[KeyVault] Switch the location of skr policy from github to maa endpoint (#24807)

* switch skr policy from github to maa endpoint

* add change log

* refine code

Author: BethanyZhou

src/KeyVault/KeyVault/ChangeLog.md

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* [Breaking change] Removed the offline fallback policy if specify parameter `UseDefaultCVMPolicy` in `Add-AzKeyVaultKey`. Key creation will fail if unable to get regional default CVM SKR policy from MAA Service Discovery API.
 * [Breaking change] Removed parameter `Value` from `Invoke-AzKeyVaultKeyOperation`.
 * [Breaking change] Removed property `Result` from the output type `PSKeyOperationResult` of `Invoke-AzKeyVaultKeyOperation`.
 * [Breaking Change] Replaced parameter `EnableRbacAuthorization` by `DisableRbacAuthorization` in `New-AzKeyVault` and `Update-AzKeyVault`.

src/KeyVault/KeyVault/Commands/Key/AddAzureKeyVaultKey.cs

@@ -13,24 +13,29 @@
 // ----------------------------------------------------------------------------------
 
 using Microsoft.Azure.Commands.Common;
+using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.Azure.Commands.KeyVault.Helpers;
 using Microsoft.Azure.Commands.KeyVault.Models;
 using Microsoft.Azure.Commands.KeyVault.Properties;
 using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
+using Microsoft.Azure.Internal.Common;
 using Microsoft.Azure.KeyVault.WebKey;
 using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
-using Microsoft.WindowsAzure.Commands.Common.CustomAttributes;
+using Microsoft.Rest;
 using Microsoft.WindowsAzure.Commands.Utilities.Common;
 
+using Newtonsoft.Json.Linq;
+
 using System;
 using System.Collections;
 using System.IO;
 using System.Linq;
 using System.Management.Automation;
-using System.Net.Http;
 using System.Reflection;
 using System.Security;
+
 using Track2Sdk = Azure.Security.KeyVault.Keys;
 
 namespace Microsoft.Azure.Commands.KeyVault
@@ -75,8 +80,9 @@ public class AddAzureKeyVaultKey : KeyVaultCmdletBase
 
         #region Constants 
 
-        private const string DefaultCVMPolicyUrl = "https://raw.githubusercontent.com/Azure/confidential-computing-cvm/main/cvm_deployment/key/skr-policy.json";
-        private const string DefaultCVMPolicyPath = "Microsoft.Azure.Commands.KeyVault.Resources.skr-policy.json";
+        private const string DefaultCVMPolicyApi = "subscriptions/{0}/providers/Microsoft.Attestation/Locations/{1}/defaultProvider";
+        private const string DefaultCVMPolicyTemplatePath = "Microsoft.Azure.Commands.KeyVault.Resources.skr-policy.json";
+        private const string MaaEnpointApiVersion = "2020-10-01";
 
         #endregion
 
@@ -376,7 +382,6 @@ public class AddAzureKeyVaultKey : KeyVaultCmdletBase
             ParameterSetName = ResourceIdCreateParameterSet)]
         public string ReleasePolicyPath { get; set; }
 
