예제 #1
0
    def Run(self, args):
        kms_key_version_ref, ca_ref = self.ParseResourceArgs(args)
        kms_key_ref = kms_key_version_ref.Parent()
        project_ref = ca_ref.Parent().Parent()

        subject_config = flags.ParseSubjectFlags(args, is_ca=True)
        issuing_options = flags.ParseIssuingOptions(args)
        issuance_policy = flags.ParseIssuancePolicy(args)
        reusable_config_wrapper = flags.ParseReusableConfig(args,
                                                            ca_ref.locationsId,
                                                            is_ca=True)
        lifetime = flags.ParseValidityFlag(args)
        labels = labels_util.ParseCreateArgs(
            args, self.messages.CertificateAuthority.LabelsValue)

        iam.CheckCreateCertificateAuthorityPermissions(project_ref,
                                                       kms_key_ref)

        p4sa_email = p4sa.GetOrCreate(project_ref)
        bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)

        p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)

        new_ca = self.messages.CertificateAuthority(
            type=self.messages.CertificateAuthority.TypeValueValuesEnum.
            SELF_SIGNED,
            lifetime=lifetime,
            config=self.messages.CertificateConfig(
                reusableConfig=reusable_config_wrapper,
                subjectConfig=subject_config),
            cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
            certificatePolicy=issuance_policy,
            issuingOptions=issuing_options,
            gcsBucket=bucket_ref.bucket,
            labels=labels)

        operation = self.client.projects_locations_certificateAuthorities.Create(
            self.messages.
            PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
                certificateAuthority=new_ca,
                certificateAuthorityId=ca_ref.Name(),
                parent=ca_ref.Parent().RelativeName(),
                requestId=request_utils.GenerateRequestId()))

        ca_response = operations.Await(operation,
                                       'Creating Certificate Authority.')
        ca = operations.GetMessageFromResponse(
            ca_response, self.messages.CertificateAuthority)

        log.status.Print('Creating the initial Certificate Revocation List.')
        self.client.projects_locations_certificateAuthorities.PublishCrl(
            self.messages.
            PrivatecaProjectsLocationsCertificateAuthoritiesPublishCrlRequest(
                name=ca.name,
                publishCertificateRevocationListRequest=self.messages.
                PublishCertificateRevocationListRequest()))

        log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
예제 #2
0
  def Run(self, args):
    kms_key_version_ref, ca_ref = self.ParseResourceArgs(args)
    kms_key_ref = kms_key_version_ref.Parent()
    project_ref = ca_ref.Parent().Parent()

    common_name, subject = flags.ParseSubject(args.subject)
    subject_alt_names = flags.ParseSanFlags(args)
    issuing_options = flags.ParseIssuingOptions(args)
    issuance_policy = flags.ParseIssuancePolicy(args)
    reusable_config_wrapper = flags.ParseReusableConfig(args)
    lifetime = flags.ParseValidityFlag(args)
    labels = labels_util.ParseCreateArgs(
        args, self.messages.CertificateAuthority.LabelsValue)

    iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)

    p4sa_email = p4sa.GetOrCreate(project_ref)
    bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)

    p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)

    new_ca = self.messages.CertificateAuthority(
        type=self.messages.CertificateAuthority.TypeValueValuesEnum.SELF_SIGNED,
        lifetime=lifetime,
        config=self.messages.CertificateConfig(
            reusableConfig=reusable_config_wrapper,
            subjectConfig=self.messages.SubjectConfig(
                commonName=common_name,
                subject=subject,
                subjectAltName=subject_alt_names)),
        cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
        certificatePolicy=issuance_policy,
        issuingOptions=issuing_options,
        gcsBucket=bucket_ref.bucket,
        labels=labels)

    operation = self.client.projects_locations_certificateAuthorities.Create(
        self.messages
        .PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
            certificateAuthority=new_ca,
            certificateAuthorityId=ca_ref.Name(),
            parent=ca_ref.Parent().RelativeName(),
            requestId=request_utils.GenerateRequestId()))

