google-cloud-confidential_computing-v1 1.6.1 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5c69f3bb1cdca783e42b9248559897fd42cab5bc655fc19d5449543dd61b61ab
-  data.tar.gz: aa7f8f5dd2f353ed66898f0962cc675d3824997bbf1e8e9e475ae93ae013c713
+  metadata.gz: 57b75ce63cb2039f9c38df578852f71bb592dd7fc3c696af16c169d1e3d4437d
+  data.tar.gz: bc732ab1835317191b63c63cc752971e58b6592f3faa8c5bd18e9f6e61bad16f
 SHA512:
-  metadata.gz: 497baf54d0cbcbdd08dc4dd26a09baff2867421e0817641f39ec7ae6af8cfae748aef52640f7ce4d64fbb345f274c0185467dcfdde44eceb601e2a933ea83139
-  data.tar.gz: dc5d7db2959e03dcacd4ef87669a83e4883fb1e235e1bacb533a5b56698731a791bbf7cfc68d9407e1ccdba190b85c95309f90fc5bf35224cefcc5a55ad863ed
+  metadata.gz: dd688bfa63bf80b94d27fb1bdd67c4d255c52028d8de17cd1fd3490d6f6b2529c4050bfdb438a29bc06bf96b06be623d7a2217f1b3a6f06300d227249362c8d5
+  data.tar.gz: 0c7e7f7a3e7c3c739b2127da76a54c87e997affcc7894829cda83a9e0347e8b0f7ccdfc4d43e54ce5a87e42943261b64b90bfc123a405c5dc1a1305be585a22d

data/lib/google/cloud/confidential_computing/v1/bindings_override.rb

@@ -16,7 +16,7 @@
 
 # Auto-generated by gapic-generator-ruby. DO NOT EDIT!
 
-require "gapic/config"
+require "gapic/rest"
 
 module Google
   module Cloud
@@ -42,7 +42,7 @@ module Google
                               namespace.pop
                             end
 
-            default_config = Configuration.new parent_config
+            default_config = ::Gapic::Rest::HttpBindingOverrideConfiguration.new parent_config
             default_config.bindings_override["google.cloud.location.Locations.GetLocation"] = [
               Gapic::Rest::GrpcTranscoder::HttpBinding.create_with_validation(
                 uri_method: :get,
@@ -69,33 +69,6 @@ module Google
           yield @configure if block_given?
           @configure
         end
-
-        ##
-        # @private
-        # Configuration class for the google.cloud.confidentialcomputing.v1 package.
-        #
-        # This class contains common configuration for all services
-        # of the google.cloud.confidentialcomputing.v1 package.
-        #
-        # This configuration is for internal use of the client library classes,
-        # and it is not intended that the end-users will read or change it.
-        #
-        class Configuration
-          extend ::Gapic::Config
-
-          # @private
-          # Overrides for http bindings for the RPC of the mixins for this package.
-          # Services in this package should use these when creating clients for the mixin services.
-          # @return [::Hash{::Symbol=>::Array<::Gapic::Rest::GrpcTranscoder::HttpBinding>}]
-          config_attr :bindings_override, {}, ::Hash, nil
-
-          # @private
-          def initialize parent_config = nil
-            @parent_config = parent_config unless parent_config.nil?
-
-            yield self if block_given?
-          end
-        end
       end
     end
   end

data/lib/google/cloud/confidential_computing/v1/confidential_computing/client.rb

@@ -83,6 +83,16 @@ module Google
                   initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
                 }
 
+                default_config.rpcs.verify_confidential_space.timeout = 60.0
+                default_config.rpcs.verify_confidential_space.retry_policy = {
+                  initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
+                }
+
+                default_config.rpcs.verify_confidential_gke.timeout = 60.0
+                default_config.rpcs.verify_confidential_gke.retry_policy = {
+                  initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
+                }
+
                 default_config
               end
               yield @configure if block_given?
@@ -301,7 +311,8 @@ module Google
             end
 
             ##
-            # Verifies the provided attestation info, returning a signed OIDC token.
+            # Verifies the provided attestation info, returning a signed attestation
+            # token.
             #
             # @overload verify_attestation(request, options = nil)
             #   Pass arguments to `verify_attestation` via a request object, either of type
@@ -409,6 +420,206 @@ module Google
               raise ::Google::Cloud::Error.from_error(e)
             end
 
