def Run(self, args):
cert_ref = Revoke.ParseCertificateResource(args)
if not console_io.PromptContinue(
message='You are about to revoke Certificate [{}]'.format(
cert_ref.RelativeName()),
default=True):
log.status.Print('Aborted by user.')
return
reason = flags_v1.ParseRevocationChoiceToEnum(args.reason)
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
certificate = client.projects_locations_caPools_certificates.Revoke(
messages.
PrivatecaProjectsLocationsCaPoolsCertificatesRevokeRequest(
name=cert_ref.RelativeName(),
revokeCertificateRequest=messages.RevokeCertificateRequest(
reason=reason,
requestId=request_utils.GenerateRequestId())))
revoke_time = times.ParseDateTime(
certificate.revocationDetails.revocationTime)
log.status.Print('Revoked certificate [{}] at {}.'.format(
certificate.name,
times.FormatDateTime(revoke_time, tzinfo=times.LOCAL)))
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
ca_name = ca_ref.RelativeName()
current_ca = client.projects_locations_caPools_certificateAuthorities.Get(
messages.
PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest(
name=ca_name))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE,
current_ca,
version='v1')
ca_to_update, update_mask = update_utils_v1.UpdateCAFromArgs(
args, current_ca.labels)
# Patch is the gcloud client lib method to update a CA.
operation = client.projects_locations_caPools_certificateAuthorities.Patch(
messages.
PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesPatchRequest(
name=ca_name,
certificateAuthority=ca_to_update,
updateMask=','.join(update_mask),
requestId=request_utils.GenerateRequestId()))
return operations.Await(operation,
'Updating Subordinate CA.',
api_version='v1')
def Run(self, args):
client = privateca_base.GetClientInstance('v1')
messages = privateca_base.GetMessagesModule('v1')
ca_pool_ref = args.CONCEPTS.ca_pool.Parse()
issuance_policy = flags_v1.ParseIssuancePolicy(args)
publishing_options = flags_v1.ParsePublishingOptions(args)
tier = flags_v1.ParseTierFlag(args)
labels = labels_util.ParseCreateArgs(args, messages.CaPool.LabelsValue)
new_ca_pool = messages.CaPool(issuancePolicy=issuance_policy,
publishingOptions=publishing_options,
tier=tier,
labels=labels)
operation = client.projects_locations_caPools.Create(
messages.PrivatecaProjectsLocationsCaPoolsCreateRequest(
caPool=new_ca_pool,
caPoolId=ca_pool_ref.Name(),
parent=ca_pool_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId()))
ca_pool_response = operations.Await(operation,
'Creating CA Pool.',
api_version='v1')
ca_pool = operations.GetMessageFromResponse(ca_pool_response,
messages.CaPool)
log.status.Print('Created CA Pool [{}].'.format(ca_pool.name))
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
template_ref = args.CONCEPTS.certificate_template.Parse()
template_name = template_ref.RelativeName()
if not console_io.PromptContinue(
message='You are about to delete the certificate template [{}]'
.format(template_ref.RelativeName()),
default=True):
log.status.Print('Aborted by user.')
return
operation = client.projects_locations_certificateTemplates.Delete(
messages.
PrivatecaProjectsLocationsCertificateTemplatesDeleteRequest(
name=template_name,
requestId=request_utils.GenerateRequestId()))
operations.Await(operation,
'Deleting Certificate Template',
api_version='v1')
log.status.Print(
'Deleted Certificate Template [{}].'.format(template_name))
def Run(self, args):
client = privateca_base.GetClientInstance()
messages = privateca_base.GetMessagesModule()
ca_ref = args.CONCEPTS.certificate_authority.Parse()
current_ca = client.projects_locations_certificateAuthorities.Get(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesGetRequest(
name=ca_ref.RelativeName()))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED,
current_ca)
ca_to_update, update_mask = update_utils.UpdateCAFromArgs(
args, current_ca.labels)
operation = client.projects_locations_certificateAuthorities.Patch(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesPatchRequest(
name=ca_ref.RelativeName(),
certificateAuthority=ca_to_update,
updateMask=','.join(update_mask),
requestId=request_utils.GenerateRequestId()))
return operations.Await(operation, 'Updating Root CA.')
def Run(self, args):
client = privateca_base.GetClientInstance()
messages = privateca_base.GetMessagesModule()
ca_ref = args.CONCEPTS.certificate_authority.Parse()
if not console_io.PromptContinue(
message='You are about to delete Certificate Authority [{}]'.
format(ca_ref.RelativeName()),
default=True):
log.status.Print('Aborted by user.')
