diff --git a/R/az_vault.R b/R/az_vault.R index 2dade32..be5bf51 100644 --- a/R/az_vault.R +++ b/R/az_vault.R @@ -8,7 +8,7 @@ public=list( { if(!inherits(principal, "vault_access_policy")) principal <- vault_access_policy( - find_principal(principal), + principal, tenant, key_permissions, secret_permissions, @@ -72,18 +72,6 @@ public=list( )) -find_principal=function(principal) -{ - if(is_user(principal) || is_service_principal(principal)) - principal$properties$id - else if(is_app(principal)) - principal$get_service_principal()$properties$id - else if(!is_guid(principal)) - stop("Must supply a valid principal ID or object", call.=FALSE) - else AzureAuth::normalize_guid(principal) -} - - #' @export vault_access_policy <- function(principal, tenant=NULL, key_permissions="all", @@ -91,6 +79,8 @@ vault_access_policy <- function(principal, tenant=NULL, certificate_permissions="all", storage_permissions="all") { + principal <- find_principal(principal) + key_permissions <- verify_key_permissions(key_permissions) secret_permissions <- verify_secret_permissions(secret_permissions) certificate_permissions <- verify_certificate_permissions(certificate_permissions) 
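Review bot: Now that `vault_access_policy` resolves its first argument itself via `principal <- find_principal(principal)`, the roxygen `@param principal` above the signature (outside this hunk, so I cannot see its current wording) needs to state the accepted forms, because callers who previously had to pre-resolve the ID will now pass objects directly. Based on the `find_principal` branches removed in the second hunk, I would document it as `@param principal A GUID string, or an AzureGraph user, service principal or app object; app objects are resolved to the object ID of their service principal. A bare GUID is only normalized, not checked to exist.` It is also worth a one-line note that resolving an app object appears to go through `get_service_principal()`, which presumably makes a Graph call, so the function is no longer purely local for that input. The body of `add_principal` in the first hunk starts outside the hunk.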
@@ -123,12 +113,24 @@ print.vault_access_policy <- function(x, ...) cat("Certificate permissions:\n") cat(strwrap(paste(x$permissions$certificates, collapse=", "), indent=4, exdent=4), sep="\n") cat("Storage account permissions:\n") - cat(strwrap(paste(x$permissions$storage_permissions, collapse=", "), indent=4, exdent=4), sep="\n") + cat(strwrap(paste(x$permissions$storage, collapse=", "), indent=4, exdent=4), sep="\n") cat("\n") invisible(x) } +find_principal=function(principal) +{ + if(is_user(principal) || is_service_principal(principal)) + principal$properties$id + else if(is_app(principal)) + principal$get_service_principal()$properties$id + else if(!is_guid(principal)) + stop("Must supply a valid principal ID or object", call.=FALSE) + else AzureAuth::normalize_guid(principal) +} + + verify_key_permissions <- function(perms) { key_perms <- c("get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", diff --git a/tests/testthat.R b/tests/testthat.R new file mode 100644 index 0000000..d6672b3 --- /dev/null +++ b/tests/testthat.R @@ -0,0 +1,4 @@ +library(testthat) +library(AzureKeyVault) + +test_check("AzureKeyVault") diff --git a/tests/testthat/test01_resource.R b/tests/testthat/test01_resource.R new file mode 100644 index 0000000..6b35b5a --- /dev/null +++ b/tests/testthat/test01_resource.R 
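Review bot: The re-added definition `find_principal=function(principal)` uses `=` for assignment while every other definition in this file uses `<-` (`vault_access_policy <- function`, `print.vault_access_policy <- function`, `verify_key_permissions <- function`); for consistency change it to `find_principal <- function(principal)`. The GUID branch, `else AzureAuth::normalize_guid(principal)`, accepts any well-formed GUID without distinguishing an object ID from an application (client) ID, whereas the app-object branch deliberately resolves to `get_service_principal()$properties$id`; I would add a comment on that branch such as `# A bare GUID is assumed to be the principal's object ID (what the policy's objectId field holds); it is normalized, not verified.` The `storage_permissions` to `storage` correction in `print.vault_access_policy` fixes what looks like a silently empty line in the printout, so a small `expect_output` test on printing a policy would pin it.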
@@ -0,0 +1,98 @@ +context("Resource creation") + +tenant <- Sys.getenv("AZ_TEST_TENANT_ID") +app <- Sys.getenv("AZ_TEST_APP_ID") +password <- Sys.getenv("AZ_TEST_PASSWORD") +subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION") +username <- Sys.getenv("AZ_TEST_USERNAME") + +if(tenant == "" || app == "" || password == "" || subscription == "" || username == "") + skip("Tests skipped: ARM credentials not set") + +if(!requireNamespace("AzureGraph", quietly=TRUE)) + skip("Resource creation tests skipped, AzureGraph not installed") + +rgname <- paste(sample(letters, 20, replace=TRUE), collapse="") +kvname <- paste(sample(letters, 10, replace=TRUE), collapse="") + +rg <- AzureRMR::az_rm$ + new(tenant=tenant, app=app, password=password)$ + get_subscription(subscription)$ + create_resource_group(rgname, location="australiaeast") + + +test_that("Access policy function works", +{ + pol0 <- vault_access_policy(app, NULL, NULL, NULL, NULL, NULL) + expect_is(pol0, "vault_access_policy") + expect_true(AzureRMR::is_empty(pol0$key_permissions)) + expect_true(AzureRMR::is_empty(pol0$secret_permissions)) + expect_true(AzureRMR::is_empty(pol0$certificate_permissions)) + expect_true(AzureRMR::is_empty(pol0$storage_permissions)) + + usr <- AzureGraph::ms_graph$ + new(tenant=tenant)$ + get_user(username) + + pol1 <- vault_access_policy(usr, NULL) + expect_identical(pol1$objectId, usr$properties$id) + expect_identical(pol1$permissions$keys, + I(c("get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", + "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign", "purge"))) + expect_identical(pol1$permissions$secrets, + I(c("get", "list", "set", "delete", "recover", "backup", "restore", "purge"))) + expect_identical(pol1$permissions$certificates, + I(c("get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", + "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", + "deleteissuers", "purge"))) + 
expect_identical(pol1$permissions$storage, + I(c("backup", "delete", "deletesas", "get", "getsas", "list", "listsas", + "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update"))) + + expect_error(vault_access_policy(username)) # must supply GUID or Graph object as principal + expect_error(vault_access_policy(usr, NULL, key_permissions="none")) + expect_error(vault_access_policy(usr, NULL, secret_permissions="none")) + expect_error(vault_access_policy(usr, NULL, certificate_permissions="none")) + expect_error(vault_access_policy(usr, NULL, storage_permissions="none")) + + pol2 <- vault_access_policy(usr, NULL, "get", "get", "get", "get") + expect_is(pol2, "vault_access_policy") + expect_identical(pol2$permissions$keys, I("get")) + expect_identical(pol2$permissions$secrets, I("get")) + expect_identical(pol2$permissions$certificates, I("get")) + expect_identical(pol2$permissions$storage, I("get")) +}) + +test_that("Resource creation works", +{ + kv <- rg$create_key_vault(kvname) + expect_is(kv, "az_key_vault") + + kv2 <- rg$get_key_vault(kvname) + expect_is(kv2, "az_key_vault") +}) + +test_that("Access policy management works", +{ + kv <- rg$get_key_vault(kvname) + + usr <- AzureGraph::ms_graph$ + new(tenant=tenant)$ + get_user(username) + + kv$add_principal(usr) + pols <- kv$properties$accessPolicies + expect_true(any(sapply(pols, function(x) x$objectId == usr$properties$id))) + + kv$remove_principal(usr) + pols <- kv$properties$accessPolicies + expect_false(any(sapply(pols, function(x) x$objectId == usr$properties$id))) +}) + +test_that("Resource deletion works", +{ + expect_message(rg$delete_key_vault(kvname, confirm=FALSE)) +}) + + +rg$delete(confirm=FALSE)
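Review bot: `vault_access_policy(app, NULL, NULL, NULL, NULL, NULL)` passes `AZ_TEST_APP_ID`, the application (client) ID, as the bare-GUID principal, while the app-object path of `find_principal` resolves to the service principal's object ID and the later assertions compare the policy's `objectId` against `usr$properties$id`; this only works here because `pol0` is never applied to a vault, but as the first example in the test file it is likely to be copied into real calls that would then grant nothing to the intended principal. I would either resolve the service principal first or mark it with `# app (client) ID used only to exercise the GUID branch; a real policy needs the object ID`. Cleanup also depends on reaching the last line: `rg$delete(confirm=FALSE)` is a plain top-level statement, so an interrupted run leaves behind a resource group and a key vault whose access policy grants the test user the "all" permission sets, and the `skip()` calls at file level rely on testthat treating a top-level skip as skipping the file, which I believe is supported but have not verified for the version pinned here. If the package already depends on testthat 3e, registering the deletion with `withr::defer(rg$delete(confirm=FALSE), teardown_env())` right after `rg` is created would run it regardless of how the file exits.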