    def testSubjectKeyValStrip(self):
        """Whitespace around ',' and '=' in --subject must not leak into values.

        The same DN is parsed three ways: with no padding, with padding on
        both sides of the first separator, and with a space after every comma.
        Every variant must yield identical, trimmed attribute values.
        """
        flags.AddSubjectFlags(self.parser)
        dn_variants = (
            'CN=google.com,C=US,ST=Washington',
            'CN=google.com , C=US,ST=Washington',
            'CN=google.com, C=US, ST=Washington',
        )
        for dn in dn_variants:
            parsed = self.parser.parse_args(['--subject', dn])
            parsed_config = flags.ParseSubjectFlags(parsed, is_ca=False)
            self.assertEqual(parsed_config.commonName, 'google.com')
            self.assertEqual(parsed_config.subject.countryCode, 'US')
            self.assertEqual(parsed_config.subject.province, 'Washington')
    def Run(self, args):
        """Create a self-signed (root) Certificate Authority and publish its first CRL.

        Order of operations matters here: every flag is parsed and the IAM
        pre-check runs before any resource (P4SA, bucket, CA) is created, so a
        caller lacking permission fails without leaving partial state behind.

        Args:
          args: Parsed command-line arguments, including the KMS key version,
            CA resource, subject, issuance and validity flags.

        Returns:
          None. The created CA name is printed to the status stream.
        """
        # kms_key_version_ref -> key version the CA signs with; ca_ref -> CA resource.
        kms_key_version_ref, ca_ref = self.ParseResourceArgs(args)
        kms_key_ref = kms_key_version_ref.Parent()
        # CA path is projects/*/locations/*/certificateAuthorities/*, so two
        # Parent() hops reach the project.
        project_ref = ca_ref.Parent().Parent()

        # Fail fast on malformed input: all parsing happens before any API write.
        subject_config = flags.ParseSubjectFlags(args, is_ca=True)
        issuing_options = flags.ParseIssuingOptions(args)
        issuance_policy = flags.ParseIssuancePolicy(args)
        reusable_config_wrapper = flags.ParseReusableConfig(args,
                                                            ca_ref.locationsId,
                                                            is_ca=True)
        lifetime = flags.ParseValidityFlag(args)
        labels = labels_util.ParseCreateArgs(
            args, self.messages.CertificateAuthority.LabelsValue)

        # Verify the caller may create a CA in this project with this KMS key
        # before creating the service account or bucket below.
        iam.CheckCreateCertificateAuthorityPermissions(project_ref,
                                                       kms_key_ref)

        # Service-managed identity and CRL/cert bucket backing the CA.
        p4sa_email = p4sa.GetOrCreate(project_ref)
        bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)

        # Presumably grants the P4SA the roles it needs on the key and bucket;
        # the exact bindings live in p4sa.AddResourceRoleBindings.
        p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)

        new_ca = self.messages.CertificateAuthority(
            type=self.messages.CertificateAuthority.TypeValueValuesEnum.
            SELF_SIGNED,
            lifetime=lifetime,
            config=self.messages.CertificateConfig(
                reusableConfig=reusable_config_wrapper,
                subjectConfig=subject_config),
            cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
            certificatePolicy=issuance_policy,
            issuingOptions=issuing_options,
            gcsBucket=bucket_ref.bucket,
            labels=labels)

        # requestId is a fresh value per invocation; presumably lets the backend
        # de-duplicate retried Create calls.
        operation = self.client.projects_locations_certificateAuthorities.Create(
            self.messages.
            PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
                certificateAuthority=new_ca,
                certificateAuthorityId=ca_ref.Name(),
                parent=ca_ref.Parent().RelativeName(),
                requestId=request_utils.GenerateRequestId()))

        # Block on the long-running operation and unpack the resulting CA.
        ca_response = operations.Await(operation,
                                       'Creating Certificate Authority.')
        ca = operations.GetMessageFromResponse(
            ca_response, self.messages.CertificateAuthority)

        # A CA without a published CRL cannot be checked for revocations by
        # relying parties, so publish an (empty) one immediately.
        log.status.Print('Creating the initial Certificate Revocation List.')
        self.client.projects_locations_certificateAuthorities.PublishCrl(
            self.messages.
            PrivatecaProjectsLocationsCertificateAuthoritiesPublishCrlRequest(
                name=ca.name,
                publishCertificateRevocationListRequest=self.messages.
                PublishCertificateRevocationListRequest()))

        log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
 def testSubjectNoNameFailure(self):
     """A --subject with every attribute except CN is rejected.

     The error must mention the offending flag ('subject') so the user can
     tell which input to fix.
     """
     flags.AddSubjectFlags(self.parser)
     dn_without_cn = 'C=US, ST=Washington, L=Kirkland, O=Google LLC, OU=Cloud, postalCode=98033, streetAddress=6th Ave'
     parsed = self.parser.parse_args(['--subject', dn_without_cn])
     with self.AssertRaisesExceptionMatches(
             exceptions.InvalidArgumentException, 'subject'):
         flags.ParseSubjectFlags(parsed, is_ca=False)
 def testSubjectFlagNoOrganizationFailure(self):
     """For a CA subject, omitting O= is an error that names 'organization'."""
     flags.AddSubjectFlags(self.parser)
     dn_without_org = 'CN=google.com, C=US, ST=Washington, L=Kirkland, OU=Cloud, postalCode=98033, streetAddress=6th Ave'
     # parse_args stays inside the context manager, as in the original
     # layout, so the assertion covers the whole parse-then-validate path.
     with self.AssertRaisesExceptionMatches(
             exceptions.InvalidArgumentException, 'organization'):
         parsed = self.parser.parse_args(['--subject', dn_without_org])
         flags.ParseSubjectFlags(parsed, is_ca=True)
 def testSubjectParsePartialFields(self):
     """Attributes given in --subject are populated even when most are omitted."""
     flags.AddSubjectFlags(self.parser)
     parsed = self.parser.parse_args(
         ['--subject', 'O=Google LLC,CN=google.com,OU=Cloud'])
     parsed_config = flags.ParseSubjectFlags(parsed, is_ca=False)
     self.assertEqual(parsed_config.commonName, 'google.com')
     expected_subject = (
         ('organization', 'Google LLC'),
         ('organizationalUnit', 'Cloud'),
     )
     for attr, want in expected_subject:
         self.assertEqual(getattr(parsed_config.subject, attr), want)
 def testSubjectFlagInvalidKey(self):
     """An unknown attribute key ('LU=') in --subject is rejected with a clear message."""
     flags.AddSubjectFlags(self.parser)
     dn_with_bad_key = 'C=US, CN=something, ST=Washington, LU=Kirkland, O=Google LLC, OU=Cloud, postalCode=98033, streetAddress=6th Ave'
     expected_message = (
         'Invalid value for [--subject]: Unrecognized subject attribute.')
     # parse_args is kept inside the context manager so the assertion spans
     # parsing as well as validation, matching the original structure.
     with self.AssertRaisesExceptionMatches(Exception, expected_message):
         parsed = self.parser.parse_args(['--subject', dn_with_bad_key])
         flags.ParseSubjectFlags(parsed, is_ca=False)
    def _GenerateCertificateConfig(self, request, args, location):
        """Build a CertificateConfig around a freshly generated RSA key pair.

        A 2048-bit RSA key is generated locally; the private half is written
        to args.key_output_file and only the public half is placed in the
        returned config.

        Args:
          request: Not used by this method; kept for the caller's signature.
          args: Parsed command-line arguments (key_output_file, is_ca_cert,
            reusable-config and subject flags).
          location: Location id forwarded to flags.ParseReusableConfig.

