Run shellcheck

modules/augeasproviders_core/.travis.sh

@@ -10,10 +10,10 @@ PKG_VERSION=""
 
 sudo add-apt-repository -y ppa:raphink/augeas
 sudo apt-get update
-sudo apt-get install augeas-tools${PKG_VERSION} \
-                     augeas-lenses${PKG_VERSION} \
-                     libaugeas0${PKG_VERSION} \
-                     libaugeas-dev${PKG_VERSION} \
+sudo apt-get install "augeas-tools${PKG_VERSION}" \
+                     "augeas-lenses${PKG_VERSION}" \
+                     "libaugeas0${PKG_VERSION}" \
+                     "libaugeas-dev${PKG_VERSION}" \
                      libxml2-dev
 
 # Install gems

modules/augeasproviders_shellvar/.travis.sh

@@ -4,16 +4,16 @@ set -xe
 # Clone submodules in tree
 git submodule update --init
 
-if [ -z $AUGEAS ]; then
+if [ -z "$AUGEAS" ]; then
   # Use latest version of lenses
   cd augeas && git pull origin master
   PKG_VERSION=""
 else
-  if [ -z $LENSES ]; then
+  if [ -z "$LENSES" ]; then
     # Use matching version of lenses
-    cd augeas && git fetch && git checkout release-${AUGEAS}
+    cd augeas && git fetch && git checkout "release-${AUGEAS}"
   else
-    cd augeas && git fetch && git checkout $LENSES
+    cd augeas && git fetch && git checkout "$LENSES"
   fi
 
   PKG_VERSION="=${AUGEAS}*"
@@ -25,10 +25,10 @@ else
 fi
 sudo add-apt-repository -y ppa:raphink/augeas
 sudo apt-get update
-sudo apt-get install augeas-tools${PKG_VERSION} \
-                     augeas-lenses${PKG_VERSION} \
-                     libaugeas0${PKG_VERSION} \
-                     libaugeas-dev${PKG_VERSION} \
+sudo apt-get install "augeas-tools${PKG_VERSION}" \
+                     "augeas-lenses${PKG_VERSION}" \
+                     "libaugeas0${PKG_VERSION}" \
+                     "libaugeas-dev${PKG_VERSION}" \
                      libxml2-dev
 
 # Install gems

modules/base/files/environment/gen_fingerprints

@@ -38,8 +38,8 @@ declare -A ALGOS
 declare -a ASCII
 
 # fingerprints
-for host_key in $(awk '/^HostKey/ {sub(/^HostKey\s+/,"");print $0".pub"};' $SSHD_CONFIG); do
-    cipher=$(echo "$host_key" | sed -r 's/^.*ssh_host_([^_]+)_key\.pub$/\1/'| tr 'a-z' 'A-Z')
+while read -r host_key; do
+    cipher=$(echo "$host_key" | sed -r 's/^.*ssh_host_([^_]+)_key\.pub$/\1/'| tr '[:lower:]' '[:upper:]')
     if [[ -f "$host_key" ]]; then
         if ssh-keygen -E md5 -l -f "$host_key" &>/dev/null; then
         IFS=$'\n'
@@ -51,7 +51,7 @@ for host_key in $(awk '/^HostKey/ {sub(/^HostKey\s+/,"");print $0".pub"};' $SSHD
                 if [[ $n -eq 1 ]]; then
                     ALGOS[$algo]=$(echo "$line" | awk '{print $2}')
                 else
-                    ASCII[$n]="${ASCII[$n]} ${line}"
+                    ASCII[n]="${ASCII[$n]} ${line}"
                 fi
             done
         done
@@ -64,7 +64,7 @@ for host_key in $(awk '/^HostKey/ {sub(/^HostKey\s+/,"");print $0".pub"};' $SSHD
         echo "$cipher" SHA-256 "${ALGOS[sha256]}" | tablize
         echo "$LINE"
     fi
-done
+done < <(awk '/^HostKey/ {sub(/^HostKey\s+/,"");print $0".pub"};' $SSHD_CONFIG)
 
 echo
 for line in "${ASCII[@]}"; do

modules/base/files/firewall/check_ferm

@@ -8,7 +8,7 @@ if [ ! -x /sbin/iptables ]; then
 fi
 
 input_policy=$(iptables -nL INPUT | sed -nr 's/^Chain INPUT \(policy (.*)\)$/\1/p')
-if [ $input_policy = "DROP" ]; then
+if [ "$input_policy" = "DROP" ]; then
     echo "OK ferm input default policy is set"
     exit 0
 else

