Skip to content

Stacked commits for credential vending (draft, to be split)#90

Draft
snazy wants to merge 4 commits into
floci-io:mainfrom
snazy:cred-vending-stack
Draft

Stacked commits for credential vending (draft, to be split)#90
snazy wants to merge 4 commits into
floci-io:mainfrom
snazy:cred-vending-stack

Conversation

@snazy

@snazy snazy commented Jul 15, 2026

Copy link
Copy Markdown

No description provided.

snazy added 4 commits July 15, 2026 13:07
Adds the IAM Credentials REST emulator surface for local credential vending, including generateAccessToken validation, service enablement wiring, REST tests, and Java generated-client compatibility coverage.

- [x] New feature (`feat:`)

Implements the IAM Credentials v1 HTTP/JSON generateAccessToken path used by the Google Java IAM Credentials client. Verified with IamCredentialsServiceTest, IamCredentialsRestIntegrationTest, IamCredentialsDisabledRestIntegrationTest, IamServiceTest, and compatibility-tests/sdk-test-java IamCredentialsTest against a running emulator.

- [x] `./mvnw test` passes locally
- [x] New or updated integration test added
- [x] Commit messages follow Conventional Commits
Adds the IAM Credentials REST emulator surface for local credential vending, including generateAccessToken validation, service enablement wiring, REST tests, and Java generated-client compatibility coverage.

- [x] New feature (`feat:`)

Implements the IAM Credentials v1 HTTP/JSON generateAccessToken path used by the Google Java IAM Credentials client. Verified with IamCredentialsServiceTest, IamCredentialsRestIntegrationTest, IamCredentialsDisabledRestIntegrationTest, IamServiceTest, and compatibility-tests/sdk-test-java IamCredentialsTest against a running emulator.

- [x] `./mvnw test` passes locally
- [x] New or updated integration test added
- [x] Commit messages follow Conventional Commits
Adds the STS token-exchange endpoint used by Google Java DownscopedCredentials, a deliberately limited GCS CAB parser, global Floci credential token storage, and stored impersonated-token handling for later GCS enforcement.

- [x] New feature (`feat:`)

Implements the STS v1 form token-exchange contract needed by the Google Java auth-library downscoping flow. Verified with STS REST tests, CAB parser tests, token-store tests, disablement coverage, and compatibility-tests/sdk-test-java StsTokenExchangeTest against a running emulator.

- [x] `./mvnw test` passes locally
- [x] New or updated integration test added
- [x] Commit messages follow Conventional Commits
Enforces Floci downscoped-token CAB rules across GCS object, upload, XML, compose, copy, rewrite, resumable, and batch paths while preserving existing bypass behavior for missing, static, and stored impersonated credentials.

- [x] New feature (`feat:`)

Implements the intentionally limited GCS Credential Access Boundary subset produced by the Google Java downscoped credentials flow. Verified with GcsAuthorizationTest, GcsScopedTokenRestIntegrationTest, existing GCS service coverage, and compatibility-tests/sdk-test-java GcsDownscopedTokenTest against a running emulator.

- [x] `./mvnw test` passes locally
- [x] New or updated integration test added
- [x] Commit messages follow Conventional Commits
@snazy
snazy force-pushed the cred-vending-stack branch from 29f56f9 to ab511df Compare July 15, 2026 11:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant