initial commit

.editorconfig

@@ -0,0 +1,21 @@
+
+# EditorConfig https://EditorConfig.org
+
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[Makefile]
+indent_style = tab
+
+[*.yml]
+indent_style = space
+indent_size = 2
+
+[*.tf]
+indent_stype = space
+indent_size = 2

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @chanzuckerberg/czi-shared-infra

.gitignore

@@ -0,0 +1,6 @@
+coverage.txt
+bin/
+dist/
+.vscode
+.env
+.envrc

.goreleaser.prerelease.yml

@@ -0,0 +1,36 @@
+before:
+  hooks:
+    - make clean
+
+builds:
+  - binary: aws-oidc
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+      - linux
+    goarch:
+      - amd64
+    ldflags:
+      - "-w -s -X github.com/chanzuckerberg/aws-oidc/pkg/util.GitSha={{.Commit}} -X github.com/chanzuckerberg/aws-oidc/pkg/util.Version={{.Version}} -X github.com/chanzuckerberg/aws-oidc/pkg/util.Dirty=false -X github.com/chanzuckerberg/aws-oidc/pkg/util.Release=true"
+
+dockers:
+  - dockerfile: Dockerfile
+    image_templates:
+      - docker.pkg.github.com/chanzuckerberg/aws-oidc/aws-oidc:{{.ShortCommit}}
+    extra_files:
+      - cmd
+      - pkg
+      - go.mod
+      - go.sum
+      - main.go
+
+archives:
+  - files:
+      - none*
+
+release:
+  prerelease: true
+
+env_files:
+  github_token: ~/.config/goreleaser/github_token

.goreleaser.yml

@@ -0,0 +1,44 @@
+before:
+  hooks:
+    - make clean
+
+builds:
+  - binary: aws-oidc
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+      - linux
+    goarch:
+      - amd64
+    ldflags:
+      - "-w -s -X github.com/chanzuckerberg/aws-oidc/pkg/util.GitSha={{.Commit}} -X github.com/chanzuckerberg/aws-oidc/pkg/util.Version={{.Version}} -X github.com/chanzuckerberg/aws-oidc/pkg/util.Dirty=false -X github.com/chanzuckerberg/aws-oidc/pkg/util.Release=true"
+
+dockers:
+  - dockerfile: Dockerfile
+    image_templates:
+      - docker.pkg.github.com/chanzuckerberg/aws-oidc/aws-oidc:v{{.Version}}
+    extra_files:
+      - cmd
+      - pkg
+      - go.mod
+      - go.sum
+      - main.go
+
+archives:
+  - files:
+      - none*
+
+release:
+  prerelease: false
+
+brews:
+  - description: "A command line utility tool to help generate AWS STS credentials from an OIDC application."
+    github:
+      owner: chanzuckerberg
+      name: homebrew-tap
+    homepage: "https://github.com/chanzuckerberg/aws-oidc"
+    test: system "#{bin}/aws-oidc version"
+
+env_files:
+  github_token: ~/.config/goreleaser/github_token

.reviewdog.yml

@@ -0,0 +1,8 @@
+runner:
+  golangci:
+    cmd: ./bin/golangci-lint run --out-format=line-number
+    errorformat:
+      - '%E%f:%l:%c: %m'
+      - '%E%f:%l: %m'
+      - '%C%.%#'
+    level: warning

.travis.yml

@@ -0,0 +1,25 @@
+dist: bionic
+language: go
+go:
+  - '1.14.1'
+os:
+  - linux
+env:
+  - GO111MODULE=on
+install:
+  - make setup
+jobs:
+  include:
+    - name: check-mod
+      stage: test
+      script: make check-mod
+    - name: lint
+      stage: test
+      script:
+        - make lint-ci
+    - name: test
+      stage: test
+      script:
+        - make test
+      after_success:
+        - bash <(curl -s https://codecov.io/bash)

