[Az.KeyVault] Included policy while importing Certificate to a KeyVault

src/KeyVault/KeyVault.Test/PesterTests/Certificate.Tests.ps1

@@ -0,0 +1,35 @@
+BeforeAll {
+    $vaultName = 'nori-kv765'
+    . "..\Scripts\Common.ps1"
+}
+
+Describe "Import Certificate with policy" {
+    It "ImportCertificateFromFileParameterSet" {
+        $certName = Get-CertificateName
+        $certFilePath = "..\Resources\importCert00.pfx"
+        $policyPath = "..\Resources\certPolicy.json"
+
+        $cert = Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -FilePath $certFilePath -PolicyPath $policyPath
+        $cert.Policy.SecretContentType | Should -Be "application/x-pkcs12"
+    }
+    It "ImportWithPrivateKeyFromStringParameterSet" {
+        $certName = Get-CertificateName
+        $certFilePath = "..\Resources\importCert00.pfx"
+        $policyPath = "..\Resources\certPolicy.json"
+        $Base64StringCertificate = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes($certFilePath))
+
+        $cert = Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificateString $Base64StringCertificate -PolicyPath $policyPath
+        $cert.Policy.SecretContentType | Should -Be "application/x-pkcs12"
+    }
+    It "ImportWithPrivateKeyFromCollectionParameterSet" {
+        $certName = Get-CertificateName
+        $certFilePath = "..\Resources\importCert00.pfx"
+        $policyPath = "..\Resources\certPolicy.json"
+        $certCollection = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
+        $certCollection.Import($certFilePath, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
+
+        $cert = Import-AzKeyVaultCertificate -VaultName $vaultName -Name $certName -CertificateCollection $certCollection -PolicyPath $policyPath
+        $cert.Policy.SecretContentType | Should -Be "application/x-pkcs12"
+    }
+}
+

src/KeyVault/KeyVault.Test/Resources/certPolicy.json

@@ -0,0 +1,40 @@
+{
+  "id": "https://myvault.vault.azure.net/certificates/updateCert01/policy",
+  "key_props": {
+  "exportable": true,
+  "kty": "RSA",
+  "key_size": 2048,
+  "reuse_key": false
+  },
+
+  "secret_props": {
+  "contentType": "application/x-pkcs12"
+  },
+
+  "x509_props": {
+    "subject": "CN=KeyVaultTest",
+    "ekus": [],
+    "key_usage": [],
+    "validity_months": 297
+  },
+
+  "lifetime_actions": [
+    {
+      "trigger": {
+      "lifetime_percentage": 80
+      },
+      "action": {
+      "action_type": "EmailContacts"
+      }
+    }
+  ],
+
+  "issuer": {
+    "name": "Unknown"
+  },
+  "attributes": {
+    "enabled": true,
+    "created": 1482188947,
+    "updated": 1482188947
+  }
+}

src/KeyVault/KeyVault/ChangeLog.md

@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Added parameter `PolicyPath` in `Import-AzKeyVaultCertificate` to support custom policy [#20780]
 
 ## Version 4.9.2
 * Updated Azure.Core to 1.28.0.

src/KeyVault/KeyVault/Commands/Certificate/ImportAzureKeyVaultCertificate.cs

@@ -27,6 +27,9 @@
 using Microsoft.Azure.Commands.Common.Exceptions;
 using Microsoft.Azure.Commands.KeyVault.Properties;
 
+using Newtonsoft.Json;
+using System.Text.Json;
+
 namespace Microsoft.Azure.Commands.KeyVault
 {
     /// <summary>
@@ -106,8 +109,25 @@ public class ImportAzureKeyVaultCertificate : KeyVaultCmdletBase
         [Parameter(Mandatory = false,
                     ParameterSetName = ImportWithPrivateKeyFromStringParameterSet,
                     HelpMessage = "Specifies the password for the certificate and private key base64 encoded string to import.")]
+        [Parameter(Mandatory = false,
+                    ParameterSetName = ImportWithPrivateKeyFromCollectionParameterSet,
+                    HelpMessage = "Specifies the password for the certificate collection and private key to import.")]
         public SecureString Password { get; set; }
 
+        /// <summary>
+        /// File Path
+        /// </summary>
+        [Parameter(Mandatory = false,
+                   ParameterSetName = ImportCertificateFromFileParameterSet,
+                   HelpMessage = "Specifies the path to the file that contains the certificate policy to import to key vault.")]
+        [Parameter(Mandatory = false,
+                    ParameterSetName = ImportWithPrivateKeyFromStringParameterSet,
+                    HelpMessage = "Specifies the path to the file that contains the certificate policy to import to key vault.")]
+        [Parameter(Mandatory = false,
+                    ParameterSetName = ImportWithPrivateKeyFromCollectionParameterSet,
+                    HelpMessage = "Specifies the path to the file that contains the certificate policy to import to key vault.")]
+        public string PolicyPath { get; set; }
+
         /// <summary>
         /// Certificate Collection
         /// </summary>
@@ -153,16 +173,22 @@ public override void ExecuteCmdlet()
                 ValidateParameters();
 
