package main import ( "encoding/json" "fmt" "log" "net/http" "os" "runtime/debug" jwt "github.com/golang-jwt/jwt/v5" ) func signingKey() []byte { if k := os.Getenv("JWT_KEY"); k != "" { return []byte(k) } return []byte("demo-only-not-for-real-use") } type versionInfo struct { Service string `json:"service"` Commit string `json:"commit"` GoVersion string `json:"go_version"` Deps map[string]string `json:"deps"` JWTLibrary string `json:"jwt_library"` } func main() { mux := http.NewServeMux() mux.HandleFunc("/", index) mux.HandleFunc("/version", version) mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) fmt.Fprintln(w, "ok") }) mux.HandleFunc("/verify", verifyToken) port := os.Getenv("PORT") if port == "" { port = "8080" } log.Printf("demo-secure listening on :%s", port) if err := http.ListenAndServe(":"+port, mux); err != nil { log.Fatal(err) } } func index(w http.ResponseWriter, _ *http.Request) { w.Header().Set("Content-Type", "text/html; charset=utf-8") jwtLib := "unknown" if bi, ok := debug.ReadBuildInfo(); ok { for _, d := range bi.Deps { if d.Path == "github.com/dgrijalva/jwt-go" || d.Path == "github.com/golang-jwt/jwt/v5" { jwtLib = d.Path + "@" + d.Version break } } } vulnerable := jwtLib == "github.com/dgrijalva/jwt-go@v3.2.0+incompatible" pillClass := "pill-good" pillText := "patched" if vulnerable { pillClass = "pill-bad" pillText = "vulnerable" } fmt.Fprintf(w, ` demo-secure · RHADS supply-chain demo

demo-secure

go service

A minimal HTTP service threaded through the Red Hat Advanced Developer Suite: RHDH golden-path scaffolding → Tekton build → RHTAS keyless signing → RHTPA SBOM scanning.

image signed (cosign + Fulcio) SBOM attested (CycloneDX) jwt-go %s

Active JWT library: %s

GET /version

Build info plus the full dependency tree. Proves at runtime which jwt-go version is shipped.

GET /healthz

Liveness probe endpoint. Returns 200 OK while the process is up.

POST /verify

Send Authorization: Bearer <jwt> to exercise the JWT library — this is the call path RHTPA sees as in-use.

`, pillClass, pillText, jwtLib) } func version(w http.ResponseWriter, _ *http.Request) { info := versionInfo{ Service: "demo-secure", Commit: os.Getenv("GIT_COMMIT"), Deps: map[string]string{}, } if bi, ok := debug.ReadBuildInfo(); ok { info.GoVersion = bi.GoVersion for _, d := range bi.Deps { info.Deps[d.Path] = d.Version if d.Path == "github.com/dgrijalva/jwt-go" || d.Path == "github.com/golang-jwt/jwt/v5" { info.JWTLibrary = fmt.Sprintf("%s@%s", d.Path, d.Version) } } } w.Header().Set("Content-Type", "application/json") _ = json.NewEncoder(w).Encode(info) } func verifyToken(w http.ResponseWriter, r *http.Request) { tok := r.Header.Get("Authorization") if len(tok) > 7 && tok[:7] == "Bearer " { tok = tok[7:] } if tok == "" { http.Error(w, "missing bearer token", http.StatusUnauthorized) return } parsed, err := jwt.Parse(tok, func(t *jwt.Token) (interface{}, error) { return signingKey(), nil }) if err != nil || !parsed.Valid { http.Error(w, "invalid token", http.StatusUnauthorized) return } w.Header().Set("Content-Type", "application/json") _ = json.NewEncoder(w).Encode(parsed.Claims) }