Dockerfile

@@ -0,0 +1,30 @@
+# First stage: build the executable
+FROM golang:1.14 AS builder
+
+# Enable Go modules
+ENV GO111MODULE=on CGO_ENABLED=0 GOOS=linux
+
+# Set the Current Working Directory inside the container
+WORKDIR /app
+
+# Copy the source from the current directory to the Working Directory inside the container
+COPY cmd cmd
+COPY go.mod go.sum main.go ./
+COPY pkg pkg
+
+# Build the Go app
+RUN go build -o aws-oidc .
+
+# Final stage: the running container
+FROM alpine:latest AS final
+
+# Install SSL root certificates
+RUN apk update && apk --no-cache add ca-certificates curl
+
+COPY --from=builder /app/aws-oidc /bin/aws-oidc
+
+ADD https://github.com/segmentio/chamber/releases/download/v2.7.5/chamber-v2.7.5-linux-amd64 /bin/chamber
+RUN chmod +x /bin/chamber
+
+
+CMD ["aws-oidc"]

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019-2020 Chan Zuckerberg Initiative, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,83 @@
+SHA=$(shell git rev-parse --short HEAD)
+VERSION=$(shell cat VERSION)
+DIRTY=false
+GO_PACKAGE=$(shell go list)
+LDFLAGS=-ldflags "-w -s -X $(GO_PACKAGE)/pkg/util.GitSha=${SHA} -X $(GO_PACKAGE)/pkg/util.Version=${VERSION} -X $(GO_PACKAGE)/pkg/util.Dirty=${DIRTY}"
+export GO111MODULE=on
+
+clean: ## clean the repo
+	rm aws-oidc 2>/dev/null || true
+	go clean
+	go clean -testcache
+	rm -rf dist 2>/dev/null || true
+	rm coverage.out 2>/dev/null || true
+	if [ -e /tmp/aws-oidc.lock ]; then \
+        rm /tmp/aws-oidc.lock; \
+    fi \
+
+setup: # setup development dependencies
+	export GO111MODULE=on
+	curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh
+	curl -sfL https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh| sh -s -- v0.9.14
+	curl -sfL https://raw.githubusercontent.com/chanzuckerberg/bff/master/download.sh | sh
+.PHONY: setup
+
+install:
+	go install
+.PHONY: install
+
+test:
+	go test -coverprofile=coverage.txt -covermode=atomic ./...
+.PHONY: test
+
+test-all:
+	go test -v -coverprofile=coverage.txt -covermode=atomic ./... -tags=integration
+.PHONY: test-all
+
+test-coverage:  ## run the test with proper coverage reporting
+	go test  -coverprofile=coverage.out -covermode=atomic ./...
+	go tool cover -html=coverage.out
+.PHONY: test-coverage
+
+test-coverage-integration:  ## run the test with proper coverage reporting
+	go test -coverprofile=coverage.out -covermode=atomic ./... -tags=integration
+	go tool cover -html=coverage.out
+.PHONY: test-coverage-all
+
+deps:
+	go get -u ./...
+	go mod tidy
+.PHONY: deps
+
+lint:
+	golangci-lint run -E whitespace --exclude-use-default
+.PHONY: lint
+
+lint-ci: ## run the fast go linters
+	./bin/reviewdog -conf .reviewdog.yml  -reporter=github-pr-review
+.PHONY: lint-ci
+
+release: ## run a release
+	bff bump
+	git push
+	goreleaser release --rm-dist
+.PHONY: release
+
+release-prerelease: ## release to github as a 'pre-release'
+	go build ${LDFLAGS} .
+	commit=`git rev-parse --short HEAD`; \
+	version=`cat VERSION`; \
+	git tag v"$$version"+"$$commit"; \
+	git push
+	git push --tags
+	goreleaser release -f .goreleaser.prerelease.yml --debug --rm-dist
+.PHONY: release-prelease
+
+fmt:
+	goimports -w -d $$(find . -type f -name '*.go' -not -path "./vendor/*")
+.PHONY: fmt
+
+check-mod:
+	go mod tidy
+	git diff --exit-code -- go.mod go.sum
+.PHONY: check-mod

