downscope: move validation checks

This commit is contained in:
Patrick Jones 2021-06-24 16:24:14 -07:00
parent fec7137f21
commit 941cf10a8e
2 changed files with 23 additions and 21 deletions


@ -92,8 +92,25 @@ type downscopingTokenSource struct {
} }
// NewTokenSource returns an empty downscopingTokenSource. // NewTokenSource returns an empty downscopingTokenSource.
func NewTokenSource(ctx context.Context, conf DownscopingConfig) oauth2.TokenSource { func NewTokenSource(ctx context.Context, conf DownscopingConfig) (oauth2.TokenSource, error) {
return downscopingTokenSource{ctx: ctx, config: conf} if conf.RootSource == nil {
return nil, fmt.Errorf("downscope: rootSource cannot be nil")
}
if len(conf.Rules) == 0 {
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules must be at least 1")
}
if len(conf.Rules) > 10 {
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules may not be greater than 10")
}
for _, val := range conf.Rules {
if val.AvailableResource == "" {
return nil, fmt.Errorf("downscope: all rules must have a nonempty AvailableResource: %+v", val)
}
if len(val.AvailablePermissions) == 0 {
return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
}
}
return downscopingTokenSource{ctx: ctx, config: conf}, nil
} }
// Token() uses a downscopingTokenSource to generate an oauth2 Token. // Token() uses a downscopingTokenSource to generate an oauth2 Token.
@ -102,23 +119,6 @@ func NewTokenSource(ctx context.Context, conf DownscopingConfig) oauth2.TokenSou
// TokenSource struct with the Token held by the StaticTokenSource and wrap // TokenSource struct with the Token held by the StaticTokenSource and wrap
// that TokenSource in an oauth2.ReuseTokenSource. // that TokenSource in an oauth2.ReuseTokenSource.
func (dts downscopingTokenSource) Token() (*oauth2.Token, error) { func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
if dts.config.RootSource == nil {
return nil, fmt.Errorf("downscope: rootSource cannot be nil")
}
if len(dts.config.Rules) == 0 {
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules must be at least 1")
}
if len(dts.config.Rules) > 10 {
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules may not be greater than 10")
}
for _, val := range dts.config.Rules {
if val.AvailableResource == "" {
return nil, fmt.Errorf("downscope: all rules must have a nonempty AvailableResource: %+v", val)
}
if len(val.AvailablePermissions) == 0 {
return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
}
}
downscopedOptions := struct { downscopedOptions := struct {
Boundary accessBoundary `json:"accessBoundary"` Boundary accessBoundary `json:"accessBoundary"`
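Review bot: Validating conf once in NewTokenSource is the right place, but the returned downscopingTokenSource stores conf.Rules by reference, so a caller that appends to or edits its own rules slice after construction changes the boundary that later Token() calls presumably encode into downscopedOptions without it ever being re-checked — the per-call checks removed from Token() in the second hunk used to catch exactly that. Detach the slice before storing it, e.g. `conf.Rules = append(conf.Rules[:0:0], conf.Rules...)` just before `return downscopingTokenSource{ctx: ctx, config: conf}, nil` (if AvailablePermissions is a slice it aliases the same way and would need its own copy). The doc comment still says NewTokenSource "returns an empty downscopingTokenSource", which no longer describes the signature; it should read `// NewTokenSource validates conf and returns a TokenSource built from it, or an error when RootSource is nil, Rules is empty or has more than 10 entries, or any rule lacks an AvailableResource or AvailablePermissions.` The moved fmt.Errorf calls that carry no format verbs read more clearly as errors.New. Token()'s body continues past the end of the second hunk.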


@ -27,8 +27,10 @@ func ExampleNewTokenSource() {
// rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform") // rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
dts := downscope.NewTokenSource(ctx, downscope.DownscopingConfig{RootSource: rootSource, Rules: accessBoundary}) dts, err := downscope.NewTokenSource(ctx, downscope.DownscopingConfig{RootSource: rootSource, Rules: accessBoundary})
_ = dts if err != nil {
_ = dts
}
// You can now use the token held in myTokenSource to make // You can now use the token held in myTokenSource to make
// Google Cloud Storage calls, as follows: // Google Cloud Storage calls, as follows:
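Review bot: The example's new error branch `if err != nil { _ = dts }` discards the validation error that the changed NewTokenSource signature exists to surface, and on the success path nothing is done with dts at all; readers who copy the example will silently proceed past a nil RootSource or malformed Rules. Keep the blank assignment on the success path and mark the error path instead, e.g. `if err != nil {` / `// TODO: handle error` / `}` followed by `_ = dts`. ExampleNewTokenSource starts and ends outside this hunk.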