docs(samples): added samples for issuance policy and certificate templates (#264)

* docs(samples): init commit - set issuance policy

* docs(samples): added certificate template CRUD samples

* refactor(samples): modified the samples for test coherence

* test(samples): Added tests for issuance policy and certificate templates.

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* refactor(samples): included filter condition and comments

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* refactor(samples): included review comments

* 🦉 Updates from OwlBot

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: Sita04

privateca/cloud-client/src/main/java/privateca/CreateCertificate.java

@@ -85,7 +85,7 @@ public static void createCertificate(
       // certificateLifetime: The validity of the certificate in seconds.
       String commonName = "common-name";
       String orgName = "org-name";
-      String domainName = "dnsname.com";
+      String domainName = "dns.your-domain.com";
       long certificateLifetime = 1000L;
 
       // Set the Public Key and its format.

privateca/cloud-client/src/main/java/privateca/CreateCertificateTemplate.java

@@ -0,0 +1,121 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_create_certificate_template]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.CertificateIdentityConstraints;
+import com.google.cloud.security.privateca.v1.CertificateTemplate;
+import com.google.cloud.security.privateca.v1.CreateCertificateTemplateRequest;
+import com.google.cloud.security.privateca.v1.KeyUsage;
+import com.google.cloud.security.privateca.v1.KeyUsage.ExtendedKeyUsageOptions;
+import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
+import com.google.cloud.security.privateca.v1.LocationName;
+import com.google.cloud.security.privateca.v1.X509Parameters;
+import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
+import com.google.longrunning.Operation;
+import com.google.type.Expr;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+public class CreateCertificateTemplate {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* TODO(developer): Replace these variables before running the sample.
+    location: For a list of locations, see:
+    https://cloud.google.com/certificate-authority-service/docs/locations */
+    String project = "your-project-id";
+    String location = "ca-location";
+    String certificateTemplateId = "certificate-template-id";
+
+    createCertificateTemplate(project, location, certificateTemplateId);
+  }
+
+  /* Creates a Certificate template. These templates can be reused for common
+  certificate issuance scenarios. */
+  public static void createCertificateTemplate(
+      String project, String location, String certificateTemplateId)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* Initialize client that will be used to send requests. This client only needs to be created
+    once, and can be reused for multiple requests. After completing all of your requests, call
+    the `certificateAuthorityServiceClient.close()` method on the client to safely
+    clean up any remaining background resources. */
+    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+        CertificateAuthorityServiceClient.create()) {
+
+      /* Describes any predefined X.509 values set by this template.
+      The provided extensions are copied over to certificate requests that use this template.*/
+      KeyUsage keyUsage =
+          KeyUsage.newBuilder()
+              .setBaseKeyUsage(
+                  KeyUsageOptions.newBuilder()
+                      .setDigitalSignature(true)
+                      .setKeyEncipherment(true)
+                      .build())
+              .setExtendedKeyUsage(ExtendedKeyUsageOptions.newBuilder().setServerAuth(true).build())
+              .build();
+
+      CaOptions caOptions = CaOptions.newBuilder().setIsCa(false).build();
+
+      /* CEL expression that is evaluated against the Subject and
+      Subject Alternative Name of the certificate before it is issued. */
+      Expr expr =
+          Expr.newBuilder().setExpression("subject_alt_names.all(san, san.type == DNS)").build();
+
+      // Set the certificate issuance schema.
+      CertificateTemplate certificateTemplate =
+          CertificateTemplate.newBuilder()
+              .setPredefinedValues(
+                  X509Parameters.newBuilder().setKeyUsage(keyUsage).setCaOptions(caOptions).build())
+              .setIdentityConstraints(
+                  CertificateIdentityConstraints.newBuilder()
+                      .setCelExpression(expr)
+                      .setAllowSubjectPassthrough(false)
+                      .setAllowSubjectAltNamesPassthrough(false)
+                      .build())
+              .build();
+
+      // Set the parent and certificate template properties.
+      CreateCertificateTemplateRequest certificateTemplateRequest =
+          CreateCertificateTemplateRequest.newBuilder()
+              .setParent(LocationName.of(project, location).toString())
+              .setCertificateTemplate(certificateTemplate)
+              .setCertificateTemplateId(certificateTemplateId)
+              .build();
+
+      // Create Template request.
+      ApiFuture<Operation> futureCall =
+          certificateAuthorityServiceClient
+              .createCertificateTemplateCallable()
+              .futureCall(certificateTemplateRequest);
+
+      Operation response = futureCall.get(60, TimeUnit.SECONDS);
+
+      if (response.hasError()) {
+        System.out.println("Error creating certificate template ! " + response.getError());
+        return;
+      }
+
+      System.out.println("Successfully created certificate template ! " + response.getName());
+    }
+  }
+}
+// [END privateca_create_certificate_template]

