Revert "replace github.com/stoggi/aws-oidc with internal/aws-oidc"
Replace github.com/stoggi/aws-oidc with git.narnian.us/lordwelch/aws-oidc Update import paths to git.narnian.us/lordwelch/sshrimp Remove unnecessary logging This reverts commit 2ae68a7e316f6f692a4773ba4d2702bf144d5155.
This commit is contained in:
lordwelch
parent
761b329841
commit
be7e7d8541
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,11 +1,8 @@
|
||||
sshrimp.toml
|
||||
|
||||
sshrimp-ca
|
||||
sshrimp-ca.tf.json
|
||||
sshrimp-ca.zip
|
||||
|
||||
sshrimp-agent
|
||||
|
||||
terraform.tfstate
|
||||
terraform.tfstate.backup
|
||||
.terraform
|
||||
|
||||
@ -14,10 +14,10 @@ import (
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/config"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/signer"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/sshrimpagent"
|
||||
"github.com/sirupsen/logrus"
|
||||
"github.com/stoggi/sshrimp/internal/config"
|
||||
"github.com/stoggi/sshrimp/internal/signer"
|
||||
"github.com/stoggi/sshrimp/internal/sshrimpagent"
|
||||
"golang.org/x/crypto/ssh"
|
||||
"golang.org/x/crypto/ssh/agent"
|
||||
)
|
||||
|
||||
@ -5,10 +5,10 @@ import (
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/config"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/signer"
|
||||
"github.com/aws/aws-lambda-go/lambda"
|
||||
"github.com/aws/aws-lambda-go/lambdacontext"
|
||||
"github.com/stoggi/sshrimp/internal/config"
|
||||
"github.com/stoggi/sshrimp/internal/signer"
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
|
||||
@ -8,9 +8,9 @@ import (
|
||||
"net/http"
|
||||
"os"
|
||||
|
||||
"github.com/stoggi/sshrimp/internal/config"
|
||||
"github.com/stoggi/sshrimp/internal/identity"
|
||||
"github.com/stoggi/sshrimp/internal/signer"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/config"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/identity"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/signer"
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
|
||||
17
go.mod
17
go.mod
@ -1,29 +1,22 @@
|
||||
module github.com/stoggi/sshrimp
|
||||
module git.narnian.us/lordwelch/sshrimp
|
||||
|
||||
go 1.14
|
||||
go 1.13
|
||||
|
||||
replace github.com/b-b3rn4rd/gocfn => github.com/stoggi/gocfn v0.0.0-20200214083946-6202cea979b9
|
||||
|
||||
replace github.com/stoggi/aws-oidc => ./internal/aws-oidc
|
||||
|
||||
require (
|
||||
cloud.google.com/go v0.63.0
|
||||
git.narnian.us/lordwelch/aws-oidc v0.0.2
|
||||
github.com/AlecAivazis/survey/v2 v2.1.0
|
||||
github.com/BurntSushi/toml v0.3.1
|
||||
github.com/aws/aws-lambda-go v1.19.0
|
||||
github.com/aws/aws-sdk-go v1.33.21
|
||||
github.com/awslabs/goformation/v4 v4.14.0
|
||||
github.com/coreos/go-oidc v2.2.1+incompatible
|
||||
github.com/imdario/mergo v0.3.10 // indirect
|
||||
github.com/coreos/go-oidc v2.0.0+incompatible
|
||||
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
|
||||
github.com/magefile/mage v1.10.0
|
||||
github.com/mattn/go-colorable v0.1.7 // indirect
|
||||
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
|
||||
github.com/pkg/errors v0.9.1
|
||||
github.com/sirupsen/logrus v1.6.0
|
||||
github.com/stoggi/aws-oidc v0.0.0-20190621033350-d7c8067c7515
|
||||
github.com/sirupsen/logrus v1.7.0
|
||||
golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
|
||||
golang.org/x/sys v0.0.0-20200806125547-5acd03effb82 // indirect
|
||||
google.golang.org/genproto v0.0.0-20200806141610-86f49bd18e98
|
||||
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
|
||||
)
|
||||
|
||||
53
go.sum
53
go.sum
@ -34,7 +34,8 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl
|
||||
cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
|
||||
cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
|
||||
dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
|
||||
github.com/99designs/aws-vault v4.5.1+incompatible/go.mod h1:BKt7gBiUkiAOh7TP/c36gMpRJkIk5F8hStyQoWwC/Rw=
|
||||
git.narnian.us/lordwelch/aws-oidc v0.0.2 h1:75AOGD8IYvKpg772n4/4vku84kHOQETmQqp0YVLS/xw=
|
||||
git.narnian.us/lordwelch/aws-oidc v0.0.2/go.mod h1:lfAaTDbI5Ip4TjBDAvJnPNmSLCMAS9hNRWgqwmm4bTk=
|
||||
github.com/99designs/keyring v0.0.0-20190110203331-82da6802f65f h1:WXiWWJrYCaOaYimBAXlRdRJ7qOisrYyMLYnCvvhHVms=
|
||||
github.com/99designs/keyring v0.0.0-20190110203331-82da6802f65f/go.mod h1:aKt8W/yd91/xHY6ixZAJZ2vYbhr3pP8DcrvuGSGNPJk=
|
||||
github.com/AlecAivazis/survey/v2 v2.1.0 h1:AT4+23hOFopXYZaNGugbk7MWItkz0SfTmH/Hk92KeeE=
|
||||
@ -48,6 +49,7 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5Vpd
|
||||
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
|
||||
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
|
||||
github.com/aulanov/go.dbus v0.0.0-20150729231527-25c3068a42a0 h1:EEDvbomAQ+MFWqJ9FM6RXyJTkc4lckyWsbc5CGQkG1Y=
|
||||
github.com/aulanov/go.dbus v0.0.0-20150729231527-25c3068a42a0/go.mod h1:VHvUx+4lTCaJ8zUnEXF4cWEc9c8lnDt4PGLwlZ+3yaM=
|
||||
github.com/aws/aws-lambda-go v1.19.0 h1:Cn28zA8Mic4NpR7p4IlaEW2srI+U3+I7tRqjFMpt/fs=
|
||||
github.com/aws/aws-lambda-go v1.19.0/go.mod h1:jJmlefzPfGnckuHdXX7/80O3BvUUi12XOkbv4w9SGLU=
|
||||
@ -62,11 +64,12 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
|
||||
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
|
||||
github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
|
||||
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
|
||||
github.com/coreos/go-oidc v2.0.0+incompatible h1:+RStIopZ8wooMx+Vs5Bt8zMXxV1ABl5LbakNExNmZIg=
|
||||
github.com/coreos/go-oidc v2.0.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
|
||||
github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
|
||||
github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
|
||||
github.com/danieljoos/wincred v1.0.1 h1:fcRTaj17zzROVqni2FiToKUVg3MmJ4NtMSGCySPIr/g=
|
||||
github.com/danieljoos/wincred v1.0.1/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U=
|
||||
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
@ -81,8 +84,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
|
||||
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
|
||||
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
|
||||
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
|
||||
github.com/go-ini/ini v1.42.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
|
||||
github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
|
||||
github.com/godbus/dbus v4.1.0+incompatible h1:WqqLRTsQic3apZUK9qC5sGNfXthmPXzUZ7nQPrNITa4=
|
||||
github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
|
||||
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
|
||||
github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
|
||||
@ -114,6 +117,7 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD
|
||||
github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
|
||||
github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
|
||||
github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
|
||||
github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
|
||||
github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
|
||||
github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
|
||||
github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
|
||||
@ -137,7 +141,7 @@ github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm4
|
||||
github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
|
||||
github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
|
||||
github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
|
||||
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
|
||||
github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8ZofjG1Y75iExal34USq5p+wiN1tpie8IrU=
|
||||
github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
|
||||
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
|
||||
github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
|
||||
@ -147,22 +151,19 @@ github.com/hinshun/vt10x v0.0.0-20180616224451-1954e6464174/go.mod h1:DqJ97dSdRW
|
||||
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
|
||||
github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
|
||||
github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
|
||||
github.com/imdario/mergo v0.3.10 h1:6q5mVkdH/vYmqngx7kZQTjJ5HRsx+ImorDIEQ+beJgc=
|
||||
github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
|
||||
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
|
||||
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
|
||||
github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc=
|
||||
github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik=
|
||||
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
|
||||
github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o=
|
||||
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
|
||||
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
|
||||
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
|
||||
github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8=
|
||||
github.com/keybase/go-keychain v0.0.0-20190408194155-7f2ef9fddce6 h1:hfM5TYph19rQBp3oOg4SVckf4ZmYrycciBJCWmxOcIE=
|
||||
github.com/keybase/go-keychain v0.0.0-20190408194155-7f2ef9fddce6/go.mod h1:JJNrCn9otv/2QP4D7SMJBgaleKpOf66PnW6F5WGNRIc=
|
||||
github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
|
||||
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
|
||||
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||
@ -174,16 +175,10 @@ github.com/magefile/mage v1.10.0 h1:3HiXzCUY12kh9bIuyXShaVe529fJfyqoVM42o/uom2g=
