From 776a9ed8a346db676f05a4deef8b056eba887dc5 Mon Sep 17 00:00:00 2001
From: Patrick Jones
Date: Mon, 14 Jun 2021 13:51:56 -0700
Subject: [PATCH] downscope: move example files to a separate file & package
---
 google/downscope/downscoping_test.go | 61 +------------------------
 google/downscope/example_test.go | 67 ++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 60 deletions(-)
 create mode 100644 google/downscope/example_test.go
diff --git a/google/downscope/downscoping_test.go b/google/downscope/downscoping_test.go
index 95ae5ba..84e53c3 100644
--- a/google/downscope/downscoping_test.go
+++ b/google/downscope/downscoping_test.go
@@ -7,7 +7,6 @@ package downscope
 import (
 "context"
 "io/ioutil"
- "log"
 "net/http"
 "net/http/httptest"
 "testing"
@@ -16,7 +15,7 @@ import (
 )
 var (
- standardReqBody = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&options=%257B%2522accessBoundary%2522%253A%257B%2522accessBoundaryRules%2522%253A%255B%257B%2522availableResource%2522%253A%2522test1%2522%252C%2522availablePermissions%2522%253A%255B%2522Perm1%252C%2Bperm2%2522%255D%257D%255D%257D%257D&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&subject_token=Mellon&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
+ standardReqBody = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&options=%257B%2522accessBoundary%2522%253A%257B%2522accessBoundaryRules%2522%253A%255B%257B%2522availableResource%2522%253A%2522test1%2522%252C%2522availablePermissions%2522%253A%255B%2522Perm1%2522%252C%2522Perm2%2522%255D%257D%255D%257D%257D&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&subject_token=Mellon&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
 standardRespBody = `{"access_token":"Open Sesame","expires_in":432,"issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer"}`
 )
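Review bot: `standardReqBody` carries no comment giving the decoded `options` JSON, and this hunk changes it in a way that is easy to miss: the doubly percent-encoded permissions go from one string (`"Perm1, perm2"`) to two entries (`"Perm1","Perm2"`), which the commit subject about moving examples does not mention. The rule the test passes to the token source is not in this hunk, so whether it matches the new fixture cannot be confirmed from here. Because this string appears to be what pins the access boundary sent in the token-exchange request, I would add above it `// options decodes to {"accessBoundary":{"accessBoundaryRules":[{"availableResource":"test1","availablePermissions":["Perm1","Perm2"]}]}}` so later edits to the restriction are reviewable.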
@@ -56,61 +55,3 @@ func Test_DownscopedTokenSource(t *testing.T) {
 t.Fatalf("Token() call failed with error %v", err)
 }
 }
-
-func ExampleNewTokenSource() {
- ctx := context.Background()
- // Initializes an accessBoundary with one Rule
- accessBoundary := []AccessBoundaryRule{
- AccessBoundaryRule{
- AvailableResource: "//storage.googleapis.com/projects/_/buckets/foo",
- AvailablePermissions: []string{"inRole:roles/storage.objectViewer"},
- },
- }
-
- var rootSource oauth2.TokenSource
- // This Source can be initialized using Application Default Credentials as follows:
-
- // rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
-
- myTokenSource, err := NewTokenSource(ctx, DownscopingConfig{RootSource: rootSource, Rules: accessBoundary})
- //myTokenSource, err := NewSource(rootSource, myBoundary)
- if err != nil {
- log.Fatalf("failed to generate downscoped token source: %v", err)
- }
- _ = myTokenSource
- // You can now use the token held in myTokenSource to make
- // Google Cloud Storage calls, as follows:
-
- // storageClient, err := storage.NewClient(ctx, option.WithTokenSource(myTokenSource))
-}
-
-type localTokenSource struct {
- tokenBrokerURL string
- tokenSourceForBroker oauth2.TokenSource
-}
-
-func (lts localTokenSource) Token() (*oauth2.Token, error) {
- // Make a call to a remote token broker, which runs downscope.NewTokenSource
- // to generate a downscoped version of a token it holds. Return
- var tok oauth2.Token
- return &tok, nil
-}
-
-// ExampleRefreshableToken provices a sample of how a token consumer would
-// construct a refreshable token by wrapping a method that requests a
-// downscoped token from a token broker in an oauth2.ReuseTokenSource
-func ExampleRefreshableToken() {
- var myCredentials oauth2.TokenSource
- // This Source contains the credentials that the token consumer uses to
- // authenticate itself to the token broker from which it is requesting
- // a downscoped token.
- myTokenSource := localTokenSource{
- tokenBrokerURL: "www.foo.bar",
- tokenSourceForBroker: myCredentials,
- }
-
- downscopedToken := oauth2.ReuseTokenSource(nil, myTokenSource)
- // downscopedToken can now be used as a refreshable token for Google Cloud Storage calls
- // storageClient, err := storage.NewClient(ctx, option.WithTokenSource(myTokenSource))
- _ = downscopedToken
-}
diff --git a/google/downscope/example_test.go b/google/downscope/example_test.go
new file mode 100644
index 0000000..ed2e317
--- /dev/null
+++ b/google/downscope/example_test.go
@@ -0,0 +1,67 @@
+package downscope_test
+
+import (
+ "context"
+ "log"
+
+ "golang.org/x/oauth2"
+ "golang.org/x/oauth2/google/downscope"
+)
+
+func ExampleNewTokenSource() {
+ ctx := context.Background()
+ // Initializes an accessBoundary with one Rule
+ accessBoundary := []downscope.AccessBoundaryRule{
+ downscope.AccessBoundaryRule{
+ AvailableResource: "//storage.googleapis.com/projects/_/buckets/foo",
+ AvailablePermissions: []string{"inRole:roles/storage.objectViewer"},
+ },
+ }
+
+ var rootSource oauth2.TokenSource
+ // This Source can be initialized using Application Default Credentials as follows:
+
+ // rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
+
+ myTokenSource, err := downscope.NewTokenSource(ctx, downscope.DownscopingConfig{RootSource: rootSource, Rules: accessBoundary})
+ //myTokenSource, err := NewSource(rootSource, myBoundary)
+ if err != nil {
+ log.Fatalf("failed to generate downscoped token source: %v", err)
+ }
+ _ = myTokenSource
+ // You can now use the token held in myTokenSource to make
+ // Google Cloud Storage calls, as follows:
+
+ // storageClient, err := storage.NewClient(ctx, option.WithTokenSource(myTokenSource))
+}
+
+type localTokenSource struct {
+ tokenBrokerURL string
+ tokenSourceForBroker oauth2.TokenSource
+}
+
+func (lts localTokenSource) Token() (*oauth2.Token, error) {
+ // Make a call to a remote token broker, which runs downscope.NewTokenSource
+ // to generate a downscoped version of a token it holds. Return
+ var tok oauth2.Token
+ return &tok, nil
+}
+
+// ExampleRefreshableToken provices a sample of how a token consumer would
+// construct a refreshable token by wrapping a method that requests a
+// downscoped token from a token broker in an oauth2.ReuseTokenSource
+func ExampleRefreshableToken() {
+ var myCredentials oauth2.TokenSource
+ // This Source contains the credentials that the token consumer uses to
+ // authenticate itself to the token broker from which it is requesting
+ // a downscoped token.
+ myTokenSource := localTokenSource{
+ tokenBrokerURL: "www.foo.bar",
+ tokenSourceForBroker: myCredentials,
+ }
+
+ downscopedToken := oauth2.ReuseTokenSource(nil, myTokenSource)
+ // downscopedToken can now be used as a refreshable token for Google Cloud Storage calls
+ // storageClient, err := storage.NewClient(ctx, option.WithTokenSource(myTokenSource))
+ _ = downscopedToken
+}
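Review bot: The closing comment in `ExampleRefreshableToken` passes `myTokenSource` to `option.WithTokenSource`, so a reader copying it bypasses the `oauth2.ReuseTokenSource` wrapper the example builds; it should read `// storageClient, err := storage.NewClient(ctx, option.WithTokenSource(downscopedToken))`. The stub `localTokenSource.Token` returns a zero `oauth2.Token` with a nil error and its comment breaks off at "Return"; finish the sentence and say that a real implementation must return the broker's access token and expiry. `tokenBrokerURL: "www.foo.bar"` has no scheme and is not a reserved example domain; since this endpoint hands out bearer tokens, a placeholder such as `"https://token-broker.example.com"` (constructed sample) sets a better pattern. Now that the file is in package `downscope_test`, `go vet` is likely to flag the name `ExampleRefreshableToken`, because no `RefreshableToken` identifier is visible in the package; `Example_refreshableToken` follows the example naming convention.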