diff --git a/packages/google-cloud-private-ca/samples/snippets/README.md b/packages/google-cloud-private-ca/samples/snippets/README.md new file mode 100644 index 000000000000..d818d557b83a --- /dev/null +++ b/packages/google-cloud-private-ca/samples/snippets/README.md @@ -0,0 +1,4 @@ +Samples migrated +================ + +New location: https://github.com/GoogleCloudPlatform/python-docs-samples/tree/main/privateca/snippets \ No newline at end of file diff --git a/packages/google-cloud-private-ca/samples/snippets/activate_subordinate_ca.py b/packages/google-cloud-private-ca/samples/snippets/activate_subordinate_ca.py deleted file mode 100644 index ad6d9b5593d9..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/activate_subordinate_ca.py +++ /dev/null @@ -1,87 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_activate_subordinateca] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def activate_subordinate_ca( - project_id: str, - location: str, - ca_pool_name: str, - subordinate_ca_name: str, - pem_ca_certificate: str, - ca_name: str, -) -> None: - """ - Activate a subordinate Certificate Authority (CA). - *Prerequisite*: Get the Certificate Signing Resource (CSR) of the subordinate CA signed by another CA. Pass in the signed - certificate and (issuer CA's name or the issuer CA's Certificate chain). - *Post*: After activating the subordinate CA, it should be enabled before issuing certificates. - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: set it to the CA Pool under which the CA should be created. - pem_ca_certificate: the signed certificate, obtained by signing the CSR. - subordinate_ca_name: the CA to be activated. - ca_name: The name of the certificate authority which signed the CSR. - If an external CA (CA not present in Google Cloud) was used for signing, - then use the CA's issuerCertificateChain. - """ - - ca_service_client = privateca_v1.CertificateAuthorityServiceClient() - - subordinate_ca_path = ca_service_client.certificate_authority_path( - project_id, location, ca_pool_name, subordinate_ca_name - ) - ca_path = ca_service_client.certificate_authority_path( - project_id, location, ca_pool_name, ca_name - ) - - # Set CA subordinate config. - subordinate_config = privateca_v1.SubordinateConfig( - # Follow one of the below methods: - # Method 1: If issuer CA is in Google Cloud, set the Certificate Authority Name. - certificate_authority=ca_path, - # Method 2: If issuer CA is external to Google Cloud, set the issuer's certificate chain. - # The certificate chain of the CA (which signed the CSR) from leaf to root. - # pem_issuer_chain=privateca_v1.SubordinateConfig.SubordinateConfigChain( - # pem_certificates=issuer_certificate_chain, - # ) - ) - - # Construct the "Activate CA Request". - request = privateca_v1.ActivateCertificateAuthorityRequest( - name=subordinate_ca_path, - # The signed certificate. - pem_ca_certificate=pem_ca_certificate, - subordinate_config=subordinate_config, - ) - - # Activate the CA - operation = ca_service_client.activate_certificate_authority(request=request) - result = operation.result() - - print("Operation result:", result) - - # The current state will be STAGED. - # The Subordinate CA has to be ENABLED before issuing certificates. - print( - f"Current state: {ca_service_client.get_certificate_authority(name=subordinate_ca_path).state}" - ) - - -# [END privateca_activate_subordinateca] diff --git a/packages/google-cloud-private-ca/samples/snippets/conftest.py b/packages/google-cloud-private-ca/samples/snippets/conftest.py deleted file mode 100644 index d958e01cafda..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/conftest.py +++ /dev/null @@ -1,83 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import uuid - -import google.auth -import pytest - -from create_ca_pool import create_ca_pool -from create_certificate_authority import create_certificate_authority -from create_certificate_template import create_certificate_template -from delete_ca_pool import delete_ca_pool -from delete_certificate_authority import delete_certificate_authority -from delete_certificate_template import delete_certificate_template - -PROJECT = google.auth.default()[1] -LOCATION = "us-central1" -COMMON_NAME = "COMMON_NAME" -ORGANIZATION = "ORGANIZATION" -CA_DURATION = 1000000 - - -def generate_name() -> str: - return "test-" + uuid.uuid4().hex[:10] - - -@pytest.fixture -def ca_pool(): - CA_POOL_NAME = generate_name() - - create_ca_pool(PROJECT, LOCATION, CA_POOL_NAME) - - yield CA_POOL_NAME - - delete_ca_pool(PROJECT, LOCATION, CA_POOL_NAME) - - -@pytest.fixture -def certificate_authority(ca_pool): - CA_NAME = generate_name() - - create_certificate_authority( - PROJECT, LOCATION, ca_pool, CA_NAME, COMMON_NAME, ORGANIZATION, CA_DURATION - ) - - yield ca_pool, CA_NAME - - delete_certificate_authority(PROJECT, LOCATION, ca_pool, CA_NAME) - - -@pytest.fixture -def deleted_certificate_authority(ca_pool): - CA_NAME = generate_name() - - create_certificate_authority( - PROJECT, LOCATION, ca_pool, CA_NAME, COMMON_NAME, ORGANIZATION, CA_DURATION - ) - - delete_certificate_authority(PROJECT, LOCATION, ca_pool, CA_NAME) - - yield ca_pool, CA_NAME - - -@pytest.fixture -def certificate_template(): - TEMPLATE_NAME = generate_name() - - create_certificate_template(PROJECT, LOCATION, TEMPLATE_NAME) - - yield TEMPLATE_NAME - - delete_certificate_template(PROJECT, LOCATION, TEMPLATE_NAME) diff --git a/packages/google-cloud-private-ca/samples/snippets/create_ca_pool.py b/packages/google-cloud-private-ca/samples/snippets/create_ca_pool.py deleted file mode 100644 index 2b11785b039b..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/create_ca_pool.py +++ /dev/null @@ -1,53 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_create_ca_pool] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def create_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None: - """ - Create a Certificate Authority pool. All certificates created under this CA pool will - follow the same issuance policy, IAM policies,etc., - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: a unique name for the ca pool. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - ca_pool = privateca_v1.CaPool( - # Set the tier (see: https://cloud.google.com/certificate-authority-service/docs/tiers). - tier=privateca_v1.CaPool.Tier.ENTERPRISE, - ) - location_path = caServiceClient.common_location_path(project_id, location) - - # Create the pool request. - request = privateca_v1.CreateCaPoolRequest( - parent=location_path, - ca_pool_id=ca_pool_name, - ca_pool=ca_pool, - ) - - # Create the CA pool. - operation = caServiceClient.create_ca_pool(request=request) - - print("Operation result:", operation.result()) - - -# [END privateca_create_ca_pool] diff --git a/packages/google-cloud-private-ca/samples/snippets/create_certificate.py b/packages/google-cloud-private-ca/samples/snippets/create_certificate.py deleted file mode 100644 index 053305654296..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/create_certificate.py +++ /dev/null @@ -1,102 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_create_certificate] -import google.cloud.security.privateca_v1 as privateca_v1 -from google.protobuf import duration_pb2 - - -def create_certificate( - project_id: str, - location: str, - ca_pool_name: str, - ca_name: str, - certificate_name: str, - common_name: str, - domain_name: str, - certificate_lifetime: int, - public_key_bytes: bytes, -) -> None: - """ - Create a Certificate which is issued by the Certificate Authority present in the CA Pool. - The key used to sign the certificate is created by the Cloud KMS. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: set a unique name for the CA pool. - ca_name: the name of the certificate authority which issues the certificate. - certificate_name: set a unique name for the certificate. - common_name: a title for your certificate. - domain_name: fully qualified domain name for your certificate. - certificate_lifetime: the validity of the certificate in seconds. - public_key_bytes: public key used in signing the certificates. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - # The public key used to sign the certificate can be generated using any crypto library/framework. - # Also you can use Cloud KMS to retrieve an already created public key. - # For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key. - - # Set the Public Key and its format. - public_key = privateca_v1.PublicKey( - key=public_key_bytes, - format_=privateca_v1.PublicKey.KeyFormat.PEM, - ) - - subject_config = privateca_v1.CertificateConfig.SubjectConfig( - subject=privateca_v1.Subject(common_name=common_name), - subject_alt_name=privateca_v1.SubjectAltNames(dns_names=[domain_name]), - ) - - # Set the X.509 fields required for the certificate. - x509_parameters = privateca_v1.X509Parameters( - key_usage=privateca_v1.KeyUsage( - base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions( - digital_signature=True, - key_encipherment=True, - ), - extended_key_usage=privateca_v1.KeyUsage.ExtendedKeyUsageOptions( - server_auth=True, - client_auth=True, - ), - ), - ) - - # Create certificate. - certificate = privateca_v1.Certificate( - config=privateca_v1.CertificateConfig( - public_key=public_key, - subject_config=subject_config, - x509_config=x509_parameters, - ), - lifetime=duration_pb2.Duration(seconds=certificate_lifetime), - ) - - # Create the Certificate Request. - request = privateca_v1.CreateCertificateRequest( - parent=caServiceClient.ca_pool_path(project_id, location, ca_pool_name), - certificate_id=certificate_name, - certificate=certificate, - issuing_certificate_authority_id=ca_name, - ) - result = caServiceClient.create_certificate(request=request) - - print("Certificate creation result:", result) - - -# [END privateca_create_certificate] diff --git a/packages/google-cloud-private-ca/samples/snippets/create_certificate_authority.py b/packages/google-cloud-private-ca/samples/snippets/create_certificate_authority.py deleted file mode 100644 index 2cb0c65ec17d..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/create_certificate_authority.py +++ /dev/null @@ -1,97 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_create_ca] -import google.cloud.security.privateca_v1 as privateca_v1 -from google.protobuf import duration_pb2 - - -def create_certificate_authority( - project_id: str, - location: str, - ca_pool_name: str, - ca_name: str, - common_name: str, - organization: str, - ca_duration: int, -) -> None: - """ - Create Certificate Authority which is the root CA in the given CA Pool. This CA will be - responsible for signing certificates within this pool. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: set it to the CA Pool under which the CA should be created. - ca_name: unique name for the CA. - common_name: a title for your certificate authority. - organization: the name of your company for your certificate authority. - ca_duration: the validity of the certificate authority in seconds. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - # Set the types of Algorithm used to create a cloud KMS key. - key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec( - algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256 - ) - - # Set CA subject config. - subject_config = privateca_v1.CertificateConfig.SubjectConfig( - subject=privateca_v1.Subject(common_name=common_name, organization=organization) - ) - - # Set the key usage options for X.509 fields. - x509_parameters = privateca_v1.X509Parameters( - key_usage=privateca_v1.KeyUsage( - base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions( - crl_sign=True, - cert_sign=True, - ) - ), - ca_options=privateca_v1.X509Parameters.CaOptions( - is_ca=True, - ), - ) - - # Set certificate authority settings. - certificate_authority = privateca_v1.CertificateAuthority( - # CertificateAuthority.Type.SELF_SIGNED denotes that this CA is a root CA. - type_=privateca_v1.CertificateAuthority.Type.SELF_SIGNED, - key_spec=key_version_spec, - config=privateca_v1.CertificateConfig( - subject_config=subject_config, - x509_config=x509_parameters, - ), - lifetime=duration_pb2.Duration(seconds=ca_duration), - ) - - ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name) - - # Create the CertificateAuthorityRequest. - request = privateca_v1.CreateCertificateAuthorityRequest( - parent=ca_pool_path, - certificate_authority_id=ca_name, - certificate_authority=certificate_authority, - ) - - operation = caServiceClient.create_certificate_authority(request=request) - result = operation.result() - - print("Operation result:", result) - - -# [END privateca_create_ca] diff --git a/packages/google-cloud-private-ca/samples/snippets/create_certificate_csr.py b/packages/google-cloud-private-ca/samples/snippets/create_certificate_csr.py deleted file mode 100644 index d3bc892507ce..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/create_certificate_csr.py +++ /dev/null @@ -1,74 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_create_certificate_csr] -import google.cloud.security.privateca_v1 as privateca_v1 -from google.protobuf import duration_pb2 - - -def create_certificate_csr( - project_id: str, - location: str, - ca_pool_name: str, - ca_name: str, - certificate_name: str, - certificate_lifetime: int, - pem_csr: str, -) -> None: - """ - Create a Certificate which is issued by the specified Certificate Authority (CA). - The certificate details and the public key is provided as a Certificate Signing Request (CSR). - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: set a unique name for the CA pool. - ca_name: the name of the certificate authority to sign the CSR. - certificate_name: set a unique name for the certificate. - certificate_lifetime: the validity of the certificate in seconds. - pem_csr: set the Certificate Issuing Request in the pem encoded format. - """ - - ca_service_client = privateca_v1.CertificateAuthorityServiceClient() - - # The public key used to sign the certificate can be generated using any crypto library/framework. - # Also you can use Cloud KMS to retrieve an already created public key. - # For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key. - - # Create certificate with CSR. - # The pem_csr contains the public key and the domain details required. - certificate = privateca_v1.Certificate( - pem_csr=pem_csr, - lifetime=duration_pb2.Duration(seconds=certificate_lifetime), - ) - - # Create the Certificate Request. - # Set the CA which is responsible for creating the certificate with the provided CSR. - request = privateca_v1.CreateCertificateRequest( - parent=ca_service_client.ca_pool_path(project_id, location, ca_pool_name), - certificate_id=certificate_name, - certificate=certificate, - issuing_certificate_authority_id=ca_name, - ) - response = ca_service_client.create_certificate(request=request) - - print(f"Certificate created successfully: {response.name}") - - # Get the signed certificate and the issuer chain list. - print(f"Signed certificate: {response.pem_certificate}") - print(f"Issuer chain list: {response.pem_certificate_chain}") - - -# [END privateca_create_certificate_csr] diff --git a/packages/google-cloud-private-ca/samples/snippets/create_certificate_template.py b/packages/google-cloud-private-ca/samples/snippets/create_certificate_template.py deleted file mode 100644 index 988ebfc364b4..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/create_certificate_template.py +++ /dev/null @@ -1,82 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_create_certificate_template] -import google.cloud.security.privateca_v1 as privateca_v1 -from google.type import expr_pb2 - - -def create_certificate_template( - project_id: str, - location: str, - certificate_template_id: str, -) -> None: - """ - Create a Certificate template. These templates can be reused for common - certificate issuance scenarios. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - certificate_template_id: set a unique name for the certificate template. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - # Describes any predefined X.509 values set by this template. - # The provided extensions are copied over to certificate requests that use this template. - x509_parameters = privateca_v1.X509Parameters( - key_usage=privateca_v1.KeyUsage( - base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions( - digital_signature=True, - key_encipherment=True, - ), - extended_key_usage=privateca_v1.KeyUsage.ExtendedKeyUsageOptions( - server_auth=True, - ), - ), - ca_options=privateca_v1.X509Parameters.CaOptions( - is_ca=False, - ), - ) - - # CEL expression that is evaluated against the Subject and - # Subject Alternative Name of the certificate before it is issued. - expr = expr_pb2.Expr(expression="subject_alt_names.all(san, san.type == DNS)") - - # Set the certificate issuance schema. - certificate_template = privateca_v1.CertificateTemplate( - predefined_values=x509_parameters, - identity_constraints=privateca_v1.CertificateIdentityConstraints( - cel_expression=expr, - allow_subject_passthrough=False, - allow_subject_alt_names_passthrough=False, - ), - ) - - # Request to create a certificate template. - request = privateca_v1.CreateCertificateTemplateRequest( - parent=caServiceClient.common_location_path(project_id, location), - certificate_template=certificate_template, - certificate_template_id=certificate_template_id, - ) - operation = caServiceClient.create_certificate_template(request=request) - result = operation.result() - - print("Operation result:", result) - - -# [END privateca_create_certificate_template] diff --git a/packages/google-cloud-private-ca/samples/snippets/create_subordinate_ca.py b/packages/google-cloud-private-ca/samples/snippets/create_subordinate_ca.py deleted file mode 100644 index 426a047dc980..