# Beyond Corp Enterprise - Demo

The following notebook is used to guide you through setting up Beyond Corp Enterprise (BCE) on Google Cloud Platform (GCP). 

## How to use this colab notebook

*   **You can use this notebook either as a reference and copy the commands directly into GCP Cloud Shell, or run it in a Jupyter Notebook with a bash kernel.**
*   To execute a block, press CTRL+ENTER
*   To run only the highlighted commands, press CTRL+SHIFT+ENTER

## Getting ready
Let's try it out by checking the version of the gcloud SDK. Click into the next line and press CTRL+ENTER.

In [1]:
gcloud version

Google Cloud SDK 317.0.0
alpha 2020.10.30
beta 2020.10.30
bq 2.0.62
core 2020.10.30
gsutil 4.54
kubectl 1.16.13


We do not need to authenticate ourselves to run gcloud commands: gcloud automatically uses the Compute Engine service account that was attached to the VM at creation.

You can check this by running the command:

In [2]:
gcloud auth list

                       Credentialed Accounts
ACTIVE  ACCOUNT
*       bce-project-editor@hewagner-demos-2.iam.gserviceaccount.com

To set the active account, run:
    $ gcloud config set account `ACCOUNT`



This Service Account should have all necessary rights to proceed.

We also double check if we are in the right project:

In [3]:
gcloud projects list

PROJECT_ID        NAME              PROJECT_NUMBER
hewagner-demos-2  hewagner-demos-2  1023990209690


If the project is wrong, set it with `gcloud config set project [project_name]`.

## Deploy a first sample application
We start with a first sample application on GCP.
For this we use __App Engine__, which was the first GCP service (2008) and is a PaaS for hosting web applications.

The Git repository we cloned onto this machine contains App Engine sample code.

In [4]:
cd ~/bce/samples/appengine
ls

app.yaml  main.py  main_test.py


Now we can deploy the simple sample to App Engine:

In [14]:
gcloud app create --region=europe-west3

You are creating an app for project [hewagner-demos-2].
cannot be changed. More information about regions is at
<https://cloud.google.com/appengine/docs/locations>.

ERROR: (gcloud.app.create) The project [hewagner-demos-2] already contains an App Engine application. You can deploy your application using `gcloud app deploy`.



Wait until the deployment finishes and the output ends with the hint to run `gcloud app browse`.

In [18]:
gcloud app deploy --quiet

Services to deploy:

descriptor:      [/home/jupyter/bce/samples/appengine/app.yaml]
source:          [/home/jupyter/bce/samples/appengine]
target project:  [hewagner-demos-2]
target service:  [default]
target version:  [20201110t190726]
target url:      [https://hewagner-demos-2.ey.r.appspot.com]


Beginning deployment of service [default]...
╔════════════════════════════════════════════════════════════╗
╠═ Uploading 0 files to Google Cloud Storage                ═╣
╚════════════════════════════════════════════════════════════╝
File upload done.
Updating service [default]...done.                                             
Setting traffic split for service [default]...done.                            
Deployed service [default] to [https://hewagner-demos-2.ey.r.appspot.com]

You can stream logs from the command line by running:
  $ gcloud app logs tail -s default

To view your application in the web browser run:
  $ gcloud app browse


In [19]:
gcloud app browse

Did not detect your browser. Go to this link to view your app:
https://hewagner-demos-2.ey.r.appspot.com


When you follow the link you should see an empty website with a simple sign-in link.
Now that our app is running, it's time to secure it with Identity-Aware Proxy (IAP).

## Configure OAuth 
### The Consent Screen (=Brand)
(https://cloud.google.com/iap/docs/programmatic-oauth-clients)

Because IAP accesses Google users' data (the email address), you need to configure OAuth, starting with the consent screen.
This needs to be done once per GCP project. Typically you manage multiple on-prem or AWS/Azure web apps from the same project, so it only needs to be done rarely.

The OAuth consent screen, which contains branding information for users, is known as a brand. Brands can be limited to internal users or public users. An __internal brand__ makes the OAuth flow accessible to someone who belongs to the same Google Workspace organization as the project. A __public brand__ makes the OAuth flow available to anyone on the internet. There is only one brand per GCP project.

OAuth API verification is a little difficult to understand; read more about it here: https://support.google.com/cloud/answer/9110914

Let's create our brand:

In [21]:
APP_TITLE=IAP_TEST
SUPPORT_EMAIL=hewagner@google.com

gcloud alpha iap oauth-brands create --application_title=$APP_TITLE --support_email=$SUPPORT_EMAIL

ERROR: (gcloud.alpha.iap.oauth-brands.create) Resource in projects [hewagner-demos-2] is the subject of a conflict: Requested entity already exists



SUPPORT_EMAIL is the support email displayed on the OAuth consent screen. This email address can either be a user's address or a Google Groups alias.

Now we can list our new brand and extract the Brand-ID:

In [31]:
gcloud alpha iap oauth-brands list
BRAND=$(gcloud alpha iap oauth-brands list --format="value(name)")

echo "BRAND: $BRAND"

---
applicationTitle: Traffic Director Test
name: projects/1023990209690/brands/1023990209690
supportEmail: hewagner@google.com
BRAND: projects/1023990209690/brands/1023990209690


### The OAuth Client
(https://cloud.google.com/iap/docs/programmatic-oauth-clients#creating_an_oauth_client)

Now we create our OAuth Client for the IAP. You configure one OAuth client per app.

In [35]:
CLIENT_NAME=iap
PROJECT_ID=$(gcloud config get-value core/project)

gcloud alpha iap oauth-clients create $BRAND --display_name=$CLIENT_NAME
#gcloud alpha iap oauth-clients create projects/$PROJECT_ID/brands/1023990209690 --display_name=NAME

ERROR: (gcloud.alpha.iap.oauth-clients.create) FAILED_PRECONDITION: Precondition check failed.



Be aware that it's only possible to create OAuth clients via gcloud if the brand is __internal__. Otherwise you have to use the Cloud Console GUI.

Now we enable IAP for the web service:

In [None]:
# Shell variables are assigned without a leading "$"; fill in the values from
# the output of "gcloud alpha iap oauth-clients create" (the client ID is the
# last path element of the returned "name", the secret is the "secret" field).
CLIENT_ID=
SECRET=
gcloud alpha iap web enable --resource-type=app-engine --oauth2-client-id="$CLIENT_ID" --oauth2-client-secret="$SECRET"
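The brand, OAuth client and IAP enablement steps above, consolidated into one idempotent script as an added example (not part of the original notebook or of the gcloud SDK). It assumes the same `gcloud alpha iap` commands the notebook uses, an internal brand (so the client can be created from the CLI), and a placeholder support address; it reuses the project's existing brand instead of failing on "already exists", extracts the client ID from the resource name returned by `oauth-clients create`, and only changes the project when run with `--apply`.

```shell
#!/bin/sh
# Added example (not part of the notebook): brand -> OAuth client -> IAP enable,
# reusing the project's existing brand instead of failing on "already exists".
# Assumes gcloud is authenticated and the project is set, as in the notebook.
set -eu

APP_TITLE="${APP_TITLE:-IAP_TEST}"
SUPPORT_EMAIL="${SUPPORT_EMAIL:-support@example.com}"  # placeholder, replace
CLIENT_NAME="${CLIENT_NAME:-iap}"

# Client resource names look like
#   projects/<number>/brands/<number>/identityAwareProxyClients/<client-id>
# and the client ID that "iap web enable" needs is the last path element.
client_id_from_name() { printf '%s\n' "${1##*/}"; }

# Split one "name,secret" line as printed by --format="csv[no-heading](name,secret)".
csv_name()   { printf '%s\n' "${1%%,*}"; }
csv_secret() { printf '%s\n' "${1#*,}"; }

# There is exactly one brand per project: reuse it, create it only if missing.
ensure_brand() {
  brand=$(gcloud alpha iap oauth-brands list --format="value(name)")
  if [ -z "$brand" ]; then
    brand=$(gcloud alpha iap oauth-brands create \
      --application_title="$APP_TITLE" --support_email="$SUPPORT_EMAIL" \
      --format="value(name)")
  fi
  printf '%s\n' "$brand"
}

# Create the client (internal brand required for CLI creation), then enable
# IAP on App Engine with the returned ID and secret. The secret is never echoed.
enable_iap() {
  brand=$(ensure_brand)
  line=$(gcloud alpha iap oauth-clients create "$brand" \
    --display_name="$CLIENT_NAME" --format="csv[no-heading](name,secret)")
  client_id=$(client_id_from_name "$(csv_name "$line")")
  secret=$(csv_secret "$line")
  gcloud alpha iap web enable --resource-type=app-engine \
    --oauth2-client-id="$client_id" --oauth2-client-secret="$secret"
  echo "IAP enabled with client $client_id; current access policy:"
  gcloud alpha iap web get-iam-policy --resource-type=app-engine
}

# Only touch the project when explicitly asked: ./iap-enable.sh --apply
if [ "${1:-}" = "--apply" ]; then enable_iap; fi
```

The final `get-iam-policy` call shows who has been granted access through IAP, which after enabling is the check to run before handing the URL to users.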