
Commit 4b97efc

authored
chore: upgrade IAP samples to new samples format (GoogleCloudPlatform#1378)
1 parent 44924dc commit 4b97efc


6 files changed

+70
-151
lines changed


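--- a/iap/README.md
+++ b/iap/README.md
@@ -25,38 +25,25 @@ You can also learn more by reading the [Cloud IAP conceptual overview][iap-conce
 
 ## Samples
 
-To run the Cloud Identity Aware Proxy Samples:
+To run the IAP Samples, run any of the files in `src/` on the CLI:
 
-$ php iap.php
-Cloud Identity Aware Proxy
+```
+$ php src/make_iap_request.php
 
-Usage:
-command [options] [arguments]
+Usage: make_iap_request.php $url $clientId
 
-Options:
--h, --help Display this help message
--q, --quiet Do not output any message
--V, --version Display this application version
---ansi Force ANSI output
---no-ansi Disable ANSI output
--n, --no-interaction Do not ask any interactive question
--v|vv|vvv, --verbose Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
+@param string $url The Identity-Aware Proxy-protected URL to fetch.
+@param string $clientId The client ID used by Identity-Aware Proxy.
+```
 
-Available commands:
-request Make a request to an IAP-protected resource using a service account.
-validate Validates the JWT in the X-Goog-Iap-Jwt-Assertion header of an IAP-protected resource.
+```
+$ php src/validate_jwt.php
 
-### Run Request
+Usage: validate_jwt.php $iapJwt $expectedAudience
 
-To run the Request sample:
-
-$ php iap.php request [YOUR_CLOUD_IAP_URL] [YOUR_CLIENT_ID] [PATH_TO_YOUR_SERVICE_ACCOUNT]
-
-### Run Validate
-
-To run the Analyze Sentiment sample:
-
-$ php iap.php validate [YOUR_IAP_JWT] [YOUR_PROJECT_NUMBER] [YOUR_PROJECT_ID]
+@param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
+@param string $expectedAudience The expected audience of the JWT with the following formats:
+```
 
 [iap]: http://cloud.google.com/iap
 [iap-quickstart]: https://cloud.google.com/iap/docs/app-engine-quickstart
@@ -68,4 +55,4 @@ To run the Analyze Sentiment sample:
 [composer]: http://getcomposer.org/doc/00-intro.md
 [iap-programmatic-authentication]: https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_service_account
 [iap-signed-headers]: https://cloud.google.com/iap/docs/signed-headers-howto
-[iap-conceptual-overview]: https://cloud.google.com/iap/docs/concepts-overview
+[iap-conceptual-overview]: https://cloud.google.com/iap/docs/concepts-overview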

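--- a/iap/composer.json
+++ b/iap/composer.json
@@ -1,17 +1,12 @@
 {
 "require": {
-"symfony/console": "^2.8",
+"kelvinmo/simplejwt": "^0.5.1",
 "google/auth":"^1.8.0",
-"guzzlehttp/guzzle": "~7.2.0",
-"kelvinmo/simplejwt": "^0.5.0"
+"guzzlehttp/guzzle": "~7.2.0"
 },
 "autoload": {
 "psr-4": {
 "Google\\Cloud\\Samples\\Auth\\": "src/"
-},
-"files": [
-"src/make_iap_request.php",
-"src/validate_jwt.php"
-]
+}
 }
 }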

iap/iap.php

Lines changed: 0 additions & 79 deletions
This file was deleted.

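--- a/iap/src/make_iap_request.php
+++ b/iap/src/make_iap_request.php
@@ -50,6 +50,11 @@ function make_iap_request($url, $clientId)
 ]);
 
 // make the request
-return $client->get($url);
+$response = $client->get($url);
+print('Printing out response body:');
+print($response->getBody());
 }
 # [END iap_make_request]
+
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);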
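Review bot: The new `print($response->getBody());` writes the whole response to stdout, and the test in this commit treats that body as the IAP JWT assertion, so a signed identity token ends up in terminal and CI logs. A comment above the print such as `// Sample only: the body may contain a signed IAP JWT; avoid logging it in production code.` would keep readers from copying the pattern unchanged. The function also no longer returns the response, so a caller cannot inspect the status code or headers. make_iap_request begins above this hunk, so the client options and error handling are not visible here.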

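--- a/iap/src/validate_jwt.php
+++ b/iap/src/validate_jwt.php
@@ -29,53 +29,58 @@
 /**
 * Validate a JWT passed to your App Engine app by Identity-Aware Proxy.
 *
-* @param string $iap_jwt The contents of the X-Goog-IAP-JWT-Assertion header.
-* @param string $cloud_project_number The project *number* for your Google
+* @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
+* @param string $cloudProjectNumber The project *number* for your Google
 * Cloud project. This is returned by 'gcloud projects describe $PROJECT_ID',
 * or in the Project Info card in Cloud Console.
 * @param string $cloud_project Your Google Cloud Project ID.
 *
 * @return (user_id, user_email).
 */
-function validate_jwt_from_app_engine($iap_jwt, $cloud_project_number, $cloud_project_id)
+function validate_jwt_from_app_engine($iapJwt, $cloudProjectNumber, $cloudProjectId)
 {
-$expected_audience = sprintf(
+$expectedAudience = sprintf(
 '/projects/%s/apps/%s',
-$cloud_project_number,
-$cloud_project_id
+$cloudProjectNumber,
+$cloudProjectId
 );
-return validate_jwt($iap_jwt, $expected_audience);
+return validate_jwt($iapJwt, $expectedAudience);
 }
 
 /**
 * Validate a JWT passed to your Compute / Container Engine app by Identity-Aware Proxy.
 *
-* @param string $iap_jwt The contents of the X-Goog-IAP-JWT-Assertion header.
-* @param string $cloud_project_number The project *number* for your Google
+* @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
+* @param string $cloudProjectNumber The project *number* for your Google
 * Cloud project. This is returned by 'gcloud projects describe $PROJECT_ID',
 * or in the Project Info card in Cloud Console.
-* @param string $backend_service_id The ID of the backend service used to access the
+* @param string $backendServiceId The ID of the backend service used to access the
 * application. See https://cloud.google.com/iap/docs/signed-headers-howto
 * for details on how to get this value.
-*
-* @return (user_id, user_email).
 */
-function validate_jwt_from_compute_engine($iap_jwt, $cloud_project_number, $backend_service_id)
+function validate_jwt_from_compute_engine($iapJwt, $cloudProjectNumber, $backendServiceId)
 {
-$expected_audience = sprintf(
+$expectedAudience = sprintf(
 '/projects/%s/global/backendServices/%s',
-$cloud_project_number,
-$backend_service_id
+$cloudProjectNumber,
+$backendServiceId
 );
-return validate_jwt($iap_jwt, $expected_audience);
+validate_jwt($iapJwt, $expectedAudience);
 }
 
-
-function validate_jwt($iap_jwt, $expected_audience)
+/**
+* Validate a JWT passed to your app by Identity-Aware Proxy.
+*
+* @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
+* @param string $expectedAudience The expected audience of the JWT with the following formats:
+* App Engine: /projects/{PROJECT_NUMBER}/apps/{PROJECT_ID}
+* Compute Engine: /projects/{PROJECT_NUMBER}/global/backendServices/{BACKEND_SERVICE_ID}
+*/
+function validate_jwt($iapJwt, $expectedAudience)
 {
 // Validate the signature using the IAP cert URL.
 $token = new AccessToken();
-$jwt = $token->verify($iap_jwt, [
+$jwt = $token->verify($iapJwt, [
 'certsLocation' => AccessToken::IAP_CERT_URL
 ]);
 
@@ -85,9 +90,14 @@ function validate_jwt($iap_jwt, $expected_audience)
 
 // Validate token by checking issuer and audience fields.
 assert($jwt['iss'] == 'https://cloud.google.com/iap');
-assert($jwt['aud'] == $expected_audience);
+assert($jwt['aud'] == $expectedAudience);
 
-// Return the user identity (subject and user email) if JWT verification is successful.
-return array('sub' => $jwt['sub'], 'email' => $jwt['email']);
+
+print('Printing user identity information from ID token payload:');
+printf('sub: %s', $jwt['sub']);
+printf('email: %s', $jwt['email']);
 }
 # [END iap_validate_jwt]
+
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);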
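Review bot: The issuer and audience checks in validate_jwt (new lines 92–93) rely on `assert()`, which PHP skips when `zend.assertions` is set to its production value, so a correctly signed IAP token issued for a different application would be accepted and its identity printed. Use explicit checks that run regardless of ini settings, with strict comparison instead of `==`, e.g. `if ($jwt['iss'] !== 'https://cloud.google.com/iap' || $jwt['aud'] !== $expectedAudience) { throw new \UnexpectedValueException('Unexpected issuer or audience'); }`. Separately, validate_jwt no longer returns anything, yet validate_jwt_from_app_engine still does `return validate_jwt(...)` under a `@return (user_id, user_email).` docblock that also documents `$cloud_project` for the parameter now named `$cloudProjectId`; either return the identity again or drop the stale `@return`. The lines between the two hunks are not shown, so the handling of a failed signature check is not covered by this note.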

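--- a/iap/test/iapTest.php
+++ b/iap/test/iapTest.php
@@ -17,36 +17,34 @@
 namespace Google\Cloud\Samples\Iap;
 
 use Google\Cloud\TestUtils\TestTrait;
-use Google\Cloud\TestUtils\ExecuteCommandTrait;
 use PHPUnit\Framework\TestCase;
 
 /**
 * Unit Tests for IAP commands.
 */
 class iapTest extends TestCase
 {
-use TestTrait, ExecuteCommandTrait;
-
-private static $commandFile = __DIR__ . '/../iap.php';
+use TestTrait;
 
 public function testRequestAndValidate()
 {
 // Make a request to our IAP URL, which returns the IAP's JWT Assertion.
-$output = $this->runCommand('request', [
+$output = $this->runFunctionSnippet('make_iap_request', [
 'url' => $this->requireEnv('IAP_URL'),
-'clientId' => $this->requireEnv('IAP_CLIENT_ID'),
-'serviceAccountPath' => $this->requireEnv('GOOGLE_APPLICATION_CREDENTIALS'),
+'clientId' => $this->requireEnv('IAP_CLIENT_ID')
 ]);
 
 // Verify an ID token was returned
 $this->assertStringContainsString('Printing out response body:', $output);
 list($_, $iapJwt) = explode(':', $output);
 
+$projectNumber = $this->requireEnv('IAP_PROJECT_NUMBER');
+$projectId = $this->requireEnv('IAP_PROJECT_ID');
+
 // Now validate the JWT using the validation command
-$output = $this->runCommand('validate', [
-'jwt' => $iapJwt,
-'projectNumber' => $this->requireEnv('IAP_PROJECT_NUMBER'),
-'projectId' => $this->requireEnv('IAP_PROJECT_ID'),
+$output = $this->runFunctionSnippet('validate_jwt', [
+$iapJwt,
+sprintf('/projects/%s/apps/%s', $projectNumber, $projectId),
 ]);
 $this->assertStringContainsString('Printing user identity information from ID token payload:', $output);
 $this->assertStringContainsString('sub: accounts.google.com', $output);
@@ -55,7 +53,10 @@ public function testRequestAndValidate()
 
 public function testInvalidJwt()
 {
-validate_jwt('fake_j.w.t', 'fake_expected_audience');
-$this->expectOutputRegex('/Failed to validate JWT:/');
+$output = $this->runFunctionSnippet('validate_jwt', [
+'fake_j.w.t',
+'fake_expected_audience'
+]);
+$this->assertStringContainsString('Failed to validate JWT:', $output);
 }
 }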
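Review bot: Neither test presents a validly signed token with the wrong audience: testInvalidJwt only feeds a malformed string, so the `iss` and `aud` checks in validate_jwt are never exercised on a failure path. Consider a further call in testRequestAndValidate that passes `$iapJwt` with a deliberately different audience (for example the constructed value `'/projects/0/apps/other'`) and asserts that no `sub:` line is printed. The unchanged line `list($_, $iapJwt) = explode(':', $output);` also drops part of the body if it ever contains a colon; `explode(':', $output, 2)` keeps everything after the label.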
