def Run(self, args): cert_ref = Revoke.ParseCertificateResource(args) if not console_io.PromptContinue( message='You are about to revoke Certificate [{}]'.format( cert_ref.RelativeName()), default=True): log.status.Print('Aborted by user.') return reason = flags_v1.ParseRevocationChoiceToEnum(args.reason) client = privateca_base.GetClientInstance(api_version='v1') messages = privateca_base.GetMessagesModule(api_version='v1') certificate = client.projects_locations_caPools_certificates.Revoke( messages. PrivatecaProjectsLocationsCaPoolsCertificatesRevokeRequest( name=cert_ref.RelativeName(), revokeCertificateRequest=messages.RevokeCertificateRequest( reason=reason, requestId=request_utils.GenerateRequestId()))) revoke_time = times.ParseDateTime( certificate.revocationDetails.revocationTime) log.status.Print('Revoked certificate [{}] at {}.'.format( certificate.name, times.FormatDateTime(revoke_time, tzinfo=times.LOCAL)))
def Run(self, args): client = privateca_base.GetClientInstance(api_version='v1') messages = privateca_base.GetMessagesModule(api_version='v1') ca_ref = args.CONCEPTS.certificate_authority.Parse() ca_name = ca_ref.RelativeName() current_ca = client.projects_locations_caPools_certificateAuthorities.Get( messages. PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest( name=ca_name)) resource_args.CheckExpectedCAType( messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE, current_ca, version='v1') ca_to_update, update_mask = update_utils_v1.UpdateCAFromArgs( args, current_ca.labels) # Patch is the gcloud client lib method to update a CA. operation = client.projects_locations_caPools_certificateAuthorities.Patch( messages. PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesPatchRequest( name=ca_name, certificateAuthority=ca_to_update, updateMask=','.join(update_mask), requestId=request_utils.GenerateRequestId())) return operations.Await(operation, 'Updating Subordinate CA.', api_version='v1')
def Run(self, args): client = privateca_base.GetClientInstance('v1') messages = privateca_base.GetMessagesModule('v1') ca_pool_ref = args.CONCEPTS.ca_pool.Parse() issuance_policy = flags_v1.ParseIssuancePolicy(args) publishing_options = flags_v1.ParsePublishingOptions(args) tier = flags_v1.ParseTierFlag(args) labels = labels_util.ParseCreateArgs(args, messages.CaPool.LabelsValue) new_ca_pool = messages.CaPool(issuancePolicy=issuance_policy, publishingOptions=publishing_options, tier=tier, labels=labels) operation = client.projects_locations_caPools.Create( messages.PrivatecaProjectsLocationsCaPoolsCreateRequest( caPool=new_ca_pool, caPoolId=ca_pool_ref.Name(), parent=ca_pool_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())) ca_pool_response = operations.Await(operation, 'Creating CA Pool.', api_version='v1') ca_pool = operations.GetMessageFromResponse(ca_pool_response, messages.CaPool) log.status.Print('Created CA Pool [{}].'.format(ca_pool.name))
def Run(self, args): client = privateca_base.GetClientInstance(api_version='v1') messages = privateca_base.GetMessagesModule(api_version='v1') template_ref = args.CONCEPTS.certificate_template.Parse() template_name = template_ref.RelativeName() if not console_io.PromptContinue( message='You are about to delete the certificate template [{}]' .format(template_ref.RelativeName()), default=True): log.status.Print('Aborted by user.') return operation = client.projects_locations_certificateTemplates.Delete( messages. PrivatecaProjectsLocationsCertificateTemplatesDeleteRequest( name=template_name, requestId=request_utils.GenerateRequestId())) operations.Await(operation, 'Deleting Certificate Template', api_version='v1') log.status.Print( 'Deleted Certificate Template [{}].'.format(template_name))
def Run(self, args): client = privateca_base.GetClientInstance() messages = privateca_base.GetMessagesModule() ca_ref = args.CONCEPTS.certificate_authority.Parse() current_ca = client.projects_locations_certificateAuthorities.Get( messages. PrivatecaProjectsLocationsCertificateAuthoritiesGetRequest( name=ca_ref.RelativeName())) resource_args.CheckExpectedCAType( messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED, current_ca) ca_to_update, update_mask = update_utils.UpdateCAFromArgs( args, current_ca.labels) operation = client.projects_locations_certificateAuthorities.Patch( messages. PrivatecaProjectsLocationsCertificateAuthoritiesPatchRequest( name=ca_ref.RelativeName(), certificateAuthority=ca_to_update, updateMask=','.join(update_mask), requestId=request_utils.GenerateRequestId())) return operations.Await(operation, 'Updating Root CA.')
