// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
using AzureMcp.Core.Commands;
using AzureMcp.Core.Commands.Subscription;
using AzureMcp.KeyVault.Options;
using AzureMcp.KeyVault.Options.Certificate;
using AzureMcp.KeyVault.Services;
using Microsoft.Extensions.Logging;
namespace AzureMcp.KeyVault.Commands.Certificate;
public sealed class CertificateImportCommand(ILogger<CertificateImportCommand> logger) : SubscriptionCommand<CertificateImportOptions>
{
private const string CommandTitle = "Import Key Vault Certificate";
private readonly ILogger<CertificateImportCommand> _logger = logger;
private readonly Option<string> _vaultOption = KeyVaultOptionDefinitions.VaultName;
private readonly Option<string> _certificateOption = KeyVaultOptionDefinitions.CertificateName;
private readonly Option<string> _certificateDataOption = KeyVaultOptionDefinitions.CertificateData;
private readonly Option<string> _passwordOption = KeyVaultOptionDefinitions.CertificatePassword;
public override string Name => "import";
public override string Title => CommandTitle;
public override ToolMetadata Metadata => new() { Destructive = true, ReadOnly = false };
public override string Description =>
"""
Imports (uploads) an existing certificate (PFX or PEM with private key) into an Azure Key Vault without generating
a new certificate or key material. This command accepts either a file path to a PFX/PEM file, a base64 encoded PFX,
or raw PEM text starting with -----BEGIN. If the certificate is a password-protected PFX, a password must be provided.
Returns certificate details including name, id, keyId, secretId, cer (base64), thumbprint, validity, and policy
subject/issuer.
""";
protected override void RegisterOptions(Command command)
{
base.RegisterOptions(command);
command.AddOption(_vaultOption);
command.AddOption(_certificateOption);
command.AddOption(_certificateDataOption);
command.AddOption(_passwordOption);
}
protected override CertificateImportOptions BindOptions(ParseResult parseResult)
{
var options = base.BindOptions(parseResult);
options.VaultName = parseResult.GetValueForOption(_vaultOption);
options.CertificateName = parseResult.GetValueForOption(_certificateOption);
options.CertificateData = parseResult.GetValueForOption(_certificateDataOption);
options.Password = parseResult.GetValueForOption(_passwordOption);
return options;
}
public override async Task<CommandResponse> ExecuteAsync(CommandContext context, ParseResult parseResult)
{
var options = BindOptions(parseResult);
try
{
if (!Validate(parseResult.CommandResult, context.Response).IsValid)
{
return context.Response;
}
var keyVaultService = context.GetService<IKeyVaultService>();
var certificate = await keyVaultService.ImportCertificate(
options.VaultName!,
options.CertificateName!,
options.CertificateData!,
options.Password,
options.Subscription!,
options.Tenant,
options.RetryPolicy);
context.Response.Results = ResponseResult.Create(
new CertificateImportCommandResult(
certificate.Name,
certificate.Id,
certificate.KeyId,
certificate.SecretId,
Convert.ToBase64String(certificate.Cer),
certificate.Properties.X509ThumbprintString,
certificate.Properties.Enabled,
certificate.Properties.NotBefore,
certificate.Properties.ExpiresOn,
certificate.Properties.CreatedOn,
certificate.Properties.UpdatedOn,
certificate.Policy.Subject,
certificate.Policy.IssuerName),
KeyVaultJsonContext.Default.CertificateImportCommandResult);
}
catch (Exception ex)
{
_logger.LogError(ex, "Error importing certificate {CertificateName} into vault {VaultName}", options.CertificateName, options.VaultName);
HandleException(context, ex);
}
return context.Response;
}
internal record CertificateImportCommandResult(string Name, Uri Id, Uri KeyId, Uri SecretId, string Cer, string Thumbprint, bool? Enabled, DateTimeOffset? NotBefore, DateTimeOffset? ExpiresOn, DateTimeOffset? CreatedOn, DateTimeOffset? UpdatedOn, string Subject, string IssuerName);
}
