az keyvault certificate create - validation too strict #35926

Closed
Splaxi opened this issue Jun 5, 2024 · 4 comments
Labels
Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. KeyVault question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention Workflow: This issue is responsible by Azure service team.

Comments


Splaxi commented Jun 5, 2024

Windows 11

PS C:\>az version 
{
  "azure-cli": "2.61.0",
  "azure-cli-core": "2.61.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {}
}

Describe the bug
Trying to create a new certificate, based on the input that I'm required from portal.azure.com or the Az.KeyVault PowerShell module. The validation is too strict in the following code:

if not (policy.san_emails or policy.san_user_principal_names or policy.san_dns_names or policy.subject):
    raise ValueError(NO_SAN_OR_SUBJECT)

To Reproduce
Policy - as json

{
    "policy": {
        "key_props": {
            "kty": "RSA",
            "key_size": 2048,
            "reuse_key": false
        },
        "secret_props": {
            "contentType": "application/x-pkcs12"
        },
        "x509_props": {
            "subject": "CN=testing.contoso.com",
            "validity_months": 12
        },
        "issuer": {
            "name": "Unknown"
        },
        "attributes": {
            "enabled": true
        }
    }
}

Az Cli command executed, in PowerShell 7+

az keyvault certificate create --vault-name this-is-keyvault --name this-is-a-cert --policy $policyJson

I'm confident that I have handled the quotation issues within powershell, as I'm able to post the above policy directly via:

az rest --resource https://vault.azure.net --method post --uri https://this-is-keyvault.vault.azure.net/certificates/this-is-a-cert/create?api-version=7.4 --body $policyJson

The error code / message posted:
You need to set either subject or one of the subject alternative names parameters in the policy

Expected behavior
I'm expecting it to create a valid, pending, certificate. Just like it would via the portal.azure.com, Az.KeyVault PowerShell module or the Azure REST API for KeyVault / Certificates

Screenshots
[screenshot attached in the original issue]

Additional context

@github-actions github-actions bot added Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. KeyVault needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention Workflow: This issue is responsible by Azure service team. labels Jun 5, 2024

github-actions bot commented Jun 5, 2024

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @jlichwa @RandalliLama @schaabs.


mccoyp commented Jun 18, 2024

Hi @Splaxi -- thank you for opening an issue, and I apologize for the delayed response. I was able to reproduce your issue today and did some digging for the cause. Given that your example policy includes a subject, the error message made me think that the CLI may not be processing the policy as intended.

I found the build_certificate_policy method in the CLI's source code, which is where the policy parameter seems to actually be processed. I noticed that the anticipated format was a little different from your JSON; key_properties was expected instead of key_props, validity_in_months instead of validity_months, etc. I ended up setting the following $policyJson based on the CLI's expectations:

{
  "key_properties": {
    "key_type": "RSA",
    "key_size": 2048,
    "reuse_key": false
  },
  "secret_properties": {
    "content_type": "application/x-pkcs12"
  },
  "x509_certificate_properties": {
    "subject": "CN=testing.contoso.com",
    "validity_in_months": 12
  },
  "issuer_parameters": {
    "name": "Unknown"
  },
  "attributes": {
    "enabled": true
  }
}

With this $policyJson, the same az keyvault certificate create command now worked -- it seems that the issue was coming from the format.

I found an old issue about the unclear guidance on certificate policy formatting: Azure/azure-cli#9423. The az keyvault certificate get-default-policy --scaffold command does give a helpful guide for policy formatting -- the policy scaffold uses camelCase instead of snake_case, and I found that replacing the parameter casing of the policyJson above also works with the az keyvault certificate create command.

cc @evelyn-ys to forward CLI feedback.
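Added example (not from the issue or from the CLI's source): a small Python converter that maps the REST-style policy the reporter posted onto the key names mccoyp found the CLI expects, plus a re-creation of the quoted subject/SAN check that shows why the original JSON tripped it. The key renames are read off the two JSON documents above and the camelCase handling follows the scaffold remark; the nested subject_alternative_names/emails/upns/dns_names layout is an assumption.

```python
import re

# Constructed sample: the policy as posted in the issue (REST key names inside "policy").
REST_POLICY = {
    "policy": {
        "key_props": {"kty": "RSA", "key_size": 2048, "reuse_key": False},
        "secret_props": {"contentType": "application/x-pkcs12"},
        "x509_props": {"subject": "CN=testing.contoso.com", "validity_months": 12},
        "issuer": {"name": "Unknown"},
        "attributes": {"enabled": True},
    }
}
# REST name -> CLI name, read off the two JSON documents in the thread.
KEY_RENAMES = {
    "key_props": "key_properties", "kty": "key_type",
    "secret_props": "secret_properties", "contentType": "content_type",
    "x509_props": "x509_certificate_properties",
    "validity_months": "validity_in_months", "issuer": "issuer_parameters",
}
NO_SAN_OR_SUBJECT = ("You need to set either subject or one of the subject "
                     "alternative names parameters in the policy")

def _snake(name):
    """camelCase -> snake_case, so scaffold-style (camelCase) keys normalise too."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()

def to_cli_policy(doc):
    """Drop the outer "policy" wrapper and rename keys recursively."""
    out = {}
    for key, value in doc.get("policy", doc).items():
        if isinstance(value, dict):
            value = to_cli_policy(value)
        out[_snake(KEY_RENAMES.get(key, key))] = value
    return out

def validate_subject_or_san(policy):
    """Re-creation of the CLI check quoted in the issue: subject and SANs are read
    from x509_certificate_properties only, so a policy still using the REST name
    x509_props fails even though it carries a subject (SAN layout is assumed)."""
    x509 = policy.get("x509_certificate_properties") or {}
    sans = x509.get("subject_alternative_names") or {}
    has_san = any(sans.get(k) for k in ("emails", "upns", "dns_names"))
    if not (has_san or x509.get("subject")):
        raise ValueError(NO_SAN_OR_SUBJECT)

def accepted(policy):
    """True when the check passes, False when the CLI would print the error."""
    try:
        validate_subject_or_san(policy)
        return True
    except ValueError:
        return False
```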

@mccoyp mccoyp added issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. and removed needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Jun 18, 2024

Hi @Splaxi. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.


Hi @Splaxi, since you haven’t asked that we /unresolve the issue, we’ll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.

@github-project-automation github-project-automation bot moved this from Todo to Untriaged in Azure SDK for Key Vault Jun 25, 2024
@github-actions github-actions bot locked and limited conversation to collaborators Sep 23, 2024