davidkotnik/novafarma
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add new gcloud commands, API clients, and third-party libraries across various services.

Browse Source
This commit is contained in:
David Kotnik
2026-01-01 20:26:35 +01:00
parent 5e23cbece0
commit a19e592eb7
25221 changed files with 8324611 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/__init__.py Normal file
View File

@@ -0,0 +1,26 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""The command group for subordinates."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.calliope import base
@base.ReleaseTracks(base.ReleaseTrack.GA)
class Subordinates(base.Group):
"""Manage subordinate certificate authorities."""

170
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/activate.py Normal file
View File

@@ -0,0 +1,170 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Activate a pending certificate authority."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.api_lib.privateca import request_utils
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions
from googlecloudsdk.command_lib.privateca import create_utils
from googlecloudsdk.command_lib.privateca import flags
from googlecloudsdk.command_lib.privateca import operations
from googlecloudsdk.command_lib.privateca import pem_utils
from googlecloudsdk.command_lib.privateca import resource_args
from googlecloudsdk.core import log
from googlecloudsdk.core.console import console_io
from googlecloudsdk.core.util import files
@base.ReleaseTracks(base.ReleaseTrack.GA)
class Activate(base.SilentCommand):
r"""Activate a subordinate certificate authority awaiting user activation.
## EXAMPLES
To activate a subordinate CA named 'server-tls-1' in the location 'us-west1'
and CA Pool 'server-tls-pool' using a PEM certificate chain in 'chain.crt':
$ {command} server-tls-1 \
--location=us-west1 \
--pool=server-tls-pool \
--pem-chain=./chain.crt
"""
def __init__(self, *args, **kwargs):
super(Activate, self).__init__(*args, **kwargs)
self.client = privateca_base.GetClientInstance(api_version='v1')
self.messages = privateca_base.GetMessagesModule(api_version='v1')
@staticmethod
def Args(parser):
resource_args.AddCertAuthorityPositionalResourceArg(parser, 'to activate')
base.Argument(
'--pem-chain',
required=True,
help=(
'A file containing a list of PEM-encoded certificates, starting '
'with the current CA certificate and ending with the root CA '
'certificate.'
),
).AddToParser(parser)
flags.AddAutoEnableFlag(parser)
def _ParsePemChainFromFile(self, pem_chain_file):
"""Parses a pem chain from a file, splitting the leaf cert and chain.
Args:
pem_chain_file: file containing the pem_chain.
Raises:
exceptions.InvalidArgumentException if not enough certificates are
included.
Returns:
A tuple with (leaf_cert, rest_of_chain)
"""
try:
pem_chain_input = files.ReadFileContents(pem_chain_file)
except (files.Error, OSError, IOError):
raise exceptions.BadFileException(
"Could not read provided PEM chain file '{}'.".format(pem_chain_file)
)
certs = pem_utils.ValidateAndParsePemChain(pem_chain_input)
if len(certs) < 2:
raise exceptions.InvalidArgumentException(
'pem-chain',
'The pem_chain must include at least two certificates - the'
' subordinate CA certificate and an issuer certificate.',
)
return certs[0], certs[1:]
def _EnableCertificateAuthority(self, ca_name):
"""Enables the given CA."""
enable_request = self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesEnableRequest(
name=ca_name,
enableCertificateAuthorityRequest=self.messages.EnableCertificateAuthorityRequest(
requestId=request_utils.GenerateRequestId()
),
)
operation = (
self.client.projects_locations_caPools_certificateAuthorities.Enable(
enable_request
)
)
return operations.Await(operation, 'Enabling CA.', api_version='v1')
def _ShouldEnableCa(self, args, ca_ref):
"""Determines whether the CA should be enabled or not."""
if args.auto_enable:
return True
# Return false if there already is an enabled CA in the pool.
ca_pool_name = ca_ref.Parent().RelativeName()
list_response = self.client.projects_locations_caPools_certificateAuthorities.List(
self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesListRequest(
parent=ca_pool_name
)
)
if create_utils.HasEnabledCa(
list_response.certificateAuthorities, self.messages
):
return False
# Prompt the user if they would like to enable a CA in the pool.
return console_io.PromptContinue(
message=(
'The CaPool [{}] has no enabled CAs and cannot issue any '
'certificates until at least one CA is enabled. Would you like to '
'also enable this CA?'.format(ca_ref.Parent().Name())
),
default=False,
)
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
pem_cert, pem_chain = self._ParsePemChainFromFile(args.pem_chain)
operation = client.projects_locations_caPools_certificateAuthorities.Activate(
messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesActivateRequest(
name=ca_ref.RelativeName(),
activateCertificateAuthorityRequest=messages.ActivateCertificateAuthorityRequest(
pemCaCertificate=pem_cert,
subordinateConfig=messages.SubordinateConfig(
pemIssuerChain=messages.SubordinateConfigChain(
pemCertificates=pem_chain
)
),
),
)
)
operations.Await(
operation, 'Activating Certificate Authority.', api_version='v1'
)
log.status.Print(
'Activated Certificate Authority [{}].'.format(ca_ref.Name())
)
if self._ShouldEnableCa(args, ca_ref):
self._EnableCertificateAuthority(ca_ref.RelativeName())