modules/base/files/secupgrade.sh

@@ -2,20 +2,30 @@
 #script to upgrade packages with pending security upgrades, and automatically log these upgrades to Tech:SAL
 #this is much easier than trying to use getopt or getopts
 if [ "$1" = "--include-kernel" ]; then
-  packages=$(apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk -F " " {"print $2"} | awk '{printf "%s ", $2}')
+  packages=$(apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk -F " " "{print $2}" | awk '{printf "%s ", $2}')
 else
-  packages=$(apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | grep -v "linux-image" | awk -F " " {"print $2"} | awk '{printf "%s ", $2}')
+  packages=$(apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | grep -v "linux-image" | awk -F " " "{print $2}" | awk '{printf "%s ", $2}')
 fi
 if [ -z "${packages//[[:space:]]}" ]; then
   echo "No packages to upgrade"
 else
-  packages_list=$(echo $packages | sed 's/ /, /g')
-  packages_count=$(echo $packages | wc -w)
-  if [ $packages_count -gt 1 ]; then
-    last_package=$(echo $packages_list | awk '{print $NF}')
-    packages_list=$(echo $packages_list | sed 's/ '$last_package'$/ and '$last_package'/')
+  # I feel like this is cleaner, therefore:
+  # shellcheck disable=SC2001
+  packages_list=$(echo "$packages" | sed 's/ /, /g')
+  packages_count=$(echo "$packages" | wc -w)
+  if [ "$packages_count" -gt 1 ]; then
+    last_package=$(echo "$packages_list" | awk '{print $NF}')
+    # shellcheck disable=SC2001
+    packages_list=$(echo "$packages_list" | sed 's/ '"$last_package"'$/ and '"$last_package"'/')
   fi
-  read -p "Upgrading packages $packages_list; press enter to confirm..."
-  sudo apt-get -o Dpkg::Options::='--force-confold' install --only-upgrade $packages
+  read -rp "Upgrading packages $packages_list; press enter to confirm..."
+  # Word splitting here is intentional (since we want each argument to be different),
+  # but globbing is not. Therefore, we disable globbing:
+  set -f
+  # And tell shellcheck to ignore the word splitting:
+  # shellcheck disable=SC2086
+  sudo apt-get -o Dpkg::Options::='--force-confold' install --only-upgrade -- $packages
+  # And reenable globbing, just in case (even though we have never used it in this script as of writing)
+  set +f
   logsalmsg "Upgraded packages $packages_list"
 fi

modules/base/templates/puppet/puppet-run.erb

@@ -5,7 +5,7 @@ set -e
 
 # Check this before apt-get update, so that our update doesn't screw up
 # package installs in a running (manual and/or initial install) puppet run
-PUPPETLOCK=`puppet agent --configprint agent_catalog_run_lockfile`
+PUPPETLOCK=$(puppet agent --configprint agent_catalog_run_lockfile)
 
 # From here out, make a best effort to continue in the face of failure
 set +e
@@ -18,21 +18,20 @@ set +e
 # before the sleep (but not after), and does not create the agent lockfile
 # until after the sleep, which creates a wide race window against tools trying
 # to avoid puppet agent concurrency with the "disable and then poll lockfile".
-SLEEPVAL=$(($RANDOM % 60))
+SLEEPVAL=$((RANDOM % 60))
 echo "Sleeping $SLEEPVAL for random splay" | logger -t puppet-agent-cronjob
 sleep $SLEEPVAL
 
-if [ -n "$PUPPETLOCK" -a -e "$PUPPETLOCK" ]; then
-    PUPPETPID=$(cat $PUPPETLOCK)
+if [ -n "$PUPPETLOCK" ] && [ -e "$PUPPETLOCK" ]; then
+    PUPPETPID=$(cat "$PUPPETLOCK")
     CMDLINE_FILE="/proc/$PUPPETPID/cmdline"
-    if [ -f $CMDLINE_FILE ]; then
-        grep -q puppet $CMDLINE_FILE
-        if [ $? -eq 0 ]; then
-            echo Skipping this run, puppet agent already running at pid `cat $PUPPETLOCK`  | logger -t puppet-agent-cronjob
+    if [ -f "$CMDLINE_FILE" ]; then
+        if grep -q puppet "$CMDLINE_FILE"; then
+            echo "Skipping this run, puppet agent already running at pid $PUPPETPID"  | logger -t puppet-agent-cronjob
             exit 0
         fi
     fi
-    echo Ignoring stale puppet agent lock for pid `cat $PUPPETLOCK` | logger -t puppet-agent-cronjob
+    echo "Ignoring stale puppet agent lock for pid $PUPPETPID" | logger -t puppet-agent-cronjob
 fi
 