+            ##
+            # Verifies whether the provided attestation info is valid, returning a signed
+            # attestation token if so.
+            #
+            # @overload verify_confidential_space(request, options = nil)
+            #   Pass arguments to `verify_confidential_space` via a request object, either of type
+            #   {::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest} or an equivalent Hash.
+            #
+            #   @param request [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest, ::Hash]
+            #     A request object representing the call parameters. Required. To specify no
+            #     parameters, or to keep all the default parameter values, pass an empty Hash.
+            #   @param options [::Gapic::CallOptions, ::Hash]
+            #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
+            #
+            # @overload verify_confidential_space(td_ccel: nil, tpm_attestation: nil, challenge: nil, gcp_credentials: nil, signed_entities: nil, gce_shielded_identity: nil, options: nil)
+            #   Pass arguments to `verify_confidential_space` via keyword arguments. Note that at
+            #   least one keyword argument is required. To specify no parameters, or to keep all
+            #   the default parameter values, pass an empty Hash as a request object (see above).
+            #
+            #   @param td_ccel [::Google::Cloud::ConfidentialComputing::V1::TdxCcelAttestation, ::Hash]
+            #     Input only. A TDX with CCEL and RTMR Attestation Quote.
+            #
+            #     Note: The following parameters are mutually exclusive: `td_ccel`, `tpm_attestation`. At most one of these parameters can be set. If more than one is set, only one will be used, and it is not defined which one.
+            #   @param tpm_attestation [::Google::Cloud::ConfidentialComputing::V1::TpmAttestation, ::Hash]
+            #     Input only. The TPM-specific data provided by the attesting platform,
+            #     used to populate any of the claims regarding platform state.
+            #
+            #     Note: The following parameters are mutually exclusive: `tpm_attestation`, `td_ccel`. At most one of these parameters can be set. If more than one is set, only one will be used, and it is not defined which one.
+            #   @param challenge [::String]
+            #     Required. The name of the Challenge whose nonce was used to generate the
+            #     attestation, in the format `projects/*/locations/*/challenges/*`. The
+            #     provided Challenge will be consumed, and cannot be used again.
+            #   @param gcp_credentials [::Google::Cloud::ConfidentialComputing::V1::GcpCredentials, ::Hash]
+            #     Optional. Credentials used to populate the "emails" claim in the
+            #     claims_token. If not present, token will not contain the "emails" claim.
+            #   @param signed_entities [::Array<::Google::Cloud::ConfidentialComputing::V1::SignedEntity, ::Hash>]
+            #     Optional. A list of signed entities containing container image signatures
+            #     that can be used for server-side signature verification.
+            #   @param gce_shielded_identity [::Google::Cloud::ConfidentialComputing::V1::GceShieldedIdentity, ::Hash]
+            #     Optional. Information about the associated Compute Engine instance.
+            #     Required for td_ccel requests only - tpm_attestation requests will provide
+            #     this information in the attestation.
+            #   @param options [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest::ConfidentialSpaceOptions, ::Hash]
+            #     Optional. A collection of fields that modify the token output.
+            #
+            # @yield [response, operation] Access the result along with the RPC operation
+            # @yieldparam response [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse]
+            # @yieldparam operation [::GRPC::ActiveCall::Operation]
+            #
+            # @return [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse]
+            #
+            # @raise [::Google::Cloud::Error] if the RPC is aborted.
+            #
+            # @example Basic example
+            #   require "google/cloud/confidential_computing/v1"
+            #
+            #   # Create a client object. The client can be reused for multiple calls.
+            #   client = Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.new
+            #
+            #   # Create a request. To set request fields, pass in keyword arguments.
+            #   request = Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest.new
+            #
+            #   # Call the verify_confidential_space method.
+            #   result = client.verify_confidential_space request
+            #
+            #   # The returned object is of type Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse.
+            #   p result
+            #
+            def verify_confidential_space request, options = nil
+              raise ::ArgumentError, "request must be provided" if request.nil?
+
+              request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest
+
+              # Converts hash and nil to an options object
+              options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
+
+              # Customize the options with defaults
+              metadata = @config.rpcs.verify_confidential_space.metadata.to_h
+
+              # Set x-goog-api-client, x-goog-user-project and x-goog-api-version headers
+              metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
+                lib_name: @config.lib_name, lib_version: @config.lib_version,
+                gapic_version: ::Google::Cloud::ConfidentialComputing::V1::VERSION
+              metadata[:"x-goog-api-version"] = API_VERSION unless API_VERSION.empty?
+              metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
+
+              header_params = {}
+              if request.challenge
+                header_params["challenge"] = request.challenge
+              end
+
+              request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
+              metadata[:"x-goog-request-params"] ||= request_params_header
+
+              options.apply_defaults timeout:      @config.rpcs.verify_confidential_space.timeout,
+                                     metadata:     metadata,
+                                     retry_policy: @config.rpcs.verify_confidential_space.retry_policy
+
+              options.apply_defaults timeout:      @config.timeout,
+                                     metadata:     @config.metadata,
+                                     retry_policy: @config.retry_policy
+
+              @confidential_computing_stub.call_rpc :verify_confidential_space, request, options: options do |response, operation|
+                yield response, operation if block_given?
+              end
+            rescue ::GRPC::BadStatus => e
+              raise ::Google::Cloud::Error.from_error(e)
+            end
+
+            ##
+            # Verifies the provided Confidential GKE attestation info, returning a signed
+            # OIDC token.
+            #
+            # @overload verify_confidential_gke(request, options = nil)
+            #   Pass arguments to `verify_confidential_gke` via a request object, either of type
+            #   {::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest} or an equivalent Hash.
+            #
+            #   @param request [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest, ::Hash]
+            #     A request object representing the call parameters. Required. To specify no
+            #     parameters, or to keep all the default parameter values, pass an empty Hash.
+            #   @param options [::Gapic::CallOptions, ::Hash]
+            #     Overrides the default settings for this call, e.g, timeout, retries, etc. Optional.
+            #
+            # @overload verify_confidential_gke(tpm_attestation: nil, challenge: nil)
+            #   Pass arguments to `verify_confidential_gke` via keyword arguments. Note that at
+            #   least one keyword argument is required. To specify no parameters, or to keep all
+            #   the default parameter values, pass an empty Hash as a request object (see above).
+            #
+            #   @param tpm_attestation [::Google::Cloud::ConfidentialComputing::V1::TpmAttestation, ::Hash]
+            #     The TPM-specific data provided by the attesting platform, used to
+            #     populate any of the claims regarding platform state.
+            #   @param challenge [::String]
+            #     Required. The name of the Challenge whose nonce was used to generate the
+            #     attestation, in the format projects/*/locations/*/challenges/*. The
+            #     provided Challenge will be consumed, and cannot be used again.
+            #
+            # @yield [response, operation] Access the result along with the RPC operation
+            # @yieldparam response [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse]
+            # @yieldparam operation [::GRPC::ActiveCall::Operation]
+            #
+            # @return [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse]
+            #
+            # @raise [::Google::Cloud::Error] if the RPC is aborted.
+            #
+            # @example Basic example
+            #   require "google/cloud/confidential_computing/v1"
+            #
+            #   # Create a client object. The client can be reused for multiple calls.
+            #   client = Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.new
+            #
+            #   # Create a request. To set request fields, pass in keyword arguments.
+            #   request = Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest.new
+            #
+            #   # Call the verify_confidential_gke method.
+            #   result = client.verify_confidential_gke request
+            #
+            #   # The returned object is of type Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse.
+            #   p result
+            #
+            def verify_confidential_gke request, options = nil
+              raise ::ArgumentError, "request must be provided" if request.nil?
+
+              request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest
+
+              # Converts hash and nil to an options object
+              options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
+
+              # Customize the options with defaults
+              metadata = @config.rpcs.verify_confidential_gke.metadata.to_h
+
+              # Set x-goog-api-client, x-goog-user-project and x-goog-api-version headers
+              metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
+                lib_name: @config.lib_name, lib_version: @config.lib_version,
+                gapic_version: ::Google::Cloud::ConfidentialComputing::V1::VERSION
+              metadata[:"x-goog-api-version"] = API_VERSION unless API_VERSION.empty?
+              metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
+
+              header_params = {}
+              if request.challenge
+                header_params["challenge"] = request.challenge
+              end
+
+              request_params_header = header_params.map { |k, v| "#{k}=#{v}" }.join("&")
+              metadata[:"x-goog-request-params"] ||= request_params_header
+
+              options.apply_defaults timeout:      @config.rpcs.verify_confidential_gke.timeout,
+                                     metadata:     metadata,
+                                     retry_policy: @config.rpcs.verify_confidential_gke.retry_policy
+
+              options.apply_defaults timeout:      @config.timeout,
+                                     metadata:     @config.metadata,
+                                     retry_policy: @config.retry_policy
+
+              @confidential_computing_stub.call_rpc :verify_confidential_gke, request, options: options do |response, operation|
+                yield response, operation if block_given?
+              end
+            rescue ::GRPC::BadStatus => e
+              raise ::Google::Cloud::Error.from_error(e)
+            end
+
             ##
             # Configuration class for the ConfidentialComputing API.
             #
@@ -444,8 +655,6 @@ module Google
             #   @return [::String,nil]
             # @!attribute [rw] credentials
             #   Credentials to send with calls. You may provide any of the following types:
-            #    *  (`String`) The path to a service account key file in JSON format
-            #    *  (`Hash`) A service account key as a Hash
             #    *  (`Google::Auth::Credentials`) A googleauth credentials object
             #       (see the [googleauth docs](https://rubydoc.info/gems/googleauth/Google/Auth/Credentials))
             #    *  (`Signet::OAuth2::Client`) A signet oauth2 client object
@@ -454,7 +663,26 @@ module Google
             #    *  (`GRPC::Core::ChannelCredentials`) a gRPC credentails object
             #    *  (`nil`) indicating no credentials
             #
-            #   Warning: If you accept a credential configuration (JSON file or Hash) from an
+            #   @note Warning: Passing a `String` to a keyfile path or a `Hash` of credentials
+            #     is deprecated. Providing an unvalidated credential configuration to
+            #     Google APIs can compromise the security of your systems and data.
+            #
+            #   @example
+            #
+            #     # The recommended way to provide credentials is to use the `make_creds` method
+            #     # on the appropriate credentials class for your environment.
+            #
+            #     require "googleauth"
+            #
+            #     credentials = ::Google::Auth::ServiceAccountCredentials.make_creds(
+            #       json_key_io: ::File.open("/path/to/keyfile.json")
+            #     )
+            #
+            #     client = ::Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Client.new do |config|
+            #       config.credentials = credentials
+            #     end
+            #
+            #   @note Warning: If you accept a credential configuration (JSON file or Hash) from an
             #   external source for authentication to Google Cloud, you must validate it before
             #   providing it to a Google API client library. Providing an unvalidated credential
             #   configuration to Google APIs can compromise the security of your systems and data.
@@ -585,6 +813,16 @@ module Google
                 # @return [::Gapic::Config::Method]
                 #
                 attr_reader :verify_attestation
+                ##
+                # RPC-specific configuration for `verify_confidential_space`
+                # @return [::Gapic::Config::Method]
+                #
+                attr_reader :verify_confidential_space
+                ##
+                # RPC-specific configuration for `verify_confidential_gke`
+                # @return [::Gapic::Config::Method]
+                #
+                attr_reader :verify_confidential_gke
 
                 # @private
                 def initialize parent_rpcs = nil
@@ -592,6 +830,10 @@ module Google
                   @create_challenge = ::Gapic::Config::Method.new create_challenge_config
                   verify_attestation_config = parent_rpcs.verify_attestation if parent_rpcs.respond_to? :verify_attestation
                   @verify_attestation = ::Gapic::Config::Method.new verify_attestation_config
+                  verify_confidential_space_config = parent_rpcs.verify_confidential_space if parent_rpcs.respond_to? :verify_confidential_space
+                  @verify_confidential_space = ::Gapic::Config::Method.new verify_confidential_space_config
+                  verify_confidential_gke_config = parent_rpcs.verify_confidential_gke if parent_rpcs.respond_to? :verify_confidential_gke
+                  @verify_confidential_gke = ::Gapic::Config::Method.new verify_confidential_gke_config
 
                   yield self if block_given?
                 end

data/lib/google/cloud/confidential_computing/v1/confidential_computing/rest/client.rb

@@ -85,6 +85,16 @@ module Google
                     initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
                   }
 
+                  default_config.rpcs.verify_confidential_space.timeout = 60.0
+                  default_config.rpcs.verify_confidential_space.retry_policy = {
+                    initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
+                  }
+
+                  default_config.rpcs.verify_confidential_gke.timeout = 60.0
+                  default_config.rpcs.verify_confidential_gke.retry_policy = {
+                    initial_delay: 1.0, max_delay: 60.0, multiplier: 1.3, retry_codes: [14]
+                  }
+
                   default_config
                 end
                 yield @configure if block_given?
@@ -288,7 +298,8 @@ module Google
               end
 
               ##
-              # Verifies the provided attestation info, returning a signed OIDC token.
+              # Verifies the provided attestation info, returning a signed attestation
+              # token.
               #
               # @overload verify_attestation(request, options = nil)
               #   Pass arguments to `verify_attestation` via a request object, either of type
@@ -389,6 +400,192 @@ module Google
                 raise ::Google::Cloud::Error.from_error(e)
               end
 
