UNPKG

google-auth-library

Version:

Google APIs Authentication Client Library for Node.js

github.com/googleapis/google-auth-library-nodejs

googleapis/google-auth-library-nodejs

150 lines (149 loc) 6.69 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
import { GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios'; import { Credentials } from './credentials'; import { AuthClient, AuthClientOptions, GetAccessTokenResponse, BodyResponseCallback } from './authclient'; /** * The maximum number of access boundary rules a Credential Access Boundary * can contain. */ export declare const MAX_ACCESS_BOUNDARY_RULES_COUNT = 10; /** * Offset to take into account network delays and server clock skews. */ export declare const EXPIRATION_TIME_OFFSET: number; /** * Internal interface for tracking the access token expiration time. */ interface CredentialsWithResponse extends Credentials { res?: GaxiosResponse | null; } /** * Internal interface for tracking and returning the Downscoped access token * expiration time in epoch time (seconds). */ interface DownscopedAccessTokenResponse extends GetAccessTokenResponse { expirationTime?: number | null; } /** * Defines an upper bound of permissions available for a GCP credential. */ export interface CredentialAccessBoundary { accessBoundary: { accessBoundaryRules: AccessBoundaryRule[]; }; } /** Defines an upper bound of permissions on a particular resource. */ interface AccessBoundaryRule { availablePermissions: string[]; availableResource: string; availabilityCondition?: AvailabilityCondition; } /** * An optional condition that can be used as part of a * CredentialAccessBoundary to further restrict permissions. */ interface AvailabilityCondition { expression: string; title?: string; description?: string; } export interface DownscopedClientOptions extends AuthClientOptions { /** * The source AuthClient to be downscoped based on the provided Credential Access Boundary rules. */ authClient: AuthClient; /** * The Credential Access Boundary which contains a list of access boundary rules. * Each rule contains information on the resource that the rule applies to, the upper bound of the * permissions that are available on that resource and an optional * condition to further restrict permissions. */ credentialAccessBoundary: CredentialAccessBoundary; } /** * Defines a set of Google credentials that are downscoped from an existing set * of Google OAuth2 credentials. This is useful to restrict the Identity and * Access Management (IAM) permissions that a short-lived credential can use. * The common pattern of usage is to have a token broker with elevated access * generate these downscoped credentials from higher access source credentials * and pass the downscoped short-lived access tokens to a token consumer via * some secure authenticated channel for limited access to Google Cloud Storage * resources. */ export declare class DownscopedClient extends AuthClient { private readonly authClient; private readonly credentialAccessBoundary; private cachedDownscopedAccessToken; private readonly stsCredential; /** * Instantiates a downscoped client object using the provided source * AuthClient and credential access boundary rules. * To downscope permissions of a source AuthClient, a Credential Access * Boundary that specifies which resources the new credential can access, as * well as an upper bound on the permissions that are available on each * resource, has to be defined. A downscoped client can then be instantiated * using the source AuthClient and the Credential Access Boundary. * @param options the {@link DownscopedClientOptions `DownscopedClientOptions`} to use. Passing an `AuthClient` directly is **@DEPRECATED**. * @param credentialAccessBoundary **@DEPRECATED**. Provide a {@link DownscopedClientOptions `DownscopedClientOptions`} object in the first parameter instead. */ constructor( /** * AuthClient is for backwards-compatibility. */ options: AuthClient | DownscopedClientOptions, /** * @deprecated - provide a {@link DownscopedClientOptions `DownscopedClientOptions`} object in the first parameter instead */ credentialAccessBoundary?: CredentialAccessBoundary); /** * Provides a mechanism to inject Downscoped access tokens directly. * The expiry_date field is required to facilitate determination of the token * expiration which would make it easier for the token consumer to handle. * @param credentials The Credentials object to set on the current client. */ setCredentials(credentials: Credentials): void; getAccessToken(): Promise<DownscopedAccessTokenResponse>; /** * The main authentication interface. It takes an optional url which when * present is the endpoint being accessed, and returns a Promise which * resolves with authorization header fields. * * The result has the form: * { authorization: 'Bearer <access_token_value>' } */ getRequestHeaders(): Promise<Headers>; /** * Provides a request implementation with OAuth 2.0 flow. In cases of * HTTP 401 and 403 responses, it automatically asks for a new access token * and replays the unsuccessful request. * @param opts Request options. * @param callback callback. * @return A promise that resolves with the HTTP response when no callback * is provided. */ request<T>(opts: GaxiosOptions): GaxiosPromise<T>; request<T>(opts: GaxiosOptions, callback: BodyResponseCallback<T>): void; /** * Authenticates the provided HTTP request, processes it and resolves with the * returned response. * @param opts The HTTP request options. * @param reAuthRetried Whether the current attempt is a retry after a failed attempt due to an auth failure * @return A promise that resolves with the successful response. */ protected requestAsync<T>(opts: GaxiosOptions, reAuthRetried?: boolean): Promise<GaxiosResponse<T>>; /** * Forces token refresh, even if unexpired tokens are currently cached. * GCP access tokens are retrieved from authclient object/source credential. * Then GCP access tokens are exchanged for downscoped access tokens via the * token exchange endpoint. * @return A promise that resolves with the fresh downscoped access token. */ protected refreshAccessTokenAsync(): Promise<CredentialsWithResponse>; /** * Returns whether the provided credentials are expired or not. * If there is no expiry time, assumes the token is not expired or expiring. * @param downscopedAccessToken The credentials to check for expiration. * @return Whether the credentials are expired or not. */ private isExpired; } export {};