Adding samples for Identity-Aware Proxy

infrastructure/README.md

@@ -5,6 +5,7 @@ A repository of Infrastructure solutions.
  * [dns-sync](#dns-sync)
  * [labelmaker](#labelmaker)
  * [cloudconnect](#cloudconnect)
+ * [identity-aware-proxy](#identity-aware-proxy)
 
 ### [dns-sync](dns-sync/)
   Sync a Cloud DNS zone with GCE resources. Instances and load balancers are added to the cloud DNS zone as they start from compute_engine_activity log events sent from a pub/sub push subscription. Can sync multiple projects to a single Cloud DNS zone.
@@ -14,3 +15,7 @@ A repository of Infrastructure solutions.
 
 ### [cloudconnect](cloudconnect/)
   CloudConnect is a package that automates the setup of dual VPN tunnels between AWS and GCP. While this connection is **NOT** meant for high throughput, low latency connections (1Gbps+), it can certainly support basic management and configuration traffic. Currently it supports the creation of both _static-routes_ and _bgp_ connections.
+
+### [identity-aware-proxy](identity-aware-proxy/)
+  This package contains samples which demonstrate how to properly
+  communicate with applications behind GCP's identity aware proxy (IAP). 

infrastructure/identity-aware-proxy/README.md

@@ -0,0 +1,36 @@
+# Identity-Aware Proxy Samples
+
+## Running iap_validating_server.py
+
+This sample script runs a simple python web server which validates all GET requests to verify if they're being proxied through Google's Identity-Aware Proxy. This sample depends on and uses the [validate_iap_jwt_from_compute_engine](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/3f5de8c8857784e90935379b63c352c0a5f7f8da/iap/validate_jwt.py#L49) function found in [validate_jwt.py](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/validate_jwt.py). Make sure you install the necessary libraries found in [requirements.txt](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/requirements.txt) by running:
+
+    pip install -r requirements.txt
+
+Once the libraries are installed, you can run the server by calling:
+
+    python iap_validating_server.py
+
+## Running main.py
+
+This sample script takes in two runtime arguments
+
+* URL - The URL corresponding to the resource sitting behind the Identity-Aware Proxy 
+* IAP Client Id - The OAuth Client Id of the service account assigned to Identity-Aware Proxy
+
+and passes them to the [make_iap_request](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/3f5de8c8857784e90935379b63c352c0a5f7f8da/iap/make_iap_request.py#L33) function found in [make_iap_request.py](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/make_iap_request.py). Make sure you install the necessary libraries found in [requirements.txt](https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/requirements.txt) by running:
+
+    pip install -r requirements.txt
+
+Once the libraries are installed, you can run the sample by calling:
+
+    python main.py URL IAP_CLIENT_ID
+
+making sure to replace the URL and IAP_CLIENT_ID placeholders with appropriate values.
+
+## Deploying with prog_auth_deploy.yaml
+
+This deployment manager template creates a virtual machine instance in compute engine and runs a custom startup script with specific steps to prepare the environment for testing programmatic authentication with IAP.
+
+Use gcloud to create a deployment with this template:
+
+    gcloud deployment-manager deployments create prog-auth-vm --config prog_auth_deploy.yaml

infrastructure/identity-aware-proxy/iap_validating_server.py

@@ -0,0 +1,58 @@
+# Copyright 2017 Google Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
+# validate_jwt github link: 
+#    https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/iap/validate_jwt.py
+from validate_jwt import *
+
+
+class RequestHandler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        """Intercepts all GET requests and validates 
+        the IAP JWT that is present in the header.
+        For this example, all requests must have the
+        load balancer's backend service id and the 
+        project number present in the url. 
+
+        Example request: 
+        https:testdomain.com/projectNumber/backendServiceId
+
+        """
+        print self.headers
+        backendServiceId = self.path.split("/")[-1]
+        projectNumber = self.path.split("/")[-2]
+        identity = validate_iap_jwt_from_compute_engine(
+                    self.headers.get("X-Goog-IAP-JWT-Assertion"),
+                    projectNumber,
+                    backendServiceId)          
+        if not identity[1]:
+            self.send_response(200)
+            self.send_header('Content-type', 'text/html')
+            self.end_headers()
+            self.wfile.write("IAP Validation Failed")
+        else:
+            self.send_response(200)
+            self.send_header('Content-type', 'text/html')
+            self.end_headers()
+            self.wfile.write("Hello " + identity[1] + "!")
+        return
+
+
+def main():
+    port = 80
+    print 'Listening on localhost:%s' % port
+    server = HTTPServer(('', port), RequestHandler)
+    server.serve_forever()
+if __name__ == "__main__":
+    main()

infrastructure/identity-aware-proxy/main.py

@@ -0,0 +1,7 @@
+import sys
+from make_iap_request import *
+
+if __name__ == "__main__":
+	# sys.argv[1] = URL
+	# sys.argv[2] = IAP Client Id
+	print make_iap_request(sys.argv[1],sys.argv[2])

infrastructure/identity-aware-proxy/prog_auth_deploy.yaml

@@ -0,0 +1,46 @@
+# Copyright 2016 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+- name: vm-created-by-deployment-manager
+  type: compute.v1.instance
+  properties:
+    zone: us-east4-a
+    machineType: zones/us-east4-a/machineTypes/n1-standard-1
+    disks:
+    - deviceName: boot
+      type: PERSISTENT
+      boot: true
+      autoDelete: true
+      initializeParams:
+        sourceImage: projects/debian-cloud/global/images/family/debian-8
+    networkInterfaces:
+    - network: global/networks/default
+      # Access Config required to give the instance a public IP address
+      accessConfigs:
+      - name: External NAT
+        type: ONE_TO_ONE_NAT
+    metadata:
+      items:
+      - key: startup-script
+        value: "apt-get update;
+                apt-get install python-pip build-essential libssl-dev libffi-dev python-dev -y;
+                wget https://raw.githubusercontent.com/GoogleCloudPlatform/python-docs-samples/master/iap/requirements.txt;
+                wget https://raw.githubusercontent.com/GoogleCloudPlatform/python-docs-samples/master/iap/make_iap_request.py? -O /home/make_iap_request.py;
+                sed -i 's/url,$/url, verify=False,/' /home/make_iap_request.py;
+                wget https://github.com/GoogleCloudPlatform/professional-services/raw/danieldeleo-identity-aware-proxy/infrastructure/identity-aware-proxy/main.py? -O /home/main.py;
+                easy_install --upgrade pip;
+                pip install virtualenv;
+                virtualenv /home/virtualenv;
+                /home/virtualenv/bin/pip install -r requirements.txt;"