Skip to content

Commit

Permalink
docs(samples): added samples for issuance policy and certificate temp…
Browse files Browse the repository at this point in the history
…lates (#264)

* docs(samples): init commit - set issuance policy

* docs(samples): added certificate template CRUD samples

* refactor(samples): modified the samples for test coherence

* test(samples): Added tests for issuance policy and certificate templates.

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* refactor(samples): included filter condition and comments

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* refactor(samples): included review comments

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
  • Loading branch information
Sita04 and gcf-owl-bot[bot] authored Sep 14, 2021
1 parent c2129ae commit aab5bb5
Show file tree
Hide file tree
Showing 9 changed files with 619 additions and 27 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ public static void createCertificate(
// certificateLifetime: The validity of the certificate in seconds.
String commonName = "common-name";
String orgName = "org-name";
String domainName = "dnsname.com";
String domainName = "dns.your-domain.com";
long certificateLifetime = 1000L;

// Set the Public Key and its format.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,121 @@
/*
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package privateca;

// [START privateca_create_certificate_template]

import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints;
import com.google.cloud.security.privateca.v1.CertificateTemplate;
import com.google.cloud.security.privateca.v1.CreateCertificateTemplateRequest;
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.LocationName;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
import com.google.type.Expr;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class CreateCertificateTemplate {

public static void main(String[] args)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
/* TODO(developer): Replace these variables before running the sample.
location: For a list of locations, see:
https://cloud.google.com/certificate-authority-service/docs/locations */
String project = "your-project-id";
String location = "ca-location";
String certificateTemplateId = "certificate-template-id";

createCertificateTemplate(project, location, certificateTemplateId);
}

/* Creates a Certificate template. These templates can be reused for common
certificate issuance scenarios. */
public static void createCertificateTemplate(
String project, String location, String certificateTemplateId)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
/* Initialize client that will be used to send requests. This client only needs to be created
once, and can be reused for multiple requests. After completing all of your requests, call
the `certificateAuthorityServiceClient.close()` method on the client to safely
clean up any remaining background resources. */
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {

/* Describes any predefined X.509 values set by this template.
The provided extensions are copied over to certificate requests that use this template.*/
KeyUsage keyUsage =
KeyUsage.newBuilder()
.setBaseKeyUsage(
KeyUsageOptions.newBuilder()
.setDigitalSignature(true)
.setKeyEncipherment(true)
.build())
.setExtendedKeyUsage(ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build())
.build();

CaOptions caOptions = CaOptions.newBuilder().setIsCa(false).build();

/* CEL expression that is evaluated against the Subject and
Subject Alternative Name of the certificate before it is issued. */
Expr expr =
Expr.newBuilder().setExpression("subject_alt_names.all(san, san.type == DNS)").build();

// Set the certificate issuance schema.
CertificateTemplate certificateTemplate =
CertificateTemplate.newBuilder()
.setPredefinedValues(
X509Parameters.newBuilder().setKeyUsage(keyUsage).setCaOptions(caOptions).build())
.setIdentityConstraints(
CertificateIdentityConstraints.newBuilder()
.setCelExpression(expr)
.setAllowSubjectPassthrough(false)
.setAllowSubjectAltNamesPassthrough(false)
.build())
.build();

// Set the parent and certificate template properties.
CreateCertificateTemplateRequest certificateTemplateRequest =
CreateCertificateTemplateRequest.newBuilder()
.setParent(LocationName.of(project, location).toString())
.setCertificateTemplate(certificateTemplate)
.setCertificateTemplateId(certificateTemplateId)
.build();

// Create Template request.
ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient
.createCertificateTemplateCallable()
.futureCall(certificateTemplateRequest);

Operation response = futureCall.get(60, TimeUnit.SECONDS);

if (response.hasError()) {
System.out.println("Error creating certificate template ! " + response.getError());
return;
}

System.out.println("Successfully created certificate template ! " + response.getName());
}
}
}
// [END privateca_create_certificate_template]
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import com.google.cloud.security.privateca.v1.KeyUsage;
import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
import com.google.cloud.security.privateca.v1.Subject;
import com.google.cloud.security.privateca.v1.SubjectAltNames;
import com.google.cloud.security.privateca.v1.X509Parameters;
import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
import com.google.longrunning.Operation;
Expand Down Expand Up @@ -65,6 +66,7 @@ public static void createSubordinateCertificateAuthority(

String commonName = "common-name";
String orgName = "csr-org-name";
String domainName = "dns.your-domain.com";
int caDuration = 100000; // Validity of this CA in seconds.

