def Run(self, args): kms_key_version_ref, ca_ref = self.ParseResourceArgs(args) kms_key_ref = kms_key_version_ref.Parent() project_ref = ca_ref.Parent().Parent() subject_config = flags.ParseSubjectFlags(args, is_ca=True) issuing_options = flags.ParseIssuingOptions(args) issuance_policy = flags.ParseIssuancePolicy(args) reusable_config_wrapper = flags.ParseReusableConfig(args, ca_ref.locationsId, is_ca=True) lifetime = flags.ParseValidityFlag(args) labels = labels_util.ParseCreateArgs( args, self.messages.CertificateAuthority.LabelsValue) iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref) p4sa_email = p4sa.GetOrCreate(project_ref) bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref) p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref) new_ca = self.messages.CertificateAuthority( type=self.messages.CertificateAuthority.TypeValueValuesEnum. SELF_SIGNED, lifetime=lifetime, config=self.messages.CertificateConfig( reusableConfig=reusable_config_wrapper, subjectConfig=subject_config), cloudKmsKeyVersion=kms_key_version_ref.RelativeName(), certificatePolicy=issuance_policy, issuingOptions=issuing_options, gcsBucket=bucket_ref.bucket, labels=labels) operation = self.client.projects_locations_certificateAuthorities.Create( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest( certificateAuthority=new_ca, certificateAuthorityId=ca_ref.Name(), parent=ca_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())) ca_response = operations.Await(operation, 'Creating Certificate Authority.') ca = operations.GetMessageFromResponse( ca_response, self.messages.CertificateAuthority) log.status.Print('Creating the initial Certificate Revocation List.') self.client.projects_locations_certificateAuthorities.PublishCrl( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesPublishCrlRequest( name=ca.name, publishCertificateRevocationListRequest=self.messages. PublishCertificateRevocationListRequest())) log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
def Run(self, args): kms_key_version_ref, ca_ref = self.ParseResourceArgs(args) kms_key_ref = kms_key_version_ref.Parent() project_ref = ca_ref.Parent().Parent() common_name, subject = flags.ParseSubject(args.subject) subject_alt_names = flags.ParseSanFlags(args) issuing_options = flags.ParseIssuingOptions(args) issuance_policy = flags.ParseIssuancePolicy(args) reusable_config_wrapper = flags.ParseReusableConfig(args) lifetime = flags.ParseValidityFlag(args) labels = labels_util.ParseCreateArgs( args, self.messages.CertificateAuthority.LabelsValue) iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref) p4sa_email = p4sa.GetOrCreate(project_ref) bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref) p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref) new_ca = self.messages.CertificateAuthority( type=self.messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED, lifetime=lifetime, config=self.messages.CertificateConfig( reusableConfig=reusable_config_wrapper, subjectConfig=self.messages.SubjectConfig( commonName=common_name, subject=subject, subjectAltName=subject_alt_names)), cloudKmsKeyVersion=kms_key_version_ref.RelativeName(), certificatePolicy=issuance_policy, issuingOptions=issuing_options, gcsBucket=bucket_ref.bucket, labels=labels) operation = self.client.projects_locations_certificateAuthorities.Create( self.messages .PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest( certificateAuthority=new_ca, certificateAuthorityId=ca_ref.Name(), parent=ca_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())) return operations.Await(operation, 'Creating Certificate Authority.')
def testCreateBucketCreatesCorrectBucket(self, mock_uuid): bucket_uuid = '28657537-369c-41c6-81fe-0212b41cc732' expected_bucket_name = 'privateca_content_{}'.format(bucket_uuid) mock_uuid.return_value = uuid.UUID(bucket_uuid) self.client.buckets.Insert.Expect( request=self.messages.StorageBucketsInsertRequest( project='foo', predefinedDefaultObjectAcl=self.messages. StorageBucketsInsertRequest. PredefinedDefaultObjectAclValueValuesEnum.publicRead, bucket=self.messages.Bucket( name=expected_bucket_name, location='us-west1', versioning=self.messages.Bucket.VersioningValue( enabled=True))), response=self.messages.Bucket()) result = storage.CreateBucketForCertificateAuthority(self.ca_ref) self.assertEqual(result, storage_util.BucketReference(expected_bucket_name))
def Run(self, args): kms_key_version_ref, ca_ref, issuer_ref = _ParseResourceArgs(args) kms_key_ref = kms_key_version_ref.Parent() project_ref = ca_ref.Parent().Parent() subject_config = flags.ParseSubjectFlags(args, is_ca=True) issuing_options = flags.ParseIssuingOptions(args) issuance_policy = flags.ParseIssuancePolicy(args) reusable_config_wrapper = flags.ParseReusableConfig(args, ca_ref.locationsId, is_ca=True) lifetime = flags.ParseValidityFlag(args) labels = labels_util.ParseCreateArgs( args, self.messages.CertificateAuthority.LabelsValue) iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref) if issuer_ref: iam.CheckCreateCertificatePermissions(issuer_ref) p4sa_email = p4sa.GetOrCreate(project_ref) bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref) p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref) new_ca = self.messages.CertificateAuthority( type=self.messages.CertificateAuthority.TypeValueValuesEnum. SUBORDINATE, lifetime=lifetime, config=self.messages.CertificateConfig( reusableConfig=reusable_config_wrapper, subjectConfig=subject_config), cloudKmsKeyVersion=kms_key_version_ref.RelativeName(), certificatePolicy=issuance_policy, issuingOptions=issuing_options, gcsBucket=bucket_ref.bucket, labels=labels) operations.Await( self.client.projects_locations_certificateAuthorities.Create( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest( certificateAuthority=new_ca, certificateAuthorityId=ca_ref.Name(), parent=ca_ref.Parent().RelativeName(), requestId=request_utils.GenerateRequestId())), 'Creating Certificate Authority.') csr_response = self.client.projects_locations_certificateAuthorities.GetCsr( self.messages. PrivatecaProjectsLocationsCertificateAuthoritiesGetCsrRequest( name=ca_ref.RelativeName())) csr = csr_response.pemCsr if args.create_csr: files.WriteFileContents(args.csr_output_file, csr) log.status.Print( "Created Certificate Authority [{}] and saved CSR to '{}'.". format(ca_ref.RelativeName(), args.csr_output_file)) return if issuer_ref: ca_certificate = self._SignCsr(issuer_ref, csr, lifetime) self._ActivateCertificateAuthority(ca_ref, ca_certificate) log.status.Print('Created Certificate Authority [{}].'.format( ca_ref.RelativeName())) return # This should not happen because of the required arg group, but it protects # us in case of future additions. raise exceptions.OneOfArgumentsRequiredException([ '--issuer', '--create-csr' ], ('To create a subordinate CA, please provide either an issuer or the ' '--create-csr flag to output a CSR to be signed by another issuer.' ))