{Keyvault} Vendor azure-keyvault track1 SDK to make customization for supporting Python 3.11 (#27148)

* vendor keyvault data plane track1 sdk

* skip linter for vendored sdk

* fix usage in other modules

Author: evelyn-ys

src/azure-cli-core/azure/cli/core/profiles/_shared.py

@@ -65,11 +65,10 @@ class ResourceType(Enum):  # pylint: disable=too-few-public-methods
     MGMT_RESOURCE_MANAGEDAPPLICATIONS = ('azure.mgmt.resource.managedapplications', 'ApplicationClient')
     MGMT_MONITOR = ('azure.mgmt.monitor', 'MonitorManagementClient')
     MGMT_MSI = ('azure.mgmt.msi', 'ManagedServiceIdentityClient')
-    DATA_KEYVAULT = ('azure.keyvault', 'KeyVaultClient')
     DATA_KEYVAULT_CERTIFICATES = ('azure.keyvault.certificates', 'CertificateClient')
     DATA_KEYVAULT_KEYS = ('azure.keyvault.keys', 'KeyClient')
     DATA_KEYVAULT_SECRETS = ('azure.keyvault.secrets', 'SecretClient')
-    DATA_PRIVATE_KEYVAULT = ('azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1', 'KeyVaultClient')
+    DATA_KEYVAULT = ('azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1', 'KeyVaultClient')
     DATA_KEYVAULT_ADMINISTRATION_BACKUP = ('azure.keyvault.administration', 'KeyVaultBackupClient')
     DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL = ('azure.keyvault.administration', 'KeyVaultAccessControlClient')
     DATA_KEYVAULT_ADMINISTRATION_SETTING = ('azure.keyvault.administration', 'KeyVaultSettingsClient')
@@ -210,7 +209,6 @@ def default_api_version(self):
         ResourceType.DATA_KEYVAULT_SECRETS: None,
         ResourceType.DATA_KEYVAULT_ADMINISTRATION_SETTING: None,
         ResourceType.DATA_KEYVAULT: '7.0',
-        ResourceType.DATA_PRIVATE_KEYVAULT: '7.2',
         ResourceType.DATA_KEYVAULT_ADMINISTRATION_BACKUP: '7.4',
         ResourceType.DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL: '7.4',
         ResourceType.DATA_STORAGE: '2018-11-09',

src/azure-cli-core/azure/cli/core/tests/test_api_profiles.py

@@ -268,7 +268,7 @@ def test_get_versioned_sdk_path_semver(self):
         with mock.patch('azure.cli.core.profiles._shared.AZURE_API_PROFILES', test_profile):
             self.assertEqual(
                 get_versioned_sdk_path('latest', ResourceType.DATA_KEYVAULT),
-                "azure.keyvault.v7_0"
+                "azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1.v7_0"
             )
 
 

src/azure-cli/azure/cli/command_modules/appconfig/_kv_helpers.py

@@ -18,7 +18,7 @@
 from knack.log import get_logger
 from knack.util import CLIError
 
-from azure.keyvault.key_vault_id import KeyVaultIdentifier
+from azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1.key_vault_id import KeyVaultIdentifier
 from azure.appconfiguration import ResourceReadOnlyError, ConfigurationSetting
 from azure.core.exceptions import HttpResponseError
 from azure.cli.core.util import user_confirmation
@@ -829,7 +829,7 @@ def __compact_key_values(key_values):
 
 
 def __resolve_secret(keyvault_client, keyvault_reference):
-    from azure.keyvault.key_vault_id import SecretId
+    from azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1.key_vault_id import SecretId
     try:
         secret_id = json.loads(keyvault_reference.value)["uri"]
         kv_identifier = SecretId(uri=secret_id)

src/azure-cli/azure/cli/command_modules/appconfig/_validators.py

@@ -227,7 +227,7 @@ def validate_identity(namespace):
 
 def validate_secret_identifier(namespace):
     """ Validate the format of keyvault reference secret identifier """
-    from azure.keyvault.key_vault_id import KeyVaultIdentifier
+    from azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1.key_vault_id import KeyVaultIdentifier
 
     identifier = getattr(namespace, 'secret_identifier', None)
     try:

src/azure-cli/azure/cli/command_modules/keyvault/_client_factory.py

@@ -23,6 +23,7 @@ class Clients(str, Enum):
     mhsm_private_endpoint_connections = 'mhsm_private_endpoint_connections'
     mhsm_private_link_resources = 'mhsm_private_link_resources'
     mhsm_regions = 'mhsm_regions'
+    private_7_2 = 'private_7_2'
 