358
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/create.py Normal file
View File

@@ -0,0 +1,358 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Create a new subordinate certificate authority."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.api_lib.privateca import request_utils
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions
from googlecloudsdk.calliope.concepts import deps
from googlecloudsdk.command_lib.privateca import create_utils
from googlecloudsdk.command_lib.privateca import flags
from googlecloudsdk.command_lib.privateca import iam
from googlecloudsdk.command_lib.privateca import operations
from googlecloudsdk.command_lib.privateca import p4sa
from googlecloudsdk.command_lib.privateca import resource_args
from googlecloudsdk.command_lib.privateca import storage
from googlecloudsdk.command_lib.util.args import labels_util
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.command_lib.util.concepts import presentation_specs
from googlecloudsdk.core import log
from googlecloudsdk.core.console import console_io
from googlecloudsdk.core.util import files
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.GA)
class Create(base.CreateCommand):
r"""Create a new subordinate certificate authority.
## EXAMPLES
To create a subordinate CA named 'server-tls-1' whose issuer is on Private CA:
$ {command} server-tls-1 \
--location=us-west1 --pool=my-pool \
--subject="CN=Example TLS CA, O=Google" \
--issuer-pool=other-pool --issuer-location=us-west1 \
--kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"
To create a subordinate CA named 'server-tls-1' whose issuer is located
elsewhere:
$ {command} server-tls-1 \
--location=us-west1 --pool=my-pool \
--subject="CN=Example TLS CA, O=Google" \
--create-csr \
--csr-output-file=./csr.pem \
--kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"
To create a subordinate CA named 'server-tls-1' chaining up to a root CA
named 'prod-root' based on an existing CA:
$ {command} server-tls-1 \
--location=us-west1 --pool=my-pool \
--issuer-pool=other-pool --issuer-location=us-west1 \
--from-ca=source-ca \
--kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/key2/cryptoKeyVersions/1"
"""
def __init__(self, *args, **kwargs):
super(Create, self).__init__(*args, **kwargs)
self.client = privateca_base.GetClientInstance(api_version='v1')
self.messages = privateca_base.GetMessagesModule(api_version='v1')
@staticmethod
def Args(parser):
key_spec_group = parser.add_group(
mutex=True,
help=(
'The key configuration used for the CA certificate. Defaults to a '
'managed key if not specified.'
),
)
x509_config_group = parser.add_group(
mutex=True,
required=False,
help='The X.509 configuration used for the CA certificate.',
)
issuer_configuration_group = parser.add_group(
mutex=True,
required=True,
help='The issuer configuration used for this CA certificate.',
)
issuing_resource_group = issuer_configuration_group.add_group(
mutex=False,
required=False,
help='The issuing resource used for this CA certificate.',
)
base.Argument(
'--issuer-ca',
help=(
'The Certificate Authority ID of the CA to issue the subordinate '
'CA certificate from. This ID is optional. If ommitted, '
'any available ENABLED CA in the issuing CA pool will be chosen.'
),
required=False,
).AddToParser(parser)
concept_parsers.ConceptParser([
presentation_specs.ResourcePresentationSpec(
'CERTIFICATE_AUTHORITY',
resource_args.CreateCertAuthorityResourceSpec(
'Certificate Authority'
),
'The name of the subordinate CA to create.',
required=True,
),
