def Args(parser):
key_spec_group = parser.add_group(
mutex=True,
help='The key configuration used for the CA certificate. Defaults to a '
'managed key if not specified.')
x509_config_group = parser.add_group(
mutex=True,
required=False,
help='The X.509 configuration used for the CA certificate.')
concept_parsers.ConceptParser([
presentation_specs.ResourcePresentationSpec(
'CERTIFICATE_AUTHORITY',
resource_args.CreateCertAuthorityResourceSpec(
'Certificate Authority'),
'The name of the root CA to create.',
required=True),
presentation_specs.ResourcePresentationSpec(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'An existing KMS key version to back this CA.',
group=key_spec_group),
presentation_specs.ResourcePresentationSpec(
'--from-ca',
resource_args.CreateCertAuthorityResourceSpec(
'source CA',
location_fallthroughs=[
deps.ArgFallthrough('--location'),
resource_args.LOCATION_PROPERTY_FALLTHROUGH
],
pool_id_fallthroughs=[deps.ArgFallthrough('--pool')]),
'An existing CA from which to copy configuration values for the new CA. '
'You can still override any of those values by explicitly providing '
'the appropriate flags. The specified existing CA must be part of '
'the same pool as the one being created.',
flag_name_overrides={
'project': '',
'location': '',
'pool': '',
},
prefixes=True)
]).AddToParser(parser)
flags_v1.AddSubjectFlags(parser, subject_required=False)
flags_v1.AddKeyAlgorithmFlag(
key_spec_group, default='rsa-pkcs1-4096-sha256')
flags_v1.AddValidityFlag(
parser,
resource_name='CA',
default_value='P10Y',
default_value_text='10 years')
labels_util.AddCreateLabelsFlags(parser)
flags_v1.AddBucketFlag(parser)
flags_v1.AddUsePresetProfilesFlag(x509_config_group)
# If max_chain_len is unspecified, no max length will be provided to the
# server on create, this allowing any number of subordinates.
flags_v1.AddInlineX509ParametersFlags(
x509_config_group, is_ca_command=True, default_max_chain_length=None)
flags_v1.AddAutoEnableFlag(parser)
def testParseKeySpecUsesDefaultKeyAlgorithmIfNotSpecified(self):
concept_parsers.ConceptParser.ForResource(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'KMS key version.').AddToParser(self.parser)
flags.AddKeyAlgorithmFlag(self.parser, default='rsa-pkcs1-3072-sha256')
args = self.parser.parse_args([])
key_spec = flags.ParseKeySpec(args)
self.assertIsNone(key_spec.cloudKmsKeyVersion)
self.assertEqual(
key_spec.algorithm, self.messages.KeyVersionSpec.
AlgorithmValueValuesEnum.RSA_PKCS1_3072_SHA256)
def testParseKeySpecWithKeyVersion(self):
concept_parsers.ConceptParser.ForResource(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'KMS key version.').AddToParser(self.parser)
flags.AddKeyAlgorithmFlag(self.parser)
key_version_resource = 'projects/foo/locations/bar/keyRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1'
args = self.parser.parse_args(
['--kms-key-version', key_version_resource])
key_spec = flags.ParseKeySpec(args)
self.assertIsNone(key_spec.algorithm)
self.assertEqual(key_spec.cloudKmsKeyVersion, key_version_resource)
def testParseKeySpecWithKeyAlgorithm(self):
concept_parsers.ConceptParser.ForResource(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'KMS key version.').AddToParser(self.parser)
flags.AddKeyAlgorithmFlag(self.parser)
args = self.parser.parse_args(['--key-algorithm=ec-p384-sha384'])
key_spec = flags.ParseKeySpec(args)
self.assertIsNone(key_spec.cloudKmsKeyVersion)
self.assertEqual(
key_spec.algorithm, self.messages.KeyVersionSpec.
