Framework/Core/SVT/Services/KeyVault.ps1

using namespace Microsoft.Azure.Commands.KeyVault.Models
Set-StrictMode -Version Latest 
class KeyVault: SVTBase
{       
    hidden [PSVault] $ResourceObject;
    hidden [PSObject[]] $AllEnabledKeys = $null;
    hidden [PSObject[]] $AllEnabledSecrets = $null;

    KeyVault([string] $subscriptionId, [string] $resourceGroupName, [string] $resourceName): 
        Base($subscriptionId, $resourceGroupName, $resourceName) 
    { 
        $this.GetResourceObject();
    }

    KeyVault([string] $subscriptionId, [SVTResource] $svtResource): 
        Base($subscriptionId, $svtResource) 
    { 
        $this.GetResourceObject();
    }

    hidden [PSVault] GetResourceObject()
    {
        if (-not $this.ResourceObject) 
        {
            $this.ResourceObject = Get-AzureRmKeyVault -VaultName $this.ResourceContext.ResourceName `
                                            -ResourceGroupName $this.ResourceContext.ResourceGroupName
            if(-not $this.ResourceObject)
            {
                throw ([SuppressedException]::new(("Resource '{0}' not found under Resource Group '{1}'" -f ($this.ResourceContext.ResourceName), ($this.ResourceContext.ResourceGroupName)), [SuppressedExceptionType]::InvalidOperation))
            }
        }
        return $this.ResourceObject;
    }

    hidden [ControlResult] CheckAdvancedAccessPolicies([ControlResult] $controlResult)
    {
        $accessPolicies = @{};
        $accessPolicies.Add("Enable access to Azure Virtual Machines for deployment", $this.ResourceObject.EnabledForDeployment);
        $accessPolicies.Add("Enable access to Azure Resource Manager for template deployment", $this.ResourceObject.EnabledForTemplateDeployment);
        $accessPolicies.Add("Enable access to Azure Disk Encryption for volume encryption", $this.ResourceObject.EnabledForDiskEncryption);
        
        $controlResult.SetStateData("Key Vault advanced access policies", $accessPolicies);

        if($this.ResourceObject.EnabledForDeployment -and $this.ResourceObject.EnabledForDiskEncryption -and $this.ResourceObject.EnabledForTemplateDeployment)
        {          
            $controlResult.AddMessage([VerificationResult]::Failed,
                                      [MessageData]::new("All Advanced Access Policies are enabled - ["+ $this.ResourceContext.ResourceName +"]"  , 
                                                         $accessPolicies));
        }
        elseif($this.ResourceObject.EnabledForDeployment -or $this.ResourceObject.EnabledForDiskEncryption -or $this.ResourceObject.EnabledForTemplateDeployment)
        {
            $controlResult.AddMessage([VerificationResult]::Verify,
                                     [MessageData]::new("Validate Advanced Access Policies - ["+ $this.ResourceContext.ResourceName +"]" , 
                                                         $accessPolicies));
        }
        else
        {       
            $controlResult.AddMessage([VerificationResult]::Passed, 
                                      [MessageData]::new("All Advanced Access Policies are disabled - ["+ $this.ResourceContext.ResourceName +"]", 
                                                         $accessPolicies));
        }  
        return $controlResult;
    }

    hidden [ControlResult] CheckAccessPolicies([ControlResult] $controlResult)
    {
            $accessPolicies = $this.ResourceObject.AccessPolicies
             $controlResult.VerificationResult = [VerificationResult]::Verify; 
            $controlResult.SetStateData("Access policies and their assigned permissions to Key/Secret/Certificate", $accessPolicies);
            $controlResult.AddMessage([MessageData]::new("Validate access policies and their assigned permissions to Key/Secret/Certificate - ["+ $this.ResourceContext.ResourceName +"]" , 
                                                         $accessPolicies));
        return $controlResult;
    }

    hidden [PSObject[]] FetchAllEnabledKeysWithVersions([ControlResult] $controlResult)
    {
        if($null -eq $this.AllEnabledKeys)
        {
            try
            {
                $keysResult = @();
                $keysResult += Get-AzureKeyVaultKey -VaultName $this.ResourceContext.ResourceName -ErrorAction Stop | 
                                Where-Object { $_.Enabled -eq $true };

