gcs

package

v0.0.0-...-2c20f17 Latest Latest Go to latest Published: May 16, 2026 License: Apache-2.0 Imports: 19 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/ALRubinger/aileron

Links

Open Source Insights

Documentation ¶

Overview ¶

Package gcs provides a TEE client and attestation verifier for Google Confidential Space. The client communicates with the enclave binary over HTTPS; the verifier validates Confidential Space OIDC attestation tokens.

Index ¶

type Client
- func New(cfg Config) *Client
type Config
type Verifier
- func (v *Verifier) Verify(ctx context.Context, token string, nonce []byte) (enclave.AttestationClaims, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Client ¶

type Client struct {
	// contains filtered or unexported fields
}

Client communicates with the enclave binary running inside a Google Confidential Space VM over HTTPS.

func New ¶

func New(cfg Config) *Client

New creates a new Google Confidential Space enclave client.

func (*Client) Attest ¶

func (c *Client) Attest(ctx context.Context, req enclave.AttestationRequest) (enclave.AttestationResponse, error)

Attest requests attestation evidence from the enclave.

func (*Client) Close ¶

func (c *Client) Close() error

Close clears session-bound request authentication material.

func (*Client) EscrowList ¶

func (c *Client) EscrowList(ctx context.Context) (enclave.EscrowListResponse, error)

EscrowList returns metadata for all non-expired escrow entries.

func (*Client) EscrowRevoke ¶

func (c *Client) EscrowRevoke(ctx context.Context, req enclave.EscrowRevokeRequest) error

EscrowRevoke sends an escrow revoke request to the enclave.

func (*Client) EscrowStore ¶

func (c *Client) EscrowStore(ctx context.Context, req enclave.EscrowStoreRequest) (enclave.EscrowStoreResponse, error)

EscrowStore sends an escrow store request to the enclave.

func (*Client) EstablishSession ¶

func (c *Client) EstablishSession(ctx context.Context, req enclave.SessionRequest) (enclave.SessionResponse, error)

EstablishSession completes the ECDH key exchange with the enclave.

func (*Client) Execute ¶

func (c *Client) Execute(ctx context.Context, req enclave.ExecuteRequest) (enclave.ExecuteResponse, error)

Execute sends an execution request to the enclave.

func (*Client) OAuthExchange ¶

func (c *Client) OAuthExchange(ctx context.Context, req enclave.OAuthExchangeRequest) (enclave.OAuthExchangeResponse, error)

OAuthExchange asks the enclave to exchange an OAuth code for tokens.

func (*Client) Ready ¶

func (c *Client) Ready(ctx context.Context) error

Ready checks whether the enclave is reachable by calling GET /health.

func (*Client) SourceExecute ¶

func (c *Client) SourceExecute(ctx context.Context, req enclave.SourceExecuteRequest) (enclave.SourceExecuteResponse, error)

SourceExecute sends a source connector tool execution request to the enclave. The credential never leaves the enclave — only the tool results are returned.

func (*Client) TransmitKEK ¶

func (c *Client) TransmitKEK(ctx context.Context, req enclave.TransmitKEKRequest) (enclave.TransmitKEKResponse, error)

TransmitKEK sends a user's KEK to the enclave.

type Config ¶

type Config struct {
	// BaseURL is the enclave binary's address, e.g. "https://enclave.internal:8443".
	BaseURL string
	// HTTPClient is an optional custom HTTP client. If nil, http.DefaultClient is used.
	HTTPClient *http.Client
}

Config holds configuration for the GCS enclave client.

type Verifier ¶

type Verifier struct {
	// ExpectedImageDigest is the required container image digest (sha256:...).
	ExpectedImageDigest string
	// ExpectedProjectID is the required GCP project ID.
	ExpectedProjectID string
	// HTTPClient is used to fetch the OIDC discovery document and JWKS.
	// If nil, http.DefaultClient is used.
	HTTPClient *http.Client
	// DiscoveryURL overrides the Google OIDC discovery endpoint (for testing).
	DiscoveryURL string
	// NowFunc overrides time.Now (for testing).
	NowFunc func() time.Time
}

Verifier validates Google Confidential Space OIDC attestation tokens.

func (*Verifier) Verify ¶

func (v *Verifier) Verify(ctx context.Context, token string, nonce []byte) (enclave.AttestationClaims, error)

Verify validates a Confidential Space attestation OIDC token.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL