Updated test

Nicola Camillucci · Nicola Camillucci · commit 9f3dab696677 · 2026-05-25T12:10:12.000+01:00
diff --git a/sdk/keyvault/azure-keyvault-administration/assets.json b/sdk/keyvault/azure-keyvault-administration/assets.json
@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "python",
   "TagPrefix": "python/keyvault/azure-keyvault-administration",
-  "Tag": "python/keyvault/azure-keyvault-administration_007a803c2c"
+  "Tag": "python/keyvault/azure-keyvault-administration_a1cfcc06db"
 }
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/_async_test_case.py b/sdk/keyvault/azure-keyvault-administration/tests/_async_test_case.py
@@ -14,6 +14,8 @@ def __init__(self, **kwargs) -> None:
         hsm_playback_url = "https://managedhsmvaultname.managedhsm.azure.net"
         container_playback_uri = "https://storagename.blob.core.windows.net/container"
         playback_sas_token = "fake-sas"
+        playback_ekm_host = "fake-ekm-host"
+        playback_ekm_certificate = "fake-server-ca-certificate"
 
         if self.is_live:
             hsm = os.environ.get("AZURE_MANAGEDHSM_URL")
@@ -23,11 +25,15 @@ def __init__(self, **kwargs) -> None:
             self.container_uri = f"{storage_url.rstrip('/')}/{container_name}"
 
             self.sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN")
+            self.ekm_host = os.environ.get("EKM_PROXY_HOST")
+            self.ekm_certificate = os.environ.get("EKM_SERVER_CA_CERTIFICATE")
 
         else:
             self.managed_hsm_url = hsm_playback_url
             self.container_uri = container_playback_uri
             self.sas_token = playback_sas_token
+            self.ekm_host = playback_ekm_host
+            self.ekm_certificate = playback_ekm_certificate
 
         use_pwsh = os.environ.get("AZURE_TEST_USE_PWSH_AUTH", "false")
         use_cli = os.environ.get("AZURE_TEST_USE_CLI_AUTH", "false")
@@ -139,6 +145,8 @@ class KeyVaultEkmClientPreparer(BaseClientPreparer):
     def __call__(self, fn):
         async def _preparer(test_class, api_version, **kwargs):
             self._skip_if_not_configured(api_version)
+            kwargs["ekm_host"] = self.ekm_host
+            kwargs["ekm_certificate"] = self.ekm_certificate
             client = self.create_ekm_client(api_version=api_version, **kwargs)
 
             async with client:
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/_test_case.py b/sdk/keyvault/azure-keyvault-administration/tests/_test_case.py
@@ -16,6 +16,8 @@ def __init__(self, **kwargs) -> None:
         hsm_playback_url = "https://managedhsmvaultname.managedhsm.azure.net"
         container_playback_uri = "https://storagename.blob.core.windows.net/container"
         playback_sas_token = "fake-sas"
+        playback_ekm_host = "fake-ekm-host"
+        playback_server_ca_certificate = "fake-server-ca-certificate"
 
         if self.is_live:
             hsm = os.environ.get("AZURE_MANAGEDHSM_URL")
@@ -25,11 +27,15 @@ def __init__(self, **kwargs) -> None:
             self.container_uri = f"{storage_url.rstrip('/')}/{container_name}"
 
             self.sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN")
+            self.ekm_host = os.environ.get("EKM_PROXY_HOST")
+            self.ekm_certificate = os.environ.get("EKM_SERVER_CA_CERTIFICATE")
 
         else:
             self.managed_hsm_url = hsm_playback_url
             self.container_uri = container_playback_uri
             self.sas_token = playback_sas_token
+            self.ekm_host = playback_ekm_host
+            self.ekm_certificate = playback_server_ca_certificate
 
         use_pwsh = os.environ.get("AZURE_TEST_USE_PWSH_AUTH", "false")
         use_cli = os.environ.get("AZURE_TEST_USE_CLI_AUTH", "false")
@@ -156,6 +162,8 @@ def __init__(self, **kwargs) -> None:
     def __call__(self, fn):
         def _preparer(test_class, api_version, **kwargs):
             self._skip_if_not_configured(api_version)
+            kwargs["ekm_host"] = self.ekm_host
+            kwargs["ekm_certificate"] = self.ekm_certificate
             client = self.create_ekm_client(api_version=api_version, **kwargs)
 
