Added initial version

Author: mshytikov

.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+.rubocop-https*

.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

.rubocop.yml

@@ -0,0 +1,8 @@
+inherit_from:
+  - https://raw.githubusercontent.com/bloomon/style-guide/v0.1.0/ruby/rubocop.yml
+
+Rails:
+  Enabled: true
+
+AllCops:
+  TargetRubyVersion: 2.4

Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in gcp_iap_warden.gemspec
+gemspec

Gemfile.lock

@@ -0,0 +1,121 @@
+PATH
+  remote: .
+  specs:
+    gcp_iap_warden (0.1.0)
+      jwt (~> 2.1.0)
+      warden (~> 1.2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    abstract_type (0.0.7)
+    adamantium (0.2.0)
+      ice_nine (~> 0.11.0)
+      memoizable (~> 0.4.0)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
+    ast (2.3.0)
+    binding_of_caller (0.8.0)
+      debug_inspector (>= 0.0.1)
+    coderay (1.1.2)
+    concord (0.1.5)
+      adamantium (~> 0.2.0)
+      equalizer (~> 0.0.9)
+    crack (0.4.3)
+      safe_yaml (~> 1.0.0)
+    debug_inspector (0.0.3)
+    diff-lcs (1.3)
+    equalizer (0.0.11)
+    hashdiff (0.3.7)
+    ice_nine (0.11.2)
+    jwt (2.1.0)
+    memoizable (0.4.2)
+      thread_safe (~> 0.3, >= 0.3.1)
+    method_source (0.9.0)
+    parallel (1.12.1)
+    parser (2.4.0.2)
+      ast (~> 2.3)
+    powerpack (0.1.1)
+    proc_to_ast (0.1.0)
+      coderay
+      parser
+      unparser
+    procto (0.0.3)
+    pry (0.11.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    public_suffix (3.0.1)
+    rack (2.0.3)
+    rack-test (0.8.2)
+      rack (>= 1.0, < 3)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-its (1.2.0)
+      rspec-core (>= 3.0.0)
+      rspec-expectations (>= 3.0.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-parameterized (0.4.0)
+      binding_of_caller
+      parser
+      proc_to_ast
+      rspec (>= 2.13, < 4)
+      unparser
+    rspec-support (3.7.0)
+    rubocop (0.52.1)
+      parallel (~> 1.10)
+      parser (>= 2.4.0.2, < 3.0)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.9.0)
+    safe_yaml (1.0.4)
+    thread_safe (0.3.6)
+    timecop (0.9.1)
+    unicode-display_width (1.3.0)
+    unparser (0.2.6)
+      abstract_type (~> 0.0.7)
+      adamantium (~> 0.2.0)
+      concord (~> 0.1.5)
+      diff-lcs (~> 1.3)
+      equalizer (~> 0.0.9)
+      parser (>= 2.3.1.2, < 2.5)
+      procto (~> 0.0.2)
+    vcr (4.0.0)
+    warden (1.2.7)
+      rack (>= 1.0)
+    webmock (3.3.0)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  gcp_iap_warden!
+  pry (~> 0.11.3)
+  rack-test (~> 0.8.0)
+  rake (~> 10.0)
+  rspec (~> 3.0)
+  rspec-its (~> 1.2.0)
+  rspec-parameterized (~> 0.4.0)
+  rubocop (~> 0.52.0)
+  timecop (~> 0.9.0)
+  vcr (~> 4.0.0)
+  webmock (~> 3.3.0)
+
+BUNDLED WITH
+   1.16.1

