google/downscope: add DownscopingConfig.UniverseDomain to support TPC

Change-Id: I3669352b382414ea640ca176afa4071995fc5ff1
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/557135
Reviewed-by: Cody Oss <codyoss@google.com>
TryBot-Bypass: Cody Oss <codyoss@google.com>
Auto-Submit: Cody Oss <codyoss@google.com>
This commit is contained in:
Chris Smith 2024-01-19 11:51:13 -07:00 committed by Gopher Robot
parent 39adbb7807
commit deefa7e836
2 changed files with 56 additions and 9 deletions

View File

@ -42,13 +42,16 @@ import (
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"strings"
"time" "time"
"golang.org/x/oauth2" "golang.org/x/oauth2"
) )
var ( const (
identityBindingEndpoint = "https://sts.googleapis.com/v1/token" universeDomainPlaceholder = "UNIVERSE_DOMAIN"
identityBindingEndpointTemplate = "https://sts.UNIVERSE_DOMAIN/v1/token"
universeDomainDefault = "googleapis.com"
) )
type accessBoundary struct { type accessBoundary struct {
@ -105,6 +108,18 @@ type DownscopingConfig struct {
// access (or set of accesses) that the new token has to a given resource. // access (or set of accesses) that the new token has to a given resource.
// There can be a maximum of 10 AccessBoundaryRules. // There can be a maximum of 10 AccessBoundaryRules.
Rules []AccessBoundaryRule Rules []AccessBoundaryRule
// UniverseDomain is the default service domain for a given Cloud universe.
// The default value is "googleapis.com". Optional.
UniverseDomain string
}
// identityBindingEndpoint returns the identity binding endpoint with the
// configured universe domain.
func (dc *DownscopingConfig) identityBindingEndpoint() string {
if dc.UniverseDomain == "" {
return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, universeDomainDefault, 1)
}
return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, dc.UniverseDomain, 1)
} }
// A downscopingTokenSource is used to retrieve a downscoped token with restricted // A downscopingTokenSource is used to retrieve a downscoped token with restricted
@ -114,6 +129,9 @@ type downscopingTokenSource struct {
ctx context.Context ctx context.Context
// config holds the information necessary to generate a downscoped Token. // config holds the information necessary to generate a downscoped Token.
config DownscopingConfig config DownscopingConfig
// identityBindingEndpoint is the identity binding endpoint with the
// configured universe domain.
identityBindingEndpoint string
} }
// NewTokenSource returns a configured downscopingTokenSource. // NewTokenSource returns a configured downscopingTokenSource.
@ -135,7 +153,11 @@ func NewTokenSource(ctx context.Context, conf DownscopingConfig) (oauth2.TokenSo
return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val) return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
} }
} }
return downscopingTokenSource{ctx: ctx, config: conf}, nil return downscopingTokenSource{
ctx: ctx,
config: conf,
identityBindingEndpoint: conf.identityBindingEndpoint(),
}, nil
} }
// Token() uses a downscopingTokenSource to generate an oauth2 Token. // Token() uses a downscopingTokenSource to generate an oauth2 Token.
@ -171,7 +193,7 @@ func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
form.Add("options", string(b)) form.Add("options", string(b))
myClient := oauth2.NewClient(dts.ctx, nil) myClient := oauth2.NewClient(dts.ctx, nil)
resp, err := myClient.PostForm(identityBindingEndpoint, form) resp, err := myClient.PostForm(dts.identityBindingEndpoint, form)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to generate POST Request %v", err) return nil, fmt.Errorf("unable to generate POST Request %v", err)
} }

View File

@ -38,18 +38,43 @@ func Test_DownscopedTokenSource(t *testing.T) {
w.Write([]byte(standardRespBody)) w.Write([]byte(standardRespBody))
})) }))
new := []AccessBoundaryRule{ myTok := oauth2.Token{AccessToken: "Mellon"}
tmpSrc := oauth2.StaticTokenSource(&myTok)
rules := []AccessBoundaryRule{
{ {
AvailableResource: "test1", AvailableResource: "test1",
AvailablePermissions: []string{"Perm1", "Perm2"}, AvailablePermissions: []string{"Perm1", "Perm2"},
}, },
} }
myTok := oauth2.Token{AccessToken: "Mellon"} dts := downscopingTokenSource{
tmpSrc := oauth2.StaticTokenSource(&myTok) ctx: context.Background(),
dts := downscopingTokenSource{context.Background(), DownscopingConfig{tmpSrc, new}} config: DownscopingConfig{
identityBindingEndpoint = ts.URL RootSource: tmpSrc,
Rules: rules,
},
identityBindingEndpoint: ts.URL,
}
_, err := dts.Token() _, err := dts.Token()
if err != nil { if err != nil {
t.Fatalf("NewDownscopedTokenSource failed with error: %v", err) t.Fatalf("NewDownscopedTokenSource failed with error: %v", err)
} }
} }
func Test_DownscopingConfig(t *testing.T) {
tests := []struct {
universeDomain string
want string
}{
{"", "https://sts.googleapis.com/v1/token"},
{"googleapis.com", "https://sts.googleapis.com/v1/token"},
{"example.com", "https://sts.example.com/v1/token"},
}
for _, tt := range tests {
c := DownscopingConfig{
UniverseDomain: tt.universeDomain,
}
if got := c.identityBindingEndpoint(); got != tt.want {
t.Errorf("got %q, want %q", got, tt.want)
}
}
}