This breaks stuff (probably)

Attempts at making shellcheck happy and a little bit of sanity checking
for travis-ci.  Going to try to get some basic easyrsa commands going
next, once I figure out what travis-ci's environment looks like.

Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Eric F Crist 2018-01-03 18:54:23 -06:00
parent 8fbc4eee53
commit 09e2c3b5c3
2 changed files with 32 additions and 18 deletions


@ -11,3 +11,5 @@ addons:
script:
- bash -c 'export SHELLCHECK_OPTS="-e SC2006"; shopt -s globstar; shellcheck **/*.sh easyrsa3/easyrsa'
- bash -c 'pwd'
- bash -c 'ls -la'
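Review bot: The `pwd` and `ls -la` steps at the end of the script list are diagnostics rather than checks: they always succeed, so the job's pass/fail result is unaffected by them and only the log gains information. Presumably they are placeholders for the easyrsa commands the commit message mentions; a comment such as `# TODO: replace with easyrsa smoke tests once the CI environment is known` would keep them from lingering as permanent steps. The `SHELLCHECK_OPTS="-e SC2006"` export (whether or not it is new here) also suppresses the backtick warning for every file passed to shellcheck; a per-line `# shellcheck disable=SC2006` at the few call sites that need it would make the exemption visible next to the code it covers.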


@ -229,19 +229,19 @@ die() {
Easy-RSA error:
$1" 1>&2
exit ${2:-1}
exit "${2:-1}"
} # => die()
# non-fatal warning output
warn() {
[ ! $EASYRSA_BATCH ] && \
[ ! "$EASYRSA_BATCH" ] && \
print "
$1" 1>&2
} # => warn()
# informational notices to stdout
notice() {
[ ! $EASYRSA_BATCH ] && \
[ ! "$EASYRSA_BATCH" ] && \
print "
$1"
} # => notice()
@ -250,6 +250,7 @@ $1"
# Returns 0 when input contains yes, 1 for no, 2 for no match
# If both strings are present, returns 1; first matching line returns.
awk_yesno() {
#shellcheck disable=SC2016
awkscript='
BEGIN {IGNORECASE=1; r=2}
{ if(match($0,"no")) {r=1; exit}
@ -261,7 +262,7 @@ BEGIN {IGNORECASE=1; r=2}
# intent confirmation helper func
# returns without prompting in EASYRSA_BATCH
confirm() {
[ $EASYRSA_BATCH ] && return
[ "$EASYRSA_BATCH" ] && return
prompt="$1"
value="$2"
msg="$3"
@ -271,6 +272,7 @@ $msg
Type the word '$value' to continue, or any other input to abort."
printf %s " $prompt"
#shellcheck disable=SC2162
read input
[ "$input" = "$value" ] && return
notice "Aborting without confirmation."
@ -458,12 +460,14 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
print "01" > "$EASYRSA_PKI/serial" || die "$err_file"
# Default CN only when not in global EASYRSA_BATCH mode:
[ $EASYRSA_BATCH ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
# shellcheck disable=SC2015
[ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp"
out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
# create the CA keypair:
"$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
#shellcheck disable=SC2086
"$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $opts || \
die "Failed to build the CA"
mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
@ -490,7 +494,7 @@ gen_dh() {
verify_pki_init
out_file="$EASYRSA_PKI/dh.pem"
"$EASYRSA_OPENSSL" dhparam -out "$out_file" $EASYRSA_KEY_SIZE || \
"$EASYRSA_OPENSSL" dhparam -out "$out_file" "$EASYRSA_KEY_SIZE" || \
die "Failed to build DH params"
notice "\
DH parameters of size $EASYRSA_KEY_SIZE created at $out_file
@ -506,7 +510,7 @@ Error: gen-req must have a file base as the first argument.
Run easyrsa without commands for usage and commands."
key_out="$EASYRSA_PKI/private/$1.key"
req_out="$EASYRSA_PKI/reqs/$1.req"
[ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1"
[ ! "$EASYRSA_BATCH" ] && EASYRSA_REQ_CN="$1"
shift
# function opts support
@ -539,6 +543,7 @@ Continuing with key generation will replace this key."
req_extensions = req_extra
[ req_extra ]
$EASYRSA_EXTRA_EXTS"
#shellcheck disable=SC2016
awkscript='
{if ( match($0, "^#%EXTRA_EXTS%") )
{ while ( getline<"/dev/stdin" ) {print} next }
@ -556,7 +561,8 @@ $EASYRSA_EXTRA_EXTS"
req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp"
# generate request
[ $EASYRSA_BATCH ] && opts="$opts -batch"
"$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
# shellcheck disable=SC2086
"$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
-config "$EASYRSA_SSL_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
|| die "Failed to generate request"
mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2=
@ -633,7 +639,7 @@ $(display_dn req "$req_in")
cat "$EASYRSA_EXT_DIR/COMMON"
cat "$EASYRSA_EXT_DIR/$crt_type"
# copy req extensions
[ $EASYRSA_CP_EXT ] && print "copy_extensions = copy"
[ "$EASYRSA_CP_EXT" ] && print "copy_extensions = copy"
# Support a dynamic CA path length when present:
[ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \
@ -655,7 +661,7 @@ $(display_dn req "$req_in")
if [ "$crt_type" = 'server' ]; then
echo "$EASYRSA_EXTRA_EXTS" |
grep -q subjectAltName ||
default_server_san $req_in
default_server_san "$req_in"
fi
# Add any advanced extensions supplied by env-var:
@ -667,9 +673,10 @@ Failed to create temp extension file (bad permissions?) at:
$EASYRSA_TEMP_EXT"
# sign request
# shellcheck disable=SC2086
crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
"$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \
-extfile "$EASYRSA_TEMP_EXT" -days $EASYRSA_CERT_EXPIRE -batch $opts \
-extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \
|| die "signing failed (openssl output above may have more detail)"
mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2=
notice "\
@ -714,6 +721,7 @@ Matching file found at: "
# create request
EASYRSA_REQ_CN="$name"
#shellcheck disable=SC2086
gen_req "$name" batch $req_opts
# Sign it
@ -866,7 +874,7 @@ Missing key expected at: $key_in"
# export the p12:
"$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
-out "$pkcs_out" $pkcs_opts || die "\
-out "$pkcs_out" "$pkcs_opts" || die "\
Export of p12 failed: see above for related openssl errors."
;;
p7)
@ -874,7 +882,7 @@ Export of p12 failed: see above for related openssl errors."
# export the p7:
"$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \
-out "$pkcs_out" $pkcs_opts || die "\
-out "$pkcs_out" "$pkcs_opts" || die "\
Export of p7 failed: see above for related openssl errors."
;;
esac
@ -920,7 +928,7 @@ $file"
If the key is currently encrypted you must supply the decryption passphrase.
${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
"$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto || die "\
"$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" "$crypto" || die "\
Failed to change the private key passphrase. See above for possible openssl
error messages."
@ -940,7 +948,7 @@ Failed to perform update-db: see above for related openssl errors."
# display cert DN info on a req/X509, passed by full pathname
display_dn() {
format="$1" path="$2"
print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)"
print "$("$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject -nameopt multiline)"
} # => display_dn()
# generate default SAN from req/X509, passed by full pathname
@ -951,6 +959,7 @@ default_server_san() {
awk -F'=' '/^ *CN=/{print $2}'
)
echo "$cn" | grep -E -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
#shellcheck disable=SC2181
if [ $? -eq 0 ]; then
print "subjectAltName = IP:$cn"
else
@ -962,7 +971,7 @@ default_server_san() {
verify_file() {
format="$1"
path="$2"
"$EASYRSA_OPENSSL" $format -in "$path" -noout 2>/dev/null || return 1
"$EASYRSA_OPENSSL" "$format" -in "$path" -noout 2>/dev/null || return 1
return 0
} # => verify_file()
@ -1052,7 +1061,10 @@ vars_setup() {
# If a vars file was located, source it
# If $EASYRSA_NO_VARS is defined (not blank) this is skipped
if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
EASYRSA_CALLER=1 . "$vars"
#shellcheck disable=SC2034
EASYRSA_CALLER=1
# shellcheck source=easyrsa3/vars.example
. "$vars"
notice "\
Note: using Easy-RSA configuration from: $vars"
fi
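Review bot: Quoting `$pkcs_opts` in the p12 and p7 export hunks (`-out "$pkcs_out" "$pkcs_opts" || die "\`) and `$crypto` in the passphrase hunk (`... -in "$file" -out "$file" "$crypto" || die "\`) changes behaviour rather than just silencing SC2086: these variables appear to hold zero or more whitespace-separated openssl options (the `${crypto:+...}` expansion two lines earlier shows `crypto` can be empty), so once quoted a multi-option value is passed as a single argument and an empty value becomes an empty-string argument that openssl will reject. The commit already handles the same situation for `$opts` in the CA build, request generation and signing hunks by leaving it unquoted under `# shellcheck disable=SC2086`; the three lines here should be treated the same way, e.g. `-out "$pkcs_out" $pkcs_opts || die "\` preceded by that directive. The assignments of `pkcs_opts` and `crypto` and the enclosing functions lie outside these hunks, so confirm their form there before reverting.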