-        [CmdletParameterBreakingChangeWithVersion(nameof(UseDefaultCVMPolicy), "12.0.0", "6.0.0", ChangeDescription = "The offline fallback policy will be removed. Key creation will fail if unable to get regional default CVM SKR policy from MAA Service Discovery API.")]
         [Parameter(Mandatory = false,
             ParameterSetName = HsmInteractiveCreateParameterSet,
             HelpMessage = "Specifies to use default policy under which the key can be exported for CVM disk encryption.")]
@@ -626,30 +631,33 @@ internal Track2Sdk.JsonWebKey CreateTrack2WebKeyFromFile()
         private string GetDefaultCVMPolicy()
         {
             string defaultCVMPolicy = null;
-
             try
             {
-                using (var client = new HttpClient())
+                var location = keyVaultManagementCmdletBase.ListVaults("", null)?.FirstOrDefault(r => r.VaultName.Equals(VaultName ?? HsmName, StringComparison.OrdinalIgnoreCase))?.Location;
+                if (null == location)
                 {
-                    defaultCVMPolicy = client.GetStringAsync(DefaultCVMPolicyUrl).ConfigureAwait(true).GetAwaiter().GetResult();
+                    throw new AzPSException(string.Format(Resources.NoVaultWithGivenNameFound, VaultName), ErrorKind.UserError);
                 }
-
-            }
-            catch (Exception e)
-            {
-                WriteWarning(string.Format(Resources.FetchDefaultCVMPolicyFromLocal, e.Message));
-                try
+                string endpoint = DefaultContext.Environment.GetEndpoint(AzureEnvironment.Endpoint.ResourceManager);
+                string defaultCVMPolicyUrl = string.Format(DefaultCVMPolicyApi, DefaultContext.Subscription.Id, location);
+                ServiceClientCredentials creds = AzureSession.Instance.AuthenticationFactory.GetServiceClientCredentials(DefaultContext, endpoint);
+                var serviceClient = AzureSession.Instance.ClientFactory.CreateArmClient<AzureRestClient>(DefaultContext, AzureEnvironment.Endpoint.ResourceManager);
+                string response = serviceClient.Operations.GetResourceWithFullResponse(defaultCVMPolicyUrl, MaaEnpointApiVersion)?.Body;
+                var regionalMaaEndpoint = JObject.Parse(response)?["properties"]?["attestUri"]?.ToString();
+                if (null == regionalMaaEndpoint)
                 {
-                    using (var stream = Assembly.GetExecutingAssembly().GetManifestResourceStream(DefaultCVMPolicyPath))
-                    using (var reader = new StreamReader(stream))
-                    {
-                        defaultCVMPolicy = reader.ReadToEnd();
-                    }
+                    throw new AzPSException($"unable to get regional MAA endpoint from {defaultCVMPolicyUrl}.", ErrorKind.ServiceError);
                 }
-                catch (Exception ex)
+                using (var stream = Assembly.GetExecutingAssembly().GetManifestResourceStream(DefaultCVMPolicyTemplatePath))
+                using (var reader = new StreamReader(stream))
                 {
-                    throw new AzPSArgumentException(string.Format(Resources.FetchDefaultCVMPolicyFailedWithErrorMessage, ex.Message), nameof(UseDefaultCVMPolicy));
-                };
+                    defaultCVMPolicy = reader.ReadToEnd();
+                }
+                defaultCVMPolicy = defaultCVMPolicy.Replace("{regional-maa-endpoint}", regionalMaaEndpoint);
+            }
+            catch (Exception ex)
+            {
+                throw new AzPSArgumentException(string.Format(Resources.FetchDefaultCVMPolicyFailedWithErrorMessage, ex.Message), nameof(UseDefaultCVMPolicy));
             }
             return defaultCVMPolicy;
         }

src/KeyVault/KeyVault/Models/IKeyVaultDataServiceClient.cs renamed to src/KeyVault/KeyVault/Models/Client/IKeyVaultDataServiceClient.cs

@@ -13,14 +13,17 @@
 // ----------------------------------------------------------------------------------
 
 using System;
+using System.Collections;
 using System.Collections.Generic;
 using System.Diagnostics.Tracing;
 using System.Linq;
 using System.Management.Automation;
 using Azure.Core.Diagnostics;
 using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Commands.KeyVault.Properties;
 using Microsoft.Azure.Commands.KeyVault.Track2Models;
 using Microsoft.Azure.Commands.ResourceManager.Common;
+using Microsoft.Azure.Commands.ResourceManager.Common.Tags;
 
 namespace Microsoft.Azure.Commands.KeyVault.Models
 {
@@ -47,6 +50,7 @@ internal IKeyVaultDataServiceClient DataServiceClient
                 this.dataServiceClient = value;
             }
         }
+        private IKeyVaultDataServiceClient dataServiceClient;
 
         internal IKeyVaultDataServiceClient Track2DataClient
         {
@@ -68,6 +72,9 @@ internal IKeyVaultDataServiceClient Track2DataClient
                 _track2DataServiceClient = value;
             }
         }
+        private IKeyVaultDataServiceClient _track2DataServiceClient;
+
+        internal static readonly KeyVaultManagementCmdletBase keyVaultManagementCmdletBase = new KeyVaultManagementCmdletBase();
 
         protected string GetDefaultFileForOperation(string operationName, string vaultName, string entityName)
         {
@@ -78,9 +85,6 @@ protected string GetDefaultFileForOperation(string operationName, string vaultNa
             return filename;
         }
 