|
||||
github.com/magefile/mage v1.10.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
|
||||
github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
|
||||
github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
|
||||
github.com/mattn/go-colorable v0.1.7 h1:bQGKb3vps/j0E9GfJQ03JyhRuxsvdAanXlT9BTw3mdw=
|
||||
github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
|
||||
github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
|
||||
github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
|
||||
github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
|
||||
github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
|
||||
github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b h1:j7+1HpAFS1zy5+Q4qx1fWh90gTKwiN4QCGoY9TWyyO4=
|
||||
github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
|
||||
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
|
||||
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
|
||||
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/onsi/ginkgo v1.5.0 h1:uZr+v/TFDdYkdA+j02sPO1kA5owrfjBGCJAogfIyThE=
|
||||
@ -196,18 +191,20 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
|
||||
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
|
||||
github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac h1:jWKYCNlX4J5s8M0nHYkh7Y7c9gRVDEb3mq51j5J0F5M=
|
||||
github.com/pquerna/cachecontrol v0.0.0-20201205024021-ac21108117ac/go.mod h1:hoLfEwdY11HjRfKFH6KqnPsfxlo3BP6bJehpDv8t6sQ=
|
||||
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
|
||||
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||
github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
|
||||
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
||||
github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b h1:jUK33OXuZP/l6babJtnLo1qsGvq6G9so9KMflGAm4YA=
|
||||
github.com/sanathkr/go-yaml v0.0.0-20170819195128-ed9d249f429b/go.mod h1:8458kAagoME2+LN5//WxE71ysZ3B7r22fdgb7qVmXSY=
|
||||
github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522 h1:fOCp11H0yuyAt2wqlbJtbyPzSgaxHTv8uN1pMpkG1t8=
|
||||
github.com/sanathkr/yaml v0.0.0-20170819201035-0056894fa522/go.mod h1:tQTYKOQgxoH3v6dEmdHiz4JG+nbxWwM5fgPQUpSZqVQ=
|
||||
github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
|
||||
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
|
||||
github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
|
||||
github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
|
||||
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
|
||||
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
|
||||
github.com/sirupsen/logrus v1.7.0 h1:ShrD1U9pZB12TX0cVy0DtePoCH97K8EtX+mg7ZARUtM=
|
||||
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/testify v1.2.1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
|
||||
@ -263,6 +260,7 @@ golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHl
|
||||
golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
|
||||
golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
|
||||
golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
|
||||
golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
|
||||
golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
|
||||
golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
|
||||
golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
|
||||
@ -271,6 +269,7 @@ golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
|
||||
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
|
||||
golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
|
||||
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||
golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
|
||||
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
|
||||
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
@ -314,6 +313,7 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
|
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA=
|
||||
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
@ -321,8 +321,6 @@ golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5h
|
||||
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
|
||||
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
|
||||
golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190530182044-ad28b68e88f1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
@ -330,10 +328,10 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w
|
||||
golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
@ -345,9 +343,8 @@ golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7w
|
||||
golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200803210538-64077c9b5642 h1:B6caxRw+hozq68X2MY7jEpZh/cr4/aHLv9xU8Kkadrw=
|
||||
golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20200806125547-5acd03effb82 h1:6cBnXxYO+CiRVrChvCosSv7magqTPbyAgz1M8iOv5wM=
|
||||
golang.org/x/sys v0.0.0-20200806125547-5acd03effb82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
@ -365,7 +362,6 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3
|
||||
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
|
||||
golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
|
||||
golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
|
||||
@ -491,15 +487,14 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
|
||||
gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||
gopkg.in/square/go-jose.v2 v2.3.0 h1:nLzhkFyl5bkblqYBoiWJUt5JkWOzmiaBtCxdJAqJd3U=
|
||||
gopkg.in/square/go-jose.v2 v2.3.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
|
||||
gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
|
||||
gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
|
||||
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
|
||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
|
||||
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
|
||||
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
|
||||
1
internal/aws-oidc/.gitignore
vendored
1
internal/aws-oidc/.gitignore
vendored
@ -1 +0,0 @@
|
||||
aws-oidc
|
||||
@ -1,21 +0,0 @@
|
||||
MIT License
|
||||
|
||||
Copyright (c) 2019 Jeremy Stott
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
@ -1,101 +0,0 @@
|
||||
# aws-oidc
|
||||
|
||||
Assume roles in AWS using an OpenID Connect identity provider.
|
||||
|
||||
|
||||
|
||||
It is intended to be used as a `credentials_process` in ~/.aws/config that outputs temporary AWS credentials in a JSON format.
|
||||
|
||||
https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
|
||||
|
||||
## Getting Started
|
||||
|
||||
Add the following to **~/.aws/config**:
|
||||
|
||||
[profile default]
|
||||
region = us-east-1
|
||||
credential_process = /Users/jeremy/projects/aws-oidc/aws-oidc auth google
|
||||
|
||||
And configure aws-oidc by creating **~/.aws-oidc/config** and setting the `role_arn` and `client_id`:
|
||||
|
||||
region = "us-east-1"
|
||||
|
||||
[[AuthProvider]]
|
||||
name = "google"
|
||||
role_arn = "arn:aws:iam::0123456789012:role/your-role-name"
|
||||
duration = 900
|
||||
provider_url = "https://accounts.google.com"
|
||||
client_id = "YOUR_CLIENT_ID"
|
||||
client_secret = "YOUR_CLIENT_SECRET" # only specify this if your OIDC provider requires it even when using PKCE
|
||||
agent = ["open", "-b", "com.google.chrome"]
|
||||
|
||||
Then you can assume the role using the AWS cli:
|
||||
|
||||
aws sts get-caller-identity
|
||||
|
||||
Most AWS SDK implementations should be able to use the `credential_process` configuration, including:
|
||||
|
||||
* aws-sdk-go
|
||||
* aws-cli
|
||||
* boto3
|
||||
|
||||
## Sign into the AWS Console
|
||||
|
||||
Use the `login` command to exchange the temporary credentials with an [AWS Console login URL](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
|
||||
|
||||
aws-oidc login
|
||||
|
||||
|
||||
|
||||
## Open Chrome with a particular profile
|
||||
|
||||
Open `chrome://version/` in the Chrome profile you want to authenticate in, and make a note of the last part of the profile path.
|
||||
|
||||
Update the `agent` option with the path in your **~/.aws-oidc/config** file:
|
||||
|
||||
agent = ["open", "-b", "com.google.chrome", "-n", "--args", "--profile-directory=Profile 1", "{}"]
|
||||
|
||||
## Configure More Roles
|
||||
|
||||
Add the profiles for each role you want to assume to **~/.aws/config**. Specify the provider name from the configuration file, and override any default settings:
|
||||
|
||||
[profile engineer]
|
||||
credential_process = aws-oidc auth onelogin --role_arn=arn:aws:iam::0123456789012:role/your-role-name --duration 7200
|
||||
|
||||
Make sure each authentication provider exists in **~/.aws-oidc/config**. You can also override any of the configured settings here on the command line.
|
||||
|
||||
To make use of this new role, simply specify the `profile` in your AWS SDK:
|
||||
|
||||
aws --profile engineer sts get-caller-identity
|
||||
|
||||
## Run other commands with AWS credentials
|
||||
|
||||
Most AWS SDK's should be able to pick up the profile parameter, and support the `credentials_process` setting in your **~/.aws/config** file. If not, you can run an arbitary command with the temporary credentials with `exec`:
|
||||
|
||||
aws-oidc exec engineer -- ./path/to/command with arguments
|
||||
|
||||
This will use the profiles defined in **~/.aws/config** to assume the role by calling `aws-oidc auth` and then set `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` environment variables for the new process.
