Initial commit of sshrimp.

* sshrimp-agent and sshrimp-ca building and deploying.
* mage build system working.
* successful deploy and SSH to host.
* need to tidy up and add tests.

.gitignore

@@ -0,0 +1,11 @@
+sshrimp.toml
+
+sshrimp-ca
+sshrimp-ca.tf.json
+sshrimp-ca.zip
+
+sshrimp-agent
+
+terraform.tfstate
+terraform.tfstate.backup
+.terraform

LICENSE

@@ -0,0 +1,7 @@
+Copyright 2020 Jeremy Stott
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,8 +1,72 @@
-# sshrimp-lambda
-🦐SSH Certificate Authority in a Lambda (on the barbie)
+# sshrimp 🦐
 
-As presented at linux.conf.au - Zero Trust SSH https://linux.conf.au/schedule/presentation/54/
+SSH Certificate Authority in a lambda, automated by an OpenID Connect enabled agent.
 
-http://youtu.be/lYzklWPTbsQ
+Why? Check out this presentation [Zero Trust SSH - linux.conf.au 2020](http://youtu.be/lYzklWPTbsQ).
 
-Code will be published shortly, Star the repo for updates ;)
+## ~~ Warning ~~
+
+This is still in very early development. Only use for testing. Not suitable for use in production yet. PR's welcome ;)
+
+## Quickstart
+
+This project uses [mage](https://magefile.org/) as a build tool. Install it.
+
+Build the agent, lambda, and generate terraform code ready for deployment:
+
+    mage
+
+## Deployment
+
+[Terraform](https://www.terraform.io/) files are defined in `/terraform` and the generated `sshrimp-ca.tf.json` file can be used to automatically deploy sshrimp into multiple AWS regions.
+
+    terraform init
+    terraform apply
+
+> You will need [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) in your environment to run `terraform apply`. You can also use [aws-vault](https://github.com/99designs/aws-vault) or [aws-oidc](https://github.com/stoggi/aws-oidc) to more securely manage AWS credentials on the command line.
+
+
+## sshd_config (on your server)
+
+Server configruation is minimal. Get the public keys from KMS (using AWS credentials):
+
+    mage ca:keys
+
+Put these keys in a file on your server `/etc/ssh/trusted_user_ca_keys`, owned by `root` permissions `0644`.
+
+Modify `/etc/ssh/sshd_config` to add the line:
+
+    TrustedUserCAKeys /etc/ssh/trusted_user_ca_keys
+
+
+## ssh_config (on your local computer)
+
+Since OpenSSH (>= 7.3), you can use the [IdentityAgent](https://man.openbsd.org/ssh_config.5#IdentityAgent) option in your ssh config file to set the socketname you configured:
+
+    Host *.sshrimp.io
+        User jeremy
+        IdentityAgent /tmp/sshrimp-agent.sock
+
+This has the advantage of only using the agent for the group of hosts you need, and let other hosts use your regular agent (like github.com for cloning git repos). In fact, you can't add other identities to the sshrimp-agent. It's meant to be used for only the hosts you need it for.
+
+> For other SSH clients or older versions, set the `SSH_AUTH_SOCK` environment variable when invoking ssh: `SSH_AUTH_SOCK=/tmp/sshrimp-agent.sock ssh user@host`
+
+## Let's go!
+
+Start the agent:
+
+    sshrimp-agent /path/to/sshrimp.toml
+
+SSH to your host:
+
+    ssh example.server.sshrimp.io
+
+🎉
+
+## Why sshrimp?
+
+* Shrimp have shells.
+* Shrimp are lightweight.
+* Has a [backronym](https://en.wikipedia.org/wiki/Backronym): SSH. Really. Isn't. My. Problem.
+* Shrimp on a barbie?
+* Yeah...

cmd/sshrimp-agent/main.go

@@ -0,0 +1,92 @@
+package main
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"fmt"
+	"net"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+
+	"github.com/alecthomas/kong"
+
+	"github.com/stoggi/sshrimp/internal/config"
+	"github.com/stoggi/sshrimp/internal/sshrimpagent"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
+)
+
+var cli struct {
+	Config string `kong:"arg,type='string',help='sshrimp config file (default: ${config_file} or ${env_var_name} environment variable)',default='${config_file}',env='SSHRIMP_CONFIG'"`
+}
+
+func main() {
+	ctx := kong.Parse(&cli,
+		kong.Name("sshrimp-agent"),
+		kong.Description("An SSH Agent that renews SSH certificates automatically from a SSHrimp Certificate Authority."),
+		kong.Vars{
+			"config_file":  config.DefaultPath,
+			"env_var_name": config.EnvVarName,
+		},
+	)
+
+	c := config.NewSSHrimpWithDefaults()
+	ctx.FatalIfErrorf(c.Read(cli.Config))
+	ctx.FatalIfErrorf(launchAgent(c, ctx))
+}
+
+func launchAgent(c *config.SSHrimp, ctx *kong.Context) error {
+
+	if _, err := os.Stat(c.Agent.Socket); err == nil {
+		return fmt.Errorf("socket %s already exists", c.Agent.Socket)
+	}
+
+	// This affects all files created for the process. Since this is a sensitive
+	// socket, only allow the current user to write to the socket.
+	syscall.Umask(0077)
+	listener, err := net.Listen("unix", c.Agent.Socket)
+	if err != nil {
+		return err
+	}
+	defer listener.Close()
+
+	ctx.Printf("listening on %s", c.Agent.Socket)
+
+	// Generate a new SSH private/public key pair
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return err
+	}
+	signer, err := ssh.NewSignerFromKey(privateKey)
+	if err != nil {
+		return err
+	}
+
+	// Create the sshrimp agent with our configuration and the private key signer
+	sshrimpAgent := sshrimpagent.NewSSHrimpAgent(c, signer)
+
+	// Listen for signals so that we can close the listener and exit nicely
+	osSignals := make(chan os.Signal)
+	signal.Notify(osSignals, os.Interrupt, os.Kill)
+	go func() {
+		_ = <-osSignals
+		listener.Close()
+	}()
+
+	// Accept connections and serve the agent
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			if strings.Contains(err.Error(), "use of closed network connection") {
+				// Occurs if the user interrupts the agent with a ctrl-c signal
+				return nil
+			}
+			return err
+		}
+		if err := agent.ServeAgent(sshrimpAgent, conn); err != nil {
+			return err
+		}
+	}
+}

