lSrSSKJr SSKJr SSKJr SSKrSSKrSSKrSSKrSSK J r SSK J r SSKJr SSKJ r SS KJr SS KJr SS KJr SS KJr SS KJr SS KJr SSKJr SSKrSr\R"SSSSSSSSS.5r\"S/5r \R"SSS.5r!\RD"S5r#\RD"S5r$\RD"S5r%S r&S!r'S"r(S#r)/S$Qr*/S%Qr+S&r,SS'jr-SS(jr.S)r/S*r0S+r1S,r2S-r3S.r4SS/jr5S0r6SS1jr7S2r8S3r9SS4jr:S5r;S6rS9r?SS:jr@SS;jrAS<rBS=rCS>rDS?rES@rFSArGSBrHSCrISDrJSErKSFrLSGrMSHrNSIrOSJrPSSKjrQSLrRSMrSSNrTSOrUSPrVSQrWSRrXSSrYSTrZSUr[SVSWSXSYSZS[S\S]S^S_. r\\R"S`SVSa\ R"Sb5RR\\Sc9raSdSeSf.rb\R"SgSdSh\ R"Sb5RR\bSc9reSiSjSk.rf\R"SlSiSm\ R"Sb5RR\fSc9riSnSoSpSqSrSsStSuSv.rj\R"SwSx\ R"Sb5RR\jSy9rmSzrnS{roS|rpS}rqS~rrSSjrsSrtSruSrvSrwSrxSryg)z(Helpers for parsing flags and arguments.)absolute_import)division)unicode_literalsN)base)messages) arg_parsers) exceptions)preset_profiles) text_utils) arg_utils) console_io)timescriticalpermittedIpRangesexcludedIpRangespermittedEmailAddressesexcludedEmailAddresses permittedUris excludedUrispermittedDnsNamesexcludedDnsNames)name_permitted_ipname_excluded_ipname_permitted_emailname_excluded_emailname_permitted_uriname_excluded_uriname_permitted_dnsname_excluded_dnsname-constraintsaiaIssuingCertificateUrls crlAccessUrls)custom_aia_urlscustom_cdp_urlsz ^[^@]+@[^@]+$z^([^.]+\.)*[^.]+$z^([0-9a-f][0-9a-f])+$aD If this is enabled, the following will happen: 1) The CA certificates will be written to a known location within the CA distribution point. 2) The AIA extension in all issued certificates will point to the CA cert URL in that distribition point. Note that the same bucket may be used for the CRLs if --publish-crl is set. a If this is enabled, the following will happen: 1) The CA certificates will be written to a known location within the CA distribution point. 2) The AIA extension in all issued certificates will point to the CA cert URL in that distribution point. If this gets disabled, the AIA extension will not be written to any future certificates issued by this CA. However, an existing bucket will not be deleted, and the CA certificates will not be removed from that bucket. Note that the same bucket may be used for the CRLs if --publish-crl is set. a If this gets enabled, the following will happen: 1) CRLs will be written to a known location within the CA distribution point. 2) The CDP extension in all future issued certificates will point to the CRL URL in that distribution point. Note that the same bucket may be used for the CA cert if --publish-ca-cert is set. CRL publication is not supported for CAs in the DevOps tier. a If this gets enabled, the following will happen: 1) CRLs will be written to a known location within the CA distribution point. 2) The CDP extension in all future issued certificates will point to the CRL URL in that distribution point. If this gets disabled, the CDP extension will not be written to any future certificates issued by CAs in this pool, and new CRLs will not be published to that bucket (which affects existing certs). However, an existing bucket will not be deleted, and any existing CRLs will not be removed from that bucket. Note that the same bucket may be used for the CA cert if --publish-ca-cert is set. CRL publication is not supported for CAs in the DevOps tier. ) digital_signaturecontent_commitmentkey_enciphermentdata_encipherment key_agreement cert_signcrl_sign encipher_only decipher_only) server_auth client_auth code_signingemail_protection time_stamping ocsp_signingcP[R"SSSSS9RU5 g)zAdds the encryption key flag. Registers the flag for the Cloud KMS key (CMEK) used to encrypt certificates in this pool. Args: parser: The parser to add the flags to. z--encryption-keyzThe full resource name of the Cloud KMS key to use for encrypting certificate data at