[Key Vault] Add support for custom role definitions (Azure#16063)

* Implement sync API

* Implement async API

* Add sync tests, update public model

* Add async tests, update Definitions model

* Add sync test recordings

* Add async test recordings

* Re-generate with approved swagger changes

* Add enum, address feedback

* Update KeyVaultRoleScope location

* Address feedback

* Add test recordings

* Apply naming changes

* Thanks, Charles!

Author: mccoyp

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/__init__.py

@@ -4,13 +4,13 @@
 # ------------------------------------
 from ._access_control_client import KeyVaultAccessControlClient
 from ._backup_client import KeyVaultBackupClient
+from ._enums import KeyVaultRoleScope, KeyVaultDataAction
 from ._internal.client_base import ApiVersion
 from ._models import (
     BackupOperation,
     KeyVaultPermission,
     KeyVaultRoleAssignment,
     KeyVaultRoleDefinition,
-    KeyVaultRoleScope,
     RestoreOperation,
     SelectiveKeyRestoreOperation,
 )
@@ -21,6 +21,7 @@
     "BackupOperation",
     "KeyVaultAccessControlClient",
     "KeyVaultBackupClient",
+    "KeyVaultDataAction",
     "KeyVaultPermission",
     "KeyVaultRoleAssignment",
     "KeyVaultRoleDefinition",

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_access_control_client.py

@@ -12,10 +12,11 @@
 
 if TYPE_CHECKING:
     # pylint:disable=ungrouped-imports
-    from typing import Any, Union
+    from typing import Any, Iterable, Union
     from uuid import UUID
     from azure.core.paging import ItemPaged
-    from ._models import KeyVaultRoleScope
+    from ._enums import KeyVaultRoleScope
+    from ._models import KeyVaultPermission
 
 
 class KeyVaultAccessControlClient(KeyVaultClientBase):
@@ -83,7 +84,7 @@ def get_role_assignment(self, role_scope, role_assignment_name, **kwargs):
         :param role_scope: the assignment's scope, for example "/", "/keys", or "/keys/<specific key identifier>"
             :class:`KeyVaultRoleScope` defines common broad scopes. Specify a narrower scope as a string.
         :type role_scope: str or KeyVaultRoleScope
-        :param role_assignment_name: the assignment's name. Must be a UUID.
+        :param role_assignment_name: the assignment's name.
         :type role_assignment_name: str or uuid.UUID
         :rtype: KeyVaultRoleAssignment
         """
@@ -109,6 +110,84 @@ def list_role_assignments(self, role_scope, **kwargs):
             **kwargs
         )
 
