def Run(self, args):
new_ca, ca_ref, _ = create_utils.CreateCAFromArgs(
args, is_subordinate=False)
project_ref = ca_ref.Parent().Parent()
key_version_ref = args.CONCEPTS.kms_key_version.Parse()
kms_key_ref = key_version_ref.Parent() if key_version_ref else None
iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)
bucket_ref = None
if args.IsSpecified('bucket'):
bucket_ref = storage.ValidateBucketForCertificateAuthority(args.bucket)
new_ca.gcsBucket = bucket_ref.bucket
p4sa_email = p4sa.GetOrCreate(project_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
create_utils.PrintBetaResourceDeletionDisclaimer('certificate authorities')
operation = self.client.projects_locations_certificateAuthorities.Create(
self.messages
.PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId()))
ca_response = operations.Await(operation, 'Creating Certificate Authority.')
ca = operations.GetMessageFromResponse(ca_response,
self.messages.CertificateAuthority)
log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
def Run(self, args):
kms_key_version_ref, ca_ref = self.ParseResourceArgs(args)
kms_key_ref = kms_key_version_ref.Parent()
project_ref = ca_ref.Parent().Parent()
subject_config = flags.ParseSubjectFlags(args, is_ca=True)
issuing_options = flags.ParseIssuingOptions(args)
issuance_policy = flags.ParseIssuancePolicy(args)
reusable_config_wrapper = flags.ParseReusableConfig(args,
ca_ref.locationsId,
is_ca=True)
lifetime = flags.ParseValidityFlag(args)
labels = labels_util.ParseCreateArgs(
args, self.messages.CertificateAuthority.LabelsValue)
iam.CheckCreateCertificateAuthorityPermissions(project_ref,
kms_key_ref)
p4sa_email = p4sa.GetOrCreate(project_ref)
bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
new_ca = self.messages.CertificateAuthority(
type=self.messages.CertificateAuthority.TypeValueValuesEnum.
SELF_SIGNED,
lifetime=lifetime,
config=self.messages.CertificateConfig(
reusableConfig=reusable_config_wrapper,
subjectConfig=subject_config),
cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
certificatePolicy=issuance_policy,
issuingOptions=issuing_options,
gcsBucket=bucket_ref.bucket,
labels=labels)
operation = self.client.projects_locations_certificateAuthorities.Create(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId()))
ca_response = operations.Await(operation,
'Creating Certificate Authority.')
ca = operations.GetMessageFromResponse(
ca_response, self.messages.CertificateAuthority)
log.status.Print('Creating the initial Certificate Revocation List.')
self.client.projects_locations_certificateAuthorities.PublishCrl(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesPublishCrlRequest(
name=ca.name,
publishCertificateRevocationListRequest=self.messages.
PublishCertificateRevocationListRequest()))
log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
def Run(self, args):
new_ca, ca_ref, issuer_ref = create_utils.CreateCAFromArgs(
args, is_subordinate=True)
project_ref = ca_ref.Parent().Parent()
key_version_ref = args.CONCEPTS.kms_key_version.Parse()
kms_key_ref = key_version_ref.Parent() if key_version_ref else None
iam.CheckCreateCertificateAuthorityPermissions(project_ref,
kms_key_ref)
if issuer_ref:
iam.CheckCreateCertificatePermissions(issuer_ref)
# Pro-actively look for issuing CA issues to avoid downstream issues.
create_utils.ValidateIssuingCA(issuer_ref.RelativeName())
bucket_ref = None
if args.IsSpecified('bucket'):
bucket_ref = storage.ValidateBucketForCertificateAuthority(
args.bucket)
new_ca.gcsBucket = bucket_ref.bucket
p4sa_email = p4sa.GetOrCreate(project_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
create_utils.PrintBetaResourceDeletionDisclaimer(
'certificate authorities')
operations.Await(
self.client.projects_locations_certificateAuthorities.Create(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId())),
'Creating Certificate Authority.')
