google/downscope: add DownscopingConfig.UniverseDomain to support TPC
Change-Id: I3669352b382414ea640ca176afa4071995fc5ff1 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/557135 Reviewed-by: Cody Oss <codyoss@google.com> TryBot-Bypass: Cody Oss <codyoss@google.com> Auto-Submit: Cody Oss <codyoss@google.com>
parent
39adbb7807
commit
deefa7e836
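--- a/google/downscope/downscope.go
+++ b/google/downscope/downscope.go
@@ -42,13 +42,16 @@ import (
 "io/ioutil"
 "net/http"
 "net/url"
+"strings"
 "time"
 
 "golang.org/x/oauth2"
 )
 
-var (
-identityBindingEndpoint = "https://sts.googleapis.com/v1/token"
+const (
+universeDomainPlaceholder = "UNIVERSE_DOMAIN"
+identityBindingEndpointTemplate = "https://sts.UNIVERSE_DOMAIN/v1/token"
+universeDomainDefault = "googleapis.com"
 )
 
 type accessBoundary struct {
@@ -105,6 +108,18 @@ type DownscopingConfig struct {
 // access (or set of accesses) that the new token has to a given resource.
 // There can be a maximum of 10 AccessBoundaryRules.
 Rules []AccessBoundaryRule
+// UniverseDomain is the default service domain for a given Cloud universe.
+// The default value is "googleapis.com". Optional.
+UniverseDomain string
+}
+
+// identityBindingEndpoint returns the identity binding endpoint with the
+// configured universe domain.
+func (dc *DownscopingConfig) identityBindingEndpoint() string {
+if dc.UniverseDomain == "" {
+return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, universeDomainDefault, 1)
+}
+return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, dc.UniverseDomain, 1)
 }
 
 // A downscopingTokenSource is used to retrieve a downscoped token with restricted
@@ -114,6 +129,9 @@ type downscopingTokenSource struct {
 ctx context.Context
 // config holds the information necessary to generate a downscoped Token.
 config DownscopingConfig
+// identityBindingEndpoint is the identity binding endpoint with the
+// configured universe domain.
+identityBindingEndpoint string
 }
 
 // NewTokenSource returns a configured downscopingTokenSource.
@@ -135,7 +153,11 @@ func NewTokenSource(ctx context.Context, conf DownscopingConfig) (oauth2.TokenSo
 return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
 }
 }
-return downscopingTokenSource{ctx: ctx, config: conf}, nil
+return downscopingTokenSource{
+ctx: ctx,
+config: conf,
+identityBindingEndpoint: conf.identityBindingEndpoint(),
+}, nil
 }
 
 // Token() uses a downscopingTokenSource to generate an oauth2 Token.
@@ -171,7 +193,7 @@ func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
 form.Add("options", string(b))
 
 myClient := oauth2.NewClient(dts.ctx, nil)
-resp, err := myClient.PostForm(identityBindingEndpoint, form)
+resp, err := myClient.PostForm(dts.identityBindingEndpoint, form)
 if err != nil {
 return nil, fmt.Errorf("unable to generate POST Request %v", err)
 }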
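Review bot: `identityBindingEndpoint()` (hunk @ -105) splices `dc.UniverseDomain` into the STS URL with a bare `strings.Replace`, so a value such as `example.com/x?` or `user@evil.com#` produces an endpoint whose host is no longer `sts.<domain>`, and `Token()` (hunk @ -171) then POSTs the form — which, judging by the rest of `Token()` outside this hunk, presumably carries the root access token as the subject token — to whatever host results. If `UniverseDomain` can be fed from deployment configuration rather than compiled-in code, that is a credential-exfiltration path, and `NewTokenSource` (hunk @ -135) already validates the rules, so it is the natural place to reject a malformed domain before it is baked into the token source. A host check through `net/url`, which the file already imports, is enough; the beginning of `NewTokenSource` is outside the hunk.
```go
func NewTokenSource(ctx context.Context, conf DownscopingConfig) (oauth2.TokenSource, error) {
	// … unchanged: RootSource and rule validation …
	domain := conf.UniverseDomain
	if domain == "" {
		domain = universeDomainDefault
	}
	endpoint := conf.identityBindingEndpoint()
	// Reject a UniverseDomain that escapes the host component of the STS URL,
	// since the root credential is sent to this endpoint.
	if u, err := url.Parse(endpoint); err != nil || u.Scheme != "https" || u.Host != "sts."+domain || u.Path != "/v1/token" {
		return nil, fmt.Errorf("downscope: invalid UniverseDomain %q", conf.UniverseDomain)
	}
	return downscopingTokenSource{
		ctx:                     ctx,
		config:                  conf,
		identityBindingEndpoint: endpoint,
	}, nil
}
```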
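--- a/google/downscope/downscope_test.go
+++ b/google/downscope/downscope_test.go
@@ -38,18 +38,43 @@ func Test_DownscopedTokenSource(t *testing.T) {
 w.Write([]byte(standardRespBody))
 
 }))
-new := []AccessBoundaryRule{
+myTok := oauth2.Token{AccessToken: "Mellon"}
+tmpSrc := oauth2.StaticTokenSource(&myTok)
+rules := []AccessBoundaryRule{
 {
 AvailableResource: "test1",
 AvailablePermissions: []string{"Perm1", "Perm2"},
 },
 }
-myTok := oauth2.Token{AccessToken: "Mellon"}
-tmpSrc := oauth2.StaticTokenSource(&myTok)
-dts := downscopingTokenSource{context.Background(), DownscopingConfig{tmpSrc, new}}
-identityBindingEndpoint = ts.URL
+dts := downscopingTokenSource{
+ctx: context.Background(),
+config: DownscopingConfig{
+RootSource: tmpSrc,
+Rules: rules,
+},
+identityBindingEndpoint: ts.URL,
+}
 _, err := dts.Token()
 if err != nil {
 t.Fatalf("NewDownscopedTokenSource failed with error: %v", err)
 }
 }
+
+func Test_DownscopingConfig(t *testing.T) {
+tests := []struct {
+universeDomain string
+want string
+}{
+{"", "https://sts.googleapis.com/v1/token"},
+{"googleapis.com", "https://sts.googleapis.com/v1/token"},
+{"example.com", "https://sts.example.com/v1/token"},
+}
+for _, tt := range tests {
+c := DownscopingConfig{
+UniverseDomain: tt.universeDomain,
+}
+if got := c.identityBindingEndpoint(); got != tt.want {
+t.Errorf("got %q, want %q", got, tt.want)
+}
+}
+}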
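Review bot: `Test_DownscopingConfig` pins `identityBindingEndpoint()` for three well-formed domains but never exercises the path production code takes: `NewTokenSource` is what stores the derived endpoint on `downscopingTokenSource` (in the other file of this commit), while `Test_DownscopedTokenSource` assigns `identityBindingEndpoint: ts.URL` by hand, so a regression in that wiring would pass both tests. A case that goes through the constructor, e.g. `src, err := NewTokenSource(context.Background(), DownscopingConfig{RootSource: tmpSrc, Rules: rules, UniverseDomain: "example.com"})` followed by `if got := src.(downscopingTokenSource).identityBindingEndpoint; got != "https://sts.example.com/v1/token" { t.Errorf("got %q", got) }`, would close that gap. One more table entry with a domain containing `/` or `@` would also make explicit what the helper does with such input, since the value becomes the host that receives the token request.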