diff --git a/cli/exec.go b/cli/exec.go
index 1de93ea..38adcc9 100644
--- a/cli/exec.go
+++ b/cli/exec.go
@@ -5,10 +5,8 @@ import (
 "fmt"
 "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/session"
- "github.com/aws/aws-sdk-go/service/lambda"
- "github.com/aws/aws-sdk-go/service/sts"
+ "github.com/aws/aws-sdk-go/service/cognitoidentity"
 "github.com/stoggi/aws-oidc/provider"
 kingpin "gopkg.in/alecthomas/kingpin.v2"
@@ -49,7 +47,6 @@ func ConfigureExec(app *kingpin.Application, config *GlobalConfig) {
 cmd.Default()
 cmd.Flag("role_arn", "The AWS role you want to assume").
- Required().
 StringVar(&execConfig.RoleArn)
 cmd.Flag("duration", "The duration to assume the role for in seconds").
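Review bot: Dropping `Required()` leaves `role_arn` as an accepted flag that the ExecCommand hunk in this same commit no longer reads — its only visible use, `Role: execConfig.RoleArn`, is removed — so the option is now parsed and silently ignored; the same applies to `duration`, whose `execConfig.Duration` use goes away with the STS call. Either remove both flags or keep them and say so in the help text, e.g. `cmd.Flag("role_arn", "The AWS role you want to assume (not used with Cognito identity pools)")`. ConfigureExec continues outside the hunk, so a remaining use elsewhere cannot be ruled out from here.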
@@ -105,53 +102,38 @@ func ExecCommand(app *kingpin.Application, config *GlobalConfig, execConfig *Exe
 authResult, err := provider.Authenticate(providerConfig)
 app.FatalIfError(err, "Error authenticating to identity provider: %v", err)
- svcSTS := sts.New(session.New())
- inputSTS := &sts.AssumeRoleWithWebIdentityInput{
- DurationSeconds: aws.Int64(execConfig.Duration),
- RoleArn: aws.String("arn:aws:iam::892845094662:role/onelogin-test-oidc"),
- RoleSessionName: aws.String(authResult.Token.Subject),
- WebIdentityToken: aws.String(authResult.JWT),
- }
-
- assumeRoleResult, err := svcSTS.AssumeRoleWithWebIdentity(inputSTS)
- app.FatalIfError(err, "Unable to assume role: %v", err)
-
- svcLambda := lambda.New(session.New(&aws.Config{
- Credentials: credentials.NewStaticCredentials(
- *assumeRoleResult.Credentials.AccessKeyId,
- *assumeRoleResult.Credentials.SecretAccessKey,
- *assumeRoleResult.Credentials.SessionToken,
- ),
+ svc := cognitoidentity.New(session.New(&aws.Config{
 Region: aws.String("us-west-2"),
 }))
-
- lambdaPayload := LambdaPayload{
- Token: authResult.JWT,
- Role: execConfig.RoleArn,
+ inputGetID := &cognitoidentity.GetIdInput{
+ AccountId: aws.String("892845094662"),
+ IdentityPoolId: aws.String("us-west-2:a6f65a7d-becd-470b-81a8-d3657c2f0d9f"),
+ Logins: map[string]*string{
+ "cognito-idp.us-west-2.amazonaws.com/us-west-2_eBYNmnpS9": aws.String(authResult.JWT),
+ },
 }
- lambdaPayloadJSON, err := json.Marshal(&lambdaPayload)
- if err != nil {
- app.Fatalf("Error creating lambda payload json")
+ getIDResult, err := svc.GetId(inputGetID)
+ app.FatalIfError(err, "Unable to get ID: %v", err)
+
+ inputGetCredentials := &cognitoidentity.GetCredentialsForIdentityInput{
+ IdentityId: getIDResult.IdentityId,
+ Logins: map[string]*string{
+ "cognito-idp.us-west-2.amazonaws.com/us-west-2_eBYNmnpS9": aws.String(authResult.JWT),
+ },
+ }
+ credentialsResult, err := svc.GetCredentialsForIdentity(inputGetCredentials)
+ app.FatalIfError(err, "Unable to get credentials: %v", err)
+
+ expiry := *credentialsResult.Credentials.Expiration
+ credentialData := AwsCredentialHelperData{
+ Version: 1,
+ AccessKeyID: *credentialsResult.Credentials.AccessKeyId,
+ SecretAccessKey: *credentialsResult.Credentials.SecretKey,
+ SessionToken: *credentialsResult.Credentials.SessionToken,
+ Expiration: expiry.Format("2006-01-02T15:04:05Z"),
 }
- inputLambda := &lambda.InvokeInput{
- FunctionName: aws.String("identity-broker"),
- InvocationType: aws.String("RequestResponse"),
- Payload: lambdaPayloadJSON,
- }
- result, err := svcLambda.Invoke(inputLambda)
- if err != nil {
- app.Fatalf("Error invoking Lambda: " + err.Error())
- }
- if *result.FunctionError != "" {
- app.Fatalf("Remote error: " + string(result.Payload))
- }
-
- awsCreds := AwsCredentialHelperData{}
- if err := json.Unmarshal(result.Payload, &awsCreds); err != nil {
- app.Fatalf("Error decoding credential json")
- }
- output, err := json.Marshal(awsCreds)
+ output, err := json.Marshal(credentialData)
 if err != nil {
 app.Fatalf("Error encoding credential json")
 }
diff --git a/provider/provider.go b/provider/provider.go
index 22cc766..d76c427 100644
--- a/provider/provider.go
+++ b/provider/provider.go
@@ -51,11 +51,12 @@ func Authenticate(p *ProviderConfig) (Result, error) {
 return Result{"", nil}, err
 }
- listener, err := net.Listen("tcp", "127.0.0.1:0")
+ listener, err := net.Listen("tcp", "127.0.0.1:8080")
 if err != nil {
 return Result{"", nil}, err
 }
- baseURL := "http://" + listener.Addr().String()
+ // baseURL := "http://" + listener.Addr().String()
+ baseURL := "https://ce76f831.ngrok.io"
 redirectURL := baseURL + "/auth/callback"
 oidcConfig := &oidc.Config{
@@ -69,7 +70,7 @@ func Authenticate(p *ProviderConfig) (Result, error) {
 ClientSecret: p.ClientSecret,
 Endpoint: provider.Endpoint(),
 RedirectURL: redirectURL,
- Scopes: []string{oidc.ScopeOpenID, "profile", "email", "groups"},
+ Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
 }
 stateData := make([]byte, 32)
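Review bot: `Expiration: expiry.Format("2006-01-02T15:04:05Z")` appends a literal Z without first converting the time to UTC, so if the SDK hands back `Credentials.Expiration` in the local zone (it is built from a Unix timestamp, which I would expect to carry the local location — worth confirming) the credential helper advertises an expiry that is off by the machine's UTC offset, and the consumer will either refresh too late or too early; `Expiration: expiry.UTC().Format("2006-01-02T15:04:05Z"),` fixes it without a new import. Separately, the account ID, identity pool ID, region and the user-pool provider key are all baked-in literals, with the `Logins` map written out twice, whereas the removed code at least took the duration from `execConfig`; lifting them into the config structs (no matching fields are visible in this hunk) and building the map once would make the binary usable against more than one pool. The `*credentialsResult.Credentials.<field>` dereferences also assume every pointer is populated after a successful call; a nil check before the struct literal would turn an unexpected empty response into a clear error rather than a panic.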
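Review bot: The loopback callback is replaced with a committed tunnel hostname, `baseURL := "https://ce76f831.ngrok.io"`, so every user's authorization-code redirect (the `code` and `state` query parameters) is now directed at a public, third-party-hosted name rather than the local listener, and such names are ephemeral — once this tunnel is gone, whoever next holds it receives the callbacks. Restore `baseURL := "http://" + listener.Addr().String()` and, if a public callback is genuinely needed for development, read it from `ProviderConfig` (no field for this is visible in the hunk) instead of a literal; the commented-out old line should then go rather than stay as dead code. The fixed `127.0.0.1:8080` also fails whenever anything else is bound there, where the previous `:0` let the OS choose a free port. Authenticate continues outside the hunk.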