Increase timeouts in SSM-Setup-CLI

cr: https://code.amazon.com/reviews/CR-122260975

Author: VishnuKarthikRavindran

agent/cli/clicommand/getdiagnostics.go

@@ -27,6 +27,7 @@ import (
 	"github.com/aws/amazon-ssm-agent/agent/cli/cliutil"
 	_ "github.com/aws/amazon-ssm-agent/agent/cli/diagnostics"
 	"github.com/aws/amazon-ssm-agent/agent/cli/diagnosticsutil"
+	"github.com/aws/amazon-ssm-agent/common/utility"
 )
 
 const (
@@ -285,7 +286,7 @@ func (c *GetDiagnosticsCommand) Execute(subcommands []string, parameters map[str
 	}
 
 	// Check if cli is running as admin/root
-	err = diagnosticsutil.IsRunningElevatedPermissions()
+	err = utility.IsRunningElevatedPermissions()
 	if err != nil {
 		return nil, err.Error()
 	}

agent/cli/diagnosticsutil/diagnosticsutil_darwin.go

@@ -18,7 +18,6 @@ package diagnosticsutil
 
 import (
 	"fmt"
-	"os/user"
 	"time"
 
 	"github.com/aws/amazon-ssm-agent/agent/log/logger"
@@ -34,20 +33,6 @@ const (
 	newlineCharacter = "\n"
 )
 
-// IsRunningElevatedPermissions checks if the ssm-cli is being executed as administrator
-func IsRunningElevatedPermissions() error {
-	currentUser, err := user.Current()
-	if err != nil {
-		return err
-	}
-
-	if currentUser.Username == ExpectedServiceRunningUser {
-		return nil
-	} else {
-		return fmt.Errorf("get-diagnostics needs to be executed by  %s", ExpectedServiceRunningUser)
-	}
-}
-
 // AssumeAgentEnvironmentProxy is a noop on darwin because there is no other special proxy configuration
 func AssumeAgentEnvironmentProxy() {
 	proxyconfig.SetProxyConfig(logger.NewSilentLogger())

agent/cli/diagnosticsutil/diagnosticsutil_unix.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"os/user"
 	"path"
 	"path/filepath"
 	"strings"
@@ -39,20 +38,6 @@ const (
 	newlineCharacter = "\n"
 )
 
-// IsRunningElevatedPermissions checks if the ssm-cli is being executed as administrator
-func IsRunningElevatedPermissions() error {
-	currentUser, err := user.Current()
-	if err != nil {
-		return err
-	}
-
-	if currentUser.Username == ExpectedServiceRunningUser {
-		return nil
-	} else {
-		return fmt.Errorf("get-diagnostics needs to be executed by %s", ExpectedServiceRunningUser)
-	}
-}
-
 // AssumeAgentEnvironmentProxy reads the amazon-ssm-agent environment variables and assumes the same proxy settings
 func AssumeAgentEnvironmentProxy() {
 	pid, err := getRunningAgentPid()

agent/cli/diagnosticsutil/diagnosticsutil_windows.go

@@ -37,6 +37,8 @@ const (
 
 	// newlineCharacter is the system specific newline character
 	newlineCharacter = "\r\n"
+
+	defaultCommandTimeOut = 30 * time.Second
 )
 
 var powershellArgs = []string{"-InputFormat", "None", "-Noninteractive", "-NoProfile", "-ExecutionPolicy", "unrestricted"}
@@ -52,24 +54,6 @@ func executePowershellScriptWithTimeout(timeout time.Duration, scriptPath string
 	return ExecuteCommandWithTimeout(timeout, appconfig.PowerShellPluginCommandName, args...)
 }
 
