Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: downscoping with credential access boundaries #702

Merged
merged 6 commits into from
Aug 3, 2021
Merged

feat: downscoping with credential access boundaries #702

merged 6 commits into from
Aug 3, 2021

Conversation

lsirac
Copy link
Contributor

@lsirac lsirac commented Jul 27, 2021
edited
Loading

See go/cab-client. This feature is publicly documented here.

Summary:

  • Adds a new DownscopedCredentials class that enables the ability to downscope, or restrict, the IAM permissions that a short-lived credential can use for Cloud Storage. This is done by defining a CredentialAccessBoundary which specifies the upper bound of permissions the downscoped credential will be able to access.
  • OAuth2CredentialsWithRefresh enables access token refresh via a developer defined refresh handler.
  • With CAB, STS may not always return an expires_in. The STS utility has been updated to reflect this. When not returned, the expires_in is copied from the source credential, when available.
  • Includes integration tests with a one time use setup script (already ran).
  • Samples/documentation will be provided in a separate PR.

lsirac and others added 4 commits July 26, 2021 16:22
@lsirac
feat: adds CAB rules classes (#687)
54fe103 
* feat: adds CAB rules classes

* fix: copyright

* fix: revert pom

* fix: review

* fix: bad link

* fix: more null and empty checks

* fix: expand javadoc

* fix: split null/empty checks

* fix: use checkNotNull
@lsirac
feat: downscoping with credential access boundaries (#691)
17e587f 
* feat: downscoping with credential access boundaries

* fix: rename RefreshableOAuth2Credentials to OAuth2CredentialsWithRefresh

* fix: review nits
@lsirac
test: adds integration tests for downscoping with credential access b…
474c61e 
…oundaries
@lsirac
fix: use source credential expiration when STS does not return expire…
94129b9 
…s_in
@lsirac lsirac requested a review from a team as a code owner July 27, 2021 00:00
@google-cla google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Jul 27, 2021
@lsirac lsirac requested a review from TimurSadykov July 27, 2021 00:01
@lsirac lsirac requested a review from elharo July 27, 2021 02:32
@lsirac lsirac requested a review from elharo July 28, 2021 20:18
TimurSadykov
TimurSadykov approved these changes Jul 30, 2021
View reviewed changes
Copy link
Contributor

@TimurSadykov TimurSadykov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@lsirac lsirac requested a review from Neenu1995 August 3, 2021 16:40
@lsirac lsirac merged commit aa7ede1 into googleapis:master Aug 3, 2021
gcf-merge-on-green bot pushed a commit that referenced this pull request Aug 18, 2021
@release-please
chore: release 1.1.0 (#713)
8e904ac 
🤖 I have created a release \*beep\* \*boop\*
---
## [1.1.0](https://www.github.com/googleapis/google-auth-library-java/compare/v1.0.0...v1.1.0) (2021-08-17)


### Features

* downscoping with credential access boundaries ([#702](https://www.github.com/googleapis/google-auth-library-java/issues/702)) ([aa7ede1](https://www.github.com/googleapis/google-auth-library-java/commit/aa7ede1d1c688ba437798f4204820c0506d5d969))


### Bug Fixes

* add validation for the token URL and service account impersonation URL for Workload Identity Federation ([#717](https://www.github.com/googleapis/google-auth-library-java/issues/717)) ([23cb8ef](https://www.github.com/googleapis/google-auth-library-java/commit/23cb8ef778d012bbd452c1dfdac5f096d1af6c95))


### Documentation

* updates README for downscoping with CAB ([#716](https://www.github.com/googleapis/google-auth-library-java/issues/716)) ([68bceba](https://www.github.com/googleapis/google-auth-library-java/commit/68bceba21c05870f6eb616cc057ddf0521c581b8))
---


This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
@release-please release-please bot mentioned this pull request Jan 4, 2022
Closed
@release-please release-please bot mentioned this pull request Aug 11, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Neenu1995 Neenu1995 Neenu1995 approved these changes

@TimurSadykov TimurSadykov TimurSadykov approved these changes

@elharo elharo Awaiting requested review from elharo

Assignees
No one assigned
Labels
cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@lsirac @elharo @TimurSadykov @Neenu1995