
35c2a7f188 remove usage of appengine to get rid of unsafe imports 2024-01-17 13:45:16 +01:00
4 changed files with 10 additions and 91 deletions


@@ -42,16 +42,13 @@ import (
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"strings"
"time" "time"
"golang.org/x/oauth2" "golang.org/x/oauth2"
) )
const ( var (
universeDomainPlaceholder = "UNIVERSE_DOMAIN" identityBindingEndpoint = "https://sts.googleapis.com/v1/token"
identityBindingEndpointTemplate = "https://sts.UNIVERSE_DOMAIN/v1/token"
universeDomainDefault = "googleapis.com"
) )
type accessBoundary struct { type accessBoundary struct {
@@ -108,18 +105,6 @@ type DownscopingConfig struct {
// access (or set of accesses) that the new token has to a given resource. // access (or set of accesses) that the new token has to a given resource.
// There can be a maximum of 10 AccessBoundaryRules. // There can be a maximum of 10 AccessBoundaryRules.
Rules []AccessBoundaryRule Rules []AccessBoundaryRule
// UniverseDomain is the default service domain for a given Cloud universe.
// The default value is "googleapis.com". Optional.
UniverseDomain string
}
// identityBindingEndpoint returns the identity binding endpoint with the
// configured universe domain.
func (dc *DownscopingConfig) identityBindingEndpoint() string {
if dc.UniverseDomain == "" {
return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, universeDomainDefault, 1)
}
return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, dc.UniverseDomain, 1)
} }
// A downscopingTokenSource is used to retrieve a downscoped token with restricted // A downscopingTokenSource is used to retrieve a downscoped token with restricted
@@ -129,9 +114,6 @@ type downscopingTokenSource struct {
ctx context.Context ctx context.Context
// config holds the information necessary to generate a downscoped Token. // config holds the information necessary to generate a downscoped Token.
config DownscopingConfig config DownscopingConfig
// identityBindingEndpoint is the identity binding endpoint with the
// configured universe domain.
identityBindingEndpoint string
} }
// NewTokenSource returns a configured downscopingTokenSource. // NewTokenSource returns a configured downscopingTokenSource.
@@ -153,11 +135,7 @@ func NewTokenSource(ctx context.Context, conf DownscopingConfig) (oauth2.TokenSo
return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val) return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
} }
} }
return downscopingTokenSource{ return downscopingTokenSource{ctx: ctx, config: conf}, nil
ctx: ctx,
config: conf,
identityBindingEndpoint: conf.identityBindingEndpoint(),
}, nil
} }
// Token() uses a downscopingTokenSource to generate an oauth2 Token. // Token() uses a downscopingTokenSource to generate an oauth2 Token.
@@ -193,7 +171,7 @@ func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
form.Add("options", string(b)) form.Add("options", string(b))
myClient := oauth2.NewClient(dts.ctx, nil) myClient := oauth2.NewClient(dts.ctx, nil)
resp, err := myClient.PostForm(dts.identityBindingEndpoint, form) resp, err := myClient.PostForm(identityBindingEndpoint, form)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to generate POST Request %v", err) return nil, fmt.Errorf("unable to generate POST Request %v", err)
} }
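Review bot: Switching `const (` to `var (` at the top of the hunk turns `identityBindingEndpoint`, the URL that the root credential is posted to in `Token()`, into mutable package-level state whose only apparent purpose is the test's `identityBindingEndpoint = ts.URL` reassignment. A writable global is a weaker seam than the unexported struct field the commit removes: keep the URL a `const`, add an unexported `endpoint string` field to `downscopingTokenSource`, and have `NewTokenSource` return `downscopingTokenSource{ctx: ctx, config: conf, endpoint: identityBindingEndpoint}` so production instances cannot be re-pointed after construction and tests set it per instance. Removing `UniverseDomain` from the exported `DownscopingConfig` is also an API break for any caller already setting it; if that field never shipped in a release this is fine, otherwise it deserves a line in the commit message. `Token()`'s body begins and ends outside the hunk.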


@@ -38,43 +38,18 @@ func Test_DownscopedTokenSource(t *testing.T) {
w.Write([]byte(standardRespBody)) w.Write([]byte(standardRespBody))
})) }))
myTok := oauth2.Token{AccessToken: "Mellon"} new := []AccessBoundaryRule{
tmpSrc := oauth2.StaticTokenSource(&myTok)
rules := []AccessBoundaryRule{
{ {
AvailableResource: "test1", AvailableResource: "test1",
AvailablePermissions: []string{"Perm1", "Perm2"}, AvailablePermissions: []string{"Perm1", "Perm2"},
}, },
} }
dts := downscopingTokenSource{ myTok := oauth2.Token{AccessToken: "Mellon"}
ctx: context.Background(), tmpSrc := oauth2.StaticTokenSource(&myTok)
config: DownscopingConfig{ dts := downscopingTokenSource{context.Background(), DownscopingConfig{tmpSrc, new}}
RootSource: tmpSrc, identityBindingEndpoint = ts.URL
Rules: rules,
},
identityBindingEndpoint: ts.URL,
}
_, err := dts.Token() _, err := dts.Token()
if err != nil { if err != nil {
t.Fatalf("NewDownscopedTokenSource failed with error: %v", err) t.Fatalf("NewDownscopedTokenSource failed with error: %v", err)
} }
} }
func Test_DownscopingConfig(t *testing.T) {
tests := []struct {
universeDomain string
want string
}{
{"", "https://sts.googleapis.com/v1/token"},
{"googleapis.com", "https://sts.googleapis.com/v1/token"},
{"example.com", "https://sts.example.com/v1/token"},
}
for _, tt := range tests {
c := DownscopingConfig{
UniverseDomain: tt.universeDomain,
}
if got := c.identityBindingEndpoint(); got != tt.want {
t.Errorf("got %q, want %q", got, tt.want)
}
}
}
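Review bot: `identityBindingEndpoint = ts.URL`, just before `dts.Token()`, overwrites package-level state and never restores it, so any other test in this package that reaches `Token()` afterwards will post to the (by then closed) httptest server rather than the default endpoint, and the package can never run such tests with `t.Parallel()`. Restore it on exit: `orig := identityBindingEndpoint; identityBindingEndpoint = ts.URL; t.Cleanup(func() { identityBindingEndpoint = orig })`. The rules slice is named `new`, shadowing the builtin, and `DownscopingConfig{tmpSrc, new}` is a positional literal that breaks silently if fields are reordered; `DownscopingConfig{RootSource: tmpSrc, Rules: rules}` is more robust. The test function starts outside the hunk.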


@@ -19,7 +19,7 @@ import (
"time" "time"
) )
var serviceAccountImpersonationRE = regexp.MustCompile("https://iamcredentials\\..+/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken") var serviceAccountImpersonationRE = regexp.MustCompile("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken")
const ( const (
executableSupportedMaxVersion = 1 executableSupportedMaxVersion = 1
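Review bot: The new pattern writes the hostname as `iamcredentials.googleapis.com` with unescaped dots, so each `.` matches any character and a URL such as `https://iamcredentialsXgoogleapisXcom/v1/projects/-/serviceAccounts/a@b:generateAccessToken` satisfies the regexp, whereas the pattern being replaced at least escaped its literal dot. Use a raw string with the dots escaped: `regexp.MustCompile(`https://iamcredentials\.googleapis\.com/v1/projects/-/serviceAccounts/(.*@.*):generateAccessToken`)`. Since `FindStringSubmatch` matches anywhere in the input, consider also anchoring with `^` if this expression decides whether a configured impersonation URL is trusted rather than only extracting the email; its call site is outside the hunk. The GDU case of the regexp test deleted in basecredentials_test.go would still be a useful guard for this.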


@@ -1021,37 +1021,3 @@ func TestRetrieveOutputFileSubjectTokenJwt(t *testing.T) {
}) })
} }
} }
func TestServiceAccountImpersonationRE(t *testing.T) {
tests := []struct {
name string
serviceAccountImpersonationURL string
want string
}{
{
name: "universe domain Google Default Universe (GDU) googleapis.com",
serviceAccountImpersonationURL: "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/test@project.iam.gserviceaccount.com:generateAccessToken",
want: "test@project.iam.gserviceaccount.com",
},
{
name: "email does not match",
serviceAccountImpersonationURL: "test@project.iam.gserviceaccount.com",
want: "",
},
{
name: "universe domain non-GDU",
serviceAccountImpersonationURL: "https://iamcredentials.apis-tpclp.goog/v1/projects/-/serviceAccounts/test@project.iam.gserviceaccount.com:generateAccessToken",
want: "test@project.iam.gserviceaccount.com",
},
}
for _, tt := range tests {
matches := serviceAccountImpersonationRE.FindStringSubmatch(tt.serviceAccountImpersonationURL)
if matches == nil {
if tt.want != "" {
t.Errorf("%q: got nil, want %q", tt.name, tt.want)
}
} else if matches[1] != tt.want {
t.Errorf("%q: got %q, want %q", tt.name, matches[1], tt.want)
}
}
}