 timeout -k 60 300 apt-get update -qq |& logger -t puppet-agent-cronjob

modules/httpd/files/apache-status

@@ -4,4 +4,4 @@ WHITE="$(/usr/bin/tput setaf 7; /usr/bin/tput bold)"
 RESET="$(/usr/bin/tput sgr0)"
 file="/tmp/apache_status.$(/bin/hostname).$(/bin/date +%s).txt"
 /usr/bin/links -dump http://127.0.0.1/server-status -width 80 | tee "$file"
-printf "\nOutput saved to ${WHITE}${file}${RESET}.\n"
+printf "\nOutput saved to %s%s%s.\n" "$WHITE" "$file" "$RESET"

modules/mediawiki/files/bin/fileLockScript.sh

@@ -2,9 +2,9 @@
 
 # To run this script do the following fileLockScript.sh <lock_name> "<script>"
 
-exec 100>$1 || exit 1
+exec 100>"$1" || exit 1
 flock -n 100 || exit 1
 
-trap "rm -f $1" EXIT
+trap 'rm -f $1' EXIT
 
 $2

modules/mediawiki/files/bin/foreachwikiindblist

@@ -12,7 +12,6 @@ dblist=$1
 if [ ! -f "$dblist" ]; then
         echo "dblist does not exist!"
         usage
-        exit 1
 fi
 
 if [[ "$dblist" == *.json ]]; then
@@ -28,11 +27,10 @@ elif [[ "$dblist" == *.php ]]; then
 else
         echo "Unsupported file format. Please provide a .json or .php file."
         usage
-        exit 1
 fi
 
 for wiki in $wikis
 do
         echo "Running ${*:2} for $wiki"
-        /usr/bin/php ${*:2} --wiki $wiki
+        /usr/bin/php "${*:2}" --wiki "$wiki"
 done

modules/mediawiki/files/cgroup/cgroup-mediawiki-clean

@@ -1,5 +1,5 @@
 #! /bin/bash
 
-if [[ $1 == /mediawiki* ]]; then
-    rmdir /sys/fs/cgroup/memory$1
+if [[ "$1" == /mediawiki* ]]; then
+    rmdir "/sys/fs/cgroup/memory$1"
 fi

modules/monitoring/files/scripts/ssl-renew.sh

@@ -21,4 +21,4 @@ curl -X POST -H 'Content-type: application/json' --data "{
   \"SERVICESTATE\": \"${SERVICESTATE}\",
   \"SERVICESTATETYPE\": \"${SERVICESTATETYPE}\",
   \"SERVICEDESC\": \"${SERVICEDESC}\"
-}" http://[2602:294:0:b12::101]:5000/renew >> /var/log/icinga2/ssl-let.log 2>&1
+}" "http://[2602:294:0:b12::101]:5000/renew" >> /var/log/icinga2/ssl-let.log 2>&1

modules/postgresql/files/prometheus/postgresql_replication_lag.sh

@@ -45,5 +45,5 @@ lag="$(/usr/bin/check_postgres_hot_standby_delay \
 --host="${pg_master}",localhost --dbuser=replication \
 --dbpass="${pg_password}" -dbname=template1 --output=simple)"
 
-echo "postgresql_replication_lag_bytes ${lag}" > ${prometheus_path}.$$
-mv ${prometheus_path}.$$ ${prometheus_path}
+echo "postgresql_replication_lag_bytes ${lag}" > "${prometheus_path}.$$"
+mv "${prometheus_path}.$$" "${prometheus_path}"

modules/prometheus/files/varnish/varnish-requests-exporter

@@ -1,7 +1,7 @@
 #!/bin/bash
 
-amount_of_accesslogs=`tail -500 /var/log/nginx/access.log | wc -l`
-amount_of_errors=`tail -500 /var/log/nginx/access.log | awk '{print $8}' | grep '^[45]' | grep -v '429' | wc -l`
+amount_of_accesslogs=$(tail -500 /var/log/nginx/access.log | wc -l)
+amount_of_errors=$(tail -500 /var/log/nginx/access.log | awk '{print $8}' | grep '^[45]' | grep -cv '429')
 error_rate=$(awk "BEGIN { pc=${amount_of_errors}/${amount_of_accesslogs}; print pc }")
 
 cat >/var/lib/prometheus/node.d/varnish_requests.prom <<EOL

modules/role/files/opensearch/opensearch-generate-admin-certificate.sh

@@ -7,11 +7,15 @@
 # openssl x509 -in <ca>.crt -out <ca>.pem -outform PEM
 # to convert private key from rsa to PKCS8:
 # openssl pkcs8 -topk8 -in <old_key>.crt -out <new_key>.pem -nocrypt
-CN=ADMIN_WIKITIDE,O=WikiTide Foundation,L=Washington,ST=DC,C=US
-openssl genrsa -out $1/wikitide-ca-key.pem 2048
-openssl req -new -x509 -sha256 -key $1/wikitide-ca-key.pem -subj "/C=US/ST=DC/L=Washington/O=WikiTide Foundation" -out $1/wikitide-ca.pem -days 730
 