README.md

@@ -0,0 +1,94 @@
+**Please note**: If you believe you have found a security issue, _please responsibly disclose_ by contacting us at [[email protected]](mailto:[email protected]).
+
+----
+
+# Introduction
+AWS-OIDC is a command-line utility tool for generating temporary AWS STS credentials from an OIDC application. This works by:
+- opening a browser window with the Identity Provider URL. this helps offboard the heavy logic around authentication + MFA to browser
+- doing a local redirection to a temporary server on localhost to return the credentials back to our process
+- Verifying flow with PKCE/public client
+- Redeeming an id_token with the appropriate scopes
+- Exchanging that token for temporary STS credentials
+
+We also included a config generation web service that displays an AWS-OIDC-based Configuration file for authorized clients. The authorization requires an Okta Identity Provider, an AWS master role, and AWS worker roles for the accounts needed in the Config file.
+
+# Install
+```
+brew tap chanzuckerberg/tap
+brew install aws-oidc
+```
+
+# Command-Line Tools
+### creds-process
+Authenticates into AWS and prints structured AWS credentials to stdout. The stdout output is based on [AWS Configuration for External Processes](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html).
+``` bash
+$ aws-oidc creds-process --issuer-url=<issuer url> --client-id=<client ID> --aws-role-arn=<AWS role you want credentials for>
+{
+  "Version": 1,
+  "AccessKeyId": "an AWS access key",
+  "SecretAccessKey": "your AWS secret access key",
+  "SessionToken": "the AWS session token for temporary credentials",
+  "Expiration": "ISO8601 timestamp when the credentials expire"
+}
+```
+
+### exec
+Executes a command with AWS credentials loaded in the environment
+``` bash
+$ aws-oidc exec --issuer-url=<issuer url> --client-id=<client ID> --aws-role-arn=<AWS role you want credentials for>   -- aws sts get-caller-identity
+{
+	“UserId”: <...>
+	“Account”: <Account from that role-arn flag>
+	“Arn:”: <AWS STS ARN for the role-arn flag>
+}
+```
+### serve-config
+Deploys a service that displays an AWS Config file for any authorized visitor (see [Deployment Requirements](#deployment-requirements))
+
+### version
+Prints the version of aws-oidc to stdout.
+
+
+# Deployment Requirements
+Deploying the web service requires a few things:
+A master role with permission to run [List Accounts](https://docs.aws.amazon.com/cli/latest/reference/organizations/list-accounts.html) in the AWS Organization
+A reader role in each account with permission to run [List Roles](https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html) in the accounts
+An Okta Identity Provider with a private key, client ID, and issuer URL.
+
+This deployment relies on a working identity provider, which will provide the ID Token needed for identifying any clients that try to interact with the server. The aws-oidc docker image includes [chamber](https://github.com/segmentio/chamber/), which we use for loading sensitive environment variables.
+
+Using the latest version of aws-oidc, run `aws-oidc serve-config --web-server-port=8080`
+
+Ping localhost:8080/health to make sure your service is up and running.
+
+## Environment Variables for Deploying
+### Okta Identity Provider:
+OKTA_PRIVATE_KEY: the private key from the Okta
+
+OKTA_SERVICE_CLIENT_ID: The client ID of the Okta Client that manages Okta apps for your clients
+
+OKTA_CLIENT_ID: the client ID of the Okta Identity Provider that verifies your clients
+
+OKTA_ISSUER_URL: the URL of the identity provider
+
+You can create create those values using [this tutorial](https://developer.okta.com/docs/guides/create-an-api-token/overview/)
+
+
+###  AWS Config Generation:
+AWS_READER_ROLE_NAME: role name that can run AWS List Roles in any account in your AWS Organization
+
+AWS_MASTER_ROLE_ARNS: a list of role ARNs that can list accounts in your AWS Organization
+
+# Contributing
+We use standard go tools + makefiles to build aws-oidc. Getting started should be as simple as-
+
+1. install go
+1. Clone this repo from `[email protected]:chanzuckerberg/aws-oidc.git`
+1. `make setup && make`
+
+We follow the [Contributor Conduct](https://www.contributor-covenant.org/version/2/0/code_of_conduct/).
+
+# Copyright
+Copyright 2019-2020, Chan Zuckerberg Initiative, LLC
+
+For our license, see [LICENSE](LICENSE).

VERSION

@@ -0,0 +1 @@
+0.5.1

cmd/auth_helper.go

@@ -0,0 +1 @@
+package cmd