|
||||
|
||||
## Find roles that an oidc client could assume
|
||||
|
||||
Use the `list` command to find roles that your claim and client_id can assume:
|
||||
|
||||
aws-oidc list --claim="accounts.google.com:aud" --client_id="CLIENT_ID"
|
||||
|
||||
Example using only the AWS CLI:
|
||||
|
||||
aws iam list-roles --query <<EOF '
|
||||
Roles[?
|
||||
AssumeRolePolicyDocument.Statement[?
|
||||
Condition.StringEquals."accounts.google.com:aud"
|
||||
]
|
||||
].{
|
||||
RoleName:RoleName,
|
||||
Arn:Arn,
|
||||
ClientId:AssumeRolePolicyDocument.Statement[*].Condition.StringEquals."accounts.google.com:aud" | [0]
|
||||
} | [?
|
||||
contains(ClientId, `CLIENT_ID`)
|
||||
]'
|
||||
EOF
|
||||
|
||||
Note, your default profile will need `iam:ListRoles` permission. To use a different profile use the `--profile` option.
|
||||
@ -1,55 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"io"
|
||||
"log"
|
||||
"os"
|
||||
|
||||
"github.com/BurntSushi/toml"
|
||||
"github.com/stoggi/aws-oidc/cli"
|
||||
"gopkg.in/alecthomas/kingpin.v2"
|
||||
)
|
||||
|
||||
// Version is provided at compile time
|
||||
var Version = "dev"
|
||||
|
||||
func main() {
|
||||
run(os.Args[1:], os.Exit)
|
||||
}
|
||||
|
||||
func run(args []string, exit func(int)) {
|
||||
|
||||
f, err := os.OpenFile(GetLogPath(), os.O_RDWR|os.O_CREATE|os.O_APPEND, 0666)
|
||||
if err != nil {
|
||||
log.Fatalf("error opening file: %v", err)
|
||||
}
|
||||
defer f.Close()
|
||||
wrt := io.MultiWriter(os.Stderr, f)
|
||||
log.SetOutput(wrt)
|
||||
|
||||
// Default configuration, values are overridden by command line options.
|
||||
config := cli.GlobalConfig{}
|
||||
if _, err := toml.DecodeFile(GetConfigFilePath(), &config); err != nil {
|
||||
if !os.IsNotExist(err) {
|
||||
log.Printf("Error decoding TOML: %v\n", err)
|
||||
}
|
||||
}
|
||||
|
||||
app := kingpin.New(
|
||||
"aws-oidc",
|
||||
"Assume roles in AWS using an OIDC identity provider",
|
||||
)
|
||||
|
||||
app.Version(Version)
|
||||
app.Terminate(exit)
|
||||
app.UsageWriter(os.Stdout)
|
||||
app.ErrorWriter(wrt)
|
||||
|
||||
cli.ConfigureGlobal(app, &config)
|
||||
cli.ConfigureAuth(app, &config)
|
||||
cli.ConfigureExec(app, &config)
|
||||
cli.ConfigureList(app, &config)
|
||||
cli.ConfigureLogin(app, &config)
|
||||
|
||||
kingpin.MustParse(app.Parse(args))
|
||||
}
|
||||
@ -1,211 +0,0 @@
|
||||
package cli
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/url"
|
||||
"strconv"
|
||||
|
||||
"github.com/99designs/keyring"
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/arn"
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
"github.com/aws/aws-sdk-go/service/sts"
|
||||
"github.com/stoggi/aws-oidc/provider"
|
||||
|
||||
"gopkg.in/alecthomas/kingpin.v2"
|
||||
)
|
||||
|
||||
// AuthConfig defines a single OpenIDConnect provider
|
||||
type AuthConfig struct {
|
||||
// The name of the provider when definied in the TOML configuration file
|
||||
Name string `toml:"name"`
|
||||
|
||||
// RoleARN the role in AWS that should be assumed with the identity token
|
||||
RoleArn string `toml:"role_arn"`
|
||||
|
||||
// Duration in seconds that the temporary AWS credentials should last for
|
||||
// Between 900 (15 minutes) and 43200 (12 hours)
|
||||
Duration int64 `toml:"duration"`
|
||||
|
||||
// ProviderURL the endpoint that defines the OIDC provider.
|
||||
// Should serve https://[ProviderURL]/.well-known/openid-configuration
|
||||
ProviderURL string `toml:"provider_url"`
|
||||
|
||||
// ClientID configured with your OIDC provider
|
||||
ClientID string `toml:"client_id"`
|
||||
|
||||
// ClientSecret should only be specified if your OIDC provider requires it.
|
||||
// Normally with PKCE you don't require a client_secret.
|
||||
ClientSecret string `toml:"client_secret"`
|
||||
|
||||
// DisablePKCE removes the code_challenge and code_verifier parameters of a
|
||||
// proof key for code exchange OAuth flow. Only disbale this if your identity
|
||||
// provider does not support PKCE.
|
||||
DisablePKCE bool `toml:"disable_pkce"`
|
||||
|
||||
// DisableNonce removes a random nonce sent to the server, and added to the token
|
||||
// This nonce is verified when the token is received by the command line app.
|
||||
DisableNonce bool `toml:"disable_nonce"`
|
||||
|
||||
// AgentCommand contains the command and arguments that open a browser. The URL
|
||||
// to be opened will be appended, or use a parameter of {} to substitute the URL.
|
||||
AgentCommand []string `toml:"agent"`
|
||||
}
|
||||
|
||||
// AwsCredentialHelperData for AWS credential process
|
||||
// https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
|
||||
type AwsCredentialHelperData struct {
|
||||
Version int `json:"Version"`
|
||||
AccessKeyID string `json:"AccessKeyId"`
|
||||
SecretAccessKey string `json:"SecretAccessKey"`
|
||||
SessionToken string `json:"SessionToken"`
|
||||
Expiration string `json:"Expiration,omitempty"`
|
||||
}
|
||||
|
||||
func configureFlags(cmd *kingpin.CmdClause, authConfig *AuthConfig) {
|
||||
|
||||
cmd.Flag("role_arn", "The AWS role you want to assume").
|
||||
Default(authConfig.RoleArn).
|
||||
StringVar(&authConfig.RoleArn)
|
||||
|
||||
cmd.Flag("duration", "The duration to assume the role for in seconds").
|
||||
Default(strconv.FormatInt(max(authConfig.Duration, 900), 10)).
|
||||
Int64Var(&authConfig.Duration)
|
||||
|
||||
cmd.Flag("provider_url", "The OpenID Connect Provider URL").
|
||||
Default(authConfig.ProviderURL).
|
||||
StringVar(&authConfig.ProviderURL)
|
||||
|
||||
cmd.Flag("client_id", "The OpenID Connect Client ID").
|
||||
Default(authConfig.ClientID).
|
||||
StringVar(&authConfig.ClientID)
|
||||
|
||||
cmd.Flag("client_secret", "The OpenID Connect Client Secret").
|
||||
StringVar(&authConfig.ClientSecret)
|
||||
|
||||
cmd.Flag("disable_pkce", "Disable the use of PKCE in the OIDC code flow").
|
||||
BoolVar(&authConfig.DisablePKCE)
|
||||
|
||||
cmd.Flag("disable_nonce", "Disable the use of a nonce included and verified in the token").
|
||||
BoolVar(&authConfig.DisableNonce)
|
||||
|
||||
cmd.Flag("agent", "The executable and arguments of the local browser to use").