presentation_specs.ResourcePresentationSpec(
'--issuer-pool',
resource_args.CreateCaPoolResourceSpec('Issuer'),
'The issuing CA Pool to use, if it is on Private CA.',
prefixes=True,
required=False,
flag_name_overrides={
'location': '--issuer-location',
},
group=issuing_resource_group,
),
presentation_specs.ResourcePresentationSpec(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'The KMS key version backing this CA.',
group=key_spec_group,
),
presentation_specs.ResourcePresentationSpec(
'--from-ca',
resource_args.CreateCertAuthorityResourceSpec(
'source CA',
location_fallthroughs=[
deps.ArgFallthrough('--location'),
resource_args.LOCATION_PROPERTY_FALLTHROUGH,
],
pool_id_fallthroughs=[deps.ArgFallthrough('--pool')],
),
'An existing CA from which to copy configuration values for the '
'new CA. You can still override any of those values by explicitly '
'providing the appropriate flags. The specified existing CA must '
'be part of the same pool as the one being created.',
flag_name_overrides={
'project': '',
'location': '',
'pool': '',
},
prefixes=True,
),
]).AddToParser(parser)
flags.AddSubjectFlags(parser, subject_required=False)
flags.AddKeyAlgorithmFlag(key_spec_group, default='rsa-pkcs1-2048-sha256')
flags.AddUsePresetProfilesFlag(x509_config_group)
# Subordinates should have no children by default.
flags.AddInlineX509ParametersFlags(
x509_config_group, is_ca_command=True, default_max_chain_length=0
)
flags.AddValidityFlag(
parser,
resource_name='CA',
default_value='P3Y',
default_value_text='3 years',
)
labels_util.AddCreateLabelsFlags(parser)
flags.AddBucketFlag(parser)
flags.AddSubjectKeyIdFlag(parser)
offline_issuer_group = issuer_configuration_group.add_group(
help=(
'If the issuing CA is not hosted on Private CA, you must provide '
'these settings:'
)
)
base.Argument(
'--create-csr',
help=(
'Indicates that a CSR should be generated which can be signed by '
'the issuing CA. This must be set if --issuer is not provided.'
),
action='store_const',
const=True,
default=False,
required=True,
).AddToParser(offline_issuer_group)
base.Argument(
'--csr-output-file',
help=(
'The path where the resulting PEM-encoded CSR file should be '
'written.'
),
required=True,
).AddToParser(offline_issuer_group)
flags.AddAutoEnableFlag(parser)
flags.AddUserDefinedAccessUrlsFlags(parser)
def _EnableCertificateAuthority(self, ca_name):
"""Enable the given CA."""
enable_request = self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesEnableRequest(
name=ca_name,
enableCertificateAuthorityRequest=self.messages.EnableCertificateAuthorityRequest(
requestId=request_utils.GenerateRequestId()
),
)
operation = (
self.client.projects_locations_caPools_certificateAuthorities.Enable(
enable_request
)
)
return operations.Await(operation, 'Enabling CA.', api_version='v1')
def _ShouldEnableCa(self, args, ca_ref):
"""Determines whether the CA should be enabled or not."""
if args.auto_enable:
return True
# Return false if there already is an enabled CA in the pool.
ca_pool_name = ca_ref.Parent().RelativeName()
list_response = self.client.projects_locations_caPools_certificateAuthorities.List(
self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesListRequest(
parent=ca_pool_name
)
)
if create_utils.HasEnabledCa(
list_response.certificateAuthorities, self.messages
):
return False
# Prompt the user if they would like to enable a CA in the pool.
return console_io.PromptContinue(
message=(
'The CaPool [{}] has no enabled CAs and cannot issue any '
'certificates until at least one CA is enabled. Would you like to '
