From 78be1858ad22afa9a26a2cc463d0e49670c2d96c Mon Sep 17 00:00:00 2001
From: Paul Medynski <31868385+paulmedynski@users.noreply.github.com>
Date: Thu, 17 Jul 2025 07:38:56 -0300
Subject: [PATCH 1/3] Add new trusted AKV URLs for FR and DE (#3482)
- Added 4 new trusted AKV URLs.
- Fixed existing manual tests and added unit tests.
---
.../AzureKeyVaultProvider/Constants.cs | 32 +++--
.../add-ons/AzureKeyVaultProvider/Utils.cs | 2 +-
.../AlwaysEncrypted/ExceptionTestAKVStore.cs | 5 +-
.../AlwaysEncrypted/TrustedUrlsTest.cs | 133 ++++++++++++++++++
....Data.SqlClient.ManualTesting.Tests.csproj | 11 +-
5 files changed, 164 insertions(+), 19 deletions(-)
create mode 100644 src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs
diff --git a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs
index 6e26ac8539..a888d88e13 100644
--- a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs
+++ b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs
@@ -9,16 +9,28 @@ internal static class Constants
///
/// Azure Key Vault Domain Name
///
- internal static readonly string[] AzureKeyVaultPublicDomainNames = new string[] {
- @"vault.azure.net", // default
- @"vault.azure.cn", // Azure China
- @"vault.usgovcloudapi.net", // US Government
- @"vault.microsoftazure.de", // Azure Germany
- @"managedhsm.azure.net", // public HSM vault
- @"managedhsm.azure.cn", // Azure China HSM vault
- @"managedhsm.usgovcloudapi.net", // US Government HSM vault
- @"managedhsm.microsoftazure.de" // Azure Germany HSM vault
- };
+ internal static readonly string[] AzureKeyVaultPublicDomainNames =
+ [
+ // Azure Key Vaults
+ "vault.azure.net", // Default
+ "vault.azure.cn", // China
+ "vault.usgovcloudapi.net", // US Government
+ "vault.microsoftazure.de", // Azure Germany
+ "vault.cloudapi.microsoft.scloud", // USSec
+ "vault.cloudapi.eaglex.ic.gov", // USNat
+ "vault.sovcloud-api.fr", // France (Bleu)
+ "vault.sovcloud-api.de", // Germany (Delos)
+
+ // Managed High Security Modules (HSM) Vaults
+ "managedhsm.azure.net",
+ "managedhsm.azure.cn",
+ "managedhsm.usgovcloudapi.net",
+ "managedhsm.microsoftazure.de",
+ "managedhsm.cloudapi.microsoft.scloud",
+ "managedhsm.cloudapi.eaglex.ic.gov",
+ "managedhsm.sovcloud-api.fr",
+ "managedhsm.sovcloud-api.de"
+ ];
///
/// Always Encrypted Parameter names for exec handling
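Review bot: The new group comment on the HSM half of the list expands the acronym wrongly; Azure Managed HSM is a Hardware Security Module, so the line should read `// Managed Hardware Security Module (HSM) vaults`. The vault half keeps a region comment per entry while the HSM entries now have none; restoring them (`// US Government HSM vault`, `// France (Bleu) HSM vault`, …) keeps the two halves of the allowlist readable side by side. This array is the trust allowlist the provider checks key-path hosts against, and `static readonly string[]` only freezes the reference, not the elements, so if no caller depends on the array type, exposing it as `IReadOnlyList<string>` would keep the list from being altered at runtime. The prefixed hosts accepted by the new ValidVaults test suggest entries are matched as domain suffixes; a one-line comment above the declaration saying so would help whoever adds the next entry, though the matching code itself is outside this hunk.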
diff --git a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Utils.cs b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Utils.cs
index f71080ffab..ea7ffb4671 100644
--- a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Utils.cs
+++ b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Utils.cs
@@ -138,7 +138,7 @@ internal static ArgumentException InvalidAKVPath(string masterKeyPath, bool isSy
internal static ArgumentException InvalidAKVUrl(string masterKeyPath) =>
new(string.Format(CultureInfo.InvariantCulture, Strings.InvalidAkvUrlTemplate, masterKeyPath), Constants.AeParamMasterKeyPath);
- internal static Exception InvalidAKVUrlTrustedEndpoints(string masterKeyPath, string endpoints) =>
+ internal static ArgumentException InvalidAKVUrlTrustedEndpoints(string masterKeyPath, string endpoints) =>
new ArgumentException(string.Format(CultureInfo.InvariantCulture, Strings.InvalidAkvKeyPathTrustedTemplate, masterKeyPath, endpoints),
Constants.AeParamMasterKeyPath);
}
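Review bot: With the return type narrowed to ArgumentException, the explicit `new ArgumentException(` on the body line can become the target-typed `new(` that InvalidAKVUrl uses directly above, so the two factory methods read the same way. The rest of the hunk is unchanged and the narrower type is an improvement, since callers no longer need a cast to reach the parameter name.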
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/ExceptionTestAKVStore.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/ExceptionTestAKVStore.cs
index 6cb20a4351..9f0b194fb7 100644
--- a/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/ExceptionTestAKVStore.cs
+++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/ExceptionTestAKVStore.cs
@@ -182,7 +182,6 @@ public void InvalidCertificatePath()
string dummyPathWithOnlyHost = @"https://www.microsoft.com";
string invalidUrlErrorMessage = $@"Invalid url specified: '{dummyPathWithOnlyHost}'";
string dummyPathWithInvalidKey = @"https://www.microsoft.vault.azure.com/keys/dummykey/dummykeyid";
- string invalidTrustedEndpointErrorMessage = $@"Invalid Azure Key Vault key path specified: '{dummyPathWithInvalidKey}'. Valid trusted endpoints: vault.azure.net, vault.azure.cn, vault.usgovcloudapi.net, vault.microsoftazure.de, managedhsm.azure.net, managedhsm.azure.cn, managedhsm.usgovcloudapi.net, managedhsm.microsoftazure.de.\s+\(?Parameter (name: )?'?masterKeyPath('\))?";
Exception ex = Assert.Throws(
() => fixture.AkvStoreProvider.EncryptColumnEncryptionKey(dummyPathWithOnlyHost, MasterKeyEncAlgo, cek));
@@ -190,7 +189,7 @@ public void InvalidCertificatePath()
ex = Assert.Throws(
() => fixture.AkvStoreProvider.EncryptColumnEncryptionKey(dummyPathWithInvalidKey, MasterKeyEncAlgo, cek));
- Assert.Matches(invalidTrustedEndpointErrorMessage, ex.Message);
+ Assert.Matches(TrustedUrlsTest.MakeInvalidVaultErrorMessage(dummyPathWithInvalidKey), ex.Message);
ex = Assert.Throws(
() => fixture.AkvStoreProvider.DecryptColumnEncryptionKey(dummyPathWithOnlyHost, MasterKeyEncAlgo, encryptedCek));
@@ -198,7 +197,7 @@ public void InvalidCertificatePath()
ex = Assert.Throws(
() => fixture.AkvStoreProvider.DecryptColumnEncryptionKey(dummyPathWithInvalidKey, MasterKeyEncAlgo, encryptedCek));
- Assert.Matches(invalidTrustedEndpointErrorMessage, ex.Message);
+ Assert.Matches(TrustedUrlsTest.MakeInvalidVaultErrorMessage(dummyPathWithInvalidKey), ex.Message);
}
[InlineData(true)]
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs
new file mode 100644
index 0000000000..a526eec22b
--- /dev/null
+++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs
@@ -0,0 +1,133 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System;
+using System.Reflection;
+using Azure.Core;
+using Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider;
+using Xunit;
+
+namespace Microsoft.Data.SqlClient.ManualTesting.Tests.AlwaysEncrypted;
+
+public class TrustedUrlsTest
+{
+ private readonly SqlColumnEncryptionAzureKeyVaultProvider _provider;
+ private readonly MethodInfo _method;
+
+ public TrustedUrlsTest()
+ {
+ _provider = new(new SqlClientCustomTokenCredential());
+
+ var assembly = typeof(SqlColumnEncryptionAzureKeyVaultProvider).Assembly;
+ var clazz = assembly.GetType("Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.SqlColumnEncryptionAzureKeyVaultProvider");
+ _method = clazz.GetMethod(
+ "ValidateNonEmptyAKVPath",
+ System.Reflection.BindingFlags.NonPublic |
+ System.Reflection.BindingFlags.Instance);
+ }
+
+ public const string InvalidVaultKeyPathErrorMessage =
+ @"Invalid Azure Key Vault key path specified: 'https://www.microsoft.com'. " +
+ "Valid trusted endpoints: " +
+ "vault.azure.net, " +
+ "vault.azure.cn, " +
+ "vault.usgovcloudapi.net, " +
+ "vault.microsoftazure.de, " +
+ "vault.cloudapi.microsoft.scloud, " +
+ "vault.cloudapi.eaglex.ic.gov, " +
+ "vault.sovcloud-api.fr, " +
+ "vault.sovcloud-api.de, " +
+ "managedhsm.azure.net, " +
+ "managedhsm.azure.cn, " +
+ "managedhsm.usgovcloudapi.net, " +
+ "managedhsm.microsoftazure.de, " +
+ "managedhsm.cloudapi.microsoft.scloud, " +
+ "managedhsm.cloudapi.eaglex.ic.gov, " +
+ "managedhsm.sovcloud-api.fr, " +
+ "managedhsm.sovcloud-api.de." +
+ @"\s+\(?Parameter (name: )?'?masterKeyPath('\))?";
+
+ private static string MakeUrl(string vault)
+ {
+ return $"https://{vault}/keys/dummykey/dummykeyid";
+ }
+
+ public static string MakeInvalidVaultErrorMessage(string url)
+ {
+ return
+ $"Invalid Azure Key Vault key path specified: '{url}'. " +
+ "Valid trusted endpoints: " +
+ "vault.azure.net, " +
+ "vault.azure.cn, " +
+ "vault.usgovcloudapi.net, " +
+ "vault.microsoftazure.de, " +
+ "vault.cloudapi.microsoft.scloud, " +
+ "vault.cloudapi.eaglex.ic.gov, " +
+ "vault.sovcloud-api.fr, " +
+ "vault.sovcloud-api.de, " +
+ "managedhsm.azure.net, " +
+ "managedhsm.azure.cn, " +
+ "managedhsm.usgovcloudapi.net, " +
+ "managedhsm.microsoftazure.de, " +
+ "managedhsm.cloudapi.microsoft.scloud, " +
+ "managedhsm.cloudapi.eaglex.ic.gov, " +
+ "managedhsm.sovcloud-api.fr, " +
+ "managedhsm.sovcloud-api.de." +
+ @"\s+\(?Parameter (name: )?'?masterKeyPath('\))?";
+ }
+
+ [Theory]
+ [InlineData("www.microsoft.com")]
+ [InlineData("www.microsoft.vault.azure.com")]
+ [InlineData("vault.azure.net.io")]
+ public void InvalidVaults(string vault)
+ {
+ // Test that invalid key paths throw and contain the expected error
+ // message.
+ var url = MakeUrl(vault);
+
+ try
+ {
+ _method.Invoke(_provider, new object[] { url, false });
+ }
+ catch (TargetInvocationException ex)
+ {
+ // Unwrap the exception to get the actual ArgumentException thrown
+ var argEx = ex.InnerException as ArgumentException;
+ Assert.NotNull(argEx);
+ var expected = MakeInvalidVaultErrorMessage(url);
+ Console.WriteLine("Actual: " + argEx.Message);
+ Console.WriteLine("Expected: " + expected);
+ Assert.Matches(expected, argEx.Message);
+ }
+ }
+
+ [Theory]
+ // Normal vaults.
+ [InlineData("vault.azure.net")]
+ [InlineData("vault.azure.cn")]
+ [InlineData("vault.usgovcloudapi.net")]
+ [InlineData("vault.microsoftazure.de")]
+ [InlineData("vault.cloudapi.microsoft.scloud")]
+ [InlineData("vault.cloudapi.eaglex.ic.gov")]
+ [InlineData("vault.sovcloud-api.fr")]
+ [InlineData("vault.sovcloud-api.de")]
+ // HSM vaults.
+ [InlineData("managedhsm.azure.net")]
+ [InlineData("managedhsm.azure.cn")]
+ [InlineData("managedhsm.usgovcloudapi.net")]
+ [InlineData("managedhsm.microsoftazure.de")]
+ [InlineData("managedhsm.cloudapi.microsoft.scloud")]
+ [InlineData("managedhsm.cloudapi.eaglex.ic.gov")]
+ [InlineData("managedhsm.sovcloud-api.fr")]
+ [InlineData("managedhsm.sovcloud-api.de")]
+ // Vaults with prefixes.
+ [InlineData("foo.bar.vault.microsoftazure.de")]
+ [InlineData("baz.bar.foo.managedhsm.sovcloud-api.fr")]
+ public void ValidVaults(string vault)
+ {
+ // Test that valid vault key paths do not throw exceptions
+ _method.Invoke(_provider, new object[] { MakeUrl(vault), false });
+ }
+}
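Review bot: InvalidVaults passes silently when ValidateNonEmptyAKVPath does not throw, because the only assertions sit inside the catch block and nothing fails after the `_method.Invoke` call, so a regression that starts accepting an untrusted host would go unnoticed; wrap the call in `Assert.Throws<TargetInvocationException>` and assert on its InnerException. MakeInvalidVaultErrorMessage interpolates the raw url into a pattern that Assert.Matches treats as a regular expression, so every dot in the URL matches any character; use `Regex.Escape(url)` (System.Text.RegularExpressions) there, which also fixes the two callers in ExceptionTestAKVStore.InvalidCertificatePath. The same silent-pass shape survives into the rewrite of this file in the second patch of this series.
```csharp
public static string MakeInvalidVaultErrorMessage(string url)
{
    return
        $"Invalid Azure Key Vault key path specified: '{Regex.Escape(url)}'. " +
        // … unchanged: trusted endpoint list and parameter-name suffix …
}

// … unchanged: Theory and InlineData attributes …
public void InvalidVaults(string vault)
{
    var url = MakeUrl(vault);

    // Reflection wraps the provider's ArgumentException in a TargetInvocationException,
    // so assert on the wrapper first and then on what it carries.
    var invokeEx = Assert.Throws<TargetInvocationException>(
        () => _method.Invoke(_provider, new object[] { url, false }));
    var argEx = Assert.IsType<ArgumentException>(invokeEx.InnerException);
    Assert.Matches(MakeInvalidVaultErrorMessage(url), argEx.Message);
}
```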
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTesting.Tests.csproj b/src/Microsoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTesting.Tests.csproj
index a5b217f1cd..99b350a411 100644
--- a/src/Microsoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTesting.Tests.csproj
+++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/Microsoft.Data.SqlClient.ManualTesting.Tests.csproj
@@ -37,21 +37,22 @@
-
-
-
-
-
+
+
+
+
+
+
From 07f24e0d44d592abcef58dc4d33d9b8bdf3fbe5e Mon Sep 17 00:00:00 2001
From: Paul Medynski <31868385+paulmedynski@users.noreply.github.com>
Date: Thu, 17 Jul 2025 08:33:58 -0300
Subject: [PATCH 2/3] - Replaced modern syntax with older style supported by C#
9.0.
---
.../AzureKeyVaultProvider/Constants.cs | 5 +-
.../AlwaysEncrypted/TrustedUrlsTest.cs | 197 ++++++++----------
2 files changed, 90 insertions(+), 112 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs
index a888d88e13..25b0e7242e 100644
--- a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs
+++ b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs
@@ -10,7 +10,8 @@ internal static class Constants
/// Azure Key Vault Domain Name
///
internal static readonly string[] AzureKeyVaultPublicDomainNames =
- [
+ new string[]
+ {
// Azure Key Vaults
"vault.azure.net", // Default
"vault.azure.cn", // China
@@ -30,7 +31,7 @@ internal static class Constants
"managedhsm.cloudapi.eaglex.ic.gov",
"managedhsm.sovcloud-api.fr",
"managedhsm.sovcloud-api.de"
- ];
+ };
///
/// Always Encrypted Parameter names for exec handling
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs
index a526eec22b..6a6d438ea5 100644
--- a/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs
+++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs
@@ -8,126 +8,103 @@
using Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider;
using Xunit;
-namespace Microsoft.Data.SqlClient.ManualTesting.Tests.AlwaysEncrypted;
-
-public class TrustedUrlsTest
+namespace Microsoft.Data.SqlClient.ManualTesting.Tests.AlwaysEncrypted
{
- private readonly SqlColumnEncryptionAzureKeyVaultProvider _provider;
- private readonly MethodInfo _method;
-
- public TrustedUrlsTest()
+ public class TrustedUrlsTest
{
- _provider = new(new SqlClientCustomTokenCredential());
-
- var assembly = typeof(SqlColumnEncryptionAzureKeyVaultProvider).Assembly;
- var clazz = assembly.GetType("Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.SqlColumnEncryptionAzureKeyVaultProvider");
- _method = clazz.GetMethod(
- "ValidateNonEmptyAKVPath",
- System.Reflection.BindingFlags.NonPublic |
- System.Reflection.BindingFlags.Instance);
- }
+ private readonly SqlColumnEncryptionAzureKeyVaultProvider _provider;
+ private readonly MethodInfo _method;
- public const string InvalidVaultKeyPathErrorMessage =
- @"Invalid Azure Key Vault key path specified: 'https://www.microsoft.com'. " +
- "Valid trusted endpoints: " +
- "vault.azure.net, " +
- "vault.azure.cn, " +
- "vault.usgovcloudapi.net, " +
- "vault.microsoftazure.de, " +
- "vault.cloudapi.microsoft.scloud, " +
- "vault.cloudapi.eaglex.ic.gov, " +
- "vault.sovcloud-api.fr, " +
- "vault.sovcloud-api.de, " +
- "managedhsm.azure.net, " +
- "managedhsm.azure.cn, " +
- "managedhsm.usgovcloudapi.net, " +
- "managedhsm.microsoftazure.de, " +
- "managedhsm.cloudapi.microsoft.scloud, " +
- "managedhsm.cloudapi.eaglex.ic.gov, " +
- "managedhsm.sovcloud-api.fr, " +
- "managedhsm.sovcloud-api.de." +
- @"\s+\(?Parameter (name: )?'?masterKeyPath('\))?";
-
- private static string MakeUrl(string vault)
- {
- return $"https://{vault}/keys/dummykey/dummykeyid";
- }
+ public TrustedUrlsTest()
+ {
+ _provider = new(new SqlClientCustomTokenCredential());
- public static string MakeInvalidVaultErrorMessage(string url)
- {
- return
- $"Invalid Azure Key Vault key path specified: '{url}'. " +
- "Valid trusted endpoints: " +
- "vault.azure.net, " +
- "vault.azure.cn, " +
- "vault.usgovcloudapi.net, " +
- "vault.microsoftazure.de, " +
- "vault.cloudapi.microsoft.scloud, " +
- "vault.cloudapi.eaglex.ic.gov, " +
- "vault.sovcloud-api.fr, " +
- "vault.sovcloud-api.de, " +
- "managedhsm.azure.net, " +
- "managedhsm.azure.cn, " +
- "managedhsm.usgovcloudapi.net, " +
- "managedhsm.microsoftazure.de, " +
- "managedhsm.cloudapi.microsoft.scloud, " +
- "managedhsm.cloudapi.eaglex.ic.gov, " +
- "managedhsm.sovcloud-api.fr, " +
- "managedhsm.sovcloud-api.de." +
- @"\s+\(?Parameter (name: )?'?masterKeyPath('\))?";
- }
+ var assembly = typeof(SqlColumnEncryptionAzureKeyVaultProvider).Assembly;
+ var clazz = assembly.GetType("Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider.SqlColumnEncryptionAzureKeyVaultProvider");
+ _method = clazz.GetMethod(
+ "ValidateNonEmptyAKVPath",
+ System.Reflection.BindingFlags.NonPublic |
+ System.Reflection.BindingFlags.Instance);
+ }
- [Theory]
- [InlineData("www.microsoft.com")]
- [InlineData("www.microsoft.vault.azure.com")]
- [InlineData("vault.azure.net.io")]
- public void InvalidVaults(string vault)
- {
- // Test that invalid key paths throw and contain the expected error
- // message.
- var url = MakeUrl(vault);
+ private static string MakeUrl(string vault)
+ {
+ return $"https://{vault}/keys/dummykey/dummykeyid";
+ }
- try
+ public static string MakeInvalidVaultErrorMessage(string url)
{
- _method.Invoke(_provider, new object[] { url, false });
+ return
+ $"Invalid Azure Key Vault key path specified: '{url}'. " +
+ "Valid trusted endpoints: " +
+ "vault.azure.net, " +
+ "vault.azure.cn, " +
+ "vault.usgovcloudapi.net, " +
+ "vault.microsoftazure.de, " +
+ "vault.cloudapi.microsoft.scloud, " +
+ "vault.cloudapi.eaglex.ic.gov, " +
+ "vault.sovcloud-api.fr, " +
+ "vault.sovcloud-api.de, " +
+ "managedhsm.azure.net, " +
+ "managedhsm.azure.cn, " +
+ "managedhsm.usgovcloudapi.net, " +
+ "managedhsm.microsoftazure.de, " +
+ "managedhsm.cloudapi.microsoft.scloud, " +
+ "managedhsm.cloudapi.eaglex.ic.gov, " +
+ "managedhsm.sovcloud-api.fr, " +
+ "managedhsm.sovcloud-api.de." +
+ @"\s+\(?Parameter (name: )?'?masterKeyPath('\))?";
}
- catch (TargetInvocationException ex)
+
+ [Theory]
+ [InlineData("www.microsoft.com")]
+ [InlineData("www.microsoft.vault.azure.com")]
+ [InlineData("vault.azure.net.io")]
+ public void InvalidVaults(string vault)
{
- // Unwrap the exception to get the actual ArgumentException thrown
- var argEx = ex.InnerException as ArgumentException;
- Assert.NotNull(argEx);
- var expected = MakeInvalidVaultErrorMessage(url);
- Console.WriteLine("Actual: " + argEx.Message);
- Console.WriteLine("Expected: " + expected);
- Assert.Matches(expected, argEx.Message);
+ // Test that invalid key paths throw and contain the expected error
+ // message.
+ var url = MakeUrl(vault);
+
+ try
+ {
+ _method.Invoke(_provider, new object[] { url, false });
+ }
+ catch (TargetInvocationException ex)
+ {
+ // Unwrap the exception to get the actual ArgumentException thrown
+ var argEx = ex.InnerException as ArgumentException;
+ Assert.NotNull(argEx);
+ Assert.Matches(MakeInvalidVaultErrorMessage(url), argEx.Message);
+ }
}
- }
- [Theory]
- // Normal vaults.
- [InlineData("vault.azure.net")]
- [InlineData("vault.azure.cn")]
- [InlineData("vault.usgovcloudapi.net")]
- [InlineData("vault.microsoftazure.de")]
- [InlineData("vault.cloudapi.microsoft.scloud")]
- [InlineData("vault.cloudapi.eaglex.ic.gov")]
- [InlineData("vault.sovcloud-api.fr")]
- [InlineData("vault.sovcloud-api.de")]
- // HSM vaults.
- [InlineData("managedhsm.azure.net")]
- [InlineData("managedhsm.azure.cn")]
- [InlineData("managedhsm.usgovcloudapi.net")]
- [InlineData("managedhsm.microsoftazure.de")]
- [InlineData("managedhsm.cloudapi.microsoft.scloud")]
- [InlineData("managedhsm.cloudapi.eaglex.ic.gov")]
- [InlineData("managedhsm.sovcloud-api.fr")]
- [InlineData("managedhsm.sovcloud-api.de")]
- // Vaults with prefixes.
- [InlineData("foo.bar.vault.microsoftazure.de")]
- [InlineData("baz.bar.foo.managedhsm.sovcloud-api.fr")]
- public void ValidVaults(string vault)
- {
- // Test that valid vault key paths do not throw exceptions
- _method.Invoke(_provider, new object[] { MakeUrl(vault), false });
+ [Theory]
+ // Normal vaults.
+ [InlineData("vault.azure.net")]
+ [InlineData("vault.azure.cn")]
+ [InlineData("vault.usgovcloudapi.net")]
+ [InlineData("vault.microsoftazure.de")]
+ [InlineData("vault.cloudapi.microsoft.scloud")]
+ [InlineData("vault.cloudapi.eaglex.ic.gov")]
+ [InlineData("vault.sovcloud-api.fr")]
+ [InlineData("vault.sovcloud-api.de")]
+ // HSM vaults.
+ [InlineData("managedhsm.azure.net")]
+ [InlineData("managedhsm.azure.cn")]
+ [InlineData("managedhsm.usgovcloudapi.net")]
+ [InlineData("managedhsm.microsoftazure.de")]
+ [InlineData("managedhsm.cloudapi.microsoft.scloud")]
+ [InlineData("managedhsm.cloudapi.eaglex.ic.gov")]
+ [InlineData("managedhsm.sovcloud-api.fr")]
+ [InlineData("managedhsm.sovcloud-api.de")]
+ // Vaults with prefixes.
+ [InlineData("foo.bar.vault.microsoftazure.de")]
+ [InlineData("baz.bar.foo.managedhsm.sovcloud-api.fr")]
+ public void ValidVaults(string vault)
+ {
+ // Test that valid vault key paths do not throw exceptions
+ _method.Invoke(_provider, new object[] { MakeUrl(vault), false });
+ }
}
}
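Review bot: The constructor looks the provider type up again by its full-name string via `assembly.GetType(...)` although `typeof(SqlColumnEncryptionAzureKeyVaultProvider)` already is that type, and `clazz.GetMethod` returns null silently if ValidateNonEmptyAKVPath is ever renamed, which would then surface as a NullReferenceException in every test rather than a clear failure; `_method = typeof(SqlColumnEncryptionAzureKeyVaultProvider).GetMethod("ValidateNonEmptyAKVPath", BindingFlags.NonPublic | BindingFlags.Instance) ?? throw new InvalidOperationException("ValidateNonEmptyAKVPath was not found; was it renamed?");` covers both. The `System.Reflection.` qualifier on BindingFlags is redundant given the using directive at the top of the file. The trusted-endpoint list is now hand-copied in three places (Constants, MakeInvalidVaultErrorMessage, and the ValidVaults InlineData), so every allowlist change has to be mirrored by hand, as the third patch in this series shows; building the expected message with `string.Join(", ", ...)` over the provider's own array (read via reflection, as this test already does for the method, if Constants is not visible to the test assembly) would remove one copy and let the test catch a list that drifts from the error text.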
From e0db8c99721b4dca80f2c9d7b223f4be31669c0f Mon Sep 17 00:00:00 2001
From: Paul Medynski <31868385+paulmedynski@users.noreply.github.com>
Date: Thu, 17 Jul 2025 13:08:10 -0300
Subject: [PATCH 3/3] - Removed sensitive vault domains.
---
.../add-ons/AzureKeyVaultProvider/Constants.cs | 4 ----
.../tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs | 8 --------
2 files changed, 12 deletions(-)
diff --git a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs
index 25b0e7242e..0881dd028f 100644
--- a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs
+++ b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/Constants.cs
@@ -17,8 +17,6 @@ internal static class Constants
"vault.azure.cn", // China
"vault.usgovcloudapi.net", // US Government
"vault.microsoftazure.de", // Azure Germany
- "vault.cloudapi.microsoft.scloud", // USSec
- "vault.cloudapi.eaglex.ic.gov", // USNat
"vault.sovcloud-api.fr", // France (Bleu)
"vault.sovcloud-api.de", // Germany (Delos)
@@ -27,8 +25,6 @@ internal static class Constants
"managedhsm.azure.cn",
"managedhsm.usgovcloudapi.net",
"managedhsm.microsoftazure.de",
- "managedhsm.cloudapi.microsoft.scloud",
- "managedhsm.cloudapi.eaglex.ic.gov",
"managedhsm.sovcloud-api.fr",
"managedhsm.sovcloud-api.de"
};
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs
index 6a6d438ea5..c815fbf346 100644
--- a/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs
+++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/AlwaysEncrypted/TrustedUrlsTest.cs
@@ -41,16 +41,12 @@ public static string MakeInvalidVaultErrorMessage(string url)
"vault.azure.cn, " +
"vault.usgovcloudapi.net, " +
"vault.microsoftazure.de, " +
- "vault.cloudapi.microsoft.scloud, " +
- "vault.cloudapi.eaglex.ic.gov, " +
"vault.sovcloud-api.fr, " +
"vault.sovcloud-api.de, " +
"managedhsm.azure.net, " +
"managedhsm.azure.cn, " +
"managedhsm.usgovcloudapi.net, " +
"managedhsm.microsoftazure.de, " +
- "managedhsm.cloudapi.microsoft.scloud, " +
- "managedhsm.cloudapi.eaglex.ic.gov, " +
"managedhsm.sovcloud-api.fr, " +
"managedhsm.sovcloud-api.de." +
@"\s+\(?Parameter (name: )?'?masterKeyPath('\))?";
@@ -85,8 +81,6 @@ public void InvalidVaults(string vault)
[InlineData("vault.azure.cn")]
[InlineData("vault.usgovcloudapi.net")]
[InlineData("vault.microsoftazure.de")]
- [InlineData("vault.cloudapi.microsoft.scloud")]
- [InlineData("vault.cloudapi.eaglex.ic.gov")]
[InlineData("vault.sovcloud-api.fr")]
[InlineData("vault.sovcloud-api.de")]
// HSM vaults.
@@ -94,8 +88,6 @@ public void InvalidVaults(string vault)
[InlineData("managedhsm.azure.cn")]
[InlineData("managedhsm.usgovcloudapi.net")]
[InlineData("managedhsm.microsoftazure.de")]
- [InlineData("managedhsm.cloudapi.microsoft.scloud")]
- [InlineData("managedhsm.cloudapi.eaglex.ic.gov")]
[InlineData("managedhsm.sovcloud-api.fr")]
[InlineData("managedhsm.sovcloud-api.de")]
// Vaults with prefixes.