From 224312ed424571276ab38a6c840c34c4a60268c2 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Wed, 10 Jul 2024 14:36:05 +0200 Subject: [PATCH] feat: enable all optional shellcheck validations Make shell a little bit safer with: - add-default-case - check-extra-masked-returns - check-set-e-suppressed - quote-safe-variables - check-unassigned-uppercase Although there are some stylistic decisions for uniformity: - avoid-nullary-conditions - deprecated-which - require-variable-braces --- .github/workflows/main.yaml | 2 +- .pre-commit-config.yaml | 14 ++--- .shellcheckrc | 5 ++ rpm_spec/qusal-browser.spec | 3 + rpm_spec/qusal-dom0.spec | 3 + rpm_spec/qusal-dotfiles.spec | 3 + rpm_spec/qusal-fedora-minimal.spec | 3 + rpm_spec/qusal-reader.spec | 3 + rpm_spec/qusal-sys-bitcoin.spec | 3 + rpm_spec/qusal-sys-cacher.spec | 6 +- rpm_spec/qusal-sys-electrs.spec | 3 + rpm_spec/qusal-sys-git.spec | 3 + rpm_spec/qusal-sys-net.spec | 3 + rpm_spec/qusal-sys-ssh-agent.spec | 3 + rpm_spec/qusal-sys-syncthing.spec | 3 + rpm_spec/qusal-sys-wireguard.spec | 3 + .../kde-activity-changed-notifier | 14 ++--- salt/dom0/files/bin/qubes-kde-win-rules | 41 +++++++------ salt/dom0/files/bin/qvm-mgmt | 1 + salt/dom0/files/bin/qvm-pci-regain | 3 +- salt/dom0/files/bin/qvm-port-forward | 11 +++- salt/dom0/files/bin/qvm-screenshot | 15 ++++- salt/dotfiles | 2 +- .../files/client/profile/opam.sh | 9 +-- .../files/client/bin/gpg-qubes-builder | 2 +- .../files/server/bin/bitcoin-whitepaper | 6 +- .../files/server/rpc/qusal.BitcoinAuthGet | 1 + .../files/client/bin/apt-cacher-ng-repo | 16 +++-- .../files/client/git-core/git-init-qrexec | 7 ++- .../files/client/git-core/git-remote-qrexec | 5 +- .../client/git-core/git-remote-qrexec-connect | 3 +- salt/sys-git/files/server/rpc/qusal.GitInit | 3 +- .../admin/bin/qusal-report-updatevm-origin | 4 +- .../sys-net/files/server/rpc/qusal.ConnectTCP | 1 + salt/sys-pihole/files/admin/prefs.sh | 4 +- .../files/server/bin/qvm-ssh-agent | 38 ++++++------ .../files/server/rpc/qusal.SshAgent | 3 +- .../files/admin/bin/qvm-wireguard | 59 ++++++++++--------- scripts/best-program.sh | 4 +- scripts/markdown-lint.sh | 22 ++++--- scripts/python-lint.sh | 15 +++-- scripts/qubesbuilder-gen.sh | 6 +- scripts/release.sh | 4 +- scripts/salt-fix.sh | 15 +++-- scripts/salt-lint.sh | 27 +++++---- scripts/setup.sh | 7 ++- scripts/shell-lint.sh | 58 ++++++++---------- scripts/spec-build.sh | 9 ++- scripts/spec-gen.sh | 18 +++--- scripts/spec-get.sh | 12 ++-- scripts/spell-lint.sh | 14 +++-- scripts/toc-gen.sh | 13 ++-- scripts/unicode-prohibit.sh | 5 +- scripts/yaml-lint.sh | 14 +++-- scripts/yumrepo-gen.sh | 8 ++- 55 files changed, 343 insertions(+), 219 deletions(-) create mode 100644 .shellcheckrc diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 5e120b86..1a94c42b 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -54,7 +54,7 @@ jobs: run: | editorconfig-checker editorconfig-checker salt/dotfiles - - name: Lint commits + - name: Lint commit messages run: | if test "${{ github.event_name}}" = "pull_request" then diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 755ca648..38c50c6c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -4,7 +4,12 @@ # SPDX-License-Identifier: AGPL-3.0-or-later --- + +default_install_hook_types: + - pre-commit + repos: + - repo: local hooks: @@ -99,12 +104,3 @@ repos: language: python pass_filenames: false description: Lint files to comply with the REUSE Specification - - - id: commit-lint - name: commit-lint - language: python - entry: gitlint - args: [--staged, --msg-filename] - stages: [commit-msg] - pass_filenames: true - description: Lint Git commits diff --git a/.shellcheckrc b/.shellcheckrc new file mode 100644 index 00000000..6aadf67b --- /dev/null +++ b/.shellcheckrc @@ -0,0 +1,5 @@ +# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. +# +# SPDX-License-Identifier: MIT + +enable=all diff --git a/rpm_spec/qusal-browser.spec b/rpm_spec/qusal-browser.spec index 731942be..e1ff1a50 100644 --- a/rpm_spec/qusal-browser.spec +++ b/rpm_spec/qusal-browser.spec @@ -115,6 +115,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Thu Jul 04 2024 Ben Grande - 383c840 - doc: lint markdown files diff --git a/rpm_spec/qusal-dom0.spec b/rpm_spec/qusal-dom0.spec index 9e2ba25b..3d9a95df 100644 --- a/rpm_spec/qusal-dom0.spec +++ b/rpm_spec/qusal-dom0.spec @@ -107,6 +107,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Mon Jul 08 2024 Ben Grande - 523bca2 - fix: conform files to editorconfig specification diff --git a/rpm_spec/qusal-dotfiles.spec b/rpm_spec/qusal-dotfiles.spec index b76dfe14..eae0c245 100644 --- a/rpm_spec/qusal-dotfiles.spec +++ b/rpm_spec/qusal-dotfiles.spec @@ -118,6 +118,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Mon Jul 08 2024 Ben Grande - 28c298d - fix: add Python indentation to editorconfig diff --git a/rpm_spec/qusal-fedora-minimal.spec b/rpm_spec/qusal-fedora-minimal.spec index d6231261..c2dbec7c 100644 --- a/rpm_spec/qusal-fedora-minimal.spec +++ b/rpm_spec/qusal-fedora-minimal.spec @@ -108,6 +108,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Thu Jul 04 2024 Ben Grande - 383c840 - doc: lint markdown files diff --git a/rpm_spec/qusal-reader.spec b/rpm_spec/qusal-reader.spec index d485c30e..182e7293 100644 --- a/rpm_spec/qusal-reader.spec +++ b/rpm_spec/qusal-reader.spec @@ -110,6 +110,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Thu Jul 04 2024 Ben Grande - 383c840 - doc: lint markdown files diff --git a/rpm_spec/qusal-sys-bitcoin.spec b/rpm_spec/qusal-sys-bitcoin.spec index fb433d1f..e75363bd 100644 --- a/rpm_spec/qusal-sys-bitcoin.spec +++ b/rpm_spec/qusal-sys-bitcoin.spec @@ -137,6 +137,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Thu Jul 04 2024 Ben Grande - 383c840 - doc: lint markdown files diff --git a/rpm_spec/qusal-sys-cacher.spec b/rpm_spec/qusal-sys-cacher.spec index 73d141f8..3dcd4fce 100644 --- a/rpm_spec/qusal-sys-cacher.spec +++ b/rpm_spec/qusal-sys-cacher.spec @@ -130,6 +130,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Mon Jul 08 2024 Ben Grande - f60077f - doc: spell check @@ -276,6 +279,3 @@ fi * Wed Jan 10 2024 Ben Grande - 2b6daac - fix: shellcheck - -* Wed Dec 20 2023 Ben Grande - 38d98ec -- fix: nft shebang and table names diff --git a/rpm_spec/qusal-sys-electrs.spec b/rpm_spec/qusal-sys-electrs.spec index e76ab61a..27411ac7 100644 --- a/rpm_spec/qusal-sys-electrs.spec +++ b/rpm_spec/qusal-sys-electrs.spec @@ -123,6 +123,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Thu Jul 04 2024 Ben Grande - 383c840 - doc: lint markdown files diff --git a/rpm_spec/qusal-sys-git.spec b/rpm_spec/qusal-sys-git.spec index 671b250e..39a30a89 100644 --- a/rpm_spec/qusal-sys-git.spec +++ b/rpm_spec/qusal-sys-git.spec @@ -111,6 +111,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Thu Jul 04 2024 Ben Grande - 383c840 - doc: lint markdown files diff --git a/rpm_spec/qusal-sys-net.spec b/rpm_spec/qusal-sys-net.spec index 5ae3f294..07e929b1 100644 --- a/rpm_spec/qusal-sys-net.spec +++ b/rpm_spec/qusal-sys-net.spec @@ -114,6 +114,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Thu Jul 04 2024 Ben Grande - 383c840 - doc: lint markdown files diff --git a/rpm_spec/qusal-sys-ssh-agent.spec b/rpm_spec/qusal-sys-ssh-agent.spec index 0a488899..d28c0006 100644 --- a/rpm_spec/qusal-sys-ssh-agent.spec +++ b/rpm_spec/qusal-sys-ssh-agent.spec @@ -120,6 +120,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Mon Jul 08 2024 Ben Grande - f60077f - doc: spell check diff --git a/rpm_spec/qusal-sys-syncthing.spec b/rpm_spec/qusal-sys-syncthing.spec index 8a5f8fd8..3a9c908e 100644 --- a/rpm_spec/qusal-sys-syncthing.spec +++ b/rpm_spec/qusal-sys-syncthing.spec @@ -120,6 +120,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Thu Jul 04 2024 Ben Grande - 383c840 - doc: lint markdown files diff --git a/rpm_spec/qusal-sys-wireguard.spec b/rpm_spec/qusal-sys-wireguard.spec index b25f8e7c..d15bfca5 100644 --- a/rpm_spec/qusal-sys-wireguard.spec +++ b/rpm_spec/qusal-sys-wireguard.spec @@ -108,6 +108,9 @@ fi %dnl TODO: missing '%ghost', files generated during %post, such as Qrexec policies. %changelog +* Tue Jul 09 2024 Ben Grande - 011a71a +- style: limit line length per file extension + * Fri Jul 05 2024 Ben Grande - 80482bf - fix: use systemd-resolved DNS on boot diff --git a/salt/dom0/files/autostart-scripts/kde-activity-changed-notifier b/salt/dom0/files/autostart-scripts/kde-activity-changed-notifier index 98021a81..1c39b000 100755 --- a/salt/dom0/files/autostart-scripts/kde-activity-changed-notifier +++ b/salt/dom0/files/autostart-scripts/kde-activity-changed-notifier @@ -21,19 +21,19 @@ case "${XDG_SESSION_DESKTOP:-}" in esac service="org.kde.ActivityManager" -interface="$service.Activities" +interface="${service}.Activities" path="/ActivityManager/Activities" signal="CurrentActivityChanged" dbus-monitor --profile \ - "type=signal,path=$path,interface=$interface,member=$signal" | \ + "type=signal,path=${path},interface=${interface},member=${signal}" | \ while read -r _ _ _ _ _ path interface member; do - test "$member" = "$signal" || continue - id="$(qdbus "$service" "$path" "$interface.CurrentActivity")" - name="$(qdbus "$service" "$path" "$interface.ActivityName" "$id")" + test "${member}" = "${signal}" || continue + id="$(qdbus "${service}" "${path}" "${interface}.CurrentActivity")" + name="$(qdbus "${service}" "${path}" "${interface}.ActivityName" "${id}")" if command -v kdialog >/dev/null; then - kdialog --title "Activity: $name" --passivepopup "Switched Activities" 3 + kdialog --title "Activity: ${name}" --passivepopup "Switched Activities" 3 elif command -v notify-send >/dev/null; then - notify-send -u normal -t 3000 "Activity: $name" "Switched activities" + notify-send -u normal -t 3000 "Activity: ${name}" "Switched activities" fi done diff --git a/salt/dom0/files/bin/qubes-kde-win-rules b/salt/dom0/files/bin/qubes-kde-win-rules index f3d6f63b..d69fcfe2 100755 --- a/salt/dom0/files/bin/qubes-kde-win-rules +++ b/salt/dom0/files/bin/qubes-kde-win-rules @@ -8,7 +8,7 @@ # shellcheck disable=SC1090,SC2317 set -eu -file="${XDG_CONFIG_HOME:=$HOME/.config}/kwinrulesrc" +file="${XDG_CONFIG_HOME:=${HOME}/.config}/kwinrulesrc" usage(){ echo "Usage: ${0##*/} @@ -25,10 +25,10 @@ writeconf(){ key="$2" value="$3" - group_id="$(grep -B1 -- "^Description=$group$" "$file" | head -1 | + group_id="$(grep -B1 -- "^Description=${group}$" "${file}" | head -1 | tr -d "[" | tr -d "]")" if test -z "${group_id}"; then - highest_id="$(grep -- "\[[0-9]\+\]" "$file" | tr -d "[" | tr -d "]" | + highest_id="$(grep -- "\[[0-9]\+\]" "${file}" | tr -d "[" | tr -d "]" | sort | tail -1)" if test -n "${highest_id}"; then group_id="$((highest_id+1))" @@ -37,38 +37,41 @@ writeconf(){ fi fi - kwriteconfig --file "$file" --group "$group_id" --key "$key" "$value" + kwriteconfig --file "${file}" --group "${group_id}" --key "${key}" \ + "${value}" } writeconf_group(){ chosen_group="$1" chosen_activity="$2" - writeconf "$chosen_group" Description "$chosen_group" - if test -n "$chosen_activity"; then + writeconf "${chosen_group}" Description "${chosen_group}" + if test -n "${chosen_activity}"; then chosen_activity_id="$(kactivities-cli --list-activities | - awk -v activity="$chosen_activity" '$3 ~ activity {print $2}')" - if test -z "$chosen_activity_id"; then - printf '%s\n' "Invalid activity name: $chosen_activity" + awk -v activity="${chosen_activity}" '$3 ~ activity {print $2}')" + if test -z "${chosen_activity_id}"; then + printf '%s\n' "Invalid activity name: ${chosen_activity}" exit 1 fi - writeconf "$chosen_group" activity "$chosen_activity_id" - writeconf "$chosen_group" activityrule 2 + writeconf "${chosen_group}" activity "${chosen_activity_id}" + writeconf "${chosen_group}" activityrule 2 fi ## Regex: https://doc.qt.io/qt-6/qregularexpression.html - writeconf "$chosen_group" title \ - "^\\[(disp-|dvm-)?$chosen_group(-\\S+)?\\] .*" - writeconf "$chosen_group" titlematch 3 - writeconf "$chosen_group" wmclass "$chosen_group" - writeconf "$chosen_group" wmclasscomplete false - writeconf "$chosen_group" wmclassmatch 2 + writeconf "${chosen_group}" title \ + "^\\[(disp-|dvm-)?${chosen_group}(-\\S+)?\\] .