def Run(self, args): client = privateca_base.GetClientInstance() messages = privateca_base.GetMessagesModule() ca_ref = args.CONCEPTS.certificate_authority.Parse() if not console_io.PromptContinue( message='You are about to delete Certificate Authority [{}]'. format(ca_ref.RelativeName()), default=True): log.status.Print('Aborted by user.') return current_ca = client.projects_locations_certificateAuthorities.Get( messages. PrivatecaProjectsLocationsCertificateAuthoritiesGetRequest( name=ca_ref.RelativeName())) resource_args.CheckExpectedCAType( messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED, current_ca) operation = client.projects_locations_certificateAuthorities.Delete( messages. PrivatecaProjectsLocationsCertificateAuthoritiesDeleteRequest( name=ca_ref.RelativeName(), requestId=request_utils.GenerateRequestId())) operations.Await(operation, 'Deleting Root CA') log.status.Print('Deleted Root CA [{}].'.format(ca_ref.RelativeName()))
def Run(self, args): client = privateca_base.GetClientInstance() messages = privateca_base.GetMessagesModule() ca_ref = args.CONCEPTS.certificate_authority.Parse() current_ca = client.projects_locations_certificateAuthorities.Get( messages. PrivatecaProjectsLocationsCertificateAuthoritiesGetRequest( name=ca_ref.RelativeName())) resource_args.CheckExpectedCAType( messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE, current_ca) operation = client.projects_locations_certificateAuthorities.Restore( messages. PrivatecaProjectsLocationsCertificateAuthoritiesRestoreRequest( name=ca_ref.RelativeName(), restoreCertificateAuthorityRequest=messages. RestoreCertificateAuthorityRequest( requestId=request_utils.GenerateRequestId()))) operations.Await(operation, 'Restoring Subordinate CA') log.status.Print('Restored Subordinate CA [{}].'.format( ca_ref.RelativeName()))
def Run(self, args): client = privateca_base.GetClientInstance('v1') messages = privateca_base.GetMessagesModule('v1') cert_template_ref = args.CONCEPTS.certificate_template.Parse() flags_v1.ValidateIdentityConstraints(args) new_cert_template = messages.CertificateTemplate( predefinedValues=flags_v1.ParsePredefinedValues(args), identityConstraints=flags_v1.ParseIdentityConstraints(args), passthroughExtensions=flags_v1.ParseExtensionConstraints(args), description=args.description if args.IsSpecified('description') else None) operation = client.projects_locations_certificateTemplates.Create( messages. PrivatecaProjectsLocationsCertificateTemplatesCreateRequest( parent=cert_template_ref.Parent().RelativeName(), certificateTemplateId=cert_template_ref.Name(), certificateTemplate=new_cert_template, requestId=request_utils.GenerateRequestId())) cert_template_response = operations.Await( operation, 'Creating Certificate Template.', api_version='v1') cert_template = operations.GetMessageFromResponse( cert_template_response, messages.CertificateTemplate) log.status.Print('Created Certificate Template [{}].'.format( cert_template.name))
def Run(self, args): cert_ref = _ParseCertificateResource(args) reason = flags.ParseRevocationChoiceToEnum(args.reason) client = privateca_base.GetClientInstance() messages = privateca_base.GetMessagesModule() operation = client.projects_locations_certificateAuthorities_certificates.Revoke( messages. PrivatecaProjectsLocationsCertificateAuthoritiesCertificatesRevokeRequest( name=cert_ref.RelativeName(), revokeCertificateRequest=messages.RevokeCertificateRequest( reason=reason, requestId=request_utils.GenerateRequestId()))) response = operations.Await(operation, 'Revoking Certificate.') certificate = operations.GetMessageFromResponse( response, messages.Certificate) log.status.Print('Publishing a new Certificate Revocation List.') client.projects_locations_certificateAuthorities.PublishCrl( messages. PrivatecaProjectsLocationsCertificateAuthoritiesPublishCrlRequest( name=cert_ref.Parent().RelativeName(), publishCertificateRevocationListRequest=messages. PublishCertificateRevocationListRequest())) revoke_time = times.ParseDateTime( certificate.revocationDetails.revocationTime) log.status.Print('Revoked certificate [{}] at {}.'.format( certificate.name, times.FormatDateTime(revoke_time, tzinfo=times.LOCAL)))
def Run(self, args): client = privateca_base.GetClientInstance(api_version='v1') messages = privateca_base.GetMessagesModule(api_version='v1') ca_ref = args.CONCEPTS.certificate_authority.Parse() current_ca = client.projects_locations_caPools_certificateAuthorities.Get( messages. PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest( name=ca_ref.RelativeName())) resource_args.CheckExpectedCAType( messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED, current_ca, version='v1') operation = client.projects_locations_caPools_certificateAuthorities.Undelete( messages. PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesUndeleteRequest( name=ca_ref.RelativeName(), undeleteCertificateAuthorityRequest=messages. UndeleteCertificateAuthorityRequest( requestId=request_utils.GenerateRequestId()))) operations.Await(operation, 'Undeleting Root CA', api_version='v1') log.status.Print('Undeleted Root CA [{}].'.format( ca_ref.RelativeName()))
