oauth2/google/downscope/downscoping.go

192 lines
7.3 KiB
Go
Raw Normal View History

// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
/*
Package downscope implements the ability to downscope, or restrict, the
Identity and AccessManagement permissions that a short-lived Token
can use. Please note that only Google Cloud Storage supports this feature.
2021-06-11 14:43:37 -04:00
For complete documentation, see https://cloud.google.com/iam/docs/downscoping-short-lived-credentials
2021-06-10 17:55:56 -04:00
*/
package downscope
import (
2021-06-09 17:25:06 -04:00
"context"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"time"
"golang.org/x/oauth2"
)
const (
2021-06-16 15:14:24 -04:00
identityBindingEndpoint = "https://sts.googleapis.com/v1/token"
)
type accessBoundary struct {
AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
}
// An AvailabilityCondition restricts access to a given Resource.
type AvailabilityCondition struct {
// An Expression specifies the Cloud Storage objects where
// permissions are available. For further documentation, see
// https://cloud.google.com/iam/docs/conditions-overview
2021-06-10 17:55:56 -04:00
Expression string `json:"expression"`
// Title is short string that identifies the purpose of the condition. Optional.
2021-06-10 17:55:56 -04:00
Title string `json:"title,omitempty"`
// Description details about the purpose of the condition. Optional.
Description string `json:"description,omitempty"`
}
2021-06-11 14:43:37 -04:00
// An AccessBoundaryRule Sets the permissions (and optionally conditions)
// that the new token has on given resource.
type AccessBoundaryRule struct {
// AvailableResource is the full resource name of the Cloud Storage bucket that the rule applies to.
// Use the format //storage.googleapis.com/projects/_/buckets/bucket-name.
2021-06-10 17:55:56 -04:00
AvailableResource string `json:"availableResource"`
// AvailablePermissions is a list that defines the upper bound on the available permissions
// for the resource. Each value is the identifier for an IAM predefined role or custom role,
// with the prefix inRole:. For example: inRole:roles/storage.objectViewer.
// Only the permissions in these roles will be available.
2021-06-10 17:55:56 -04:00
AvailablePermissions []string `json:"availablePermissions"`
// An Condition restricts the availability of permissions
// to specific Cloud Storage objects. Optional.
//
2021-06-22 12:25:17 -04:00
// A Condition can be used to make permissions available for specific objects,
// rather than all objects in a Cloud Storage bucket.
2021-06-10 17:55:56 -04:00
Condition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
}
2021-06-09 17:25:06 -04:00
type downscopedTokenResponse struct {
AccessToken string `json:"access_token"`
IssuedTokenType string `json:"issued_token_type"`
TokenType string `json:"token_type"`
ExpiresIn int `json:"expires_in"`
}
// DownscopingConfig specifies the information necessary to request a downscoped token.
type DownscopingConfig struct {
// RootSource is the TokenSource used to create the downscoped token.
// The downscoped token therefore has some subset of the accesses of
// the original RootSource.
2021-06-10 17:55:56 -04:00
RootSource oauth2.TokenSource
// Rules defines the accesses held by the new
// downscoped Token. One or more AccessBoundaryRules are required to
// define permissions for the new downscoped token. Each one defines an
// access (or set of accesses) that the new token has to a given resource.
// There can be a maximum of 10 AccessBoundaryRules.
Rules []AccessBoundaryRule
}
2021-06-22 12:25:17 -04:00
// A downscopingTokenSource is used to retrieve a downscoped token with restricted
// permissions compared to the root Token that is used to generate it.
