Add an optional IAP-enabled ID token when using the Nomulus tool (#1887)

We can use the saved refresh token associated with the nomulus tool to request an ID token with an audience of the IAP client in order to satisfy IAP with with the Nomulus tool. Note: this requires that the user of the Nomulus tool, e.g. "gbrodman@google.com" has a User object stored in SQL. Tested on QA
2025-08-16 14:34:05 +02:00 · 2023-01-04 11:43:31 -05:00 · 2023-01-04 11:43:31 -05:00 · de9dee4623
commit de9dee4623
parent dae5a0b6b6
5 changed files with 114 additions and 4 deletions
--- a/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
+++ b/core/src/test/java/google/registry/tools/RequestFactoryModuleTest.java
@ -16,6 +16,8 @@ package google.registry.tools;

 import static com.google.common.truth.Truth.assertThat;
 import static google.registry.tools.RequestFactoryModule.REQUEST_TIMEOUT_MS;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
@ -25,9 +27,15 @@ import com.google.api.client.http.GenericUrl;
 import com.google.api.client.http.HttpRequest;
 import com.google.api.client.http.HttpRequestFactory;
 import com.google.api.client.http.HttpRequestInitializer;
+import com.google.api.client.http.HttpResponse;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.json.gson.GsonFactory;
+import com.google.api.client.util.GenericData;
+import com.google.auth.oauth2.UserCredentials;
 import google.registry.config.RegistryConfig;
 import google.registry.testing.SystemPropertyExtension;
 import google.registry.util.GoogleCredentialsBundle;
+import java.util.Optional;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@ -57,7 +65,7 @@ public class RequestFactoryModuleTest {
    RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = true;
    try {
      HttpRequestFactory factory =
-          RequestFactoryModule.provideHttpRequestFactory(credentialsBundle);
+          RequestFactoryModule.provideHttpRequestFactory(credentialsBundle, Optional.empty());
      HttpRequestInitializer initializer = factory.getInitializer();
      assertThat(initializer).isNotNull();
      HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
@ -76,7 +84,7 @@ public class RequestFactoryModuleTest {
    RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = false;
    try {
      HttpRequestFactory factory =
-          RequestFactoryModule.provideHttpRequestFactory(credentialsBundle);
+          RequestFactoryModule.provideHttpRequestFactory(credentialsBundle, Optional.empty());
      HttpRequestInitializer initializer = factory.getInitializer();
      assertThat(initializer).isNotNull();
      // HttpRequestFactory#buildGetRequest() calls initialize() once.
@ -89,4 +97,38 @@ public class RequestFactoryModuleTest {
      RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = origIsLocal;
    }
  }
+
+  @Test
+  void test_provideHttpRequestFactory_remote_withIap() throws Exception {
+    // Mock the request/response to/from the IAP server requesting an ID token
+    UserCredentials mockUserCredentials = mock(UserCredentials.class);
+    when(credentialsBundle.getGoogleCredentials()).thenReturn(mockUserCredentials);
+    HttpTransport mockTransport = mock(HttpTransport.class);
+    when(credentialsBundle.getHttpTransport()).thenReturn(mockTransport);
+    when(credentialsBundle.getJsonFactory()).thenReturn(GsonFactory.getDefaultInstance());
+    HttpRequestFactory mockRequestFactory = mock(HttpRequestFactory.class);
+    when(mockTransport.createRequestFactory()).thenReturn(mockRequestFactory);
+    HttpRequest mockPostRequest = mock(HttpRequest.class);
+    when(mockRequestFactory.buildPostRequest(any(), any())).thenReturn(mockPostRequest);
+    HttpResponse mockResponse = mock(HttpResponse.class);
+    when(mockPostRequest.execute()).thenReturn(mockResponse);
+    GenericData genericDataResponse = new GenericData();
+    genericDataResponse.set("id_token", "iapIdToken");
+    when(mockResponse.parseAs(GenericData.class)).thenReturn(genericDataResponse);
+
+    boolean origIsLocal = RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal;
+    RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = false;
+    try {
+      HttpRequestFactory factory =
+          RequestFactoryModule.provideHttpRequestFactory(
+              credentialsBundle, Optional.of("iapClientId"));
+      HttpRequest request = factory.buildGetRequest(new GenericUrl("http://localhost"));
+      assertThat(request.getHeaders().getAuthorization()).isEqualTo("Bearer iapIdToken");
+      assertThat(request.getConnectTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
+      assertThat(request.getReadTimeout()).isEqualTo(REQUEST_TIMEOUT_MS);
+      verifyNoMoreInteractions(httpRequestInitializer);
+    } finally {
+      RegistryConfig.CONFIG_SETTINGS.get().gcpProject.isLocal = origIsLocal;
+    }
+  }
 }