        Returns:
          A self.messages.CertificateConfig with publicKey, reusableConfig and
          subjectConfig set.
        """
        private_pem, public_pem = key_generation.RSAKeyGen(2048)
        # The private key is never sent to the API; it is only handed to
        # ExportPrivateKey. NOTE(review): presumably that helper writes the
        # file with owner-only permissions — confirm in key_generation.
        key_generation.ExportPrivateKey(args.key_output_file, private_pem)

        reusable_config = flags.ParseReusableConfig(
            args, location, is_ca_command=args.is_ca_cert)
        subject_config = flags.ParseSubjectFlags(args,
                                                 is_ca=args.is_ca_cert)

        public_key_msg = self.messages.PublicKey(
            key=public_pem,
            type=self.messages.PublicKey.TypeValueValuesEnum.PEM_RSA_KEY)
        return self.messages.CertificateConfig(
            publicKey=public_key_msg,
            reusableConfig=reusable_config,
            subjectConfig=subject_config)
  def _GenerateCertificateConfig(self, request, args):
    """Build a CertificateConfig around a freshly generated RSA key pair.

    Generates a 2048-bit RSA key, persists the private half via
    key_generation.ExportPrivateKey to args.key_output_file, and returns a
    config that carries only the public half plus the parsed reusable-config
    and subject settings.

    Args:
      request: Not used by this method; kept for the caller's signature.
      args: Parsed command-line arguments (key_output_file, reusable-config
        and subject flags).

    Returns:
      A CertificateConfig message with publicKey, reusableConfig and
      subjectConfig set.
    """
    messages = privateca_base.GetMessagesModule()
    private_pem, public_pem = key_generation.RSAKeyGen(2048)
    # Only the public key goes into the request below. NOTE(review): assumes
    # ExportPrivateKey creates the output file with restrictive permissions —
    # confirm in key_generation.
    key_generation.ExportPrivateKey(args.key_output_file, private_pem)

    reusable_config = flags.ParseReusableConfig(args)
    subject_config = flags.ParseSubjectFlags(args, is_ca=False)

    public_key_msg = messages.PublicKey(
        key=public_pem,
        type=messages.PublicKey.TypeValueValuesEnum.PEM_RSA_KEY)
    return messages.CertificateConfig(
        publicKey=public_key_msg,
        reusableConfig=reusable_config,
        subjectConfig=subject_config)
 def testSubjectParseAllFields(self):
     """Every supported --subject attribute lands on the matching Subject field."""
     flags.AddSubjectFlags(self.parser)
     full_dn = 'C=US, ST=Washington, L=Kirkland, O=Google LLC, CN=google.com, OU=Cloud, postalCode=98033, streetAddress=6th Ave'
     parsed = self.parser.parse_args(['--subject', full_dn])
     parsed_config = flags.ParseSubjectFlags(parsed, is_ca=False)
     # CN is surfaced separately from the Subject message.
     self.assertEqual(parsed_config.commonName, 'google.com')
     expected_subject = (
         ('countryCode', 'US'),
         ('province', 'Washington'),
         ('organization', 'Google LLC'),
         ('locality', 'Kirkland'),
         ('organizationalUnit', 'Cloud'),
         ('postalCode', '98033'),
         ('streetAddress', '6th Ave'),
     )
     for attr, want in expected_subject:
         self.assertEqual(getattr(parsed_config.subject, attr), want)
    def Run(self, args):
        """Create a subordinate CA, then either sign it via --issuer or emit its CSR.

        Flag parsing and both IAM pre-checks run before any resource is
        created, so an unauthorized caller fails without partial state. After
        the CA exists, exactly one of two paths completes the command:
        --create-csr writes the CSR to disk for an external signer, or
        --issuer has the named CA sign the CSR and activates the new CA.

        Args:
          args: Parsed command-line arguments, including the KMS key version,
            CA resource, optional issuer, create_csr/csr_output_file, subject,
            issuance and validity flags.

        Returns:
          None. Status messages are printed; the CSR path writes a file.