return
current_ca = client.projects_locations_certificateAuthorities.Get(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesGetRequest(
name=ca_ref.RelativeName()))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED,
current_ca)
operation = client.projects_locations_certificateAuthorities.Delete(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesDeleteRequest(
name=ca_ref.RelativeName(),
requestId=request_utils.GenerateRequestId()))
operations.Await(operation, 'Deleting Root CA')
log.status.Print('Deleted Root CA [{}].'.format(ca_ref.RelativeName()))
def Run(self, args):
client = privateca_base.GetClientInstance()
messages = privateca_base.GetMessagesModule()
ca_ref = args.CONCEPTS.certificate_authority.Parse()
current_ca = client.projects_locations_certificateAuthorities.Get(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesGetRequest(
name=ca_ref.RelativeName()))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE,
current_ca)
operation = client.projects_locations_certificateAuthorities.Restore(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesRestoreRequest(
name=ca_ref.RelativeName(),
restoreCertificateAuthorityRequest=messages.
RestoreCertificateAuthorityRequest(
requestId=request_utils.GenerateRequestId())))
operations.Await(operation, 'Restoring Subordinate CA')
log.status.Print('Restored Subordinate CA [{}].'.format(
ca_ref.RelativeName()))
def Run(self, args):
client = privateca_base.GetClientInstance('v1')
messages = privateca_base.GetMessagesModule('v1')
cert_template_ref = args.CONCEPTS.certificate_template.Parse()
flags_v1.ValidateIdentityConstraints(args)
new_cert_template = messages.CertificateTemplate(
predefinedValues=flags_v1.ParsePredefinedValues(args),
identityConstraints=flags_v1.ParseIdentityConstraints(args),
passthroughExtensions=flags_v1.ParseExtensionConstraints(args),
description=args.description
if args.IsSpecified('description') else None)
operation = client.projects_locations_certificateTemplates.Create(
messages.
PrivatecaProjectsLocationsCertificateTemplatesCreateRequest(
parent=cert_template_ref.Parent().RelativeName(),
certificateTemplateId=cert_template_ref.Name(),
certificateTemplate=new_cert_template,
requestId=request_utils.GenerateRequestId()))
cert_template_response = operations.Await(
operation, 'Creating Certificate Template.', api_version='v1')
cert_template = operations.GetMessageFromResponse(
cert_template_response, messages.CertificateTemplate)
log.status.Print('Created Certificate Template [{}].'.format(
cert_template.name))
def Run(self, args):
cert_ref = _ParseCertificateResource(args)
reason = flags.ParseRevocationChoiceToEnum(args.reason)
client = privateca_base.GetClientInstance()
messages = privateca_base.GetMessagesModule()
operation = client.projects_locations_certificateAuthorities_certificates.Revoke(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesCertificatesRevokeRequest(
name=cert_ref.RelativeName(),
revokeCertificateRequest=messages.RevokeCertificateRequest(
reason=reason,
requestId=request_utils.GenerateRequestId())))
response = operations.Await(operation, 'Revoking Certificate.')
certificate = operations.GetMessageFromResponse(
response, messages.Certificate)
log.status.Print('Publishing a new Certificate Revocation List.')
client.projects_locations_certificateAuthorities.PublishCrl(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesPublishCrlRequest(
name=cert_ref.Parent().RelativeName(),
publishCertificateRevocationListRequest=messages.
PublishCertificateRevocationListRequest()))
revoke_time = times.ParseDateTime(
certificate.revocationDetails.revocationTime)
log.status.Print('Revoked certificate [{}] at {}.'.format(
certificate.name,
times.FormatDateTime(revoke_time, tzinfo=times.LOCAL)))
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
current_ca = client.projects_locations_caPools_certificateAuthorities.Get(
messages.
PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest(
name=ca_ref.RelativeName()))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED,
current_ca,
version='v1')
operation = client.projects_locations_caPools_certificateAuthorities.Undelete(
messages.
PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesUndeleteRequest(
name=ca_ref.RelativeName(),
undeleteCertificateAuthorityRequest=messages.
UndeleteCertificateAuthorityRequest(
requestId=request_utils.GenerateRequestId())))
operations.Await(operation, 'Undeleting Root CA', api_version='v1')
log.status.Print('Undeleted Root CA [{}].'.format(
ca_ref.RelativeName()))
def Run(self, args):
new_ca, ca_ref, _ = create_utils.CreateCAFromArgs(
args, is_subordinate=False)
project_ref = ca_ref.Parent().Parent()
key_version_ref = args.CONCEPTS.kms_key_version.Parse()
kms_key_ref = key_version_ref.Parent() if key_version_ref else None
iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)
bucket_ref = None
if args.IsSpecified('bucket'):
bucket_ref = storage.ValidateBucketForCertificateAuthority(args.bucket)
new_ca.gcsBucket = bucket_ref.bucket
p4sa_email = p4sa.GetOrCreate(project_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
create_utils.PrintBetaResourceDeletionDisclaimer('certificate authorities')
operation = self.client.projects_locations_certificateAuthorities.Create(
self.messages
.PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId()))
ca_response = operations.Await(operation, 'Creating Certificate Authority.')