-        private IKeyVaultDataServiceClient dataServiceClient;
-        private IKeyVaultDataServiceClient _track2DataServiceClient;
-
         /// <summary>
         /// Utility function that will continually iterate over the updated KeyVaultObjectFilterOptions until the options
         /// NextLink is null, and writes all the retrieved objects.

src/KeyVault/KeyVault/Models/KeyVaultDataServiceClient.cs renamed to src/KeyVault/KeyVault/Models/Client/KeyVaultDataServiceClient.cs

@@ -123,7 +123,7 @@ protected T FilterByTag<T>(T vault, Hashtable tag) where T : PSKeyVaultIdentityI
             return FilterByTag(new List<T> { vault }, tag).FirstOrDefault();
         }
 
-        protected List<PSKeyVaultIdentityItem> ListVaults(string resourceGroupName, Hashtable tag, ResourceTypeName? resourceTypeName = ResourceTypeName.Vault)
+        internal List<PSKeyVaultIdentityItem> ListVaults(string resourceGroupName, Hashtable tag, ResourceTypeName? resourceTypeName = ResourceTypeName.Vault)
         {
             var vaults = new List<PSKeyVaultIdentityItem>();
 

src/KeyVault/KeyVault/Models/VaultManagementClient.cs renamed to src/KeyVault/KeyVault/Models/Client/VaultManagementClient.cs

@@ -612,9 +612,6 @@ You can find the object ID using Azure Active Directory Module for Windows Power
   <data name="RecoverHsm" xml:space="preserve">
     <value>Recover HSM?</value>
   </data>
-  <data name="FetchDefaultCVMPolicyFromLocal" xml:space="preserve">
-    <value>Fetching default CVM policy from remote failed because {0}. Trying to fetch default CVM policy from local backup copy.</value>
-  </data>
   <data name="UpdateKeyVaultSetting" xml:space="preserve">
     <value>Update vault setting</value>
   </data>
@@ -627,4 +624,7 @@ You can find the object ID using Azure Active Directory Module for Windows Power
   <data name="UseManagedIdentityAndSasTokenNeitherExist" xml:space="preserve">
     <value>Please choose either SasToken or UseUserManagedIdentity as authentication method.</value>
   </data>
+  <data name="NoVaultWithGivenNameFound" xml:space="preserve">
+    <value>Vault '{0}' does not exist in current subscription.  If this vault exists in your tenant, please switch to the correct subscription.</value>
+  </data>
 </root>

src/KeyVault/KeyVault/Models/KeyVaultCmdletBase.cs

@@ -2,55 +2,12 @@
   "anyOf": [
     {
       "allOf": [
-        {
-          "claim": "x-ms-attestation-type",
-          "equals": "sevsnpvm"
-        },
-        {
-          "claim": "x-ms-compliance-status",
-          "equals": "azure-compliant-cvm"
-        }
-      ],
-      "authority": "https://sharedeus.eus.attest.azure.net/"
-    },
-    {
-      "allOf": [
-        {
-          "claim": "x-ms-attestation-type",
-          "equals": "sevsnpvm"
-        },
-        {
-          "claim": "x-ms-compliance-status",
-          "equals": "azure-compliant-cvm"
-        }
-      ],
-      "authority": "https://sharedwus.wus.attest.azure.net/"
-    },
-    {
-      "allOf": [
-        {
-          "claim": "x-ms-attestation-type",
-          "equals": "sevsnpvm"
-        },
-        {
-          "claim": "x-ms-compliance-status",
-          "equals": "azure-compliant-cvm"
-        }
-      ],
-      "authority": "https://sharedneu.neu.attest.azure.net/"
-    },
-    {
-      "allOf": [
-        {
-          "claim": "x-ms-attestation-type",
-          "equals": "sevsnpvm"
-        },
         {
           "claim": "x-ms-compliance-status",
           "equals": "azure-compliant-cvm"
         }
       ],
-      "authority": "https://sharedweu.weu.attest.azure.net/"
+      "authority": "{regional-maa-endpoint}"
     }
   ],
   "version": "1.0.0"