*" + writeconf "${chosen_group}" titlematch 3 + writeconf "${chosen_group}" wmclass "${chosen_group}" + writeconf "${chosen_group}" wmclasscomplete false + writeconf "${chosen_group}" wmclassmatch 2 } case "${1-}" in - ""|-h|--?help) usage + ""|-h|--?help) usage;; + *) ;; esac case "${2-}" in - "") usage + "") usage;; + *) ;; esac writeconf_group "${1}" "${2}" diff --git a/salt/dom0/files/bin/qvm-mgmt b/salt/dom0/files/bin/qvm-mgmt index d706ce7d..334975ab 100755 --- a/salt/dom0/files/bin/qvm-mgmt +++ b/salt/dom0/files/bin/qvm-mgmt @@ -59,6 +59,7 @@ case "${class}" in StandaloneVM|TemplateVM) get_qube_feat "${wanted_qube}" ;; + *) echo "Unsupported qube class" >&2; exit 1;; esac wanted_mgmt="$(qvm-prefs "${wanted_qube}" management_dispvm)" echo "${wanted_qube} management_dispvm: ${wanted_mgmt}" diff --git a/salt/dom0/files/bin/qvm-pci-regain b/salt/dom0/files/bin/qvm-pci-regain index 820e6951..2e3aaf7b 100755 --- a/salt/dom0/files/bin/qvm-pci-regain +++ b/salt/dom0/files/bin/qvm-pci-regain @@ -34,7 +34,8 @@ case "${2-}" in *) device="${2}" esac -test "$(id -u)" = "0" || exec sudo "${0}" +uid="$(id -u)" +test "${uid}" = "0" || exec sudo "${0}" echo "${device}" | tee /sys/bus/pci/drivers/pciback/unbind modalias="$(cat "/sys/bus/pci/devices/${device}/modalias")" diff --git a/salt/dom0/files/bin/qvm-port-forward b/salt/dom0/files/bin/qvm-port-forward index caed8fbe..c252e37b 100755 --- a/salt/dom0/files/bin/qvm-port-forward +++ b/salt/dom0/files/bin/qvm-port-forward @@ -32,6 +32,7 @@ validate_handle(){ echo "error: ${qube}: invalid handle" >&2 exit 1 ;; + *) ;; esac } @@ -43,6 +44,7 @@ validate_ipv4(){ echo "error: ${qube}: invalid IPv4 address" >&2 exit 1 ;; + *) ;; esac } @@ -54,6 +56,7 @@ validate_ipv6(){ echo "error: ${qube}: invalid IPv6 address" >&2 exit 1 ;; + *) ;; esac } @@ -65,6 +68,7 @@ validate_dev(){ echo "error: ${qube}: invalid device name" >&2 exit 1 ;; + *) ;; esac } @@ -150,7 +154,8 @@ add rule ip qubes ${forward_chain} ${forward_rule}'" run_qube "${from_qube}" "${full_rule}" if test "${persistent}" = "1"; then - if test "$(qvm-prefs --get -- "${from_qube}" klass)" = "DispVM"; then + class="$(qvm-prefs --get -- "${from_qube}" klass)" + if test "${class}" = "DispVM"; then from_qube="$(qvm-prefs --get -- "${from_qube}" template)" fi @@ -258,6 +263,7 @@ get_lan(){ test_qvm_run(){ qube="${1}" + # shellcheck disable=SC2310 if ! run_qube "${qube}" echo "Test QUBESRPC" >/dev/null 2>&1; then echo "error: ${qube}: RPC qubes.VMShell failed, use a different qube" >&2 exit 1 @@ -272,12 +278,14 @@ recurse_netvms() { case "${cmd}" in show-upstream) test_qvm_run "${rec_qube}";; apply-rules) forward "${rec_netvm}" "${rec_qube}";; + *) echo "Unsupported command passed to recurse_netvms()" >&2; exit 1;; esac recurse_netvms "${cmd}" "${rec_netvm}" fi case "${cmd}" in show-upstream) get_lan "${rec_qube}";; apply-rules) ;; + *) echo "Unsupported command passed to recurse_netvms()" >&2; exit 1;; esac } @@ -358,6 +366,7 @@ while test "${#}" -gt "0"; do -n|--proto) proto="${2}"; shift;; -s|--persistent) persistent=1; shift;; -h|--help) usage;; + *) echo "Unsupported option" >&2; exit 1;; esac shift done diff --git a/salt/dom0/files/bin/qvm-screenshot b/salt/dom0/files/bin/qvm-screenshot index be0dd56e..7446aac5 100755 --- a/salt/dom0/files/bin/qvm-screenshot +++ b/salt/dom0/files/bin/qvm-screenshot @@ -20,26 +20,31 @@ take_screenshot() { case "${screenshot_type}" in window) spectacle -a -o "${screenshot_file}";; fullscreen) spectacle -f -o "${screenshot_file}";; + *) echo "Unsupported screenshot type" >&2; exit 1;; esac ;; xfce4-screenshooter) case "${screenshot_type}" in window) xfce4-screenshooter -w -s "${screenshot_file}";; fullscreen) xfce4-screenshooter -f -s "${screenshot_file}";; + *) echo "Unsupported screenshot type" >&2; exit 1;; esac ;; scrot) case "${screenshot_type}" in window) scrot -s -b "${screenshot_file}";; fullscreen) scrot -b "${screenshot_file}";; + *) echo "Unsupported screenshot type" >&2; exit 1;; esac ;; maim) case "${screenshot_type}" in window) maim -s -o -u "${screenshot_file}";; fullscreen) maim -o -u "${screenshot_file}";; + *) echo "Unsupported screenshot type" >&2; exit 1;; esac ;; + *) echo "Unsupported screenshot tool" >&2; exit 1;; esac } @@ -157,6 +162,7 @@ if test -n "${screenshot_cmd_wanted}"; then case "${dialog_cmd}" in zenity) zenity --info --text "${msg}";; kdialog) kdialog --msgbox "${msg}";; + *) echo "Unsupported dialog command" >&2; exit 1;; esac exit 1 fi @@ -186,6 +192,7 @@ else case "${dialog_cmd}" in zenity) zenity --info --text "${msg}";; kdialog) kdialog --msgbox "${msg}";; + *) echo "Unsupported dialog command" >&2; exit 1;; esac exit 1 fi @@ -210,6 +217,7 @@ if test -z "${screenshot_type_text}"; then "Fullscreen" "Fullscreen" off \ )" ;; + *) echo "Unsupported dialog command" >&2; exit 1;; esac fi @@ -225,6 +233,7 @@ if ! test -f "${screenshot_file}"; then case "${dialog_cmd}" in zenity) zenity --warning --text "${msg}";; kdialog) kdialog --sorry "${msg}";; + *) echo "Unsupported dialog command" >&2; exit 1;; esac exit 1 fi @@ -250,6 +259,7 @@ if test "${screenshot_action_supplied}" != "1"; then "Move file" "Move file" off )" ;; + *) echo "Unsupported dialog command" >&2; exit 1;; esac if test -z "${screenshot_action_text}"; then @@ -293,6 +303,7 @@ if test -z "${qube}"; then # shellcheck disable=SC2086 qube="$(kdialog --radiolist "${dialog_title}" ${qube_list})" ;; + *) echo "Unsupported dialog command" >&2; exit 1;; esac if test -z "${qube}"; then msg="qube was not selected" @@ -300,6 +311,7 @@ if test -z "${qube}"; then case "${dialog_cmd}" in zenity) zenity --error --text "${msg}";; kdialog) kdialog --error "${msg}";; + *) echo "Unsupported dialog command" >&2; exit 1;; esac exit 1 fi @@ -311,6 +323,7 @@ if ! qvm-check -- "${qube}" >/dev/null 2>&1; then case "${dialog_cmd}" in zenity) zenity --error --text "${msg}";; kdialog) kdialog --error "${msg}";; + *) echo "Unsupported dialog command" >&2; exit 1;; esac exit 1 fi @@ -319,7 +332,7 @@ qvm-run "${qube}" -- "mkdir -p \"${qube_pictures_dir}\"" qvm-run --pass-io "${qube}" -- "cat > \"${qube_screenshot_file}\"" \ < "${screenshot_file}" -if test ${file_move} = "1"; then +if test "${file_move}" = "1"; then rm -f "${screenshot_file}" fi diff --git a/salt/dotfiles b/salt/dotfiles index 024e9c46..69c14a24 160000 --- a/salt/dotfiles +++ b/salt/dotfiles @@ -1 +1 @@ -Subproject commit 024e9c469de634181ec77eb52420f25339f4f01e +Subproject commit 69c14a2429aeb80b7bc01c9b875d7114450e4e72 diff --git a/salt/mirage-builder/files/client/profile/opam.sh b/salt/mirage-builder/files/client/profile/opam.sh index 08dd78e0..36f7b0ba 100755 --- a/salt/mirage-builder/files/client/profile/opam.sh +++ b/salt/mirage-builder/files/client/profile/opam.sh @@ -5,8 +5,9 @@ ## SPDX-License-Identifier: AGPL-3.0-or-later # shellcheck disable=SC1091 -if test -n "${ZSH_VERSION-}" && test -r "$HOME/.opam/opam-init/init.zsh"; then - . "$HOME/.opam/opam-init/init.zsh" >/dev/null 2>&1 -elif test -r "$HOME/.opam/opam-init/init.sh"; then - . "$HOME/.opam/opam-init/init.sh" >/dev/null 2>&1 +if test -n "${ZSH_VERSION-}" && test -r "${HOME}/.opam/opam-init/init.zsh" +then + . "${HOME}/.opam/opam-init/init.zsh" >/dev/null 2>&1 +elif test -r "${HOME}/.opam/opam-init/init.sh"; then + . "${HOME}/.opam/opam-init/init.sh" >/dev/null 2>&1 fi diff --git a/salt/qubes-builder/files/client/bin/gpg-qubes-builder b/salt/qubes-builder/files/client/bin/gpg-qubes-builder index 08003ed6..752c9e27 100755 --- a/salt/qubes-builder/files/client/bin/gpg-qubes-builder +++ b/salt/qubes-builder/files/client/bin/gpg-qubes-builder @@ -3,4 +3,4 @@ # # SPDX-License-Identifier: AGPL-3.0-or-later set -eu -env GNUPGHOME="$HOME/.gnupg/qubes-builder" gpg2 "$@" +env GNUPGHOME="${HOME}/.gnupg/qubes-builder" gpg2 "${@}" diff --git a/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper b/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper index 6fee7190..db87da5c 100755 --- a/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper +++ b/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper @@ -20,6 +20,7 @@ has(){ check_installed(){ missing_programs=0 for prog in "${@}"; do + # shellcheck disable=SC2310 if ! has "${prog}"; then echo "Missing program: ${prog}" >&2 missing_programs=1 @@ -43,6 +44,7 @@ validate_dir(){ getblock(){ check_installed bitcoin-cli xxd + # shellcheck disable=SC2312 bitcoin-cli getblock "${block_hash}" 0 \ | tail -c+92167 \ | for ((o=0;o<946;++o)); do \ @@ -57,6 +59,7 @@ getblock(){ getrawtransaction(){ check_installed bitcoin-cli xxd + # shellcheck disable=SC2312 bitcoin-cli getrawtransaction "${txid}" 0 "${block_hash}" \ | sed 's/0100000000000000/\n/g' \ | tail -n +2 \ @@ -69,6 +72,7 @@ getrawtransaction(){ gettxout(){ check_installed bitcoin-cli jq xxd seq + # shellcheck disable=SC2312 seq 0 947 \ | (while read -r n; do bitcoin-cli gettxout "${txid}" "${n}" \ | jq -r '.scriptPubKey.asm' \ @@ -82,7 +86,7 @@ gettxout(){ usage(){ echo "Usage: ${0##*/} getblock|getrawtransaction|gettxout [DIR]" echo "Note: gettxout works with pruned node" - echo "Note: DIR defaults to \$HOME" + echo "Note: DIR defaults to \${HOME}" exit 1 } diff --git a/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet b/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet index 78a061e1..a9c199fd 100755 --- a/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet +++ b/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet @@ -11,6 +11,7 @@ set -eu bitcoin_conf="/home/user/.bitcoin/conf.d/rpcauth.conf" bitcoin_pass="/home/user/.bitcoin/rpcclient.pass" +# shellcheck disable=SC2154 user="${QREXEC_REMOTE_DOMAIN}" if ! systemctl is-active bitcoind >/dev/null 2>&1; then diff --git a/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo b/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo index cbe74194..e83a51fe 100755 --- a/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo +++ b/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo @@ -14,9 +14,9 @@ ## beneficial as 'find' fails if file is not existent and sending all 'find' ## output to /dev/stderr is not great. ## -## Assigning the repositories files to '$@' avoids having to parse their names -## in case they contain spaces, newlines and other dangerous characters to the -## shell, it is also an easy way to use an array for /bin/sh. +## Assigning the repositories files to '${@}' avoids having to parse their +## names in case they contain spaces, newlines and other dangerous characters +## to the shell, it is also an easy way to use an array for /bin/sh. set -eu @@ -183,6 +183,7 @@ EOF -e "s|^\s*#.*metalink\s*=|metalink=|w ${changes_file}" \ {} \+ 2>/dev/null || true ;; + *) echo "Unsupported action" >&2; exit 1 esac elif test -e /etc/debian_version && test ! -e /usr/share/whonix/marker; then @@ -235,6 +236,7 @@ EOF -e "${list_expr}" -e "${sources_expr}" \ {} \+ ;; + *) echo "Unsupported action" >&2; exit 1 esac elif test -e /etc/arch-release; then @@ -246,11 +248,11 @@ EOF fi cat >/run/qubes/bin/pacman </etc/profile.d/qubes-proxy.sh << EOF -export PATH=/run/qubes/bin:\$PATH +export PATH=/run/qubes/bin:\${PATH} EOF else rm -f /run/qubes/bin/pacman /etc/profile.d/qubes-proxy.sh @@ -287,6 +289,7 @@ EOF -e "${repo_regex}" \ {} \+ ;; + *) echo "Unsupported action" >&2; exit 1 esac else @@ -325,7 +328,8 @@ case "${1-}" in *) usage;; esac -if test "$(id -u)" != "0"; then +uid="$(id -u)" +if test "${uid}" != "0"; then echo "Error: Permission denied, action requires root privileges." exit 1 fi diff --git a/salt/sys-git/files/client/git-core/git-init-qrexec b/salt/sys-git/files/client/git-core/git-init-qrexec index c2574d84..6ef642c1 100755 --- a/salt/sys-git/files/client/git-core/git-init-qrexec +++ b/salt/sys-git/files/client/git-core/git-init-qrexec @@ -8,6 +8,7 @@ set -eu case "${GIT_TRACE_HELPER:-}" in true|1) set -x;; + *) ;; esac usage(){ @@ -32,7 +33,11 @@ case "${1-}" in *) authority="${1}";; esac case "${2-}" in - "") is_git_repo; repo="$(basename "$(git rev-parse --show-toplevel)")";; + "") + is_git_repo + repo="$(git rev-parse --show-toplevel)" + repo="$(basename "${repo}")" + ;; *) repo="${2}";; esac diff --git a/salt/sys-git/files/client/git-core/git-remote-qrexec b/salt/sys-git/files/client/git-core/git-remote-qrexec index 54928333..13c9b843 100755 --- a/salt/sys-git/files/client/git-core/git-remote-qrexec +++ b/salt/sys-git/files/client/git-core/git-remote-qrexec @@ -25,7 +25,8 @@ die(){ log(){ case "${GIT_TRACE_REMOTE_HELPER:-}" in - true|1) echo "${@}" >&2 + true|1) echo "${@}" >&2;; + *) ;; esac } @@ -164,7 +165,7 @@ capabilities="$(find_capabilities)" ## Communicate with the git-remote-helpers protocol. while read -r cmd arg; do - log "<- $cmd $arg" + log "<- ${cmd} ${arg}" case "${cmd}" in capabilities) for c in ${capabilities}; do log "-> ${c}"; done; log "->" diff --git a/salt/sys-git/files/client/git-core/git-remote-qrexec-connect b/salt/sys-git/files/client/git-core/git-remote-qrexec-connect index f99cec90..3e41ffd2 100755 --- a/salt/sys-git/files/client/git-core/git-remote-qrexec-connect +++ b/salt/sys-git/files/client/git-core/git-remote-qrexec-connect @@ -19,7 +19,8 @@ die(){ log(){ case "${GIT_TRACE_REMOTE_HELPER:-}" in - true|1) echo "${@}" >&2 + true|1) echo "${@}" >&2;; + *) ;; esac } diff --git a/salt/sys-git/files/server/rpc/qusal.GitInit b/salt/sys-git/files/server/rpc/qusal.GitInit index 6ce14132..e4155091 100644 --- a/salt/sys-git/files/server/rpc/qusal.GitInit +++ b/salt/sys-git/files/server/rpc/qusal.GitInit @@ -16,6 +16,7 @@ if ! command -v git >/dev/null; then fi ## TODO: subdirectory? dir+repo +# shellcheck disable=SC2154 