From 9205c22bf64fead9618fc6139fcf372cc4a5adbc Mon Sep 17 00:00:00 2001
From: Rikard Gynnerstedt
Date: Tue, 27 Jun 2017 10:26:43 +0200
Subject: [PATCH] shellchecks cleared
---
 deploy/s3.sh | 83 ++++++++++++++++++++++++++++++++--------------------
 1 file changed, 52 insertions(+), 31 deletions(-)
diff --git a/deploy/s3.sh b/deploy/s3.sh
index 5b1e2523..685af5ac 100644
--- a/deploy/s3.sh
+++ b/deploy/s3.sh
@@ -1,10 +1,16 @@
 #!/bin/sh
-#Here is a sample custom api script.
-#This file name is "myapi.sh"
-#So, here must be a method myapi_deploy()
-#Which will be called by acme.sh to deploy the cert
-#returns 0 means success, otherwise error.
+# This script deploys your cert to a s3 bucket.
+# export S3_BUCKET=acme
+# export S3_REGION=eu-central-1
+# export AWS_PROFILE=default
+# export AWS_ACCESS_KEY_ID=exampleid
+# export AWS_SECRET_ACCESS_KEY=examplekey
+#
+# Checks to see if awscli present
+# If not, use curl + aws v4 signature to upload object
+# Make sure your keys have access to upload objects.
+# Also make sure your default region is correct, otherwise, override with $S3_REGION
 ######## Public functions #####################
@@ -23,12 +29,17 @@ s3_deploy() {
 return 1
 fi
+ if [ -z "$AWS_PROFILE" ]; then
+ AWS_PROFILE="default"
+ fi
+
 if ! _exists aws; then
 _debug "AWS CLI not installed, defaulting to curl method"
 _aws_cli_installed=0
 else
 _debug "AWS CLI installed, defaulting ignoring curl method"
 _aws_cli_installed=1
+ S3_REGION="$(aws configure get region --profile ${AWS_PROFILE})"
 fi
 if [ "$_aws_cli_installed" -eq "0" ] && ([ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]); then
@@ -44,6 +55,7 @@ s3_deploy() {
 # Save s3 options if it's succesful (First run case)
 _saveaccountconf S3_BUCKET "$S3_BUCKET"
 _saveaccountconf S3_REGION "$S3_REGION"
+ _saveaccountconf AWS_PROFILE "$AWS_PROFILE"
 _debug _cdomain "$_cdomain"
 _debug _ckey "$_ckey"
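Review bot: `S3_REGION="$(aws configure get region --profile ${AWS_PROFILE})"` in the `else` branch overwrites whatever the user exported, which contradicts the new header comment ("override with $S3_REGION"), and when the profile has no region configured it leaves S3_REGION empty so the later `aws s3 cp … --region "$S3_REGION"` receives an empty argument. It also leaves `${AWS_PROFILE}` unquoted inside the command substitution (SC2086), which the commit title says was cleared. Suggested: `if [ -z "$S3_REGION" ]; then`, `S3_REGION="$(aws configure get region --profile "$AWS_PROFILE")"`, `fi`, so an explicit export wins and the profile's region is only a fallback. s3_deploy starts and ends outside this hunk.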
@@ -51,9 +63,13 @@ s3_deploy() {
 _debug _cca "$_cca"
 _debug _cfullchain "$_cfullchain"
 _debug S3_BUCKET "$S3_BUCKET"
+ _debug AWS_PROFILE "$AWS_PROFILE"
 _secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
 _secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
+ # REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING
+ _aws_cli_installed=1
+
 _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION"
 if [ "$_aws_cli_installed" -eq "0" ]; then
@@ -63,13 +79,13 @@ s3_deploy() {
 fi
 # private
- _deploy_to_bucket $_ckey "$_cdomain/$_cdomain.key"
+ _deploy_to_bucket "$_ckey" "$_cdomain/$_cdomain.key"
 # public
- _deploy_to_bucket $_ccert "$_cdomain/$_cdomain.cer"
+ _deploy_to_bucket "$_ccert" "$_cdomain/$_cdomain.cer"
 # ca
- _deploy_to_bucket $_cca "$_cdomain/ca.cer"
+ _deploy_to_bucket "$_cca" "$_cdomain/ca.cer"
 # fullchain
- _deploy_to_bucket $_cfullchain "$_cdomain/fullchain.cer"
+ _deploy_to_bucket "$_cfullchain" "$_cdomain/fullchain.cer"
 return 0
@@ -79,19 +95,16 @@ s3_deploy() {
 _deploy_to_bucket() {
 if [ "$_aws_cli_installed" -eq "0" ]; then
- _deploy_with_curl $1 $2
+ _deploy_with_curl "$1" "$2"
 else
- _deploy_with_awscli $1 $2
+ _deploy_with_awscli "$1" "$2"
 fi
 }
 _deploy_with_awscli() {
 file="$1"
- bucket="$S3_BUCKET"
 prefix="$2"
- region="$S3_REGION"
-
- aws s3 cp "$file" s3://"$bucket"/"$prefix" --region "$region"
+ aws s3 cp "$file" s3://"$S3_BUCKET"/"$prefix" --region "$S3_REGION" --profile "$AWS_PROFILE"
 }
 _deploy_with_curl() {
@@ -104,7 +117,7 @@ _deploy_with_curl() {
 timestamp="$(date -u "+%Y-%m-%d %H:%M:%S")"
 signed_headers="date;host;x-amz-acl;x-amz-content-sha256;x-amz-date"
- if [[ $(uname) == "Darwin" ]]; then
+ if [ "$(uname)" = "Darwin" ]; then
 iso_timestamp=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%dT%H%M%SZ")
 date_scope=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%d")
 date_header=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%a, %d %h %Y %T %Z")
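Review bot: The added `# REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING` / `_aws_cli_installed=1` pair is still in the committed code and unconditionally overrides the `_exists aws` detection made earlier in s3_deploy, so the curl fallback can never run and a host without the AWS CLI fails at `aws s3 cp` instead of taking the signed-upload path. Both lines (and the blank line after them) should be dropped before this lands. s3_deploy starts and ends outside this hunk.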
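Review bot: `_deploy_with_awscli` discards the exit status of `aws s3 cp`: nothing in `_deploy_to_bucket` checks it, and s3_deploy ends with an unconditional `return 0` in the preceding hunk, so a failed upload (bad profile, missing bucket, denied PutObject) is reported to acme.sh as success. Returning the status explicitly, `aws s3 cp "$file" s3://"$S3_BUCKET"/"$prefix" --region "$S3_REGION" --profile "$AWS_PROFILE" || return 1`, and guarding the four `_deploy_to_bucket` calls in s3_deploy with `|| return 1` would surface it. Removing the `bucket`/`region` locals here is only safe if `_deploy_with_curl` sets its own — its opening lines are outside this diff, and the following hunks still reference `$bucket` and `${region}`.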
@@ -116,16 +129,23 @@ _deploy_with_curl() {
 _info "Uploading $S3_BUCKET/$prefix"
- export _H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)"
- export _H2="Date:${date_header}"
- export _H3="x-amz-acl:${acl}"
- export _H4="x-amz-content-sha256:$(_payload_hash)"
- export _H5="x-amz-date:${iso_timestamp}"
+ export _H1
+ export _H2
+ export _H3
+ export _H4
+ export _H5
- response=$(_post "${file}" "https://${bucket}.s3.${region}.amazonaws.com/${prefix}")
- _debug2 response
+ _H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)"
+ _H2="Date:${date_header}"
+ _H3="x-amz-acl:${acl}"
+ _H4="x-amz-content-sha256:$(_payload_hash)"
+ _H5="x-amz-date:${iso_timestamp}"
+
+ _debug2 "$(_post "${file}" "https://$bucket.s3.$region.amazonaws.com/$prefix")"
 }
+#################### Private functions below ##################################
+
 _payload_hash() {
 echo "$(shasum -ba 256 "$file")%% *"
 }
@@ -141,7 +161,8 @@ _canonical_request() {
 echo "x-amz-date:${iso_timestamp}"
 echo ""
 echo "${signed_headers}"
- printf "$(_payload_hash)"
+
+ _payload_hash
 }
 _canonical_request_hash() {
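Review bot: `_debug2 "$(_post "${file}" "https://$bucket.s3.$region.amazonaws.com/$prefix")"` throws away the result of the upload: `_post`'s exit status is lost inside the command substitution and the body, where S3 reports signature and permission failures as an `<Error>` document, is only printed at debug level 2, so `_deploy_with_curl` always succeeds from the caller's point of view. Prefer `response="$(_post "${file}" "https://$bucket.s3.$region.amazonaws.com/$prefix")" || return 1`, then `_debug2 response "$response"`, and treat an `<Error>` body as a failure. The unchanged `_payload_hash` line, `echo "$(shasum -ba 256 "$file")%% *"`, also looks wrong as written: `%% *` is literal text rather than a `${…%% *}` suffix strip, so the `x-amz-content-sha256` value would carry the filename and `%% *` after the digest — worth confirming against the file on disk. `_deploy_with_curl` starts outside this hunk.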
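Review bot: Replacing `printf "$(_payload_hash)"` with a bare `_payload_hash` call changes the canonical request: `_payload_hash` (previous hunk) uses `echo`, so the hashed-payload line now ends with a newline, while SigV4 requires the canonical request to end with the payload hash and no trailing newline, so the computed signature will not verify. The SC2059-clean form that keeps the old bytes is `printf '%s' "$(_payload_hash)"`. The same substitution in `_string_to_sign` in the next hunk (bare `_canonical_request_hash` replacing `printf "$(_canonical_request_hash)"`) has the same effect if that helper also terminates its output with a newline — its body is outside this diff. `_canonical_request` starts outside this hunk.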
@@ -152,17 +173,17 @@ _string_to_sign() {
 echo "AWS4-HMAC-SHA256"
 echo "${iso_timestamp}"
 echo "${date_scope}/${region}/s3/aws4_request"
- printf "$(_canonical_request_hash)"
+ _canonical_request_hash
 }
 _signature_key() {
- secret_key=$(printf "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump)
- date_key=$(printf ${date_scope} | _hmac "sha256" "${secret_key}" | _hex_dump)
- region_key=$(printf ${region} | _hmac "sha256" "${date_key}" | _hex_dump)
- service_key=$(printf "s3" | _hmac "sha256" "${region_key}" | _hex_dump)
- printf "aws4_request" | _hmac "sha256" "${service_key}" | _hex_dump
+ secret_key=$(echo "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump)
+ date_key=$(echo "${date_scope}" | _hmac "sha256" "${secret_key}" hex | _hex_dump)
+ region_key=$(echo "${region}" | _hmac "sha256" "${date_key}" hex | _hex_dump)
+ service_key=$(echo "s3" | _hmac "sha256" "${region_key}" hex | _hex_dump)
+ printf "aws4_request" | _hmac "sha256" "${service_key}" hex | _hex_dump
 }
 _signature() {
- _string_to_sign | _hmac "sha256" $(_signature_key) | _hex_dump | sed "s/^.* //"
+ _string_to_sign | _hmac "sha256" "$(_signature_key)" | _hex_dump | sed "s/^.* //"
 }
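Review bot: Switching the four key-derivation steps in `_signature_key` from `printf` to `echo` appends a newline to each input, so kSecret becomes `AWS4` + secret + `\n` and each HMAC is taken over `date_scope`, `region` and `s3` plus a trailing newline; the derived signing key then differs from the one S3 derives and every curl upload is rejected with a signature mismatch. The ShellCheck-clean way to keep the exact bytes is `printf '%s' …` with an explicit format string, which also stops a `%` in the secret from being read as a format directive (the SC2059 finding the commit was addressing). Separately, the new `hex` argument to `_hmac` is still followed by the original `| _hex_dump`; if `hex` already selects hex output, as acme.sh's `_hmac` helper does, each key is hex-encoded twice — the helper is not in this diff, so confirm what `_hex_dump` and `_hmac` expect before keeping both.
```shell
_signature_key() {
  secret_key=$(printf '%s' "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump)
  date_key=$(printf '%s' "${date_scope}" | _hmac "sha256" "${secret_key}" hex | _hex_dump)
  region_key=$(printf '%s' "${region}" | _hmac "sha256" "${date_key}" hex | _hex_dump)
  service_key=$(printf '%s' "s3" | _hmac "sha256" "${region_key}" hex | _hex_dump)
  printf "aws4_request" | _hmac "sha256" "${service_key}" hex | _hex_dump
}
```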