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/create_subordinate_ca.py +++ /dev/null @@ -1,101 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_create_subordinateca] -import google.cloud.security.privateca_v1 as privateca_v1 -from google.protobuf import duration_pb2 - - -def create_subordinate_ca( - project_id: str, - location: str, - ca_pool_name: str, - subordinate_ca_name: str, - common_name: str, - organization: str, - domain: str, - ca_duration: int, -) -> None: - """ - Create Certificate Authority (CA) which is the subordinate CA in the given CA Pool. - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: set it to the CA Pool under which the CA should be created. - subordinate_ca_name: unique name for the Subordinate CA. - common_name: a title for your certificate authority. - organization: the name of your company for your certificate authority. - domain: the name of your company for your certificate authority. - ca_duration: the validity of the certificate authority in seconds. - """ - - ca_service_client = privateca_v1.CertificateAuthorityServiceClient() - - # Set the type of Algorithm - key_version_spec = privateca_v1.CertificateAuthority.KeyVersionSpec( - algorithm=privateca_v1.CertificateAuthority.SignHashAlgorithm.RSA_PKCS1_4096_SHA256 - ) - - # Set CA subject config. - subject_config = privateca_v1.CertificateConfig.SubjectConfig( - subject=privateca_v1.Subject( - common_name=common_name, organization=organization - ), - # Set the fully qualified domain name. - subject_alt_name=privateca_v1.SubjectAltNames(dns_names=[domain]), - ) - - # Set the key usage options for X.509 fields. - x509_parameters = privateca_v1.X509Parameters( - key_usage=privateca_v1.KeyUsage( - base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions( - crl_sign=True, - cert_sign=True, - ) - ), - ca_options=privateca_v1.X509Parameters.CaOptions( - is_ca=True, - ), - ) - - # Set certificate authority settings. - certificate_authority = privateca_v1.CertificateAuthority( - type_=privateca_v1.CertificateAuthority.Type.SUBORDINATE, - key_spec=key_version_spec, - config=privateca_v1.CertificateConfig( - subject_config=subject_config, - x509_config=x509_parameters, - ), - # Set the CA validity duration. - lifetime=duration_pb2.Duration(seconds=ca_duration), - ) - - ca_pool_path = ca_service_client.ca_pool_path(project_id, location, ca_pool_name) - - # Create the CertificateAuthorityRequest. - request = privateca_v1.CreateCertificateAuthorityRequest( - parent=ca_pool_path, - certificate_authority_id=subordinate_ca_name, - certificate_authority=certificate_authority, - ) - - operation = ca_service_client.create_certificate_authority(request=request) - result = operation.result() - - print(f"Operation result: {result}") - - -# [END privateca_create_subordinateca] diff --git a/packages/google-cloud-private-ca/samples/snippets/delete_ca_pool.py b/packages/google-cloud-private-ca/samples/snippets/delete_ca_pool.py deleted file mode 100644 index e90f89b00f8a..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/delete_ca_pool.py +++ /dev/null @@ -1,45 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_delete_ca_pool] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def delete_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None: - """ - Delete the CA pool as mentioned by the ca_pool_name. - Before deleting the pool, all CAs in the pool MUST BE deleted. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: the name of the CA pool to be deleted. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name) - - # Create the Delete request. - request = privateca_v1.DeleteCaPoolRequest(name=ca_pool_path) - - # Delete the CA Pool. - caServiceClient.delete_ca_pool(request=request) - - print("Deleted CA Pool:", ca_pool_name) - - -# [END privateca_delete_ca_pool] diff --git a/packages/google-cloud-private-ca/samples/snippets/delete_certificate_authority.py b/packages/google-cloud-private-ca/samples/snippets/delete_certificate_authority.py deleted file mode 100644 index fc0b73e4c1cf..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/delete_certificate_authority.py +++ /dev/null @@ -1,76 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_delete_ca] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def delete_certificate_authority( - project_id: str, location: str, ca_pool_name: str, ca_name: str -) -> None: - """ - Delete the Certificate Authority from the specified CA pool. - Before deletion, the CA must be disabled and must not contain any active certificates. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: the name of the CA pool under which the CA is present. - ca_name: the name of the CA to be deleted. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - ca_path = caServiceClient.certificate_authority_path( - project_id, location, ca_pool_name, ca_name - ) - - # Check if the CA is enabled. - ca_state = caServiceClient.get_certificate_authority(name=ca_path).state - print(ca_state) - if ca_state == privateca_v1.CertificateAuthority.State.ENABLED: - print( - "Please disable the Certificate Authority before deletion ! Current state:", - ca_state, - ) - - # Create the DeleteCertificateAuthorityRequest. - # Setting the ignore_active_certificates to True will delete the CA - # even if it contains active certificates. Care should be taken to re-anchor - # the certificates to new CA before deleting. - request = privateca_v1.DeleteCertificateAuthorityRequest( - name=ca_path, ignore_active_certificates=False - ) - - # Delete the Certificate Authority. - operation = caServiceClient.delete_certificate_authority(request=request) - result = operation.result() - - print("Operation result", result) - - # Get the current CA state. - ca_state = caServiceClient.get_certificate_authority(name=ca_path).state - - # Check if the CA has been deleted. - if ca_state == privateca_v1.CertificateAuthority.State.DELETED: - print("Successfully deleted Certificate Authority:", ca_name) - else: - print( - "Unable to delete Certificate Authority. Please try again ! Current state:", - ca_state, - ) - - -# [END privateca_delete_ca] diff --git a/packages/google-cloud-private-ca/samples/snippets/delete_certificate_template.py b/packages/google-cloud-private-ca/samples/snippets/delete_certificate_template.py deleted file mode 100644 index e44dca178c7c..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/delete_certificate_template.py +++ /dev/null @@ -1,52 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_delete_certificate_template] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def delete_certificate_template( - project_id: str, - location: str, - certificate_template_id: str, -) -> None: - """ - Delete the certificate template present in the given project and location. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - certificate_template_id: set a unique name for the certificate template. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - # Request to delete a certificate template. - request = privateca_v1.DeleteCertificateTemplateRequest( - name=caServiceClient.certificate_template_path( - project_id, - location, - certificate_template_id, - ) - ) - operation = caServiceClient.delete_certificate_template(request=request) - result = operation.result() - - print("Operation result", result) - print("Deleted certificate template:", certificate_template_id) - - -# [END privateca_delete_certificate_template] diff --git a/packages/google-cloud-private-ca/samples/snippets/disable_certificate_authority.py b/packages/google-cloud-private-ca/samples/snippets/disable_certificate_authority.py deleted file mode 100644 index 5ec4e7c0c7a5..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/disable_certificate_authority.py +++ /dev/null @@ -1,58 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_disable_ca] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def disable_certificate_authority( - project_id: str, location: str, ca_pool_name: str, ca_name: str -) -> None: - """ - Disable a Certificate Authority which is present in the given CA pool. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: the name of the CA pool under which the CA is present. - ca_name: the name of the CA to be disabled. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - ca_path = caServiceClient.certificate_authority_path( - project_id, location, ca_pool_name, ca_name - ) - - # Create the Disable Certificate Authority Request. - request = privateca_v1.DisableCertificateAuthorityRequest(name=ca_path) - - # Disable the Certificate Authority. - operation = caServiceClient.disable_certificate_authority(request=request) - result = operation.result() - - print("Operation result:", result) - - # Get the current CA state. - ca_state = caServiceClient.get_certificate_authority(name=ca_path).state - - # Check if the CA is disabled. - if ca_state == privateca_v1.CertificateAuthority.State.DISABLED: - print("Disabled Certificate Authority:", ca_name) - else: - print("Cannot disable the Certificate Authority ! Current CA State:", ca_state) - - -# [END privateca_disable_ca] diff --git a/packages/google-cloud-private-ca/samples/snippets/enable_certificate_authority.py b/packages/google-cloud-private-ca/samples/snippets/enable_certificate_authority.py deleted file mode 100644 index a6ecd35580bc..