                $this.AllEnabledKeys = @();
                if($keysResult.Count -gt 0) 
                {
                    $keysResult | ForEach-Object {
                        Get-AzureKeyVaultKey -VaultName $this.ResourceContext.ResourceName -Name $_.Name -IncludeVersions |
                        Where-Object { $_.Enabled -eq $true } | 
                        ForEach-Object {
                            $this.AllEnabledKeys += Get-AzureKeyVaultKey -VaultName $this.ResourceContext.ResourceName -Name $_.Name -Version $_.Version ;
                        }
                    }
                }
            }
            catch
            {
                # null indicates exception
                $this.AllEnabledKeys = $null;

                if ($_.Exception.GetType().FullName -eq "Microsoft.Azure.KeyVault.Models.KeyVaultErrorException")
                {
                    $controlResult.AddMessage([MessageData]::new("Access denied: Read access is required on Key Vault Keys."));
                }
                else
                {
                    throw $_
                }
            }
        }
        return $this.AllEnabledKeys;
    }

    hidden [PSObject[]] FetchAllEnabledSecretsWithVersions([ControlResult] $controlResult)
    {
        if($null -eq $this.AllEnabledSecrets)
        {
            try
            {
                $secretsResult = @();
                $secretsResult += Get-AzureKeyVaultSecret -VaultName $this.ResourceContext.ResourceName -ErrorAction Stop | 
                                Where-Object { $_.Enabled -eq $true };

                $this.AllEnabledSecrets = @();
                if($secretsResult.Count -gt 0) 
                {
                    $secretsResult | ForEach-Object {
                        Get-AzureKeyVaultSecret -VaultName $this.ResourceContext.ResourceName -Name $_.Name -IncludeVersions |
                        Where-Object { $_.Enabled -eq $true } | 
                        ForEach-Object {
                            $this.AllEnabledSecrets += Get-AzureKeyVaultSecret -VaultName $this.ResourceContext.ResourceName -Name $_.Name -Version $_.Version ;
                        }
                    }
                }
            }
            catch
            {
                # null indicates exception
                $this.AllEnabledSecrets = $null;

                if ($_.Exception.GetType().FullName -eq "Microsoft.Azure.KeyVault.Models.KeyVaultErrorException")
                {
                    $controlResult.AddMessage([MessageData]::new("Access denied: Read access is required on Key Vault Secrets."));
                }
                else
                {
                    throw $_
                }
            }
        }
        return $this.AllEnabledSecrets;
    }

    hidden [ControlResult] CheckKeyHSMProtected([ControlResult] $controlResult)
    {
        $enabledKeys = $this.FetchAllEnabledKeysWithVersions($controlResult);
        if($null -ne $enabledKeys)
        {
            if($enabledKeys.Count -ne 0)
            {
                $nonHsmKeys = @();
                $nonHsmKeys += $enabledKeys | Where-Object { $_.Attributes.KeyType -ne $this.ControlSettings.KeyVault.KeyType };
                if($nonHsmKeys.Count -eq 0)
                { 
                    $controlResult.AddMessage( [VerificationResult]::Passed,
                        [MessageData]::new("All Keys, including previous versions, are protected by HSM for Key Vault - ["+ $this.ResourceContext.ResourceName +"]"));   
                }
                else 
                {
                    $controlResult.AddMessage([VerificationResult]::Failed,
                        [MessageData]::new("Following Keys, including previous versions, are not protected by HSM."  , 
                                ($nonHsmKeys | Select-Object Name, Version -ExpandProperty Attributes )));
                }
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed,
                    [MessageData]::new("No Keys (enabled) found in - ["+ $this.ResourceContext.ResourceName +"]"));
            }
        }

        return $controlResult;
    }
    
    hidden [ControlResult] CheckKeyMinimumOperations([ControlResult] $controlResult)
    {
        $enabledKeys = $this.FetchAllEnabledKeysWithVersions($controlResult);
        if($null -ne $enabledKeys)
        {
            if($enabledKeys.Count -ne 0)
            {
                $keyOperations = $enabledKeys | Select-Object Name, Version, @{Label="Key Operations"; Expression={[system.string]::Join(", ",$_.Key.KeyOps)}} 
                $controlResult.SetStateData("Key Vault key operations", $keyOperations);
                $controlResult.AddMessage([VerificationResult]::Verify,
                                            [MessageData]::new("Verify the operations permitted using Key on - ["+ $this.ResourceContext.ResourceName +"]",
                                            ($keyOperations )) );   
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed,
                    [MessageData]::new("No Keys (enabled) found in - ["+ $this.ResourceContext.ResourceName +"]"));
            }
        }

        return $controlResult;
    }

    hidden [ControlResult] CheckAppAuthenticationCertificate([ControlResult] $controlResult)
    {
        try{
              $outputList = @();
              $appList = $this.GetAzureRmKeyVaultApplications()
              $appList |
                ForEach-Object {
                    $credentials = Get-AzureRmADAppCredential -ApplicationId $_.ApplicationId
                    $compliance =  if (($credentials| Where-Object { $_.Type -eq $this.ControlSettings.KeyVault.ADAppCredentialTypePwd } | Measure-Object).Count -eq 0 ) { "Yes" } else { "No" } ;
                    $output = New-Object System.Object
                    $output | Add-Member -type NoteProperty -name AzureADAppName -Value $_.DisplayName
                    $output | Add-Member -type NoteProperty -name ApplicationId -Value $_.ApplicationId
                    $output | Add-Member -type NoteProperty -name CertificateCredentialCount -Value ($credentials | Where-Object { $_.Type -eq $this.ControlSettings.KeyVault.ADAppCredentialTypeCrt } | Measure-Object ).Count
                    $output | Add-Member -type NoteProperty -name PasswordCredentialCount -Value ($credentials | Where-Object { $_.Type -eq $this.ControlSettings.KeyVault.ADAppCredentialTypePwd } | Measure-Object).Count
                    $output | Add-Member -type NoteProperty -name Compliance -Value $compliance
                    $outputList += $output;
                }
         