rest. The key must be in the same region as the CA pool.FT)helprequiredhiddenNrArgument AddToParserparsers 1lib/googlecloudsdk/command_lib/privateca/flags.pyAddEncryptionKeyFlagr>s,--   KcxU(a[O[n[R"SUSSSS9R U5 g)N --publish-crl store_trueFTr5actionr6default)PUBLISH_CRL_UPDATE_HELPPUBLISH_CRL_CREATE_HELPrr9r:r<use_update_help_text help_texts r=AddPublishCrlFlagrKs=  " --    Kr?cxU(a[O[n[R"SUSSSS9R U5 g)Nz--publish-ca-certrBFTrC)PUBLISH_CA_CERT_UPDATE_HELPPUBLISH_CA_CERT_CREATE_HELPrr9r:rHs r=AddPublishCaCertFlagrOs= " & --    Kr?cJ[R"U5R5$N)six text_typestrip)vals r= _StripValrVs s  ! ! ##r?c [R"SSRSR[R "555SS9R U5 g)N--use-preset-profilezThe name of an existing preset profile used to encapsulate X.509 parameter values. USE_PRESET_PROFILE must be one of: {}. For more information, see https://cloud.google.com/certificate-authority-service/docs/certificate-profile.z, Fr5r6)rr9formatjoinr GetPresetProfileOptionsr:r;s r=AddUsePresetProfilesFlagr]sD-- ] tyy@@BCD Kr?cP[R"SSSSS9RU5 g)Nz --auto-enablez[If this flag is set, the Certificate Authority will be automatically enabled upon creation.rBFr5rDr6r8r;s r=AddAutoEnableFlagr`s*-- $Kr?c[R"SS[R"[S9SS9R U5 [R"SS[R"[S9SS9R U5 [R"S S [R"[S9S S9R U5 [R"S S [R"[S9SS9R U5 g)zAdds the Subject Alternative Name (san) flags. This will add --ip-san, --email-san, --dns-san, and --uri-san to the parser. Args: parser: The parser to add the flags to. --email-sanzA yaml file containing the RDN sequence for the Subject field.T)rhr5r7rgrr9rYAMLFileContentsr:r;s r=_AddSubjectFileFlagrvs2-- K   ' ' )  Kr?c [R"SSS[R"[[S9S9R U5 g)N --subjectSUBJECTzyX.501 name of the certificate subject. Example: --subject "C=US,ST=California,L=Mountain View,O=Google LLC,CN=google.com")key_type value_typerhr5rg)rr9rArgDictrVr:r;s r=_AddSubjectFlagr~s8-- L    i HKr?cfURSUS9n[U5 [U5 [U5 g)zAdds subject flags to the parser including subject string and SAN flags. Args: parser: The parser to add the flags to. subject_required: Whether the subject flag should be required. T)mutexr6N) add_groupr~rvrp)r<subject_required subject_groups r=AddSubjectFlagsr s9"" #-- m$!&)r?cL[R"SSS9RU5 g)N--subject-key-idzOptional field to specify subject key ID for certificate. DO NOT USE except to maintain a previously established identifier for a public key, whose SKI was not generated using method (1) described in RFC 5280 section 4.2.1.2.r5r8r;s r=AddSubjectKeyIdFlagrs"-- 3Kr?cl[R"SSRX5US9RU5 g)Nz --validityz@The validity of this {}, as an ISO8601 duration. Defaults to {}.r5rE)rr9rZr:)r< resource_name default_valuedefault_value_texts r=AddValidityFlagr)s/-- L 6- 4 Kr?cv[R"SS[R"5SS9R U5 g)N--issuance-policystorez6A YAML file describing this CA Pool's issuance policy.rDrgr5rtr;s r=AddCaPoolIssuancePolicyFlagr6s/--   ' ' ) C  Kr?cB[RRU5 grQ)_ENCODING_FORMAT_MAPPER choice_argr:r;s r=AddEncodingFormatFlagr?s$$008r?cF[X5 [X5 [U5 grQ)rOrKr)r<rIs r=AddPublishingOptionsFlagsrCsv4F1r?cN[R"SSSS9RU5 g)Nz--bucketzThe name of an existing storage bucket to use for storing the CA certificates and CRLs for CAs in this pool. If omitted, a new bucket will be created and managed by the service on your behalf.FrYr8r;s r= AddBucketFlagrIs(-- OKr?cR[R"SSSSSS9RU5 g)Nz--ignore-active-certificateszIf this flag is set, the Certificate Authority will be deleted even if the Certificate Authority has un-revoked or un-expired certificates after the grace period.rBFr5rDrEr6r8r;s r=AddIgnoreActiveCertificatesFlagrUs.--$ J Kr?cR[R"SSSSSS9RU5 g)Nz--skip-grace-periodzIf this flag is set, the Certificate Authority will be deleted as soon as possible without a 30-day grace period where undeletion would have been allowed. If you proceed, there will be no way to recover this CA.rBFrr8r;s r=AddSkipGracePeriodFlagrcs--- '  Kr?cR[R"SSSSSS9RU5 g)Nz--ignore-dependent-resourcesacThis field skips the integrity check that would normally prevent breaking a CA Pool if it is used by another cloud resource and allows the CA Pool to be in a state where it is not able to issue certificates. Doing so may result in unintended and unrecoverable effects on any dependent resource(s) since the CA Pool would not be able to issue certificates.rBFrr8r;s r=AddIgnoreDependentResourcesFlagrrs---$ ) Kr?c [R"SSSSS9RU5 [R"SSS[R"[ S 9S 9RU5 [R"S S S [R"[ S 9S9RU5 [R"SSS[R"[ S 9S9RU5 [R"SSS[R"[ S 9S9RU5 [R"SSS[R"[ S 9S9RU5 [R"SSS[R"[ S 9S9RU5 [R"SSS[R"[ S 9S 9RU5 [R"SSS [R"[ S 9S9RU5 g!)"zhAdds flags for inline name constraint x509 parameters. Args: parser: The parser to add the flags to. z--name-constraints-criticalzIndicates whether or not name constraints are marked as critical. Name constraints are considered critical unless explicitly set to false.TrB)r5rErDz--name-permitted-dnsaaOne or more comma-separated DNS names which are permitted to be issued certificates. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com`, while `example1.com` does not.NAME_PERMITTED_DNSrcr5rhrgz--name-excluded-dnsNAME_EXCLUDED_DNSadOne or more comma-separated DNS names which are excluded from being issued certificates. Any DNS name that can be constructed by simply adding zero or more labels to the left-hand side of the name satisfies the name constraint. For example, `example.com`, `www.example.com`, `www.sub.example.com` would satisfy `example.com`, while `example1.com` does not.r|z--name-permitted-ipNAME_PERMITTED_IPzOne or more comma-separated IP ranges which are permitted to be issued certificates. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4z--name-excluded-ipNAME_EXCLUDED_IPzOne or more comma-separated IP ranges which are excluded from being issued certificates. For IPv4 addresses, the ranges are expressed using CIDR notation as specified in RFC 4632. For IPv6 addresses, the ranges are expressed in similar encoding as IPv4z--name-permitted-emailNAME_PERMITTED_EMAILa'One or more comma-separated email addresses which are permitted to be issued certificates. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain.z--name-excluded-emailNAME_EXCLUDED_EMAILa"One or more comma-separated emails which are excluded from being issued certificates. The value can be a particular email address, a hostname to indicate all email addresses on that host or a domain with a leading period (e.g. `.example.com`) to indicate all email addresses in that domain.z--name-permitted-urizOne or more comma-separated URIs which are permitted to be issued certificates. The value can be a hostname or a domain with a leading period (like `.example.com`)NAME_PERMITTED_URIz--name-excluded-uriNAME_EXCLUDED_URIzOne or more comma-separated URIs which are excluded from being issued certificates. The value can be a hostname or a domain with a leading period (like `.example.com`)N)rr9r:rrorVr;s r=AddNameConstraintParameterFlagsrs --#   K-- :#   I 6 K--! :   I 6 K--! A   I 6 K--  A   I 6 K--$ 0   I 6 K--# 0   I 6 K-- 1#   I 6 K--! 