fix: updates IAP samples for new IAP service URL (GoogleCloudPlatform#1109)

Author: bshaffer

.kokoro/secrets.sh.enc

@@ -44,7 +44,7 @@ To run the Cloud Identity Aware Proxy Samples:
 
     Available commands:
       request    Make a request to an IAP-protected resource using a service account.
-      validate   Make a request to an IAP-protected resource using a service account and then validate the JWT.
+      validate   Validates the JWT in the X-Goog-Iap-Jwt-Assertion header of an IAP-protected resource.
 
 ### Run Request
 
@@ -56,7 +56,7 @@ To run the Request sample:
 
 To run the Analyze Sentiment sample:
 
-    $ php iap.php validate [YOUR_CLOUD_IAP_URL] [YOUR_CLIENT_ID] [PATH_TO_YOUR_SERVICE_ACCOUNT] [YOUR_PROJECT_NUMBER] [YOUR_PROJECT_ID]
+    $ php iap.php validate [YOUR_IAP_JWT] [YOUR_PROJECT_NUMBER] [YOUR_PROJECT_ID]
 
 [iap]: http://cloud.google.com/iap
 [iap-quickstart]: https://cloud.google.com/iap/docs/app-engine-quickstart

iap/README.md

@@ -51,27 +51,19 @@
 
 // Create a validate Command.
 $application->add((new Command('validate'))
-    ->addArgument('url', InputArgument::REQUIRED, 'The Identity-Aware Proxy-protected URL to fetch.')
-    ->addArgument('clientId', InputArgument::REQUIRED, 'The client ID used by Identity-Aware Proxy.')
-    ->addArgument('serviceAccountPath', InputArgument::REQUIRED, 'Path for the service account you want to use.')
+    ->addArgument('jwt', InputArgument::REQUIRED, 'A JWT from the X-Goog-Iap-Jwt-Assertion header')
     ->addArgument('projectNumber', InputArgument::REQUIRED, 'The project *number* for your Google Cloud project. This is returned by gcloud projects describe $PROJECT_ID or in the Project Info card in Cloud Console.')
     ->addArgument('projectId', InputArgument::REQUIRED, 'The project ID for your Google Cloud Platform project.')
-    ->setDescription('Makes a request to an IAP-protected resource using a service account and then validates the JWT.')
+    ->setDescription('Validates the JWT in the X-Goog-Iap-Jwt-Assertion header of an IAP-protected resource.')
     ->setHelp(<<
 The %command.name% command makes a request to an IAP-protected resource and then validates the JWT.
     php %command.full_name%
 
 EOF
     )
     ->setCode(function ($input, $output) {
-        $response = make_iap_request(
-            $input->getArgument('url'),
-            $input->getArgument('clientId'),
-            $input->getArgument('serviceAccountPath'));
-        $response_body = (string)$response->getBody();
-        $iap_jwt = explode(': ', $response_body)[1];
         $user_identity = validate_jwt_from_app_engine(
-            $iap_jwt,
+            $input->getArgument('jwt'),
             $input->getArgument('projectNumber'),
             $input->getArgument('projectId'));
         print('Printing user identity information from ID token payload:');

iap/iap.php

@@ -29,33 +29,33 @@ class iapTest extends TestCase
 
     private static $commandFile = __DIR__ . '/../iap.php';
 
-    public function testRequest()
+    public function testRequestAndValidate()
     {
+        // Make a request to our IAP URL, which returns the IAP's JWT Assertion.
         $output = $this->runCommand('request', [
             'url' => $this->requireEnv('IAP_URL'),
             'clientId' => $this->requireEnv('IAP_CLIENT_ID'),
             'serviceAccountPath' => $this->requireEnv('GOOGLE_APPLICATION_CREDENTIALS'),
         ]);
-        $this->assertContains('x-goog-authenticated-user-jwt:', $output);
-    }
 
-    public function testInvalidJwt()
-    {
-        validate_jwt('fake_jwt', 'fake_expected_audience');
-        $this->expectOutputRegex('/Failed to validate JWT:/');
-    }
+        // Verify an ID token was returned
+        $this->assertContains('Printing out response body:', $output);
+        list($_, $iapJwt) = explode(':', $output);
 
-    public function testValidate()
-    {
+        // Now validate the JWT using the validation command
         $output = $this->runCommand('validate', [
-            'url' => $this->requireEnv('IAP_URL'),
-            'clientId' => $this->requireEnv('IAP_CLIENT_ID'),
-            'serviceAccountPath' => $this->requireEnv('GOOGLE_APPLICATION_CREDENTIALS'),
+            'jwt' => $iapJwt,
             'projectNumber' => $this->requireEnv('IAP_PROJECT_NUMBER'),
             'projectId' => $this->requireEnv('IAP_PROJECT_ID'),
         ]);
         $this->assertContains('Printing user identity information from ID token payload:', $output);
         $this->assertContains('sub: accounts.google.com', $output);
         $this->assertContains('email:', $output);
     }
+
+    public function testInvalidJwt()
+    {
+        validate_jwt('fake_jwt', 'fake_expected_audience');
+        $this->expectOutputRegex('/Failed to validate JWT:/');
+    }
 }