cmd/sshrimp-ca/main.go

@@ -0,0 +1,158 @@
+package main
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"math"
+	"math/big"
+	"regexp"
+	"time"
+
+	"github.com/aws/aws-lambda-go/lambda"
+	"github.com/aws/aws-lambda-go/lambdacontext"
+	"github.com/stoggi/sshrimp/internal/config"
+	"github.com/stoggi/sshrimp/internal/identity"
+	"github.com/stoggi/sshrimp/internal/signer"
+	"golang.org/x/crypto/ssh"
+)
+
+// HandleRequest handles a request to sign an SSH public key verified by an OpenIDConnect id_token
+func HandleRequest(ctx context.Context, event signer.SSHrimpEvent) (*signer.SSHrimpResult, error) {
+
+	// Make sure we are running in a lambda context, to get the requestid and ARN
+	lambdaContext, ok := lambdacontext.FromContext(ctx)
+	if !ok {
+		return nil, fmt.Errorf("lambdacontext not in ctx")
+	}
+
+	// Load the configuration file, if not exsits, exit.
+	c := config.NewSSHrimp()
+	if err := c.Read(config.GetPath()); err != nil {
+		return nil, err
+	}
+
+	// Validate the user supplied public key
+	publicKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(event.PublicKey))
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse public key: %v", err)
+	}
+
+	// Validate the user supplied identity token with the loaded configuration
+	i, err := identity.NewIdentity(c)
+	username, err := i.Validate(event.Token)
+	if err != nil {
+		return nil, err
+	}
+
+	// Validate and add force commands or source address options
+	criticalOptions := make(map[string]string)
+	if regexp.MustCompile(c.CertificateAuthority.ForceCommandRegex).MatchString(event.ForceCommand) {
+		if event.ForceCommand != "" {
+			criticalOptions["force-command"] = event.ForceCommand
+		}
+	} else {
+		return nil, errors.New("forcecommand validation failed")
+	}
+	if regexp.MustCompile(c.CertificateAuthority.SourceAddressRegex).MatchString(event.SourceAddress) {
+		if event.SourceAddress != "" {
+			criticalOptions["source-address"] = event.SourceAddress
+		}
+	} else {
+		return nil, errors.New("sourceaddress validation failed")
+	}
+
+	// Generate a random nonce for the certificate
+	bytes := make([]byte, 32)
+	nonce := make([]byte, len(bytes)*2)
+	if _, err := rand.Read(bytes); err != nil {
+		return nil, err
+	}
+	hex.Encode(nonce, bytes)
+
+	// Generate a random serial number
+	serial, err := rand.Int(rand.Reader, big.NewInt(math.MaxInt64))
+	if err != nil {
+		return nil, err
+	}
+
+	// Validate and set the certificate valid and expire times
+	now := time.Now()
+	validAfterOffset, err := time.ParseDuration(c.CertificateAuthority.ValidAfterOffset)
+	if err != nil {
+		return nil, err
+	}
+	validBeforeOffset, err := time.ParseDuration(c.CertificateAuthority.ValidBeforeOffset)
+	if err != nil {
+		return nil, err
+	}
+	validAfter := now.Add(validAfterOffset)
+	validBefore := now.Add(validBeforeOffset)
+
+	// Convert the extensions slice to a map
+	extensions := make(map[string]string, len(c.CertificateAuthority.Extensions))
+	for _, extension := range c.CertificateAuthority.Extensions {
+		extensions[extension] = ""
+	}
+
+	// Create a key ID to be added to the certificate. Follows BLESS Key ID format
+	// https://github.com/Netflix/bless
+	keyID := fmt.Sprintf("request[%s] for[%s] from[%s] command[%s] ssh_key[%s] ca[%s] valid_to[%s]",
+		lambdaContext.AwsRequestID,
+		username,
+		event.SourceAddress,
+		event.ForceCommand,
+		ssh.FingerprintSHA256(publicKey),
+		lambdaContext.InvokedFunctionArn,
+		validBefore.Format("2006/01/02 15:04:05"),
+	)
+
+	// Create the certificate struct with all our configured alues
+	certificate := ssh.Certificate{
+		Nonce:    nonce,
+		Key:      publicKey,
+		Serial:   serial.Uint64(),
+		CertType: ssh.UserCert,
+		KeyId:    keyID,
+		ValidPrincipals: []string{
+			username,
+		},
+		Permissions: ssh.Permissions{
+			CriticalOptions: criticalOptions,
+			Extensions:      extensions,
+		},
+		ValidAfter:  uint64(validAfter.Unix()),
+		ValidBefore: uint64(validBefore.Unix()),
+	}
+
+	// Setup our Certificate Authority signer backed by KMS
+	kmsSigner := signer.NewKMSSigner(c.CertificateAuthority.KeyAlias)
+	sshAlgorithmSigner, err := signer.NewAlgorithmSignerFromSigner(kmsSigner, ssh.SigAlgoRSASHA2256)
+	if err != nil {
+		return nil, err
+	}
+
+	// Sign the certificate!!
+	if err := certificate.SignCert(rand.Reader, sshAlgorithmSigner); err != nil {
+		return nil, err
+	}
+
+	// Extract the public key (certificate) to return to the user
+	pubkey, err := ssh.ParsePublicKey(certificate.Marshal())
+	if err != nil {
+		return nil, err
+	}
+
+	// Success!
+	return &signer.SSHrimpResult{
+		Certificate:  string(ssh.MarshalAuthorizedKey(pubkey)),
+		ErrorMessage: "",
+		ErrorType:    "",
+	}, nil
+}
+
+func main() {
+	lambda.Start(HandleRequest)
+}

go.mod

@@ -0,0 +1,33 @@
+module github.com/stoggi/sshrimp
+
+go 1.13
+
+replace github.com/b-b3rn4rd/gocfn => github.com/stoggi/gocfn v0.0.0-20200214083946-6202cea979b9
+
+require (
+	github.com/AlecAivazis/survey/v2 v2.0.5
+	github.com/BurntSushi/toml v0.3.1
+	github.com/alecthomas/colour v0.1.0 // indirect
+	github.com/alecthomas/kong v0.2.2
+	github.com/aws/aws-lambda-go v1.13.3
+	github.com/aws/aws-sdk-go v1.25.43
+	github.com/awslabs/goformation v1.4.1 // indirect
+	github.com/awslabs/goformation/v4 v4.4.0
+	github.com/b-b3rn4rd/gocfn v0.0.0-20180729083956-9f400ac88956
+	github.com/coreos/go-oidc v2.1.0+incompatible
+	github.com/ghodss/yaml v1.0.0 // indirect
+	github.com/google/uuid v1.1.1
+	github.com/hashicorp/aws-sdk-go-base v0.4.0
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
+	github.com/magefile/mage v1.9.0
+	github.com/manifoldco/promptui v0.7.0
+	github.com/pkg/errors v0.9.1
+	github.com/sirupsen/logrus v1.4.2
+	github.com/spf13/afero v1.2.2 // indirect
+	github.com/stoggi/aws-oidc v0.0.0-20190621033350-d7c8067c7515
+	golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
+	golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // indirect
+	gopkg.in/alecthomas/kingpin.v2 v2.2.6
+	gopkg.in/square/go-jose.v2 v2.4.1 // indirect
+)

