Class: Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client

Inherits:
Object
  • Object
show all
Includes:
Paths
Defined in:
lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb

Overview

Client for the ConfidentialComputing service.

Service describing handlers for resources

Defined Under Namespace

Classes: Configuration

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Paths

#challenge_path, #instance_path, #location_path

Constructor Details

#initialize {|config| ... } ⇒ Client

Create a new ConfidentialComputing client object.

Examples:


# Create a client using the default configuration
client = ::Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.new

# Create a client using a custom configuration
client = ::Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.new do |config|
  config.timeout = 10.0
end

Yields:

  • (config)

    Configure the ConfidentialComputing client.

Yield Parameters:



147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 147

def initialize
  # These require statements are intentionally placed here to initialize
  # the gRPC module only when it's required.
  # See https://github.com/googleapis/toolkit/issues/446
  require "gapic/grpc"
  require "google/cloud/confidentialcomputing/v1/service_services_pb"

  # Create the configuration object
  @config = Configuration.new Client.configure

  # Yield the configuration if needed
  yield @config if block_given?

  # Create credentials
  credentials = @config.credentials
  # Use self-signed JWT if the endpoint is unchanged from default,
  # but only if the default endpoint does not have a region prefix.
  enable_self_signed_jwt = @config.endpoint.nil? ||
                           (@config.endpoint == Configuration::DEFAULT_ENDPOINT &&
                           !@config.endpoint.split(".").first.include?("-"))
  credentials ||= Credentials.default scope: @config.scope,
                                      enable_self_signed_jwt: enable_self_signed_jwt
  if credentials.is_a?(::String) || credentials.is_a?(::Hash)
    credentials = Credentials.new credentials, scope: @config.scope
  end
  @quota_project_id = @config.quota_project
  @quota_project_id ||= credentials.quota_project_id if credentials.respond_to? :quota_project_id

  @confidential_computing_stub = ::Gapic::ServiceStub.new(
    ::Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Stub,
    credentials: credentials,
    endpoint: @config.endpoint,
    endpoint_template: DEFAULT_ENDPOINT_TEMPLATE,
    universe_domain: @config.universe_domain,
    channel_args: @config.channel_args,
    interceptors: @config.interceptors,
    channel_pool_config: @config.channel_pool,
    logger: @config.logger
  )

  @confidential_computing_stub.stub_logger&.info do |entry|
    entry.set_system_name
    entry.set_service
    entry.message = "Created client for #{entry.service}"
    entry.set_credentials_fields credentials
    entry.set "customEndpoint", @config.endpoint if @config.endpoint
    entry.set "defaultTimeout", @config.timeout if @config.timeout
    entry.set "quotaProject", @quota_project_id if @quota_project_id
  end

  @location_client = Google::Cloud::Location::Locations::Client.new do |config|
    config.credentials = credentials
    config.quota_project = @quota_project_id
    config.endpoint = @confidential_computing_stub.endpoint
    config.universe_domain = @confidential_computing_stub.universe_domain
    config.logger = @confidential_computing_stub.logger if config.respond_to? :logger=
  end
end

Instance Attribute Details

#location_clientGoogle::Cloud::Location::Locations::Client (readonly)

Get the associated client for mix-in of the Locations.

Returns:

  • (Google::Cloud::Location::Locations::Client) 


211
212
213
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 211

def location_client
  @location_client
end

Class Method Details

.configure {|config| ... } ⇒ Client::Configuration

Configure the ConfidentialComputing Client class.

See Configuration for a description of the configuration fields.

Examples:


# Modify the configuration for all ConfidentialComputing clients
::Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.configure do |config|
  config.timeout = 10.0
end

Yields:

  • (config)

    Configure the Client client.

Yield Parameters:

Returns:



63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 63

def self.configure
  @configure ||= begin
    namespace = ["Google", "Cloud", "ConfidentialComputing", "V1"]
    parent_config = while namespace.any?
                      parent_name = namespace.join "::"
                      parent_const = const_get parent_name
                      break parent_const.configure if parent_const.respond_to? :configure
                      namespace.pop
                    end
    default_config = Client::Configuration.new parent_config

    default_config.timeout = 60.0

    default_config.rpcs.create_challenge.timeout = 60.0
    default_config.rpcs.create_challenge.retry_policy = {
      initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
    }

    default_config.rpcs.verify_attestation.timeout = 60.0
    default_config.rpcs.verify_attestation.retry_policy = {
      initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
    }

    default_config.rpcs.verify_confidential_space.timeout = 60.0
    default_config.rpcs.verify_confidential_space.retry_policy = {
      initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
    }

    default_config.rpcs.verify_confidential_gke.timeout = 60.0
    default_config.rpcs.verify_confidential_gke.retry_policy = {
      initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
    }

    default_config
  end
  yield @configure if block_given?
  @configure
end

Instance Method Details

#configure {|config| ... } ⇒ Client::Configuration

Configure the ConfidentialComputing Client instance.

The configuration is set to the derived mode, meaning that values can be changed, but structural changes (adding new fields, etc.) are not allowed. Structural changes should be made on configure.