 
 OPERATIONS_NAME = {
@@ -39,8 +40,6 @@ class Clients(str, Enum):
     ResourceType.MGMT_KEYVAULT:
         'azure.mgmt.keyvault{api_version}.{module_name}#{class_name}{obj_name}',
     ResourceType.DATA_KEYVAULT:
-        'azure.keyvault{api_version}.key_vault_client#{class_name}{obj_name}',
-    ResourceType.DATA_PRIVATE_KEYVAULT:
         'azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1{api_version}.'
         'key_vault_client#{class_name}{obj_name}',
     ResourceType.DATA_KEYVAULT_ADMINISTRATION_BACKUP:
@@ -110,9 +109,9 @@ def get_client_factory(resource_type, client_name=''):
     if is_mgmt_plane(resource_type):
         return keyvault_mgmt_client_factory(resource_type, client_name)
     if resource_type == ResourceType.DATA_KEYVAULT:
+        if client_name == Clients.private_7_2:
+            return keyvault_private_data_plane_factory_v7_2_preview
         return keyvault_data_plane_factory
-    if resource_type == ResourceType.DATA_PRIVATE_KEYVAULT:
-        return keyvault_private_data_plane_factory_v7_2_preview
     if resource_type == ResourceType.DATA_KEYVAULT_ADMINISTRATION_BACKUP:
         return data_plane_azure_keyvault_administration_backup_client
     if resource_type == ResourceType.DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL:
@@ -169,7 +168,8 @@ def _keyvault_mgmt_client_factory(cli_ctx, _):
 
 
 def keyvault_data_plane_factory(cli_ctx, *_):
-    from azure.keyvault import KeyVaultAuthentication, KeyVaultClient
+    from azure.cli.command_modules.keyvault.vendored_sdks.azure_keyvault_t1 import (
+        KeyVaultAuthentication, KeyVaultClient)
     from azure.cli.core.util import should_disable_connection_verify
 
     version = str(get_api_version(cli_ctx, ResourceType.DATA_KEYVAULT))
@@ -197,13 +197,11 @@ def keyvault_private_data_plane_factory_v7_2_preview(cli_ctx, _):
         KeyVaultAuthentication, KeyVaultClient)
     from azure.cli.core.util import should_disable_connection_verify
 
-    version = str(get_api_version(cli_ctx, ResourceType.DATA_PRIVATE_KEYVAULT))
-
     def get_token(server, resource, scope):  # pylint: disable=unused-argument
         return Profile(cli_ctx=cli_ctx).get_raw_token(resource=resource,
                                                       subscription=cli_ctx.data.get('subscription_id'))[0]
 
-    client = KeyVaultClient(KeyVaultAuthentication(get_token), api_version=version)
+    client = KeyVaultClient(KeyVaultAuthentication(get_token), api_version='7.2')
 
     # HACK, work around the fact that KeyVault library does't take confiuration object on constructor
     # which could be used to turn off the verifiaction. Remove this once we migrate to new data plane library

src/azure-cli/azure/cli/command_modules/keyvault/_completers.py

@@ -15,7 +15,7 @@ def get_keyvault_name_completion_list(resource_name):
 
     @Completer
     def completer(cmd, prefix, namespace, **kwargs):  # pylint: disable=unused-argument
-        from azure.keyvault import KeyVaultAuthentication, KeyVaultClient
+        from .vendored_sdks.azure_keyvault_t1 import KeyVaultAuthentication, KeyVaultClient
         from azure.cli.core.profiles import ResourceType, get_api_version
         version = str(get_api_version(cmd.cli_ctx, ResourceType.DATA_KEYVAULT))
         client = KeyVaultClient(KeyVaultAuthentication(_get_token), api_version=version)
@@ -34,7 +34,7 @@ def get_keyvault_version_completion_list(resource_name):
 
     @Completer
     def completer(cmd, prefix, namespace, **kwargs):  # pylint: disable=unused-argument
-        from azure.keyvault import KeyVaultAuthentication, KeyVaultClient
+        from .vendored_sdks.azure_keyvault_t1 import KeyVaultAuthentication, KeyVaultClient
         from azure.cli.core.profiles import ResourceType, get_api_version
         version = str(get_api_version(cmd.cli_ctx, ResourceType.DATA_KEYVAULT))
         client = KeyVaultClient(KeyVaultAuthentication(_get_token), api_version=version)

src/azure-cli/azure/cli/command_modules/keyvault/_validators.py

@@ -631,7 +631,7 @@ def set_vault_base_url(ns):
 
 def validate_key_id(entity_type):
     def _validate(ns):
-        from azure.keyvault.key_vault_id import KeyVaultIdentifier
+        from .vendored_sdks.azure_keyvault_t1.key_vault_id import KeyVaultIdentifier
 