csr_response = self.client.projects_locations_certificateAuthorities.Fetch(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesFetchRequest(
name=ca_ref.RelativeName()))
csr = csr_response.pemCsr
if args.create_csr:
files.WriteFileContents(args.csr_output_file, csr)
log.status.Print(
"Created Certificate Authority [{}] and saved CSR to '{}'.".
format(ca_ref.RelativeName(), args.csr_output_file))
return
if issuer_ref:
ca_certificate = self._SignCsr(issuer_ref, csr, new_ca.lifetime)
self._ActivateCertificateAuthority(ca_ref,
ca_certificate.pemCertificate,
issuer_ref)
log.status.Print('Created Certificate Authority [{}].'.format(
ca_ref.RelativeName()))
return
def Run(self, args):
kms_key_version_ref, ca_ref = self.ParseResourceArgs(args)
kms_key_ref = kms_key_version_ref.Parent()
project_ref = ca_ref.Parent().Parent()
common_name, subject = flags.ParseSubject(args.subject)
subject_alt_names = flags.ParseSanFlags(args)
issuing_options = flags.ParseIssuingOptions(args)
issuance_policy = flags.ParseIssuancePolicy(args)
reusable_config_wrapper = flags.ParseReusableConfig(args)
lifetime = flags.ParseValidityFlag(args)
labels = labels_util.ParseCreateArgs(
args, self.messages.CertificateAuthority.LabelsValue)
iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)
p4sa_email = p4sa.GetOrCreate(project_ref)
bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
new_ca = self.messages.CertificateAuthority(
type=self.messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED,
lifetime=lifetime,
config=self.messages.CertificateConfig(
reusableConfig=reusable_config_wrapper,
subjectConfig=self.messages.SubjectConfig(
commonName=common_name,
subject=subject,
subjectAltName=subject_alt_names)),
cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
certificatePolicy=issuance_policy,
issuingOptions=issuing_options,
gcsBucket=bucket_ref.bucket,
labels=labels)
operation = self.client.projects_locations_certificateAuthorities.Create(
self.messages
.PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId()))
return operations.Await(operation, 'Creating Certificate Authority.')
def testAddResourceRoleBindingsCallsIamFunctions(self, mock_storage_fn,
mock_kms_fn):
p4sa_email = '*****@*****.**'
iam_principal = 'serviceAccount:{}'.format(p4sa_email)
p4sa.AddResourceRoleBindings(p4sa_email, self.key_ref, self.bucket_ref)
mock_kms_fn.assert_has_calls([
mock.call(self.key_ref, iam_principal,
'roles/cloudkms.signerVerifier')
])
mock_storage_fn.assert_has_calls([
mock.call(
mock.ANY, # self
self.bucket_ref,
iam_principal,
'roles/storage.objectAdmin')
])
def Run(self, args):
kms_key_version_ref, ca_ref, issuer_ref = _ParseResourceArgs(args)
kms_key_ref = kms_key_version_ref.Parent()
project_ref = ca_ref.Parent().Parent()
subject_config = flags.ParseSubjectFlags(args, is_ca=True)
issuing_options = flags.ParseIssuingOptions(args)
issuance_policy = flags.ParseIssuancePolicy(args)
reusable_config_wrapper = flags.ParseReusableConfig(args,
ca_ref.locationsId,
is_ca=True)
lifetime = flags.ParseValidityFlag(args)
labels = labels_util.ParseCreateArgs(
args, self.messages.CertificateAuthority.LabelsValue)
iam.CheckCreateCertificateAuthorityPermissions(project_ref,
kms_key_ref)
if issuer_ref:
iam.CheckCreateCertificatePermissions(issuer_ref)
p4sa_email = p4sa.GetOrCreate(project_ref)
bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
new_ca = self.messages.CertificateAuthority(
type=self.messages.CertificateAuthority.TypeValueValuesEnum.