go.sum

@@ -0,0 +1,200 @@
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/99designs/aws-vault v4.5.1+incompatible/go.mod h1:BKt7gBiUkiAOh7TP/c36gMpRJkIk5F8hStyQoWwC/Rw=
+github.com/99designs/keyring v0.0.0-20190110203331-82da6802f65f h1:WXiWWJrYCaOaYimBAXlRdRJ7qOisrYyMLYnCvvhHVms=
+github.com/99designs/keyring v0.0.0-20190110203331-82da6802f65f/go.mod h1:aKt8W/yd91/xHY6ixZAJZ2vYbhr3pP8DcrvuGSGNPJk=
+github.com/AlecAivazis/survey v1.8.8 h1:Y4yypp763E8cbqb5RBqZhGgkCFLRFnbRBHrxnpMMsgQ=
+github.com/AlecAivazis/survey/v2 v2.0.5 h1:xpZp+Q55wi5C7Iaze+40onHnEkex1jSc34CltJjOoPM=
+github.com/AlecAivazis/survey/v2 v2.0.5/go.mod h1:WYBhg6f0y/fNYUuesWQc0PKbJcEliGcYHB9sNT3Bg74=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8 h1:xzYJEypr/85nBpB11F9br+3HUrpgb+fcm5iADzXXYEw=
+github.com/Netflix/go-expect v0.0.0-20180615182759-c93bf25de8e8/go.mod h1:oX5x61PbNXchhh0oikYAH+4Pcfw5LKv21+Jnpr6r6Pc=
+github.com/alecthomas/colour v0.1.0 h1:nOE9rJm6dsZ66RGWYSFrXw461ZIt9A6+nHgL7FRrDUk=
+github.com/alecthomas/colour v0.1.0/go.mod h1:QO9JBoKquHd+jz9nshCh40fOfO+JzsoXy8qTHF68zU0=
+github.com/alecthomas/kong v0.2.2 h1:sk9ucwuUP/T4+byYEdNU13ZNYzoQRML4IsrMbbUUKLk=
+github.com/alecthomas/kong v0.2.2/go.mod h1:kQOmtJgV+Lb4aj+I2LEn40cbtawdWJ9Y8QLq+lElKxE=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/aulanov/go.dbus v0.0.0-20150729231527-25c3068a42a0/go.mod h1:VHvUx+4lTCaJ8zUnEXF4cWEc9c8lnDt4PGLwlZ+3yaM=
+github.com/aws/aws-lambda-go v1.13.3 h1:SuCy7H3NLyp+1Mrfp+m80jcbi9KYWAs9/BXwppwRDzY=
+github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
+github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.25.3/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.25.43 h1:R5YqHQFIulYVfgRySz9hvBRTWBjudISa+r0C8XQ1ufg=
+github.com/aws/aws-sdk-go v1.25.43/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
+github.com/aws/aws-sdk-go v1.29.2 h1:muUfu006FBFvEaDzt4Wq6Ng9E7ufedf8zrB4hmY65QA=
+github.com/awslabs/goformation v1.4.1 h1:jws9kTrcI53Hq2COJAy50uAhgxB5N/Enb9Gmclr/MP4=
+github.com/awslabs/goformation v1.4.1/go.mod h1:HezUyH08DSwwGn3GioVXWZYUhkdvC+oGJ7ya7vBRm7k=
+github.com/awslabs/goformation/v3 v3.1.0/go.mod h1:hQ5RXo3GNm2laHWKizDzU5DsDy+yNcenSca2UxN0850=
+github.com/awslabs/goformation/v4 v4.4.0 h1:MwHqnYX+ebauk3EmQX8WXirI8OmHg/Cg34dt4/BThc4=
+github.com/awslabs/goformation/v4 v4.4.0/go.mod h1:MBDN7u1lMNDoehbFuO4uPvgwPeolTMA2TzX1yO6KlxI=
+github.com/b-b3rn4rd/gocfn v0.0.0-20180729083956-9f400ac88956 h1:AR0vL4FEL1H4yhjXYtz8RJZ5xWO1CBs8IladWiCV3aU=
+github.com/b-b3rn4rd/gocfn v0.0.0-20180729083956-9f400ac88956/go.mod h1:kOCOw4KbqX3dYcTLjMneEELuPQ9drjIRtGMpwqhBrak=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/coreos/go-oidc v2.0.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-oidc v2.1.0+incompatible h1:sdJrfw8akMnCuUlaZU3tE/uYXFgfqom8DBE9so9EBsM=
+github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/danieljoos/wincred v1.0.1/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dvsekhvalnov/jose2go v0.0.0-20180829124132-7f401d37b68a h1:mq+R6XEM6lJX5VlLyZIrUSP8tSuJp82xTK89hvBwJbU=
+github.com/dvsekhvalnov/jose2go v0.0.0-20180829124132-7f401d37b68a/go.mod h1:7BvyPhdbLxMXIYTFPLsyJRFMsKmOZnQmzh6Gb+uquuM=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-ini/ini v1.42.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
+github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
+github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
+github.com/hashicorp/aws-sdk-go-base v0.4.0 h1:zH9hNUdsS+2G0zJaU85ul8D59BGnZBaKM+KMNPAHGwk=
+github.com/hashicorp/aws-sdk-go-base v0.4.0/go.mod h1:eRhlz3c4nhqxFZJAahJEFL7gh6Jyj5rQmQc7F9eHFyQ=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.0 h1:wvCrVc9TjDls6+YGAF2hAifE1E5U1+b4tH6KdvN3Gig=
+github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
+github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174 h1:WlZsjVhE8Af9IcZDGgJGQpNflI3+MJSBhsgT5PCtzBQ=
+github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174/go.mod h1:DqJ97dSdRW1W22yXSB90986pcOyQ7r45iio1KN2ez1A=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
+github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a h1:FaWFmfWdAUKbSCtOU2QjDaorUexogfaMgbipgYATUMU=
+github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a/go.mod h1:UJSiEoRfvx3hP73CvoARgeLjaIOjybY9vj8PUPPFGeU=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
+github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
+github.com/keybase/go-keychain v0.0.0-20190408194155-7f2ef9fddce6 h1:hfM5TYph19rQBp3oOg4SVckf4ZmYrycciBJCWmxOcIE=
+github.com/keybase/go-keychain v0.0.0-20190408194155-7f2ef9fddce6/go.mod h1:JJNrCn9otv/2QP4D7SMJBgaleKpOf66PnW6F5WGNRIc=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.4 h1:5Myjjh3JY/NaAi4IsUbHADytDyl1VE1Y9PXDlL+P/VQ=
+github.com/kr/pty v1.1.4/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a h1:weJVJJRzAJBFRlAiJQROKQs8oC9vOxvm4rZmBBk0ONw=
+github.com/lunixbochs/vtclean v0.0.0-20180621232353-2d01aacdc34a/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
+github.com/magefile/mage v1.9.0 h1:t3AU2wNwehMCW97vuqQLtw6puppWXHO+O2MHo5a50XE=
+github.com/magefile/mage v1.9.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/manifoldco/promptui v0.7.0 h1:3l11YT8tm9MnwGFQ4kETwkzpAwY2Jt9lCrumCUW4+z4=
+github.com/manifoldco/promptui v0.7.0/go.mod h1:n4zTdgP0vr0S3w7/O/g98U+e0gwLScEXGwov2nIKuGQ=
+github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
+github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=
+github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b h1:j7+1HpAFS1zy5+Q4qx1fWh90gTKwiN4QCGoY9TWyyO4=
+github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/onsi/ginkgo v1.5.0 h1:uZr+v/TFDdYkdA+j02sPO1kA5owrfjBGCJAogfIyThE=
+github.com/onsi/ginkgo v1.5.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v1.2.0 h1:tQjc4uvqBp0z424R9V/S2L18penoUiwZftoY0t48IZ4=
+github.com/onsi/gomega v1.2.0/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
+github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b h1:jUK33OXuZP/l6babJtnLo1qsGvq6G9so9KMflGAm4YA=
+github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b/go.mod h1:8458kAagoME2+LN5//WxE71ysZ3B7r22fdgb7qVmXSY=
+github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522 h1:fOCp11H0yuyAt2wqlbJtbyPzSgaxHTv8uN1pMpkG1t8=
+github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/stoggi/aws-oidc v0.0.0-20190621033350-d7c8067c7515 h1:+hB8m3lZcit6hNP/wgKXyYu40HBnqOZ1qeTqfR3R2SM=
+github.com/stoggi/aws-oidc v0.0.0-20190621033350-d7c8067c7515/go.mod h1:SIKyxDgizI85GJhq5gKSaAx95RVsVY3zm2pwe9jKJ+E=
+github.com/stoggi/gocfn v0.0.0-20200214083946-6202cea979b9 h1:ldPJnZz4pMqMvrHXWGGXJjj8xpbpTRE+ebRKqKnlx38=
+github.com/stoggi/gocfn v0.0.0-20200214083946-6202cea979b9/go.mod h1:BeVU0jP5A5p0orflxiMya9WiTToEr84235rsJKU8a1Y=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/xeipuuv/gojsonpointer v0.0.0-20170225233418-6fe8760cad35/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20150808065054-e02fc20de94c/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v0.0.0-20181112162635-ac52e6811b56/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190530122614-20be4c3c3ed5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1 h1:anGSYQpPhQwXlwsu5wmfq0nWkCNaMEMUwAv13Y92hd8=
+golang.org/x/crypto v0.0.0-20191128160524-b544559bb6d1/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20170809000501-1c05540f6879/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20191021144547-ec77196f6094 h1:5O4U9trLjNpuhpynaDsqwCk+Tw6seqJz1EbqbnzHrc8=
+golang.org/x/net v0.0.0-20191021144547-ec77196f6094/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20170814044513-c84c1ab9fd18/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190530182044-ad28b68e88f1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a h1:aYOabOQFp6Vj6W1F80affTUvO9UxmJRx8K0gsfABByQ=
+golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.0.0-20170814122439-e56139fd9c5b/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/square/go-jose.v2 v2.3.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.4.1 h1:H0TmLt7/KmzlrDOpa1F+zr0Tk90PbJYBfsVUmRLrf9Y=
+gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

internal/config/config.go

@@ -0,0 +1,461 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"net/url"
+	"os"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/AlecAivazis/survey/v2"
+	"github.com/BurntSushi/toml"
+	"github.com/kballard/go-shellquote"
+)
+
+// Agent config for the sshrimp-agent agent
+type Agent struct {
+	ProviderURL    string
+	ClientID       string
+	ClientSecret   string
+	BrowserCommand []string
+	Socket         string
+}
+
+// CertificateAuthority config for the sshrimp-ca lambda
+type CertificateAuthority struct {
+	AccountID          int
+	Regions            []string
+	FunctionName       string
+	KeyAlias           string
+	ForceCommandRegex  string
+	SourceAddressRegex string
+	UsernameRegex      string
+	UsernameClaim      string
+	ValidAfterOffset   string
+	ValidBeforeOffset  string
+	Extensions         []string
+}
+
+// SSHrimp main configuration struct for sshrimp-agent and sshrimp-ca
+type SSHrimp struct {
+	Agent                Agent
+	CertificateAuthority CertificateAuthority
+}
+
+// List of supported regions for the config wizard
+var supportedAwsRegions = []string{
+	"ap-east-1",
+	"ap-northeast-1",
+	"ap-northeast-2",
+	"ap-south-1",
+	"ap-southeast-1",
+	"ap-southeast-2",
+	"ca-central-1",
+	"eu-central-1",
+	"eu-north-1",
+	"eu-west-1",
+	"eu-west-2",
+	"eu-west-3",
+	"me-south-1",
+	"sa-east-1",
+	"us-east-1",
+	"us-east-2",
+	"us-west-1",
+	"us-west-2",
+}
+
+var supportedExtensions = []string{
+	"no-agent-forwarding",
+	"no-port-forwarding",
+	"no-pty",
+	"no-user-rc",
+	"no-x11-forwarding",
+	"permit-agent-forwarding",
+	"permit-port-forwarding",
+	"permit-pty",
+	"permit-user-rc",
+	"permit-x11-forwarding",
+}
+
+// NewSSHrimp returns SSHrimp
+func NewSSHrimp() *SSHrimp {
+	return &SSHrimp{}
+}
+
+// NewSSHrimpWithDefaults returns SSHrimp with defaults already set
+func NewSSHrimpWithDefaults() *SSHrimp {
+
+	sshrimp := SSHrimp{
+		Agent{
+			ProviderURL: "https://accounts.google.com",
+			Socket:      "/tmp/sshrimp.sock",
+		},
+		CertificateAuthority{
+			FunctionName:       "sshrimp",
+			KeyAlias:           "alias/sshrimp",
+			ForceCommandRegex:  "^$",
+			SourceAddressRegex: "^$",
+			UsernameRegex:      `^(.*)@example\.com$`,
+			UsernameClaim:      "email",
+			ValidAfterOffset:   "-5m",
+			ValidBeforeOffset:  "+12h",
+			Extensions: []string{
+				"permit-agent-forwarding",
+				"permit-port-forwarding",
+				"permit-pty",
+				"permit-user-rc",
+				"no-x11-forwarding",
+			},
+		},
+	}
+	return &sshrimp
+}
+
+// DefaultPath of the sshrimp config file
+var DefaultPath = "./sshrimp.toml"
+
+// EnvVarName is the optional environment variable that if set overrides DefaultPath
+var EnvVarName = "SSHRIMP_CONFIG"
+
+// GetPath returns the default sshrimp config file path taking into account EnvVarName
+func GetPath() string {
+	if configPathFromEnv, ok := os.LookupEnv(EnvVarName); ok && configPathFromEnv != "" {
+		return configPathFromEnv
+	}
+	return DefaultPath
+}
+
+func validateInt(val interface{}) error {
+	if str, ok := val.(string); ok {
+		if _, err := strconv.Atoi(str); err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("expected type string got %v", reflect.TypeOf(val).Name())
+	}
+
+	return nil
+}
+
+func validateURL(val interface{}) error {
+	if str, ok := val.(string); ok {
+		if _, err := url.ParseRequestURI(str); err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("expected type string got %v", reflect.TypeOf(val).Name())
+	}
+
+	return nil
+}
+
+func validateDuration(val interface{}) error {
+	if str, ok := val.(string); ok {
+		if _, err := time.ParseDuration(str); err != nil {
+			return err
+		}
+	} else {
+		return fmt.Errorf("expected type string got %v", reflect.TypeOf(val).Name())
+	}
+
+	return nil
+}
+
+func validateAlias(val interface{}) error {
+	if str, ok := val.(string); ok {
+		if !strings.HasPrefix(str, "alias/") {
+			return errors.New("KMS alias must begin with alias/")
+		}
+	} else {
+		return fmt.Errorf("expected type string got %v", reflect.TypeOf(val).Name())
+	}
+
+	return nil
+}
+
+func validateRegions(val interface{}) error {
+	if regions, ok := val.([]string); ok {
+		if len(regions) < 1 {
+			return errors.New("need at least one region")
+		}
+	} else {
+		return fmt.Errorf("expected type []string got %v", reflect.TypeOf(val).Name())
+	}
+
+	return nil
+}
+
+func certificateAuthorityQuestions(config *SSHrimp) []*survey.Question {
+	defaultAccountID := ""
+	if config.CertificateAuthority.AccountID > 0 {
+		defaultAccountID = strconv.Itoa(config.CertificateAuthority.AccountID)
+	}
+	return []*survey.Question{
+		{
+			Name: "AccountID",
+			Prompt: &survey.Input{
+				Message: "AWS Account ID:",
+				Default: defaultAccountID,
+				Help:    "12 Digit account ID. You could get this by running `aws sts get-caller-identity`",
+			},
+			Validate: survey.ComposeValidators(
+				survey.Required,
+				validateInt,
+				survey.MaxLength(12),
+				survey.MinLength(12),
+			),
+		},
+		{
+			Name: "Regions",
+			Prompt: &survey.MultiSelect{
+				Message:  "AWS Region:",
+				Default:  config.CertificateAuthority.Regions,
+				Help:     "Select multiple regions for high availability. Each region gets it's own Lambda function and KMS key.",
+				Options:  supportedAwsRegions,
+				PageSize: 10,
+			},
+			Validate: survey.ComposeValidators(
+				survey.Required,
+				validateRegions,
+			),
+		},
+		{
+			Name: "FunctionName",
+			Prompt: &survey.Input{
+				Message: "Lambda Function Name:",
+				Help:    "The sshrimp certificate authority lambda will have this name.",
+				Default: config.CertificateAuthority.FunctionName,
+			},
+			Validate: survey.Required,
+		},
+		{
+			Name: "KeyAlias",
+			Prompt: &survey.Input{
+				Message: "KMS Key Alias:",
+				Help:    "A name beginning with 'alias/' to easily refer to KMS keys in IAM policies and configuration files.",
+				Default: config.CertificateAuthority.KeyAlias,
+			},
+			Validate: survey.ComposeValidators(
+				survey.Required,
+				validateAlias,
+			),
+		},
+		{
+			Name: "UsernameClaim",
+			Prompt: &survey.Input{
+				Message: "Username claim in JWT",
+				Help:    "Which claim in the JWT should be used as the username. See https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims",
+				Default: config.CertificateAuthority.UsernameClaim,
+			},
+			Validate: survey.Required,
+		},
+		{
+			Name: "UsernameRegex",
+			Prompt: &survey.Input{
+				Message: "Username regular expression",
+				Help:    "A regular expression to validate the username present in the identity token. The first matching group will be used as the username enforced in the certificate.",
+				Default: config.CertificateAuthority.UsernameRegex,
+			},
+			Validate: survey.Required,
+		},
+		{
+			Name: "ForceCommandRegex",
+			Prompt: &survey.Input{
+				Message: "ForceCommand regular expression:",
+				Help:    "A regular expression to validate the force command supplied by the user, but enforced in the certificate. See https://man.openbsd.org/sshd_config#ForceCommand",
+				Default: config.CertificateAuthority.ForceCommandRegex,
+			},
+			Validate: survey.Required,
+		},
+		{
+			Name: "SourceAddressRegex",
+			Prompt: &survey.Input{
+				Message: "Source IP address regular expression",
+				Help:    "A regular expression to validate the source IP address supplied by the user, but enforced in the certificate.",
+				Default: config.CertificateAuthority.SourceAddressRegex,
+			},
+			Validate: survey.Required,
+		},
+		{
+			Name: "ValidAfterOffset",
+			Prompt: &survey.Input{
+				Message: "A time.now() offset for valid_after",
+				Help:    "The amount to add to time.now() that the certificate will be valid FROM.",
+				Default: config.CertificateAuthority.ValidAfterOffset,
+			},
+			Validate: survey.ComposeValidators(
+				survey.Required,
+				validateDuration,
+			),
+		},
+		{
+			Name: "ValidBeforeOffset",
+			Prompt: &survey.Input{
+				Message: "A time.now() offset for valid_before",
+				Help:    "The amount to add to time.now() that the certificate will be valid TO.",
+				Default: config.CertificateAuthority.ValidBeforeOffset,
+			},
+			Validate: survey.ComposeValidators(
+				survey.Required,
+				validateDuration,
+			),
+		},
+		{
+			Name: "Extensions",
+			Prompt: &survey.MultiSelect{
+				Message:  "Certificate extensions",
+				Help:     "Extensions to be added to the certificate, see https://man.openbsd.org/ssh-keygen#CERTIFICATES",
+				Default:  config.CertificateAuthority.Extensions,
+				Options:  supportedExtensions,
+				PageSize: 10,
+			},
+			Validate: survey.Required,
+		},
+	}
+}
+
+func agentQuestions(config *SSHrimp) []*survey.Question {
+	return []*survey.Question{
+		{
+			Name: "ProviderURL",
+			Prompt: &survey.Input{
+				Message: "OpenIDConnect Provider URL:",
+				Default: config.Agent.ProviderURL,
+				Help:    "Get this from your OIDC provider. For example Google's is https://accounts.google.com.",
+			},
+			Validate: survey.ComposeValidators(survey.Required, validateURL),
+		},
+		{
+			Name: "ClientID",
+			Prompt: &survey.Input{
+				Message: "OpenIDConnect Client ID:",
+				Default: config.Agent.ClientID,
+				Help:    "Get this from your OIDC provider. For example Google uses the format 1234-0a1b2bc3.apps.googleusercontent.com",
+			},
+			Validate: survey.Required,
+		},
+		{
+			Name: "ClientSecret",
+			Prompt: &survey.Input{
+				Message: "OpenIDConnect Client Secret (only if required):",
+				Default: config.Agent.ClientSecret,
+				Help:    "Google requires the Client Secret even when using PKCE. Most OpenIDConnect provdiders don't. Read more about PKCE: https://tools.ietf.org/html/rfc7636",
+			},
+		},
+		{
+			Name: "Socket",
+			Prompt: &survey.Input{
+				Message: "sshrimp-agent socket:",
+				Default: config.Agent.Socket,
+				Help:    "Path of the socket for the sshrimp-agent to listen on. Create a unique one for each instance of sshrimp-agent.",
+			},
+			Validate: survey.Required,
+		},
+	}
+}
+
+func browserCommandQuestions(config *SSHrimp) []*survey.Question {
+	return []*survey.Question{
+		{
+			Name: "BrowserCommand",
+			Prompt: &survey.Input{
+				Message: "Command to open a browser:",
+				Default: shellquote.Join(config.Agent.BrowserCommand...),
+				Help:    "Optionally {} will be substituted with the URL to open.",
+			},
+			Validate: survey.Required,
+		},
+	}
+}
+
+func configFileQuestions(configPath string) []*survey.Question {
+	return []*survey.Question{
+		{
+			Name: "ConfigPath",
+			Prompt: &survey.Input{
+				Message: "File path to write the new config:",
+				Default: configPath,
+				Help:    "Set environment variable SSHRIMP_CONFIG to this path if different from ./sshrimp.toml",
+			},
+			Validate: survey.Required,
+		},
+	}
+}
+
+func (c *SSHrimp) Read(configPath string) error {
+	_, err := toml.DecodeFile(configPath, c)
+	return err
+}
+
+func (c *SSHrimp) Write(configPath string) error {
+	// Create the new config file
+	configFile, err := os.Create(configPath)
+	if err != nil {
+		return err
+	}
+	defer configFile.Close()
+
+	// Encode the configuration values as a TOML file
+	encoder := toml.NewEncoder(configFile)
+	if err := encoder.Encode(c); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// Wizard launches a interactive question/answer terminal prompt to create a config file
+func Wizard(configPath string, config *SSHrimp) (string, error) {
+
+	// Create a new config that doesn't have any default values, otherwise survey appends to the defaults.
+	newConfig := NewSSHrimp()
+
+	if err := survey.Ask(certificateAuthorityQuestions(config), &newConfig.CertificateAuthority); err != nil {
+		return "", err
+	}
+
+	if err := survey.Ask(agentQuestions(config), &newConfig.Agent); err != nil {
+		return "", err
+	}
+
+	// Ask BrowserCommand separately so we can store it as a []string, currently not supported by survey.
+	var browserCommand string
+	if err := survey.Ask(browserCommandQuestions(config), &browserCommand); err != nil {
+		return "", err
+	}
+	// Split the command by sh rules using shellquote. The command is stored as a slice of arguments.
+	words, err := shellquote.Split(browserCommand)
+	if err != nil {
+		return "", err
+	}
+	newConfig.Agent.BrowserCommand = words
+
+	// Confirm config file path, and keep prompting if exists and user chooses not to overwrite
+	var overwriteIfExists = false
+	for !overwriteIfExists {
+		if err := survey.Ask(configFileQuestions(configPath), &configPath); err != nil {
+			return "", err
+		}
+
+		if _, err := os.Stat(configPath); err == nil {
+			// File exists, confirm to be overwritten
+			if err := survey.AskOne(&survey.Confirm{
+				Message: "File exists, overwrite?",
+				Default: false,
+			}, &overwriteIfExists); err != nil {
+				return "", err
+			}
+		} else {
+			// File doesn't exist, break and save the file
+			break
+		}
+	}
+
+	// Write the new configuration to a file
+	newConfig.Write(configPath)
+
+	return configPath, nil
+}

