[Key Vault] Fix backup/restore tests in administration (#23558)

mccoyp · web-flow · commit 4dbefd475ecd · 2022-03-22T17:58:52.000-07:00
diff --git a/.vscode/cspell.json b/.vscode/cspell.json
@@ -239,6 +239,7 @@
     "parameterizing",
     "pytz",
     "pywin",
+    "RAGRS",
     "rdbms",
     "reauthenticated",
     "reimage",
@@ -248,6 +249,7 @@
     "RSNULL",
     "rtsp",
     "rtype",
+    "rwdlacu",
     "scbedd",
     "sdist",
     "secbak",
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/_test_case.py b/sdk/keyvault/azure-keyvault-administration/tests/_test_case.py
@@ -84,23 +84,8 @@ def setUp(self, *args, **kwargs):
             self.container_uri = "https://{}.blob.{}/{}".format(storage_name, storage_endpoint_suffix, container_name)
             self._scrub_url(real_url=self.container_uri, playback_url=container_playback_uri)
 
-            storage_account_key = os.environ.get("BLOB_PRIMARY_STORAGE_ACCOUNT_KEY")
-            if storage_account_key:
-                self.sas_token = generate_account_sas(
-                    account_name=storage_name,
-                    account_key=storage_account_key,
-                    resource_types=ResourceTypes(container=True, object=True),
-                    permission=AccountSasPermissions(
-                        create=True,
-                        list=True,
-                        write=True,
-                        read=True,
-                        add=True,
-                        delete=True,
-                        delete_previous_version=True,
-                    ),
-                    expiry=datetime.utcnow() + timedelta(minutes=30),
-                )
+            self.sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN")
+            if self.sas_token:
                 self.scrubber.register_name_pair(self.sas_token, playback_sas_token)
         else:
             self.managed_hsm_url = hsm_playback_url
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/test_backup_client.py b/sdk/keyvault/azure-keyvault-administration/tests/test_backup_client.py
@@ -23,9 +23,6 @@ def __init__(self, *args, **kwargs):
     @all_api_versions()
     @backup_client_setup
     def test_full_backup_and_restore(self, client):
-        if self.is_live:
-            pytest.skip("SAS token failures are causing sev2 alerts for service team")
-
         # backup the vault
         backup_poller = client.begin_backup(self.container_uri, self.sas_token)
         backup_operation = backup_poller.result()
@@ -70,9 +67,6 @@ def test_full_backup_and_restore_rehydration(self, client):
     @all_api_versions()
     @backup_client_setup
     def test_selective_key_restore(self, client):
-        if self.is_live:
-            pytest.skip("SAS token failures are causing sev2 alerts for service team")
-
         # create a key to selectively restore
         key_client = self.create_key_client(self.managed_hsm_url)
         key_name = self.get_resource_name("selective-restore-test-key")
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/test_backup_client_async.py b/sdk/keyvault/azure-keyvault-administration/tests/test_backup_client_async.py
@@ -21,9 +21,6 @@ def __init__(self, *args, **kwargs):
     @all_api_versions()
     @backup_client_setup
     async def test_full_backup_and_restore(self, client):
-        if self.is_live:
-            pytest.skip("SAS token failures are causing sev2 alerts for service team")
-
         # backup the vault
         backup_poller = await client.begin_backup(self.container_uri, self.sas_token)
         backup_operation = await backup_poller.result()
@@ -68,9 +65,6 @@ async def test_full_backup_and_restore_rehydration(self, client):
     @all_api_versions()
     @backup_client_setup
     async def test_selective_key_restore(self, client):
-        if self.is_live:
-            pytest.skip("SAS token failures are causing sev2 alerts for service team")
-
         # create a key to selectively restore
         key_client = self.create_key_client(self.managed_hsm_url, is_async=True)
         key_name = self.get_resource_name("selective-restore-test-key")
diff --git a/sdk/keyvault/test-resources.json b/sdk/keyvault/test-resources.json
@@ -77,12 +77,26 @@
                 "description": "Key Vault SKU to deploy. The default is 'premium'"
             }
         },
+        "baseTime": {
+            "type": "string",
+            "defaultValue": "[utcNow('u')]",
+            "metadata": {
+                "description": "The base time to add 500 minutes to for SAS token expiration. The default is the current time."
+            }
+        },
         "attestationImage": {
             "type": "string",
             "defaultValue": "keyvault-mock-attestation:latest",
             "metadata": {
                 "description": "The container image name and tag to use for the attestation mock service."
             }
+        },
+        "storageEndpointSuffix": {
+            "type": "string",
+            "defaultValue": "core.windows.net",
+            "metadata": {
+                "description": "The url suffix to use when accessing the storage data plane."
+            }
         }
     },
     "variables": {
@@ -111,6 +125,14 @@
             "virtualNetworkRules": [],
             "ipRules": [],
             "defaultAction": "Allow"
+        },
+        "accountSasProperties": {
+            "signedServices": "b",
+            "signedPermission": "rwdlacu",
+            "signedProtocol": "https",
+            "signedExpiry": "[dateTimeAdd(parameters('baseTime'), 'PT500M')]",
+            "signedResourceTypes": "sco",
+            "keyToSign": "key1"
         }
     },
     "resources": [
@@ -270,13 +292,17 @@
             "type": "string",
             "value": "[parameters('testApplicationOid')]"
         },
+        "KEYVAULT_STORAGE_ENDPOINT_SUFFIX": {
+            "type": "string",
+            "value": "[parameters('storageEndpointSuffix')]"
+        },
         "BLOB_STORAGE_ACCOUNT_NAME": {
             "type": "string",
             "value": "[variables('primaryAccountName')]"
         },
-        "BLOB_PRIMARY_STORAGE_ACCOUNT_KEY": {
+        "BLOB_STORAGE_SAS_TOKEN": {
             "type": "string",
-            "value": "[listKeys(variables('primaryAccountName'), variables('mgmtApiVersion')).keys[0].value]"
+            "value": "[listAccountSas(variables('primaryAccountName'), '2019-06-01', variables('accountSasProperties')).accountSasToken]"
         },
         "BLOB_CONTAINER_NAME" : {
             "type": "string",
