downscope: implement support for token downscoping

Implements support for token downscoping to allow for the creation of tokens with restricted permissions Change-Id: I52459bdb0dfdd5e8d86e6043ba0362f4bf4b823c GitHub-Last-Rev: 941cf10a8e GitHub-Pull-Request: golang/oauth2#502 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/326529 Reviewed-by: Chris Broadfoot <cbro@golang.org> Run-TryBot: Chris Broadfoot <cbro@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Trust: Tyler Bui-Palsulich <tbp@google.com> Trust: Cody Oss <codyoss@google.com>
2021-06-24 23:26:16 +00:00
parent a8dc77f794
commit a41e5a7819
3 changed files with 283 additions and 0 deletions
--- a/google/downscope/example_test.go
+++ b/google/downscope/example_test.go
@@ -0,0 +1,38 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package downscope_test
+
+import (
+	"context"
+
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google/downscope"
+)
+
+func ExampleNewTokenSource() {
+	ctx := context.Background()
+	// Initializes an accessBoundary with one Rule.
+	accessBoundary := []downscope.AccessBoundaryRule{
+		{
+			AvailableResource:    "//storage.googleapis.com/projects/_/buckets/foo",
+			AvailablePermissions: []string{"inRole:roles/storage.objectViewer"},
+		},
+	}
+
+	var rootSource oauth2.TokenSource
+	// This Source can be initialized in multiple ways; the following example uses
+	// Application Default Credentials.
+
+	// rootSource, err := google.DefaultTokenSource(ctx, "https://www.googleapis.com/auth/cloud-platform")
+
+	dts, err := downscope.NewTokenSource(ctx, downscope.DownscopingConfig{RootSource: rootSource, Rules: accessBoundary})
+	if err != nil {
+		_ = dts
+	}
+	// You can now use the token held in myTokenSource to make
+	// Google Cloud Storage calls, as follows:
+
+	// storageClient, err := storage.NewClient(ctx, option.WithTokenSource(myTokenSource))
+}