3   I 6 Kr?c U(aSOSnUR5n[R"SSSRU5[R "[ [S9S9RU5 [R"SS S RU5[R "[ [S9S9RU5 URS S 9n[U5 URS S9n[R"SSUS9RU5 [R"SSSS9RU5 U(d([R"SSSSSS9RU5 gg)aAdds flags for providing inline x509 parameters. Args: parser: The parser to add the flags to. is_ca_command: Whether the current command is on a CA. This influences the help text, and whether the --is-ca-cert flag is added. default_max_chain_length: optional, The default value for maxPathLength to use if an explicit value is not specified. If this is omitted or set to None, no default max path length will be added. CA certificatez --key-usages KEY_USAGESzhThe list of key usages for this {}. This can only be provided if `--use-preset-profile` is not provided.)rdchoicesr|z--extended-key-usagesEXTENDED_KEY_USAGESzqThe list of extended key usages for this {}. This can only be provided if `--use-preset-profile` is not provided.z(The x509 name constraints configurationsrT)rz--max-chain-lengthzMaximum depth of subordinate CAs allowed under this CA for a CA certificate. This can only be provided if neither `--use-preset-profile` nor `--unconstrained-chain-length` are provided.rz--unconstrained-chain-lengthzIf set, allows an unbounded number of subordinate CAs under this newly issued CA certificate. This can only be provided if neither `--use-preset-profile` nor `--max-chain-length` are provided.rB)r5rDz --is-ca-certzWhether this certificate is for a CertificateAuthority or not. Indicates the Certificate Authority field in the x509 basic constraints extension.F)r5r6rErDN) rrr9rZrrorV_VALID_KEY_USAGESr:_VALID_EXTENDED_KEY_USAGESr)r< is_ca_commanddefault_max_chain_lengthrgroupname_constraints_groupchain_length_groups r=AddInlineX509ParametersFlagsrsW($]-    %-- 55;VM5J    *;  K--# AAGB     *D  K ?? 5+""89T2--  ' K"#--$ KK"# MM & k% r?c[R"SSS9RU5 [R"SSSUS9RU5 [R"SS SUS9RU5 g ) zAdds flags for expressing identity constraints. Args: parser: The argparse object to add the flags to. require_passthrough_flags: Whether the boolean --copy-* flags should be required. z--identity-cel-expressionzA CEL expression that will be evaluated against the identity in the certificate before it is issued, and returns a boolean signifying whether the request should be allowed.rz--copy-subjectzIf this is specified, the Subject from the certificate request will be copied into the signed certificate. Specify --no-copy-subject to drop any caller-specified subjects from the certificate request.rBr_z --copy-sanszIf this is specified, the Subject Alternative Name extension from the certificate request will be copied into the signed certificate. Specify --no-copy-sans to drop any caller-specified SANs in the certificate request.Nr8)r<require_passthrough_flagss r=AddIdentityConstraintsFlagsrAst--! >K-- ! ( K-- ! ( Kr?c [R"SSS[R"[S9S9R U5 [R"SSS[R"[S9S9R U5 g ) zzAdds flags for specifying user defined access URLs, such as CDP and AIA. Args: parser: The parser to add the flags to. z--custom-aia-urlszOne or more comma-separated URLs that will be added to the Authority Information Access extension in the issued certificate. These URLs are where the issuer CA certificate is located.CUSTOM_AIA_URLSrcrz--custom-cdp-urlszOne or more comma-separated URLs that will be added to the CRL Distribution Points (CDP) extension in the issued certificate. These URLs are where CRL information is located.CUSTOM_CDP_URLSNrnr;s r=AddUserDefinedAccessUrlsFlagsrksk -- H   I 6 K-- >   I 6 Kr?c [R"S5RRn[R "SUR 4SUR4SUR4SUR4SUR4SUR445$)Nv1zbase-key-usagezextended-key-usagez ca-optionsz policy-idszaia-ocsp-serversr ) privateca_baseGetMessagesModuleCertificateExtensionConstraints'KnownExtensionsValueListEntryValuesEnum collections OrderedDictBASE_KEY_USAGEEXTENDED_KEY_USAGE CA_OPTIONS POLICY_IDSAIA_OCSP_SERVERSNAME_CONSTRAINTS) enum_types r=GetKnownExtensionMappingrs.. ##$K$K   112Y99:Y))*Y))*95569556 " r?c[R"S5R[R"U5R 5R S5Vs/sHn[U5PM snS9$s snf)Nr.) objectIdPath)rrObjectIdrRrSrTsplitint)rUparts r=_StrToObjectIdrs]  ) )$ / 8 8*---*<*B*B*D*J*J3*OP*O$CI*OP 9 PsA/c [R"U5R5R5n[ 5nX#;aX2$[ R "USRSRUR5555e)Nzexpected one of [{}],) rRrSrTlowerrr UnknownArgumentExceptionrZr[keys)arg_namerU trimmed_valknown_extensionss r=_StrToKnownExtensionrsq c"((*002+-/$  ((  - -%%chh/?