def Run(self, args): new_ca, ca_ref, _ = create_utils.CreateCAFromArgs( args, is_subordinate=False) project_ref = ca_ref.Parent().Parent() key_version_ref = args.CONCEPTS.kms_key_version.Parse() kms_key_ref = key_version_ref.Parent() if key_version_ref else None iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref) bucket_ref = None if args.IsSpecified('bucket'): bucket_ref = storage.ValidateBucketForCertificateAuthority(args.bucket) new_ca.gcsBucket = bucket_ref.bucket p4sa_email = p4sa.GetOrCreate(project_ref) p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref) create_utils.PrintBetaResourceDeletionDisclaimer('certificate authorities') operation = self.client.projects_locations_certificateAuthorities.Create( self.messages .PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest( certificateAuthority=new_ca, certificateAuthorityId=ca_ref.Name(), parent=ca_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())) ca_response = operations.Await(operation, 'Creating Certificate Authority.') ca = operations.GetMessageFromResponse(ca_response, self.messages.CertificateAuthority) log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
def Run(self, args): kms_key_version_ref, ca_ref = self.ParseResourceArgs(args) kms_key_ref = kms_key_version_ref.Parent() project_ref = ca_ref.Parent().Parent() subject_config = flags.ParseSubjectFlags(args, is_ca=True) issuing_options = flags.ParseIssuingOptions(args) issuance_policy = flags.ParseIssuancePolicy(args) reusable_config_wrapper = flags.ParseReusableConfig(args, ca_ref.locationsId, is_ca=True) lifetime = flags.ParseValidityFlag(args) labels = labels_util.ParseCreateArgs( args, self.messages.CertificateAuthority.LabelsValue) iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref) p4sa_email = p4sa.GetOrCreate(project_ref) bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref) p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref) new_ca = self.messages.CertificateAuthority( type=self.messages.CertificateAuthority.TypeValueValuesEnum. SELF_SIGNED, lifetime=lifetime, config=self.messages.CertificateConfig( reusableConfig=reusable_config_wrapper, subjectConfig=subject_config), cloudKmsKeyVersion=kms_key_version_ref.RelativeName(), certificatePolicy=issuance_policy, issuingOptions=issuing_options, gcsBucket=bucket_ref.bucket, labels=labels) operation = self.client.projects_locations_certificateAuthorities.Create( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest( certificateAuthority=new_ca, certificateAuthorityId=ca_ref.Name(), parent=ca_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())) ca_response = operations.Await(operation, 'Creating Certificate Authority.') ca = operations.GetMessageFromResponse( ca_response, self.messages.CertificateAuthority) log.status.Print('Creating the initial Certificate Revocation List.') self.client.projects_locations_certificateAuthorities.PublishCrl( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesPublishCrlRequest( name=ca.name, publishCertificateRevocationListRequest=self.messages. PublishCertificateRevocationListRequest())) log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
def Run(self, args): new_ca, ca_ref, issuer_ref = create_utils.CreateCAFromArgs( args, is_subordinate=True) project_ref = ca_ref.Parent().Parent() key_version_ref = args.CONCEPTS.kms_key_version.Parse() kms_key_ref = key_version_ref.Parent() if key_version_ref else None iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref) if issuer_ref: iam.CheckCreateCertificatePermissions(issuer_ref) # Pro-actively look for issuing CA issues to avoid downstream issues. create_utils.ValidateIssuingCA(issuer_ref.RelativeName()) bucket_ref = None if args.IsSpecified('bucket'): bucket_ref = storage.ValidateBucketForCertificateAuthority( args.bucket) new_ca.gcsBucket = bucket_ref.bucket p4sa_email = p4sa.GetOrCreate(project_ref) p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref) create_utils.PrintBetaResourceDeletionDisclaimer( 'certificate authorities') operations.Await( self.client.projects_locations_certificateAuthorities.Create( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest( certificateAuthority=new_ca, certificateAuthorityId=ca_ref.Name(), parent=ca_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())), 'Creating Certificate Authority.') csr_response = self.client.projects_locations_certificateAuthorities.Fetch( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesFetchRequest( name=ca_ref.RelativeName())) csr = csr_response.pemCsr if args.create_csr: files.WriteFileContents(args.csr_output_file, csr) log.status.Print( "Created Certificate Authority [{}] and saved CSR to '{}'.". format(ca_ref.RelativeName(), args.csr_output_file)) return if issuer_ref: ca_certificate = self._SignCsr(issuer_ref, csr, new_ca.lifetime) self._ActivateCertificateAuthority(ca_ref, ca_certificate.pemCertificate, issuer_ref) log.status.Print('Created Certificate Authority [{}].'.format( ca_ref.RelativeName())) return