'also enable this CA?'.format(ca_ref.Parent().Name())
),
default=False,
)
def _ActivateCertificateAuthority(self, ca_name, pem_cert, issuer_chain):
"""Activates the given CA using the given certificate and issuing CA chain."""
activate_request = self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesActivateRequest(
name=ca_name,
activateCertificateAuthorityRequest=self.messages.ActivateCertificateAuthorityRequest(
pemCaCertificate=pem_cert,
subordinateConfig=self.messages.SubordinateConfig(
pemIssuerChain=self.messages.SubordinateConfigChain(
pemCertificates=issuer_chain
)
),
),
)
operation = (
self.client.projects_locations_caPools_certificateAuthorities.Activate(
activate_request
)
)
return operations.Await(operation, 'Activating CA.', api_version='v1')
def Run(self, args):
new_ca, ca_ref, issuer_ref = create_utils.CreateCAFromArgs(
args, is_subordinate=True
)
# Retrive the Project reference from the Parent -> Location -> Pool -> CA
# resource structure.
project_ref = ca_ref.Parent().Parent().Parent()
key_version_ref = args.CONCEPTS.kms_key_version.Parse()
kms_key_ref = key_version_ref.Parent() if key_version_ref else None
if not args.IsSpecified('issuer_pool') and args.IsSpecified('auto_enable'):
raise exceptions.InvalidArgumentException(
['--auto-enable'],
(
"The '--auto-enable' is only supported in the create command if"
' an issuer resource is specified. You can use the'
" '--auto-enable' command in the subordinate CA activate command."
),
)
if args.issuer_pool == args.pool:
if not console_io.PromptContinue(
message=(
'The new CA will be in the same CA pool as the issuer CA. All'
' certificate authorities within a CA pool should be'
' interchangeable. Do you want to continue?'
),
default=True,
):
log.status.Print('Aborted by user.')
return
iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)
if issuer_ref:
iam.CheckCreateCertificatePermissions(issuer_ref)
# Proactively look for issuing CA Pool problems to avoid downstream
# issues.
issuer_ca = args.issuer_ca if args.IsSpecified('issuer_ca') else None
create_utils.ValidateIssuingPool(issuer_ref.RelativeName(), issuer_ca)
bucket_ref = None
if args.IsSpecified('bucket'):
bucket_ref = storage.ValidateBucketForCertificateAuthority(args.bucket)
new_ca.gcsBucket = bucket_ref.bucket
p4sa_email = p4sa.GetOrCreate(project_ref)
p4sa.AddResourceRoleBindings(p4sa_email, kms_key_ref, bucket_ref)
operations.Await(
self.client.projects_locations_caPools_certificateAuthorities.Create(
self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=ca_ref.Parent().RelativeName(),
requestId=request_utils.GenerateRequestId(),
)
),
'Creating Certificate Authority.',
api_version='v1',
)
csr_response = self.client.projects_locations_caPools_certificateAuthorities.Fetch(
self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesFetchRequest(
name=ca_ref.RelativeName()
)
)
csr = csr_response.pemCsr
if args.create_csr:
files.WriteFileContents(args.csr_output_file, csr)
log.status.Print(
"Created Certificate Authority [{}] and saved CSR to '{}'.".format(
ca_ref.RelativeName(), args.csr_output_file
)
)
return
if issuer_ref:
issuer_ca = args.issuer_ca if args.IsSpecified('issuer_ca') else None
ca_certificate = create_utils.SignCsr(issuer_ref, csr, issuer_ca, new_ca)
self._ActivateCertificateAuthority(
ca_ref.RelativeName(),
ca_certificate.pemCertificate,
ca_certificate.pemCertificateChain,
)
log.status.Print(
'Created Certificate Authority [{}].'.format(ca_ref.RelativeName())
)
if self._ShouldEnableCa(args, ca_ref):
self._EnableCertificateAuthority(ca_ref.RelativeName())
return

