docs(samples): added samples and tests for updating and monitoring CA (#274)

Sita04 · gcf-owl-bot[bot] · Sita04 · commit 9344d7414ebf · 2023-01-18T04:58:08.000+05:30
* docs(samples): added samples and tests for updating and monitoring CA * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * docs(samples): added review comments * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md * 🦉 Updates from OwlBot See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
diff --git a/privateca/cloud-client/src/main/java/privateca/MonitorCertificateAuthority.java b/privateca/cloud-client/src/main/java/privateca/MonitorCertificateAuthority.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_monitor_ca_expiry]
+
+import com.google.cloud.monitoring.v3.AlertPolicyServiceClient;
+import com.google.cloud.monitoring.v3.NotificationChannelServiceClient;
+import com.google.monitoring.v3.AlertPolicy;
+import com.google.monitoring.v3.AlertPolicy.Condition;
+import com.google.monitoring.v3.AlertPolicy.Condition.MonitoringQueryLanguageCondition;
+import com.google.monitoring.v3.AlertPolicy.ConditionCombinerType;
+import com.google.monitoring.v3.NotificationChannel;
+import com.google.monitoring.v3.ProjectName;
+import java.io.IOException;
+
+public class MonitorCertificateAuthority {
+
+  public static void main(String[] args) throws IOException {
+    // TODO(developer): Replace these variables before running the sample.
+    String project = "your-project-id";
+    createCaMonitoringPolicy(project);
+  }
+
+  // Creates a monitoring policy that notifies you 30 days before a managed CA expires.
+  public static void createCaMonitoringPolicy(String project) throws IOException {
+    /* Initialize client that will be used to send requests. This client only needs to be created
+    once, and can be reused for multiple requests. After completing all of your requests, call
+    the `client.close()` method on the client to safely
+    clean up any remaining background resources. */
+    try (AlertPolicyServiceClient client = AlertPolicyServiceClient.create();
+        NotificationChannelServiceClient notificationClient =
+            NotificationChannelServiceClient.create()) {
+
+      String policyName = "policy-name";
+
+      /* Query which indicates the resource to monitor and the constraints.
+      Here, the alert policy notifies you 30 days before a managed CA expires.
+      For more info on creating queries, see: https://cloud.google.com/monitoring/mql/alerts */
+      String query =
+          "fetch privateca.googleapis.com/CertificateAuthority"
+              + "| metric 'privateca.googleapis.com/ca/cert_chain_expiration'"
+              + "| group_by 5m,"
+              + "[value_cert_chain_expiration_mean: mean(value.cert_chain_expiration)]"
+              + "| every 5m"
+              + "| condition val() < 2.592e+06 's'";
+
+      // Create a notification channel.
+      NotificationChannel notificationChannel =
+          NotificationChannel.newBuilder()
+              .setType("email")
+              .putLabels("email_address", "java-docs-samples-testing@google.com")
+              .build();
+      NotificationChannel channel =
+          notificationClient.createNotificationChannel(
+              ProjectName.of(project), notificationChannel);
+
+      // Set the query and notification channel.
+      AlertPolicy alertPolicy =
+          AlertPolicy.newBuilder()
+              .setDisplayName(policyName)
+              .addConditions(
+                  Condition.newBuilder()
+                      .setDisplayName("ca-cert-chain-expiration")
+                      .setConditionMonitoringQueryLanguage(
+                          MonitoringQueryLanguageCondition.newBuilder().setQuery(query).build())
+                      .build())
+              .setCombiner(ConditionCombinerType.AND)
+              .addNotificationChannels(channel.getName())
+              .build();
+
+      AlertPolicy policy = client.createAlertPolicy(ProjectName.of(project), alertPolicy);
+
+      System.out.println("Monitoring policy successfully created !" + policy.getName());
+    }
+  }
+}
+// [END privateca_monitor_ca_expiry]
diff --git a/privateca/cloud-client/src/main/java/privateca/UpdateCertificateAuthority.java b/privateca/cloud-client/src/main/java/privateca/UpdateCertificateAuthority.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_update_ca_label]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CertificateAuthority;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityName;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.UpdateCertificateAuthorityRequest;