|
||||
StringsVar(&authConfig.AgentCommand)
|
||||
}
|
||||
|
||||
// ConfigureAuth configures the auth command with arguments and flags
|
||||
func ConfigureAuth(app *kingpin.Application, config *GlobalConfig) {
|
||||
|
||||
cmd := app.Command("auth", "Authenticate to the identity provider, and assume a role in AWS")
|
||||
|
||||
providers := append(config.AuthProvider, AuthConfig{Name: "default"})
|
||||
|
||||
for _, a := range providers {
|
||||
authConfig := a
|
||||
|
||||
pcmd := cmd.Command(authConfig.Name, "Authenticate using the named profile in the config file")
|
||||
configureFlags(pcmd, &authConfig)
|
||||
|
||||
pcmd.Action(func(c *kingpin.ParseContext) error {
|
||||
if authConfig.ClientID == "" {
|
||||
return fmt.Errorf("Missing ClientID for provider %s", authConfig.Name)
|
||||
}
|
||||
if _, err := url.ParseRequestURI(authConfig.ProviderURL); err != nil {
|
||||
return fmt.Errorf("Missing ProviderURL, or invalid format for provider %s", authConfig.Name)
|
||||
}
|
||||
if len(authConfig.AgentCommand) == 0 {
|
||||
return fmt.Errorf("Missing Agent command for provider %s", authConfig.Name)
|
||||
}
|
||||
if _, err := arn.Parse(authConfig.RoleArn); err != nil {
|
||||
return fmt.Errorf("Missing RoleArn, or invalid format for provider %s", authConfig.Name)
|
||||
}
|
||||
|
||||
AuthCommand(app, config, &authConfig)
|
||||
return nil
|
||||
})
|
||||
|
||||
if authConfig.Name == "default" {
|
||||
pcmd.Default()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// AuthCommand executes the authentication with the selected OpenIDConnect provider
|
||||
func AuthCommand(app *kingpin.Application, config *GlobalConfig, authConfig *AuthConfig) {
|
||||
|
||||
p := &provider.ProviderConfig{
|
||||
ClientID: authConfig.ClientID,
|
||||
ClientSecret: authConfig.ClientSecret,
|
||||
ProviderURL: authConfig.ProviderURL,
|
||||
PKCE: !authConfig.DisablePKCE,
|
||||
Nonce: !authConfig.DisableNonce,
|
||||
AgentCommand: authConfig.AgentCommand,
|
||||
}
|
||||
oauth2Token := provider.OAuth2Token{}
|
||||
|
||||
item, err := (*config.Keyring).Get(authConfig.ClientID)
|
||||
if err != keyring.ErrKeyNotFound {
|
||||
if err := json.Unmarshal(item.Data, &oauth2Token); err != nil {
|
||||
// Log this error only, because we can attempt to recover by getting a new token
|
||||
app.Errorf("Unable to unmarshal OAuth2Token from keychain: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
err = p.Authenticate(&oauth2Token)
|
||||
app.FatalIfError(err, "Error authenticating with identity provider")
|
||||
|
||||
AWSCredentialsJSON, err := assumeRoleWithWebIdentity(authConfig, oauth2Token.IDToken)
|
||||
app.FatalIfError(err, "Error assume role with web identity")
|
||||
|
||||
json, err := json.Marshal(&oauth2Token)
|
||||
app.FatalIfError(err, "Error marshalling OAuth2 token")
|
||||
err = (*config.Keyring).Set(keyring.Item{
|
||||
Key: authConfig.ClientID,
|
||||
Data: json,
|
||||
Label: fmt.Sprintf("OAuth2 token for %s", authConfig.RoleArn),
|
||||
Description: "OIDC OAuth2 Token",
|
||||
})
|
||||
app.FatalIfError(err, "Error storing OAuth2 Token in keychain")
|
||||
|
||||
fmt.Printf(AWSCredentialsJSON)
|
||||
}
|
||||
|
||||
func assumeRoleWithWebIdentity(authConfig *AuthConfig, idToken string) (string, error) {
|
||||
|
||||
svc := sts.New(session.New())
|
||||
|
||||
input := &sts.AssumeRoleWithWebIdentityInput{
|
||||
DurationSeconds: aws.Int64(authConfig.Duration),
|
||||
RoleArn: aws.String(authConfig.RoleArn),
|
||||
RoleSessionName: aws.String("aws-oidc"),
|
||||
WebIdentityToken: aws.String(idToken),
|
||||
}
|
||||
|
||||
assumeRoleResult, err := svc.AssumeRoleWithWebIdentity(input)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
expiry := *assumeRoleResult.Credentials.Expiration
|
||||
credentialData := AwsCredentialHelperData{
|
||||
Version: 1,
|
||||
AccessKeyID: *assumeRoleResult.Credentials.AccessKeyId,
|
||||
SecretAccessKey: *assumeRoleResult.Credentials.SecretAccessKey,
|
||||
SessionToken: *assumeRoleResult.Credentials.SessionToken,
|
||||
Expiration: expiry.Format("2006-01-02T15:04:05Z"),
|
||||
}
|
||||
|
||||
credentialJSON, err := json.Marshal(&credentialData)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return string(credentialJSON), nil
|
||||
}
|
||||
|
||||
func max(x, y int64) int64 {
|
||||
if x > y {
|
||||
return x
|
||||
}
|
||||
return y
|
||||
}
|
||||
@ -1,140 +0,0 @@
|
||||
package cli
|
||||
|
||||
import (
|
||||
"log"
|
||||
"os"
|
||||
"os/exec"
|
||||
"os/signal"
|
||||
"strings"
|
||||
"syscall"
|
||||
|
||||
"gopkg.in/alecthomas/kingpin.v2"
|
||||
)
|
||||
|
||||
// ExecConfig stores the parameters needed for an exec command
|
||||
type ExecConfig struct {
|
||||
Profile string
|
||||
Command string
|
||||
Args []string
|
||||
Signals chan os.Signal
|
||||
}
|
||||
|
||||
// ConfigureExec configures the exec command with arguments and flags
|
||||
func ConfigureExec(app *kingpin.Application, config *GlobalConfig) {
|
||||
|
||||
execConfig := ExecConfig{}
|
||||
|
||||
cmd := app.Command("exec", "Retrieve temporary credentials and set them as environment variables")
|
||||
|
||||
cmd.Arg("profile", "Name of the profile").
|
||||
StringVar(&config.Profile)
|
||||
|
||||
cmd.Arg("cmd", "Command to execute").
|
||||
Default(os.Getenv("SHELL")).
|
||||
StringVar(&execConfig.Command)
|
||||
|
||||
cmd.Arg("args", "Command arguments").
|
||||
StringsVar(&execConfig.Args)
|
||||
|
||||
cmd.Action(func(c *kingpin.ParseContext) error {
|
||||
execConfig.Signals = make(chan os.Signal)
|
||||
ExecCommand(app, config, &execConfig)
|
||||
return nil
|
||||
})
|
||||
}
|
||||
|
||||
// ExecCommand retrieves temporary credentials and sets them as environment variables
|
||||
func ExecCommand(app *kingpin.Application, config *GlobalConfig, execConfig *ExecConfig) {
|
||||
|
||||
if os.Getenv("AWS_OIDC") != "" {
|
||||
app.Fatalf("aws-vault sessions should be nested with care, unset $AWS_OIDC to force")
|
||||
return
|
||||
}
|
||||
|
||||
val, err := config.Session.Config.Credentials.Get()
|
||||
if err != nil {
|
||||
app.Fatalf("Unable to get credentials for profile: %s", config.Profile)
|
||||
}
|
||||
|
||||
env := environ(os.Environ())
|
||||
env.Set("AWS_OIDC", config.Profile)
|
||||
|
||||
env.Unset("AWS_ACCESS_KEY_ID")
|
||||
env.Unset("AWS_SECRET_ACCESS_KEY")
|
||||
env.Unset("AWS_CREDENTIAL_FILE")
|
||||
env.Unset("AWS_DEFAULT_PROFILE")
|
||||
env.Unset("AWS_PROFILE")
|
||||
|
||||
if config.Region != "" {
|
||||
log.Printf("Setting subprocess env: AWS_DEFAULT_REGION=%s, AWS_REGION=%s", config.Region, config.Region)
|
||||
env.Set("AWS_DEFAULT_REGION", config.Region)
|
||||
env.Set("AWS_REGION", config.Region)
|
||||
}
|
||||
|
||||
log.Println("Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY")
|
||||
env.Set("AWS_ACCESS_KEY_ID", val.AccessKeyID)
|
||||
env.Set("AWS_SECRET_ACCESS_KEY", val.SecretAccessKey)
|
||||
|
||||
if val.SessionToken != "" {
|
||||
log.Println("Setting subprocess env: AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN")
|
||||
env.Set("AWS_SESSION_TOKEN", val.SessionToken)
|
||||
env.Set("AWS_SECURITY_TOKEN", val.SessionToken)
|
||||
}
|
||||
|
||||
cmd := exec.Command(execConfig.Command, execConfig.Args...)
