[Az.KeyVault] Security domain Upload Split (#22671)

* 0825 update

* 0825 update2

* Security Domain Upload Split

* Update ChangeLog

* Polish code

* Polish code

* Polish code

* Help files generate

* Add online version in help files

* Rename super class from SecurityDomainCmdletClient to SecurityDomainCmdletBase

* Supress Static Analysis

* Suppress Static Analysis

* Suppress Static Analysis

* Sytax in help files

* Align the new design

* Update changelog

* Update Pester test

* ByRestoredBlob

* Resolve comments

* SecurityDomainRestoredBlob

* Update help files

* Update src/KeyVault/KeyVault/ChangeLog.md

Co-authored-by: Beisi Zhou <[email protected]>

* Rename files

* Update help file

* suppress signature issue

* suppress signature issue

* ExchangeKey

* ExchangeKeyPath, OutFile

---------

Co-authored-by: Beisi Zhou <[email protected]>

Author: NoriZC

src/KeyVault/KeyVault.Test/PesterTests/ManagedHsmDataPlaneTests.Tests.ps1

@@ -278,6 +278,37 @@ Describe 'Export Import Security domain' {
     #   Import-AzKeyVaultSecurityDomain -Name $hsmName -Keys $certsKeys -SecurityDomainPath $sd.FullName
 }
 
+Describe 'Export Import Security Domain by Restored Blob' {
+    $sd = New-TemporaryFile
+
+    It 'Can export security domain' {
+        Get-Content $sd | Should -BeNullOrEmpty
+        Export-AzKeyVaultSecurityDomain -HsmName $hsmName -Certificates $certs -OutputPath $sd.FullName -Quorum 3 -Force
+        Get-Content $sd | Should -Not -BeNullOrEmpty
+    }
+
+    # Cannot test initializing because it needs a newly created HSM
+    It 'Can Download Security Domain ExchangeKey' {
+        $exchangeKeyOutputPath = "$PSScriptRoot/ExchangeKey.cer"
+        Import-AzKeyVaultSecurityDomain -Name $hsmName -OutFile $exchangeKeyOutputPath -DownloadExchangeKey 
+    }
+    
+    # This command can be executed offline
+    It 'Can decrypt and encrypt Security Domain Data locally' {
+        $exchangeKeyPath = "$PSScriptRoot/ExchangeKey.cer"
+        $SecurityDomainRestoredBlob = "$PSScriptRoot/HsmRestoredBlob.json"
+        Import-AzKeyVaultSecurityDomain -Keys $certsKeys -ExchangeKeyPath  $exchangeKeyPath -SecurityDomainPath $sd.FullName -OutFile $SecurityDomainRestoredBlob -RestoreBlob 
+    }
+
+    It 'Can Import Security Domain by Restore Blob' {
+        $SecurityDomainRestoredBlob = "$PSScriptRoot/HsmRestoredBlob.json"
+        Import-AzKeyVaultSecurityDomain -Name $hsmName -SecurityDomainPath $SecurityDomainRestoredBlob -ImportRestoredBlob
+    }
+
+    # Cannot test importing because it needs another HSM
+    #   Import-AzKeyVaultSecurityDomain -Name $hsmName -Keys $certsKeys -SecurityDomainPath $sd.FullName
+}
+
 Describe 'Custom Role Definition' {
     $roleName = "my custom role"
     $roleDesc = "description for my role"

src/KeyVault/KeyVault/ChangeLog.md

@@ -18,6 +18,8 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Supported splitting `Import-AzKeyVaultSecurityDomain` process into three steps to allow keys to be hidden offline.
+    - Added `DownloadExchangeKey`, `RestoreBlob` and `ImportRestoredBlob` in `Import-AzKeyVaultSecurityDomain`.
 