def _EnableCertificateAuthority(self, ca_name): """Enables the given CA.""" enable_request = self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesEnableRequest( name=ca_name, enableCertificateAuthorityRequest=self.messages .EnableCertificateAuthorityRequest( requestId=request_utils.GenerateRequestId())) operation = self.client.projects_locations_caPools_certificateAuthorities.Enable( enable_request) return operations.Await(operation, 'Enabling CA.', api_version='v1')
def _CreateOrUpdateTemplate(self, project, location, template_id, template, overwrite): """Returns an LRO for a Create or Update operation for the given template. Args: project: str, the project ID or number for the new template. location: str, the location for the new template. template_id: str, the resource ID for the new template. template: object, the body of the new template. overwrite: bool, whether to overwrite existing templates with the same ID. Raises: ReplicationError, if the template could not be replicated to this location. """ parent = 'projects/{}/locations/{}'.format(project, location) resource_name = '{}/certificateTemplates/{}'.format(parent, template_id) try: return self.client.projects_locations_certificateTemplates.Create( self.messages .PrivatecaProjectsLocationsCertificateTemplatesCreateRequest( parent=parent, certificateTemplateId=template_id, certificateTemplate=template, requestId=request_utils.GenerateRequestId())) except api_exceptions.HttpConflictError as e: if not overwrite: raise ReplicationError( location, 'Certificate template [{}] already exists and the --overwrite flag ' 'was not set.'.format(resource_name)) return self.client.projects_locations_certificateTemplates.Patch( self.messages .PrivatecaProjectsLocationsCertificateTemplatesPatchRequest( name=resource_name, certificateTemplate=template, # Always copy all fields. Mask value of '*' doesn't seem to be # currently supported by CCFE. updateMask='predefined_values,identity_constraints,passthrough_extensions,description,labels', requestId=request_utils.GenerateRequestId())) except api_exceptions.HttpError as e: raise ReplicationError(location, six.text_type(e))
def Run(self, args): self.client = privateca_base.GetClientInstance() self.messages = privateca_base.GetMessagesModule() cert_ref = args.CONCEPTS.certificate.Parse() issuing_ca = self._GetIssuingCa(cert_ref.Parent().RelativeName()) if issuing_ca.tier == self.messages.CertificateAuthority.TierValueValuesEnum.DEVOPS: CreateBeta._ValidateArgsForDevOpsIssuer(args) labels = labels_util.ParseCreateArgs( args, self.messages.Certificate.LabelsValue) request = self.messages.PrivatecaProjectsLocationsCertificateAuthoritiesCertificatesCreateRequest( ) request.certificate = self.messages.Certificate() request.certificateId = cert_ref.Name() request.certificate.lifetime = flags.ParseValidityFlag(args) request.certificate.labels = labels request.parent = cert_ref.Parent().RelativeName() request.requestId = request_utils.GenerateRequestId() # TODO(b/12345): only show this for Enterprise certs. create_utils.PrintBetaResourceDeletionDisclaimer('certificates') if args.csr: request.certificate.pemCsr = _ReadCsr(args.csr) elif args.generate_key: request.certificate.config = self._GenerateCertificateConfig( request, args, cert_ref.locationsId) else: # This should not happen because of the required arg group, but protects # in case of future additions. raise exceptions.OneOfArgumentsRequiredException( ['--csr', '--generate-key'], ('To create a certificate, please specify either a CSR or the ' '--generate-key flag to create a new key.')) certificate = self.client.projects_locations_certificateAuthorities_certificates.Create( request) status_message = 'Created Certificate' # DevOps certs won't have a name. if certificate.name: status_message += ' [{}]'.format(certificate.name) if args.IsSpecified('cert_output_file'): status_message += ' and saved it to [{}]'.format( args.cert_output_file) _WritePemChain(certificate.pemCertificate, certificate.pemCertificateChain, args.cert_output_file) status_message += '.' log.status.Print(status_message)
