google

package module
v0.0.0-...-b3a3517
Published: Sep 13, 2022 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

const (
	TOKEN_INFO_ENDPOINT       = "https://www.googleapis.com/oauth2/v3/tokeninfo"
	IDENTITY_BINDING_ENDPOINT = "https://sts.googleapis.com/v1beta/token"
)

Variables

This section is empty.

Functions

func DownScopedTokenSource

func DownScopedTokenSource(tokenConfig *DownScopedTokenConfig) (oauth2.TokenSource, error)

DownScopedTokenSource returns a reduced-capability Google Cloud TokenSource derived from a higher-privileged TokenSource.

Use this TokenSource to limit the resources a credential can access on GCP. For example, if a given TokenSource can access GCS buckets A and B, a DownScopedTokenSource derived from that root still represents the _same_ user, but its IAM permissions are restricted to bucket A, or even more narrowly to a single bucket+object (bucketA/objectC.txt).

For more information, see: https://github.com/salrashid123/downscoped_token

RootTokenSource (oauth2.TokenSource): The root token source to derive the restricted one from.
DownScopedTokenConfig ([]AccessBoundaryRule): List of AccessBoundaryRule structures defining
    what restriction policies to apply to a resource. With the following options, the token that
    is returned is only valid as an objectViewer on bucketA, and the availability condition
    narrows it further to the single object objectC.txt:
    {
      "accessBoundary": {
        "accessBoundaryRules": [
          {
            "availableResource": "//storage.googleapis.com/projects/_/buckets/bucketA",
            "availablePermissions": ["inRole:roles/storage.objectViewer"],
            "availabilityCondition": {
              "title": "obj-prefixes",
              "expression": "resource.name.startsWith(\"projects/_/buckets/bucketA/objects/objectC.txt\")"
            }
          }
        ]
      }
    }
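An added example, not code from this package, showing how the boundary from the doc comment above is assembled from the package's own types (redeclared locally so it runs without the module) and generalised to any bucket/object, then placed into the STS token-exchange request body that a downscoping exchange against IDENTITY_BINDING_ENDPOINT takes. The form parameter names follow the public STS token-exchange API (RFC 8693 style); that they match what this package itself sends is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)
// Mirrors of the package's exported types, JSON tags included.
type AvailabilityCondition struct {
	Title      string `json:"title,omitempty"`
	Expression string `json:"expression,omitempty"`
}
type AccessBoundaryRule struct {
	AvailableResource     string                 `json:"availableResource"`
	AvailablePermissions  []string               `json:"availablePermissions"`
	AvailabilityCondition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
}
type AccessBoundary struct {
	AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
}
type DownscopedOptions struct {
	AccessBoundary AccessBoundary `json:"accessBoundary"`
}
// ObjectViewerBoundary generalises the docs' bucketA/objectC.txt case: objectViewer on one bucket, narrowed by CEL to one object.
func ObjectViewerBoundary(bucket, object string) DownscopedOptions {
	return DownscopedOptions{AccessBoundary: AccessBoundary{AccessBoundaryRules: []AccessBoundaryRule{{
		AvailableResource:    "//storage.googleapis.com/projects/_/buckets/" + bucket,
		AvailablePermissions: []string{"inRole:roles/storage.objectViewer"},
		AvailabilityCondition: &AvailabilityCondition{
			Title:      "obj-prefixes",
			Expression: fmt.Sprintf("resource.name.startsWith(%q)", "projects/_/buckets/"+bucket+"/objects/"+object),
		},
	}}}}
}

// ExchangeForm builds the token-exchange form body (assumed STS API shape, see lead-in) with the
// boundary JSON-encoded in "options". An empty boundary is refused: it is a configuration mistake.
func ExchangeForm(rootAccessToken string, opts DownscopedOptions) (url.Values, error) {
	if len(opts.AccessBoundary.AccessBoundaryRules) == 0 {
		return nil, fmt.Errorf("empty access boundary: token would not be downscoped as intended")
	}
	body, _ := json.Marshal(opts) // plain structs: Marshal cannot fail here
	return url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"subject_token_type":   {"urn:ietf:params:oauth:token-type:access_token"},
		"requested_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"subject_token":        {rootAccessToken}, // the higher-privileged root token
		"options":              {string(body)},
	}, nil
}
```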

Types

type AccessBoundary

type AccessBoundary struct {
	AccessBoundaryRules []AccessBoundaryRule `json:"accessBoundaryRules"`
}

type AccessBoundaryRule

type AccessBoundaryRule struct {
	AvailableResource     string                 `json:"availableResource"`
	AvailablePermissions  []string               `json:"availablePermissions"`
	AvailabilityCondition *AvailabilityCondition `json:"availabilityCondition,omitempty"`
}

type AvailabilityCondition

type AvailabilityCondition struct {
	Title      string `json:"title,omitempty"`
	Expression string `json:"expression,omitempty"`
}

type DownScopedTokenConfig

type DownScopedTokenConfig struct {
	RootTokenSource   oauth2.TokenSource
	DownscopedOptions DownscopedOptions
}

type DownScopedTokenResponse

type DownScopedTokenResponse struct {
	AccessToken     string `json:"access_token"`
	IssuedTokenType string `json:"issued_token_type"`
	TokenType       string `json:"token_type"`
	ExpiresIn       int    `json:"expires_in"`
}

type DownscopedOptions

type DownscopedOptions struct {
	AccessBoundary AccessBoundary `json:"accessBoundary"`
}
