[keyvault-certificates] Fix begin_create_certificate validator to accept san_ip_addresses and san_uris#46380
Merged
kashifkhan merged 23 commits intoApr 29, 2026
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes Key Vault Certificates client-side policy validation so SAN-only policies using IP addresses and/or URIs are accepted, and adds coverage + recordings to prevent regressions.
Changes:
- Update sync/async certificate creation validators to treat
san_ip_addressesandsan_urisas satisfying the “SAN or subject required” rule. - Add unit assertions and new live tests (sync + async) validating IP/URI-only SAN policies; refresh test recordings/assets tag.
- Adjust live-test credential environment-variable handling to avoid empty-string
AZURE_*values interfering withDefaultAzureCredential.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/_client.py | Expands validator to include san_ip_addresses and san_uris. |
| sdk/keyvault/azure-keyvault-certificates/azure/keyvault/certificates/aio/_client.py | Same validator expansion for async create_certificate. |
| sdk/keyvault/azure-keyvault-certificates/tests/test_certificates_client.py | Adds sync live test + extends validator-behavior assertions. |
| sdk/keyvault/azure-keyvault-certificates/tests/test_certificates_client_async.py | Adds async live test + extends validator-behavior assertions. |
| sdk/keyvault/azure-keyvault-certificates/tests/_test_case.py | Avoids setting empty-string AZURE_* env vars during live tests. |
| sdk/keyvault/azure-keyvault-certificates/tests/_async_test_case.py | Same env-var adjustment for async tests. |
| sdk/keyvault/azure-keyvault-certificates/CHANGELOG.md | Documents the fix in 4.11.1 section. |
| sdk/keyvault/azure-keyvault-certificates/assets.json | Updates assets tag for new recordings. |
| sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_models.py | Changes KeyProperties.tags typing to Optional[Dict[str, str]] (appears unrelated to this PR’s stated scope). |
laiapat
approved these changes
Apr 17, 2026
… san_uris - Extended the policy validator in both the sync and async CertificateClient to also accept policies that specify only san_ip_addresses or san_uris, which are valid SAN types but were previously treated as missing subject information - Added test_create_certificate_with_san_ip_and_uris (sync + async) with live recordings to verify IP-only and URI-only SAN policies succeed end-to-end - Extended test_policy_expected_errors_for_create_cert to assert that IP-only and URI-only policies no longer raise ValueError - Fixed _test_case.py and _async_test_case.py to avoid setting AZURE_CLIENT_ID/ AZURE_CLIENT_SECRET to empty strings, which newer azure-identity treats as an attempt to use ClientSecretCredential and raises ValueError
rohitsinghal4u
force-pushed
the
fix/keyvault-certificates-san-ip-uri-validator
branch
from
8e9343f to
db3c5f8
Compare
…s://github.com/Azure/azure-sdk-for-python into fix/keyvault-certificates-san-ip-uri-validator
rohitsinghal4u
force-pushed
the
fix/keyvault-certificates-san-ip-uri-validator
branch
from
c93a4b8 to
8ab52ed
Compare
…y_expected_errors_for_create_cert Use except (HttpResponseError, ServiceRequestError) instead of bare except Exception to avoid silently swallowing unexpected errors (AttributeError, TypeError, etc.) that could indicate a regression in the validator or call signature. Also add HttpResponseError and ServiceRequestError to azure.core.exceptions imports.
melissamserv
approved these changes
Apr 23, 2026
Contributor
Author
|
/check-enforcer override |
Contributor
Author
|
/check-enforcer override |
Contributor
Author
|
/check-enforcer override |
Member
|
/check-enforcer override |
Member
|
/azp run python - pullrequest |
|
Azure Pipelines successfully started running 1 pipeline(s). |
laiapat
approved these changes
Apr 29, 2026
Contributor
Author
|
/check-enforcer override |
Contributor
Author
|
Hi @kashifkhan, the code is all merged and the CHANGELOG is set to \4.11.1 (2026-04-29). Could you please trigger the release pipeline to publish this to PyPI? Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes a bug where
CertificateClient.begin_create_certificate(and its async counterpartcreate_certificate) incorrectly raisedValueErrorwhen aCertificatePolicywas created with onlysan_ip_addressesorsan_uris(with nosubject,san_dns_names,san_emails, orsan_user_principal_names).IP addresses and URIs are valid Subject Alternative Name (SAN) types and should be accepted by the client's policy validator.
Root Cause
The validator in both
_client.pyandaio/_client.pychecked:san_ip_addressesandsan_uriswere missing from this condition.Changes
azure/keyvault/certificates/_client.py— addedsan_ip_addressesandsan_uristo the validator condition inbegin_create_certificateazure/keyvault/certificates/aio/_client.py— same fix for the async client'screate_certificateCHANGELOG.md— added 4.11.1 (Unreleased) section documenting the fixtests/test_certificates_client.py— extendedtest_policy_expected_errors_for_create_certto assert IP/URI-only policies no longer raise; addedtest_create_certificate_with_san_ip_and_urislive test (recorded)tests/test_certificates_client_async.py— same test additions for the async clienttests/_test_case.pyandtests/_async_test_case.py— fixed a secondary issue where empty-string values forAZURE_CLIENT_ID/AZURE_CLIENT_SECRETwere set into the environment, causing newer versions ofazure-identity'sEnvironmentCredential(which checksis not Nonerather than truthiness) to attempt and failClientSecretCredentialconstruction during developer auth. Now empty-string KEYVAULT_* vars cause the corresponding AZURE_* vars to be removed from the env, allowingDefaultAzureCredentialto fall through toAzureCliCredential.assets.json— updated tag topython/keyvault/azure-keyvault-certificates_a5c5c34814(new recordings pushed)Testing
https://kv-sdk-test-5903.vault.azure.net/test_policy_expected_errors_for_create_cert(sync + async) updated and verified