diff --git a/google/downscope/downscoping.go b/google/downscope/downscoping.go
index 5d9ad53..5ef211c 100644
--- a/google/downscope/downscoping.go
+++ b/google/downscope/downscoping.go
@@ -24,13 +24,13 @@ for their function. For example, a token broker can be set up on a server in a
 private network. Various workloads (token consumers) in the same network will
 send authenticated requests to that broker for downscoped tokens to access or
 modify specific google
-cloud storage buckets. See the NewTokenSource example for an example of how a
+cloud storage buckets. See the NewTokenSource example for an example of how a
 token broker would use this package.
 
 The broker will use the functionality in this package to generate a downscoped
 token with the requested configuration, and then pass it back to the token
-consumer. These downscoped access tokens can then be used to access Google
-Storage resources. For instance, you can create a NewClient from the
+consumer. These downscoped access tokens can then be used to access Google
+Storage resources. For instance, you can create a NewClient from the
 "cloud.google.com/go/storage" package and pass in option.WithTokenSource(yourTokenSource))
 */
 package downscope
@@ -81,7 +81,7 @@ type AccessBoundaryRule struct {
 // An Condition restricts the availability of permissions
 // to specific Cloud Storage objects. Optional.
 //
- // A Condition can be used to make permissions available for specific objects,
+ // A Condition can be used to make permissions available for specific objects,
 // rather than all objects in a Cloud Storage bucket.
 Condition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
 }
@@ -183,7 +183,7 @@ func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
 if resp.StatusCode != http.StatusOK {
 b, err := ioutil.ReadAll(resp.Body)
 if err != nil {
- return nil, fmt.Errorf("downscope: unable to exchange token; %v. Failed to read response body: %v", resp.StatusCode, err)
+ return nil, fmt.Errorf("downscope: unable to exchange token; %v. Failed to read response body: %v", resp.StatusCode, err)
 }
 return nil, fmt.Errorf("downscope: unable to exchange token; %v. Server responsed: %v", resp.StatusCode, string(b))
 }
diff --git a/google/downscope/tokenbroker_test.go b/google/downscope/tokenbroker_test.go
index ebe03d8..4ba370b 100644
--- a/google/downscope/tokenbroker_test.go
+++ b/google/downscope/tokenbroker_test.go
@@ -7,16 +7,15 @@ package downscope_test
 import (
 "context"
 "fmt"
+ "golang.org/x/oauth2/google"
 "golang.org/x/oauth2"
 "golang.org/x/oauth2/google/downscope"
 )
-
-
 func ExampleNewTokenSource() {
- // This shows how to generate a downscoped token. This code would be run on the
+ // This shows how to generate a downscoped token. This code would be run on the
 // token broker, which holds the root token used to generate the downscoped token.
 ctx := context.Background()
 // Initializes an accessBoundary with one Rule.
@@ -48,9 +47,9 @@ func ExampleNewTokenSource() {
 // You can now pass tok to a token consumer however you wish, such as exposing
 // a REST API and sending it over HTTP.
- // You can instead use the token held in myTokenSource to make
+ // You can instead use the token held in dts to make
 // Google Cloud Storage calls, as follows:
- // storageClient, err := storage.NewClient(ctx, option.WithTokenSource(myTokenSource))
+ // storageClient, err := storage.NewClient(ctx, option.WithTokenSource(dts))
 }
diff --git a/google/downscope/tokenconsumer_test.go b/google/downscope/tokenconsumer_test.go
index 913b5b5..998e9e0 100644
--- a/google/downscope/tokenconsumer_test.go
+++ b/google/downscope/tokenconsumer_test.go
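Review bot: The added `"golang.org/x/oauth2/google"` import in the tokenbroker_test.go import block is inserted ahead of `"golang.org/x/oauth2"`, which is not the sorted order gofmt keeps within a contiguous import group; its sorted position is between `"golang.org/x/oauth2"` and `"golang.org/x/oauth2/google/downscope"`, and goimports would move it there. The hunk does not show where the `google` package is consumed, so that use presumably sits in the part of ExampleNewTokenSource that lies outside this hunk; if nothing there references it, the example fails to compile with an unused-import error. The comment rename from `myTokenSource` to `dts` in the second hunk should likewise be checked against the variable actually declared in the elided body, since a comment that names a non-existent identifier is what this change is trying to fix.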
@@ -5,40 +5,36 @@ import (
 )
 type localTokenSource struct {
- requestedPerms []string
 requestedObject string
- brokerURL string
+ brokerURL string
 }
-func (localTokenSource) Token() (*oauth2.Token, error){
+func (localTokenSource) Token() (*oauth2.Token, error) {
 var remoteToken oauth2.Token
 // retrieve remoteToken, an oauth2.Token, from token broker
 return &remoteToken, nil
 }
-
 func Example() {
- // A token consumer should define their own tokenSource. In the Token() method,
+ // A token consumer should define their own tokenSource. In the Token() method,
 // it should send a query to a token broker requesting a downscoped token.
 // The token broker holds the root credential that is used to generate the
 // downscoped token.
 thisTokenSource := localTokenSource{
- requestedPerms: []string{"inRole:roles/storage.objectViewer"},
 requestedObject: "//storage.googleapis.com/projects/_/buckets/foo",
- brokerURL: "yourURL.com/internal/broker",
+ brokerURL: "yourURL.com/internal/broker",
 }
 // Wrap the TokenSource in an oauth2.ReuseTokenSource to enable automatic refreshing
 refreshableTS := oauth2.ReuseTokenSource(nil, thisTokenSource)
-
 // You can now use the token source to access Google Cloud Storage resources as follows.
 // storageClient, err := storage.NewClient(ctx, option.WithTokenSource(refreshableTS))
- // bkt := storageClient.Bucket(bucketName)
+ // bkt := storageClient.Bucket("foo"")
 // obj := bkt.Object(objectName)
 // rc, err := obj.NewReader(ctx)
 // defer rc.Close()
 // data, err := ioutil.ReadAll(rc)
-}
\ No newline at end of file
+}
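Review bot: The rewritten example line `// bkt := storageClient.Bucket("foo"")` carries a stray second double quote; it only survives because it is a comment, but readers copy example code verbatim and it would not compile, so it should read `// bkt := storageClient.Bucket("foo")`. Separately, the re-aligned `brokerURL: "yourURL.com/internal/broker"` value has no scheme, and since the example's Token() is a stub the transport used to contact the broker is not shown; a downscoped-token broker endpoint is a credential-bearing path, so the example value would be safer as `"https://yourURL.com/internal/broker"` to steer consumers toward TLS. The enclosing Example() body continues to the end of the hunk, so both points are fully visible here.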