ca = operations.GetMessageFromResponse(ca_response,
self.messages.CertificateAuthority)
log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
def Run(self, args):
kms_key_version_ref, ca_ref = self.ParseResourceArgs(args)
kms_key_ref = kms_key_version_ref.Parent()
project_ref = ca_ref.Parent().Parent()
subject_config = flags.ParseSubjectFlags(args, is_ca=True)
issuing_options = flags.ParseIssuingOptions(args)
issuance_policy = flags.ParseIssuancePolicy(args)
reusable_config_wrapper = flags.ParseReusableConfig(args,
ca_ref.locationsId,
is_ca=True)
lifetime = flags.ParseValidityFlag(args)
labels = labels_util.ParseCreateArgs(
args, self.messages.CertificateAuthority.LabelsValue)
iam.CheckCreateCertificateAuthorityPermissions(project_ref,
kms_key_ref)
p4sa_email = p4sa.GetOrCreate(project_ref)
bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
new_ca = self.messages.CertificateAuthority(
type=self.messages.CertificateAuthority.TypeValueValuesEnum.
SELF_SIGNED,
lifetime=lifetime,
config=self.messages.CertificateConfig(
reusableConfig=reusable_config_wrapper,
subjectConfig=subject_config),
cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
certificatePolicy=issuance_policy,
issuingOptions=issuing_options,
gcsBucket=bucket_ref.bucket,
labels=labels)
operation = self.client.projects_locations_certificateAuthorities.Create(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId()))
ca_response = operations.Await(operation,
'Creating Certificate Authority.')
ca = operations.GetMessageFromResponse(
ca_response, self.messages.CertificateAuthority)
log.status.Print('Creating the initial Certificate Revocation List.')
self.client.projects_locations_certificateAuthorities.PublishCrl(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesPublishCrlRequest(
name=ca.name,
publishCertificateRevocationListRequest=self.messages.
PublishCertificateRevocationListRequest()))
log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
def Run(self, args):
new_ca, ca_ref, issuer_ref = create_utils.CreateCAFromArgs(
args, is_subordinate=True)
project_ref = ca_ref.Parent().Parent()
key_version_ref = args.CONCEPTS.kms_key_version.Parse()
kms_key_ref = key_version_ref.Parent() if key_version_ref else None
iam.CheckCreateCertificateAuthorityPermissions(project_ref,
kms_key_ref)
if issuer_ref:
iam.CheckCreateCertificatePermissions(issuer_ref)
# Pro-actively look for issuing CA issues to avoid downstream issues.
create_utils.ValidateIssuingCA(issuer_ref.RelativeName())
bucket_ref = None
if args.IsSpecified('bucket'):
bucket_ref = storage.ValidateBucketForCertificateAuthority(
args.bucket)
new_ca.gcsBucket = bucket_ref.bucket
p4sa_email = p4sa.GetOrCreate(project_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
create_utils.PrintBetaResourceDeletionDisclaimer(
'certificate authorities')
operations.Await(
self.client.projects_locations_certificateAuthorities.Create(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId())),
'Creating Certificate Authority.')
csr_response = self.client.projects_locations_certificateAuthorities.Fetch(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesFetchRequest(
name=ca_ref.RelativeName()))
csr = csr_response.pemCsr
if args.create_csr:
files.WriteFileContents(args.csr_output_file, csr)
log.status.Print(
"Created Certificate Authority [{}] and saved CSR to '{}'.".
format(ca_ref.RelativeName(), args.csr_output_file))
return
if issuer_ref:
ca_certificate = self._SignCsr(issuer_ref, csr, new_ca.lifetime)
self._ActivateCertificateAuthority(ca_ref,
ca_certificate.pemCertificate,
issuer_ref)
log.status.Print('Created Certificate Authority [{}].'.format(
ca_ref.RelativeName()))
return
def _EnableCertificateAuthority(self, ca_name):
"""Enables the given CA."""
enable_request = self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesEnableRequest(
name=ca_name,
enableCertificateAuthorityRequest=self.messages
.EnableCertificateAuthorityRequest(
requestId=request_utils.GenerateRequestId()))
operation = self.client.projects_locations_caPools_certificateAuthorities.Enable(
enable_request)
return operations.Await(operation, 'Enabling CA.', api_version='v1')
def _CreateOrUpdateTemplate(self, project, location, template_id, template,
overwrite):
"""Returns an LRO for a Create or Update operation for the given template.
