forked from Mirrors/oauth2
downscope: move validation checks
This commit is contained in:
parent
fec7137f21
commit
941cf10a8e
@ -92,8 +92,25 @@ type downscopingTokenSource struct {
|
|||
}
|
||||
|
||||
// NewTokenSource returns an empty downscopingTokenSource.
|
||||
func NewTokenSource(ctx context.Context, conf DownscopingConfig) oauth2.TokenSource {
|
||||
return downscopingTokenSource{ctx: ctx, config: conf}
|
||||
func NewTokenSource(ctx context.Context, conf DownscopingConfig) (oauth2.TokenSource, error) {
|
||||
if conf.RootSource == nil {
|
||||
return nil, fmt.Errorf("downscope: rootSource cannot be nil")
|
||||
}
|
||||
if len(conf.Rules) == 0 {
|
||||
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules must be at least 1")
|
||||
}
|
||||
if len(conf.Rules) > 10 {
|
||||
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules may not be greater than 10")
|
||||
}
|
||||
for _, val := range conf.Rules {
|
||||
if val.AvailableResource == "" {
|
||||
return nil, fmt.Errorf("downscope: all rules must have a nonempty AvailableResource: %+v", val)
|
||||
}
|
||||
if len(val.AvailablePermissions) == 0 {
|
||||
return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
|
||||
}
|
||||
}
|
||||
return downscopingTokenSource{ctx: ctx, config: conf}, nil
|
||||
}
|
||||
|
||||
// Token() uses a downscopingTokenSource to generate an oauth2 Token.
|
||||
|
@ -102,23 +119,6 @@ func NewTokenSource(ctx context.Context, conf DownscopingConfig) oauth2.TokenSou
|
|||
// TokenSource struct with the Token held by the StaticTokenSource and wrap
|
||||
// that TokenSource in an oauth2.ReuseTokenSource.
|
||||
func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
|
||||
if dts.config.RootSource == nil {
|
||||
return nil, fmt.Errorf("downscope: rootSource cannot be nil")
|
||||
}
|
||||
if len(dts.config.Rules) == 0 {
|
||||
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules must be at least 1")
|
||||
}
|
||||
if len(dts.config.Rules) > 10 {
|
||||
return nil, fmt.Errorf("downscope: length of AccessBoundaryRules may not be greater than 10")
|
||||
}
|
||||
for _, val := range dts.config.Rules {
|
||||
if val.AvailableResource == "" {
|
||||
return nil, fmt.Errorf("downscope: all rules must have a nonempty AvailableResource: %+v", val)
|
||||
}
|
||||
if len(val.AvailablePermissions) == 0 {
|
||||
return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
|
||||
}
|
||||
}
|
||||
|
||||
downscopedOptions := struct {
|
||||
Boundary accessBoundary `json:"accessBoundary"`
|
||||
|
|
|
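Review bot: Moving the checks into NewTokenSource (first hunk) while dropping them from Token() (second hunk) means the rules are validated exactly once, yet `conf.Rules` is a slice stored by reference in `downscopingTokenSource{ctx: ctx, config: conf}`, so a caller that keeps its original slice can change or re-slice it after construction and Token() would then work from rules no check ever saw. Copying the slice before it is stored closes that gap: `conf.Rules = append(conf.Rules[:0:0], conf.Rules...)` just before the final return of the first hunk. The doc comment above the constructor still says it "returns an empty downscopingTokenSource", which no longer matches the signature or the new behaviour; suggest `// NewTokenSource validates conf (non-nil RootSource, 1 to 10 Rules, each with a nonempty AvailableResource and at least one AvailablePermission) and returns a downscopingTokenSource, or an error naming the first violated check.` The `fmt.Errorf` calls with constant strings carry no format verbs and would read more idiomatically as `errors.New` (adding the import if the file lacks it). Token()'s body continues outside the second hunk.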
@ -27,8 +27,10 @@ func ExampleNewTokenSource() {
|
|||
|
||||
// rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
|
||||
|
||||
dts := downscope.NewTokenSource(ctx, downscope.DownscopingConfig{RootSource: rootSource, Rules: accessBoundary})
|
||||
dts, err := downscope.NewTokenSource(ctx, downscope.DownscopingConfig{RootSource: rootSource, Rules: accessBoundary})
|
||||
if err != nil {
|
||||
_ = dts
|
||||
}
|
||||
// You can now use the token held in myTokenSource to make
|
||||
// Google Cloud Storage calls, as follows:
|
||||
|
||||
|
|
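Review bot: In the rewritten example the `_ = dts` sits inside the `if err != nil` branch, so the success path never touches dts in the shown lines and the error path looks as if it were being silenced; since examples are what users copy, the error branch should handle the error and dts should be used afterwards: `if err != nil { /* handle error */ }` followed by `_ = dts` on its own line. ExampleNewTokenSource's body continues outside the hunk.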