Updating release for 1.1-12

* Instance Metadata Service calls now use IMDSv2 * cURL handling has been rewritten to avoid the need for eval's * Various shellcheck corrections have been added * A few missing copyright notices have been added
aws · Jan 16, 2020 · 47de505 · 47de505
1 parent 32d7656
commit 47de505
Show file tree

Hide file tree

Showing 22 changed files with 411 additions and 216 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.1-11
+1.1-12
diff --git a/bin/integration-test/get_zone_instance_types.sh b/bin/integration-test/get_zone_instance_types.sh
@@ -1,5 +1,22 @@
 #!/bin/bash
 
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+# Reads authorized keys blob $3 and prints verified, unexpired keys
+# Openssl to use provided as $1
+# Signer public key file path provided as $2
+
 # Load the list of instance types supported in a given zone.
 # XXX: The mechanism for this is based on reserved instances. This may not be exhaustive in every zone.
 

diff --git a/bin/integration-test/run_instance.sh b/bin/integration-test/run_instance.sh
@@ -1,5 +1,22 @@
 #!/bin/bash
 
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+# Reads authorized keys blob $3 and prints verified, unexpired keys
+# Openssl to use provided as $1
+# Signer public key file path provided as $2
+
 # Attempts to launch an instance to the given specification
 # Outputs instance ID on success or where it failed otherwise
 
@@ -41,9 +58,9 @@ done
 
 launch_output=$(aws ec2 run-instances --region "${region}" --image-id "${ami_id}" --key-name "${key_name}" --security-group-ids "${security_group_id}" --subnet-id "${subnet_id}" --instance-initiated-shutdown-behavior "terminate" --instance-type "${instance_type}" --tag-specifications "[{\"ResourceType\":\"instance\",\"Tags\":[{\"Key\":\"Name\",\"Value\":\"${name_tag}\"}]}]")
 launch_code=$?
-if [ $launch_code -ne 0 ] ; then
+if [ "${launch_code}" -ne 0 ] ; then
     echo "Instance launch failed!"
-    exit $launch_code
+    exit "${launch_code}"
 fi
 
 instance_id=$(echo "${launch_output}" | grep \"InstanceId\" | cut -d '"' -f 4)
@@ -53,7 +70,7 @@ try="0"
 while [ $try -lt 60 ] ; do
     aws ec2 describe-instances --instance-ids "${instance_id}" | grep "Name" | grep -q "running"
     launch_code=$?
-    if [ $launch_code -eq 0 ] ; then
+    if [ "${launch_code}" -eq 0 ] ; then
         try="60"
         running=1
     else
@@ -71,7 +88,8 @@ ssh_try="0"
 public_ip=$(aws ec2 describe-instances --instance-ids "${instance_id}" | grep "PublicIp" | cut -d '"' -f 4 | uniq)
 while [ $ssh_try -lt 30 ] ; do
     ssh -q -i "${private_key}" -o StrictHostKeyChecking=no "${osuser}@${public_ip}" exit 2>&1
-    if [ $? -eq 0 ] ; then
+    launch_code="${?}"
+    if [ "${launch_code}" -eq 0 ] ; then
         # Everything's ready
         echo "${instance_id}"
         exit 0

diff --git a/bin/integration-test/run_test_sweep.sh b/bin/integration-test/run_test_sweep.sh
@@ -1,5 +1,22 @@
 #!/bin/bash
 
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+# Reads authorized keys blob $3 and prints verified, unexpired keys
+# Openssl to use provided as $1
+# Signer public key file path provided as $2
+
 TOPDIR=$(dirname "$( cd "$( dirname "$( dirname "${BASH_SOURCE[0]}" )" )" && pwd)")
 
 while getopts ":i:p:k:u:z:o:l:f:" opt ; do
@@ -37,8 +54,8 @@ overall_success=0
 for testscript in "${TOPDIR}"/integration-test/test/* ; do
     filename="${testscript##*/}"
     test_output=$($testscript -i "${instance_id}" -p "${public_ip}" -z "${zone}" -u "${osuser}" -k "${keypath}" -l "${distro}" -t "${package_path}")
-    test_exit=$?
-    if [ $test_exit -ne 0 ] ; then
+    test_exit="${?}"
+    if [ "${test_exit}" -ne 0 ] ; then
         echo "${test_output}" > "${output_directory}/${filename}"
         echo "Test ${filename} FAILED"
         overall_success=1
@@ -47,4 +64,4 @@ for testscript in "${TOPDIR}"/integration-test/test/* ; do
     fi
 done
 