See Configuration for a description of the configuration fields.

Yields:

  • (config)

    Configure the Client client.

Yield Parameters:

Returns:



117
118
119
120
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 117

def configure
  yield @config if block_given?
  @config
end

#create_challenge(request, options = nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::Challenge #create_challenge(parent: nil, challenge: nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::Challenge

Creates a new Challenge in a given project and location.

Examples:

Basic example

require "google/cloud/confidential_computing/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Cloud::ConfidentialComputing::V1::CreateChallengeRequest.new

# Call the create_challenge method.
result = client.create_challenge request

# The returned object is of type Google::Cloud::ConfidentialComputing::V1::Challenge.
p result

Overloads:

Yields:

  • (response, operation)

    Access the result along with the RPC operation

Yield Parameters:

Returns:

Raises:

  • (::Google::Cloud::Error)

    if the RPC is aborted.



272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 272

def create_challenge request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::ConfidentialComputing::V1::CreateChallengeRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.create_challenge.metadata.to_h

  # Set x-goog-api-client, x-goog-user-project and x-goog-api-version headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::ConfidentialComputing::V1::VERSION
  metadata[:"x-goog-api-version"] = API_VERSION unless API_VERSION.empty?
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {}
  if request.parent
    header_params["parent"] = request.parent
  end

  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.create_challenge.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.create_challenge.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @confidential_computing_stub.call_rpc :create_challenge, request, options: options do |response, operation|
    yield response, operation if block_given?
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end

#loggerLogger

The logger used for request/response debug logging.

Returns:

  • (Logger) 


218
219
220
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 218

def logger
  @confidential_computing_stub.logger
end

#universe_domainString

The effective universe domain

Returns:

  • (String) 


127
128
129
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 127

def universe_domain
  @confidential_computing_stub.universe_domain
end

#verify_attestation(request, options = nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::VerifyAttestationResponse #verify_attestation(td_ccel: nil, sev_snp_attestation: nil, nvidia_attestation: nil, challenge: nil, gcp_credentials: nil, tpm_attestation: nil, confidential_space_info: nil, token_options: nil, attester: nil, instance: nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::VerifyAttestationResponse

Verifies the provided attestation info, returning a signed attestation token.

Examples:

Basic example

require "google/cloud/confidential_computing/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Cloud::ConfidentialComputing::V1::VerifyAttestationRequest.new

# Call the verify_attestation method.
result = client.verify_attestation request

# The returned object is of type Google::Cloud::ConfidentialComputing::V1::VerifyAttestationResponse.
p result

Overloads:

  • #verify_attestation(request, options = nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::VerifyAttestationResponse

    Pass arguments to verify_attestation via a request object, either of type VerifyAttestationRequest or an equivalent Hash.

    Parameters:

    • request (::Google::Cloud::ConfidentialComputing::V1::VerifyAttestationRequest, ::Hash)

      A request object representing the call parameters. Required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash.

    • options (::Gapic::CallOptions, ::Hash) (defaults to: nil)

      Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.

  • #verify_attestation(td_ccel: nil, sev_snp_attestation: nil, nvidia_attestation: nil, challenge: nil, gcp_credentials: nil, tpm_attestation: nil, confidential_space_info: nil, token_options: nil, attester: nil, instance: nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::VerifyAttestationResponse

    Pass arguments to verify_attestation via keyword arguments. Note that at least one keyword argument is required. To specify no parameters, or to keep all the default parameter values, pass an empty Hash as a request object (see above).

    Parameters:

    • td_ccel (::Google::Cloud::ConfidentialComputing::V1::TdxCcelAttestation, ::Hash) (defaults to: nil)

      Optional. A TDX with CCEL and RTMR Attestation Quote.

      Note: The following parameters are mutually exclusive: td_ccel, sev_snp_attestation. At most one of these parameters can be set. If more than one is set, only one will be used, and it is not defined which one.

    • sev_snp_attestation (::Google::Cloud::ConfidentialComputing::V1::SevSnpAttestation, ::Hash) (defaults to: nil)

      Optional. An SEV-SNP Attestation Report.

      Note: The following parameters are mutually exclusive: sev_snp_attestation, td_ccel. At most one of these parameters can be set. If more than one is set, only one will be used, and it is not defined which one.

    • nvidia_attestation (::Google::Cloud::ConfidentialComputing::V1::NvidiaAttestation, ::Hash) (defaults to: nil)

      Optional. An Nvidia attestation report for GPU and NVSwitch devices.

    • challenge (::String) (defaults to: nil)

      Required. The name of the Challenge whose nonce was used to generate the attestation, in the format projects/*/locations/*/challenges/*. The provided Challenge will be consumed, and cannot be used again.

    • gcp_credentials (::Google::Cloud::ConfidentialComputing::V1::GcpCredentials, ::Hash) (defaults to: nil)

      Optional. Credentials used to populate the "emails" claim in the claims_token.