SUBORDINATE,
lifetime=lifetime,
config=self.messages.CertificateConfig(
reusableConfig=reusable_config_wrapper,
subjectConfig=subject_config),
cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
certificatePolicy=issuance_policy,
issuingOptions=issuing_options,
gcsBucket=bucket_ref.bucket,
labels=labels)
operations.Await(
self.client.projects_locations_certificateAuthorities.Create(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId())),
'Creating Certificate Authority.')
csr_response = self.client.projects_locations_certificateAuthorities.GetCsr(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesGetCsrRequest(
name=ca_ref.RelativeName()))
csr = csr_response.pemCsr
if args.create_csr:
files.WriteFileContents(args.csr_output_file, csr)
log.status.Print(
"Created Certificate Authority [{}] and saved CSR to '{}'.".
format(ca_ref.RelativeName(), args.csr_output_file))
return
if issuer_ref:
ca_certificate = self._SignCsr(issuer_ref, csr, lifetime)
self._ActivateCertificateAuthority(ca_ref, ca_certificate)
log.status.Print('Created Certificate Authority [{}].'.format(
ca_ref.RelativeName()))
return
# This should not happen because of the required arg group, but it protects
# us in case of future additions.
raise exceptions.OneOfArgumentsRequiredException([
'--issuer', '--create-csr'
], ('To create a subordinate CA, please provide either an issuer or the '
'--create-csr flag to output a CSR to be signed by another issuer.'
))
def Run(self, args):
new_ca, ca_ref, issuer_ref = create_utils_v1.CreateCAFromArgs(
args, is_subordinate=True)
# Retrive the Project reference from the Parent -> Location -> Pool -> CA
# resource structure.
project_ref = ca_ref.Parent().Parent().Parent()
key_version_ref = args.CONCEPTS.kms_key_version.Parse()
kms_key_ref = key_version_ref.Parent() if key_version_ref else None
if not args.IsSpecified('issuer_pool') and args.IsSpecified('auto_enable'):
raise exceptions.InvalidArgumentException([
'--auto-enable'
], ('The \'--auto-enable\' is only supported in the create command if an '
'issuer resource is specified. You can use the \'--auto-enable\' '
'command in the subordinate CA activate command.'))
if args.issuer_pool == args.pool:
if not console_io.PromptContinue(
message='The new CA will be in the same CA pool as the issuer CA. All'
' certificate authorities within a CA pool should be interchangeable.'
' Do you want to continue?',
default=True):
log.status.Print('Aborted by user.')
return
iam_v1.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)
if issuer_ref:
iam_v1.CheckCreateCertificatePermissions(issuer_ref)
# Proactively look for issuing CA Pool problems to avoid downstream
# issues.
issuer_ca = args.issuer_ca if args.IsSpecified('issuer_ca') else None
create_utils_v1.ValidateIssuingPool(issuer_ref.RelativeName(), issuer_ca)
bucket_ref = None
if args.IsSpecified('bucket'):
bucket_ref = storage.ValidateBucketForCertificateAuthority(args.bucket)
new_ca.gcsBucket = bucket_ref.bucket
p4sa_email = p4sa.GetOrCreate(project_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
operations.Await(
self.client.projects_locations_caPools_certificateAuthorities.Create(
self.messages.
PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId())),
'Creating Certificate Authority.', api_version='v1')
csr_response = self.client.projects_locations_caPools_certificateAuthorities.Fetch(
self.messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesFetchRequest(
name=ca_ref.RelativeName()))
csr = csr_response.pemCsr
if args.create_csr:
files.WriteFileContents(args.csr_output_file, csr)
log.status.Print(
"Created Certificate Authority [{}] and saved CSR to '{}'.".format(
ca_ref.RelativeName(), args.csr_output_file))
return
if issuer_ref:
issuer_ca = args.issuer_ca if args.IsSpecified('issuer_ca') else None
ca_certificate = self._SignCsr(issuer_ref, csr, new_ca.lifetime,
issuer_ca)
self._ActivateCertificateAuthority(
ca_ref.RelativeName(), ca_certificate.pemCertificate,
ca_certificate.issuerCertificateAuthority)
log.status.Print('Created Certificate Authority [{}].'.format(
ca_ref.RelativeName()))
if self._ShouldEnableCa(args, ca_ref):
self._EnableCertificateAuthority(ca_ref.RelativeName())
return