+              ##
+              # Verifies whether the provided attestation info is valid, returning a signed
+              # attestation token if so.
+              #
+              # @overload verify_confidential_space(request, options = nil)
+              #   Pass arguments to `verify_confidential_space` via a request object, either of type
+              #   {::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest} or an equivalent Hash.
+              #
+              #   @param request [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest, ::Hash]
+              #     A request object representing the call parameters. Required. To specify no
+              #     parameters, or to keep all the default parameter values, pass an empty Hash.
+              #   @param options [::Gapic::CallOptions, ::Hash]
+              #     Overrides the default settings for this call, e.g, timeout, retries etc. Optional.
+              #
+              # @overload verify_confidential_space(td_ccel: nil, tpm_attestation: nil, challenge: nil, gcp_credentials: nil, signed_entities: nil, gce_shielded_identity: nil, options: nil)
+              #   Pass arguments to `verify_confidential_space` via keyword arguments. Note that at
+              #   least one keyword argument is required. To specify no parameters, or to keep all
+              #   the default parameter values, pass an empty Hash as a request object (see above).
+              #
+              #   @param td_ccel [::Google::Cloud::ConfidentialComputing::V1::TdxCcelAttestation, ::Hash]
+              #     Input only. A TDX with CCEL and RTMR Attestation Quote.
+              #
+              #     Note: The following parameters are mutually exclusive: `td_ccel`, `tpm_attestation`. At most one of these parameters can be set. If more than one is set, only one will be used, and it is not defined which one.
+              #   @param tpm_attestation [::Google::Cloud::ConfidentialComputing::V1::TpmAttestation, ::Hash]
+              #     Input only. The TPM-specific data provided by the attesting platform,
+              #     used to populate any of the claims regarding platform state.
+              #
+              #     Note: The following parameters are mutually exclusive: `tpm_attestation`, `td_ccel`. At most one of these parameters can be set. If more than one is set, only one will be used, and it is not defined which one.
+              #   @param challenge [::String]
+              #     Required. The name of the Challenge whose nonce was used to generate the
+              #     attestation, in the format `projects/*/locations/*/challenges/*`. The
+              #     provided Challenge will be consumed, and cannot be used again.
+              #   @param gcp_credentials [::Google::Cloud::ConfidentialComputing::V1::GcpCredentials, ::Hash]
+              #     Optional. Credentials used to populate the "emails" claim in the
+              #     claims_token. If not present, token will not contain the "emails" claim.
+              #   @param signed_entities [::Array<::Google::Cloud::ConfidentialComputing::V1::SignedEntity, ::Hash>]
+              #     Optional. A list of signed entities containing container image signatures
+              #     that can be used for server-side signature verification.
+              #   @param gce_shielded_identity [::Google::Cloud::ConfidentialComputing::V1::GceShieldedIdentity, ::Hash]
+              #     Optional. Information about the associated Compute Engine instance.
+              #     Required for td_ccel requests only - tpm_attestation requests will provide
+              #     this information in the attestation.
+              #   @param options [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest::ConfidentialSpaceOptions, ::Hash]
+              #     Optional. A collection of fields that modify the token output.
+              # @yield [result, operation] Access the result along with the TransportOperation object
+              # @yieldparam result [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse]
+              # @yieldparam operation [::Gapic::Rest::TransportOperation]
+              #
+              # @return [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse]
+              #
+              # @raise [::Google::Cloud::Error] if the REST call is aborted.
+              #
+              # @example Basic example
+              #   require "google/cloud/confidential_computing/v1"
+              #
+              #   # Create a client object. The client can be reused for multiple calls.
+              #   client = Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Rest::Client.new
+              #
+              #   # Create a request. To set request fields, pass in keyword arguments.
+              #   request = Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest.new
+              #
+              #   # Call the verify_confidential_space method.
+              #   result = client.verify_confidential_space request
+              #
+              #   # The returned object is of type Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse.
+              #   p result
+              #
+              def verify_confidential_space request, options = nil
+                raise ::ArgumentError, "request must be provided" if request.nil?
+
+                request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest
+
+                # Converts hash and nil to an options object
+                options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
+
+                # Customize the options with defaults
+                call_metadata = @config.rpcs.verify_confidential_space.metadata.to_h
+
+                # Set x-goog-api-client, x-goog-user-project and x-goog-api-version headers
+                call_metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
+                  lib_name: @config.lib_name, lib_version: @config.lib_version,
+                  gapic_version: ::Google::Cloud::ConfidentialComputing::V1::VERSION,
+                  transports_version_send: [:rest]
+
+                call_metadata[:"x-goog-api-version"] = API_VERSION unless API_VERSION.empty?
+                call_metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
+
+                options.apply_defaults timeout:      @config.rpcs.verify_confidential_space.timeout,
+                                       metadata:     call_metadata,
+                                       retry_policy: @config.rpcs.verify_confidential_space.retry_policy
+
+                options.apply_defaults timeout:      @config.timeout,
+                                       metadata:     @config.metadata,
+                                       retry_policy: @config.retry_policy
+
+                @confidential_computing_stub.verify_confidential_space request, options do |result, operation|
+                  yield result, operation if block_given?
+                end
+              rescue ::Gapic::Rest::Error => e
+                raise ::Google::Cloud::Error.from_error(e)
+              end
+
+              ##
+              # Verifies the provided Confidential GKE attestation info, returning a signed
+              # OIDC token.
+              #
+              # @overload verify_confidential_gke(request, options = nil)
+              #   Pass arguments to `verify_confidential_gke` via a request object, either of type
+              #   {::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest} or an equivalent Hash.
+              #
+              #   @param request [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest, ::Hash]
+              #     A request object representing the call parameters. Required. To specify no
+              #     parameters, or to keep all the default parameter values, pass an empty Hash.
+              #   @param options [::Gapic::CallOptions, ::Hash]
+              #     Overrides the default settings for this call, e.g, timeout, retries etc. Optional.
+              #
+              # @overload verify_confidential_gke(tpm_attestation: nil, challenge: nil)
+              #   Pass arguments to `verify_confidential_gke` via keyword arguments. Note that at
+              #   least one keyword argument is required. To specify no parameters, or to keep all
+              #   the default parameter values, pass an empty Hash as a request object (see above).
+              #
+              #   @param tpm_attestation [::Google::Cloud::ConfidentialComputing::V1::TpmAttestation, ::Hash]
+              #     The TPM-specific data provided by the attesting platform, used to
+              #     populate any of the claims regarding platform state.
+              #   @param challenge [::String]
+              #     Required. The name of the Challenge whose nonce was used to generate the
+              #     attestation, in the format projects/*/locations/*/challenges/*. The
+              #     provided Challenge will be consumed, and cannot be used again.
+              # @yield [result, operation] Access the result along with the TransportOperation object
+              # @yieldparam result [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse]
+              # @yieldparam operation [::Gapic::Rest::TransportOperation]
+              #
+              # @return [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse]
+              #
+              # @raise [::Google::Cloud::Error] if the REST call is aborted.
+              #
+              # @example Basic example
+              #   require "google/cloud/confidential_computing/v1"
+              #
+              #   # Create a client object. The client can be reused for multiple calls.
+              #   client = Google::Cloud::ConfidentialComputing::V1::ConfidentialComputing::Rest::Client.new
+              #
+              #   # Create a request. To set request fields, pass in keyword arguments.
+              #   request = Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest.new
+              #
+              #   # Call the verify_confidential_gke method.
+              #   result = client.verify_confidential_gke request
+              #
+              #   # The returned object is of type Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse.
+              #   p result
+              #
+              def verify_confidential_gke request, options = nil
+                raise ::ArgumentError, "request must be provided" if request.nil?
+
+                request = ::Gapic::Protobuf.coerce request, to: ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest
+
+                # Converts hash and nil to an options object
+                options = ::Gapic::CallOptions.new(**options.to_h) if options.respond_to? :to_h
+
+                # Customize the options with defaults
+                call_metadata = @config.rpcs.verify_confidential_gke.metadata.to_h
+
+                # Set x-goog-api-client, x-goog-user-project and x-goog-api-version headers
+                call_metadata[:"x-goog-api-client"] ||= ::Gapic::Headers.x_goog_api_client \
+                  lib_name: @config.lib_name, lib_version: @config.lib_version,
+                  gapic_version: ::Google::Cloud::ConfidentialComputing::V1::VERSION,
+                  transports_version_send: [:rest]
+
+                call_metadata[:"x-goog-api-version"] = API_VERSION unless API_VERSION.empty?
+                call_metadata[:"x-goog-user-project"] = @quota_project_id if @quota_project_id
+
+                options.apply_defaults timeout:      @config.rpcs.verify_confidential_gke.timeout,
+                                       metadata:     call_metadata,
+                                       retry_policy: @config.rpcs.verify_confidential_gke.retry_policy
+
+                options.apply_defaults timeout:      @config.timeout,
+                                       metadata:     @config.metadata,
+                                       retry_policy: @config.retry_policy
+
+                @confidential_computing_stub.verify_confidential_gke request, options do |result, operation|
+                  yield result, operation if block_given?
+                end
+              rescue ::Gapic::Rest::Error => e
+                raise ::Google::Cloud::Error.from_error(e)
+              end
+
               ##
               # Configuration class for the ConfidentialComputing REST API.
               #
@@ -552,6 +749,16 @@ module Google
                   # @return [::Gapic::Config::Method]
                   #
                   attr_reader :verify_attestation
+                  ##
+                  # RPC-specific configuration for `verify_confidential_space`
+                  # @return [::Gapic::Config::Method]
+                  #
+                  attr_reader :verify_confidential_space
+                  ##
+                  # RPC-specific configuration for `verify_confidential_gke`
+                  # @return [::Gapic::Config::Method]
+                  #
+                  attr_reader :verify_confidential_gke
 