privateca/cloud-client/src/main/java/privateca/CreateSubordinateCa.java

@@ -29,6 +29,7 @@
 import com.google.cloud.security.privateca.v1.KeyUsage;
 import com.google.cloud.security.privateca.v1.KeyUsage.KeyUsageOptions;
 import com.google.cloud.security.privateca.v1.Subject;
+import com.google.cloud.security.privateca.v1.SubjectAltNames;
 import com.google.cloud.security.privateca.v1.X509Parameters;
 import com.google.cloud.security.privateca.v1.X509Parameters.CaOptions;
 import com.google.longrunning.Operation;
@@ -65,6 +66,7 @@ public static void createSubordinateCertificateAuthority(
 
       String commonName = "common-name";
       String orgName = "csr-org-name";
+      String domainName = "dns.your-domain.com";
       int caDuration = 100000; // Validity of this CA in seconds.
 
       // Set the type of Algorithm.
@@ -76,6 +78,8 @@ public static void createSubordinateCertificateAuthority(
           SubjectConfig.newBuilder()
               .setSubject(
                   Subject.newBuilder().setCommonName(commonName).setOrganization(orgName).build())
+              // Set the fully qualified domain name.
+              .setSubjectAltName(SubjectAltNames.newBuilder().addDnsNames(domainName).build())
               .build();
 
       //  Set the key usage options for X.509 fields.

privateca/cloud-client/src/main/java/privateca/DeleteCertificateTemplate.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_delete_certificate_template]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.CertificateTemplateName;
+import com.google.cloud.security.privateca.v1.DeleteCertificateTemplateRequest;
+import com.google.longrunning.Operation;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+public class DeleteCertificateTemplate {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* TODO(developer): Replace these variables before running the sample.
+    location: For a list of locations, see:
+    https://cloud.google.com/certificate-authority-service/docs/locations
+    certificateTemplateId: Id of the certificate template to delete. */
+    String project = "your-project-id";
+    String location = "ca-location";
+    String certificateTemplateId = "certificate-template-id";
+
+    deleteCertificateTemplate(project, location, certificateTemplateId);
+  }
+
+  // Deletes the certificate template present in the given project and location.
+  public static void deleteCertificateTemplate(
+      String project, String location, String certificateTemplateId)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* Initialize client that will be used to send requests. This client only needs to be created
+    once, and can be reused for multiple requests. After completing all of your requests, call
+    the `certificateAuthorityServiceClient.close()` method on the client to safely
+    clean up any remaining background resources. */
+    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+        CertificateAuthorityServiceClient.create()) {
+
+      // Set the parent name of the certificate template to be deleted.
+      DeleteCertificateTemplateRequest request =
+          DeleteCertificateTemplateRequest.newBuilder()
+              .setName(
+                  CertificateTemplateName.of(project, location, certificateTemplateId).toString())
+              .build();
+
+      ApiFuture<Operation> futureCall =
+          certificateAuthorityServiceClient.deleteCertificateTemplateCallable().futureCall(request);
+
+      Operation response = futureCall.get(60, TimeUnit.SECONDS);
+
+      // Check for errors.
+      if (response.hasError()) {
+        System.out.println("Error deleting the certificate template ! " + response.getError());
+        return;
+      }
+
+      System.out.println("Successfully created certificate template ! " + response.getName());
+    }
+  }
+}
+// [END privateca_delete_certificate_template]

privateca/cloud-client/src/main/java/privateca/FilterCertificates.java

@@ -30,21 +30,16 @@ public static void main(String[] args) throws IOException {
     // location: For a list of locations, see:
     // https://cloud.google.com/certificate-authority-service/docs/locations
     // pool_Id: Id of the CA pool which contains the certificates to be listed.
-    // filterCondition: Filter certificates based on the given condition.
-    // For more info on conditions supported,
-    // see:
-    // https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support
     String project = "your-project-id";
     String location = "ca-location";
     String pool_Id = "ca-pool-id";
-    String filterCondition = "filter-condition";
 