def _SignCsr(self, issuer_ref, csr, lifetime): """Issues a certificate under the given issuer with the given settings.""" certificate_id = 'subordinate-{}'.format(certificate_utils.GenerateCertId()) certificate_name = '{}/certificates/{}'.format(issuer_ref.RelativeName(), certificate_id) cert_request = self.messages.PrivatecaProjectsLocationsCertificateAuthoritiesCertificatesCreateRequest( certificateId=certificate_id, parent=issuer_ref.RelativeName(), requestId=request_utils.GenerateRequestId(), certificate=self.messages.Certificate( name=certificate_name, lifetime=lifetime, pemCsr=csr)) return self.client.projects_locations_certificateAuthorities_certificates.Create( cert_request)
def _GetRootCerts(self, ca_pool_ref): """Returns the root CA certs for all active CAs in the CA pool.""" client = privateca_base.GetClientInstance('v1') messages = privateca_base.GetMessagesModule('v1') fetch_ca_certs_response = client.projects_locations_caPools.FetchCaCerts( messages.PrivatecaProjectsLocationsCaPoolsFetchCaCertsRequest( caPool=ca_pool_ref.RelativeName(), fetchCaCertsRequest=messages.FetchCaCertsRequest( requestId=request_utils.GenerateRequestId()))) root_certs = [ chain.certificates[-1] for chain in fetch_ca_certs_response.caCerts ] return ''.join(pem_utils.PemChainForOutput(root_certs))
def Run(self, args): client = privateca_base.GetClientInstance() messages = privateca_base.GetMessagesModule() cert_ref = args.CONCEPTS.certificate.Parse() if not cert_ref: raise exceptions.InvalidArgumentException( 'CERTIFICATE', 'A certificate resource must be specified.') labels = labels_util.ParseCreateArgs(args, messages.Certificate.LabelsValue) request = messages.PrivatecaProjectsLocationsCertificateAuthoritiesCertificatesCreateRequest( ) request.certificate = messages.Certificate() request.certificateId = cert_ref.Name() request.certificate.name = cert_ref.RelativeName() request.certificate.lifetime = flags.ParseValidityFlag(args) request.certificate.labels = labels request.parent = cert_ref.Parent().RelativeName() request.requestId = request_utils.GenerateRequestId() if args.csr: request.certificate.pemCsr = self._ReadCsr(request, args.csr) elif args.generate_key: request.certificate.config = self._GenerateCertificateConfig( request, args, cert_ref.locationsId) else: # This should not happen because of the required arg group, but protects # in case of future additions. raise exceptions.OneOfArgumentsRequiredException( ['--csr', '--generate-key'], ('To create a certificate, please specify either a CSR or the ' '--generate-key flag to create a new key.')) operation = client.projects_locations_certificateAuthorities_certificates.Create( request) cert_response = operations.Await(operation, 'Creating Certificate.') certificate = operations.GetMessageFromResponse( cert_response, messages.Certificate) if args.IsSpecified('cert_output_file'): self._WritePemChain(certificate.pemCertificate, certificate.pemCertificateChain, args.cert_output_file) log.status.Print('Created Certificate [{}].'.format(certificate.name))
def Run(self, args): kms_key_version_ref, ca_ref = self.ParseResourceArgs(args) kms_key_ref = kms_key_version_ref.Parent() project_ref = ca_ref.Parent().Parent() common_name, subject = flags.ParseSubject(args.subject) subject_alt_names = flags.ParseSanFlags(args) issuing_options = flags.ParseIssuingOptions(args) issuance_policy = flags.ParseIssuancePolicy(args) reusable_config_wrapper = flags.ParseReusableConfig(args) lifetime = flags.ParseValidityFlag(args) labels = labels_util.ParseCreateArgs( args, self.messages.CertificateAuthority.LabelsValue) iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref) p4sa_email = p4sa.GetOrCreate(project_ref) bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref) p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref) new_ca = self.messages.CertificateAuthority( type=self.messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED, lifetime=lifetime, config=self.messages.CertificateConfig( reusableConfig=reusable_config_wrapper, subjectConfig=self.messages.SubjectConfig( commonName=common_name, subject=subject, subjectAltName=subject_alt_names)), cloudKmsKeyVersion=kms_key_version_ref.RelativeName(), certificatePolicy=issuance_policy, issuingOptions=issuing_options, gcsBucket=bucket_ref.bucket, labels=labels) operation = self.client.projects_locations_certificateAuthorities.Create( self.messages .PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest( certificateAuthority=new_ca, certificateAuthorityId=ca_ref.Name(), parent=ca_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())) return operations.Await(operation, 'Creating Certificate Authority.')
