tests/testthat/test01_resource.R

context("Resource creation")

tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
app <- Sys.getenv("AZ_TEST_APP_ID")
password <- Sys.getenv("AZ_TEST_PASSWORD")
subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
username <- Sys.getenv("AZ_TEST_USERNAME")

if(tenant == "" || app == "" || password == "" || subscription == "" || username == "")
    skip("Tests skipped: ARM credentials not set")

rgname <- paste(sample(letters, 20, replace=TRUE), collapse="")
kvname <- paste(sample(letters, 10, replace=TRUE), collapse="")

rg <- AzureRMR::az_rm$
    new(tenant=tenant, app=app, password=password)$
    get_subscription(subscription)$
    create_resource_group(rgname, location="australiaeast")


test_that("Access policy function works",
{
    pol0 <- vault_access_policy(app, NULL, NULL, NULL, NULL, NULL)
    expect_is(pol0, "vault_access_policy")
    expect_true(AzureRMR::is_empty(pol0$key_permissions))
    expect_true(AzureRMR::is_empty(pol0$secret_permissions))
    expect_true(AzureRMR::is_empty(pol0$certificate_permissions))
    expect_true(AzureRMR::is_empty(pol0$storage_permissions))

    usr <- AzureGraph::ms_graph$
        new(tenant=tenant)$
        get_user(username)

    pol1 <- vault_access_policy(usr, NULL)
    expect_identical(pol1$objectId, usr$properties$id)
    expect_identical(pol1$permissions$keys,
        I(c("get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
            "decrypt", "encrypt", "unwrapkey", "wrapkey", "verify", "sign", "purge")))
    expect_identical(pol1$permissions$secrets,
        I(c("get", "list", "set", "delete", "recover", "backup", "restore", "purge")))
    expect_identical(pol1$permissions$certificates,
        I(c("get", "list", "update", "create", "import", "delete", "recover", "backup", "restore",
            "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers",
            "deleteissuers", "purge")))
    expect_identical(pol1$permissions$storage,
        I(c("backup", "delete", "deletesas", "get", "getsas", "list", "listsas",
            "purge", "recover", "regeneratekey", "restore", "set", "setsas", "update")))

    expect_error(vault_access_policy("user@example.com")) # must supply GUID or Graph object as principal
    expect_error(vault_access_policy(usr, NULL, key_permissions="none"))
    expect_error(vault_access_policy(usr, NULL, secret_permissions="none"))
    expect_error(vault_access_policy(usr, NULL, certificate_permissions="none"))
    expect_error(vault_access_policy(usr, NULL, storage_permissions="none"))

    pol2 <- vault_access_policy(usr, NULL, "get", "get", "get", "get")
    expect_is(pol2, "vault_access_policy")
    expect_identical(pol2$permissions$keys, I("get"))
    expect_identical(pol2$permissions$secrets, I("get"))
    expect_identical(pol2$permissions$certificates, I("get"))
    expect_identical(pol2$permissions$storage, I("get"))
})

test_that("Resource creation works",
{
    kv <- rg$create_key_vault(kvname)
    expect_is(kv, "az_key_vault")

    kv2 <- rg$get_key_vault(kvname)
    expect_is(kv2, "az_key_vault")
})

test_that("Access policy management works",
{
    kv <- rg$get_key_vault(kvname)

    usr <- AzureGraph::ms_graph$
        new(tenant=tenant)$
        get_user(username)

    kv$add_principal(usr)
    pols <- kv$properties$accessPolicies
    expect_true(any(sapply(pols, function(x) x$objectId == usr$properties$id)))

    kv$remove_principal(usr)
    pols <- kv$properties$accessPolicies
    expect_false(any(sapply(pols, function(x) x$objectId == usr$properties$id)))
})

test_that("Resource deletion works",
{
    expect_message(rg$delete_key_vault(kvname, confirm=FALSE))
    expect_silent(rg$purge_key_vault(kvname, rg$location, confirm=FALSE))
})


rg$delete(confirm=FALSE)

Try the AzureKeyVault package in your browser

Any scripts or data that you put into this service are public.

AzureKeyVault documentation built on Sept. 16, 2021, 5:12 p.m.