                   # @private
                   def initialize parent_rpcs = nil
@@ -559,6 +766,10 @@ module Google
                     @create_challenge = ::Gapic::Config::Method.new create_challenge_config
                     verify_attestation_config = parent_rpcs.verify_attestation if parent_rpcs.respond_to? :verify_attestation
                     @verify_attestation = ::Gapic::Config::Method.new verify_attestation_config
+                    verify_confidential_space_config = parent_rpcs.verify_confidential_space if parent_rpcs.respond_to? :verify_confidential_space
+                    @verify_confidential_space = ::Gapic::Config::Method.new verify_confidential_space_config
+                    verify_confidential_gke_config = parent_rpcs.verify_confidential_gke if parent_rpcs.respond_to? :verify_confidential_gke
+                    @verify_confidential_gke = ::Gapic::Config::Method.new verify_confidential_gke_config
 
                     yield self if block_given?
                   end

data/lib/google/cloud/confidential_computing/v1/confidential_computing/rest/service_stub.rb

@@ -153,6 +153,86 @@ module Google
                 end
               end
 
+              ##
+              # Baseline implementation for the verify_confidential_space REST call
+              #
+              # @param request_pb [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest]
+              #   A request object representing the call parameters. Required.
+              # @param options [::Gapic::CallOptions]
+              #   Overrides the default settings for this call, e.g, timeout, retries etc. Optional.
+              #
+              # @yield [result, operation] Access the result along with the TransportOperation object
+              # @yieldparam result [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse]
+              # @yieldparam operation [::Gapic::Rest::TransportOperation]
+              #
+              # @return [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse]
+              #   A result object deserialized from the server's reply
+              def verify_confidential_space request_pb, options = nil
+                raise ::ArgumentError, "request must be provided" if request_pb.nil?
+
+                verb, uri, query_string_params, body = ServiceStub.transcode_verify_confidential_space_request request_pb
+                query_string_params = if query_string_params.any?
+                                        query_string_params.to_h { |p| p.split "=", 2 }
+                                      else
+                                        {}
+                                      end
+
+                response = @client_stub.make_http_request(
+                  verb,
+                  uri: uri,
+                  body: body || "",
+                  params: query_string_params,
+                  method_name: "verify_confidential_space",
+                  options: options
+                )
+                operation = ::Gapic::Rest::TransportOperation.new response
+                result = ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse.decode_json response.body, ignore_unknown_fields: true
+                catch :response do
+                  yield result, operation if block_given?
+                  result
+                end
+              end
+
+              ##
+              # Baseline implementation for the verify_confidential_gke REST call
+              #
+              # @param request_pb [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest]
+              #   A request object representing the call parameters. Required.
+              # @param options [::Gapic::CallOptions]
+              #   Overrides the default settings for this call, e.g, timeout, retries etc. Optional.
+              #
+              # @yield [result, operation] Access the result along with the TransportOperation object
+              # @yieldparam result [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse]
+              # @yieldparam operation [::Gapic::Rest::TransportOperation]
+              #
+              # @return [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse]
+              #   A result object deserialized from the server's reply
+              def verify_confidential_gke request_pb, options = nil
+                raise ::ArgumentError, "request must be provided" if request_pb.nil?
+
+                verb, uri, query_string_params, body = ServiceStub.transcode_verify_confidential_gke_request request_pb
+                query_string_params = if query_string_params.any?
+                                        query_string_params.to_h { |p| p.split "=", 2 }
+                                      else
+                                        {}
+                                      end
+
+                response = @client_stub.make_http_request(
+                  verb,
+                  uri: uri,
+                  body: body || "",
+                  params: query_string_params,
+                  method_name: "verify_confidential_gke",
+                  options: options
+                )
+                operation = ::Gapic::Rest::TransportOperation.new response
+                result = ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse.decode_json response.body, ignore_unknown_fields: true
+                catch :response do
+                  yield result, operation if block_given?
+                  result
+                end
+              end
+
               ##
               # @private
               #
@@ -196,6 +276,50 @@ module Google
                                                         )
                 transcoder.transcode request_pb
               end
+
+              ##
+              # @private
+              #
+              # GRPC transcoding helper method for the verify_confidential_space REST call
+              #
+              # @param request_pb [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest]
+              #   A request object representing the call parameters. Required.
+              # @return [Array(String, [String, nil], Hash{String => String})]
+              #   Uri, Body, Query string parameters
+              def self.transcode_verify_confidential_space_request request_pb
+                transcoder = Gapic::Rest::GrpcTranscoder.new
+                                                        .with_bindings(
+                                                          uri_method: :post,
+                                                          uri_template: "/v1/{challenge}:verifyConfidentialSpace",
+                                                          body: "*",
+                                                          matches: [
+                                                            ["challenge", %r{^projects/[^/]+/locations/[^/]+/challenges/[^/]+/?$}, false]
+                                                          ]
+                                                        )
+                transcoder.transcode request_pb
+              end
+
+              ##
+              # @private
+              #
+              # GRPC transcoding helper method for the verify_confidential_gke REST call
+              #
+              # @param request_pb [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest]
+              #   A request object representing the call parameters. Required.
+              # @return [Array(String, [String, nil], Hash{String => String})]
+              #   Uri, Body, Query string parameters
+              def self.transcode_verify_confidential_gke_request request_pb
+                transcoder = Gapic::Rest::GrpcTranscoder.new
+                                                        .with_bindings(
+                                                          uri_method: :post,
+                                                          uri_template: "/v1/{challenge}:verifyConfidentialGke",
+                                                          body: "*",
+                                                          matches: [
+                                                            ["challenge", %r{^projects/[^/]+/locations/[^/]+/challenges/[^/]+/?$}, false]
+                                                          ]
+                                                        )
+                transcoder.transcode request_pb
+              end
             end
           end
         end

data/lib/google/cloud/confidential_computing/v1/version.rb

@@ -21,7 +21,7 @@ module Google
   module Cloud
     module ConfidentialComputing
       module V1
-        VERSION = "1.6.1"
+        VERSION = "2.0.1"
       end
     end
   end

data/lib/google/cloud/confidentialcomputing/v1/service_pb.rb

@@ -12,7 +12,7 @@ require 'google/protobuf/timestamp_pb'
 require 'google/rpc/status_pb'
 
