[KeyVault] Removed redundant Microsoft Graph API calls for access policy in Get-AzKeyVault (#23062)

* reduce MSGraph API call for access policy

* Add change log

* Update src/KeyVault/KeyVault/Models/ModelExtensions.cs

* Update ChangeLog.md

* polish code

* record test cases for Set-AzKeyVaultAccessPolicy

* Record test case for TestConfidentialVMSetAzVmOsDiskDesIdDiskWithVMGuestManual (#23534)

* test trying

* clean

* merge from main

* test new record

---------

Co-authored-by: Adam Sandor <[email protected]>

* Update src/KeyVault/KeyVault/ChangeLog.md

Co-authored-by: Yeming Liu <[email protected]>

* polish code

---------

Co-authored-by: Yabo Hu <[email protected]>
Co-authored-by: Adam Sandor <[email protected]>
Co-authored-by: Yeming Liu <[email protected]>

Author: 4 people

src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1

@@ -6232,14 +6232,14 @@ function Test-ManualConfidentialVMSetAzVmOsDiskDesIdDiskWithVMGuest
     # Setup
     #$rgname = Get-ComputeTestResourceName;
     $loc = "northeurope";
-    $rgname = "adsandwiki53";
+    $rgname = "adsandwiki57";
 
     try
     {
         <#
         The below script runs assuming that these below steps were manually run beforehand.
         This script uses Data Plane Operations, which our test framework does not support.
-        $rgname = "adsandwiki53";
+        $rgname = "adsandwiki57";
         $loc = 'northeurope';
         New-AzResourceGroup -Name $rgname -Location $loc -Force;
 
@@ -6255,8 +6255,8 @@ function Test-ManualConfidentialVMSetAzVmOsDiskDesIdDiskWithVMGuest
         $secureEncryptGuestState = 'DiskWithVMGuestState';
         $vmSecurityType = "ConfidentialVM";
         $user = "admin01";
-        #$password = Get-PasswordForVM;
-        $securePassword = "Testing1234567" | ConvertTo-SecureString -AsPlainText -Force; 
+        $password = "Testing1234567";
+        $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; 
         $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword);
 
         $kvname = "kv" + $rgname;
@@ -6300,12 +6300,12 @@ function Test-ManualConfidentialVMSetAzVmOsDiskDesIdDiskWithVMGuest
         $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force; 
         $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword);
 
-        $kvname = "kvadsandwiki53";
-        $keyname = "kadsandwiki53";
-        $desName= "desadsandwiki53";
+        $kvname = "kv" + $rgname;
+        $keyname = "k" + $rgname;
+        $desName= "des" + $rgname;
 
-        $encryptionKeyVaultId = "/subscriptions/e37510d7-33b6-4676-886f-ee75bcc01871/resourceGroups/adsandwiki53/providers/Microsoft.KeyVault/vaults/kvadsandwiki53";
-        $encryptionKeyURL = "https://kvadsandwiki53.vault.azure.net/keys/kadsandwiki53/c3d6f9e802ac4a90962cf43b9718cc94";
+        $encryptionKeyVaultId = "/subscriptions/e37510d7-33b6-4676-886f-ee75bcc01871/resourceGroups/adsandwiki57/providers/Microsoft.KeyVault/vaults/kvadsandwiki57";
+        $encryptionKeyURL = "https://kvadsandwiki57.vault.azure.net/keys/kadsandwiki57/3bacce5d72d147a785ecf79d4b1dc9b0";
 