163
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/delete.py Normal file
View File

@@ -0,0 +1,163 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Delete a subordinate certificate authority."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from dateutil import tz
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.api_lib.privateca import request_utils
from googlecloudsdk.api_lib.util import waiter
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.privateca import flags
from googlecloudsdk.command_lib.privateca import operations
from googlecloudsdk.command_lib.privateca import resource_args
from googlecloudsdk.core import log
from googlecloudsdk.core.console import console_io
from googlecloudsdk.core.util import times
import six
@base.ReleaseTracks(base.ReleaseTrack.GA)
class Delete(base.DeleteCommand):
r"""Delete a subordinate certificate authority.
Delete a Subordinate Certificate Authority. Deleted Subordinate Certificate
Authorities may be recovered with the `{parent_command} undelete` command
within a grace period of 30 days.
Use the --skip-grace-period flag to delete as soon as possible without the
30-day grace period to undelete.
Note that any user-managed KMS keys or Google Cloud Storage buckets
will not be affected by this operation. You will need to delete the user-
managed resources separately once the CA is deleted. Any Google-managed
resources will be cleaned up.
The CA specified in this command MUST:
1) be in the DISABLED or STAGED state.
2) have no un-revoked or un-expired certificates. Use the revoke command
to revoke any active certificates.
Use the `--ignore-active-certificates` flag to remove 2) as a requirement.
## EXAMPLES
To delete a subordinate CA:
$ {command} server-tls-1 --pool=my-pool --location=us-west1
To delete a CA while skipping the confirmation input:
$ {command} server-tls-1s --pool=my-pool --location=us-west1 --quiet
To undo the deletion for a subordinate CA:
$ {parent_command} undelete server-tls-1 --pool=my-pool
--location=us-west1
"""
@staticmethod
def Args(parser):
resource_args.AddCertAuthorityPositionalResourceArg(parser, 'to delete')
flags.AddIgnoreActiveCertificatesFlag(parser)
flags.AddSkipGracePeriodFlag(parser)
flags.AddIgnoreDependentResourcesFlag(parser)
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
ca_name = ca_ref.RelativeName()
prompt_message = (
'You are about to delete Certificate Authority [{}].').format(
ca_ref.RelativeName())
if args.ignore_dependent_resources:
prompt_message += (
'\nThis deletion will happen without '
'checking if the CA\'s CA Pool is being used by another '
'resource, which may cause unintended and effects on any '
'dependent resource(s) since the CA Pool would not be '
'able to issue certificates.')
if args.skip_grace_period:
prompt_message += (
'\nThis deletion will happen as '
'soon as possible without a 30-day grace period where '
'undeletion would have been allowed. If you proceed, there '
'will be no way to recover this CA.')
if not console_io.PromptContinue(message=prompt_message, default=True):
log.status.Print('Aborted by user.')
return
current_ca = client.projects_locations_caPools_certificateAuthorities.Get(
messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest(
name=ca_name))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE,
current_ca,
version='v1')
operation = client.projects_locations_caPools_certificateAuthorities.Delete(
messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesDeleteRequest(
name=ca_name,
ignoreActiveCertificates=args.ignore_active_certificates,
skipGracePeriod=args.skip_grace_period,
ignoreDependentResources=args.ignore_dependent_resources,
requestId=request_utils.GenerateRequestId()))
try:
ca_response = operations.Await(
operation, 'Deleting Subordinate CA', api_version='v1')
except waiter.OperationError as e:
# API error message refers to the proto field name which is slightly
# different from the gcloud flag name.
raise operations.OperationError(
six.text_type(e).replace('`ignore_active_certificates` parameter',
'`--ignore-active-certificates` flag'))
ca = operations.GetMessageFromResponse(ca_response,
messages.CertificateAuthority)
formatted_expire_time = times.ParseDateTime(ca.expireTime).astimezone(
tz.tzutc()).strftime('%Y-%m-%dT%H:%MZ')
if (
current_ca.state
== messages.CertificateAuthority.StateValueValuesEnum.AWAITING_USER_ACTIVATION
):
log.status.Print(
'Deleted Subordinate CA [{}]. This CA was never activated and cannot'
' be recovered using `subordinates undelete`.'.format(ca_name)
)
elif args.skip_grace_period:
log.status.Print(
'Deleted Subordinate CA [{}]. CA can not be undeleted.'.format(
ca_name
)
)
else:
log.status.Print(
'Deleted Subordinate CA [{}]. CA can be undeleted until {}.'.format(
ca_name, formatted_expire_time
)
)

35
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/describe.yaml Normal file
View File

@@ -0,0 +1,35 @@
- release_tracks: [GA]
help_text:
brief: |
Get metadata for a subordinate certificate authority.
description: |
Returns metadata for the given certificate authority.
examples: |
To get metadata for the subordinate CA 'server-tls-1' in CA Pool 'my-pool' and location
'us-west1':
$ {command} server-tls-1 \
--location=us-west1 \
--pool=my-pool
To download the PEM-encoded CA certificate chain for the 'server-tls-1'
CA in location 'us-west1' to a file
called 'server-tls-1.crt':
$ {command} server-tls-1 \
--location=us-west1 \
--pool=my-pool \
--format="value(pemCaCertificates)" > ./server-tls-1.crt
request:
collection: privateca.projects.locations.caPools.certificateAuthorities
api_version: v1
arguments:
resource:
help_text: The certificate authority for which to obtain metadata.
spec: !REF googlecloudsdk.command_lib.privateca.resources:cert_authority
response:
modify_response_hooks:
- googlecloudsdk.command_lib.privateca.hooks:CheckResponseSubordinateTypeHook:version=v1