internal/identity/identity.go

@@ -0,0 +1,67 @@
+package identity
+
+import (
+	"context"
+	"errors"
+	"regexp"
+
+	"github.com/coreos/go-oidc"
+	"github.com/stoggi/sshrimp/internal/config"
+)
+
+// Identity holds information required to verify an OIDC identity token
+type Identity struct {
+	ctx           context.Context
+	verifier      *oidc.IDTokenVerifier
+	usernameRE    *regexp.Regexp
+	usernameClaim string
+}
+
+// NewIdentity return a new Identity, with default values and oidc proivder information populated
+func NewIdentity(c *config.SSHrimp) (*Identity, error) {
+	ctx := context.Background()
+	provider, err := oidc.NewProvider(ctx, c.Agent.ProviderURL)
+	if err != nil {
+		return nil, err
+	}
+
+	oidcConfig := &oidc.Config{
+		ClientID:             c.Agent.ClientID,
+		SupportedSigningAlgs: []string{"RS256"},
+	}
+
+	return &Identity{
+		ctx:           ctx,
+		verifier:      provider.Verifier(oidcConfig),
+		usernameRE:    regexp.MustCompile(c.CertificateAuthority.UsernameRegex),
+		usernameClaim: c.CertificateAuthority.UsernameClaim,
+	}, nil
+}
+
+// Validate an identity token
+func (i *Identity) Validate(token string) (string, error) {
+
+	idToken, err := i.verifier.Verify(i.ctx, token)
+	if err != nil {
+		return "", errors.New("failed to verify identity token: " + err.Error())
+	}
+
+	var claims map[string]interface{}
+	if err := idToken.Claims(&claims); err != nil {
+		return "", errors.New("failed to parse claims: " + err.Error())
+	}
+
+	claimedUsername, ok := claims[i.usernameClaim].(string)
+	if !ok {
+		return "", errors.New("configured username claim not in identity token")
+	}
+
+	return i.parseUsername(claimedUsername)
+}
+
+func (i *Identity) parseUsername(username string) (string, error) {
+	if match := i.usernameRE.FindStringSubmatch(username); match != nil {
+		return match[1], nil
+	}
+	return "", errors.New("unable to parse username from claim")
+}

