From 09e2c3b5c36d23985787c069393938f1f4e625ba Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Wed, 3 Jan 2018 18:54:23 -0600 Subject: [PATCH] This breaks stuff (probably) Attempts at making shellcheck happy and a little bit of sanity checking for travis-ci. Going to try and get some basic easyrsa commands going next, once I figure out what travis-ci's environment looks like. Signed-off-by: Eric F Crist --- .travis.yml | 2 ++ easyrsa3/easyrsa | 48 ++++++++++++++++++++++++++++++------------------ 2 files changed, 32 insertions(+), 18 deletions(-) diff --git a/.travis.yml b/.travis.yml index 5772f7a..e5e77ab 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,3 +11,5 @@ addons: script: - bash -c 'export SHELLCHECK_OPTS="-e SC2006"; shopt -s globstar; shellcheck **/*.sh easyrsa3/easyrsa' + - bash -c 'pwd' + - bash -c 'ls -la' diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 4eadf1b..c3f5eba 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -229,19 +229,19 @@ die() { Easy-RSA error: $1" 1>&2 - exit ${2:-1} + exit "${2:-1}" } # => die() # non-fatal warning output warn() { - [ ! $EASYRSA_BATCH ] && \ + [ ! "$EASYRSA_BATCH" ] && \ print " $1" 1>&2 } # => warn() # informational notices to stdout notice() { - [ ! $EASYRSA_BATCH ] && \ + [ ! "$EASYRSA_BATCH" ] && \ print " $1" } # => notice() @@ -250,6 +250,7 @@ $1" # Returns 0 when input contains yes, 1 for no, 2 for no match # If both strings are present, returns 1; first matching line returns. awk_yesno() { + #shellcheck disable=SC2016 awkscript=' BEGIN {IGNORECASE=1; r=2} { if(match($0,"no")) {r=1; exit} @@ -261,7 +262,7 @@ BEGIN {IGNORECASE=1; r=2} # intent confirmation helper func # returns without prompting in EASYRSA_BATCH confirm() { - [ $EASYRSA_BATCH ] && return + [ "$EASYRSA_BATCH" ] && return prompt="$1" value="$2" msg="$3" 
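Review bot: The `#shellcheck disable=SC2016` added above `awkscript=` in awk_yesno is written without the space that the same directive carries in the build_ca and gen_req hunks (`# shellcheck disable=...`); both spellings appear to be accepted, but one form should be used throughout, and the same applies to the directives added before `read input`, the second awkscript, `gen_req "$name" batch $req_opts` and `if [ $? -eq 0 ]`. A short reason next to the directive also helps the next reader, e.g. `# shellcheck disable=SC2016  # $0 is an awk field inside the single-quoted script, not a shell expansion`. awk_yesno's body continues past the end of the hunk.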
@@ -271,6 +272,7 @@ $msg Type the word '$value' to continue, or any other input to abort." printf %s " $prompt" + #shellcheck disable=SC2162 read input [ "$input" = "$value" ] && return notice "Aborting without confirmation." @@ -458,12 +460,14 @@ current CA keypair. If you intended to start a new CA, run init-pki first." print "01" > "$EASYRSA_PKI/serial" || die "$err_file" # Default CN only when not in global EASYRSA_BATCH mode: - [ $EASYRSA_BATCH ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA" + # shellcheck disable=SC2015 + [ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA" out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp" out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp" # create the CA keypair: - "$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \ + #shellcheck disable=SC2086 + "$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \ -config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $opts || \ die "Failed to build the CA" mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2= @@ -490,7 +494,7 @@ gen_dh() { verify_pki_init out_file="$EASYRSA_PKI/dh.pem" - "$EASYRSA_OPENSSL" dhparam -out "$out_file" $EASYRSA_KEY_SIZE || \ + "$EASYRSA_OPENSSL" dhparam -out "$out_file" "$EASYRSA_KEY_SIZE" || \ die "Failed to build DH params" notice "\ DH parameters of size $EASYRSA_KEY_SIZE created at $out_file @@ -506,7 +510,7 @@ Error: gen-req must have a file base as the first argument. Run easyrsa without commands for usage and commands." key_out="$EASYRSA_PKI/private/$1.key" req_out="$EASYRSA_PKI/reqs/$1.req" - [ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1" + [ ! "$EASYRSA_BATCH" ] && EASYRSA_REQ_CN="$1" shift # function opts support 
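Review bot: Disabling SC2162 before `read input` in confirm() suppresses the warning instead of fixing it; `read -r input` is POSIX and stops backslashes in the typed reply from being interpreted, which matters because the reply is compared verbatim against `$value` on the following line. Suggest dropping the directive and writing `read -r input`. confirm() begins above this hunk.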
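Review bot: The `#shellcheck disable=SC2086` added before the `"$EASYRSA_OPENSSL" req` call in build_ca covers the deliberately unquoted `$opts`, but nothing records that the word-splitting is intended, so a later cleanup that quotes it would silently break the `-batch` handling set up two lines earlier. Suggest `# shellcheck disable=SC2086  # $opts is a space-separated option list and must word-split`, and the same for the directive before the gen_req request command and before `gen_req "$name" batch $req_opts` in build_full. The remainder of build_ca is outside the hunk.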
@@ -539,6 +543,7 @@ Continuing with key generation will replace this key." req_extensions = req_extra [ req_extra ] $EASYRSA_EXTRA_EXTS" + #shellcheck disable=SC2016 awkscript=' {if ( match($0, "^#%EXTRA_EXTS%") ) { while ( getline<"/dev/stdin" ) {print} next } @@ -556,7 +561,8 @@ $EASYRSA_EXTRA_EXTS" req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp" # generate request [ $EASYRSA_BATCH ] && opts="$opts -batch" - "$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \ + # shellcheck disable=SC2086 + "$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \ -config "$EASYRSA_SSL_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \ || die "Failed to generate request" mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2= @@ -633,7 +639,7 @@ $(display_dn req "$req_in") cat "$EASYRSA_EXT_DIR/COMMON" cat "$EASYRSA_EXT_DIR/$crt_type" # copy req extensions - [ $EASYRSA_CP_EXT ] && print "copy_extensions = copy" + [ "$EASYRSA_CP_EXT" ] && print "copy_extensions = copy" # Support a dynamic CA path length when present: [ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \ @@ -655,7 +661,7 @@ $(display_dn req "$req_in") if [ "$crt_type" = 'server' ]; then echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName || - default_server_san $req_in + default_server_san "$req_in" fi # Add any advanced extensions supplied by env-var: 
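Review bot: The context line `[ $EASYRSA_BATCH ] && opts="$opts -batch"` two lines above the rewritten `"$EASYRSA_OPENSSL" req` command in gen_req is the one remaining unquoted test of EASYRSA_BATCH, while die(), warn(), notice(), confirm(), build_ca and the gen_req CN line all gained quotes in this commit, so ShellCheck will keep reporting it. Suggest `[ "$EASYRSA_BATCH" ] && opts="$opts -batch"` for consistency. gen_req begins and ends outside the hunk.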
@@ -667,9 +673,10 @@ Failed to create temp extension file (bad permissions?) at: $EASYRSA_TEMP_EXT" # sign request + # shellcheck disable=SC2086 crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp" "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \ - -extfile "$EASYRSA_TEMP_EXT" -days $EASYRSA_CERT_EXPIRE -batch $opts \ + -extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \ || die "signing failed (openssl output above may have more detail)" mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2= notice "\ @@ -714,6 +721,7 @@ Matching file found at: " # create request EASYRSA_REQ_CN="$name" + #shellcheck disable=SC2086 gen_req "$name" batch $req_opts # Sign it @@ -866,7 +874,7 @@ Missing key expected at: $key_in" # export the p12: "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \ - -out "$pkcs_out" $pkcs_opts || die "\ + -out "$pkcs_out" "$pkcs_opts" || die "\ Export of p12 failed: see above for related openssl errors." ;; p7) @@ -874,7 +882,7 @@ Export of p12 failed: see above for related openssl errors." # export the p7: "$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \ - -out "$pkcs_out" $pkcs_opts || die "\ + -out "$pkcs_out" "$pkcs_opts" || die "\ Export of p7 failed: see above for related openssl errors." ;; esac @@ -920,7 +928,7 @@ $file" If the key is currently encrypted you must supply the decryption passphrase. ${crypto:+You will then enter a new PEM passphrase for this key.$NL}" - "$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto || die "\ + "$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" "$crypto" || die "\ Failed to change the private key passphrase. See above for possible openssl error messages." 
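Review bot: The `# shellcheck disable=SC2086` added in sign_req sits before `crt_out_tmp="$(mktemp ...)"`, but the unquoted `$opts` it is meant to cover is on the `"$EASYRSA_OPENSSL" ca` command two lines further down; a directive applies to the command that follows it, so the `$opts` warning will most likely still be reported. Move the directive directly above the `"$EASYRSA_OPENSSL" ca` line. sign_req begins and ends outside the hunk.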
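Review bot: Quoting `"$pkcs_opts"` in the pkcs12 export changes behaviour rather than only silencing SC2086: if pkcs_opts accumulates several words, as the `$opts` lists elsewhere in this file do, openssl now receives the whole list as a single argument, and when it is empty openssl receives an empty argument where before it received nothing. The same applies to `"$pkcs_opts"` in the p7 export hunk and to `"$crypto"` in the set_pass hunk, where the `${crypto:+...}` expansion in the surrounding message shows that crypto is expected to be empty in the nopass case. Either leave these three expansions unquoted with the `# shellcheck disable=SC2086` treatment the commit gives `$opts`, or assemble the options with `set --` and pass `"$@"`. The assignments of pkcs_opts and crypto are outside the hunks, so the multi-word case is inferred from their use.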
@@ -940,7 +948,7 @@ Failed to perform update-db: see above for related openssl errors." # display cert DN info on a req/X509, passed by full pathname display_dn() { format="$1" path="$2" - print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)" + print "$("$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject -nameopt multiline)" } # => display_dn() # generate default SAN from req/X509, passed by full pathname @@ -951,6 +959,7 @@ default_server_san() { awk -F'=' '/^ *CN=/{print $2}' ) echo "$cn" | grep -E -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$' + #shellcheck disable=SC2181 if [ $? -eq 0 ]; then print "subjectAltName = IP:$cn" else @@ -962,7 +971,7 @@ default_server_san() { verify_file() { format="$1" path="$2" - "$EASYRSA_OPENSSL" $format -in "$path" -noout 2>/dev/null || return 1 + "$EASYRSA_OPENSSL" "$format" -in "$path" -noout 2>/dev/null || return 1 return 0 } # => verify_file() @@ -1052,7 +1061,10 @@ vars_setup() { # If a vars file was located, source it # If $EASYRSA_NO_VARS is defined (not blank) this is skipped if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then - EASYRSA_CALLER=1 . "$vars" + #shellcheck disable=SC2034 + EASYRSA_CALLER=1 + # shellcheck source=easyrsa3/vars.example + . "$vars" notice "\ Note: using Easy-RSA configuration from: $vars" fi
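Review bot: The `#shellcheck disable=SC2181` added in default_server_san hides the `$?` check instead of restructuring it; testing the pipeline directly, `if echo "$cn" | grep -E -q '...'; then`, removes the warning and the fragile reliance on `$?` surviving any statement later inserted between the grep and the if. Separately, the context line's pattern uses `\d` inside an ERE, which POSIX and GNU `grep -E` do not define as a digit class, so the `IP:` branch may never be taken for a numeric CN; `[0-9]{1,3}` is the portable spelling, though that defect predates this commit. default_server_san begins above the hunk.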
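Review bot: The `# shellcheck source=easyrsa3/vars.example` added in vars_setup appears to resolve relative to ShellCheck's working directory (or `-P`), so it matches the CI invocation from the repository root but not a `shellcheck easyrsa` run from inside easyrsa3/; and without `-x` on the CI command line ShellCheck, as far as I recall, still does not follow the file, so the directive mainly silences SC1091 rather than linting vars.example. Splitting `EASYRSA_CALLER=1` onto its own line also leaves that variable set for the rest of the script instead of only for the `.` call, which looks harmless here but deserves a line such as `# EASYRSA_CALLER=1 stays set after sourcing; presumably read by the vars file to detect being sourced — confirm against vars.example`. vars_setup continues past the hunk.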