipelineResponse +from azure.core.polling import LROPoller, NoPolling, PollingMethod +from azure.core.polling.base_polling import LROBasePolling +from azure.core.rest import HttpRequest, HttpResponse +from azure.core.tracing.decorator import distributed_trace +from azure.core.utils import case_insensitive_dict + +from .. 
import models as _models +from .._model_base import SdkJSONEncoder, _deserialize, _failsafe_deserialize +from .._serialization import Serializer +from .._vendor import SecurityDomainClientMixinABC + +if sys.version_info >= (3, 9): + from collections.abc import MutableMapping +else: + from typing import MutableMapping # type: ignore +JSON = MutableMapping[str, Any] # pylint: disable=unsubscriptable-object +T = TypeVar("T") +ClsType = Optional[Callable[[PipelineResponse[HttpRequest, HttpResponse], T, Dict[str, Any]], Any]] + +_SERIALIZER = Serializer() +_SERIALIZER.client_side_validation = False + + +def build_security_domain_get_download_status_request(**kwargs: Any) -> HttpRequest: # pylint: disable=name-too-long + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) + + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + accept = _headers.pop("Accept", "application/json") + + # Construct URL + _url = "/securitydomain/download/pending" + + # Construct parameters + _params["api-version"] = _SERIALIZER.query("api_version", api_version, "str") + + # Construct headers + _headers["Accept"] = _SERIALIZER.header("accept", accept, "str") + + return HttpRequest(method="GET", url=_url, params=_params, headers=_headers, **kwargs) + + +def build_security_domain_download_request(**kwargs: Any) -> HttpRequest: + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + accept = _headers.pop("Accept", "application/json") + + # Construct URL + _url = "/securitydomain/download" + + # Construct parameters + _params["api-version"] = _SERIALIZER.query("api_version", api_version, "str") + + # Construct headers + if content_type 
is not None: + _headers["Content-Type"] = _SERIALIZER.header("content_type", content_type, "str") + _headers["Accept"] = _SERIALIZER.header("accept", accept, "str") + + return HttpRequest(method="POST", url=_url, params=_params, headers=_headers, **kwargs) + + +def build_security_domain_get_upload_status_request(**kwargs: Any) -> HttpRequest: # pylint: disable=name-too-long + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) + + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + accept = _headers.pop("Accept", "application/json") + + # Construct URL + _url = "/securitydomain/upload/pending" + + # Construct parameters + _params["api-version"] = _SERIALIZER.query("api_version", api_version, "str") + + # Construct headers + _headers["Accept"] = _SERIALIZER.header("accept", accept, "str") + + return HttpRequest(method="GET", url=_url, params=_params, headers=_headers, **kwargs) + + +def build_security_domain_upload_request(**kwargs: Any) -> HttpRequest: + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + accept = _headers.pop("Accept", "application/json") + + # Construct URL + _url = "/securitydomain/upload" + + # Construct parameters + _params["api-version"] = _SERIALIZER.query("api_version", api_version, "str") + + # Construct headers + if content_type is not None: + _headers["Content-Type"] = _SERIALIZER.header("content_type", content_type, "str") + _headers["Accept"] = _SERIALIZER.header("accept", accept, "str") + + return HttpRequest(method="POST", url=_url, params=_params, headers=_headers, **kwargs) + + +def build_security_domain_get_transfer_key_request(**kwargs: Any) -> HttpRequest: # 
pylint: disable=name-too-long + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = case_insensitive_dict(kwargs.pop("params", {}) or {}) + + api_version: str = kwargs.pop("api_version", _params.pop("api-version", "7.5")) + accept = _headers.pop("Accept", "application/json") + + # Construct URL + _url = "/securitydomain/upload" + + # Construct parameters + _params["api-version"] = _SERIALIZER.query("api_version", api_version, "str") + + # Construct headers + _headers["Accept"] = _SERIALIZER.header("accept", accept, "str") + + return HttpRequest(method="GET", url=_url, params=_params, headers=_headers, **kwargs) + + +class SecurityDomainClientOperationsMixin(SecurityDomainClientMixinABC): + + @distributed_trace + def get_download_status(self, **kwargs: Any) -> _models.SecurityDomainOperationStatus: + """Retrieves the Security Domain download operation status. + + :return: SecurityDomainOperationStatus. The SecurityDomainOperationStatus is compatible with + MutableMapping + :rtype: ~azure.keyvault.securitydomain.models.SecurityDomainOperationStatus + :raises ~azure.core.exceptions.HttpResponseError: + """ + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = kwargs.pop("headers", {}) or {} + _params = kwargs.pop("params", {}) or {} + + cls: ClsType[_models.SecurityDomainOperationStatus] = kwargs.pop("cls", None) + + _request = build_security_domain_get_download_status_request( + api_version=self._config.api_version, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = kwargs.pop("stream", False) + pipeline_response: 
PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [200]: + if _stream: + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, error_map=error_map) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.SecurityDomainOperationStatus, response.json()) + + if cls: + return cls(pipeline_response, deserialized, {}) # type: ignore + + return deserialized # type: ignore + + def _download_initial( + self, certificate_info_object: Union[_models.CertificateInfo, JSON, IO[bytes]], **kwargs: Any + ) -> Iterator[bytes]: + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = kwargs.pop("params", {}) or {} + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + cls: ClsType[Iterator[bytes]] = kwargs.pop("cls", None) + + content_type = content_type or "application/json" + _content = None + if isinstance(certificate_info_object, (IOBase, bytes)): + _content = certificate_info_object + else: + _content = json.dumps(certificate_info_object, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore + + _request = build_security_domain_download_request( + content_type=content_type, + api_version=self._config.api_version, + content=_content, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": 
self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = True + pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [202]: + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, error_map=error_map) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + response_headers = {} + response_headers["Azure-AsyncOperation"] = self._deserialize( + "str", response.headers.get("Azure-AsyncOperation") + ) + response_headers["Retry-After"] = self._deserialize("int", response.headers.get("Retry-After")) + + deserialized = response.iter_bytes() + + if cls: + return cls(pipeline_response, deserialized, response_headers) # type: ignore + + return deserialized # type: ignore + + @overload + def _begin_download( + self, certificate_info_object: _models.CertificateInfo, *, content_type: str = "application/json", **kwargs: Any + ) -> LROPoller[None]: ... + @overload + def _begin_download( + self, certificate_info_object: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> LROPoller[None]: ... + @overload + def _begin_download( + self, certificate_info_object: IO[bytes], *, content_type: str = "application/json", **kwargs: Any + ) -> LROPoller[None]: ... + + @distributed_trace + def _begin_download( + self, certificate_info_object: Union[_models.CertificateInfo, JSON, IO[bytes]], **kwargs: Any + ) -> LROPoller[None]: + """Retrieves the Security Domain from the managed HSM. 
Calling this endpoint can be used to + activate a provisioned managed HSM resource. + + :param certificate_info_object: The Security Domain download operation requires customer to + provide N certificates (minimum 3 and maximum 10) containing a public key in JWK format. Is one + of the following types: CertificateInfo, JSON, IO[bytes] Required. + :type certificate_info_object: ~azure.keyvault.securitydomain.models.CertificateInfo or JSON or + IO[bytes] + :return: An instance of LROPoller that returns None + :rtype: ~azure.core.polling.LROPoller[None] + :raises ~azure.core.exceptions.HttpResponseError: + """ + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = kwargs.pop("params", {}) or {} + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + cls: ClsType[None] = kwargs.pop("cls", None) + polling: Union[bool, PollingMethod] = kwargs.pop("polling", True) + lro_delay = kwargs.pop("polling_interval", self._config.polling_interval) + cont_token: Optional[str] = kwargs.pop("continuation_token", None) + if cont_token is None: + raw_result = self._download_initial( + certificate_info_object=certificate_info_object, + content_type=content_type, + cls=lambda x, y, z: x, + headers=_headers, + params=_params, + **kwargs + ) + raw_result.http_response.read() # type: ignore + kwargs.pop("error_map", None) + + def get_long_running_output(pipeline_response): # pylint: disable=inconsistent-return-statements + if cls: + return cls(pipeline_response, None, {}) # type: ignore + + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + + if polling is True: + polling_method: PollingMethod = cast( + PollingMethod, LROBasePolling(lro_delay, path_format_arguments=path_format_arguments, **kwargs) + ) + elif polling is False: + polling_method = cast(PollingMethod, NoPolling()) + else: + polling_method = polling + if 
cont_token: + return LROPoller[None].from_continuation_token( + polling_method=polling_method, + continuation_token=cont_token, + client=self._client, + deserialization_callback=get_long_running_output, + ) + return LROPoller[None](self._client, raw_result, get_long_running_output, polling_method) # type: ignore + + @distributed_trace + def get_upload_status(self, **kwargs: Any) -> _models.SecurityDomainOperationStatus: + """Get Security Domain upload operation status. + + :return: SecurityDomainOperationStatus. The SecurityDomainOperationStatus is compatible with + MutableMapping + :rtype: ~azure.keyvault.securitydomain.models.SecurityDomainOperationStatus + :raises ~azure.core.exceptions.HttpResponseError: + """ + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = kwargs.pop("headers", {}) or {} + _params = kwargs.pop("params", {}) or {} + + cls: ClsType[_models.SecurityDomainOperationStatus] = kwargs.pop("cls", None) + + _request = build_security_domain_get_upload_status_request( + api_version=self._config.api_version, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = kwargs.pop("stream", False) + pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [200]: + if _stream: + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, 
error_map=error_map) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.SecurityDomainOperationStatus, response.json()) + + if cls: + return cls(pipeline_response, deserialized, {}) # type: ignore + + return deserialized # type: ignore + + def _upload_initial( + self, security_domain: Union[_models.SecurityDomain, JSON, IO[bytes]], **kwargs: Any + ) -> Iterator[bytes]: + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = kwargs.pop("params", {}) or {} + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + cls: ClsType[Iterator[bytes]] = kwargs.pop("cls", None) + + content_type = content_type or "application/json" + _content = None + if isinstance(security_domain, (IOBase, bytes)): + _content = security_domain + else: + _content = json.dumps(security_domain, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore + + _request = build_security_domain_upload_request( + content_type=content_type, + api_version=self._config.api_version, + content=_content, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = True + pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [202, 204]: + try: + 
response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, error_map=error_map) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + response_headers = {} + if response.status_code == 202: + response_headers["Azure-AsyncOperation"] = self._deserialize( + "str", response.headers.get("Azure-AsyncOperation") + ) + response_headers["Retry-After"] = self._deserialize("int", response.headers.get("Retry-After")) + + deserialized = response.iter_bytes() + + if cls: + return cls(pipeline_response, deserialized, response_headers) # type: ignore + + return deserialized # type: ignore + + @overload + def _begin_upload( + self, security_domain: _models.SecurityDomain, *, content_type: str = "application/json", **kwargs: Any + ) -> LROPoller[_models.SecurityDomainOperationStatus]: ... + @overload + def _begin_upload( + self, security_domain: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> LROPoller[_models.SecurityDomainOperationStatus]: ... + @overload + def _begin_upload( + self, security_domain: IO[bytes], *, content_type: str = "application/json", **kwargs: Any + ) -> LROPoller[_models.SecurityDomainOperationStatus]: ... + + @distributed_trace + def _begin_upload( + self, security_domain: Union[_models.SecurityDomain, JSON, IO[bytes]], **kwargs: Any + ) -> LROPoller[_models.SecurityDomainOperationStatus]: + """Restore the provided Security Domain. + + :param security_domain: The Security Domain to be restored. Is one of the following types: + SecurityDomain, JSON, IO[bytes] Required. + :type security_domain: ~azure.keyvault.securitydomain.models.SecurityDomain or JSON or + IO[bytes] + :return: An instance of LROPoller that returns SecurityDomainOperationStatus. 
The + SecurityDomainOperationStatus is compatible with MutableMapping + :rtype: + ~azure.core.polling.LROPoller[~azure.keyvault.securitydomain.models.SecurityDomainOperationStatus] + :raises ~azure.core.exceptions.HttpResponseError: + """ + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = kwargs.pop("params", {}) or {} + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + cls: ClsType[_models.SecurityDomainOperationStatus] = kwargs.pop("cls", None) + polling: Union[bool, PollingMethod] = kwargs.pop("polling", True) + lro_delay = kwargs.pop("polling_interval", self._config.polling_interval) + cont_token: Optional[str] = kwargs.pop("continuation_token", None) + if cont_token is None: + raw_result = self._upload_initial( + security_domain=security_domain, + content_type=content_type, + cls=lambda x, y, z: x, + headers=_headers, + params=_params, + **kwargs + ) + raw_result.http_response.read() # type: ignore + kwargs.pop("error_map", None) + + def get_long_running_output(pipeline_response): + response_headers = {} + response = pipeline_response.http_response + response_headers["Azure-AsyncOperation"] = self._deserialize( + "str", response.headers.get("Azure-AsyncOperation") + ) + response_headers["Retry-After"] = self._deserialize("int", response.headers.get("Retry-After")) + + deserialized = _deserialize(_models.SecurityDomainOperationStatus, response.json()) + if cls: + return cls(pipeline_response, deserialized, response_headers) # type: ignore + return deserialized + + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + + if polling is True: + polling_method: PollingMethod = cast( + PollingMethod, LROBasePolling(lro_delay, path_format_arguments=path_format_arguments, **kwargs) + ) + elif polling is False: + polling_method = cast(PollingMethod, NoPolling()) + else: + polling_method = 
polling + if cont_token: + return LROPoller[_models.SecurityDomainOperationStatus].from_continuation_token( + polling_method=polling_method, + continuation_token=cont_token, + client=self._client, + deserialization_callback=get_long_running_output, + ) + return LROPoller[_models.SecurityDomainOperationStatus]( + self._client, raw_result, get_long_running_output, polling_method # type: ignore + ) + + @distributed_trace + def get_transfer_key(self, **kwargs: Any) -> _models.TransferKey: + """Retrieve Security Domain transfer key. + + :return: TransferKey. The TransferKey is compatible with MutableMapping + :rtype: ~azure.keyvault.securitydomain.models.TransferKey + :raises ~azure.core.exceptions.HttpResponseError: + """ + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = kwargs.pop("headers", {}) or {} + _params = kwargs.pop("params", {}) or {} + + cls: ClsType[_models.TransferKey] = kwargs.pop("cls", None) + + _request = build_security_domain_get_transfer_key_request( + api_version=self._config.api_version, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = kwargs.pop("stream", False) + pipeline_response: PipelineResponse = self._client._pipeline.run( # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [200]: + if _stream: + try: + response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, error_map=error_map) + error = 
_failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.TransferKey, response.json()) + + if cls: + return cls(pipeline_response, deserialized, {}) # type: ignore + + return deserialized # type: ignore diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_operations/_patch.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_operations/_patch.py new file mode 100644 index 000000000000..f7dd32510333 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_operations/_patch.py @@ -0,0 +1,20 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +"""Customize generated code here. + +Follow our quickstart for examples: https://aka.ms/azsdk/python/dpcodegen/python/customize +""" +from typing import List + +__all__: List[str] = [] # Add all objects you want publicly available to users at this package level + + +def patch_sdk(): + """Do not remove from this file. + + `patch_sdk` is a last resort escape hatch that allows you to do customizations + you can't accomplish using the techniques described in + https://aka.ms/azsdk/python/dpcodegen/python/customize + """ diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_patch.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_patch.py new file mode 100644 index 000000000000..522e805b3b7f --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_patch.py 
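Review bot: Every non-success branch in this hunk (`get_download_status`, `_download_initial`, `get_upload_status`, `_upload_initial`, `get_transfer_key`) builds the error model with `error = _failsafe_deserialize(_models.KeyVaultError, response.json())`, so a non-JSON error body (an HTML page from a proxy or gateway, an empty body on a 5xx) makes `response.json()` raise a decode error before `HttpResponseError` is constructed, and the caller loses the status code and headers it would otherwise get — unless the azure-core version pinned for this package guards `json()` itself, which this diff does not show. Because the file header says changes are lost on regeneration, the guard belongs in the generator or in `_operations/_patch.py`; wrapping the call as `try: error = _failsafe_deserialize(_models.KeyVaultError, response.json())` / `except ValueError: error = None` keeps the `raise HttpResponseError(response=response, model=error)` path intact for any body.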
@@ -0,0 +1,289 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +"""Customize generated code here. + +Follow our quickstart for examples: https://aka.ms/azsdk/python/dpcodegen/python/customize +""" +from copy import deepcopy +from enum import Enum +from typing import Any, IO, List, MutableMapping, overload, Union +from urllib.parse import urlparse + +from azure.core import CaseInsensitiveEnumMeta +from azure.core.credentials import TokenCredential +from azure.core.pipeline.policies import HttpLoggingPolicy +from azure.core.polling import LROPoller +from azure.core.rest import HttpRequest, HttpResponse +from azure.core.tracing.decorator import distributed_trace + +from ._client import SecurityDomainClient as KeyVaultClient +from ._internal import ( + ChallengeAuthPolicy, + SecurityDomainDownloadNoPolling, + SecurityDomainDownloadPolling, + SecurityDomainDownloadPollingMethod, + SecurityDomainUploadPolling, + SecurityDomainUploadPollingMethod, +) +from .models import CertificateInfo, SecurityDomain, SecurityDomainOperationStatus +from ._serialization import Serializer + +JSON = MutableMapping[str, Any] # pylint: disable=unsubscriptable-object + +__all__: List[str] = [ + "SecurityDomainClient", +] # Add all objects you want publicly available to users at this package level + + +class ApiVersion(str, Enum, metaclass=CaseInsensitiveEnumMeta): + """Key Vault API versions supported by this package""" + + #: this is the default version + V7_5 = "7.5" + + +DEFAULT_VERSION = ApiVersion.V7_5 + +_SERIALIZER = Serializer() +_SERIALIZER.client_side_validation = False + + +def _format_api_version(request: HttpRequest, api_version: str) -> HttpRequest: + """Returns a request copy that includes an api-version query parameter if one wasn't originally present. + + :param request: The HTTP request being sent. 
+ :type request: ~azure.core.rest.HttpRequest + :param str api_version: The service API version that the request should include. + + :returns: A copy of the request that includes an api-version query parameter. + :rtype: ~azure.core.rest.HttpRequest + """ + request_copy = deepcopy(request) + params = {"api-version": api_version} # By default, we want to use the client's API version + query = urlparse(request_copy.url).query + + if query: + request_copy.url = request_copy.url.partition("?")[0] + existing_params = {p[0]: p[-1] for p in [p.partition("=") for p in query.split("&")]} + params.update(existing_params) # If an api-version was provided, this will overwrite our default + + # Reconstruct the query parameters onto the URL + query_params = [] + for k, v in params.items(): + query_params.append("{}={}".format(k, v)) + query = "?" + "&".join(query_params) + request_copy.url = request_copy.url + query + return request_copy + + +class SecurityDomainClient(KeyVaultClient): + """Manages the security domain of a Managed HSM. + + :param str vault_url: URL of the vault on which the client will operate. This is also called the vault's "DNS Name". + You should validate that this URL references a valid Key Vault or Managed HSM resource. + See https://aka.ms/azsdk/blog/vault-uri for details. + :param credential: An object which can provide an access token for the vault, such as a credential from + :mod:`azure.identity` + :type credential: ~azure.core.credentials.TokenCredential + + :keyword str api_version: The API version to use for this operation. Default value is "7.5". Note that overriding + this default value may result in unsupported behavior. + :keyword bool verify_challenge_resource: Whether to verify the authentication challenge resource matches the Key + Vault or Managed HSM domain. Defaults to True. 
+ """ + + def __init__(self, vault_url: str, credential: TokenCredential, **kwargs: Any) -> None: + self.api_version = kwargs.pop("api_version", DEFAULT_VERSION) + # If API version was provided as an enum value, need to make a plain string for 3.11 compatibility + if hasattr(self.api_version, "value"): + self.api_version = self.api_version.value + self._vault_url = vault_url.strip(" /") + + http_logging_policy = HttpLoggingPolicy(**kwargs) + http_logging_policy.allowed_header_names.update( + {"x-ms-keyvault-network-info", "x-ms-keyvault-region", "x-ms-keyvault-service-version"} + ) + verify_challenge = kwargs.pop("verify_challenge_resource", True) + super().__init__( + vault_url, + credential, + api_version=self.api_version, + authentication_policy=ChallengeAuthPolicy(credential, verify_challenge_resource=verify_challenge), + http_logging_policy=http_logging_policy, + **kwargs, + ) + + @overload + def begin_download( + self, + certificate_info: CertificateInfo, + *, + content_type: str = "application/json", + skip_activation_polling: bool = False, + **kwargs: Any, + ) -> LROPoller[SecurityDomain]: ... + + @overload + def begin_download( + self, + certificate_info: JSON, + *, + content_type: str = "application/json", + skip_activation_polling: bool = False, + **kwargs: Any, + ) -> LROPoller[SecurityDomain]: ... + + @overload + def begin_download( + self, + certificate_info: IO[bytes], + *, + content_type: str = "application/json", + skip_activation_polling: bool = False, + **kwargs: Any, + ) -> LROPoller[SecurityDomain]: ... + + @distributed_trace + def begin_download( + self, + certificate_info: Union[CertificateInfo, JSON, IO[bytes]], + *, + content_type: str = "application/json", + skip_activation_polling: bool = False, + **kwargs: Any, + ) -> LROPoller[SecurityDomain]: + """Retrieves the Security Domain from the managed HSM. Calling this endpoint can + be used to activate a provisioned managed HSM resource. 
+ + :param certificate_info: The Security Domain download operation requires the customer to provide N + certificates (minimum 3 and maximum 10) containing a public key in JWK format. Required in one of the + following types: CertificateInfo, JSON, or IO[bytes]. + :type certificate_info: ~azure.keyvault.securitydomain.models.CertificateInfo or + JSON or IO[bytes] + :keyword str content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :keyword bool skip_activation_polling: If set to True, the operation will not poll for HSM activation to + complete and calling `.result()` on the poller will return the security domain object immediately. Default + value is False. + + :return: An instance of LROPoller that returns SecurityDomain. The + SecurityDomain is compatible with MutableMapping + :rtype: + ~azure.core.polling.LROPoller[~azure.keyvault.securitydomain.models.SecurityDomain] + :raises ~azure.core.exceptions.HttpResponseError: + """ + delay = kwargs.pop("polling_interval", self._config.polling_interval) + polling_method = ( + SecurityDomainDownloadNoPolling() + if skip_activation_polling is True + else SecurityDomainDownloadPollingMethod(lro_algorithms=[SecurityDomainDownloadPolling()], timeout=delay) + ) + return super()._begin_download( # type: ignore[return-value] + certificate_info, + content_type=content_type, + polling=polling_method, + **kwargs, + ) + + @overload + @distributed_trace + def begin_upload( + self, + security_domain: SecurityDomain, + *, + content_type: str = "application/json", + **kwargs: Any, + ) -> LROPoller[None]: ... + + @overload + @distributed_trace + def begin_upload( + self, + security_domain: JSON, + *, + content_type: str = "application/json", + **kwargs: Any, + ) -> LROPoller[None]: ... + + @overload + @distributed_trace + def begin_upload( + self, + security_domain: IO[bytes], + *, + content_type: str = "application/json", + **kwargs: Any, + ) -> LROPoller[None]: ... 
+ + @distributed_trace + def begin_upload( + self, + security_domain: Union[SecurityDomain, JSON, IO[bytes]], + *, + content_type: str = "application/json", + **kwargs: Any, + ) -> LROPoller[None]: + """Restore the provided Security Domain. + + :param security_domain: The Security Domain to be restored. Required in one of the following types: + SecurityDomain, JSON, or IO[bytes]. + :type security_domain: ~azure.keyvault.securitydomain.models.SecurityDomain or JSON or + IO[bytes] + :keyword str content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + + :return: An instance of LROPoller that returns SecurityDomainOperationStatus. The + SecurityDomainOperationStatus is compatible with MutableMapping + :rtype: + ~azure.core.polling.LROPoller[~azure.keyvault.securitydomain.models.SecurityDomainOperationStatus] + :raises ~azure.core.exceptions.HttpResponseError: + """ + delay = kwargs.pop("polling_interval", self._config.polling_interval) + polling_method = SecurityDomainUploadPollingMethod( + lro_algorithms=[SecurityDomainUploadPolling()], timeout=delay + ) + return super()._begin_upload( # type: ignore[return-value] + security_domain, + content_type=content_type, + polling=polling_method, + **kwargs, + ) + + @property + def vault_url(self) -> str: + return self._vault_url + + @distributed_trace + def send_request(self, request: HttpRequest, *, stream: bool = False, **kwargs: Any) -> HttpResponse: + """Runs a network request using the client's existing pipeline. + + The request URL can be relative to the vault URL. The service API version used for the request is the same as + the client's unless otherwise specified. This method does not raise if the response is an error; to raise an + exception, call `raise_for_status()` on the returned response object. For more information about how to send + custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request. 
+ + :param request: The network request you want to make. + :type request: ~azure.core.rest.HttpRequest + + :keyword bool stream: Whether the response payload will be streamed. Defaults to False. + + :return: The response of your network call. Does not do error handling on your response. + :rtype: ~azure.core.rest.HttpResponse + """ + request_copy = _format_api_version(request, self.api_version) + path_format_arguments = { + "vaultBaseUrl": _SERIALIZER.url("vault_base_url", self._vault_url, "str", skip_quote=True), + } + request_copy.url = self._client.format_url(request_copy.url, **path_format_arguments) + return self._client.send_request(request_copy, stream=stream, **kwargs) + + +def patch_sdk(): + """Do not remove from this file. + + `patch_sdk` is a last resort escape hatch that allows you to do customizations + you can't accomplish using the techniques described in + https://aka.ms/azsdk/python/dpcodegen/python/customize + """ diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_serialization.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_serialization.py new file mode 100644 index 000000000000..7a0232de5ddc --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_serialization.py 
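Review bot: `begin_upload` in this hunk is annotated `-> LROPoller[None]` on all three overloads and the implementation, while its docstring says `An instance of LROPoller that returns SecurityDomainOperationStatus` with `:rtype: ~azure.core.polling.LROPoller[~azure.keyvault.securitydomain.models.SecurityDomainOperationStatus]`; one of the two is wrong, and users reading the rendered docs will call `.result()` expecting a status object. The `# type: ignore[return-value]` on the `super()._begin_upload(...)` return suggests the custom `SecurityDomainUploadPollingMethod` (defined in `_internal`, not in this hunk) yields `None`, in which case the docstring should read `:return: An instance of LROPoller that returns None` and `:rtype: ~azure.core.polling.LROPoller[None]`. The `vault_url` property has no docstring; `"""URL of the vault this client operates on, as passed to the constructor with surrounding spaces and slashes stripped."""` documents what `__init__` actually stores in `self._vault_url`.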
@@ -0,0 +1,2050 @@ +# pylint: disable=line-too-long,useless-suppression,too-many-lines +# -------------------------------------------------------------------------- +# +# Copyright (c) Microsoft Corporation. All rights reserved. +# +# The MIT License (MIT) +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the ""Software""), to +# deal in the Software without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +# sell copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED *AS IS*, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS +# IN THE SOFTWARE. 
+# +# -------------------------------------------------------------------------- + +# pyright: reportUnnecessaryTypeIgnoreComment=false + +from base64 import b64decode, b64encode +import calendar +import datetime +import decimal +import email +from enum import Enum +import json +import logging +import re +import sys +import codecs +from typing import ( + Dict, + Any, + cast, + Optional, + Union, + AnyStr, + IO, + Mapping, + Callable, + MutableMapping, + List, +) + +try: + from urllib import quote # type: ignore +except ImportError: + from urllib.parse import quote +import xml.etree.ElementTree as ET + +import isodate # type: ignore +from typing_extensions import Self + +from azure.core.exceptions import DeserializationError, SerializationError +from azure.core.serialization import NULL as CoreNull + +_BOM = codecs.BOM_UTF8.decode(encoding="utf-8") + +JSON = MutableMapping[str, Any] + + +class RawDeserializer: + + # Accept "text" because we're open minded people... + JSON_REGEXP = re.compile(r"^(application|text)/([a-z+.]+\+)?json$") + + # Name used in context + CONTEXT_NAME = "deserialized_data" + + @classmethod + def deserialize_from_text(cls, data: Optional[Union[AnyStr, IO]], content_type: Optional[str] = None) -> Any: + """Decode data according to content-type. + + Accept a stream of data as well, but will be load at once in memory for now. + + If no content-type, will return the string version (not bytes, not stream) + + :param data: Input, could be bytes or stream (will be decoded with UTF8) or text + :type data: str or bytes or IO + :param str content_type: The content type. + :return: The deserialized data. + :rtype: object + """ + if hasattr(data, "read"): + # Assume a stream + data = cast(IO, data).read() + + if isinstance(data, bytes): + data_as_str = data.decode(encoding="utf-8-sig") + else: + # Explain to mypy the correct type. 
+ data_as_str = cast(str, data) + + # Remove Byte Order Mark if present in string + data_as_str = data_as_str.lstrip(_BOM) + + if content_type is None: + return data + + if cls.JSON_REGEXP.match(content_type): + try: + return json.loads(data_as_str) + except ValueError as err: + raise DeserializationError("JSON is invalid: {}".format(err), err) from err + elif "xml" in (content_type or []): + try: + + try: + if isinstance(data, unicode): # type: ignore + # If I'm Python 2.7 and unicode XML will scream if I try a "fromstring" on unicode string + data_as_str = data_as_str.encode(encoding="utf-8") # type: ignore + except NameError: + pass + + return ET.fromstring(data_as_str) # nosec + except ET.ParseError as err: + # It might be because the server has an issue, and returned JSON with + # content-type XML.... + # So let's try a JSON load, and if it's still broken + # let's flow the initial exception + def _json_attemp(data): + try: + return True, json.loads(data) + except ValueError: + return False, None # Don't care about this one + + success, json_result = _json_attemp(data) + if success: + return json_result + # If i'm here, it's not JSON, it's not XML, let's scream + # and raise the last context in this block (the XML exception) + # The function hack is because Py2.7 messes up with exception + # context otherwise. + _LOGGER.critical("Wasn't XML not JSON, failing") + raise DeserializationError("XML is invalid") from err + elif content_type.startswith("text/"): + return data_as_str + raise DeserializationError("Cannot deserialize content-type: {}".format(content_type)) + + @classmethod + def deserialize_from_http_generics(cls, body_bytes: Optional[Union[AnyStr, IO]], headers: Mapping) -> Any: + """Deserialize from HTTP response. + + Use bytes and headers to NOT use any requests/aiohttp or whatever + specific implementation. + Headers will tested for "content-type" + + :param bytes body_bytes: The body of the response. 
+ :param dict headers: The headers of the response. + :returns: The deserialized data. + :rtype: object + """ + # Try to use content-type from headers if available + content_type = None + if "content-type" in headers: + content_type = headers["content-type"].split(";")[0].strip().lower() + # Ouch, this server did not declare what it sent... + # Let's guess it's JSON... + # Also, since Autorest was considering that an empty body was a valid JSON, + # need that test as well.... + else: + content_type = "application/json" + + if body_bytes: + return cls.deserialize_from_text(body_bytes, content_type) + return None + + +_LOGGER = logging.getLogger(__name__) + +try: + _long_type = long # type: ignore +except NameError: + _long_type = int + +TZ_UTC = datetime.timezone.utc + +_FLATTEN = re.compile(r"(? None: + self.additional_properties: Optional[Dict[str, Any]] = {} + for k in kwargs: # pylint: disable=consider-using-dict-items + if k not in self._attribute_map: + _LOGGER.warning("%s is not a known attribute of class %s and will be ignored", k, self.__class__) + elif k in self._validation and self._validation[k].get("readonly", False): + _LOGGER.warning("Readonly attribute %s will be ignored in class %s", k, self.__class__) + else: + setattr(self, k, kwargs[k]) + + def __eq__(self, other: Any) -> bool: + """Compare objects by comparing all attributes. + + :param object other: The object to compare + :returns: True if objects are equal + :rtype: bool + """ + if isinstance(other, self.__class__): + return self.__dict__ == other.__dict__ + return False + + def __ne__(self, other: Any) -> bool: + """Compare objects by comparing all attributes. 
+ + :param object other: The object to compare + :returns: True if objects are not equal + :rtype: bool + """ + return not self.__eq__(other) + + def __str__(self) -> str: + return str(self.__dict__) + + @classmethod + def enable_additional_properties_sending(cls) -> None: + cls._attribute_map["additional_properties"] = {"key": "", "type": "{object}"} + + @classmethod + def is_xml_model(cls) -> bool: + try: + cls._xml_map # type: ignore + except AttributeError: + return False + return True + + @classmethod + def _create_xml_node(cls): + """Create XML node. + + :returns: The XML node + :rtype: xml.etree.ElementTree.Element + """ + try: + xml_map = cls._xml_map # type: ignore + except AttributeError: + xml_map = {} + + return _create_xml_node(xml_map.get("name", cls.__name__), xml_map.get("prefix", None), xml_map.get("ns", None)) + + def serialize(self, keep_readonly: bool = False, **kwargs: Any) -> JSON: + """Return the JSON that would be sent to server from this model. + + This is an alias to `as_dict(full_restapi_key_transformer, keep_readonly=False)`. + + If you want XML serialization, you can pass the kwargs is_xml=True. + + :param bool keep_readonly: If you want to serialize the readonly attributes + :returns: A dict JSON compatible object + :rtype: dict + """ + serializer = Serializer(self._infer_class_models()) + return serializer._serialize( # type: ignore # pylint: disable=protected-access + self, keep_readonly=keep_readonly, **kwargs + ) + + def as_dict( + self, + keep_readonly: bool = True, + key_transformer: Callable[[str, Dict[str, Any], Any], Any] = attribute_transformer, + **kwargs: Any + ) -> JSON: + """Return a dict that can be serialized using json.dump. + + Advanced usage might optionally use a callback as parameter: + + .. code::python + + def my_key_transformer(key, attr_desc, value): + return key + + Key is the attribute name used in Python. Attr_desc + is a dict of metadata. 
Currently contains 'type' with the + msrest type and 'key' with the RestAPI encoded key. + Value is the current value in this object. + + The string returned will be used to serialize the key. + If the return type is a list, this is considered hierarchical + result dict. + + See the three examples in this file: + + - attribute_transformer + - full_restapi_key_transformer + - last_restapi_key_transformer + + If you want XML serialization, you can pass the kwargs is_xml=True. + + :param bool keep_readonly: If you want to serialize the readonly attributes + :param function key_transformer: A key transformer function. + :returns: A dict JSON compatible object + :rtype: dict + """ + serializer = Serializer(self._infer_class_models()) + return serializer._serialize( # type: ignore # pylint: disable=protected-access + self, key_transformer=key_transformer, keep_readonly=keep_readonly, **kwargs + ) + + @classmethod + def _infer_class_models(cls): + try: + str_models = cls.__module__.rsplit(".", 1)[0] + models = sys.modules[str_models] + client_models = {k: v for k, v in models.__dict__.items() if isinstance(v, type)} + if cls.__name__ not in client_models: + raise ValueError("Not Autorest generated code") + except Exception: # pylint: disable=broad-exception-caught + # Assume it's not Autorest generated (tests?). Add ourselves as dependencies. + client_models = {cls.__name__: cls} + return client_models + + @classmethod + def deserialize(cls, data: Any, content_type: Optional[str] = None) -> Self: + """Parse a str using the RestAPI syntax and return a model. + + :param str data: A str using RestAPI structure. JSON by default. + :param str content_type: JSON by default, set application/xml if XML. 
+ :returns: An instance of this model + :raises DeserializationError: if something went wrong + :rtype: Self + """ + deserializer = Deserializer(cls._infer_class_models()) + return deserializer(cls.__name__, data, content_type=content_type) # type: ignore + + @classmethod + def from_dict( + cls, + data: Any, + key_extractors: Optional[Callable[[str, Dict[str, Any], Any], Any]] = None, + content_type: Optional[str] = None, + ) -> Self: + """Parse a dict using given key extractor return a model. + + By default consider key + extractors (rest_key_case_insensitive_extractor, attribute_key_case_insensitive_extractor + and last_rest_key_case_insensitive_extractor) + + :param dict data: A dict using RestAPI structure + :param function key_extractors: A key extractor function. + :param str content_type: JSON by default, set application/xml if XML. + :returns: An instance of this model + :raises DeserializationError: if something went wrong + :rtype: Self + """ + deserializer = Deserializer(cls._infer_class_models()) + deserializer.key_extractors = ( # type: ignore + [ # type: ignore + attribute_key_case_insensitive_extractor, + rest_key_case_insensitive_extractor, + last_rest_key_case_insensitive_extractor, + ] + if key_extractors is None + else key_extractors + ) + return deserializer(cls.__name__, data, content_type=content_type) # type: ignore + + @classmethod + def _flatten_subtype(cls, key, objects): + if "_subtype_map" not in cls.__dict__: + return {} + result = dict(cls._subtype_map[key]) + for valuetype in cls._subtype_map[key].values(): + result.update(objects[valuetype]._flatten_subtype(key, objects)) # pylint: disable=protected-access + return result + + @classmethod + def _classify(cls, response, objects): + """Check the class _subtype_map for any child classes. + We want to ignore any inherited _subtype_maps. 
+ + :param dict response: The initial data + :param dict objects: The class objects + :returns: The class to be used + :rtype: class + """ + for subtype_key in cls.__dict__.get("_subtype_map", {}).keys(): + subtype_value = None + + if not isinstance(response, ET.Element): + rest_api_response_key = cls._get_rest_key_parts(subtype_key)[-1] + subtype_value = response.get(rest_api_response_key, None) or response.get(subtype_key, None) + else: + subtype_value = xml_key_extractor(subtype_key, cls._attribute_map[subtype_key], response) + if subtype_value: + # Try to match base class. Can be class name only + # (bug to fix in Autorest to support x-ms-discriminator-name) + if cls.__name__ == subtype_value: + return cls + flatten_mapping_type = cls._flatten_subtype(subtype_key, objects) + try: + return objects[flatten_mapping_type[subtype_value]] # type: ignore + except KeyError: + _LOGGER.warning( + "Subtype value %s has no mapping, use base class %s.", + subtype_value, + cls.__name__, + ) + break + else: + _LOGGER.warning("Discriminator %s is absent or null, use base class %s.", subtype_key, cls.__name__) + break + return cls + + @classmethod + def _get_rest_key_parts(cls, attr_key): + """Get the RestAPI key of this attr, split it and decode part + :param str attr_key: Attribute key must be in attribute_map. + :returns: A list of RestAPI part + :rtype: list + """ + rest_split_key = _FLATTEN.split(cls._attribute_map[attr_key]["key"]) + return [_decode_attribute_map_key(key_part) for key_part in rest_split_key] + + +def _decode_attribute_map_key(key): + """This decode a key in an _attribute_map to the actual key we want to look at + inside the received data. 
+ + :param str key: A key string from the generated code + :returns: The decoded key + :rtype: str + """ + return key.replace("\\.", ".") + + +class Serializer: # pylint: disable=too-many-public-methods + """Request object model serializer.""" + + basic_types = {str: "str", int: "int", bool: "bool", float: "float"} + + _xml_basic_types_serializers = {"bool": lambda x: str(x).lower()} + days = {0: "Mon", 1: "Tue", 2: "Wed", 3: "Thu", 4: "Fri", 5: "Sat", 6: "Sun"} + months = { + 1: "Jan", + 2: "Feb", + 3: "Mar", + 4: "Apr", + 5: "May", + 6: "Jun", + 7: "Jul", + 8: "Aug", + 9: "Sep", + 10: "Oct", + 11: "Nov", + 12: "Dec", + } + validation = { + "min_length": lambda x, y: len(x) < y, + "max_length": lambda x, y: len(x) > y, + "minimum": lambda x, y: x < y, + "maximum": lambda x, y: x > y, + "minimum_ex": lambda x, y: x <= y, + "maximum_ex": lambda x, y: x >= y, + "min_items": lambda x, y: len(x) < y, + "max_items": lambda x, y: len(x) > y, + "pattern": lambda x, y: not re.match(y, x, re.UNICODE), + "unique": lambda x, y: len(x) != len(set(x)), + "multiple": lambda x, y: x % y != 0, + } + + def __init__(self, classes: Optional[Mapping[str, type]] = None) -> None: + self.serialize_type = { + "iso-8601": Serializer.serialize_iso, + "rfc-1123": Serializer.serialize_rfc, + "unix-time": Serializer.serialize_unix, + "duration": Serializer.serialize_duration, + "date": Serializer.serialize_date, + "time": Serializer.serialize_time, + "decimal": Serializer.serialize_decimal, + "long": Serializer.serialize_long, + "bytearray": Serializer.serialize_bytearray, + "base64": Serializer.serialize_base64, + "object": self.serialize_object, + "[]": self.serialize_iter, + "{}": self.serialize_dict, + } + self.dependencies: Dict[str, type] = dict(classes) if classes else {} + self.key_transformer = full_restapi_key_transformer + self.client_side_validation = True + + def _serialize( # pylint: disable=too-many-nested-blocks, too-many-branches, too-many-statements, too-many-locals + self, 
target_obj, data_type=None, **kwargs + ): + """Serialize data into a string according to type. + + :param object target_obj: The data to be serialized. + :param str data_type: The type to be serialized from. + :rtype: str, dict + :raises SerializationError: if serialization fails. + :returns: The serialized data. + """ + key_transformer = kwargs.get("key_transformer", self.key_transformer) + keep_readonly = kwargs.get("keep_readonly", False) + if target_obj is None: + return None + + attr_name = None + class_name = target_obj.__class__.__name__ + + if data_type: + return self.serialize_data(target_obj, data_type, **kwargs) + + if not hasattr(target_obj, "_attribute_map"): + data_type = type(target_obj).__name__ + if data_type in self.basic_types.values(): + return self.serialize_data(target_obj, data_type, **kwargs) + + # Force "is_xml" kwargs if we detect a XML model + try: + is_xml_model_serialization = kwargs["is_xml"] + except KeyError: + is_xml_model_serialization = kwargs.setdefault("is_xml", target_obj.is_xml_model()) + + serialized = {} + if is_xml_model_serialization: + serialized = target_obj._create_xml_node() # pylint: disable=protected-access + try: + attributes = target_obj._attribute_map # pylint: disable=protected-access + for attr, attr_desc in attributes.items(): + attr_name = attr + if not keep_readonly and target_obj._validation.get( # pylint: disable=protected-access + attr_name, {} + ).get("readonly", False): + continue + + if attr_name == "additional_properties" and attr_desc["key"] == "": + if target_obj.additional_properties is not None: + serialized.update(target_obj.additional_properties) + continue + try: + + orig_attr = getattr(target_obj, attr) + if is_xml_model_serialization: + pass # Don't provide "transformer" for XML for now. 
Keep "orig_attr" + else: # JSON + keys, orig_attr = key_transformer(attr, attr_desc.copy(), orig_attr) + keys = keys if isinstance(keys, list) else [keys] + + kwargs["serialization_ctxt"] = attr_desc + new_attr = self.serialize_data(orig_attr, attr_desc["type"], **kwargs) + + if is_xml_model_serialization: + xml_desc = attr_desc.get("xml", {}) + xml_name = xml_desc.get("name", attr_desc["key"]) + xml_prefix = xml_desc.get("prefix", None) + xml_ns = xml_desc.get("ns", None) + if xml_desc.get("attr", False): + if xml_ns: + ET.register_namespace(xml_prefix, xml_ns) + xml_name = "{{{}}}{}".format(xml_ns, xml_name) + serialized.set(xml_name, new_attr) # type: ignore + continue + if xml_desc.get("text", False): + serialized.text = new_attr # type: ignore + continue + if isinstance(new_attr, list): + serialized.extend(new_attr) # type: ignore + elif isinstance(new_attr, ET.Element): + # If the down XML has no XML/Name, + # we MUST replace the tag with the local tag. But keeping the namespaces. 
+ if "name" not in getattr(orig_attr, "_xml_map", {}): + splitted_tag = new_attr.tag.split("}") + if len(splitted_tag) == 2: # Namespace + new_attr.tag = "}".join([splitted_tag[0], xml_name]) + else: + new_attr.tag = xml_name + serialized.append(new_attr) # type: ignore + else: # That's a basic type + # Integrate namespace if necessary + local_node = _create_xml_node(xml_name, xml_prefix, xml_ns) + local_node.text = str(new_attr) + serialized.append(local_node) # type: ignore + else: # JSON + for k in reversed(keys): # type: ignore + new_attr = {k: new_attr} + + _new_attr = new_attr + _serialized = serialized + for k in keys: # type: ignore + if k not in _serialized: + _serialized.update(_new_attr) # type: ignore + _new_attr = _new_attr[k] # type: ignore + _serialized = _serialized[k] + except ValueError as err: + if isinstance(err, SerializationError): + raise + + except (AttributeError, KeyError, TypeError) as err: + msg = "Attribute {} in object {} cannot be serialized.\n{}".format(attr_name, class_name, str(target_obj)) + raise SerializationError(msg) from err + return serialized + + def body(self, data, data_type, **kwargs): + """Serialize data intended for a request body. + + :param object data: The data to be serialized. + :param str data_type: The type to be serialized from. + :rtype: dict + :raises SerializationError: if serialization fails. 
+ :raises ValueError: if data is None + :returns: The serialized request body + """ + + # Just in case this is a dict + internal_data_type_str = data_type.strip("[]{}") + internal_data_type = self.dependencies.get(internal_data_type_str, None) + try: + is_xml_model_serialization = kwargs["is_xml"] + except KeyError: + if internal_data_type and issubclass(internal_data_type, Model): + is_xml_model_serialization = kwargs.setdefault("is_xml", internal_data_type.is_xml_model()) + else: + is_xml_model_serialization = False + if internal_data_type and not isinstance(internal_data_type, Enum): + try: + deserializer = Deserializer(self.dependencies) + # Since it's on serialization, it's almost sure that format is not JSON REST + # We're not able to deal with additional properties for now. + deserializer.additional_properties_detection = False + if is_xml_model_serialization: + deserializer.key_extractors = [ # type: ignore + attribute_key_case_insensitive_extractor, + ] + else: + deserializer.key_extractors = [ + rest_key_case_insensitive_extractor, + attribute_key_case_insensitive_extractor, + last_rest_key_case_insensitive_extractor, + ] + data = deserializer._deserialize(data_type, data) # pylint: disable=protected-access + except DeserializationError as err: + raise SerializationError("Unable to build a model: " + str(err)) from err + + return self._serialize(data, data_type, **kwargs) + + def url(self, name, data, data_type, **kwargs): + """Serialize data intended for a URL path. + + :param str name: The name of the URL path parameter. + :param object data: The data to be serialized. + :param str data_type: The type to be serialized from. + :rtype: str + :returns: The serialized URL path + :raises TypeError: if serialization fails. 
+ :raises ValueError: if data is None + """ + try: + output = self.serialize_data(data, data_type, **kwargs) + if data_type == "bool": + output = json.dumps(output) + + if kwargs.get("skip_quote") is True: + output = str(output) + output = output.replace("{", quote("{")).replace("}", quote("}")) + else: + output = quote(str(output), safe="") + except SerializationError as exc: + raise TypeError("{} must be type {}.".format(name, data_type)) from exc + return output + + def query(self, name, data, data_type, **kwargs): + """Serialize data intended for a URL query. + + :param str name: The name of the query parameter. + :param object data: The data to be serialized. + :param str data_type: The type to be serialized from. + :rtype: str, list + :raises TypeError: if serialization fails. + :raises ValueError: if data is None + :returns: The serialized query parameter + """ + try: + # Treat the list aside, since we don't want to encode the div separator + if data_type.startswith("["): + internal_data_type = data_type[1:-1] + do_quote = not kwargs.get("skip_quote", False) + return self.serialize_iter(data, internal_data_type, do_quote=do_quote, **kwargs) + + # Not a list, regular serialization + output = self.serialize_data(data, data_type, **kwargs) + if data_type == "bool": + output = json.dumps(output) + if kwargs.get("skip_quote") is True: + output = str(output) + else: + output = quote(str(output), safe="") + except SerializationError as exc: + raise TypeError("{} must be type {}.".format(name, data_type)) from exc + return str(output) + + def header(self, name, data, data_type, **kwargs): + """Serialize data intended for a request header. + + :param str name: The name of the header. + :param object data: The data to be serialized. + :param str data_type: The type to be serialized from. + :rtype: str + :raises TypeError: if serialization fails. 
+ :raises ValueError: if data is None + :returns: The serialized header + """ + try: + if data_type in ["[str]"]: + data = ["" if d is None else d for d in data] + + output = self.serialize_data(data, data_type, **kwargs) + if data_type == "bool": + output = json.dumps(output) + except SerializationError as exc: + raise TypeError("{} must be type {}.".format(name, data_type)) from exc + return str(output) + + def serialize_data(self, data, data_type, **kwargs): + """Serialize generic data according to supplied data type. + + :param object data: The data to be serialized. + :param str data_type: The type to be serialized from. + :raises AttributeError: if required data is None. + :raises ValueError: if data is None + :raises SerializationError: if serialization fails. + :returns: The serialized data. + :rtype: str, int, float, bool, dict, list + """ + if data is None: + raise ValueError("No value for given attribute") + + try: + if data is CoreNull: + return None + if data_type in self.basic_types.values(): + return self.serialize_basic(data, data_type, **kwargs) + + if data_type in self.serialize_type: + return self.serialize_type[data_type](data, **kwargs) + + # If dependencies is empty, try with current data class + # It has to be a subclass of Enum anyway + enum_type = self.dependencies.get(data_type, data.__class__) + if issubclass(enum_type, Enum): + return Serializer.serialize_enum(data, enum_obj=enum_type) + + iter_type = data_type[0] + data_type[-1] + if iter_type in self.serialize_type: + return self.serialize_type[iter_type](data, data_type[1:-1], **kwargs) + + except (ValueError, TypeError) as err: + msg = "Unable to serialize value: {!r} as type: {!r}." 
+ raise SerializationError(msg.format(data, data_type)) from err + return self._serialize(data, **kwargs) + + @classmethod + def _get_custom_serializers(cls, data_type, **kwargs): # pylint: disable=inconsistent-return-statements + custom_serializer = kwargs.get("basic_types_serializers", {}).get(data_type) + if custom_serializer: + return custom_serializer + if kwargs.get("is_xml", False): + return cls._xml_basic_types_serializers.get(data_type) + + @classmethod + def serialize_basic(cls, data, data_type, **kwargs): + """Serialize basic builting data type. + Serializes objects to str, int, float or bool. + + Possible kwargs: + - basic_types_serializers dict[str, callable] : If set, use the callable as serializer + - is_xml bool : If set, use xml_basic_types_serializers + + :param obj data: Object to be serialized. + :param str data_type: Type of object in the iterable. + :rtype: str, int, float, bool + :return: serialized object + """ + custom_serializer = cls._get_custom_serializers(data_type, **kwargs) + if custom_serializer: + return custom_serializer(data) + if data_type == "str": + return cls.serialize_unicode(data) + return eval(data_type)(data) # nosec # pylint: disable=eval-used + + @classmethod + def serialize_unicode(cls, data): + """Special handling for serializing unicode strings in Py2. + Encode to UTF-8 if unicode, otherwise handle as a str. + + :param str data: Object to be serialized. + :rtype: str + :return: serialized object + """ + try: # If I received an enum, return its value + return data.value + except AttributeError: + pass + + try: + if isinstance(data, unicode): # type: ignore + # Don't change it, JSON and XML ElementTree are totally able + # to serialize correctly u'' strings + return data + except NameError: + return str(data) + return str(data) + + def serialize_iter(self, data, iter_type, div=None, **kwargs): + """Serialize iterable. 
+ + Supported kwargs: + - serialization_ctxt dict : The current entry of _attribute_map, or same format. + serialization_ctxt['type'] should be same as data_type. + - is_xml bool : If set, serialize as XML + + :param list data: Object to be serialized. + :param str iter_type: Type of object in the iterable. + :param str div: If set, this str will be used to combine the elements + in the iterable into a combined string. Default is 'None'. + Defaults to False. + :rtype: list, str + :return: serialized iterable + """ + if isinstance(data, str): + raise SerializationError("Refuse str type as a valid iter type.") + + serialization_ctxt = kwargs.get("serialization_ctxt", {}) + is_xml = kwargs.get("is_xml", False) + + serialized = [] + for d in data: + try: + serialized.append(self.serialize_data(d, iter_type, **kwargs)) + except ValueError as err: + if isinstance(err, SerializationError): + raise + serialized.append(None) + + if kwargs.get("do_quote", False): + serialized = ["" if s is None else quote(str(s), safe="") for s in serialized] + + if div: + serialized = ["" if s is None else str(s) for s in serialized] + serialized = div.join(serialized) + + if "xml" in serialization_ctxt or is_xml: + # XML serialization is more complicated + xml_desc = serialization_ctxt.get("xml", {}) + xml_name = xml_desc.get("name") + if not xml_name: + xml_name = serialization_ctxt["key"] + + # Create a wrap node if necessary (use the fact that Element and list have "append") + is_wrapped = xml_desc.get("wrapped", False) + node_name = xml_desc.get("itemsName", xml_name) + if is_wrapped: + final_result = _create_xml_node(xml_name, xml_desc.get("prefix", None), xml_desc.get("ns", None)) + else: + final_result = [] + # All list elements to "local_node" + for el in serialized: + if isinstance(el, ET.Element): + el_node = el + else: + el_node = _create_xml_node(node_name, xml_desc.get("prefix", None), xml_desc.get("ns", None)) + if el is not None: # Otherwise it writes "None" :-p + 
el_node.text = str(el) + final_result.append(el_node) + return final_result + return serialized + + def serialize_dict(self, attr, dict_type, **kwargs): + """Serialize a dictionary of objects. + + :param dict attr: Object to be serialized. + :param str dict_type: Type of object in the dictionary. + :rtype: dict + :return: serialized dictionary + """ + serialization_ctxt = kwargs.get("serialization_ctxt", {}) + serialized = {} + for key, value in attr.items(): + try: + serialized[self.serialize_unicode(key)] = self.serialize_data(value, dict_type, **kwargs) + except ValueError as err: + if isinstance(err, SerializationError): + raise + serialized[self.serialize_unicode(key)] = None + + if "xml" in serialization_ctxt: + # XML serialization is more complicated + xml_desc = serialization_ctxt["xml"] + xml_name = xml_desc["name"] + + final_result = _create_xml_node(xml_name, xml_desc.get("prefix", None), xml_desc.get("ns", None)) + for key, value in serialized.items(): + ET.SubElement(final_result, key).text = value + return final_result + + return serialized + + def serialize_object(self, attr, **kwargs): # pylint: disable=too-many-return-statements + """Serialize a generic object. + This will be handled as a dictionary. If object passed in is not + a basic type (str, int, float, dict, list) it will simply be + cast to str. + + :param dict attr: Object to be serialized. 
+ :rtype: dict or str + :return: serialized object + """ + if attr is None: + return None + if isinstance(attr, ET.Element): + return attr + obj_type = type(attr) + if obj_type in self.basic_types: + return self.serialize_basic(attr, self.basic_types[obj_type], **kwargs) + if obj_type is _long_type: + return self.serialize_long(attr) + if obj_type is str: + return self.serialize_unicode(attr) + if obj_type is datetime.datetime: + return self.serialize_iso(attr) + if obj_type is datetime.date: + return self.serialize_date(attr) + if obj_type is datetime.time: + return self.serialize_time(attr) + if obj_type is datetime.timedelta: + return self.serialize_duration(attr) + if obj_type is decimal.Decimal: + return self.serialize_decimal(attr) + + # If it's a model or I know this dependency, serialize as a Model + if obj_type in self.dependencies.values() or isinstance(attr, Model): + return self._serialize(attr) + + if obj_type == dict: + serialized = {} + for key, value in attr.items(): + try: + serialized[self.serialize_unicode(key)] = self.serialize_object(value, **kwargs) + except ValueError: + serialized[self.serialize_unicode(key)] = None + return serialized + + if obj_type == list: + serialized = [] + for obj in attr: + try: + serialized.append(self.serialize_object(obj, **kwargs)) + except ValueError: + pass + return serialized + return str(attr) + + @staticmethod + def serialize_enum(attr, enum_obj=None): + try: + result = attr.value + except AttributeError: + result = attr + try: + enum_obj(result) # type: ignore + return result + except ValueError as exc: + for enum_value in enum_obj: # type: ignore + if enum_value.value.lower() == str(attr).lower(): + return enum_value.value + error = "{!r} is not valid value for enum {!r}" + raise SerializationError(error.format(attr, enum_obj)) from exc + + @staticmethod + def serialize_bytearray(attr, **kwargs): # pylint: disable=unused-argument + """Serialize bytearray into base-64 string. 
+ + :param str attr: Object to be serialized. + :rtype: str + :return: serialized base64 + """ + return b64encode(attr).decode() + + @staticmethod + def serialize_base64(attr, **kwargs): # pylint: disable=unused-argument + """Serialize str into base-64 string. + + :param str attr: Object to be serialized. + :rtype: str + :return: serialized base64 + """ + encoded = b64encode(attr).decode("ascii") + return encoded.strip("=").replace("+", "-").replace("/", "_") + + @staticmethod + def serialize_decimal(attr, **kwargs): # pylint: disable=unused-argument + """Serialize Decimal object to float. + + :param decimal attr: Object to be serialized. + :rtype: float + :return: serialized decimal + """ + return float(attr) + + @staticmethod + def serialize_long(attr, **kwargs): # pylint: disable=unused-argument + """Serialize long (Py2) or int (Py3). + + :param int attr: Object to be serialized. + :rtype: int/long + :return: serialized long + """ + return _long_type(attr) + + @staticmethod + def serialize_date(attr, **kwargs): # pylint: disable=unused-argument + """Serialize Date object into ISO-8601 formatted string. + + :param Date attr: Object to be serialized. + :rtype: str + :return: serialized date + """ + if isinstance(attr, str): + attr = isodate.parse_date(attr) + t = "{:04}-{:02}-{:02}".format(attr.year, attr.month, attr.day) + return t + + @staticmethod + def serialize_time(attr, **kwargs): # pylint: disable=unused-argument + """Serialize Time object into ISO-8601 formatted string. + + :param datetime.time attr: Object to be serialized. + :rtype: str + :return: serialized time + """ + if isinstance(attr, str): + attr = isodate.parse_time(attr) + t = "{:02}:{:02}:{:02}".format(attr.hour, attr.minute, attr.second) + if attr.microsecond: + t += ".{:02}".format(attr.microsecond) + return t + + @staticmethod + def serialize_duration(attr, **kwargs): # pylint: disable=unused-argument + """Serialize TimeDelta object into ISO-8601 formatted string. 
+ + :param TimeDelta attr: Object to be serialized. + :rtype: str + :return: serialized duration + """ + if isinstance(attr, str): + attr = isodate.parse_duration(attr) + return isodate.duration_isoformat(attr) + + @staticmethod + def serialize_rfc(attr, **kwargs): # pylint: disable=unused-argument + """Serialize Datetime object into RFC-1123 formatted string. + + :param Datetime attr: Object to be serialized. + :rtype: str + :raises TypeError: if format invalid. + :return: serialized rfc + """ + try: + if not attr.tzinfo: + _LOGGER.warning("Datetime with no tzinfo will be considered UTC.") + utc = attr.utctimetuple() + except AttributeError as exc: + raise TypeError("RFC1123 object must be valid Datetime object.") from exc + + return "{}, {:02} {} {:04} {:02}:{:02}:{:02} GMT".format( + Serializer.days[utc.tm_wday], + utc.tm_mday, + Serializer.months[utc.tm_mon], + utc.tm_year, + utc.tm_hour, + utc.tm_min, + utc.tm_sec, + ) + + @staticmethod + def serialize_iso(attr, **kwargs): # pylint: disable=unused-argument + """Serialize Datetime object into ISO-8601 formatted string. + + :param Datetime attr: Object to be serialized. + :rtype: str + :raises SerializationError: if format invalid. + :return: serialized iso + """ + if isinstance(attr, str): + attr = isodate.parse_datetime(attr) + try: + if not attr.tzinfo: + _LOGGER.warning("Datetime with no tzinfo will be considered UTC.") + utc = attr.utctimetuple() + if utc.tm_year > 9999 or utc.tm_year < 1: + raise OverflowError("Hit max or min date") + + microseconds = str(attr.microsecond).rjust(6, "0").rstrip("0").ljust(3, "0") + if microseconds: + microseconds = "." + microseconds + date = "{:04}-{:02}-{:02}T{:02}:{:02}:{:02}".format( + utc.tm_year, utc.tm_mon, utc.tm_mday, utc.tm_hour, utc.tm_min, utc.tm_sec + ) + return date + microseconds + "Z" + except (ValueError, OverflowError) as err: + msg = "Unable to serialize datetime object." 
+ raise SerializationError(msg) from err + except AttributeError as err: + msg = "ISO-8601 object must be valid Datetime object." + raise TypeError(msg) from err + + @staticmethod + def serialize_unix(attr, **kwargs): # pylint: disable=unused-argument + """Serialize Datetime object into IntTime format. + This is represented as seconds. + + :param Datetime attr: Object to be serialized. + :rtype: int + :raises SerializationError: if format invalid + :return: serialied unix + """ + if isinstance(attr, int): + return attr + try: + if not attr.tzinfo: + _LOGGER.warning("Datetime with no tzinfo will be considered UTC.") + return int(calendar.timegm(attr.utctimetuple())) + except AttributeError as exc: + raise TypeError("Unix time object must be valid Datetime object.") from exc + + +def rest_key_extractor(attr, attr_desc, data): # pylint: disable=unused-argument + key = attr_desc["key"] + working_data = data + + while "." in key: + # Need the cast, as for some reasons "split" is typed as list[str | Any] + dict_keys = cast(List[str], _FLATTEN.split(key)) + if len(dict_keys) == 1: + key = _decode_attribute_map_key(dict_keys[0]) + break + working_key = _decode_attribute_map_key(dict_keys[0]) + working_data = working_data.get(working_key, data) + if working_data is None: + # If at any point while following flatten JSON path see None, it means + # that all properties under are None as well + return None + key = ".".join(dict_keys[1:]) + + return working_data.get(key) + + +def rest_key_case_insensitive_extractor( # pylint: disable=unused-argument, inconsistent-return-statements + attr, attr_desc, data +): + key = attr_desc["key"] + working_data = data + + while "." 
in key: + dict_keys = _FLATTEN.split(key) + if len(dict_keys) == 1: + key = _decode_attribute_map_key(dict_keys[0]) + break + working_key = _decode_attribute_map_key(dict_keys[0]) + working_data = attribute_key_case_insensitive_extractor(working_key, None, working_data) + if working_data is None: + # If at any point while following flatten JSON path see None, it means + # that all properties under are None as well + return None + key = ".".join(dict_keys[1:]) + + if working_data: + return attribute_key_case_insensitive_extractor(key, None, working_data) + + +def last_rest_key_extractor(attr, attr_desc, data): # pylint: disable=unused-argument + """Extract the attribute in "data" based on the last part of the JSON path key. + + :param str attr: The attribute to extract + :param dict attr_desc: The attribute description + :param dict data: The data to extract from + :rtype: object + :returns: The extracted attribute + """ + key = attr_desc["key"] + dict_keys = _FLATTEN.split(key) + return attribute_key_extractor(dict_keys[-1], None, data) + + +def last_rest_key_case_insensitive_extractor(attr, attr_desc, data): # pylint: disable=unused-argument + """Extract the attribute in "data" based on the last part of the JSON path key. 
+ + This is the case insensitive version of "last_rest_key_extractor" + :param str attr: The attribute to extract + :param dict attr_desc: The attribute description + :param dict data: The data to extract from + :rtype: object + :returns: The extracted attribute + """ + key = attr_desc["key"] + dict_keys = _FLATTEN.split(key) + return attribute_key_case_insensitive_extractor(dict_keys[-1], None, data) + + +def attribute_key_extractor(attr, _, data): + return data.get(attr) + + +def attribute_key_case_insensitive_extractor(attr, _, data): + found_key = None + lower_attr = attr.lower() + for key in data: + if lower_attr == key.lower(): + found_key = key + break + + return data.get(found_key) + + +def _extract_name_from_internal_type(internal_type): + """Given an internal type XML description, extract correct XML name with namespace. + + :param dict internal_type: An model type + :rtype: tuple + :returns: A tuple XML name + namespace dict + """ + internal_type_xml_map = getattr(internal_type, "_xml_map", {}) + xml_name = internal_type_xml_map.get("name", internal_type.__name__) + xml_ns = internal_type_xml_map.get("ns", None) + if xml_ns: + xml_name = "{{{}}}{}".format(xml_ns, xml_name) + return xml_name + + +def xml_key_extractor(attr, attr_desc, data): # pylint: disable=unused-argument,too-many-return-statements + if isinstance(data, dict): + return None + + # Test if this model is XML ready first + if not isinstance(data, ET.Element): + return None + + xml_desc = attr_desc.get("xml", {}) + xml_name = xml_desc.get("name", attr_desc["key"]) + + # Look for a children + is_iter_type = attr_desc["type"].startswith("[") + is_wrapped = xml_desc.get("wrapped", False) + internal_type = attr_desc.get("internalType", None) + internal_type_xml_map = getattr(internal_type, "_xml_map", {}) + + # Integrate namespace if necessary + xml_ns = xml_desc.get("ns", internal_type_xml_map.get("ns", None)) + if xml_ns: + xml_name = "{{{}}}{}".format(xml_ns, xml_name) + + # If it's an 
attribute, that's simple + if xml_desc.get("attr", False): + return data.get(xml_name) + + # If it's x-ms-text, that's simple too + if xml_desc.get("text", False): + return data.text + + # Scenario where I take the local name: + # - Wrapped node + # - Internal type is an enum (considered basic types) + # - Internal type has no XML/Name node + if is_wrapped or (internal_type and (issubclass(internal_type, Enum) or "name" not in internal_type_xml_map)): + children = data.findall(xml_name) + # If internal type has a local name and it's not a list, I use that name + elif not is_iter_type and internal_type and "name" in internal_type_xml_map: + xml_name = _extract_name_from_internal_type(internal_type) + children = data.findall(xml_name) + # That's an array + else: + if internal_type: # Complex type, ignore itemsName and use the complex type name + items_name = _extract_name_from_internal_type(internal_type) + else: + items_name = xml_desc.get("itemsName", xml_name) + children = data.findall(items_name) + + if len(children) == 0: + if is_iter_type: + if is_wrapped: + return None # is_wrapped no node, we want None + return [] # not wrapped, assume empty list + return None # Assume it's not there, maybe an optional node. + + # If is_iter_type and not wrapped, return all found children + if is_iter_type: + if not is_wrapped: + return children + # Iter and wrapped, should have found one node only (the wrap one) + if len(children) != 1: + raise DeserializationError( + "Tried to deserialize an array not wrapped, and found several nodes '{}'. Maybe you should declare this array as wrapped?".format( + xml_name + ) + ) + return list(children[0]) # Might be empty list and that's ok. + + # Here it's not a itertype, we should have found one element only or empty + if len(children) > 1: + raise DeserializationError("Find several XML '{}' where it was not expected".format(xml_name)) + return children[0] + + +class Deserializer: + """Response object model deserializer. 
+ + :param dict classes: Class type dictionary for deserializing complex types. + :ivar list key_extractors: Ordered list of extractors to be used by this deserializer. + """ + + basic_types = {str: "str", int: "int", bool: "bool", float: "float"} + + valid_date = re.compile(r"\d{4}[-]\d{2}[-]\d{2}T\d{2}:\d{2}:\d{2}\.?\d*Z?[-+]?[\d{2}]?:?[\d{2}]?") + + def __init__(self, classes: Optional[Mapping[str, type]] = None) -> None: + self.deserialize_type = { + "iso-8601": Deserializer.deserialize_iso, + "rfc-1123": Deserializer.deserialize_rfc, + "unix-time": Deserializer.deserialize_unix, + "duration": Deserializer.deserialize_duration, + "date": Deserializer.deserialize_date, + "time": Deserializer.deserialize_time, + "decimal": Deserializer.deserialize_decimal, + "long": Deserializer.deserialize_long, + "bytearray": Deserializer.deserialize_bytearray, + "base64": Deserializer.deserialize_base64, + "object": self.deserialize_object, + "[]": self.deserialize_iter, + "{}": self.deserialize_dict, + } + self.deserialize_expected_types = { + "duration": (isodate.Duration, datetime.timedelta), + "iso-8601": (datetime.datetime), + } + self.dependencies: Dict[str, type] = dict(classes) if classes else {} + self.key_extractors = [rest_key_extractor, xml_key_extractor] + # Additional properties only works if the "rest_key_extractor" is used to + # extract the keys. Making it to work whatever the key extractor is too much + # complicated, with no real scenario for now. + # So adding a flag to disable additional properties detection. This flag should be + # used if your expect the deserialization to NOT come from a JSON REST syntax. + # Otherwise, result are unexpected + self.additional_properties_detection = True + + def __call__(self, target_obj, response_data, content_type=None): + """Call the deserializer to process a REST response. + + :param str target_obj: Target data type to deserialize to. + :param requests.Response response_data: REST response object. 
+ :param str content_type: Swagger "produces" if available. + :raises DeserializationError: if deserialization fails. + :return: Deserialized object. + :rtype: object + """ + data = self._unpack_content(response_data, content_type) + return self._deserialize(target_obj, data) + + def _deserialize(self, target_obj, data): # pylint: disable=inconsistent-return-statements + """Call the deserializer on a model. + + Data needs to be already deserialized as JSON or XML ElementTree + + :param str target_obj: Target data type to deserialize to. + :param object data: Object to deserialize. + :raises DeserializationError: if deserialization fails. + :return: Deserialized object. + :rtype: object + """ + # This is already a model, go recursive just in case + if hasattr(data, "_attribute_map"): + constants = [name for name, config in getattr(data, "_validation", {}).items() if config.get("constant")] + try: + for attr, mapconfig in data._attribute_map.items(): # pylint: disable=protected-access + if attr in constants: + continue + value = getattr(data, attr) + if value is None: + continue + local_type = mapconfig["type"] + internal_data_type = local_type.strip("[]{}") + if internal_data_type not in self.dependencies or isinstance(internal_data_type, Enum): + continue + setattr(data, attr, self._deserialize(local_type, value)) + return data + except AttributeError: + return + + response, class_name = self._classify_target(target_obj, data) + + if isinstance(response, str): + return self.deserialize_data(data, response) + if isinstance(response, type) and issubclass(response, Enum): + return self.deserialize_enum(data, response) + + if data is None or data is CoreNull: + return data + try: + attributes = response._attribute_map # type: ignore # pylint: disable=protected-access + d_attrs = {} + for attr, attr_desc in attributes.items(): + # Check empty string. If it's not empty, someone has a real "additionalProperties"... 
+ if attr == "additional_properties" and attr_desc["key"] == "": + continue + raw_value = None + # Enhance attr_desc with some dynamic data + attr_desc = attr_desc.copy() # Do a copy, do not change the real one + internal_data_type = attr_desc["type"].strip("[]{}") + if internal_data_type in self.dependencies: + attr_desc["internalType"] = self.dependencies[internal_data_type] + + for key_extractor in self.key_extractors: + found_value = key_extractor(attr, attr_desc, data) + if found_value is not None: + if raw_value is not None and raw_value != found_value: + msg = ( + "Ignoring extracted value '%s' from %s for key '%s'" + " (duplicate extraction, follow extractors order)" + ) + _LOGGER.warning(msg, found_value, key_extractor, attr) + continue + raw_value = found_value + + value = self.deserialize_data(raw_value, attr_desc["type"]) + d_attrs[attr] = value + except (AttributeError, TypeError, KeyError) as err: + msg = "Unable to deserialize to object: " + class_name # type: ignore + raise DeserializationError(msg) from err + additional_properties = self._build_additional_properties(attributes, data) + return self._instantiate_model(response, d_attrs, additional_properties) + + def _build_additional_properties(self, attribute_map, data): + if not self.additional_properties_detection: + return None + if "additional_properties" in attribute_map and attribute_map.get("additional_properties", {}).get("key") != "": + # Check empty string. 
If it's not empty, someone has a real "additionalProperties" + return None + if isinstance(data, ET.Element): + data = {el.tag: el.text for el in data} + + known_keys = { + _decode_attribute_map_key(_FLATTEN.split(desc["key"])[0]) + for desc in attribute_map.values() + if desc["key"] != "" + } + present_keys = set(data.keys()) + missing_keys = present_keys - known_keys + return {key: data[key] for key in missing_keys} + + def _classify_target(self, target, data): + """Check to see whether the deserialization target object can + be classified into a subclass. + Once classification has been determined, initialize object. + + :param str target: The target object type to deserialize to. + :param str/dict data: The response data to deserialize. + :return: The classified target object and its class name. + :rtype: tuple + """ + if target is None: + return None, None + + if isinstance(target, str): + try: + target = self.dependencies[target] + except KeyError: + return target, target + + try: + target = target._classify(data, self.dependencies) # type: ignore # pylint: disable=protected-access + except AttributeError: + pass # Target is not a Model, no classify + return target, target.__class__.__name__ # type: ignore + + def failsafe_deserialize(self, target_obj, data, content_type=None): + """Ignores any errors encountered in deserialization, + and falls back to not deserializing the object. Recommended + for use in error deserialization, as we want to return the + HttpResponseError to users, and not have them deal with + a deserialization error. + + :param str target_obj: The target object type to deserialize to. + :param str/dict data: The response data to deserialize. + :param str content_type: Swagger "produces" if available. + :return: Deserialized object. + :rtype: object + """ + try: + return self(target_obj, data, content_type=content_type) + except: # pylint: disable=bare-except + _LOGGER.debug( + "Ran into a deserialization error. 
Ignoring since this is failsafe deserialization", exc_info=True + ) + return None + + @staticmethod + def _unpack_content(raw_data, content_type=None): + """Extract the correct structure for deserialization. + + If raw_data is a PipelineResponse, try to extract the result of RawDeserializer. + if we can't, raise. Your Pipeline should have a RawDeserializer. + + If not a pipeline response and raw_data is bytes or string, use content-type + to decode it. If no content-type, try JSON. + + If raw_data is something else, bypass all logic and return it directly. + + :param obj raw_data: Data to be processed. + :param str content_type: How to parse if raw_data is a string/bytes. + :raises JSONDecodeError: If JSON is requested and parsing is impossible. + :raises UnicodeDecodeError: If bytes is not UTF8 + :rtype: object + :return: Unpacked content. + """ + # Assume this is enough to detect a Pipeline Response without importing it + context = getattr(raw_data, "context", {}) + if context: + if RawDeserializer.CONTEXT_NAME in context: + return context[RawDeserializer.CONTEXT_NAME] + raise ValueError("This pipeline didn't have the RawDeserializer policy; can't deserialize") + + # Assume this is enough to recognize universal_http.ClientResponse without importing it + if hasattr(raw_data, "body"): + return RawDeserializer.deserialize_from_http_generics(raw_data.text(), raw_data.headers) + + # Assume this enough to recognize requests.Response without importing it. + if hasattr(raw_data, "_content_consumed"): + return RawDeserializer.deserialize_from_http_generics(raw_data.text, raw_data.headers) + + if isinstance(raw_data, (str, bytes)) or hasattr(raw_data, "read"): + return RawDeserializer.deserialize_from_text(raw_data, content_type) # type: ignore + return raw_data + + def _instantiate_model(self, response, attrs, additional_properties=None): + """Instantiate a response model passing in deserialized args. + + :param Response response: The response model class. 
+ :param dict attrs: The deserialized response attributes. + :param dict additional_properties: Additional properties to be set. + :rtype: Response + :return: The instantiated response model. + """ + if callable(response): + subtype = getattr(response, "_subtype_map", {}) + try: + readonly = [ + k + for k, v in response._validation.items() # pylint: disable=protected-access # type: ignore + if v.get("readonly") + ] + const = [ + k + for k, v in response._validation.items() # pylint: disable=protected-access # type: ignore + if v.get("constant") + ] + kwargs = {k: v for k, v in attrs.items() if k not in subtype and k not in readonly + const} + response_obj = response(**kwargs) + for attr in readonly: + setattr(response_obj, attr, attrs.get(attr)) + if additional_properties: + response_obj.additional_properties = additional_properties # type: ignore + return response_obj + except TypeError as err: + msg = "Unable to deserialize {} into model {}. ".format(kwargs, response) # type: ignore + raise DeserializationError(msg + str(err)) from err + else: + try: + for attr, value in attrs.items(): + setattr(response, attr, value) + return response + except Exception as exp: + msg = "Unable to populate response model. " + msg += "Type: {}, Error: {}".format(type(response), exp) + raise DeserializationError(msg) from exp + + def deserialize_data(self, data, data_type): # pylint: disable=too-many-return-statements + """Process data for deserialization according to data type. + + :param str data: The response string to be deserialized. + :param str data_type: The type to deserialize to. + :raises DeserializationError: if deserialization fails. + :return: Deserialized object. 
+ :rtype: object + """ + if data is None: + return data + + try: + if not data_type: + return data + if data_type in self.basic_types.values(): + return self.deserialize_basic(data, data_type) + if data_type in self.deserialize_type: + if isinstance(data, self.deserialize_expected_types.get(data_type, tuple())): + return data + + is_a_text_parsing_type = lambda x: x not in [ # pylint: disable=unnecessary-lambda-assignment + "object", + "[]", + r"{}", + ] + if isinstance(data, ET.Element) and is_a_text_parsing_type(data_type) and not data.text: + return None + data_val = self.deserialize_type[data_type](data) + return data_val + + iter_type = data_type[0] + data_type[-1] + if iter_type in self.deserialize_type: + return self.deserialize_type[iter_type](data, data_type[1:-1]) + + obj_type = self.dependencies[data_type] + if issubclass(obj_type, Enum): + if isinstance(data, ET.Element): + data = data.text + return self.deserialize_enum(data, obj_type) + + except (ValueError, TypeError, AttributeError) as err: + msg = "Unable to deserialize response data." + msg += " Data: {}, {}".format(data, data_type) + raise DeserializationError(msg) from err + return self._deserialize(obj_type, data) + + def deserialize_iter(self, attr, iter_type): + """Deserialize an iterable. + + :param list attr: Iterable to be deserialized. + :param str iter_type: The type of object in the iterable. + :return: Deserialized iterable. + :rtype: list + """ + if attr is None: + return None + if isinstance(attr, ET.Element): # If I receive an element here, get the children + attr = list(attr) + if not isinstance(attr, (list, set)): + raise DeserializationError("Cannot deserialize as [{}] an object of type {}".format(iter_type, type(attr))) + return [self.deserialize_data(a, iter_type) for a in attr] + + def deserialize_dict(self, attr, dict_type): + """Deserialize a dictionary. + + :param dict/list attr: Dictionary to be deserialized. Also accepts + a list of key, value pairs. 
+ :param str dict_type: The object type of the items in the dictionary. + :return: Deserialized dictionary. + :rtype: dict + """ + if isinstance(attr, list): + return {x["key"]: self.deserialize_data(x["value"], dict_type) for x in attr} + + if isinstance(attr, ET.Element): + # Transform value into {"Key": "value"} + attr = {el.tag: el.text for el in attr} + return {k: self.deserialize_data(v, dict_type) for k, v in attr.items()} + + def deserialize_object(self, attr, **kwargs): # pylint: disable=too-many-return-statements + """Deserialize a generic object. + This will be handled as a dictionary. + + :param dict attr: Dictionary to be deserialized. + :return: Deserialized object. + :rtype: dict + :raises TypeError: if non-builtin datatype encountered. + """ + if attr is None: + return None + if isinstance(attr, ET.Element): + # Do no recurse on XML, just return the tree as-is + return attr + if isinstance(attr, str): + return self.deserialize_basic(attr, "str") + obj_type = type(attr) + if obj_type in self.basic_types: + return self.deserialize_basic(attr, self.basic_types[obj_type]) + if obj_type is _long_type: + return self.deserialize_long(attr) + + if obj_type == dict: + deserialized = {} + for key, value in attr.items(): + try: + deserialized[key] = self.deserialize_object(value, **kwargs) + except ValueError: + deserialized[key] = None + return deserialized + + if obj_type == list: + deserialized = [] + for obj in attr: + try: + deserialized.append(self.deserialize_object(obj, **kwargs)) + except ValueError: + pass + return deserialized + + error = "Cannot deserialize generic object with type: " + raise TypeError(error + str(obj_type)) + + def deserialize_basic(self, attr, data_type): # pylint: disable=too-many-return-statements + """Deserialize basic builtin data type from string. + Will attempt to convert to str, int, float and bool. + This function will also accept '1', '0', 'true' and 'false' as + valid bool values. 
+ + :param str attr: response string to be deserialized. + :param str data_type: deserialization data type. + :return: Deserialized basic type. + :rtype: str, int, float or bool + :raises TypeError: if string format is not valid. + """ + # If we're here, data is supposed to be a basic type. + # If it's still an XML node, take the text + if isinstance(attr, ET.Element): + attr = attr.text + if not attr: + if data_type == "str": + # None or '', node is empty string. + return "" + # None or '', node with a strong type is None. + # Don't try to model "empty bool" or "empty int" + return None + + if data_type == "bool": + if attr in [True, False, 1, 0]: + return bool(attr) + if isinstance(attr, str): + if attr.lower() in ["true", "1"]: + return True + if attr.lower() in ["false", "0"]: + return False + raise TypeError("Invalid boolean value: {}".format(attr)) + + if data_type == "str": + return self.deserialize_unicode(attr) + return eval(data_type)(attr) # nosec # pylint: disable=eval-used + + @staticmethod + def deserialize_unicode(data): + """Preserve unicode objects in Python 2, otherwise return data + as a string. + + :param str data: response string to be deserialized. + :return: Deserialized string. + :rtype: str or unicode + """ + # We might be here because we have an enum modeled as string, + # and we try to deserialize a partial dict with enum inside + if isinstance(data, Enum): + return data + + # Consider this is real string + try: + if isinstance(data, unicode): # type: ignore + return data + except NameError: + return str(data) + return str(data) + + @staticmethod + def deserialize_enum(data, enum_obj): + """Deserialize string into enum object. + + If the string is not a valid enum value it will be returned as-is + and a warning will be logged. + + :param str data: Response string to be deserialized. If this value is + None or invalid it will be returned as-is. + :param Enum enum_obj: Enum object to deserialize to. + :return: Deserialized enum object. 
+ :rtype: Enum + """ + if isinstance(data, enum_obj) or data is None: + return data + if isinstance(data, Enum): + data = data.value + if isinstance(data, int): + # Workaround. We might consider remove it in the future. + try: + return list(enum_obj.__members__.values())[data] + except IndexError as exc: + error = "{!r} is not a valid index for enum {!r}" + raise DeserializationError(error.format(data, enum_obj)) from exc + try: + return enum_obj(str(data)) + except ValueError: + for enum_value in enum_obj: + if enum_value.value.lower() == str(data).lower(): + return enum_value + # We don't fail anymore for unknown value, we deserialize as a string + _LOGGER.warning("Deserializer is not able to find %s as valid enum in %s", data, enum_obj) + return Deserializer.deserialize_unicode(data) + + @staticmethod + def deserialize_bytearray(attr): + """Deserialize string into bytearray. + + :param str attr: response string to be deserialized. + :return: Deserialized bytearray + :rtype: bytearray + :raises TypeError: if string format invalid. + """ + if isinstance(attr, ET.Element): + attr = attr.text + return bytearray(b64decode(attr)) # type: ignore + + @staticmethod + def deserialize_base64(attr): + """Deserialize base64 encoded string into string. + + :param str attr: response string to be deserialized. + :return: Deserialized base64 string + :rtype: bytearray + :raises TypeError: if string format invalid. + """ + if isinstance(attr, ET.Element): + attr = attr.text + padding = "=" * (3 - (len(attr) + 3) % 4) # type: ignore + attr = attr + padding # type: ignore + encoded = attr.replace("-", "+").replace("_", "/") + return b64decode(encoded) + + @staticmethod + def deserialize_decimal(attr): + """Deserialize string into Decimal object. + + :param str attr: response string to be deserialized. + :return: Deserialized decimal + :raises DeserializationError: if string format invalid. 
+ :rtype: decimal + """ + if isinstance(attr, ET.Element): + attr = attr.text + try: + return decimal.Decimal(str(attr)) # type: ignore + except decimal.DecimalException as err: + msg = "Invalid decimal {}".format(attr) + raise DeserializationError(msg) from err + + @staticmethod + def deserialize_long(attr): + """Deserialize string into long (Py2) or int (Py3). + + :param str attr: response string to be deserialized. + :return: Deserialized int + :rtype: long or int + :raises ValueError: if string format invalid. + """ + if isinstance(attr, ET.Element): + attr = attr.text + return _long_type(attr) # type: ignore + + @staticmethod + def deserialize_duration(attr): + """Deserialize ISO-8601 formatted string into TimeDelta object. + + :param str attr: response string to be deserialized. + :return: Deserialized duration + :rtype: TimeDelta + :raises DeserializationError: if string format invalid. + """ + if isinstance(attr, ET.Element): + attr = attr.text + try: + duration = isodate.parse_duration(attr) + except (ValueError, OverflowError, AttributeError) as err: + msg = "Cannot deserialize duration object." + raise DeserializationError(msg) from err + return duration + + @staticmethod + def deserialize_date(attr): + """Deserialize ISO-8601 formatted string into Date object. + + :param str attr: response string to be deserialized. + :return: Deserialized date + :rtype: Date + :raises DeserializationError: if string format invalid. + """ + if isinstance(attr, ET.Element): + attr = attr.text + if re.search(r"[^\W\d_]", attr, re.I + re.U): # type: ignore + raise DeserializationError("Date must have only digits and -. Received: %s" % attr) + # This must NOT use defaultmonth/defaultday. Using None ensure this raises an exception. + return isodate.parse_date(attr, defaultmonth=0, defaultday=0) + + @staticmethod + def deserialize_time(attr): + """Deserialize ISO-8601 formatted string into time object. + + :param str attr: response string to be deserialized. 
+ :return: Deserialized time + :rtype: datetime.time + :raises DeserializationError: if string format invalid. + """ + if isinstance(attr, ET.Element): + attr = attr.text + if re.search(r"[^\W\d_]", attr, re.I + re.U): # type: ignore + raise DeserializationError("Date must have only digits and -. Received: %s" % attr) + return isodate.parse_time(attr) + + @staticmethod + def deserialize_rfc(attr): + """Deserialize RFC-1123 formatted string into Datetime object. + + :param str attr: response string to be deserialized. + :return: Deserialized RFC datetime + :rtype: Datetime + :raises DeserializationError: if string format invalid. + """ + if isinstance(attr, ET.Element): + attr = attr.text + try: + parsed_date = email.utils.parsedate_tz(attr) # type: ignore + date_obj = datetime.datetime( + *parsed_date[:6], tzinfo=datetime.timezone(datetime.timedelta(minutes=(parsed_date[9] or 0) / 60)) + ) + if not date_obj.tzinfo: + date_obj = date_obj.astimezone(tz=TZ_UTC) + except ValueError as err: + msg = "Cannot deserialize to rfc datetime object." + raise DeserializationError(msg) from err + return date_obj + + @staticmethod + def deserialize_iso(attr): + """Deserialize ISO-8601 formatted string into Datetime object. + + :param str attr: response string to be deserialized. + :return: Deserialized ISO datetime + :rtype: Datetime + :raises DeserializationError: if string format invalid. 
+ """ + if isinstance(attr, ET.Element): + attr = attr.text + try: + attr = attr.upper() # type: ignore + match = Deserializer.valid_date.match(attr) + if not match: + raise ValueError("Invalid datetime string: " + attr) + + check_decimal = attr.split(".") + if len(check_decimal) > 1: + decimal_str = "" + for digit in check_decimal[1]: + if digit.isdigit(): + decimal_str += digit + else: + break + if len(decimal_str) > 6: + attr = attr.replace(decimal_str, decimal_str[0:6]) + + date_obj = isodate.parse_datetime(attr) + test_utc = date_obj.utctimetuple() + if test_utc.tm_year > 9999 or test_utc.tm_year < 1: + raise OverflowError("Hit max or min date") + except (ValueError, OverflowError, AttributeError) as err: + msg = "Cannot deserialize datetime object." + raise DeserializationError(msg) from err + return date_obj + + @staticmethod + def deserialize_unix(attr): + """Serialize Datetime object into IntTime format. + This is represented as seconds. + + :param int attr: Object to be serialized. + :return: Deserialized datetime + :rtype: Datetime + :raises DeserializationError: if format invalid + """ + if isinstance(attr, ET.Element): + attr = int(attr.text) # type: ignore + try: + attr = int(attr) + date_obj = datetime.datetime.fromtimestamp(attr, TZ_UTC) + except ValueError as err: + msg = "Cannot deserialize to unix datetime object." + raise DeserializationError(msg) from err + return date_obj diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_vendor.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_vendor.py new file mode 100644 index 000000000000..57f93f534546 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_vendor.py 
@@ -0,0 +1,25 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) Python Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from abc import ABC
+from typing import TYPE_CHECKING
+
+from ._configuration import SecurityDomainClientConfiguration
+
+if TYPE_CHECKING:
+ from azure.core import PipelineClient
+
+ from ._serialization import Deserializer, Serializer
+
+
+class SecurityDomainClientMixinABC(ABC):
+ """DO NOT use this class. It is for internal typing use only."""
+
+ _client: "PipelineClient"
+ _config: SecurityDomainClientConfiguration
+ _serialize: "Serializer"
+ _deserialize: "Deserializer"
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_version.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_version.py
new file mode 100644
index 000000000000..be71c81bd282
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/_version.py
@@ -0,0 +1,9 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) Python Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+VERSION = "1.0.0b1"
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/__init__.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/__init__.py
new file mode 100644
index 000000000000..a2c929f88bc6
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/__init__.py
@@ -0,0 +1,29 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) Python Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+# pylint: disable=wrong-import-position
+
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+ from ._patch import * # pylint: disable=unused-wildcard-import
+
+from ._client import SecurityDomainClient # type: ignore
+
+try:
+ from ._patch import __all__ as _patch_all
+ from ._patch import *
+except ImportError:
+ _patch_all = []
+from ._patch import patch_sdk as _patch_sdk
+
+__all__ = [
+ "SecurityDomainClient",
+]
+__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore
+
+_patch_sdk()
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_client.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_client.py
new file mode 100644
index 000000000000..5f02c9d10f16
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_client.py
@@ -0,0 +1,101 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- + +from copy import deepcopy +from typing import Any, Awaitable, TYPE_CHECKING +from typing_extensions import Self + +from azure.core import AsyncPipelineClient +from azure.core.pipeline import policies +from azure.core.rest import AsyncHttpResponse, HttpRequest + +from .._serialization import Deserializer, Serializer +from ._configuration import SecurityDomainClientConfiguration +from ._operations import SecurityDomainClientOperationsMixin + +if TYPE_CHECKING: + from azure.core.credentials_async import AsyncTokenCredential + + +class SecurityDomainClient(SecurityDomainClientOperationsMixin): + """SecurityDomainClient. + + :param vault_base_url: Required. + :type vault_base_url: str + :param credential: Credential used to authenticate requests to the service. Required. + :type credential: ~azure.core.credentials_async.AsyncTokenCredential + :keyword api_version: The API version to use for this operation. Default value is "7.5". Note + that overriding this default value may result in unsupported behavior. 
+ :paramtype api_version: str + """ + + def __init__(self, vault_base_url: str, credential: "AsyncTokenCredential", **kwargs: Any) -> None: + _endpoint = "{vaultBaseUrl}" + self._config = SecurityDomainClientConfiguration(vault_base_url=vault_base_url, credential=credential, **kwargs) + _policies = kwargs.pop("policies", None) + if _policies is None: + _policies = [ + policies.RequestIdPolicy(**kwargs), + self._config.headers_policy, + self._config.user_agent_policy, + self._config.proxy_policy, + policies.ContentDecodePolicy(**kwargs), + self._config.redirect_policy, + self._config.retry_policy, + self._config.authentication_policy, + self._config.custom_hook_policy, + self._config.logging_policy, + policies.DistributedTracingPolicy(**kwargs), + policies.SensitiveHeaderCleanupPolicy(**kwargs) if self._config.redirect_policy else None, + self._config.http_logging_policy, + ] + self._client: AsyncPipelineClient = AsyncPipelineClient(base_url=_endpoint, policies=_policies, **kwargs) + + self._serialize = Serializer() + self._deserialize = Deserializer() + self._serialize.client_side_validation = False + + def send_request( + self, request: HttpRequest, *, stream: bool = False, **kwargs: Any + ) -> Awaitable[AsyncHttpResponse]: + """Runs the network request through the client's chained policies. + + >>> from azure.core.rest import HttpRequest + >>> request = HttpRequest("GET", "https://www.example.org/") + + >>> response = await client.send_request(request) + + + For more information on this code flow, see https://aka.ms/azsdk/dpcodegen/python/send_request + + :param request: The network request you want to make. Required. + :type request: ~azure.core.rest.HttpRequest + :keyword bool stream: Whether the response payload will be streamed. Defaults to False. + :return: The response of your network call. Does not do error handling on your response. 
+ :rtype: ~azure.core.rest.AsyncHttpResponse + """ + + request_copy = deepcopy(request) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + + request_copy.url = self._client.format_url(request_copy.url, **path_format_arguments) + return self._client.send_request(request_copy, stream=stream, **kwargs) # type: ignore + + async def close(self) -> None: + await self._client.close() + + async def __aenter__(self) -> Self: + await self._client.__aenter__() + return self + + async def __aexit__(self, *exc_details: Any) -> None: + await self._client.__aexit__(*exc_details) diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_configuration.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_configuration.py new file mode 100644 index 000000000000..bd16d340efbe --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_configuration.py 
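Review bot: `vault_base_url` is substituted into `_endpoint = "{vaultBaseUrl}"` with `skip_quote=True` in both `__init__` and `send_request`, and `__init__` performs no scheme or shape check on it, so a caller-supplied `http://` or otherwise malformed value becomes the base of every authenticated request; whether the bearer-token/challenge policy rejects non-HTTPS targets downstream is not visible in this hunk, so I would not rely on it here. A guard such as `if not vault_base_url.lower().startswith("https://"): raise ValueError("vault_base_url must be an https URL")` fails early; since this file is generated, that check belongs in the `SecurityDomainClient` subclass in `_patch.py`, and the class docstring's `:param vault_base_url: Required.` should at least state the expected form (an https vault/Managed HSM URL). `close`, `__aenter__` and `__aexit__` carry no docstrings; one line each, e.g. `"""Close the underlying AsyncPipelineClient."""`, would keep the file self-describing.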
@@ -0,0 +1,63 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- + +from typing import Any, TYPE_CHECKING + +from azure.core.pipeline import policies + +from .._version import VERSION + +if TYPE_CHECKING: + from azure.core.credentials_async import AsyncTokenCredential + + +class SecurityDomainClientConfiguration: # pylint: disable=too-many-instance-attributes + """Configuration for SecurityDomainClient. + + Note that all parameters used to create this instance are saved as instance + attributes. + + :param vault_base_url: Required. + :type vault_base_url: str + :param credential: Credential used to authenticate requests to the service. Required. + :type credential: ~azure.core.credentials_async.AsyncTokenCredential + :keyword api_version: The API version to use for this operation. Default value is "7.5". Note + that overriding this default value may result in unsupported behavior. 
+ :paramtype api_version: str + """ + + def __init__(self, vault_base_url: str, credential: "AsyncTokenCredential", **kwargs: Any) -> None: + api_version: str = kwargs.pop("api_version", "7.5") + + if vault_base_url is None: + raise ValueError("Parameter 'vault_base_url' must not be None.") + if credential is None: + raise ValueError("Parameter 'credential' must not be None.") + + self.vault_base_url = vault_base_url + self.credential = credential + self.api_version = api_version + self.credential_scopes = kwargs.pop("credential_scopes", ["https://vault.azure.net/.default"]) + kwargs.setdefault("sdk_moniker", "keyvault-securitydomain/{}".format(VERSION)) + self.polling_interval = kwargs.get("polling_interval", 30) + self._configure(**kwargs) + + def _configure(self, **kwargs: Any) -> None: + self.user_agent_policy = kwargs.get("user_agent_policy") or policies.UserAgentPolicy(**kwargs) + self.headers_policy = kwargs.get("headers_policy") or policies.HeadersPolicy(**kwargs) + self.proxy_policy = kwargs.get("proxy_policy") or policies.ProxyPolicy(**kwargs) + self.logging_policy = kwargs.get("logging_policy") or policies.NetworkTraceLoggingPolicy(**kwargs) + self.http_logging_policy = kwargs.get("http_logging_policy") or policies.HttpLoggingPolicy(**kwargs) + self.custom_hook_policy = kwargs.get("custom_hook_policy") or policies.CustomHookPolicy(**kwargs) + self.redirect_policy = kwargs.get("redirect_policy") or policies.AsyncRedirectPolicy(**kwargs) + self.retry_policy = kwargs.get("retry_policy") or policies.AsyncRetryPolicy(**kwargs) + self.authentication_policy = kwargs.get("authentication_policy") + if self.credential and not self.authentication_policy: + self.authentication_policy = policies.AsyncBearerTokenCredentialPolicy( + self.credential, *self.credential_scopes, **kwargs + ) 
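Review bot: The default `credential_scopes` in `__init__` is `["https://vault.azure.net/.default"]`, while the operations this client drives target a Managed HSM (the `_begin_download` docstring later in this commit says "from the managed HSM"); if the challenge-auth policy installed by `_patch.py` does not replace the scope from the service's authentication challenge (I cannot confirm that from this hunk), a token for the wrong audience would be requested. Either default to the Managed HSM scope or document the override in the class docstring, e.g. `:keyword list[str] credential_scopes: Scopes to request when acquiring a token; defaults to the Key Vault scope and should be set to the Managed HSM scope when not using challenge authentication.`. In `_configure`, the `self.credential and` half of `if self.credential and not self.authentication_policy:` is dead, because `__init__` already raises when `credential is None`; `if not self.authentication_policy:` reads more honestly.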
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_operations/__init__.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_operations/__init__.py new file mode 100644 index 000000000000..c6b747b3914b --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_operations/__init__.py @@ -0,0 +1,25 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# pylint: disable=wrong-import-position + +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from ._patch import * # pylint: disable=unused-wildcard-import + +from ._operations import SecurityDomainClientOperationsMixin # type: ignore + +from ._patch import __all__ as _patch_all +from ._patch import * +from ._patch import patch_sdk as _patch_sdk + +__all__ = [ + "SecurityDomainClientOperationsMixin", +] +__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore +_patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_operations/_operations.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_operations/_operations.py new file mode 100644 index 000000000000..5fb92afed931 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_operations/_operations.py 
@@ -0,0 +1,533 @@ +# pylint: disable=line-too-long,useless-suppression +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +from io import IOBase +import json +import sys +from typing import Any, AsyncIterator, Callable, Dict, IO, Optional, TypeVar, Union, cast, overload + +from azure.core.exceptions import ( + ClientAuthenticationError, + HttpResponseError, + ResourceExistsError, + ResourceNotFoundError, + ResourceNotModifiedError, + StreamClosedError, + StreamConsumedError, + map_error, +) +from azure.core.pipeline import PipelineResponse +from azure.core.polling import AsyncLROPoller, AsyncNoPolling, AsyncPollingMethod +from azure.core.polling.async_base_polling import AsyncLROBasePolling +from azure.core.rest import AsyncHttpResponse, HttpRequest +from azure.core.tracing.decorator_async import distributed_trace_async +from azure.core.utils import case_insensitive_dict + +from ... 
import models as _models +from ..._model_base import SdkJSONEncoder, _deserialize, _failsafe_deserialize +from ..._operations._operations import ( + build_security_domain_download_request, + build_security_domain_get_download_status_request, + build_security_domain_get_transfer_key_request, + build_security_domain_get_upload_status_request, + build_security_domain_upload_request, +) +from .._vendor import SecurityDomainClientMixinABC + +if sys.version_info >= (3, 9): + from collections.abc import MutableMapping +else: + from typing import MutableMapping # type: ignore +JSON = MutableMapping[str, Any] # pylint: disable=unsubscriptable-object +T = TypeVar("T") +ClsType = Optional[Callable[[PipelineResponse[HttpRequest, AsyncHttpResponse], T, Dict[str, Any]], Any]] + + +class SecurityDomainClientOperationsMixin(SecurityDomainClientMixinABC): + + @distributed_trace_async + async def get_download_status(self, **kwargs: Any) -> _models.SecurityDomainOperationStatus: + """Retrieves the Security Domain download operation status. + + :return: SecurityDomainOperationStatus. 
The SecurityDomainOperationStatus is compatible with + MutableMapping + :rtype: ~azure.keyvault.securitydomain.models.SecurityDomainOperationStatus + :raises ~azure.core.exceptions.HttpResponseError: + """ + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = kwargs.pop("headers", {}) or {} + _params = kwargs.pop("params", {}) or {} + + cls: ClsType[_models.SecurityDomainOperationStatus] = kwargs.pop("cls", None) + + _request = build_security_domain_get_download_status_request( + api_version=self._config.api_version, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = kwargs.pop("stream", False) + pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [200]: + if _stream: + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, error_map=error_map) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.SecurityDomainOperationStatus, response.json()) + + if cls: + return cls(pipeline_response, deserialized, {}) # type: ignore + + return deserialized # type: ignore + + async def _download_initial( + self, certificate_info_object: 
Union[_models.CertificateInfo, JSON, IO[bytes]], **kwargs: Any + ) -> AsyncIterator[bytes]: + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = kwargs.pop("params", {}) or {} + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + cls: ClsType[AsyncIterator[bytes]] = kwargs.pop("cls", None) + + content_type = content_type or "application/json" + _content = None + if isinstance(certificate_info_object, (IOBase, bytes)): + _content = certificate_info_object + else: + _content = json.dumps(certificate_info_object, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore + + _request = build_security_domain_download_request( + content_type=content_type, + api_version=self._config.api_version, + content=_content, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = True + pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [202]: + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, error_map=error_map) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + response_headers = {} + response_headers["Azure-AsyncOperation"] = 
self._deserialize( + "str", response.headers.get("Azure-AsyncOperation") + ) + response_headers["Retry-After"] = self._deserialize("int", response.headers.get("Retry-After")) + + deserialized = response.iter_bytes() + + if cls: + return cls(pipeline_response, deserialized, response_headers) # type: ignore + + return deserialized # type: ignore + + @overload + async def _begin_download( + self, certificate_info_object: _models.CertificateInfo, *, content_type: str = "application/json", **kwargs: Any + ) -> AsyncLROPoller[None]: ... + @overload + async def _begin_download( + self, certificate_info_object: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> AsyncLROPoller[None]: ... + @overload + async def _begin_download( + self, certificate_info_object: IO[bytes], *, content_type: str = "application/json", **kwargs: Any + ) -> AsyncLROPoller[None]: ... + + @distributed_trace_async + async def _begin_download( + self, certificate_info_object: Union[_models.CertificateInfo, JSON, IO[bytes]], **kwargs: Any + ) -> AsyncLROPoller[None]: + """Retrieves the Security Domain from the managed HSM. Calling this endpoint can be used to + activate a provisioned managed HSM resource. + + :param certificate_info_object: The Security Domain download operation requires customer to + provide N certificates (minimum 3 and maximum 10) containing a public key in JWK format. Is one + of the following types: CertificateInfo, JSON, IO[bytes] Required. 
+ :type certificate_info_object: ~azure.keyvault.securitydomain.models.CertificateInfo or JSON or + IO[bytes] + :return: An instance of AsyncLROPoller that returns None + :rtype: ~azure.core.polling.AsyncLROPoller[None] + :raises ~azure.core.exceptions.HttpResponseError: + """ + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = kwargs.pop("params", {}) or {} + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + cls: ClsType[None] = kwargs.pop("cls", None) + polling: Union[bool, AsyncPollingMethod] = kwargs.pop("polling", True) + lro_delay = kwargs.pop("polling_interval", self._config.polling_interval) + cont_token: Optional[str] = kwargs.pop("continuation_token", None) + if cont_token is None: + raw_result = await self._download_initial( + certificate_info_object=certificate_info_object, + content_type=content_type, + cls=lambda x, y, z: x, + headers=_headers, + params=_params, + **kwargs + ) + await raw_result.http_response.read() # type: ignore + kwargs.pop("error_map", None) + + def get_long_running_output(pipeline_response): # pylint: disable=inconsistent-return-statements + if cls: + return cls(pipeline_response, None, {}) # type: ignore + + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + + if polling is True: + polling_method: AsyncPollingMethod = cast( + AsyncPollingMethod, + AsyncLROBasePolling(lro_delay, path_format_arguments=path_format_arguments, **kwargs), + ) + elif polling is False: + polling_method = cast(AsyncPollingMethod, AsyncNoPolling()) + else: + polling_method = polling + if cont_token: + return AsyncLROPoller[None].from_continuation_token( + polling_method=polling_method, + continuation_token=cont_token, + client=self._client, + deserialization_callback=get_long_running_output, + ) + return AsyncLROPoller[None](self._client, raw_result, 
get_long_running_output, polling_method) # type: ignore + + @distributed_trace_async + async def get_upload_status(self, **kwargs: Any) -> _models.SecurityDomainOperationStatus: + """Get Security Domain upload operation status. + + :return: SecurityDomainOperationStatus. The SecurityDomainOperationStatus is compatible with + MutableMapping + :rtype: ~azure.keyvault.securitydomain.models.SecurityDomainOperationStatus + :raises ~azure.core.exceptions.HttpResponseError: + """ + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = kwargs.pop("headers", {}) or {} + _params = kwargs.pop("params", {}) or {} + + cls: ClsType[_models.SecurityDomainOperationStatus] = kwargs.pop("cls", None) + + _request = build_security_domain_get_upload_status_request( + api_version=self._config.api_version, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = kwargs.pop("stream", False) + pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [200]: + if _stream: + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, error_map=error_map) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = 
_deserialize(_models.SecurityDomainOperationStatus, response.json()) + + if cls: + return cls(pipeline_response, deserialized, {}) # type: ignore + + return deserialized # type: ignore + + async def _upload_initial( + self, security_domain: Union[_models.SecurityDomain, JSON, IO[bytes]], **kwargs: Any + ) -> AsyncIterator[bytes]: + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = kwargs.pop("params", {}) or {} + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + cls: ClsType[AsyncIterator[bytes]] = kwargs.pop("cls", None) + + content_type = content_type or "application/json" + _content = None + if isinstance(security_domain, (IOBase, bytes)): + _content = security_domain + else: + _content = json.dumps(security_domain, cls=SdkJSONEncoder, exclude_readonly=True) # type: ignore + + _request = build_security_domain_upload_request( + content_type=content_type, + api_version=self._config.api_version, + content=_content, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = True + pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [202, 204]: + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, 
error_map=error_map) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + response_headers = {} + if response.status_code == 202: + response_headers["Azure-AsyncOperation"] = self._deserialize( + "str", response.headers.get("Azure-AsyncOperation") + ) + response_headers["Retry-After"] = self._deserialize("int", response.headers.get("Retry-After")) + + deserialized = response.iter_bytes() + + if cls: + return cls(pipeline_response, deserialized, response_headers) # type: ignore + + return deserialized # type: ignore + + @overload + async def _begin_upload( + self, security_domain: _models.SecurityDomain, *, content_type: str = "application/json", **kwargs: Any + ) -> AsyncLROPoller[_models.SecurityDomainOperationStatus]: ... + @overload + async def _begin_upload( + self, security_domain: JSON, *, content_type: str = "application/json", **kwargs: Any + ) -> AsyncLROPoller[_models.SecurityDomainOperationStatus]: ... + @overload + async def _begin_upload( + self, security_domain: IO[bytes], *, content_type: str = "application/json", **kwargs: Any + ) -> AsyncLROPoller[_models.SecurityDomainOperationStatus]: ... + + @distributed_trace_async + async def _begin_upload( + self, security_domain: Union[_models.SecurityDomain, JSON, IO[bytes]], **kwargs: Any + ) -> AsyncLROPoller[_models.SecurityDomainOperationStatus]: + """Restore the provided Security Domain. + + :param security_domain: The Security Domain to be restored. Is one of the following types: + SecurityDomain, JSON, IO[bytes] Required. + :type security_domain: ~azure.keyvault.securitydomain.models.SecurityDomain or JSON or + IO[bytes] + :return: An instance of AsyncLROPoller that returns SecurityDomainOperationStatus. 
The + SecurityDomainOperationStatus is compatible with MutableMapping + :rtype: + ~azure.core.polling.AsyncLROPoller[~azure.keyvault.securitydomain.models.SecurityDomainOperationStatus] + :raises ~azure.core.exceptions.HttpResponseError: + """ + _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {}) + _params = kwargs.pop("params", {}) or {} + + content_type: Optional[str] = kwargs.pop("content_type", _headers.pop("Content-Type", None)) + cls: ClsType[_models.SecurityDomainOperationStatus] = kwargs.pop("cls", None) + polling: Union[bool, AsyncPollingMethod] = kwargs.pop("polling", True) + lro_delay = kwargs.pop("polling_interval", self._config.polling_interval) + cont_token: Optional[str] = kwargs.pop("continuation_token", None) + if cont_token is None: + raw_result = await self._upload_initial( + security_domain=security_domain, + content_type=content_type, + cls=lambda x, y, z: x, + headers=_headers, + params=_params, + **kwargs + ) + await raw_result.http_response.read() # type: ignore + kwargs.pop("error_map", None) + + def get_long_running_output(pipeline_response): + response_headers = {} + response = pipeline_response.http_response + response_headers["Azure-AsyncOperation"] = self._deserialize( + "str", response.headers.get("Azure-AsyncOperation") + ) + response_headers["Retry-After"] = self._deserialize("int", response.headers.get("Retry-After")) + + deserialized = _deserialize(_models.SecurityDomainOperationStatus, response.json()) + if cls: + return cls(pipeline_response, deserialized, response_headers) # type: ignore + return deserialized + + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + + if polling is True: + polling_method: AsyncPollingMethod = cast( + AsyncPollingMethod, + AsyncLROBasePolling(lro_delay, path_format_arguments=path_format_arguments, **kwargs), + ) + elif polling is False: + polling_method = 
cast(AsyncPollingMethod, AsyncNoPolling()) + else: + polling_method = polling + if cont_token: + return AsyncLROPoller[_models.SecurityDomainOperationStatus].from_continuation_token( + polling_method=polling_method, + continuation_token=cont_token, + client=self._client, + deserialization_callback=get_long_running_output, + ) + return AsyncLROPoller[_models.SecurityDomainOperationStatus]( + self._client, raw_result, get_long_running_output, polling_method # type: ignore + ) + + @distributed_trace_async + async def get_transfer_key(self, **kwargs: Any) -> _models.TransferKey: + """Retrieve Security Domain transfer key. + + :return: TransferKey. The TransferKey is compatible with MutableMapping + :rtype: ~azure.keyvault.securitydomain.models.TransferKey + :raises ~azure.core.exceptions.HttpResponseError: + """ + error_map: MutableMapping = { + 401: ClientAuthenticationError, + 404: ResourceNotFoundError, + 409: ResourceExistsError, + 304: ResourceNotModifiedError, + } + error_map.update(kwargs.pop("error_map", {}) or {}) + + _headers = kwargs.pop("headers", {}) or {} + _params = kwargs.pop("params", {}) or {} + + cls: ClsType[_models.TransferKey] = kwargs.pop("cls", None) + + _request = build_security_domain_get_transfer_key_request( + api_version=self._config.api_version, + headers=_headers, + params=_params, + ) + path_format_arguments = { + "vaultBaseUrl": self._serialize.url( + "self._config.vault_base_url", self._config.vault_base_url, "str", skip_quote=True + ), + } + _request.url = self._client.format_url(_request.url, **path_format_arguments) + + _stream = kwargs.pop("stream", False) + pipeline_response: PipelineResponse = await self._client._pipeline.run( # type: ignore # pylint: disable=protected-access + _request, stream=_stream, **kwargs + ) + + response = pipeline_response.http_response + + if response.status_code not in [200]: + if _stream: + try: + await response.read() # Load the body in memory and close the socket + except (StreamConsumedError, 
StreamClosedError): + pass + map_error(status_code=response.status_code, response=response, error_map=error_map) + error = _failsafe_deserialize(_models.KeyVaultError, response.json()) + raise HttpResponseError(response=response, model=error) + + if _stream: + deserialized = response.iter_bytes() + else: + deserialized = _deserialize(_models.TransferKey, response.json()) + + if cls: + return cls(pipeline_response, deserialized, {}) # type: ignore + + return deserialized # type: ignore diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_operations/_patch.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_operations/_patch.py new file mode 100644 index 000000000000..f7dd32510333 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_operations/_patch.py @@ -0,0 +1,20 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +"""Customize generated code here. + +Follow our quickstart for examples: https://aka.ms/azsdk/python/dpcodegen/python/customize +""" +from typing import List + +__all__: List[str] = [] # Add all objects you want publicly available to users at this package level + + +def patch_sdk(): + """Do not remove from this file. + + `patch_sdk` is a last resort escape hatch that allows you to do customizations + you can't accomplish using the techniques described in + https://aka.ms/azsdk/python/dpcodegen/python/customize + """ diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_patch.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_patch.py new file mode 100644 index 000000000000..7a6d31a184fe --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_patch.py 
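Review bot: On every non-success path in this hunk (`get_download_status`, `_download_initial`, `get_upload_status`, `_upload_initial`, `get_transfer_key`) `response.json()` is evaluated before `_failsafe_deserialize(_models.KeyVaultError, ...)` gets to run, so an error body that is not JSON (an intermediary's HTML error page, an empty 5xx) surfaces as a decode exception rather than the `HttpResponseError` carrying status code and headers, which is what callers catch and what incident logs need. Wrapping that one call in `try`/`except ValueError` and falling back to `error = None` before `raise HttpResponseError(response=response, model=error)` makes the deserialization genuinely fail-safe. Separately, `_upload_initial` accepts 204, yet `get_long_running_output` in `_begin_upload` calls `response.json()` on the final response unconditionally; whether a body-less terminal response can reach it depends on the polling methods wired in `_patch.py`, which are outside this hunk. Since this file is generated, both fixes belong in the generator or in `_patch.py`.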
@@ -0,0 +1,247 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +"""Customize generated code here. + +Follow our quickstart for examples: https://aka.ms/azsdk/python/dpcodegen/python/customize +""" +from typing import Any, Awaitable, IO, List, MutableMapping, overload, Union + +from azure.core.credentials_async import AsyncTokenCredential +from azure.core.pipeline.policies import HttpLoggingPolicy +from azure.core.polling import AsyncLROPoller +from azure.core.rest import AsyncHttpResponse, HttpRequest +from azure.core.tracing.decorator_async import distributed_trace_async + +from ._client import SecurityDomainClient as KeyVaultClient +from .._internal import ( + AsyncChallengeAuthPolicy, + AsyncSecurityDomainDownloadNoPolling, + AsyncSecurityDomainDownloadPollingMethod, + AsyncSecurityDomainUploadPollingMethod, + SecurityDomainDownloadPolling, + SecurityDomainUploadPolling, +) +from ..models import CertificateInfo, SecurityDomain, SecurityDomainOperationStatus +from .._patch import DEFAULT_VERSION, _format_api_version, _SERIALIZER + + +JSON = MutableMapping[str, Any] # pylint: disable=unsubscriptable-object + +__all__: List[str] = [ + "SecurityDomainClient", +] # Add all objects you want publicly available to users at this package level + + +class SecurityDomainClient(KeyVaultClient): + """Manages the security domain of a Managed HSM. + + :param str vault_url: URL of the vault on which the client will operate. This is also called the vault's "DNS Name". + You should validate that this URL references a valid Key Vault or Managed HSM resource. + See https://aka.ms/azsdk/blog/vault-uri for details. 
+ :param credential: An object which can provide an access token for the vault, such as a credential from + :mod:`azure.identity` + :type credential: ~azure.core.credentials_async.AsyncTokenCredential + + :keyword str api_version: The API version to use for this operation. Default value is "7.5". Note that overriding + this default value may result in unsupported behavior. + :keyword bool verify_challenge_resource: Whether to verify the authentication challenge resource matches the Key + Vault or Managed HSM domain. Defaults to True. + :keyword int polling_interval: Default waiting time between two polls for LRO operations if no + Retry-After header is present. + """ + + def __init__(self, vault_url: str, credential: AsyncTokenCredential, **kwargs: Any) -> None: + self.api_version = kwargs.pop("api_version", DEFAULT_VERSION) + # If API version was provided as an enum value, need to make a plain string for 3.11 compatibility + if hasattr(self.api_version, "value"): + self.api_version = self.api_version.value + self._vault_url = vault_url.strip(" /") + + http_logging_policy = HttpLoggingPolicy(**kwargs) + http_logging_policy.allowed_header_names.update( + {"x-ms-keyvault-network-info", "x-ms-keyvault-region", "x-ms-keyvault-service-version"} + ) + verify_challenge = kwargs.pop("verify_challenge_resource", True) + super().__init__( + vault_url, + credential, + api_version=self.api_version, + authentication_policy=AsyncChallengeAuthPolicy(credential, verify_challenge_resource=verify_challenge), + http_logging_policy=http_logging_policy, + **kwargs, + ) + + @overload + async def begin_download( + self, + certificate_info: CertificateInfo, + *, + content_type: str = "application/json", + skip_activation_polling: bool = False, + **kwargs: Any, + ) -> AsyncLROPoller[SecurityDomain]: ... 
+ + @overload + async def begin_download( + self, + certificate_info: JSON, + *, + content_type: str = "application/json", + skip_activation_polling: bool = False, + **kwargs: Any, + ) -> AsyncLROPoller[SecurityDomain]: ... + + @overload + async def begin_download( + self, + certificate_info: IO[bytes], + *, + content_type: str = "application/json", + skip_activation_polling: bool = False, + **kwargs: Any, + ) -> AsyncLROPoller[SecurityDomain]: ... + + @distributed_trace_async + async def begin_download( + self, + certificate_info: Union[CertificateInfo, JSON, IO[bytes]], + *, + content_type: str = "application/json", + skip_activation_polling: bool = False, + **kwargs: Any, + ) -> AsyncLROPoller[SecurityDomain]: + """Retrieves the Security Domain from the managed HSM. Calling this endpoint can + be used to activate a provisioned managed HSM resource. + + :param certificate_info: The Security Domain download operation requires the customer to provide N + certificates (minimum 3 and maximum 10) containing a public key in JWK format. Required in one of the + following types: CertificateInfo, JSON, or IO[bytes]. + :type certificate_info: ~azure.keyvault.securitydomain.models.CertificateInfo or + JSON or IO[bytes] + :keyword str content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + :keyword bool skip_activation_polling: If set to True, the operation will not poll for HSM activation to + complete and calling `.result()` on the poller will return the security domain object immediately. Default + value is False. + + :return: An instance of AsyncLROPoller that returns SecurityDomain. 
The + SecurityDomain is compatible with MutableMapping + :rtype: + ~azure.core.polling.AsyncLROPoller[~azure.keyvault.securitydomain.models.SecurityDomain] + :raises ~azure.core.exceptions.HttpResponseError: + """ + delay = kwargs.pop("polling_interval", self._config.polling_interval) + polling_method = ( + AsyncSecurityDomainDownloadNoPolling() + if skip_activation_polling is True + else AsyncSecurityDomainDownloadPollingMethod( + lro_algorithms=[SecurityDomainDownloadPolling()], timeout=delay + ) + ) + return await super()._begin_download( # type: ignore[return-value] + certificate_info, + content_type=content_type, + polling=polling_method, + **kwargs, + ) + + @overload + @distributed_trace_async + async def begin_upload( + self, + security_domain: SecurityDomain, + *, + content_type: str = "application/json", + **kwargs: Any, + ) -> AsyncLROPoller[None]: ... + + @overload + @distributed_trace_async + async def begin_upload( + self, + security_domain: JSON, + *, + content_type: str = "application/json", + **kwargs: Any, + ) -> AsyncLROPoller[None]: ... + + @overload + @distributed_trace_async + async def begin_upload( + self, + security_domain: IO[bytes], + *, + content_type: str = "application/json", + **kwargs: Any, + ) -> AsyncLROPoller[None]: ... + + @distributed_trace_async + async def begin_upload( + self, + security_domain: Union[SecurityDomain, JSON, IO[bytes]], + *, + content_type: str = "application/json", + **kwargs: Any, + ) -> AsyncLROPoller[None]: + """Restore the provided Security Domain. + + :param security_domain: The Security Domain to be restored. Required in one of the following types: + SecurityDomain, JSON, or IO[bytes]. + :type security_domain: ~azure.keyvault.securitydomain.models.SecurityDomain or JSON or + IO[bytes] + :keyword str content_type: Body Parameter content-type. Content type parameter for JSON body. + Default value is "application/json". + + :return: An instance of AsyncLROPoller that returns SecurityDomainOperationStatus. 
The + SecurityDomainOperationStatus is compatible with MutableMapping + :rtype: + ~azure.core.polling.AsyncLROPoller[~azure.keyvault.securitydomain.models.SecurityDomainOperationStatus] + :raises ~azure.core.exceptions.HttpResponseError: + """ + delay = kwargs.pop("polling_interval", self._config.polling_interval) + polling_method = AsyncSecurityDomainUploadPollingMethod( + lro_algorithms=[SecurityDomainUploadPolling()], timeout=delay + ) + return await super()._begin_upload( # type: ignore[return-value] + security_domain, + content_type=content_type, + polling=polling_method, + **kwargs, + ) + + @distributed_trace_async + def send_request( + self, request: HttpRequest, *, stream: bool = False, **kwargs: Any + ) -> Awaitable[AsyncHttpResponse]: + """Runs a network request using the client's existing pipeline. + + The request URL can be relative to the vault URL. The service API version used for the request is the same as + the client's unless otherwise specified. This method does not raise if the response is an error; to raise an + exception, call `raise_for_status()` on the returned response object. For more information about how to send + custom requests with this method, see https://aka.ms/azsdk/dpcodegen/python/send_request. + + :param request: The network request you want to make. + :type request: ~azure.core.rest.HttpRequest + + :keyword bool stream: Whether the response payload will be streamed. Defaults to False. + + :return: The response of your network call. Does not do error handling on your response. + :rtype: ~azure.core.rest.AsyncHttpResponse + """ + request_copy = _format_api_version(request, self.api_version) + path_format_arguments = { + "vaultBaseUrl": _SERIALIZER.url("vault_base_url", self._vault_url, "str", skip_quote=True), + } + request_copy.url = self._client.format_url(request_copy.url, **path_format_arguments) + return self._client.send_request(request_copy, stream=stream, **kwargs) + + +def patch_sdk(): + """Do not remove from this file. 
+
+ `patch_sdk` is a last resort escape hatch that allows you to do customizations
+ you can't accomplish using the techniques described in
+ https://aka.ms/azsdk/python/dpcodegen/python/customize
+ """
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_vendor.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_vendor.py
new file mode 100644
index 000000000000..f6bbe4c3d81e
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/aio/_vendor.py
@@ -0,0 +1,25 @@
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) Python Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from abc import ABC
+from typing import TYPE_CHECKING
+
+from ._configuration import SecurityDomainClientConfiguration
+
+if TYPE_CHECKING:
+ from azure.core import AsyncPipelineClient
+
+ from .._serialization import Deserializer, Serializer
+
+
+class SecurityDomainClientMixinABC(ABC):
+ """DO NOT use this class. It is for internal typing use only."""
+
+ _client: "AsyncPipelineClient"
+ _config: SecurityDomainClientConfiguration
+ _serialize: "Serializer"
+ _deserialize: "Deserializer"
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/__init__.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/__init__.py
new file mode 100644
index 000000000000..e998274a376a
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/__init__.py
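Review bot: `__init__` normalizes the vault URL into `self._vault_url = vault_url.strip(" /")` but hands the raw `vault_url` to `super().__init__`, so the base URL the generated operations format from `self._config.vault_base_url` and the one `send_request` substitutes for `vaultBaseUrl` can differ for the same client (a trailing slash, for example); passing `self._vault_url` as the first argument of `super().__init__(...)` keeps both paths on one representation. Separately, `send_request` is a plain `def` returning `Awaitable[AsyncHttpResponse]` yet carries `@distributed_trace_async`, which as far as I recall wraps the call in a coroutine; either declare it `async def` so the signature matches what callers actually get, or drop the decorator. The `@distributed_trace_async` stacked on the three `begin_upload` `@overload` stubs has no effect, since overload bodies never run, and `begin_download`'s overloads omit it; removing it keeps the two consistent.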
@@ -0,0 +1,44 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# pylint: disable=wrong-import-position + +from typing import TYPE_CHECKING + +if TYPE_CHECKING: + from ._patch import * # pylint: disable=unused-wildcard-import + + +from ._models import ( # type: ignore + CertificateInfo, + KeyVaultError, + KeyVaultErrorError, + SecurityDomain, + SecurityDomainJsonWebKey, + SecurityDomainOperationStatus, + TransferKey, +) + +from ._enums import ( # type: ignore + OperationStatus, +) +from ._patch import __all__ as _patch_all +from ._patch import * +from ._patch import patch_sdk as _patch_sdk + +__all__ = [ + "CertificateInfo", + "KeyVaultError", + "KeyVaultErrorError", + "SecurityDomain", + "SecurityDomainJsonWebKey", + "SecurityDomainOperationStatus", + "TransferKey", + "OperationStatus", +] +__all__.extend([p for p in _patch_all if p not in __all__]) # pyright: ignore +_patch_sdk() diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/_enums.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/_enums.py new file mode 100644 index 000000000000..9fb7878c20a4 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/_enums.py 
@@ -0,0 +1,21 @@
+# coding=utf-8
+# --------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# Code generated by Microsoft (R) Python Code Generator.
+# Changes may cause incorrect behavior and will be lost if the code is regenerated.
+# --------------------------------------------------------------------------
+
+from enum import Enum
+from azure.core import CaseInsensitiveEnumMeta
+
+
+class OperationStatus(str, Enum, metaclass=CaseInsensitiveEnumMeta):
+ """Operation status."""
+
+ SUCCESS = "Success"
+ """The operation succeeded."""
+ IN_PROGRESS = "InProgress"
+ """The operation is in progress."""
+ FAILED = "Failed"
+ """The operation failed."""
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/_models.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/_models.py
new file mode 100644
index 000000000000..b9fd996d8f2f
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/_models.py
@@ -0,0 +1,261 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# pylint: disable=useless-super-delegation + +from typing import Any, List, Mapping, Optional, TYPE_CHECKING, Union, overload + +from .. import _model_base +from .._model_base import rest_field + +if TYPE_CHECKING: + from .. import models as _models + + +class CertificateInfo(_model_base.Model): + """The Security Domain download operation requires customer to provide N certificates (minimum 3 + and maximum 10) containing a public key in JWK format. + + :ivar certificates: Certificates needed from customer. Required. + :vartype certificates: list[~azure.keyvault.securitydomain.models.SecurityDomainJsonWebKey] + :ivar required: Customer to specify the number of certificates (minimum 2 and maximum 10) to + restore Security Domain. + :vartype required: int + """ + + certificates: List["_models.SecurityDomainJsonWebKey"] = rest_field( + visibility=["read", "create", "update", "delete", "query"] + ) + """Certificates needed from customer. Required.""" + required: Optional[int] = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """Customer to specify the number of certificates (minimum 2 and maximum 10) to restore Security + Domain.""" + + @overload + def __init__( + self, + *, + certificates: List["_models.SecurityDomainJsonWebKey"], + required: Optional[int] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. 
+ :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class KeyVaultError(_model_base.Model): + """The key vault error exception. + + :ivar error: The key vault server error. + :vartype error: ~azure.keyvault.securitydomain.models.KeyVaultErrorError + """ + + error: Optional["_models.KeyVaultErrorError"] = rest_field(visibility=["read"]) + """The key vault server error.""" + + +class KeyVaultErrorError(_model_base.Model): + """KeyVaultErrorError. + + :ivar code: The error code. + :vartype code: str + :ivar message: The error message. + :vartype message: str + :ivar inner_error: The key vault server error. + :vartype inner_error: ~azure.keyvault.securitydomain.models.KeyVaultErrorError + """ + + code: Optional[str] = rest_field(visibility=["read"]) + """The error code.""" + message: Optional[str] = rest_field(visibility=["read"]) + """The error message.""" + inner_error: Optional["_models.KeyVaultErrorError"] = rest_field(name="innererror", visibility=["read"]) + """The key vault server error.""" + + +class SecurityDomain(_model_base.Model): + """The Security Domain. + + :ivar value: The Security Domain. Required. + :vartype value: str + """ + + value: str = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """The Security Domain. Required.""" + + @overload + def __init__( + self, + *, + value: str, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class SecurityDomainJsonWebKey(_model_base.Model): + """A JSON Web Key (JWK) for use in a security domain operation. + + :ivar kid: Key identifier. Required. 
+ :vartype kid: str + :ivar kty: JsonWebKey Key Type (kty), as defined in + `https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40 + `_. For Security Domain + this value must be RSA. Required. + :vartype kty: str + :ivar key_ops: Supported key operations. Required. + :vartype key_ops: list[str] + :ivar n: RSA modulus. Required. + :vartype n: str + :ivar e: RSA public exponent. Required. + :vartype e: str + :ivar x5_c: X509 certificate chain parameter. Required. + :vartype x5_c: list[str] + :ivar use: Public Key Use Parameter. This is optional and if present must be enc. + :vartype use: str + :ivar x5_t: X509 certificate SHA1 thumbprint. This is optional. + :vartype x5_t: str + :ivar x5_t_s256: X509 certificate SHA256 thumbprint. Required. + :vartype x5_t_s256: str + :ivar alg: Algorithm intended for use with the key. Required. + :vartype alg: str + """ + + kid: str = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """Key identifier. Required.""" + kty: str = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """JsonWebKey Key Type (kty), as defined in + `https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40 + `_. For Security Domain + this value must be RSA. Required.""" + key_ops: List[str] = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """Supported key operations. Required.""" + n: str = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """RSA modulus. Required.""" + e: str = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """RSA public exponent. Required.""" + x5_c: List[str] = rest_field(name="x5c", visibility=["read", "create", "update", "delete", "query"]) + """X509 certificate chain parameter. Required.""" + use: Optional[str] = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """Public Key Use Parameter. 
This is optional and if present must be enc.""" + x5_t: Optional[str] = rest_field(name="x5t", visibility=["read", "create", "update", "delete", "query"]) + """X509 certificate SHA1 thumbprint. This is optional.""" + x5_t_s256: str = rest_field(name="x5t#S256", visibility=["read", "create", "update", "delete", "query"]) + """X509 certificate SHA256 thumbprint. Required.""" + alg: str = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """Algorithm intended for use with the key. Required.""" + + @overload + def __init__( + self, + *, + kid: str, + kty: str, + key_ops: List[str], + n: str, + e: str, + x5_c: List[str], + x5_t_s256: str, + alg: str, + use: Optional[str] = None, + x5_t: Optional[str] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class SecurityDomainOperationStatus(_model_base.Model): + """The Security Domain operation status. + + :ivar status: Operation status. Known values are: "Success", "InProgress", and "Failed". + :vartype status: str or ~azure.keyvault.securitydomain.models.OperationStatus + :ivar status_details: Details of the operation status. + :vartype status_details: str + """ + + status: Optional[Union[str, "_models.OperationStatus"]] = rest_field( + visibility=["read", "create", "update", "delete", "query"] + ) + """Operation status. Known values are: \"Success\", \"InProgress\", and \"Failed\".""" + status_details: Optional[str] = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """Details of the operation status.""" + + @overload + def __init__( + self, + *, + status: Optional[Union[str, "_models.OperationStatus"]] = None, + status_details: Optional[str] = None, + ) -> None: ... 
+ + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) + + +class TransferKey(_model_base.Model): + """Security Domain transfer key. + + :ivar key_format: Specifies the format of the transfer key. + :vartype key_format: str + :ivar transfer_key: Specifies the transfer key in JWK format. Required. + :vartype transfer_key: ~azure.keyvault.securitydomain.models.SecurityDomainJsonWebKey + """ + + key_format: Optional[str] = rest_field(visibility=["read", "create", "update", "delete", "query"]) + """Specifies the format of the transfer key.""" + transfer_key: "_models.SecurityDomainJsonWebKey" = rest_field( + visibility=["read", "create", "update", "delete", "query"] + ) + """Specifies the transfer key in JWK format. Required.""" + + @overload + def __init__( + self, + *, + transfer_key: "_models.SecurityDomainJsonWebKey", + key_format: Optional[str] = None, + ) -> None: ... + + @overload + def __init__(self, mapping: Mapping[str, Any]) -> None: + """ + :param mapping: raw JSON to initialize the model. + :type mapping: Mapping[str, Any] + """ + + def __init__(self, *args: Any, **kwargs: Any) -> None: + super().__init__(*args, **kwargs) diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/_patch.py b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/_patch.py new file mode 100644 index 000000000000..f7dd32510333 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/models/_patch.py 
@@ -0,0 +1,20 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+"""Customize generated code here.
+
+Follow our quickstart for examples: https://aka.ms/azsdk/python/dpcodegen/python/customize
+"""
+from typing import List
+
+__all__: List[str] = [] # Add all objects you want publicly available to users at this package level
+
+
+def patch_sdk():
+ """Do not remove from this file.
+
+ `patch_sdk` is a last resort escape hatch that allows you to do customizations
+ you can't accomplish using the techniques described in
+ https://aka.ms/azsdk/python/dpcodegen/python/customize
+ """
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/py.typed b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/py.typed
new file mode 100644
index 000000000000..e5aff4f83af8
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/azure/keyvault/securitydomain/py.typed
@@ -0,0 +1 @@
+# Marker file for PEP 561.
\ No newline at end of file
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/dev_requirements.txt b/sdk/keyvault/azure-keyvault-securitydomain/dev_requirements.txt
new file mode 100644
index 000000000000..c82827bb56f4
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/dev_requirements.txt
@@ -0,0 +1,4 @@
+-e ../../../tools/azure-sdk-tools
+../../core/azure-core
+../../identity/azure-identity
+aiohttp
\ No newline at end of file
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/samples/README.md b/sdk/keyvault/azure-keyvault-securitydomain/samples/README.md
new file mode 100644
index 000000000000..999a0581fa49
--- /dev/null
+++ b/sdk/keyvault/azure-keyvault-securitydomain/samples/README.md
@@ -0,0 +1,40 @@ +--- +page_type: sample +languages: + - python +products: + - azure + - azure-key-vault +urlFragment: keyvault-securitydomain-samples +--- + +# Azure Key Vault Security Domain Client Library Python Samples + +## Prerequisites + +You must have an [Azure subscription](https://azure.microsoft.com/free) and a [Key Vault Managed HSM][managed_hsm] to run these samples. You can create a managed HSM with the [Azure CLI][managed_hsm_cli]. + +## Setup + +To run these samples, first install the Key Vault Security Domain and Azure Identity libraries: + +```commandline +python -m pip install azure-keyvault-securitydomain azure-identity +``` + +[Azure Identity](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md) is used for authenticating Key Vault clients. These samples use the +[DefaultAzureCredential](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/README.md#defaultazurecredential), but any credential from the library can be used with Key Vault clients. + +## Contents + +| File | Description | +|-------------|-------------| +| [hello_world.py][hello_world_sample] ([async version][hello_world_async_sample]) | download a security domain | + + + +[hello_world_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world.py +[hello_world_async_sample]: https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world_async.py + +[managed_hsm]: https://learn.microsoft.com/azure/key-vault/managed-hsm/overview +[managed_hsm_cli]: https://learn.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli diff --git a/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world.py b/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world.py new file mode 100644 index 000000000000..5347f5c04aeb --- /dev/null 
+++ b/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world.py 
@@ -0,0 +1,58 @@ +# pylint: disable=line-too-long,useless-suppression +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +from json import loads +import os + +from azure.keyvault.securitydomain.models import CertificateInfo, SecurityDomainJsonWebKey + +# ---------------------------------------------------------------------------------------------------------- +# Prerequisites: +# 1. An Azure Key Vault Managed HSM (https://learn.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli) +# +# 2. Three JSON files, containing JWKs, to be used as security domain wrapping keys. Set environment variables +# SD_KEY_1, SD_KEY_2, and SD_KEY_3 to the paths of the files. +# +# 3. azure-keyvault-securitydomain and azure-identity libraries (pip install these) +# +# 4. Set environment variable VAULT_URL with the URL of your managed HSM +# +# 5. Set up your environment to use azure-identity's DefaultAzureCredential. For more information about how to configure +# the DefaultAzureCredential, refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential +# +# ---------------------------------------------------------------------------------------------------------- +# Sample - demonstrates the security domain download operations for Azure Key Vault Managed HSM +# +# 1. Download a security domain (begin_download) +# ---------------------------------------------------------------------------------------------------------- + +# Instantiate a security domain client that will be used to call the service. +# Here we use the DefaultAzureCredential, but any azure-identity credential can be used. 
+# [START create_a_security_domain_client] +from azure.identity import DefaultAzureCredential +from azure.keyvault.securitydomain import SecurityDomainClient + +VAULT_URL = os.environ["VAULT_URL"] +credential = DefaultAzureCredential() +client = SecurityDomainClient(vault_url=VAULT_URL, credential=credential) +# [END create_a_security_domain_client] + +# Load the JWKs into SecurityDomainJsonWebKey objects, to provide to a CertificateInfo object. +print("Preparing security domain wrapping keys.") +sd_wrapping_keys = [os.environ["SD_KEY_1"], os.environ["SD_KEY_2"], os.environ["SD_KEY_3"]] +certificates = [] +for path in sd_wrapping_keys: + with open(path, "rb") as f: + jwk = loads(f.read()) + certificates.append(SecurityDomainJsonWebKey(jwk)) +certs_object = CertificateInfo(certificates=certificates) + +# Download the security domain. Without passing `skip_activation_polling=True`, calling `.result()` on the returned +# poller will wait for HSM activation to complete. By passing the argument, the poller will return immediately with +# the security domain instead (activation status can be checked with `client.get_download_status`). +print("Beginning security domain download.") +poller = client.begin_download(certificate_info=certs_object, skip_activation_polling=True) +security_domain = poller.result() +print("Security domain downloaded successfully.") diff --git a/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world_async.py b/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world_async.py new file mode 100644 index 000000000000..b33316f8592b --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/samples/hello_world_async.py 
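Review bot: The downloaded `security_domain` is assigned from `poller.result()` and then discarded, so the sample demonstrates the request but not the part an operator actually needs: the security domain (wrapped to the keys supplied in `CertificateInfo`) is the artifact `begin_upload` restores from, and losing it means the HSM cannot be recovered. Show persisting `security_domain.value` after the download, e.g. `with open(output_path, "w") as f: f.write(security_domain.value)` where `output_path` is a placeholder path the sample reads from its environment like `SD_KEY_1`, with a short comment that the file must be kept with the same care as the private halves of the wrapping keys. The same gap is in `hello_world_async.py` in the next hunk.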
@@ -0,0 +1,63 @@ +# pylint: disable=line-too-long,useless-suppression +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import asyncio +from json import loads +import os + +from azure.keyvault.securitydomain.models import CertificateInfo, SecurityDomainJsonWebKey + +# ---------------------------------------------------------------------------------------------------------- +# Prerequisites: +# 1. An Azure Key Vault Managed HSM (https://learn.microsoft.com/azure/key-vault/managed-hsm/quick-create-cli) +# +# 2. Three JSON files, containing JWKs, to be used as security domain wrapping keys. Set environment variables +# SD_KEY_1, SD_KEY_2, and SD_KEY_3 to the paths of the files. +# +# 3. azure-keyvault-securitydomain and azure-identity libraries (pip install these) +# +# 4. Set environment variable VAULT_URL with the URL of your managed HSM +# +# 5. Set up your environment to use azure-identity's DefaultAzureCredential. For more information about how to configure +# the DefaultAzureCredential, refer to https://aka.ms/azsdk/python/identity/docs#azure.identity.DefaultAzureCredential +# +# ---------------------------------------------------------------------------------------------------------- +# Sample - demonstrates the security domain download operations for Azure Key Vault Managed HSM +# +# 1. Download a security domain (begin_download) +# ---------------------------------------------------------------------------------------------------------- + + +async def run_sample(): + # Instantiate a security domain client that will be used to call the service. + # Here we use the DefaultAzureCredential, but any azure-identity credential can be used. 
+ from azure.identity.aio import DefaultAzureCredential + from azure.keyvault.securitydomain.aio import SecurityDomainClient + + VAULT_URL = os.environ["VAULT_URL"] + credential = DefaultAzureCredential() + client = SecurityDomainClient(vault_url=VAULT_URL, credential=credential) + + # Load the JWKs into SecurityDomainJsonWebKey objects, to provide to a CertificateInfo object. + print("Preparing security domain wrapping keys.") + sd_wrapping_keys = [os.environ["SD_KEY_1"], os.environ["SD_KEY_2"], os.environ["SD_KEY_3"]] + certificates = [] + for path in sd_wrapping_keys: + with open(path, "rb") as f: + jwk = loads(f.read()) + certificates.append(SecurityDomainJsonWebKey(jwk)) + certs_object = CertificateInfo(certificates=certificates) + + # Download the security domain. Without passing `skip_activation_polling=True`, calling `.result()` on the returned + # poller will wait for HSM activation to complete. By passing the argument, the poller will return immediately with + # the security domain instead (activation status can be checked with `client.get_download_status`). + print("Beginning security domain download.") + poller = await client.begin_download(certificate_info=certs_object, skip_activation_polling=True) + security_domain = poller.result() + print("Security domain downloaded successfully.") + + +if __name__ == "__main__": + asyncio.run(run_sample()) diff --git a/sdk/keyvault/azure-keyvault-securitydomain/setup.py b/sdk/keyvault/azure-keyvault-securitydomain/setup.py new file mode 100644 index 000000000000..2c5a9b16aa0a --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/setup.py 
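Review bot: `run_sample` creates the async `DefaultAzureCredential` and `SecurityDomainClient` but never closes them, so whatever transport sessions they hold are still open when `asyncio.run` tears down the loop — the async test preparer in this same change closes its clients with `async with`, and the sample should do the same. Replace the two assignments with `async with DefaultAzureCredential() as credential, SecurityDomainClient(vault_url=VAULT_URL, credential=credential) as client:` and indent the rest of the function under it. As in the synchronous sample, the JWK files are forwarded without checking that they hold only public material; `if "d" in jwk: raise ValueError(...)` after the load would keep a misconfigured SD_KEY_n from sending a private key, and `json.load(f)` replaces `loads(f.read())`.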
@@ -0,0 +1,71 @@ +# coding=utf-8 +# -------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# Code generated by Microsoft (R) Python Code Generator. +# Changes may cause incorrect behavior and will be lost if the code is regenerated. +# -------------------------------------------------------------------------- +# coding: utf-8 + +import os +import re +from setuptools import setup, find_packages + + +PACKAGE_NAME = "azure-keyvault-securitydomain" +PACKAGE_PPRINT_NAME = "Azure Keyvault Securitydomain" + +# a-b-c => a/b/c +package_folder_path = PACKAGE_NAME.replace("-", "/") + +# Version extraction inspired from 'requests' +with open(os.path.join(package_folder_path, "_version.py"), "r") as fd: + version = re.search(r'^VERSION\s*=\s*[\'"]([^\'"]*)[\'"]', fd.read(), re.MULTILINE).group(1) + +if not version: + raise RuntimeError("Cannot find version information") + + +setup( + name=PACKAGE_NAME, + version=version, + description="Microsoft {} Client Library for Python".format(PACKAGE_PPRINT_NAME), + long_description=open("README.md", "r").read(), + long_description_content_type="text/markdown", + license="MIT License", + author="Microsoft Corporation", + author_email="azpysdkhelp@microsoft.com", + url="https://github.com/Azure/azure-sdk-for-python/tree/main/sdk", + keywords="azure, azure sdk", + classifiers=[ + "Development Status :: 4 - Beta", + "Programming Language :: Python", + "Programming Language :: Python :: 3 :: Only", + "Programming Language :: Python :: 3", + "Programming Language :: Python :: 3.9", + "Programming Language :: Python :: 3.10", + "Programming Language :: Python :: 3.11", + "Programming Language :: Python :: 3.12", + "Programming Language :: Python :: 3.13", + "License :: OSI Approved :: MIT License", + ], + zip_safe=False, + packages=find_packages( + exclude=[ + "tests", 
+ # Exclude packages that will be covered by PEP420 or nspkg + "azure", + "azure.keyvault", + ] + ), + include_package_data=True, + package_data={ + "azure.keyvault.securitydomain": ["py.typed"], + }, + install_requires=[ + "isodate>=0.6.1", + "azure-core>=1.31.0", + "typing-extensions>=4.6.0", + ], + python_requires=">=3.9", +) diff --git a/sdk/keyvault/azure-keyvault-securitydomain/tests/_async_test_case.py b/sdk/keyvault/azure-keyvault-securitydomain/tests/_async_test_case.py new file mode 100644 index 000000000000..5e140a3cd2ca --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/tests/_async_test_case.py 
@@ -0,0 +1,81 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import os + +import pytest + +from devtools_testutils import AzureRecordedTestCase + + +class BaseClientPreparer(AzureRecordedTestCase): + def __init__(self, **kwargs) -> None: + hsm_playback_url = "https://managedhsmvaultname.managedhsm.azure.net" + secondary_hsm_playback_url = "https://managedhsmvaultname2.managedhsm.azure.net" + vault_playback_url = "https://keyvaultname.vault.azure.net" + container_playback_uri = "https://storagename.blob.core.windows.net/container" + playback_sas_token = "fake-sas" + + if self.is_live: + self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL") + self.secondary_hsm_url = os.environ.get("SECONDARY_MANAGEDHSM_URL") + self.vault_url = os.environ.get("AZURE_KEYVAULT_URL") + storage_url = os.environ.get("BLOB_STORAGE_URL") + container_name = os.environ.get("BLOB_CONTAINER_NAME") + self.container_uri = f"{storage_url}/{container_name}" + + self.sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN") + + else: + self.managed_hsm_url = hsm_playback_url + self.secondary_hsm_url = secondary_hsm_playback_url + self.vault_url = vault_playback_url + self.container_uri = container_playback_uri + self.sas_token = playback_sas_token + + self.managed_identity_client_id = os.environ.get("MANAGED_IDENTITY_CLIENT_ID") + use_pwsh = os.environ.get("AZURE_TEST_USE_PWSH_AUTH", "false") + use_cli = os.environ.get("AZURE_TEST_USE_CLI_AUTH", "false") + use_vscode = os.environ.get("AZURE_TEST_USE_VSCODE_AUTH", "false") + use_azd = os.environ.get("AZURE_TEST_USE_AZD_AUTH", "false") + # Only set service principal credentials if user-based auth is not requested + if use_pwsh == use_cli == use_vscode == use_azd == "false": + self._set_mgmt_settings_real_values() + + def _skip_if_not_configured(self, **kwargs): + if self.is_live and self.managed_hsm_url is None: + pytest.skip("No HSM 
endpoint for live testing") + + def _set_mgmt_settings_real_values(self): + if self.is_live: + os.environ["AZURE_TENANT_ID"] = os.getenv("KEYVAULT_TENANT_ID", "") # empty in pipelines + os.environ["AZURE_CLIENT_ID"] = os.getenv("KEYVAULT_CLIENT_ID", "") # empty in pipelines + os.environ["AZURE_CLIENT_SECRET"] = os.getenv("KEYVAULT_CLIENT_SECRET", "") # empty for user-based auth + + +class ClientPreparer(BaseClientPreparer): + def __init__(self, **kwargs) -> None: + super().__init__(**kwargs) + + def __call__(self, fn): + async def _preparer(test_class, **kwargs): + self._skip_if_not_configured() + kwargs["container_uri"] = self.container_uri + kwargs["managed_hsm_url"] = self.managed_hsm_url + client = self.create_client(self.managed_hsm_url, **kwargs) + upload_client = self.create_client(self.secondary_hsm_url, **kwargs) + + async with client: + async with upload_client: + await fn(test_class, client, upload_client, **kwargs) + + return _preparer + + def create_client(self, hsm_url, **kwargs): + from azure.keyvault.securitydomain.aio import SecurityDomainClient + + credential = self.get_credential(SecurityDomainClient, is_async=True) + return self.create_client_from_credential( + SecurityDomainClient, credential=credential, vault_url=hsm_url, **kwargs + ) diff --git a/sdk/keyvault/azure-keyvault-securitydomain/tests/_shared/async_test_case.py b/sdk/keyvault/azure-keyvault-securitydomain/tests/_shared/async_test_case.py new file mode 100644 index 000000000000..963d3964b54e --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/tests/_shared/async_test_case.py 
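Review bot: `_skip_if_not_configured` only checks `managed_hsm_url`, yet `_preparer` immediately builds a second client from `self.secondary_hsm_url`, which is `None` whenever SECONDARY_MANAGEDHSM_URL is unset, so a partially configured live run fails inside the client constructor instead of skipping cleanly. Extend the guard to `if self.is_live and (self.managed_hsm_url is None or self.secondary_hsm_url is None):` with a skip message naming both variables. `container_uri` has the same shape of problem — with BLOB_STORAGE_URL / BLOB_CONTAINER_NAME unset it silently becomes the string `"None/None"` — though nothing in this change's tests reads it, so a comment or the same skip would do. `__init__` also accepts `**kwargs` but never forwards them to `AzureRecordedTestCase.__init__`; if the base class needs them (not visible here), add `super().__init__(**kwargs)`.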
@@ -0,0 +1,43 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import asyncio + +from azure.keyvault.securitydomain._internal import HttpChallengeCache +from devtools_testutils import AzureRecordedTestCase + + +class KeyVaultTestCase(AzureRecordedTestCase): + async def _poll_until_no_exception(self, fn, *resource_names, expected_exception, max_retries=20, retry_delay=3): + """polling helper for live tests because some operations take an unpredictable amount of time to complete""" + + for name in resource_names: + for i in range(max_retries): + try: + # TODO: better for caller to apply args to fn; could also gather + await fn(name) + break + except expected_exception: + if i == max_retries - 1: + raise + if self.is_live: + await asyncio.sleep(retry_delay) + + async def _poll_until_exception(self, fn, *resource_names, expected_exception, max_retries=20, retry_delay=3): + """polling helper for live tests because some operations take an unpredictable amount of time to complete""" + + for name in resource_names: + for _ in range(max_retries): + try: + # TODO: better for caller to apply args to fn; could also gather + await fn(name) + if self.is_live: + await asyncio.sleep(retry_delay) + except expected_exception: + return + self.fail("expected exception {expected_exception} was not raised") + + def teardown_method(self, method): + HttpChallengeCache.clear() + assert len(HttpChallengeCache._cache) == 0 diff --git a/sdk/keyvault/azure-keyvault-securitydomain/tests/_shared/test_case.py b/sdk/keyvault/azure-keyvault-securitydomain/tests/_shared/test_case.py new file mode 100644 index 000000000000..9f8ee381f417 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/tests/_shared/test_case.py 
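Review bot: In `_poll_until_exception`, the `return` inside `except expected_exception:` leaves the whole method as soon as the first name in `resource_names` raises, so later names are never polled and the `self.fail` at the bottom only fires when none of them raise — presumably the intent is that each name eventually raises, and if "any one" was intended a comment saying so would save the next reader the same question. The failure message also lacks its `f` prefix, so `{expected_exception}` is printed literally. Using the inner loop's `else:` clause gives a per-name check and a correct message; whether `AzureRecordedTestCase` provides a unittest-style `fail` is not visible here, so `raise AssertionError(...)` is the portable form. `_poll_until_no_exception` is unaffected.

```python
        for name in resource_names:
            for _ in range(max_retries):
                try:
                    await fn(name)
                    if self.is_live:
                        await asyncio.sleep(retry_delay)
                except expected_exception:
                    break
            else:
                raise AssertionError(f"expected exception {expected_exception} was not raised for {name}")
```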
@@ -0,0 +1,43 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import time + +from azure.keyvault.securitydomain._internal import HttpChallengeCache +from devtools_testutils import AzureRecordedTestCase + + +class KeyVaultTestCase(AzureRecordedTestCase): + def get_resource_name(self, name): + """helper to create resources with a consistent, test-indicative prefix""" + return super(KeyVaultTestCase, self).get_resource_name("livekvtest{}".format(name)) + + def _poll_until_no_exception(self, fn, expected_exception, max_retries=20, retry_delay=10): + """polling helper for live tests because some operations take an unpredictable amount of time to complete""" + + for i in range(max_retries): + try: + return fn() + except expected_exception: + if i == max_retries - 1: + raise + if self.is_live: + time.sleep(retry_delay) + + def _poll_until_exception(self, fn, expected_exception, max_retries=20, retry_delay=10): + """polling helper for live tests because some operations take an unpredictable amount of time to complete""" + + for _ in range(max_retries): + try: + fn() + if self.is_live: + time.sleep(retry_delay) + except expected_exception: + return + + self.fail("expected exception {expected_exception} was not raised") + + def teardown_method(self, method): + HttpChallengeCache.clear() + assert len(HttpChallengeCache._cache) == 0 diff --git a/sdk/keyvault/azure-keyvault-securitydomain/tests/_test_case.py b/sdk/keyvault/azure-keyvault-securitydomain/tests/_test_case.py new file mode 100644 index 000000000000..3158a3195695 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/tests/_test_case.py 
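Review bot: The message in `_poll_until_exception`'s final `self.fail("expected exception {expected_exception} was not raised")` is not an f-string, so the placeholder is emitted verbatim; it should read `self.fail(f"expected exception {expected_exception} was not raised")`. Whether `AzureRecordedTestCase` exposes a unittest-style `fail` is not visible here — `raise AssertionError(f"...")` avoids the dependency and behaves the same under pytest. `_poll_until_no_exception` lets the last attempt's exception propagate via the `raise` on the final retry; a docstring line stating that contract would make it explicit. `super(KeyVaultTestCase, self)` in `get_resource_name` can be the plain `super()`.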
@@ -0,0 +1,88 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import os + +import pytest + +from devtools_testutils import AzureRecordedTestCase + + +class BaseClientPreparer(AzureRecordedTestCase): + def __init__(self, **kwargs) -> None: + hsm_playback_url = "https://managedhsmvaultname.managedhsm.azure.net" + secondary_hsm_playback_url = "https://managedhsmvaultname2.managedhsm.azure.net" + vault_playback_url = "https://keyvaultname.vault.azure.net" + container_playback_uri = "https://storagename.blob.core.windows.net/container" + playback_sas_token = "fake-sas" + + if self.is_live: + self.managed_hsm_url = os.environ.get("AZURE_MANAGEDHSM_URL") + self.secondary_hsm_url = os.environ.get("SECONDARY_MANAGEDHSM_URL") + self.vault_url = os.environ.get("AZURE_KEYVAULT_URL") + storage_url = os.environ.get("BLOB_STORAGE_URL") + container_name = os.environ.get("BLOB_CONTAINER_NAME") + self.container_uri = f"{storage_url}/{container_name}" + + self.sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN") + + else: + self.managed_hsm_url = hsm_playback_url + self.secondary_hsm_url = secondary_hsm_playback_url + self.vault_url = vault_playback_url + self.container_uri = container_playback_uri + self.sas_token = playback_sas_token + + self.managed_identity_client_id = os.environ.get("MANAGED_IDENTITY_CLIENT_ID") + use_pwsh = os.environ.get("AZURE_TEST_USE_PWSH_AUTH", "false") + use_cli = os.environ.get("AZURE_TEST_USE_CLI_AUTH", "false") + use_vscode = os.environ.get("AZURE_TEST_USE_VSCODE_AUTH", "false") + use_azd = os.environ.get("AZURE_TEST_USE_AZD_AUTH", "false") + # Only set service principal credentials if user-based auth is not requested + if use_pwsh == use_cli == use_vscode == use_azd == "false": + self._set_mgmt_settings_real_values() + + def _skip_if_not_configured(self, **kwargs): + if self.is_live and self.managed_hsm_url is None: + pytest.skip("No HSM 
endpoint for live testing") + + def _set_mgmt_settings_real_values(self): + if self.is_live: + os.environ["AZURE_TENANT_ID"] = os.getenv("KEYVAULT_TENANT_ID", "") # empty in pipelines + os.environ["AZURE_CLIENT_ID"] = os.getenv("KEYVAULT_CLIENT_ID", "") # empty in pipelines + os.environ["AZURE_CLIENT_SECRET"] = os.getenv("KEYVAULT_CLIENT_SECRET", "") # empty for user-based auth + + +class ClientPreparer(BaseClientPreparer): + def __init__(self, **kwargs) -> None: + super().__init__(**kwargs) + + def __call__(self, fn): + def _preparer(test_class, **kwargs): + self._skip_if_not_configured() + kwargs["container_uri"] = self.container_uri + kwargs["managed_hsm_url"] = self.managed_hsm_url + client = self.create_client(self.managed_hsm_url, **kwargs) + upload_client = self.create_client(self.secondary_hsm_url, **kwargs) + + with client: + with upload_client: + fn(test_class, client, upload_client, **kwargs) + + return _preparer + + def create_client(self, hsm_url, **kwargs): + from azure.keyvault.securitydomain import SecurityDomainClient + + credential = self.get_credential(SecurityDomainClient) + return self.create_client_from_credential( + SecurityDomainClient, credential=credential, vault_url=hsm_url, **kwargs + ) + + +def get_decorator(**kwargs): + """returns a test decorator for test parameterization""" + versions = kwargs.pop("api_versions", None) or ["7.5"] + params = [pytest.param(api_version) for api_version in versions] + return params diff --git a/sdk/keyvault/azure-keyvault-securitydomain/tests/test_security_domain.py b/sdk/keyvault/azure-keyvault-securitydomain/tests/test_security_domain.py new file mode 100644 index 000000000000..69b6497269d5 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/tests/test_security_domain.py 
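Review bot: `_set_mgmt_settings_real_values` overwrites `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` with `""` whenever the matching `KEYVAULT_*` variable is absent, so a developer who exported the `AZURE_*` trio directly and never set the `KEYVAULT_*` aliases gets them blanked in-process and the live run silently falls through to other credential sources. If the blanking is intentional (the comments hint at a pipeline convention), state that in the comment; otherwise copy only what is present: `for dst, src in (("AZURE_TENANT_ID", "KEYVAULT_TENANT_ID"), ("AZURE_CLIENT_ID", "KEYVAULT_CLIENT_ID"), ("AZURE_CLIENT_SECRET", "KEYVAULT_CLIENT_SECRET")):` followed by `if (value := os.getenv(src)) is not None: os.environ[dst] = value`. Either way a client secret is being copied into the process environment, which every child process inherits, and a one-line comment acknowledging that is worth having. Separately, `_skip_if_not_configured` checks only the primary URL although `_preparer` also builds a client from `secondary_hsm_url`, so a missing SECONDARY_MANAGEDHSM_URL errors in the constructor rather than skipping.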
@@ -0,0 +1,121 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import codecs +import hashlib +import json +import os +from urllib.parse import urlparse + +import pytest + +from azure.keyvault.securitydomain.models import CertificateInfo, SecurityDomainJsonWebKey + +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.serialization import Encoding +from cryptography.x509 import load_pem_x509_certificate + +from _shared.test_case import KeyVaultTestCase +from _test_case import ClientPreparer +from utils import Utils + + +def _int_to_bytes(i): + h = hex(i) + if len(h) > 1 and h[0:2] == "0x": + h = h[2:] + # need to strip L in python 2.x + h = h.strip("L") + if len(h) % 2: + h = "0" + h + return codecs.decode(h, "hex") + + +def _public_rsa_key_to_jwk(rsa_key, encoding=None): + public_numbers = rsa_key.public_numbers() + n = _int_to_bytes(public_numbers.n) + if encoding: + n = encoding(n) + e = _int_to_bytes(public_numbers.e) + if encoding: + e = encoding(e) + return (n, e) + + +class TestSecurityDomain(KeyVaultTestCase): + @pytest.mark.live_test_only + @ClientPreparer() + def test_security_domain_download_and_upload(self, client, upload_client, **kwargs): + path_prefix = os.path.abspath(os.path.join(os.path.abspath(__file__), os.pardir, os.pardir)) + hsm_url = os.environ["AZURE_MANAGEDHSM_URL"] + hsm_name = urlparse(hsm_url).netloc.split(".")[0] + certs_path = f"{path_prefix}{hsm_name}-certificate" + sd_wrapping_keys = [f"{certs_path}0.cer", f"{certs_path}1.cer", f"{certs_path}2.cer"] + certificates = [] + for path in sd_wrapping_keys: + with open(path, "rb") as f: + pem_data = f.read() + + cert = load_pem_x509_certificate(pem_data, backend=default_backend()) + public_key = cert.public_key() + public_bytes = cert.public_bytes(Encoding.DER) + x5c = [Utils.security_domain_b64_url_encode_for_x5c(public_bytes)] # only one 
cert, not a chain + x5t = Utils.security_domain_b64_url_encode(hashlib.sha1(public_bytes).digest()) + x5tS256 = Utils.security_domain_b64_url_encode(hashlib.sha256(public_bytes).digest()) + key_ops = ["verify", "encrypt", "wrapKey"] + + # populate key into jwk + kty = "RSA" + alg = "RSA-OAEP-256" + n, e = _public_rsa_key_to_jwk(public_key, encoding=Utils.security_domain_b64_url_encode) + + certificates.append( + SecurityDomainJsonWebKey( + kid=cert.subject.rfc4514_string(), + kty=kty, + key_ops=key_ops, + n=n, + e=e, + x5_c=x5c, + alg=alg, + x5_t=x5t, + x5_t_s256=x5tS256, + ) + ) + certs_object = CertificateInfo(certificates=certificates) + poller = client.begin_download(certificate_info=certs_object, skip_activation_polling=True) + result = poller.result() + assert result.value + + transfer_key = json.loads(upload_client.get_transfer_key().transfer_key_jwk) + secondary_hsm_url = os.environ["SECONDARY_MANAGEDHSM_URL"] + secondary_hsm_name = urlparse(secondary_hsm_url).netloc.split(".")[0] + key_path = f"{path_prefix}{secondary_hsm_name}-transfer-key.pem" + + def get_x5c_as_pem(): + x5c = transfer_key.get("x5c", []) + if not x5c: + raise ValueError("Insufficient x5c.") + b64cert = x5c[0] + header = "-----BEGIN CERTIFICATE-----" + footer = "-----END CERTIFICATE-----" + pem = [header] + for i in range(0, len(b64cert), 65): + line_len = min(65, len(b64cert) - i) + line = b64cert[i : i + line_len] + pem.append(line) + pem.append(footer) + return "\n".join(pem) + + try: + with open(key_path, "w") as f: + f.write(get_x5c_as_pem()) + except Exception as ex: # pylint: disable=broad-except + if os.path.isfile(key_path): + os.remove(key_path) + raise ex + + poller = upload_client.begin_upload(security_domain=result) + result = poller.result() + assert result.status.lower() == "success" 
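Review bot: `certs_path = f"{path_prefix}{hsm_name}-certificate"` joins a directory and a file name with no separator, and `os.path.abspath` never returns a trailing slash, so the certificates are looked up as `sdk/keyvault/azure-keyvault-securitydomain<hsm_name>-certificate0.cer` rather than as files inside the package directory; `key_path` is built the same way. Unless the live-test resource script deliberately writes that concatenated name, both should use `os.path.join(path_prefix, f"{hsm_name}-certificate")` and `os.path.join(path_prefix, f"{secondary_hsm_name}-transfer-key.pem")`. The transfer-key PEM written to `key_path` is never read again in this test — `upload_client.begin_upload(security_domain=result)` takes only the downloaded domain — so either the upload is meant to consume it or the write is carried over from the CLI flow and leaves a stray file in the source tree on every live run; a comment stating which would settle it. In the cleanup block `raise ex` should be a bare `raise` to keep the original traceback, and `_int_to_bytes` can be `i.to_bytes((i.bit_length() + 7) // 8, "big")` — the `strip("L")` is Python 2 residue.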
diff --git a/sdk/keyvault/azure-keyvault-securitydomain/tests/test_security_domain_async.py b/sdk/keyvault/azure-keyvault-securitydomain/tests/test_security_domain_async.py new file mode 100644 index 000000000000..7d0819408c93 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/tests/test_security_domain_async.py 
@@ -0,0 +1,101 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +import hashlib +import json +import os +from urllib.parse import urlparse + +import pytest + +from azure.keyvault.securitydomain.models import CertificateInfo, SecurityDomainJsonWebKey + +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.serialization import Encoding +from cryptography.x509 import load_pem_x509_certificate + +from test_security_domain import _public_rsa_key_to_jwk +from _shared.async_test_case import KeyVaultTestCase +from _async_test_case import ClientPreparer +from utils import Utils + + +class TestSecurityDomain(KeyVaultTestCase): + @pytest.mark.asyncio + @pytest.mark.live_test_only + @ClientPreparer() + async def test_security_domain_download_and_upload(self, client, upload_client, **kwargs): + path_prefix = os.path.abspath(os.path.join(os.path.abspath(__file__), os.pardir, os.pardir)) + hsm_url = os.environ["AZURE_MANAGEDHSM_URL"] + hsm_name = urlparse(hsm_url).netloc.split(".")[0] + certs_path = f"{path_prefix}{hsm_name}-certificate" + sd_wrapping_keys = [f"{certs_path}0.cer", f"{certs_path}1.cer", f"{certs_path}2.cer"] + certificates = [] + for path in sd_wrapping_keys: + with open(path, "rb") as f: + pem_data = f.read() + + cert = load_pem_x509_certificate(pem_data, backend=default_backend()) + public_key = cert.public_key() + public_bytes = cert.public_bytes(Encoding.DER) + x5c = [Utils.security_domain_b64_url_encode_for_x5c(public_bytes)] # only one cert, not a chain + x5t = Utils.security_domain_b64_url_encode(hashlib.sha1(public_bytes).digest()) + x5tS256 = Utils.security_domain_b64_url_encode(hashlib.sha256(public_bytes).digest()) + key_ops = ["verify", "encrypt", "wrapKey"] + + # populate key into jwk + kty = "RSA" + alg = "RSA-OAEP-256" + n, e = _public_rsa_key_to_jwk(public_key, 
encoding=Utils.security_domain_b64_url_encode) + + certificates.append( + SecurityDomainJsonWebKey( + kid=cert.subject.rfc4514_string(), + kty=kty, + key_ops=key_ops, + n=n, + e=e, + x5_c=x5c, + alg=alg, + x5_t=x5t, + x5_t_s256=x5tS256, + ) + ) + certs_object = CertificateInfo(certificates=certificates) + poller = await client.begin_download(certificate_info=certs_object, polling=False) + result = await poller.result() + assert result.value + + key = await upload_client.get_transfer_key() + transfer_key = json.loads(key.transfer_key_jwk) + secondary_hsm_url = os.environ["SECONDARY_MANAGEDHSM_URL"] + secondary_hsm_name = urlparse(secondary_hsm_url).netloc.split(".")[0] + key_path = f"{path_prefix}{secondary_hsm_name}-transfer-key.pem" + + def get_x5c_as_pem(): + x5c = transfer_key.get("x5c", []) + if not x5c: + raise ValueError("Insufficient x5c.") + b64cert = x5c[0] + header = "-----BEGIN CERTIFICATE-----" + footer = "-----END CERTIFICATE-----" + pem = [header] + for i in range(0, len(b64cert), 65): + line_len = min(65, len(b64cert) - i) + line = b64cert[i : i + line_len] + pem.append(line) + pem.append(footer) + return "\n".join(pem) + + try: + with open(key_path, "w") as f: + f.write(get_x5c_as_pem()) + except Exception as ex: # pylint: disable=broad-except + if os.path.isfile(key_path): + os.remove(key_path) + raise ex + + poller = await upload_client.begin_upload(security_domain=result) + result = await poller.result() + assert result.status.lower() == "success" diff --git a/sdk/keyvault/azure-keyvault-securitydomain/tests/utils.py b/sdk/keyvault/azure-keyvault-securitydomain/tests/utils.py new file mode 100644 index 000000000000..14930ddd10de --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/tests/utils.py 
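Review bot: The download here is started with `polling=False`, whereas the synchronous test and both samples use `skip_activation_polling=True`; `polling=False` is azure-core's generic switch that disables LRO polling altogether, so `await poller.result()` returns the initial response and the package's own activation-skip path goes unexercised on the async side, leaving the two tests covering different behaviour. Unless the async client deliberately lacks that keyword (not visible here), use `poller = await client.begin_download(certificate_info=certs_object, skip_activation_polling=True)`. The same `f"{path_prefix}{hsm_name}-certificate"` concatenation without a path separator and the never-read `key_path` PEM write as in the synchronous test are present here, and `raise ex` should be a bare `raise`. Importing `_public_rsa_key_to_jwk` from the sibling test module couples the two tests; `tests/utils.py`, already imported by both, is the natural home for it.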
@@ -0,0 +1,52 @@ +# -------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See License.txt in the project root for license information. +# -------------------------------------------------------------------------------------------- + +import array +import base64 +import hashlib +import secrets + +from cryptography.hazmat.primitives.serialization import Encoding + + +class Utils: + @staticmethod + def is_little_endian(): + a = array.array("H", [1]).tobytes() + # little endian: b'\x01\x00' + # big endian: b'\x00\x01' + return a[0] == 1 + + @staticmethod + def convert_to_uint16(b: bytearray): + ret = [0 for _ in range(len(b) // 2)] + for i in range(0, len(b), 2): + byte_order = "little" if Utils.is_little_endian() else "big" + ret[i // 2] = int.from_bytes(bytearray([b[i], b[i + 1]]), byteorder=byte_order, signed=False) + return ret + + @staticmethod + def get_random(cb): + ret = bytearray() + for _ in range(cb): + ret.append(secrets.randbits(8)) + return ret + + @staticmethod + def get_SHA256_thumbprint(cert): + public_bytes = cert.public_bytes(Encoding.DER) + return hashlib.sha256(public_bytes).digest() + + @staticmethod + def security_domain_b64_url_encode_for_x5c(s): + return base64.b64encode(s).decode("ascii") + + @staticmethod + def security_domain_b64_url_encode(s): + return base64.b64encode(s).decode("ascii").strip("=").replace("+", "-").replace("/", "_") + + +if __name__ == "__main__": + print(Utils.convert_to_uint16(bytearray([40, 30, 20, 10]))) diff --git a/sdk/keyvault/azure-keyvault-securitydomain/tsp-location.yaml b/sdk/keyvault/azure-keyvault-securitydomain/tsp-location.yaml new file mode 100644 index 000000000000..7f1f278b6e39 --- /dev/null +++ b/sdk/keyvault/azure-keyvault-securitydomain/tsp-location.yaml 
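Review bot: `security_domain_b64_url_encode` rebuilds URL-safe base64 by hand — `base64.urlsafe_b64encode(s).rstrip(b"=").decode("ascii")` is the stdlib equivalent and avoids `strip("=")` scanning both ends. `get_random` assembles the buffer one `secrets.randbits(8)` at a time; `bytearray(secrets.token_bytes(cb))` draws the same CSPRNG output in one call, and with `import sys` the `is_little_endian` helper is simply `sys.byteorder == "little"` (it is also re-evaluated on every iteration inside `convert_to_uint16`). `convert_to_uint16` raises IndexError on odd-length input, so `if len(b) % 2: raise ValueError("expected an even number of bytes")` at the top would make that explicit. Of these helpers only the two encoders are called by the tests in this change; the others appear carried over from the CLI, and a one-line docstring on `Utils` saying why they are kept (or trimming them together with the `__main__` print) would help the next reader.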
@@ -0,0 +1,5 @@ +directory: specification/keyvault/Security.KeyVault.SecurityDomain +commit: 89e8dbb5b552204552be0e15bd5d708fe05384ed +repo: Azure/azure-rest-api-specs +additionalDirectories: +- specification/keyvault/Security.KeyVault.Common/ diff --git a/sdk/keyvault/ci.yml b/sdk/keyvault/ci.yml index c69612d67ec7..34874c99ccd7 100644 --- a/sdk/keyvault/ci.yml +++ b/sdk/keyvault/ci.yml @@ -40,5 +40,7 @@ extends: safeName: azurekeyvaultkeys - name: azure-keyvault-secrets safeName: azurekeyvaultsecrets + - name: azure-keyvault-securitydomain + safeName: azurekeyvaultsecuritydomain - name: azure-mgmt-keyvault safeName: azuremgmtkeyvault