Improve shellcheck 2086 'Unquoted expansions' problem

Easy-RSA uses unquoted expansion. Each instance of SC2086 has been vetted, accepted and ignored. shellcheck will still find new exceptions. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2022-04-07 02:03:00 +01:00 · 2022-04-07 02:03:00 +01:00 · 15386d4ee3
commit 15386d4ee3
parent 886043fe49
1 changed files with 52 additions and 28 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -839,7 +839,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 	fi

 	# Insert x509-types COMMON and 'ca'
-	#shellcheck disable=SC2016
+	# shellcheck disable=SC2016
 	awkscript='
 {if ( match($0, "^#%X509_TYPES%") )
 	{ while ( getline<"/dev/stdin" ) {print} next }
@ -863,7 +863,12 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 		unset -v EASYRSA_EXTRA_EXTS
 	fi

-	# Choose SSL Library version (1 or 3) and build CA
+	# Choose SSL Library version (1, 2(LibreSSL) or 3) and build CA
+	#
+	# * shellcheck SC2086 # Ignore unquoted variables
+	#   The "correct" solution is to not need unquoted substitutions ..
+	#
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	case "$osslv_major" in # => BEGIN SSL lib version

 	# BEGIN SSL V3
@ -880,7 +885,6 @@ current CA keypair. If you intended to start a new CA, run init-pki first."

 		# Generate CA Key - OpenSSL v3 'genpkey' is not compatible
 		# with easyrsa $opts and $no_password, do NOT use them here
-		# shellcheck disable=SC2086 # Ignore unquoted variables
 		case "$EASYRSA_ALGO" in
 		rsa)
 			# OpenSSL v3: 'genrsa' is deprecate, use 'genpkey'
@ -920,7 +924,6 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 		fi

 		# create the CA keypair:
-		# shellcheck disable=SC2086
 		easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
 			-out "$out_file_tmp" ${opts} ${crypto_opts} \
 			${EASYRSA_CA_EXTRA_EXTS} \
@ -945,7 +948,6 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 		fi

 		# create the CA key
-		#shellcheck disable=SC2086
 		case "$EASYRSA_ALGO" in
 		rsa)
 			"$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts \
@ -981,7 +983,6 @@ current CA keypair. If you intended to start a new CA, run init-pki first."

 		fi

-		#shellcheck disable=SC2086
 		easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
 			-keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
 			${EASYRSA_CA_EXTRA_EXTS} \
@ -1119,6 +1120,7 @@ $EASYRSA_EXTRA_EXTS"
 	fi

 	# Generate request
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	easyrsa_openssl req -utf8 -new -newkey "$algo_opts" \
 		-keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
 		${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} \
@ -1248,10 +1250,12 @@ $ext_tmp"

 	# sign request
 	crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
 		-extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \
 		${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
 			|| die "signing failed (openssl output above may have more detail)"
+
 	mv "$crt_out_tmp" "$crt_out"
 	rm -f "$ext_tmp"
 	notice "\
@ -1297,7 +1301,7 @@ Matching file found at: "

 	# create request
 	EASYRSA_REQ_CN="$name"
-	#shellcheck disable=SC2086
+	#shellcheck disable=SC2086 # Ignore unquoted variables
 	gen_req "$name" batch $req_opts

 	# Sign it
@ -1366,7 +1370,7 @@ $(display_dn x509 "$crt_in")
 Unable to revoke as no certificate was found. Certificate was expected
 at: $crt_in"

-	# shellcheck disable=SC2086
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	easyrsa_openssl ca -utf8 -revoke "$crt_in" $opts \
 		${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\
 Failed to revoke certificate: revocation command failed."
@ -1495,15 +1499,20 @@ $(display_dn x509 "$crt_in")
 Unable to renew as no certificate was found. Certificate was expected
 at: $crt_in"

-	# Check if old cert is expired or expires within 30 days
+	# Check if old cert is expired or expires within 30
+	# - NOT using: shellcheck disable=SC2086 # Ignore unquoted variables
+	# - The "correct" solution is to not need unquoted substitutions ..
 	expire_date=$(
 		easyrsa_openssl x509 -in "$crt_in" -noout -enddate |
 		sed 's/^notAfter=//'
 		)
+
+	# - NOT using: shellcheck disable=SC2086 # Ignore unquoted variables
+	# - The "correct" solution is to not need unquoted substitutions ..
 	case $(uname 2>/dev/null) in
 	"Darwin"|*"BSD")
 		expire_date=$(date -j -f '%b %d %T %Y %Z' "$expire_date" +%s)
-				allow_renew_date=$(($(date -j +%s) + 24*60*60*$EASYRSA_CERT_RENEW))
+		allow_renew_date=$(($(date -j +%s) + 24*60*60*EASYRSA_CERT_RENEW))
 	;;
 	*)
 		# This works on Windows, too, since uname doesn't exist and this is catch-all
@ -1517,10 +1526,13 @@ Certificate expires in more than $EASYRSA_CERT_RENEW days.
 Renewal not allowed."