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2018 
+Copyright (c) 2018 Bloomon
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -0,0 +1,65 @@
+# GCP IAP Warden
+
+Google Cloud [Cloud Identity-Aware Proxy](https://cloud.google.com/iap/)
+ strategies for [Warden](https://github.com/hassox/warden)
+
+## Usage
+
+Below is just an example for ussage with rails.
+But you can easily reuse the code for you rack based app.
+
+Read more about Warden [here](https://github.com/hassox/warden/wiki)
+
+You may have use different strategies:
+`gcp_iap_google_jwt_header` or `gcp_iap_google_header`
+
+Recommended is `gcp_iap_google_jwt_header` read more [here](https://cloud.google.com/iap/docs/signed-headers-howto)
+
+Initialize the warden with something like
+
+```
+# ./config/initializers/warden.rb
+
+require "gcp_iap_warden"
+
+GcpIapWarden::Strategy::GoogleJWTHeader.config(
+  project: ENV.fetch("GCP_PROJECT_ID"),
+  backend: ENV.fetch("GCP_BACKEND_ID")
+)
+
+Rails.application.config.middleware.insert_after(
+  ActionDispatch::Session::CookieStore, Warden::Manager
+) do |manager|
+  manager.default_strategies :gcp_iap_google_jwt_header
+  manager.failure_app = UnauthorizedController
+end
+```
+
+Your `UnauthorizedController` may look like
+
+```
+# app/controllers/unauthorized_controller.rb
+
+class UnauthorizedController < ActionController::Metal
+  def self.call(env)
+    env["warden"].errors.each do |message|
+      Rails.logger.warn("[unauthorized] reason: #{message}")
+    end
+    @respond ||= action(:respond)
+    @respond.call(env)
+  end
+
+  def respond
+    self.response_body = "Unauthorized Action"
+    self.status = :unauthorized
+  end
+end
+```
+
+## Development
+
+Setup and run tests
+
+```
+docker-compose run --rm app ./bin/setup
+```

Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

bin/console

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "gcp_iap_warden"
+
+require "pry"
+Pry.start

bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle check || bundle install
+bundle exec rspec
+bundle exec rubocop

docker-compose.yml

@@ -0,0 +1,10 @@
+version: '2'
+services:
+  app:
+    image: ruby:2.4
+    working_dir: /workdir
+    environment:
+      BUNDLE_PATH: /workdir/.bundle
+    command: ./bin/setup
+    volumes:
+      - .:/workdir

gcp_iap_warden.gemspec

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "gcp_iap_warden/version"
+
+Gem::Specification.new do |spec| # rubocop:disable Metrics/BlockLength
+  spec.name          = "gcp_iap_warden"
+  spec.version       = GcpIapWarden::VERSION
+  spec.authors       = ["Max Shytikov"]
+  spec.email         = ["mshytikov@gmail.com"]
+
+  spec.summary       = "GCP Cloud IAP strategy for Warden"
+  spec.description   = "GCP Cloud IAP strategy for Warden"
+
+  # Prevent pushing this gem to RubyGems.org.
+  # To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section
+  # to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
+  else
+    raise "RubyGems 2.0 or newer is required to protect against " \
+      "public gem pushes."
+  end
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "jwt", "~> 2.1.0"
+  spec.add_dependency "warden", "~> 1.2.0"
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "pry", "~>  0.11.3"
+  spec.add_development_dependency "rack-test", "~> 0.8.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rspec-its", "~> 1.2.0"
+  spec.add_development_dependency "rspec-parameterized", "~> 0.4.0"
+  spec.add_development_dependency "rubocop", "~> 0.52.0"
+  spec.add_development_dependency "timecop", "~> 0.9.0"
+  spec.add_development_dependency "vcr", "~> 4.0.0"
+  spec.add_development_dependency "webmock", "~> 3.3.0"
+end

lib/gcp_iap_warden.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "warden"
+
+require "gcp_iap_warden/version"
+
+module GcpIapWarden
+  require_relative "gcp_iap_warden/utils"
+  require_relative "gcp_iap_warden/key_store"
+  require_relative "gcp_iap_warden/strategy"
+end

lib/gcp_iap_warden/key_store.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "open-uri"
+
+module GcpIapWarden
+  class KeyStore
+    GOOGLE_PUBLIC_KEY_URL = "https://www.gstatic.com/iap/verify/public_key"
+
+    def initialize
+      @keys = {}
+    end
+
+    def fetch(key_id)
+      return if key_id.nil?
+      key = keys[key_id]
+      return key if key
+
+      update_keys!(key_id)
+      keys.fetch(key_id)
+    end
+
+    private
+
+    attr_accessor :keys
+
+    def update_keys!(key_id)
+      new_keys = load_keys
+      raise "Can't find key with id: #{key_id}" unless new_keys.key?(key_id)
+      self.keys = new_keys
+    end
+
+    def load_keys
+      ::JSON.parse(open(GOOGLE_PUBLIC_KEY_URL).read)
+    end
+  end
+end

lib/gcp_iap_warden/strategy.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module GcpIapWarden
+  module Strategy
+    require_relative "strategy/base"
+    require_relative "strategy/google_header"
+    require_relative "strategy/google_jwt_header"
+  end
+end