From 07a0b9f3c881f3efdc7ef31aa179047be835262a Mon Sep 17 00:00:00 2001
From: Jake Buchholz
Date: Fri, 1 May 2020 15:00:36 -0700
Subject: Support IMDSv2 / Make shellcheck Happier

* get/use Instance MetaData Service v2 token, thanks @junkb (resolves #6)
* make shellcheck happier
* fix installation of multiple SSH keys for EC2_USER
* use 'grep -q' to detect shebang in user_data
---
 tiny-ec2-bootstrap | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/tiny-ec2-bootstrap b/tiny-ec2-bootstrap
index 9c62afb..a8dea2e 100644
--- a/tiny-ec2-bootstrap
+++ b/tiny-ec2-bootstrap
@@ -5,15 +5,22 @@ description="Provides EC2 cloud bootstrap"
 
 # override in /etc/conf.d/tiny-ec2-bootstrap
 EC2_USER=${EC2_USER:-alpine}
+IMDS2_TOKEN_TTL=${IMDS2_TOKEN_TTL:-5}
 
 depend() {
 	need net
 	provide cloud-final
 }
 
+_get_metadata_token() {
+	echo -ne "PUT /latest/api/token HTTP/1.0\r\nX-aws-ec2-metadata-token-ttl-seconds: $IMDS2_TOKEN_TTL\r\n\r\n" |
+		nc 169.254.169.254 80 | tail -n 1
+}
+
 _get_metadata() {
 	local uri="$1"
-	wget -qO - "http://169.254.169.254/latest/$uri" 2>/dev/null
+	wget -qO - --header "X-aws-ec2-metadata-token: $(_get_metadata_token)" \
+		"http://169.254.169.254/latest/$uri" 2>/dev/null
 }
 
 _update_hostname() {
@@ -26,8 +33,8 @@ _update_hostname() {
 
 _set_ssh_keys() {
 	local user="$1"
-	local group="$(getent passwd $user | cut -d: -f4)"
-	local ssh_dir="$(getent passwd $user | cut -d: -f6)/.ssh"
+	local group="$(getent passwd "$user" | cut -d: -f4)"
+	local ssh_dir="$(getent passwd "$user" | cut -d: -f6)/.ssh"
 	local keys_file="$ssh_dir/authorized_keys"
 
 	if [ ! -d "$ssh_dir" ]; then
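Review bot: `_get_metadata` interpolates the output of `_get_metadata_token` into the `X-aws-ec2-metadata-token` header without checking it, so when the raw `nc` PUT fails or is refused (nc absent, IMDSv2 not answering) `tail -n 1` yields an empty string or the last line of an HTTP error body, and the metadata fetch goes out with a bogus token and fails silently behind `2>/dev/null`. Capture the token first and stop on an empty one: `local token; token=$(_get_metadata_token); [ -n "$token" ] || return 1`, then pass `"$token"` to `--header`. Every metadata call also performs its own token handshake with a 5-second TTL; caching the token in a script-level variable for the duration of the run would halve the IMDS round-trips and make `IMDS2_TOKEN_TTL` actually matter. `echo -ne` is not POSIX — `printf 'PUT /latest/api/token HTTP/1.0\r\nX-aws-ec2-metadata-token-ttl-seconds: %s\r\n\r\n' "$IMDS2_TOKEN_TTL"` is portable and keeps the TTL value out of the format string.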
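Review bot: The `group` and `ssh_dir` lines still hide getent's exit status behind `local x="$(...)"` (ShellCheck SC2155), so an `EC2_USER` that does not exist yields `group=` and `ssh_dir=/.ssh`, and the function carries on creating and `chown -R`-ing a `.ssh` directory at the filesystem root with an empty group. Look the account up once and bail early: `local passwd_entry; passwd_entry=$(getent passwd "$user") || return 1`, then derive `group` and `ssh_dir` from `"$passwd_entry"` with `cut` (or `${passwd_entry#...}` expansions). `_set_ssh_keys` continues past the end of this hunk, where `$ssh_dir` is presumably created.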
@@ -39,16 +46,16 @@ _set_ssh_keys() {
 
 	touch "$keys_file"
 	chmod 600 "$keys_file"
-	chown -R $user:$group "$ssh_dir"
+	chown -R "$user:$group" "$ssh_dir"
 
-	for key in "$(_get_metadata meta-data/public-keys/)"; do
-		echo $(_get_metadata "meta-data/public-keys/${key%=*}/openssh-key/") >> "$keys_file"
+	for key in $(_get_metadata meta-data/public-keys/); do
+		_get_metadata "meta-data/public-keys/${key%=*}/openssh-key/" >> "$keys_file"
 	done
 }
 
 _run_userdata() {
 	user_data=$(_get_metadata user-data)
-	if echo $user_data | grep '^#!/' 2>&1 >/dev/null; then
+	if echo "$user_data" | grep -q '^#!/'; then
 		echo "$user_data" > /var/lib/cloud/user-data.sh
 		chmod +x /var/lib/cloud/user-data.sh
 		/var/lib/cloud/user-data.sh 2>&1 | tee /var/log/cloud-bootstrap.log
@@ -57,7 +64,7 @@ _run_userdata() {
 }
 
 _resize_root_partition() {
-	resize2fs $(mountpoint -n / | cut -d' ' -f1)
+	resize2fs "$(mountpoint -n / | cut -d' ' -f1)"
 }
 
 _disable_password() {
-- 
cgit v1.2.3
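Review bot: The rewritten loop appends each `openssh-key` response to `authorized_keys` with no newline of its own; the old `echo $(...)` supplied one, so if the IMDS body lacks a trailing newline (common for metadata responses, worth confirming on a live instance) the second and later keys land on the same line as the first and sshd ignores them. Guarantee the separator in the append: `{ _get_metadata "meta-data/public-keys/${key%=*}/openssh-key/"; echo; } >> "$keys_file"`. The file is also only ever appended to, so every boot re-adds the same keys; truncating `"$keys_file"` before the loop, or skipping lines that `grep -qxF` already finds in it, would make the step idempotent. In `_run_userdata`, `grep -q '^#!/'` matches a shebang-looking line anywhere in the user data rather than only the first line; `head -n 1` in front of the grep pins the test to the first line. `_set_ssh_keys` starts before this hunk and `_run_userdata` ends after it.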