google-cloud-security-private_ca-v1 0.8.1 → 0.10.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 518d115fbb96b547758f43a3ee3a75a9fca28264a24bbc96281f6238975f3712
4
- data.tar.gz: e3719c2ff974494620f2ec91585774dac26522be5d47ab77bb34b0e926e401c1
3
+ metadata.gz: 27f616641563821eaa3a6e4d017cf54eb45ec81d0c5ff95fbf0fe02da9bde12d
4
+ data.tar.gz: 77939d4e9509ce60b3adecd187d7826695c87812aa4d6381a7f1e0a1b1db6cf6
5
5
  SHA512:
6
- metadata.gz: 42d64eda0a40921b52d663caacf4182b7b8a0b5fc80d27396ae5b3aa629aef3a43684986b01a03b2b609a4448c081833a109a810dc008f64cf16647d283c756b
7
- data.tar.gz: 94d4b13c8417f8362338d4791e4e962d6a7846daa58a5ebf4ede7c182d707b8bebfb4c0b076aa6e7929c89ae8b2c1dd750a9368a801a9bd09e72649bccdc9197
6
+ metadata.gz: 448e8d3442a7cc5cbdf13329df0996c2e98c7d70b04c69f492afedda384a3415bad973ad470f72e9a41cb6abfe347c2c5a6d413d21a655d03ba241f708d18240
7
+ data.tar.gz: 4d0012b595bbf57ab8ba5ddf9fd6cc46234b18a8b29d7aa9fca9aeff0d66ca4956604411ff22238e90a4e78e51796a2512b5e7e35309adf99caea6a741ec4f86
data/AUTHENTICATION.md CHANGED
@@ -1,151 +1,122 @@
1
1
  # Authentication
2
2
 
3
- In general, the google-cloud-security-private_ca-v1 library uses
4
- [Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts)
5
- credentials to connect to Google Cloud services. When running within
6
- [Google Cloud Platform environments](#google-cloud-platform-environments) the
7
- credentials will be discovered automatically. When running on other
8
- environments, the Service Account credentials can be specified by providing the
9
- path to the
10
- [JSON keyfile](https://cloud.google.com/iam/docs/managing-service-account-keys)
11
- for the account (or the JSON itself) in
12
- [environment variables](#environment-variables). Additionally, Cloud SDK
13
- credentials can also be discovered automatically, but this is only recommended
14
- during development.
3
+ The recommended way to authenticate to the google-cloud-security-private_ca-v1 library is to use
4
+ [Application Default Credentials (ADC)](https://cloud.google.com/docs/authentication/application-default-credentials).
5
+ To review all of your authentication options, see [Credentials lookup](#credential-lookup).
15
6
 
16
7
  ## Quickstart
17
8
 
18
- 1. [Create a service account and credentials](#creating-a-service-account).
19
- 2. Set the [environment variable](#environment-variables).
9
+ The following example shows how to set up authentication for a local development
10
+ environment with your user credentials.
20
11
 
21
- ```sh
22
- export PRIVATE_CA_CREDENTIALS=path/to/keyfile.json
23
- ```
24
-
25
- 3. Initialize the client.
12
+ **NOTE:** This method is _not_ recommended for running in production. User credentials
13
+ should be used only during development.
26
14
 