def Run(self, args): client = privateca_base.GetClientInstance() messages = privateca_base.GetMessagesModule() ca_ref = args.CONCEPTS.certificate_authority.Parse() if not console_io.PromptContinue( message= 'You are about to schedule Certificate Authority [{}] for deletion in 30 days' .format(ca_ref.RelativeName()), default=True): log.status.Print('Aborted by user.') return current_ca = client.projects_locations_certificateAuthorities.Get( messages. PrivatecaProjectsLocationsCertificateAuthoritiesGetRequest( name=ca_ref.RelativeName())) resource_args.CheckExpectedCAType( messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE, current_ca) operation = client.projects_locations_certificateAuthorities.ScheduleDelete( messages. PrivatecaProjectsLocationsCertificateAuthoritiesScheduleDeleteRequest( name=ca_ref.RelativeName(), scheduleDeleteCertificateAuthorityRequest=messages. ScheduleDeleteCertificateAuthorityRequest( ignoreActiveCertificates=args.ignore_active_certificates, requestId=request_utils.GenerateRequestId()))) ca_response = operations.Await( operation, 'Scheduling Subordinate CA for deletion') ca = operations.GetMessageFromResponse(ca_response, messages.CertificateAuthority) formatted_deletion_time = times.ParseDateTime( ca.deleteTime).astimezone(tz.tzutc()).strftime('%Y-%m-%dT%H:%MZ') log.status.Print( 'Scheduled Subordinate CA [{}] for deletion at {}.'.format( ca_ref.RelativeName(), formatted_deletion_time))
def _RunUpdate(self, client, messages, original_cert, args): # Collect the list of update masks labels_diff = labels_util.GetAndValidateOpsFromArgs(args) labels_update = labels_diff.Apply(messages.Certificate.LabelsValue, original_cert.labels) if not labels_update.needs_update: raise exceptions.InvalidArgumentException( 'labels', self.NO_CHANGES_MESSAGE.format(certificate=original_cert.name)) original_cert.labels = labels_update.labels return client.projects_locations_caPools_certificates.Patch( messages.PrivatecaProjectsLocationsCaPoolsCertificatesPatchRequest( name=original_cert.name, certificate=original_cert, updateMask='labels', requestId=request_utils.GenerateRequestId()))
def Run(self, args): client = privateca_base.GetClientInstance('v1') messages = privateca_base.GetMessagesModule('v1') ca_pool_ref = args.CONCEPTS.ca_pool.Parse() current_ca_pool = client.projects_locations_caPools.Get( messages.PrivatecaProjectsLocationsCaPoolsGetRequest( name=ca_pool_ref.RelativeName())) pool_to_update, update_mask = update_utils_v1.UpdateCaPoolFromArgs( args, current_ca_pool.labels) operation = client.projects_locations_caPools.Patch( messages.PrivatecaProjectsLocationsCaPoolsPatchRequest( name=ca_pool_ref.RelativeName(), caPool=pool_to_update, updateMask=','.join(update_mask), requestId=request_utils.GenerateRequestId())) return operations.Await(operation, 'Updating CA pool.', api_version='v1')
def Run(self, args): client = privateca_base.GetClientInstance('v1') messages = privateca_base.GetMessagesModule('v1') cert_template_ref = args.CONCEPTS.certificate_template.Parse() template_name = cert_template_ref.RelativeName() current_cert_template = client.projects_locations_certificateTemplates.Get( messages.PrivatecaProjectsLocationsCertificateTemplatesGetRequest( name=template_name)) cert_template_to_update, update_mask = self._UpdateCertificateTemplateFromArgs( args, current_cert_template.labels) # Confirm that the result of this update is intended to be identity # reflection, if applicable. flags_v1.ValidateIdentityConstraints( args, existing_copy_subj=current_cert_template.identityConstraints. allowSubjectPassthrough, existing_copy_sans=current_cert_template.identityConstraints. allowSubjectAltNamesPassthrough, for_update=True) operation = client.projects_locations_certificateTemplates.Patch( messages. PrivatecaProjectsLocationsCertificateTemplatesPatchRequest( name=template_name, certificateTemplate=cert_template_to_update, updateMask=','.join(update_mask), requestId=request_utils.GenerateRequestId())) cert_template_response = operations.Await( operation, 'Updating Certificate Template.', api_version='v1') cert_template = operations.GetMessageFromResponse( cert_template_response, messages.CertificateTemplate) log.status.Print('Updated Certificate Template [{}].'.format( cert_template.name))
def Run(self, args): client = privateca_base.GetClientInstance('v1') messages = privateca_base.GetMessagesModule('v1') ca_pool_ref = args.CONCEPTS.ca_pool.Parse() if not console_io.PromptContinue( message='You are about to delete the CA pool [{}]'.format( ca_pool_ref.RelativeName()), default=True): log.status.Print('Aborted by user.') return operation = client.projects_locations_caPools.Delete( messages.PrivatecaProjectsLocationsCaPoolsDeleteRequest( name=ca_pool_ref.RelativeName(), requestId=request_utils.GenerateRequestId())) operations.Await(operation, 'Deleting the CA pool', api_version='v1') log.status.Print('Deleted the CA pool [{}].'.format( ca_pool_ref.RelativeName()))
