#!/bin/bash
# Copyright 2010 Novell, Inc.
# Copyright 2008 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# Licensed under the Amazon Software License (the "License").
#
# You may not use this file except in compliance with the License. A copy of
# the License is located at http://aws.amazon.com/asl or in the
# "AMAZON-LICENSE" file accompanying this file.
#
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
# CONDITIONS OF ANY KIND, either express or implied. See the License for the
# specific language governing permissions and limitations under the License.

##private function: cleanup
# Removes the scratch directory named by $tdir, when one exists.
# Globals:   tdir (read)
# Returns:   rm's status, or 1 when $tdir is empty or not a directory
function cleanup {
  [[ -n "$tdir" && -d "$tdir" ]] && rm -rf "$tdir"
}

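##private function: fail
# Logs the given message plus a fixed summary line, removes the scratch
# directory and exits with status 2. Never returns.
# Globals:   tdir (read, via cleanup)
# Arguments: $* - message to log
function fail {
    # printf rather than echo: a message beginning with '-' or containing
    # backslashes is logged verbatim, and one logit call keeps both lines
    # in order.
    printf '%s\n' "$*" "Unable to update ec2-ami-tools" |logit
    cleanup
    exit 2
}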

# Copies stdin to syslog
##function: logit
# Every line read from stdin is sent to syslog, and mirrored to stderr by
# logger's -s, under the "ec2" tag. Takes no arguments.
function logit {
    local tag="ec2"
    logger -s -t "$tag"
}

##function: remove_compat_links
# Deletes the symlinks this package once created so that older ec2-ami-tools
# releases could find their Ruby libraries. A path is removed only while it
# is still a symlink, so a real directory owned by a package is never touched.
# Globals:   none
# Returns:   0, or rm's status for the last link removed
function remove_compat_links {
    local -a compat_links=(
        /usr/lib64/ruby/site_ruby/aes
        /usr/lib64/ruby/site_ruby/ec2
        /usr/lib/ruby/site_ruby/aes
        /usr/lib/ruby/site_ruby/ec2
    )
    local link
    for link in "${compat_links[@]}"; do
        if [[ -L "$link" ]]; then
            rm -f "$link"
        fi
    done
}

# Maintenance entry point: only drop the compatibility links, nothing else
case "$1" in
    --remove-links)
        remove_compat_links
        exit 0
        ;;
esac

# ec2-ami-tools-nda conflicts with the package we would install, so a host
# that has it installed is left alone rather than updated
if rpm -q ec2-ami-tools-nda >/dev/null 2>&1; then
    exit 0
fi

trap cleanup INT TERM
tdir=$(mktemp -d)

if [[ ! -d "$tdir" ]]; then
    echo "Failed to create temporary directory for ec2-ami-tools package" |logit
    exit 1
fi

# mktemp -d already creates the directory 0700; re-apply it so the scratch
# files (downloaded rpm, signature, keyring) are never readable by others
chmod 0700 "$tdir"

# Every URL below is https: the transport is encrypted and the server
# authenticated, though only the gpg check further down authenticates the
# package itself
local_key_file="/etc/ec2/aws-gpg-pubkey.asc"

tools_url="https://ec2-downloads.s3.amazonaws.com/ec2-ami-tools.noarch.rpm"
tools_file="${tdir}/ec2-ami-tools.noarch.rpm"

sig_url="https://ec2-downloads.s3.amazonaws.com/ec2-ami-tools.noarch.rpm.asc"
sig_file="${tdir}/ec2-ami-tools.noarch.rpm.asc"

key_url="https://aws.amazon.com/ec2/public-key.asc"
key_file="${tdir}/aws-public-key.asc"

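##private function: fetch_https
# Downloads a URL into a file. Only https is accepted, both for the initial
# URL and for every redirect that --location follows, so a redirect cannot
# quietly downgrade a download to plain http. Needs a curl that understands
# --proto/--proto-redir.
# Arguments: $1 - URL, $2 - destination path
# Returns:   0 when the download succeeded and the file is non-empty
function fetch_https {
    local url=$1
    local dest=$2
    curl --location --proto '=https' --proto-redir '=https' \
         --retry 3 --retry-delay 0 --silent --fail -o "$dest" "$url" \
        && [[ -s "$dest" ]]
}

fetch_https "$tools_url" "$tools_file" \
    || fail "Failed to retreive ec2-ami-tools from S3"
fetch_https "$sig_url" "$sig_file" \
    || fail "Failed to retreive ec2-ami-tools signature from S3"

HAVEGPG=$(type -p gpg)
HAVEGPGV=$(type -p gpgv)
if [[ -n "$HAVEGPG" && -n "$HAVEGPGV" ]]; then
    if [[ -f "$local_key_file" && -s "$local_key_file" ]]; then
        cat "$local_key_file" > "$key_file"
    else
        # Without a locally provisioned key the best we can do is fetch it
        # over https; that only ties the rpm to whoever serves key_url, not
        # to a key that was installed out of band.
        fetch_https "$key_url" "$key_file" \
            || fail "Failed to retreive AWS public key"
    fi
    # Import into a throwaway keyring under $tdir so the system keyrings are
    # neither consulted nor modified.
    gpg --quiet --no-default-keyring --homedir "$tdir" \
        --keyring "$tdir/aws.gpg" --import "$key_file" \
        || fail "Failed to import AWS gpg key"
    gpgv --quiet --keyring "$tdir/aws.gpg" "$sig_file" "$tools_file" 2>/dev/null \
        || fail "Signature check failed for ec2-ami-tools"
else
    # No gpg/gpgv on this host: the package is installed unverified and the
    # download is protected only by the TLS connection to S3.
    echo "Skipped signature check on ec2-ami-tools" |logit
fi

PNVR=$(rpm -qp --nomanifest "$tools_file")
# A truncated or non-rpm download yields no package name; stop here rather
# than handing the file to rpm -U.
if [[ -z "$PNVR" ]]; then
    fail "Unable to read package version from downloaded ec2-ami-tools"
fi
# rpm -q succeeds only when this exact name-version-release is installed
if ! rpm -q "$PNVR" >/dev/null; then
    remove_compat_links
    rpm -Uvh --nomanifest "$tools_file"|logit
    # $? after the pipeline is logit's status; rpm's own status is the first
    # entry of PIPESTATUS and must be read before any other command runs.
    rpm_status=${PIPESTATUS[0]}
    if [[ "$rpm_status" -ne 0 ]]; then
        fail "RPM upgrade of ec2-ami-tools failed"
    fi
    echo "Updated ec2-ami-tools from S3"|logit
fi
cleanup
exit 0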