 
-descriptor_data = "\n3google/cloud/confidentialcomputing/v1/service.proto\x12%google.cloud.confidentialcomputing.v1\x1a\x1cgoogle/api/annotations.proto\x1a\x17google/api/client.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x19google/api/resource.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x17google/rpc/status.proto\"\xa5\x02\n\tChallenge\x12\x11\n\x04name\x18\x01 \x01(\tB\x03\xe0\x41\x03\x12\x34\n\x0b\x63reate_time\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x34\n\x0b\x65xpire_time\x18\x03 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x11\n\x04used\x18\x04 \x01(\x08\x42\x03\xe0\x41\x03\x12\x16\n\ttpm_nonce\x18\x06 \x01(\tB\x03\xe0\x41\x03:n\xea\x41k\n.confidentialcomputing.googleapis.com/Challenge\x12\x39projects/{project}/locations/{location}/challenges/{uuid}\"\x9d\x01\n\x16\x43reateChallengeRequest\x12\x39\n\x06parent\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!locations.googleapis.com/Location\x12H\n\tchallenge\x18\x02 \x01(\x0b\x32\x30.google.cloud.confidentialcomputing.v1.ChallengeB\x03\xe0\x41\x02\"\x9f\x05\n\x18VerifyAttestationRequest\x12Q\n\x07td_ccel\x18\x06 \x01(\x0b\x32\x39.google.cloud.confidentialcomputing.v1.TdxCcelAttestationB\x03\xe0\x41\x01H\x00\x12\\\n\x13sev_snp_attestation\x18\x07 \x01(\x0b\x32\x38.google.cloud.confidentialcomputing.v1.SevSnpAttestationB\x03\xe0\x41\x01H\x00\x12I\n\tchallenge\x18\x01 \x01(\tB6\xe0\x41\x02\xfa\x41\x30\n.confidentialcomputing.googleapis.com/Challenge\x12S\n\x0fgcp_credentials\x18\x02 \x01(\x0b\x32\x35.google.cloud.confidentialcomputing.v1.GcpCredentialsB\x03\xe0\x41\x01\x12S\n\x0ftpm_attestation\x18\x03 \x01(\x0b\x32\x35.google.cloud.confidentialcomputing.v1.TpmAttestationB\x03\xe0\x41\x02\x12\x62\n\x17\x63onfidential_space_info\x18\x04 \x01(\x0b\x32<.google.cloud.confidentialcomputing.v1.ConfidentialSpaceInfoB\x03\xe0\x41\x01\x12O\n\rtoken_options\x18\x05 \x01(\x0b\x32\x33.google.cloud.confidentialcomputing.v1.TokenOptionsB\x03\xe0\x41\x01\x12\x15\n\x08\x61ttester\x18\x08 \x01(\tB\x03\xe0\x41\x01\x42\x11\n\x0ftee_attestation\"\x83\x01\n\x12TdxCcelAttestation\x12\x1c\n\x0f\x63\x63\x65l_acpi_table\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x16\n\tccel_data\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x01\x12 \n\x13\x63\x61nonical_event_log\x18\x03 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x15\n\x08td_quote\x18\x04 \x01(\x0c\x42\x03\xe0\x41\x01\"?\n\x11SevSnpAttestation\x12\x13\n\x06report\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x15\n\x08\x61ux_blob\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x01\"l\n\x19VerifyAttestationResponse\x12\x1e\n\x11oidc_claims_token\x18\x02 \x01(\tB\x03\xe0\x41\x03\x12/\n\x0epartial_errors\x18\x03 \x03(\x0b\x32\x12.google.rpc.StatusB\x03\xe0\x41\x03\"3\n\x0eGcpCredentials\x12!\n\x19service_account_id_tokens\x18\x02 \x03(\t\"\xa6\x05\n\x0cTokenOptions\x12v\n\x1a\x61ws_principal_tags_options\x18\x04 \x01(\x0b\x32K.google.cloud.confidentialcomputing.v1.TokenOptions.AwsPrincipalTagsOptionsB\x03\xe0\x41\x01H\x00\x12\x15\n\x08\x61udience\x18\x01 \x01(\tB\x03\xe0\x41\x01\x12\x12\n\x05nonce\x18\x02 \x03(\tB\x03\xe0\x41\x01\x12I\n\ntoken_type\x18\x03 \x01(\x0e\x32\x30.google.cloud.confidentialcomputing.v1.TokenTypeB\x03\xe0\x41\x01\x1a\x91\x03\n\x17\x41wsPrincipalTagsOptions\x12\x85\x01\n\x16\x61llowed_principal_tags\x18\x01 \x01(\x0b\x32`.google.cloud.confidentialcomputing.v1.TokenOptions.AwsPrincipalTagsOptions.AllowedPrincipalTagsB\x03\xe0\x41\x01\x1a\xed\x01\n\x14\x41llowedPrincipalTags\x12\xa2\x01\n\x1a\x63ontainer_image_signatures\x18\x01 \x01(\x0b\x32y.google.cloud.confidentialcomputing.v1.TokenOptions.AwsPrincipalTagsOptions.AllowedPrincipalTags.ContainerImageSignaturesB\x03\xe0\x41\x01\x1a\x30\n\x18\x43ontainerImageSignatures\x12\x14\n\x07key_ids\x18\x01 \x03(\tB\x03\xe0\x41\x01\x42\x14\n\x12token_type_options\"\x8f\x03\n\x0eTpmAttestation\x12K\n\x06quotes\x18\x01 \x03(\x0b\x32;.google.cloud.confidentialcomputing.v1.TpmAttestation.Quote\x12\x15\n\rtcg_event_log\x18\x02 \x01(\x0c\x12\x1b\n\x13\x63\x61nonical_event_log\x18\x03 \x01(\x0c\x12\x0f\n\x07\x61k_cert\x18\x04 \x01(\x0c\x12\x12\n\ncert_chain\x18\x05 \x03(\x0c\x1a\xd6\x01\n\x05Quote\x12\x11\n\thash_algo\x18\x01 \x01(\x05\x12^\n\npcr_values\x18\x02 \x03(\x0b\x32J.google.cloud.confidentialcomputing.v1.TpmAttestation.Quote.PcrValuesEntry\x12\x11\n\traw_quote\x18\x03 \x01(\x0c\x12\x15\n\rraw_signature\x18\x04 \x01(\x0c\x1a\x30\n\x0ePcrValuesEntry\x12\x0b\n\x03key\x18\x01 \x01(\x05\x12\r\n\x05value\x18\x02 \x01(\x0c:\x02\x38\x01\"j\n\x15\x43onfidentialSpaceInfo\x12Q\n\x0fsigned_entities\x18\x01 \x03(\x0b\x32\x33.google.cloud.confidentialcomputing.v1.SignedEntityB\x03\xe0\x41\x01\"w\n\x0cSignedEntity\x12g\n\x1a\x63ontainer_image_signatures\x18\x01 \x03(\x0b\x32>.google.cloud.confidentialcomputing.v1.ContainerImageSignatureB\x03\xe0\x41\x01\"\xaf\x01\n\x17\x43ontainerImageSignature\x12\x14\n\x07payload\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x16\n\tsignature\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x17\n\npublic_key\x18\x03 \x01(\x0c\x42\x03\xe0\x41\x01\x12M\n\x07sig_alg\x18\x04 \x01(\x0e\x32\x37.google.cloud.confidentialcomputing.v1.SigningAlgorithmB\x03\xe0\x41\x01*\x7f\n\x10SigningAlgorithm\x12!\n\x1dSIGNING_ALGORITHM_UNSPECIFIED\x10\x00\x12\x15\n\x11RSASSA_PSS_SHA256\x10\x01\x12\x1a\n\x16RSASSA_PKCS1V15_SHA256\x10\x02\x12\x15\n\x11\x45\x43\x44SA_P256_SHA256\x10\x03*\x8e\x01\n\tTokenType\x12\x1a\n\x16TOKEN_TYPE_UNSPECIFIED\x10\x00\x12\x13\n\x0fTOKEN_TYPE_OIDC\x10\x01\x12\x12\n\x0eTOKEN_TYPE_PKI\x10\x02\x12\x1a\n\x16TOKEN_TYPE_LIMITED_AWS\x10\x03\x12 \n\x1cTOKEN_TYPE_AWS_PRINCIPALTAGS\x10\x04\x32\xb7\x04\n\x15\x43onfidentialComputing\x12\xd8\x01\n\x0f\x43reateChallenge\x12=.google.cloud.confidentialcomputing.v1.CreateChallengeRequest\x1a\x30.google.cloud.confidentialcomputing.v1.Challenge\"T\xda\x41\x10parent,challenge\x82\xd3\xe4\x93\x02;\"./v1/{parent=projects/*/locations/*}/challenges:\tchallenge\x12\xe8\x01\n\x11VerifyAttestation\x12?.google.cloud.confidentialcomputing.v1.VerifyAttestationRequest\x1a@.google.cloud.confidentialcomputing.v1.VerifyAttestationResponse\"P\x82\xd3\xe4\x93\x02J\"E/v1/{challenge=projects/*/locations/*/challenges/*}:verifyAttestation:\x01*\x1aX\xca\x41$confidentialcomputing.googleapis.com\xd2\x41.https://www.googleapis.com/auth/cloud-platformB\x97\x02\n)com.google.cloud.confidentialcomputing.v1B\x0cServiceProtoP\x01Z_cloud.google.com/go/confidentialcomputing/apiv1/confidentialcomputingpb;confidentialcomputingpb\xaa\x02%Google.Cloud.ConfidentialComputing.V1\xca\x02%Google\\Cloud\\ConfidentialComputing\\V1\xea\x02(Google::Cloud::ConfidentialComputing::V1b\x06proto3"
+descriptor_data = "\n3google/cloud/confidentialcomputing/v1/service.proto\x12%google.cloud.confidentialcomputing.v1\x1a\x1cgoogle/api/annotations.proto\x1a\x17google/api/client.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x19google/api/resource.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x17google/rpc/status.proto\"\xa5\x02\n\tChallenge\x12\x11\n\x04name\x18\x01 \x01(\tB\x03\xe0\x41\x03\x12\x34\n\x0b\x63reate_time\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x34\n\x0b\x65xpire_time\x18\x03 \x01(\x0b\x32\x1a.google.protobuf.TimestampB\x03\xe0\x41\x03\x12\x11\n\x04used\x18\x04 \x01(\x08\x42\x03\xe0\x41\x03\x12\x16\n\ttpm_nonce\x18\x06 \x01(\tB\x03\xe0\x41\x03:n\xea\x41k\n.confidentialcomputing.googleapis.com/Challenge\x12\x39projects/{project}/locations/{location}/challenges/{uuid}\"\x9d\x01\n\x16\x43reateChallengeRequest\x12\x39\n\x06parent\x18\x01 \x01(\tB)\xe0\x41\x02\xfa\x41#\n!locations.googleapis.com/Location\x12H\n\tchallenge\x18\x02 \x01(\x0b\x32\x30.google.cloud.confidentialcomputing.v1.ChallengeB\x03\xe0\x41\x02\"\x9f\x05\n\x18VerifyAttestationRequest\x12Q\n\x07td_ccel\x18\x06 \x01(\x0b\x32\x39.google.cloud.confidentialcomputing.v1.TdxCcelAttestationB\x03\xe0\x41\x01H\x00\x12\\\n\x13sev_snp_attestation\x18\x07 \x01(\x0b\x32\x38.google.cloud.confidentialcomputing.v1.SevSnpAttestationB\x03\xe0\x41\x01H\x00\x12I\n\tchallenge\x18\x01 \x01(\tB6\xe0\x41\x02\xfa\x41\x30\n.confidentialcomputing.googleapis.com/Challenge\x12S\n\x0fgcp_credentials\x18\x02 \x01(\x0b\x32\x35.google.cloud.confidentialcomputing.v1.GcpCredentialsB\x03\xe0\x41\x01\x12S\n\x0ftpm_attestation\x18\x03 \x01(\x0b\x32\x35.google.cloud.confidentialcomputing.v1.TpmAttestationB\x03\xe0\x41\x02\x12\x62\n\x17\x63onfidential_space_info\x18\x04 \x01(\x0b\x32<.google.cloud.confidentialcomputing.v1.ConfidentialSpaceInfoB\x03\xe0\x41\x01\x12O\n\rtoken_options\x18\x05 \x01(\x0b\x32\x33.google.cloud.confidentialcomputing.v1.TokenOptionsB\x03\xe0\x41\x01\x12\x15\n\x08\x61ttester\x18\x08 \x01(\tB\x03\xe0\x41\x01\x42\x11\n\x0ftee_attestation\"\x83\x01\n\x12TdxCcelAttestation\x12\x1c\n\x0f\x63\x63\x65l_acpi_table\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x16\n\tccel_data\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x01\x12 \n\x13\x63\x61nonical_event_log\x18\x03 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x15\n\x08td_quote\x18\x04 \x01(\x0c\x42\x03\xe0\x41\x01\"?