| 1 | import { GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios';
|
| 2 | import { BodyResponseCallback } from '../transporters';
|
| 3 | import { Credentials } from './credentials';
|
| 4 | import { AuthClient, AuthClientOptions } from './authclient';
|
| 5 | import { GetAccessTokenResponse, Headers } from './oauth2client';
|
| 6 | /**
|
| 7 | * The maximum number of access boundary rules a Credential Access Boundary
|
| 8 | * can contain.
|
| 9 | */
|
| 10 | export declare const MAX_ACCESS_BOUNDARY_RULES_COUNT = 10;
|
| 11 | /**
|
| 12 | * Offset to take into account network delays and server clock skews.
|
| 13 | */
|
| 14 | export declare const EXPIRATION_TIME_OFFSET: number;
|
| 15 | /**
|
| 16 | * Internal interface for tracking the access token expiration time.
|
| 17 | */
|
| 18 | interface CredentialsWithResponse extends Credentials {
|
| 19 | res?: GaxiosResponse | null;
|
| 20 | }
|
| 21 | /**
|
| 22 | * Internal interface for tracking and returning the Downscoped access token
|
| 23 | * expiration time in epoch time (seconds).
|
| 24 | */
|
| 25 | interface DownscopedAccessTokenResponse extends GetAccessTokenResponse {
|
| 26 | expirationTime?: number | null;
|
| 27 | }
|
| 28 | /**
|
| 29 | * Defines an upper bound of permissions available for a GCP credential.
|
| 30 | */
|
| 31 | export interface CredentialAccessBoundary {
|
| 32 | accessBoundary: {
|
| 33 | accessBoundaryRules: AccessBoundaryRule[];
|
| 34 | };
|
| 35 | }
|
| 36 | /** Defines an upper bound of permissions on a particular resource. */
|
| 37 | interface AccessBoundaryRule {
|
| 38 | availablePermissions: string[];
|
| 39 | availableResource: string;
|
| 40 | availabilityCondition?: AvailabilityCondition;
|
| 41 | }
|
| 42 | /**
|
| 43 | * An optional condition that can be used as part of a
|
| 44 | * CredentialAccessBoundary to further restrict permissions.
|
| 45 | */
|
| 46 | interface AvailabilityCondition {
|
| 47 | expression: string;
|
| 48 | title?: string;
|
| 49 | description?: string;
|
| 50 | }
|
| 51 | /**
|
| 52 | * Defines a set of Google credentials that are downscoped from an existing set
|
| 53 | * of Google OAuth2 credentials. This is useful to restrict the Identity and
|
| 54 | * Access Management (IAM) permissions that a short-lived credential can use.
|
| 55 | * The common pattern of usage is to have a token broker with elevated access
|
| 56 | * generate these downscoped credentials from higher access source credentials
|
| 57 | * and pass the downscoped short-lived access tokens to a token consumer via
|
| 58 | * some secure authenticated channel for limited access to Google Cloud Storage
|
| 59 | * resources.
|
| 60 | */
|
| 61 | export declare class DownscopedClient extends AuthClient {
|
| 62 | private readonly authClient;
|
| 63 | private readonly credentialAccessBoundary;
|
| 64 | private cachedDownscopedAccessToken;
|
| 65 | private readonly stsCredential;
|
| 66 | /**
|
| 67 | * Instantiates a downscoped client object using the provided source
|
| 68 | * AuthClient and credential access boundary rules.
|
| 69 | * To downscope permissions of a source AuthClient, a Credential Access
|
| 70 | * Boundary that specifies which resources the new credential can access, as
|
| 71 | * well as an upper bound on the permissions that are available on each
|
| 72 | * resource, has to be defined. A downscoped client can then be instantiated
|
| 73 | * using the source AuthClient and the Credential Access Boundary.
|
| 74 | * @param authClient The source AuthClient to be downscoped based on the
|
| 75 | * provided Credential Access Boundary rules.
