feat: Adds Client-Side Credential Access Boundary Factory example.

[nbayati]

Description

Adds a sample for the client-side CAB token generation.

Note: The client-side cab token generator hasn't been released yet. The SDK team is targeting a release on Feb 3rd (PR)

Checklist

• I have followed Sample Format Guide
• pom.xml parent set to latest shared-configuration
• Appropriate changes to README are included in PR
• These samples need a new API enabled in testing projects to pass (let us know which ones)
• These samples need a new/updated env vars in testing projects set to pass (let us know which ones)
• Tests pass: mvn clean verify required
• Lint passes: mvn -P lint checkstyle:check required
• Static Analysis: mvn -P lint clean compile pmd:cpd-check spotbugs:check advisory only
• This sample adds a new sample directory, and I updated the CODEOWNERS file with the codeowners for this sample
• This sample adds a new Product API, and I updated the Blunderbuss issue/PR auto-assigner with the codeowners for this sample
• Please merge this PR for me once it is approved

[ghost]

Hi team,

I'm currently reviewing this pull request and will provide my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed:

This pull request adds a new sample demonstrating how to use the Client-Side Credential Access Boundary (CAB) factory to generate downscoped tokens. The primary goal is to provide a clear example of how to leverage CAB for more granular access control.

Here's a breakdown of the changes:

• New File: auth/src/main/java/com/google/cloud/auth/samples/ClientSideCredentialAccessBoundaryFactoryExample.java was added. This file contains the complete example code, showcasing the generation and usage of downscoped tokens.
• Code Changes: The new Java file includes methods for:
  • Retrieving source credentials using GoogleCredentials.getApplicationDefault()
  • Defining Credential Access Boundary rules, specifying the resource (//storage.googleapis.com/projects/_/buckets/<bucketName>), permission (inRole:roles/storage.objectViewer), and an expression to control access based on object prefixes.
  • Creating a ClientSideCredentialAccessBoundaryFactory instance.
  • Generating a downscoped token using factory.generateToken(credentialAccessBoundary).
  • Simulating a token consumer that uses the downscoped token to access a Cloud Storage object.

The checklist in the pull request description indicates that the author has followed the sample format guide, updated the pom.xml, README, CODEOWNERS, and blunderbuss files appropriately. Tests and lint checks have been performed and passed. Static analysis is advisory only.

Overall, the changes appear well-structured and documented. I'll be checking the code for correctness, security, and best practices in my full review.

---

And now, a little haiku to lighten the mood:

Scoped tokens flow,
Access controlled, precise, clean,
Code's grace takes flight.

[ghost]

This pull request adds an example for client-side Credential Access Boundary (CAB) token generation. The example demonstrates how to generate downscoped tokens for accessing Google Cloud Storage (GCS) objects. Overall, the code is well-structured and easy to follow. However, there are a few minor improvements that can be made.

I've summarized the Google Java Style Guide elements referenced in this review below:

• Naming: Class names should be nouns, in mixed case with the first letter of each internal word capitalized. Method names should be verbs, in mixed case with the first letter lowercase, with the first letter of each internal word capitalized.
• Comments: Every class, method, and field declaration should have a documentation comment.
• TODO Comments: Use TODO comments for code that is temporary, a short-term solution, or good-enough but not perfect.

I've also included suggestions for updating the README file to reflect the new example.

[snippet-bot]

Here is the summary of changes.

You are about to add 4 region tags.

• auth/src/main/java/com/google/cloud/auth/samples/DownscopedAccessTokenConsumer.java:19, tag auth_client_cab_consumer
• auth/src/main/java/com/google/cloud/auth/samples/DownscopedAccessTokenConsumer.java:56, tag auth_client_cab_consumer
• auth/src/main/java/com/google/cloud/auth/samples/DownscopedAccessTokenGenerator.java:19, tag auth_client_cab_token_broker
• auth/src/main/java/com/google/cloud/auth/samples/DownscopedAccessTokenGenerator.java:42, tag auth_client_cab_token_broker

---

This comment is generated by snippet-bot.
If you find problems with this result, please file an issue at:
https://github.com/googleapis/repo-automation-bots/issues.
To update this comment, add snippet-bot:force-run label or use the checkbox below:

• Refresh this comment

[minherz]

please align PR to follow guidelines

[minherz]

lgtm. Very solid and easy to understand code. Please, notice the feedback regarding lengthy comments.

[minherz]

nit: for further notice, we discourage placing lengthy explanations in the code. you should collaborate with tech writer to have these recommendations placed in the documentation that demonstrates the code snippet instead.