\n\x11SevSnpAttestation\x12\x13\n\x06report\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x15\n\x08\x61ux_blob\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x01\"l\n\x19VerifyAttestationResponse\x12\x1e\n\x11oidc_claims_token\x18\x02 \x01(\tB\x03\xe0\x41\x03\x12/\n\x0epartial_errors\x18\x03 \x03(\x0b\x32\x12.google.rpc.StatusB\x03\xe0\x41\x03\"3\n\x0eGcpCredentials\x12!\n\x19service_account_id_tokens\x18\x02 \x03(\t\"\x85\x02\n\x0cTokenOptions\x12i\n\x1a\x61ws_principal_tags_options\x18\x04 \x01(\x0b\x32>.google.cloud.confidentialcomputing.v1.AwsPrincipalTagsOptionsB\x03\xe0\x41\x01H\x00\x12\x15\n\x08\x61udience\x18\x01 \x01(\tB\x03\xe0\x41\x01\x12\x12\n\x05nonce\x18\x02 \x03(\tB\x03\xe0\x41\x01\x12I\n\ntoken_type\x18\x03 \x01(\x0e\x32\x30.google.cloud.confidentialcomputing.v1.TokenTypeB\x03\xe0\x41\x01\x42\x14\n\x12token_type_options\"\xf6\x02\n\x17\x41wsPrincipalTagsOptions\x12x\n\x16\x61llowed_principal_tags\x18\x01 \x01(\x0b\x32S.google.cloud.confidentialcomputing.v1.AwsPrincipalTagsOptions.AllowedPrincipalTagsB\x03\xe0\x41\x01\x1a\xe0\x01\n\x14\x41llowedPrincipalTags\x12\x95\x01\n\x1a\x63ontainer_image_signatures\x18\x01 \x01(\x0b\x32l.google.cloud.confidentialcomputing.v1.AwsPrincipalTagsOptions.AllowedPrincipalTags.ContainerImageSignaturesB\x03\xe0\x41\x01\x1a\x30\n\x18\x43ontainerImageSignatures\x12\x14\n\x07key_ids\x18\x01 \x03(\tB\x03\xe0\x41\x01\"\x8f\x03\n\x0eTpmAttestation\x12K\n\x06quotes\x18\x01 \x03(\x0b\x32;.google.cloud.confidentialcomputing.v1.TpmAttestation.Quote\x12\x15\n\rtcg_event_log\x18\x02 \x01(\x0c\x12\x1b\n\x13\x63\x61nonical_event_log\x18\x03 \x01(\x0c\x12\x0f\n\x07\x61k_cert\x18\x04 \x01(\x0c\x12\x12\n\ncert_chain\x18\x05 \x03(\x0c\x1a\xd6\x01\n\x05Quote\x12\x11\n\thash_algo\x18\x01 \x01(\x05\x12^\n\npcr_values\x18\x02 \x03(\x0b\x32J.google.cloud.confidentialcomputing.v1.TpmAttestation.Quote.PcrValuesEntry\x12\x11\n\traw_quote\x18\x03 \x01(\x0c\x12\x15\n\rraw_signature\x18\x04 \x01(\x0c\x1a\x30\n\x0ePcrValuesEntry\x12\x0b\n\x03key\x18\x01 \x01(\x05\x12\r\n\x05value\x18\x02 \x01(\x0c:\x02\x38\x01\"j\n\x15\x43onfidentialSpaceInfo\x12Q\n\x0fsigned_entities\x18\x01 \x03(\x0b\x32\x33.google.cloud.confidentialcomputing.v1.SignedEntityB\x03\xe0\x41\x01\"w\n\x0cSignedEntity\x12g\n\x1a\x63ontainer_image_signatures\x18\x01 \x03(\x0b\x32>.google.cloud.confidentialcomputing.v1.ContainerImageSignatureB\x03\xe0\x41\x01\"\xaf\x01\n\x17\x43ontainerImageSignature\x12\x14\n\x07payload\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x16\n\tsignature\x18\x02 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x17\n\npublic_key\x18\x03 \x01(\x0c\x42\x03\xe0\x41\x01\x12M\n\x07sig_alg\x18\x04 \x01(\x0e\x32\x37.google.cloud.confidentialcomputing.v1.SigningAlgorithmB\x03\xe0\x41\x01\"\x96\x08\n\x1eVerifyConfidentialSpaceRequest\x12Q\n\x07td_ccel\x18\x03 \x01(\x0b\x32\x39.google.cloud.confidentialcomputing.v1.TdxCcelAttestationB\x03\xe0\x41\x04H\x00\x12U\n\x0ftpm_attestation\x18\x04 \x01(\x0b\x32\x35.google.cloud.confidentialcomputing.v1.TpmAttestationB\x03\xe0\x41\x04H\x00\x12I\n\tchallenge\x18\x01 \x01(\tB6\xe0\x41\x02\xfa\x41\x30\n.confidentialcomputing.googleapis.com/Challenge\x12S\n\x0fgcp_credentials\x18\x02 \x01(\x0b\x32\x35.google.cloud.confidentialcomputing.v1.GcpCredentialsB\x03\xe0\x41\x01\x12Q\n\x0fsigned_entities\x18\x05 \x03(\x0b\x32\x33.google.cloud.confidentialcomputing.v1.SignedEntityB\x03\xe0\x41\x01\x12^\n\x15gce_shielded_identity\x18\x06 \x01(\x0b\x32:.google.cloud.confidentialcomputing.v1.GceShieldedIdentityB\x03\xe0\x41\x01\x12t\n\x07options\x18\x07 \x01(\x0b\x32^.google.cloud.confidentialcomputing.v1.VerifyConfidentialSpaceRequest.ConfidentialSpaceOptionsB\x03\xe0\x41\x01\x1a\xed\x02\n\x18\x43onfidentialSpaceOptions\x12i\n\x1a\x61ws_principal_tags_options\x18\x05 \x01(\x0b\x32>.google.cloud.confidentialcomputing.v1.AwsPrincipalTagsOptionsB\x03\xe0\x41\x01H\x00\x12\x15\n\x08\x61udience\x18\x01 \x01(\tB\x03\xe0\x41\x01\x12O\n\rtoken_profile\x18\x02 \x01(\x0e\x32\x33.google.cloud.confidentialcomputing.v1.TokenProfileB\x03\xe0\x41\x01\x12\x12\n\x05nonce\x18\x03 \x03(\tB\x03\xe0\x41\x01\x12Q\n\x0esignature_type\x18\x04 \x01(\x0e\x32\x34.google.cloud.confidentialcomputing.v1.SignatureTypeB\x03\xe0\x41\x01\x42\x17\n\x15token_profile_optionsB\x11\n\x0ftee_attestation\"G\n\x13GceShieldedIdentity\x12\x14\n\x07\x61k_cert\x18\x01 \x01(\x0c\x42\x03\xe0\x41\x01\x12\x1a\n\rak_cert_chain\x18\x02 \x03(\x0c\x42\x03\xe0\x41\x01\"r\n\x1fVerifyConfidentialSpaceResponse\x12\x1e\n\x11\x61ttestation_token\x18\x01 \x01(\tB\x03\xe0\x41\x03\x12/\n\x0epartial_errors\x18\x02 \x03(\x0b\x32\x12.google.rpc.StatusB\x03\xe0\x41\x03\"\xce\x01\n\x1cVerifyConfidentialGkeRequest\x12P\n\x0ftpm_attestation\x18\x02 \x01(\x0b\x32\x35.google.cloud.confidentialcomputing.v1.TpmAttestationH\x00\x12I\n\tchallenge\x18\x01 \x01(\tB6\xe0\x41\x02\xfa\x41\x30\n.confidentialcomputing.googleapis.com/ChallengeB\x11\n\x0ftee_attestation\"?\n\x1dVerifyConfidentialGkeResponse\x12\x1e\n\x11\x61ttestation_token\x18\x01 \x01(\tB\x03\xe0\x41\x03*\x7f\n\x10SigningAlgorithm\x12!\n\x1dSIGNING_ALGORITHM_UNSPECIFIED\x10\x00\x12\x15\n\x11RSASSA_PSS_SHA256\x10\x01\x12\x1a\n\x16RSASSA_PKCS1V15_SHA256\x10\x02\x12\x15\n\x11\x45\x43\x44SA_P256_SHA256\x10\x03*\x8e\x01\n\tTokenType\x12\x1a\n\x16TOKEN_TYPE_UNSPECIFIED\x10\x00\x12\x13\n\x0fTOKEN_TYPE_OIDC\x10\x01\x12\x12\n\x0eTOKEN_TYPE_PKI\x10\x02\x12\x1a\n\x16TOKEN_TYPE_LIMITED_AWS\x10\x03\x12 \n\x1cTOKEN_TYPE_AWS_PRINCIPALTAGS\x10\x04*`\n\rSignatureType\x12\x1e\n\x1aSIGNATURE_TYPE_UNSPECIFIED\x10\x00\x12\x17\n\x13SIGNATURE_TYPE_OIDC\x10\x01\x12\x16\n\x12SIGNATURE_TYPE_PKI\x10\x02*c\n\x0cTokenProfile\x12\x1d\n\x19TOKEN_PROFILE_UNSPECIFIED\x10\x00\x12\x1d\n\x19TOKEN_PROFILE_DEFAULT_EAT\x10\x01\x12\x15\n\x11TOKEN_PROFILE_AWS\x10\x02\x32\xb5\x08\n\x15\x43onfidentialComputing\x12\xd8\x01\n\x0f\x43reateChallenge\x12=.google.cloud.confidentialcomputing.v1.CreateChallengeRequest\x1a\x30.google.cloud.confidentialcomputing.v1.Challenge\"T\xda\x41\x10parent,challenge\x82\xd3\xe4\x93\x02;\"./v1/{parent=projects/*/locations/*}/challenges:\tchallenge\x12\xe8\x01\n\x11VerifyAttestation\x12?.google.cloud.confidentialcomputing.v1.VerifyAttestationRequest\x1a@.google.cloud.confidentialcomputing.v1.VerifyAttestationResponse\"P\x82\xd3\xe4\x93\x02J\"E/v1/{challenge=projects/*/locations/*/challenges/*}:verifyAttestation:\x01*\x12\x80\x02\n\x17VerifyConfidentialSpace\x12\x45.google.cloud.confidentialcomputing.v1.VerifyConfidentialSpaceRequest\x1a\x46.google.cloud.confidentialcomputing.v1.VerifyConfidentialSpaceResponse\"V\x82\xd3\xe4\x93\x02P\"K/v1/{challenge=projects/*/locations/*/challenges/*}:verifyConfidentialSpace:\x01*\x12\xf8\x01\n\x15VerifyConfidentialGke\x12\x43.google.cloud.confidentialcomputing.v1.VerifyConfidentialGkeRequest\x1a\x44.google.cloud.confidentialcomputing.v1.VerifyConfidentialGkeResponse\"T\x82\xd3\xe4\x93\x02N\"I/v1/{challenge=projects/*/locations/*/challenges/*}:verifyConfidentialGke:\x01*\x1aX\xca\x41$confidentialcomputing.googleapis.com\xd2\x41.https://www.googleapis.com/auth/cloud-platformB\x97\x02\n)com.google.cloud.confidentialcomputing.v1B\x0cServiceProtoP\x01Z_cloud.google.com/go/confidentialcomputing/apiv1/confidentialcomputingpb;confidentialcomputingpb\xaa\x02%Google.Cloud.ConfidentialComputing.V1\xca\x02%Google\\Cloud\\ConfidentialComputing\\V1\xea\x02(Google::Cloud::ConfidentialComputing::V1b\x06proto3"
 