    • tpm_attestation (::Google::Cloud::ConfidentialComputing::V1::TpmAttestation, ::Hash) (defaults to: nil)

      Required. The TPM-specific data provided by the attesting platform, used to populate any of the claims regarding platform state.

    • confidential_space_info (::Google::Cloud::ConfidentialComputing::V1::ConfidentialSpaceInfo, ::Hash) (defaults to: nil)

      Optional. Optional information related to the Confidential Space TEE.

    • token_options (::Google::Cloud::ConfidentialComputing::V1::TokenOptions, ::Hash) (defaults to: nil)

      Optional. A collection of optional, workload-specified claims that modify the token output.

    • attester (::String) (defaults to: nil)

      Optional. An optional indicator of the attester, only applies to certain products.

    • instance (::String) (defaults to: nil)

      Optional. Optional resource link of the Compute Engine instance. Format: projects/{project_number}/zones/{zone}/instances/{instance_id}

Yields:

  • (response, operation)

    Access the result along with the RPC operation

Yield Parameters:

Returns:

Raises:

  • (::Google::Cloud::Error)

    if the RPC is aborted.



388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 388

def verify_attestation request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::ConfidentialComputing::V1::VerifyAttestationRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.verify_attestation.metadata.to_h

  # Set x-goog-api-client, x-goog-user-project and x-goog-api-version headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::ConfidentialComputing::V1::VERSION
  metadata[:"x-goog-api-version"] = API_VERSION unless API_VERSION.empty?
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {}
  if request.challenge
    header_params["challenge"] = request.challenge
  end

  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.verify_attestation.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.verify_attestation.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @confidential_computing_stub.call_rpc :verify_attestation, request, options: options do |response, operation|
    yield response, operation if block_given?
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end

#verify_confidential_gke(request, options = nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse #verify_confidential_gke(tpm_attestation: nil, challenge: nil, options: nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse

Verifies the provided Confidential GKE attestation info, returning a signed OIDC token.

Examples:

Basic example

require "google/cloud/confidential_computing/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest.new

# Call the verify_confidential_gke method.
result = client.verify_confidential_gke request

# The returned object is of type Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse.
p result

Overloads:

Yields:

  • (response, operation)

    Access the result along with the RPC operation

Yield Parameters:

Returns:

Raises:

  • (::Google::Cloud::Error)

    if the RPC is aborted.



593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 593

def verify_confidential_gke request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.verify_confidential_gke.metadata.to_h

  # Set x-goog-api-client, x-goog-user-project and x-goog-api-version headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::ConfidentialComputing::V1::VERSION
  metadata[:"x-goog-api-version"] = API_VERSION unless API_VERSION.empty?
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {}
  if request.challenge
    header_params["challenge"] = request.challenge
  end

  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.verify_confidential_gke.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.verify_confidential_gke.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @confidential_computing_stub.call_rpc :verify_confidential_gke, request, options: options do |response, operation|
    yield response, operation if block_given?
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end

#verify_confidential_space(request, options = nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse #verify_confidential_space(td_ccel: nil, tpm_attestation: nil, challenge: nil, gcp_credentials: nil, signed_entities: nil, gce_shielded_identity: nil, options: nil, nvidia_attestation: nil) ⇒ ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse

Verifies whether the provided attestation info is valid, returning a signed attestation token if so.

Examples:

Basic example

require "google/cloud/confidential_computing/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest.new

# Call the verify_confidential_space method.
result = client.verify_confidential_space request

# The returned object is of type Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse.
p result

Overloads:

Yields:

  • (response, operation)

    Access the result along with the RPC operation

Yield Parameters:

Returns:

Raises:

  • (::Google::Cloud::Error)

    if the RPC is aborted.



500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
 
# File 'lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb', line 500

def verify_confidential_space request, options = nil
  raise ::ArgumentError, "request must be provided" if request.nil?

  request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest

  # Converts hash and nil to an options object
  options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h

  # Customize the options with defaults
  metadata = @config.rpcs.verify_confidential_space.metadata.to_h

  # Set x-goog-api-client, x-goog-user-project and x-goog-api-version headers
  metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
    lib_name: @config.lib_name, lib_version: @config.lib_version,
    gapic_version: ::Google::Cloud::ConfidentialComputing::V1::VERSION
  metadata[:"x-goog-api-version"] = API_VERSION unless API_VERSION.empty?
  metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id

  header_params = {}
  if request.challenge
    header_params["challenge"] = request.challenge
  end

  request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
  metadata[:"x-goog-request-params"] ||= request_params_header

  options.apply_defaults timeout:      @config.rpcs.verify_confidential_space.timeout,
                         metadata:     metadata,
                         retry_policy: @config.rpcs.verify_confidential_space.retry_policy

  options.apply_defaults timeout:      @config.timeout,
                         metadata:     @config.metadata,
                         retry_policy: @config.retry_policy

  @confidential_computing_stub.call_rpc :verify_confidential_space, request, options: options do |response, operation|
    yield response, operation if block_given?
  end
rescue ::GRPC::BadStatus => e
  raise ::Google::Cloud::Error.from_error(e)
end