untrusted_repo="${QREXEC_SERVICE_ARGUMENT}" if test -z "${untrusted_repo}"; then @@ -35,7 +36,7 @@ if test "${#untrusted_repo}" -gt 128; then die "Repository name is too long: ${#untrusted_repo}" fi -base_path="$HOME/src" +base_path="${HOME}/src" repo="${untrusted_repo}" case "${repo}" in diff --git a/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin b/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin index 0fc0e1f2..6ff9aeeb 100755 --- a/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin +++ b/salt/sys-net/files/admin/bin/qusal-report-updatevm-origin @@ -13,8 +13,10 @@ case "${updatevm_class}" in StandaloneVM) proxy_target="${updatevm}";; AppVM) proxy_target="$(qvm-prefs "${updatevm}" template)";; DispVM) - proxy_target="$(qvm-prefs "$(qvm-prefs "${updatevm}" template)" template)" + proxy_target="$(qvm-prefs "${updatevm}" template)" + proxy_target="$(qvm-prefs "${proxy_target}" template)" ;; + *) echo "Unsupported qube class" >&2; exit 1;; esac if test -n "${proxy_target}"; then echo "${proxy_target}" diff --git a/salt/sys-net/files/server/rpc/qusal.ConnectTCP b/salt/sys-net/files/server/rpc/qusal.ConnectTCP index ffaef99d..e7ac74c1 100755 --- a/salt/sys-net/files/server/rpc/qusal.ConnectTCP +++ b/salt/sys-net/files/server/rpc/qusal.ConnectTCP @@ -17,6 +17,7 @@ set -eu +# shellcheck disable=SC2154 arg="${QREXEC_SERVICE_ARGUMENT}" host="${arg%%+*}" port="${arg##*+}" diff --git a/salt/sys-pihole/files/admin/prefs.sh b/salt/sys-pihole/files/admin/prefs.sh index 16ba79b2..f079717d 100755 --- a/salt/sys-pihole/files/admin/prefs.sh +++ b/salt/sys-pihole/files/admin/prefs.sh @@ -13,9 +13,9 @@ for qube in $(qvm-ls --raw-data --fields=NAME,NETVM | do ## Avoid overwriting netvm to sys-pihole when instead it should use the ## default_netvm, so better to prevent overwriting user choices. - qvm-prefs "$qube" | grep -q "^netvm[[:space:]]\+D" && continue + qvm-prefs "${qube}" | grep -q "^netvm[[:space:]]\+D" && continue ## Set netvm for qubes that were using (disp-)sys-firewall to sys-pihole. - qvm-prefs "$qube" netvm sys-pihole + qvm-prefs "${qube}" netvm sys-pihole done exit 0 diff --git a/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent b/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent index 86749e8f..e84fd131 100755 --- a/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent +++ b/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent @@ -21,24 +21,24 @@ Example: } ls_agent(){ - socket="/tmp/${service}/$agent.sock" - test -S "$socket" || return 1 - agent="$(echo "$socket" | sed "s|.*${service}/||;s/\.sock//")" - echo "Agent: ($agent) $socket" - SSH_AUTH_SOCK="$socket" ssh-add -l || true + socket="/tmp/${service}/${agent}.sock" + test -S "${socket}" || return 1 + agent="$(echo "${socket}" | sed "s|.*${service}/||;s/\.sock//")" + echo "Agent: (${agent}) ${socket}" + SSH_AUTH_SOCK="${socket}" ssh-add -l || true } add_agent(){ # shellcheck disable=SC2174 mkdir -m 0700 -p "/tmp/${service}" - dir="$HOME/.ssh/identities.d/${agent}" - if ! test -d "$dir"; then - echo "Directory not found: $dir" >&2 + dir="${HOME}/.ssh/identities.d/${agent}" + if ! test -d "${dir}"; then + echo "Directory not found: ${dir}" >&2 return 1 fi dir="${dir##*/}" socket="/tmp/${service}/${dir}.sock" - if ! test -S "$socket"; then + if ! test -S "${socket}"; then reload_agent=1 ssh-agent -a "/tmp/${service}/${agent}.sock" fi @@ -46,20 +46,20 @@ add_agent(){ return fi keys="$(grep -sl -- "-----BEGIN OPENSSH PRIVATE KEY-----" \ - "$HOME/.ssh/identities.d/$dir"/* || true)" - if test -z "$keys"; then - echo "Directory has no key: $dir" >&2 + "${HOME}/.ssh/identities.d/${dir}"/* || true)" + if test -z "${keys}"; then + echo "Directory has no key: ${dir}" >&2 return 1 fi - SSH_AUTH_SOCK="$socket" ssh-add -D 2>/dev/null || true - for k in $(printf '%s\n' "$keys"); do - test -f "$k" || continue + SSH_AUTH_SOCK="${socket}" ssh-add -D 2>/dev/null || true + for k in $(printf '%s\n' "${keys}"); do + test -f "${k}" || continue ssh_add_option="" - if test -f "$k.ssh-add-option"; then - ssh_add_option="$(cat "$k.ssh-add-option")" + if test -f "${k}.ssh-add-option"; then + ssh_add_option="$(cat "${k}.ssh-add-option")" fi # shellcheck disable=SC2086 - SSH_AUTH_SOCK="$socket" ssh-add $ssh_add_option "$k" + SSH_AUTH_SOCK="${socket}" ssh-add ${ssh_add_option} "${k}" done } @@ -68,7 +68,7 @@ action="${1-}" agent="${2-}" reload_agent="" -case "$action" in +case "${action}" in ls) ls_agent;; add) add_agent;; reload) reload_agent="1"; add_agent;; diff --git a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent index 4c0922b7..8c708a06 100644 --- a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent +++ b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent @@ -11,7 +11,8 @@ die(){ exit 1 } -untrusted_agent="$QREXEC_SERVICE_ARGUMENT" +# shellcheck disable=SC2154 +untrusted_agent="${QREXEC_SERVICE_ARGUMENT}" if test -z "${untrusted_agent}"; then die "Agent name is empty" diff --git a/salt/sys-wireguard/files/admin/bin/qvm-wireguard b/salt/sys-wireguard/files/admin/bin/qvm-wireguard index 1b3b024f..b91e6eb1 100755 --- a/salt/sys-wireguard/files/admin/bin/qvm-wireguard +++ b/salt/sys-wireguard/files/admin/bin/qvm-wireguard @@ -7,7 +7,8 @@ set -eu -test "$(id -u)" = "0" || exec sudo "$0" "$@" +uid="$(id -u)" +test "${uid}" = "0" || exec sudo "$0" "${@}" usage(){ echo "Usage: ${0##*/} [QUBE]" @@ -21,34 +22,34 @@ case "${1-}" in *) qube="${1}";; esac -if ! qvm-check -q -- "$qube" >/dev/null 2>&1; then - echo "Qube '$qube' doesn't exist" >&2 +if ! qvm-check -q -- "${qube}" >/dev/null 2>&1; then + echo "Qube '${qube}' doesn't exist" >&2 usage 1 fi user_conf="/home/user/wireguard.conf" system_conf="/etc/wireguard/wireguard.conf" -qvm-run "$qube" -- "test -f ${user_conf}" || { +qvm-run "${qube}" -- "test -f ${user_conf}" || { echo "File '${user_conf}' was not found" >&2 - if qvm-check -q --running -- "$qube" >/dev/null 2>&1; then - qvm-pause --verbose -- "$qube" + if qvm-check -q --running -- "${qube}" >/dev/null 2>&1; then + qvm-pause --verbose -- "${qube}" fi - echo "Firewalling $qube to drop all connections" - qvm-firewall --verbose -- "$qube" reset - qvm-firewall --verbose -- "$qube" del --rule-no 0 - qvm-firewall --verbose -- "$qube" add drop - if qvm-check -q --paused -- "$qube" >/dev/null 2>&1; then - qvm-unpause --verbose -- "$qube" + echo "Firewalling ${qube} to drop all connections" + qvm-firewall --verbose -- "${qube}" reset + qvm-firewall --verbose -- "${qube}" del --rule-no 0 + qvm-firewall --verbose -- "${qube}" add drop + if qvm-check -q --paused -- "${qube}" >/dev/null 2>&1; then + qvm-unpause --verbose -- "${qube}" fi exit 1 } -qvm-run -u root "$qube" -- "cp ${user_conf} ${system_conf}" +qvm-run -u root "${qube}" -- "cp ${user_conf} ${system_conf}" ## TOFU # shellcheck disable=SC2016 -endpoint="$(qvm-run -p -u root "$qube" -- awk '/Endpoint/{print $3}' \ +endpoint="$(qvm-run -p -u root "${qube}" -- awk '/Endpoint/{print $3}' \ "${system_conf}")" if echo "${endpoint}" | grep -qF "["; then ip="${ip##[\[]}" @@ -59,27 +60,27 @@ else port="${endpoint##*:}" fi -if test -z "$ip" || test -z "$port";then +if test -z "${ip}" || test -z "${port}";then echo "Endpoint (IP:Port) not found: ${system_conf}" >&2 exit 1 fi -if qvm-check -q --running -- "$qube" >/dev/null 2>&1; then - qvm-pause --verbose -- "$qube" +if qvm-check -q --running -- "${qube}" >/dev/null 2>&1; then + qvm-pause --verbose -- "${qube}" fi -echo "Firewalling $qube to reach only '$ip:$port'" -qvm-firewall --verbose -- "$qube" reset -qvm-firewall --verbose -- "$qube" del --rule-no 0 -qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" \ - proto=udp -qvm-firewall --verbose -- "$qube" add accept dsthost="$ip" dstports="$port" \ - proto=tcp -qvm-firewall --verbose -- "$qube" add drop +echo "Firewalling ${qube} to reach only '${ip}:${port}'" +qvm-firewall --verbose -- "${qube}" reset +qvm-firewall --verbose -- "${qube}" del --rule-no 0 +qvm-firewall --verbose -- "${qube}" add accept dsthost="${ip}" \ + dstports="${port}" proto=udp +qvm-firewall --verbose -- "${qube}" add accept dsthost="${ip}" \ + dstports="${port}" proto=tcp +qvm-firewall --verbose -- "${qube}" add drop -if qvm-check -q --paused -- "$qube" >/dev/null 2>&1; then - qvm-unpause --verbose -- "$qube" +if qvm-check -q --paused -- "${qube}" >/dev/null 2>&1; then + qvm-unpause --verbose -- "${qube}" fi -qvm-run -u root "$qube" -- "systemctl restart wg-quick@wireguard" -qvm-run -u root "$qube" -- "/rw/config/network-hooks.d/50-sys-wireguard" +qvm-run -u root "${qube}" -- "systemctl restart wg-quick@wireguard" +qvm-run -u root "${qube}" -- "/rw/config/network-hooks.d/50-sys-wireguard" diff --git a/scripts/best-program.sh b/scripts/best-program.sh index 7f2b6b5e..06aa6346 100755 --- a/scripts/best-program.sh +++ b/scripts/best-program.sh @@ -8,7 +8,9 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel for tool in "${@}"; do if ./scripts/requires-program.sh "${tool}" >/dev/null 2>&1; then diff --git a/scripts/markdown-lint.sh b/scripts/markdown-lint.sh index b1dba6eb..78af072b 100755 --- a/scripts/markdown-lint.sh +++ b/scripts/markdown-lint.sh @@ -8,7 +8,9 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/requires-program.sh mdl extra_files_rules="~MD002,~MD012,~MD022,~MD032,~MD041" @@ -17,24 +19,25 @@ find_tool="$(./scripts/best-program.sh fd fdfind find)" if test -n "${1-}"; then files="" extra_files="" - for f in "$@"; do - test -f "$f" || continue + for f in "${@}"; do + test -f "${f}" || continue extension="${f##*.}" - case "$extension" in + case "${extension}" in md) case "${f}" in - .github/*) extra_files="$extra_files $f"; continue;; + .github/*) extra_files="${extra_files} ${f}"; continue;; + *) ;; esac - files="$files $f";; + files="${files} ${f}";; *) continue ;; esac done if test -n "${extra_files}"; then - mdl --rules ${extra_files_rules} ${extra_files} + mdl --rules "${extra_files_rules}" ${extra_files} fi - test -n "$files" || exit 0 + test -n "${files}" || exit 0 exec mdl ${files} fi @@ -47,9 +50,10 @@ case "${find_tool}" in files="$(find . -not -path './.github/*' -type f -name "*.md")" extra_files="$(find .github -type f -name "*.md")" ;; + *) echo "Unsupported find tool" >&2; exit 1;; esac if test -n "${extra_files}"; then - mdl --rules ${extra_files_rules} ${extra_files} + mdl --rules "${extra_files_rules}" ${extra_files} fi exec mdl ${files} diff --git a/scripts/python-lint.sh b/scripts/python-lint.sh index 05ffd6bb..fbf655db 100755 --- a/scripts/python-lint.sh +++ b/scripts/python-lint.sh @@ -8,29 +8,32 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/requires-program.sh pylint find_tool="$(./scripts/best-program.sh fd fdfind find)" if test -n "${1-}"; then files="" - for f in "$@"; do - test -f "$f" || continue + for f in "${@}"; do + test -f "${f}" || continue extension="${f##*.}" - case "$extension" in - py) files="$files $f";; + case "${extension}" in + py) files="${files} ${f}";; *) continue ;; esac done - test -n "$files" || exit 0 + test -n "${files}" || exit 0 exec pylint ${files} fi case "${find_tool}" in fd|fdfind) files="$(${find_tool} . -H -t f -e py)";; find) files="$(find . -type f -name "*.py")";; + *) echo "Unsupported find tool" >&2; exit 1;; esac exec pylint ${files} diff --git a/scripts/qubesbuilder-gen.sh b/scripts/qubesbuilder-gen.sh index 32dfbec9..470b3ec9 100755 --- a/scripts/qubesbuilder-gen.sh +++ b/scripts/qubesbuilder-gen.sh @@ -7,7 +7,9 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel template=".qubesbuilder.template" target=".qubesbuilder" @@ -16,7 +18,7 @@ if test "${1-}" = "test"; then tmpdir="$(mktemp -d)" target="${tmpdir}/.qubesbuilder" # shellcheck disable=SC2154 - trap 'ec="$?"; rm -rf -- "${tmpdir}"; exit "$ec"' EXIT INT HUP QUIT ABRT + trap 'ec="$?"; rm -rf -- "${tmpdir}"; exit "${ec}"' EXIT INT HUP QUIT ABRT fi ignored="$(git ls-files --exclude-standard --others --ignored salt/)" untracked="$(git ls-files --exclude-standard --others salt/)" diff --git a/scripts/release.sh b/scripts/release.sh index c04008a2..2519b33b 100755 --- a/scripts/release.sh +++ b/scripts/release.sh @@ -7,7 +7,9 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/qubesbuilder-gen.sh ./scripts/spec-build.sh diff --git a/scripts/salt-fix.sh b/scripts/salt-fix.sh index 7f4eba1d..fd278d9a 100755 --- a/scripts/salt-fix.sh +++ b/scripts/salt-fix.sh @@ -13,19 +13,24 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel find_tool="$(./scripts/best-program.sh fd fdfind find)" case "${find_tool}" in fd|fdfind) - files="$(${find_tool} . minion.d/ --extension=conf) - $(${find_tool} . salt/ --max-depth=2 --type=f --extension=sls)" + conf_files="$(${find_tool} . minion.d/ -e conf)" + sls_files="$(${find_tool} . salt/ -d 2 -t f -e sls)" + files="${conf_files}\n${sls_files}" ;; find) - files="$(find minion.d/ -type f -name "*.conf") - $(find salt/ -maxdepth 2 -type f -name '*.sls')" + conf_files="$(find minion.d/ -type f -name "*.conf")" + sls_files="$(find salt/ -maxdepth 2 -type f -name '*.sls')" + files="${conf_files}\n${sls_files}" ;; + *) echo "Unsupported find tool" >&2; exit 1;; esac ## 201 - Fix trailing whitespace: diff --git a/scripts/salt-lint.sh b/scripts/salt-lint.sh index 8fb259ab..1bd53b5f 100755 --- a/scripts/salt-lint.sh +++ b/scripts/salt-lint.sh @@ -8,7 +8,9 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/requires-program.sh salt-lint find_tool="$(./scripts/best-program.sh fd fdfind find)" @@ -18,28 +20,31 @@ test -f "${possible_conf}" && conf="-c ${possible_conf}" if test -n "${1-}"; then files="" - for f in "$@"; do - test -f "$f" || continue + for f in "${@}"; do + test -f "${f}" || continue extension="${f##*.