// Set the type of Algorithm.
Expand All @@ -76,6 +78,8 @@ public static void createSubordinateCertificateAuthority(
SubjectConfig.newBuilder()
.setSubject(
Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
// Set the fully qualified domain name.
.setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build())
.build();

// Set the key usage options for X.509 fields.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
/*
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package privateca;

// [START privateca_delete_certificate_template]

import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateTemplateName;
import com.google.cloud.security.privateca.v1.DeleteCertificateTemplateRequest;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class DeleteCertificateTemplate {

public static void main(String[] args)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
/* TODO(developer): Replace these variables before running the sample.
location: For a list of locations, see:
https://cloud.google.com/certificate-authority-service/docs/locations
certificateTemplateId: Id of the certificate template to delete. */
String project = "your-project-id";
String location = "ca-location";
String certificateTemplateId = "certificate-template-id";

deleteCertificateTemplate(project, location, certificateTemplateId);
}

// Deletes the certificate template present in the given project and location.
public static void deleteCertificateTemplate(
String project, String location, String certificateTemplateId)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
/* Initialize client that will be used to send requests. This client only needs to be created
once, and can be reused for multiple requests. After completing all of your requests, call
the `certificateAuthorityServiceClient.close()` method on the client to safely
clean up any remaining background resources. */
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {

// Set the parent name of the certificate template to be deleted.
DeleteCertificateTemplateRequest request =
DeleteCertificateTemplateRequest.newBuilder()
.setName(
CertificateTemplateName.of(project, location, certificateTemplateId).toString())
.build();

ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient.deleteCertificateTemplateCallable().futureCall(request);

Operation response = futureCall.get(60, TimeUnit.SECONDS);

// Check for errors.
if (response.hasError()) {
System.out.println("Error deleting the certificate template ! " + response.getError());
return;
}

System.out.println("Successfully created certificate template ! " + response.getName());
}
}
}
// [END privateca_delete_certificate_template]
Original file line number Diff line number Diff line change
Expand Up @@ -30,21 +30,16 @@ public static void main(String[] args) throws IOException {
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// pool_Id: Id of the CA pool which contains the certificates to be listed.
// filterCondition: Filter certificates based on the given condition.
// For more info on conditions supported,
// see:
// https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support
String project = "your-project-id";
String location = "ca-location";
String pool_Id = "ca-pool-id";
String filterCondition = "filter-condition";

filterCertificates(project, location, pool_Id, filterCondition);
filterCertificates(project, location, pool_Id);
}

// Filter certificates based on a condition and list them.
public static void filterCertificates(
String project, String location, String pool_Id, String filterCondition) throws IOException {
public static void filterCertificates(String project, String location, String pool_Id)
throws IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the `certificateAuthorityServiceClient.close()` method on the client to safely
Expand All @@ -63,8 +58,16 @@ public static void filterCertificates(
ListCertificatesRequest listCertificatesRequest =
ListCertificatesRequest.newBuilder()
.setParent(caPool.toString())
// Filter certificates according to the given condition.
.setFilter(filterCondition)
/* Filter certificates based on the given condition.
For more info on conditions supported,
see:
https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support
Few examples for constructing conditions:
certificate_description.subject_description.not_after_time=timestamp(com.google.protobuf)
certificate_description.subject_description.subject_alt_name.dns_names:my-dns
Here, we are filtering certificates which has organization name = csr-org-name */
.setFilter(
"certificate_description.subject_description.subject.organization=csr-org-name")
.build();

// Retrieve and print the certificate names.
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
/*
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package privateca;

// [START privateca_list_certificate_template]

import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.CertificateTemplate;
import com.google.cloud.security.privateca.v1.ListCertificateTemplatesRequest;
import com.google.cloud.security.privateca.v1.ListCertificateTemplatesResponse;
import com.google.cloud.security.privateca.v1.LocationName;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class ListCertificateTemplates {

public static void main(String[] args)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
/* TODO(developer): Replace these variables before running the sample.
location: For a list of locations, see:
https://cloud.google.com/certificate-authority-service/docs/locations */
String project = "your-project-id";
String location = "ca-location";

listCertificateTemplates(project, location);
}

// Lists the certificate templates present in the given project and location.
public static void listCertificateTemplates(String project, String location)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
/* Initialize client that will be used to send requests. This client only needs to be created
once, and can be reused for multiple requests. After completing all of your requests, call
the `certificateAuthorityServiceClient.close()` method on the client to safely
clean up any remaining background resources. */
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {

// Set the parent name to list the certificate templates.
ListCertificateTemplatesRequest request =
ListCertificateTemplatesRequest.newBuilder()
.setParent(LocationName.of(project, location).toString())
.build();

ApiFuture<ListCertificateTemplatesResponse> futureCall =
certificateAuthorityServiceClient.listCertificateTemplatesCallable().futureCall(request);

// Get the response.
ListCertificateTemplatesResponse response = futureCall.get(60, TimeUnit.SECONDS);

// List all templates.
for (CertificateTemplate template : response.getCertificateTemplatesList()) {
System.out.println(template.getName());
}
}
}
}
// [END privateca_list_certificate_template]
Loading

0 comments on commit aab5bb5

Please sign in to comment.