Args:
project: str, the project ID or number for the new template.
location: str, the location for the new template.
template_id: str, the resource ID for the new template.
template: object, the body of the new template.
overwrite: bool, whether to overwrite existing templates with the same ID.
Raises:
ReplicationError, if the template could not be replicated to this
location.
"""
parent = 'projects/{}/locations/{}'.format(project, location)
resource_name = '{}/certificateTemplates/{}'.format(parent, template_id)
try:
return self.client.projects_locations_certificateTemplates.Create(
self.messages
.PrivatecaProjectsLocationsCertificateTemplatesCreateRequest(
parent=parent,
certificateTemplateId=template_id,
certificateTemplate=template,
requestId=request_utils.GenerateRequestId()))
except api_exceptions.HttpConflictError as e:
if not overwrite:
raise ReplicationError(
location,
'Certificate template [{}] already exists and the --overwrite flag '
'was not set.'.format(resource_name))
return self.client.projects_locations_certificateTemplates.Patch(
self.messages
.PrivatecaProjectsLocationsCertificateTemplatesPatchRequest(
name=resource_name,
certificateTemplate=template,
# Always copy all fields. Mask value of '*' doesn't seem to be
# currently supported by CCFE.
updateMask='predefined_values,identity_constraints,passthrough_extensions,description,labels',
requestId=request_utils.GenerateRequestId()))
except api_exceptions.HttpError as e:
raise ReplicationError(location, six.text_type(e))
def Run(self, args):
self.client = privateca_base.GetClientInstance()
self.messages = privateca_base.GetMessagesModule()
cert_ref = args.CONCEPTS.certificate.Parse()
issuing_ca = self._GetIssuingCa(cert_ref.Parent().RelativeName())
if issuing_ca.tier == self.messages.CertificateAuthority.TierValueValuesEnum.DEVOPS:
CreateBeta._ValidateArgsForDevOpsIssuer(args)
labels = labels_util.ParseCreateArgs(
args, self.messages.Certificate.LabelsValue)
request = self.messages.PrivatecaProjectsLocationsCertificateAuthoritiesCertificatesCreateRequest(
)
request.certificate = self.messages.Certificate()
request.certificateId = cert_ref.Name()
request.certificate.lifetime = flags.ParseValidityFlag(args)
request.certificate.labels = labels
request.parent = cert_ref.Parent().RelativeName()
request.requestId = request_utils.GenerateRequestId()
# TODO(b/12345): only show this for Enterprise certs.
create_utils.PrintBetaResourceDeletionDisclaimer('certificates')
if args.csr:
request.certificate.pemCsr = _ReadCsr(args.csr)
elif args.generate_key:
request.certificate.config = self._GenerateCertificateConfig(
request, args, cert_ref.locationsId)
else:
# This should not happen because of the required arg group, but protects
# in case of future additions.
raise exceptions.OneOfArgumentsRequiredException(
['--csr', '--generate-key'],
('To create a certificate, please specify either a CSR or the '
'--generate-key flag to create a new key.'))
certificate = self.client.projects_locations_certificateAuthorities_certificates.Create(
request)
status_message = 'Created Certificate'
# DevOps certs won't have a name.
if certificate.name:
status_message += ' [{}]'.format(certificate.name)
if args.IsSpecified('cert_output_file'):
status_message += ' and saved it to [{}]'.format(
args.cert_output_file)
_WritePemChain(certificate.pemCertificate,
certificate.pemCertificateChain,
args.cert_output_file)
status_message += '.'
log.status.Print(status_message)
def _SignCsr(self, issuer_ref, csr, lifetime):
"""Issues a certificate under the given issuer with the given settings."""
certificate_id = 'subordinate-{}'.format(certificate_utils.GenerateCertId())
certificate_name = '{}/certificates/{}'.format(issuer_ref.RelativeName(),
certificate_id)
cert_request = self.messages.PrivatecaProjectsLocationsCertificateAuthoritiesCertificatesCreateRequest(
certificateId=certificate_id,
parent=issuer_ref.RelativeName(),
requestId=request_utils.GenerateRequestId(),
certificate=self.messages.Certificate(
name=certificate_name, lifetime=lifetime, pemCsr=csr))
return self.client.projects_locations_certificateAuthorities_certificates.Create(
cert_request)
def _GetRootCerts(self, ca_pool_ref):
"""Returns the root CA certs for all active CAs in the CA pool."""