 pool = Google::Protobuf::DescriptorPool.generated_pool
 
@@ -52,16 +52,24 @@ module Google
         VerifyAttestationResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.VerifyAttestationResponse").msgclass
         GcpCredentials = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.GcpCredentials").msgclass
         TokenOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.TokenOptions").msgclass
-        TokenOptions::AwsPrincipalTagsOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.TokenOptions.AwsPrincipalTagsOptions").msgclass
-        TokenOptions::AwsPrincipalTagsOptions::AllowedPrincipalTags = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.TokenOptions.AwsPrincipalTagsOptions.AllowedPrincipalTags").msgclass
-        TokenOptions::AwsPrincipalTagsOptions::AllowedPrincipalTags::ContainerImageSignatures = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.TokenOptions.AwsPrincipalTagsOptions.AllowedPrincipalTags.ContainerImageSignatures").msgclass
+        AwsPrincipalTagsOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.AwsPrincipalTagsOptions").msgclass
+        AwsPrincipalTagsOptions::AllowedPrincipalTags = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.AwsPrincipalTagsOptions.AllowedPrincipalTags").msgclass
+        AwsPrincipalTagsOptions::AllowedPrincipalTags::ContainerImageSignatures = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.AwsPrincipalTagsOptions.AllowedPrincipalTags.ContainerImageSignatures").msgclass
         TpmAttestation = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.TpmAttestation").msgclass
         TpmAttestation::Quote = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.TpmAttestation.Quote").msgclass
         ConfidentialSpaceInfo = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.ConfidentialSpaceInfo").msgclass
         SignedEntity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.SignedEntity").msgclass
         ContainerImageSignature = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.ContainerImageSignature").msgclass
+        VerifyConfidentialSpaceRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.VerifyConfidentialSpaceRequest").msgclass
+        VerifyConfidentialSpaceRequest::ConfidentialSpaceOptions = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.VerifyConfidentialSpaceRequest.ConfidentialSpaceOptions").msgclass
+        GceShieldedIdentity = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.GceShieldedIdentity").msgclass
+        VerifyConfidentialSpaceResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.VerifyConfidentialSpaceResponse").msgclass
+        VerifyConfidentialGkeRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.VerifyConfidentialGkeRequest").msgclass
+        VerifyConfidentialGkeResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.VerifyConfidentialGkeResponse").msgclass
         SigningAlgorithm = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.SigningAlgorithm").enummodule
         TokenType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.TokenType").enummodule
+        SignatureType = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.SignatureType").enummodule
+        TokenProfile = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.confidentialcomputing.v1.TokenProfile").enummodule
       end
     end
   end

data/lib/google/cloud/confidentialcomputing/v1/service_services_pb.rb

@@ -35,8 +35,15 @@ module Google
 
             # Creates a new Challenge in a given project and location.
             rpc :CreateChallenge, ::Google::Cloud::ConfidentialComputing::V1::CreateChallengeRequest, ::Google::Cloud::ConfidentialComputing::V1::Challenge
-            # Verifies the provided attestation info, returning a signed OIDC token.
+            # Verifies the provided attestation info, returning a signed attestation
+            # token.
             rpc :VerifyAttestation, ::Google::Cloud::ConfidentialComputing::V1::VerifyAttestationRequest, ::Google::Cloud::ConfidentialComputing::V1::VerifyAttestationResponse
+            # Verifies whether the provided attestation info is valid, returning a signed
+            # attestation token if so.
+            rpc :VerifyConfidentialSpace, ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest, ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceResponse
+            # Verifies the provided Confidential GKE attestation info, returning a signed
+            # OIDC token.
+            rpc :VerifyConfidentialGke, ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeRequest, ::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialGkeResponse
           end
 
           Stub = Service.rpc_stub_class

data/proto_docs/google/cloud/confidentialcomputing/v1/service.rb

@@ -58,8 +58,8 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
-        # A request for an OIDC token, providing all the necessary information needed
-        # for this service to verify the platform state of the requestor.
+        # A request for an attestation token, providing all the necessary information
+        # needed for this service to verify the platform state of the requestor.
         # @!attribute [rw] td_ccel
         #   @return [::Google::Cloud::ConfidentialComputing::V1::TdxCcelAttestation]
         #     Optional. A TDX with CCEL and RTMR Attestation Quote.
@@ -141,7 +141,7 @@ module Google
         end
 
         # A response once an attestation has been successfully verified, containing a
-        # signed OIDC token.
+        # signed attestation token.
         # @!attribute [r] oidc_claims_token
         #   @return [::String]
         #     Output only. Same as claims_token, but as a string.
@@ -166,8 +166,8 @@ module Google
 
         # Options to modify claims in the token to generate custom-purpose tokens.
         # @!attribute [rw] aws_principal_tags_options
-        #   @return [::Google::Cloud::ConfidentialComputing::V1::TokenOptions::AwsPrincipalTagsOptions]
-        #     Optional. Options for the Limited AWS token type.
+        #   @return [::Google::Cloud::ConfidentialComputing::V1::AwsPrincipalTagsOptions]
+        #     Optional. Options for AWS token type.
         # @!attribute [rw] audience
         #   @return [::String]
         #     Optional. Optional string to issue the token with a custom audience claim.
@@ -183,35 +183,35 @@ module Google
         class TokenOptions
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
 
-          # Token options that only apply to the AWS Principal Tags token type.
-          # @!attribute [rw] allowed_principal_tags
-          #   @return [::Google::Cloud::ConfidentialComputing::V1::TokenOptions::AwsPrincipalTagsOptions::AllowedPrincipalTags]
-          #     Optional. Principal tags to allow in the token.
-          class AwsPrincipalTagsOptions
+        # Token options that only apply to the AWS Principal Tags token type.
+        # @!attribute [rw] allowed_principal_tags
+        #   @return [::Google::Cloud::ConfidentialComputing::V1::AwsPrincipalTagsOptions::AllowedPrincipalTags]
+        #     Optional. Principal tags to allow in the token.
+        class AwsPrincipalTagsOptions
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Allowed principal tags is used to define what principal tags will be
+          # placed in the token.
+          # @!attribute [rw] container_image_signatures
+          #   @return [::Google::Cloud::ConfidentialComputing::V1::AwsPrincipalTagsOptions::AllowedPrincipalTags::ContainerImageSignatures]
+          #     Optional. Container image signatures allowed in the token.
+          class AllowedPrincipalTags
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods
 