internal/signer/algorithm.go

@@ -0,0 +1,42 @@
+package signer
+
+import (
+	"crypto"
+	"errors"
+	"io"
+
+	"golang.org/x/crypto/ssh"
+)
+
+type sshAlgorithmSigner struct {
+	algorithm string
+	signer    ssh.AlgorithmSigner
+}
+
+// PublicKey returns the wrapped signers public key
+func (s *sshAlgorithmSigner) PublicKey() ssh.PublicKey {
+	return s.signer.PublicKey()
+}
+
+// Sign uses the correct algorithm to sign the certificate
+func (s *sshAlgorithmSigner) Sign(rand io.Reader, data []byte) (*ssh.Signature, error) {
+	return s.signer.SignWithAlgorithm(rand, data, s.algorithm)
+}
+
+// NewAlgorithmSignerFromSigner returns a ssh.Signer with a different default algorithm.
+// Waiting for upstream changes to x/crypto/ssh, see: https://github.com/golang/go/issues/36261
+func NewAlgorithmSignerFromSigner(signer crypto.Signer, algorithm string) (ssh.Signer, error) {
+	sshSigner, err := ssh.NewSignerFromSigner(signer)
+	if err != nil {
+		return nil, err
+	}
+	algorithmSigner, ok := sshSigner.(ssh.AlgorithmSigner)
+	if !ok {
+		return nil, errors.New("unable to cast to ssh.AlgorithmSigner")
+	}
+	s := sshAlgorithmSigner{
+		signer:    algorithmSigner,
+		algorithm: algorithm,
+	}
+	return &s, nil
+}

internal/signer/kms.go

@@ -0,0 +1,67 @@
+package signer
+
+import (
+	"crypto"
+	"crypto/x509"
+	"fmt"
+	"io"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/aws/aws-sdk-go/service/kms/kmsiface"
+)
+
+// KMSSigner an AWS asymetric crypto signer
+type KMSSigner struct {
+	crypto.Signer
+	client kmsiface.KMSAPI
+	key    string
+}
+
+// NewKMSSigner return a new instsance of KMSSigner
+func NewKMSSigner(key string) *KMSSigner {
+
+	sess := session.Must(session.NewSession())
+
+	return &KMSSigner{
+		key:    key,
+		client: kms.New(sess),
+	}
+}
+
+// Public returns the public key from KMS
+func (s *KMSSigner) Public() crypto.PublicKey {
+
+	response, err := s.client.GetPublicKey(&kms.GetPublicKeyInput{
+		KeyId: &s.key,
+	})
+	if err != nil {
+		fmt.Printf(err.Error())
+		return nil
+	}
+
+	publicKey, err := x509.ParsePKIXPublicKey(response.PublicKey)
+	if err != nil {
+		fmt.Printf(err.Error())
+		return nil
+	}
+
+	return publicKey
+}
+
+// Sign a digest with the private key in KMS
+func (s *KMSSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+
+	response, err := s.client.Sign(&kms.SignInput{
+		KeyId:            &s.key,
+		Message:          digest,
+		MessageType:      aws.String(kms.MessageTypeDigest),
+		SigningAlgorithm: aws.String(kms.SigningAlgorithmSpecRsassaPkcs1V15Sha256),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return response.Signature, nil
+}

internal/signer/sshrimp.go

@@ -0,0 +1,92 @@
+package signer
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/lambda"
+	"github.com/pkg/errors"
+	"github.com/stoggi/sshrimp/internal/config"
+	"golang.org/x/crypto/ssh"
+)
+
+// SSHrimpResult encodes the payload format returned from the sshrimp-ca lambda
+type SSHrimpResult struct {
+	Certificate  string `json:"certificate"`
+	ErrorMessage string `json:"errorMessage"`
+	ErrorType    string `json:"errorType"`
+}
+
+// SSHrimpEvent encodes the user input for the sshrimp-ca lambda
+type SSHrimpEvent struct {
+	PublicKey     string `json:"publickey"`
+	Token         string `json:"token"`
+	SourceAddress string `json:"sourceaddress"`
+	ForceCommand  string `json:"forcecommand"`
+}
+
+// SignCertificateAllRegions iterate through each configured region if there is an error signing the certificate
+func SignCertificateAllRegions(publicKey ssh.PublicKey, token string, forceCommand string, c *config.SSHrimp) (*ssh.Certificate, error) {
+	var err error
+
+	// Try each configured region before exiting if there is an error
+	for _, region := range c.CertificateAuthority.Regions {
+		cert, err := SignCertificateOneRegion(publicKey, token, forceCommand, region, c)
+		if err == nil {
+			return cert, nil
+		}
+	}
+	return nil, err
+}
+
+// SignCertificateOneRegion given a public key, identity token and forceCommand, invoke the sshrimp-ca lambda function
+func SignCertificateOneRegion(publicKey ssh.PublicKey, token string, forceCommand string, region string, c *config.SSHrimp) (*ssh.Certificate, error) {
+	// Create a lambdaService using the new temporary credentials for the role
+	session := session.Must(session.NewSession(&aws.Config{
+		Region: aws.String(region),
+	}))
+	lambdaService := lambda.New(session)
+
+	// Setup the JSON payload for the SSHrimp CA
+	payload, err := json.Marshal(SSHrimpEvent{
+		PublicKey:    string(ssh.MarshalAuthorizedKey(publicKey)),
+		Token:        token,
+		ForceCommand: forceCommand,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// Invoke the SSHrimp lambda
+	result, err := lambdaService.Invoke(&lambda.InvokeInput{
+		FunctionName: aws.String(c.CertificateAuthority.FunctionName),
+		Payload:      payload,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if *result.StatusCode != 200 {
+		return nil, fmt.Errorf("sshrimp returned status code %d", *result.StatusCode)
+	}
+
+	// Parse the result form the lambda to extract the certificate
+	sshrimpResult := SSHrimpResult{}
+	err = json.Unmarshal(result.Payload, &sshrimpResult)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse json response from sshrimp-ca")
+	}
+
+	// These error types and messages can also come from the aws-sdk-go lambda handler
+	if sshrimpResult.ErrorType != "" || sshrimpResult.ErrorMessage != "" {
+		return nil, fmt.Errorf("%s: %s", sshrimpResult.ErrorType, sshrimpResult.ErrorMessage)
+	}
+
+	// Parse the certificate received by sshrimp-ca
+	cert, _, _, _, err := ssh.ParseAuthorizedKey([]byte(sshrimpResult.Certificate))
+	if err != nil {
+		return nil, err
+	}
+	return cert.(*ssh.Certificate), nil
+}

internal/sshrimpagent/sshrimpagent.go

@@ -0,0 +1,109 @@
+package sshrimpagent
+
+import (
+	"crypto/rand"
+	"errors"
+	"time"
+
+	"github.com/stoggi/aws-oidc/provider"
+	"github.com/stoggi/sshrimp/internal/config"
+	"github.com/stoggi/sshrimp/internal/signer"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/agent"
+)
+
+type sshrimpAgent struct {
+	providerConfig provider.ProviderConfig
+	signer         ssh.Signer
+	certificate    *ssh.Certificate
+	token          *provider.OAuth2Token
+	config         *config.SSHrimp
+}
+
+// NewSSHrimpAgent returns an agent.Agent capable of signing certificates with a SSHrimp Certificate Authority
+func NewSSHrimpAgent(c *config.SSHrimp, signer ssh.Signer) agent.Agent {
+
+	providerConfig := provider.ProviderConfig{
+		ClientID:     c.Agent.ClientID,
+		ClientSecret: c.Agent.ClientSecret,
+		ProviderURL:  c.Agent.ProviderURL,
+		PKCE:         true,
+		Nonce:        true,
+		AgentCommand: c.Agent.BrowserCommand,
+	}
+
+	return &sshrimpAgent{
+		providerConfig: providerConfig,
+		signer:         signer,
+		certificate:    &ssh.Certificate{},
+		token:          &provider.OAuth2Token{},
+		config:         c,
+	}
+}
+
+// RemoveAll clears the current certificate and identity token (including refresh token)
+func (r *sshrimpAgent) RemoveAll() error {
+	r.certificate = &ssh.Certificate{}
+	r.token = &provider.OAuth2Token{}
+	return nil
+}
+
+// Remove has the same functionality as RemoveAll
+func (r *sshrimpAgent) Remove(key ssh.PublicKey) error {
+	return r.RemoveAll()
+}
+
+// Lock is not supported on this agent
+func (r *sshrimpAgent) Lock(passphrase []byte) error {
+	return errors.New("sshrimp-agent: locking not supported")
+}
+
+// Unlock is not supported on this agent
+func (r *sshrimpAgent) Unlock(passphrase []byte) error {
+	return errors.New("sshrimp-agent: unlocking not supported")
+}
+
+// List returns the identities, but also signs the certificate using sshrimp-ca if expired.
+func (r *sshrimpAgent) List() ([]*agent.Key, error) {
+
+	unixNow := time.Now().Unix()
+	before := int64(r.certificate.ValidBefore)
+	if r.certificate.ValidBefore != uint64(ssh.CertTimeInfinity) && (unixNow >= before || before < 0) {
+		// Certificate has expired
+		err := r.providerConfig.Authenticate(r.token)
+		if err != nil {
+			return nil, err
+		}
+
+		cert, err := signer.SignCertificateAllRegions(r.signer.PublicKey(), r.token.IDToken, "", r.config)
+		if err != nil {
+			return nil, err
+		}
+		r.certificate = cert
+	}
+
+	var ids []*agent.Key
+	ids = append(ids, &agent.Key{
+		Format:  r.certificate.Type(),
+		Blob:    r.certificate.Marshal(),
+		Comment: r.certificate.KeyId,
+	})
+	return ids, nil
+}
+
+// Add is not supported on this agent. For multiple OIDC backends, run multiple agents.
+func (r *sshrimpAgent) Add(key agent.AddedKey) error {
+	return errors.New("sshrimp-agent: adding identities not supported")
+}
+
+// Sign uses our private key to sign the challenge required to authenticate to the ssh host.
+func (r *sshrimpAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signature, error) {
+	return r.signer.Sign(rand.Reader, data)
+}
+
+// Signers list our current signers which there is only one.
+func (r *sshrimpAgent) Signers() ([]ssh.Signer, error) {
+	return []ssh.Signer{
+		r.signer,
+	}, nil
+}

