Cloud IAP samples

README.md

@@ -19,6 +19,7 @@ Technology Samples:
 * [Bigquery](bigquery)
 * [Datastore](datastore)
 * [Endpoints](endpoints)
+* [Identity-Aware Proxy](iap)
 * [Key Management Service](kms)
 * [Logging](logging)
 * [Monitoring](monitoring)

appengine/iap/README.md

@@ -0,0 +1,37 @@
+# Cloud Identity-Aware Proxy sample for Google App Engine
+
+This sample demonstrates how to use the [Cloud Identity-Aware Proxy][iap-docs] on [Google App
+Engine][ae-docs].
+
+[iap-docs]: https://cloud.google.com/iap/docs/
+[ae-docs]: https://cloud.google.com/appengine/docs/java/
+
+## Setup
+
+Install the [Google Cloud SDK](https://cloud.google.com/sdk/) and run:
+```
+   gcloud init
+```
+If this is your first time creating an App engine application:
+```
+   gcloud app create
+```
+
+## Running locally
+
+This application depends on being enabled behind an IAP, so this program should not be run locally.
+
+## Deploying
+
+- Deploy the application to the project
+  ```
+       mvn clean appengine:deploy
+    ```
+- [Enable](https://cloud.google.com/iap/docs/app-engine-quickstart) Identity-Aware Proxy on the App Engine app.
+- Add the email account you'll be running the test as to the Identity-Aware Proxy access list for the project.
+
+## Test
+
+Once deployed, access `https://your-project-id.appspot.com` . This should now prompt you to sign in for access.
+Sign in with the email account that was added to the Identity-Aware proxy access list.
+You should now see the jwt token that was received from the IAP server.

appengine/iap/pom.xml

@@ -0,0 +1,57 @@
+<!--
+Copyright 2017 Google Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <packaging>war</packaging>
+  <version>1.0-SNAPSHOT</version>
+  <groupId>com.example.appengine</groupId>
+  <artifactId>appengine-iap</artifactId>
+
+  <parent>
+    <groupId>com.google.cloud</groupId>
+    <artifactId>appengine-doc-samples</artifactId>
+    <version>1.0.0</version>
+    <relativePath>..</relativePath>
+  </parent>
+  <dependencies>
+    <dependency>
+      <groupId>javax.servlet</groupId>
+      <artifactId>servlet-api</artifactId>
+      <version>2.5</version>
+      <scope>provided</scope>
+    </dependency>
+  </dependencies>
+  <build>
+    <!-- for hot reload of the web application -->
+    <outputDirectory>${project.build.directory}/${project.build.finalName}/WEB-INF/classes</outputDirectory>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <version>3.3</version>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <configuration>
+          <source>1.7</source>
+          <target>1.7</target>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>com.google.cloud.tools</groupId>
+        <artifactId>appengine-maven-plugin</artifactId>
+        <version>1.3.1</version>
+      </plugin>
+    </plugins>
+  </build>
+</project>

appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java

@@ -0,0 +1,34 @@
+/**
+ * Copyright 2017 Google Inc.
+ *
+ * <p>Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of the License at
+ *
+ * <p>http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * <p>Unless required by applicable law or agreed to in writing, software distributed under the
+ * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.example.appengine.iap;
+
+import java.io.IOException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Identity Aware Proxy (IAP) Test application to reflect jwt token issued by IAP. IAP must be
+ * enabled on application. {@see https://cloud.google.com/iap/docs/app-engine-quickstart}
+ */
+@SuppressWarnings("serial")
+public class JwtServlet extends HttpServlet {
+
+  private static final String IAP_JWT_HEADER = "x-goog-authenticated-user-jwt";
+
+  @Override
+  public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+    resp.getWriter().print(IAP_JWT_HEADER + ":" + req.getHeader(IAP_JWT_HEADER));
+  }
+}

appengine/iap/src/main/webapp/WEB-INF/appengine-web.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+  Copyright 2017 Google Inc.
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+        http://www.apache.org/licenses/LICENSE-2.0
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<appengine-web-app xmlns="http://appengine.google.com/ns/1.0">
+  <threadsafe>true</threadsafe>
+</appengine-web-app>