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/enable_certificate_authority.py +++ /dev/null @@ -1,61 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_enable_ca] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def enable_certificate_authority( - project_id: str, location: str, ca_pool_name: str, ca_name: str -) -> None: - """ - Enable the Certificate Authority present in the given ca pool. - CA cannot be enabled if it has been already deleted. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: the name of the CA pool under which the CA is present. - ca_name: the name of the CA to be enabled. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - ca_path = caServiceClient.certificate_authority_path( - project_id, location, ca_pool_name, ca_name - ) - - # Create the Enable Certificate Authority Request. - request = privateca_v1.EnableCertificateAuthorityRequest( - name=ca_path, - ) - - # Enable the Certificate Authority. - operation = caServiceClient.enable_certificate_authority(request=request) - result = operation.result() - - print("Operation result:", result) - - # Get the current CA state. - ca_state = caServiceClient.get_certificate_authority(name=ca_path).state - - # Check if the CA is enabled. - if ca_state == privateca_v1.CertificateAuthority.State.ENABLED: - print("Enabled Certificate Authority:", ca_name) - else: - print("Cannot enable the Certificate Authority ! Current CA State:", ca_state) - - -# [END privateca_enable_ca] diff --git a/packages/google-cloud-private-ca/samples/snippets/filter_certificates.py b/packages/google-cloud-private-ca/samples/snippets/filter_certificates.py deleted file mode 100644 index c9789dcc639c..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/filter_certificates.py +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_filter_certificate] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def filter_certificates( - project_id: str, location: str, ca_pool_name: str, filter_condition: str -) -> None: - """ - Filter certificates based on a condition and list them. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: name of the CA pool which contains the certificates to be listed. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name) - - # Create the certificate request and set the filter condition. - request = privateca_v1.ListCertificatesRequest( - parent=ca_pool_path, - filter=filter_condition, - ) - - # Retrieve and print the certificate names. - print("Available certificates: ") - for cert in caServiceClient.list_certificates(request=request): - print(f"- {cert.name}") - - -# [END privateca_filter_certificate] diff --git a/packages/google-cloud-private-ca/samples/snippets/list_ca_pools.py b/packages/google-cloud-private-ca/samples/snippets/list_ca_pools.py deleted file mode 100644 index b072045e4345..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/list_ca_pools.py +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_list_ca_pool] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def list_ca_pools(project_id: str, location: str) -> None: - """ - List all CA pools present in the given project and location. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - location_path = caServiceClient.common_location_path(project_id, location) - - request = privateca_v1.ListCaPoolsRequest(parent=location_path) - - print("Available CA pools:") - - for ca_pool in caServiceClient.list_ca_pools(request=request): - ca_pool_name = ca_pool.name - # ca_pool.name represents the full resource name of the - # format 'projects/{project-id}/locations/{location}/ca-pools/{ca-pool-name}'. - # Hence stripping it down to just pool name. - print(caServiceClient.parse_ca_pool_path(ca_pool_name)["ca_pool"]) - - -# [END privateca_list_ca_pool] diff --git a/packages/google-cloud-private-ca/samples/snippets/list_certificate_authorities.py b/packages/google-cloud-private-ca/samples/snippets/list_certificate_authorities.py deleted file mode 100644 index 19fd37d9546b..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/list_certificate_authorities.py +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_list_ca] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def list_certificate_authorities( - project_id: str, location: str, ca_pool_name: str -) -> None: - """ - List all Certificate authorities present in the given CA Pool. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: the name of the CA pool under which the CAs to be listed are present. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name) - - # List the CA name and its corresponding state. - for ca in caServiceClient.list_certificate_authorities(parent=ca_pool_path): - print(ca.name, "is", ca.state) - - -# [END privateca_list_ca] diff --git a/packages/google-cloud-private-ca/samples/snippets/list_certificate_templates.py b/packages/google-cloud-private-ca/samples/snippets/list_certificate_templates.py deleted file mode 100644 index 8e8c4c7d5c0d..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/list_certificate_templates.py +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_list_certificate_template] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def list_certificate_templates(project_id: str, location: str) -> None: - """ - List the certificate templates present in the given project and location. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - # List Templates Request. - request = privateca_v1.ListCertificateTemplatesRequest( - parent=caServiceClient.common_location_path(project_id, location), - ) - - print("Available certificate templates:") - for certificate_template in caServiceClient.list_certificate_templates( - request=request - ): - print(certificate_template.name) - - -# [END privateca_list_certificate_template] diff --git a/packages/google-cloud-private-ca/samples/snippets/list_certificates.py b/packages/google-cloud-private-ca/samples/snippets/list_certificates.py deleted file mode 100644 index 9c04ed93470f..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/list_certificates.py +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_list_certificate] - -import google.cloud.security.privateca_v1 as privateca_v1 - - -def list_certificates( - project_id: str, - location: str, - ca_pool_name: str, -) -> None: - """ - List Certificates present in the given CA pool. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: name of the CA pool which contains the certificates to be listed. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name) - - # Retrieve and print the certificate names. - print(f"Available certificates in CA pool {ca_pool_name}:") - for certificate in caServiceClient.list_certificates(parent=ca_pool_path): - print(certificate.name) - - -# [END privateca_list_certificate] diff --git a/packages/google-cloud-private-ca/samples/snippets/monitor_certificate_authority.py b/packages/google-cloud-private-ca/samples/snippets/monitor_certificate_authority.py deleted file mode 100644 index bac5e023b983..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/monitor_certificate_authority.py +++ /dev/null @@ -1,77 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_monitor_ca_expiry] -import google.cloud.monitoring_v3 as monitoring_v3 - - -def create_ca_monitor_policy(project_id: str) -> None: - """ - Create a monitoring policy that notifies you 30 days before a managed CA expires. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - """ - - alertPolicyServiceClient = monitoring_v3.AlertPolicyServiceClient() - notificationChannelServiceClient = monitoring_v3.NotificationChannelServiceClient() - - # Query which indicates the resource to monitor and the constraints. - # Here, the alert policy notifies you 30 days before a managed CA expires. - # For more information on creating queries, see: https://cloud.google.com/monitoring/mql/alerts - query = ( - "fetch privateca.googleapis.com/CertificateAuthority" - "| metric 'privateca.googleapis.com/ca/cert_chain_expiration'" - "| group_by 5m," - "[value_cert_chain_expiration_mean: mean(value.cert_chain_expiration)]" - "| every 5m" - "| condition val() < 2.592e+06 's'" - ) - - # Create a notification channel. - notification_channel = monitoring_v3.NotificationChannel( - type_="email", - labels={"email_address": "python-docs-samples-testing@google.com"}, - ) - channel = notificationChannelServiceClient.create_notification_channel( - name=notificationChannelServiceClient.common_project_path(project_id), - notification_channel=notification_channel, - ) - - # Set the query and notification channel. - alert_policy = monitoring_v3.AlertPolicy( - display_name="policy-name", - conditions=[ - monitoring_v3.AlertPolicy.Condition( - display_name="ca-cert-chain-expiration", - condition_monitoring_query_language=monitoring_v3.AlertPolicy.Condition.MonitoringQueryLanguageCondition( - query=query, - ), - ) - ], - combiner=monitoring_v3.AlertPolicy.ConditionCombinerType.AND, - notification_channels=[channel.name], - ) - - policy = alertPolicyServiceClient.create_alert_policy( - name=notificationChannelServiceClient.common_project_path(project_id), - alert_policy=alert_policy, - ) - - print("Monitoring policy successfully created!", policy.name) - - -# [END privateca_monitor_ca_expiry] diff --git a/packages/google-cloud-private-ca/samples/snippets/noxfile.py b/packages/google-cloud-private-ca/samples/snippets/noxfile.py deleted file mode 100644 index de104dbc64d3..