Add some validity testing for AccessBoundaryRules and add documentation.

google/downscope/downscoping.go

@@ -0,0 +1,161 @@
+/*
+Package downscope implements the ability to downwcope, or restrict, the
+Identity and AccessManagement permissions that a short-lived Token
+can use.  Please note that only Google Cloud Storage supports this feature.
+ */
+package downscope
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"golang.org/x/oauth2"
+	"net/http"
+	"net/url"
+	"time"
+)
+
+const (
+	identityBindingEndpoint = "https://sts.googleapis.com/v1beta/token"
+)
+
+// Defines an upper bound of permissions available for a GCP credential for one or more resources
+type AccessBoundary struct {
+	// One or more AccessBoundaryRules are required to define permissions
+	// for the new downscoped token.  Each one defines an access (or set of accesses)
+	// that the new token has to a given resource.
+	AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
+}
+
+// An AvailabilityCondition restricts access to a given Resource.
+type AvailabilityCondition struct {
+	// A condition expression that specifies the Cloud Storage objects where
+	// permissions are available. For further documentation, see
+	// https://cloud.google.com/iam/docs/conditions-overview
+	Expression  string `json:"expression"`
+	// Optional. A short string that identifies the purpose of the condition.
+	Title       string `json:"title,omitempty"`
+	// Optional. Details about the purpose of the condition.
+	Description string `json:"description,omitempty"`
+}
+
+// Sets the permissions (and optionally conditions) that the new
+// token has on given resource.
+type AccessBoundaryRule struct {
+	// AvailableResource is the full resource name of the Cloud Storage bucket that the rule applies to.
+	// Use the format //storage.googleapis.com/projects/_/buckets/bucket-name.
+	AvailableResource    string                 `json:"availableResource"`
+	// AvailablePermissions is a list that defines the upper bound on the available permissions
+	// for the resource.  Each value is the identifier for an IAM predefined role or custom role,
+	// with the prefix inRole:. For example: inRole:roles/storage.objectViewer.
+	// Only the permissions in these roles will be available.
+	AvailablePermissions []string               `json:"availablePermissions"`
+	// An optional Condition that restricts the availability of permissions
+	// to specific Cloud Storage objects.
+	//
+	// Use this field if you want to make permissions available for specific objects,
+	// rather than all objects in a Cloud Storage bucket.
+	Condition            *AvailabilityCondition `json:"availabilityCondition,omitempty"`
+}
+
+type downscopedTokenResponse struct {
+	AccessToken     string `json:"access_token"`
+	IssuedTokenType string `json:"issued_token_type"`
+	TokenType       string `json:"token_type"`
+	ExpiresIn       int    `json:"expires_in"`
+}
+
+// Specifies the information necessary to request a downscoped token.
+type DownscopingConfig struct {
+	// RootSource is the TokenSource used to create the downscoped token.
+	// The downscoped token therefore has some subset of the accesses of
+	// the original RootSource.
+	RootSource               oauth2.TokenSource
+	// CredentialAccessBoundary defines the accesses held by the new
+	// downscoped Token.
+	CredentialAccessBoundary AccessBoundary
+}
+
+// downscopedTokenWithEndpoint is a helper function used for unit testing
+// purposes, as it allows us to pass in a locally mocked endpoint.
+func downscopedTokenWithEndpoint(ctx context.Context, config DownscopingConfig, endpoint string) (oauth2.TokenSource, error) {
+	if config.RootSource == nil {
+		return nil, fmt.Errorf("downscope: rootTokenSource cannot be nil")
+	}
+	if len(config.CredentialAccessBoundary.AccessBoundaryRules) == 0 {
+		return nil, fmt.Errorf("downscope: length of AccessBoundaryRules must be at least 1")
+	}
+	for _, val := range config.CredentialAccessBoundary.AccessBoundaryRules {
+		if val.AvailableResource == "" {
+			return nil, fmt.Errorf("downscope: all rules must have a nonempty AvailableResource: %+v", val)
+		}
+		if len(val.AvailablePermissions) == 0 {
+			return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
+		}
+	}
+
+	downscopedOptions := struct {
+		Boundary AccessBoundary `json:"accessBoundary"`
+	}{
+		Boundary: config.CredentialAccessBoundary,
+	}
+
+	tok, err := config.RootSource.Token()
+	if err != nil {
+		return nil, fmt.Errorf("downscope: unable to obtain root token: %v", err)
+	}
+
+	b, err := json.Marshal(downscopedOptions)
+	if err != nil {
+		return nil, fmt.Errorf("downscope: Unable to marshall AccessBoundary payload %v", err)
+	}
+
+	form := url.Values{}
+	form.Add("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
+	form.Add("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
+	form.Add("requested_token_type", "urn:ietf:params:oauth:token-type:access_token")
+	form.Add("subject_token", tok.AccessToken)
+	form.Add("options", url.QueryEscape(string(b)))
+
+	myClient := oauth2.NewClient(ctx, nil)
+	resp, err := myClient.PostForm(endpoint, form)
+	if err != nil {
+		return nil, fmt.Errorf("unable to generate POST Request %v", err)
+	}
+	defer resp.Body.Close()
+
+	var tresp downscopedTokenResponse
+	err = json.NewDecoder(resp.Body).Decode(&tresp)
+	if err != nil {
+		return nil, fmt.Errorf("unable to unmarshal response body: %v", err)
+	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("unable to exchange token; %v", resp.StatusCode)
+	}
+
+	// an exchanged token that is derived from a service account (2LO) has an expired_in value
+	// a token derived from a users token (3LO) does not.
+	// The following code uses the time remaining on rootToken for a user as the value for the
+	// derived token's lifetime
+	var expiry_time time.Time
+	if tresp.ExpiresIn > 0 {
+		expiry_time = time.Now().Add(time.Duration(time.Duration(tresp.ExpiresIn) * time.Second))
+	} else {
+		expiry_time = tok.Expiry
+	}
+
+	newToken := &oauth2.Token{
+		AccessToken: tresp.AccessToken,
+		TokenType:   tresp.TokenType,
+		Expiry:      expiry_time,
+	}
+	return oauth2.StaticTokenSource(newToken), nil
+}
+
+// NewTokenSource takes a root TokenSource and returns a downscoped TokenSource
+// with a subset of the permissions held by the root source.  The
+// CredentialAccessBoundary in the config defines the permissions held
+// by the new TokenSource.
+func NewTokenSource(ctx context.Context, config DownscopingConfig) (oauth2.TokenSource, error) {
+	return downscopedTokenWithEndpoint(ctx, config, identityBindingEndpoint)
+}

