From f0a80ed302a518652de1c8211e937b37a2db8d6a Mon Sep 17 00:00:00 2001
From: Noah Beard
Date: Fri, 21 Oct 2022 13:26:44 -0400
Subject: [PATCH 1/5] Use new CodeBuild workflow
---
codebuild/samples/connect-linux.sh | 17 +++++++++++++
codebuild/samples/custom-auth-linux.sh | 18 +++++++++++++
codebuild/samples/linux-smoke-tests.yml | 4 +++
codebuild/samples/pkcs11-connect-linux.sh | 31 +++++++++++++++++++++++
codebuild/samples/pubsub-linux.sh | 2 +-
codebuild/samples/setup-linux.sh | 5 ++--
codebuild/samples/shadow-linux.sh | 14 ++++++++++
7 files changed, 88 insertions(+), 3 deletions(-)
create mode 100644 codebuild/samples/connect-linux.sh
create mode 100644 codebuild/samples/custom-auth-linux.sh
create mode 100644 codebuild/samples/pkcs11-connect-linux.sh
create mode 100644 codebuild/samples/shadow-linux.sh
diff --git a/codebuild/samples/connect-linux.sh b/codebuild/samples/connect-linux.sh
new file mode 100644
index 00000000..7bd39be7
--- /dev/null
+++ b/codebuild/samples/connect-linux.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+env
+
+pushd $CODEBUILD_SRC_DIR/samples/
+
+ENDPOINT=$(aws secretsmanager get-secret-value --secret-id "ci/endpoint" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
+
+echo "Basic Connect test"
+python3 basic_connect.py --endpoint $ENDPOINT --key /tmp/privatekey.pem --cert /tmp/certificate.pem
+
+echo "Websocket Connect test"
+python3 websocket_connect.py --endpoint $ENDPOINT --signing_region us-east-1
+
+popd
diff --git a/codebuild/samples/custom-auth-linux.sh b/codebuild/samples/custom-auth-linux.sh
new file mode 100644
index 00000000..3912312a
--- /dev/null
+++ b/codebuild/samples/custom-auth-linux.sh
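Review bot: The bare `env` near the top of connect-linux.sh writes the whole build environment into the CodeBuild log, so anything the buildspec maps in from Secrets Manager or Parameter Store, or any credential material exposed through an environment variable, is logged in clear text; pubsub-linux.sh already does this, so the exposure is pre-existing, but this series copies it into four more scripts. Drop the line, or gate it behind an explicit debug switch such as `[[ -n "${CI_DEBUG:-}" ]] && env`. The endpoint secret is also parsed with `cut -f2 -d":"`, which truncates any value containing a colon, and `$ENDPOINT` is expanded unquoted on both python3 lines; quoting it, `--endpoint "$ENDPOINT"`, is free and makes a malformed secret fail loudly instead of word-splitting into extra arguments.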
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+env
+
+pushd $CODEBUILD_SRC_DIR/samples/
+
+ENDPOINT=$(aws secretsmanager get-secret-value --secret-id "ci/endpoint" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
+AUTH_NAME=$(aws secretsmanager get-secret-value --secret-id "ci/CustomAuthorizer/name" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
+AUTH_PASSWORD=$(aws secretsmanager get-secret-value --secret-id "ci/CustomAuthorizer/password" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
+
+mvn compile
+
+echo "Custom Authorizer test"
+python3 custom_authorizer_connect.py --endpoint $ENDPOINT --custom_auth_authorizer_name $AUTH_NAME --custom_auth_password $AUTH_PASSWORD
+
+popd
diff --git a/codebuild/samples/linux-smoke-tests.yml b/codebuild/samples/linux-smoke-tests.yml
index 7fec9b56..f5a9b3a4 100644
--- a/codebuild/samples/linux-smoke-tests.yml
+++ b/codebuild/samples/linux-smoke-tests.yml
@@ -9,7 +9,11 @@ phases:
 commands:
 - echo Build started on `date`
 - $CODEBUILD_SRC_DIR/codebuild/samples/setup-linux.sh
+ - $CODEBUILD_SRC_DIR/codebuild/samples/connect-linux.sh
+ - $CODEBUILD_SRC_DIR/codebuild/samples/custom-auth-linux.sh
+ - $CODEBUILD_SRC_DIR/codebuild/samples/pkcs11-connect-linux.sh
 - $CODEBUILD_SRC_DIR/codebuild/samples/pubsub-linux.sh
+ - $CODEBUILD_SRC_DIR/codebuild/samples/shadow-linux.sh
 post_build:
 commands:
 - echo Build completed on `date`
diff --git a/codebuild/samples/pkcs11-connect-linux.sh b/codebuild/samples/pkcs11-connect-linux.sh
new file mode 100644
index 00000000..48c2d0c9
--- /dev/null
+++ b/codebuild/samples/pkcs11-connect-linux.sh
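Review bot: `--custom_auth_password $AUTH_PASSWORD` hands the authorizer password over on the command line, where it is visible through `ps` and `/proc/<pid>/cmdline` for as long as the sample runs and would appear in any command trace that is later enabled. The `sed -e 's/[\\\"\}]//g'` normalisation that was written for the endpoint is applied unchanged to the password, so any backslash, double quote or closing brace in the stored secret is silently stripped, and the unquoted expansion word-splits on whitespace, so a password containing either kind of character fails in a way that is hard to diagnose. At minimum quote the expansion, `--custom_auth_password "$AUTH_PASSWORD"`, and parse the secret with a JSON-aware tool (for example `--query SecretString --output text` piped into a one-line `python3 -c` that reads the key the secret stores the password under) instead of cut/sed; if custom_authorizer_connect.py can take the password from an environment variable or a file, prefer that over argv.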
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+pushd $CODEBUILD_SRC_DIR/samples/
+
+ENDPOINT=$(aws secretsmanager get-secret-value --secret-id "ci/endpoint" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
+
+# from hereon commands are echoed. don't leak secrets
+set -x
+
+softhsm2-util --version
+
+# SoftHSM2's default tokendir path might be invalid on this machine
+# so set up a conf file that specifies a known good tokendir path
+mkdir -p /tmp/tokens
+export SOFTHSM2_CONF=/tmp/softhsm2.conf
+echo "directories.tokendir = /tmp/tokens" > /tmp/softhsm2.conf
+
+# create token
+softhsm2-util --init-token --free --label my-token --pin 0000 --so-pin 0000
+
+# add private key to token (must be in PKCS#8 format)
+openssl pkcs8 -topk8 -in /tmp/privatekey.pem -out /tmp/privatekey.p8.pem -nocrypt
+softhsm2-util --import /tmp/privatekey.p8.pem --token my-token --label my-key --id BEEFCAFE --pin 0000
+
+# run sample
+python3 pkcs11_connect.py --endpoint $ENDPOINT --cert /tmp/certificate.pem --pkcs11_lib /usr/lib/softhsm/libsofthsm2.so --pin 0000 --token_label my-token --key_label my-key
+
+popd
diff --git a/codebuild/samples/pubsub-linux.sh b/codebuild/samples/pubsub-linux.sh
index 18e44ad5..7378fdaf 100755
--- a/codebuild/samples/pubsub-linux.sh
+++ b/codebuild/samples/pubsub-linux.sh
@@ -6,7 +6,7 @@ env
 
 pushd $CODEBUILD_SRC_DIR/samples/
 
-ENDPOINT=$(aws secretsmanager get-secret-value --secret-id "unit-test/endpoint" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
+ENDPOINT=$(aws secretsmanager get-secret-value --secret-id "ci/endpoint" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
 
 echo "PubSub test"
 python3 pubsub.py --endpoint $ENDPOINT --key /tmp/privatekey.pem --cert /tmp/certificate.pem
diff --git a/codebuild/samples/setup-linux.sh b/codebuild/samples/setup-linux.sh
index b8047940..c20a7cdb 100755
--- a/codebuild/samples/setup-linux.sh
+++ b/codebuild/samples/setup-linux.sh
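Review bot: The comment `# from hereon commands are echoed. don't leak secrets` is contradicted by the last command of the script: `set -x` is still in effect when `python3 pkcs11_connect.py --endpoint $ENDPOINT ...` runs, so the endpoint value that was deliberately fetched from Secrets Manager before tracing started is printed to the build log as part of the expanded command line. Either switch tracing off right before the run, `{ set +x; } 2>/dev/null`, or decide explicitly that the endpoint is not sensitive and say so in the comment. The `-nocrypt` PKCS#8 export to `/tmp/privatekey.p8.pem` is written with the default umask and never removed, and since setup-linux.sh in this same series already fetches a `ci/CodeBuild/keyp8` secret into `/tmp/privatekey_p8.pem`, one of the two appears redundant — worth confirming which file the sample is meant to use.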
@@ -10,5 +10,6 @@ cd $CODEBUILD_SRC_DIR ulimit -c unlimited python3 -m pip install . -cert=$(aws secretsmanager get-secret-value --secret-id "unit-test/certificate" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$cert" > /tmp/certificate.pem -key=$(aws secretsmanager get-secret-value --secret-id "unit-test/privatekey" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$key" > /tmp/privatekey.pem +cert=$(aws secretsmanager get-secret-value --secret-id "ci/CodeBuild/cert" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$cert" > /tmp/certificate.pem +key=$(aws secretsmanager get-secret-value --secret-id "ci/CodeBuild/key" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$key" > /tmp/privatekey.pem +key_p8=$(aws secretsmanager get-secret-value --secret-id "ci/CodeBuild/keyp8" --query "SecretString" | cut -f2 -d":" | cut -f2 -d\") && echo -e "$key_p8" > /tmp/privatekey_p8.pem diff --git a/codebuild/samples/shadow-linux.sh b/codebuild/samples/shadow-linux.sh new file mode 100644 index 00000000..5cd02ddd --- /dev/null +++ b/codebuild/samples/shadow-linux.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +set -e + +env + +pushd $CODEBUILD_SRC_DIR/samples/ + +ENDPOINT=$(aws secretsmanager get-secret-value --secret-id "ci/endpoint" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g') + +echo "Shadow test" +python3 shadow.py --endpoint $ENDPOINT --key /tmp/privatekey.pem --cert /tmp/certificate.pem --thing_name CI_CodeBuild_Thing --is_ci true + +popd From c1fe9e4732271d0706d6f14da54a10e9b4b811a7 Mon Sep 17 00:00:00 2001 
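Review bot: The three `echo -e "$..." > /tmp/...pem` redirections create the certificate and both private-key files with whatever umask the build runs under, which with the usual 022 leaves the keys readable by every user in the container; add `umask 077` ahead of the first fetch, or follow each write with `chmod 600 /tmp/privatekey.pem` and the same for the PKCS#8 file. `echo -e` also expands every backslash sequence in the secret, not only `\n`; `printf '%b\n' "$key" > /tmp/privatekey.pem` is the portable equivalent, and `printf '%s\n'` is the right form if the secret is stored with real newlines — confirm which encoding the secret uses. The new `/tmp/privatekey_p8.pem` is not referenced by any script in the hunks shown (pkcs11-connect-linux.sh derives its own PKCS#8 file with openssl), so either point that script at it or drop the fetch.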
From: Noah Beard
Date: Fri, 21 Oct 2022 13:34:50 -0400
Subject: [PATCH 2/5] Use proper permissions for CodeBuild files
---
codebuild/samples/connect-linux.sh | 0
codebuild/samples/custom-auth-linux.sh | 0
codebuild/samples/pkcs11-connect-linux.sh | 0
codebuild/samples/shadow-linux.sh | 0
4 files changed, 0 insertions(+), 0 deletions(-)
mode change 100644 => 100755 codebuild/samples/connect-linux.sh
mode change 100644 => 100755 codebuild/samples/custom-auth-linux.sh
mode change 100644 => 100755 codebuild/samples/pkcs11-connect-linux.sh
mode change 100644 => 100755 codebuild/samples/shadow-linux.sh
diff --git a/codebuild/samples/connect-linux.sh b/codebuild/samples/connect-linux.sh
old mode 100644
new mode 100755
diff --git a/codebuild/samples/custom-auth-linux.sh b/codebuild/samples/custom-auth-linux.sh
old mode 100644
new mode 100755
diff --git a/codebuild/samples/pkcs11-connect-linux.sh b/codebuild/samples/pkcs11-connect-linux.sh
old mode 100644
new mode 100755
diff --git a/codebuild/samples/shadow-linux.sh b/codebuild/samples/shadow-linux.sh
old mode 100644
new mode 100755
From 3b85082220f5e663f47f5f829055651e282b488c Mon Sep 17 00:00:00 2001
From: Noah Beard
Date: Fri, 21 Oct 2022 13:45:25 -0400
Subject: [PATCH 3/5] This is not java, so no maven
---
codebuild/samples/custom-auth-linux.sh | 2 --
1 file changed, 2 deletions(-)
diff --git a/codebuild/samples/custom-auth-linux.sh b/codebuild/samples/custom-auth-linux.sh
index 3912312a..5f0b3753 100755
--- a/codebuild/samples/custom-auth-linux.sh
+++ b/codebuild/samples/custom-auth-linux.sh
@@ -10,8 +10,6 @@ ENDPOINT=$(aws secretsmanager get-secret-value --secret-id "ci/endpoint" --query
 AUTH_NAME=$(aws secretsmanager get-secret-value --secret-id "ci/CustomAuthorizer/name" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
 AUTH_PASSWORD=$(aws secretsmanager get-secret-value --secret-id "ci/CustomAuthorizer/password" --query "SecretString" | cut -f2 -d":" | sed -e 's/[\\\"\}]//g')
 
-mvn compile
-
 echo "Custom Authorizer test"
 python3 custom_authorizer_connect.py --endpoint $ENDPOINT --custom_auth_authorizer_name $AUTH_NAME --custom_auth_password $AUTH_PASSWORD
 
From ae532bdcec13e15a64a07312b739d8a6ef0a4bb4 Mon Sep 17 00:00:00 2001
From: Noah Beard
Date: Wed, 9 Nov 2022 16:07:02 -0500
Subject: [PATCH 4/5] Add build logging info to logs
---
codebuild/samples/linux-smoke-tests.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/codebuild/samples/linux-smoke-tests.yml b/codebuild/samples/linux-smoke-tests.yml
index f5a9b3a4..ca20bbc7 100644
--- a/codebuild/samples/linux-smoke-tests.yml
+++ b/codebuild/samples/linux-smoke-tests.yml
@@ -5,6 +5,10 @@ phases:
 - add-apt-repository ppa:ubuntu-toolchain-r/test
 - apt-get update -y
 - apt-get install python3 softhsm -y
+ - echo "\nBuild version data:"
+ - echo "\nPython Version:"; python3 --version
+ - echo "\nSoftHSM (PKCS11) version:"; softhsm2-util --version
+ - echo "\n"
 build:
 commands:
 - echo Build started on `date`
From e9df8b844536b9aa6f822a6a57dee2fe78986395 Mon Sep 17 00:00:00 2001
From: Noah Beard
Date: Thu, 10 Nov 2022 10:33:32 -0500
Subject: [PATCH 5/5] Review adjustments: Add a note on AWS CLI and use pipefail everywhere
---
codebuild/samples/connect-linux.sh | 1 +
codebuild/samples/custom-auth-linux.sh | 1 +
codebuild/samples/linux-smoke-tests.yml | 3 +++
codebuild/samples/pubsub-linux.sh | 1 +
codebuild/samples/setup-linux.sh | 1 +
codebuild/samples/shadow-linux.sh | 1 +
6 files changed, 8 insertions(+)
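Review bot: The four added `echo "\n..."` commands depend on the shell's echo expanding `\n`: bash's builtin prints the two characters literally unless `-e` or `xpg_echo` is set, while dash's echo expands them, so the log output differs with whichever shell CodeBuild runs buildspec commands in. `printf '\nBuild version data:\n'` (and likewise for the other three lines) behaves the same everywhere and needs no `-e`.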
diff --git a/codebuild/samples/connect-linux.sh b/codebuild/samples/connect-linux.sh
index 7bd39be7..5cecd2b9 100755
--- a/codebuild/samples/connect-linux.sh
+++ b/codebuild/samples/connect-linux.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 set -e
+set -o pipefail
 
 env
 
diff --git a/codebuild/samples/custom-auth-linux.sh b/codebuild/samples/custom-auth-linux.sh
index 5f0b3753..6fc7c2a2 100755
--- a/codebuild/samples/custom-auth-linux.sh
+++ b/codebuild/samples/custom-auth-linux.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 set -e
+set -o pipefail
 
 env
 
diff --git a/codebuild/samples/linux-smoke-tests.yml b/codebuild/samples/linux-smoke-tests.yml
index ca20bbc7..0c931f61 100644
--- a/codebuild/samples/linux-smoke-tests.yml
+++ b/codebuild/samples/linux-smoke-tests.yml
@@ -1,3 +1,6 @@
+# Assumes are running using the Ubuntu Codebuild standard image
+# NOTE: This script assumes that the AWS CLI-V2 is pre-installed!
+# - AWS CLI-V2 is a requirement to run this script.
 version: 0.2
 phases:
 install:
diff --git a/codebuild/samples/pubsub-linux.sh b/codebuild/samples/pubsub-linux.sh
index 7378fdaf..c7b5d797 100755
--- a/codebuild/samples/pubsub-linux.sh
+++ b/codebuild/samples/pubsub-linux.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 set -e
+set -o pipefail
 
 env
 
diff --git a/codebuild/samples/setup-linux.sh b/codebuild/samples/setup-linux.sh
index c20a7cdb..b04450fd 100755
--- a/codebuild/samples/setup-linux.sh
+++ b/codebuild/samples/setup-linux.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 set -e
+set -o pipefail
 
 env
 
diff --git a/codebuild/samples/shadow-linux.sh b/codebuild/samples/shadow-linux.sh
index 5cd02ddd..1fc1b54f 100755
--- a/codebuild/samples/shadow-linux.sh
+++ b/codebuild/samples/shadow-linux.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 set -e
+set -o pipefail
 
 env
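Review bot: The new header comment `# Assumes are running using the Ubuntu Codebuild standard image` is missing its subject and the service name is miscapitalised; `# Assumes this runs on the Ubuntu CodeBuild standard image` reads cleanly. The two AWS CLI lines that follow say the same thing twice; a single `# NOTE: the AWS CLI v2 must be pre-installed — the scripts below call `aws secretsmanager` to fetch test credentials` states the requirement and why it exists.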
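Review bot: Adding `set -o pipefail` to setup-linux.sh does not make a failed secret fetch abort the script, because the three fetches later in the file (visible in the first patch of this series) are written as `cert=$(... | cut ...) && echo -e "$cert" > /tmp/certificate.pem`: a non-zero status from the command substitution only short-circuits the `&&` list, and `set -e` does not exit on a failing left-hand side of `&&`, so the script carries on with a missing PEM file and the sample scripts that follow fail with a less useful error. Split each fetch into `cert=$(...)` on its own line followed by the write, or append `|| exit 1` to each list, so the pipefail you are adding here actually stops the build.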