-exit $overall_success
+exit "${overall_success}"
diff --git a/bin/integration_test_suite.sh b/bin/integration_test_suite.sh
@@ -1,5 +1,22 @@
 #!/bin/bash
 
+# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+
+# Reads authorized keys blob $3 and prints verified, unexpired keys
+# Openssl to use provided as $1
+# Signer public key file path provided as $2
+
 # Runs our full suite of integration tests against all known instance types
 
 # Basic string concat w/ newline
@@ -80,10 +97,10 @@ fi
 # Fetch information about the subnet (AZ, etc)
 subnet_output=$(aws ec2 describe-subnets --subnet-ids "${subnet_id}")
 subnet_status=$?
-if [ $subnet_status -ne 0 ] ; then
+if [ "${subnet_status}" -ne 0 ] ; then
     echo "Failed to query subnet information:"
     echo "${subnet_output}"
-    exit $subnet_status
+    exit "${subnet_status}"
 fi
 
 zone=$(echo "${subnet_output}" | grep "\"AvailabilityZone\"" | cut -d '"' -f 4)
@@ -103,7 +120,7 @@ for instance_type in "${instance_types[@]}" ; do
     # Run instance
     launch_output=$("${TOPDIR}/bin/integration-test/run_instance.sh" -t "${instance_type}" -a "${ami_id}" -k "${key_name}" -s "${subnet_id}" -g "${security_group_id}" -n "EIC Integration Test ${instance_type}" -r "${region}" -o "${osuser}" -p "${private_key}")
     launch_status=$?
-    if [ $launch_status -ne 0 ] ; then
+    if [ "${launch_status}" -ne 0 ] ; then
         output=$(concat "${output}" "${launch_output}")
         instance_exit=1
     else
@@ -114,22 +131,23 @@ for instance_type in "${instance_types[@]}" ; do
         scp_out=$(scp -i "${private_key}" -o StrictHostKeyChecking=no "${package_path}" "${osuser}@${public_ip}:/tmp/${package_name}" 2>&1)
         install_status=$?
         output=$(concat "${output}" "${scp_out}")
-        if [ $install_status -eq 0 ] ; then
+        if [ "${install_status}" -eq 0 ] ; then
             # FIXME: Ubuntu AMIs fail here due to dpkg lock contention
-            ssh_out=$(ssh -i "${private_key}" -o StrictHostKeyChecking=no "${osuser}@${public_ip}" "${INSTALL} /tmp/${package_name}" 2>&1)
+            ssh -i "${private_key}" -o StrictHostKeyChecking=no "${osuser}@${public_ip}" "${INSTALL} /tmp/${package_name}" 1>/dev/null 2>&1
             install_status=$?
             output=$(concat "${output}" "${scp_out}")
         else
+            output=$(concat "${output}" "Failed to scp package to instance.")
             instance_exit=1
         fi
-        if [ $install_status -ne 0 ] ; then
+        if [ "${install_status}" -ne 0 ] ; then
             output=$(concat "${output}" "Failed to install EIC package on instance.")
             instance_exit=1
         else
             # Run the actual tests
             "${TOPDIR}/bin/integration-test/run_test_sweep.sh" -i "${instance_id}" -p "${public_ip}" -k "${private_key}" -u "${osuser}" -z "${zone}" -o "${output_directory}/${instance_type}" -l "${distro}" -f "${package_path}"
             test_exit=$?
-            if [ $test_exit -ne 0 ] ; then
+            if [ "${test_exit}" -ne 0 ] ; then
                 overall_exit=1
             else
                 rmdir "${output_directory}/${instance_type}"
@@ -138,18 +156,18 @@ for instance_type in "${instance_types[@]}" ; do
         # Terminate the instance
         aws ec2 terminate-instances --instance-ids "${instance_id}" 1>/dev/null
     fi
-    if [ $instance_exit -ne 0 ] ; then
+    if [ "${instance_exit}" -ne 0 ] ; then
         echo "Could not run tests on instance."
         echo "${output}" > "${output_directory}/${instance_type}/setup"
         overall_exit=1
     fi
 done
 
