feat: adds README, samples and integration tests for downscoping with CAB #1311
Merged
Commits (23):

bb89f2b  Add description, samples and integration tests for CAB  (xil222)
ff0560c  fix lints  (xil222)
2dabb8d  fix copyright format and import  (xil222)
406a329  Merge branch 'main' into xinxinxin-cabsamples  (xil222)
b025c24  add storage dependency  (xil222)
2051d0f  try on header fix  (xil222)
901472d  Merge branch 'main' into xinxinxin-cabsamples  (lsirac)
6410b28  fix some comments  (xil222)
e4034ab  Merge branch 'xinxinxin-cabsamples' of https://github.com/xil222/goog…  (xil222)
041615b  Merge branch 'main' into xinxinxin-cabsamples  (xil222)
1941ba5  update readme  (xil222)
9724ac2  Merge branch 'main' into xinxinxin-cabsamples  (xil222)
22af7eb  🦉 Updates from OwlBot  (gcf-owl-bot[bot])
bedfbb8  change yaml and fixes comments  (xil222)
6d3c73c  fix conflicts  (xil222)
db1a9a6  🦉 Updates from OwlBot  (gcf-owl-bot[bot])
13a113a  revert bucketName and objectName  (xil222)
898df51  Merge branch 'xinxinxin-cabsamples' of https://github.com/xil222/goog…  (xil222)
7f10832  revert logic in try blocks  (xil222)
cfcc49c  Merge branch 'main' into xinxinxin-cabsamples  (xil222)
02cf854  tweak child exec process  (xil222)
087ccd0  fix lint  (xil222)
b7d91a7  set bucket name and object name environment variable  (xil222)
@@ -0,0 +1,106 @@ | ||
// Copyright 2021 Google LLC | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
'use strict'; | ||
|
||
/** | ||
* Imports the Google Auth and Google Cloud libraries. | ||
*/ | ||
const { | ||
OAuth2Client, | ||
GoogleAuth, | ||
DownscopedClient, | ||
} = require('google-auth-library'); | ||
const {Storage} = require('@google-cloud/storage'); | ||
|
||
/** | ||
* The following sample demonstrates how to initialize a DownscopedClient using | ||
* a credential access boundary and a client obtained via ADC. The | ||
* DownscopedClient is used to create downscoped tokens which can be consumed | ||
* via the OAuth2Client. A refresh handler is used to obtain new downscoped | ||
* tokens seamlessly when they expire. Then the oauth2Client is used to define | ||
* a cloud storage object and call GCS APIs to access specified object and | ||
* print the contents. | ||
*/ | ||
async function main() { | ||
const bucketName = process.env.BUCKET_NAME; | ||
const objectName = process.env.OBJECT_NAME; | ||
// Defines a credential access boundary that grants objectViewer access in | ||
// the specified bucket. | ||
const cab = { | ||
accessBoundary: { | ||
accessBoundaryRules: [ | ||
{ | ||
availableResource: `//storage.googleapis.com/projects/_/buckets/${bucketName}`, | ||
availablePermissions: ['inRole:roles/storage.objectViewer'], | ||
availabilityCondition: { | ||
expression: | ||
"resource.name.startsWith('projects/_/buckets/" + | ||
`${bucketName}/objects/${objectName}')`, | ||
}, | ||
}, | ||
], | ||
}, | ||
}; | ||
|
||
const oauth2Client = new OAuth2Client(); | ||
const googleAuth = new GoogleAuth({ | ||
scopes: 'https://www.googleapis.com/auth/cloud-platform', | ||
}); | ||
const projectId = await googleAuth.getProjectId(); | ||
// Obtain an authenticated client via ADC. | ||
const client = await googleAuth.getClient(); | ||
// Use the client to generate a DownscopedClient. | ||
const cabClient = new DownscopedClient(client, cab); | ||
// Define a refreshHandler that will be used to refresh the downscoped token | ||
// when it expires. | ||
oauth2Client.refreshHandler = async () => { | ||
const refreshedAccessToken = await cabClient.getAccessToken(); | ||
return { | ||
access_token: refreshedAccessToken.token, | ||
expiry_date: refreshedAccessToken.expirationTime, | ||
}; | ||
}; | ||
|
||
const storageOptions = { | ||
projectId, | ||
authClient: { | ||
getCredentials: async () => { | ||
Promise.reject(); | ||
}, | ||
request: opts => { | ||
return oauth2Client.request(opts); | ||
}, | ||
sign: () => { | ||
Promise.reject('unsupported'); | ||
}, | ||
authorizeRequest: async opts => { | ||
opts = opts || {}; | ||
const url = opts.url || opts.uri; | ||
const headers = await oauth2Client.getRequestHeaders(url); | ||
opts.headers = Object.assign(opts.headers || {}, headers); | ||
return opts; | ||
}, | ||
}, | ||
}; | ||
|
||
const storage = new Storage(storageOptions); | ||
const downloadFile = await storage | ||
.bucket(bucketName) | ||
.file(objectName) | ||
.download(); | ||
console.log(downloadFile.toString('utf8')); | ||
} | ||
|
||
main().catch(console.error); |
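Review bot: in the `authClient` shim passed to `Storage`, `getCredentials` and `sign` create a rejected promise with `Promise.reject(...)` but never return it, so the async `getCredentials` resolves to `undefined`, `sign` returns `undefined`, and each call leaves an unhandled rejection behind instead of surfacing an error to the caller; use `throw new Error('unsupported')` in both (or `return Promise.reject(new Error('unsupported'))`). Second, the comment above `cab` says the boundary grants objectViewer on "the specified bucket" and the condition targets one object, but `resource.name.startsWith('projects/_/buckets/${bucketName}/objects/${objectName}')` also matches every object whose name begins with `OBJECT_NAME` (OBJECT_NAME=report covers report-draft as well); either document that prefix matching is intended or narrow the condition if a single object is meant. Finally, `BUCKET_NAME` and `OBJECT_NAME` are interpolated into the CEL expression and the resource path unchecked: an unset variable produces `.../buckets/undefined`, and a single quote in an object name breaks the string literal, so the sample should fail early on missing values and quote the object name properly before building `cab`.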
The approach you came up with here ends up not looking quite as ugly as I was fearing.
How does this compare to Python and other languages? Is there work we should be tracking to make this API easier?
In Python and Java, authClient is passed directly as a variable to create the Storage object, without the need to redefine a couple of APIs such as sign() or getCredentials().
And, yes, the long-term work is referred to in the last PR
GoogleCloudPlatform/nodejs-docs-samples#2368 (comment)
and you can track it in bug b/196442993
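The sample in the diff builds its credential access boundary by interpolating BUCKET_NAME and OBJECT_NAME straight into a CEL expression. The following is an added example, not code from PR #1311 or from the google-auth-library project: a small builder that produces the same `accessBoundary` shape the sample hands to `DownscopedClient`, but validates the bucket name, quotes the object name as a CEL string literal, fails early on missing environment variables, and lets the caller choose between the prefix form (`startsWith`, as in the sample) and an exact match. All helper names (`celString`, `buildObjectViewerBoundary`, `boundaryFromEnv`, `CAB_PREFIX_MATCH`) are this example's own. That an equality comparison on `resource.name` is accepted as a CAB availability condition is an assumption based on IAM Conditions supporting CEL equality; the PR sample and the CAB documentation use `startsWith`, so check the exact form against your environment.

```javascript
// Added example, not code from PR #1311 or from google-auth-library.
// Builds the same credential access boundary shape the sample passes to
// DownscopedClient, but validates the inputs first and quotes the object
// name as a CEL string literal. All helper names are this example's own.

const STORAGE_RESOURCE_PREFIX = '//storage.googleapis.com/projects/_/buckets/';

// Conservative check for GCS bucket names: 3-63 characters, lowercase letters,
// digits, dashes, underscores and dots, starting and ending alphanumerically.
const BUCKET_NAME_RE = /^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$/;

// Render a JavaScript string as a single-quoted CEL string literal. Backslashes
// and single quotes are escaped so an unusual (or hostile) object name cannot
// terminate the literal and alter the rest of the condition.
function celString(value) {
  const escaped = value.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
  return `'${escaped}'`;
}

// Build a boundary granting roles/storage.objectViewer on one bucket, limited
// by an availability condition. With exact=true the condition is an equality
// check on resource.name (assumed to be accepted by CAB, since IAM Conditions
// support CEL equality); with exact=false it is the startsWith prefix form the
// PR sample uses, which also covers every object sharing that prefix.
function buildObjectViewerBoundary({bucketName, objectName, exact = true}) {
  if (typeof bucketName !== 'string' || !BUCKET_NAME_RE.test(bucketName)) {
    throw new Error(`invalid bucket name: ${JSON.stringify(bucketName)}`);
  }
  if (typeof objectName !== 'string' || objectName.length === 0) {
    throw new Error('objectName must be a non-empty string');
  }
  const resourceName = `projects/_/buckets/${bucketName}/objects/${objectName}`;
  const expression = exact
    ? `resource.name == ${celString(resourceName)}`
    : `resource.name.startsWith(${celString(resourceName)})`;
  return {
    accessBoundary: {
      accessBoundaryRules: [
        {
          availableResource: STORAGE_RESOURCE_PREFIX + bucketName,
          availablePermissions: ['inRole:roles/storage.objectViewer'],
          availabilityCondition: {expression},
        },
      ],
    },
  };
}

// Read the same environment variables the sample uses, failing early instead
// of silently producing a boundary on ".../buckets/undefined". CAB_PREFIX_MATCH
// is this example's own switch for opting into the startsWith form.
function boundaryFromEnv(env = process.env) {
  return buildObjectViewerBoundary({
    bucketName: env.BUCKET_NAME,
    objectName: env.OBJECT_NAME,
    exact: env.CAB_PREFIX_MATCH !== '1',
  });
}

// Constructed demo input (not a real bucket); prints the boundary when run.
console.log(
  JSON.stringify(
    buildObjectViewerBoundary({bucketName: 'example-bucket', objectName: "it's.txt"}),
    null,
    2
  )
);
```

The returned object can be passed to `new DownscopedClient(client, boundary)` exactly where the sample passes `cab`; the rest of the sample (the `OAuth2Client` refresh handler and the `Storage` shim) is unchanged by this.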