                if(($outputList| Measure-Object).Count -gt 0)
                {
                    $controlResult.AddMessage([MessageData]::new("Compliance details of Azure Active Directory applications:",
                                                                  $outputList));
          
                    if (($outputList | Where-Object { ($_.Compliance -eq "No") } | Measure-Object ).Count -gt 0)
                    {
                        $controlResult.AddMessage([VerificationResult]::Failed ,
                                                  [MessageData]::new("Remove the password credentials from Azure AD Applications which are non-compliant.") );
                    }
                    else
                    {
                        $controlResult.VerificationResult = [VerificationResult]::Passed
                    }
                }
                else
                {
                    $controlResult.AddMessage([VerificationResult]::Passed ,
                                                  [MessageData]::new("No Azure AD Applications have access to Key Vault.") );
                }
        }
        catch
        {
             if ($_.Exception.GetType().FullName -eq "Microsoft.Azure.KeyVault.Models.KeyVaultErrorException")
             {
                $controlResult.AddMessage([MessageData]::new("Access denied: Read access is required on Key Vault Keys."));
             }
             else
             {
                 throw $_
             }    
        }
        return $controlResult;
    }

   
    hidden [ControlResult] CheckAppsSharingKayVault([ControlResult] $controlResult)
    {
        $appList = $this.GetAzureRmKeyVaultApplications() 
      
        $controlResult.SetStateData("Key Vault sharing app list", $appList);

        if( ($appList | Measure-Object ).Count -gt 1)
        {
            $controlResult.AddMessage([VerificationResult]::Verify,
                                        [MessageData]::new("Validate that Azure AD Applications requires access to Key Vault. Total:" + ($appList | Measure-Object ).Count , 
                                                            $appList)); 
        }
        elseif( ($appList | Measure-Object ).Count -eq 1)
        {
           $controlResult.AddMessage([VerificationResult]::Passed,
                                     "Only 1 Azure AD Application has access to Key Vault.", $appList); 
        } 
        else
        {
           $controlResult.AddMessage([VerificationResult]::Passed,
                                     "No Azure AD Applications have access to Key Vault."); 
        } 
      
        return $controlResult;
    }

    hidden [void] ProcessKeySecretExpiryDate([PSObject[]] $enabledResources, [ControlResult] $controlResult, [string] $resourceType, [bool] $isAccessDenied, [int] $rotationDurationDays)
    {
        if($enabledResources.Count -ne 0)
        {
            $utcNow = [DateTime]::UtcNow;
            $utcNow30 = $utcNow.AddDays(30);

            $withoutExpiry = @();
            $withoutExpiry += $enabledResources | Where-Object { $null -eq $_.Attributes.Expires };
            if($withoutExpiry.Count -gt 0)
            {
                # result = Failed
                $this.SetVerificationResultForExpiryDate($controlResult, [VerificationResult]::Failed, $isAccessDenied)
                $controlResult.AddMessage([MessageData]::new("Following $resourceType, including previous versions, does not have expiry date.", 
                                                        ($withoutExpiry | Select-Object -Property Name, Version -ExpandProperty Attributes) ));
            }

            $longActiveResources = @(); # VerificationResult = Failed
            $needToDisableResources = @(); # VerificationResult = Failed
            $needToRotateResources = @(); # VerificationResult = Verify

            $enabledResources | ForEach-Object {
                $expiryDate = $null

                if($null -ne $_.Attributes.Expires)
                {
                    $expiryDate = [DateTime] $_.Attributes.Expires
                }

                #check if expiry is future or null
                if(($null -eq $expiryDate) -or ($utcNow30 -le $expiryDate))
                {
                    $createdDate = [DateTime] $_.Attributes.Created