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/noxfile.py +++ /dev/null @@ -1,292 +0,0 @@ -# Copyright 2019 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -from __future__ import print_function - -import glob -import os -from pathlib import Path -import sys -from typing import Callable, Dict, Optional - -import nox - -# WARNING - WARNING - WARNING - WARNING - WARNING -# WARNING - WARNING - WARNING - WARNING - WARNING -# DO NOT EDIT THIS FILE EVER! -# WARNING - WARNING - WARNING - WARNING - WARNING -# WARNING - WARNING - WARNING - WARNING - WARNING - -BLACK_VERSION = "black==22.3.0" -ISORT_VERSION = "isort==5.10.1" - -# Copy `noxfile_config.py` to your directory and modify it instead. - -# `TEST_CONFIG` dict is a configuration hook that allows users to -# modify the test configurations. The values here should be in sync -# with `noxfile_config.py`. Users will copy `noxfile_config.py` into -# their directory and modify it. - -TEST_CONFIG = { - # You can opt out from the test for specific Python versions. - "ignored_versions": [], - # Old samples are opted out of enforcing Python type hints - # All new samples should feature them - "enforce_type_hints": False, - # An envvar key for determining the project id to use. Change it - # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a - # build specific Cloud project. You can also use your own string - # to use your own Cloud project. - "gcloud_project_env": "GOOGLE_CLOUD_PROJECT", - # 'gcloud_project_env': 'BUILD_SPECIFIC_GCLOUD_PROJECT', - # If you need to use a specific version of pip, - # change pip_version_override to the string representation - # of the version number, for example, "20.2.4" - "pip_version_override": None, - # A dictionary you want to inject into your test. Don't put any - # secrets here. These values will override predefined values. - "envs": {}, -} - - -try: - # Ensure we can import noxfile_config in the project's directory. - sys.path.append(".") - from noxfile_config import TEST_CONFIG_OVERRIDE -except ImportError as e: - print("No user noxfile_config found: detail: {}".format(e)) - TEST_CONFIG_OVERRIDE = {} - -# Update the TEST_CONFIG with the user supplied values. -TEST_CONFIG.update(TEST_CONFIG_OVERRIDE) - - -def get_pytest_env_vars() -> Dict[str, str]: - """Returns a dict for pytest invocation.""" - ret = {} - - # Override the GCLOUD_PROJECT and the alias. - env_key = TEST_CONFIG["gcloud_project_env"] - # This should error out if not set. - ret["GOOGLE_CLOUD_PROJECT"] = os.environ[env_key] - - # Apply user supplied envs. - ret.update(TEST_CONFIG["envs"]) - return ret - - -# DO NOT EDIT - automatically generated. -# All versions used to test samples. -ALL_VERSIONS = ["3.7", "3.8", "3.9", "3.10", "3.11"] - -# Any default versions that should be ignored. -IGNORED_VERSIONS = TEST_CONFIG["ignored_versions"] - -TESTED_VERSIONS = sorted([v for v in ALL_VERSIONS if v not in IGNORED_VERSIONS]) - -INSTALL_LIBRARY_FROM_SOURCE = os.environ.get("INSTALL_LIBRARY_FROM_SOURCE", False) in ( - "True", - "true", -) - -# Error if a python version is missing -nox.options.error_on_missing_interpreters = True - -# -# Style Checks -# - - -# Linting with flake8. -# -# We ignore the following rules: -# E203: whitespace before ‘:’ -# E266: too many leading ‘#’ for block comment -# E501: line too long -# I202: Additional newline in a section of imports -# -# We also need to specify the rules which are ignored by default: -# ['E226', 'W504', 'E126', 'E123', 'W503', 'E24', 'E704', 'E121'] -FLAKE8_COMMON_ARGS = [ - "--show-source", - "--builtin=gettext", - "--max-complexity=20", - "--exclude=.nox,.cache,env,lib,generated_pb2,*_pb2.py,*_pb2_grpc.py", - "--ignore=E121,E123,E126,E203,E226,E24,E266,E501,E704,W503,W504,I202", - "--max-line-length=88", -] - - -@nox.session -def lint(session: nox.sessions.Session) -> None: - if not TEST_CONFIG["enforce_type_hints"]: - session.install("flake8") - else: - session.install("flake8", "flake8-annotations") - - args = FLAKE8_COMMON_ARGS + [ - ".", - ] - session.run("flake8", *args) - - -# -# Black -# - - -@nox.session -def blacken(session: nox.sessions.Session) -> None: - """Run black. Format code to uniform standard.""" - session.install(BLACK_VERSION) - python_files = [path for path in os.listdir(".") if path.endswith(".py")] - - session.run("black", *python_files) - - -# -# format = isort + black -# - - -@nox.session -def format(session: nox.sessions.Session) -> None: - """ - Run isort to sort imports. Then run black - to format code to uniform standard. - """ - session.install(BLACK_VERSION, ISORT_VERSION) - python_files = [path for path in os.listdir(".") if path.endswith(".py")] - - # Use the --fss option to sort imports using strict alphabetical order. - # See https://pycqa.github.io/isort/docs/configuration/options.html#force-sort-within-sections - session.run("isort", "--fss", *python_files) - session.run("black", *python_files) - - -# -# Sample Tests -# - - -PYTEST_COMMON_ARGS = ["--junitxml=sponge_log.xml"] - - -def _session_tests( - session: nox.sessions.Session, post_install: Callable = None -) -> None: - # check for presence of tests - test_list = glob.glob("**/*_test.py", recursive=True) + glob.glob( - "**/test_*.py", recursive=True - ) - test_list.extend(glob.glob("**/tests", recursive=True)) - - if len(test_list) == 0: - print("No tests found, skipping directory.") - return - - if TEST_CONFIG["pip_version_override"]: - pip_version = TEST_CONFIG["pip_version_override"] - session.install(f"pip=={pip_version}") - """Runs py.test for a particular project.""" - concurrent_args = [] - if os.path.exists("requirements.txt"): - if os.path.exists("constraints.txt"): - session.install("-r", "requirements.txt", "-c", "constraints.txt") - else: - session.install("-r", "requirements.txt") - with open("requirements.txt") as rfile: - packages = rfile.read() - - if os.path.exists("requirements-test.txt"): - if os.path.exists("constraints-test.txt"): - session.install("-r", "requirements-test.txt", "-c", "constraints-test.txt") - else: - session.install("-r", "requirements-test.txt") - with open("requirements-test.txt") as rtfile: - packages += rtfile.read() - - if INSTALL_LIBRARY_FROM_SOURCE: - session.install("-e", _get_repo_root()) - - if post_install: - post_install(session) - - if "pytest-parallel" in packages: - concurrent_args.extend(["--workers", "auto", "--tests-per-worker", "auto"]) - elif "pytest-xdist" in packages: - concurrent_args.extend(["-n", "auto"]) - - session.run( - "pytest", - *(PYTEST_COMMON_ARGS + session.posargs + concurrent_args), - # Pytest will return 5 when no tests are collected. This can happen - # on travis where slow and flaky tests are excluded. - # See http://doc.pytest.org/en/latest/_modules/_pytest/main.html - success_codes=[0, 5], - env=get_pytest_env_vars(), - ) - - -@nox.session(python=ALL_VERSIONS) -def py(session: nox.sessions.Session) -> None: - """Runs py.test for a sample using the specified version of Python.""" - if session.python in TESTED_VERSIONS: - _session_tests(session) - else: - session.skip( - "SKIPPED: {} tests are disabled for this sample.".format(session.python) - ) - - -# -# Readmegen -# - - -def _get_repo_root() -> Optional[str]: - """Returns the root folder of the project.""" - # Get root of this repository. Assume we don't have directories nested deeper than 10 items. - p = Path(os.getcwd()) - for i in range(10): - if p is None: - break - if Path(p / ".git").exists(): - return str(p) - # .git is not available in repos cloned via Cloud Build - # setup.py is always in the library's root, so use that instead - # https://github.com/googleapis/synthtool/issues/792 - if Path(p / "setup.py").exists(): - return str(p) - p = p.parent - raise Exception("Unable to detect repository root.") - - -GENERATED_READMES = sorted([x for x in Path(".").rglob("*.rst.in")]) - - -@nox.session -@nox.parametrize("path", GENERATED_READMES) -def readmegen(session: nox.sessions.Session, path: str) -> None: - """(Re-)generates the readme for a sample.""" - session.install("jinja2", "pyyaml") - dir_ = os.path.dirname(path) - - if os.path.exists(os.path.join(dir_, "requirements.txt")): - session.install("-r", os.path.join(dir_, "requirements.txt")) - - in_file = os.path.join(dir_, "README.rst.in") - session.run( - "python", _get_repo_root() + "/scripts/readme-gen/readme_gen.py", in_file - ) diff --git a/packages/google-cloud-private-ca/samples/snippets/noxfile_config.py b/packages/google-cloud-private-ca/samples/snippets/noxfile_config.py deleted file mode 100644 index 4a4db8c2de30..