-if [ $overall_exit -ne 0 ] ; then
+if [ "${overall_exit}" -ne 0 ] ; then
     echo "Some instance types failed.  Please check the contents of ${output_directory} for details."
 else
     echo "All instance types passed!  Removing failed output directory since it is empty."
     rmdir "${output_directory}"
 fi
 
-exit $overall_exit
+exit "${overall_exit}"
diff --git a/bin/make_deb.sh b/bin/make_deb.sh
@@ -31,15 +31,15 @@ if [ $# -ne 2 ] ; then
 fi
 
 md5 () {
-    /bin/echo -n "${val}" | /usr/bin/md5sum | /bin/sed 's/\s.*$//'
+    echo -n "${1}" | md5sum | sed 's/\s.*$//'
 }
 
 sha1 () {
-    /bin/echo -n "${val}" | /usr/bin/sha1sum | /bin/sed 's/\s.*$//'
+    echo -n "${1}" | sha1sum | sed 's/\s.*$//'
 }
 
 sha256 () {
-    /bin/echo -n "${val}" | /usr/bin/sha256sum | /bin/sed 's/\s.*$//'
+    echo -n "${1}" | sha256sum | sed 's/\s.*$//'
 }
 
 TOPDIR=$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")
@@ -49,26 +49,26 @@ release=$2
 pkgdir="${TOPDIR}/ec2-instance-connect-${version}-${release}"
 
 # Copy source files
-mkdir $pkgdir
-mkdir -p $pkgdir/ec2-instance-connect
-cp $TOPDIR/src/bin/* $pkgdir/ec2-instance-connect/
+mkdir "${pkgdir}"
+mkdir -p "${pkgdir}/ec2-instance-connect"
+cp "${TOPDIR}"/src/bin/* "${pkgdir}/ec2-instance-connect/"
 # Dump /bin, /usr/bin, etc from binary paths names since we want to use $PATH on Ubuntu/etc
-sed -i "s%/usr/bin/%%g" $pkgdir/ec2-instance-connect/*
-sed -i "s%^/bin/%%g" $pkgdir/ec2-instance-connect/*
-sed -i "s%\([^\#][^\!]\)/bin/%\1%g" $pkgdir/ec2-instance-connect/*
+sed -i "s%/usr/bin/%%g" "${pkgdir}"/ec2-instance-connect/*
+sed -i "s%^/bin/%%g" "${pkgdir}"/ec2-instance-connect/*
+sed -i "s%\([^\#][^\!]\)/bin/%\1%g" "${pkgdir}"/ec2-instance-connect/*
 # Copy ec2-instance-connect service file
-cp -r $TOPDIR/src/deb_systemd/ec2-instance-connect.service $pkgdir/
-cp -r $TOPDIR/src/ec2-instance-connect.preset $pkgdir/95-ec2-instance-connect.preset
+cp -r "${TOPDIR}/src/deb_systemd/ec2-instance-connect.service" "${pkgdir}/"
+cp -r "${TOPDIR}/src/ec2-instance-connect.preset" "${pkgdir}/95-ec2-instance-connect.preset"
 
-mkdir $pkgdir/debian
-cp -r $TOPDIR/debian/* $pkgdir/debian/
-sed -i "s/\!VERSION\!/${version}-${release}/" $pkgdir/debian/control
+mkdir "${pkgdir}/debian"
+cp -r "${TOPDIR}"/debian/* "${pkgdir}/debian/"
+sed -i "s/\!VERSION\!/${version}-${release}/" "${pkgdir}/debian/control"
 
 # Do the actual packaging
 return_dir=$(pwd)
-cd $pkgdir
+cd "${pkgdir}" || exit 1
 debuild
 
 # Clean up
-cd $return_dir
-rm -rf $pkgdir
+cd "${return_dir}" || exit 1
+rm -rf "${pkgdir}"
diff --git a/bin/make_rpm.sh b/bin/make_rpm.sh
@@ -26,46 +26,46 @@ if [ $# -ne 2 ] ; then
 fi
 