             with client:
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/conftest.py b/sdk/keyvault/azure-keyvault-administration/tests/conftest.py
@@ -32,6 +32,8 @@ def add_sanitizers(test_proxy):
     storage_url = os.environ.get("BLOB_STORAGE_URL", "https://Sanitized.blob.core.windows.net")
     client_id = os.environ.get("KEYVAULT_CLIENT_ID", "service-principal-id")
     sas_token = os.environ.get("BLOB_STORAGE_SAS_TOKEN", "fake-sas")
+    ekm_host = os.environ.get("EKM_PROXY_HOST", "fake-ekm-host")
+    ekm_certificate = os.environ.get("EKM_SERVER_CA_CERTIFICATE", "fake-server-ca-certificate")
 
     add_general_string_sanitizer(target=azure_keyvault_url, value="https://Sanitized.vault.azure.net")
     add_general_string_sanitizer(target=keyvault_tenant_id, value="00000000-0000-0000-0000-000000000000")
@@ -40,6 +42,8 @@ def add_sanitizers(test_proxy):
     add_general_string_sanitizer(target=azure_attestation_uri, value="https://Sanitized.azurewebsites.net")
     add_general_string_sanitizer(target=storage_url, value="https://Sanitized.blob.core.windows.net")
     add_general_string_sanitizer(target=sas_token, value="fake-sas")
+    add_general_string_sanitizer(target=ekm_host, value="fake-ekm-host")
+    add_general_string_sanitizer(target=ekm_certificate, value="fake-server-ca-certificate")
     add_general_string_sanitizer(target=client_id, value="service-principal-id")
     # Sanitize API versions of `azure-keyvault-keys` requests
     add_uri_regex_sanitizer(
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/test_ekm_client.py b/sdk/keyvault/azure-keyvault-administration/tests/test_ekm_client.py
@@ -2,156 +2,100 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
+
+import base64
 import pytest
 
 from azure.core.exceptions import HttpResponseError
-from azure.keyvault.administration import (
-    KeyVaultEkmClient,
-    KeyVaultEkmConnection,
-    KeyVaultEkmProxyClientCertificateInfo,
-    KeyVaultEkmProxyInfo,
-)
-from azure.keyvault.administration._generated.models import EkmConnection as _GeneratedEkmConnection
+from azure.keyvault.administration import KeyVaultEkmClient, KeyVaultEkmConnection
+from azure.keyvault.administration._internal.client_base import DEFAULT_VERSION
 
 from devtools_testutils import recorded_by_proxy
 
 from _shared.test_case import KeyVaultTestCase
 from _test_case import KeyVaultEkmClientPreparer, get_decorator
 
+only_latest = get_decorator(api_versions=[DEFAULT_VERSION])
 
-# EKM operations are only available on the 2026-01-01-preview API version.
-ekm_api_versions = get_decorator(api_versions=["2026-01-01-preview"])
-
-# Minimal placeholder bytes; real ca certificates are PEM/DER chains pinned to your EKM proxy.
-_PROXY_CA_BYTES = b"\x30\x82\x01\x00"
-
-
-def _build_connection(host: str = "ekm.contoso.com") -> KeyVaultEkmConnection:
-    return KeyVaultEkmConnection(
-        host=host,
-        server_ca_certificates=[_PROXY_CA_BYTES],
-        path_prefix="/api",
-        server_subject_common_name="ekm.contoso.com",
-    )
-
-
-class TestEkmModels:
-    """Unit tests for EKM public model wrappers (no service interaction)."""
-
-    def test_ekm_connection_init_required_and_optional_fields(self):
-        connection = _build_connection()
-        assert connection.host == "ekm.contoso.com"
-        assert connection.server_ca_certificates == [_PROXY_CA_BYTES]
-        assert connection.path_prefix == "/api"
-        assert connection.server_subject_common_name == "ekm.contoso.com"
-
-    def test_ekm_connection_optional_fields_default_to_none(self):
-        connection = KeyVaultEkmConnection(host="h.example", server_ca_certificates=[_PROXY_CA_BYTES])
-        assert connection.path_prefix is None
-        assert connection.server_subject_common_name is None
+# Note: These tests require an EKM connection to be established with an EKM Sample Proxy.
 
-    def test_ekm_connection_repr_includes_host(self):
-        connection = _build_connection("repr.example.net")
-        assert "repr.example.net" in repr(connection)
 
-    def test_ekm_connection_round_trip_to_and_from_generated(self):
-        original = _build_connection()
-        generated = original._to_generated()
-        assert isinstance(generated, _GeneratedEkmConnection)
-        assert generated.host == original.host
-        assert generated.server_ca_certificates == original.server_ca_certificates
-        assert generated.path_prefix == original.path_prefix
-        assert generated.server_subject_common_name == original.server_subject_common_name
-
-        round_tripped = KeyVaultEkmConnection._from_generated(generated)
-        assert round_tripped.host == original.host
-        assert round_tripped.server_ca_certificates == original.server_ca_certificates
-        assert round_tripped.path_prefix == original.path_prefix
-        assert round_tripped.server_subject_common_name == original.server_subject_common_name
-
-    def test_ekm_proxy_client_certificate_info_kwargs(self):
-        info = KeyVaultEkmProxyClientCertificateInfo(
-            ca_certificates=[_PROXY_CA_BYTES], subject_common_name="ekm-client.contoso.com"
-        )
-        assert info.ca_certificates == [_PROXY_CA_BYTES]
-        assert info.subject_common_name == "ekm-client.contoso.com"
-        assert "ekm-client.contoso.com" in repr(info)
-
-    def test_ekm_proxy_info_kwargs(self):
-        info = KeyVaultEkmProxyInfo(
-            api_version="2.0", proxy_vendor="Contoso", proxy_name="ProxyX 1.2", ekm_vendor="Acme", ekm_product="HSM 9000"
-        )
-        assert info.api_version == "2.0"
-        assert info.proxy_vendor == "Contoso"
-        assert info.proxy_name == "ProxyX 1.2"
-        assert info.ekm_vendor == "Acme"
-        assert info.ekm_product == "HSM 9000"
-        rendered = repr(info)
-        assert "Contoso" in rendered and "Acme" in rendered
-
-
-class TestEkmClient(KeyVaultTestCase):
-    @pytest.mark.parametrize("api_version", ekm_api_versions)
+class TestEkm(KeyVaultTestCase):
+    @pytest.mark.live_test_only
+    @pytest.mark.parametrize("api_version", only_latest)
     @KeyVaultEkmClientPreparer()
     @recorded_by_proxy
-    def test_ekm_connection_lifecycle(self, client: KeyVaultEkmClient, **kwargs):
-        """Exercise create -> get -> update -> delete on an EKM connection."""
-        # Pre-condition: there should not be an existing EKM connection.
-        # If the recording was made against a clean HSM, delete is a no-op below.
+    def test_ekm_connection(self, client: KeyVaultEkmClient, **kwargs):
+        ekm_host = kwargs.pop("ekm_host")
+        server_ca_certificate = kwargs.pop("ekm_certificate")
+        if not server_ca_certificate or not ekm_host:
+            pytest.skip(
+                "EKM CA certificate is required for live tests. Please set the EKM_PROXY_HOST and EKM_SERVER_CA_CERTIFICATE environment variables."
+            )
+
+        # Cleanup
         try:
             client.delete_ekm_connection()
         except HttpResponseError:
             pass
 