        Raises:
          exceptions.OneOfArgumentsRequiredException: if neither --issuer nor
            --create-csr was supplied (normally prevented by the arg group).
        """
        # issuer_ref is None when the user chose --create-csr instead.
        kms_key_version_ref, ca_ref, issuer_ref = _ParseResourceArgs(args)
        kms_key_ref = kms_key_version_ref.Parent()
        # CA path is projects/*/locations/*/certificateAuthorities/*, so two
        # Parent() hops reach the project.
        project_ref = ca_ref.Parent().Parent()

        # Fail fast on malformed input: all parsing happens before any API write.
        subject_config = flags.ParseSubjectFlags(args, is_ca=True)
        issuing_options = flags.ParseIssuingOptions(args)
        issuance_policy = flags.ParseIssuancePolicy(args)
        reusable_config_wrapper = flags.ParseReusableConfig(args,
                                                            ca_ref.locationsId,
                                                            is_ca=True)
        lifetime = flags.ParseValidityFlag(args)
        labels = labels_util.ParseCreateArgs(
            args, self.messages.CertificateAuthority.LabelsValue)

        # Check create permission on the project/KMS key, and — when an issuer
        # is given — permission to request a certificate from it, before any
        # resource is created below.
        iam.CheckCreateCertificateAuthorityPermissions(project_ref,
                                                       kms_key_ref)
        if issuer_ref:
            iam.CheckCreateCertificatePermissions(issuer_ref)

        # Service-managed identity and CRL/cert bucket backing the CA.
        p4sa_email = p4sa.GetOrCreate(project_ref)
        bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)

        # Presumably grants the P4SA the roles it needs on the key and bucket;
        # the exact bindings live in p4sa.AddResourceRoleBindings.
        p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)

        new_ca = self.messages.CertificateAuthority(
            type=self.messages.CertificateAuthority.TypeValueValuesEnum.
            SUBORDINATE,
            lifetime=lifetime,
            config=self.messages.CertificateConfig(
                reusableConfig=reusable_config_wrapper,
                subjectConfig=subject_config),
            cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
            certificatePolicy=issuance_policy,
            issuingOptions=issuing_options,
            gcsBucket=bucket_ref.bucket,
            labels=labels)

        # Block until the CA exists; the operation result itself is not needed
        # because the CA is addressed by ca_ref from here on. requestId is a
        # fresh value per invocation, presumably for retry de-duplication.
        operations.Await(
            self.client.projects_locations_certificateAuthorities.Create(
                self.messages.
                PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
                    certificateAuthority=new_ca,
                    certificateAuthorityId=ca_ref.Name(),
                    parent=ca_ref.Parent().RelativeName(),
                    requestId=request_utils.GenerateRequestId())),
            'Creating Certificate Authority.')

        # The service generates the CSR; the signing key stays in Cloud KMS and
        # the PEM returned here holds only public material.
        csr_response = self.client.projects_locations_certificateAuthorities.GetCsr(
            self.messages.
            PrivatecaProjectsLocationsCertificateAuthoritiesGetCsrRequest(
                name=ca_ref.RelativeName()))
        csr = csr_response.pemCsr

        # Path 1: hand the CSR to an external issuer; the CA stays unactivated
        # until the signed certificate is supplied later.
        if args.create_csr:
            files.WriteFileContents(args.csr_output_file, csr)
            log.status.Print(
                "Created Certificate Authority [{}] and saved CSR to '{}'.".
                format(ca_ref.RelativeName(), args.csr_output_file))
            return

        # Path 2: the named issuer signs the CSR and the new CA is activated
        # with the resulting certificate.
        if issuer_ref:
            ca_certificate = self._SignCsr(issuer_ref, csr, lifetime)
            self._ActivateCertificateAuthority(ca_ref, ca_certificate)
            log.status.Print('Created Certificate Authority [{}].'.format(
                ca_ref.RelativeName()))
            return

        # This should not happen because of the required arg group, but it protects
        # us in case of future additions.
        raise exceptions.OneOfArgumentsRequiredException([
            '--issuer', '--create-csr'
        ], ('To create a subordinate CA, please provide either an issuer or the '
            '--create-csr flag to output a CSR to be signed by another issuer.'
            ))