27
- ```ruby
28
- require "google/cloud/security/private_ca/v1"
15
+ 1. [Download and install the Google Cloud CLI](https://cloud.google.com/sdk).
16
+ 2. Set up a local ADC file with your user credentials:
29
17
 
30
- client = ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client.new
18
+ ```sh
19
+ gcloud auth application-default login
31
20
  ```
32
21
 
33
- ## Credential Lookup
34
-
35
- The google-cloud-security-private_ca-v1 library aims to make authentication
36
- as simple as possible, and provides several mechanisms to configure your system
37
- without requiring **Service Account Credentials** directly in code.
38
-
39
- **Credentials** are discovered in the following order:
40
-
41
- 1. Specify credentials in method arguments
42
- 2. Specify credentials in configuration
43
- 3. Discover credentials path in environment variables
44
- 4. Discover credentials JSON in environment variables
45
- 5. Discover credentials file in the Cloud SDK's path
46
- 6. Discover GCP credentials
47
-
48
- ### Google Cloud Platform environments
22
+ 3. Write code as if already authenticated.
49
23
 
50
- When running on Google Cloud Platform (GCP), including Google Compute Engine
51
- (GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud
52
- Functions (GCF) and Cloud Run, **Credentials** are discovered automatically.
53
- Code should be written as if already authenticated.
24
+ For more information about setting up authentication for a local development environment, see
25
+ [Set up Application Default Credentials](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-dev).
54
26
 
55
- ### Environment Variables
27
+ ## Credential Lookup
56
28
 
57
- The **Credentials JSON** can be placed in environment variables instead of
58
- declaring them directly in code. Each service has its own environment variable,
59
- allowing for different service accounts to be used for different services. (See
60
- the READMEs for the individual service gems for details.) The path to the
61
- **Credentials JSON** file can be stored in the environment variable, or the
62
- **Credentials JSON** itself can be stored for environments such as Docker
63
- containers where writing files is difficult or not encouraged.
29
+ The google-cloud-security-private_ca-v1 library provides several mechanisms to configure your system.
30
+ Generally, using Application Default Credentials to facilitate automatic
31
+ credentials discovery is the easist method. But if you need to explicitly specify
32
+ credentials, there are several methods available to you.
64
33
 
65
- The environment variables that google-cloud-security-private_ca-v1
66
- checks for credentials are configured on the service Credentials class (such as
67
- {::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Credentials}):
34
+ Credentials are accepted in the following ways, in the following order or precedence:
68
35
 
69
- * `PRIVATE_CA_CREDENTIALS` - Path to JSON file, or JSON contents
70
- * `PRIVATE_CA_KEYFILE` - Path to JSON file, or JSON contents
71
- * `GOOGLE_CLOUD_CREDENTIALS` - Path to JSON file, or JSON contents
72
- * `GOOGLE_CLOUD_KEYFILE` - Path to JSON file, or JSON contents
73
- * `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
36
+ 1. Credentials specified in method arguments
37
+ 2. Credentials specified in configuration
38
+ 3. Credentials pointed to or included in environment variables
39
+ 4. Credentials found in local ADC file
40
+ 5. Credentials returned by the metadata server for the attached service account (GCP)
74
41
 
75
- ```ruby
76
- require "google/cloud/security/private_ca/v1"
77
-
78
- ENV["PRIVATE_CA_CREDENTIALS"] = "path/to/keyfile.json"
42
+ ### Configuration
79
43
 
80
- client = ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client.new
81
- ```
44
+ You can configure a path to a JSON credentials file, either for an individual client object or
45
+ globally, for all client objects. The JSON file can contain credentials created for
46
+ [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation),
47
+ [workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation), or a
48
+ [service account key](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key).
82
49
 
83
- ### Configuration
50
+ Note: Service account keys are a security risk if not managed correctly. You should
51
+ [choose a more secure alternative to service account keys](https://cloud.google.com/docs/authentication#auth-decision-tree)
52
+ whenever possible.
84
53
 
85
- The path to the **Credentials JSON** file can be configured instead of storing
86
- it in an environment variable. Either on an individual client initialization:
54
+ To configure a credentials file for an individual client initialization:
87
55
 
88
56
  ```ruby
89
57
  require "google/cloud/security/private_ca/v1"
90
58
 
91
59
  client = ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client.new do |config|
92
- config.credentials = "path/to/keyfile.json"
60
+ config.credentials = "path/to/credentialfile.json"
93
61
  end
94
62
  ```
95
63
 
96
- Or globally for all clients:
64
+ To configure a credentials file globally for all clients:
97
65
 
98
66
  ```ruby
99
67
  require "google/cloud/security/private_ca/v1"
100
68
 
101
69
  ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client.configure do |config|
102
- config.credentials = "path/to/keyfile.json"
70
+ config.credentials = "path/to/credentialfile.json"
103
71
  end
104
72
 
105
73
  client = ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client.new
106
74
  ```
107
75
 
108
- ### Cloud SDK
76
+ ### Environment Variables
109
77
 
110
- This option allows for an easy way to authenticate during development. If
111
- credentials are not provided in code or in environment variables, then Cloud SDK
112
- credentials are discovered.
78
+ You can also use an environment variable to provide a JSON credentials file.
79
+ The environment variable can contain a path to the credentials file or, for
80
+ environments such as Docker containers where writing files is not encouraged,
81
+ you can include the credentials file itself.
113
82
 
114
- To configure your system for this, simply:
83
+ The JSON file can contain credentials created for
84
+ [workload identity federation](https://cloud.google.com/iam/docs/workload-identity-federation),
85
+ [workforce identity federation](https://cloud.google.com/iam/docs/workforce-identity-federation), or a
86
+ [service account key](https://cloud.google.com/docs/authentication/provide-credentials-adc#local-key).
115
87
 
116
- 1. [Download and install the Cloud SDK](https://cloud.google.com/sdk)
117
- 2. Authenticate using OAuth 2.0 `$ gcloud auth application-default login`
118
- 3. Write code as if already authenticated.
88
+ Note: Service account keys are a security risk if not managed correctly. You should
89
+ [choose a more secure alternative to service account keys](https://cloud.google.com/docs/authentication#auth-decision-tree)
90
+ whenever possible.
91
+
92
+ The environment variables that google-cloud-security-private_ca-v1
93
+ checks for credentials are:
119
94
 
120
- **NOTE:** This is _not_ recommended for running in production. The Cloud SDK
121
- *should* only be used during development.
95
+ * `GOOGLE_CLOUD_CREDENTIALS` - Path to JSON file, or JSON contents
96
+ * `GOOGLE_APPLICATION_CREDENTIALS` - Path to JSON file
122
97
 
123
- ## Creating a Service Account
98
+ ```ruby
99
+ require "google/cloud/security/private_ca/v1"
124
100
 