92
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/disable.py Normal file
View File

@@ -0,0 +1,92 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Disable a subordinate certificate authority."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.api_lib.privateca import request_utils
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.privateca import flags
from googlecloudsdk.command_lib.privateca import operations
from googlecloudsdk.command_lib.privateca import resource_args
from googlecloudsdk.core import log
from googlecloudsdk.core.console import console_io
@base.ReleaseTracks(base.ReleaseTrack.GA)
class Disable(base.SilentCommand):
r"""Disable a subordinate certificate authority.
Disables a subordinate certificate authority. The subordinate certificate
authority will not be allowed to issue certificates once disabled. It may
still revoke certificates and/or generate CRLs.
## EXAMPLES
To disable a subordinate CA:
$ {command} server-tls1 --location=us-west1 --pool=my-pool
"""
@staticmethod
def Args(parser):
resource_args.AddCertAuthorityPositionalResourceArg(parser, 'to disable')
flags.AddIgnoreDependentResourcesFlag(parser)
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
ca_name = ca_ref.RelativeName()
if args.ignore_dependent_resources:
prompt_message = (
'You are about to disable Certificate Authority [{}] without '
'checking if the CA\'s CA Pool is being used by another '
'resource. If you proceed and this is the last enabled CA in '
'the CA Pool, there may be unintended and '
'unrecoverable effects on any dependent resource(s) since the '
'CA Pool would not be able to issue certificates.'
).format(ca_ref.RelativeName())
if not console_io.PromptContinue(message=prompt_message, default=True):
log.status.Print('Aborted by user.')
return
current_ca = client.projects_locations_caPools_certificateAuthorities.Get(
messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest(
name=ca_name))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE,
current_ca,
version='v1')
operation = client.projects_locations_caPools_certificateAuthorities.Disable(
messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesDisableRequest(
name=ca_name,
disableCertificateAuthorityRequest=messages
.DisableCertificateAuthorityRequest(
ignoreDependentResources=args.ignore_dependent_resources,
requestId=request_utils.GenerateRequestId())))
operations.Await(operation, 'Disabling Subordinate CA', api_version='v1')
log.status.Print('Disabled Subordinate CA [{}].'.format(ca_name))

74
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/enable.py Normal file
View File

@@ -0,0 +1,74 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Enable a subordinate certificate authority."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.api_lib.privateca import request_utils
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.privateca import operations
from googlecloudsdk.command_lib.privateca import resource_args
from googlecloudsdk.core import log
@base.ReleaseTracks(base.ReleaseTrack.GA)
class EnableGA(base.SilentCommand):
r"""Enable a subordinate certificate authority.
Enables a subordinate certificate authority. The
subordinate certificate authority will be allowed to issue certificates once
enabled.
## EXAMPLES
To enable a subordinate CA:
$ {command} server-tls1 --pool=my-pool --location=us-west1
"""
@staticmethod
def Args(parser):
resource_args.AddCertAuthorityPositionalResourceArg(parser, 'to enable')
def Run(self, args):
client = privateca_base.GetClientInstance('v1')
messages = privateca_base.GetMessagesModule('v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
current_ca = client.projects_locations_caPools_certificateAuthorities.Get(
messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest(
name=ca_ref.RelativeName()))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE,
current_ca, 'v1')
operation = client.projects_locations_caPools_certificateAuthorities.Enable(
messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesEnableRequest(
name=ca_ref.RelativeName(),
enableCertificateAuthorityRequest=messages
.EnableCertificateAuthorityRequest(
requestId=request_utils.GenerateRequestId())))
operations.Await(operation, 'Enabling Subordinate CA', api_version='v1')
log.status.Print('Enabled Subordinate CA [{}].'.format(
ca_ref.RelativeName()))

57
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/get_csr.py Normal file
View File