|
| 76 | * @param credentialAccessBoundary The Credential Access Boundary which
|
| 77 | * contains a list of access boundary rules. Each rule contains information
|
| 78 | * on the resource that the rule applies to, the upper bound of the
|
| 79 | * permissions that are available on that resource and an optional
|
| 80 | * condition to further restrict permissions.
|
| 81 | * @param additionalOptions **DEPRECATED, set this in the provided `authClient`.**
|
| 82 | * Optional additional behavior customization options.
|
| 83 | * @param quotaProjectId **DEPRECATED, set this in the provided `authClient`.**
|
| 84 | * Optional quota project id for setting up in the x-goog-user-project header.
|
| 85 | */
|
| 86 | constructor(authClient: AuthClient, credentialAccessBoundary: CredentialAccessBoundary, additionalOptions?: AuthClientOptions, quotaProjectId?: string);
|
| 87 | /**
|
| 88 | * Provides a mechanism to inject Downscoped access tokens directly.
|
| 89 | * The expiry_date field is required to facilitate determination of the token
|
| 90 | * expiration which would make it easier for the token consumer to handle.
|
| 91 | * @param credentials The Credentials object to set on the current client.
|
| 92 | */
|
| 93 | setCredentials(credentials: Credentials): void;
|
| 94 | getAccessToken(): Promise<DownscopedAccessTokenResponse>;
|
| 95 | /**
|
| 96 | * The main authentication interface. It takes an optional url which when
|
| 97 | * present is the endpoint being accessed, and returns a Promise which
|
| 98 | * resolves with authorization header fields.
|
| 99 | *
|
| 100 | * The result has the form:
|
| 101 | * { Authorization: 'Bearer <access_token_value>' }
|
| 102 | */
|
| 103 | getRequestHeaders(): Promise<Headers>;
|
| 104 | /**
|
| 105 | * Provides a request implementation with OAuth 2.0 flow. In cases of
|
| 106 | * HTTP 401 and 403 responses, it automatically asks for a new access token
|
| 107 | * and replays the unsuccessful request.
|
| 108 | * @param opts Request options.
|
| 109 | * @param callback callback.
|
| 110 | * @return A promise that resolves with the HTTP response when no callback
|
| 111 | * is provided.
|
| 112 | */
|
| 113 | request<T>(opts: GaxiosOptions): GaxiosPromise<T>;
|
| 114 | request<T>(opts: GaxiosOptions, callback: BodyResponseCallback<T>): void;
|
| 115 | /**
|
| 116 | * Authenticates the provided HTTP request, processes it and resolves with the
|
| 117 | * returned response.
|
| 118 | * @param opts The HTTP request options.
|
| 119 | * @param reAuthRetried Whether the current attempt is a retry after a failed attempt due to an auth failure
|
| 120 | * @return A promise that resolves with the successful response.
|
| 121 | */
|
| 122 | protected requestAsync<T>(opts: GaxiosOptions, reAuthRetried?: boolean): Promise<GaxiosResponse<T>>;
|
| 123 | /**
|
| 124 | * Forces token refresh, even if unexpired tokens are currently cached.
|
| 125 | * GCP access tokens are retrieved from authclient object/source credential.
|
| 126 | * Then GCP access tokens are exchanged for downscoped access tokens via the
|
| 127 | * token exchange endpoint.
|
| 128 | * @return A promise that resolves with the fresh downscoped access token.
|
| 129 | */
|
| 130 | protected refreshAccessTokenAsync(): Promise<CredentialsWithResponse>;
|
| 131 | /**
|
| 132 | * Returns whether the provided credentials are expired or not.
|
| 133 | * If there is no expiry time, assumes the token is not expired or expiring.
|
| 134 | * @param downscopedAccessToken The credentials to check for expiration.
|
| 135 | * @return Whether the credentials are expired or not.
|
| 136 | */
|
| 137 | private isExpired;
|
| 138 | }
|
| 139 | export {};
|