Skip to content

make_iap_request: Replace base URL with client ID #979

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
theacodes merged 2 commits into from
Jun 23, 2017
Merged

make_iap_request: Replace base URL with client ID #979

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
39bd729
make_iap_request: Replace base URL with client ID
matthewg Jun 12, 2017
efd54d7
Update test to pass client ID to make_iap_request
Jun 23, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion iap/iap_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@
# The project must have the service account used by this test added as a
# member of the project.
REFLECT_SERVICE_HOSTNAME = 'gcp-devrel-iap-reflect.appspot.com'
IAP_CLIENT_ID = ('320431926067-ldm6839p8l2sei41nlsfc632l4d0v2u1'
'.apps.googleusercontent.com')


@flaky
Expand All @@ -37,7 +39,8 @@ def test_main(capsys):
# the JWT in order to expose it to this test. Thus, this test
# exercises both make_iap_request and validate_jwt.
iap_jwt = make_iap_request.make_iap_request(
'https://{}/'.format(REFLECT_SERVICE_HOSTNAME))
'https://{}/'.format(REFLECT_SERVICE_HOSTNAME),
IAP_CLIENT_ID)
iap_jwt = iap_jwt.split(': ').pop()
jwt_validation_result = validate_jwt.validate_iap_jwt(
'https://{}'.format(REFLECT_SERVICE_HOSTNAME), iap_jwt)
Expand Down
14 changes: 3 additions & 11 deletions iap/make_iap_request.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,30 +24,22 @@
import google.oauth2.service_account
import requests
import requests_toolbelt.adapters.appengine
from six.moves import urllib_parse as urlparse


IAM_SCOPE = 'https://www.googleapis.com/auth/iam'
OAUTH_TOKEN_URI = 'https://www.googleapis.com/oauth2/v4/token'


def make_iap_request(url):
def make_iap_request(url, client_id):
"""Makes a request to an application protected by Identity-Aware Proxy.

Args:
url: The Identity-Aware Proxy-protected URL to fetch.
client_id: The client ID used by Identity-Aware Proxy.

Returns:
The page body, or raises an exception if the page couldn't be retrieved.
"""
# Take the input URL and remove everything except the protocol, domain,
# and port. Examples:
# https://foo.example.com/ => https://foo.example.com
# https://example.com:8443/foo/bar?quuz=quux#lorem =>
# https://example.com:8443
base_url = urlparse.urlunparse(
urlparse.urlparse(url)._replace(path='', query='', fragment=''))

# Figure out what environment we're running in and get some preliminary
# information about the service account.
bootstrap_credentials, _ = google.auth.default(
Expand Down Expand Up @@ -90,7 +82,7 @@ def make_iap_request(url):
# and email acquired from the bootstrap credentials.
service_account_credentials = google.oauth2.service_account.Credentials(
signer, signer_email, token_uri=OAUTH_TOKEN_URI, additional_claims={
'target_audience': base_url
'target_audience': client_id
})

# service_account_credentials gives us a JWT signed by the service
Expand Down