@@ -0,0 +1,57 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Get the csr of a pending Certificate Authority."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.privateca import resource_args
@base.ReleaseTracks(base.ReleaseTrack.GA)
class GetCsr(base.Command):
# pylint: disable=line-too-long
r"""Get the CSR for a subordinate certificate authority that has not yet been activated.
Gets the PEM-encoded CSR for a subordinate certificate authority that is
awaiting user activation. The CSR should be signed by the issuing Certificate
Authority and uploaded back using the `subordinates activate` command.
## EXAMPLES
To download the CSR for the 'server-tls-1' CA into a file called
'server-tls-1.csr':
$ {command} server-tls-1 --location=us-west1 --pool=my-pool > server-tls-1.csr
"""
@staticmethod
def Args(parser):
resource_args.AddCertAuthorityPositionalResourceArg(
parser, 'for which to get the CSR')
parser.display_info.AddFormat("""value(pemCsr)""")
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
return client.projects_locations_caPools_certificateAuthorities.Fetch(
messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesFetchRequest(
name=ca_ref.RelativeName()))

127
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/list.py Normal file
View File

@@ -0,0 +1,127 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""List the subordinate certificate authorities within a project."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from apitools.base.py import list_pager
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.api_lib.privateca import resource_utils
from googlecloudsdk.api_lib.util import common_args
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope import exceptions
from googlecloudsdk.command_lib.privateca import response_utils
from googlecloudsdk.command_lib.privateca import text_utils
from googlecloudsdk.core import properties
@base.ReleaseTracks(base.ReleaseTrack.GA)
class List(base.ListCommand):
"""List subordinate certificate authorities.
List the subordinate certificate authorities within a project.
## EXAMPLES
To list all subordinate certificate authorities in a project:
$ {command}
To list all subordinate certificate authorities within a project and location
'us-central1':
$ {command} --location=us-central1
To list all subordinate certificate authorities within a CA Pool in location
'us-central1':
$ {command} --pool=my-pool --location=us-central1
"""
@staticmethod
def Args(parser):
base.Argument(
'--location',
help=(
'Location of the certificate authorities. If omitted, subordinate '
'CAs across all regions will be listed. Note that, if it is '
'populated, the privateca/location property will be used if this '
'flag is not specified. To ignore this property, specify "-" as '
'the location.')).AddToParser(parser)
base.Argument(
'--pool',
help=('ID of the CA Pool where the certificate authorities reside. If '
'omitted, subordinate CAs across all CA pools will be listed.'
)).AddToParser(parser)
base.PAGE_SIZE_FLAG.SetDefault(parser, 100)
base.FILTER_FLAG.RemoveFromParser(parser)
parser.display_info.AddFormat("""
table(
name.basename(),
name.scope().segment(-5):label=LOCATION,
name.scope().segment(-3):label=POOL,
state,
state.regex("ENABLED","YES","NO"):label=INCLUDED_IN_POOL_ISSUANCE,
ca_certificate_descriptions[0].subject_description.not_before_time():label=NOT_BEFORE,
ca_certificate_descriptions[0].subject_description.not_after_time():label=NOT_AFTER)
""")
parser.display_info.AddTransforms({
'not_before_time': text_utils.TransformNotBeforeTime,
'not_after_time': text_utils.TransformNotAfterTime
})
parser.display_info.AddUriFunc(
resource_utils.MakeGetUriFunc(
'privateca.projects.locations.caPools.certificateAuthorities'))
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
location_property_fallback = properties.VALUES.privateca.location.Get()
if args.IsSpecified('location'):
location = args.location
elif location_property_fallback and args.IsSpecified('pool'):
location = location_property_fallback
else:
location = '-'
ca_pool_id = args.pool if args.IsSpecified('pool') else '-'
if location == '-' and args.IsSpecified('pool'):
raise exceptions.InvalidArgumentException(
'--location',
'If a pool id is specified, you must also specify the location of that pool.'
)
parent_resource = 'projects/{}/locations/{}/caPools/{}'.format(
properties.VALUES.core.project.GetOrFail(), location, ca_pool_id)
request = messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesListRequest(
parent=parent_resource,
filter='type:SUBORDINATE',
orderBy=common_args.ParseSortByArg(args.sort_by))
return list_pager.YieldFromList(
client.projects_locations_caPools_certificateAuthorities,
request,
field='certificateAuthorities',
limit=args.limit,
batch_size_attribute='pageSize',
batch_size=args.page_size,
get_field_func=response_utils.GetFieldAndLogUnreachable)

