,SrSSKJr SSKJr SSKJr SSKJr SSKJ r SSKJ r SSKJ r SSK Jr SS KJr SS KJr SS KJr S rS rSrSrSrSrSrg)zHelpers for create commands.)absolute_import)division)unicode_literals) exceptions)base)certificate_utils) request_utils)flags) resource_args) labels_utilc`[R"US5 [R"US5 [R"US5 URRR 5n[R "USSS9 URR R 5nU(aJURUR:wa0[R"SSRUR55e[US5(a$URRR 5OS nURRR 5nU(aUUR5R5UR5R5:wa[R"S S 5eXU4$) zParses, validates and returns the resource args from the CLI. Args: args: The parsed arguments from the command-line. Returns: Tuple containing the Resource objects for (CA, source CA, issuer). kms_key_version issuer_poolfrom_caCERTIFICATE_AUTHORITYv1)version--kms-key-versionzGKMS key must be in the same location as the Certificate Authority ({}).N --from-cazYThe provided source CA must be a part of the same pool as the specified CA to be created.)r %ValidateResourceIsCompleteIfSpecifiedCONCEPTScertificate_authorityParseValidateResourceLocationr locationsIdrInvalidArgumentExceptionformathasattrrrParent RelativeName)argsca_refkms_key_version_ref issuer_ref source_ca_refs 8lib/googlecloudsdk/command_lib/privateca/create_utils.py_ParseCAResourceArgsr'se55d"U5U l O,U(a%UR8R:R@U l [RB"U 5 [RD"US S 9n U(a1[RF"U5(dUR8RHn [RJ"U5n U(a"UR/S5(d URLn [NRP"XRRRT5n[RV"X5n[RX"X5nURSU(a URRRZR\OURRRZR^U URaU U US9U SUUS9nUXF4$)zCreates a GA CA object from CA create flags. Args: args: The parser that contains the flag values. is_subordinate: If True, a subordinate CA is returned, otherwise a root CA. Returns: A tuple for the CA to create with (CA object, CA ref, issuer). r api_versionN)namerz.The provided source CA could not be retrieved.rz9The DevOps tier does not support user-specified KMS keys.)subjectsubjectAltNamer- subject_fileT) is_ca_commandvalidity) subjectConfig x509Config subjectKeyId)typelifetimeconfigkeySpec gcsBucketuserDefinedAccessUrlslabels)1privateca_baseGetClientInstanceGetMessagesModuler'r1projects_locations_caPools_certificateAuthoritiesGetAPrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesGetRequestr rrprojects_locations_caPools+PrivatecaProjectsLocationsCaPoolsGetRequestr ParseKeySpectierCaPoolTierValueValuesEnumDEVOPScloudKmsKeyVersion SubjectConfigSubjectSubjectAltNames IsSpecified ParseSubjectr-IsKnownAndSpecifiedParseSubjectFiler7r2SanFlagsAreSpecified ParseSanFlagsr.ValidateSubjectConfigParseX509ParametersX509ConfigFlagsAreSpecifiedr3ParseValidityFlagr6r ParseCreateArgsCertificateAuthority LabelsValueParseSubjectKeyIdParseUserDefinedAccessUrlsTypeValueValuesEnum SUBORDINATE SELF_SIGNEDCertificateConfig)r!is_subordinateclientmessagesr"r%r$pool_ref source_caca_poolkeyspecsubject_configx509_parametersr6r;skiuser_defined_access_urlsnew_cas r&CreateCAFromArgsrlRs4  + + =&  - -$ ?(&:4&@#& ]]_()HHLLRR++- S I   / / G   - - 1 1::$$&; '   t $' llhoo99@@@  $ $  - -C  )) 1I1I1K*. i  "//5N //"33D9N&--;;CCN %%$)$7$7$=N!