 TOPDIR=$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")
-BUILDDIR=$TOPDIR/rpmbuild
-mkdir -p $BUILDDIR
+BUILDDIR="${TOPDIR}/rpmbuild"
+mkdir -p "${BUILDDIR}"
 
-version=$1
-release=$2
+version="${1}"
+release="${2}"
 
-mkdir -p $BUILDDIR/{BUILD,RPMS,SOURCES,SPECS,SRPMS,ec2-instance-connect-${version},tmp}
-mkdir -p $BUILDDIR/ec2-instance-connect-$version/opt/aws/bin
-cp $TOPDIR/rpmsrc/SPECS/generic.spec $BUILDDIR/SPECS/ec2-instance-connect.spec
-cp $TOPDIR/src/bin/* $BUILDDIR/ec2-instance-connect-$version/opt/aws/bin/
-cp $TOPDIR/rpmsrc/.rpmmacros $BUILDDIR/
+mkdir -p "${BUILDDIR}"/{BUILD,RPMS,SOURCES,SPECS,SRPMS,ec2-instance-connect-"${version}",tmp}
+mkdir -p "${BUILDDIR}/ec2-instance-connect-${version}/opt/aws/bin"
+cp "${TOPDIR}"/rpmsrc/SPECS/generic.spec "${BUILDDIR}/SPECS/ec2-instance-connect.spec"
+cp "${TOPDIR}"/src/bin/* "${BUILDDIR}/ec2-instance-connect-${version}/opt/aws/bin/"
+cp "${TOPDIR}"/rpmsrc/.rpmmacros "${BUILDDIR}/"
 
-/bin/sed -i "s%^ca_path=/etc/ssl/certs$%ca_path=/etc/ssl/certs/ca-bundle.crt%" $BUILDDIR/ec2-instance-connect-$version/opt/aws/bin/eic_curl_authorized_keys
+/bin/sed -i "s%^ca_path=/etc/ssl/certs$%ca_path=/etc/ssl/certs/ca-bundle.crt%" "${BUILDDIR}/ec2-instance-connect-${version}/opt/aws/bin/eic_curl_authorized_keys"
 
 # Trick rpmbuild into thinking this is homedir to read .rpmmacros
-REALHOME=$HOME
-export HOME=$BUILDDIR
+REALHOME="${HOME}"
+export HOME="${BUILDDIR}"
 
 function cleanup {
-    export HOME=$REALHOME
-    rm -rf $BUILDDIR/${BUILD,SOURCES,tmp}
-    rm -rf $BUILDDIR/BUILDROOT # In case we got far enough for this to exist
-    rm -rf $BUILDDIR/ec2-instance-connect-$version
+    export HOME="${REALHOME}"
+    rm -rf "${BUILDDIR}"/{BUILD,SOURCES,tmp}
+    rm -rf "${BUILDDIR}/BUILDROOT" # In case we got far enough for this to exist
+    rm -rf "${BUILDDIR}/ec2-instance-connect-${version}"
 }
 trap cleanup EXIT
 
-cp $TOPDIR/src/rpm_systemd/ec2-instance-connect.service $BUILDDIR/SOURCES/
-cp $TOPDIR/src/ec2-instance-connect.preset $BUILDDIR/SOURCES
-ls $BUILDDIR/SOURCES
+cp "${TOPDIR}/src/rpm_systemd/ec2-instance-connect.service" "${BUILDDIR}/SOURCES/"
+cp "${TOPDIR}/src/ec2-instance-connect.preset" "${BUILDDIR}/SOURCES"
+ls "${BUILDDIR}/SOURCES"
 
-cd $BUILDDIR # Will ensure some paths are set correctly in rpmbuild
+cd "${BUILDDIR}" || exit 1 # Will ensure some paths are set correctly in rpmbuild
 
 # Compress the scripts
-tar -czf $BUILDDIR/SOURCES/ec2-instance-connect-$version.tar.gz ec2-instance-connect-$version/
+tar -czf "${BUILDDIR}/SOURCES/ec2-instance-connect-${version}.tar.gz" "ec2-instance-connect-${version}/"
 