appengine/iap/src/main/webapp/WEB-INF/web.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee"
+  xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
+  version="2.5">
+  <servlet>
+    <servlet-name>hello</servlet-name>
+    <servlet-class>com.example.appengine.iap.JwtServlet</servlet-class>
+  </servlet>
+  <servlet-mapping>
+    <servlet-name>hello</servlet-name>
+    <url-pattern>/</url-pattern>
+  </servlet-mapping>
+</web-app>

appengine/pom.xml

@@ -61,6 +61,7 @@
         <module>guestbook-objectify</module>
         <module>helloworld</module>
         <module>helloworld-new-plugins</module>
+        <module>iap</module>
         <module>images</module>
         <module>logs</module>
         <module>mailgun</module>

iap/README.md

@@ -0,0 +1,34 @@
+# Cloud Identity-Aware Proxy Java Samples
+Cloud Identity-Aware Proxy (Cloud IAP) lets you manage access to applications running in Compute Engine, App Engine standard environment, and Container Engine. Cloud IAP establishes a central authorization layer for applications accessed by HTTPS, enabling you to adopt an application-level access control model instead of relying on network-level firewalls. When you enable Cloud IAP, you must also use signed headers or the App Engine standard environment Users API to secure your app.
+
+## Setup
+- A Google Cloud project with billing enabled
+- A service account with private key credentials is required to create signed bearer tokens.
+  - [Create an App engine service account](https://cloud.google.com/docs/authentication#getting_credentials_for_server-centric_flow) and download the credentials file as JSON.
+  - Set the environment variable `GOOGLE_APPLICATION_CREDENTIALS` to point to the service account credentials file.
+- Install the [Google Cloud SDK](https://cloud.google.com/sdk/) and run:
+```
+   gcloud init
+```
+
+## Description
+- [BuildIapRequest.java](src/main/java/com/example/iap/BuildIapRequest.java) demonstrates how to set the
+`Authorization : Bearer` header with a signed JWT token to authorize access to an IAP protected URL.
+- [VerifyIapRequestHeader.java](src/main/java/com/example/iap/VerifyIapRequestHeader.java) demonstrates how to
+verify the JWT token in an incoming request to an IAP protected resource.
+
+## Testing
+- Deploy the [demo app engine application](../appengine/iap/README.md). This application will return the JWT token to an authorized incoming request.
+It will be used to test both the authorization of an incoming request to an IAP protected resource and the JWT token returned from IAP.
+- [Enable](https://cloud.google.com/iap/docs/app-engine-quickstart) Identity-Aware Proxy on the App Engine app.
+- Add the service account email to the Identity-Aware Proxy access list for the project.
+- Set the environment variable `IAP_PROTECTED_URL` to point to `https://your-project-id.appspot.com`
+- Run the integration test:
+```
+    mvn -Dtest=com.example.iap.BuildAndVerifyIapRequestIT verify
+```
+
+## References
+[JWT library for Java](https://github.com/auth0/java-jwt)
+[Cloud IAP docs](https://cloud.google.com/iap/docs/)
+[Service account credentials](https://cloud.google.com/docs/authentication#getting_credentials_for_server-centric_flow)

iap/pom.xml

@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright 2017 Google Inc.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<!-- [START pom] -->
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <packaging>jar</packaging>
+  <groupId>com.example</groupId>
+  <artifactId>iap-samples</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <properties>
+    <maven.compiler.source>1.8</maven.compiler.source>
+    <maven.compiler.target>1.8</maven.compiler.target>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+  </properties>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>com.fasterxml.jackson.core</groupId>
+        <artifactId>jackson-core</artifactId>
+        <version>2.8.6</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
+  <dependencies>
+    <dependency>                        <!-- REQUIRED -->
+      <groupId>javax.servlet</groupId>  <!-- Java Servlet API -->
+      <artifactId>javax.servlet-api</artifactId>
+      <version>3.1.0</version>
+    </dependency>
+
+    <!-- [START dependencies] -->
+    <dependency>
+      <groupId>com.google.auth</groupId>
+      <artifactId>google-auth-library-oauth2-http</artifactId>
+      <version>0.6.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.auth0</groupId>
+      <artifactId>java-jwt</artifactId>
+      <version>3.2.0</version>
+    </dependency>
+    <!-- [END dependencies] -->
+
+    <!-- Test dependencies -->
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.12</version>
+    </dependency>
+  </dependencies>
+</project>
+<!-- [END pom] -->