diff --git a/privateca/cloud-client/src/main/java/privateca/MonitorCertificateAuthority.java b/privateca/cloud-client/src/main/java/privateca/MonitorCertificateAuthority.java
new file mode 100644
index 00000000000..f34f8800698
--- /dev/null
+++ b/privateca/cloud-client/src/main/java/privateca/MonitorCertificateAuthority.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_monitor_ca_expiry]
+
+import com.google.cloud.monitoring.v3.AlertPolicyServiceClient;
+import com.google.cloud.monitoring.v3.NotificationChannelServiceClient;
+import com.google.monitoring.v3.AlertPolicy;
+import com.google.monitoring.v3.AlertPolicy.Condition;
+import com.google.monitoring.v3.AlertPolicy.Condition.MonitoringQueryLanguageCondition;
+import com.google.monitoring.v3.AlertPolicy.ConditionCombinerType;
+import com.google.monitoring.v3.NotificationChannel;
+import com.google.monitoring.v3.ProjectName;
+import java.io.IOException;
+
+public class MonitorCertificateAuthority {
+
+ public static void main(String[] args) throws IOException {
+ // TODO(developer): Replace these variables before running the sample.
+ String project = "your-project-id";
+ createCaMonitoringPolicy(project);
+ }
+
+ // Creates a monitoring policy that notifies you 30 days before a managed CA expires.
+ public static void createCaMonitoringPolicy(String project) throws IOException {
+ /* Initialize client that will be used to send requests. This client only needs to be created
+ once, and can be reused for multiple requests. After completing all of your requests, call
+ the `client.close()` method on the client to safely
+ clean up any remaining background resources. 
*/
+ try (AlertPolicyServiceClient client = AlertPolicyServiceClient.create();
+ NotificationChannelServiceClient notificationClient =
+ NotificationChannelServiceClient.create()) {
+
+ String policyName = "policy-name";
+
+ /* Query which indicates the resource to monitor and the constraints.
+ Here, the alert policy notifies you 30 days before a managed CA expires.
+ For more info on creating queries, see: https://cloud.google.com/monitoring/mql/alerts */
+ String query =
+ "fetch privateca.googleapis.com/CertificateAuthority"
+ + "| metric 'privateca.googleapis.com/ca/cert_chain_expiration'"
+ + "| group_by 5m,"
+ + "[value_cert_chain_expiration_mean: mean(value.cert_chain_expiration)]"
+ + "| every 5m"
+ + "| condition val() < 2.592e+06 's'";
+
+ // Create a notification channel.
+ NotificationChannel notificationChannel =
+ NotificationChannel.newBuilder()
+ .setType("email")
+ .putLabels("email_address", "java-docs-samples-testing@google.com")
+ .build();
+ NotificationChannel channel =
+ notificationClient.createNotificationChannel(
+ ProjectName.of(project), notificationChannel);
+
+ // Set the query and notification channel.
+ AlertPolicy alertPolicy =
+ AlertPolicy.newBuilder()
+ .setDisplayName(policyName)
+ .addConditions(
+ Condition.newBuilder()
+ .setDisplayName("ca-cert-chain-expiration")
+ .setConditionMonitoringQueryLanguage(
+ MonitoringQueryLanguageCondition.newBuilder().setQuery(query).build())
+ .build())
+ .setCombiner(ConditionCombinerType.AND)
+ .addNotificationChannels(channel.getName())
+ .build();
+
+ AlertPolicy policy = client.createAlertPolicy(ProjectName.of(project), alertPolicy);
+
+ System.out.println("Monitoring policy successfully created !" + policy.getName());
+ }
+ }
+}
+// [END privateca_monitor_ca_expiry]
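Review bot: The notification channel in `createCaMonitoringPolicy` is built with a fixed recipient, `.putLabels("email_address", "java-docs-samples-testing@google.com")`, and that line sits inside the `privateca_monitor_ca_expiry` region tag, so anyone who copies the published sample sends their CA-expiry alerts to a mailbox they do not control and may never see the warning. Take the address (and the hard-coded `policyName`) as method parameters listed under the TODO(developer) block in `main`, e.g. `.putLabels("email_address", notificationEmail)`. The method also calls `createNotificationChannel` and `createAlertPolicy` unconditionally, so each rerun appears to add another channel and policy; a comment saying so, or reuse of an existing channel, would help readers avoid duplicate alerts.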
diff --git a/privateca/cloud-client/src/main/java/privateca/UpdateCertificateAuthority.java b/privateca/cloud-client/src/main/java/privateca/UpdateCertificateAuthority.java
new file mode 100644
index 00000000000..b4953910d03
--- /dev/null
+++ b/privateca/cloud-client/src/main/java/privateca/UpdateCertificateAuthority.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_update_ca_label]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CertificateAuthority;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.UpdateCertificateAuthorityRequest;
+import com.google.longrunning.Operation;
+import com.google.protobuf.FieldMask;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+public class UpdateCertificateAuthority {
+
+ public static void main(String[] args)
+ throws IOException, ExecutionException, InterruptedException, TimeoutException {
+ // TODO(developer): Replace these variables before running the sample.
+ // location: For a list of locations, see:
+ // https://cloud.google.com/certificate-authority-service/docs/locations
+ // pool_Id: Set it to the CA Pool under which the CA should be created.
+ // certificateAuthorityName: Unique name for the CA.
+ String project = "your-project-id";
+ String location = "ca-location";
+ String pool_Id = "ca-pool-id";
+ String certificateAuthorityName = "certificate-authority-name";
+
+ updateCaLabel(project, location, pool_Id, certificateAuthorityName);
+ }
+
+ // Updates the labels in a certificate authority.
+ public static void updateCaLabel(
+ String project, String location, String pool_Id, String certificateAuthorityName)
+ throws IOException, ExecutionException, InterruptedException, TimeoutException {
+ /* Initialize client that will be used to send requests. This client only needs to be created
+ once, and can be reused for multiple requests. After completing all of your requests, call
+ the `certificateAuthorityServiceClient.close()` method on the client to safely
+ clean up any remaining background resources. */
+ try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+ CertificateAuthorityServiceClient.create()) {
+
+ // Set the parent path and the new labels.
+ String certificateAuthorityParent =
+ CertificateAuthorityName.of(project, location, pool_Id, certificateAuthorityName)
+ .toString();
+ CertificateAuthority certificateAuthority =
+ CertificateAuthority.newBuilder()
+ .setName(certificateAuthorityParent)
+ .putLabels("env", "test")
+ .build();
+
+ // Create a request to update the CA.
+ UpdateCertificateAuthorityRequest request =
+ UpdateCertificateAuthorityRequest.newBuilder()
+ .setCertificateAuthority(certificateAuthority)
+ .setUpdateMask(FieldMask.newBuilder().addPaths("labels").build())
+ .build();
+
+ // Update the CA and wait for the operation to complete.
+ ApiFuture futureCall =
+ certificateAuthorityServiceClient
+ .updateCertificateAuthorityCallable()
+ .futureCall(request);
+ Operation operation = futureCall.get(60, TimeUnit.SECONDS);
+
+ // Check for errors.
+ if (operation.hasError()) {
+ System.out.println("Error in updating labels ! 
" + operation.getError()); + } + + // Get the updated CA and check if it contains the new label. + CertificateAuthority response = + certificateAuthorityServiceClient.getCertificateAuthority(certificateAuthorityParent); + if (response.getLabelsMap().containsKey("env") + && response.getLabelsMap().get("env").equalsIgnoreCase("test")) { + System.out.println("Successfully updated the labels ! "); + } + } + } +} +// [END privateca_update_ca_label] diff --git a/privateca/cloud-client/src/test/java/privateca/SnippetsIT.java b/privateca/cloud-client/src/test/java/privateca/SnippetsIT.java index d907faa388c..4b6ecf35f25 100644 --- a/privateca/cloud-client/src/test/java/privateca/SnippetsIT.java +++ b/privateca/cloud-client/src/test/java/privateca/SnippetsIT.java @@ -320,6 +320,19 @@ public void testListCertificateAuthorities() throws IOException { assertThat(stdOut.toString()).contains(CA_NAME); } + @Test + public void testUpdateCertificateAuthority() + throws IOException, ExecutionException, InterruptedException, TimeoutException { + privateca.UpdateCertificateAuthority.updateCaLabel(PROJECT_ID, LOCATION, CA_POOL_ID, CA_NAME); + assertThat(stdOut.toString()).contains("Successfully updated the labels ! "); + } + + @Test + public void testMonitorCertificateAuthority() throws IOException, InterruptedException { + privateca.MonitorCertificateAuthority.createCaMonitoringPolicy(PROJECT_ID); + assertThat(stdOut.toString()).contains("Monitoring policy successfully created !"); + } + @Test public void testEnableDisableCertificateAuthority() throws InterruptedException, ExecutionException, IOException { diff --git a/privateca/pom.xml b/privateca/pom.xml index 819f35d807b..c3828d5d464 100644 --- a/privateca/pom.xml +++ b/privateca/pom.xml @@ -63,6 +63,10 @@ com.google.cloud google-cloud-kms + + com.google.cloud + google-cloud-monitoring + junit
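Review bot: The `operation.hasError()` branch in `updateCaLabel` only prints and then falls through to the read-back, and because the label is the constant `env`/`test`, a CA that already carries it from an earlier run would still print "Successfully updated the labels ! " after a failed update. Leave the method from the error branch, e.g. add `return;` after the error `println` (or throw), and print a failure message when the read-back does not match. Separately, `updateCertificateAuthorityCallable().futureCall(request)` resolves to the raw long-running `Operation`, which may still be pending when `get` returns, so the comment "wait for the operation to complete" looks inaccurate; `updateCertificateAuthorityAsync(request).get(60, TimeUnit.SECONDS)` would wait for the updated CA itself.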
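Review bot: `testMonitorCertificateAuthority` creates a notification channel and an alert policy in the test project on every run, and nothing in this hunk removes them; `createCaMonitoringPolicy` returns `void`, so the test has no resource name to delete with. Unless teardown elsewhere in the class (outside this hunk) covers it, the policies will accumulate and keep alerting the address hard-coded in the sample. Having the sample return the created `AlertPolicy` would let the test finish with `deleteAlertPolicy(policy.getName())` and remove the channel as well. `testUpdateCertificateAuthority` has a related weakness: its assertion on "Successfully updated the labels ! " can pass on a label left by an earlier run if `CA_NAME` is reused, so it does not prove the update call succeeded.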