125
- Google Cloud requires **Service Account Credentials** to
126
- connect to the APIs. You will use the **JSON key file** to
127
- connect to most services with google-cloud-security-private_ca-v1.
101
+ ENV["GOOGLE_APPLICATION_CREDENTIALS"] = "path/to/credentialfile.json"
128
102
 
129
- If you are not running this client within
130
- [Google Cloud Platform environments](#google-cloud-platform-environments), you
131
- need a Google Developers service account.
103
+ client = ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Client.new
104
+ ```
132
105
 
133
- 1. Visit the [Google Cloud Console](https://console.cloud.google.com/project).
134
- 2. Create a new project or click on an existing project.
135
- 3. Activate the menu in the upper left and select **APIs & Services**. From
136
- here, you will enable the APIs that your application requires.
106
+ ### Local ADC file
137
107
 
138
- *Note: You may need to enable billing in order to use these services.*
108
+ You can set up a local ADC file with your user credentials for authentication during
109
+ development. If credentials are not provided in code or in environment variables,
110
+ then the local ADC credentials are discovered.
139
111
 
140
- 4. Select **Credentials** from the side navigation.
112
+ Follow the steps in [Quickstart](#quickstart) to set up a local ADC file.
141
113
 
142
- Find the "Create credentials" drop down near the top of the page, and select
143
- "Service account" to be guided through downloading a new JSON key file.
114
+ ### Google Cloud Platform environments
144
115
 
145
- If you want to re-use an existing service account, you can easily generate a
146
- new key file. Just select the account you wish to re-use, click the pencil
147
- tool on the right side to edit the service account, select the **Keys** tab,
148
- and then select **Add Key**.
116
+ When running on Google Cloud Platform (GCP), including Google Compute Engine
117
+ (GCE), Google Kubernetes Engine (GKE), Google App Engine (GAE), Google Cloud
118
+ Functions (GCF) and Cloud Run, credentials are retrieved from the attached
119
+ service account automatically. Code should be written as if already authenticated.
149
120
 
150
- The key file you download will be used by this library to authenticate API
151
- requests and should be stored in a secure location.
121
+ For more information, see
122
+ [Set up ADC for Google Cloud services](https://cloud.google.com/docs/authentication/provide-credentials-adc#attached-sa).
@@ -35,6 +35,9 @@ module Google
35
35
  # manages private certificate authorities and issued certificates.
36
36
  #
37
37
  class Client
38
+ # @private
39
+ DEFAULT_ENDPOINT_TEMPLATE = "privateca.$UNIVERSE_DOMAIN$"
40
+
38
41
  include Paths
39
42
 
40
43
  # @private
@@ -100,6 +103,15 @@ module Google
100
103
  @config
101
104
  end
102
105
 
106
+ ##
107
+ # The effective universe domain
108
+ #
109
+ # @return [String]
110
+ #
111
+ def universe_domain
112
+ @certificate_authority_service_stub.universe_domain
113
+ end
114
+
103
115
  ##
104
116
  # Create a new CertificateAuthorityService client object.
105
117
  #
@@ -133,8 +145,9 @@ module Google
133
145
  credentials = @config.credentials
134
146
  # Use self-signed JWT if the endpoint is unchanged from default,
135
147
  # but only if the default endpoint does not have a region prefix.
136
- enable_self_signed_jwt = @config.endpoint == Configuration::DEFAULT_ENDPOINT &&
137
- !@config.endpoint.split(".").first.include?("-")
148
+ enable_self_signed_jwt = @config.endpoint.nil? ||
149
+ (@config.endpoint == Configuration::DEFAULT_ENDPOINT &&
150
+ !@config.endpoint.split(".").first.include?("-"))
138
151
  credentials ||= Credentials.default scope: @config.scope,
139
152
  enable_self_signed_jwt: enable_self_signed_jwt
140
153
  if credentials.is_a?(::String) || credentials.is_a?(::Hash)