76
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/undelete.py Normal file
View File

@@ -0,0 +1,76 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Undelete a subordinate certificate authority."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.api_lib.privateca import request_utils
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.privateca import operations
from googlecloudsdk.command_lib.privateca import resource_args
from googlecloudsdk.core import log
@base.ReleaseTracks(base.ReleaseTrack.GA)
class Undelete(base.SilentCommand):
r"""Undelete a subordinate certificate authority.
Restores a subordinate Certificate Authority that has been deleted. A
Certificate Authority can be undeleted within 30 days of being deleted. Use
this command to halt the deletion process. An undeleted CA will move to
DISABLED state.
## EXAMPLES
To undelete a subordinate CA:
$ {command} server-tls-1 --location=us-west1 --pool=my-pool
"""
@staticmethod
def Args(parser):
resource_args.AddCertAuthorityPositionalResourceArg(parser, 'to undelete')
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
current_ca = client.projects_locations_caPools_certificateAuthorities.Get(
messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest(
name=ca_ref.RelativeName()))
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE,
current_ca,
version='v1')
operation = client.projects_locations_caPools_certificateAuthorities.Undelete(
messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesUndeleteRequest(
name=ca_ref.RelativeName(),
undeleteCertificateAuthorityRequest=messages
.UndeleteCertificateAuthorityRequest(
requestId=request_utils.GenerateRequestId())))
operations.Await(operation, 'Undeleting Subordinate CA', api_version='v1')
log.status.Print('Undeleted Subordinate CA [{}].'.format(
ca_ref.RelativeName()))

101
gcloud auth application-default login/google-cloud-sdk/lib/surface/privateca/subordinates/update.py Normal file
View File

@@ -0,0 +1,101 @@
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Update a subordinate certificate authority."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.api_lib.privateca import request_utils
from googlecloudsdk.calliope import base
from googlecloudsdk.command_lib.privateca import operations
from googlecloudsdk.command_lib.privateca import resource_args
from googlecloudsdk.command_lib.privateca import update_utils
from googlecloudsdk.command_lib.util.args import labels_util
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.GA)
class Update(base.UpdateCommand):
r"""Update an existing subordinate certificate authority.
## EXAMPLES
To update labels on a subordinate CA:
$ {command} server-tls-1 \
--pool=my-pool \
--location=us-west1 \
--update-labels=foo=bar
To update the CA certificate chain for a subordinate CA:
$ {command} server-tls-1 \
--pool=my-pool \
--location=us-west1 \
--pem-chain=pem_chain.txt
"""
@staticmethod
def Args(parser):
resource_args.AddCertAuthorityPositionalResourceArg(parser, 'to update')
base.Argument(
'--pem-chain',
required=False,
help=(
'A file containing a list of PEM-encoded certificates that'
' represent the issuing chain of this CA. Please note'
' that the certificate corresponding to this specific CA should be'
' excluded.'
),
).AddToParser(parser)
labels_util.AddUpdateLabelsFlags(parser)
def Run(self, args):
client = privateca_base.GetClientInstance(api_version='v1')
messages = privateca_base.GetMessagesModule(api_version='v1')
ca_ref = args.CONCEPTS.certificate_authority.Parse()
ca_name = ca_ref.RelativeName()
current_ca = client.projects_locations_caPools_certificateAuthorities.Get(
messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequest(
name=ca_name
)
)
resource_args.CheckExpectedCAType(
messages.CertificateAuthority.TypeValueValuesEnum.SUBORDINATE,
current_ca,
version='v1',
)
ca_to_update, update_mask = update_utils.UpdateCAFromArgs(
args, current_ca.labels
)
# Patch is the gcloud client lib method to update a CA.
operation = client.projects_locations_caPools_certificateAuthorities.Patch(
messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesPatchRequest(
name=ca_name,
certificateAuthority=ca_to_update,
updateMask=','.join(update_mask),
requestId=request_utils.GenerateRequestId(),
)
)
return operations.Await(
operation, 'Updating Subordinate CA.', api_version='v1'
)