downscope: further updates and nits

This commit is contained in:
Patrick Jones 2021-06-22 09:25:17 -07:00
parent a362f28044
commit 304d28ba9e
3 changed files with 23 additions and 18 deletions


@ -56,7 +56,7 @@ type AccessBoundaryRule struct {
// An Condition restricts the availability of permissions // An Condition restricts the availability of permissions
// to specific Cloud Storage objects. Optional. // to specific Cloud Storage objects. Optional.
// //
// Use this field if you want to make permissions available for specific objects, // A Condition can be used to make permissions available for specific objects,
// rather than all objects in a Cloud Storage bucket. // rather than all objects in a Cloud Storage bucket.
Condition *AvailabilityCondition `json:"availabilityCondition,omitempty"` Condition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
} }
@ -82,13 +82,18 @@ type DownscopingConfig struct {
Rules []AccessBoundaryRule Rules []AccessBoundaryRule
} }
// A DownscopingTokenSource is used to retrieve a downscoped token with restricted // A downscopingTokenSource is used to retrieve a downscoped token with restricted
// permissions compared to the root Token that is used to generate it. // permissions compared to the root Token that is used to generate it.
type DownscopingTokenSource struct { type downscopingTokenSource struct {
// Ctx is the context used to query the API to retrieve a downscoped Token. // ctx is the context used to query the API to retrieve a downscoped Token.
Ctx context.Context ctx context.Context
// Config holds the information necessary to generate a downscoped Token. // config holds the information necessary to generate a downscoped Token.
Config DownscopingConfig config DownscopingConfig
}
// NewTokenSource returns an empty downscopingTokenSource.
func NewTokenSource(ctx context.Context, conf DownscopingConfig) downscopingTokenSource {
return downscopingTokenSource{ctx: ctx, config: conf}
} }
// downscopedTokenWithEndpoint is a helper function used for unit testing // downscopedTokenWithEndpoint is a helper function used for unit testing
@ -176,11 +181,11 @@ func downscopedTokenWithEndpoint(ctx context.Context, config DownscopingConfig,
return newToken, nil return newToken, nil
} }
// Token() uses a DownscopingTokenSource to generate an oauth2 Token. // Token() uses a downscopingTokenSource to generate an oauth2 Token.
// Do note that the returned TokenSource is an oauth2.StaticTokenSource. If you wish // Do note that the returned TokenSource is an oauth2.StaticTokenSource. If you wish
// to refresh this token automatically, then initialize a locally defined // to refresh this token automatically, then initialize a locally defined
// TokenSource struct with the Token held by the StaticTokenSource and wrap // TokenSource struct with the Token held by the StaticTokenSource and wrap
// that TokenSource in an oauth2.ReuseTokenSource. // that TokenSource in an oauth2.ReuseTokenSource.
func (dts DownscopingTokenSource) Token() (*oauth2.Token, error) { func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
return downscopedTokenWithEndpoint(dts.Ctx, dts.Config, identityBindingEndpoint) return downscopedTokenWithEndpoint(dts.ctx, dts.config, identityBindingEndpoint)
} }
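Review bot: NewTokenSource on L31 is exported but returns the now-unexported downscopingTokenSource, so callers outside the package cannot name the type they get back, and the doc comment "returns an empty downscopingTokenSource" is inaccurate since the value is populated with ctx and conf. Returning the interface keeps the type private without that problem: `// NewTokenSource returns an oauth2.TokenSource that mints downscoped tokens using conf.` and `func NewTokenSource(ctx context.Context, conf DownscopingConfig) oauth2.TokenSource {`. The context stored in the ctx field on L26 is reused for every Token() call for the lifetime of the source, so a cancelled or short-deadline context passed to the constructor makes every later Token() call fail; that is worth a sentence in the constructor's doc. The Token() comment on L39-42 still talks about a returned TokenSource while the method on L43 returns a *oauth2.Token, and the pre-existing "An Condition" on L12-13 should read "A Condition".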


@ -46,12 +46,8 @@ func Test_DownscopedTokenSource(t *testing.T) {
} }
myTok := oauth2.Token{AccessToken: "Mellon"} myTok := oauth2.Token{AccessToken: "Mellon"}
tmpSrc := oauth2.StaticTokenSource(&myTok) tmpSrc := oauth2.StaticTokenSource(&myTok)
out, err := downscopedTokenWithEndpoint(context.Background(), DownscopingConfig{tmpSrc, new}, ts.URL) _, err := downscopedTokenWithEndpoint(context.Background(), DownscopingConfig{tmpSrc, new}, ts.URL)
if err != nil { if err != nil {
t.Fatalf("NewDownscopedTokenSource failed with error: %v", err) t.Fatalf("NewDownscopedTokenSource failed with error: %v", err)
} }
_, err = out.Token()
if err != nil {
t.Fatalf("Token() call failed with error %v", err)
}
} }
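Review bot: The new test on L53 discards the token returned by downscopedTokenWithEndpoint and only checks err, so a handler that returns a well-formed but wrong token (empty access token, wrong expiry) would still pass; keep the result and assert on it, e.g. `tok, err := downscopedTokenWithEndpoint(context.Background(), DownscopingConfig{tmpSrc, new}, ts.URL)` followed by `if tok == nil || tok.AccessToken == "" { t.Fatalf("got token %+v, want non-empty access token", tok) }`, comparing against the exact value the test server writes if it is fixed. The Fatalf message on L55 names NewDownscopedTokenSource, which is not the function under test; `t.Fatalf("downscopedTokenWithEndpoint failed with error: %v", err)` avoids a misleading failure report. Test_DownscopedTokenSource's body starts before this hunk.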


@ -1,3 +1,7 @@
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package downscope_test package downscope_test
import ( import (
@ -9,9 +13,9 @@ import (
func ExampleNewTokenSource() { func ExampleNewTokenSource() {
ctx := context.Background() ctx := context.Background()
// Initializes an accessBoundary with one Rule // Initializes an accessBoundary with one Rule.
accessBoundary := []downscope.AccessBoundaryRule{ accessBoundary := []downscope.AccessBoundaryRule{
downscope.AccessBoundaryRule{ {
AvailableResource: "//storage.googleapis.com/projects/_/buckets/foo", AvailableResource: "//storage.googleapis.com/projects/_/buckets/foo",
AvailablePermissions: []string{"inRole:roles/storage.objectViewer"}, AvailablePermissions: []string{"inRole:roles/storage.objectViewer"},
}, },
@ -23,7 +27,7 @@ func ExampleNewTokenSource() {
// rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform") // rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
dts := downscope.DownscopingTokenSource{ctx, downscope.DownscopingConfig{RootSource: rootSource, Rules: accessBoundary}} dts := downscope.NewTokenSource(ctx, downscope.DownscopingConfig{RootSource: rootSource, Rules: accessBoundary})
_ = dts _ = dts
// You can now use the token held in myTokenSource to make // You can now use the token held in myTokenSource to make
// Google Cloud Storage calls, as follows: // Google Cloud Storage calls, as follows: