# GCP IAP Warden

Google Cloud Identity-Aware Proxy strategies for Warden
## Usage

Below is an example of usage with Rails, but you can easily reuse the code for your Rack-based app. Read more about Warden here.

You may use one of two strategies:

- `gcp_iap_google_jwt_header`
- `gcp_iap_google_header`

`gcp_iap_google_jwt_header` is recommended, because it verifies the signed JWT assertion that IAP attaches to each request instead of trusting the plain identity headers alone (read more here).

Initialize Warden with something like:
```ruby
# ./config/initializers/warden.rb
require "gcp_iap_warden"

GcpIapWarden::Strategy::GoogleJWTHeader.config(
  project: ENV.fetch("GCP_PROJECT_ID"),
  backend: ENV.fetch("GCP_BACKEND_ID")
)

Rails.application.config.middleware.insert_after(
  ActionDispatch::Session::CookieStore, Warden::Manager
) do |manager|
  manager.default_strategies :gcp_iap_google_jwt_header
  manager.failure_app = UnauthorizedController
end
```
Or, for App Engine:

```ruby
# ./config/initializers/warden.rb
require "gcp_iap_warden"

GcpIapWarden::Strategy::GoogleJWTHeader.config(
  project: ENV.fetch("GCP_PROJECT_ID"),
  backend: ENV.fetch("APP_ENGINE_PROJECT_ID"),  # comma was missing here
  platform: :app_engine
)

Rails.application.config.middleware.insert_after(
  ActionDispatch::Session::CookieStore, Warden::Manager
) do |manager|
  manager.default_strategies :gcp_iap_google_jwt_header
  manager.failure_app = UnauthorizedController
end
```
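To make concrete what the JWT-header strategy has to check before a request counts as authenticated, here is an added, self-contained example that is not part of the gem's code. It builds the expected `aud` value from the same `project`/`backend`/`platform` options the config above takes (the audience formats come from Google's IAP documentation; how the gem maps its options onto them is an assumption), then verifies an ES256 assertion the way a strategy should: pinned algorithm, valid signature, expected issuer and audience, and an unexpired token. The key pair, project and backend ids, and the `demo_token` helper are constructed for the example; a real deployment verifies against Google's published IAP keys.

```ruby
require "openssl"
require "json"
require "base64"

# Issuer IAP puts in the "iss" claim (value from Google's IAP documentation).
IAP_ISSUER = "https://cloud.google.com/iap"

# Expected "aud" claim, built from the project/backend pair the gem's config
# takes. Audience formats are Google's; the option mapping is an assumption.
def iap_audience(project:, backend:, platform: :backend_service)
  if platform == :app_engine
    "/projects/#{project}/apps/#{backend}"
  else
    "/projects/#{project}/global/backendServices/#{backend}"
  end
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Produce an ES256 JWT (raw r||s signature, as JWS requires). Only used here to
# construct test tokens; in production IAP is the one signing the assertion.
def sign_es256(key, header, payload)
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  der = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  r, s = OpenSSL::ASN1.decode(der).value.map { |i| i.value.to_s(2).rjust(32, "\x00") }
  "#{signing_input}.#{b64url(r + s)}"
end

# Verify an IAP-style assertion. Returns [true, email] or [false, reason].
def verify_iap_jwt(token, public_key:, expected_aud:, now: Time.now.to_i)
  parts = token.split(".")
  return [false, "malformed token"] unless parts.length == 3
  h64, p64, s64 = parts

  header = JSON.parse(Base64.urlsafe_decode64(h64))
  # Pin the algorithm; never let the token choose it.
  return [false, "unexpected alg"] unless header["alg"] == "ES256"

  # JWS carries r||s (64 bytes); OpenSSL wants a DER SEQUENCE of two INTEGERs.
  sig = Base64.urlsafe_decode64(s64)
  return [false, "bad signature length"] unless sig.bytesize == 64
  der = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(sig[0, 32], 2)),
    OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(sig[32, 32], 2))
  ]).to_der
  unless public_key.verify(OpenSSL::Digest.new("SHA256"), der, "#{h64}.#{p64}")
    return [false, "signature invalid"]
  end

  # Claims are only trusted after the signature has been verified.
  payload = JSON.parse(Base64.urlsafe_decode64(p64))
  return [false, "wrong issuer"] unless payload["iss"] == IAP_ISSUER
  return [false, "wrong audience"] unless payload["aud"] == expected_aud
  return [false, "token expired"] unless payload["exp"].is_a?(Integer) && now < payload["exp"]
  return [false, "token not yet valid"] if payload["iat"].is_a?(Integer) && payload["iat"] > now + 30
  [true, payload["email"]]
end

# Constructed key pair standing in for Google's IAP signing keys, which a real
# deployment fetches from https://www.gstatic.com/iap/verify/public_key.
DEMO_KEY = OpenSSL::PKey::EC.generate("prime256v1")
# Constructed project number / backend service id.
EXPECTED_AUD = iap_audience(project: "123456789012", backend: "987654321")

# Hypothetical helper that mints a token the way IAP would, for the demo only.
def demo_token(key: DEMO_KEY, aud: EXPECTED_AUD, exp: Time.now.to_i + 600)
  sign_es256(key,
             { "alg" => "ES256", "typ" => "JWT", "kid" => "demo-key" },
             { "iss" => IAP_ISSUER, "aud" => aud, "iat" => Time.now.to_i, "exp" => exp,
               "email" => "user@example.com", "sub" => "accounts.google.com:demo" })
end

if __FILE__ == $PROGRAM_NAME
  p verify_iap_jwt(demo_token, public_key: DEMO_KEY, expected_aud: EXPECTED_AUD)
  p verify_iap_jwt(demo_token(aud: "/projects/123456789012/global/backendServices/1"),
                   public_key: DEMO_KEY, expected_aud: EXPECTED_AUD)
end
```

The audience check is the part that ties the assertion to this particular backend; without it, a valid IAP token issued for another service in the same project would be accepted. Signature verification is what makes the header strategy safe even when a request reaches the app without passing through the load balancer, which is the case the plain-header strategy cannot defend against.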
Your `UnauthorizedController` may look like:

```ruby
# app/controllers/unauthorized_controller.rb
class UnauthorizedController < ActionController::Metal
  def self.call(env)
    # Log why every strategy rejected the request before responding.
    env["warden"].errors.each do |message|
      Rails.logger.warn("[unauthorized] reason: #{message}")
    end
    @respond ||= action(:respond)
    @respond.call(env)
  end

  def respond
    self.response_body = "Unauthorized Action"
    self.status = :unauthorized
  end
end
```
## Development

Set up and run the tests:

```sh
docker-compose run --rm app ./bin/setup
```