Fixing IAP tests (#804)

* fixing IAP tests

* updating README

* enabling IAP

Author: jabubake

appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java

@@ -26,9 +26,10 @@
 public class JwtServlet extends HttpServlet {
 
   private static final String IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
+  private static final String IAP_AUTHENTICATED_USER_HEADER = "x-goog-authenticated-user-jwt";
 
   @Override
   public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
-    resp.getWriter().print(IAP_JWT_HEADER + ":" + req.getHeader(IAP_JWT_HEADER));
+    resp.getWriter().print(IAP_AUTHENTICATED_USER_HEADER + ":" + req.getHeader(IAP_JWT_HEADER));
   }
 }

iap/README.md

@@ -28,24 +28,22 @@ It will be used to test both the authorization of an incoming request to an IAP
 
 - Add the service account email to the Identity-Aware Proxy access list for the project.
 
-- Set the following environment variables to test sending a request to an IAP protected resource:
+- Update the following variables in [BuildAndVerifyIapRequestIT.java](src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java):
   - `IAP_PROTECTED_URL` : URL of your IAP protected resource . eg. `https://your-project-id.appspot.com`
 
   - `IAP_CLIENT_ID` to point to the [OAuth 2.0 Client ID](https://console.cloud.google.com/apis/credentials) of your IAP protected App Engine Application.
 
-- Set the following environment variables to test verifying a JWT issued for an App Engine protected application:
-  - `GOOGLE_CLOUD_PROJECT`: Google Cloud Project ID
+  - `IAP_PROJECT_ID` : Google Cloud Project ID of the IAP protected application
 
   - `IAP_PROJECT_NUMBER` : [Project number](https://console.cloud.google.com/home/dashboard) of the IAP protected resource.
-  Also available via `gcloud` using:
-    ```
-       gcloud projects describe PROJECT_ID
-    ```
-
+     Also available via `gcloud` using:
+     ```
+         gcloud projects describe PROJECT_ID
+     ```
 - Run the integration test:
-```
-    mvn -Dtest=com.example.iap.BuildAndVerifyIapRequestIT verify
-```
+  ```
+      mvn -Dtest=com.example.iap.BuildAndVerifyIapRequestIT verify
+  ```
 
 ## References
 - [JWT library for Java (jjwt)](https://github.com/jwtk/jjwt)

iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java

@@ -26,32 +26,29 @@
 import com.google.api.client.http.javanet.NetHttpTransport;
 import io.jsonwebtoken.Jwt;
 import org.apache.http.HttpStatus;
-import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 
 @RunWith(JUnit4.class)
 public class BuildAndVerifyIapRequestIT {
 
-  private String iapProtectedUrl = System.getenv("IAP_PROTECTED_URL");
-  private String iapClientId = System.getenv("IAP_CLIENT_ID");
-  private Long projectNumber = Long.parseLong(System.getenv("IAP_PROJECT_NUMBER"));
-  private String projectId = System.getenv("GOOGLE_CLOUD_PROJECT");
+  // Update these fields to reflect your IAP protected App Engine credentials
+  private static Long IAP_PROJECT_NUMBER = 320431926067L;
+  private static String IAP_PROJECT_ID = "gcp-devrel-iap-reflect";
+  private static String IAP_PROTECTED_URL = "https://gcp-devrel-iap-reflect.appspot.com";
+  private static String IAP_CLIENT_ID =
+      "320431926067-ldm6839p8l2sei41nlsfc632l4d0v2u1.apps.googleusercontent.com";
+
   private HttpTransport httpTransport = new NetHttpTransport();
   private VerifyIapRequestHeader verifyIapRequestHeader = new VerifyIapRequestHeader();
 
-  @Before
-  public void setUp() {
-    assertNotNull(iapProtectedUrl);
-    assertNotNull(iapClientId);
-  }
 
   // Access an IAP protected url without signed jwt authorization header
   @Test
   public void accessIapProtectedResourceFailsWithoutJwtHeader() throws Exception {
     HttpRequest request =
-        httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(iapProtectedUrl));
+        httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(IAP_PROTECTED_URL));
     try {
       request.execute();
     } catch (HttpResponseException e) {
@@ -63,23 +60,23 @@ public void accessIapProtectedResourceFailsWithoutJwtHeader() throws Exception {
   @Test
   public void testGenerateAndVerifyIapRequestIsSuccessful() throws Exception {
     HttpRequest request =
-        httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(iapProtectedUrl));
-    HttpRequest iapRequest = buildIAPRequest(request, iapClientId);
+        httpTransport.createRequestFactory().buildGetRequest(new GenericUrl(IAP_PROTECTED_URL));
+    HttpRequest iapRequest = buildIAPRequest(request, IAP_CLIENT_ID);
     HttpResponse response = iapRequest.execute();
     assertEquals(response.getStatusCode(), HttpStatus.SC_OK);
     String headerWithtoken = response.parseAsString();
     String[] split = headerWithtoken.split(":");
     assertNotNull(split);
-    assertEquals(split.length, 2);
-    assertEquals(split[0].trim(), "x-goog-iap-jwt-assertion");
+    assertEquals(2, split.length);
+    assertEquals("x-goog-authenticated-user-jwt", split[0].trim());
 
     String jwtToken = split[1].trim();
     HttpRequest verifyJwtRequest = httpTransport
         .createRequestFactory()
-        .buildGetRequest(new GenericUrl(iapProtectedUrl)).setHeaders(
+        .buildGetRequest(new GenericUrl(IAP_PROTECTED_URL)).setHeaders(
         new HttpHeaders().set("x-goog-iap-jwt-assertion", jwtToken));
     Jwt decodedJWT = verifyIapRequestHeader.verifyJWTTokenForAppEngine(
-        verifyJwtRequest, projectNumber, projectId);
+        verifyJwtRequest, IAP_PROJECT_NUMBER, IAP_PROJECT_ID);
     assertNotNull(decodedJWT);
   }
 }

pom.xml

@@ -55,9 +55,7 @@
 
         <module>dlp</module>
 
-<!-- TODO() turn back on once we setup IAP envvar
         <module>iap</module>
- -->
 
         <module>kms</module>