-        # Create
-        created = client.create_ekm_connection(_build_connection())
-        assert isinstance(created, KeyVaultEkmConnection)
-        assert created.host == "ekm.contoso.com"
-        assert created.path_prefix == "/api"
-
-        # Get
-        fetched = client.get_ekm_connection()
-        assert isinstance(fetched, KeyVaultEkmConnection)
-        assert fetched.host == created.host
-        assert fetched.path_prefix == created.path_prefix
-
-        # Update
-        updated_input = _build_connection()
-        updated_input.path_prefix = "/v2"
-        updated = client.update_ekm_connection(updated_input)
-        assert updated.path_prefix == "/v2"
-
-        # Delete
-        deleted = client.delete_ekm_connection()
-        assert isinstance(deleted, KeyVaultEkmConnection)
-        assert deleted.host == created.host
-
-    @pytest.mark.parametrize("api_version", ekm_api_versions)
-    @KeyVaultEkmClientPreparer()
-    @recorded_by_proxy
-    def test_get_ekm_certificate(self, client: KeyVaultEkmClient, **kwargs):
-        """The EKM proxy client certificate info should always be retrievable."""
-        info = client.get_ekm_certificate()
-        assert isinstance(info, KeyVaultEkmProxyClientCertificateInfo)
-        # The service may return either populated certificate info or an empty payload
-        # depending on EKM provisioning state. Both are valid response shapes.
-
-    @pytest.mark.parametrize("api_version", ekm_api_versions)
-    @KeyVaultEkmClientPreparer()
-    @recorded_by_proxy
-    def test_check_ekm_connection(self, client: KeyVaultEkmClient, **kwargs):
-        """Verify check_ekm_connection returns proxy info when an EKM proxy is reachable."""
-        try:
-            client.create_ekm_connection(_build_connection())
-        except HttpResponseError:
-            # An EKM connection may already exist from a previous test/recording
-            pass
-
-        try:
-            info = client.check_ekm_connection()
-            assert isinstance(info, KeyVaultEkmProxyInfo)
-        finally:
-            try:
-                client.delete_ekm_connection()
-            except HttpResponseError:
-                pass
+        # Create an EKM connection
+        ekm_connection = KeyVaultEkmConnection(
+            host=ekm_host,
+            server_ca_certificates=[base64.b64decode(server_ca_certificate)],
+            path_prefix="/api/v1",
+        )
+        created_ekm_connection = client.create_ekm_connection(connection=ekm_connection)
+        assert created_ekm_connection is not None
+        assert created_ekm_connection.host == ekm_host
+        assert created_ekm_connection.server_ca_certificates is not None
+        assert len(created_ekm_connection.server_ca_certificates) == 1
+        assert created_ekm_connection.path_prefix == ekm_connection.path_prefix
+        assert created_ekm_connection.server_subject_common_name == ekm_connection.server_subject_common_name
+
+        # Get the EKM connection
+        retrieved_ekm_connection = client.get_ekm_connection()
+        assert retrieved_ekm_connection is not None
+        assert retrieved_ekm_connection.host == ekm_host
+        assert retrieved_ekm_connection.server_ca_certificates is not None
+        assert len(retrieved_ekm_connection.server_ca_certificates) == 1
+        assert retrieved_ekm_connection.path_prefix == ekm_connection.path_prefix
+        assert retrieved_ekm_connection.server_subject_common_name == created_ekm_connection.server_subject_common_name
+
+        # Get the EKM certificate
+        ekm_certificate = client.get_ekm_certificate()
+        assert ekm_certificate is not None
+        assert ekm_certificate.ca_certificates is not None
+        assert len(ekm_certificate.ca_certificates) == 1
+
+        # Check the EKM connection status
+        connection_status = client.check_ekm_connection()
+        assert connection_status is not None
+        assert connection_status.api_version is not None
+        assert connection_status.proxy_vendor is not None
+        assert connection_status.proxy_name is not None
+        assert connection_status.ekm_vendor is not None
+        assert connection_status.ekm_product is not None
+
+        # Update the EKM connection
+        updated_ekm_connection = KeyVaultEkmConnection(
+            host=ekm_host,
+            server_ca_certificates=[base64.b64decode(server_ca_certificate)],
+            path_prefix="/api/v1",
+        )
+        result = client.update_ekm_connection(connection=updated_ekm_connection)
+        assert result is not None
+        assert result.host == updated_ekm_connection.host
+        assert result.server_ca_certificates is not None
+        assert len(result.server_ca_certificates) == 1
+        assert result.path_prefix == updated_ekm_connection.path_prefix
+        assert result.server_subject_common_name == updated_ekm_connection.server_subject_common_name
+
+        # Delete the EKM connection
+        result = client.delete_ekm_connection()
+        assert result is not None
+        assert result.host == updated_ekm_connection.host
+        assert result.server_ca_certificates is not None
+        assert len(result.server_ca_certificates) == 1
+        assert result.path_prefix == updated_ekm_connection.path_prefix
+        assert result.server_subject_common_name == updated_ekm_connection.server_subject_common_name
diff --git a/sdk/keyvault/azure-keyvault-administration/tests/test_ekm_client_async.py b/sdk/keyvault/azure-keyvault-administration/tests/test_ekm_client_async.py

Original file line number	Diff line number	Diff line change
`@@ -2,5 +2,5 @@`
`2`	`2`	`"AssetsRepo": "Azure/azure-sdk-assets",`
`3`	`3`	`"AssetsRepoPrefixPath": "python",`
`4`	`4`	`"TagPrefix": "python/keyvault/azure-keyvault-administration",`
`5`		`- "Tag": "python/keyvault/azure-keyvault-administration_007a803c2c"`
	`5`	`+ "Tag": "python/keyvault/azure-keyvault-administration_a1cfcc06db"`
`6`	`6`	`}`