|
||||
cmd.Env = env
|
||||
cmd.Stdin = os.Stdin
|
||||
cmd.Stdout = os.Stdout
|
||||
cmd.Stderr = os.Stderr
|
||||
signal.Notify(execConfig.Signals, os.Interrupt, os.Kill)
|
||||
|
||||
if err := cmd.Start(); err != nil {
|
||||
app.Fatalf("%v", err)
|
||||
}
|
||||
// wait for the command to finish
|
||||
waitCh := make(chan error, 1)
|
||||
go func() {
|
||||
waitCh <- cmd.Wait()
|
||||
close(waitCh)
|
||||
}()
|
||||
|
||||
for {
|
||||
select {
|
||||
case sig := <-execConfig.Signals:
|
||||
if err = cmd.Process.Signal(sig); err != nil {
|
||||
app.Errorf("%v", err)
|
||||
break
|
||||
}
|
||||
case err := <-waitCh:
|
||||
var waitStatus syscall.WaitStatus
|
||||
if exitError, ok := err.(*exec.ExitError); ok {
|
||||
waitStatus = exitError.Sys().(syscall.WaitStatus)
|
||||
os.Exit(waitStatus.ExitStatus())
|
||||
}
|
||||
if err != nil {
|
||||
app.Fatalf("%v", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// environ is a slice of strings representing the environment, in the form "key=value".
|
||||
type environ []string
|
||||
|
||||
// Unset an environment variable by key
|
||||
func (e *environ) Unset(key string) {
|
||||
for i := range *e {
|
||||
if strings.HasPrefix((*e)[i], key+"=") {
|
||||
(*e)[i] = (*e)[len(*e)-1]
|
||||
*e = (*e)[:len(*e)-1]
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Set adds an environment variable, replacing any existing ones of the same key
|
||||
func (e *environ) Set(key, val string) {
|
||||
e.Unset(key)
|
||||
*e = append(*e, key+"="+val)
|
||||
}
|
||||
@ -1,55 +0,0 @@
|
||||
package cli
|
||||
|
||||
import (
|
||||
"github.com/99designs/keyring"
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
kingpin "gopkg.in/alecthomas/kingpin.v2"
|
||||
)
|
||||
|
||||
// GlobalConfig used for defaults and command line arguments
|
||||
type GlobalConfig struct {
|
||||
//Region in AWS used by KMSAuth and BLESS
|
||||
Region string
|
||||
Profile string
|
||||
AuthProvider []AuthConfig
|
||||
|
||||
Session *session.Session
|
||||
Keyring *keyring.Keyring
|
||||
}
|
||||
|
||||
// ConfigureGlobal application arguments and flags
|
||||
func ConfigureGlobal(app *kingpin.Application, config *GlobalConfig) {
|
||||
|
||||
app.Flag("region", "The region in AWS").
|
||||
Default(config.Region).
|
||||
Envar("AWS_REGION").
|
||||
StringVar(&config.Region)
|
||||
|
||||
app.Flag("profile", "The profile to use as defined in the AWS config file").
|
||||
Default(config.Profile).
|
||||
Envar("AWS_PROFILE").
|
||||
StringVar(&config.Profile)
|
||||
|
||||
app.PreAction(func(c *kingpin.ParseContext) (err error) {
|
||||
|
||||
// Attempt to open the aws-vault keychain
|
||||
keychain, err := keyring.Open(keyring.Config{
|
||||
KeychainName: "aws-oidc",
|
||||
ServiceName: "aws-oidc",
|
||||
AllowedBackends: []keyring.BackendType{keyring.KeychainBackend},
|
||||
KeychainTrustApplication: true,
|
||||
})
|
||||
kingpin.FatalIfError(err, "Could not open aws-vault keychain")
|
||||
config.Keyring = &keychain
|
||||
|
||||
config.Session = session.Must(session.NewSessionWithOptions(session.Options{
|
||||
Config: aws.Config{Region: aws.String(config.Region)},
|
||||
Profile: config.Profile,
|
||||
SharedConfigState: session.SharedConfigEnable,
|
||||
}))
|
||||
|
||||
return nil
|
||||
})
|
||||
|
||||
}
|
||||
@ -1,66 +0,0 @@
|
||||
package cli
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/url"
|
||||
|
||||
"github.com/aws/aws-sdk-go/service/iam"
|
||||
jmespath "github.com/jmespath/go-jmespath"
|
||||
"gopkg.in/alecthomas/kingpin.v2"
|
||||
)
|
||||
|
||||
// ListConfig stores the parameters needed for a List command
|
||||
type ListConfig struct {
|
||||
ClientID string
|
||||
Claim string
|
||||
}
|
||||
|
||||
// ConfigureList configures the list command with arguments and flags
|
||||
func ConfigureList(app *kingpin.Application, config *GlobalConfig) {
|
||||
|
||||
listConfig := ListConfig{}
|
||||
|
||||
cmd := app.Command("list", "List roles that a ClientID can assume")
|
||||
|
||||
cmd.Flag("client_id", "The OpenID Connect Client ID").
|
||||
Required().
|
||||
StringVar(&listConfig.ClientID)
|
||||
|
||||
cmd.Flag("claim", "The claim used in the IAM policies, prrovider:claim").
|
||||
Required().
|
||||
StringVar(&listConfig.Claim)
|
||||
|
||||
cmd.Action(func(c *kingpin.ParseContext) error {
|
||||
ListCommand(app, config, &listConfig)
|
||||
return nil
|
||||
})
|
||||
}
|
||||
|
||||
// ListCommand retrieves the list of AWS roles that have trust policues that accept a given client_id
|
||||
func ListCommand(app *kingpin.Application, config *GlobalConfig, listConfig *ListConfig) {
|
||||
|
||||
svc := iam.New(config.Session)
|
||||
|
||||
input := &iam.ListRolesInput{}
|
||||
listRoleResult, err := svc.ListRoles(input)
|
||||
app.FatalIfError(err, "Unable to list roles")
|
||||
|
||||
for _, role := range listRoleResult.Roles {
|
||||
|
||||
decodedValue, err := url.QueryUnescape(*role.AssumeRolePolicyDocument)
|
||||
app.FatalIfError(err, "Unable to urldecode document")
|
||||
|
||||
var d interface{}
|
||||
err = json.Unmarshal([]byte(decodedValue), &d)
|
||||
app.FatalIfError(err, "Unable to unmarshall AssumeRolePolicyDocument")
|
||||
|
||||
query := fmt.Sprintf("contains(Statement[].Condition.StringEquals.\"%s\", '%s')", listConfig.Claim, listConfig.ClientID)
|
||||
containsClientID, err := jmespath.Search(query, d)
|
||||
app.FatalIfError(err, "Unable to parse AssumeRolePolicyDocument")
|
||||
if containsClientID.(bool) {
|
||||
fmt.Println(*role.RoleName)
|
||||
fmt.Println(*role.Arn)
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1,97 +0,0 @@
|
||||
package cli
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"time"
|
||||
|
||||
"gopkg.in/alecthomas/kingpin.v2"
|
||||
)
|
||||
|
||||
// LoginConfig stores the parameters needed for an login command
|
||||
type LoginConfig struct {
|
||||
Profile string
|
||||
}
|
||||
|
||||
type signinSession struct {
|
||||
SessionID string `json:"sessionId"`
|
||||
SessionKey string `json:"sessionKey"`
|
||||
SessionToken string `json:"sessionToken"`
|
||||
}
|
||||
|
||||
type signinToken struct {
|
||||
SigninToken string
|
||||
}
|
||||
|
||||
// ConfigureLogin configures the login command with arguments and flags
|
||||
func ConfigureLogin(app *kingpin.Application, config *GlobalConfig) {
|
||||
|
||||
loginConfig := LoginConfig{}
|
||||
|
||||
cmd := app.Command("login", "Login to the AWS console for a given profile")
|
||||
|
||||
cmd.Arg("profile", "Name of the profile").
