internal/access,internal/relui: use IAPFields instead of one-of context key

For gRPC, we have a nice IAPFields type and IAPFromContext helper. Use
that for HTTP as well rather than a one-off undocumented context key.

Change-Id: I6a6a636c1a48f7bf194a7e15fcbfaec77808646a
Reviewed-on: https://go-review.googlesource.com/c/build/+/666497
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Author: prattmic

internal/access/access.go

@@ -73,8 +73,7 @@ func RequireIAPAuthHandler(h http.Handler, audience string) http.Handler {
 			log.Printf("JWT validation error: %v", err)
 			return
 		}
-		ctx := context.WithValue(r.Context(), "subject", iap.ID)
-		ctx = context.WithValue(ctx, "email", iap.Email)
+		ctx := ContextWithIAP(r.Context(), iap)
 		h.ServeHTTP(w, r.WithContext(ctx))
 	})
 }

internal/relui/web.go

@@ -25,6 +25,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v4"
 	"github.com/julienschmidt/httprouter"
+	"golang.org/x/build/internal/access"
 	"golang.org/x/build/internal/criadb"
 	"golang.org/x/build/internal/metrics"
 	"golang.org/x/build/internal/relui/db"
@@ -676,16 +677,16 @@ func (s *Server) authorizedForWorkflow(ctx context.Context, d *workflow.Definiti
 		return true
 	}
 
-	email := ctx.Value("email")
-	if email == nil {
-		log.Printf("request context did not contain expected 'email' value from IAP JWT")
+	iap, err := access.IAPFromContext(ctx)
+	if err != nil {
+		log.Printf("Error getting IAP fields from context: %v", err)
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return false
 	}
 
-	isMember, err := s.cria.IsMemberOfAny(ctx, fmt.Sprintf("user:%s", email), authorizedGroups)
+	isMember, err := s.cria.IsMemberOfAny(ctx, fmt.Sprintf("user:%s", iap.Email), authorizedGroups)
 	if err != nil {
-		log.Printf("cria.IsMemberOfAny(user:%s) failed: %s", email, err)
+		log.Printf("cria.IsMemberOfAny(user:%s) failed: %s", iap.Email, err)
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		return false
 	}

internal/relui/web_test.go

@@ -29,6 +29,7 @@ import (
 	"github.com/jackc/pgx/v4"
 	"github.com/jackc/pgx/v4/pgxpool"
 	"github.com/julienschmidt/httprouter"
+	"golang.org/x/build/internal/access"
 	"golang.org/x/build/internal/criadb"
 	"golang.org/x/build/internal/releasetargets"
 	"golang.org/x/build/internal/relui/db"
@@ -844,6 +845,11 @@ func testWorkflowACL(t *testing.T, acld bool, authorized bool, wantSucceed bool)
 	}
 	s := NewServer(p, worker, nil, SiteHeader{}, nil, criadb.NewTestDatabase(memberships))
 
+	iap := access.IAPFields{
+		Email: "test@google.com",
+		ID:    "testid",
+	}
+
 	hourAgo := time.Now().Add(-1 * time.Hour)
 	q := db.New(p)
 
@@ -854,7 +860,7 @@ func testWorkflowACL(t *testing.T, acld bool, authorized bool, wantSucceed bool)
 			"workflow.schedule":    []string{string(ScheduleImmediate)},
 		}.Encode()))
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-		req = req.WithContext(context.WithValue(req.Context(), "email", "test@google.com"))
+		req = req.WithContext(access.ContextWithIAP(req.Context(), iap))
 		rec := httptest.NewRecorder()
 
 		s.createWorkflowHandler(rec, req)
@@ -892,7 +898,7 @@ func testWorkflowACL(t *testing.T, acld bool, authorized bool, wantSucceed bool)
 		params := httprouter.Params{{Key: "id", Value: wfID.String()}, {Key: "name", Value: "beep"}}
 		req := httptest.NewRequest(http.MethodPost, path.Join("/workflows/", wfID.String(), "tasks", "beep", "retry"), nil)
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-		req = req.WithContext(context.WithValue(req.Context(), "email", "test@google.com"))
+		req = req.WithContext(access.ContextWithIAP(req.Context(), iap))
 		rec := httptest.NewRecorder()
 
 		s.retryTaskHandler(rec, req, params)
@@ -933,7 +939,7 @@ func testWorkflowACL(t *testing.T, acld bool, authorized bool, wantSucceed bool)
 		params := httprouter.Params{{Key: "id", Value: wfID.String()}, {Key: "name", Value: "approve"}}
 		req := httptest.NewRequest(http.MethodPost, path.Join("/workflows/", wfID.String(), "tasks", "approve", "approve"), nil)
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-		req = req.WithContext(context.WithValue(req.Context(), "email", "test@google.com"))
+		req = req.WithContext(access.ContextWithIAP(req.Context(), iap))
 		rec := httptest.NewRecorder()
 
 		s.approveTaskHandler(rec, req, params)
@@ -965,7 +971,7 @@ func testWorkflowACL(t *testing.T, acld bool, authorized bool, wantSucceed bool)
 		params := httprouter.Params{{Key: "id", Value: wfID.String()}}
 		req := httptest.NewRequest(http.MethodPost, path.Join("/workflows/", wfID.String(), "stop"), nil)
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-		req = req.WithContext(context.WithValue(req.Context(), "email", "test@google.com"))
+		req = req.WithContext(access.ContextWithIAP(req.Context(), iap))
 		rec := httptest.NewRecorder()
 
 		s.stopWorkflowHandler(rec, req, params)
@@ -989,7 +995,7 @@ func testWorkflowACL(t *testing.T, acld bool, authorized bool, wantSucceed bool)
 		params := httprouter.Params{{Key: "id", Value: strconv.Itoa(int(sched.ID))}}
 		req := httptest.NewRequest(http.MethodPost, path.Join("/schedules/", strconv.Itoa(int(sched.ID)), "delete"), nil)
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-		req = req.WithContext(context.WithValue(req.Context(), "email", "test@google.com"))
+		req = req.WithContext(access.ContextWithIAP(req.Context(), iap))
 		rec := httptest.NewRecorder()
 
 		s.deleteScheduleHandler(rec, req, params)