From 7e6a9fa896ade4c24866fc4883ca21b44b563860 Mon Sep 17 00:00:00 2001 From: Juan David Hurtado G Date: Sun, 8 Dec 2024 20:37:02 -0500 Subject: [PATCH] [WIP] shellcheck linting --- .github/workflows/shellcheck.yml | 3 ++- usr/local/share/bastille/common.sh | 6 +++--- usr/local/share/bastille/mount.sh | 11 +++++++++-- usr/local/share/bastille/template.sh | 18 +++++++++--------- usr/local/share/bastille/verify.sh | 2 +- usr/local/share/bastille/zfs.sh | 4 ++-- 6 files changed, 26 insertions(+), 18 deletions(-) diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index ac17c63a..c183dd37 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -21,7 +21,8 @@ jobs: # Excluding SC2154: Variable is referenced but not assigned. Because we include files in the scripts # Excluding SC3037: In POSIX sh, echo flags are undefined. Ignoring temporarily until we decide to keep it or # use printf instead - SHELLCHECK_OPTS: -e SC3043 -e SC2154 -e SC3037 + # Excluding SC2155: Declare and assign separately to avoid masking return values. + SHELLCHECK_OPTS: -e SC3043 -e SC2154 -e SC3037 -e SC2155 with: severity: warning scandir: "./usr/local/share/bastille" diff --git a/usr/local/share/bastille/common.sh b/usr/local/share/bastille/common.sh index 74c12e67..9940d9e6 100644 --- a/usr/local/share/bastille/common.sh +++ b/usr/local/share/bastille/common.sh @@ -47,7 +47,7 @@ enable_color() { # If "NO_COLOR" environment variable is present, or we aren't speaking to a # tty, disable output colors. -if [ -z "${NO_COLOR}" -a -t 1 ]; then +if [ -z "${NO_COLOR}" ] && [ -t 1 ]; then enable_color fi 
@@ -77,9 +77,9 @@ generate_vnet_jail_netblock() { ## determine number of containers + 1 ## iterate num and grep all jail configs ## define uniq_epair - local jail_list=$(bastille list jails) + local jail_list="$(bastille list jails)" if [ -n "${jail_list}" ]; then - local list_jails_num=$(echo "${jail_list}" | wc -l | awk '{print $1}') + local list_jails_num="$(echo "${jail_list}" | wc -l | awk '{print $1}')" local num_range=$((list_jails_num + 1)) for _num in $(seq 0 "${num_range}"); do if ! grep -q "e[0-9]b_bastille${_num}" "${bastille_jailsdir}"/*/jail.conf; then diff --git a/usr/local/share/bastille/mount.sh b/usr/local/share/bastille/mount.sh index a2ab85fc..7ccb3813 100644 --- a/usr/local/share/bastille/mount.sh +++ b/usr/local/share/bastille/mount.sh @@ -45,8 +45,10 @@ esac if [ $# -lt 2 ]; then usage elif [ $# -eq 2 ]; then + # shellcheck disable=SC2124 _fstab="$@ nullfs ro 0 0" else + # shellcheck disable=SC2124 _fstab="$@" fi 
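Review bot: Quoting the substitution in `local jail_list="$(bastille list jails)"` does not address SC2155: `local` still returns 0, so a failing `bastille list jails` looks the same as an empty jail list, and the same holds for `list_jails_num`. The workflow hunk in this commit silences that warning for the whole tree instead of fixing these two sites. I would split declaration and assignment, `local jail_list` followed by `jail_list="$(bastille list jails)" || return 1`, and keep `-e SC2155` out of `SHELLCHECK_OPTS`. Whether `return 1` is the right reaction depends on the callers, which are not visible here. generate_vnet_jail_netblock continues past the end of the hunk.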
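Review bot: The two `# shellcheck disable=SC2124` directives keep `"$@"` in a scalar assignment where `"$*"` states what is meant. With the default IFS, `_fstab="$* nullfs ro 0 0"` and `_fstab="$*"` build the same string and need no suppression. Either way the arguments are flattened into one space-separated string, so a host or jail path containing a space cannot be told apart from two fields when `_fstab` is split again. A comment next to the assignment saying that such paths are not supported would make that limit explicit.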
@@ -67,8 +69,13 @@ if [ -z "${_hostpath}" ] || [ -z "${_jailpath}" ] || [ -z "${_type}" ] || [ -z " exit 1 fi -## if host path doesn't exist, type is not "nullfs" or are using advanced mount type "tmpfs,linprocfs,linsysfs, fdescfs, procfs" -if [ "${_hostpath}" == "tmpfs" -a "$_type" == "tmpfs" ] || [ "${_hostpath}" == "linprocfs" -a "${_type}" == "linprocfs" ] || [ "${_hostpath}" == "linsysfs" -a "${_type}" == "linsysfs" ] || [ "${_hostpath}" == "proc" -a "${_type}" == "procfs" ] || [ "${_hostpath}" == "fdesc" -a "${_type}" == "fdescfs" ] ; then +# if host path doesn't exist, type is not "nullfs" or are using advanced mount type "tmpfs,linprocfs,linsysfs, fdescfs, +# procfs" +if [ "${_hostpath}" = "tmpfs" ] && [ "$_type" = "tmpfs" ] || + [ "${_hostpath}" = "linprocfs" ] && [ "${_type}" = "linprocfs" ] || + [ "${_hostpath}" = "linsysfs" ] && [ "${_type}" = "linsysfs" ] || + [ "${_hostpath}" = "proc" ] && [ "${_type}" = "procfs" ] || + [ "${_hostpath}" = "fdesc" ] && [ "${_type}" = "fdescfs" ]; then warn "Detected advanced mount type ${_hostpath}" elif [ ! -d "${_hostpath}" ] || [ "${_type}" != "nullfs" ]; then error_notify "Detected invalid host path or incorrect mount type in FSTAB." diff --git a/usr/local/share/bastille/template.sh b/usr/local/share/bastille/template.sh index d9634f5a..1ab68364 100644 --- a/usr/local/share/bastille/template.sh +++ b/usr/local/share/bastille/template.sh 
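Review bot: The rewritten condition no longer means "any of the five pairs matches". In sh, `&&` and `||` have equal precedence and associate left to right, so `[ a ] && [ b ] || [ c ] && [ d ] || …` is evaluated as `((((a && b) || c) && d) || …) && j`. With `_hostpath=tmpfs` and `_type=tmpfs` the chain turns false at a later `&&`, so the mount falls through to the `elif` and is rejected; only the last pair (`fdesc`/`fdescfs`) still passes. The old `-a` inside a single `[ ]` bound tighter than the `||` between tests, so each pair needs explicit `{ …; }` grouping to keep that meaning. The `if`/`elif` chain continues past the end of the hunk.

```shell
# … unchanged: empty-field check and exit above …
if { [ "${_hostpath}" = "tmpfs" ] && [ "${_type}" = "tmpfs" ]; } ||
   { [ "${_hostpath}" = "linprocfs" ] && [ "${_type}" = "linprocfs" ]; } ||
   { [ "${_hostpath}" = "linsysfs" ] && [ "${_type}" = "linsysfs" ]; } ||
   { [ "${_hostpath}" = "proc" ] && [ "${_type}" = "procfs" ]; } ||
   { [ "${_hostpath}" = "fdesc" ] && [ "${_type}" = "fdescfs" ]; }; then
    warn "Detected advanced mount type ${_hostpath}"
# … unchanged: elif branch rejecting invalid host path / mount type …
```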
@@ -96,7 +96,7 @@ render() { if [ -d "${_file_path}" ]; then # Recursively render every file in this directory. -- cwells echo "Rendering Directory: ${_file_path}" find "${_file_path}" \( -type d -name .git -prune \) -o -type f - find "${_file_path}" \( -type d -name .git -prune \) -o -type f -print0 | $(eval "xargs -0 sed -i '' ${ARG_REPLACEMENTS}") + find "${_file_path}" \( -type d -name .git -prune \) -o -type f -print0 | eval "xargs -0 sed -i '' ${ARG_REPLACEMENTS}" elif [ -f "${_file_path}" ]; then echo "Rendering File: ${_file_path}" eval "sed -i '' ${ARG_REPLACEMENTS} '${_file_path}'" @@ -128,9 +128,9 @@ fi # Special case conversion of hook-style template files into a Bastillefile. -- cwells if [ "${TARGET}" = '--convert' ]; then if [ -d "${TEMPLATE}" ]; then # A relative path was provided. -- cwells - cd "${TEMPLATE}" + cd "${TEMPLATE}" || error_exit "Failed to change to directory: ${TEMPLATE}" elif [ -d "${bastille_template}" ]; then - cd "${bastille_template}" + cd "${bastille_template}" || error_exit "Failed to change to directory: ${TEMPLATE}" else error_exit "Template not found: ${TEMPLATE}" fi @@ -232,7 +232,7 @@ for _jail in ${JAILS}; do if [ "$(bastille config $TARGET get vnet)" != 'enabled' ]; then _jail_ip=$(/usr/sbin/jls -j "${_jail}" ip4.addr 2>/dev/null) _jail_ip6=$(/usr/sbin/jls -j "${_jail}" ip6.addr 2>/dev/null) - if [ -z "${_jail_ip}" -o "${_jail_ip}" = "-" ]; then + if [ -z "${_jail_ip}" ] || [ "${_jail_ip}" = "-" ]; then error_notify "Jail IP not found: ${_jail}" _jail_ip='' # In case it was -. -- cwells fi 
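Review bot: The new pipeline still runs `eval` over `${ARG_REPLACEMENTS}`, so its safety rests entirely on how that string is quoted where it is built, which is outside this hunk. If it is assembled from template ARG values, a value that is not escaped for both the shell and sed would be interpreted as syntax here. I would state the contract at the call, e.g. `# ARG_REPLACEMENTS is eval'd: every value appended to it must already be shell- and sed-escaped`. The same applies to the unchanged single-file branch, where `'${_file_path}'` is placed inside the eval string and a path containing a single quote would end the quoting early. render() starts and ends outside the hunk.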
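Review bot: The second added guard reports the wrong path: it runs `cd "${bastille_template}"` but the message prints `${TEMPLATE}`, so a failure would name a directory that was not the one attempted. It should read `cd "${bastille_template}" || error_exit "Failed to change to directory: ${bastille_template}"`. The first guard, on `cd "${TEMPLATE}"`, is consistent as written.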
@@ -299,12 +299,12 @@ for _jail in ${JAILS}; do # Escape single-quotes in the command being executed. -- cwells _args=$(echo "${_args}" | sed "s/'/'\\\\''/g") # Allow redirection within the jail. -- cwells - _args="sh -c '${_args}'" + _args="sh -c ${_args}" ;; cp|copy) _cmd='cp' # Convert relative "from" path into absolute path inside the template directory. -- cwells - if [ "${_args%${_args#?}}" != '/' ] && [ "${_args%${_args#??}}" != '"/' ]; then + if [ "${_args%"${_args#?}"}" != '/' ] && [ "${_args%"${_args#??}"}" != '"/' ]; then _args="${bastille_template}/${_args}" fi ;; @@ -368,9 +368,9 @@ for _jail in ${JAILS}; do info "[${_jail}]:${_hook} -- START" if [ "${_hook}" = 'CMD' ] || [ "${_hook}" = 'PRE' ]; then - bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || exit 1 + bastille cmd "${_jail}" /bin/sh < "${bastille_template}/${_hook}" || error_exit "Failed to execute command." elif [ "${_hook}" = 'PKG' ]; then - bastille pkg "${_jail}" install -y $(cat "${bastille_template}/PKG") || exit 1 + bastille pkg "${_jail}" install -y "$(cat "${bastille_template}/PKG")" || error_exit "Failed to install packages." bastille pkg "${_jail}" audit -F else while read _line; do @@ -380,7 +380,7 @@ for _jail in ${JAILS}; do # Replace "arg" variables in this line with the provided values. -- cwells _line=$(echo "${_line}" | eval "sed ${ARG_REPLACEMENTS}") eval "_args=\"${_args_template}\"" - bastille "${_cmd}" "${_jail}" ${_args} || exit 1 + bastille "${_cmd} ${_jail} ${_args}" || error_exit "Failed to execute command." done < "${bastille_template}/${_hook}" fi info "[${_jail}]:${_hook} -- END" diff --git a/usr/local/share/bastille/verify.sh b/usr/local/share/bastille/verify.sh index cffb9f0b..87b0d07b 100644 --- a/usr/local/share/bastille/verify.sh +++ b/usr/local/share/bastille/verify.sh 
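Review bot: Removing the single quotes in `_args="sh -c ${_args}"` leaves the line above it escaping quotes for a wrapper that no longer exists, since the `'\''` sequences it inserts only make sense inside `'…'`. Without the wrapper, a command containing spaces or a redirection is no longer marked as one `sh -c` operand, which is what the "Allow redirection within the jail" comment describes. How `_args` is finally split is decided by the `eval` and `bastille` lines in a later hunk, so the effect cannot be fully judged from here. I would keep `_args="sh -c '${_args}'"` and, if ShellCheck objects to it, silence that single line with a directive and a stated reason rather than change the string.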
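Review bot: Quoting `"$(cat "${bastille_template}/PKG")"` hands `pkg install` the whole file as a single argument. A PKG hook that lists more than one package, one per line or space-separated, then becomes one name containing whitespace and the install fails. Word splitting is the intent on this line, so keep the substitution unquoted and record that with `# shellcheck disable=SC2046` on the line above, keeping the new `|| error_exit "Failed to install packages."`.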
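Review bot: `bastille "${_cmd} ${_jail} ${_args}"` passes the subcommand, the jail name and all arguments to `bastille` as one word, so the dispatcher receives a single argument and cannot match a subcommand. Only `${_args}` depends on splitting, so quote the first two separately and leave the third unquoted: `# shellcheck disable=SC2086` followed by `bastille "${_cmd}" "${_jail}" ${_args} || error_exit "Failed to execute command."`. Adding `${_cmd}` and `${_jail}` to the error text would also let a failing template line be identified. The enclosing `while read` loop starts outside this hunk.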
@@ -78,7 +78,7 @@ verify_template() { info "Detected ${_hook} hook." ## line count must match newline count - if [ $(wc -l "${_path}" | awk '{print $1}') -ne $(grep -c $'\n' "${_path}") ]; then + if [ "$(wc -l "${_path}" | awk '{print $1}')" -ne "$(grep -c printf '\n' "${_path}")" ]; then info "[${_hook}]:" error_notify "${BASTILLE_TEMPLATE}:${_hook} [failed]." error_notify "Line numbers don't match line breaks." diff --git a/usr/local/share/bastille/zfs.sh b/usr/local/share/bastille/zfs.sh index ab6f45eb..0c771d3b 100644 --- a/usr/local/share/bastille/zfs.sh +++ b/usr/local/share/bastille/zfs.sh @@ -38,7 +38,7 @@ usage() { zfs_snapshot() { for _jail in ${JAILS}; do info "[${_jail}]:" - zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}" + zfs snapshot -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}@${TAG}" echo done } @@ -46,7 +46,7 @@ done zfs_destroy_snapshot() { for _jail in ${JAILS}; do info "[${_jail}]:" - zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}"@"${TAG}" + zfs destroy -r "${bastille_zfs_zpool}/${bastille_zfs_prefix}/jails/${_jail}@${TAG}" echo done }
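Review bot: `grep -c printf '\n' "${_path}"` does not count line breaks, because grep takes `printf` as the pattern and both `\n` and the hook file as file names. It therefore prints a `file:count` line plus an error for the missing file, and `[ … -ne … ]` receives a non-numeric operand. The test then errors, the `if` body is skipped, and a hook without a trailing newline passes verification, so the check fails open. `grep -c '' "${_path}"` counts every line including an unterminated last one and needs no `$'\n'`, so the right-hand side can be `"$(grep -c '' "${_path}")"`. verify_template starts and ends outside the hunk.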