Skip to content

Commit

Permalink
docs(samples): added samples and tests for updating and monitoring CA (
Browse files Browse the repository at this point in the history
…#274)

* docs(samples): added samples and tests for updating and monitoring CA

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* docs(samples): added review comments

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
  • Loading branch information
Sita04 and gcf-owl-bot[bot] committed Jan 17, 2023
1 parent ff2799e commit 9344d74
Show file tree
Hide file tree
Showing 4 changed files with 207 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
/*
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package privateca;

// [START privateca_monitor_ca_expiry]

import com.google.cloud.monitoring.v3.AlertPolicyServiceClient;
import com.google.cloud.monitoring.v3.NotificationChannelServiceClient;
import com.google.monitoring.v3.AlertPolicy;
import com.google.monitoring.v3.AlertPolicy.Condition;
import com.google.monitoring.v3.AlertPolicy.Condition.MonitoringQueryLanguageCondition;
import com.google.monitoring.v3.AlertPolicy.ConditionCombinerType;
import com.google.monitoring.v3.NotificationChannel;
import com.google.monitoring.v3.ProjectName;
import java.io.IOException;

public class MonitorCertificateAuthority {

public static void main(String[] args) throws IOException {
// TODO(developer): Replace these variables before running the sample.
String project = "your-project-id";
createCaMonitoringPolicy(project);
}

// Creates a monitoring policy that notifies you 30 days before a managed CA expires.
public static void createCaMonitoringPolicy(String project) throws IOException {
/* Initialize client that will be used to send requests. This client only needs to be created
once, and can be reused for multiple requests. After completing all of your requests, call
the `client.close()` method on the client to safely
clean up any remaining background resources. */
try (AlertPolicyServiceClient client = AlertPolicyServiceClient.create();
NotificationChannelServiceClient notificationClient =
NotificationChannelServiceClient.create()) {

String policyName = "policy-name";

/* Query which indicates the resource to monitor and the constraints.
Here, the alert policy notifies you 30 days before a managed CA expires.
For more info on creating queries, see: https://cloud.google.com/monitoring/mql/alerts */
String query =
"fetch privateca.googleapis.com/CertificateAuthority"
+ "| metric 'privateca.googleapis.com/ca/cert_chain_expiration'"
+ "| group_by 5m,"
+ "[value_cert_chain_expiration_mean: mean(value.cert_chain_expiration)]"
+ "| every 5m"
+ "| condition val() < 2.592e+06 's'";

// Create a notification channel.
NotificationChannel notificationChannel =
NotificationChannel.newBuilder()
.setType("email")
.putLabels("email_address", "[email protected]")
.build();
NotificationChannel channel =
notificationClient.createNotificationChannel(
ProjectName.of(project), notificationChannel);

// Set the query and notification channel.
AlertPolicy alertPolicy =
AlertPolicy.newBuilder()
.setDisplayName(policyName)
.addConditions(
Condition.newBuilder()
.setDisplayName("ca-cert-chain-expiration")
.setConditionMonitoringQueryLanguage(
MonitoringQueryLanguageCondition.newBuilder().setQuery(query).build())
.build())
.setCombiner(ConditionCombinerType.AND)
.addNotificationChannels(channel.getName())
.build();

AlertPolicy policy = client.createAlertPolicy(ProjectName.of(project), alertPolicy);

System.out.println("Monitoring policy successfully created !" + policy.getName());
}
}
}
// [END privateca_monitor_ca_expiry]
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
/*
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package privateca;

// [START privateca_update_ca_label]

import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.CertificateAuthority;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.UpdateCertificateAuthorityRequest;
import com.google.longrunning.Operation;
import com.google.protobuf.FieldMask;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class UpdateCertificateAuthority {

public static void main(String[] args)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
// TODO(developer): Replace these variables before running the sample.
// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// pool_Id: Set it to the CA Pool under which the CA should be created.
// certificateAuthorityName: Unique name for the CA.
String project = "your-project-id";
String location = "ca-location";
String pool_Id = "ca-pool-id";
String certificateAuthorityName = "certificate-authority-name";

updateCaLabel(project, location, pool_Id, certificateAuthorityName);
}

// Updates the labels in a certificate authority.
public static void updateCaLabel(
String project, String location, String pool_Id, String certificateAuthorityName)
throws IOException, ExecutionException, InterruptedException, TimeoutException {
/* Initialize client that will be used to send requests. This client only needs to be created
once, and can be reused for multiple requests. After completing all of your requests, call
the `certificateAuthorityServiceClient.close()` method on the client to safely
clean up any remaining background resources. */
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {

// Set the parent path and the new labels.
String certificateAuthorityParent =
CertificateAuthorityName.of(project, location, pool_Id, certificateAuthorityName)
.toString();
CertificateAuthority certificateAuthority =
CertificateAuthority.newBuilder()
.setName(certificateAuthorityParent)
.putLabels("env", "test")
.build();

// Create a request to update the CA.
UpdateCertificateAuthorityRequest request =
UpdateCertificateAuthorityRequest.newBuilder()
.setCertificateAuthority(certificateAuthority)
.setUpdateMask(FieldMask.newBuilder().addPaths("labels").build())
.build();

// Update the CA and wait for the operation to complete.
ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient
.updateCertificateAuthorityCallable()
.futureCall(request);
Operation operation = futureCall.get(60, TimeUnit.SECONDS);

// Check for errors.
if (operation.hasError()) {
System.out.println("Error in updating labels ! " + operation.getError());
}

// Get the updated CA and check if it contains the new label.
CertificateAuthority response =
certificateAuthorityServiceClient.getCertificateAuthority(certificateAuthorityParent);
if (response.getLabelsMap().containsKey("env")
&& response.getLabelsMap().get("env").equalsIgnoreCase("test")) {
System.out.println("Successfully updated the labels ! ");
}
}
}
}
// [END privateca_update_ca_label]
13 changes: 13 additions & 0 deletions privateca/cloud-client/src/test/java/privateca/SnippetsIT.java
Original file line number Diff line number Diff line change
Expand Up @@ -320,6 +320,19 @@ public void testListCertificateAuthorities() throws IOException {
assertThat(stdOut.toString()).contains(CA_NAME);
}

@Test
public void testUpdateCertificateAuthority()
throws IOException, ExecutionException, InterruptedException, TimeoutException {
privateca.UpdateCertificateAuthority.updateCaLabel(PROJECT_ID, LOCATION, CA_POOL_ID, CA_NAME);
assertThat(stdOut.toString()).contains("Successfully updated the labels ! ");
}

@Test
public void testMonitorCertificateAuthority() throws IOException, InterruptedException {
privateca.MonitorCertificateAuthority.createCaMonitoringPolicy(PROJECT_ID);
assertThat(stdOut.toString()).contains("Monitoring policy successfully created !");
}

@Test
public void testEnableDisableCertificateAuthority()
throws InterruptedException, ExecutionException, IOException {
Expand Down
4 changes: 4 additions & 0 deletions privateca/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,10 @@
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-kms</artifactId>
</dependency>
<dependency>
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-monitoring</artifactId>
</dependency>

<dependency>
<groupId>junit</groupId>
Expand Down

0 comments on commit 9344d74

Please sign in to comment.