google/downscope/downscoping_test.go

@@ -0,0 +1,56 @@
+package downscope
+
+import (
+	"context"
+	"golang.org/x/oauth2"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+)
+
+var (
+	standardReqBody  = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&options=%257B%2522accessBoundary%2522%253A%257B%2522accessBoundaryRules%2522%253A%255B%257B%2522availableResource%2522%253A%2522test1%2522%252C%2522availablePermissions%2522%253A%255B%2522Perm1%252C%2Bperm2%2522%255D%257D%255D%257D%257D&requested_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token&subject_token=Mellon&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
+	standardRespBody = `{"access_token":"Open Sesame","expires_in":432,"issued_token_type":"urn:ietf:params:oauth:token-type:access_token","token_type":"Bearer"}`
+)
+
+func Test_NewAccessBoundary(t *testing.T) {
+	got := AccessBoundary{make([]AccessBoundaryRule, 0)}
+	want := AccessBoundary{nil}
+	if got.AccessBoundaryRules == nil || len(got.AccessBoundaryRules) != 0 {
+		t.Errorf("NewAccessBoundary() = %v; want %v", got, want)
+	}
+}
+
+func Test_DownscopedTokenSource(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" {
+			t.Errorf("Unexpected request method, %v is found", r.Method)
+		}
+		if r.URL.String() != "/" {
+			t.Errorf("Unexpected request URL, %v is found", r.URL)
+		}
+		body, err := ioutil.ReadAll(r.Body)
+		if err != nil {
+			t.Fatalf("Failed to read request body: %v", err)
+		}
+		if got, want := string(body), standardReqBody; got != want {
+			t.Errorf("Unexpected exchange payload: got %v but want %v,", got, want)
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.Write([]byte(standardRespBody))
+
+	}))
+	new := AccessBoundary{make([]AccessBoundaryRule, 0)}
+	new.AccessBoundaryRules = append(new.AccessBoundaryRules, AccessBoundaryRule{"test1", []string{"Perm1, perm2"}, nil})
+	myTok := oauth2.Token{AccessToken: "Mellon"}
+	tmpSrc := oauth2.StaticTokenSource(&myTok)
+	out, err := downscopedTokenWithEndpoint(context.Background(), DownscopingConfig{tmpSrc, new}, ts.URL)
+	if err != nil {
+		t.Fatalf("NewDownscopedTokenSource failed with error: %v", err)
+	}
+	_, err = out.Token()
+	if err != nil {
+		t.Fatalf("Token() call failed with error %v", err)
+	}
+}