chore: upgrade IAP samples to new samples format (GoogleCloudPlatform#1378)

Author: bshaffer

iap/README.md

@@ -25,38 +25,25 @@ You can also learn more by reading the [Cloud IAP conceptual overview][iap-conce
 
 ## Samples
 
-To run the Cloud Identity Aware Proxy Samples:
+To run the IAP Samples, run any of the files in `src/` on the CLI:
 
-    $ php iap.php
-    Cloud Identity Aware Proxy
+```
+$ php src/make_iap_request.php
 
-    Usage:
-      command [options] [arguments]
+Usage: make_iap_request.php $url $clientId
 
-    Options:
-      -h, --help            Display this help message
-      -q, --quiet           Do not output any message
-      -V, --version         Display this application version
-          --ansi            Force ANSI output
-          --no-ansi         Disable ANSI output
-      -n, --no-interaction  Do not ask any interactive question
-      -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
+  @param string $url The Identity-Aware Proxy-protected URL to fetch.
+  @param string $clientId The client ID used by Identity-Aware Proxy.
+```
 
-    Available commands:
-      request    Make a request to an IAP-protected resource using a service account.
-      validate   Validates the JWT in the X-Goog-Iap-Jwt-Assertion header of an IAP-protected resource.
+```
+$ php src/validate_jwt.php
 
-### Run Request
+Usage: validate_jwt.php $iapJwt $expectedAudience
 
-To run the Request sample:
-
-    $ php iap.php request [YOUR_CLOUD_IAP_URL] [YOUR_CLIENT_ID] [PATH_TO_YOUR_SERVICE_ACCOUNT]
-
-### Run Validate
-
-To run the Analyze Sentiment sample:
-
-    $ php iap.php validate [YOUR_IAP_JWT] [YOUR_PROJECT_NUMBER] [YOUR_PROJECT_ID]
+  @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
+  @param string $expectedAudience The expected audience of the JWT with the following formats:
+```
 
 [iap]: http://cloud.google.com/iap
 [iap-quickstart]: https://cloud.google.com/iap/docs/app-engine-quickstart
@@ -68,4 +55,4 @@ To run the Analyze Sentiment sample:
 [composer]: http://getcomposer.org/doc/00-intro.md
 [iap-programmatic-authentication]: https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_a_service_account
 [iap-signed-headers]: https://cloud.google.com/iap/docs/signed-headers-howto
-[iap-conceptual-overview]: https://cloud.google.com/iap/docs/concepts-overview
+[iap-conceptual-overview]: https://cloud.google.com/iap/docs/concepts-overview

iap/composer.json

@@ -1,17 +1,12 @@
 {
     "require": {
-        "symfony/console": "^2.8",
+        "kelvinmo/simplejwt": "^0.5.1",
         "google/auth":"^1.8.0",
-        "guzzlehttp/guzzle": "~7.2.0",
-        "kelvinmo/simplejwt": "^0.5.0"
+        "guzzlehttp/guzzle": "~7.2.0"
     },
     "autoload": {
         "psr-4": {
             "Google\\Cloud\\Samples\\Auth\\": "src/"
-        },
-        "files": [
-            "src/make_iap_request.php",
-            "src/validate_jwt.php"
-        ]
+        }
     }
 }

iap/iap.php

@@ -50,6 +50,11 @@ function make_iap_request($url, $clientId)
     ]);
 
     // make the request
-    return $client->get($url);
+    $response = $client->get($url);
+    print('Printing out response body:');
+    print($response->getBody());
 }
 # [END iap_make_request]
+
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

iap/src/make_iap_request.php

@@ -29,53 +29,58 @@
 /**
  * Validate a JWT passed to your App Engine app by Identity-Aware Proxy.
  *
- * @param string $iap_jwt The contents of the X-Goog-IAP-JWT-Assertion header.
- * @param string $cloud_project_number The project *number* for your Google
+ * @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
+ * @param string $cloudProjectNumber The project *number* for your Google
  *     Cloud project. This is returned by 'gcloud projects describe $PROJECT_ID',
  *     or in the Project Info card in Cloud Console.
  * @param string $cloud_project Your Google Cloud Project ID.
  *
  * @return (user_id, user_email).
  */
-function validate_jwt_from_app_engine($iap_jwt, $cloud_project_number, $cloud_project_id)
+function validate_jwt_from_app_engine($iapJwt, $cloudProjectNumber, $cloudProjectId)
 {
-    $expected_audience = sprintf(
+    $expectedAudience = sprintf(
         '/projects/%s/apps/%s',
-        $cloud_project_number,
-        $cloud_project_id
+        $cloudProjectNumber,
+        $cloudProjectId
     );
-    return validate_jwt($iap_jwt, $expected_audience);
+    return validate_jwt($iapJwt, $expectedAudience);
 }
 