client = privateca_base.GetClientInstance('v1')
messages = privateca_base.GetMessagesModule('v1')
fetch_ca_certs_response = client.projects_locations_caPools.FetchCaCerts(
messages.PrivatecaProjectsLocationsCaPoolsFetchCaCertsRequest(
caPool=ca_pool_ref.RelativeName(),
fetchCaCertsRequest=messages.FetchCaCertsRequest(
requestId=request_utils.GenerateRequestId())))
root_certs = [
chain.certificates[-1] for chain in fetch_ca_certs_response.caCerts
]
return ''.join(pem_utils.PemChainForOutput(root_certs))
def Run(self, args):
client = privateca_base.GetClientInstance()
messages = privateca_base.GetMessagesModule()
cert_ref = args.CONCEPTS.certificate.Parse()
if not cert_ref:
raise exceptions.InvalidArgumentException(
'CERTIFICATE', 'A certificate resource must be specified.')
labels = labels_util.ParseCreateArgs(args,
messages.Certificate.LabelsValue)
request = messages.PrivatecaProjectsLocationsCertificateAuthoritiesCertificatesCreateRequest(
)
request.certificate = messages.Certificate()
request.certificateId = cert_ref.Name()
request.certificate.name = cert_ref.RelativeName()
request.certificate.lifetime = flags.ParseValidityFlag(args)
request.certificate.labels = labels
request.parent = cert_ref.Parent().RelativeName()
request.requestId = request_utils.GenerateRequestId()
if args.csr:
request.certificate.pemCsr = self._ReadCsr(request, args.csr)
elif args.generate_key:
request.certificate.config = self._GenerateCertificateConfig(
request, args, cert_ref.locationsId)
else:
# This should not happen because of the required arg group, but protects
# in case of future additions.
raise exceptions.OneOfArgumentsRequiredException(
['--csr', '--generate-key'],
('To create a certificate, please specify either a CSR or the '
'--generate-key flag to create a new key.'))
operation = client.projects_locations_certificateAuthorities_certificates.Create(
request)
cert_response = operations.Await(operation, 'Creating Certificate.')
certificate = operations.GetMessageFromResponse(
cert_response, messages.Certificate)
if args.IsSpecified('cert_output_file'):
self._WritePemChain(certificate.pemCertificate,
certificate.pemCertificateChain,
args.cert_output_file)
log.status.Print('Created Certificate [{}].'.format(certificate.name))
def Run(self, args):
kms_key_version_ref, ca_ref = self.ParseResourceArgs(args)
kms_key_ref = kms_key_version_ref.Parent()
project_ref = ca_ref.Parent().Parent()
common_name, subject = flags.ParseSubject(args.subject)
subject_alt_names = flags.ParseSanFlags(args)
issuing_options = flags.ParseIssuingOptions(args)
issuance_policy = flags.ParseIssuancePolicy(args)
reusable_config_wrapper = flags.ParseReusableConfig(args)
lifetime = flags.ParseValidityFlag(args)
labels = labels_util.ParseCreateArgs(
args, self.messages.CertificateAuthority.LabelsValue)
iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)
p4sa_email = p4sa.GetOrCreate(project_ref)
bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
new_ca = self.messages.CertificateAuthority(
type=self.messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED,
lifetime=lifetime,
config=self.messages.CertificateConfig(
reusableConfig=reusable_config_wrapper,
subjectConfig=self.messages.SubjectConfig(
commonName=common_name,
subject=subject,
subjectAltName=subject_alt_names)),
cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
certificatePolicy=issuance_policy,
issuingOptions=issuing_options,
gcsBucket=bucket_ref.bucket,
labels=labels)
operation = self.client.projects_locations_certificateAuthorities.Create(
self.messages
.PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId()))
return operations.Await(operation, 'Creating Certificate Authority.')
def Run(self, args):
client = privateca_base.GetClientInstance()
messages = privateca_base.GetMessagesModule()
ca_ref = args.CONCEPTS.certificate_authority.Parse()
if not console_io.PromptContinue(
message=
'You are about to schedule Certificate Authority [{}] for deletion in 30 days'
.format(ca_ref.RelativeName()),
default=True):
log.status.Print('Aborted by user.')
return
current_ca = client.projects_locations_certificateAuthorities.Get(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesGetRequest(
name=ca_ref.RelativeName()))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE,
current_ca)
operation = client.projects_locations_certificateAuthorities.ScheduleDelete(
messages.
PrivatecaProjectsLocationsCertificateAuthoritiesScheduleDeleteRequest(
name=ca_ref.RelativeName(),
scheduleDeleteCertificateAuthorityRequest=messages.
