%global project aws-ec2-instance-connect-config
%global modulename ec2-instance-connect
%global selinuxtype targeted

Name: ec2-instance-connect
Summary: EC2 Instance Connect scripts
Version: 1.1.17
Release: 1%{?dist}
License: Apache-2.0
URL: https://github.com/aws/%{project}
Source0: https://github.com/aws/%{project}/archive/%{version}/%{project}-%{version}.tar.gz
# SELinux Policy
Source1: %{modulename}.te
Source2: %{modulename}.if
Source3: %{modulename}.fc
# User definition
Source4: %{modulename}.sysusers
# Systemd drop-in file
Source5: %{modulename}.conf
# Mentioned as v1.1.18 fix in upstream .spec but never released. Backport till upstream releases >1.1.17
Patch1: 0001-Update-curl-command-to-not-fail-silently-on-HTTP-ser.patch

BuildArch: noarch
BuildRequires: systemd-rpm-macros
%{?sysusers_requires_compat}

Requires: openssh >= 6.9.0
Requires: coreutils
Requires: openssh-server >= 6.9.0
Requires: openssl
Requires: curl
Requires: systemd
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
Recommends: %{name}-config

%description
%{summary}

# SELinux subpackage
%package selinux
Summary: ec2-instance-connect SELinux policy
BuildArch: noarch
Requires: selinux-policy-%{selinuxtype}
Requires: ec2-instance-connect
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}

%description selinux
Custom SELinux policy module for ec2-instance-connect

# Configuration subpackage
%package config
Summary: ec2-instance-connect configuration
BuildArch: noarch
Requires: ec2-instance-connect
BuildRequires: systemd-rpm-macros
%{?systemd_requires}

%description config
Systemd drop-in for sshd.service to set ec2-instance-connect specific AuthorizedKeysCommand and AuthorizedKeysCommandUser

%prep
%autosetup -p1 -n %{project}-%{version}

%build
# SELinux policy (originally from selinux-policy-contrib)
# this policy module will override the production module
mkdir selinux
cp -p %{SOURCE1} selinux/
cp -p %{SOURCE2} selinux/
cp -p %{SOURCE3} selinux/
make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
bzip2 -9 %{modulename}.pp

%install
mkdir -p %{buildroot}/%{_bindir}
install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_run_authorized_keys" %{buildroot}/%{_bindir}
install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_curl_authorized_keys" %{buildroot}/%{_bindir}
install -p -m 755 "%{_builddir}/%{project}-%{version}/src/bin/eic_parse_authorized_keys" %{buildroot}/%{_bindir}
install -D -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
install -D -p -m 0644 selinux/%{modulename}.if %{buildroot}%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
install -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/%{modulename}.conf
install -p -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/sshd.service.d/%{modulename}.conf

# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}

%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2

%postun selinux
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
fi

%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}

%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%{_datadir}/selinux/devel/include/distributed/%{modulename}.if
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

%post config
%systemd_post sshd.service

%postun config
%systemd_postun_with_restart sshd.service

%files config
%{_unitdir}/sshd.service.d/%{modulename}.conf

%files
%doc README.md CONTRIBUTING.md CODE_OF_CONDUCT.md
%license LICENSE NOTICE
%attr(0755,root,root) %{_bindir}/eic_run_authorized_keys
%attr(0755,root,root) %{_bindir}/eic_curl_authorized_keys
%attr(0755,root,root) %{_bindir}/eic_parse_authorized_keys
%{_sysusersdir}/%{modulename}.conf

%pre
%sysusers_create_compat %{SOURCE4}

%changelog
* Mon Apr 30 2024 Dominik Wombacher 1.1.17-1
- Initial package
- Fix: Update curl command to not fail silently on HTTP server error.

* Mon May 9 2022 Jacob Meisler 1.1-17
- OpenSSL 3.0.2 breaks strict x509 verification for one of our intermediate CA certificates.
- Only verify CA certificates that aren't already trusted in /etc/ssl/certs.
- OpenSSL 3.0.2 also changes the formatting of the SHA1 fingerprint of an x509 certificate. Switch to a case insensitive match to be backwards and forwards compatible between OpenSSL versions.

* Thu Sep 9 2021 Vishrutha Konappa Reddy 1.1-15
- Change EIC Hostkeys Harvesting to be asynchronous from SSHD to improve instance boot time
- Rename and enable ec2-instance-connect-harvest-hostkeys.service. Remove pointer to old ec2-instance-connect.service.

* Fri Feb 26 2021 Paul Oh 1.1-14
- Ensure failure to run host key harvesting does not leave instances in degraded state

* Thu Oct 22 2020 Jacob Meisler 1.1-13
- Verify that domain returned from IMDS is an AWS domain

* Tue Nov 19 2019 Daniel Anderson 1.1-12
- Adding support for Instance Metadata Service Version 2
- Modifying cURL invocation to avoid need for eval
- Cleaning up shellcheck catches

* Wed Aug 21 2019 Daniel Anderson 1.1-11
- Removing errant write to /tmp
- Cleaning up bad bash practices, including umask race condition

* Wed Jul 3 2019 Daniel Anderson 1.1-10
- Fix for an update to openssl (or dependencies) affecting behavior of CApath option on openssl verify
- Fixing Nitro behavior of hostkey harvesting and post-installation systemd hooks

* Wed May 15 2019 Daniel Anderson 1.1-9
- Fixing existing AuthorizedKeysCommand detection
- Adding additional licensing headers
- Improved mechanism for detection if script is running on an EC2 instance

* Wed Apr 24 2019 Daniel Anderson 1.1-8
- Better detection of existing user customization

* Fri Mar 29 2019 Daniel Anderson 1.1-7
- Change to Amazon Linux configuration

* Wed Mar 20 2019 Daniel Anderson 1.1-6
- Verification of EC2 hypervisor UUID

* Fri Mar 15 2019 Daniel Anderson 1.1-5
- Added slightly stronger checks that we're getting valid data from Instance Metadata Service/on an instance

* Wed Jan 30 2019 Daniel Anderson 1.1-4
- Fixed a bug in reading instance-identity credentials as part of hostkey harvesting and dropped AWS CLI dependency
- Added support for non-Amazon Linux yum distributions, such as RHEL and CentOS
- Hardened error handling

* Fri Dec 21 2018 Daniel Anderson 1.1-3
- Fixing an issue with the hostkey harvesting script - it was using default creds instead of instance-identity

* Fri Dec 7 2018 Daniel Anderson 1.1-2
- Minor changes to package build process to share code with Debian packaging

* Tue Oct 23 2018 Anshumali Prasad 1.1-1
- Hostkey harvesting for EC2 Instance Connect.

* Mon Oct 22 2018 Daniel Anderson 1.0-3
- Updating exit status on no-data case, improving support for newer openssl versions

* Tue Oct 9 2018 Daniel Anderson 1.0-2
- Cleaning up package requirements & post installation hook

* Wed Jun 13 2018 Daniel Anderson 1.0-1
- Initial RPM build for EC2 Instance Connect targeting Amazon Linux 2.
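The config subpackage above only ships a systemd drop-in that passes AuthorizedKeysCommand and AuthorizedKeysCommandUser to sshd; whether that pair is actually in effect on a host is a separate question, and the security-relevant check is that the key lookup runs as the dedicated unprivileged account rather than root. The following POSIX sh audit is an added example, not part of this spec or of the upstream aws-ec2-instance-connect-config project. It parses an effective-configuration dump in the lower-cased `keyword value` format that `sshd -T` prints. Two values are assumptions not stated on the page: that the command resolves to the %{_bindir} install location /usr/bin/eic_run_authorized_keys, and that the account created from the sysusers file is named ec2-instance-connect. The three sample dumps are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the ec2-instance-connect spec or upstream project):
# audit an `sshd -T` style dump and confirm the AuthorizedKeysCommand /
# AuthorizedKeysCommandUser pair that the config subpackage's drop-in is
# meant to set is in effect and runs unprivileged.

# Assumed values (not given on the page): install path under %{_bindir}
# and the sysusers account name.
EXPECTED_CMD="/usr/bin/eic_run_authorized_keys"
EXPECTED_USER="ec2-instance-connect"

# Constructed samples of `sshd -T` output (keywords are lower-cased there).
SAMPLE_OK='port 22
authorizedkeyscommand /usr/bin/eic_run_authorized_keys %u %f
authorizedkeyscommanduser ec2-instance-connect
passwordauthentication no'

SAMPLE_BAD='port 22
authorizedkeyscommand /usr/bin/eic_run_authorized_keys %u %f
authorizedkeyscommanduser root'

SAMPLE_NONE='port 22
authorizedkeyscommand none
authorizedkeyscommanduser none'

# sshd_cfg_value <lowercase-keyword>: read a dump on stdin, print the
# value of the first matching keyword (everything after the first field).
sshd_cfg_value() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# audit_eic_config <dump-text>
# Return 0 when the drop-in is in effect, 1 when AuthorizedKeysCommand is
# unset or unexpected, 2 when the command is right but the user is wrong
# (root or any account other than the dedicated one).
audit_eic_config() {
    cmd=$(printf '%s\n' "$1" | sshd_cfg_value authorizedkeyscommand)
    user=$(printf '%s\n' "$1" | sshd_cfg_value authorizedkeyscommanduser)
    # The executable is the first word; sshd's %u/%f tokens may follow it.
    case "$cmd" in
        "$EXPECTED_CMD"|"$EXPECTED_CMD "*) ;;
        *)
            echo "AuthorizedKeysCommand is not $EXPECTED_CMD (got '${cmd:-<unset>}')"
            return 1
            ;;
    esac
    if [ "$user" = root ]; then
        echo "AuthorizedKeysCommandUser is root; the key lookup should run unprivileged"
        return 2
    fi
    if [ "$user" != "$EXPECTED_USER" ]; then
        echo "AuthorizedKeysCommandUser is '$user', expected $EXPECTED_USER"
        return 2
    fi
    echo "ok: $cmd runs as $user"
    return 0
}

# Offline demonstration on the constructed samples. On a live host run
# (as root, since sshd -T reads the host keys):
#   audit_eic_config "$(sshd -T 2>/dev/null)"
audit_eic_config "$SAMPLE_OK"
audit_eic_config "$SAMPLE_BAD" || true
audit_eic_config "$SAMPLE_NONE" || true
```

Reading `sshd -T` rather than grepping sshd_config is deliberate: the drop-in sets these options on the sshd command line, so they never appear in the config file, and `-T` is the only place the merged result is visible. The non-zero return codes are distinct so the check can be wired into a host-compliance scan that treats "command missing" and "command runs as root" as different findings.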