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/noxfile_config.py +++ /dev/null @@ -1,38 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default TEST_CONFIG_OVERRIDE for python repos. - -# You can copy this file into your directory, then it will be inported from -# the noxfile.py. - -# The source of truth: -# https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/noxfile_config.py - -TEST_CONFIG_OVERRIDE = { - # You can opt out from the test for specific Python versions. - "ignored_versions": ["2.7"], - # Old samples are opted out of enforcing Python type hints - # All new samples should feature them - "enforce_type_hints": False, - # An envvar key for determining the project id to use. Change it - # to 'BUILD_SPECIFIC_GCLOUD_PROJECT' if you want to opt in using a - # build specific Cloud project. You can also use your own string - # to use your own Cloud project. - # "gcloud_project_env": "GOOGLE_CLOUD_PROJECT", - "gcloud_project_env": "BUILD_SPECIFIC_GCLOUD_PROJECT", - # A dictionary you want to inject into your test. Don't put any - # secrets here. These values will override predefined values. - "envs": {}, -} diff --git a/packages/google-cloud-private-ca/samples/snippets/requirements-test.txt b/packages/google-cloud-private-ca/samples/snippets/requirements-test.txt deleted file mode 100644 index 77d6f60472ee..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/requirements-test.txt +++ /dev/null @@ -1,3 +0,0 @@ -pytest==7.2.1 -google-auth==2.16.0 -cryptography==39.0.0 diff --git a/packages/google-cloud-private-ca/samples/snippets/requirements.txt b/packages/google-cloud-private-ca/samples/snippets/requirements.txt deleted file mode 100644 index cf4bb56d46ab..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -google-cloud-private-ca==1.6.1 -google-cloud-kms==2.14.1 -google-cloud-monitoring==2.14.1 \ No newline at end of file diff --git a/packages/google-cloud-private-ca/samples/snippets/revoke_certificate.py b/packages/google-cloud-private-ca/samples/snippets/revoke_certificate.py deleted file mode 100644 index fa0d2f24e203..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/revoke_certificate.py +++ /dev/null @@ -1,65 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import sys - -# isort: split -# [START privateca_revoke_certificate] - -import google.cloud.security.privateca_v1 as privateca_v1 - - -def revoke_certificate( - project_id: str, - location: str, - ca_pool_name: str, - certificate_name: str, -) -> None: - """ - Revoke an issued certificate. Once revoked, the certificate will become invalid and will expire post its lifetime. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: name for the CA pool which contains the certificate. - certificate_name: name of the certificate to be revoked. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - # Create Certificate Path. - certificate_path = caServiceClient.certificate_path( - project_id, location, ca_pool_name, certificate_name - ) - - # Create Revoke Certificate Request and specify the appropriate revocation reason. - request = privateca_v1.RevokeCertificateRequest( - name=certificate_path, reason=privateca_v1.RevocationReason.PRIVILEGE_WITHDRAWN - ) - result = caServiceClient.revoke_certificate(request=request) - - print("Certificate revoke result:", result) - - -# [END privateca_revoke_certificate] - -if __name__ == "__main__": - revoke_certificate( - project_id=sys.argv[1], - location=sys.argv[2], - ca_pool_name=sys.argv[3], - certificate_name=sys.argv[4], - ) diff --git a/packages/google-cloud-private-ca/samples/snippets/test_ca_pools.py b/packages/google-cloud-private-ca/samples/snippets/test_ca_pools.py deleted file mode 100644 index 5fc17a5d3082..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/test_ca_pools.py +++ /dev/null @@ -1,85 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import re -import typing -import uuid - -import google.auth - -from create_ca_pool import create_ca_pool -from delete_ca_pool import delete_ca_pool -from list_ca_pools import list_ca_pools -from update_ca_pool_issuance_policy import update_ca_pool_issuance_policy - -PROJECT = google.auth.default()[1] -LOCATION = "us-central1" - - -def generate_name() -> str: - return "test-" + uuid.uuid4().hex[:10] - - -def test_create_ca_pool(ca_pool, capsys: typing.Any) -> None: - CA_POOL_NAME = generate_name() - - create_ca_pool(PROJECT, LOCATION, CA_POOL_NAME) - - out, _ = capsys.readouterr() - - assert re.search( - f'Operation result: name: "projects/{PROJECT}/locations/{LOCATION}/caPools/{CA_POOL_NAME}"', - out, - ) - - delete_ca_pool(PROJECT, LOCATION, CA_POOL_NAME) - - -def test_list_ca_pools(capsys: typing.Any) -> None: - CA_POOL_NAME_1 = generate_name() - CA_POOL_NAME_2 = generate_name() - - create_ca_pool(PROJECT, LOCATION, CA_POOL_NAME_1) - create_ca_pool(PROJECT, LOCATION, CA_POOL_NAME_2) - list_ca_pools(PROJECT, LOCATION) - - out, _ = capsys.readouterr() - - assert "Available CA pools:" in out - assert f"{CA_POOL_NAME_1}\n" in out - assert f"{CA_POOL_NAME_2}\n" in out - - delete_ca_pool(PROJECT, LOCATION, CA_POOL_NAME_1) - delete_ca_pool(PROJECT, LOCATION, CA_POOL_NAME_2) - - -def test_delete_ca_pool(capsys: typing.Any) -> None: - CA_POOL_NAME = generate_name() - - create_ca_pool(PROJECT, LOCATION, CA_POOL_NAME) - delete_ca_pool(PROJECT, LOCATION, CA_POOL_NAME) - - out, _ = capsys.readouterr() - - assert re.search(f"Deleted CA Pool: {CA_POOL_NAME}", out) - - -def test_update_ca_pool_issuance_policy(ca_pool, capsys: typing.Any) -> None: - CA_POOL_NAME = ca_pool - - update_ca_pool_issuance_policy(PROJECT, LOCATION, CA_POOL_NAME) - - out, _ = capsys.readouterr() - - assert "CA Pool Issuance policy has been updated successfully!" in out diff --git a/packages/google-cloud-private-ca/samples/snippets/test_certificate_authorities.py b/packages/google-cloud-private-ca/samples/snippets/test_certificate_authorities.py deleted file mode 100644 index daac5bcf0e0d..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/test_certificate_authorities.py +++ /dev/null @@ -1,119 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import re -import typing -import uuid - -import google.auth - -from create_ca_pool import create_ca_pool -from create_certificate_authority import create_certificate_authority -from delete_ca_pool import delete_ca_pool -from delete_certificate_authority import delete_certificate_authority -from disable_certificate_authority import disable_certificate_authority -from enable_certificate_authority import enable_certificate_authority -from monitor_certificate_authority import create_ca_monitor_policy -from undelete_certificate_authority import undelete_certificate_authority -from update_certificate_authority import update_ca_label - -PROJECT = google.auth.default()[1] -LOCATION = "us-central1" -COMMON_NAME = "COMMON_NAME" -ORGANIZATION = "ORGANIZATION" -CA_DURATION = 1000000 - - -def generate_name() -> str: - return "i" + uuid.uuid4().hex[:10] - - -def test_create_certificate(capsys: typing.Any) -> None: - CA_POOL_NAME = generate_name() - CA_NAME = generate_name() - - create_ca_pool(PROJECT, LOCATION, CA_POOL_NAME) - create_certificate_authority( - PROJECT, LOCATION, CA_POOL_NAME, CA_NAME, COMMON_NAME, ORGANIZATION, CA_DURATION - ) - - out, _ = capsys.readouterr() - - assert re.search( - f'Operation result: name: "projects/{PROJECT}/locations/{LOCATION}/caPools/{CA_POOL_NAME}/certificateAuthorities/{CA_NAME}"', - out, - ) - - delete_certificate_authority(PROJECT, LOCATION, CA_POOL_NAME, CA_NAME) - delete_ca_pool(PROJECT, LOCATION, CA_POOL_NAME) - - -def test_enable_and_disable_certificate_authority( - certificate_authority, capsys: typing.Any -) -> None: - CA_POOL_NAME, CA_NAME = certificate_authority - - enable_certificate_authority(PROJECT, LOCATION, CA_POOL_NAME, CA_NAME) - disable_certificate_authority(PROJECT, LOCATION, CA_POOL_NAME, CA_NAME) - - out, _ = capsys.readouterr() - - assert re.search( - f"Enabled Certificate Authority: {CA_NAME}", - out, - ) - assert re.search( - f"Disabled Certificate Authority: {CA_NAME}", - out, - ) - - -def test_undelete_certificate_authority( - deleted_certificate_authority, capsys: typing.Any -) -> None: - CA_POOL_NAME, CA_NAME = deleted_certificate_authority - - undelete_certificate_authority(PROJECT, LOCATION, CA_POOL_NAME, CA_NAME) - delete_certificate_authority(PROJECT, LOCATION, CA_POOL_NAME, CA_NAME) - delete_ca_pool(PROJECT, LOCATION, CA_POOL_NAME) - - out, _ = capsys.readouterr() - assert re.search( - f"Successfully undeleted Certificate Authority: {CA_NAME}", - out, - ) - assert re.search( - f"Successfully deleted Certificate Authority: {CA_NAME}", - out, - ) - - -def test_update_certificate_authority( - certificate_authority, capsys: typing.Any -) -> None: - CA_POOL_NAME, CA_NAME = certificate_authority - - update_ca_label(PROJECT, LOCATION, CA_POOL_NAME, CA_NAME) - - out, _ = capsys.readouterr() - - assert "Successfully updated the labels !" in out - - -def test_create_monitor_ca_policy(capsys: typing.Any) -> None: - create_ca_monitor_policy(PROJECT) - - out, _ = capsys.readouterr() - - assert "Monitoring policy successfully created!" in out diff --git a/packages/google-cloud-private-ca/samples/snippets/test_certificates.py b/packages/google-cloud-private-ca/samples/snippets/test_certificates.py deleted file mode 100644 index 35fcac35008f..