[Keyvault] Fix #27220: az keyvault certificate import: Fix invalid policy issue when no content_type provided (#27225)

Author: evelyn-ys

src/azure-cli/azure/cli/command_modules/keyvault/_validators.py

@@ -801,6 +801,16 @@ def process_certificate_policy(cmd, ns):
     if secret_properties:
         content_type = secret_properties.get('content_type')
 
+    if not content_type and hasattr(ns, 'certificate_bytes') and ns.certificate_bytes:
+        from OpenSSL import crypto
+        try:
+            crypto.load_certificate(crypto.FILETYPE_PEM, ns.certificate_bytes)
+            # if we get here, we know it was a PEM file
+            content_type = 'application/x-pem-file'
+        except (ValueError, crypto.Error):
+            # else it should be a pfx file
+            content_type = 'application/x-pkcs12'
+
     x509_certificate_properties = policy.get('x509_certificate_properties')
     if x509_certificate_properties:
         subject = x509_certificate_properties.get('subject')

src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/policy3.json

@@ -1 +1 @@
-{"attributes": {"created": "2023-05-25T06:10:06+00:00", "enabled": true, "expires": null, "notBefore": null, "recoveryLevel": null, "updated": "2023-05-25T06:10:06+00:00"}, "id": "https://cli-test-kv-ct-pispzvs2c.vault.azure.net/certificates/cert2/policy", "issuerParameters": {"certificateTransparency": null, "certificateType": null, "name": "Self"}, "keyProperties": {"curve": null, "exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": false}, "lifetimeActions": [{"action": {"actionType": "AutoRenew"}, "trigger": {"daysBeforeExpiry": null, "lifetimePercentage": 90}}], "secretProperties": {"contentType": "application/x-pkcs12"}, "x509CertificateProperties": {"ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], "keyUsage": ["digitalSignature", "keyAgreement", "keyCertSign", "keyEncipherment", "nonRepudiation"], "subject": "C=US, ST=WA, L=Redmon, O=Test Noodle, OU=TestNugget, CN=www.mytestdomain.com", "subjectAlternativeNames": {"dnsNames": ["1", "2"], "emails": null, "upns": null}, "validityInMonths": 60}}
+{"attributes": {"created": "2023-08-22T08:12:21+00:00", "enabled": true, "expires": null, "notBefore": null, "recoveryLevel": null, "updated": "2023-08-22T08:12:21+00:00"}, "id": "https://cli-test-kv-ct-4to5cl4dt.vault.azure.net/certificates/cert2/policy", "issuerParameters": {"certificateTransparency": null, "certificateType": null, "name": "Self"}, "keyProperties": {"curve": null, "exportable": true, "keySize": 2048, "keyType": "RSA", "reuseKey": false}, "lifetimeActions": [{"action": {"actionType": "AutoRenew"}, "trigger": {"daysBeforeExpiry": null, "lifetimePercentage": 90}}], "secretProperties": {"contentType": "application/x-pkcs12"}, "x509CertificateProperties": {"ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"], "keyUsage": ["digitalSignature", "keyAgreement", "keyCertSign", "keyEncipherment", "nonRepudiation"], "subject": "C=US, ST=WA, L=Redmon, O=Test Noodle, OU=TestNugget, CN=www.mytestdomain.com", "subjectAlternativeNames": {"dnsNames": ["1", "2"], "emails": null, "upns": null}, "validityInMonths": 60}}

src/azure-cli/azure/cli/command_modules/keyvault/tests/latest/policy4.json

@@ -0,0 +1,17 @@
+{
+  "issuerParameters": {
+    "name": "Self"
+  },
+  "keyProperties": {
+    "keySize": 2048,
+    "keyType": "RSA",
+    "reuseKey": false
+  },
+  "lifetimeActions": [
+    {
+      "action": {"actionType": "AutoRenew"},
+      "trigger": {"daysBeforeExpiry": null, "lifetimePercentage": 90}
+    }
+  ],
+  "validityInMonths": 60
+}