From 6c2dbd52fe6406a5037374f7258cfec739a4706c Mon Sep 17 00:00:00 2001
From: Jisha Abubaker
Date: Thu, 10 Aug 2017 12:34:30 -0700
Subject: [PATCH 1/3] fixing IAP tests

---
 .../com/example/appengine/iap/JwtServlet.java | 3 +-
 iap/README.md | 20 ++++++------
 .../iap/BuildAndVerifyIapRequestIT.java | 31 +++++++++----------
 3 files changed, 25 insertions(+), 29 deletions(-)

diff --git a/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java b/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
index 0405d259c3b..974c8e14a09 100644
--- a/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
+++ b/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
@@ -26,9 +26,10 @@
 public class JwtServlet extends HttpServlet {
   private static final String IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+  private static final String IAP_AUTHENTICATED_USER_HEADER = "x-goog-authenticated-user-jwt";
   @Override
   public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-    resp.getWriter().print(IAP_JWT_HEADER + ":" + req.getHeader(IAP_JWT_HEADER));
+    resp.getWriter().print(IAP_AUTHENTICATED_USER_HEADER + ":" + req.getHeader(IAP_JWT_HEADER));
   }
 }
diff --git a/iap/README.md b/iap/README.md
index d8819ed64e3..d2705caee01 100644
--- a/iap/README.md
+++ b/iap/README.md
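Review bot: The new print line labels the value `x-goog-authenticated-user-jwt` but still reads `req.getHeader(IAP_JWT_HEADER)`, i.e. the `x-goog-iap-jwt-assertion` header, so the response body names one header and carries another; the integration test in the third file of this patch mirrors the same mismatch (it asserts the user-JWT label, then re-sends the value as `x-goog-iap-jwt-assertion`). Either read the header the label names, `req.getHeader(IAP_AUTHENTICATED_USER_HEADER)`, and update the test accordingly, or if reflecting the IAP assertion under the user-JWT label is deliberate, say so on the constant, e.g. `// Label only: the body carries the IAP assertion so the IT can replay it for verification`. A one-line comment noting that this servlet intentionally echoes the IAP-issued JWT back to the caller (sample-only behaviour) would also help readers who copy it.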
@@ -28,24 +28,22 @@ It will be used to test both the authorization of an incoming request to an IAP
 - Add the service account email to the Identity-Aware Proxy access list for the project.
-- Set the following environment variables to test sending a request to an IAP protected resource:
+- Update the following variables in [BuildAndVerifyIapRequestIT.java](src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java):
   - `IAP_PROTECTED_URL` : URL of your IAP protected resource . eg. `https://your-project-id.appspot.com`
   - `IAP_CLIENT_ID` to point to the [OAuth 2.0 Client ID](https://console.cloud.google.com/apis/credentials) of your IAP protected App Engine Application.
- - Set the following environment variables to test verifying a JWT issued for an App Engine protected application:
-  - `GOOGLE_CLOUD_PROJECT`: Google Cloud Project ID
+  - `IAP_PROJECT_ID` : Google Cloud Project ID
   - `IAP_PROJECT_NUMBER` : [Project number](https://console.cloud.google.com/home/dashboard) of the IAP protected resource.
-  Also available via `gcloud` using:
-  ```
-  gcloud projects describe PROJECT_ID
-  ```
-
+  Also available via `gcloud` using:
+  ```
+  gcloud projects describe PROJECT_ID
+  ```
 - Run the integration test:
-```
-  mvn -Dtest=com.example.iap.BuildAndVerifyIapRequestIT verify
-```
+  ```
+  mvn -Dtest=com.example.iap.BuildAndVerifyIapRequestIT verify
+  ```
 ## References
 - [JWT library for Java (jjwt)](https://github.com/jwtk/jjwt)
diff --git a/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java b/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java
index e043afb8b5c..5183b0053da 100644
--- a/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java
+++ b/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java
@@ -26,7 +26,6 @@
 import com.google.api.client.http.javanet.NetHttpTransport;
 import io.jsonwebtoken.Jwt;
 import org.apache.http.HttpStatus;
-import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
@@ -34,24 +33,22 @@
 @RunWith(JUnit4.class)
 public class BuildAndVerifyIapRequestIT {
-  private String iapProtectedUrl = System.getenv("IAP_PROTECTED_URL");
-  private String iapClientId = System.getenv("IAP_CLIENT_ID");
-  private Long projectNumber = Long.parseLong(System.getenv("IAP_PROJECT_NUMBER"));
-  private String projectId = System.getenv("GOOGLE_CLOUD_PROJECT");
+  // Update these fields to reflect your IAP protected App Engine credentials
+  private static Long IAP_PROJECT_NUMBER = 320431926067L;
+  private static String IAP_PROJECT_ID = "gcp-devrel-iap-reflect";
+  private static String IAP_PROTECTED_URL = "https://gcp-devrel-iap-reflect.appspot.com";
+  private static String IAP_CLIENT_ID =
+      "320431926067-ldm6839p8l2sei41nlsfc632l4d0v2u1.apps.googleusercontent.com";
+
   private HttpTransport httpTransport = new NetHttpTransport();
   private VerifyIapRequestHeader verifyIapRequestHeader = new VerifyIapRequestHeader();
-  @Before
-  public void setUp() {
-    assertNotNull(iapProtectedUrl);
-    assertNotNull(iapClientId);
-  }
   // Access an IAP protected url without signed jwt authorization header
   @Test
   public void accessIapProtectedResourceFailsWithoutJwtHeader() throws Exception {
     HttpRequest request =
-        httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(iapProtectedUrl));
+        httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(IAP_PROTECTED_URL));
     try {
       request.execute();
     } catch (HttpResponseException e) {
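Review bot: The four replacement fields are mutable `private static` values named like constants; they should be `private static final`, and with the `System.getenv` lookups gone the removed `@Before` null guard is indeed no longer needed. Hard-coding the project number, project ID, URL and OAuth client ID also pins every run of this test to that one project, so a reader who follows the README and adds their service account to their own project's IAP access list will presumably still be sent to the hard-coded project and refused there. Reading each value from the environment with the committed value as the default keeps the README workflow working without editing source. None of these values is a secret (an OAuth client ID and project number are public identifiers), so committing them is a portability issue rather than a credential leak. The class body continues past the end of the hunk.
```java
  // Override via the environment to target another project; defaults point at the sample project
  private static final Long IAP_PROJECT_NUMBER =
      Long.parseLong(System.getenv().getOrDefault("IAP_PROJECT_NUMBER", "320431926067"));
  private static final String IAP_PROJECT_ID =
      System.getenv().getOrDefault("IAP_PROJECT_ID", "gcp-devrel-iap-reflect");
  private static final String IAP_PROTECTED_URL =
      System.getenv().getOrDefault("IAP_PROTECTED_URL", "https://gcp-devrel-iap-reflect.appspot.com");
  private static final String IAP_CLIENT_ID =
      System.getenv().getOrDefault("IAP_CLIENT_ID",
          "320431926067-ldm6839p8l2sei41nlsfc632l4d0v2u1.apps.googleusercontent.com");
  // … unchanged: httpTransport / verifyIapRequestHeader fields and the test methods …
```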
@@ -63,23 +60,23 @@ public void accessIapProtectedResourceFailsWithoutJwtHeader() throws Exception {
   @Test
   public void testGenerateAndVerifyIapRequestIsSuccessful() throws Exception {
     HttpRequest request =
-        httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(iapProtectedUrl));
-    HttpRequest iapRequest = buildIAPRequest(request, iapClientId);
+        httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(IAP_PROTECTED_URL));
+    HttpRequest iapRequest = buildIAPRequest(request, IAP_CLIENT_ID);
     HttpResponse response = iapRequest.execute();
     assertEquals(response.getStatusCode(), HttpStatus.SC_OK);
     String headerWithtoken = response.parseAsString();
     String[] split = headerWithtoken.split(":");
     assertNotNull(split);
-    assertEquals(split.length, 2);
-    assertEquals(split[0].trim(), "x-goog-iap-jwt-assertion");
+    assertEquals(2, split.length);
+    assertEquals("x-goog-authenticated-user-jwt", split[0].trim());
     String jwtToken = split[1].trim();
     HttpRequest verifyJwtRequest =
         httpTransport
             .createRequestFactory()
-            .buildGetRequest(new GenericUrl(iapProtectedUrl)).setHeaders(
+            .buildGetRequest(new GenericUrl(IAP_PROTECTED_URL)).setHeaders(
                 new HttpHeaders().set("x-goog-iap-jwt-assertion", jwtToken));
     Jwt decodedJWT = verifyIapRequestHeader.verifyJWTTokenForAppEngine(
-        verifyJwtRequest, projectNumber, projectId);
+        verifyJwtRequest, IAP_PROJECT_NUMBER, IAP_PROJECT_ID);
     assertNotNull(decodedJWT);
   }
 }

From 091d57fc49fb476471f516fd9546789f7aed0748 Mon Sep 17 00:00:00 2001
From: Jisha Abubaker
Date: Thu, 10 Aug 2017 12:37:05 -0700
Subject: [PATCH 2/3] updating README

---
 iap/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/iap/README.md b/iap/README.md
index d2705caee01..6407754900e 100644
--- a/iap/README.md
+++ b/iap/README.md
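Review bot: `assertEquals(response.getStatusCode(), HttpStatus.SC_OK)` still has expected and actual swapped while the two assertions below it were corrected in this hunk; change it to `assertEquals(HttpStatus.SC_OK, response.getStatusCode());` so a failure message reads the right way round. Also, since the servlet builds the body with `header + ":" + req.getHeader(...)`, a missing assertion header produces `x-goog-authenticated-user-jwt:null`, which still satisfies `assertEquals(2, split.length)` and presumably only fails later inside `verifyJWTTokenForAppEngine` with an unrelated message; a guard right after `String jwtToken = split[1].trim();` such as `assertFalse("IAP assertion header missing from response", "null".equals(jwtToken));` (static-imported from `org.junit.Assert`) names the real cause. Splitting with `headerWithtoken.split(":", 2)` would additionally keep the token intact should a value ever contain a colon.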
@@ -33,7 +33,7 @@ It will be used to test both the authorization of an incoming request to an IAP
   - `IAP_CLIENT_ID` to point to the [OAuth 2.0 Client ID](https://console.cloud.google.com/apis/credentials) of your IAP protected App Engine Application.
-  - `IAP_PROJECT_ID` : Google Cloud Project ID
+  - `IAP_PROJECT_ID` : Google Cloud Project ID of the IAP protected application
   - `IAP_PROJECT_NUMBER` : [Project number](https://console.cloud.google.com/home/dashboard) of the IAP protected resource.
   Also available via `gcloud` using:

From 455601053f5fcb001b1d47f0a82004c0267272a4 Mon Sep 17 00:00:00 2001
From: Jisha Abubaker
Date: Thu, 10 Aug 2017 13:16:59 -0700
Subject: [PATCH 3/3] enabling IAP

---
 pom.xml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 1d854809c36..e4405b64b0a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -55,9 +55,7 @@ dlp - kms