Skip to content
This repository has been archived by the owner on Oct 11, 2018. It is now read-only.

kr7ysztof/gargoyle-sts

BranchesTags

Repository files navigation

Build Status codecov.io

The project has been moved to https://github.com/ing-bank/airlock-sts

Gargoyle STS

STS service for gargoyle-s3proxy project.

It simulates two sts actions:

and has two internals endpoints:

  • /isCredentialActive?accessKey=userAccessKey&sessionToken=userSessionToken - checks in the user credentials are active

    Response status:

    • OK
    • FORBIDDEN

  • /userInfo?accessKey=userAccessKey - return a user information

    Response:

    • Status OK
  {
    "userId": "testuser",
    "groups": [
        "testgroup",
        "groupTwo"
    ]
  }
  • Status NOTFOUND

Architecture

MVP1

Test (mock version)

docker run -p 12345:12345 kr7ysztof/gargoyle-sts:master

to get the credential you need to provide a valid token in on of the places:

  • header Authorization Bearer valid
  • cookie X-Authorization-Token: valid
  • parameter or form WebIdentityToken=valid

http://localhost:12345?Action=AssumeRoleWithWebIdentity&DurationSeconds=3600&ProviderId=testRrovider.com&RoleSessionName=app1&RoleArn=arn:aws:iam::123456789012:role/FederatedWebIdentityRole&WebIdentityToken=valid

returns:

<AssumeRoleWithWebIdentityResponse>
      <AssumeRoleWithWebIdentityResult>
          <SubjectFromWebIdentityToken>amzn1.account.AF6RHO7KZU5XRVQJGXK6HB56KR2A</SubjectFromWebIdentityToken>
          <Audience>[email protected]</Audience>
          <AssumedRoleUser>
              <Arn>arn:aws:sts::123456789012:assumed-role/FederatedWebIdentityRole/app1</Arn>
              <AssumedRoleId>AROACLKWSDQRAOEXAMPLE:app1</AssumedRoleId>
          </AssumedRoleUser>
          <Credentials>
              <SessionToken>okSessionToken</SessionToken>
              <SecretAccessKey>secretKey</SecretAccessKey>
              <Expiration>2019-10-24T23:00:23Z</Expiration>
              <AccessKeyId>okAccessKey</AccessKeyId>
          </Credentials>
          <Provider>www.amazon.com</Provider>
      </AssumeRoleWithWebIdentityResult>
      <ResponseMetadata>
          <RequestId>ad4156e9-bce1-11e2-82e6-6b6efEXAMPLE</RequestId>
      </ResponseMetadata>
  </AssumeRoleWithWebIdentityResponse>

http://localhost:12345?Action=GetSessionToken

returns:

<GetSessionTokenResponse>
    <GetSessionTokenResult>
        <Credentials>
            <SessionToken>
             okSessionToken
            </SessionToken>
            <SecretAccessKey>
             secretKey
            </SecretAccessKey>
            <Expiration>2019-07-11T19:55:29.611Z</Expiration>
            <AccessKeyId>okAccessKey</AccessKeyId>
        </Credentials>
    </GetSessionTokenResult>
    <ResponseMetadata>
        <RequestId>58c5dbae-abef-11e0-8cfe-09039844ac7d</RequestId>
    </ResponseMetadata>
</GetSessionTokenResponse>

http://localhost:12345/isCredentialActive?accessKey=okAccessKey&sessionToken=okSessionToken returns status OK or Forbidden

http://localhost:12345/userInfo?accessKey=okAccessKey returns returns status OK or NotFound

aws cli

aws sts get-session-token  --endpoint-url http://localhost:12345 --region localhost --token-code validToken

aws sts assume-role-with-web-identity --role-arn arn:test:resource:name --role-session-name testsession --web-identity-token validToken --endpoint-url http://localhost:12345

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

3 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

8 tags

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages