chore: migrate code from googleapis/java-security-private-ca #7413

Merged
merged 81 commits into from
Jan 17, 2023
Changes from 76 commits
Commits
53419ec
feat: initial code generation
chingor13 Sep 11, 2020
ff56576
chore: rename artifact to google-cloud-security-private-ca (#8)
chingor13 Sep 15, 2020
09ad9e4
chore(deps): update dependency com.google.cloud.samples:shared-config…
renovate-bot Oct 2, 2020
d9f8cd3
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Oct 8, 2020
fe1c90c
test(deps): update dependency junit:junit to v4.13.1
renovate-bot Oct 12, 2020
9567ced
deps: update dependency com.google.truth:truth to v1.1 (#50)
renovate-bot Oct 22, 2020
b9f58fb
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Oct 22, 2020
41a7d02
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Nov 2, 2020
2de90c1
test(deps): update dependency com.google.truth:truth to v1.1.2 (#104)
renovate-bot Jan 25, 2021
c52e240
test(deps): update dependency junit:junit to v4.13.2 (#119)
renovate-bot Feb 16, 2021
210830b
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Feb 24, 2021
af6132a
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Feb 25, 2021
ed4a697
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Feb 26, 2021
ae9c953
chore(deps): update dependency com.google.cloud.samples:shared-config…
renovate-bot Apr 9, 2021
7b4dc76
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Apr 19, 2021
da3934b
test(deps): update dependency com.google.truth:truth to v1.1.3 (#182)
renovate-bot May 26, 2021
241a764
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot May 31, 2021
c134de0
chore(deps): update dependency com.google.cloud.samples:shared-config…
renovate-bot Jun 7, 2021
23a28ef
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Jun 17, 2021
ddaccef
feat: add client code samples (#203)
Jun 30, 2021
50d1d74
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Jul 7, 2021
cbb836f
chore(deps): update dependency com.google.cloud:libraries-bom to v20.…
renovate-bot Jul 9, 2021
24005cb
chore(deps): update dependency com.google.cloud:libraries-bom to v20.…
renovate-bot Jul 27, 2021
618b17e
fix: changed the crypto public key provider to Bouncy Castle (#223)
Sita04 Aug 3, 2021
352439d
docs: client sample docs update (#219)
Sita04 Aug 3, 2021
2bbb7de
deps: update dependency org.bouncycastle:bcpkix-jdk15on to v1.69 (#234)
renovate-bot Aug 10, 2021
cd315df
chore(deps): update dependency com.google.cloud:libraries-bom to v21 …
renovate-bot Aug 19, 2021
790977a
chore(deps): update dependency com.google.cloud:libraries-bom to v22 …
renovate-bot Aug 27, 2021
b9638af
docs(samples): adding client library samples (#242)
Sita04 Aug 27, 2021
e4033ad
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Aug 31, 2021
6606d80
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Sep 1, 2021
3b3eded
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Sep 2, 2021
c2129ae
chore(deps): update dependency com.google.cloud:libraries-bom to v23 …
renovate-bot Sep 13, 2021
aab5bb5
docs(samples): added samples for issuance policy and certificate temp…
Sita04 Sep 14, 2021
4883026
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Sep 20, 2021
74776a2
docs(samples): added samples and tests for updating and monitoring CA…
Sita04 Sep 21, 2021
8ef0581
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Sep 27, 2021
033513e
chore(deps): update dependency com.google.cloud:libraries-bom to v23.…
renovate-bot Oct 1, 2021
ed417cb
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Oct 21, 2021
692edc4
chore(deps): update dependency com.google.cloud:libraries-bom to v24 …
renovate-bot Oct 27, 2021
da96b5b
deps: update dependency org.bouncycastle:bcpkix-jdk15on to v1.70 (#320)
renovate-bot Dec 6, 2021
91a23e4
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Dec 6, 2021
6333941
chore(deps): update dependency com.google.cloud.samples:shared-config…
renovate-bot Dec 6, 2021
e8c7506
chore(deps): update dependency com.google.cloud:libraries-bom to v24.…
renovate-bot Dec 8, 2021
27c1fcf
chore(deps): update dependency com.google.cloud:libraries-bom to v24.…
renovate-bot Dec 28, 2021
b5ebac3
chore(deps): update dependency com.google.cloud:libraries-bom to v24.…
renovate-bot Jan 7, 2022
b7c92ef
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Jan 17, 2022
13c89d0
chore(deps): update dependency com.google.cloud:libraries-bom to v24.…
renovate-bot Jan 18, 2022
59b8db4
chore(deps): update dependency com.google.cloud:libraries-bom to v24.…
renovate-bot Feb 8, 2022
0546e72
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Mar 1, 2022
d0542ce
chore(deps): update dependency com.google.cloud:libraries-bom to v24.…
renovate-bot Mar 3, 2022
c9f4001
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Mar 8, 2022
52ecb61
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Mar 14, 2022
327c628
chore(deps): update dependency com.google.cloud:libraries-bom to v25 …
renovate-bot Mar 14, 2022
197a68b
chore(deps): update dependency com.google.cloud:libraries-bom to v25.…
renovate-bot Apr 1, 2022
4c3e631
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Apr 1, 2022
49ee6a1
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Apr 18, 2022
66c8db8
chore(deps): update dependency com.google.cloud:libraries-bom to v25.…
renovate-bot Apr 27, 2022
c756bff
chore(deps): update dependency com.google.cloud:libraries-bom to v25.…
renovate-bot May 16, 2022
4e886df
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot May 25, 2022
ff12714
chore(deps): update dependency com.google.cloud:libraries-bom to v25.…
renovate-bot Jul 11, 2022
e47f7f4
chore(deps): update dependency com.google.cloud:libraries-bom to v26 …
renovate-bot Jul 14, 2022
6be65a3
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Jul 14, 2022
fd4a24f
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Aug 16, 2022
626e37e
chore(deps): update dependency com.google.cloud:libraries-bom to v26.…
renovate-bot Aug 16, 2022
e27071c
chore(deps): update dependency com.google.cloud:libraries-bom to v26.…
renovate-bot Aug 31, 2022
e790d66
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Sep 9, 2022
35a1d80
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Sep 20, 2022
6dd4491
chore(deps): update dependency com.google.cloud:libraries-bom to v26.…
renovate-bot Sep 20, 2022
9081b43
chore(deps): update dependency com.google.cloud:google-cloud-security…
renovate-bot Oct 6, 2022
17bd4e5
chore(deps): update dependency com.google.cloud:libraries-bom to v26.…
renovate-bot Oct 7, 2022
265f7f9
Merge remote-tracking branch 'migration/main' into java-security-priv…
Sita04 Nov 11, 2022
a85d82f
update readme to reference java docs samples repository
Sita04 Nov 11, 2022
0c88644
update readme
Sita04 Nov 11, 2022
4c6c294
moved the samples to snippets/ folder
Sita04 Nov 11, 2022
77a96dc
moved pom file
Sita04 Nov 11, 2022
bd99ca3
change names to match issuance policy
Sita04 Nov 17, 2022
1241449
Update pom.xml
Sita04 Nov 18, 2022
1604e5b
update code to fix test failure (issuance policy)
Sita04 Jan 17, 2023
8c8b544
lint fix
Sita04 Jan 17, 2023
14e4653
lint fix
Sita04 Jan 17, 2023
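--- a/privateca/snippets/README.md
+++ b/privateca/snippets/README.md
@@ -0,0 +1,75 @@
+# Google Cloud Private Certificate Authority Service
+
+<a href="https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/java-docs-samples&page=editor&open_in_editor=privateca/snippets/README.md">
+<img alt="Open in Cloud Shell" src ="http://gstatic.com/cloudssh/images/open-btn.png"></a>
+
+Google [Cloud Private Certificate Authority Service](https://cloud.google.com/certificate-authority-service) is a highly available, scalable Google Cloud service that enables you to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CA).
+
+These sample Java applications demonstrate how to access the Cloud CA API using the
+Google Java API Client Libraries.
+
+## Prerequisites
+
+### Google Cloud Project
+
+Set up a Google Cloud project with billing enabled.
+
+### Enable the API
+
+You must [enable the Google Private Certificate Authority Service API](https://console.cloud.google.com/flows/enableapi?apiid=privateca.googleapis.com) for your project in order to use these samples.
+
+### Service account
+
+A service account with private key credentials is required to create signed bearer tokens.
+Create a [service account](https://console.cloud.google.com/iam-admin/serviceaccounts/create) and download the credentials file as JSON.
+
+### Set Environment Variables
+
+You must set your project ID and service account credentials in order to run the tests.
+
+```
+$ export GOOGLE_CLOUD_PROJECT="<google-project-id-here>"
+$ export GOOGLE_APPLICATION_CREDENTIALS="<path-to-service-account-credentials-file>"
+```
+
+### Grant Permissions
+
+You must ensure that the [user account or service account](https://cloud.google.com/iam/docs/service-accounts#differences_between_a_service_account_and_a_user_account) you used to authorize your gcloud session has the proper permissions to edit Private CA resources for your project. In the Cloud Console under IAM, add the following roles to the project whose service account you're using to test:
+
+* Cloud CA Service Admin
+* Cloud CA Service Certificate Requester
+* Cloud CA Service Certificate Manager
+* Cloud CA Service Certificate Template User
+* Cloud CA Service Workload Certificate Requester
+* Cloud CA Service Operation Manager
+* Cloud CA Service Auditor
+
+More information can be found in the [Google Private Certificate Authority Service Docs](https://cloud.google.com/certificate-authority-service/docs/reference/permissions-and-roles).
+
+
+## Build and Run
+
+The following instructions will help you prepare your development environment.
+
+1. Download and install the [Java Development Kit (JDK)](https://www.oracle.com/java/technologies/javase-downloads.html).
+Verify that the [JAVA_HOME](https://docs.oracle.com/javase/8/docs/technotes/guides/troubleshoot/envvars001.html) environment variable is set and points to your JDK installation.
+
+
+2. Download and install [Apache Maven](http://maven.apache.org/download.cgi) by following the [Maven installation guide](http://maven.apache.org/install.html) for your specific operating system.
+
+
+3. Clone the GoogleCloudPlatform/java-docs-samples repository.
+```
+git clone https://github.com/GoogleCloudPlatform/java-docs-samples.git
+```
+
+4. Navigate to the sample code directory.
+
+```
+cd privateca/snippets
+```
+
+5. Run the **SnippetsIT** test file present under the test folder.
+
+### Crypto frameworks
+[Bouncy Castle](https://www.bouncycastle.org/documentation.html) cryptographic framework is used as a part of testing.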
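--- a/privateca/snippets/pom.xml
+++ b/privateca/snippets/pom.xml
@@ -0,0 +1,84 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!--
+Copyright 2021 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+<groupId>com.google.cloud</groupId>
+<artifactId>security-private-ca-snippets</artifactId>
+<packaging>jar</packaging>
+<name>Google Certificate Authority Service Snippets</name>
+<url>https://github.com/googleapis/java-security-private-ca</url>
+
+<!--
+The parent pom defines common style checks and testing strategies for our samples.
+Removing or replacing it should not affect the execution of the samples in anyway.
+-->
+<parent>
+<groupId>com.google.cloud.samples</groupId>
+<artifactId>shared-configuration</artifactId>
+<version>1.2.0</version>
+</parent>
+
+<properties>
+<maven.compiler.target>1.8</maven.compiler.target>
+<maven.compiler.source>1.8</maven.compiler.source>
+<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+</properties>
+
+<dependencyManagement>
+<dependencies>
+<dependency>
+<groupId>com.google.cloud</groupId>
+<artifactId>libraries-bom</artifactId>
+<version>26.1.3</version>
+<type>pom</type>
+<scope>import</scope>
+</dependency>
+</dependencies>
+</dependencyManagement>
+
+<dependencies>
+<!-- TODO: switch to libraries-bom after this artifact is included -->
+<dependency>
+<groupId>com.google.cloud</groupId>
+<artifactId>google-cloud-security-private-ca</artifactId>
+<version>2.5.4</version>
+</dependency>
+<dependency>
+<groupId>org.bouncycastle</groupId>
+<artifactId>bcpkix-jdk15on</artifactId>
+<version>1.70</version>
+</dependency>
+<dependency>
+<groupId>com.google.cloud</groupId>
+<artifactId>google-cloud-kms</artifactId>
+</dependency>
+<dependency>
+<groupId>com.google.cloud</groupId>
+<artifactId>google-cloud-monitoring</artifactId>
+</dependency>
+
+<dependency>
+<groupId>junit</groupId>
+<artifactId>junit</artifactId>
+<version>4.13.2</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>com.google.truth</groupId>
+<artifactId>truth</artifactId>
+<version>1.1.3</version>
+<scope>test</scope>
+</dependency>
+</dependencies>
+</project>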
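Review bot: `org.bouncycastle:bcpkix-jdk15on` is pinned at `1.70`, which as far as I know is the last release published under the `jdk15on` coordinates; later Bouncy Castle releases ship as `bcpkix-jdk18on`, so an update bot watching this entry will not propose further upgrades for the crypto provider. With `maven.compiler.target` at `1.8`, changing the artifactId to `bcpkix-jdk18on` should be compatible, but that needs confirming against the snippets' tests. Separately, `google-cloud-security-private-ca` carries an explicit `<version>2.5.4</version>` next to the imported `libraries-bom` `26.1.3`, so it can drift from the BOM-managed `google-cloud-kms` and `google-cloud-monitoring` versions until the TODO on that dependency is resolved.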
@@ -0,0 +1,133 @@
/*
* Copyright 2021 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package privateca;

// [START privateca_activate_subordinateca]

import com.google.api.core.ApiFuture;
import com.google.cloud.security.privateca.v1.ActivateCertificateAuthorityRequest;
import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
import com.google.cloud.security.privateca.v1.SubordinateConfig;
import com.google.longrunning.Operation;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

public class ActivateSubordinateCa {

public static void main(String[] args)
throws InterruptedException, ExecutionException, IOException {
// TODO(developer): Replace these variables before running the sample.

// location: For a list of locations, see:
// https://cloud.google.com/certificate-authority-service/docs/locations
// pool_Id: Set a unique id for the CA pool.
// subordinateCaName: The CA to be activated.
// pemCACertificate: The signed certificate, obtained by signing the CSR.
String project = "your-project-id";
String location = "ca-location";
String pool_Id = "ca-pool-id";
String subordinateCaName = "subordinate-certificate-authority-name";
String pemCACertificate =
"-----BEGIN CERTIFICATE-----\n" + "sample-pem-certificate\n" + "-----END CERTIFICATE-----";

// certificateAuthorityName: The name of the certificate authority which signed the CSR.
// If an external CA (CA not present in Google Cloud) was used for signing,
// then use the CA's issuerCertificateChain.
String certificateAuthorityName = "certificate-authority-name";

activateSubordinateCA(
project, location, pool_Id, certificateAuthorityName, subordinateCaName, pemCACertificate);
}

// Activate a subordinate CA.
// *Prerequisite*: Get the CSR of the subordinate CA signed by another CA. Pass in the signed
// certificate and (issuer CA's name or the issuer CA's Certificate chain).
// *Post*: After activating the subordinate CA, it should be enabled before issuing certificates.
public static void activateSubordinateCA(
String project,
String location,
String pool_Id,
String certificateAuthorityName,
String subordinateCaName,
String pemCACertificate)
throws ExecutionException, InterruptedException, IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the `certificateAuthorityServiceClient.close()` method on the client to safely
// clean up any remaining background resources.
try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
CertificateAuthorityServiceClient.create()) {
// Subordinate CA parent.
String subordinateCaParent =
CertificateAuthorityName.of(project, location, pool_Id, subordinateCaName).toString();

// Construct the "Activate CA Request".
ActivateCertificateAuthorityRequest activateCertificateAuthorityRequest =
ActivateCertificateAuthorityRequest.newBuilder()
.setName(subordinateCaParent)
// The signed certificate.
.setPemCaCertificate(pemCACertificate)
.setSubordinateConfig(
SubordinateConfig.newBuilder()
// Follow one of the below methods:

// Method 1: If issuer CA is in Google Cloud, set the Certificate Authority
// Name.
.setCertificateAuthority(
CertificateAuthorityName.of(
project, location, pool_Id, certificateAuthorityName)
.toString())

// Method 2: If issuer CA is external to Google Cloud, set the issuer's
// certificate chain.
// The certificate chain of the CA (which signed the CSR) from leaf to root.
// .setPemIssuerChain(
// SubordinateConfigChain.newBuilder()
// .addAllPemCertificates(issuerCertificateChain)
// .build())

.build())
.build();

// Activate the CA.
ApiFuture<Operation> futureCall =
certificateAuthorityServiceClient
.activateCertificateAuthorityCallable()
.futureCall(activateCertificateAuthorityRequest);

Operation response = futureCall.get();

if (response.hasError()) {
System.out.println("Error while activating the subordinate CA! " + response.getError());
return;
}

System.out.println(
"Subordinate Certificate Authority activated successfully ! !" + subordinateCaName);
TimeUnit.SECONDS.sleep(3);
// The current state will be STAGED.
// The Subordinate CA has to be ENABLED before issuing certificates.
System.out.println(
"Current State: "
+ certificateAuthorityServiceClient
.getCertificateAuthority(subordinateCaParent)
.getState());
}
}
}
// [END privateca_activate_subordinateca]
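Review bot: The `response.hasError()` check in `activateSubordinateCA` runs on the `Operation` returned by `activateCertificateAuthorityCallable().futureCall(...).get()`, which is the long-running operation as first returned and may not be finished yet, so the success message can be printed before activation has completed or failed; the fixed `TimeUnit.SECONDS.sleep(3)` looks like a workaround for that. Waiting on the operation itself, for example `certificateAuthorityServiceClient.activateCertificateAuthorityAsync(activateCertificateAuthorityRequest).get()`, would surface a failed activation as an exception instead of a stdout line followed by a normal return. The same pattern appears in `createCaPool` in CreateCaPool.java (`createCaPoolCallable().futureCall(caPoolRequest)`). For a CA lifecycle step this matters because a caller that cannot tell success from failure may go on to enable or rely on a subordinate CA that was never activated.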
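--- a/privateca/snippets/src/main/java/privateca/CreateCaPool.java
+++ b/privateca/snippets/src/main/java/privateca/CreateCaPool.java
@@ -0,0 +1,80 @@
+/*
+* Copyright 2021 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* https://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package privateca;
+
+// [START privateca_create_ca_pool]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CaPool;
+import com.google.cloud.security.privateca.v1.CaPool.Tier;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.CreateCaPoolRequest;
+import com.google.cloud.security.privateca.v1.LocationName;
+import com.google.longrunning.Operation;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+
+public class CreateCaPool {
+
+public static void main(String[] args)
+throws InterruptedException, ExecutionException, IOException {
+// TODO(developer): Replace these variables before running the sample.
+// location: For a list of locations, see:
+// https://cloud.google.com/certificate-authority-service/docs/locations
+// pool_Id: Set a unique pool_Id for the CA pool.
+String project = "your-project-id";
+String location = "ca-location";
+String pool_Id = "ca-pool-id";
+createCaPool(project, location, pool_Id);
+}
+
+// Create a Certificate Authority Pool. All certificates created under this CA pool will
+// follow the same issuance policy, IAM policies,etc.,
+public static void createCaPool(String project, String location, String pool_Id)
+throws InterruptedException, ExecutionException, IOException {
+// Initialize client that will be used to send requests. This client only needs to be created
+// once, and can be reused for multiple requests. After completing all of your requests, call
+// the `certificateAuthorityServiceClient.close()` method on the client to safely
+// clean up any remaining background resources.
+try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+CertificateAuthorityServiceClient.create()) {
+
+/* Create the pool request
+Set Parent which denotes the project id and location.
+Set the Tier (see: https://cloud.google.com/certificate-authority-service/docs/tiers).
+*/
+CreateCaPoolRequest caPoolRequest =
+CreateCaPoolRequest.newBuilder()
+.setParent(LocationName.of(project, location).toString())
+.setCaPoolId(pool_Id)
+.setCaPool(CaPool.newBuilder().setTier(Tier.ENTERPRISE).build())
+.build();
+
+// Create the CA pool.
+ApiFuture<Operation> futureCall =
+certificateAuthorityServiceClient.createCaPoolCallable().futureCall(caPoolRequest);
+Operation response = futureCall.get();
+
+if (response.hasError()) {
+System.out.println("Error while creating CA pool !" + response.getError());
+return;
+}
+
+System.out.println("CA pool created successfully: " + pool_Id);
+}
+}
+}
+// [END privateca_create_ca_pool]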
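Review bot: The comment above `createCaPool` says certificates in the pool follow the same issuance policy, but the request built here sets only `Tier.ENTERPRISE` on the `CaPool` and no issuance policy, so as far as this file shows the pool is created without any sample-defined limits on what may be requested from it. I would add a comment on the `.setCaPool(...)` line along the lines of `// No IssuancePolicy is set here; call CaPool.Builder#setIssuancePolicy to restrict key types, lifetimes and issuance modes before using the pool beyond testing.` A reader copying the snippet would then know the constraint has to be added separately instead of assuming the pool is restricted by default.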