                    # check if resource is created/active for more than 180 days ago
                    if(($utcNow - $createdDate).TotalDays -ge $rotationDurationDays)
                    {
                        $longActiveResources += $_;
                        $this.SetVerificationResultForExpiryDate($controlResult, [VerificationResult]::Failed, $isAccessDenied);
                    }
                    else
                    {
                        $this.SetVerificationResultForExpiryDate($controlResult, [VerificationResult]::Passed, $isAccessDenied);
                    }
                }
                # resource already expired but still enabled
                elseif($expiryDate -lt $utcNow)
                {
                    $needToDisableResources += $_;
                    $this.SetVerificationResultForExpiryDate($controlResult, [VerificationResult]::Failed, $isAccessDenied);
                }
                # resource is about to expire within next 30 days
                elseif(($utcNow -le $expiryDate) -and ($expiryDate -le $utcNow30))
                {
                    $needToRotateResources += $_;
                    $this.SetVerificationResultForExpiryDate($controlResult, [VerificationResult]::Verify, $isAccessDenied);
                }
            };

            # Display summary messages
            if ($longActiveResources.Count -gt 0)
            {
                $controlResult.AddMessage([MessageData]::new("Following $resourceType, including previous versions, are more than $rotationDurationDays days old.", 
                                            ($longActiveResources | Select-Object -Property Name, Version -ExpandProperty Attributes ) ));
            }

            if ($needToDisableResources.Count -gt 0)
            {
                $controlResult.AddMessage([MessageData]::new("Following $resourceType, including previous versions, are expired but 'Enabled'.", 
                                            ($needToDisableResources | Select-Object -Property Name, Version -ExpandProperty Attributes ) ));
            }

            if ($needToRotateResources.Count -gt 0)
            {
                $controlResult.AddMessage([MessageData]::new("Following $resourceType, including previous versions, are about to expire within next 30 days. Please rotate the $resourceType.", 
                                            ($needToRotateResources | Select-Object -Property Name, Version -ExpandProperty Attributes ) ));
            }
        }
        else
        {
            $this.SetVerificationResultForExpiryDate($controlResult, [VerificationResult]::Passed, $isAccessDenied);
            $controlResult.AddMessage([MessageData]::new("No $resourceType (enabled) found in - ["+ $this.ResourceContext.ResourceName +"]"));
        }
    }

    hidden [void] SetVerificationResultForExpiryDate([ControlResult] $controlResult, [VerificationResult] $newResult, [bool] $isAccessDenied)
    {
        if($isAccessDenied)
        {
            $controlResult.VerificationResult = [VerificationResult]::Manual;
            return;
        }

        $stateMachine = @(
            [VerificationResult]::Manual,
            [VerificationResult]::Passed,
            [VerificationResult]::Verify,
            [VerificationResult]::Failed
        );

        $existingIndex = [array]::indexof($stateMachine, $controlResult.VerificationResult);
        $newIndex = [array]::indexof($stateMachine, $newResult);
        if($existingIndex -le $newIndex)
        {
            $controlResult.VerificationResult = $newResult;
        }
    }

    hidden [ControlResult] CheckKeyExpirationDate([ControlResult] $controlResult)
    {
        $isKeysCompliant = $True
        $isAccessDenied = $False

        $enabledKeys = $this.FetchAllEnabledKeysWithVersions($controlResult);
        if($null -ne $enabledKeys)
        {
            $this.ProcessKeySecretExpiryDate($enabledKeys, $controlResult, "Keys", $isAccessDenied, $this.ControlSettings.KeyVault.KeyRotationDuration_Days);
        }
        else
        {
            $isAccessDenied = $True
            $this.SetVerificationResultForExpiryDate($controlResult, [VerificationResult]::Manual, $isAccessDenied);
        }

        $enabledSecrets = $this.FetchAllEnabledSecretsWithVersions($controlResult);
        if($null -ne $enabledSecrets)
        {
            $this.ProcessKeySecretExpiryDate($enabledSecrets, $controlResult, "Secrets", $isAccessDenied, $this.ControlSettings.KeyVault.SecretRotationDuration_Days);
        }
        else
        {
            $isAccessDenied = $True
            $this.SetVerificationResultForExpiryDate($controlResult, [VerificationResult]::Manual, $isAccessDenied);
        }

        return $controlResult;
   }

    hidden [PSObject] GetAzureRmKeyVaultApplications ()  
     {
        $applicationList = @();
        $this.ResourceObject.AccessPolicies  | 
        ForEach-Object { 
            $svcPrincipal= Get-AzureRmADServicePrincipal -ObjectId $_.ObjectId
            if($svcPrincipal){
                $application = Get-AzureRmADApplication -ApplicationId $svcPrincipal.ApplicationId
                if($application){
                    $applicationList += $application
                }
            }
        }
        return $applicationList;
}
    hidden [ControlResult] CheckKeyVaultSoftDelete([ControlResult] $controlResult)
    {
        $isSoftDeleteEnable=$this.ResourceObject.EnableSoftDelete;
        if($isSoftDeleteEnable -eq $true){
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Soft delete is enabled for this Key Vault")); 
            }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("Soft delete is disabled for this Key Vault")); 
        }

        return $controlResult;
        
    }
}