def AddRequestIdHook(unused_ref, unused_args, request): """Fills a unique identifier for a request with a requestId field.""" request.requestId = request_utils.GenerateRequestId() return request
def Run(self, args): new_ca, ca_ref, issuer_ref = create_utils_v1.CreateCAFromArgs( args, is_subordinate=True) # Retrive the Project reference from the Parent -> Location -> Pool -> CA # resource structure. project_ref = ca_ref.Parent().Parent().Parent() key_version_ref = args.CONCEPTS.kms_key_version.Parse() kms_key_ref = key_version_ref.Parent() if key_version_ref else None if not args.IsSpecified('issuer_pool') and args.IsSpecified('auto_enable'): raise exceptions.InvalidArgumentException([ '--auto-enable' ], ('The \'--auto-enable\' is only supported in the create command if an ' 'issuer resource is specified. You can use the \'--auto-enable\' ' 'command in the subordinate CA activate command.')) if args.issuer_pool == args.pool: if not console_io.PromptContinue( message='The new CA will be in the same CA pool as the issuer CA. All' ' certificate authorities within a CA pool should be interchangeable.' ' Do you want to continue?', default=True): log.status.Print('Aborted by user.') return iam_v1.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref) if issuer_ref: iam_v1.CheckCreateCertificatePermissions(issuer_ref) # Proactively look for issuing CA Pool problems to avoid downstream # issues. issuer_ca = args.issuer_ca if args.IsSpecified('issuer_ca') else None create_utils_v1.ValidateIssuingPool(issuer_ref.RelativeName(), issuer_ca) bucket_ref = None if args.IsSpecified('bucket'): bucket_ref = storage.ValidateBucketForCertificateAuthority(args.bucket) new_ca.gcsBucket = bucket_ref.bucket p4sa_email = p4sa.GetOrCreate(project_ref) p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref) operations.Await( self.client.projects_locations_caPools_certificateAuthorities.Create( self.messages. PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesCreateRequest( certificateAuthority=new_ca, certificateAuthorityId=ca_ref.Name(), parent=ca_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())), 'Creating Certificate Authority.', api_version='v1') csr_response = self.client.projects_locations_caPools_certificateAuthorities.Fetch( self.messages .PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesFetchRequest( name=ca_ref.RelativeName())) csr = csr_response.pemCsr if args.create_csr: files.WriteFileContents(args.csr_output_file, csr) log.status.Print( "Created Certificate Authority [{}] and saved CSR to '{}'.".format( ca_ref.RelativeName(), args.csr_output_file)) return if issuer_ref: issuer_ca = args.issuer_ca if args.IsSpecified('issuer_ca') else None ca_certificate = self._SignCsr(issuer_ref, csr, new_ca.lifetime, issuer_ca) self._ActivateCertificateAuthority( ca_ref.RelativeName(), ca_certificate.pemCertificate, ca_certificate.issuerCertificateAuthority) log.status.Print('Created Certificate Authority [{}].'.format( ca_ref.RelativeName())) if self._ShouldEnableCa(args, ca_ref): self._EnableCertificateAuthority(ca_ref.RelativeName()) return
def Run(self, args): self.client = privateca_base.GetClientInstance(api_version='v1') self.messages = privateca_base.GetMessagesModule(api_version='v1') self._ValidateArgs(args) cert_ref = args.CONCEPTS.certificate.Parse() labels = labels_util.ParseCreateArgs( args, self.messages.Certificate.LabelsValue) request = self.messages.PrivatecaProjectsLocationsCaPoolsCertificatesCreateRequest( ) request.certificate = self.messages.Certificate() request.certificateId = cert_ref.Name() request.certificate.lifetime = flags_v1.ParseValidityFlag(args) request.certificate.labels = labels request.parent = cert_ref.Parent().RelativeName() request.requestId = request_utils.GenerateRequestId() request.validateOnly = args.validate_only if args.IsSpecified('ca'): request.issuingCertificateAuthorityId = args.ca template_ref = args.CONCEPTS.template.Parse() if template_ref: if template_ref.locationsId != cert_ref.locationsId: raise exceptions.InvalidArgumentException( '--template', 'The certificate template must be in the same location as the ' 'issuing CA Pool.') request.certificate.certificateTemplate = template_ref.RelativeName( ) if args.csr: request.certificate.pemCsr = _ReadCsr(args.csr) else: request.certificate.config = self._GenerateCertificateConfig( request, args) certificate = self.client.projects_locations_caPools_certificates.Create( request) # Validate-only certs don't have a resource name or pem certificate. if args.validate_only: return certificate status_message = 'Created Certificate' if certificate.name: status_message += ' [{}]'.format(certificate.name) else: Create._PrintWarningsForUnpersistedCert(args) if certificate.pemCertificate: status_message += ' and saved it to [{}]'.format( args.cert_output_file) _WritePemChain(certificate.pemCertificate, certificate.pemCertificateChain, args.cert_output_file) status_message += '.' log.status.Print(status_message)