+    @distributed_trace
+    def set_role_definition(self, role_scope, permissions, **kwargs):
+        # type: (Union[str, KeyVaultRoleScope], Iterable[KeyVaultPermission], **Any) -> KeyVaultRoleDefinition
+        """Creates or updates a custom role definition.
+
+        :param role_scope: scope of the role definition. :class:`KeyVaultRoleScope` defines common broad scopes.
+            Specify a narrower scope as a string. Managed HSM only supports '/', or KeyVaultRoleScope.global_value.
+        :type role_scope: str or KeyVaultRoleScope
+        :param permissions: the role definition's permissions. An empty list results in a role definition with no action
+            permissions.
+        :type permissions: Iterable[KeyVaultPermission]
+        :keyword role_definition_name: the role definition's name. Must be a UUID.
+        :type role_definition_name: str or uuid.UUID
+        :keyword assignable_scopes: the role definition's assignable scopes.
+        :type assignable_scopes: list[str]
+        :returns: The created or updated role definition
+        :rtype: KeyVaultRoleDefinition
+        """
+        role_definition_name = kwargs.pop("role_definition_name", None) or uuid4()
+        permissions = [
+            self._client.role_definitions.models.Permission(
+                actions=p.allowed_actions,
+                not_actions=p.denied_actions,
+                data_actions=p.allowed_data_actions,
+                not_data_actions=p.denied_data_actions,
+            )
+            for p in permissions
+        ]
+
+        properties = self._client.role_definitions.models.RoleDefinitionProperties(
+            role_name=role_definition_name, permissions=permissions, **kwargs
+        )
+        parameters = self._client.role_definitions.models.RoleDefinitionCreateParameters(properties=properties)
+
+        definition = self._client.role_definitions.create_or_update(
+            vault_base_url=self._vault_url,
+            scope=role_scope,
+            role_definition_name=role_definition_name,
+            parameters=parameters,
+            **kwargs
+        )
+        return KeyVaultRoleDefinition._from_generated(definition)
+
+    @distributed_trace
+    def get_role_definition(self, role_scope, role_definition_name, **kwargs):
+        # type: (Union[str, KeyVaultRoleScope], Union[str, UUID], **Any) -> KeyVaultRoleDefinition
+        """Get the specified role definition.
+
+        :param role_scope: scope of the role definition. :class:`KeyVaultRoleScope` defines common broad scopes.
+            Specify a narrower scope as a string. Managed HSM only supports '/', or KeyVaultRoleScope.global_value.
+        :type role_scope: str or KeyVaultRoleScope
+        :param role_definition_name: the role definition's name.
+        :type role_definition_name: str or uuid.UUID
+        :rtype: KeyVaultRoleDefinition
+        """
+        definition = self._client.role_definitions.get(
+            vault_base_url=self._vault_url, scope=role_scope, role_definition_name=str(role_definition_name), **kwargs
+        )
+        return KeyVaultRoleDefinition._from_generated(definition)
+
+    @distributed_trace
+    def delete_role_definition(self, role_scope, role_definition_name, **kwargs):
+        # type: (Union[str, KeyVaultRoleScope], Union[str, UUID], **Any) -> KeyVaultRoleDefinition
+        """Deletes a custom role definition.
+
+        :param role_scope: scope of the role definition. :class:`KeyVaultRoleScope` defines common broad scopes.
+            Specify a narrower scope as a string. Managed HSM only supports '/', or KeyVaultRoleScope.global_value.
+        :type role_scope: str or KeyVaultRoleScope
+        :param role_definition_name: the role definition's name. Must be a UUID.
+        :type role_definition_name: str or uuid.UUID
+        :returns: the deleted role definition
+        :rtype: KeyVaultRoleDefinition
+        """
+        definition = self._client.role_definitions.delete(
+            vault_base_url=self._vault_url, scope=role_scope, role_definition_name=str(role_definition_name), **kwargs
+        )
+        return KeyVaultRoleDefinition._from_generated(definition)
+
     @distributed_trace
     def list_role_definitions(self, role_scope, **kwargs):
         # type: (Union[str, KeyVaultRoleScope], **Any) -> ItemPaged[KeyVaultRoleDefinition]