-// IsRunningElevatedPermissions checks if the ssm-cli is being executed as administrator
-func IsRunningElevatedPermissions() error {
-	checkAdminCmd := `([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')`
-	output, err := executePowershellCommandWithTimeout(2*time.Second, checkAdminCmd)
-
-	if err != nil {
-		return fmt.Errorf("failed to check permissions: %s", err)
-	}
-
-	if output == "True" {
-		return nil
-	} else if output == "False" {
-		return fmt.Errorf("get-diagnostics needs to be executed by administrator")
-	} else {
-		return fmt.Errorf("unexpected permission check output: %s", output)
-	}
-}
-
 func isHttpOrHttpsProxyConfigured(proxyEnv map[string]string) bool {
 	_, ishttpSet := proxyEnv[proxyconfig.PROXY_VAR_HTTP]
 	_, ishttpsSet := proxyEnv[proxyconfig.PROXY_VAR_HTTPS]

agent/setupcli/managers/downloadmanager/downloadmanager.go

@@ -246,7 +246,7 @@ func (d *downloadManager) readVersionFromURL(versionURL string) (string, error)
 
 	var content string
 	err = backOffRetry(func() error {
-		httpTimeout := 15 * time.Second
+		httpTimeout := 30 * time.Second
 		tr := network.GetDefaultTransport(d.log, appconfig.DefaultConfig())
 		client := &http.Client{
 			Transport: tr,

agent/setupcli/setupcli.go

@@ -43,6 +43,7 @@ import (
 	"github.com/aws/amazon-ssm-agent/agent/setupcli/utility"
 	agentVersioning "github.com/aws/amazon-ssm-agent/agent/version"
 	"github.com/aws/amazon-ssm-agent/agent/versionutil"
+	utilityCmn "github.com/aws/amazon-ssm-agent/common/utility"
 	"github.com/aws/amazon-ssm-agent/core/executor"
 	"github.com/cihub/seelog"
 )
@@ -78,7 +79,7 @@ var (
 	getVerificationManager  = managers.GetVerificationManager
 	getDownloadManager      = managers.GetDownloadManager
 	startAgent              = servicemanagers.StartAgent
-	hasElevatedPermissions  = utility.IsRunningElevatedPermissions
+	hasElevatedPermissions  = utilityCmn.IsRunningElevatedPermissions
 
 	osExecutable         = os.Executable
 	evalSymLinks         = filepath.EvalSymlinks

agent/setupcli/utility/ssm_setup_cli_util_unix.go

@@ -6,7 +6,6 @@ package utility
 import (
 	"fmt"
 	"os"
-	"os/user"
 	"syscall"
 
 	"github.com/aws/amazon-ssm-agent/agent/appconfig"
@@ -22,20 +21,6 @@ const (
 	AgentBinary = appconfig.DefaultAgentName
 )
 
-// IsRunningElevatedPermissions checks if the ssm-setup-cli is being executed as administrator
-func IsRunningElevatedPermissions() error {
-	currentUser, err := user.Current()
-	if err != nil {
-		return err
-	}
-
-	if currentUser.Username == ExpectedServiceRunningUser {
-		return nil
-	} else {
-		return fmt.Errorf("ssm-setup-cli needs to be executed by %s", ExpectedServiceRunningUser)
-	}
-}
-
 // HasRootPermissions shows whether the folder path has root permission
 func HasRootPermissions(folderPath string) (bool, error) {
 	fileInfo, err := os.Stat(folderPath)

agent/setupcli/utility/ssm_setup_cli_util_windows.go

@@ -1,15 +1,22 @@
+// Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may not
+// use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+// either express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
 //go:build windows
 // +build windows
 
 package utility
 
 import (
-	"context"
-	"fmt"
-	"os/exec"
-	"strings"
-	"time"
-
 	"github.com/aws/amazon-ssm-agent/agent/appconfig"
 )
 
@@ -20,41 +27,6 @@ const (
 	AgentBinary = appconfig.DefaultAgentName + ".exe"
 )
 
