
feat: downscoping with credential access boundaries#702

Merged
lsirac merged 6 commits into googleapis:master from lsirac:downscopingwithcab
Aug 3, 2021

Conversation

@lsirac
Contributor

@lsirac lsirac commented Jul 27, 2021

See go/cab-client. This feature is publicly documented here.

Summary:

  • Adds a new DownscopedCredentials class that enables the ability to downscope, or restrict, the IAM permissions that a short-lived credential can use for Cloud Storage. This is done by defining a CredentialAccessBoundary which specifies the upper bound of permissions the downscoped credential will be able to access.
  • OAuth2CredentialsWithRefresh enables access token refresh via a developer defined refresh handler.
  • With CAB, STS may not always return an expires_in. The STS utility has been updated to reflect this. When not returned, the expires_in is copied from the source credential, when available.
  • Includes integration tests with a one-time-use setup script (already run).
  • Samples/documentation will be provided in a separate PR.
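An added end-to-end example, not code from this PR or from the library's own samples, of the two roles the summary describes: a token broker that mints a downscoped Cloud Storage token from a broad source credential under a CredentialAccessBoundary, and a token consumer that holds only that token plus a refresh handler (OAuth2CredentialsWithRefresh). Class and builder names follow the library's public README for this feature and are not shown on this page; the bucket name, the object prefix and the handler calling the broker function directly are assumptions for illustration. Requires google-auth-library-java 1.1.0 or later and Application Default Credentials with access to the bucket.

```java
import com.google.auth.oauth2.AccessToken;
import com.google.auth.oauth2.CredentialAccessBoundary;
import com.google.auth.oauth2.DownscopedCredentials;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.OAuth2CredentialsWithRefresh;
import java.io.IOException;

public class CabDownscopingExample {

  // Token broker side: holds the broad source credential and mints a token whose
  // permissions are capped by the Credential Access Boundary (CAB). The CAB is an
  // upper bound only; it cannot add permissions the source credential lacks.
  static AccessToken mintDownscopedToken(String bucket, String objectPrefix)
      throws IOException {
    GoogleCredentials sourceCredentials =
        GoogleCredentials.getApplicationDefault()
            .createScoped("https://www.googleapis.com/auth/cloud-platform");

    // Only objects under the given prefix are reachable with the downscoped token.
    CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition condition =
        CredentialAccessBoundary.AccessBoundaryRule.AvailabilityCondition.newBuilder()
            .setExpression(
                "resource.name.startsWith('projects/_/buckets/"
                    + bucket + "/objects/" + objectPrefix + "')")
            .build();

    // Read-only on one bucket, further narrowed by the condition above.
    CredentialAccessBoundary.AccessBoundaryRule rule =
        CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
            .setAvailableResource("//storage.googleapis.com/projects/_/buckets/" + bucket)
            .addAvailablePermission("inRole:roles/storage.objectViewer")
            .setAvailabilityCondition(condition)
            .build();

    CredentialAccessBoundary boundary =
        CredentialAccessBoundary.newBuilder().addRule(rule).build();

    DownscopedCredentials downscoped =
        DownscopedCredentials.newBuilder()
            .setSourceCredential(sourceCredentials)
            .setCredentialAccessBoundary(boundary)
            .build();

    // Performs the STS token exchange and returns the short-lived downscoped token.
    return downscoped.refreshAccessToken();
  }

  // Token consumer side: never sees the source credential, only the downscoped
  // token plus a handler that obtains a fresh one when it expires.
  static OAuth2CredentialsWithRefresh consumerCredentials(
      AccessToken initial, String bucket, String objectPrefix) {
    OAuth2CredentialsWithRefresh.OAuth2RefreshHandler handler =
        new OAuth2CredentialsWithRefresh.OAuth2RefreshHandler() {
          @Override
          public AccessToken refreshAccessToken() throws IOException {
            // Assumption for illustration: in a real deployment this is an
            // authenticated call to the broker service, not a direct method call.
            return mintDownscopedToken(bucket, objectPrefix);
          }
        };
    return OAuth2CredentialsWithRefresh.newBuilder()
        .setAccessToken(initial)
        .setRefreshHandler(handler)
        .build();
  }

  public static void main(String[] args) throws IOException {
    String bucket = args.length > 0 ? args[0] : "example-bucket"; // assumed bucket name
    String prefix = "customer-a";                                   // assumed object prefix
    AccessToken token = mintDownscopedToken(bucket, prefix);
    OAuth2CredentialsWithRefresh creds = consumerCredentials(token, bucket, prefix);
    // Hand creds to a Cloud Storage client; any request outside the boundary is denied.
    System.out.println("downscoped token expires at "
        + creds.getAccessToken().getExpirationTime());
  }
}
```

Two checks worth making when deploying this pattern: the effective permissions are the intersection of the source credential's IAM grants and the boundary, so verify the source credential actually has storage.objectViewer (or broader) on the bucket before relying on the downscoped token; and, as the summary notes, STS may omit expires_in for a CAB exchange, in which case the library copies the expiry from the source credential, so the printed expiration can reflect the source token's lifetime rather than a boundary-specific one.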

lsirac and others added 4 commits July 26, 2021 16:22
* feat: adds CAB rules classes

* fix: copyright

* fix: revert pom

* fix: review

* fix: bad link

* fix: more null and empty checks

* fix: expand javadoc

* fix: split null/empty checks

* fix: use checkNotNull

* feat: downscoping with credential access boundaries

* fix: rename RefreshableOAuth2Credentials to OAuth2CredentialsWithRefresh

* fix: review nits

@lsirac lsirac requested a review from a team July 27, 2021 00:00
@google-cla google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Jul 27, 2021
@lsirac lsirac requested a review from TimurSadykov July 27, 2021 00:01
@lsirac lsirac requested a review from elharo July 27, 2021 02:32
@lsirac lsirac requested a review from elharo July 28, 2021 20:18

@TimurSadykov TimurSadykov left a comment


LGTM

@lsirac lsirac requested a review from Neenu1995 August 3, 2021 16:40
@lsirac lsirac merged commit aa7ede1 into googleapis:master Aug 3, 2021
gcf-merge-on-green bot pushed a commit that referenced this pull request Aug 18, 2021
🤖 I have created a release *beep* *boop*
---
## [1.1.0](https://www.github.com/googleapis/google-auth-library-java/compare/v1.0.0...v1.1.0) (2021-08-17)


### Features

* downscoping with credential access boundaries ([#702](https://www.github.com/googleapis/google-auth-library-java/issues/702)) ([aa7ede1](https://www.github.com/googleapis/google-auth-library-java/commit/aa7ede1d1c688ba437798f4204820c0506d5d969))


### Bug Fixes

* add validation for the token URL and service account impersonation URL for Workload Identity Federation ([#717](https://www.github.com/googleapis/google-auth-library-java/issues/717)) ([23cb8ef](https://www.github.com/googleapis/google-auth-library-java/commit/23cb8ef778d012bbd452c1dfdac5f096d1af6c95))


### Documentation

* updates README for downscoping with CAB ([#716](https://www.github.com/googleapis/google-auth-library-java/issues/716)) ([68bceba](https://www.github.com/googleapis/google-auth-library-java/commit/68bceba21c05870f6eb616cc057ddf0521c581b8))
---


This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

4 participants