+import com.google.longrunning.Operation;
+import com.google.protobuf.FieldMask;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+public class UpdateCertificateAuthority {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    // TODO(developer): Replace these variables before running the sample.
+    // location: For a list of locations, see:
+    // https://cloud.google.com/certificate-authority-service/docs/locations
+    // pool_Id: Set it to the CA Pool under which the CA should be created.
+    // certificateAuthorityName: Unique name for the CA.
+    String project = "your-project-id";
+    String location = "ca-location";
+    String pool_Id = "ca-pool-id";
+    String certificateAuthorityName = "certificate-authority-name";
+
+    updateCaLabel(project, location, pool_Id, certificateAuthorityName);
+  }
+
+  // Updates the labels in a certificate authority.
+  public static void updateCaLabel(
+      String project, String location, String pool_Id, String certificateAuthorityName)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* Initialize client that will be used to send requests. This client only needs to be created
+    once, and can be reused for multiple requests. After completing all of your requests, call
+    the `certificateAuthorityServiceClient.close()` method on the client to safely
+    clean up any remaining background resources. */
+    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+        CertificateAuthorityServiceClient.create()) {
+
+      // Set the parent path and the new labels.
+      String certificateAuthorityParent =
+          CertificateAuthorityName.of(project, location, pool_Id, certificateAuthorityName)
+              .toString();
+      CertificateAuthority certificateAuthority =
+          CertificateAuthority.newBuilder()
+              .setName(certificateAuthorityParent)
+              .putLabels("env", "test")
+              .build();
+
+      // Create a request to update the CA.
+      UpdateCertificateAuthorityRequest request =
+          UpdateCertificateAuthorityRequest.newBuilder()
+              .setCertificateAuthority(certificateAuthority)
+              .setUpdateMask(FieldMask.newBuilder().addPaths("labels").build())
+              .build();
+
+      // Update the CA and wait for the operation to complete.
+      ApiFuture<Operation> futureCall =
+          certificateAuthorityServiceClient
+              .updateCertificateAuthorityCallable()
+              .futureCall(request);
+      Operation operation = futureCall.get(60, TimeUnit.SECONDS);
+
+      // Check for errors.
+      if (operation.hasError()) {
+        System.out.println("Error in updating labels ! " + operation.getError());
+      }
+
+      // Get the updated CA and check if it contains the new label.
+      CertificateAuthority response =
+          certificateAuthorityServiceClient.getCertificateAuthority(certificateAuthorityParent);
+      if (response.getLabelsMap().containsKey("env")
+          && response.getLabelsMap().get("env").equalsIgnoreCase("test")) {
+        System.out.println("Successfully updated the labels ! ");
+      }
+    }
+  }
+}
+// [END privateca_update_ca_label]
diff --git a/privateca/cloud-client/src/test/java/privateca/SnippetsIT.java b/privateca/cloud-client/src/test/java/privateca/SnippetsIT.java
@@ -320,6 +320,19 @@ public void testListCertificateAuthorities() throws IOException {
     assertThat(stdOut.toString()).contains(CA_NAME);
   }
 
+  @Test
+  public void testUpdateCertificateAuthority()
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    privateca.UpdateCertificateAuthority.updateCaLabel(PROJECT_ID, LOCATION, CA_POOL_ID, CA_NAME);
+    assertThat(stdOut.toString()).contains("Successfully updated the labels ! ");
+  }
+
+  @Test
+  public void testMonitorCertificateAuthority() throws IOException, InterruptedException {
+    privateca.MonitorCertificateAuthority.createCaMonitoringPolicy(PROJECT_ID);
+    assertThat(stdOut.toString()).contains("Monitoring policy successfully created !");
+  }
+
   @Test
   public void testEnableDisableCertificateAuthority()
       throws InterruptedException, ExecutionException, IOException {
diff --git a/privateca/pom.xml b/privateca/pom.xml
@@ -63,6 +63,10 @@
       <groupId>com.google.cloud</groupId>
       <artifactId>google-cloud-kms</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.google.cloud</groupId>
+      <artifactId>google-cloud-monitoring</artifactId>
+    </dependency>
 
     <dependency>
       <groupId>junit</groupId>