@@ -147,26 +160,32 @@ module Google
147
160
  config.credentials = credentials
148
161
  config.quota_project = @quota_project_id
149
162
  config.endpoint = @config.endpoint
163
+ config.universe_domain = @config.universe_domain
150
164
  end
151
165
 
152
166
  @location_client = Google::Cloud::Location::Locations::Client.new do |config|
153
167
  config.credentials = credentials
154
168
  config.quota_project = @quota_project_id
155
169
  config.endpoint = @config.endpoint
170
+ config.universe_domain = @config.universe_domain
156
171
  end
157
172
 
158
173
  @iam_policy_client = Google::Iam::V1::IAMPolicy::Client.new do |config|
159
174
  config.credentials = credentials
160
175
  config.quota_project = @quota_project_id
161
176
  config.endpoint = @config.endpoint
177
+ config.universe_domain = @config.universe_domain
162
178
  end
163
179
 
164
180
  @certificate_authority_service_stub = ::Gapic::ServiceStub.new(
165
181
  ::Google::Cloud::Security::PrivateCA::V1::CertificateAuthorityService::Stub,
166
- credentials: credentials,
167
- endpoint: @config.endpoint,
182
+ credentials: credentials,
183
+ endpoint: @config.endpoint,
184
+ endpoint_template: DEFAULT_ENDPOINT_TEMPLATE,
185
+ universe_domain: @config.universe_domain,
168
186
  channel_args: @config.channel_args,
169
- interceptors: @config.interceptors
187
+ interceptors: @config.interceptors,
188
+ channel_pool_config: @config.channel_pool
170
189
  )
171
190
  end
172
191
 
@@ -3368,9 +3387,9 @@ module Google
3368
3387
  # end
3369
3388
  #
3370
3389
  # @!attribute [rw] endpoint
3371
- # The hostname or hostname:port of the service endpoint.
3372
- # Defaults to `"privateca.googleapis.com"`.
3373
- # @return [::String]
3390
+ # A custom service endpoint, as a hostname or hostname:port. The default is
3391
+ # nil, indicating to use the default endpoint in the current universe domain.
3392
+ # @return [::String,nil]
3374
3393
  # @!attribute [rw] credentials
3375
3394
  # Credentials to send with calls. You may provide any of the following types:
3376
3395
  # * (`String`) The path to a service account key file in JSON format
@@ -3416,13 +3435,20 @@ module Google
3416
3435
  # @!attribute [rw] quota_project
3417
3436
  # A separate project against which to charge quota.
3418
3437
  # @return [::String]
3438
+ # @!attribute [rw] universe_domain
3439
+ # The universe domain within which to make requests. This determines the
3440
+ # default endpoint URL. The default value of nil uses the environment
3441
+ # universe (usually the default "googleapis.com" universe).
3442
+ # @return [::String,nil]
3419
3443
  #
3420
3444
  class Configuration
3421
3445
  extend ::Gapic::Config
3422
3446
 
3447
+ # @private
3448
+ # The endpoint specific to the default "googleapis.com" universe. Deprecated.
3423
3449
  DEFAULT_ENDPOINT = "privateca.googleapis.com"
3424
3450
 
3425
- config_attr :endpoint, DEFAULT_ENDPOINT, ::String
3451
+ config_attr :endpoint, nil, ::String, nil
3426
3452
  config_attr :credentials, nil do |value|
3427
3453
  allowed = [::String, ::Hash, ::Proc, ::Symbol, ::Google::Auth::Credentials, ::Signet::OAuth2::Client, nil]
3428
3454
  allowed += [::GRPC::Core::Channel, ::GRPC::Core::ChannelCredentials] if defined? ::GRPC
@@ -3437,6 +3463,7 @@ module Google
3437
3463
  config_attr :metadata, nil, ::Hash, nil
3438
3464
  config_attr :retry_policy, nil, ::Hash, ::Proc, nil
3439
3465
  config_attr :quota_project, nil, ::String, nil
3466
+ config_attr :universe_domain, nil, ::String, nil
3440
3467
 
3441
3468
  # @private
3442
3469
  def initialize parent_config = nil
@@ -3457,6 +3484,14 @@ module Google
3457
3484
  end
3458
3485
  end
3459
3486
 
3487
+ ##
3488
+ # Configuration for the channel pool
3489
+ # @return [::Gapic::ServiceStub::ChannelPool::Configuration]
3490
+ #
3491
+ def channel_pool
3492