         # Create new DES Config and DES
         $diskEncryptionType = "ConfidentialVmEncryptedWithCustomerKey";
@@ -6327,7 +6327,7 @@ function Test-ManualConfidentialVMSetAzVmOsDiskDesIdDiskWithVMGuest
         $vnet = New-AzVirtualNetwork -Force -Name ($vnetPrefix + $rgname) -ResourceGroupName $rgname -Location $loc -AddressPrefix "10.0.0.0/16" -Subnet $subnet;
         $vnet = Get-AzVirtualNetwork -Name ($vnetPrefix + $rgname) -ResourceGroupName $rgname;
         $subnetId = $vnet.Subnets[0].Id;
-        $pubip = New-AzPublicIpAddress -Force -Name ($pubIpPrefix + $rgname) -ResourceGroupName $rgname -Location $loc -AllocationMethod Dynamic -DomainNameLabel $domainNameLabel2;
+        $pubip = New-AzPublicIpAddress -Force -Name ($pubIpPrefix + $rgname) -ResourceGroupName $rgname -Location $loc -AllocationMethod Static -DomainNameLabel $domainNameLabel2;
         $pubip = Get-AzPublicIpAddress -Name ($pubIpPrefix + $rgname) -ResourceGroupName $rgname;
         $pubipId = $pubip.Id;
         $nic = New-AzNetworkInterface -Force -Name ($nicPrefix + $rgname) -ResourceGroupName $rgname -Location $loc -SubnetId $subnetId -PublicIpAddressId $pubip.Id;
@@ -6468,8 +6468,8 @@ function Test-ConfVMSetAzDiskSecurityProfile
         $keyname = "key" + $rgname;
         $desName= "des" + $rgname;
         $KeySize = 3072; 
-        $keyVaultId = "/subscriptions/e37510d7-33b6-4676-886f-ee75bcc01871/resourceGroups/adsanddes2/providers/Microsoft.KeyVault/vaults/valadsanddes2";
-        $keyUrl = "https://valadsanddes2.vault.azure.net/keys/keyadsanddes2/929ebcca47fd4540a1ce06fbb35c821e";
+        $keyVaultId = "/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590/resourceGroups/adsanddes2/providers/Microsoft.KeyVault/vaults/valadsanddes2";
+        $keyUrl = "https://valadsanddes2.vault.azure.net/keys/keyadsanddes2/186432bab3ba4f829f483670988a2996";
 
         # Create new DES Config and DES
         $diskEncryptionType = "ConfidentialVmEncryptedWithCustomerKey";

src/Compute/Compute.Test/SessionRecords/Microsoft.Azure.Commands.Compute.Test.ScenarioTests.VirtualMachineTests/TestConfVMSetAzDiskSecurityProfile.json

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Removed redundant Microsoft Graph API calls for access policy in `Get-AzKeyVault`.
 
 ## Version 5.0.0
 * Removed non-core types creation in PowerShell scripts to be compatible in constrained language mode.
@@ -250,4 +251,4 @@
 
 ## Version 1.0.0
 * General availability of `Az.KeyVault` module
-* Remove deprecated PurgeDisabled property from PS models
+* Remove deprecated PurgeDisabled property from PS models

src/Compute/Compute.Test/SessionRecords/Microsoft.Azure.Commands.Compute.Test.ScenarioTests.VirtualMachineTests/TestConfidentialVMSetAzVmOsDiskDesIdDiskWithVMGuestManual.json

