From 352d79e5fc2495e4e885f55073e612ccc8d2708b Mon Sep 17 00:00:00 2001
From: gitea-admin <gitea-admin@hibachi.ninja>
Date: Wed, 20 May 2026 06:10:29 +0000
Subject: [PATCH] Initial import of demo-secure

---
 .gitignore        |   1 +
 Dockerfile        |  17 ++++++++
 README.md         |  26 ++++++++++++
 catalog-info.yaml |  27 ++++++++++++
 go.mod            |   5 +++
 go.sum            |   2 +
 main.go           | 102 ++++++++++++++++++++++++++++++++++++++++++++++
 7 files changed, 180 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 README.md
 create mode 100644 catalog-info.yaml
 create mode 100644 go.mod
 create mode 100644 go.sum
 create mode 100644 main.go

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5a0af9b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+demo-secure
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..dc85b46
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,17 @@
+FROM registry.access.redhat.com/ubi9/go-toolset:1.22 AS build
+WORKDIR /opt/app-root/src
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+ARG GIT_COMMIT=unknown
+ENV CGO_ENABLED=0
+RUN go build -trimpath -ldflags "-s -w -X main.commit=${GIT_COMMIT}" -o /tmp/demo-secure .
+
+FROM registry.access.redhat.com/ubi9-minimal:latest
+LABEL org.opencontainers.image.title="demo-secure" \
+      org.opencontainers.image.description="RHADS supply-chain demo service" \
+      org.opencontainers.image.source="http://nas1.internal.hilltopcampground.net:23232/openshift-lab/bootstrap"
+COPY --from=build /tmp/demo-secure /usr/local/bin/demo-secure
+USER 1001
+EXPOSE 8080
+ENTRYPOINT ["/usr/local/bin/demo-secure"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7d332bf
--- /dev/null
+++ b/README.md
@@ -0,0 +1,26 @@
+# demo-secure
+
+Minimal Go HTTP service used by the RHADS supply-chain demo.
+
+## The deliberate CVE
+
+`go.mod` pins `github.com/dgrijalva/jwt-go v3.2.0+incompatible`, which has a
+documented vulnerability (CVE-2020-26160 — `alg=none` not rejected). The
+`/verify` handler actually calls into this library, so SBOM scanners pick the
+dependency up as in-use and RHTPA flags it.
+
+## Fixing the CVE (the "patch" act)
+
+1. `go get github.com/golang-jwt/jwt/v5`
+2. `go mod tidy`
+3. Update the import in `main.go` from `github.com/dgrijalva/jwt-go` to
+   `github.com/golang-jwt/jwt/v5`
+4. Commit and push — the Tekton pipeline rebuilds, re-signs, ArgoCD redeploys,
+   RHTPA dashboard flips from red to green.
+
+## Endpoints
+
+- `GET /` — landing page
+- `GET /version` — JSON with Go version + dep list (proves which JWT lib is shipped)
+- `GET /healthz` — liveness probe target
+- `POST /verify` — `Authorization: Bearer <jwt>` → returns claims if valid
diff --git a/catalog-info.yaml b/catalog-info.yaml
new file mode 100644
index 0000000..65c301d
--- /dev/null
+++ b/catalog-info.yaml
@@ -0,0 +1,27 @@
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: demo-secure
+  description: Minimal Go service demonstrating the RHADS supply chain (build → sign → scan → patch).
+  annotations:
+    backstage.io/kubernetes-id: demo-secure
+    backstage.io/kubernetes-namespace: demo-secure
+    backstage.io/techdocs-ref: dir:.
+    janus-idp.io/tekton: demo-secure
+    argocd/app-name: demo-secure
+  links:
+    - url: https://demo-secure-demo-secure.apps.lab.hibachi.ninja
+      title: Live service
+spec:
+  type: service
+  lifecycle: experimental
+  owner: platform
+  system: rhads-demo
+---
+apiVersion: backstage.io/v1alpha1
+kind: System
+metadata:
+  name: rhads-demo
+  description: End-to-end RHADS supply-chain demo (RHDH + RHTAS + RHTPA).
+spec:
+  owner: platform
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..129c57b
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,5 @@
+module github.com/openshift-lab/demo-secure
+
+go 1.22
+
+require github.com/dgrijalva/jwt-go v3.2.0+incompatible
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..6a8f140
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,2 @@
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..b4b2f80
--- /dev/null
+++ b/main.go
@@ -0,0 +1,102 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"runtime/debug"
+
+	jwt "github.com/dgrijalva/jwt-go"
+)
+
+func signingKey() []byte {
+	if k := os.Getenv("JWT_KEY"); k != "" {
+		return []byte(k)
+	}
+	return []byte("demo-only-not-for-real-use")
+}
+
+type versionInfo struct {
+	Service    string            `json:"service"`
+	Commit     string            `json:"commit"`
+	GoVersion  string            `json:"go_version"`
+	Deps       map[string]string `json:"deps"`
+	JWTLibrary string            `json:"jwt_library"`
+}
+
+func main() {
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", index)
+	mux.HandleFunc("/version", version)
+	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintln(w, "ok")
+	})
+	mux.HandleFunc("/verify", verifyToken)
+
+	port := os.Getenv("PORT")
+	if port == "" {
+		port = "8080"
+	}
+	log.Printf("demo-secure listening on :%s", port)
+	if err := http.ListenAndServe(":"+port, mux); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func index(w http.ResponseWriter, _ *http.Request) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	fmt.Fprintf(w, `<!doctype html>
+<html><head><title>demo-secure</title></head>
+<body style="font-family:sans-serif;max-width:40em;margin:3em auto">
+<h1>demo-secure</h1>
+<p>A minimal Go service used to demonstrate the RHADS supply chain:
+RHDH onboarding &rarr; RHTAS signing &rarr; RHTPA scanning &rarr; patch.</p>
+<ul>
+  <li><a href="/version">/version</a> &mdash; dependency info</li>
+  <li><a href="/healthz">/healthz</a> &mdash; liveness</li>
+  <li><code>POST /verify</code> with a Bearer token &mdash; exercises the JWT library</li>
+</ul>
+</body></html>`)
+}
+
+func version(w http.ResponseWriter, _ *http.Request) {
+	info := versionInfo{
+		Service: "demo-secure",
+		Commit:  os.Getenv("GIT_COMMIT"),
+		Deps:    map[string]string{},
+	}
+	if bi, ok := debug.ReadBuildInfo(); ok {
+		info.GoVersion = bi.GoVersion
+		for _, d := range bi.Deps {
+			info.Deps[d.Path] = d.Version
+			if d.Path == "github.com/dgrijalva/jwt-go" || d.Path == "github.com/golang-jwt/jwt/v5" {
+				info.JWTLibrary = fmt.Sprintf("%s@%s", d.Path, d.Version)
+			}
+		}
+	}
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(info)
+}
+
+func verifyToken(w http.ResponseWriter, r *http.Request) {
+	tok := r.Header.Get("Authorization")
+	if len(tok) > 7 && tok[:7] == "Bearer " {
+		tok = tok[7:]
+	}
+	if tok == "" {
+		http.Error(w, "missing bearer token", http.StatusUnauthorized)
+		return
+	}
+	parsed, err := jwt.Parse(tok, func(t *jwt.Token) (interface{}, error) {
+		return signingKey(), nil
+	})
+	if err != nil || !parsed.Valid {
+		http.Error(w, "invalid token", http.StatusUnauthorized)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(parsed.Claims)
+}