From 6ddae06837f88b93023cb25b5b9b97de1c1be4bd Mon Sep 17 00:00:00 2001
From: Matthew Sachs <matthewg@zevils.com>
Date: Thu, 13 Jul 2017 16:33:27 -0700
Subject: [PATCH 1/2] Update JWT validation to use new JWT header

---
 .../example/iap/VerifyIapRequestHeader.java   | 32 +++++++++++--------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java b/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java
index d99d7af4907..aa6f01bcc75 100644
--- a/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java
+++ b/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java
@@ -100,25 +100,31 @@ private Key resolveSigningKey(JwsHeader header) {
         }
       };
 
-  private static String getBaseUrl(URL url) throws Exception {
-    String urlFilePath = url.getFile();
-    int pathDelim = urlFilePath.lastIndexOf('/');
-    String path = (pathDelim > 0) ? urlFilePath.substring(0, pathDelim) : "";
-    return (url.getProtocol() + "://" + url.getHost() + path).trim();
+  Jwt verifyJWTTokenForAppEngine(HttpRequest request, long project_number, String project_id) throws Exception {
+    // Check for iap jwt header in incoming request
+    String jwtToken =
+        request.getHeaders().getFirstHeaderStringValue("x-goog-iap-jwt-assertion");
+    if (jwtToken == null) {
+      return null;
+    }
+    return verifyJWTToken(jwtToken, String.format("/projects/%s/apps/%s",
+                                                  Long.toUnsignedString(project_number),
+                                                 project_id));
   }
-
-  Jwt verifyJWTToken(HttpRequest request) throws Exception {
+  
+  Jwt verifyJWTTokenForComputeEngine(HttpRequest request, long project_number, long backend_service_id) throws Exception {
     // Check for iap jwt header in incoming request
     String jwtToken =
-        request.getHeaders().getFirstHeaderStringValue("x-goog-authenticated-user-jwt");
+        request.getHeaders().getFirstHeaderStringValue("x-goog-iap-jwt-assertion");
     if (jwtToken == null) {
       return null;
     }
-    String baseUrl = getBaseUrl(request.getUrl().toURL());
-    return verifyJWTToken(jwtToken, baseUrl);
+    return verifyJWTToken(jwtToken, String.format("/projects/%s/global/backendServices/%s",
+                                                  Long.toUnsignedString(project_number),
+                                                  Long.toUnsignedString(backend_service_id)));
   }
-
-  Jwt verifyJWTToken(String jwtToken, String baseUrl) throws Exception {
+  
+  Jwt verifyJWTToken(String jwtToken, String expectedAudience) throws Exception {
     // Time constraints are automatically checked, use setAllowedClockSkewSeconds
     // to specify a leeway window
     // The token was issued in a past date "iat" < TODAY
@@ -126,7 +132,7 @@ Jwt verifyJWTToken(String jwtToken, String baseUrl) throws Exception {
     Jwt jwt =
         Jwts.parser()
             .setSigningKeyResolver(resolver)
-            .requireAudience(baseUrl)
+            .requireAudience(expectedAudience)
             .requireIssuer(IAP_ISSUER_URL)
             .parse(jwtToken);
     DefaultClaims claims = (DefaultClaims) jwt.getBody();

From da8591232c92955a091de6b1968b968b2beac838 Mon Sep 17 00:00:00 2001
From: Jisha Abubaker <jishaa@google.com>
Date: Fri, 14 Jul 2017 14:30:36 -0700
Subject: [PATCH 2/2] IAP samples patch to use new JWT header

---
 .../com/example/appengine/iap/JwtServlet.java |  2 +-
 iap/README.md                                 | 19 +++++++++++++++++--
 .../example/iap/VerifyIapRequestHeader.java   | 19 +++++++++++--------
 .../iap/BuildAndVerifyIapRequestIT.java       | 14 ++++++++++++--
 pom.xml                                       |  1 +
 5 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java b/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
index b6f7d95584f..0405d259c3b 100644
--- a/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
+++ b/appengine/iap/src/main/java/com/example/appengine/iap/JwtServlet.java
@@ -25,7 +25,7 @@
 @SuppressWarnings("serial")
 public class JwtServlet extends HttpServlet {
 
-  private static final String IAP_JWT_HEADER = "x-goog-authenticated-user-jwt";
+  private static final String IAP_JWT_HEADER = "x-goog-iap-jwt-assertion";
 