@@ -0,0 +1,115 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications.Models;
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Groups.Models;
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Users.Models;
+using Newtonsoft.Json;
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+
+namespace Microsoft.Azure.Commands.KeyVault.Models.ADObject
+{
+    internal static class MSGraphClientExtension
+    {
+
+        public static bool IsUser(this Common.MSGraph.Version1_0.DirectoryObjects.Models.MicrosoftGraphDirectoryObject obj)
+        {
+            return string.Equals(obj.Odatatype, "#microsoft.graph.user", StringComparison.OrdinalIgnoreCase);
+        }
+        public static bool IsServicePrincipal(this Common.MSGraph.Version1_0.DirectoryObjects.Models.MicrosoftGraphDirectoryObject obj)
+        {
+            return string.Equals(obj.Odatatype, "#microsoft.graph.servicePrincipal", StringComparison.OrdinalIgnoreCase);
+        }
+        public static bool IsGroup(this Common.MSGraph.Version1_0.DirectoryObjects.Models.MicrosoftGraphDirectoryObject obj)
+        {
+            return string.Equals(obj.Odatatype, "#microsoft.graph.group", StringComparison.OrdinalIgnoreCase);
+        }
+
+        public static PSADUser ToPSADUser(this MicrosoftGraphUser user)
+        {
+            return new PSADUser()
+            {
+                DisplayName = user.DisplayName,
+                Id = user.Id,
+                UserPrincipalName = user.UserPrincipalName,
+                Type = user.UserType ?? "User",
+                UsageLocation = user.UsageLocation,
+                GivenName = user.GivenName,
+                Surname = user.Surname,
+                AccountEnabled = user.AccountEnabled,
+                MailNickname = user.MailNickname,
+                Mail = user.Mail,
+                ImmutableId = user.OnPremisesImmutableId,
+                AdditionalProperties = user.AdditionalProperties
+            };
+        }
+
+        public static PSADGroup ToPSADGroup(this MicrosoftGraphGroup group)
+        {
+            return new PSADGroup()
+            {
+                DisplayName = group.DisplayName,
+                Id = group.Id,
+                Type = "Group",
+                SecurityEnabled = group.SecurityEnabled,
+                MailNickname = !string.IsNullOrEmpty(group.Mail) ? group.Mail : group.AdditionalProperties.ContainsKey("mailNickname") ? group.AdditionalProperties["mailNickname"]?.ToString() : null,
+                Description = group.AdditionalProperties.ContainsKey("description") ? group.AdditionalProperties["description"]?.ToString() : null,
+                MailEnabled = group.MailEnabled,
+                AdditionalProperties = group.AdditionalProperties
+            };
+        }
+
+        public static PSADServicePrincipal ToPSADServicePrincipal(this MicrosoftGraphServicePrincipal servicePrincipal)
+        {
+            return new PSADServicePrincipal()
+            {
+                DisplayName = servicePrincipal.DisplayName,
+                Id = servicePrincipal.Id,
+                ApplicationId = Guid.Parse(servicePrincipal.AppId),
+                Type = "ServicePrincipal",
+                ServicePrincipalNames = servicePrincipal.ServicePrincipalNames.ToArray(),
+                AdditionalProperties = servicePrincipal.AdditionalProperties
+            };
+        }
+
+
+        public static PSADObject ToPSADObject(this Common.MSGraph.Version1_0.DirectoryObjects.Models.MicrosoftGraphDirectoryObject obj)
+        {
+            if (obj == null) throw new ArgumentNullException();
+
+            if (obj.IsUser())
+            {
+                return JsonConvert.DeserializeObject<MicrosoftGraphUser>(JsonConvert.SerializeObject(obj)).ToPSADUser();
+            }
+            if (obj.IsServicePrincipal())
+            {
+                return JsonConvert.DeserializeObject<MicrosoftGraphServicePrincipal>(JsonConvert.SerializeObject(obj)).ToPSADServicePrincipal();
+            }
+            if (obj.IsGroup())
+            {
+                return JsonConvert.DeserializeObject<MicrosoftGraphGroup>(JsonConvert.SerializeObject(obj)).ToPSADGroup();
+            }
+
+            return new PSADObject()
+            {
+                Id = obj.Id,
+            };
+        }
+
+    }
+}

src/KeyVault/KeyVault/ChangeLog.md

@@ -0,0 +1,33 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Microsoft.Azure.Commands.KeyVault.Models.ADObject
+{
+    internal class PSADGroup : PSADObject
+    {
+        public bool? SecurityEnabled { get; set; }
+
+        public bool? MailEnabled { get; set; }
+
+        public string MailNickname { get; set; }
+
+        public string ObjectType => "Group";
+
+        public string Description { get; set; }
+    }
+}

src/KeyVault/KeyVault/Models/ADObject/MSGraphClientExtension.cs

@@ -0,0 +1,31 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Microsoft.Azure.Commands.KeyVault.Models.ADObject
+{
+    internal class PSADObject
+    {
+        public string DisplayName { get; set; }
+
+        public string Id { get; set; }
+
+        public string Type { get; set; }
+
+        public IDictionary<string, object> AdditionalProperties { get; set; }
+    }
+}

src/KeyVault/KeyVault/Models/ADObject/PSADGroup.cs

@@ -0,0 +1,29 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Microsoft.Azure.Commands.KeyVault.Models.ADObject
+{
+    internal class PSADServicePrincipal : PSADObject
+    {
+        public string[] ServicePrincipalNames { get; set; }
+
+        public Guid ApplicationId { get; set; }
+
+        public string ObjectType => "ServicePrincipal";
+    }
+}

src/KeyVault/KeyVault/Models/ADObject/PSADObject.cs

@@ -0,0 +1,41 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Microsoft.Azure.Commands.KeyVault.Models.ADObject
+{
+    internal class PSADUser : PSADObject
+    {
+        public string UserPrincipalName { get; set; }
+
+        public string ObjectType => "User";
+
+        public string UsageLocation { get; set; }
+
+        public string GivenName { get; set; }
+
+        public string Surname { get; set; }
+
+        public bool? AccountEnabled { get; set; }
+
+        public string MailNickname { get; set; }
+
+        public string Mail { get; set; }
+
+        public string ImmutableId { get; set; }
+    }
+}