|
||||
StringVar(&config.Profile)
|
||||
|
||||
cmd.Action(func(c *kingpin.ParseContext) error {
|
||||
LoginCommand(app, config, &loginConfig)
|
||||
return nil
|
||||
})
|
||||
}
|
||||
|
||||
// LoginCommand exchanges temporary credentials for an AWS Console signin url
|
||||
// https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
||||
func LoginCommand(app *kingpin.Application, config *GlobalConfig, loginConfig *LoginConfig) {
|
||||
|
||||
// Retrieve credentials from current session. This will try and get credentials
|
||||
// using aws-oidc itself if configured in ~/.aws/config.
|
||||
val, err := config.Session.Config.Credentials.Get()
|
||||
if err != nil {
|
||||
app.Fatalf("Unable to get credentials for profile: %s", config.Profile)
|
||||
}
|
||||
|
||||
credentialData := signinSession{
|
||||
SessionID: val.AccessKeyID,
|
||||
SessionKey: val.SecretAccessKey,
|
||||
SessionToken: val.SessionToken,
|
||||
}
|
||||
credentialJSON, err := json.Marshal(&credentialData)
|
||||
if err != nil {
|
||||
app.Fatalf("Unable to marshal credentials for profile: %s", config.Profile)
|
||||
}
|
||||
|
||||
// Create the federation URL to exchange access keys for a session token
|
||||
tokenURL, _ := url.Parse("https://signin.aws.amazon.com/federation")
|
||||
tokenQuery := url.Values{}
|
||||
tokenQuery.Set("Action", "getSigninToken")
|
||||
tokenQuery.Set("Session", string(credentialJSON))
|
||||
tokenURL.RawQuery = tokenQuery.Encode()
|
||||
|
||||
var client = &http.Client{
|
||||
Timeout: time.Second * 60,
|
||||
}
|
||||
resp, err := client.Get(tokenURL.String())
|
||||
if err != nil {
|
||||
app.Fatalf("Unable to get signin token for profile: %s", config.Profile)
|
||||
} else if resp.StatusCode != 200 {
|
||||
app.Fatalf("GetSigninToken returned %d instead of 200 for profile: %s", resp.StatusCode, config.Profile)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
token := signinToken{}
|
||||
if err := json.NewDecoder(resp.Body).Decode(&token); err != nil {
|
||||
app.Fatalf("Unable to decode GetSigninToken response for profile: %s", config.Profile)
|
||||
}
|
||||
|
||||
// Create the federation URL to exchange the session token for a login URL
|
||||
loginURL, _ := url.Parse("https://signin.aws.amazon.com/federation")
|
||||
loginQuery := url.Values{}
|
||||
loginQuery.Set("Action", "login")
|
||||
loginQuery.Set("Destination", "https://console.aws.amazon.com/")
|
||||
loginQuery.Set("SigninToken", token.SigninToken)
|
||||
loginURL.RawQuery = loginQuery.Encode()
|
||||
|
||||
fmt.Println(loginURL)
|
||||
}
|
||||
@ -1,31 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"os"
|
||||
"os/user"
|
||||
"path/filepath"
|
||||
)
|
||||
|
||||
func homeDir() string {
|
||||
if currentUser, err := user.Current(); err == nil {
|
||||
return currentUser.HomeDir
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
func execDir() string {
|
||||
if currentExecutable, err := os.Executable(); err == nil {
|
||||
return filepath.Dir(currentExecutable)
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// GetConfigFilePath returns the path of the configuration file
|
||||
func GetConfigFilePath() string {
|
||||
return filepath.Join(homeDir(), ".aws-oidc/config")
|
||||
}
|
||||
|
||||
// GetLogPath returns the path that should be used to store logs
|
||||
func GetLogPath() string {
|
||||
return filepath.Join(homeDir(), "Library/Logs/aws-oidc.log")
|
||||
}
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 3.6 MiB |
Binary file not shown.
|
Before Width: | Height: | Size: 3.8 MiB |
@ -1,30 +0,0 @@
|
||||
module github.com/stoggi/aws-oidc
|
||||
|
||||
require (
|
||||
github.com/99designs/aws-vault v4.5.1+incompatible
|
||||
github.com/99designs/keyring v0.0.0-20190110203331-82da6802f65f
|
||||
github.com/BurntSushi/toml v0.3.1
|
||||
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc // indirect
|
||||
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
|
||||
github.com/aulanov/go.dbus v0.0.0-20150729231527-25c3068a42a0 // indirect
|
||||
github.com/aws/aws-sdk-go v1.19.11
|
||||
github.com/coreos/go-oidc v2.0.0+incompatible
|
||||
github.com/danieljoos/wincred v1.0.1 // indirect
|
||||
github.com/dvsekhvalnov/jose2go v0.0.0-20180829124132-7f401d37b68a // indirect
|
||||
github.com/go-ini/ini v1.42.0 // indirect
|
||||
github.com/godbus/dbus v4.1.0+incompatible // indirect
|
||||
github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
|
||||
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af
|
||||
github.com/keybase/go-keychain v0.0.0-20190408194155-7f2ef9fddce6 // indirect
|
||||
github.com/kr/pretty v0.1.0 // indirect
|
||||
github.com/mitchellh/go-homedir v1.1.0 // indirect
|
||||
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect
|
||||
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a // indirect
|
||||
github.com/stretchr/testify v1.3.0 // indirect
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3
|
||||
golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a
|
||||
gopkg.in/alecthomas/kingpin.v2 v2.2.6
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
|
||||
gopkg.in/ini.v1 v1.42.0 // indirect
|
||||
gopkg.in/square/go-jose.v2 v2.3.0 // indirect
|
||||
)
|
||||
@ -1,84 +0,0 @@
|
||||
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
|
||||
github.com/99designs/aws-vault v4.5.1+incompatible h1:VjWncFWraO5K5HTRo34YMq2MkpKYphZy5luMSe76pkg=
|
||||
github.com/99designs/aws-vault v4.5.1+incompatible/go.mod h1:BKt7gBiUkiAOh7TP/c36gMpRJkIk5F8hStyQoWwC/Rw=
|
||||
github.com/99designs/keyring v0.0.0-20190110203331-82da6802f65f h1:WXiWWJrYCaOaYimBAXlRdRJ7qOisrYyMLYnCvvhHVms=
|
||||
github.com/99designs/keyring v0.0.0-20190110203331-82da6802f65f/go.mod h1:aKt8W/yd91/xHY6ixZAJZ2vYbhr3pP8DcrvuGSGNPJk=
|
||||
github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
|
||||
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
|
||||
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc h1:cAKDfWh5VpdgMhJosfJnn5/FoN2SRZ4p7fJNX58YPaU=
|
||||
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZqLG4oE62mJzwPIB8+Tee4RNCL9ulrY=
|
||||
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
|
||||
github.com/aulanov/go.dbus v0.0.0-20150729231527-25c3068a42a0 h1:EEDvbomAQ+MFWqJ9FM6RXyJTkc4lckyWsbc5CGQkG1Y=
|
||||
github.com/aulanov/go.dbus v0.0.0-20150729231527-25c3068a42a0/go.mod h1:VHvUx+4lTCaJ8zUnEXF4cWEc9c8lnDt4PGLwlZ+3yaM=
|
||||
github.com/aws/aws-sdk-go v1.19.11 h1:tqaTGER6Byw3QvsjGW0p018U2UOqaJPeJuzoaF7jjoQ=
|
||||
github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
|
||||
github.com/coreos/go-oidc v2.0.0+incompatible h1:+RStIopZ8wooMx+Vs5Bt8zMXxV1ABl5LbakNExNmZIg=
|
||||
github.com/coreos/go-oidc v2.0.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
|
||||
github.com/danieljoos/wincred v1.0.1 h1:fcRTaj17zzROVqni2FiToKUVg3MmJ4NtMSGCySPIr/g=
|
||||
github.com/danieljoos/wincred v1.0.1/go.mod h1:SnuYRW9lp1oJrZX/dXJqr0cPK5gYXqx3EJbmjhLdK9U=
|
||||
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/dvsekhvalnov/jose2go v0.0.0-20180829124132-7f401d37b68a h1:mq+R6XEM6lJX5VlLyZIrUSP8tSuJp82xTK89hvBwJbU=
|
||||
github.com/dvsekhvalnov/jose2go v0.0.0-20180829124132-7f401d37b68a/go.mod h1:7BvyPhdbLxMXIYTFPLsyJRFMsKmOZnQmzh6Gb+uquuM=
|
||||
github.com/go-ini/ini v1.42.0 h1:TWr1wGj35+UiWHlBA8er89seFXxzwFn11spilrrj+38=
|
||||
github.com/go-ini/ini v1.42.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
|
||||
github.com/godbus/dbus v4.1.0+incompatible h1:WqqLRTsQic3apZUK9qC5sGNfXthmPXzUZ7nQPrNITa4=
|
||||
github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
|
||||
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
|
||||