+ @channel_pool ||= ::Gapic::ServiceStub::ChannelPool::Configuration.new
3493
+ end
3494
+
3460
3495
  ##
3461
3496
  # Configuration RPC class for the CertificateAuthorityService API.
3462
3497
  #
@@ -27,6 +27,9 @@ module Google
27
27
  module CertificateAuthorityService
28
28
  # Service that implements Longrunning Operations API.
29
29
  class Operations
30
+ # @private
31
+ DEFAULT_ENDPOINT_TEMPLATE = "privateca.$UNIVERSE_DOMAIN$"
32
+
30
33
  # @private
31
34
  attr_reader :operations_stub
32
35
 
@@ -61,6 +64,15 @@ module Google
61
64
  @config
62
65
  end
63
66
 
67
+ ##
68
+ # The effective universe domain
69
+ #
70
+ # @return [String]
71
+ #
72
+ def universe_domain
73
+ @operations_stub.universe_domain
74
+ end
75
+
64
76
  ##
65
77
  # Create a new Operations client object.
66
78
  #
@@ -91,10 +103,13 @@ module Google
91
103
 
92
104
  @operations_stub = ::Gapic::ServiceStub.new(
93
105
  ::Google::Longrunning::Operations::Stub,
94
- credentials: credentials,
95
- endpoint: @config.endpoint,
106
+ credentials: credentials,
107
+ endpoint: @config.endpoint,
108
+ endpoint_template: DEFAULT_ENDPOINT_TEMPLATE,
109
+ universe_domain: @config.universe_domain,
96
110
  channel_args: @config.channel_args,
97
- interceptors: @config.interceptors
111
+ interceptors: @config.interceptors,
112
+ channel_pool_config: @config.channel_pool
98
113
  )
99
114
 
100
115
  # Used by an LRO wrapper for some methods of this service
@@ -613,9 +628,9 @@ module Google
613
628
  # end
614
629
  #
615
630
  # @!attribute [rw] endpoint
616
- # The hostname or hostname:port of the service endpoint.
617
- # Defaults to `"privateca.googleapis.com"`.
618
- # @return [::String]
631
+ # A custom service endpoint, as a hostname or hostname:port. The default is
632
+ # nil, indicating to use the default endpoint in the current universe domain.
633
+ # @return [::String,nil]
619
634
  # @!attribute [rw] credentials
620
635
  # Credentials to send with calls. You may provide any of the following types:
621
636
  # * (`String`) The path to a service account key file in JSON format
@@ -661,13 +676,20 @@ module Google
661
676
  # @!attribute [rw] quota_project
662
677
  # A separate project against which to charge quota.
663
678
  # @return [::String]
679
+ # @!attribute [rw] universe_domain
680
+ # The universe domain within which to make requests. This determines the
681
+ # default endpoint URL. The default value of nil uses the environment
682
+ # universe (usually the default "googleapis.com" universe).
683
+ # @return [::String,nil]
664
684
  #
665
685
  class Configuration
666
686
  extend ::Gapic::Config
667
687
 
688
+ # @private
689
+ # The endpoint specific to the default "googleapis.com" universe. Deprecated.
668
690
  DEFAULT_ENDPOINT = "privateca.googleapis.com"
669
691
 
670
- config_attr :endpoint, DEFAULT_ENDPOINT, ::String
692
+ config_attr :endpoint, nil, ::String, nil
671
693
  config_attr :credentials, nil do |value|
672
694
  allowed = [::String, ::Hash, ::Proc, ::Symbol, ::Google::Auth::Credentials, ::Signet::OAuth2::Client, nil]
673
695
  allowed += [::GRPC::Core::Channel, ::GRPC::Core::ChannelCredentials] if defined? ::GRPC
@@ -682,6 +704,7 @@ module Google
682
704
  config_attr :metadata, nil, ::Hash, nil
683
705
  config_attr :retry_policy, nil, ::Hash, ::Proc, nil
684
706
  config_attr :quota_project, nil, ::String, nil
707
+ config_attr :universe_domain, nil, ::String, nil
685
708
 
686
709
  # @private
687
710
  def initialize parent_config = nil
@@ -702,6 +725,14 @@ module Google
702
725
  end
703
726
  end
704
727
 
728
+ ##
729
+ # Configuration for the channel pool
730
+ # @return [::Gapic::ServiceStub::ChannelPool::Configuration]
731
+ #
732
+ def channel_pool
733
+ @channel_pool ||= ::Gapic::ServiceStub::ChannelPool::Configuration.new
734
+ end
735
+
705
736
  ##
706
737
  # Configuration RPC class for the Operations API.
707
738
  #