-openssl genrsa -out $1/admin-key-temp.pem 2048
-openssl pkcs8 -inform PEM -outform PEM -in $1/admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out $1/admin-key.pem
-openssl req -new -key $1/admin-key.pem -subj "/C=US/ST=DC/L=Washington/O=WikiTide Foundation/CN=ADMIN_WIKITIDE" -out $1/admin.csr
-openssl x509 -req -in $1/admin.csr -CA $1/wikitide-ca.pem -CAkey $1/wikitide-ca-key.pem -CAcreateserial -sha256 -out $1/admin.pem -days 730
+# No idea why this is here, but this was initially just a command
+# (yes, no quotes and all) (and if it were an environment variable,
+# it would actually be used here, but nope!)
+# CN=ADMIN_WIKITIDE,O=WikiTide Foundation,L=Washington,ST=DC,C=US
+openssl genrsa -out "$1/wikitide-ca-key.pem" 2048
+openssl req -new -x509 -sha256 -key "$1/wikitide-ca-key.pem" -subj "/C=US/ST=DC/L=Washington/O=WikiTide Foundation" -out "$1/wikitide-ca.pem" -days 730
+
+openssl genrsa -out "$1/admin-key-temp.pem" 2048
+openssl pkcs8 -inform PEM -outform PEM -in "$1/admin-key-temp.pem" -topk8 -nocrypt -v1 PBE-SHA1-3DES -out "$1/admin-key.pem"
+openssl req -new -key "$1/admin-key.pem" -subj "/C=US/ST=DC/L=Washington/O=WikiTide Foundation/CN=ADMIN_WIKITIDE" -out "$1/admin.csr"
+openssl x509 -req -in "$1/admin.csr" -CA "$1/wikitide-ca.pem" -CAkey "$1/wikitide-ca-key.pem" -CAcreateserial -sha256 -out "$1/admin.pem" -days 730

modules/ssl/files/ssl-acme

@@ -7,10 +7,6 @@
 set -e
 set -u
 
-function log {
-    echo "$@"
-}
-
 function usage {
     echo "Usage: $0 [-h] [-s <state>] [-t <service_type>] [-u <URL>]"
     echo "  -h      display help"
@@ -40,11 +36,11 @@ while getopts ":hs:t:u:" option; do
     esac
 done
 
-test -z ${STATE} && usage
-test -z ${TYPE} && usage
-test -z ${URL} && usage
+test -z "${STATE}" && usage
+test -z "${TYPE}" && usage
+test -z "${URL}" && usage
 
-case $STATE in
+case "$STATE" in
 OK)
         # It's all good
         ;;
@@ -58,7 +54,7 @@ WARNING)
                 # Lets Renew here
                 if [ -f "/etc/letsencrypt/live/${URL}/fullchain.pem" ]
                 then
-                    sudo /root/ssl-certificate -d $URL -r -p -o
+                    sudo /root/ssl-certificate -d "$URL" -r -p -o
                 fi
                 ;;
         esac

modules/swift/files/swift-account-stats-timer.sh

@@ -9,5 +9,5 @@ account_statsd_prefix=${2:?}
 statsd_host=${3:?}
 statsd_port=${4:?}
 
-. ${account_file}
-/usr/local/bin/swift-account-stats --prefix ${account_statsd_prefix} --statsd-host ${statsd_host} --statsd-port ${statsd_port}
+. "${account_file}"
+/usr/local/bin/swift-account-stats --prefix "${account_statsd_prefix}" --statsd-host "${statsd_host}" --statsd-port "${statsd_port}"

modules/varnish/files/icinga/check_nginx_errorrate

@@ -1,6 +1,6 @@
 #! /bin/bash
-amount_of_accesslogs=`tail -500 /var/log/nginx/access.log | wc -l`
-amount_of_errors=`tail -500 /var/log/nginx/access.log | awk '{print $8}' | grep '^[45]' | grep -v '429' | wc -l`
+amount_of_accesslogs=$(tail -500 /var/log/nginx/access.log | wc -l)
+amount_of_errors=$(tail -500 /var/log/nginx/access.log | awk '{print $8}' | grep '^[45]' | grep -cv '429')
 
 # http://stackoverflow.com/a/24299222
 error_rate=$(awk "BEGIN { pc=100*${amount_of_errors}/${amount_of_accesslogs}; i=int(pc); print (pc-i<0.5)?i:i+1 }")
@@ -18,7 +18,7 @@ case $error_rate in
         echo "WARNING - NGINX Error Rate is $error_rate%"
         exit 1
         ;;
-        [5][1-9]|[6789][0-9]|[100]*)
+        [5][1-9]|[6789][0-9]|100*)
         echo "CRITICAL - NGINX Error Rate is $error_rate%"
         exit 2
         ;;