Preston_PLB
/
oauth2
forked from Mirrors/oauth2
1
0
Fork 0
Code Pull Requests Activity
oauth2/google/downscoped/downscoping.go

116 lines
3.7 KiB
Go
Raw Blame History

package downscoped
import (
"context"
"encoding/json"
"fmt"
"golang.org/x/oauth2"
"net/http"
"net/url"
"time"
)
const (
identityBindingEndpoint = "https://sts.googleapis.com/v1beta/token"
)
// Defines an upper bound of permissions available for a GCP credential for one or more resources
type AccessBoundary struct {
// One or more AccessBoundaryRules are required to define permissions for the new downscoped token
AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
}
type AvailabilityCondition struct {
Title string `json:"title,omitempty"`
Expression string `json:"expression"`
Description string `json:"description,omitempty"`
}
type AccessBoundaryRule struct {
AvailableResource string `json:"availableResource"`
AvailablePermissions []string `json:"availablePermissions"`
Condition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
}
type downscopedTokenResponse struct {
AccessToken string `json:"access_token"`
IssuedTokenType string `json:"issued_token_type"`
TokenType string `json:"token_type"`
ExpiresIn int `json:"expires_in"`
}
type DownscopingConfig struct {
RootSource oauth2.TokenSource
CredentialAccessBoundary AccessBoundary
}
func downscopedTokenWithEndpoint(ctx context.Context, config DownscopingConfig, endpoint string) (oauth2.TokenSource, error) {
if config.RootSource == nil {
return nil, fmt.Errorf("oauth2/google/downscoped: rootTokenSource cannot be nil")
}
if len(config.CredentialAccessBoundary.AccessBoundaryRules) == 0 {
return nil, fmt.Errorf("oauth2/google/downscoped: length of AccessBoundaryRules must be at least 1")
}
downscopedOptions := struct {
Boundary AccessBoundary `json:"accessBoundary"`
}{
Boundary: config.CredentialAccessBoundary,
}
tok, err := config.RootSource.Token()
if err != nil {
return nil, fmt.Errorf("oauth2/google/downscoped: unable to refresh root token %v", err)
}
b, err := json.Marshal(downscopedOptions)
if err != nil {
return nil, fmt.Errorf("oauth2/google/downscoped: Unable to marshall AccessBoundary payload %v", err)
}
form := url.Values{}
form.Add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
form.Add("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
form.Add("requested_token_type", "urn:ietf:params:oauth:token-type:access_token")
form.Add("subject_token", tok.AccessToken)
form.Add("options", url.QueryEscape(string(b)))
myClient := oauth2.NewClient(ctx, nil)
resp, err := myClient.PostForm(endpoint, form)
if err != nil {
return nil, fmt.Errorf("unable to generate POST Request %v", err)
}
defer resp.Body.Close()
var tresp downscopedTokenResponse
err = json.NewDecoder(resp.Body).Decode(&tresp)
if err != nil {
return nil, fmt.Errorf("unable to unmarshal response body: %v", err)
}
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("unable to exchange token %v", tresp)
}
// an exchanged token that is derived from a service account (2LO) has an expired_in value
// a token derived from a users token (3LO) does not.
// The following code uses the time remaining on rootToken for a user as the value for the
// derived token's lifetime
var expiry_time time.Time
if tresp.ExpiresIn > 0 {
expiry_time = time.Now().Add(time.Duration(time.Duration(tresp.ExpiresIn) * time.Second))
} else {
expiry_time = tok.Expiry
}
newToken := &oauth2.Token{
AccessToken: tresp.AccessToken,
TokenType: tresp.TokenType,
Expiry: expiry_time,
}
return oauth2.StaticTokenSource(newToken), nil
}
func NewDownscopedTokenSource(ctx context.Context, config DownscopingConfig) (oauth2.TokenSource, error) {
return downscopedTokenWithEndpoint(ctx, config, identityBindingEndpoint)
}
View Git Blame Copy Permalink