internal/access, cmd/coordinator: add option to disable audience check

This change adds the option to skip the validation of the audience
field in JWT tokens. We understand that validating the JWT token is
enough to know that the packet came from a valid source.

Updates golang/go#48742

Change-Id: I77c79e4b7f7273c3fb74f088c402c0a55efc3169
Reviewed-on: https://go-review.googlesource.com/c/build/+/378574
Trust: Carlos Amedee <carlos@golang.org>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
diff --git a/cmd/coordinator/coordinator.go b/cmd/coordinator/coordinator.go
index f4b9c5e..661befb 100644
--- a/cmd/coordinator/coordinator.go
+++ b/cmd/coordinator/coordinator.go
@@ -346,8 +346,8 @@
 		if serviceID = env.IAPServiceID(coordinatorBackend); serviceID == "" {
 			log.Fatalf("unable to retrieve Service ID for backend service=%q", coordinatorBackend)
 		}
-		opts = append(opts, grpc.UnaryInterceptor(access.RequireIAPAuthUnaryInterceptor(access.IAPAudienceGCE(env.ProjectNumber, serviceID))))
-		opts = append(opts, grpc.StreamInterceptor(access.RequireIAPAuthStreamInterceptor(access.IAPAudienceGCE(env.ProjectNumber, serviceID))))
+		opts = append(opts, grpc.UnaryInterceptor(access.RequireIAPAuthUnaryInterceptor(access.IAPSkipAudienceValidation)))
+		opts = append(opts, grpc.StreamInterceptor(access.RequireIAPAuthStreamInterceptor(access.IAPSkipAudienceValidation)))
 	}
 	// grpcServer is a shared gRPC server. It is global, as it needs to be used in places that aren't factored otherwise.
 	grpcServer := grpc.NewServer(opts...)
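Review bot: Both interceptors now receive `access.IAPSkipAudienceValidation` unconditionally, so the `aud` claim is no longer compared. A correctly signed IAP token issued for a different backend or project would presumably be accepted here, and although the commit title says "option", the call site has no switch. If the skip is needed for golang/go#48742, consider gating it behind a flag with `access.IAPAudienceGCE(env.ProjectNumber, serviceID)` as the default, or at least record the compensating control in a comment such as `// aud is not checked (golang/go#48742): this port must only be reachable through the IAP load balancer`. The `serviceID` lookup and its `log.Fatalf` remain although the value is no longer used in the visible lines, so a missing service ID still aborts startup for a check that is skipped. The enclosing function starts and ends outside the hunk.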
diff --git a/internal/access/access.go b/internal/access/access.go
index 6342cbd..197dafa 100644
--- a/internal/access/access.go
+++ b/internal/access/access.go
@@ -29,6 +29,10 @@
 	iapHeaderEmail = "X-Goog-Authenticated-User-Email"
 	// iapHeaderID is the header IAP stores the user id in.
 	iapHeaderID = "X-Goog-Authenticated-User-Id"
+
+	// IAPSkipAudienceValidation is the audience string used when the validation is not
+	// necessary. https://pkg.go.dev/google.golang.org/api/idtoken#Validate
+	IAPSkipAudienceValidation = ""
 )
 
 // IAPFields contains the values for the headers retrieved from Identity Aware
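Review bot: Using the empty string as the "skip" sentinel makes the interceptors fail open: a caller whose audience ends up empty (unset config, failed lookup) silently gets no `aud` check, indistinguishable from a deliberate opt-out. The doc comment should state the consequence rather than "not necessary", e.g. `// IAPSkipAudienceValidation disables the aud claim check: tokens issued for any audience pass validation.` A stricter shape would be for the interceptor constructors to reject an empty audience unless the caller opts out explicitly; their implementation is outside this hunk, so whether that fits needs confirming. The const block opens above the hunk.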