-var powershellArgs = []string{"-InputFormat", "None", "-Noninteractive", "-NoProfile", "-ExecutionPolicy", "unrestricted"}
-
-// IsRunningElevatedPermissions checks if the ssm-setup-cli is being executed as administrator
-func IsRunningElevatedPermissions() error {
-	checkAdminCmd := `([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')`
-	output, err := executePowershellCommandWithTimeout(2*time.Second, checkAdminCmd)
-
-	if err != nil {
-		return fmt.Errorf("failed to check permissions: %s", err)
-	}
-
-	if output == "True" {
-		return nil
-	} else if output == "False" {
-		return fmt.Errorf("ssm-setup-cli needs to be executed by administrator")
-	} else {
-		return fmt.Errorf("unexpected permission check output: %s", output)
-	}
-}
-
-func executePowershellCommandWithTimeout(timeout time.Duration, command string) (string, error) {
-	args := append(powershellArgs, "-Command", command)
-	return executeCommandWithTimeout(timeout, appconfig.PowerShellPluginCommandName, args...)
-}
-
-func executeCommandWithTimeout(timeout time.Duration, cmd string, args ...string) (string, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	byteArr, err := exec.CommandContext(ctx, cmd, args...).Output()
-	output := strings.TrimSpace(string(byteArr))
-
-	return output, err
-}
-
 // HasRootPermissions shows whether the folder path has root permission
 // For windows, this function is will always return true as Greengrass support is not available for windows still
 func HasRootPermissions(folderPath string) (bool, error) {

common/utility/utility_unix_test.go

@@ -0,0 +1,40 @@
+// Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may not
+// use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+// either express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+//go:build freebsd || linux || netbsd || openbsd || darwin
+// +build freebsd linux netbsd openbsd darwin
+
+package utility
+
+import (
+	"os/user"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_IsRunningElevatedPermissions_Success(t *testing.T) {
+	userCurrent = func() (*user.User, error) {
+		return &user.User{Username: ExpectedServiceRunningUser}, nil
+	}
+	err := IsRunningElevatedPermissions()
+	assert.Nil(t, err)
+}
+
+func Test_IsRunningElevatedPermissions_Failure(t *testing.T) {
+	userCurrent = func() (*user.User, error) {
+		return &user.User{Username: "DummyUser"}, nil
+	}
+	err := IsRunningElevatedPermissions()
+	assert.NotNil(t, err)
+}

common/utility/utility_windows.go

@@ -0,0 +1,72 @@
+// Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"). You may not
+// use this file except in compliance with the License. A copy of the
+// License is located at
+//
+// http://aws.amazon.com/apache2.0/
+//
+// or in the "license" file accompanying this file. This file is distributed
+// on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+// either express or implied. See the License for the specific language governing
+// permissions and limitations under the License.
+
+//go:build windows
+// +build windows
+
+package utility
+
+import (
+	"context"
+	"fmt"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/aws/amazon-ssm-agent/agent/appconfig"
+)
+
+const (
+	defaultCommandTimeOut = 30 * time.Second
+)
+
+var (
+	executePowershellCommandWithTimeoutFunc = executePowershellCommandWithTimeout
+)
+
+var powershellArgs = []string{"-InputFormat", "None", "-Noninteractive", "-NoProfile", "-ExecutionPolicy", "unrestricted"}
+
+// IsRunningElevatedPermissions checks if current user is administrator
+func IsRunningElevatedPermissions() error {
+	checkAdminCmd := `([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')`
+	isAdminTrue := "True"
+	isAdminFalse := "False"
+
+	output, err := executePowershellCommandWithTimeoutFunc(defaultCommandTimeOut, checkAdminCmd)
+	if err != nil {
+		return fmt.Errorf("failed to check permissions: %v", err)
+	}
+
+	if output == isAdminTrue {
+		return nil
+	} else if output == isAdminFalse {
+		return fmt.Errorf("binary needs to be executed by administrator")
+	} else {
+		return fmt.Errorf("unexpected permission check output: %v", output)
+	}
+}
+
+func executePowershellCommandWithTimeout(timeout time.Duration, command string) (string, error) {
+	args := append(powershellArgs, "-Command", command)
+	return executeCommandWithTimeout(timeout, appconfig.PowerShellPluginCommandName, args...)
+}
+
+func executeCommandWithTimeout(timeout time.Duration, cmd string, args ...string) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	byteArr, err := exec.CommandContext(ctx, cmd, args...).Output()
+	output := strings.TrimSpace(string(byteArr))
+
+	return output, err
+}