ScheduleDeleteCertificateAuthorityRequest(
ignoreActiveCertificates=args.ignore_active_certificates,
requestId=request_utils.GenerateRequestId())))
ca_response = operations.Await(
operation, 'Scheduling Subordinate CA for deletion')
ca = operations.GetMessageFromResponse(ca_response,
messages.CertificateAuthority)
formatted_deletion_time = times.ParseDateTime(
ca.deleteTime).astimezone(tz.tzutc()).strftime('%Y-%m-%dT%H:%MZ')
log.status.Print(
'Scheduled Subordinate CA [{}] for deletion at {}.'.format(
ca_ref.RelativeName(), formatted_deletion_time))
def _RunUpdate(self, client, messages, original_cert, args):
# Collect the list of update masks
labels_diff = labels_util.GetAndValidateOpsFromArgs(args)
labels_update = labels_diff.Apply(messages.Certificate.LabelsValue,
original_cert.labels)
if not labels_update.needs_update:
raise exceptions.InvalidArgumentException(
'labels',
self.NO_CHANGES_MESSAGE.format(certificate=original_cert.name))
original_cert.labels = labels_update.labels
return client.projects_locations_caPools_certificates.Patch(
messages.PrivatecaProjectsLocationsCaPoolsCertificatesPatchRequest(
name=original_cert.name,
certificate=original_cert,
updateMask='labels',
requestId=request_utils.GenerateRequestId()))
def Run(self, args):
client = privateca_base.GetClientInstance('v1')
messages = privateca_base.GetMessagesModule('v1')
ca_pool_ref = args.CONCEPTS.ca_pool.Parse()
current_ca_pool = client.projects_locations_caPools.Get(
messages.PrivatecaProjectsLocationsCaPoolsGetRequest(
name=ca_pool_ref.RelativeName()))
pool_to_update, update_mask = update_utils_v1.UpdateCaPoolFromArgs(
args, current_ca_pool.labels)
operation = client.projects_locations_caPools.Patch(
messages.PrivatecaProjectsLocationsCaPoolsPatchRequest(
name=ca_pool_ref.RelativeName(),
caPool=pool_to_update,
updateMask=','.join(update_mask),
requestId=request_utils.GenerateRequestId()))
return operations.Await(operation, 'Updating CA pool.', api_version='v1')
def Run(self, args):
client = privateca_base.GetClientInstance('v1')
messages = privateca_base.GetMessagesModule('v1')
cert_template_ref = args.CONCEPTS.certificate_template.Parse()
template_name = cert_template_ref.RelativeName()
current_cert_template = client.projects_locations_certificateTemplates.Get(
messages.PrivatecaProjectsLocationsCertificateTemplatesGetRequest(
name=template_name))
cert_template_to_update, update_mask = self._UpdateCertificateTemplateFromArgs(
args, current_cert_template.labels)
# Confirm that the result of this update is intended to be identity
# reflection, if applicable.
flags_v1.ValidateIdentityConstraints(
args,
existing_copy_subj=current_cert_template.identityConstraints.
allowSubjectPassthrough,
existing_copy_sans=current_cert_template.identityConstraints.
allowSubjectAltNamesPassthrough,
for_update=True)
operation = client.projects_locations_certificateTemplates.Patch(
messages.
PrivatecaProjectsLocationsCertificateTemplatesPatchRequest(
name=template_name,
certificateTemplate=cert_template_to_update,
updateMask=','.join(update_mask),
requestId=request_utils.GenerateRequestId()))
cert_template_response = operations.Await(
operation, 'Updating Certificate Template.', api_version='v1')
cert_template = operations.GetMessageFromResponse(
cert_template_response, messages.CertificateTemplate)
log.status.Print('Updated Certificate Template [{}].'.format(
cert_template.name))
def Run(self, args):
client = privateca_base.GetClientInstance('v1')
messages = privateca_base.GetMessagesModule('v1')
ca_pool_ref = args.CONCEPTS.ca_pool.Parse()
if not console_io.PromptContinue(
message='You are about to delete the CA pool [{}]'.format(
ca_pool_ref.RelativeName()),
default=True):
log.status.Print('Aborted by user.')
return
operation = client.projects_locations_caPools.Delete(
messages.PrivatecaProjectsLocationsCaPoolsDeleteRequest(
name=ca_pool_ref.RelativeName(),
requestId=request_utils.GenerateRequestId()))
operations.Await(operation, 'Deleting the CA pool', api_version='v1')
log.status.Print('Deleted the CA pool [{}].'.format(
ca_pool_ref.RelativeName()))
def AddRequestIdHook(unused_ref, unused_args, request):
"""Fills a unique identifier for a request with a requestId field."""
request.requestId = request_utils.GenerateRequestId()
return request
def Run(self, args):
new_ca, ca_ref, issuer_ref = create_utils_v1.CreateCAFromArgs(
args, is_subordinate=True)
# Retrive the Project reference from the Parent -> Location -> Pool -> CA
# resource structure.
project_ref = ca_ref.Parent().Parent().Parent()
key_version_ref = args.CONCEPTS.kms_key_version.Parse()
kms_key_ref = key_version_ref.Parent() if key_version_ref else None
if not args.IsSpecified('issuer_pool') and args.IsSpecified('auto_enable'):
raise exceptions.InvalidArgumentException([
'--auto-enable'
], ('The \'--auto-enable\' is only supported in the create command if an '
'issuer resource is specified. You can use the \'--auto-enable\' '
'command in the subordinate CA activate command.'))
if args.issuer_pool == args.pool:
if not console_io.PromptContinue(
message='The new CA will be in the same CA pool as the issuer CA. All'
' certificate authorities within a CA pool should be interchangeable.'
