forked from remote/oauth2
downscope: update examples
This commit is contained in:
Patrick Jones
@@ -24,13 +24,13 @@ for their function.
|
|||||||
For example, a token broker can be set up on a server in a private network.
|
For example, a token broker can be set up on a server in a private network.
|
||||||
Various workloads (token consumers) in the same network will send authenticated
|
Various workloads (token consumers) in the same network will send authenticated
|
||||||
requests to that broker for downscoped tokens to access or modify specific google
|
requests to that broker for downscoped tokens to access or modify specific google
|
||||||
cloud storage buckets. See the NewTokenSource example for an example of how a
|
cloud storage buckets. See the NewTokenSource example for an example of how a
|
||||||
token broker would use this package.
|
token broker would use this package.
|
||||||
|
|
||||||
The broker will use the functionality in this package to generate a downscoped
|
The broker will use the functionality in this package to generate a downscoped
|
||||||
token with the requested configuration, and then pass it back to the token
|
token with the requested configuration, and then pass it back to the token
|
||||||
consumer. These downscoped access tokens can then be used to access Google
|
consumer. These downscoped access tokens can then be used to access Google
|
||||||
Storage resources. For instance, you can create a NewClient from the
|
Storage resources. For instance, you can create a NewClient from the
|
||||||
"cloud.google.com/go/storage" package and pass in option.WithTokenSource(yourTokenSource))
|
"cloud.google.com/go/storage" package and pass in option.WithTokenSource(yourTokenSource))
|
||||||
*/
|
*/
|
||||||
package downscope
|
package downscope
|
||||||
@@ -81,7 +81,7 @@ type AccessBoundaryRule struct {
|
|||||||
// An Condition restricts the availability of permissions
|
// An Condition restricts the availability of permissions
|
||||||
// to specific Cloud Storage objects. Optional.
|
// to specific Cloud Storage objects. Optional.
|
||||||
//
|
//
|
||||||
// A Condition can be used to make permissions available for specific objects,
|
// A Condition can be used to make permissions available for specific objects,
|
||||||
// rather than all objects in a Cloud Storage bucket.
|
// rather than all objects in a Cloud Storage bucket.
|
||||||
Condition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
|
Condition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
|
||||||
}
|
}
|
||||||
@@ -183,7 +183,7 @@ func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
|
|||||||
if resp.StatusCode != http.StatusOK {
|
if resp.StatusCode != http.StatusOK {
|
||||||
b, err := ioutil.ReadAll(resp.Body)
|
b, err := ioutil.ReadAll(resp.Body)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("downscope: unable to exchange token; %v. Failed to read response body: %v", resp.StatusCode, err)
|
return nil, fmt.Errorf("downscope: unable to exchange token; %v. Failed to read response body: %v", resp.StatusCode, err)
|
||||||
}
|
}
|
||||||
return nil, fmt.Errorf("downscope: unable to exchange token; %v. Server responsed: %v", resp.StatusCode, string(b))
|
return nil, fmt.Errorf("downscope: unable to exchange token; %v. Server responsed: %v", resp.StatusCode, string(b))
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -7,16 +7,15 @@ package downscope_test
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
|
||||||
"golang.org/x/oauth2/google"
|
"golang.org/x/oauth2/google"
|
||||||
|
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
"golang.org/x/oauth2/google/downscope"
|
"golang.org/x/oauth2/google/downscope"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
func ExampleNewTokenSource() {
|
func ExampleNewTokenSource() {
|
||||||
// This shows how to generate a downscoped token. This code would be run on the
|
// This shows how to generate a downscoped token. This code would be run on the
|
||||||
// token broker, which holds the root token used to generate the downscoped token.
|
// token broker, which holds the root token used to generate the downscoped token.
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
// Initializes an accessBoundary with one Rule.
|
// Initializes an accessBoundary with one Rule.
|
||||||
@@ -48,9 +47,9 @@ func ExampleNewTokenSource() {
|
|||||||
// You can now pass tok to a token consumer however you wish, such as exposing
|
// You can now pass tok to a token consumer however you wish, such as exposing
|
||||||
// a REST API and sending it over HTTP.
|
// a REST API and sending it over HTTP.
|
||||||
|
|
||||||
// You can instead use the token held in myTokenSource to make
|
// You can instead use the token held in dts to make
|
||||||
// Google Cloud Storage calls, as follows:
|
// Google Cloud Storage calls, as follows:
|
||||||
|
|
||||||
// storageClient, err := storage.NewClient(ctx, option.WithTokenSource(myTokenSource))
|
// storageClient, err := storage.NewClient(ctx, option.WithTokenSource(dts))
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5,40 +5,36 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
type localTokenSource struct {
|
type localTokenSource struct {
|
||||||
requestedPerms []string
|
|
||||||
requestedObject string
|
requestedObject string
|
||||||
brokerURL string
|
brokerURL string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (localTokenSource) Token() (*oauth2.Token, error){
|
func (localTokenSource) Token() (*oauth2.Token, error) {
|
||||||
var remoteToken oauth2.Token
|
var remoteToken oauth2.Token
|
||||||
// retrieve remoteToken, an oauth2.Token, from token broker
|
// retrieve remoteToken, an oauth2.Token, from token broker
|
||||||
return &remoteToken, nil
|
return &remoteToken, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
func Example() {
|
func Example() {
|
||||||
// A token consumer should define their own tokenSource. In the Token() method,
|
// A token consumer should define their own tokenSource. In the Token() method,
|
||||||
// it should send a query to a token broker requesting a downscoped token.
|
// it should send a query to a token broker requesting a downscoped token.
|
||||||
// The token broker holds the root credential that is used to generate the
|
// The token broker holds the root credential that is used to generate the
|
||||||
// downscoped token.
|
// downscoped token.
|
||||||
|
|
||||||
thisTokenSource := localTokenSource{
|
thisTokenSource := localTokenSource{
|
||||||
requestedPerms: []string{"inRole:roles/storage.objectViewer"},
|
|
||||||
requestedObject: "//storage.googleapis.com/projects/_/buckets/foo",
|
requestedObject: "//storage.googleapis.com/projects/_/buckets/foo",
|
||||||
brokerURL: "yourURL.com/internal/broker",
|
brokerURL: "yourURL.com/internal/broker",
|
||||||
}
|
}
|
||||||
|
|
||||||
// Wrap the TokenSource in an oauth2.ReuseTokenSource to enable automatic refreshing
|
// Wrap the TokenSource in an oauth2.ReuseTokenSource to enable automatic refreshing
|
||||||
refreshableTS := oauth2.ReuseTokenSource(nil, thisTokenSource)
|
refreshableTS := oauth2.ReuseTokenSource(nil, thisTokenSource)
|
||||||
|
|
||||||
|
|
||||||
// You can now use the token source to access Google Cloud Storage resources as follows.
|
// You can now use the token source to access Google Cloud Storage resources as follows.
|
||||||
|
|
||||||
// storageClient, err := storage.NewClient(ctx, option.WithTokenSource(refreshableTS))
|
// storageClient, err := storage.NewClient(ctx, option.WithTokenSource(refreshableTS))
|
||||||
// bkt := storageClient.Bucket(bucketName)
|
// bkt := storageClient.Bucket("foo"")
|
||||||
// obj := bkt.Object(objectName)
|
// obj := bkt.Object(objectName)
|
||||||
// rc, err := obj.NewReader(ctx)
|
// rc, err := obj.NewReader(ctx)
|
||||||
// defer rc.Close()
|
// defer rc.Close()
|
||||||
// data, err := ioutil.ReadAll(rc)
|
// data, err := ioutil.ReadAll(rc)
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user