lordwelch/aws-oidc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated to use AWS cognito, including retrieivng credentials with get-credentials-for-identity.

Browse Source
This commit is contained in:
Jeremy Stott 2019-04-16 22:14:53 +12:00
parent b4ce982c35
commit 33731ab51e
2 changed files with 32 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
cli/exec.go
View File

@ -5,10 +5,8 @@ import (
"fmt" "fmt"
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session" "github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/lambda" "github.com/aws/aws-sdk-go/service/cognitoidentity"
"github.com/aws/aws-sdk-go/service/sts"
"github.com/stoggi/aws-oidc/provider" "github.com/stoggi/aws-oidc/provider"
kingpin "gopkg.in/alecthomas/kingpin.v2" kingpin "gopkg.in/alecthomas/kingpin.v2"
@ -49,7 +47,6 @@ func ConfigureExec(app *kingpin.Application, config *GlobalConfig) {
cmd.Default() cmd.Default()
cmd.Flag("role_arn", "The AWS role you want to assume"). cmd.Flag("role_arn", "The AWS role you want to assume").
Required().
StringVar(&execConfig.RoleArn) StringVar(&execConfig.RoleArn)
cmd.Flag("duration", "The duration to assume the role for in seconds"). cmd.Flag("duration", "The duration to assume the role for in seconds").
@ -105,53 +102,38 @@ func ExecCommand(app *kingpin.Application, config *GlobalConfig, execConfig *Exe
authResult, err := provider.Authenticate(providerConfig) authResult, err := provider.Authenticate(providerConfig)
app.FatalIfError(err, "Error authenticating to identity provider: %v", err) app.FatalIfError(err, "Error authenticating to identity provider: %v", err)
svcSTS := sts.New(session.New()) svc := cognitoidentity.New(session.New(&aws.Config{
inputSTS := &sts.AssumeRoleWithWebIdentityInput{
DurationSeconds: aws.Int64(execConfig.Duration),
RoleArn: aws.String("arn:aws:iam::892845094662:role/onelogin-test-oidc"),
RoleSessionName: aws.String(authResult.Token.Subject),
WebIdentityToken: aws.String(authResult.JWT),
}
assumeRoleResult, err := svcSTS.AssumeRoleWithWebIdentity(inputSTS)
app.FatalIfError(err, "Unable to assume role: %v", err)
svcLambda := lambda.New(session.New(&aws.Config{
Credentials: credentials.NewStaticCredentials(
*assumeRoleResult.Credentials.AccessKeyId,
*assumeRoleResult.Credentials.SecretAccessKey,
*assumeRoleResult.Credentials.SessionToken,
),
Region: aws.String("us-west-2"), Region: aws.String("us-west-2"),
})) }))
inputGetID := &cognitoidentity.GetIdInput{
lambdaPayload := LambdaPayload{ AccountId: aws.String("892845094662"),
Token: authResult.JWT, IdentityPoolId: aws.String("us-west-2:a6f65a7d-becd-470b-81a8-d3657c2f0d9f"),
Role: execConfig.RoleArn, Logins: map[string]*string{
"cognito-idp.us-west-2.amazonaws.com/us-west-2_eBYNmnpS9": aws.String(authResult.JWT),
},
} }
lambdaPayloadJSON, err := json.Marshal(&lambdaPayload) getIDResult, err := svc.GetId(inputGetID)
if err != nil { app.FatalIfError(err, "Unable to get ID: %v", err)
app.Fatalf("Error creating lambda payload json")
inputGetCredentials := &cognitoidentity.GetCredentialsForIdentityInput{
IdentityId: getIDResult.IdentityId,
Logins: map[string]*string{
"cognito-idp.us-west-2.amazonaws.com/us-west-2_eBYNmnpS9": aws.String(authResult.JWT),
},
}
credentialsResult, err := svc.GetCredentialsForIdentity(inputGetCredentials)
app.FatalIfError(err, "Unable to get credentials: %v", err)
expiry := *credentialsResult.Credentials.Expiration
credentialData := AwsCredentialHelperData{
Version: 1,
AccessKeyID: *credentialsResult.Credentials.AccessKeyId,
SecretAccessKey: *credentialsResult.Credentials.SecretKey,
SessionToken: *credentialsResult.Credentials.SessionToken,
Expiration: expiry.Format("2006-01-02T15:04:05Z"),
} }
inputLambda := &lambda.InvokeInput{ output, err := json.Marshal(credentialData)
FunctionName: aws.String("identity-broker"),
InvocationType: aws.String("RequestResponse"),
Payload: lambdaPayloadJSON,
}
result, err := svcLambda.Invoke(inputLambda)
if err != nil {
app.Fatalf("Error invoking Lambda: " + err.Error())
}
if *result.FunctionError != "" {
app.Fatalf("Remote error: " + string(result.Payload))
}
awsCreds := AwsCredentialHelperData{}
if err := json.Unmarshal(result.Payload, &awsCreds); err != nil {
app.Fatalf("Error decoding credential json")
}
output, err := json.Marshal(awsCreds)
if err != nil { if err != nil {
app.Fatalf("Error encoding credential json") app.Fatalf("Error encoding credential json")
} }

7
provider/provider.go
View File

@ -51,11 +51,12 @@ func Authenticate(p *ProviderConfig) (Result, error) {
return Result{"", nil}, err return Result{"", nil}, err
} }
listener, err := net.Listen("tcp", "127.0.0.1:0") listener, err := net.Listen("tcp", "127.0.0.1:8080")
if err != nil { if err != nil {
return Result{"", nil}, err return Result{"", nil}, err
} }
baseURL := "http://" + listener.Addr().String() // baseURL := "http://" + listener.Addr().String()
baseURL := "https://ce76f831.ngrok.io"
redirectURL := baseURL + "/auth/callback" redirectURL := baseURL + "/auth/callback"
oidcConfig := &oidc.Config{ oidcConfig := &oidc.Config{
@ -69,7 +70,7 @@ func Authenticate(p *ProviderConfig) (Result, error) {
ClientSecret: p.ClientSecret, ClientSecret: p.ClientSecret,
Endpoint: provider.Endpoint(), Endpoint: provider.Endpoint(),
RedirectURL: redirectURL, RedirectURL: redirectURL,
Scopes: []string{oidc.ScopeOpenID, "profile", "email", "groups"}, Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
} }
stateData := make([]byte, 32) stateData := make([]byte, 32)