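def testSubjectKeyValStrip(self):
  """Whitespace around the comma separators in --subject must be stripped.

  The same subject is parsed with three different spacings; every variant
  must yield identical CN, C and ST fields.
  """
  flags.AddSubjectFlags(self.parser)
  variants = [
      'CN=google.com,C=US,ST=Washington',
      'CN=google.com , C=US,ST=Washington',
      'CN=google.com, C=US, ST=Washington',
  ]
  for subject_str in variants:
    args = self.parser.parse_args(['--subject', subject_str])
    subject_config = flags.ParseSubjectFlags(args, is_ca=False)
    subject = subject_config.subject
    # The variant is included in the failure message so a regression in one
    # spacing form is identifiable from the test output alone.
    self.assertEqual(subject_config.commonName, 'google.com', msg=subject_str)
    self.assertEqual(subject.countryCode, 'US', msg=subject_str)
    self.assertEqual(subject.province, 'Washington', msg=subject_str)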
def Run(self, args):
  """Creates a self-signed (root) Certificate Authority.

  Order of operations: resolve resource refs and flag values, run the
  client-side permission check, provision the service agent and bucket, create
  the CA, then publish its initial CRL.

  Args:
    args: argparse.Namespace carrying the resource, subject, validity,
      reusable-config, issuance-policy and label flags read below.
  """
  kms_key_version_ref, ca_ref = self.ParseResourceArgs(args)
  kms_key_ref = kms_key_version_ref.Parent()
  project_ref = ca_ref.Parent().Parent()

  # All flag-derived values are resolved before any remote resource is
  # created, so a flag error cannot leave a partially provisioned CA behind.
  subject_config = flags.ParseSubjectFlags(args, is_ca=True)
  issuing_options = flags.ParseIssuingOptions(args)
  issuance_policy = flags.ParseIssuancePolicy(args)
  reusable_config_wrapper = flags.ParseReusableConfig(
      args, ca_ref.locationsId, is_ca=True)
  lifetime = flags.ParseValidityFlag(args)
  labels = labels_util.ParseCreateArgs(
      args, self.messages.CertificateAuthority.LabelsValue)

  # Client-side preflight on the project and the KMS key, before the service
  # agent, bucket and role bindings are created. NOTE(review): presumably the
  # Create call below is still authorized server-side; this check only fails
  # fast.
  iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)

  p4sa_email = p4sa.GetOrCreate(project_ref)
  bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)
  # NOTE(review): presumably grants the service agent access to the signing key
  # and to the bucket — confirm the exact roles in p4sa.AddResourceRoleBindings.
  p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)

  ca_type_enum = self.messages.CertificateAuthority.TypeValueValuesEnum
  certificate_config = self.messages.CertificateConfig(
      reusableConfig=reusable_config_wrapper, subjectConfig=subject_config)
  new_ca = self.messages.CertificateAuthority(
      type=ca_type_enum.SELF_SIGNED,
      lifetime=lifetime,
      config=certificate_config,
      cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
      certificatePolicy=issuance_policy,
      issuingOptions=issuing_options,
      gcsBucket=bucket_ref.bucket,
      labels=labels)

  create_request = (
      self.messages.PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
          certificateAuthority=new_ca,
          certificateAuthorityId=ca_ref.Name(),
          parent=ca_ref.Parent().RelativeName(),
          # A fresh id per invocation; presumably lets the service de-duplicate
          # retried creates.
          requestId=request_utils.GenerateRequestId()))
  ca_service = self.client.projects_locations_certificateAuthorities
  operation = ca_service.Create(create_request)
  ca_response = operations.Await(operation, 'Creating Certificate Authority.')
  ca = operations.GetMessageFromResponse(
      ca_response, self.messages.CertificateAuthority)

  # Publish the initial CRL right after creation. The returned operation is
  # not awaited here.
  log.status.Print('Creating the initial Certificate Revocation List.')
  publish_request = (
      self.messages
      .PrivatecaProjectsLocationsCertificateAuthoritiesPublishCrlRequest(
          name=ca.name,
          publishCertificateRevocationListRequest=self.messages
          .PublishCertificateRevocationListRequest()))
  ca_service.PublishCrl(publish_request)
  log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
def testSubjectNoNameFailure(self):
  """A --subject without a CN is rejected with an error naming 'subject'."""
  flags.AddSubjectFlags(self.parser)
  subject_without_cn = (
      'C=US, ST=Washington, L=Kirkland, O=Google LLC, OU=Cloud, '
      'postalCode=98033, streetAddress=6th Ave')
  # parse_args stays outside the assertion context: only ParseSubjectFlags
  # is expected to raise here.
  args = self.parser.parse_args(['--subject', subject_without_cn])
  with self.AssertRaisesExceptionMatches(
      exceptions.InvalidArgumentException, 'subject'):
    flags.ParseSubjectFlags(args, is_ca=False)
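def testSubjectFlagNoOrganizationFailure(self):
  """For a CA subject (is_ca=True) a missing O= must be rejected.

  The subject is otherwise complete (it has a CN), so the only reason for
  ParseSubjectFlags to fail is the missing organization.
  """
  flags.AddSubjectFlags(self.parser)
  subject_without_org = (
      'CN=google.com, C=US, ST=Washington, L=Kirkland, OU=Cloud, '
      'postalCode=98033, streetAddress=6th Ave')
  # Parse outside the assertion context so an error raised by argument
  # parsing itself cannot satisfy an expectation meant for ParseSubjectFlags
  # (the is_ca-dependent organization check cannot run at parse time).
  args = self.parser.parse_args(['--subject', subject_without_org])
  with self.AssertRaisesExceptionMatches(
      exceptions.InvalidArgumentException, 'organization'):
    flags.ParseSubjectFlags(args, is_ca=True)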
def testSubjectParsePartialFields(self):
  """Only the attributes present in --subject are checked; O may precede CN."""
  flags.AddSubjectFlags(self.parser)
  args = self.parser.parse_args(
      ['--subject', 'O=Google LLC,CN=google.com,OU=Cloud'])
  parsed = flags.ParseSubjectFlags(args, is_ca=False)
  self.assertEqual(parsed.commonName, 'google.com')
  expected_fields = [
      ('organization', 'Google LLC'),
      ('organizationalUnit', 'Cloud'),
  ]
  for attr, expected in expected_fields:
    self.assertEqual(getattr(parsed.subject, attr), expected)
def testSubjectFlagInvalidKey(self):
  """An unknown subject attribute key (LU=) is rejected.

  The error may originate in argument parsing or in ParseSubjectFlags, so
  both calls stay inside the assertion context and the broad Exception type
  is kept; the message text is what pins the behaviour.
  """
  flags.AddSubjectFlags(self.parser)
  subject_with_bad_key = (
      'C=US, CN=something, ST=Washington, LU=Kirkland, O=Google LLC, '
      'OU=Cloud, postalCode=98033, streetAddress=6th Ave')
  expected_message = (
      'Invalid value for [--subject]: Unrecognized subject attribute.')
  with self.AssertRaisesExceptionMatches(Exception, expected_message):
    args = self.parser.parse_args(['--subject', subject_with_bad_key])
    flags.ParseSubjectFlags(args, is_ca=False)
def _GenerateCertificateConfig(self, request, args, location):
  """Builds a CertificateConfig around a locally generated RSA-2048 key pair.

  The private key is handed only to key_generation.ExportPrivateKey (written
  to args.key_output_file); only the PEM public key is placed in the config
  that goes into the request.

  Args:
    request: Unused in this method; presumably the signature is fixed by the
      caller.
    args: Parsed arguments; key_output_file and is_ca_cert are read.
    location: Location passed through to flags.ParseReusableConfig.

  Returns:
    A self.messages.CertificateConfig with publicKey, reusableConfig and
    subjectConfig populated.
  """
  private_key, public_key = key_generation.RSAKeyGen(2048)
  # NOTE(review): the key file is written before the API call is made, so it
  # remains on disk if that call later fails — confirm ExportPrivateKey
  # applies restrictive file permissions.
  key_generation.ExportPrivateKey(args.key_output_file, private_key)
  is_ca = args.is_ca_cert
  public_key_msg = self.messages.PublicKey(
      key=public_key,
      type=self.messages.PublicKey.TypeValueValuesEnum.PEM_RSA_KEY)
  return self.messages.CertificateConfig(
      publicKey=public_key_msg,
      reusableConfig=flags.ParseReusableConfig(
          args, location, is_ca_command=is_ca),
      subjectConfig=flags.ParseSubjectFlags(args, is_ca=is_ca))
def _GenerateCertificateConfig(self, request, args):
  """Builds a CertificateConfig around a locally generated RSA-2048 key pair.

  Same contract as the location-aware variant, but the messages module comes
  from privateca_base and the subject is always parsed with is_ca=False. The
  private key is passed only to ExportPrivateKey; only the public key enters
  the config.

  Args:
    request: Unused in this method; presumably the signature is fixed by the
      caller.
    args: Parsed arguments; key_output_file is read.

  Returns:
    A messages.CertificateConfig with publicKey, reusableConfig and
    subjectConfig populated.
  """
  messages = privateca_base.GetMessagesModule()
  private_key, public_key = key_generation.RSAKeyGen(2048)
  # NOTE(review): the key file is written before any API call — confirm
  # ExportPrivateKey applies restrictive file permissions.
  key_generation.ExportPrivateKey(args.key_output_file, private_key)
  public_key_msg = messages.PublicKey(
      key=public_key,
      type=messages.PublicKey.TypeValueValuesEnum.PEM_RSA_KEY)
  return messages.CertificateConfig(
      publicKey=public_key_msg,
      reusableConfig=flags.ParseReusableConfig(args),
      subjectConfig=flags.ParseSubjectFlags(args, is_ca=False))
def testSubjectParseAllFields(self):
  """All eight subject attributes exercised here land on their Subject fields."""
  flags.AddSubjectFlags(self.parser)
  full_subject = (
      'C=US, ST=Washington, L=Kirkland, O=Google LLC, CN=google.com, '
      'OU=Cloud, postalCode=98033, streetAddress=6th Ave')
  args = self.parser.parse_args(['--subject', full_subject])
  parsed = flags.ParseSubjectFlags(args, is_ca=False)
  self.assertEqual(parsed.commonName, 'google.com')
  expected_fields = [
      ('countryCode', 'US'),
      ('province', 'Washington'),
      ('organization', 'Google LLC'),
      ('locality', 'Kirkland'),
      ('organizationalUnit', 'Cloud'),
      ('postalCode', '98033'),
      ('streetAddress', '6th Ave'),
  ]
  for attr, expected in expected_fields:
    self.assertEqual(getattr(parsed.subject, attr), expected, msg=attr)
def Run(self, args):
  """Creates a subordinate CA and either signs it or emits its CSR.

  Flow: resolve refs and flag values, run client-side permission checks,
  provision the service agent and bucket, create the CA, fetch its CSR. With
  --create-csr the CSR is written to args.csr_output_file and the CA is left
  for an external issuer; with --issuer the CSR is signed by that issuer and
  the CA is activated.

  Args:
    args: argparse.Namespace carrying the resource, subject, validity,
      reusable-config, issuance-policy, label, --issuer and --create-csr flags.

  Raises:
    exceptions.OneOfArgumentsRequiredException: neither --issuer nor
      --create-csr was given (normally prevented by the required arg group).
  """
  kms_key_version_ref, ca_ref, issuer_ref = _ParseResourceArgs(args)
  kms_key_ref = kms_key_version_ref.Parent()
  project_ref = ca_ref.Parent().Parent()

  # Flag values are resolved before any remote resource is touched.
  subject_config = flags.ParseSubjectFlags(args, is_ca=True)
  issuing_options = flags.ParseIssuingOptions(args)
  issuance_policy = flags.ParseIssuancePolicy(args)
  reusable_config_wrapper = flags.ParseReusableConfig(
      args, ca_ref.locationsId, is_ca=True)
  lifetime = flags.ParseValidityFlag(args)
  labels = labels_util.ParseCreateArgs(
      args, self.messages.CertificateAuthority.LabelsValue)

  # Client-side preflight: creating a CA with this key and, when an issuer is
  # given, requesting a certificate from it. NOTE(review): presumably the
  # service still authorizes each call independently.
  iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)
  if issuer_ref:
    iam.CheckCreateCertificatePermissions(issuer_ref)

  p4sa_email = p4sa.GetOrCreate(project_ref)
  bucket_ref = storage.CreateBucketForCertificateAuthority(ca_ref)
  # NOTE(review): presumably binds the service agent to the signing key and
  # the bucket — confirm the exact roles in p4sa.AddResourceRoleBindings.
  p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)

  ca_type_enum = self.messages.CertificateAuthority.TypeValueValuesEnum
  new_ca = self.messages.CertificateAuthority(
      type=ca_type_enum.SUBORDINATE,
      lifetime=lifetime,
      config=self.messages.CertificateConfig(
          reusableConfig=reusable_config_wrapper,
          subjectConfig=subject_config),
      cloudKmsKeyVersion=kms_key_version_ref.RelativeName(),
      certificatePolicy=issuance_policy,
      issuingOptions=issuing_options,
      gcsBucket=bucket_ref.bucket,
      labels=labels)

  ca_service = self.client.projects_locations_certificateAuthorities
  create_request = (
      self.messages.PrivatecaProjectsLocationsCertificateAuthoritiesCreateRequest(
          certificateAuthority=new_ca,
          certificateAuthorityId=ca_ref.Name(),
          parent=ca_ref.Parent().RelativeName(),
          requestId=request_utils.GenerateRequestId()))
  operations.Await(
      ca_service.Create(create_request), 'Creating Certificate Authority.')

  csr_request = (
      self.messages.PrivatecaProjectsLocationsCertificateAuthoritiesGetCsrRequest(
          name=ca_ref.RelativeName()))
  csr = ca_service.GetCsr(csr_request).pemCsr

  ca_name = ca_ref.RelativeName()
  if args.create_csr:
    # Hand the CSR to the caller so another issuer can sign it; the CA is
    # left unactivated by this command.
    files.WriteFileContents(args.csr_output_file, csr)
    log.status.Print(
        "Created Certificate Authority [{}] and saved CSR to '{}'.".format(
            ca_name, args.csr_output_file))
    return

  if issuer_ref:
    ca_certificate = self._SignCsr(issuer_ref, csr, lifetime)
    self._ActivateCertificateAuthority(ca_ref, ca_certificate)
    log.status.Print('Created Certificate Authority [{}].'.format(ca_name))
    return

  # Unreachable while the required arg group is enforced; kept as a guard
  # against future flag additions.
  raise exceptions.OneOfArgumentsRequiredException(
      ['--issuer', '--create-csr'],
      'To create a subordinate CA, please provide either an issuer or the '
      '--create-csr flag to output a CSR to be signed by another issuer.')