Change the cookie auth mechanism to use IAP-provided JWTs (#1877)

2025-08-20 00:14:07 +02:00 · 2022-12-12 13:51:33 -05:00 · 2022-12-12 13:51:33 -05:00 · f7b7461891
commit f7b7461891
parent 2a222ca935
8 changed files with 135 additions and 114 deletions
--- a/core/src/test/java/google/registry/request/auth/CookieOAuth2AuthenticationMechanismTest.java
+++ b/core/src/test/java/google/registry/request/auth/CookieOAuth2AuthenticationMechanismTest.java
@ -18,16 +18,15 @@ import static com.google.common.truth.Truth.assertThat;
 import static google.registry.testing.DatabaseHelper.insertInDb;
 import static org.mockito.Mockito.when;

-import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
 import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
-import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
+import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.api.client.json.webtoken.JsonWebSignature.Header;
+import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.truth.Truth8;
 import google.registry.model.console.GlobalRole;
 import google.registry.model.console.User;
 import google.registry.model.console.UserRoles;
 import google.registry.persistence.transaction.JpaTestExtensions;
-import java.security.GeneralSecurityException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import org.junit.jupiter.api.BeforeEach;
@ -36,28 +35,33 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.api.extension.RegisterExtension;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.mockito.junit.jupiter.MockitoSettings;
+import org.mockito.quality.Strictness;

-/** Tests for {@link CookieOAuth2AuthenticationMechanism}. */
+/** Tests for {@link IapHeaderAuthenticationMechanism}. */
@ExtendWith(MockitoExtension.class)
-public class CookieOAuth2AuthenticationMechanismTest {
+@MockitoSettings(strictness = Strictness.LENIENT)
+public class IapHeaderAuthenticationMechanismTest {

  @RegisterExtension
  public final JpaTestExtensions.JpaUnitTestExtension jpaExtension =
      new JpaTestExtensions.Builder().withEntityClass(User.class).buildUnitTestExtension();

-  @Mock private GoogleIdTokenVerifier tokenVerifier;
+  @Mock private TokenVerifier tokenVerifier;
  @Mock private HttpServletRequest request;

-  private GoogleIdToken token;
-  private CookieOAuth2AuthenticationMechanism authenticationMechanism;
+  private JsonWebSignature token;
+  private IapHeaderAuthenticationMechanism authenticationMechanism;

  @BeforeEach
-  void beforeEach() {
-    authenticationMechanism = new CookieOAuth2AuthenticationMechanism(tokenVerifier);
+  void beforeEach() throws Exception {
+    authenticationMechanism = new IapHeaderAuthenticationMechanism(tokenVerifier);
+    when(request.getHeader("X-Goog-IAP-JWT-Assertion")).thenReturn("jwtValue");
    Payload payload = new Payload();
    payload.setEmail("email@email.com");
    payload.setSubject("gaiaId");
-    token = new GoogleIdToken(new Header(), payload, new byte[0], new byte[0]);
+    token = new JsonWebSignature(new Header(), payload, new byte[0], new byte[0]);
+    when(tokenVerifier.verify("jwtValue")).thenReturn(token);
  }

  @Test
@ -94,7 +98,7 @@ public class CookieOAuth2AuthenticationMechanismTest {
  @Test
  void testFailure_errorVerifyingToken() throws Exception {
    when(request.getCookies()).thenReturn(new Cookie[] {new Cookie("idToken", "asdf")});
-    when(tokenVerifier.verify("asdf")).thenThrow(new GeneralSecurityException("hi"));
+    when(tokenVerifier.verify("asdf")).thenThrow(new TokenVerifier.VerificationException("hi"));
    assertThat(authenticationMechanism.authenticate(request).isAuthenticated()).isFalse();
  }

--- a/core/src/test/java/google/registry/server/RegistryTestServerMain.java
+++ b/core/src/test/java/google/registry/server/RegistryTestServerMain.java
@ -19,7 +19,11 @@ import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.collect.ImmutableList;
 import com.google.common.net.HostAndPort;
+import google.registry.model.console.GlobalRole;
+import google.registry.model.console.User;
+import google.registry.model.console.UserRoles;
 import google.registry.persistence.transaction.JpaTestExtensions;
+import google.registry.request.auth.IapHeaderAuthenticationMechanism;
 import google.registry.testing.AppEngineExtension;
 import google.registry.testing.UserInfo;
 import google.registry.tools.params.HostAndPortParameter;
@ -138,6 +142,16 @@ public final class RegistryTestServerMain {
                loginIsAdmin ? UserInfo.createAdmin(loginEmail) : UserInfo.create(loginEmail))
            .build();
    appEngine.setUp();
+    UserRoles userRoles =
+        new UserRoles.Builder().setIsAdmin(loginIsAdmin).setGlobalRole(GlobalRole.FTE).build();
+    User user =
+        new User.Builder()
+            .setEmailAddress(loginEmail)
+            .setGaiaId("123457890")
+            .setUserRoles(userRoles)
+            .setRegistryLockPassword("registryLockPassword")
+            .build();
+    IapHeaderAuthenticationMechanism.setUserAuthInfoForTestServer(user);
    new JpaTestExtensions.Builder().buildIntegrationTestExtension().beforeEach(null);
    AppEngineExtension.loadInitialData();
    System.out.printf("%sLoading fixtures...%s\n", BLUE, RESET);