Skip to content

Commit

Permalink
google/downscope: add DownscopingConfig.UniverseDomain to support TPC
Browse files Browse the repository at this point in the history
Change-Id: I3669352b382414ea640ca176afa4071995fc5ff1
Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/557135
Reviewed-by: Cody Oss <codyoss@google.com>
TryBot-Bypass: Cody Oss <codyoss@google.com>
Auto-Submit: Cody Oss <codyoss@google.com>
  • Loading branch information
quartzmo authored and gopherbot committed Jan 19, 2024
1 parent 39adbb7 commit deefa7e
Show file tree
Hide file tree
Showing 2 changed files with 56 additions and 9 deletions.
30 changes: 26 additions & 4 deletions google/downscope/downscoping.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,13 +42,16 @@ import (
"io/ioutil"
"net/http"
"net/url"
"strings"
"time"

"golang.org/x/oauth2"
)

var (
identityBindingEndpoint = "https://sts.googleapis.com/v1/token"
const (
universeDomainPlaceholder = "UNIVERSE_DOMAIN"
identityBindingEndpointTemplate = "https://sts.UNIVERSE_DOMAIN/v1/token"
universeDomainDefault = "googleapis.com"
)

type accessBoundary struct {
Expand Down Expand Up @@ -105,6 +108,18 @@ type DownscopingConfig struct {
// access (or set of accesses) that the new token has to a given resource.
// There can be a maximum of 10 AccessBoundaryRules.
Rules []AccessBoundaryRule
// UniverseDomain is the default service domain for a given Cloud universe.
// The default value is "googleapis.com". Optional.
UniverseDomain string
}

// identityBindingEndpoint returns the identity binding endpoint with the
// configured universe domain.
func (dc *DownscopingConfig) identityBindingEndpoint() string {
if dc.UniverseDomain == "" {
return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, universeDomainDefault, 1)
}
return strings.Replace(identityBindingEndpointTemplate, universeDomainPlaceholder, dc.UniverseDomain, 1)
}

// A downscopingTokenSource is used to retrieve a downscoped token with restricted
Expand All @@ -114,6 +129,9 @@ type downscopingTokenSource struct {
ctx context.Context
// config holds the information necessary to generate a downscoped Token.
config DownscopingConfig
// identityBindingEndpoint is the identity binding endpoint with the
// configured universe domain.
identityBindingEndpoint string
}

// NewTokenSource returns a configured downscopingTokenSource.
Expand All @@ -135,7 +153,11 @@ func NewTokenSource(ctx context.Context, conf DownscopingConfig) (oauth2.TokenSo
return nil, fmt.Errorf("downscope: all rules must provide at least one permission: %+v", val)
}
}
return downscopingTokenSource{ctx: ctx, config: conf}, nil
return downscopingTokenSource{
ctx: ctx,
config: conf,
identityBindingEndpoint: conf.identityBindingEndpoint(),
}, nil
}

// Token() uses a downscopingTokenSource to generate an oauth2 Token.
Expand Down Expand Up @@ -171,7 +193,7 @@ func (dts downscopingTokenSource) Token() (*oauth2.Token, error) {
form.Add("options", string(b))

myClient := oauth2.NewClient(dts.ctx, nil)
resp, err := myClient.PostForm(identityBindingEndpoint, form)
resp, err := myClient.PostForm(dts.identityBindingEndpoint, form)
if err != nil {
return nil, fmt.Errorf("unable to generate POST Request %v", err)
}
Expand Down
35 changes: 30 additions & 5 deletions google/downscope/downscoping_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,18 +38,43 @@ func Test_DownscopedTokenSource(t *testing.T) {
w.Write([]byte(standardRespBody))

}))
new := []AccessBoundaryRule{
myTok := oauth2.Token{AccessToken: "Mellon"}
tmpSrc := oauth2.StaticTokenSource(&myTok)
rules := []AccessBoundaryRule{
{
AvailableResource: "test1",
AvailablePermissions: []string{"Perm1", "Perm2"},
},
}
myTok := oauth2.Token{AccessToken: "Mellon"}
tmpSrc := oauth2.StaticTokenSource(&myTok)
dts := downscopingTokenSource{context.Background(), DownscopingConfig{tmpSrc, new}}
identityBindingEndpoint = ts.URL
dts := downscopingTokenSource{
ctx: context.Background(),
config: DownscopingConfig{
RootSource: tmpSrc,
Rules: rules,
},
identityBindingEndpoint: ts.URL,
}
_, err := dts.Token()
if err != nil {
t.Fatalf("NewDownscopedTokenSource failed with error: %v", err)
}
}

func Test_DownscopingConfig(t *testing.T) {
tests := []struct {
universeDomain string
want string
}{
{"", "https://sts.googleapis.com/v1/token"},
{"googleapis.com", "https://sts.googleapis.com/v1/token"},
{"example.com", "https://sts.example.com/v1/token"},
}
for _, tt := range tests {
c := DownscopingConfig{
UniverseDomain: tt.universeDomain,
}
if got := c.identityBindingEndpoint(); got != tt.want {
t.Errorf("got %q, want %q", got, tt.want)
}
}
}

0 comments on commit deefa7e

Please # to comment.