/D/D/F&GH r?c URSSSS9nURSSSS9n[R"SS[R"[ S9S S 9R U5 [5n[R"S S [R"UR5[S 9SS 9R U5 [R"SSSSS9R U5 g)ziAdds flags for expressing extension constraints. Args: parser: The argparser to add the arguments to. TFzConstraints on requested X.509 extensions. If unspecified, all extensions from certificate request will be ignored when signing the certificate.rr6r5@Specify exact x509 extensions to copy by OID or known extension.--copy-extensions-by-oid|If this is set, then extensions with the given OIDs will be copied from the certificate request into the signed certificate.rc OBJECT_IDrf--copy-known-extensionsrIf this is set, then the given extensions will be copied from the certificate request into the signed certificate.rhidden_choicesKNOWN_EXTENSIONS--copy-all-requested-extensionszpIf this is set, all extensions specified in the certificate request will be copied into the signed certificate. store_constr5rDconstN rrr9rrorr:rr_HIDDEN_KNOWN_EXTENSIONS)r<extension_group copy_grouprs r=AddExtensionConstraintsFlagsrs $$   %/((  M)* --  F   N ;K -/-- F   "'')1 ! K --' A K r?cL[R"SSS9RU5 g)ztAdds flag for specifying maximum lifetime in cert template. Args: parser: The argparser to add the arguments to. z--maximum-lifetimeaIf this is set, then issued certificate's lifetime will be truncated to the value provided. If the issuing CaPool's IssuancePolicy specifies a maximum lifetime the minimum of the two durations will be the maximum lifetime for the issued certificate. Note that if the issuing CertificateAuthority expires before a Certificate's requested maximum_lifetime, the effective lifetime will be explicitly truncated to match it.rNr8r;s r=AddMaximumLifetimeFlagrs$-- / Kr?c SnURSSUS9nURSSSS9nURSSSS9n[R"SS[R"[ S 9S S 9R U5 [R"S S SSS9R U5 URSSSS9n[5n[R"SS[R"UR5[S9SS 9R U5 [R"SSSSS9R U5 [R"SSSSS9R U5 g)zgAdds flags for updating extension constraints. Args: parser: The argparser to add the arguments to. z*Constraints on requested X.509 extensions.TFrrz0Constraints on unknown extensions by their OIDs.rrrcrrfz--drop-oid-extensionszIf this is set, then all existing OID extensions will be removed from the template, prohibiting any extensions specified by OIDs to be specified by the requester.rrz Constraints on known extensions.rrrrz--drop-known-extensionszIf this is set, then all known extensions will be removed from the template, prohibiting any known x509 extensions to be specified by the requester.rzIf this is set, all extensions, whether known or specified by OID, that are specified in the certificate request will be copied into the signed certificate.Nr)r<extension_group_helprr oid_group known_grouprs r=%AddExtensionConstraintsFlagsForUpdaters F$$ 5';%/((  M)* ""  =#) --  F   N ;K -- 3  K $$ 5'I%+./-- F   "'')1 ! K -- +  K --' )  K r?cv[R"SS[R"5SS9R U5 g)zOAdds a flag for the predefined x509 extensions file for a Certificate Template.--predefined-values-filera8A YAML file describing any predefined X.509 values set by this template. The provided extensions will be copied over to any certificate requests that use this template, taking precedent over any allowed extensions in the certificate request. The format of this file should be a YAML representation of the X509Parameters message, which is defined here: https://cloud.google.com/certificate-authority-service/docs/reference/rest/v1/X509Parameters. Some examples can be found here: https://cloud.google.com/certificate-authority-service/docs/creating-certificate-templaterNrtr;s r=AddPredefinedValuesFileFlagrGs4--   ' ' ) f Kr?cURS5(dg[R"S5nURURS9$)z)Parses the encryption-key flag from