[iris] Make IAP validation optional for initial testing

ravwojdyla · claude · ravwojdyla · commit 093c7b0f6a8a · 2026-04-10T19:29:45.000Z
Add REQUIRE_IAP env var (default: false). When disabled, the proxy
forwards all requests without IAP JWT validation and deploys with
--allow-unauthenticated. Set REQUIRE_IAP=true and switch to
--no-allow-unauthenticated once the LB + IAP stack is configured.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/infra/iris-iap-proxy/deploy.sh b/infra/iris-iap-proxy/deploy.sh
@@ -133,11 +133,11 @@ gcloud run deploy "${SERVICE}" \
   --region="${REGION}" \
   --source=. \
   --service-account="${SA_EMAIL}" \
-  --no-allow-unauthenticated \
+  --allow-unauthenticated \
   --network="${VPC_NETWORK}" \
   --subnet="${VPC_SUBNET}" \
   --vpc-egress=private-ranges-only \
-  --set-env-vars="GCP_PROJECT=${PROJECT},CONTROLLER_ZONE=us-central1-a,CONTROLLER_LABEL=iris-marin-controller,CONTROLLER_PORT=10000,PROXY_TOKEN_SECRET=iris-iap-proxy-token" \
+  --set-env-vars="GCP_PROJECT=${PROJECT},CONTROLLER_ZONE=us-central1-a,CONTROLLER_LABEL=iris-marin-controller,CONTROLLER_PORT=10000,PROXY_TOKEN_SECRET=iris-iap-proxy-token,REQUIRE_IAP=false" \
   --timeout=300 \
   --memory=512Mi \
   --cpu=1 \
diff --git a/infra/iris-iap-proxy/main.py b/infra/iris-iap-proxy/main.py
@@ -1,19 +1,13 @@
 # Copyright The Marin Authors
 # SPDX-License-Identifier: Apache-2.0
 
-"""GAE reverse proxy for the Iris controller, protected by GCP IAP.
+"""Cloud Run reverse proxy for the Iris controller.
 
 All requests are forwarded to the controller VM discovered via GCE labels.
-IAP handles authentication at the Google infrastructure layer; this app
-re-validates the IAP JWT for defense-in-depth and extracts the caller's
-email for audit logging.
-
-CLI / programmatic callers send:
-  - ``Authorization: Bearer <iap-oidc-token>``  (consumed by IAP)
-  - ``X-Iris-Token: <controller-jwt>``           (forwarded as Authorization to controller)
-
-Browser callers authenticate via IAP's OAuth flow; their controller session
-cookie (``iris_session``) is forwarded transparently.
+When IAP is enabled, the proxy validates the ``X-Goog-IAP-JWT-Assertion``
+header for defense-in-depth.  When ``REQUIRE_IAP=false`` (the default),
+IAP validation is skipped and all requests are forwarded without auth —
+useful for initial testing before the LB + IAP stack is configured.
 """
 
 import logging
@@ -27,10 +21,11 @@
 from starlette.routing import Route
 
 from discovery import get_controller_url
-from iap import IapValidationError, validate_iap_jwt
 
 logger = logging.getLogger(__name__)
 
+REQUIRE_IAP = os.environ.get("REQUIRE_IAP", "false").lower() in ("true", "1", "yes")
+
 _IRIS_TOKEN_HEADER = "x-iris-token"
 
 # Headers that should not be forwarded to the controller.
@@ -126,15 +121,16 @@ def _build_upstream_headers(request: Request, iap_email: str | None) -> dict[str
 
 async def _proxy(request: Request) -> Response:
     """Forward any request to the controller."""
-    # Validate IAP JWT (defense-in-depth).
     iap_email: str | None = None
-    try:
-        iap_email = validate_iap_jwt(dict(request.headers))
-    except IapValidationError as exc:
-        logger.warning("IAP validation failed: %s", exc)
-        # In production IAP is enforced at the infra layer, so this should
-        # not happen.  Return 401 rather than silently forwarding.
-        return JSONResponse({"error": str(exc)}, status_code=401)
+
+    if REQUIRE_IAP:
+        from iap import IapValidationError, validate_iap_jwt
+
+        try:
+            iap_email = validate_iap_jwt(dict(request.headers))
+        except IapValidationError as exc:
+            logger.warning("IAP validation failed: %s", exc)
+            return JSONResponse({"error": str(exc)}, status_code=401)
 
     client = await _get_client()
     path = request.url.path
