File: //snap/google-cloud-cli/394/lib/surface/privateca/roots/create.py
# -*- coding: utf-8 -*- #
# Copyright 2020 Google LLC. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Create a new root certificate authority."""
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
from googlecloudsdk.api_lib.privateca import base as privateca_base
from googlecloudsdk.api_lib.privateca import request_utils
from googlecloudsdk.calliope import base
from googlecloudsdk.calliope.concepts import deps
from googlecloudsdk.command_lib.privateca import create_utils
from googlecloudsdk.command_lib.privateca import flags
from googlecloudsdk.command_lib.privateca import iam
from googlecloudsdk.command_lib.privateca import operations
from googlecloudsdk.command_lib.privateca import p4sa
from googlecloudsdk.command_lib.privateca import resource_args
from googlecloudsdk.command_lib.privateca import storage
from googlecloudsdk.command_lib.util.args import labels_util
from googlecloudsdk.command_lib.util.concepts import concept_parsers
from googlecloudsdk.command_lib.util.concepts import presentation_specs
from googlecloudsdk.core import log
from googlecloudsdk.core.console import console_io
@base.DefaultUniverseOnly
@base.ReleaseTracks(base.ReleaseTrack.GA)
class Create(base.CreateCommand):
# pylint: disable=line-too-long
r"""Create a new root certificate authority.
TIP: Consider setting a [project lien](https://cloud.google.com/resource-manager/docs/project-liens) on the project to prevent it from accidental deletion.
## EXAMPLES
To create a root CA that supports one layer of subordinates:
$ {command} prod-root \
--location=us-west1 --pool=my-pool \
--kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" \
--subject="CN=Example Production Root CA, O=Google" \
--max-chain-length=1
To create a root CA that is based on an existing CA:
$ {command} prod-root \
--location=us-west1 --pool=my-pool \
--kms-key-version="projects/my-project-pki/locations/us-west1/keyRings/kr1/cryptoKeys/k1/cryptoKeyVersions/1" \
--from-ca=source-root
"""
def __init__(self, *args, **kwargs):
super(Create, self).__init__(*args, **kwargs)
self.client = privateca_base.GetClientInstance(api_version='v1')
self.messages = privateca_base.GetMessagesModule(api_version='v1')
@staticmethod
def Args(parser):
key_spec_group = parser.add_group(
mutex=True,
help='The key configuration used for the CA certificate. Defaults to a '
'managed key if not specified.')
x509_config_group = parser.add_group(
mutex=True,
required=False,
help='The X.509 configuration used for the CA certificate.')
concept_parsers.ConceptParser([
presentation_specs.ResourcePresentationSpec(
'CERTIFICATE_AUTHORITY',
resource_args.CreateCertAuthorityResourceSpec(
'Certificate Authority'),
'The name of the root CA to create.',
required=True),
presentation_specs.ResourcePresentationSpec(
'--kms-key-version',
resource_args.CreateKmsKeyVersionResourceSpec(),
'An existing KMS key version to back this CA.',
group=key_spec_group),
presentation_specs.ResourcePresentationSpec(
'--from-ca',
resource_args.CreateCertAuthorityResourceSpec(
'source CA',
location_fallthroughs=[
deps.ArgFallthrough('--location'),
resource_args.LOCATION_PROPERTY_FALLTHROUGH
],
pool_id_fallthroughs=[deps.ArgFallthrough('--pool')]),
'An existing CA from which to copy configuration values for the new CA. '
'You can still override any of those values by explicitly providing '
'the appropriate flags. The specified existing CA must be part of '
'the same pool as the one being created.',
flag_name_overrides={
'project': '',
'location': '',
'pool': '',
},
prefixes=True)
]).AddToParser(parser)
flags.AddSubjectFlags(parser, subject_required=False)
flags.AddKeyAlgorithmFlag(
key_spec_group, default='rsa-pkcs1-4096-sha256')
flags.AddValidityFlag(
parser,
resource_name='CA',
default_value='P10Y',
default_value_text='10 years')
labels_util.AddCreateLabelsFlags(parser)
flags.AddBucketFlag(parser)
flags.AddUsePresetProfilesFlag(x509_config_group)
# If max_chain_len is unspecified, no max length will be provided to the
# server on create, this allowing any number of subordinates.
flags.AddInlineX509ParametersFlags(
x509_config_group, is_ca_command=True, default_max_chain_length=None)
flags.AddAutoEnableFlag(parser)
flags.AddSubjectKeyIdFlag(parser)
flags.AddUserDefinedAccessUrlsFlags(parser)
def _EnableCertificateAuthority(self, ca_name):
"""Enables the given CA."""
enable_request = self.messages.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesEnableRequest(
name=ca_name,
enableCertificateAuthorityRequest=self.messages
.EnableCertificateAuthorityRequest(
requestId=request_utils.GenerateRequestId()))
operation = self.client.projects_locations_caPools_certificateAuthorities.Enable(
enable_request)
return operations.Await(operation, 'Enabling CA.', api_version='v1')
def _ShouldEnableCa(self, args, ca_ref):
"""Determines whether the CA should be enabled or not."""
if args.auto_enable:
return True
# Return false if there already is an enabled CA in the pool.
ca_pool_name = ca_ref.Parent().RelativeName()
list_response = self.client.projects_locations_caPools_certificateAuthorities.List(
self.messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesListRequest(
parent=ca_pool_name))
if create_utils.HasEnabledCa(
list_response.certificateAuthorities, self.messages):
return False
# Prompt the user if they would like to enable a CA in the pool.
return console_io.PromptContinue(
message='The CaPool [{}] has no enabled CAs and cannot issue any '
'certificates until at least one CA is enabled. Would you like to '
'also enable this CA?'.format(ca_ref.Parent().Name()), default=False)
def Run(self, args):
new_ca, ca_ref, _ = create_utils.CreateCAFromArgs(
args, is_subordinate=False)
pool_ref = ca_ref.Parent()
project_ref = pool_ref.Parent().Parent()
key_version_ref = args.CONCEPTS.kms_key_version.Parse()
kms_key_ref = key_version_ref.Parent() if key_version_ref else None
iam.CheckCreateCertificateAuthorityPermissions(project_ref, kms_key_ref)
bucket_ref = None
if args.IsSpecified('bucket'):
bucket_ref = storage.ValidateBucketForCertificateAuthority(args.bucket)
new_ca.gcsBucket = bucket_ref.bucket
# P4SA is needed only if user specifies any resource.
if bucket_ref or kms_key_ref:
p4sa.AddResourceRoleBindings(
p4sa.GetOrCreate(project_ref), kms_key_ref, bucket_ref)
operation = self.client.projects_locations_caPools_certificateAuthorities.Create(
self.messages
.PrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesCreateRequest(
certificateAuthority=new_ca,
certificateAuthorityId=ca_ref.Name(),
parent=pool_ref.RelativeName(),
requestId=request_utils.GenerateRequestId()))
ca_response = operations.Await(operation, 'Creating Certificate Authority.', api_version='v1')
ca = operations.GetMessageFromResponse(ca_response,
self.messages.CertificateAuthority)
log.status.Print('Created Certificate Authority [{}].'.format(ca.name))
log.status.Print(
'TIP: To avoid accidental deletion, '
'please consider adding a project lien on this project. To find out '
'more, see the following doc: '
'https://cloud.google.com/resource-manager/docs/project-liens.'
)
if self._ShouldEnableCa(args, ca_ref):
self._EnableCertificateAuthority(ca_ref.RelativeName())