GoogleCloudPlatform · m-strzelczyk · Jan 25, 2023 · Jul 22, 2021 · Jul 28, 2021 · Jul 28, 2021
@@ -86,3 +86,4 @@
 /talent/**/*                           @GoogleCloudPlatform/python-samples-reviewers
 /vision/**/*                           @GoogleCloudPlatform/python-samples-reviewers
 /workflows/**/*                        @GoogleCloudPlatform/python-samples-reviewers
+/privateca/**/*                        @GoogleCloudPlatform/dee-infra @GoogleCloudPlatform/python-samples-reviewers
@@ -143,6 +143,7 @@ assign_issues_by:
   - 'api: kms'
   - 'api: cloudkms'
   - 'api: secretmanager'
+  - 'api: privateca'
   to:
   - GoogleCloudPlatform/dee-infra
 - labels:

@@ -0,0 +1,87 @@
+#!/usr/bin/env python
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START privateca_activate_subordinateca]
+import google.cloud.security.privateca_v1 as privateca_v1
+
+
+def activate_subordinate_ca(
+    project_id: str,
+    location: str,
+    ca_pool_name: str,
+    subordinate_ca_name: str,
+    pem_ca_certificate: str,
+    ca_name: str,
+) -> None:
+    """
+    Activate a subordinate Certificate Authority (CA).
+    *Prerequisite*: Get the Certificate Signing Resource (CSR) of the subordinate CA signed by another CA. Pass in the signed
+    certificate and (issuer CA's name or the issuer CA's Certificate chain).
+    *Post*: After activating the subordinate CA, it should be enabled before issuing certificates.
+    Args:
+        project_id: project ID or project number of the Cloud project you want to use.
+        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
+        ca_pool_name: set it to the CA Pool under which the CA should be created.
+        pem_ca_certificate: the signed certificate, obtained by signing the CSR.
+        subordinate_ca_name: the CA to be activated.
+        ca_name: The name of the certificate authority which signed the CSR.
+            If an external CA (CA not present in Google Cloud) was used for signing,
+            then use the CA's issuerCertificateChain.
+    """
+
+    ca_service_client = privateca_v1.CertificateAuthorityServiceClient()
+
+    subordinate_ca_path = ca_service_client.certificate_authority_path(
+        project_id, location, ca_pool_name, subordinate_ca_name
+    )
+    ca_path = ca_service_client.certificate_authority_path(
+        project_id, location, ca_pool_name, ca_name
+    )
+
+    # Set CA subordinate config.
+    subordinate_config = privateca_v1.SubordinateConfig(
+        # Follow one of the below methods:
+        # Method 1: If issuer CA is in Google Cloud, set the Certificate Authority Name.
+        certificate_authority=ca_path,
+        # Method 2: If issuer CA is external to Google Cloud, set the issuer's certificate chain.
+        # The certificate chain of the CA (which signed the CSR) from leaf to root.
+        # pem_issuer_chain=privateca_v1.SubordinateConfig.SubordinateConfigChain(
+        #     pem_certificates=issuer_certificate_chain,
+        # )
+    )
+
+    # Construct the "Activate CA Request".
+    request = privateca_v1.ActivateCertificateAuthorityRequest(
+        name=subordinate_ca_path,
+        # The signed certificate.
+        pem_ca_certificate=pem_ca_certificate,
+        subordinate_config=subordinate_config,
+    )
+
+    # Activate the CA
+    operation = ca_service_client.activate_certificate_authority(request=request)
+    result = operation.result()
+
+    print("Operation result:", result)
+
+    # The current state will be STAGED.
+    # The Subordinate CA has to be ENABLED before issuing certificates.
+    print(
+        f"Current state: {ca_service_client.get_certificate_authority(name=subordinate_ca_path).state}"
+    )
+
+
+# [END privateca_activate_subordinateca]
@@ -0,0 +1,83 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import uuid
+
+import google.auth
+import pytest
+
+from create_ca_pool import create_ca_pool
+from create_certificate_authority import create_certificate_authority
+from create_certificate_template import create_certificate_template
+from delete_ca_pool import delete_ca_pool
+from delete_certificate_authority import delete_certificate_authority
+from delete_certificate_template import delete_certificate_template
+
+PROJECT = google.auth.default()[1]
+LOCATION = "us-central1"
+COMMON_NAME = "COMMON_NAME"
+ORGANIZATION = "ORGANIZATION"
+CA_DURATION = 1000000
+
+
+def generate_name() -> str:
+    return "test-" + uuid.uuid4().hex[:10]
+
+
+@pytest.fixture
+def ca_pool():
+    CA_POOL_NAME = generate_name()
+
+    create_ca_pool(PROJECT, LOCATION, CA_POOL_NAME)
+
+    yield CA_POOL_NAME
+
+    delete_ca_pool(PROJECT, LOCATION, CA_POOL_NAME)
+
+
+@pytest.fixture
+def certificate_authority(ca_pool):
+    CA_NAME = generate_name()
+
+    create_certificate_authority(
+        PROJECT, LOCATION, ca_pool, CA_NAME, COMMON_NAME, ORGANIZATION, CA_DURATION
+    )
+
+    yield ca_pool, CA_NAME
+
+    delete_certificate_authority(PROJECT, LOCATION, ca_pool, CA_NAME)
+
+
+@pytest.fixture
+def deleted_certificate_authority(ca_pool):
+    CA_NAME = generate_name()
+
+    create_certificate_authority(
+        PROJECT, LOCATION, ca_pool, CA_NAME, COMMON_NAME, ORGANIZATION, CA_DURATION
+    )
+
+    delete_certificate_authority(PROJECT, LOCATION, ca_pool, CA_NAME)
+
+    yield ca_pool, CA_NAME
+
+
+@pytest.fixture
+def certificate_template():
+    TEMPLATE_NAME = generate_name()
+
+    create_certificate_template(PROJECT, LOCATION, TEMPLATE_NAME)
+
+    yield TEMPLATE_NAME
+
+    delete_certificate_template(PROJECT, LOCATION, TEMPLATE_NAME)
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START privateca_create_ca_pool]
+import google.cloud.security.privateca_v1 as privateca_v1
+
+
+def create_ca_pool(project_id: str, location: str, ca_pool_name: str) -> None:
+    """
+    Create a Certificate Authority pool. All certificates created under this CA pool will
+    follow the same issuance policy, IAM policies,etc.,
+
+    Args:
+        project_id: project ID or project number of the Cloud project you want to use.