args.encryption_keyNr) cloudKmsKey) IsSpecifiedrrEncryptionSpecrargsrs r=ParseEncryptionSpecr `sA  * + +   - -d 3(  T-@-@ AAr?c[R"S5nURURURUR S5(aUR URS9S9$SS9$)zGParses the identity flags into a CertificateIdentityConstraints object.ridentity_cel_expression) expressionN)allowSubjectPassthroughallowSubjectAltNamesPassthrough celExpression)rrCertificateIdentityConstraints copy_subject copy_sansrExprr rs r=ParseIdentityConstraintsrjsv  - -d 3(  0 0"//&*nn  3 4 4MMT-I-IMJ 1   1 r?cURS5(ag[R"S5n/nURS5(d<URS5(a&URVs/sHn[ SU5PM nn/nURS5(d"URS5(a UR nURX$S 9$s snf) aParse extension constraints flags into CertificateExtensionConstraints API message. Assumes that the parser defined by args has the flags copy_all_requested_extensions, copy_known_extesnions, and copy-extensions-by-oid. Also supports drop_known_extensions and drop_oid_extensions for clearing the extension lists. Args: args: The argparse object to read flags from. Returns: The CertificateExtensionConstraints API message. copy_all_requested_extensionsNrdrop_known_extensionscopy_known_extensionsrdrop_oid_extensionscopy_extensions_by_oid)knownExtensionsadditionalExtensions)rrrIsKnownAndSpecifiedrrrr)rr known_extsextoidss r=ParseExtensionConstraintsr!ws 566   - -d 3(* ! !"9 : :t?O?O@@ ---C 6<- $ ! !"7 8 8T=M=M>>  & &D  1 1  2 s*C cURS5(dg[R"[R"UR55$)zParses the maximum_lifetime flag from args. Args: args: The argparse object to read flags from. Returns: The JSON formatted duration of the maximum lifetime or none. maximum_lifetimeN)rrFormatDurationForJson ParseDurationr#rs r=ParseMaximumLifetimer's;   , - -   $ $U%8%89N9N%O PPr?cURS5(dg[R"UR[R "S5R 5$![R[4a [R"SS5ef=f)zOParses an X509Parameters proto message from the predefined values file in args.predefined_values_fileNrrz.Unrecognized field in the X509Parameters file.) r messages_utilDictToMessageWithErrorCheckr)rrX509Parameters DecodeErrorAttributeErrorr InvalidArgumentExceptionr&s r=ParsePredefinedValuesr0s  2 3 3    4 4 ##((.==   # #^ 4  - -"8  >A2B cNURnSSSSSSS.n0nUR5HupEXB;aXSX$'MXSU'M [R"U[R "S5R 5$![Ra [R"S S 5ef=f) zParses a dictionary with subject attributes into a API Subject type. Args: args: The argparse namespace that contains the flag values. Returns: Subject: the Subject type represented in the api. commonName countryCodeprovincelocality organizationorganizationalUnit)CNCSTLOOUrrxzUnrecognized subject attribute.) subjectitemsr*r+rrSubjectr-r r/)r subject_args remap_args mapped_argskeyrUs r= ParseSubjectrFs,      *+$$&hc %(*/"# '   4 4^55d;CC   " "  - -6 s 4A88,B$c////4upp4URS5(a#[[[UR55nURS5(a#[[[ UR 55nURS5(a#[[[UR55nURS5(a URn[R"S5RUUUUS9$)zValidates the san flags and creates a SubjectAltNames message from them. Args: args: The parser that contains the flags. Returns: The SubjectAltNames message with the flag data. email_sandns_sanip_sanuri_sanr)emailAddressesdnsNames ipAddressesuris) rlistmapValidateEmailSanFlagrHValidateDnsSanFlagrIValidateIpSanFlagrJrKrrSubjectAltNames)remail_addresses dns_names ip_addressesrOs r= ParseSanFlagsrYs46r2r>0/l k""33T^^DEO i  S+T\\:;I h-t{{;,>    > **A/A   =! ''+T  1 12D EE  r?c/nUR(aVURRURRURRURR/nUR R (dY[UVs/sH o"(+PM sn5(a3UR R(d[R"SS5egggs snf)z!Validates a SubjectConfig object.rxz^The certificate you are creating does not contain a common name or a subject alternative name.N) subjectAltNamerLrMrNrOr?r3all rdnSequencer r/)subject_config san_nameselems r=ValidateSubjectConfigrm)s)""%%44%%..%%11%%** I  + + I.IDxI. / /$$00  - - % 1 0 ,.sCcz[R"S5nURUR5UR 5S9nUR S5(a[ U5UlO&UR S5(a[U5Ul[U5(a[U5Ul [U5 U$)zParses subject flags into a subject config. Args: args: The parser that contains all the flag values Returns: A subject config representing the parsed flags. r)r?rgr? subject_file) rr SubjectConfigrArUrrFr?ParseSubjectFileSanFlagsAreSpecifiedrYrgrm)rrrjs r=ParseSubjectFlagsrs?s - -d 3()) 1I1I1K*. i  )$/N ''-d3N$$1$$7N!' r?c [SVs/sH)nU[U5;=(a URU5PM+ sn5$s snf)z,Returns true if any san flags are specified.)rIrHrJrKanyvarsrrflags r=rrrrYsK ??