[Key Vault] Add local-only mode to CryptographyClient

[mccoyp]

Resolves #16619.

Aligns Python's CryptographyClient with other languages, in providing a local-only mode by means of a factory method.

[chlowell]

We expect no request, so I would use a mock transport that raises when the client tries to send e.g.

mock.Mock(send=mock.Mock(side_effect=Exception("client shouldn't send a request"))

[chlowell]

(That is, if it would be a bug for the client to send a request in local-only mode.)

[mccoyp]

This is one that I've made a note of to revisit -- I'm not too familiar with Mock and wasn't able to randomly turn enough dials to get a better understanding. I figure that asserting that the underlying client doesn't call get_key is sufficient for the time being

[chlowell]

Everything we need for local crypto is in the JWK. Do we really need to jam that into KeyVaultKey?

[mccoyp]

All the local crypto providers and operations assume that they're working with a KeyVaultKey, so we'd have to do so unless we refactor them to accept a JsonWebKey (unless I'm mistaken)

[mccoyp]

I don't think it's unreasonable by any means to make local providers accept JWKs, but it seems like a design question of whether we do that (and preserve the current definition of a KeyVaultKey) or make a smaller tweak to accept KeyVaultKeys intended for local-only use

[chlowell]

Right, that's what I'm getting at. Their expectation of KeyVaultKey appears to be driving additional complexity here but that expectation isn't a requirement. Actually they only need the JWK. If they took that up front, maybe it wouldn't be necessary to complicate KeyVaultKey?

[chlowell]

This will be either a valid Key Vault identifier or whatever the user gave us:

Suggested change

	return self._key_id
	return self._key.get("kid")

Does that remove the need to ask a caller to give us _key_id separately?

[mccoyp]

My thinking here is that a KeyVaultKey provided to CryptographyClient could have a valid Key Vault identifier for its id, but that the JsonWebKey could have a different kid. I assumed it made more sense to return the Key Vault identifier in the operation result if possible, which is why I added the _key_id keyword argument

[chlowell]

That would happen only when someone does KeyVaultKey(key_id, jwk=jwk) with key_id != jwk["kid"]. Granted, that is possible, but seems unlikely and given KeyVaultKey's docs ask for a Key Vault identifier for key_id, it seems reasonable not to special case it. My $0.02 🤑

[chlowell]

That would happen only when someone does KeyVaultKey(key_id, jwk=jwk) with key_id != jwk["kid"]. Granted, that is possible, but seems unlikely and given KeyVaultKey's docs ask for a Key Vault identifier for key_id, it seems reasonable not to special case it. My $0.02 🤑

[chlowell]

It's also possible to test private operations locally, using an imported key for public operations (the neighboring keys.py has suitable keys). Doesn't need to be in this PR but it's a test gap to fill before the next stable release. Also, need to cover EC keys as well.

[chlowell]

Do you know why we've stopped replacing the vault name?

[mccoyp]

Vault names aren't being replaced in responses with the PowerShellPreparer -- this is another item on my list of things to investigate 🕵️‍♀️