 /**
  * Validate a JWT passed to your Compute / Container Engine app by Identity-Aware Proxy.
  *
- * @param string $iap_jwt The contents of the X-Goog-IAP-JWT-Assertion header.
- * @param string $cloud_project_number The project *number* for your Google
+ * @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
+ * @param string $cloudProjectNumber The project *number* for your Google
  *     Cloud project. This is returned by 'gcloud projects describe $PROJECT_ID',
  *     or in the Project Info card in Cloud Console.
- * @param string $backend_service_id The ID of the backend service used to access the
+ * @param string $backendServiceId The ID of the backend service used to access the
  *     application. See https://cloud.google.com/iap/docs/signed-headers-howto
  *     for details on how to get this value.
- *
- * @return (user_id, user_email).
  */
-function validate_jwt_from_compute_engine($iap_jwt, $cloud_project_number, $backend_service_id)
+function validate_jwt_from_compute_engine($iapJwt, $cloudProjectNumber, $backendServiceId)
 {
-    $expected_audience = sprintf(
+    $expectedAudience = sprintf(
         '/projects/%s/global/backendServices/%s',
-        $cloud_project_number,
-        $backend_service_id
+        $cloudProjectNumber,
+        $backendServiceId
     );
-    return validate_jwt($iap_jwt, $expected_audience);
+    validate_jwt($iapJwt, $expectedAudience);
 }
 
-
-function validate_jwt($iap_jwt, $expected_audience)
+/**
+ * Validate a JWT passed to your app by Identity-Aware Proxy.
+ *
+ * @param string $iapJwt The contents of the X-Goog-IAP-JWT-Assertion header.
+ * @param string $expectedAudience The expected audience of the JWT with the following formats:
+ *     App Engine:     /projects/{PROJECT_NUMBER}/apps/{PROJECT_ID}
+ *     Compute Engine: /projects/{PROJECT_NUMBER}/global/backendServices/{BACKEND_SERVICE_ID}
+ */
+function validate_jwt($iapJwt, $expectedAudience)
 {
     // Validate the signature using the IAP cert URL.
     $token = new AccessToken();
-    $jwt = $token->verify($iap_jwt, [
+    $jwt = $token->verify($iapJwt, [
         'certsLocation' => AccessToken::IAP_CERT_URL
     ]);
 
@@ -85,9 +90,14 @@ function validate_jwt($iap_jwt, $expected_audience)
 
     // Validate token by checking issuer and audience fields.
     assert($jwt['iss'] == 'https://cloud.google.com/iap');
-    assert($jwt['aud'] == $expected_audience);
+    assert($jwt['aud'] == $expectedAudience);
 
-    // Return the user identity (subject and user email) if JWT verification is successful.
-    return array('sub' => $jwt['sub'], 'email' => $jwt['email']);
+
+    print('Printing user identity information from ID token payload:');
+    printf('sub: %s', $jwt['sub']);
+    printf('email: %s', $jwt['email']);
 }
 # [END iap_validate_jwt]
+
+require_once __DIR__ . '/../../testing/sample_helpers.php';
+\Google\Cloud\Samples\execute_sample(__FILE__, __NAMESPACE__, $argv);

iap/src/validate_jwt.php

@@ -17,36 +17,34 @@
 namespace Google\Cloud\Samples\Iap;
 
 use Google\Cloud\TestUtils\TestTrait;
-use Google\Cloud\TestUtils\ExecuteCommandTrait;
 use PHPUnit\Framework\TestCase;
 
 /**
  * Unit Tests for IAP commands.
  */
 class iapTest extends TestCase
 {
-    use TestTrait, ExecuteCommandTrait;
-
-    private static $commandFile = __DIR__ . '/../iap.php';
+    use TestTrait;
 
     public function testRequestAndValidate()
     {
         // Make a request to our IAP URL, which returns the IAP's JWT Assertion.
-        $output = $this->runCommand('request', [
+        $output = $this->runFunctionSnippet('make_iap_request', [
             'url' => $this->requireEnv('IAP_URL'),
-            'clientId' => $this->requireEnv('IAP_CLIENT_ID'),
-            'serviceAccountPath' => $this->requireEnv('GOOGLE_APPLICATION_CREDENTIALS'),
+            'clientId' => $this->requireEnv('IAP_CLIENT_ID')
         ]);
 
         // Verify an ID token was returned
         $this->assertStringContainsString('Printing out response body:', $output);
         list($_, $iapJwt) = explode(':', $output);
 
+        $projectNumber = $this->requireEnv('IAP_PROJECT_NUMBER');
+        $projectId = $this->requireEnv('IAP_PROJECT_ID');
+
         // Now validate the JWT using the validation command
-        $output = $this->runCommand('validate', [
-            'jwt' => $iapJwt,
-            'projectNumber' => $this->requireEnv('IAP_PROJECT_NUMBER'),
-            'projectId' => $this->requireEnv('IAP_PROJECT_ID'),
+        $output = $this->runFunctionSnippet('validate_jwt', [
+            $iapJwt,
+            sprintf('/projects/%s/apps/%s', $projectNumber, $projectId),
         ]);
         $this->assertStringContainsString('Printing user identity information from ID token payload:', $output);
         $this->assertStringContainsString('sub: accounts.google.com', $output);
@@ -55,7 +53,10 @@ public function testRequestAndValidate()
 
     public function testInvalidJwt()
     {
-        validate_jwt('fake_j.w.t', 'fake_expected_audience');
-        $this->expectOutputRegex('/Failed to validate JWT:/');
+        $output = $this->runFunctionSnippet('validate_jwt', [
+            'fake_j.w.t',
+            'fake_expected_audience'
+        ]);
+        $this->assertStringContainsString('Failed to validate JWT:', $output);
     }
 }