From b74b0944f513b47371999cea7bb0ebf762df300d Mon Sep 17 00:00:00 2001
From: Patrick Jones
Date: Thu, 5 Aug 2021 10:27:23 -0700
Subject: [PATCH] more nits
---
 google/downscope/downscoping.go | 10 +++++-----
 google/downscope/tokenbroker_test.go | 4 +++-
 google/downscope/tokenconsumer_test.go | 6 +++---
 3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/google/downscope/downscoping.go b/google/downscope/downscoping.go
index 5ef211c..ac5c00d 100644
--- a/google/downscope/downscoping.go
+++ b/google/downscope/downscoping.go
@@ -9,13 +9,13 @@ can use. Please note that only Google Cloud Storage supports this feature. For complete documentation, see https://cloud.google.com/iam/docs/downscoping-short-lived-credentials To downscope permissions of a source credential, you need to define
-a Credential Access Boundary. Said Boundary specifies which resources
+a Credential Access Boundary. Said Boundary specifies which resources
 the newly created credential can access, an upper bound on the permissions
-it has over those resources, and optionally attribute-based conditional
-access to the aforementioned resources. For more information on IAM
+it has over those resources, and optionally attribute-based conditional
+access to the aforementioned resources. For more information on IAM
 Conditions, see https://cloud.google.com/iam/docs/conditions-overview.
-This functionality would typically be used to provide a third party with
+This functionality can be used to provide a third party with
 limited access to and permissions on resources held by the owner of the root credential or internally in conjunction with the principle of least privilege to ensure that internal services only hold the minimum necessary privileges
@@ -185,7 +185,7 @@ func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
 if err != nil {
 return nil, fmt.Errorf("downscope: unable to exchange token; %v. Failed to read response body: %v", resp.StatusCode, err)
 }
- return nil, fmt.Errorf("downscope: unable to exchange token; %v. Server responsed: %v", resp.StatusCode, string(b))
+ return nil, fmt.Errorf("downscope: unable to exchange token; %v. Server responsed: %v", resp.StatusCode, string(b))
 }
 var tresp downscopedTokenResponse
diff --git a/google/downscope/tokenbroker_test.go b/google/downscope/tokenbroker_test.go
index 4ba370b..cb16878 100644
--- a/google/downscope/tokenbroker_test.go
+++ b/google/downscope/tokenbroker_test.go
@@ -18,7 +18,9 @@ func ExampleNewTokenSource() {
 // This shows how to generate a downscoped token. This code would be run on the
 // token broker, which holds the root token used to generate the downscoped token.
 ctx := context.Background()
- // Initializes an accessBoundary with one Rule.
+ // Initializes an accessBoundary with one Rule which restricts the downscoped
+ // token to only be able to access the bucket "foo" and only grants it the
+ // permission "storage.objectViewer".
 accessBoundary := []downscope.AccessBoundaryRule{
 {
 AvailableResource: "//storage.googleapis.com/projects/_/buckets/foo",
diff --git a/google/downscope/tokenconsumer_test.go b/google/downscope/tokenconsumer_test.go
index 998e9e0..548b6eb 100644
--- a/google/downscope/tokenconsumer_test.go
+++ b/google/downscope/tokenconsumer_test.go
@@ -11,7 +11,7 @@ type localTokenSource struct {
 func (localTokenSource) Token() (*oauth2.Token, error) {
 var remoteToken oauth2.Token
- // retrieve remoteToken, an oauth2.Token, from token broker
+ // Retrieve remoteToken, an oauth2.Token, from token broker
 return &remoteToken, nil
 }
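Review bot: The error string on the changed line still misspells "responded" as "responsed"; since the removed and added lines read identically here (presumably a whitespace-only fix), this is the natural place to correct the message as well: `return nil, fmt.Errorf("downscope: unable to exchange token; %v. Server responded: %v", resp.StatusCode, string(b))`. The same line embeds the full response body via `string(b)` in the returned error, so whatever the token endpoint sent back surfaces verbatim in any caller that logs the error; if the body can be large or non-JSON, consider truncating it to a bounded prefix before formatting. `resp.StatusCode` is an int and reads more precisely with `%d` than `%v`, though `%v` is not incorrect. The enclosing `Token()` method begins and ends outside the hunk.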
@@ -26,13 +26,13 @@ func Example() {
 brokerURL: "yourURL.com/internal/broker",
 }
- // Wrap the TokenSource in an oauth2.ReuseTokenSource to enable automatic refreshing
+ // Wrap the TokenSource in an oauth2.ReuseTokenSource to enable automatic refreshing.
 refreshableTS := oauth2.ReuseTokenSource(nil, thisTokenSource)
 // You can now use the token source to access Google Cloud Storage resources as follows.
 // storageClient, err := storage.NewClient(ctx, option.WithTokenSource(refreshableTS))
- // bkt := storageClient.Bucket("foo"")
+ // bkt := storageClient.Bucket("foo")
 // obj := bkt.Object(objectName)
 // rc, err := obj.NewReader(ctx)
 // defer rc.Close()