         pure_entity_type = entity_type.replace('deleted', '')
         name = getattr(ns, pure_entity_type + '_name', None)
@@ -662,7 +662,7 @@ def _validate(ns):
 
 def validate_keyvault_resource_id(entity_type):
     def _validate(ns):
-        from azure.keyvault.key_vault_id import KeyVaultIdentifier
+        from .vendored_sdks.azure_keyvault_t1.key_vault_id import KeyVaultIdentifier
 
         pure_entity_type = entity_type.replace('deleted', '')
         name = getattr(ns, pure_entity_type + '_name', None) or getattr(ns, 'name', None)
@@ -697,7 +697,7 @@ def _validate(ns):
 
 
 def validate_sas_definition_id(ns):
-    from azure.keyvault import StorageSasDefinitionId
+    from .vendored_sdks.azure_keyvault_t1 import StorageSasDefinitionId
     acct_name = getattr(ns, 'storage_account_name', None)
     sas_name = getattr(ns, 'sas_definition_name', None)
     vault = getattr(ns, 'vault_base_url', None)
@@ -713,7 +713,7 @@ def validate_sas_definition_id(ns):
 
 
 def validate_storage_account_id(ns):
-    from azure.keyvault import StorageAccountId
+    from .vendored_sdks.azure_keyvault_t1 import StorageAccountId
     acct_name = getattr(ns, 'storage_account_name', None)
     vault = getattr(ns, 'vault_base_url', None)
     identifier = getattr(ns, 'identifier', None)

src/azure-cli/azure/cli/command_modules/keyvault/commands.py

@@ -53,7 +53,7 @@ def load_command_table(self, _):
     if not is_azure_stack_profile(self):
         mgmt_hsms_entity = get_client(self.cli_ctx, ResourceType.MGMT_KEYVAULT, Clients.managed_hsms)
         mgmt_hsms_regions_entity = get_client(self.cli_ctx, ResourceType.MGMT_KEYVAULT, Clients.mhsm_regions)
-        private_data_entity = get_client(self.cli_ctx, ResourceType.DATA_PRIVATE_KEYVAULT)
+        private_data_entity = get_client(self.cli_ctx, ResourceType.DATA_KEYVAULT, Clients.private_7_2)
         data_backup_entity = get_client(self.cli_ctx, ResourceType.DATA_KEYVAULT_ADMINISTRATION_BACKUP)
         data_access_control_entity = get_client(self.cli_ctx, ResourceType.DATA_KEYVAULT_ADMINISTRATION_ACCESS_CONTROL)
         data_setting_entity = get_client(self.cli_ctx, ResourceType.DATA_KEYVAULT_ADMINISTRATION_SETTING)

src/azure-cli/azure/cli/command_modules/keyvault/custom.py

@@ -2360,8 +2360,7 @@ def _security_domain_restore_blob(sd_file, sd_exchange_key, sd_wrapping_keys, pa
 
 def _security_domain_upload_blob(cmd, client, hsm_name, restore_blob_value, identifier=None,
                                  vault_base_url=None, no_wait=False):
-    SecurityDomainObject = cmd.get_models('SecurityDomainObject',
-                                          resource_type=ResourceType.DATA_PRIVATE_KEYVAULT)
+    from .vendored_sdks.azure_keyvault_t1.v7_2.models import SecurityDomainObject
     security_domain = SecurityDomainObject(value=restore_blob_value)
     retval = client.upload(vault_base_url=hsm_name or vault_base_url, security_domain=security_domain)
     if no_wait:
@@ -2408,9 +2407,7 @@ def security_domain_download(cmd, client, hsm_name, sd_wrapping_keys, security_d
     if os.path.exists(security_domain_file):
         raise CLIError("File named '{}' already exists.".format(security_domain_file))
 
-    CertificateSet = cmd.get_models('CertificateSet', resource_type=ResourceType.DATA_PRIVATE_KEYVAULT)
-    SecurityDomainJsonWebKey = cmd.get_models('SecurityDomainJsonWebKey',
-                                              resource_type=ResourceType.DATA_PRIVATE_KEYVAULT)
+    from .vendored_sdks.azure_keyvault_t1.v7_2.models import CertificateSet, SecurityDomainJsonWebKey
 
     for path in sd_wrapping_keys:
         if os.path.isdir(path):

src/azure-cli/azure/cli/command_modules/keyvault/vendored_sdks/azure_keyvault_t1/_internal.py

@@ -16,7 +16,7 @@
 from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
 from cryptography.hazmat.primitives import hashes, constant_time, padding, hmac
 
-from azure.keyvault.models import JsonWebKey
+from .models import JsonWebKey
 
 def _a128cbc_hs256_encrypt(key, iv, plaintext, authdata):
     if not key or not len(key) >= 32: