authormo khan <mo@mokhan.ca>2022-04-22 14:40:41 -0600
committermo khan <mo@mokhan.ca>2022-04-22 14:40:41 -0600
commitfb0451985da0574a02a339d2d8dabcf0477ce425 (patch)
tree31dc3ff1c811679202bf19c30eee05fbaf0af3fe
parent0815655919005dac35cee091f7144639f51334ce (diff)
embed insecure private key
-rwxr-xr-xbin/00_metadata8
-rwxr-xr-xbin/01_authz_code7
-rwxr-xr-xbin/02_authz_code_token_request18
-rwxr-xr-xbin/03_sts23
-rw-r--r--pkg/web/http_mux.go15
-rw-r--r--pkg/web/templates/insecure.pem (renamed from insecure.pem)0
-rw-r--r--pkg/web/well_known.go4
7 files changed, 64 insertions, 11 deletions
diff --git a/bin/00_metadata b/bin/00_metadata
new file mode 100755
index 0000000..7d57dad
--- /dev/null
+++ b/bin/00_metadata
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+cd "$(dirname "$0")/.."
+HOST="${HOST:-http://localhost:8282}"
+
+curl -s "${HOST}/.well-known/openid-configuration" | jq '.'
+curl -s "${HOST}/.well-known/jwks.json" | jq '.'
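Review bot: `set -e` on line 3 does not catch a failing `curl` on lines 7 and 8, because only the last command of a pipeline (`jq`) decides the pipeline's exit status, and `-s` additionally hides HTTP error responses, so a 404 or a refused connection surfaces only as a `jq` parse error. Use `curl -sSf` so HTTP errors exit non-zero with a message; to make the pipeline itself fail you would still need `set -o pipefail` (not POSIX `sh`, so it depends on the interpreter) or capture the curl output into a variable before piping it to `jq`. The same bare `curl -s` form appears in bin/01_authz_code and bin/02_authz_code_token_request.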
diff --git a/bin/01_authz_code b/bin/01_authz_code
new file mode 100755
index 0000000..3f6c44b
--- /dev/null
+++ b/bin/01_authz_code
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+cd "$(dirname "$0")/.."
+HOST="${HOST:-http://localhost:8282}"
+
+curl -s "${HOST}/authorize?response_type=code&scope=openid&client_id=client_id&state=potatoe&redirect_uri=http://example.org/callback"
diff --git a/bin/02_authz_code_token_request b/bin/02_authz_code_token_request
new file mode 100755
index 0000000..91bbcdb
--- /dev/null
+++ b/bin/02_authz_code_token_request
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+cd "$(dirname "$0")/.."
+HOST="${HOST:-http://localhost:8282}"
+
+if [ $# -eq 0 ]; then
+ echo "Usage:"
+ echo "$0 <code>"
+ exit 1
+fi
+
+CODE="${1}"
+curl -s \
+ -u "client_id:client_secret" \
+ --basic \
+ -d "grant_type=authorization_code&code=${CODE}&redirect_uri=http://example.org/callback" \
+ "${HOST}/token"
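Review bot: `${CODE}` is spliced raw into the form body on line 17, so an authorization code containing `&`, `=`, `+` or `%` would be mis-parsed by the token endpoint. Let curl encode it per field: `-d grant_type=authorization_code --data-urlencode "code=${CODE}" -d redirect_uri=http://example.org/callback`. `-u client_id:client_secret` on line 15 already selects Basic authentication, so `--basic` on line 16 is redundant.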
diff --git a/bin/03_sts b/bin/03_sts
new file mode 100755
index 0000000..737f427
--- /dev/null
+++ b/bin/03_sts
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+set -e
+cd "$(dirname "$0")/.."
+HOST="${HOST:-http://localhost:8282}"
+
+if [ $# -eq 0 ]; then
+ echo "Usage:"
+ echo "$0 <id_token> <role_arn>"
+ exit 1
+fi
+
+ID_TOKEN="${1}"
+ROLE_ARN="${2}"
+
+echo "$ID_TOKEN" | ruby -rjson -rbase64 -e "puts Base64.decode64(STDIN.read.split('.')[1])" | jq '.'
+
+aws sts assume-role-with-web-identity \
+ --role-arn "${ROLE_ARN}" \
+ --role-session-name="example-1" \
+ --duration-seconds 900 \
+ --web-identity-token="${ID_TOKEN}" \
+ --output json | cat
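Review bot: The usage check on line 7 only rejects zero arguments, but lines 13 and 14 need two; with a single argument `ROLE_ARN` is empty and the `aws` call fails with a far less helpful error than the usage text. Change it to `if [ $# -lt 2 ]; then`. Separately, the payload dump on line 16 uses `Base64.decode64`, which expects the standard alphabet, while JWT segments are base64url (`-` and `_`, no padding); `Base64.urlsafe_decode64` handles that alphabet and, in recent Ruby versions, unpadded input, so it should be used instead.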
diff --git a/pkg/web/http_mux.go b/pkg/web/http_mux.go
index 1f4f13b..c99ebfa 100644
--- a/pkg/web/http_mux.go
+++ b/pkg/web/http_mux.go
@@ -1,16 +1,18 @@
package web
import (
- "io/ioutil"
+ _ "embed"
"log"
"net/http"
- "os"
"time"
"github.com/golang-jwt/jwt"
"github.com/hashicorp/uuid"
)
+//go:embed templates/insecure.pem
+var privateKey string
+
var (
tokens = map[string]string{}
)
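Review bot: `privateKey` on line 9 has no doc comment, and since the PEM is now compiled into every binary built from this package it deserves one stating what it is and what it must not be used for. Suggest `// privateKey is the PEM-encoded RSA key used to sign ID tokens. It is embedded at build time from templates/insecure.pem, a published fixture for local development only; a real deployment must not sign with it.` A name such as `insecurePrivateKey` would carry the same warning to every call site.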
@@ -23,13 +25,8 @@ func (h *HttpContext) createIdToken(clientId string) string {
clientId = "clientId"
}
expiresAt := now.Add(time.Hour * time.Duration(1))
-
- host, ok := os.LookupEnv("HOST")
- if !ok {
- host = "http://localhost:8282"
- }
idToken := jwt.NewWithClaims(jwt.SigningMethodRS256, &jwt.StandardClaims{
- Issuer: host,
+ Issuer: h.issuer,
Subject: "1",
Audience: clientId,
ExpiresAt: expiresAt.Unix(),
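Review bot: With the `HOST` fallback removed, `Issuer` on line 9 of the hunk is whatever `NewHandler` received, and nothing here guards against an empty `h.issuer`, which would mint tokens with an empty `iss` claim that relying parties typically reject. If `NewHandler`'s caller does not already validate it, consider rejecting `issuer == ""` in `NewHandler` so the problem is found at startup rather than at the first token request. `createIdToken` starts before this hunk.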
@@ -50,7 +47,7 @@ type HttpContext struct {
}
func NewHandler(issuer string) http.Handler {
- keyData, _ := ioutil.ReadFile("insecure.pem")
+ keyData := []byte(privateKey)
h := &HttpContext{
issuer: issuer,
keyData: keyData,
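Review bot: `keyData` on line 5 is still an unparsed byte slice, so a malformed embedded key is only discovered when the first token is signed; the old silently ignored `ReadFile` error has become a silent conversion. Because the content is fixed at compile time, parse it once here and fail fast: `if _, err := jwt.ParseRSAPrivateKeyFromPEM(keyData); err != nil { log.Fatalf("parsing embedded signing key: %v", err) }`. Storing the parsed `*rsa.PrivateKey` on `HttpContext` instead of the PEM bytes would also avoid re-parsing on every request, if that is what the signing path does (not visible here). The `HttpContext` struct definition and the rest of `NewHandler` lie outside the hunk.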
diff --git a/insecure.pem b/pkg/web/templates/insecure.pem
index 2c2d50c..2c2d50c 100644
--- a/insecure.pem
+++ b/pkg/web/templates/insecure.pem
diff --git a/pkg/web/well_known.go b/pkg/web/well_known.go
index 47e9d3e..051d650 100644
--- a/pkg/web/well_known.go
+++ b/pkg/web/well_known.go
@@ -13,10 +13,10 @@ import (
)
//go:embed templates/openid-configuration.json
-var data string
+var oidcConfig string
var (
- tmpl = template.Must(template.New("").Parse(string(data)))
+ tmpl = template.Must(template.New("").Parse(string(oidcConfig)))
)
func (h *HttpContext) WellKnown(w http.ResponseWriter, r *http.Request) {