 	# Extract certificate usage from old cert
+	# - NOT using: shellcheck disable=SC2086 # Ignore unquoted variables
+	# - The "correct" solution is to not need unquoted substitutions ..
 	cert_ext_key_usage=$(
 		easyrsa_openssl x509 -in "$crt_in" -noout -text |
 		sed -n "/X509v3 Extended Key Usage:/{n;s/^ *//g;p;}"
 		)
+
 	case $cert_ext_key_usage in
 		"TLS Web Client Authentication")
 			cert_type=client
@ -1534,6 +1546,9 @@ Renewal not allowed."
 	esac

 	# Use SAN from --subject-alt-name if set else use SAN from old cert
+	# - NOT using: shellcheck disable=SC2086 # Ignore unquoted variables
+	# - The "correct" solution is to not need unquoted substitutions ..
+	# How did this ever get in ?
 	echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName || \
 	{
 		san=$(
@ -1550,7 +1565,7 @@ subjectAltName = $san"
 	move_renewed "$1"

 	# renew certificate
-	# shellcheck disable=SC2086
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	build_full $cert_type "$1" $opts || die "\
 Failed to renew certificate: renew command failed."

@ -1650,6 +1665,8 @@ gen_crl() {

 	out_file="$EASYRSA_PKI/crl.pem"
 	out_file_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
+
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" \
 		${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\
 CRL Generation failed.
@ -1754,7 +1771,7 @@ Missing key expected at: $key_in"
 		fi

 		# export the p12:
-		# shellcheck disable=SC2086
+		# shellcheck disable=SC2086 # Ignore unquoted variables
 		easyrsa_openssl pkcs12 -in "$crt_in" -inkey "$key_in" -export \
 			-out "$pkcs_out" $pkcs_opts \
 			${pkcs_certfile_path:+-certfile "$pkcs_certfile_path"} \
@ -1766,7 +1783,7 @@ Export of p12 failed: see above for related openssl errors."
 		pkcs_out="$EASYRSA_PKI/issued/$short_name.p7b"

 		# export the p7:
-		# shellcheck disable=SC2086
+		# shellcheck disable=SC2086 # Ignore unquoted variables
 		easyrsa_openssl crl2pkcs7 -nocrl -certfile "$crt_in" \
 			-out "$pkcs_out" \
 			${pkcs_certfile_path:+-certfile "$pkcs_certfile_path"} \
@ -1781,7 +1798,7 @@ Export of p7 failed: see above for related openssl errors."
 		pkcs_out="$EASYRSA_PKI/private/$short_name.p8"

 		# export the p8:
-		# shellcheck disable=SC2086
+		# shellcheck disable=SC2086 # Ignore unquoted variables
 		easyrsa_openssl pkcs8 -in "$key_in" -topk8 \
 			-out "$pkcs_out" $pkcs_opts \
 			${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
@ -1831,7 +1848,9 @@ $file"
 If the key is currently encrypted you must supply the decryption passphrase.
 ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"

+	# Set password
 	out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	easyrsa_openssl "$key_type" -in "$file" -out "$out_key_tmp" $crypto \
 		${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
 		${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || die "\
@ -1952,6 +1971,7 @@ Run easyrsa without commands for usage help."
 No such $type file with a basename of '$name' is present.
 Expected to find this file at:
 $in_file"
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	verify_file $format "$in_file" || die "\
 This file is not a valid $type file:
 $in_file"
@ -1961,6 +1981,7 @@ Showing $type details for '$name'.
 This file is stored at:
 $in_file
 "
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	easyrsa_openssl $format -in "$in_file" -noout -text\
 		-nameopt multiline $opts || die "\
 OpenSSL failure to process the input"
@ -1988,6 +2009,7 @@ show_ca() {
 No such $type file with a basename of '$name' is present.
 Expected to find this file at:
 $in_file"
+
 	verify_file $format "$in_file" || die "\
 This file is not a valid $type file:
 $in_file"
@ -1997,6 +2019,8 @@ Showing $type details for 'ca'.
 This file is stored at:
 $in_file
 "
+
+	# shellcheck disable=SC2086 # Ignore unquoted variables
 	easyrsa_openssl $format -in "$in_file" -noout -text\
 		-nameopt multiline $opts || die "\
 OpenSSL failure to process the input"
@ -2112,7 +2136,7 @@ recommended - please remove it from there before continuing."
 				fi
 				# shellcheck disable=SC2034 # EASYRSA_CALLER appears unused.
 				EASYRSA_CALLER=1
-				# shellcheck source=vars.example
+				# shellcheck disable=1090 # can't follow non-constant source. vars
 				. "$vars"
 				notice "\
 Note: using Easy-RSA configuration from: $vars"
@ -2391,8 +2415,8 @@ up23_show_current_ca ()
 {
 	printf "%s\n" "-------------------------------------------------------------------------"
 	# $opts is always set here
-	# shellcheck disable=SC2086
-	easyrsa_openssl $format -in "$in_file" -noout -text\
+	# shellcheck disable=SC2086 # Ignore unquoted variables
+	easyrsa_openssl $format -in "$in_file" -noout -text \
 		-nameopt multiline $opts || die "\
 	OpenSSL failure to process the input CA certificate: $in_file"
 	printf "%s\n" "-------------------------------------------------------------------------"