$ d4j3T--d33? 0AcURS5(dg[R"UR[R "S5R 5$![R[4a [R"SS5ef=f)z5Parses an IssuancePolicy proto message from the args.issuance_policyNrrz*Unrecognized field in the Issuance Policy.) rr*r+r|rrIssuancePolicyr-r.r r/r&s r=ParseIssuancePolicyr~as  + , ,    4 4 ((.==   # #^ 4  - -I r1c[R"UR[R"S5R 5$![R [4a [R"SS5ef=f)zAParses an a Subject from a file to a proto message from the args.rrrz"Unrecognized field in the Subject.) r*r+rorrrAr-r.r r/r&s r=rqrqrsl   4 4 ((.66   # #^ 4  - -> s >A2A3c@[RUR5$rQ)rGetEnumForChoicepublishing_encoding_formatr&s r=ParseEncodingFormatFlagrs 1 1 %% r?c[R"S5nURnURn[ U5nUR S5=(a, [ U5URRR:HnU(a6URS5(aU(a[R"SS5eSnURUUUS9$)z8Parses the PublshingOptions proto message from the args.rtier publish_crlrAz4CRL publication is not supported in the DevOps tier.F) publishCaCert publishCrlencodingFormat)rrpublish_ca_certrrr ParseTierFlagCaPoolTierValueValuesEnumDEVOPSrr r/PublishingOptions)rrrrencoding_formatis_devops_tiers r=ParsePublishingOptionsrs  - -d 3(((/  ++D1/++F3DX__@@GGG  &&;  / /  @  K  # ##$ $ r?ct[R"[U5(d[R"SS5eU$)NrbzInvalid email address.)rematch_EMAIL_SAN_REGEXr r/sans r=rRrRs4 "C ( (  - -/  *r?ct[R"[U5(d[R"SS5eU$)NrkzInvalid domain name value)rr_DNS_SAN_REGEXr r/rs r=rSrSs3 .# & &  - -0  *r?c~[R"U5 U$![a [R"SS5ef=f)NrizInvalid IP address value.) ipaddress ip_address ValueErrorr r/rs r=rTrTsF  *   - -/ s"< unspecifiedzkey-compromisez certificate-authority-compromisezaffiliation-changed supersededzcessation-of-operationzcertificate-holdzprivilege-withdrawnzattribute-authority-compromise) REVOCATION_REASON_UNSPECIFIEDKEY_COMPROMISE CERTIFICATE_AUTHORITY_COMPROMISEAFFILIATION_CHANGED SUPERSEDEDCESSATION_OF_OPERATIONCERTIFICATE_HOLDPRIVILEGE_WITHDRAWNATTRIBUTE_AUTHORITY_COMPROMISEz--reasonz(Revocation reason to include in the CRL.r)rrEhelp_str message_enumcustom_mappingspemder)PEMDERz--publishing-encoding-formatz@The encoding format of the content published to storage buckets. enterprisedevops) ENTERPRISErz--tierz'The tier for the Certificate Authority.zrsa-pss-2048-sha256zrsa-pss-3072-sha256zrsa-pss-4096-sha256zrsa-pkcs1-2048-sha256zrsa-pkcs1-3072-sha256rsa-pkcs1-4096-sha256zec-p256-sha256zec-p384-sha384)RSA_PSS_2048_SHA256RSA_PSS_3072_SHA256RSA_PSS_4096_SHA256RSA_PKCS1_2048_SHA256RSA_PKCS1_3072_SHA256RSA_PKCS1_4096_SHA256EC_P256_SHA256EC_P384_SHA384z--key-algorithmzYThe crypto algorithm to use for creating a managed KMS key for the Certificate Authority.)rrrrcB[RRU5 g)zjAdd a revocation reason enum flag to the parser. Args: parser: The argparse parser to add the flag to. N)_REVOCATION_REASON_MAPPERrr:r;s r=AddRevocationReasonFlagr s &&226:r?c,[RU5$)zReturn the apitools revocation reason enum value from the string choice. Args: choice: The string value of the revocation reason. Returns: The revocation enum value for the choice text. )rr)choices r=ParseRevocationChoiceToEnumrs # 3 3F ;;r?cj[R"[R"UR55$)zParses the validity from args.)rr$r%validityr&s r=ParseValidityFlagr s"  $ $U%8%8%G HHr?cB[RRU5 grQ) _TIER_MAPPERrr:r;s r= AddTierFlagr%s%%f-r?c@[RUR5$rQ)rrrr&s r=rr)s  & &tyy 11r?c[RRU5 [RRX5 grQ)_KEY_ALGORITHM_MAPPERrr: SetDefault) parser_grouprEs r=AddKeyAlgorithmFlagr-s*""..|<""--lDr?c4[R"S5nURS5(aAURRR 5nUR UR5S9$UR [RUR5S9$)zHParses a specified KMS key version or algorithm to get a KeyVersionSpec.rkms_key_version)cloudKmsKeyVersion) algorithm) rrrCONCEPTSrParseKeyVersionSpec RelativeNamerr key_algorithm)rrkms_key_version_refs r= ParseKeySpecr2s  - -d 3( '((--77==?  " ".;;= #   %66t7I7IJ ! r?c0n[R5H*up4URU5(dM[X5X$'M, U(dgURU[ '[ R"X!RS9$)zParses the name constraints in x509Parameters. Args: args: The parsed argument values messages: PrivateCA's messages modules Returns: A NameConstraints message object N message_type) _NAME_CONSTRAINT_MAPPINGSr@rgetattrname_constraints_critical_NAME_CONSTRAINT_CRITICALr*r+NameConstraints)rrname_constraint_dictconstraint_arg constraints r=ParseNameConstraintsr@s|$=$C$C$E n //)0)F&%F   $$01  2 2)A)A r?cURS5(dgURn[R"[U5(d[ R "SS5eURUS9$)zParses the subject key id for input into CertificateConfig. Args: args: The parsed argument values messages: PrivateCA's messages modules Returns: A CertificateConfigKeyId message object subject_key_idNrz;Subject key id must be an even length lowercase hex string.)keyId)rrrr _SKID_REGEXr r/CertificateConfigKeyId)rrskids r=ParseSubjectKeyIdrZsd   * + +   $ +t $ $  - -E   ( (t ( 44r?c bURS5n/SQ[[R55-n[ UVs/sHo@RU5PM sn5nU(aU(a[ R "SS5eU(a [R"UR5$UR(aSUl UR=(d /nU=(d$ URS5=(a URnU(aURSS/5 0nUHn [R "U 5n S X'M 0n UR"=(d /Hn [R "U 5n S X'M [$R&"S 5n U R)U R+[,R."XR05[,R."XR25S 9U R5UU(a"URb[7UR5OSS 9[9X 5S 9$s snf)zParses the X509 parameters flags into an API X509Parameters. Args: args: The parsed argument values. is_ca_command: Whether the current command is on a CA. If so, certSign and crlSign key usages are added. Returns: An X509Parameters object. use_preset_profile) key_usagesextended_key_usagesmax_chain_length is_ca_certunconstrained_chain_lengthrXz--use-preset-profile may not be specified if one or more of --key-usages, --extended-key-usages, --unconstrained_chain_length or --max-chain-length are specified.Nrr*r+Tr) baseKeyUsageextendedKeyUsage)isCamaxIssuerPathLength)keyUsage caOptionsnameConstraints)rrPrrrvr r/r GetPresetX509Parametersrrrrrextendr SnakeCaseToCamelCaserrrr,KeyUsager*r+KeyUsageOptionsExtendedKeyUsageOptions CaOptionsrr) rrpreset_profile_set inline_argsryhas_inline_valuesbase_key_usagesis_cakey_usage_dict key_usageextended_key_usage_dictextended_key_usagers r=ParseX509Parametersr ps//0DE  $ ) ) +, -+2=>+$%+>-  - - ,    2 243J3J KK $$ DOO)r/   |,@ K45."i// :I $N# 44::#889KL26/; - -d 3(    $@@66 )DD%'G'G !""t,,8"$"7"78 #+4:! ! A?sH,c [SVs/sH)nU[U5;=(a URU5PM+ sn5$s snf)z4Returns true if any x509 config flags are specified.)rrrrrrrurxs r=X509ConfigFlagsAreSpecifiedr sQ  $ d4j3T--d33    rzc0n[R5H*up4URU5(dM[X5X$'M, U(dg[R "X!R S9$)zParses the user defined access URLs into a UserDefinedAccessUrls message. Args: args: The parsed argument values messages: PrivateCA's messages modules Returns: A UserDefinedAccessUrls message object Nr)"_USER_DEFINED_ACCESS_URLS_MAPPINGSr@rrr*r+UserDefinedAccessUrls)rruser_defined_access_urlsurl_arg url_fields r=ParseUserDefinedAccessUrlsrsd >DDFg ((,3D,B)G "   2 2-K-K r?)F)P10Yz10 yearsrQ)T)FFF)r)z__doc__ __future__rrrrrr frozendict googlecloudsdk.api_lib.privatecarrgooglecloudsdk.api_lib.utilrr*googlecloudsdk.callioperr $googlecloudsdk.command_lib.privatecar]r r $googlecloudsdk.command_lib.util.apisr googlecloudsdk.core.consoler googlecloudsdk.core.utilrrRrr frozensetrrcompilerrrrNrMrGrFrrr>rKrOrVr]r`rprvr~rrrrrrrrrrrrrrrrrrrrrr rr!r'r0rFrYrermrsrrr~rqrrrRrSrT_REVOCATION_MAPPINGChoiceEnumMapperrRevokeCertificateRequestReasonValueValuesEnumr_ENCODING_FORMAT_MAPPINGrEncodingFormatValueValuesEnumr _TIER_MAPPINGrrr_KEY_ALGORITHM_MAPPINGrAlgorithmValueValuesEnumrrrrrrrrrrr r rr?r=r,s/&' CA/(.S@;:2* &&11,*53)'-+ 3 %&8%9:%/%:%:2&<&" ::o.01jj12    *  $  D  * EO 9   "k^59M`'T8  5!p*P!f2B #L Q$!H:JO(FV,4"   :   &3&(J06*0&F &66   711 44'   $44 +  O11 55, ))   611  f ! 100444&& "22  % 11 n--* ; <I .2E 45,IX r?