    return operations.Await(operation, 'Creating Certificate Authority.')
예제 #3
0
    def testCreateBucketCreatesCorrectBucket(self, mock_uuid):
        bucket_uuid = '28657537-369c-41c6-81fe-0212b41cc732'
        expected_bucket_name = 'privateca_content_{}'.format(bucket_uuid)

        mock_uuid.return_value = uuid.UUID(bucket_uuid)
        self.client.buckets.Insert.Expect(
            request=self.messages.StorageBucketsInsertRequest(
                project='foo',
                predefinedDefaultObjectAcl=self.messages.
                StorageBucketsInsertRequest.
                PredefinedDefaultObjectAclValueValuesEnum.publicRead,
                bucket=self.messages.Bucket(
                    name=expected_bucket_name,
                    location='us-west1',
                    versioning=self.messages.Bucket.VersioningValue(
                        enabled=True))),
            response=self.messages.Bucket())

        result = storage.CreateBucketForCertificateAuthority(self.ca_ref)
        self.assertEqual(result,
                         storage_util.BucketReference(expected_bucket_name))
예제 #4
0
    def Run(self, args):
        kms_key_version_ref, ca_ref, issuer_ref = _ParseResourceArgs(args)
        kms_key_ref = kms_key_version_ref.Parent()
        project_ref = ca_ref.Parent().Parent()

        subject_config = flags.ParseSubjectFlags(args, is_ca=True)
        issuing_options = flags.ParseIssuingOptions(args)
        issuance_policy = flags.ParseIssuancePolicy(args)
        reusable_config_wrapper = flags.ParseReusableConfig(args,
                                                            ca_ref.locationsId,
                                                            is_ca=True)
        lifetime = flags.ParseValidityFlag(args)
        labels = labels_util.ParseCreateArgs(
            args, self.messages.CertificateAuthority.LabelsValue)

        iam.CheckCreateCertificateAuthorityPermissions(project_ref,
                                                       kms_key_ref)
        if issuer_ref:
            iam.CheckCreateCertificatePermissions(issuer_ref)

        p4sa_email = p4sa.GetOrCreate(project_ref)
        bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)

        p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)

        new_ca = self.messages.CertificateAuthority(
            type=self.messages.CertificateAuthority.TypeValueValuesEnum.
            SUBORDINATE,
            lifetime=lifetime,
            config=self.messages.CertificateConfig(
                reusableConfig=reusable_config_wrapper,
                subjectConfig=subject_config),
            cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
            certificatePolicy=issuance_policy,
            issuingOptions=issuing_options,
            gcsBucket=bucket_ref.bucket,
            labels=labels)

        operations.Await(
            self.client.projects_locations_certificateAuthorities.Create(
                self.messages.
                PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
                    certificateAuthority=new_ca,
                    certificateAuthorityId=ca_ref.Name(),
                    parent=ca_ref.Parent().RelativeName(),
                    requestId=request_utils.GenerateRequestId())),
            'Creating Certificate Authority.')

        csr_response = self.client.projects_locations_certificateAuthorities.GetCsr(
            self.messages.
            PrivatecaProjectsLocationsCertificateAuthoritiesGetCsrRequest(
                name=ca_ref.RelativeName()))
        csr = csr_response.pemCsr

        if args.create_csr:
            files.WriteFileContents(args.csr_output_file, csr)
            log.status.Print(
                "Created Certificate Authority [{}] and saved CSR to '{}'.".
                format(ca_ref.RelativeName(), args.csr_output_file))
            return

        if issuer_ref:
            ca_certificate = self._SignCsr(issuer_ref, csr, lifetime)
            self._ActivateCertificateAuthority(ca_ref, ca_certificate)
            log.status.Print('Created Certificate Authority [{}].'.format(
                ca_ref.RelativeName()))
            return

        # This should not happen because of the required arg group, but it protects
        # us in case of future additions.
        raise exceptions.OneOfArgumentsRequiredException([
            '--issuer', '--create-csr'
        ], ('To create a subordinate CA, please provide either an issuer or the '
            '--create-csr flag to output a CSR to be signed by another issuer.'
            ))