}" - case "$extension" in - top|sls) files="$files $f";; + case "${extension}" in + top|sls) files="${files} ${f}";; *) continue;; esac done - test -n "$files" || exit 0 + test -n "${files}" || exit 0 exec salt-lint ${conf} ${files} fi case "${find_tool}" in fd|fdfind) - files="$(${find_tool} . minion.d/ --e conf) - $(${find_tool} . salt/ -d 2 -t f -e sls -e top | sort -d)" + conf_files="$(${find_tool} . minion.d/ -e conf)" + sls_files="$(${find_tool} . salt/ -d 2 -t f -e sls -e top | sort -d)" + files="${conf_files}\n${sls_files}" ;; find) - files="$(find minion.d/ -type f -name "*.conf") - $(find salt/* -maxdepth 2 -type f \( -name '*.sls' -o -name '*.top' \) | - sort -d)" + conf_files="$(find minion.d/ -type f -name "*.conf")" + sls_files="$(find salt/* -maxdepth 2 -type f \ + \( -name '*.sls' -o -name '*.top' \) | sort -d)" + files="${conf_files}\n${sls_files}" ;; + *) echo "Unsupported find tool" >&2; exit 1;; esac exec salt-lint ${conf} ${files} diff --git a/scripts/setup.sh b/scripts/setup.sh index 97cb17ac..093a270e 100755 --- a/scripts/setup.sh +++ b/scripts/setup.sh @@ -6,8 +6,11 @@ set -eu -test "$(hostname)" = "dom0" || { echo "Must be run from dom0" >&2; exit 1; } -test "$(id -u)" = "0" || exec sudo "${0}" +# shellcheck disable=3028 +hostname="$(hostname)}" +test "${hostname}" = "dom0" || { echo "Must be run from dom0" >&2; exit 1; } +uid="$(id -u)" +test "${uid}" = "0" || exec sudo "${0}" group="qusal" file_roots="/srv/salt/${group}" diff --git a/scripts/shell-lint.sh b/scripts/shell-lint.sh index 410eadab..4ec5b11e 100755 --- a/scripts/shell-lint.sh +++ b/scripts/shell-lint.sh @@ -10,7 +10,9 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/requires-program.sh shellcheck file exit_code=0 @@ -23,54 +25,48 @@ show_long_lines(){ fi awk -v color="${tty_stderr}" ' BEGIN { + exit_code=0 MAGENTA="" GREEN="" RESET="" - if (color == 1) { + if (color==1) { MAGENTA="\033[1;35m" GREEN="\033[1;32m" RESET="\033[0m" } } { - nlines++; - if (length > 78 && !/^\s*#.*(:\/\/|SPDX-)/) { - exit_code=1 - prefix = MAGENTA FILENAME RESET ":" GREEN FNR RESET - print prefix ": line too long: " length " > 78" >"/dev/stderr" - if (nlines==NR) { if (exit_code==1) { exit 1; }; } + if (length($0)>78 && !/^\s*#.*(:\/\/|SPDX-)/) { + prefix = MAGENTA FILENAME RESET ":" GREEN FNR RESET + print prefix ": line too long: " length " > 78" >"/dev/stderr" + exit_code=1 + } } - if (nlines==NR) { if (exit_code==1) { exit 1; }; } - } - ' "${@}" >&2 + END { + if (exit_code==1) exit 1 + }' "${@}" } if test -n "${1-}"; then files="" - sh_files="" - for f in "$@"; do - test -f "$f" || continue + for f in "${@}"; do + test -f "${f}" || continue case "${f}" in */zsh/*) continue;; *.yml|*.yaml|*.vim|*.sls|*.top|*.toml|*.timer|*.service|*.socket| \ *.spec|*/config|*.txt|*/version|*.sources|*.asc|*.repo) continue;; - */rc.local) sh_files="$sh_files $f"; continue;; - *) files="$files $f" + *) files="${files} ${f}" esac done - files="$(file $files | awk -F ":" '/ shell script,/{ print $1 }')" - if test -z "$files" && test -z "$sh_files"; then + files="$(file ${files} | awk -F ":" '/ shell script,/{ print $1 }')" + if test -z "${files}"; then exit 0 fi - if test -n "${files}" || test -n "${sh_files}"; then - show_long_lines ${files} ${sh_files} || exit_code=1 - fi if test -n "${files}"; then + # shellcheck disable=SC2310 + show_long_lines ${files} || exit_code=1 shellcheck ${files} || exit_code=1 fi - if test -n "${sh_files}"; then - shellcheck -s sh ${sh_files} || exit_code=1 - fi exit "${exit_code}" fi @@ -79,23 +75,17 @@ case "${find_tool}" in # shellcheck disable=2016,2215 files="$(${find_tool} . scripts/ salt/ -H -E zsh -t f -X file | awk -F ":" '/ shell script,/{ print $1 }')" - ## No Shebang - sh_files="$(${find_tool} rc.local salt/ --type=f)" ;; find) files="$(find scripts/ salt/ -not \( -path "*/zsh" -prune \) -type f \ -exec file {} \+ | awk -F ":" '/ shell script,/{ print $1 }')" - ## No Shebang - sh_files="$(find salt/ -type f -name "rc.local")" ;; + *) echo "Unsupported find tool" >&2; exit 1;; esac -files="$(echo "$files" | sort -u)" -sh_files="$(echo "$sh_files" | sort -u)" +files="$(echo "${files}" | sort -u)" -show_long_lines ${files} ${sh_files} || exit_code=1 +# shellcheck disable=SC2310 +show_long_lines ${files} || exit_code=1 shellcheck ${files} || exit_code=1 -if test -n "$sh_files"; then - shellcheck -s sh ${sh_files} || exit_code=1 -fi exit "${exit_code}" diff --git a/scripts/spec-build.sh b/scripts/spec-build.sh index 31fb4259..d114ac12 100755 --- a/scripts/spec-build.sh +++ b/scripts/spec-build.sh @@ -59,10 +59,13 @@ build_rpm(){ case "${1-}" in -h|--?help) usage;; + *) ;; esac command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/requires-program.sh dnf rpmlint rpmbuild rpmsign build_dir="${HOME}/rpmbuild" @@ -79,11 +82,11 @@ spec_gen="./scripts/spec-gen.sh" spec_get="./scripts/spec-get.sh" if test -z "${1-}"; then - # shellcheck disable=SC2046 + # shellcheck disable=SC2046,SC2312 set -- $(find salt/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \ | sort -d | tr "\n" " ") fi counter=0 -for p in "$@"; do +for p in "${@}"; do build_rpm "${p}" done diff --git a/scripts/spec-gen.sh b/scripts/spec-gen.sh index 817f8e01..b9557a92 100755 --- a/scripts/spec-gen.sh +++ b/scripts/spec-gen.sh @@ -81,7 +81,8 @@ gen_spec(){ bug_url="$(get_spec bug_url)" requires="$(get_spec requires)" summary="$(get_spec summary)" - description="$(escape_key text "$(get_spec description)")" + description="$(get_spec description)" + description="$(escape_key text "${description}")" file_roots="$(get_spec file_roots)" changelog="$(get_spec changelog)" @@ -132,7 +133,8 @@ gen_spec(){ diff --color=auto "${intended_target}" "${target}" || true fail=1 else - if test -n "$(git diff --name-only "${intended_target}")"; then + unstaged_target="$(git diff --name-only "${intended_target}")" || true + if test -n "${unstaged_target}"; then echo "warn: ${intended_target} is up to date but it is not staged" >&2 fi fi @@ -141,13 +143,15 @@ gen_spec(){ case "${1-}" in -h|--?help) usage; exit 1;; + *) ;; esac command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel spec_get="./scripts/spec-get.sh" - ignored="$(git ls-files --exclude-standard --others --ignored salt/)" untracked="$(git ls-files --exclude-standard --others salt/)" unwanted="$(printf %s"${ignored}\n${untracked}\n" \ @@ -164,14 +168,14 @@ fi if echo "${@}" | grep -qE "(^scripts/| scripts/|/template.spec)" || test -z "${1-}" then - # shellcheck disable=SC2046 + # shellcheck disable=SC2046,SC2312 set -- $(find salt/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \ | sort -d | tr "\n" " ") fi projects_seen="" -for p in "$@"; do - gen_spec "${p}" ${gen_mode} +for p in "${@}"; do + gen_spec "${p}" "${gen_mode}" done if test "${fail}" = "1" && test "${gen_mode}" = "test"; then diff --git a/scripts/spec-get.sh b/scripts/spec-get.sh index 5e7ccfd4..e4641077 100755 --- a/scripts/spec-get.sh +++ b/scripts/spec-get.sh @@ -10,10 +10,11 @@ set -eu usage(){ names="$(find salt/ -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \ | sort -d | tr "\n" " ")" + keys_trimmed="$(echo "${keys}" | tr "\n" " ")" echo "Usage: ${0##*/} " echo "Example: ${0##*/} qubes-builder description" echo "Names: ${names}" - echo "Keys: $(echo "${keys}" | tr "\n" " ")" + echo "Keys: ${keys_trimmed}" } block_max_chars(){ @@ -59,12 +60,14 @@ case "${1-}" in *) key="${1}"; shift;; esac if test -z "${key##* }"; then - echo "Key is empty: ${key}" >&2 + echo "Key was not given" >&2 exit 1 fi command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/requires-program.sh reuse if test "${key}" = "branch"; then @@ -163,7 +166,6 @@ if test "${key}" = "saltfiles" || test "${key}" = "requires"; then fi case "${key}" in - "") exit 1;; branch) echo "${branch}";; changelog) echo "${changelog}";; description) echo "${description}";; @@ -183,4 +185,6 @@ case "${key}" in vendor) echo "${vendor}";; packager) echo "${packager}";; version) echo "${version}";; + "") exit 1;; + *) echo "Unsupported key" >&2; exit 1;; esac diff --git a/scripts/spell-lint.sh b/scripts/spell-lint.sh index bfc26df5..92454bcb 100755 --- a/scripts/spell-lint.sh +++ b/scripts/spell-lint.sh @@ -8,22 +8,24 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/requires-program.sh codespell if test -n "${1-}"; then files="" - for f in "$@"; do - test -f "$f" || continue - case "$f" in + for f in "${@}"; do + test -f "${f}" || continue + case "${f}" in *LICENSES/*|.git/*|*.asc|rpm_spec/*-*.spec|*.muttrc| \ salt/sys-cacher/files/server/conf/*_mirrors_*|\ salt/dotfiles/files/vim/.config/vim/after/plugin/update-time.vim) continue;; - *) files="$files $f";; + *) files="${files} ${f}";; esac done - test -n "$files" || exit 0 + test -n "${files}" || exit 0 exec codespell --check-filenames --check-hidden ${files} fi diff --git a/scripts/toc-gen.sh b/scripts/toc-gen.sh index a68d338c..11833e4a 100755 --- a/scripts/toc-gen.sh +++ b/scripts/toc-gen.sh @@ -14,6 +14,7 @@ usage(){ case "${1-}" in ""|-h|--help) usage;; + *) ;; esac ## vim-markdown-toc deletes lines if they are folded, can't rely on its native @@ -25,13 +26,13 @@ then fi -for f in "$@"; do - if ! test -f "$f"; then - echo "Error: Not a regular file: $f" >&2 +for f in "${@}"; do + if ! test -f "${f}"; then + echo "Error: Not a regular file: ${f}" >&2 exit 1 fi - if ! grep -q "^## Table of Contents$" "$f"; then - echo "Could not find table of contents in file: $f, skipping" >&2 + if ! grep -q "^## Table of Contents$" "${f}"; then + echo "Could not find table of contents in file: ${f}, skipping" >&2 continue fi ## This is fragile, the table of contents should have at least one block @@ -39,5 +40,5 @@ for f in "$@"; do ## the rest of the file. vim -c 'norm zRgg' -c '/^## Table of Contents$' -c 'norm jd}k' \ -c ':GenTocGFM' -c 'norm ddgg' -c wq -- "${f}" - echo "Updated TOC in file: $f" + echo "Updated TOC in file: ${f}" done diff --git a/scripts/unicode-prohibit.sh b/scripts/unicode-prohibit.sh index 6b950974..fe9f311b 100755 --- a/scripts/unicode-prohibit.sh +++ b/scripts/unicode-prohibit.sh @@ -9,7 +9,9 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel files="" if test -n "${1-}"; then @@ -30,6 +32,7 @@ if test -n "${unicode_match}"; then line_file="$(echo "${line}" | cut -d ":" -f1)" case "${line_file}" in git/*|LICENSES/*|.reuse/dep5|*.asc) continue;; + *) ;; esac line_number="$(echo "${line}" | cut -d ":" -f2)" line_unicode="$(echo "${line}" | cut -d ":" -f3 | od -A n -vt c)" diff --git a/scripts/yaml-lint.sh b/scripts/yaml-lint.sh index 977fe1b7..29c8c492 100755 --- a/scripts/yaml-lint.sh +++ b/scripts/yaml-lint.sh @@ -8,20 +8,22 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/requires-program.sh yamllint if test -n "${1-}"; then files="" - for f in "$@"; do - test -f "$f" || continue + for f in "${@}"; do + test -f "${f}" || continue extension="${f##*.}" - case "$extension" in - yaml|yml) files="$files $f";; + case "${extension}" in + yaml|yml) files="${files} ${f}";; *) continue;; esac done - test -n "$files" || exit 0 + test -n "${files}" || exit 0 exec yamllint ${files} fi diff --git a/scripts/yumrepo-gen.sh b/scripts/yumrepo-gen.sh index 37f03e67..75d83c88 100755 --- a/scripts/yumrepo-gen.sh +++ b/scripts/yumrepo-gen.sh @@ -7,7 +7,9 @@ set -eu command -v git >/dev/null || { echo "Missing program: git" >&2; exit 1; } -cd "$(git rev-parse --show-toplevel)" || exit 1 +repo_toplevel="$(git rev-parse --show-toplevel)" +test -d "${repo_toplevel}" || exit 1 +unset repo_toplevel ./scripts/requires-program.sh createrepo_c gpg key_id="$(git config --get user.signingKey)" || true @@ -15,7 +17,7 @@ build_dir="${HOME}/rpmbuild" qubes_release="r4.2" repo="current" dist="fc37" -yum_repo_root="$HOME/rpmrepo" +yum_repo_root="${HOME}/rpmrepo" yum_repo="${yum_repo_root}/${qubes_release}/${repo}/host/${dist}" mkdir -p "${yum_repo}/rpm" @@ -27,7 +29,7 @@ if test -d "${yum_repo}/repodata"; then createrepo_args="--update" fi # shellcheck disable=SC2086 -createrepo_c ${createrepo_args} --checksum sha512 "${yum_repo}" +createrepo_c "${createrepo_args}" --checksum sha512 "${yum_repo}" if test -n "${key_id}"; then rm -f -- "${yum_repo}/repodata/repomd.xml.asc"