&&55!n---d$G/u88>>&&11O $ $T *(t'' 33!!H  & & ) ) 5 5 & /##==dM  ( (   ( ( < < H H  ( ( < < H H  ' '&$( 4  ) & & %%r(cvUH3nURURRR:XdM3 g g)z3Checks if there are any enabled CAs in the CA list.TF)staterXStateValueValuesEnumENABLED)ca_listrbcas r& HasEnabledCarss2 b xx800EEMMM   r(c[R"SS9nURRRURRR /nSnUH&nSR U5UR;dM$UnM( U(d&[R"SSR X55eURU;a&[R"SSR X55eg) a4Checks that an issuing CA is in the CA Pool and has a valid state. Args: ca_pool_name: The resource name of the containing CA Pool. issuing_ca_id: The CA ID of the CA to verify. ca_list: The list of JSON CA objects in the CA pool to check from Raises: InvalidArgumentException on validation errors rr*NzcertificateAuthorities/{}z --issuer-caz;The specified CA with ID [{}] was not found in CA Pool [{}] --issuer-poolzThe specified CA with ID [{}] in CA Pool [{}] is not ENABLED or STAGED. Please choose a CA that has one of these states to issue the CA certificate from.) r<r>rXrorpSTAGEDrr,rrrn) ca_pool_name issuing_ca_idrqrballowd_issuing_states issuing_carrs r&_ValidateIssuingCar{s - -$ ?(##88@@##88??* b"))-8BGGCj    - -ELL   22  - - &} C  3r(c L[R"SS9n[R"SS9nURRR nUR RURUS95nURnU(a [XU5 gUVs/sHowRPM nnXH;a0[R"SSRU[U555egs snf![ R"a' [R"SSRU55ef=f)aChecks that a CA Pool is valid to be issuing Pool for a subordinate. Args: ca_pool_name: The resource name of the issuing CA Pool. issuing_ca_id: The optional CA ID in the CA Pool to validate. Raises: InvalidArgumentException if the CA Pool does not exist or is not enabled. rr*)parentNruzThe issuing CA Pool [{}] did not have any CAs in ENABLED state of the {} CAs found. Please create or enable a CA and try again.z`The issuing CA Pool [{}] was not found. Please verify this information is correct and try again.)r<r=r>rXrorpr?ListBPrivatecaProjectsLocationsCaPoolsCertificateAuthoritiesListRequestcertificateAuthoritiesr{rnrrrlenapitools_exceptionsHttpNotFoundError) rwrxrarb enabled_stateca_list_responserqrr ca_statess r&ValidateIssuingPoolrs   - -$ ?F//DAH11FFNNMOOTTSS T  55Gg> %,,GbGI,%  / /  K 6,G -  &-  . .  - - %%+VL%9 s$BC(C(C#+7C(#C((;D#c [R"SS9nSR[R"55nUR 5nSRXe5nUR nURUU[R"5UURUUUS9S9n URRRR(a/URRR U R"lU $)a8Returns the certificate create request with the given settings. Args: issuer_pool_ref: The resource reference for the issuing CA pool. csr: The Certificate Signing Request. issuer_ca_id: The CA ID of the CA to sign the CSR, if specified. new_ca: The CA object. Returns: A certificate create request. rr*zsubordinate-{}z{}/certificates/{})r,r6pemCsr) certificateIdr} requestIdissuingCertificateAuthorityId certificate)r<r>rrGenerateCertIdr r6:PrivatecaProjectsLocationsCaPoolsCertificatesCreateRequestr GenerateRequestId Certificater7r2r- rdnSequenceSubjectModeValueValuesEnum RDN_SEQUENCEr subjectMode) issuer_pool_refcsr issuer_ca_idrkrbcertificate_idissuer_pool_namecertificate_namer6 cert_requests r&_CreateCertificateCreateRequestrs - -$ ?(#**+<+K+K+MN.$113)00__(II&!!335(4**#+ J  ]]  ((4477DD( r(cx[R"SS9n[XX#5nURR U5$)a?Issues a certificate under the given issuer with the given settings. Args: issuer_pool_ref: The resource reference for the issuing CA pool. csr: The Certificate Signing Request. issuer_ca_id: The CA ID of the CA to sign the CSR, if specified. new_ca: The CA object. Returns: The certificate for the new CA. rr*)r<r=r'projects_locations_caPools_certificatesCreate)rrrrkrars r&SignCsrr<s<  + + =&0L,  7 7 > >| LLr(N)__doc__ __future__rrrapitools.base.pyrr googlecloudsdk.api_lib.privatecarr<rr googlecloudsdk.calliope$googlecloudsdk.command_lib.privatecar r $googlecloudsdk.command_lib.util.argsr r'rlrsr{rrrr(r&rsU#&'>C>:.6><0-fb&J#L*Z'TMr(