-    filterCertificates(project, location, pool_Id, filterCondition);
+    filterCertificates(project, location, pool_Id);
   }
 
   // Filter certificates based on a condition and list them.
-  public static void filterCertificates(
-      String project, String location, String pool_Id, String filterCondition) throws IOException {
+  public static void filterCertificates(String project, String location, String pool_Id)
+      throws IOException {
     // Initialize client that will be used to send requests. This client only needs to be created
     // once, and can be reused for multiple requests. After completing all of your requests, call
     // the `certificateAuthorityServiceClient.close()` method on the client to safely
@@ -63,8 +58,16 @@ public static void filterCertificates(
       ListCertificatesRequest listCertificatesRequest =
           ListCertificatesRequest.newBuilder()
               .setParent(caPool.toString())
-              // Filter certificates according to the given condition.
-              .setFilter(filterCondition)
+              /* Filter certificates based on the given condition.
+              For more info on conditions supported,
+              see:
+              https://cloud.google.com/certificate-authority-service/docs/sorting-filtering-certificates#filtering_support
+              Few examples for constructing conditions:
+              certificate_description.subject_description.not_after_time=timestamp(com.google.protobuf)
+              certificate_description.subject_description.subject_alt_name.dns_names:my-dns
+              Here, we are filtering certificates which has organization name = csr-org-name */
+              .setFilter(
+                  "certificate_description.subject_description.subject.organization=csr-org-name")
               .build();
 
       // Retrieve and print the certificate names.

privateca/cloud-client/src/main/java/privateca/ListCertificateTemplates.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package privateca;
+
+// [START privateca_list_certificate_template]
+
+import com.google.api.core.ApiFuture;
+import com.google.cloud.security.privateca.v1.CertificateAuthorityServiceClient;
+import com.google.cloud.security.privateca.v1.CertificateTemplate;
+import com.google.cloud.security.privateca.v1.ListCertificateTemplatesRequest;
+import com.google.cloud.security.privateca.v1.ListCertificateTemplatesResponse;
+import com.google.cloud.security.privateca.v1.LocationName;
+import java.io.IOException;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+
+public class ListCertificateTemplates {
+
+  public static void main(String[] args)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* TODO(developer): Replace these variables before running the sample.
+    location: For a list of locations, see:
+    https://cloud.google.com/certificate-authority-service/docs/locations */
+    String project = "your-project-id";
+    String location = "ca-location";
+
+    listCertificateTemplates(project, location);
+  }
+
+  // Lists the certificate templates present in the given project and location.
+  public static void listCertificateTemplates(String project, String location)
+      throws IOException, ExecutionException, InterruptedException, TimeoutException {
+    /* Initialize client that will be used to send requests. This client only needs to be created
+    once, and can be reused for multiple requests. After completing all of your requests, call
+    the `certificateAuthorityServiceClient.close()` method on the client to safely
+    clean up any remaining background resources. */
+    try (CertificateAuthorityServiceClient certificateAuthorityServiceClient =
+        CertificateAuthorityServiceClient.create()) {
+
+      // Set the parent name to list the certificate templates.
+      ListCertificateTemplatesRequest request =
+          ListCertificateTemplatesRequest.newBuilder()
+              .setParent(LocationName.of(project, location).toString())
+              .build();
+
+      ApiFuture<ListCertificateTemplatesResponse> futureCall =
+          certificateAuthorityServiceClient.listCertificateTemplatesCallable().futureCall(request);
+
+      // Get the response.
+      ListCertificateTemplatesResponse response = futureCall.get(60, TimeUnit.SECONDS);
+
+      // List all templates.
+      for (CertificateTemplate template : response.getCertificateTemplatesList()) {
+        System.out.println(template.getName());
+      }
+    }
+  }
+}
+// [END privateca_list_certificate_template]