 ## Version 4.11.0
 * Fixed certificate policy bugs if DnsName is null. [#22642]

src/KeyVault/KeyVault/SecurityDomain/Cmdlets/BackupSecurityDomain.cs renamed to src/KeyVault/KeyVault/SecurityDomain/Cmdlets/ExportAzKeyVaultSecurityDomain.cs

@@ -1,5 +1,7 @@
 using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Commands.KeyVault.Models;
 using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
 using System;
 using System.Linq;
 using System.Management.Automation;
@@ -9,8 +11,21 @@ namespace Microsoft.Azure.Commands.KeyVault.SecurityDomain.Cmdlets
 {
     [Cmdlet(VerbsData.Export, ResourceManager.Common.AzureRMConstants.AzurePrefix + CmdletNoun.KeyVault + "SecurityDomain", SupportsShouldProcess = true, DefaultParameterSetName = ByName)]
     [OutputType(typeof(bool))]
-    public class BackupSecurityDomain: SecurityDomainCmdlet
+    public class ExportAzKeyVaultSecurityDomain: SecurityDomainCmdlet
     {
+        protected const string ByName = "ByName";
+        protected const string ByInputObject = "ByInputObject";
+        // protected const string ByResourceId = "ByResourceID";
+
+        [Parameter(HelpMessage = "Name of the managed HSM.", Mandatory = true, ParameterSetName = ByName)]
+        [Alias("HsmName")]
+        [ValidateNotNullOrEmpty]
+        public string Name { get; set; }
+
+        [Parameter(HelpMessage = "Object representing a managed HSM.", Mandatory = true, ParameterSetName = ByInputObject, ValueFromPipeline = true)]
+        [ValidateNotNull]
+        public PSKeyVaultIdentityItem InputObject { get; set; }
+
         [Parameter(HelpMessage = "Paths to the certificates that are used to encrypt the security domain data.", Mandatory = true)]
         [ValidateNotNullOrEmpty()]
         public string[] Certificates { get; set; }
@@ -31,6 +46,10 @@ public class BackupSecurityDomain: SecurityDomainCmdlet
 
         public override void DoExecuteCmdlet()
         {
+            if (this.IsParameterBound(c => c.InputObject))
+            {
+                Name = InputObject.VaultName;
+            }
             ValidateParameters();
 
             var certificates = Certificates.Select(path => new X509Certificate2(ResolveUserPath(path)));