+        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
+        ca_pool_name: a unique name for the ca pool.
+    """
+
+    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
+
+    ca_pool = privateca_v1.CaPool(
+        # Set the tier (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
+        tier=privateca_v1.CaPool.Tier.ENTERPRISE,
+    )
+    location_path = caServiceClient.common_location_path(project_id, location)
+
+    # Create the pool request.
+    request = privateca_v1.CreateCaPoolRequest(
+        parent=location_path,
+        ca_pool_id=ca_pool_name,
+        ca_pool=ca_pool,
+    )
+
+    # Create the CA pool.
+    operation = caServiceClient.create_ca_pool(request=request)
+
+    print("Operation result:", operation.result())
+
+
+# [END privateca_create_ca_pool]
@@ -0,0 +1,102 @@
+#!/usr/bin/env python
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# [START privateca_create_certificate]
+import google.cloud.security.privateca_v1 as privateca_v1
+from google.protobuf import duration_pb2
+
+
+def create_certificate(
+    project_id: str,
+    location: str,
+    ca_pool_name: str,
+    ca_name: str,
+    certificate_name: str,
+    common_name: str,
+    domain_name: str,
+    certificate_lifetime: int,
+    public_key_bytes: bytes,
+) -> None:
+    """
+    Create a Certificate which is issued by the Certificate Authority present in the CA Pool.
+    The key used to sign the certificate is created by the Cloud KMS.
+
+    Args:
+        project_id: project ID or project number of the Cloud project you want to use.
+        location: location you want to use. For a list of locations, see: https://cloud.google.com/certificate-authority-service/docs/locations.
+        ca_pool_name: set a unique name for the CA pool.
+        ca_name: the name of the certificate authority which issues the certificate.
+        certificate_name: set a unique name for the certificate.
+        common_name: a title for your certificate.
+        domain_name: fully qualified domain name for your certificate.
+        certificate_lifetime: the validity of the certificate in seconds.
+        public_key_bytes: public key used in signing the certificates.
+    """
+
+    caServiceClient = privateca_v1.CertificateAuthorityServiceClient()
+
+    # The public key used to sign the certificate can be generated using any crypto library/framework.
+    # Also you can use Cloud KMS to retrieve an already created public key.
+    # For more info, see: https://cloud.google.com/kms/docs/retrieve-public-key.
+
+    # Set the Public Key and its format.
+    public_key = privateca_v1.PublicKey(
+        key=public_key_bytes,
+        format_=privateca_v1.PublicKey.KeyFormat.PEM,
+    )
+
+    subject_config = privateca_v1.CertificateConfig.SubjectConfig(
+        subject=privateca_v1.Subject(common_name=common_name),
+        subject_alt_name=privateca_v1.SubjectAltNames(dns_names=[domain_name]),
+    )
+
+    # Set the X.509 fields required for the certificate.
+    x509_parameters = privateca_v1.X509Parameters(
+        key_usage=privateca_v1.KeyUsage(
+            base_key_usage=privateca_v1.KeyUsage.KeyUsageOptions(
+                digital_signature=True,
+                key_encipherment=True,
+            ),
+            extended_key_usage=privateca_v1.KeyUsage.ExtendedKeyUsageOptions(
+                server_auth=True,
+                client_auth=True,
+            ),
+        ),
+    )
+
+    # Create certificate.
+    certificate = privateca_v1.Certificate(
+        config=privateca_v1.CertificateConfig(
+            public_key=public_key,
+            subject_config=subject_config,
+            x509_config=x509_parameters,
+        ),
+        lifetime=duration_pb2.Duration(seconds=certificate_lifetime),
+    )
+
+    # Create the Certificate Request.
+    request = privateca_v1.CreateCertificateRequest(
+        parent=caServiceClient.ca_pool_path(project_id, location, ca_pool_name),
+        certificate_id=certificate_name,
+        certificate=certificate,
+        issuing_certificate_authority_id=ca_name,
+    )
+    result = caServiceClient.create_certificate(request=request)
+
+    print("Certificate creation result:", result)
+
+
+# [END privateca_create_certificate]