2021-06-22 12:25:17 -04:00
type downscopingTokenSource struct {
// ctx is the context used to query the API to retrieve a downscoped Token.
ctx context.Context
// config holds the information necessary to generate a downscoped Token.
config DownscopingConfig
}
// NewTokenSource returns an empty downscopingTokenSource.
func NewTokenSource(ctx context.Context, conf DownscopingConfig) downscopingTokenSource {
return downscopingTokenSource{ctx: ctx, config: conf}
}
// downscopedTokenWithEndpoint is a helper function used for unit testing
// purposes, as it allows us to pass in a locally mocked endpoint.
func downscopedTokenWithEndpoint(ctx context.Context, config DownscopingConfig, endpoint string) (*oauth2.Token, error) {
if config.RootSource == nil {
return nil, fmt.Errorf("downscope: rootTokenSource cannot be nil")
}
if len(config.Rules) == 0 {
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules must be at least 1")
}
if len(config.Rules) > 10 {
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules may not be greater than 10")
}
for _, val := range config.Rules {
if val.AvailableResource == "" {
return nil, fmt.Errorf("downscope: all rules must have a nonempty AvailableResource: %+v", val)
}
if len(val.AvailablePermissions) == 0 {
return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
}
}
downscopedOptions := struct {
Boundary accessBoundary `json:"accessBoundary"`
}{
Boundary: accessBoundary{
AccessBoundaryRules: config.Rules,
},
}
tok, err := config.RootSource.Token()
if err != nil {
return nil, fmt.Errorf("downscope: unable to obtain root token: %v", err)
}
2021-06-09 17:25:06 -04:00
b, err := json.Marshal(downscopedOptions)
if err != nil {
return nil, fmt.Errorf("downscope: unable to marshall AccessBoundary payload %v", err)
}
form := url.Values{}
form.Add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
form.Add("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
form.Add("requested_token_type", "urn:ietf:params:oauth:token-type:access_token")
form.Add("subject_token", tok.AccessToken)
2021-06-16 15:14:24 -04:00
form.Add("options", string(b))
2021-06-09 17:25:06 -04:00
myClient := oauth2.NewClient(ctx, nil)
resp, err := myClient.PostForm(endpoint, form)
if err != nil {
return nil, fmt.Errorf("unable to generate POST Request %v", err)
}
2021-06-09 17:25:06 -04:00
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
b, err := ioutil.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("downscope: unable to exchange token; %v. Failed to read response body: %v", resp.StatusCode, err)
}
return nil, fmt.Errorf("downscope: unable to exchange token; %v. Server responsed: %v", resp.StatusCode, string(b))
}
2021-06-09 17:25:06 -04:00
var tresp downscopedTokenResponse
err = json.NewDecoder(resp.Body).Decode(&tresp)
if err != nil {
return nil, fmt.Errorf("downscope: unable to unmarshal response body: %v", err)
2021-06-09 17:25:06 -04:00
}
// an exchanged token that is derived from a service account (2LO) has an expired_in value
// a token derived from a users token (3LO) does not.
// The following code uses the time remaining on rootToken for a user as the value for the
// derived token's lifetime
2021-06-16 15:14:24 -04:00
var expiryTime time.Time
if tresp.ExpiresIn > 0 {
2021-06-16 15:14:24 -04:00
expiryTime = time.Now().Add(time.Duration(tresp.ExpiresIn) * time.Second)
} else {
2021-06-16 15:14:24 -04:00
expiryTime = tok.Expiry
}
newToken := &oauth2.Token{
AccessToken: tresp.AccessToken,
TokenType: tresp.TokenType,
2021-06-16 15:14:24 -04:00
Expiry: expiryTime,
}
return newToken, nil
}
2021-06-22 12:25:17 -04:00
// Token() uses a downscopingTokenSource to generate an oauth2 Token.
// Do note that the returned TokenSource is an oauth2.StaticTokenSource. If you wish
// to refresh this token automatically, then initialize a locally defined
// TokenSource struct with the Token held by the StaticTokenSource and wrap
// that TokenSource in an oauth2.ReuseTokenSource.
2021-06-22 12:25:17 -04:00
func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
return downscopedTokenWithEndpoint(dts.ctx, dts.config, identityBindingEndpoint)
}