src/KeyVault/KeyVault/SecurityDomain/Cmdlets/ImportAzKeyVaultSecurityDomain.cs

@@ -0,0 +1,188 @@
+using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Commands.KeyVault.Models;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using Microsoft.Azure.Commands.KeyVault.SecurityDomain.Common;
+using Microsoft.Azure.Commands.KeyVault.SecurityDomain.Models;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
+using Newtonsoft.Json;
+using System;
+using System.IO;
+using System.Linq;
+using System.Management.Automation;
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.Azure.Commands.KeyVault.SecurityDomain.Cmdlets
+{
+    [Cmdlet(VerbsData.Import, ResourceManager.Common.AzureRMConstants.AzurePrefix + CmdletNoun.KeyVault + "SecurityDomain", SupportsShouldProcess = true, DefaultParameterSetName = ByName)]
+    [OutputType(typeof(bool))]
+    public class ImportAzKeyVaultSecurityDomain : SecurityDomainCmdlet
+    {
+        protected const string DoRestoreBlob = "DoRestoreBlob";
+        protected const string ByRestoredBlob = "ByRestoredBlob";
+        protected const string GenerateExchangeKey = "GenerateExchangeKey";
+        protected const string ByName = "ByName";
+        protected const string ByInputObject = "ByInputObject";
+        // protected const string ByResourceId = "ByResourceID";
+
+        [Parameter(HelpMessage = "Name of the managed HSM.", Mandatory = true, ParameterSetName = ByName)]
+        [Parameter(HelpMessage = "Name of the managed HSM.", Mandatory = true, ParameterSetName = ByRestoredBlob)]
+        [Parameter(HelpMessage = "Name of the managed HSM.", Mandatory = true, ParameterSetName = GenerateExchangeKey)]
+        [Alias("HsmName")]
+        [ValidateNotNullOrEmpty]
+        public string Name { get; set; }
+
+        [Parameter(HelpMessage = "Object representing a managed HSM.", Mandatory = true, ParameterSetName = ByInputObject, ValueFromPipeline = true)]
+        [ValidateNotNull]
+        public PSKeyVaultIdentityItem InputObject { get; set; }
+
+        [Parameter(HelpMessage = "Information about the keys that are used to decrypt the security domain data. See examples for how it is constructed.", Mandatory = true, ParameterSetName = ByName)]
+        [Parameter(HelpMessage = "Information about the keys that are used to decrypt the security domain data. See examples for how it is constructed.", Mandatory = true, ParameterSetName = ByInputObject)]
+        [Parameter(HelpMessage = "Information about the keys that are used to decrypt the security domain data. See examples for how it is constructed.", Mandatory = true, ParameterSetName = DoRestoreBlob)]
+        [ValidateNotNullOrEmpty]
+        public KeyPath[] Keys { get; set; }
+
+        [Parameter(HelpMessage = "Specify the path to the encrypted security domain data.", Mandatory = true, ParameterSetName = ByName)]
+        [Parameter(HelpMessage = "Specify the path to the encrypted security domain data.", Mandatory = true, ParameterSetName = ByInputObject)]
+        [Parameter(HelpMessage = "Specify the path to the prepared security domain data.", Mandatory = true, ParameterSetName = ByRestoredBlob)]
+        [Parameter(HelpMessage = "Specify the path to the encrypted security domain data.", Mandatory = true, ParameterSetName = DoRestoreBlob)]
+        [Alias("Path")]
+        [ValidateNotNullOrEmpty]
+        public string SecurityDomainPath { get; set; }
+
+        [Parameter(HelpMessage = "Local file path to store the security domain encrypted with the exchange key.", Mandatory = true, ParameterSetName = DoRestoreBlob)]
+        [Parameter(HelpMessage = "Local file path to store the exported key.", Mandatory = true, ParameterSetName = GenerateExchangeKey)]
+        [ValidateNotNullOrEmpty]
+        public string OutFile { get; set; }
+
+        [Parameter(HelpMessage = "Local path of exchange key used to encrypt the security domain data. Generated by running Import-AzKeyVaultSecurityDomain with -DownloadExchangeKey.", Mandatory = true, ParameterSetName=DoRestoreBlob)]
+        [ValidateNotNullOrEmpty]
+        public string ExchangeKeyPath { get; set; }
+
+
+        [Parameter(HelpMessage = "Specify whether to overwrite existing file.", ParameterSetName = GenerateExchangeKey)]
+        [Parameter(HelpMessage = "Specify whether to overwrite existing file.", ParameterSetName = DoRestoreBlob)]
+        public SwitchParameter Force { get; set; }
+
+        [Parameter(HelpMessage = "When specified, an exchange key will be downloaded to specified path.", Mandatory = true, ParameterSetName = GenerateExchangeKey)]
+        public SwitchParameter DownloadExchangeKey { get; set; }
+
+        [Parameter(HelpMessage = "When specified, the security domain data will be decrypted and encrypted using generated ExchangeKey locally.", Mandatory = true, ParameterSetName = DoRestoreBlob)]
+        public SwitchParameter RestoreBlob { get; set; }
+
+        [Parameter(HelpMessage = "When specified, SecurityDomainPath should be encrypted security domain data generated by Restore-AzKeyVaultSecurityDomainBlob.", Mandatory = true, ParameterSetName = ByRestoredBlob)]
+        public SwitchParameter ImportRestoredBlob { get; set; }
+
+        [Parameter(HelpMessage = "When specified, a boolean will be returned when cmdlet succeeds.")]
+        public SwitchParameter PassThru { get; set; }
+