github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
|
||||
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
|
||||
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
|
||||
github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8ZofjG1Y75iExal34USq5p+wiN1tpie8IrU=
|
||||
github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
|
||||
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
|
||||
github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
|
||||
github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
|
||||
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
|
||||
github.com/keybase/go-keychain v0.0.0-20190408194155-7f2ef9fddce6 h1:hfM5TYph19rQBp3oOg4SVckf4ZmYrycciBJCWmxOcIE=
|
||||
github.com/keybase/go-keychain v0.0.0-20190408194155-7f2ef9fddce6/go.mod h1:JJNrCn9otv/2QP4D7SMJBgaleKpOf66PnW6F5WGNRIc=
|
||||
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
|
||||
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
|
||||
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
|
||||
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
|
||||
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
|
||||
github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
|
||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
|
||||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
|
||||
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 h1:J9b7z+QKAmPf4YLrFg6oQUotqHQeUNWwkvo7jZp1GLU=
|
||||
github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
|
||||
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
|
||||
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
|
||||
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs=
|
||||
github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
|
||||
github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
|
||||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
|
||||
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
|
||||
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
||||
golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a h1:tImsplftrFpALCYumobsd0K86vlAs/eXGFms2txfJfA=
|
||||
golang.org/x/oauth2 v0.0.0-20190402181905-9f3314589c9a/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
|
||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
|
||||
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
|
||||
google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
|
||||
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
|
||||
gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
|
||||
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
|
||||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/ini.v1 v1.42.0 h1:7N3gPTt50s8GuLortA00n8AqRTk75qOP98+mTPpgzRk=
|
||||
gopkg.in/ini.v1 v1.42.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
|
||||
gopkg.in/square/go-jose.v2 v2.3.0 h1:nLzhkFyl5bkblqYBoiWJUt5JkWOzmiaBtCxdJAqJd3U=
|
||||
gopkg.in/square/go-jose.v2 v2.3.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
|
||||
@ -1,253 +0,0 @@
|
||||
package provider
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
"os/exec"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/coreos/go-oidc"
|
||||
|
||||
"golang.org/x/net/context"
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
type ProviderConfig struct {
|
||||
ClientID string
|
||||
ClientSecret string
|
||||
ProviderURL string
|
||||
PKCE bool
|
||||
Nonce bool
|
||||
AgentCommand []string
|
||||
}
|
||||
|
||||
type Result struct {
|
||||
JWT string
|
||||
Token *oidc.IDToken
|
||||
Claims *TokenClaims
|
||||
}
|
||||
|
||||
type TokenClaims struct {
|
||||
Issuer string `json:"iss"`
|
||||
Audience string `json:"aud"`
|
||||
Subject string `json:"sub"`
|
||||
Picture string `json:"picture"`
|
||||
Email string `json:"email"`
|
||||
EmailVerified bool `json:"email_verified"`
|
||||
Groups []string `json:"groups"`
|
||||
}
|
||||
|
||||
type OAuth2Token struct {
|
||||
AccessToken string `json:"access_token"`
|
||||
TokenType string `json:"token_type,omitempty"`
|
||||
RefreshToken string `json:"refresh_token,omitempty"`
|
||||
Expiry time.Time `json:"expiry,omitempty"`
|
||||
IDToken string `json:"id_token,omitempty"`
|
||||
}
|
||||
|
||||
func refresh(config oauth2.Config, t *OAuth2Token) error {
|
||||
ctx := context.Background()
|
||||
|
||||
tokenSourceToken := oauth2.Token{
|
||||
AccessToken: t.AccessToken,
|
||||
TokenType: t.TokenType,
|
||||
RefreshToken: t.RefreshToken,
|
||||
Expiry: t.Expiry,
|
||||
}
|
||||
ts := config.TokenSource(ctx, tokenSourceToken.WithExtra(map[string]interface{}{
|
||||
"id_token": t.IDToken,
|
||||
}))
|
||||
|
||||
res, err := ts.Token()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
idtoken, ok := res.Extra("id_token").(string)
|
||||
if !ok {
|
||||
return errors.New("can't extract id_token")
|
||||
}
|
||||
t.AccessToken = res.AccessToken
|
||||
t.RefreshToken = res.RefreshToken
|
||||
t.Expiry = res.Expiry
|
||||
t.TokenType = res.TokenType
|
||||
t.IDToken = idtoken
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (p ProviderConfig) Authenticate(t *OAuth2Token) error {
|
||||
ctx := context.Background()
|
||||
resultChannel := make(chan *oauth2.Token)
|
||||
errorChannel := make(chan error)
|
||||
Mux := http.NewServeMux()
|
||||
server := &http.Server{
|
||||
Handler: Mux,
|
||||
}
|
||||
|
||||
provider, err := oidc.NewProvider(ctx, p.ProviderURL)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
listener, err := net.Listen("tcp", "127.0.0.1:0")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer listener.Close()
|
||||
baseURL := "http://" + listener.Addr().String()
|
||||
redirectURL := baseURL + "/auth/callback"
|
||||
|
||||
oidcConfig := &oidc.Config{
|
||||
ClientID: p.ClientID,
|
||||
SupportedSigningAlgs: []string{"RS256"},
|
||||
}
|
||||
verifier := provider.Verifier(oidcConfig)
|
||||
|
||||
config := oauth2.Config{
|
||||
ClientID: p.ClientID,
|
||||
ClientSecret: p.ClientSecret,
|
||||
Endpoint: provider.Endpoint(),
|
||||
RedirectURL: redirectURL,
|
||||
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
||||
}
|
||||
|
||||
if t != nil {
|
||||
if err := refresh(config, t); err == nil {
|
||||
return nil
|
||||
}
|
||||
log.Println(err)
|
||||
}
|
||||
|
||||
stateData := make([]byte, 32)
|
||||
if _, err = rand.Read(stateData); err != nil {
|
||||
return err
|
||||
}
|
||||
state := base64.URLEncoding.EncodeToString(stateData)
|
||||
|
||||
codeData := make([]byte, 32)
|
||||
if _, err = rand.Read(codeData); err != nil {
|
||||
return err
|
||||
}
|
||||
codeVerifier := base64.StdEncoding.EncodeToString(codeData)
|
||||
codeDigest := sha256.Sum256([]byte(codeVerifier))
|
||||
codeChallenge := base64.URLEncoding.EncodeToString(codeDigest[:])
|
||||
codeChallengeEncoded := strings.Replace(codeChallenge, "=", "", -1)
|
||||
|
||||
nonceData := make([]byte, 32)
|
||||
_, _ = rand.Read(nonceData)
|
||||
nonce := base64.URLEncoding.EncodeToString(nonceData)
|
||||
|
||||
var authCodeOptions []oauth2.AuthCodeOption
|
||||
var tokenCodeOptions []oauth2.AuthCodeOption
|
||||
|
||||
if p.PKCE {
|
||||
authCodeOptions = append(authCodeOptions,
|
||||
oauth2.SetAuthURLParam("code_challenge", codeChallengeEncoded),
|
||||
oauth2.SetAuthURLParam("code_challenge_method", "S256"),
|
||||
)
|
||||
tokenCodeOptions = append(tokenCodeOptions,
|
||||
oauth2.SetAuthURLParam("code_verifier", codeVerifier),
|
||||
)
|
||||
}
|
||||
|
||||
if p.Nonce {
|
||||
authCodeOptions = append(authCodeOptions, oauth2.SetAuthURLParam("nonce", nonce))
|
||||
}
|
||||
|
||||
Mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
|
||||
url := config.AuthCodeURL(state, authCodeOptions...)
|
||||
http.Redirect(w, r, url, http.StatusFound)
|
||||
})
|
||||
|
||||
Mux.HandleFunc("/auth/callback", func(w http.ResponseWriter, r *http.Request) {
|
||||
if r.URL.Query().Get("state") != state {
|
||||
http.Error(w, "state did not match", http.StatusBadRequest)
|
||||
errorChannel <- errors.New("state did not match")
|
||||
return
|
||||
}
|
||||
|
||||
oauth2Token, err := config.Exchange(ctx, r.URL.Query().Get("code"), tokenCodeOptions...)
|
||||
if err != nil {
|
||||
http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
|
||||
errorChannel <- errors.New("failed to exchange token: " + err.Error())
|
||||
return
|
||||
}
|
||||
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
|
||||
if !ok {
|
||||
http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)
|
||||
errorChannel <- errors.New("no id_token field in oauth2 token")
|
||||
return
|
||||
}
|
||||
idToken, err := verifier.Verify(ctx, rawIDToken)
|
||||
if err != nil {
|
||||
http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
|
||||
errorChannel <- errors.New("failed to verify ID Token: " + err.Error())
|
||||
return
|
||||
}
|
||||
if p.Nonce && idToken.Nonce != nonce {
|
||||
http.Error(w, "Failed to verify Nonce", http.StatusInternalServerError)
|
||||
errorChannel <- errors.New("failed to verify Nonce")
|
||||
return
|
||||
}
|
||||
|
||||
var claims = new(TokenClaims)
|
||||
if err := idToken.Claims(&claims); err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
errorChannel <- errors.New("failed to verify Claims: " + err.Error())
|
||||
return
|
||||
}
|
||||
w.Write([]byte("Signed in successfully, return to cli app"))
|
||||
resultChannel <- oauth2Token
|
||||
})
|
||||
|
||||
// Filter the commands, and replace "{}" with our callback url
|
||||
c := make([]string, 0, len(p.AgentCommand))
|
||||
replacedURL := false
|
||||
for _, arg := range p.AgentCommand {
|
||||
if arg == "{}" {
|
||||
c = append(c, baseURL)
|
||||
replacedURL = true
|
||||
} else {
|
||||
c = append(c, arg)
|
||||
}
|
||||
}
|
||||
if !replacedURL {
|
||||
c = append(c, baseURL)
|
||||
}
|
||||
|
||||
//TODO Drop privileges
|
||||
cmd := exec.Command(c[0], c[1:]...)
|
||||
cmd.Start()
|
||||
cmd.Process.Release()
|
||||
|
||||
go func() {
|
||||
server.Serve(listener)
|
||||
}()
|
||||
|
||||
select {
|
||||
case err := <-errorChannel:
|
||||
server.Shutdown(ctx)
|
||||
return err
|
||||
case res := <-resultChannel:
|
||||
server.Shutdown(ctx)
|
||||
IDToken, ok := res.Extra("id_token").(string)
|
||||
if !ok {
|
||||
return errors.New("can't extract id_token")
|
||||
}
|
||||
t.AccessToken = res.AccessToken
|
||||
t.RefreshToken = res.RefreshToken
|
||||
t.Expiry = res.Expiry
|
||||
t.TokenType = res.TokenType
|
||||
t.IDToken = IDToken
|
||||
return nil
|
||||
case <-time.After(2 * time.Minute):
|
||||
server.Shutdown(ctx)
|
||||
return errors.New("no oauth2 flow callback received within last 2 minutes, exiting")
|
||||
}
|
||||
}
|
||||
@ -5,8 +5,8 @@ import (
|
||||
"errors"
|
||||
"regexp"
|
||||
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/config"
|
||||
"github.com/coreos/go-oidc"
|
||||
"github.com/stoggi/sshrimp/internal/config"
|
||||
)
|
||||
|
||||
// Identity holds information required to verify an OIDC identity token
|
||||
|
||||
@ -14,13 +14,13 @@ import (
|
||||
"sort"
|
||||
"time"
|
||||
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/config"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/identity"
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
"github.com/aws/aws-sdk-go/service/lambda"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/sirupsen/logrus"
|
||||
"github.com/stoggi/sshrimp/internal/config"
|
||||
"github.com/stoggi/sshrimp/internal/identity"
|
||||
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
@ -91,7 +91,7 @@ func SignCertificateGCP(publicKey ssh.PublicKey, token string, forceCommand stri
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "failed to parse json response from sshrimp-ca.: "+string(resbody))
|
||||
}
|
||||
Log.Traceln("SSHrimpResult:", sshrimpResult)
|
||||
|
||||
if result.StatusCode != 200 {
|
||||
return nil, fmt.Errorf("sshrimp returned status code %d. Message: %s", result.StatusCode, string(resbody))
|
||||
}
|
||||
|
||||
@ -5,10 +5,10 @@ import (
|
||||
"errors"
|
||||
"time"
|
||||
|
||||
"git.narnian.us/lordwelch/aws-oidc/provider"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/config"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/signer"
|
||||
"github.com/sirupsen/logrus"
|
||||
"github.com/stoggi/aws-oidc/provider"
|
||||
"github.com/stoggi/sshrimp/internal/config"
|
||||
"github.com/stoggi/sshrimp/internal/signer"
|
||||
"golang.org/x/crypto/ssh"
|
||||
"golang.org/x/crypto/ssh/agent"
|
||||
)
|
||||
@ -125,7 +125,7 @@ func (r *sshrimpAgent) SignWithFlags(key ssh.PublicKey, data []byte, flags agent
|
||||
Log.Traceln("sha 512 requested")
|
||||
s, err := sign.SignWithAlgorithm(rand.Reader, data, ssh.SigAlgoRSASHA2512)
|
||||
if err == nil {
|
||||
Log.Debugln("sha 512 available:", err)
|
||||
Log.Debugln("sha 512 available")
|
||||
return s, nil
|
||||
}
|
||||
}
|
||||
@ -133,7 +133,7 @@ func (r *sshrimpAgent) SignWithFlags(key ssh.PublicKey, data []byte, flags agent
|
||||
Log.Traceln("sha 256 requested")
|
||||
s, err := sign.SignWithAlgorithm(rand.Reader, data, ssh.SigAlgoRSASHA2256)
|
||||
if err == nil {
|
||||
Log.Debugln("sha 256 available:", err)
|
||||
Log.Debugln("sha 256 available")
|
||||
return s, nil
|
||||
}
|
||||
}
|
||||
|
||||
@ -9,9 +9,9 @@ import (
|
||||
"github.com/magefile/mage/mg"
|
||||
|
||||
// mage:import ca
|
||||
"github.com/stoggi/sshrimp/tools/mage/ca"
|
||||
"git.narnian.us/lordwelch/sshrimp/tools/mage/ca"
|
||||
// mage:import agent
|
||||
"github.com/stoggi/sshrimp/tools/mage/agent"
|
||||
"git.narnian.us/lordwelch/sshrimp/tools/mage/agent"
|
||||
)
|
||||
|
||||
var Default = All
|
||||
|
||||
@ -8,13 +8,13 @@ import (
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/config"
|
||||
"github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/session"
|
||||
"github.com/aws/aws-sdk-go/service/kms"
|
||||
"github.com/magefile/mage/mg"
|
||||
"github.com/magefile/mage/sh"
|
||||
"github.com/magefile/mage/target"
|
||||
"github.com/stoggi/sshrimp/internal/config"
|
||||
"golang.org/x/crypto/ssh"
|
||||
)
|
||||
|
||||
|
||||
@ -1,11 +1,11 @@
|
||||
package ca
|
||||
|
||||
import (
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/config"
|
||||
"github.com/awslabs/goformation/v4/cloudformation"
|
||||
"github.com/awslabs/goformation/v4/cloudformation/iam"
|
||||
"github.com/awslabs/goformation/v4/cloudformation/kms"
|
||||
"github.com/awslabs/goformation/v4/cloudformation/lambda"
|
||||
"github.com/stoggi/sshrimp/internal/config"
|
||||
)
|
||||
|
||||
func makePolicyDocument(statement map[string]interface{}) map[string]interface{} {
|
||||
|
||||
@ -4,7 +4,7 @@ import (
|
||||
"encoding/json"
|
||||
"strconv"
|
||||
|
||||
"github.com/stoggi/sshrimp/internal/config"
|
||||
"git.narnian.us/lordwelch/sshrimp/internal/config"
|
||||
)
|
||||
|
||||
// Provider describes an AWS provider
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user