magefile.go

@@ -0,0 +1,38 @@
+//+build mage
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/magefile/mage/mg"
+
+	// mage:import ca
+	"github.com/stoggi/sshrimp/tools/mage/ca"
+	// mage:import agent
+	"github.com/stoggi/sshrimp/tools/mage/agent"
+)
+
+var Default = All
+
+// Builds all the targets
+func Build() {
+	mg.Deps(ca.Build, agent.Build)
+}
+
+// Remove all build output (except generated configuration files)
+func Clean() {
+	mg.Deps(ca.Clean, agent.Clean)
+}
+
+// Build and deploy the ca and agent
+func All() {
+	mg.Deps(agent.Build, ca.Package, ca.Generate)
+
+	if _, err := os.Stat("./terraform"); os.IsNotExist(err) {
+		fmt.Println("All done. Run `terraform init` then `terraform apply` to deploy.")
+	} else {
+		fmt.Println("All done. Run `terraform apply` to deploy.")
+	}
+}

terraform/iam.tf

@@ -0,0 +1,47 @@
+
+data "aws_iam_policy_document" "sshrimp_ca_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "sshrimp_ca" {
+  statement {
+    actions = [
+      "kms:Sign",
+      "kms:GetPublicKey"
+    ]
+    resources = [
+      "${aws_kms_key.sshrimp_ca_private_key.arn}",
+    ]
+  }
+
+  statement {
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = [
+      "*",
+    ]
+  }
+}
+
+
+resource "aws_iam_role_policy" "sshrimp_ca" {
+  name   = "sshrimp-ca-${data.aws_region.current.name}"
+  role   = aws_iam_role.sshrimp_ca.id
+  policy = data.aws_iam_policy_document.sshrimp_ca.json
+}
+
+resource "aws_iam_role" "sshrimp_ca" {
+  name               = "sshrimp-ca-${data.aws_region.current.name}"
+  assume_role_policy = data.aws_iam_policy_document.sshrimp_ca_assume_role.json
+}

terraform/kms.tf

@@ -0,0 +1,64 @@
+data "aws_iam_policy_document" "sshrimp_ca_private_key" {
+  // Allow the root account to administer the key, but not encrypt/decrypt/sign
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+
+    actions = [
+      "kms:CancelKeyDeletion",
+      "kms:Create*",
+      "kms:Delete*",
+      "kms:Describe*",
+      "kms:Disable*",
+      "kms:Enable*",
+      "kms:Get*",
+      "kms:List*",
+      "kms:Put*",
+      "kms:Revoke*",
+      "kms:ScheduleKeyDeletion",
+      "kms:TagResource",
+      "kms:UntagResource",
+      "kms:Update*",
+    ]
+
+    resources = ["*"]
+  }
+
+  // Allow the SSHrimp lambda to sign and get the public key
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "AWS"
+      identifiers = ["${aws_iam_role.sshrimp_ca.arn}"]
+    }
+
+    actions = [
+      "kms:Sign",
+      "kms:GetPublicKey",
+    ]
+
+    resources = ["*"]
+  }
+}
+
+
+resource "aws_kms_key" "sshrimp_ca_private_key" {
+  description              = "KMS key used to sign SSH certificates for the SSHrimp Certificate Authority"
+  deletion_window_in_days  = 10
+  customer_master_key_spec = "RSA_4096"
+  key_usage                = "SIGN_VERIFY"
+  policy                   = data.aws_iam_policy_document.sshrimp_ca_private_key.json
+  depends_on = [
+    aws_iam_role.sshrimp_ca,
+  ]
+}
+
+resource "aws_kms_alias" "sshrimp_ca_private_key" {
+  name          = "alias/${var.key_alias}"
+  target_key_id = aws_kms_key.sshrimp_ca_private_key.key_id
+}

terraform/lambda.tf

@@ -0,0 +1,11 @@
+
+resource "aws_lambda_function" "sshrimp_ca" {
+  function_name = var.lambda_name
+  filename      = "sshrimp-ca.zip"
+  role          = aws_iam_role.sshrimp_ca.arn
+  timeout       = 120
+  memory_size   = 512
+  description   = "SSHrimp Certificate Authority"
+  handler       = "sshrimp-ca"
+  runtime       = "go1.x"
+}

terraform/main.tf

@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}

terraform/variables.tf

@@ -0,0 +1,9 @@
+variable "lambda_name" {
+  type    = string
+  default = "sshrimp"
+}
+
+variable "key_alias" {
+  type    = string
+  default = "sshrimp"
+}

tools/mage/agent/agent.go

@@ -0,0 +1,20 @@
+package agent
+
+import (
+	"github.com/magefile/mage/sh"
+)
+
+// Build Builds the local ssh agent
+func Build() error {
+	return sh.Run("go", "build", "./cmd/sshrimp-agent")
+}
+
+// Clean Cleans the output files for sshrimp-agent
+func Clean() error {
+	return sh.Rm("sshrimp-agent")
+}
+
+// Install Installs the sshrimp-agent
+func Install() error {
+	return sh.Run("go", "install", "./cmd/sshrimp-agent")
+}

tools/mage/ca/ca.go

@@ -0,0 +1,143 @@
+package ca
+
+import (
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/magefile/mage/mg"
+	"github.com/magefile/mage/sh"
+	"github.com/magefile/mage/target"
+	"github.com/stoggi/sshrimp/internal/config"
+	"golang.org/x/crypto/ssh"
+)
+
+// Config Generate a sshrimp configuration file if it doesn't exsit
+func Config() error {
+	c := config.NewSSHrimpWithDefaults()
+
+	// Read the existing config if it doesn't exist, generate a new one
+	if err := c.Read(config.GetPath()); err != nil {
+		configPath, err := config.Wizard(config.GetPath(), c)
+		if err != nil {
+			return err
+		}
+		// If a different config path is chosen, use it for the rest of the build
+		os.Setenv("SSHRIMP_CONFIG", configPath)
+	}
+
+	return nil
+}
+
+// Build Builds the certificate authority
+func Build() error {
+	env := map[string]string{
+		"GOOS": "linux",
+	}
+	return sh.RunWith(env, "go", "build", "./cmd/sshrimp-ca")
+}
+
+// Package Packages the certificate authority files into a zip archive
+func Package() error {
+	if modified, err := target.Path("sshrimp-ca", config.GetPath()); err == nil && !modified {
+		return nil
+	}
+
+	mg.Deps(Build, Config)
+
+	zipFile, err := os.Create("sshrimp-ca.zip")
+	if err != nil {
+		return err
+	}
+	defer zipFile.Close()
+
+	if err := lambdaCreateArchive(zipFile, "sshrimp-ca", config.GetPath()); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Generate Generates a CloudFormation template used to deploy the certificate authority
+func Generate() error {
+	if modified, err := target.Path("sshrimp-ca.tf.json", config.GetPath()); err == nil && !modified {
+		return nil
+	}
+
+	mg.Deps(Config)
+
+	c := config.NewSSHrimp()
+	if err := c.Read(config.GetPath()); err != nil {
+		return err
+	}
+
+	template, err := generateTerraform(c)
+	if err != nil {
+		return err
+	}
+	ioutil.WriteFile("sshrimp-ca.tf.json", template, 0644)
+	return nil
+}
+
+// Keys Get the public keys of all configured KMS keys in OpenSSH format
+func Keys() error {
+
+	c := config.NewSSHrimp()
+	if err := c.Read(config.GetPath()); err != nil {
+		return err
+	}
+
+	// For each configured region, get the public key from KMS and format it in an OpenSSH authorized_keys format
+	for _, region := range c.CertificateAuthority.Regions {
+
+		// Create a new session in the correct region
+		session := session.Must(session.NewSession(&aws.Config{
+			Region: aws.String(region),
+		}))
+		svc := kms.New(session)
+
+		// Get the public key from KMS
+		response, err := svc.GetPublicKey(&kms.GetPublicKeyInput{
+			KeyId: aws.String(c.CertificateAuthority.KeyAlias),
+		})
+		if err != nil {
+			return err
+		}
+
+		// Parse the public key from KMS
+		publicKey, err := x509.ParsePKIXPublicKey(response.PublicKey)
+		if err != nil {
+			return err
+		}
+
+		// Convert the public key into an SSH public key
+		sshPublicKey, err := ssh.NewPublicKey(publicKey)
+		if err != nil {
+			return err
+		}
+
+		// Generate the final string to output on stdout
+		authorizedKey := strings.TrimSuffix(string(ssh.MarshalAuthorizedKey(sshPublicKey)), "\n")
+		fmt.Printf("%s sshrimp-ca@%s\n", authorizedKey, region)
+	}
+
+	return nil
+}
+
+// Clean Cleans the output files for sshrimp-ca
+func Clean() error {
+	if err := sh.Rm("sshrimp-ca"); err != nil {
+		return err
+	}
+	if err := sh.Rm("sshrimp-ca.tf.json"); err != nil {
+		return err
+	}
+	if err := sh.Rm("sshrimp-ca.zip"); err != nil {
+		return err
+	}
+	return nil
+}

tools/mage/ca/lambda.go

@@ -0,0 +1,43 @@
+package ca
+
+import (
+	"archive/zip"
+	"io"
+	"os"
+)
+
+// Packages the certificate authority lambda into a zip archive on writer
+func lambdaCreateArchive(wr io.Writer, filename ...string) error {
+
+	archive := zip.NewWriter(wr)
+	defer archive.Close()
+
+	for _, path := range filename {
+		info, err := os.Stat(path)
+		if err != nil {
+			return err
+		}
+
+		header, err := zip.FileInfoHeader(info)
+		if err != nil {
+			return err
+		}
+
+		writer, err := archive.CreateHeader(header)
+		if err != nil {
+			return err
+		}
+
+		file, err := os.Open(path)
+		if err != nil {
+			return err
+		}
+		defer file.Close()
+
+		if _, err := io.Copy(writer, file); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

tools/mage/ca/template.go

@@ -0,0 +1,88 @@
+package ca
+
+import (
+	"github.com/awslabs/goformation/v4/cloudformation"
+	"github.com/awslabs/goformation/v4/cloudformation/iam"
+	"github.com/awslabs/goformation/v4/cloudformation/kms"
+	"github.com/awslabs/goformation/v4/cloudformation/lambda"
+	"github.com/stoggi/sshrimp/internal/config"
+)
+
+func makePolicyDocument(statement map[string]interface{}) map[string]interface{} {
+	return map[string]interface{}{
+		"Version": "2012-10-17",
+		"Statement": []interface{}{
+			statement,
+		},
+	}
+}
+
+func makeAssumeRolePolicyDocument(service string) map[string]interface{} {
+	return makePolicyDocument(map[string]interface{}{
+		"Effect": "Allow",
+		"Principal": map[string][]string{
+			"Service": []string{service},
+		},
+		"Action": []string{"sts:AssumeRole"},
+	})
+}
+
+func generateTemplate(c *config.SSHrimp) ([]byte, error) {
+
+	// Create a new CloudFormation template
+	template := cloudformation.NewTemplate()
+
+	template.Resources["SSHrimpPrivateKey"] = &kms.Key{
+		Description:         "SSHrimp Certificate Authority Private Key",
+		PendingWindowInDays: 7,
+		KeyUsage:            "SIGN_VERIFY",
+		KeyPolicy: makePolicyDocument(map[string]interface{}{
+			"Effect": "Allow",
+			"Principal": map[string][]string{
+				"AWS": []string{
+					cloudformation.GetAtt("SSHrimpLambdaExecutionRole", "Arn"),
+				},
+			},
+			"Action": []string{
+				"kms:GetPublicKey",
+				"kms:Sign",
+			},
+			"Resource": cloudformation.GetAtt("SSHrimpLambda", "Arn"),
+		}),
+	}
+
+	template.Resources["SSHrimpLambdaExecutionRole"] = &iam.Role{
+		AssumeRolePolicyDocument: makeAssumeRolePolicyDocument("lambda.amazonaws.com"),
+		RoleName:                 "sshrimp-ca",
+		Policies: []iam.Role_Policy{
+			{
+				PolicyDocument: makePolicyDocument(map[string]interface{}{
+					"Effect":   "Allow",
+					"Action":   "kms:Sign",
+					"Resource": "*",
+				}),
+				PolicyName: "sshrimp-ca-lambda",
+			},
+		},
+	}
+
+	template.Resources["SSHrimpLambda"] = &lambda.Function{
+		FunctionName: c.CertificateAuthority.FunctionName,
+		Description:  "SSHrimp Certificate Authority",
+		Role:         cloudformation.GetAtt("SSHrimpLambdaExecutionRole", "Arn"),
+		Handler:      "sshrimp-ca",
+		MemorySize:   512,
+		Runtime:      "python3.7",
+		Code: &lambda.Function_Code{
+			ZipFile: "sshrimp-ca.zip",
+		},
+	}
+
+	// Generate the YAML AWS CloudFormation template
+	y, err := template.YAML()
+	if err != nil {
+		return nil, err
+	}
+
+	return y, nil
+}

tools/mage/ca/terraform.go

@@ -0,0 +1,57 @@
+package ca
+
+import (
+	"encoding/json"
+	"strconv"
+
+	"github.com/stoggi/sshrimp/internal/config"
+)
+
+// Provider describes an AWS provider
+type Provider struct {
+	Version           string   `json:"version"`
+	Alias             string   `json:"alias"`
+	Region            string   `json:"region"`
+	AllowedAccountIDs []string `json:"allowed_account_ids"`
+}
+
+// Module describes a terraform module
+type Module struct {
+	Source    string            `json:"source"`
+	Providers map[string]string `json:"providers"`
+}
+
+// TerraformOutput represents the main.tf.json struct
+type TerraformOutput struct {
+	Provider map[string][]Provider `json:"provider"`
+	Module   map[string]Module     `json:"module"`
+}
+
+func generateTerraform(c *config.SSHrimp) ([]byte, error) {
+
+	providers := make([]Provider, len(c.CertificateAuthority.Regions))
+	modules := make(map[string]Module, len(c.CertificateAuthority.Regions))
+	for index, region := range c.CertificateAuthority.Regions {
+		providers[index].Version = "~> 2.49"
+		providers[index].Alias = region
+		providers[index].Region = region
+		providers[index].AllowedAccountIDs = []string{
+			strconv.Itoa(c.CertificateAuthority.AccountID),
+		}
+		modules["sshrimp-"+region] = Module{
+			Source: "./terraform",
+			Providers: map[string]string{
+				"aws": "aws." + region,
+			},
+		}
+	}
+
+	output := TerraformOutput{
+		Provider: map[string][]Provider{
+			"aws": providers,
+		},
+		Module: modules,
+	}
+
+	return json.MarshalIndent(output, "", "  ")
+}