   @Override
   public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
diff --git a/iap/README.md b/iap/README.md
index efc22864d21..d8819ed64e3 100644
--- a/iap/README.md
+++ b/iap/README.md
@@ -23,10 +23,25 @@ verify the JWT token in an incoming request to an IAP protected resource.
 ## Testing
 - Deploy the [demo app engine application](../appengine/iap/README.md). This application will return the JWT token to an authorized incoming request.
 It will be used to test both the authorization of an incoming request to an IAP protected resource and the JWT token returned from IAP.
+
 - [Enable](https://cloud.google.com/iap/docs/app-engine-quickstart) Identity-Aware Proxy on the App Engine app.
+
 - Add the service account email to the Identity-Aware Proxy access list for the project.
-- Set the environment variable `IAP_PROTECTED_URL` to point to `https://your-project-id.appspot.com`
-- Set the environment variable `IAP_CLIENT_ID` to point to the [OAuth 2.0 Client ID](https://console.cloud.google.com/apis/credentials) of your IAP protected App Engine Application.
+
+- Set the following environment variables to test sending a request to an IAP protected resource:
+  - `IAP_PROTECTED_URL` : URL of your IAP protected resource . eg. `https://your-project-id.appspot.com`
+
+  - `IAP_CLIENT_ID` to point to the [OAuth 2.0 Client ID](https://console.cloud.google.com/apis/credentials) of your IAP protected App Engine Application.
+
+- Set the following environment variables to test verifying a JWT issued for an App Engine protected application:
+  - `GOOGLE_CLOUD_PROJECT`: Google Cloud Project ID
+
+  - `IAP_PROJECT_NUMBER` : [Project number](https://console.cloud.google.com/home/dashboard) of the IAP protected resource.
+  Also available via `gcloud` using:
+    ```
+       gcloud projects describe PROJECT_ID
+    ```
+
 - Run the integration test:
 ```
     mvn -Dtest=com.example.iap.BuildAndVerifyIapRequestIT verify
diff --git a/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java b/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java
index aa6f01bcc75..fa10e607f9d 100644
--- a/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java
+++ b/iap/src/main/java/com/example/iap/VerifyIapRequestHeader.java
@@ -31,7 +31,6 @@
 
 import java.io.IOException;
 import java.io.StringReader;
-import java.net.URL;
 import java.security.Key;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
@@ -100,7 +99,11 @@ private Key resolveSigningKey(JwsHeader header) {
         }
       };
 
-  Jwt verifyJWTTokenForAppEngine(HttpRequest request, long project_number, String project_id) throws Exception {
+  // Verify jwt tokens addressed to IAP protected resources on App Engine.
+  // The project *number* for your Google Cloud project available via 'gcloud projects describe $PROJECT_ID'
+  // or in the Project Info card in Cloud Console.
+  // projectId is The project *ID* for your Google Cloud Project.
+  Jwt verifyJWTTokenForAppEngine(HttpRequest request, long projectNumber, String projectId) throws Exception {
     // Check for iap jwt header in incoming request
     String jwtToken =
         request.getHeaders().getFirstHeaderStringValue("x-goog-iap-jwt-assertion");
@@ -108,11 +111,11 @@ Jwt verifyJWTTokenForAppEngine(HttpRequest request, long project_number, String
       return null;
     }
     return verifyJWTToken(jwtToken, String.format("/projects/%s/apps/%s",
-                                                  Long.toUnsignedString(project_number),
-                                                 project_id));
+                                                  Long.toUnsignedString(projectNumber),
+                                                 projectId));
   }
-  
-  Jwt verifyJWTTokenForComputeEngine(HttpRequest request, long project_number, long backend_service_id) throws Exception {
+
+  Jwt verifyJWTTokenForComputeEngine(HttpRequest request, long projectNumber, long backendServiceId) throws Exception {
     // Check for iap jwt header in incoming request
     String jwtToken =
         request.getHeaders().getFirstHeaderStringValue("x-goog-iap-jwt-assertion");
@@ -120,8 +123,8 @@ Jwt verifyJWTTokenForComputeEngine(HttpRequest request, long project_number, lon
       return null;
     }
     return verifyJWTToken(jwtToken, String.format("/projects/%s/global/backendServices/%s",
-                                                  Long.toUnsignedString(project_number),
-                                                  Long.toUnsignedString(backend_service_id)));
+                                                  Long.toUnsignedString(projectNumber),
+                                                  Long.toUnsignedString(backendServiceId)));
   }
   
   Jwt verifyJWTToken(String jwtToken, String expectedAudience) throws Exception {
diff --git a/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java b/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java
index 020444e9b56..e043afb8b5c 100644
--- a/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java
+++ b/iap/src/test/java/com/example/iap/BuildAndVerifyIapRequestIT.java
@@ -18,6 +18,7 @@
 import static org.junit.Assert.assertNotNull;
 
 import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpHeaders;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpResponse;
 import com.google.api.client.http.HttpResponseException;
@@ -35,6 +36,8 @@ public class BuildAndVerifyIapRequestIT {
 
   private String iapProtectedUrl = System.getenv("IAP_PROTECTED_URL");
   private String iapClientId = System.getenv("IAP_CLIENT_ID");
+  private Long projectNumber = Long.parseLong(System.getenv("IAP_PROJECT_NUMBER"));
+  private String projectId = System.getenv("GOOGLE_CLOUD_PROJECT");
   private HttpTransport httpTransport = new NetHttpTransport();
   private VerifyIapRequestHeader verifyIapRequestHeader = new VerifyIapRequestHeader();
 
@@ -68,8 +71,15 @@ public void testGenerateAndVerifyIapRequestIsSuccessful() throws Exception {
     String[] split = headerWithtoken.split(":");
     assertNotNull(split);
     assertEquals(split.length, 2);
-    assertEquals(split[0].trim(), "x-goog-authenticated-user-jwt");
-    Jwt decodedJWT = verifyIapRequestHeader.verifyJWTToken(split[1].trim(), iapProtectedUrl);
+    assertEquals(split[0].trim(), "x-goog-iap-jwt-assertion");
+
+    String jwtToken = split[1].trim();
+    HttpRequest verifyJwtRequest = httpTransport
+        .createRequestFactory()
+        .buildGetRequest(new GenericUrl(iapProtectedUrl)).setHeaders(
+        new HttpHeaders().set("x-goog-iap-jwt-assertion", jwtToken));
+    Jwt decodedJWT = verifyIapRequestHeader.verifyJWTTokenForAppEngine(
+        verifyJwtRequest, projectNumber, projectId);
     assertNotNull(decodedJWT);
   }
 }
diff --git a/pom.xml b/pom.xml
index 73b0c5ba6dc..f2a4b975147 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,6 +78,7 @@
         <module>compute/sendgrid</module>
         <module>datastore</module>
         <module>datastore/cloud-client</module>
+        <module>iap</module>
         <module>kms</module>
         <module>language/analysis</module>
         <module>language/cloud-client</module>