Use the Proxy-Authorization header when using nomulus + IAP (#1921)

2025-04-30 12:07:51 +02:00 · 2023-01-26 15:16:32 -05:00 · 2023-01-26 15:16:32 -05:00 · bd66b3cef1
commit bd66b3cef1
parent ab146c4bf8
2 changed files with 8 additions and 5 deletions
--- a/core/src/main/java/google/registry/tools/RequestFactoryModule.java
+++ b/core/src/main/java/google/registry/tools/RequestFactoryModule.java
@ -69,14 +69,15 @@ class RequestFactoryModule {
      return new NetHttpTransport()
          .createRequestFactory(
              request -> {
+                // Use the standard credential initializer to set the Authorization header
+                credentialsBundle.getHttpRequestInitializer().initialize(request);
                // If using IAP, use the refresh token to acquire an IAP-enabled ID token and use
                // that for authentication.
                if (iapClientId.isPresent()) {
                  String idToken = getIdToken(credentialsBundle, iapClientId.get());
-                  request.getHeaders().setAuthorization("Bearer " + idToken);
-                } else {
-                  // Otherwise, use the standard credential HTTP initializer
-                  credentialsBundle.getHttpRequestInitializer().initialize(request);
+                  // Set the Proxy-Authentication header so that IAP can read from it, see
+                  // https://cloud.google.com/iap/docs/authentication-howto#authenticating_from_proxy-authorization_header
+                  request.getHeaders().set("Proxy-Authorization", "Bearer " + idToken);
                }
                // GAE request times out after 10 min, so here we set the timeout to 10 min. This is
                // needed to support some nomulus commands like updating premium lists that take
--- a/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
+++ b/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
@ -100,6 +100,7 @@ public class RequestFactoryModuleTest {

  @Test
  void test_provideHttpRequestFactory_remote_withIap() throws Exception {
+    when(credentialsBundle.getHttpRequestInitializer()).thenReturn(httpRequestInitializer);
    // Mock the request/response to/from the IAP server requesting an ID token
    UserCredentials mockUserCredentials = mock(UserCredentials.class);
    when(credentialsBundle.getGoogleCredentials()).thenReturn(mockUserCredentials);
@ -123,9 +124,10 @@ public class RequestFactoryModuleTest {
          RequestFactoryModule.provideHttpRequestFactory(
              credentialsBundle, Optional.of("iapClientId"));
      HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
-      assertThat(request.getHeaders().getAuthorization()).isEqualTo("Bearer iapIdToken");
+      assertThat(request.getHeaders().get("Proxy-Authorization")).isEqualTo("Bearer iapIdToken");
      assertThat(request.getConnectTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
      assertThat(request.getReadTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
+      verify(httpRequestInitializer).initialize(request);
      verifyNoMoreInteractions(httpRequestInitializer);
    } finally {
      RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = origIsLocal;