                 PSKeyVaultCertificate certBundle = null;
+                PSKeyVaultCertificatePolicy policy = null;
+                if (!string.IsNullOrEmpty(PolicyPath))
+                {
+                    policy = PSKeyVaultCertificatePolicy.FromJsonFile(PolicyPath);
+                }
 
                 switch (ParameterSetName)
                 {
                     case ImportCertificateFromFileParameterSet:
+
                         // Pem file can't be handled by X509Certificate2Collection in dotnet standard
                         // Just read it as raw data and pass it to service side
                         if (IsPemFile(FilePath))
                         {
                             byte[] pemBytes = File.ReadAllBytes(FilePath);
-                            certBundle = this.Track2DataClient.ImportCertificate(VaultName, Name, pemBytes, Password, Tag?.ConvertToDictionary(), Constants.PemContentType);
+                            certBundle = this.Track2DataClient.ImportCertificate(VaultName, Name, pemBytes, Password, Tag?.ConvertToDictionary(), Constants.PemContentType, certPolicy: policy);
                         }
                         else
                         {
@@ -179,8 +205,9 @@ public override void ExecuteCmdlet()
 
                             if (doImport)
                             {
+
                                 byte[] base64Bytes = userProvidedCertColl.Export(X509ContentType.Pfx, Password?.ConvertToString());
-                                certBundle = this.Track2DataClient.ImportCertificate(VaultName, Name, base64Bytes, Password, Tag?.ConvertToDictionary());
+                                certBundle = this.Track2DataClient.ImportCertificate(VaultName, Name, base64Bytes, Password, Tag?.ConvertToDictionary(), certPolicy:policy);
                             }
                             else
                             {
@@ -194,12 +221,12 @@ public override void ExecuteCmdlet()
                         break;
 
                     case ImportWithPrivateKeyFromCollectionParameterSet:
-                        certBundle = this.DataServiceClient.ImportCertificate(VaultName, Name, CertificateCollection, Tag?.ConvertToDictionary());
+                        certBundle = this.Track2DataClient.ImportCertificate(VaultName, Name, CertificateCollection, Password, Tag?.ConvertToDictionary(), certPolicy: policy);
 
                         break;
 
                     case ImportWithPrivateKeyFromStringParameterSet:
-                        certBundle = this.Track2DataClient.ImportCertificate(VaultName, Name, CertificateString, Password, Tag?.ConvertToDictionary(), ContentType);
+                        certBundle = this.Track2DataClient.ImportCertificate(VaultName, Name, CertificateString, Password, Tag?.ConvertToDictionary(), ContentType, certPolicy: policy);
 
                         break;
                 }

src/KeyVault/KeyVault/Models/IKeyVaultDataServiceClient.cs

@@ -164,11 +164,11 @@ public interface IKeyVaultDataServiceClient
 
         PSKeyVaultCertificate MergeCertificate(string vaultName, string certName, byte[] certBytes, Dictionary<string, string> tags);
 
-        PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, byte[] certificate, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType);
+        PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, byte[] certificate, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType, PSKeyVaultCertificatePolicy certPolicy = null);
 
-        PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, string base64CertString, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType);
+        PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, string base64CertString, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType, PSKeyVaultCertificatePolicy certPolicy = null);
 
-        PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, X509Certificate2Collection certificateCollection, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType);
+        PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, X509Certificate2Collection certificateCollection, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType, PSKeyVaultCertificatePolicy certPolicy = null);
 
         PSDeletedKeyVaultCertificate DeleteCertificate(string vaultName, string certName);
 

src/KeyVault/KeyVault/Models/KeyVaultDataServiceClient.cs

@@ -817,12 +817,12 @@ public PSKeyVaultCertificate MergeCertificate(string vaultName, string certName,
 
         }
 
-        public PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, byte[] certificate, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType)
+        public PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, byte[] certificate, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType, PSKeyVaultCertificatePolicy certPolicyPath = null)
         {
             return ImportCertificate(vaultName, certName, Convert.ToBase64String(certificate), certPassword, tags, contentType);
         }
 
-        public PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, string base64CertColl, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType)
+        public PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, string base64CertColl, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType, PSKeyVaultCertificatePolicy certPolicyPath = null)
         {
             if (string.IsNullOrEmpty(vaultName))
                 throw new ArgumentNullException(nameof(vaultName));
@@ -855,7 +855,7 @@ public PSKeyVaultCertificate ImportCertificate(string vaultName, string certName
             return new PSKeyVaultCertificate(certBundle);
         }
 
-        public PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, X509Certificate2Collection certificateCollection, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType)
+        public PSKeyVaultCertificate ImportCertificate(string vaultName, string certName, X509Certificate2Collection certificateCollection, SecureString certPassword, IDictionary<string, string> tags, string contentType = Constants.Pkcs12ContentType, PSKeyVaultCertificatePolicy certPolicy = null)
         {
             if (string.IsNullOrEmpty(vaultName))
                 throw new ArgumentNullException(nameof(vaultName));

src/KeyVault/KeyVault/Models/PSKeyVaultCertificate.cs

@@ -30,6 +30,7 @@ public class PSKeyVaultCertificate : PSKeyVaultCertificateIdentityItem
         public string SecretId { get; internal set; }
         public string Thumbprint { get; set; }
 
+        public PSKeyVaultCertificatePolicy Policy { get; set; }
         public string RecoveryLevel { get; private set; }
 
         internal PSKeyVaultCertificate(CertificateBundle certificateBundle, VaultUriHelper vaultUriHelper)
@@ -156,6 +157,7 @@ internal PSKeyVaultCertificate(KeyVaultCertificateWithPolicy keyVaultCertificate
 
             KeyId = keyVaultCertificate.KeyId?.ToString();
             SecretId = keyVaultCertificate.SecretId?.ToString();
+            Policy = PSKeyVaultCertificatePolicy.FromTrack2CertificatePolicy(keyVaultCertificate.Policy);
 
             if (keyVaultCertificate.Properties != null)
             {