def Run(self, args): client = privateca_base.GetClientInstance(api_version='v1') messages = privateca_base.GetMessagesModule(api_version='v1') ca_ref = args.CONCEPTS.certificate_authority.Parse() ca_name = ca_ref.RelativeName() if args.skip_grace_period: prompt_message = ( 'You are about to delete Certificate Authority [{}] as ' 'soon as possible without a 30-day grace period where ' 'undeletion would have been allowed. If you proceed, there ' 'will be no way to recover this CA.').format( ca_ref.RelativeName()) else: prompt_message = ( 'You are about to delete Certificate Authority [{}]').format( ca_ref.RelativeName()) if not console_io.PromptContinue(message=prompt_message, default=True): log.status.Print('Aborted by user.') return current_ca = client.projects_locations_caPools_certificateAuthorities.Get( messages. PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest( name=ca_name)) resource_args.CheckExpectedCAType( messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE, current_ca, version='v1') operation = client.projects_locations_caPools_certificateAuthorities.Delete( messages. PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesDeleteRequest( name=ca_name, ignoreActiveCertificates=args.ignore_active_certificates, skipGracePeriod=args.skip_grace_period, requestId=request_utils.GenerateRequestId())) try: ca_response = operations.Await(operation, 'Deleting Subordinate CA', api_version='v1') except waiter.OperationError as e: # API error message refers to the proto field name which is slightly # different from the gcloud flag name. raise operations.OperationError( six.text_type(e).replace( '`ignore_active_certificates` parameter', '`--ignore-active-certificates` flag')) ca = operations.GetMessageFromResponse(ca_response, messages.CertificateAuthority) formatted_expire_time = times.ParseDateTime(ca.expireTime).astimezone( tz.tzutc()).strftime('%Y-%m-%dT%H:%MZ') if current_ca.state == messages.CertificateAuthority.StateValueValuesEnum.AWAITING_USER_ACTIVATION: log.status.Print( 'Deleted Subordinate CA [{}]. This CA was never activated and cannot be recovered using `subordinates undelete`.' .format(ca_name)) elif args.skip_grace_period: log.status.Print( 'Deleted Subordinate CA [{}]. CA can not be undeleted.'.format( ca_name)) else: log.status.Print( 'Deleted Subordinate CA [{}]. CA can be undeleted until {}.'. format(ca_name, formatted_expire_time))
def Run(self, args): kms_key_version_ref, ca_ref, issuer_ref = _ParseResourceArgs(args) kms_key_ref = kms_key_version_ref.Parent() project_ref = ca_ref.Parent().Parent() subject_config = flags.ParseSubjectFlags(args, is_ca=True) issuing_options = flags.ParseIssuingOptions(args) issuance_policy = flags.ParseIssuancePolicy(args) reusable_config_wrapper = flags.ParseReusableConfig(args, ca_ref.locationsId, is_ca=True) lifetime = flags.ParseValidityFlag(args) labels = labels_util.ParseCreateArgs( args, self.messages.CertificateAuthority.LabelsValue) iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref) if issuer_ref: iam.CheckCreateCertificatePermissions(issuer_ref) p4sa_email = p4sa.GetOrCreate(project_ref) bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref) p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref) new_ca = self.messages.CertificateAuthority( type=self.messages.CertificateAuthority.TypeValueValuesEnum. SUBORDINATE, lifetime=lifetime, config=self.messages.CertificateConfig( reusableConfig=reusable_config_wrapper, subjectConfig=subject_config), cloudKmsKeyVersion=kms_key_version_ref.RelativeName(), certificatePolicy=issuance_policy, issuingOptions=issuing_options, gcsBucket=bucket_ref.bucket, labels=labels) operations.Await( self.client.projects_locations_certificateAuthorities.Create( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest( certificateAuthority=new_ca, certificateAuthorityId=ca_ref.Name(), parent=ca_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())), 'Creating Certificate Authority.') csr_response = self.client.projects_locations_certificateAuthorities.GetCsr( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesGetCsrRequest( name=ca_ref.RelativeName())) csr = csr_response.pemCsr if args.create_csr: files.WriteFileContents(args.csr_output_file, csr) log.status.Print( "Created Certificate Authority [{}] and saved CSR to '{}'.". format(ca_ref.RelativeName(), args.csr_output_file)) return if issuer_ref: ca_certificate = self._SignCsr(issuer_ref, csr, lifetime) self._ActivateCertificateAuthority(ca_ref, ca_certificate) log.status.Print('Created Certificate Authority [{}].'.format( ca_ref.RelativeName())) return # This should not happen because of the required arg group, but it protects # us in case of future additions. raise exceptions.OneOfArgumentsRequiredException([ '--issuer', '--create-csr' ], ('To create a subordinate CA, please provide either an issuer or the ' '--create-csr flag to output a CSR to be signed by another issuer.' ))