 # Fill in the placeholders
-sed -i "s/\!VERSION\!/${version}/" $BUILDDIR/SPECS/ec2-instance-connect.spec
-sed -i "s/\!RELEASE\!/${release}/" $BUILDDIR/SPECS/ec2-instance-connect.spec
+sed -i "s/\!VERSION\!/${version}/" "${BUILDDIR}/SPECS/ec2-instance-connect.spec"
+sed -i "s/\!RELEASE\!/${release}/" "${BUILDDIR}/SPECS/ec2-instance-connect.spec"
 
 # Build the package
-rpmbuild -ba $BUILDDIR/SPECS/ec2-instance-connect.spec
+rpmbuild -ba "${BUILDDIR}/SPECS/ec2-instance-connect.spec"
 
-cp $BUILDDIR/RPMS/noarch/ec2-instance-connect-$version-$release.noarch.rpm $TOPDIR/
+cp "${BUILDDIR}/RPMS/noarch/ec2-instance-connect-${version}-${release}.noarch.rpm" "${TOPDIR}/"
diff --git a/bin/make_tarball.sh b/bin/make_tarball.sh
@@ -19,15 +19,15 @@
 
 TOPDIR=$(dirname "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )")
 
-verrel=$(cat $TOPDIR/VERSION)
-version=${verrel%-*}
+verrel="$(cat "${TOPDIR}/VERSION")"
+version="${verrel%-*}"
 pkgver="ec2-instance-connect-${version}"
 
-mkdir -p $TOPDIR/$pkgver/opt/aws/bin
-cp $TOPDIR/src/bin/* $TOPDIR/$pkgver/opt/aws/bin/
+mkdir -p "${TOPDIR}/${pkgver}/opt/aws/bin"
+cp "${TOPDIR}"/src/bin/* "${TOPDIR}/${pkgver}/opt/aws/bin/"
 if [ $# -eq 1 ] ; then # TODO: better check.  Low-priority.
-    /bin/sed -i "s%^ca_path=/etc/ssl/certs$%ca_path=/etc/ssl/certs/ca-bundle.crt%" $TOPDIR/$pkgver/opt/aws/bin/eic_curl_authorized_keys
+    /bin/sed -i "s%^ca_path=/etc/ssl/certs$%ca_path=/etc/ssl/certs/ca-bundle.crt%" "${TOPDIR}/${pkgver}/opt/aws/bin/eic_curl_authorized_keys"
 fi
-tar -czf $TOPDIR/$pkgver.tar.gz -C $TOPDIR $pkgver/
-rm -rf $TOPDIR/$pkgver/*
-rmdir $TOPDIR/$pkgver
+tar -czf "${TOPDIR}/${pkgver}.tar.gz" -C "${TOPDIR}" "${pkgver}/"
+rm -rf "${TOPDIR:?}/${pkgver:?}"/*
+rmdir "${TOPDIR}/${pkgver}"
diff --git a/bin/unit-test/generate_ocsp.sh b/bin/unit-test/generate_ocsp.sh
@@ -43,11 +43,11 @@ tmpfile=$(mktemp /dev/shm/tmp-XXXXXXXX)
 
 # Generate the OCSP request
 
-$1 ocsp -no_nonce -issuer $3.crt -cert $2 -VAfile $3.crt -reqout $tmpfile
+"${1}" ocsp -no_nonce -issuer "${3}.crt" -cert "${2}" -VAfile "${3}".crt -reqout "${tmpfile}"
 
 # Generate the response
 # Yes, we're using the CA to sign the response as well.  Since this is for unit testing use we don't need strict security.
-$1 ocsp -index $3.db.index -rsigner $3.crt -rkey $3.key -CA $3.crt -VAfile $3.crt -reqin $tmpfile -respout $4 > /dev/null 2>&1
+"${1}" ocsp -index "${3}.db.index" -rsigner "${3}.crt" -rkey "${3}.key" -CA "${3}.crt" -VAfile "${3}.crt" -reqin "${tmpfile}" -respout "${4}" > /dev/null 2>&1
 
 # Drop the request, we don't need it anymore
-rm -f $tmpfile
+rm -f "${tmpfile}"