AlgorithmValueValuesEnum.EC_P384_SHA384)
def Args(parser):
key_spec_group = parser.add_group(
mutex=True,
help=
'The key configuration used for the CA certificate. Defaults to a '
'managed key if not specified.')
reusable_config_group = parser.add_group(
mutex=True,
required=False,
help='The X.509 configuration used for the CA certificate.')
issuer_configuration_group = parser.add_group(
mutex=True,
required=True,
help='The issuer configuration used for this CA certificate.')
concept_parsers.ConceptParser([
presentation_specs.ResourcePresentationSpec(
'CERTIFICATE_AUTHORITY',
resource_args.CreateCertificateAuthorityResourceSpec(
'Certificate Authority'),
'The name of the subordinate CA to create.',
required=True),
presentation_specs.ResourcePresentationSpec(
'--issuer',
resource_args.CreateCertificateAuthorityResourceSpec('Issuer'),
'The issuing certificate authority to use, if it is on Private CA.',
prefixes=True,
group=issuer_configuration_group),
presentation_specs.ResourcePresentationSpec(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'The KMS key version backing this CA.',
group=key_spec_group),
presentation_specs.ResourcePresentationSpec(
'--reusable-config',
resource_args.
CreateReusableConfigResourceSpec(location_fallthroughs=[
deps.Fallthrough(
function=lambda: '',
hint=(
'location will default to the same location as the '
'CA'),
active=False,
plural=False)
]),
'The Reusable Config containing X.509 values for this CA.',
flag_name_overrides={
'location': '',
'project': '',
},
group=reusable_config_group),
presentation_specs.ResourcePresentationSpec(
'--from-ca',
resource_args.CreateCertificateAuthorityResourceSpec(
'source CA'),
'An existing CA from which to copy configuration values for the '
'new CA. You can still override any of those values by explicitly '
'providing the appropriate flags.',
flag_name_overrides={'project': '--from-ca-project'},
prefixes=True)
]).AddToParser(parser)
flags.AddTierFlag(parser)
flags.AddSubjectFlags(parser, subject_required=False)
flags.AddPublishCaCertFlag(parser, use_update_help_text=False)
flags.AddPublishCrlFlag(parser, use_update_help_text=False)
flags.AddKeyAlgorithmFlag(key_spec_group,
default='rsa-pkcs1-2048-sha256')
flags.AddInlineReusableConfigFlags(reusable_config_group, is_ca=True)
flags.AddValidityFlag(parser,
resource_name='CA',
default_value='P3Y',
default_value_text='3 years')
flags.AddCertificateAuthorityIssuancePolicyFlag(parser)
labels_util.AddCreateLabelsFlags(parser)
flags.AddBucketFlag(parser)
offline_issuer_group = issuer_configuration_group.add_group(help=(
'If the issuing CA is not hosted on Private CA, you must provide '
'these settings:'))
base.Argument(
'--create-csr',
help=
('Indicates that a CSR should be generated which can be signed by '
'the issuing CA. This must be set if --issuer is not provided.'),
action='store_const',
const=True,
default=False,
required=True).AddToParser(offline_issuer_group)
base.Argument(
'--csr-output-file',
help=(
'The path where the resulting PEM-encoded CSR file should be '
'written.'),
required=True).AddToParser(offline_issuer_group)
def Args(parser):
persistence_group = parser.add_group(
mutex=True, required=True, help='Certificate persistence options.')
base.Argument(
'--cert-output-file',
help=
'The path where the resulting PEM-encoded certificate chain file should be written (ordered from leaf to root).',
required=False).AddToParser(persistence_group)
base.Argument(
'--validate-only',
help=
'If this flag is set, the certificate resource will not be persisted '
'and the returned certificate will not contain the pem_certificate field.',
action='store_true',
default=False,
required=False).AddToParser(persistence_group)
flags_v1.AddValidityFlag(parser, 'certificate', 'P30D', '30 days')
labels_util.AddCreateLabelsFlags(parser)
cert_generation_group = parser.add_group(
mutex=True, required=True, help='Certificate generation method.')
base.Argument(
'--csr',
help='A PEM-encoded certificate signing request file path.'