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_enums.py

@@ -0,0 +1,76 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+from enum import Enum
+
+
+class KeyVaultRoleScope(str, Enum):
+    """Collection of well known role scopes. This list is not exhaustive."""
+
+    GLOBAL = "/"  #: use this if you want role assignments to apply to everything on the resource
+
+    KEYS = "/keys"  #: use this if you want role assignments to apply to all keys
+
+
+class KeyVaultDataAction(str, Enum):
+    """Supported permissions for data actions."""
+
+    #: Read HSM key metadata.
+    READ_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/read/action"
+    #: Update an HSM key.
+    WRITE_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/write/action"
+    #: Read deleted HSM key.
+    READ_DELETED_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action"
+    #: Recover deleted HSM key.
+    RECOVER_DELETED_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action"
+    #: Backup HSM keys.
+    BACKUP_HSM_KEYS = "Microsoft.KeyVault/managedHsm/keys/backup/action"
+    #: Restore HSM keys.
+    RESTORE_HSM_KEYS = "Microsoft.KeyVault/managedHsm/keys/restore/action"
+    #: Delete role assignment.
+    DELETE_ROLE_ASSIGNMENT = "Microsoft.KeyVault/managedHsm/roleAssignments/delete/action"
+    #: Get role assignment.
+    GET_ROLE_ASSIGNMENT = "Microsoft.KeyVault/managedHsm/roleAssignments/read/action"
+    #: Create or update role assignment.
+    WRITE_ROLE_ASSIGNMENT = "Microsoft.KeyVault/managedHsm/roleAssignments/write/action"
+    #: Get role definition.
+    READ_ROLE_DEFINITION = "Microsoft.KeyVault/managedHsm/roleDefinitions/read/action"
+    #: Encrypt using an HSM key.
+    ENCRYPT_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/encrypt/action"
+    #: Decrypt using an HSM key.
+    DECRYPT_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/decrypt/action"
+    #: Wrap using an HSM key.
+    WRAP_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/wrap/action"
+    #: Unwrap using an HSM key.
+    UNWRAP_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/unwrap/action"
+    #: Sign using an HSM key.
+    SIGN_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/sign/action"
+    #: Verify using an HSM key.
+    VERIFY_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/verify/action"
+    #: Create an HSM key.
+    CREATE_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/create"
+    #: Delete an HSM key.
+    DELETE_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/delete"
+    #: Export an HSM key.
+    EXPORT_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/export/action"
+    #: Import an HSM key.
+    IMPORT_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/import/action"
+    #: Purge a deleted HSM key.
+    PURGE_DELETED_HSM_KEY = "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete"
+    #: Download an HSM security domain.
+    DOWNLOAD_HSM_SECURITY_DOMAIN = "Microsoft.KeyVault/managedHsm/securitydomain/download/action"
+    #: Upload an HSM security domain.
+    UPLOAD_HSM_SECURITY_DOMAIN = "Microsoft.KeyVault/managedHsm/securitydomain/upload/action"
+    #: Check the status of the HSM security domain exchange file.
+    READ_HSM_SECURITY_DOMAIN_STATUS = "Microsoft.KeyVault/managedHsm/securitydomain/upload/read"
+    #: Download an HSM security domain transfer key.
+    READ_HSM_SECURITY_DOMAIN_TRANSFER_KEY = "Microsoft.KeyVault/managedHsm/securitydomain/transferkey/read"
+    #: Start an HSM backup.
+    START_HSM_BACKUP = "Microsoft.KeyVault/managedHsm/backup/start/action"
+    #: Start an HSM restore.
+    START_HSM_RESTORE = "Microsoft.KeyVault/managedHsm/restore/start/action"
+    #: Read an HSM backup status.
+    READ_HSM_BACKUP_STATUS = "Microsoft.KeyVault/managedHsm/backup/status/action"
+    #: Read an HSM restore status.
+    READ_HSM_RESTORE_STATUS = "Microsoft.KeyVault/managedHsm/restore/status/action"

sdk/keyvault/azure-keyvault-administration/azure/keyvault/administration/_generated/v7_2_preview/aio/operations_async/__init__.py

@@ -1,17 +1,15 @@
 # coding=utf-8
 # --------------------------------------------------------------------------
-# Copyright (c) Microsoft Corporation. All rights reserved.
-# Licensed under the MIT License. See License.txt in the project root for license information.
-# Code generated by Microsoft (R) AutoRest Code Generator.
+# Code generated by Microsoft (R) AutoRest Code Generator (autorest: 3.0.6306, generator: {generator})
 # Changes may cause incorrect behavior and will be lost if the code is regenerated.
 # --------------------------------------------------------------------------
 
-from ._key_vault_client_operations_async import KeyVaultClientOperationsMixin
 from ._role_definitions_operations_async import RoleDefinitionsOperations
 from ._role_assignments_operations_async import RoleAssignmentsOperations
+from ._key_vault_client_operations_async import KeyVaultClientOperationsMixin
 
 __all__ = [
-    'KeyVaultClientOperationsMixin',
     'RoleDefinitionsOperations',
     'RoleAssignmentsOperations',
+    'KeyVaultClientOperationsMixin',
 ]