+        public override void DoExecuteCmdlet()
+        {
+            if (this.IsParameterBound(c => c.InputObject))
+            {
+                Name = InputObject.VaultName;
+            }
+            if (ParameterSetName == GenerateExchangeKey)
+            {
+                if (ShouldProcess($"managed HSM {Name}", $"download exported key to '{OutFile}'"))
+                {
+                    var exchangeKey = Client.DownloadSecurityDomainExchangeKeyAsPem(Name, CancellationToken);
+                    OutFile = ResolveUserPath(OutFile);
+
+                    if (!AzureSession.Instance.DataStore.FileExists(OutFile) || Force || ShouldContinue(string.Format(Resources.FileOverwriteMessage, OutFile), Resources.FileOverwriteCaption))
+                    {
+                        AzureSession.Instance.DataStore.WriteFile(OutFile, exchangeKey);
+                        WriteDebug($"Security domain data of managed HSM '{Name}' downloaded to '{OutFile}'.");
+                    }
+                }
+            }
+            else if (ParameterSetName == DoRestoreBlob)
+            {
+                ValidateParameters();
+                if (ShouldProcess($"Generating file {OutFile}", $"restore security domain data from file \"{SecurityDomainPath}\""))
+                {
+                    Keys = Keys.Select(key => new KeyPath()
+                    {
+                        PublicKey = ResolveUserPath(key.PublicKey),
+                        PrivateKey = ResolveUserPath(key.PrivateKey)
+                    }).ToArray();
+                    ExchangeKeyPath = ResolveUserPath(ExchangeKeyPath);
+                    OutFile = ResolveUserPath(OutFile);
+
+                    // Decrypt using Private Keys
+                    var securityDomain = LoadSdFromFile(ResolveUserPath(SecurityDomainPath));
+                    var rawSecurityDomain = Client.DecryptSecurityDomain(securityDomain, Keys);
+                    // Encript using Exchange Keys Generated by Initialize-AzKeyVaultSecurityDomainRecovery
+                    var exchangeKey = new X509Certificate2(ExchangeKeyPath);
+                    var encryptedSecurityDomain = Client.EncryptForRestore(rawSecurityDomain, exchangeKey);
+                    string securityDomainBlob = JsonConvert.SerializeObject(encryptedSecurityDomain);
+
+                    if (!AzureSession.Instance.DataStore.FileExists(OutFile) || Force || ShouldContinue(string.Format(Resources.FileOverwriteMessage, OutFile), Resources.FileOverwriteCaption))
+                    {
+                        AzureSession.Instance.DataStore.WriteFile(OutFile, securityDomainBlob);
+                        WriteDebug($"Security domain data of exported managed HSM '{SecurityDomainPath}' restored to '{OutFile}'.");
+                    }
+                }
+            }
+            else
+            {
+                if (ShouldProcess($"managed HSM {Name}", $"restore security domain data from file \"{SecurityDomainPath}\""))
+                {
+                    var securityDomainRestore = JsonConvert.DeserializeObject<SecurityDomainRestoreData>(Utils.FileToString(SecurityDomainPath));
+
+                    if (!ImportRestoredBlob)
+                    {
+                        ValidateParameters();
+                        var securityDomain = LoadSdFromFile(ResolveUserPath(SecurityDomainPath));
+                        Keys = Keys.Select(key => new KeyPath()
+                        {
+                            PublicKey = this.ResolveUserPath(key.PublicKey),
+                            PrivateKey = this.ResolveUserPath(key.PrivateKey)
+                        }).ToArray();
+
+                        var rawSecurityDomain = Client.DecryptSecurityDomain(securityDomain, Keys);
+                        var exchangeKey = Client.DownloadSecurityDomainExchangeKey(Name, CancellationToken);
+                        securityDomainRestore = Client.EncryptForRestore(rawSecurityDomain, exchangeKey);
+                    }
+
+                    Client.RestoreSecurityDomain(Name, securityDomainRestore, CancellationToken);
+                }
+            }
+            if (PassThru)
+            {
+                WriteObject(true);
+            }
+
+        }
+
+        private void ValidateParameters()
+        {
+            if (Keys.Length < 2)
+            {
+                throw new ArgumentException(string.Format(Resources.RestoreSecurityDomainNotEnoughKey, Common.Constants.MinQuorum));
+            }
+            if (Keys.Any(key => string.IsNullOrEmpty(key.PublicKey) || string.IsNullOrEmpty(key.PrivateKey)))
+            {
+                throw new ArgumentException(Resources.RestoreSecurityDomainBadKey);
+            }
+        }
+
+        private SecurityDomainData LoadSdFromFile(string path)
+        {
+            try
+            {
+                string content = Utils.FileToString(path);
+                if (string.IsNullOrWhiteSpace(content))
+                {
+                    throw new ArgumentException(nameof(SecurityDomainPath));
+                }
+                return JsonConvert.DeserializeObject<SecurityDomainData>(content);
+            }
+            catch (Exception ex)
+            {
+                throw new Exception(
+                    string.Format(Resources.LoadSecurityDomainFileFailed, path), ex);
+            }
+        }
+    }
+}