).AddToParser(cert_generation_group)
non_csr_group = cert_generation_group.add_group(
help=
'Alternatively, you may describe the certificate and key to use.')
key_group = non_csr_group.add_group(
mutex=True,
required=True,
help=
'To describe the key that will be used for this certificate, use '
'one of the following options.')
key_generation_group = key_group.add_group(
help='To generate a new key pair, use the following:')
base.Argument(
'--generate-key',
help=
'Use this flag to have a new RSA-2048 private key securely generated on your machine.',
action='store_const',
const=True,
default=False,
required=True).AddToParser(key_generation_group)
base.Argument('--key-output-file',
help=_KEY_OUTPUT_HELP,
required=True).AddToParser(key_generation_group)
base.Argument(
'--ca',
help='The name of an existing certificate authority to use for '
'issuing the certificate. If omitted, a certificate authority '
'will be will be chosen from the CA pool by the service on your behalf.',
required=False).AddToParser(parser)
subject_group = non_csr_group.add_group(
help='The subject names for the certificate.', required=True)
flags_v1.AddSubjectFlags(subject_group)
x509_parameters_group = non_csr_group.add_group(
mutex=True,
help='The x509 configuration used for this certificate.')
flags_v1.AddInlineX509ParametersFlags(x509_parameters_group,
is_ca_command=False,
default_max_chain_length=0)
flags_v1.AddUsePresetProfilesFlag(x509_parameters_group)
cert_arg = 'CERTIFICATE'
concept_parsers.ConceptParser([
presentation_specs.ResourcePresentationSpec(
cert_arg,
resource_args.CreateCertResourceSpec(
cert_arg, [Create._GenerateCertificateIdFallthrough()]),
'The name of the certificate to issue. If the certificate ID '
'is omitted, a random identifier will be generated according '
'to the following format: {YYYYMMDD}-{3 random alphanumeric '
'characters}-{3 random alphanumeric characters}. The '
'certificate ID is not required when the issuing CA pool is in '
'the DevOps tier.',
required=True),
presentation_specs.ResourcePresentationSpec(
'--template',
resource_args.CreateCertificateTemplateResourceSpec(
'certificate_template'),
'The name of a certificate template to use for issuing this '
'certificate, if desired. A template may overwrite parts of '
'the certificate request, and the use of certificate templates '
'may be required and/or regulated by the issuing CA Pool\'s CA '
'Manager. The specified template must be in the same location '
'as the issuing CA Pool.',
required=False,
prefixes=True),
presentation_specs.ResourcePresentationSpec(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'An existing KMS key version backing this certificate.',
group=key_group),
],
command_level_fallthroughs={
'--template.location':
['CERTIFICATE.issuer-location']
}).AddToParser(parser)
# The only time a resource is returned is when args.validate_only is set.
parser.display_info.AddFormat('yaml(certificateDescription)')
def Args(parser):
key_spec_group = parser.add_group(
mutex=True,
help='The key configuration used for the CA certificate. Defaults to a '
'managed key if not specified.')
reusable_config_group = parser.add_group(
mutex=True,
required=False,
help='The X.509 configuration used for the CA certificate.')
concept_parsers.ConceptParser([
presentation_specs.ResourcePresentationSpec(
'CERTIFICATE_AUTHORITY',
resource_args.CreateCertificateAuthorityResourceSpec(
'Certificate Authority'),
'The name of the root CA to create.',
required=True),
presentation_specs.ResourcePresentationSpec(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'An existing KMS key version to back this CA.',
group=key_spec_group),
presentation_specs.ResourcePresentationSpec(
'--reusable-config',
resource_args.CreateReusableConfigResourceSpec(
location_fallthroughs=[
deps.Fallthrough(
function=lambda: '',
hint=('location will default to the same location as '
'the CA'),
active=False,
plural=False)
]),
'The Reusable Config containing X.509 values for this CA.',
flag_name_overrides={
'location': '',
'project': '',
},
group=reusable_config_group),
presentation_specs.ResourcePresentationSpec(
'--from-ca',
resource_args.CreateCertificateAuthorityResourceSpec('source CA'),
'An existing CA from which to copy configuration values for the new CA. '
'You can still override any of those values by explicitly providing '
'the appropriate flags.',
flag_name_overrides={'project': '--from-ca-project'},
prefixes=True)
]).AddToParser(parser)
flags.AddSubjectFlags(parser, subject_required=False)
flags.AddKeyAlgorithmFlag(key_spec_group, default='rsa-pkcs1-4096-sha256')
flags.AddValidityFlag(
parser,
resource_name='CA',
default_value='P10Y',
default_value_text='10 years')
labels_util.AddCreateLabelsFlags(parser)
flags.AddBucketFlag(parser)
flags.AddTierFlag(parser)
flags.AddPublishCaCertFlag(parser, use_update_help_text=False)
flags.AddPublishCrlFlag(parser, use_update_help_text=False)
flags.AddCertificateAuthorityIssuancePolicyFlag(parser)
flags.AddInlineReusableConfigFlags(
reusable_config_group,
is_ca_command=True,
default_max_chain_length=None)
def Args(parser):
key_spec_group = parser.add_group(
mutex=True,
help='The key configuration used for the CA certificate. Defaults to a '
'managed key if not specified.')
x509_config_group = parser.add_group(
mutex=True,
required=False,
help='The X.509 configuration used for the CA certificate.')
issuer_configuration_group = parser.add_group(
mutex=True,
required=True,
help='The issuer configuration used for this CA certificate.')
issuing_resource_group = issuer_configuration_group.add_group(
mutex=False,
required=False,
help='The issuing resource used for this CA certificate.')
base.Argument(
'--issuer-ca',
help=(
'The Certificate Authority ID of the CA to issue the subordinate '
'CA certificate from. This ID is optional. If ommitted, '
'any available ENABLED CA in the issuing CA pool will be chosen.'),
required=False).AddToParser(issuing_resource_group)
concept_parsers.ConceptParser([
presentation_specs.ResourcePresentationSpec(
'CERTIFICATE_AUTHORITY',
resource_args.CreateCertAuthorityResourceSpec(
'Certificate Authority'),
'The name of the subordinate CA to create.',
required=True),
presentation_specs.ResourcePresentationSpec(
'--issuer-pool',
resource_args.CreateCaPoolResourceSpec('Issuer'),
'The issuing CA Pool to use, if it is on Private CA.',
prefixes=True,
required=False,
flag_name_overrides={
'location': '--issuer-location',
},
group=issuing_resource_group),
presentation_specs.ResourcePresentationSpec(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'The KMS key version backing this CA.',
group=key_spec_group),
presentation_specs.ResourcePresentationSpec(
'--from-ca',
resource_args.CreateCertAuthorityResourceSpec(
'source CA',
location_fallthroughs=[
deps.ArgFallthrough('--location'),
resource_args.LOCATION_PROPERTY_FALLTHROUGH
],
pool_id_fallthroughs=[deps.ArgFallthrough('--pool')]),
'An existing CA from which to copy configuration values for the '
'new CA. You can still override any of those values by explicitly '
'providing the appropriate flags. The specified existing CA must '
'be part of the same pool as the one being created.',
flag_name_overrides={
'project': '',
'location': '',
'pool': '',
},
prefixes=True)
]).AddToParser(parser)
flags_v1.AddSubjectFlags(parser, subject_required=False)
flags_v1.AddKeyAlgorithmFlag(
key_spec_group, default='rsa-pkcs1-2048-sha256')
flags_v1.AddUsePresetProfilesFlag(x509_config_group)
# Subordinates should have no children by default.
flags_v1.AddInlineX509ParametersFlags(
x509_config_group, is_ca_command=True, default_max_chain_length=0)
flags_v1.AddValidityFlag(
parser,
resource_name='CA',
default_value='P3Y',
default_value_text='3 years')
labels_util.AddCreateLabelsFlags(parser)
flags_v1.AddBucketFlag(parser)
offline_issuer_group = issuer_configuration_group.add_group(
help=('If the issuing CA is not hosted on Private CA, you must provide '
'these settings:'))
base.Argument(
'--create-csr',
help=('Indicates that a CSR should be generated which can be signed by '
'the issuing CA. This must be set if --issuer is not provided.'),
action='store_const',
const=True,
default=False,
required=True).AddToParser(offline_issuer_group)
base.Argument(
'--csr-output-file',
help=('The path where the resulting PEM-encoded CSR file should be '
'written.'),
required=True).AddToParser(offline_issuer_group)
flags_v1.AddAutoEnableFlag(parser)
