Commit fb04519

mo khan <mo@mokhan.ca>
2022-04-22 20:40:41
embed insecure private key
1 parent 0815655
bin/00_metadata
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+cd "$(dirname "$0")/.."
+HOST="${HOST:-http://localhost:8282}"
+
+curl -s "${HOST}/.well-known/openid-configuration" | jq '.'
+curl -s "${HOST}/.well-known/jwks.json" | jq '.'
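Review bot: Both curl calls on the last two lines use `-s` without `--fail`, so an HTTP error body (a 404 page, a JSON error) is piped straight into jq and `set -e` never fires, because curl exits 0 on a non-2xx response. Use `curl -sSf` so a failed request stops the script and curl still prints its own error message. Under plain `sh` there is no `pipefail`, so even a curl failure in these pipelines would otherwise be masked by jq's exit status.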
bin/01_authz_code
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+cd "$(dirname "$0")/.."
+HOST="${HOST:-http://localhost:8282}"
+
+curl -s "${HOST}/authorize?response_type=code&scope=openid&client_id=client_id&state=potatoe&redirect_uri=http://example.org/callback"
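Review bot: The query string on the curl line is sent unencoded; `redirect_uri=http://example.org/callback` carries `:` and `/` that RFC 6749 expects percent-encoded in a query value, and a provider doing exact-match comparison against a registered (encoded) URI may reject it. Let curl do the encoding with `curl -sG "${HOST}/authorize" --data-urlencode "response_type=code" ... --data-urlencode "redirect_uri=http://example.org/callback"`. The fixed `state=potatoe` is fine for a demo, but nothing in these scripts checks it on the way back, so a one-line comment such as `# state is a placeholder CSRF token; a real client must generate and verify it` would stop it being copied as-is.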
bin/02_authz_code_token_request
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+cd "$(dirname "$0")/.."
+HOST="${HOST:-http://localhost:8282}"
+
+if [ $# -eq 0 ]; then
+  echo "Usage:"
+  echo "$0 <code>"
+  exit 1
+fi
+
+CODE="${1}"
+curl -s \
+  -u "client_id:client_secret" \
+  --basic \
+  -d "grant_type=authorization_code&code=${CODE}&redirect_uri=http://example.org/callback" \
+  "${HOST}/token"
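Review bot: `${CODE}` on the `-d` line is spliced raw into the form body, so a code containing `+`, `&` or `=` is mangled or splits into extra parameters; pass it as `--data-urlencode "code=${CODE}"` (it can be mixed with the existing `-d` fields) so curl encodes it. As in the other scripts, add `-f` so a 4xx from `/token` fails the script instead of printing the error JSON as if it were a token. The client secret is hard-coded next to `-u`, which is acceptable for a local demo but worth a comment saying so, since the same line would leak the secret via `ps` if reused with a real one.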
bin/03_sts
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+cd "$(dirname "$0")/.."
+HOST="${HOST:-http://localhost:8282}"
+
+if [ $# -eq 0 ]; then
+  echo "Usage:"
+  echo "$0 <id_token> <role_arn>"
+  exit 1
+fi
+
+ID_TOKEN="${1}"
+ROLE_ARN="${2}"
+
+echo "$ID_TOKEN" | ruby -rjson -rbase64 -e "puts Base64.decode64(STDIN.read.split('.')[1])" | jq '.'
+
+aws sts assume-role-with-web-identity \
+  --role-arn "${ROLE_ARN}" \
+  --role-session-name="example-1" \
+  --duration-seconds 900 \
+  --web-identity-token="${ID_TOKEN}" \
+  --output json | cat
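Review bot: The usage guard `if [ $# -eq 0 ]` lets the script run with a single argument, in which case `ROLE_ARN` is empty and the `aws sts` call fails with a far less helpful error than the usage text; check `if [ $# -lt 2 ]` instead. The payload dump on the ruby line uses `Base64.decode64`, which silently skips the `-` and `_` characters of the base64url alphabet JWTs use, so a payload containing them decodes to garbage; `Base64.urlsafe_decode64` handles that alphabet (and unpadded input on Ruby 2.3+). The id_token is also placed on the `aws` command line via `--web-identity-token`, which exposes it in the process list; for anything beyond a local demo, write it to a temp file and pass `file://` if the installed CLI accepts that for this parameter.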
insecure.pem → pkg/web/templates/insecure.pem
File renamed without changes
pkg/web/http_mux.go
@@ -1,16 +1,18 @@
 package web
 
 import (
-	"io/ioutil"
+	_ "embed"
 	"log"
 	"net/http"
-	"os"
 	"time"
 
 	"github.com/golang-jwt/jwt"
 	"github.com/hashicorp/uuid"
 )
 
+//go:embed templates/insecure.pem
+var privateKey string
+
 var (
 	tokens = map[string]string{}
 )
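Review bot: The `//go:embed templates/insecure.pem` directive compiles the RSA signing key into every binary built from this tree, so anyone holding a build artifact can mint id_tokens that pass the JWKS check, and rotating the key now requires a rebuild rather than a file swap; that is acceptable for a throwaway dev IdP, but the variable should say so, e.g. `// privateKey is the embedded demo signing key; it is committed to the repo and must never be used outside local testing.` The key now lives in the same `templates/` directory the OIDC discovery JSON is embedded from, so it is worth confirming that nothing serves that directory as static content. The unchanged `tokens` map declared here has no mutex; if it is written from HTTP handlers (the writers are outside this hunk), that is a data race under concurrent requests.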
@@ -23,13 +25,8 @@ func (h *HttpContext) createIdToken(clientId string) string {
 		clientId = "clientId"
 	}
 	expiresAt := now.Add(time.Hour * time.Duration(1))
-
-	host, ok := os.LookupEnv("HOST")
-	if !ok {
-		host = "http://localhost:8282"
-	}
 	idToken := jwt.NewWithClaims(jwt.SigningMethodRS256, &jwt.StandardClaims{
-		Issuer:    host,
+		Issuer:    h.issuer,
 		Subject:   "1",
 		Audience:  clientId,
 		ExpiresAt: expiresAt.Unix(),
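Review bot: When `clientId` is empty the `aud` claim silently falls back to the literal `"clientId"` (the lines just above the changed `Issuer`), so a request that omits client_id still receives a signed token whose audience matches nothing a relying party configured; a provider should refuse to issue in that case rather than default. At minimum, document it with `// empty client_id yields a token no real relying party will accept; demo only`, or return an error to the caller instead of minting. `Issuer: h.issuer` is the right source, but a relying party compares `iss` byte-for-byte with the `issuer` in the discovery document (and AWS STS only registers https issuers), so a startup check that `h.issuer` is an absolute URL would catch misconfiguration early. createIdToken starts and ends outside this hunk.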
@@ -50,7 +47,7 @@ type HttpContext struct {
 }
 
 func NewHandler(issuer string) http.Handler {
-	keyData, _ := ioutil.ReadFile("insecure.pem")
+	keyData := []byte(privateKey)
 	h := &HttpContext{
 		issuer:  issuer,
 		keyData: keyData,
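Review bot: `keyData := []byte(privateKey)` removes the ignored-error `ReadFile`, but still never checks that the embedded PEM actually parses, so a corrupted or wrong-format key is only discovered when the first token is signed. Parse it once here and fail fast: `if _, err := jwt.ParseRSAPrivateKeyFromPEM(keyData); err != nil { log.Fatalf("parsing embedded signing key: %v", err) }` (`log` is already imported). Better still, keep the parsed `*rsa.PrivateKey` on HttpContext so the signing path does not re-parse PEM on every request, assuming that is what the signing code outside this hunk does. NewHandler continues past the end of the hunk.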
pkg/web/well_known.go
@@ -13,10 +13,10 @@ import (
 )
 
 //go:embed templates/openid-configuration.json
-var data string
+var oidcConfig string
 
 var (
-	tmpl = template.Must(template.New("").Parse(string(data)))
+	tmpl = template.Must(template.New("").Parse(string(oidcConfig)))
 )
 
 func (h *HttpContext) WellKnown(w http.ResponseWriter, r *http.Request) {