diff --git a/src/KeyVault/KeyVault.Test/PesterTests/CertificateBackedKeyFiltering.Tests.ps1 b/src/KeyVault/KeyVault.Test/PesterTests/CertificateBackedKeyFiltering.Tests.ps1
new file mode 100644
index 000000000000..e4335c06e328
--- /dev/null
+++ b/src/KeyVault/KeyVault.Test/PesterTests/CertificateBackedKeyFiltering.Tests.ps1
@@ -0,0 +1,57 @@
+
+$debugModulePath = "$PSScriptRoot\..\..\..\..\artifacts\Debug\Az.KeyVault\Az.KeyVault.psd1"
+Import-Module $debugModulePath -Force
+
+$vaultName = 'danielKV7103'
+. "$PSScriptRoot\..\Scripts\Common.ps1"
+
+Describe "Get-AzKeyVaultKey filters certificate-backed keys" {
+ It "Should not return certificate-backed managed keys" {
+ $certName = Get-CertificateName
+ $keyName = Get-KeyName
+
+ # Create a self-signed certificate (creates a managed key)
+ $policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=test.contoso.com" -IssuerName Self -ValidityInMonths 6
+ $certOp = Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy
+
+ Start-Sleep -Seconds 30
+ $cert = Get-AzKeyVaultCertificate -VaultName $vaultName -Name $certName
+ $cert | Should Not BeNullOrEmpty
+
+ $key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software
+ $key | Should Not BeNullOrEmpty
+
+ $keys = Get-AzKeyVaultKey -VaultName $vaultName
+
+ $standaloneKey = $keys | Where-Object { $_.Name -eq $keyName }
+ $standaloneKey | Should Not BeNullOrEmpty
+
+ $certBackedKey = $keys | Where-Object { $_.Name -eq $certName }
+ $certBackedKey | Should BeNullOrEmpty
+ }
+}
+
+Describe "Get-AzKeyVaultSecret filters certificate-backed secrets" {
+ It "Should not return certificate-backed managed secrets" {
+ $certName = Get-CertificateName
+ $secretName = Get-SecretName
+
+ # Create a certificate (creates both managed key AND managed secret)
+ $policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=test2.contoso.com" -IssuerName Self -ValidityInMonths 6
+ $certOp = Add-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificatePolicy $policy
+
+ Start-Sleep -Seconds 30
+
+ $secretValue = ConvertTo-SecureString "MySecretValue123!" -AsPlainText -Force
+ $secret = Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretValue
+ $secret | Should Not BeNullOrEmpty
+
+ $secrets = Get-AzKeyVaultSecret -VaultName $vaultName
+
+ $standaloneSecret = $secrets | Where-Object { $_.Name -eq $secretName }
+ $standaloneSecret | Should Not BeNullOrEmpty
+
+ $certBackedSecret = $secrets | Where-Object { $_.Name -eq $certName }
+ $certBackedSecret | Should BeNullOrEmpty
+ }
+}
diff --git a/src/KeyVault/KeyVault/Models/Client/KeyVaultDataServiceClient.cs b/src/KeyVault/KeyVault/Models/Client/KeyVaultDataServiceClient.cs
index 1d35da6ec860..e5906b4916bf 100644
--- a/src/KeyVault/KeyVault/Models/Client/KeyVaultDataServiceClient.cs
+++ b/src/KeyVault/KeyVault/Models/Client/KeyVaultDataServiceClient.cs
@@ -719,7 +719,8 @@ public IEnumerable GetSecrets(KeyVaultObjectFilter
 options.NextLink = result.NextPageLink;
 return (result == null) ? new List() :
- result.Select((secretItem) => new PSKeyVaultSecretIdentityItem(secretItem, this.vaultUriHelper));
+ result.Where((secretItem) => secretItem.Managed != true)
+ .Select((secretItem) => new PSKeyVaultSecretIdentityItem(secretItem, this.vaultUriHelper));
 }
 catch (Exception ex)
 {
@@ -748,7 +749,8 @@ public IEnumerable GetSecretVersions(KeyVaultObjec
 result = this.keyVaultClient.GetSecretVersionsNextAsync(options.NextLink).GetAwaiter().GetResult();
 options.NextLink = result.NextPageLink;
- return result.Select((secretItem) => new PSKeyVaultSecretIdentityItem(secretItem, this.vaultUriHelper));
+ return result.Where((secretItem) => secretItem.Managed != true)
+ .Select((secretItem) => new PSKeyVaultSecretIdentityItem(secretItem, this.vaultUriHelper));
 }
 catch (Exception ex)
 {
diff --git a/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs
index 15815ba1f55e..c88a72fc463f 100644
--- a/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs
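Review bot: The negative assertions in both tests can pass without the filter doing anything. `Start-Sleep -Seconds 30` is the only synchronisation with certificate issuance, and the secrets test never checks that the certificate exists, so if the operation is still pending or failed, the managed key or secret may simply be absent and `Should BeNullOrEmpty` succeeds vacuously. Poll the operation instead of sleeping (for example, loop on `Get-AzKeyVaultCertificateOperation` until it reports completion) and assert `$cert | Should Not BeNullOrEmpty` in the secrets test as well before listing. The script also targets a hard-coded live vault, `$vaultName = 'danielKV7103'`, and never removes the certificate, key or secret it creates. Taking the vault name from the environment and deleting the objects in a cleanup block would keep test artefacts, including the literal secret value, from accumulating in a shared vault.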
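Review bot: Filtering inside the page fetch in GetSecrets means a page made up entirely of managed secrets now yields an empty sequence while `options.NextLink` is still set. If a caller (not visible in this hunk) treats an empty page as the end of the listing, standalone secrets on later pages would be dropped silently, and the `Where` added in GetSecretVersions has the same property. It is worth confirming that callers loop on `NextLink` only and stating that above the filter, e.g. `// Managed == true: owned by a Key Vault certificate; a page may be empty after filtering, keep paging on NextLink`. The `result == null` guard in the ternary appears to come after `result.NextPageLink` has already been dereferenced on the context line above, so it cannot protect the new `Where`. The method body starts and ends outside the hunk.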
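Review bot: Filtering in GetSecretVersions changes the result of an explicit by-name request: as far as this hunk shows, listing the versions of a secret that backs a certificate now returns nothing, with no error or warning. That managed secret holds the certificate in PKCS#12 or PEM form (with the private key when the policy marks it exportable), so inventory or audit scripts that enumerate versions would stop seeing it without any signal. If the goal is only to declutter vault-wide listings, consider leaving the versions path unfiltered or having the cmdlet layer warn when every item was filtered out. GetKeyVersions in Track2VaultClient.cs has the same behaviour. The method body starts and ends outside the hunk.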
+++ b/src/KeyVault/KeyVault/Track2Models/Track2VaultClient.cs
@@ -142,7 +142,10 @@ private IEnumerable GetKeys(KeyClient client)
 var allKeys = client.GetPropertiesOfKeys();
 foreach (var keyProperties in allKeys)
 {
- results.Add(new PSKeyVaultKeyIdentityItem(keyProperties, _vaultUriHelper, false));
+ if (keyProperties.Managed != true)
+ {
+ results.Add(new PSKeyVaultKeyIdentityItem(keyProperties, _vaultUriHelper, false));
+ }
 }
 return results;
 }
@@ -159,7 +162,10 @@ private IEnumerable GetKeyVersions(KeyClient client,
 var allKeys = client.GetPropertiesOfKeyVersions(keyName);
 foreach (var keyProperties in allKeys)
 {
- results.Add(new PSKeyVaultKeyIdentityItem(keyProperties, _vaultUriHelper, false));
+ if (keyProperties.Managed != true)
+ {
+ results.Add(new PSKeyVaultKeyIdentityItem(keyProperties, _vaultUriHelper, false));
+ }
 }
 return results;
 }
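Review bot: The predicate `keyProperties.Managed != true` in GetKeys is written without any comment, and the same test now appears four times across the two clients (here, in GetKeyVersions, and in both secret listings). If `Managed` is a plain `bool` on this type, `if (!keyProperties.Managed)` reads more directly. If it is nullable, add a line such as `// Managed is nullable: null or false is a standalone key, true means the key belongs to a certificate`, so a later cleanup does not rewrite it as `== false` and start dropping items for which the service omits the field. A small shared helper for the predicate would keep the four call sites from drifting apart.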