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/test_certificates.py +++ /dev/null @@ -1,96 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -import re -import time -import typing -import uuid - -from cryptography.hazmat.backends.openssl.backend import backend -from cryptography.hazmat.primitives.asymmetric import rsa -from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat -import google.auth - -from create_certificate import create_certificate -from disable_certificate_authority import disable_certificate_authority -from enable_certificate_authority import enable_certificate_authority -from filter_certificates import filter_certificates -from revoke_certificate import revoke_certificate - -PROJECT = google.auth.default()[1] -LOCATION = "us-central1" -COMMON_NAME = "COMMON_NAME" -ORGANIZATION = "ORGANIZATION" -CERTIFICATE_LIFETIME = 1000000 -DOMAIN_NAME = "domain.com" - - -def generate_name() -> str: - return "test-" + uuid.uuid4().hex[:10] - - -def test_create_and_revoke_certificate_authority( - certificate_authority, capsys: typing.Any -) -> None: - CERT_NAME = generate_name() - - CA_POOL_NAME, CA_NAME = certificate_authority - enable_certificate_authority(PROJECT, LOCATION, CA_POOL_NAME, CA_NAME) - - private_key = rsa.generate_private_key( - public_exponent=65537, key_size=2048, backend=backend - ) - - public_key_bytes = private_key.public_key().public_bytes( - Encoding.PEM, PublicFormat.SubjectPublicKeyInfo - ) - - # Wait while crypto key is generating - time.sleep(5) - - create_certificate( - PROJECT, - LOCATION, - CA_POOL_NAME, - CA_NAME, - CERT_NAME, - COMMON_NAME, - DOMAIN_NAME, - CERTIFICATE_LIFETIME, - public_key_bytes, - ) - - FILTER_CONDITION = ( - f"certificate_description.subject_description.subject.common_name={COMMON_NAME}" - ) - filter_certificates(PROJECT, LOCATION, CA_POOL_NAME, FILTER_CONDITION) - - revoke_certificate( - PROJECT, - LOCATION, - CA_POOL_NAME, - CERT_NAME, - ) - - disable_certificate_authority(PROJECT, LOCATION, CA_POOL_NAME, CA_NAME) - - out, _ = capsys.readouterr() - assert "Certificate creation result:" in out - assert "Available certificates:" in out - assert re.search( - f"- projects/.*/locations/{LOCATION}/caPools/{CA_POOL_NAME}/certificates/{CERT_NAME}", - out, - ) - assert "Certificate revoke result:" in out diff --git a/packages/google-cloud-private-ca/samples/snippets/test_crud_certificate_templates.py b/packages/google-cloud-private-ca/samples/snippets/test_crud_certificate_templates.py deleted file mode 100644 index 8c2c94b86d8a..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/test_crud_certificate_templates.py +++ /dev/null @@ -1,71 +0,0 @@ -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import re -import typing -import uuid - -import google.auth - -from create_certificate_template import create_certificate_template -from delete_certificate_template import delete_certificate_template -from list_certificate_templates import list_certificate_templates -from update_certificate_template import update_certificate_template - -PROJECT = google.auth.default()[1] -LOCATION = "us-central1" -COMMON_NAME = "COMMON_NAME" -ORGANIZATION = "ORGANIZATION" -CA_DURATION = 1000000 - - -def generate_name() -> str: - return "i" + uuid.uuid4().hex[:10] - - -def test_create_delete_certificate_template(capsys: typing.Any) -> None: - TEMPLATE_NAME = generate_name() - - create_certificate_template(PROJECT, LOCATION, TEMPLATE_NAME) - delete_certificate_template(PROJECT, LOCATION, TEMPLATE_NAME) - - out, _ = capsys.readouterr() - - assert re.search( - f'Operation result: name: "projects/{PROJECT}/locations/{LOCATION}/certificateTemplates/{TEMPLATE_NAME}"', - out, - ) - - assert re.search(f"Deleted certificate template: {TEMPLATE_NAME}", out) - - -def test_list_certificate_templates(certificate_template, capsys: typing.Any) -> None: - TEMPLATE_NAME = certificate_template - - list_certificate_templates(PROJECT, LOCATION) - - out, _ = capsys.readouterr() - - assert "Available certificate templates:" in out - assert f"{TEMPLATE_NAME}\n" in out - - -def test_update_certificate_template(certificate_template, capsys: typing.Any) -> None: - TEMPLATE_NAME = certificate_template - - update_certificate_template(PROJECT, LOCATION, TEMPLATE_NAME) - - out, _ = capsys.readouterr() - - assert "Successfully updated the certificate template!" in out diff --git a/packages/google-cloud-private-ca/samples/snippets/test_subordinate_ca.py b/packages/google-cloud-private-ca/samples/snippets/test_subordinate_ca.py deleted file mode 100644 index 1fe2d29a395b..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/test_subordinate_ca.py +++ /dev/null @@ -1,113 +0,0 @@ -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -import re -import typing -import uuid - -import google.auth -import google.cloud.security.privateca_v1 as privateca_v1 - -from activate_subordinate_ca import activate_subordinate_ca -from create_certificate_csr import create_certificate_csr -from create_subordinate_ca import create_subordinate_ca -from revoke_certificate import revoke_certificate - -PROJECT = google.auth.default()[1] -LOCATION = "us-central1" -COMMON_NAME = "COMMON_NAME" -ORGANIZATION = "ORGANIZATION" -CA_DURATION = CERTIFICATE_LIFETIME = 1000000 -DOMAIN_NAME = "domain.com" - - -def generate_name() -> str: - return "test-" + uuid.uuid4().hex[:10] - - -def test_subordinate_certificate_authority( - certificate_authority, capsys: typing.Any -) -> None: - CSR_CERT_NAME = generate_name() - SUBORDINATE_CA_NAME = generate_name() - - CA_POOL_NAME, ROOT_CA_NAME = certificate_authority - - # 1. Create a Subordinate Certificate Authority. - create_subordinate_ca( - PROJECT, - LOCATION, - CA_POOL_NAME, - SUBORDINATE_CA_NAME, - COMMON_NAME, - ORGANIZATION, - DOMAIN_NAME, - CA_DURATION, - ) - - # 2. Fetch CSR of the given CA. - ca_service_client = privateca_v1.CertificateAuthorityServiceClient() - - ca_path = ca_service_client.certificate_authority_path( - PROJECT, LOCATION, CA_POOL_NAME, SUBORDINATE_CA_NAME - ) - response = ca_service_client.fetch_certificate_authority_csr(name=ca_path) - pem_csr = response.pem_csr - - # 3. Sign the CSR and create a certificate. - create_certificate_csr( - PROJECT, - LOCATION, - CA_POOL_NAME, - ROOT_CA_NAME, - CSR_CERT_NAME, - CERTIFICATE_LIFETIME, - pem_csr, - ) - - # 4. Get certificate PEM format - certificate_name = ca_service_client.certificate_path( - PROJECT, LOCATION, CA_POOL_NAME, CSR_CERT_NAME - ) - pem_certificate = ca_service_client.get_certificate( - name=certificate_name - ).pem_certificate - - # 5. Activate Subordinate CA - activate_subordinate_ca( - PROJECT, - LOCATION, - CA_POOL_NAME, - SUBORDINATE_CA_NAME, - pem_certificate, - ROOT_CA_NAME, - ) - - revoke_certificate( - PROJECT, - LOCATION, - CA_POOL_NAME, - CSR_CERT_NAME, - ) - - out, _ = capsys.readouterr() - - assert re.search( - f'Operation result: name: "projects/{PROJECT}/locations/{LOCATION}/caPools/{CA_POOL_NAME}/certificateAuthorities/{SUBORDINATE_CA_NAME}"', - out, - ) - - assert "Certificate created successfully" in out - assert f"Current state: {privateca_v1.CertificateAuthority.State.STAGED}" in out diff --git a/packages/google-cloud-private-ca/samples/snippets/undelete_certificate_authority.py b/packages/google-cloud-private-ca/samples/snippets/undelete_certificate_authority.py deleted file mode 100644 index f436f891cd38..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/undelete_certificate_authority.py +++ /dev/null @@ -1,68 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_undelete_ca] -import google.cloud.security.privateca_v1 as privateca_v1 - - -def undelete_certificate_authority( - project_id: str, location: str, ca_pool_name: str, ca_name: str -) -> None: - """ - Restore a deleted CA, if still within the grace period of 30 days. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: the name of the CA pool under which the deleted CA is present. - ca_name: the name of the CA to be restored (undeleted). - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - ca_path = caServiceClient.certificate_authority_path( - project_id, location, ca_pool_name, ca_name - ) - - # Confirm if the CA is in DELETED stage. - ca_state = caServiceClient.get_certificate_authority(name=ca_path).state - if ca_state != privateca_v1.CertificateAuthority.State.DELETED: - print("CA is not deleted !") - return - - # Create the Request. - request = privateca_v1.UndeleteCertificateAuthorityRequest(name=ca_path) - - # Undelete the CA. - operation = caServiceClient.undelete_certificate_authority(request=request) - result = operation.result() - - print("Operation result", result) - - # Get the current CA state. - ca_state = caServiceClient.get_certificate_authority(name=ca_path).state - - # CA state changes from DELETED to DISABLED if successfully restored. - # Confirm if the CA is DISABLED. - if ca_state == privateca_v1.CertificateAuthority.State.DISABLED: - print("Successfully undeleted Certificate Authority:", ca_name) - else: - print( - "Unable to restore the Certificate Authority! Please try again! Current state:", - ca_state, - ) - - -# [END privateca_undelete_ca] diff --git a/packages/google-cloud-private-ca/samples/snippets/update_ca_pool_issuance_policy.py b/packages/google-cloud-private-ca/samples/snippets/update_ca_pool_issuance_policy.py deleted file mode 100644 index 750c6f36a320..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/update_ca_pool_issuance_policy.py +++ /dev/null @@ -1,97 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2021 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_set_issuance_policy] -import google.cloud.security.privateca_v1 as privateca_v1 -from google.protobuf import field_mask_pb2 -from google.type import expr_pb2 - - -def update_ca_pool_issuance_policy( - project_id: str, - location: str, - ca_pool_name: str, -) -> None: - """ - Update the issuance policy for a CA Pool. All certificates issued from this CA Pool should - meet the issuance policy - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: a unique name for the ca pool. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - ca_pool_path = caServiceClient.ca_pool_path(project_id, location, ca_pool_name) - - # Set the updated issuance policy for the CA Pool. - # This particular issuance policy allows only SANs that - # have DNS Names as "us.google.org" or ending in ".google.com". */ - expr = expr_pb2.Expr( - expression='subject_alt_names.all(san, san.type == DNS && (san.value == "us.google.org" || san.value.endsWith(".google.com")) )' - ) - - issuance_policy = privateca_v1.CaPool.IssuancePolicy( - identity_constraints=privateca_v1.CertificateIdentityConstraints( - allow_subject_passthrough=True, - allow_subject_alt_names_passthrough=True, - cel_expression=expr, - ), - ) - - ca_pool = privateca_v1.CaPool( - name=ca_pool_path, - issuance_policy=issuance_policy, - ) - - # 1. Set the CA pool with updated values. - # 2. Set the update mask to specify which properties of the CA Pool should be updated. - # Only the properties specified in the mask will be updated. Make sure that the mask fields - # match the updated issuance policy. - # For more info on constructing path for update mask, see: - # https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/projects.locations.caPools#issuancepolicy */ - request = privateca_v1.UpdateCaPoolRequest( - ca_pool=ca_pool, - update_mask=field_mask_pb2.FieldMask( - paths=[ - "issuance_policy.identity_constraints.allow_subject_alt_names_passthrough", - "issuance_policy.identity_constraints.allow_subject_passthrough", - "issuance_policy.identity_constraints.cel_expression", - ], - ), - ) - operation = caServiceClient.update_ca_pool(request=request) - result = operation.result() - - print("Operation result", result) - - # Get the CA Pool's issuance policy and verify if the fields have been successfully updated. - issuance_policy = caServiceClient.get_ca_pool(name=ca_pool_path).issuance_policy - - # Similarly, you can check for other modified fields as well. - if ( - issuance_policy.identity_constraints.allow_subject_passthrough - and issuance_policy.identity_constraints.allow_subject_alt_names_passthrough - ): - print("CA Pool Issuance policy has been updated successfully!") - return - - print("Error in updating CA Pool Issuance policy! Please try again!") - - -# [END privateca_set_issuance_policy] diff --git a/packages/google-cloud-private-ca/samples/snippets/update_certificate_authority.py b/packages/google-cloud-private-ca/samples/snippets/update_certificate_authority.py deleted file mode 100644 index 9acd3f8b2eb0..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/update_certificate_authority.py +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_update_ca_label] -import google.cloud.security.privateca_v1 as privateca_v1 -from google.protobuf import field_mask_pb2 - - -def update_ca_label( - project_id: str, - location: str, - ca_pool_name: str, - ca_name: str, -) -> None: - """ - Update the labels in a certificate authority. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - ca_pool_name: set it to the CA Pool under which the CA should be updated. - ca_name: unique name for the CA. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - # Set the parent path and the new labels. - ca_parent = caServiceClient.certificate_authority_path( - project_id, location, ca_pool_name, ca_name - ) - certificate_authority = privateca_v1.CertificateAuthority( - name=ca_parent, - labels={"env": "test"}, - ) - - # Create a request to update the CA. - request = privateca_v1.UpdateCertificateAuthorityRequest( - certificate_authority=certificate_authority, - update_mask=field_mask_pb2.FieldMask(paths=["labels"]), - ) - - operation = caServiceClient.update_certificate_authority(request=request) - result = operation.result() - - print("Operation result:", result) - - # Get the updated CA and check if it contains the new label. - - certificate_authority = caServiceClient.get_certificate_authority(name=ca_parent) - - if ( - "env" in certificate_authority.labels - and certificate_authority.labels["env"] == "test" - ): - print("Successfully updated the labels !") - - -# [END privateca_update_ca_label] diff --git a/packages/google-cloud-private-ca/samples/snippets/update_certificate_template.py b/packages/google-cloud-private-ca/samples/snippets/update_certificate_template.py deleted file mode 100644 index ac05be89bd97..000000000000 --- a/packages/google-cloud-private-ca/samples/snippets/update_certificate_template.py +++ /dev/null @@ -1,87 +0,0 @@ -#!/usr/bin/env python - -# Copyright 2022 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# [START privateca_update_certificate_template] -import google.cloud.security.privateca_v1 as privateca_v1 -from google.protobuf import field_mask_pb2 - - -def update_certificate_template( - project_id: str, - location: str, - certificate_template_id: str, -) -> None: - """ - Update an existing certificate template. - - Args: - project_id: project ID or project number of the Cloud project you want to use. - location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations. - certificate_template_id: set a unique name for the certificate template. - """ - - caServiceClient = privateca_v1.CertificateAuthorityServiceClient() - - certificate_name = caServiceClient.certificate_template_path( - project_id, - location, - certificate_template_id, - ) - - # Set the parent name and the properties to be updated. - certificate_template = privateca_v1.CertificateTemplate( - name=certificate_name, - identity_constraints=privateca_v1.CertificateIdentityConstraints( - allow_subject_passthrough=False, - allow_subject_alt_names_passthrough=True, - ), - ) - - # Set the mask corresponding to the properties updated above. - field_mask = field_mask_pb2.FieldMask( - paths=[ - "identity_constraints.allow_subject_alt_names_passthrough", - "identity_constraints.allow_subject_passthrough", - ], - ) - - # Set the new template. - # Set the mask to specify which properties of the template should be updated. - request = privateca_v1.UpdateCertificateTemplateRequest( - certificate_template=certificate_template, - update_mask=field_mask, - ) - operation = caServiceClient.update_certificate_template(request=request) - result = operation.result() - - print("Operation result", result) - - # Get the updated certificate template and check if the properties have been updated. - cert_identity_constraints = caServiceClient.get_certificate_template( - name=certificate_name - ).identity_constraints - - if ( - not cert_identity_constraints.allow_subject_passthrough - and cert_identity_constraints.allow_subject_alt_names_passthrough - ): - print("Successfully updated the certificate template!") - return - - print("Error in updating certificate template!") - - -# [END privateca_update_certificate_template]