class GcpIapWarden::Strategy::GoogleJWTHeader

Constants

JWT_ALG
JWT_HEADER
JWT_ISS
PLATFORMS

Attributes

jwt_options[RW]
key_store[RW]

Public Class Methods

config(project:, backend:, platform: :gce)
# File lib/gcp_iap_warden/strategy/google_jwt_header.rb, line 24
# Stores the JWT verification options used for every later token check.
#
# The signing algorithm is pinned to JWT_ALG, and issuer, issued-at and
# audience verification are all switched on. The expected issuer is JWT_ISS;
# the expected audience is derived from project, platform and backend, so a
# token minted for a different backend should not verify.
#
# NOTE(review): expiry checking is not set explicitly here, so the JWT
# library's default applies -- confirm it against the pinned gem version.
#
# @param project  value for the project segment of the audience
# @param backend  value for the backend segment of the audience
# @param platform key into PLATFORMS (defaults to :gce)
# @return [Hash] the options hash that was stored in @jwt_options
# @raise [RuntimeError] when aud rejects the configuration; @jwt_options is
#   left untouched in that case
def config(project:, backend:, platform: :gce)
  verification = {
    algorithm: JWT_ALG,
    verify_iss: true,
    verify_iat: true,
    verify_aud: true,
    iss: JWT_ISS,
  }
  # Added last so the key order matches the literal form and a failing aud
  # call happens before anything is assigned.
  verification[:aud] = aud(project, platform, backend)
  @jwt_options = verification
end
config_reset!()
# File lib/gcp_iap_warden/strategy/google_jwt_header.rb, line 35
# Clears the stored JWT verification options by setting @jwt_options to nil.
#
# decode_and_verify_jwt raises "<class> is not configured" when the options
# it reads are nil, so after a reset token verification is refused rather
# than run with stale settings (presumably jwt_options reads @jwt_options --
# confirm against the accessor definition). key_store is not touched here.
def config_reset!
  @jwt_options = nil
end

Private Class Methods

aud(project, platform, backend)
# File lib/gcp_iap_warden/strategy/google_jwt_header.rb, line 41
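# Builds the audience (aud) string a token must carry to be accepted.
#
# The result has the form "/projects/<project>/<platform path>/<backend>",
# where the platform path is looked up in PLATFORMS.
#
# Blank values are rejected as well as nil ones: an empty or whitespace-only
# project or backend would otherwise yield a malformed audience that is only
# noticed later, when token checks fail at request time. Failing here
# surfaces the misconfiguration at setup time instead.
#
# @param project  project identifier; anything responding to to_s
# @param platform key into PLATFORMS
# @param backend  backend identifier; anything responding to to_s
# @return [String] the expected audience value
# @raise [RuntimeError] when project or backend is nil/blank, or when
#   platform is not a key of PLATFORMS
def aud(project, platform, backend)
  platform_path = PLATFORMS[platform]
  # nil.to_s is "", so these guards cover nil, "" and whitespace-only input.
  raise "Invalid config for project" if project.to_s.strip.empty?
  raise "Invalid config for backend" if backend.to_s.strip.empty?
  raise "Invalid config for platform" if platform_path.nil?
  "/projects/#{project}/#{platform_path}/#{backend}"
end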

Private Instance Methods

decode_and_verify_jwt()
# File lib/gcp_iap_warden/strategy/google_jwt_header.rb, line 56
# Verifies the JWT found in the request env under JWT_HEADER and returns its
# claims.
#
# Verification runs with the class-level jwt_options and refuses to run at
# all when they are nil. No static key is passed to the decoder: the
# verification key is selected per token by looking up the header's "kid" in
# the class-level key_store and loading the result as an EC public key.
#
# The "kid" comes from the token header, which is read before the signature
# has been checked, so it is attacker-controlled at that point. Here it is
# used only as a lookup key into key_store.
# NOTE(review): what key_store.fetch does for an unknown kid depends on the
# key store implementation, which is not visible here -- confirm that the
# caller handles that error as an authentication failure.
#
# @return the first element of the decoder result (the claims)
# @raise [RuntimeError] when the strategy class has not been configured
def decode_and_verify_jwt
  verify_opts = self.class.jwt_options
  raise("#{self.class} is not configured") if verify_opts.nil?

  raw_token = env[JWT_HEADER]
  decoded = ::JWT.decode(raw_token, nil, true, verify_opts) do |jose_header|
    pem = self.class.key_store.fetch(jose_header["kid"])
    OpenSSL::PKey::EC.new(pem)
  end
  decoded.first # claims come first in the decoder result
end
decode_payload()
# File lib/gcp_iap_warden/strategy/google_jwt_header.rb, line 67
# Maps the verified token claims to the user attributes used by this
# strategy.
#
# The claims come from decode_and_verify_jwt, so nothing is read from a
# token that failed verification. Only "email" and "sub" are used; "sub" is
# passed through GcpIapWarden::Utils.parse_google_value first.
# NOTE(review): a missing "email" claim yields google_email: nil rather than
# an error -- confirm the caller treats that as unauthenticated.
#
# @return [Hash] with keys :google_email and :google_user_id
# @raise [RuntimeError] "Invalid jwt payload" when the claims are nil
def decode_payload
  claims = decode_and_verify_jwt
  raise "Invalid jwt payload" if claims.nil?

  email = claims["email"]
  user_id = GcpIapWarden::Utils.parse_google_value(claims["sub"])
  { google_email: email, google_user_id: user_id }
end
gcp_iap_headers?()
# File lib/gcp_iap_warden/strategy/google_jwt_header.rb, line 52
# Reports whether the request env contains the JWT_HEADER key.
#
# This is a presence check only: the header value is not parsed or verified
# here, so a true result says nothing about whether the token is genuine.
# Verification happens in decode_and_verify_jwt.
#
# @return the result of env.key?(JWT_HEADER)
def gcp_iap_headers?
  env.key?(JWT_HEADER)
end