' Do you want to continue?',
default=True):
log.status.Print('Aborted by user.')
return
iam_v1.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)
if issuer_ref:
iam_v1.CheckCreateCertificatePermissions(issuer_ref)
# Proactively look for issuing CA Pool problems to avoid downstream
# issues.
issuer_ca = args.issuer_ca if args.IsSpecified('issuer_ca') else None
create_utils_v1.ValidateIssuingPool(issuer_ref.RelativeName(), issuer_ca)
bucket_ref = None
if args.IsSpecified('bucket'):
bucket_ref = storage.ValidateBucketForCertificateAuthority(args.bucket)
new_ca.gcsBucket = bucket_ref.bucket
p4sa_email = p4sa.GetOrCreate(project_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
operations.Await(
self.client.projects_locations_caPools_certificateAuthorities.Create(
self.messages.
PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId())),
'Creating Certificate Authority.', api_version='v1')
csr_response = self.client.projects_locations_caPools_certificateAuthorities.Fetch(
self.messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesFetchRequest(
name=ca_ref.RelativeName()))
csr = csr_response.pemCsr
if args.create_csr:
files.WriteFileContents(args.csr_output_file, csr)
log.status.Print(
"Created Certificate Authority [{}] and saved CSR to '{}'.".format(
ca_ref.RelativeName(), args.csr_output_file))
return
if issuer_ref:
issuer_ca = args.issuer_ca if args.IsSpecified('issuer_ca') else None
ca_certificate = self._SignCsr(issuer_ref, csr, new_ca.lifetime,
issuer_ca)
self._ActivateCertificateAuthority(
ca_ref.RelativeName(), ca_certificate.pemCertificate,
ca_certificate.issuerCertificateAuthority)
log.status.Print('Created Certificate Authority [{}].'.format(
ca_ref.RelativeName()))
if self._ShouldEnableCa(args, ca_ref):
self._EnableCertificateAuthority(ca_ref.RelativeName())
return
def Run(self, args):
self.client = privateca_base.GetClientInstance(api_version='v1')
self.messages = privateca_base.GetMessagesModule(api_version='v1')
self._ValidateArgs(args)
cert_ref = args.CONCEPTS.certificate.Parse()
labels = labels_util.ParseCreateArgs(
args, self.messages.Certificate.LabelsValue)
request = self.messages.PrivatecaProjectsLocationsCaPoolsCertificatesCreateRequest(
)
request.certificate = self.messages.Certificate()
request.certificateId = cert_ref.Name()
request.certificate.lifetime = flags_v1.ParseValidityFlag(args)
request.certificate.labels = labels
request.parent = cert_ref.Parent().RelativeName()
request.requestId = request_utils.GenerateRequestId()
request.validateOnly = args.validate_only
if args.IsSpecified('ca'):
request.issuingCertificateAuthorityId = args.ca
template_ref = args.CONCEPTS.template.Parse()
if template_ref:
if template_ref.locationsId != cert_ref.locationsId:
raise exceptions.InvalidArgumentException(
'--template',
'The certificate template must be in the same location as the '
'issuing CA Pool.')
request.certificate.certificateTemplate = template_ref.RelativeName(
)
if args.csr:
request.certificate.pemCsr = _ReadCsr(args.csr)
else:
request.certificate.config = self._GenerateCertificateConfig(
request, args)
certificate = self.client.projects_locations_caPools_certificates.Create(
request)
# Validate-only certs don't have a resource name or pem certificate.
if args.validate_only:
return certificate
status_message = 'Created Certificate'
if certificate.name:
status_message += ' [{}]'.format(certificate.name)
else:
Create._PrintWarningsForUnpersistedCert(args)
if certificate.pemCertificate:
status_message += ' and saved it to [{}]'.format(
args.cert_output_file)
_WritePemChain(certificate.pemCertificate,
certificate.pemCertificateChain,
args.cert_output_file)
status_message += '.'
log.status.Print(status_message)
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
ca_name = ca_ref.RelativeName()
if args.skip_grace_period:
prompt_message = (
'You are about to delete Certificate Authority [{}] as '
'soon as possible without a 30-day grace period where '
'undeletion would have been allowed. If you proceed, there '
'will be no way to recover this CA.').format(
ca_ref.RelativeName())
else:
prompt_message = (
'You are about to delete Certificate Authority [{}]').format(
ca_ref.RelativeName())
if not console_io.PromptContinue(message=prompt_message, default=True):
log.status.Print('Aborted by user.')
return
current_ca = client.projects_locations_caPools_certificateAuthorities.Get(
messages.
PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest(
name=ca_name))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE,
current_ca,
version='v1')
operation = client.projects_locations_caPools_certificateAuthorities.Delete(
messages.
PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesDeleteRequest(
name=ca_name,
ignoreActiveCertificates=args.ignore_active_certificates,
skipGracePeriod=args.skip_grace_period,
requestId=request_utils.GenerateRequestId()))
try:
ca_response = operations.Await(operation,
'Deleting Subordinate CA',
api_version='v1')
except waiter.OperationError as e:
# API error message refers to the proto field name which is slightly
# different from the gcloud flag name.
raise operations.OperationError(
six.text_type(e).replace(
'`ignore_active_certificates` parameter',
'`--ignore-active-certificates` flag'))
ca = operations.GetMessageFromResponse(ca_response,
messages.CertificateAuthority)
formatted_expire_time = times.ParseDateTime(ca.expireTime).astimezone(
tz.tzutc()).strftime('%Y-%m-%dT%H:%MZ')
if current_ca.state == messages.CertificateAuthority.StateValueValuesEnum.AWAITING_USER_ACTIVATION:
log.status.Print(
'Deleted Subordinate CA [{}]. This CA was never activated and cannot be recovered using `subordinates undelete`.'
.format(ca_name))
elif args.skip_grace_period:
log.status.Print(
'Deleted Subordinate CA [{}]. CA can not be undeleted.'.format(
ca_name))
else:
log.status.Print(
'Deleted Subordinate CA [{}]. CA can be undeleted until {}.'.
format(ca_name, formatted_expire_time))
def Run(self, args):
kms_key_version_ref, ca_ref, issuer_ref = _ParseResourceArgs(args)
kms_key_ref = kms_key_version_ref.Parent()
project_ref = ca_ref.Parent().Parent()
subject_config = flags.ParseSubjectFlags(args, is_ca=True)
issuing_options = flags.ParseIssuingOptions(args)
issuance_policy = flags.ParseIssuancePolicy(args)
reusable_config_wrapper = flags.ParseReusableConfig(args,
ca_ref.locationsId,
is_ca=True)
lifetime = flags.ParseValidityFlag(args)
labels = labels_util.ParseCreateArgs(
args, self.messages.CertificateAuthority.LabelsValue)
iam.CheckCreateCertificateAuthorityPermissions(project_ref,
kms_key_ref)
if issuer_ref:
iam.CheckCreateCertificatePermissions(issuer_ref)
p4sa_email = p4sa.GetOrCreate(project_ref)
bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
new_ca = self.messages.CertificateAuthority(
type=self.messages.CertificateAuthority.TypeValueValuesEnum.
SUBORDINATE,
lifetime=lifetime,
config=self.messages.CertificateConfig(
reusableConfig=reusable_config_wrapper,
subjectConfig=subject_config),
cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
certificatePolicy=issuance_policy,
issuingOptions=issuing_options,
gcsBucket=bucket_ref.bucket,
labels=labels)
operations.Await(
self.client.projects_locations_certificateAuthorities.Create(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId())),
'Creating Certificate Authority.')
csr_response = self.client.projects_locations_certificateAuthorities.GetCsr(
self.messages.
PrivatecaProjectsLocationsCertificateAuthoritiesGetCsrRequest(
name=ca_ref.RelativeName()))
csr = csr_response.pemCsr
if args.create_csr:
files.WriteFileContents(args.csr_output_file, csr)
log.status.Print(
"Created Certificate Authority [{}] and saved CSR to '{}'.".
format(ca_ref.RelativeName(), args.csr_output_file))
return
if issuer_ref:
ca_certificate = self._SignCsr(issuer_ref, csr, lifetime)
self._ActivateCertificateAuthority(ca_ref, ca_certificate)
log.status.Print('Created Certificate Authority [{}].'.format(
ca_ref.RelativeName()))
return
# This should not happen because of the required arg group, but it protects
# us in case of future additions.
raise exceptions.OneOfArgumentsRequiredException([
'--issuer', '--create-csr'
], ('To create a subordinate CA, please provide either an issuer or the '
'--create-csr flag to output a CSR to be signed by another issuer.'
))