-            # Allowed principal tags is used to define what principal tags will be
-            # placed in the token.
-            # @!attribute [rw] container_image_signatures
-            #   @return [::Google::Cloud::ConfidentialComputing::V1::TokenOptions::AwsPrincipalTagsOptions::AllowedPrincipalTags::ContainerImageSignatures]
-            #     Optional. Container image signatures allowed in the token.
-            class AllowedPrincipalTags
+            # Allowed Container Image Signatures. Key IDs are required to allow
+            # this claim to fit within the narrow AWS IAM restrictions.
+            # @!attribute [rw] key_ids
+            #   @return [::Array<::String>]
+            #     Optional. List of key ids to filter into the Principal tags. Only keys
+            #     that have been validated and added to the token will be filtered into
+            #     principal tags. Unrecognized key ids will be ignored.
+            class ContainerImageSignatures
               include ::Google::Protobuf::MessageExts
               extend ::Google::Protobuf::MessageExts::ClassMethods
-
-              # Allowed Container Image Signatures. Key IDs are required to allow this
-              # claim to fit within the narrow AWS IAM restrictions.
-              # @!attribute [rw] key_ids
-              #   @return [::Array<::String>]
-              #     Optional. List of key ids to filter into the Principal tags. Only
-              #     keys that have been validated and added to the token will be filtered
-              #     into principal tags. Unrecognized key ids will be ignored.
-              class ContainerImageSignatures
-                include ::Google::Protobuf::MessageExts
-                extend ::Google::Protobuf::MessageExts::ClassMethods
-              end
             end
           end
         end
@@ -321,6 +321,133 @@ module Google
           extend ::Google::Protobuf::MessageExts::ClassMethods
         end
 
+        # A request for an attestation token, providing all the necessary information
+        # needed for this service to verify the platform state of the requestor.
+        # @!attribute [rw] td_ccel
+        #   @return [::Google::Cloud::ConfidentialComputing::V1::TdxCcelAttestation]
+        #     Input only. A TDX with CCEL and RTMR Attestation Quote.
+        #
+        #     Note: The following fields are mutually exclusive: `td_ccel`, `tpm_attestation`. If a field in that set is populated, all other fields in the set will automatically be cleared.
+        # @!attribute [rw] tpm_attestation
+        #   @return [::Google::Cloud::ConfidentialComputing::V1::TpmAttestation]
+        #     Input only. The TPM-specific data provided by the attesting platform,
+        #     used to populate any of the claims regarding platform state.
+        #
+        #     Note: The following fields are mutually exclusive: `tpm_attestation`, `td_ccel`. If a field in that set is populated, all other fields in the set will automatically be cleared.
+        # @!attribute [rw] challenge
+        #   @return [::String]
+        #     Required. The name of the Challenge whose nonce was used to generate the
+        #     attestation, in the format `projects/*/locations/*/challenges/*`. The
+        #     provided Challenge will be consumed, and cannot be used again.
+        # @!attribute [rw] gcp_credentials
+        #   @return [::Google::Cloud::ConfidentialComputing::V1::GcpCredentials]
+        #     Optional. Credentials used to populate the "emails" claim in the
+        #     claims_token. If not present, token will not contain the "emails" claim.
+        # @!attribute [rw] signed_entities
+        #   @return [::Array<::Google::Cloud::ConfidentialComputing::V1::SignedEntity>]
+        #     Optional. A list of signed entities containing container image signatures
+        #     that can be used for server-side signature verification.
+        # @!attribute [rw] gce_shielded_identity
+        #   @return [::Google::Cloud::ConfidentialComputing::V1::GceShieldedIdentity]
+        #     Optional. Information about the associated Compute Engine instance.
+        #     Required for td_ccel requests only - tpm_attestation requests will provide
+        #     this information in the attestation.
+        # @!attribute [rw] options
+        #   @return [::Google::Cloud::ConfidentialComputing::V1::VerifyConfidentialSpaceRequest::ConfidentialSpaceOptions]
+        #     Optional. A collection of fields that modify the token output.
+        class VerifyConfidentialSpaceRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+
+          # Token options for Confidential Space attestation.
+          # @!attribute [rw] aws_principal_tags_options
+          #   @return [::Google::Cloud::ConfidentialComputing::V1::AwsPrincipalTagsOptions]
+          #     Optional. Options for the AWS token type.
+          # @!attribute [rw] audience
+          #   @return [::String]
+          #     Optional. Optional string to issue the token with a custom audience
+          #     claim. Required if custom nonces are specified.
+          # @!attribute [rw] token_profile
+          #   @return [::Google::Cloud::ConfidentialComputing::V1::TokenProfile]
+          #     Optional. Optional specification for token claims profile.
+          # @!attribute [rw] nonce
+          #   @return [::Array<::String>]
+          #     Optional. Optional parameter to place one or more nonces in the eat_nonce
+          #     claim in the output token. The minimum size for JSON-encoded EATs is 10
+          #     bytes and the maximum size is 74 bytes.
+          # @!attribute [rw] signature_type
+          #   @return [::Google::Cloud::ConfidentialComputing::V1::SignatureType]
+          #     Optional. Optional specification for how to sign the attestation token.
+          #     Defaults to SIGNATURE_TYPE_OIDC if unspecified.
+          class ConfidentialSpaceOptions
+            include ::Google::Protobuf::MessageExts
+            extend ::Google::Protobuf::MessageExts::ClassMethods
+          end
+        end
+
+        # GceShieldedIdentity contains information about a Compute Engine instance.
+        # @!attribute [rw] ak_cert
+        #   @return [::String]
+        #     Optional. DER-encoded X.509 certificate of the Attestation Key (otherwise
+        #     known as an AK or a TPM restricted signing key) used to generate the
+        #     quotes.
+        # @!attribute [rw] ak_cert_chain
+        #   @return [::Array<::String>]
+        #     Optional. List of DER-encoded X.509 certificates which, together with the
+        #     ak_cert, chain back to a trusted Root Certificate.
+        class GceShieldedIdentity
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # VerifyConfidentialSpaceResponse is returned once a Confidential Space
+        # attestation has been successfully verified, containing a signed token.
+        # @!attribute [r] attestation_token
+        #   @return [::String]
+        #     Output only. The attestation token issued by this service. It contains
+        #     specific platform claims based on the contents of the provided attestation.
+        # @!attribute [r] partial_errors
+        #   @return [::Array<::Google::Rpc::Status>]
+        #     Output only. A list of messages that carry the partial error details
+        #     related to VerifyConfidentialSpace. This field is populated by errors
+        #     during container image signature verification, which may reflect problems
+        #     in the provided image signatures. This does not block the issuing of an
+        #     attestation token, but the token will not contain claims for the failed
+        #     image signatures.
+        class VerifyConfidentialSpaceResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # A request for an attestation token, providing all the necessary information
+        # needed for this service to verify Confidential GKE platform state of the
+        # requestor.
+        # @!attribute [rw] tpm_attestation
+        #   @return [::Google::Cloud::ConfidentialComputing::V1::TpmAttestation]
+        #     The TPM-specific data provided by the attesting platform, used to
+        #     populate any of the claims regarding platform state.
+        # @!attribute [rw] challenge
+        #   @return [::String]
+        #     Required. The name of the Challenge whose nonce was used to generate the
+        #     attestation, in the format projects/*/locations/*/challenges/*. The
+        #     provided Challenge will be consumed, and cannot be used again.
+        class VerifyConfidentialGkeRequest
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
+        # VerifyConfidentialGkeResponse response is returened once a Confidential GKE
+        # attestation has been successfully verified, containing a signed OIDC token.
+        # @!attribute [r] attestation_token
+        #   @return [::String]
+        #     Output only. The attestation token issued by this service for Confidential
+        #     GKE. It contains specific platform claims based on the contents of the
+        #     provided attestation.
+        class VerifyConfidentialGkeResponse
+          include ::Google::Protobuf::MessageExts
+          extend ::Google::Protobuf::MessageExts::ClassMethods
+        end
+
         # SigningAlgorithm enumerates all the supported signing algorithms.
         module SigningAlgorithm
           # Unspecified signing algorithm.
@@ -354,6 +481,30 @@ module Google
           # Principal-tag-based token for AWS integration
           TOKEN_TYPE_AWS_PRINCIPALTAGS = 4
         end
+
+        # SignatureType enumerates supported signature types for attestation tokens.
+        module SignatureType
+          # Unspecified signature type.
+          SIGNATURE_TYPE_UNSPECIFIED = 0
+
+          # Google OIDC signature.
+          SIGNATURE_TYPE_OIDC = 1
+
+          # Public Key Infrastructure (PKI) signature.
+          SIGNATURE_TYPE_PKI = 2
+        end
+
+        # TokenProfile enumerates the supported token claims profiles.
+        module TokenProfile
+          # Unspecified token profile.
+          TOKEN_PROFILE_UNSPECIFIED = 0
+
+          # EAT claims.
+          TOKEN_PROFILE_DEFAULT_EAT = 1
+
+          # AWS Principal Tags claims.
+          TOKEN_PROFILE_AWS = 2
+        end
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: google-cloud-confidential_computing-v1
 version: !ruby/object:Gem::Version
-  version: 1.6.1
+  version: 2.0.1
 platform: ruby
 authors:
 - Google LLC
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: google-cloud-errors
   requirement: !ruby/object:Gem::Requirement