docs(samples): added samples for issuance policy and certificate temp…

…lates (#264) * docs(samples): init commit - set issuance policy * docs(samples): added certificate template CRUD samples * refactor(samples): modified the samples for test coherence * test(samples): Added tests for issuance policy and certificate templates. * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * refactor(samples): included filter condition and comments * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * refactor(samples): included review comments * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
googleapis · Sep 14, 2021 · e79724d · e79724d
1 parent fa2df57
commit e79724d
Show file tree

Hide file tree

Showing 10 changed files with 624 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -80,18 +80,23 @@ Samples are in the [`samples/`](https://github.com/googleapis/java-security-priv
 | Create Ca Pool | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCaPool.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCaPool.java) |
 | Create Certificate | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java) |
 | Create Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateAuthority.java) |
+| Create Certificate Template | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java) |
 | Create Certificate_CSR | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate_CSR.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate_CSR.java) |
 | Create Subordinate Ca | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java) |
 | Delete Ca Pool | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/DeleteCaPool.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/DeleteCaPool.java) |
 | Delete Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateAuthority.java) |
+| Delete Certificate Template | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java) |
 | Disable Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/DisableCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/DisableCertificateAuthority.java) |
 | Enable Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/EnableCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/EnableCertificateAuthority.java) |
 | Filter Certificates | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/FilterCertificates.java) |
 | List Ca Pools | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/ListCaPools.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/ListCaPools.java) |
 | List Certificate Authorities | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateAuthorities.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/ListCertificateAuthorities.java) |
+| List Certificate Templates | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/ListCertificateTemplates.java) |
 | List Certificates | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/ListCertificates.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/ListCertificates.java) |
 | Revoke Certificate | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/RevokeCertificate.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/RevokeCertificate.java) |
 | Undelete Certificate Authority | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/UndeleteCertificateAuthority.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/UndeleteCertificateAuthority.java) |
+| Update Ca Pool_Issuance Policy | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/UpdateCaPool_IssuancePolicy.java) |
+| Update Certificate Template | [source code](https://github.com/googleapis/java-security-private-ca/blob/master/samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java) | [![Open in Cloud Shell][shell_img]](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/googleapis/java-security-private-ca&page=editor&open_in_editor=samples/snippets/cloud-client/src/main/java/privateca/UpdateCertificateTemplate.java) |
 
 
 

diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificate.java
@@ -85,7 +85,7 @@ public static void createCertificate(
       // certificateLifetime: The validity of the certificate in seconds.
       String commonName = "common-name";
       String orgName = "org-name";
-      String domainName = "dnsname.com";
+      String domainName = "dns.your-domain.com";
       long certificateLifetime = 1000L;
 
       // Set the Public Key and its format.

diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java
@@ -0,0 +1,121 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_create_certificate_template]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints;
+import com.google.cloud.security.privateca.v1.CertificateTemplate;
+import com.google.cloud.security.privateca.v1.CreateCertificateTemplateRequest;
+import com.google.cloud.security.privateca.v1.KeyUsage;
+import com.google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions;
+import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
+import com.google.cloud.security.privateca.v1.LocationName;
+import com.google.cloud.security.privateca.v1.X509Parameters;
+import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
+import com.google.longrunning.Operation;
+import com.google.type.Expr;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+public class CreateCertificateTemplate {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* TODO(developer): Replace these variables before running the sample.
+    location: For a list of locations, see:
+    https://cloud.google.com/certificate-authority-service/docs/locations */
+    String project = "your-project-id";
+    String location = "ca-location";
+    String certificateTemplateId = "certificate-template-id";
+
+    createCertificateTemplate(project, location, certificateTemplateId);
+  }
+
+  /* Creates a Certificate template. These templates can be reused for common
+  certificate issuance scenarios. */
+  public static void createCertificateTemplate(
+      String project, String location, String certificateTemplateId)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* Initialize client that will be used to send requests. This client only needs to be created
+    once, and can be reused for multiple requests. After completing all of your requests, call
+    the `certificateAuthorityServiceClient.close()` method on the client to safely
+    clean up any remaining background resources. */
+    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+        CertificateAuthorityServiceClient.create()) {
+
+      /* Describes any predefined X.509 values set by this template.
+      The provided extensions are copied over to certificate requests that use this template.*/
+      KeyUsage keyUsage =
+          KeyUsage.newBuilder()
+              .setBaseKeyUsage(
+                  KeyUsageOptions.newBuilder()
+                      .setDigitalSignature(true)
+                      .setKeyEncipherment(true)
+                      .build())
+              .setExtendedKeyUsage(ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build())
+              .build();
+
+      CaOptions caOptions = CaOptions.newBuilder().setIsCa(false).build();
+
+      /* CEL expression that is evaluated against the Subject and
+      Subject Alternative Name of the certificate before it is issued. */
+      Expr expr =
+          Expr.newBuilder().setExpression("subject_alt_names.all(san, san.type == DNS)").build();
+
+      // Set the certificate issuance schema.
+      CertificateTemplate certificateTemplate =
+          CertificateTemplate.newBuilder()
+              .setPredefinedValues(
+                  X509Parameters.newBuilder().setKeyUsage(keyUsage).setCaOptions(caOptions).build())
+              .setIdentityConstraints(
+                  CertificateIdentityConstraints.newBuilder()
+                      .setCelExpression(expr)
+                      .setAllowSubjectPassthrough(false)
+                      .setAllowSubjectAltNamesPassthrough(false)
+                      .build())
+              .build();
+
+      // Set the parent and certificate template properties.
+      CreateCertificateTemplateRequest certificateTemplateRequest =
+          CreateCertificateTemplateRequest.newBuilder()
+              .setParent(LocationName.of(project, location).toString())
+              .setCertificateTemplate(certificateTemplate)
+              .setCertificateTemplateId(certificateTemplateId)
+              .build();
+
+      // Create Template request.
+      ApiFuture<Operation> futureCall =
+          certificateAuthorityServiceClient
+              .createCertificateTemplateCallable()
+              .futureCall(certificateTemplateRequest);
+
+      Operation response = futureCall.get(60, TimeUnit.SECONDS);
+
+      if (response.hasError()) {
+        System.out.println("Error creating certificate template ! " + response.getError());
+        return;
+      }
+
+      System.out.println("Successfully created certificate template ! " + response.getName());
+    }
+  }
+}
+// [END privateca_create_certificate_template]
diff --git a/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java b/samples/snippets/cloud-client/src/main/java/privateca/CreateSubordinateCa.java
@@ -29,6 +29,7 @@
 import com.google.cloud.security.privateca.v1.KeyUsage;
 import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
 import com.google.cloud.security.privateca.v1.Subject;
+import com.google.cloud.security.privateca.v1.SubjectAltNames;
 import com.google.cloud.security.privateca.v1.X509Parameters;
 import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
 import com.google.longrunning.Operation;
@@ -65,6 +66,7 @@ public static void createSubordinateCertificateAuthority(
 
       String commonName = "common-name";
       String orgName = "csr-org-name";
+      String domainName = "dns.your-domain.com";
       int caDuration = 100000; // Validity of this CA in seconds.
 
       // Set the type of Algorithm.
@@ -76,6 +78,8 @@ public static void createSubordinateCertificateAuthority(
           SubjectConfig.newBuilder()
               .setSubject(
                   Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
+              // Set the fully qualified domain name.
+              .setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build())
               .build();
 
       //  Set the key usage options for X.509 fields.

diff --git a/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java b/samples/snippets/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_delete_certificate_template]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.CertificateTemplateName;
+import com.google.cloud.security.privateca.v1.DeleteCertificateTemplateRequest;
+import com.google.longrunning.Operation;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+public class DeleteCertificateTemplate {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* TODO(developer): Replace these variables before running the sample.
+    location: For a list of locations, see:
+    https://cloud.google.com/certificate-authority-service/docs/locations
+    certificateTemplateId: Id of the certificate template to delete. */
+    String project = "your-project-id";
+    String location = "ca-location";
+    String certificateTemplateId = "certificate-template-id";
+
+    deleteCertificateTemplate(project, location, certificateTemplateId);
+  }
+
+  // Deletes the certificate template present in the given project and location.
+  public static void deleteCertificateTemplate(
+      String project, String location, String certificateTemplateId)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* Initialize client that will be used to send requests. This client only needs to be created
+    once, and can be reused for multiple requests. After completing all of your requests, call
+    the `certificateAuthorityServiceClient.close()` method on the client to safely
+    clean up any remaining background resources. */
+    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+        CertificateAuthorityServiceClient.create()) {
+
+      // Set the parent name of the certificate template to be deleted.
+      DeleteCertificateTemplateRequest request =
+          DeleteCertificateTemplateRequest.newBuilder()
+              .setName(
+                  CertificateTemplateName.of(project, location, certificateTemplateId).toString())
+              .build();
+
+      ApiFuture<Operation> futureCall =
+          certificateAuthorityServiceClient.deleteCertificateTemplateCallable().futureCall(request);
+
+      Operation response = futureCall.get(60, TimeUnit.SECONDS);
+
+      // Check for errors.
+      if (response.hasError()) {
+        System.out.println("Error deleting the certificate template ! " + response.getError());
+        return;
+      }
+
+      System.out.println("Successfully created certificate template ! " + response.getName());
+    }
+  }
+}
+// [END privateca_delete_certificate_template]