From a913b25ed347c0d3557057da3d1b6d95ee760721 Mon Sep 17 00:00:00 2001
From: Alexei Ledenev
Date: Tue, 17 May 2016 16:02:25 +0300
Subject: [PATCH] shellcheck cleaning
Signed-off-by: Alexei Ledenev
---
bats_tests/1_host_configuration.bats | 6 ++---
.../3_docker_daemon_configuration_files.bats | 12 +++++-----
...4_1_create_user_in_container.bats.template | 6 ++---
bats_tests/5_container_runtime.bats.template | 12 +++++-----
generate_tests.sh | 10 ++++-----
run_tests.sh | 22 +++++++++----------
6 files changed, 33 insertions(+), 35 deletions(-)
diff --git a/bats_tests/1_host_configuration.bats b/bats_tests/1_host_configuration.bats
index 97eee29..6ed2e6e 100644
--- a/bats_tests/1_host_configuration.bats
+++ b/bats_tests/1_host_configuration.bats
@@ -48,9 +48,9 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 declare -a trusted_users=("vagrant" "docker" "ubuntu")
 users_string=$(awk -F':' '/^docker/{print $4}' /etc/group)
 docker_users=(${users_string//,/ })
- for u in ${docker_users[@]}; do
+ for u in "${docker_users[@]}"; do
 local found=1
- for tu in ${trusted_users[@]}; do
+ for tu in "${trusted_users[@]}"; do
 if [ "$u" = "$tu" ]; then
 found=0
 fi
@@ -75,7 +75,7 @@ test_audit_directory() {
 assert [ -d "$directory" ]
 run command -v auditctl >/dev/null
 assert_success
- run auditctl -l | grep $directory
+ run auditctl -l | grep "$directory"
 assert_success
 }
diff --git a/bats_tests/3_docker_daemon_configuration_files.bats b/bats_tests/3_docker_daemon_configuration_files.bats
index de99861..cec8963 100644
--- a/bats_tests/3_docker_daemon_configuration_files.bats
+++ b/bats_tests/3_docker_daemon_configuration_files.bats
@@ -8,7 +8,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 @test "3.1 - Verify that docker.service file ownership is set to root:root" {
 file="$(get_systemd_service_file docker.service)"
 if [ -f "$file" ]; then
- if [ "$(stat -c %u%g $file)" -ne 00 ]; then
+ if [ "$(stat -c %u%g "$file")" -ne 00 ]; then
 fail "Wrong ownership for $file"
 fi
 fi
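Review bot: The group lookup that feeds the newly quoted loop, `awk -F':' '/^docker/{print $4}' /etc/group`, is anchored only at the start of the line, so it also matches any other group whose name begins with `docker`; `docker_users` can then contain members of an unrelated group and the trusted-user comparison reports on them. `'/^docker:/{print $4}'` pins the lookup to the `docker` group itself. The array is still built by unquoted splitting in `docker_users=(${users_string//,/ })`, which glob-expands every element as well (ShellCheck SC2206); `IFS=',' read -r -a docker_users <<< "$users_string"` splits on the commas without globbing. The enclosing @test starts before this hunk.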
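Review bot: `run auditctl -l | grep "$directory"` does not test what the following `assert_success` assumes, if `run` is the usual bats helper: `run` captures the command's output into `$output` rather than printing it, and as a pipeline stage it executes in a subshell, so `grep` receives nothing and the `$status` that `assert_success` reads is still the one left by `run command -v auditctl` two lines earlier. The audit-rule check therefore passes whenever auditctl is installed, whether or not a rule for the directory exists. Put the whole pipeline under `run` and pass the directory as an argument instead of interpolating it: `run sh -c 'auditctl -l | grep -F -- "$1"' sh "$directory"`. test_audit_directory begins before this hunk.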
@@ -18,7 +18,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 @test "3.2 - Verify that docker.service file permissions are set to 644" {
 file="$(get_systemd_service_file docker.service)"
 if [ -f "$file" ]; then
- if [ "$(stat -c %a $file)" -ne 644 ]; then
+ if [ "$(stat -c %a "$file")" -ne 644 ]; then
 fail "Wrong permissions for $file"
 fi
 fi
@@ -28,7 +28,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 @test "3.3 - Verify that docker.socket file ownership is set to root:root" {
 file="$(get_systemd_service_file docker.socket)"
 if [ -f "$file" ]; then
- if [ "$(stat -c %u%g $file)" -ne 00 ]; then
+ if [ "$(stat -c %u%g "$file")" -ne 00 ]; then
 fail "Wrong ownership for $file"
 fi
 fi
@@ -38,7 +38,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 @test "3.4 - Verify that docker.socket file permissions are set to 644" {
 file="$(get_systemd_service_file docker.socket)"
 if [ -f "$file" ]; then
- if [ "$(stat -c %a $file)" -ne 644 ]; then
+ if [ "$(stat -c %a "$file")" -ne 644 ]; then
 fail "Wrong permissions for $file"
 fi
 fi
@@ -58,7 +58,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 @test "3.6 - Verify that /etc/docker directory permissions are set to 755 or 700" {
 directory="/etc/docker"
 if [ -d "$directory" ]; then
- if [ "$(stat -c %a $directory)" -ne 755 -a "$(stat -c %a $directory)" -ne 700 ]; then
+ if [ "$(stat -c %a $directory)" -ne 755 ] && [ "$(stat -c %a $directory)" -ne 700 ]; then
 fail "Wrong permissions for $directory : $(stat -c %a $directory)"
 fi
 fi
@@ -89,7 +89,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 fail=0
 perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}')
 for p in $perms; do
- if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then
+ if [ "$p" != "-r--r--r--." ] && [ "$p" = "-r--------." ]; then
 fail=1
 fi
 done
diff --git a/bats_tests/4_1_create_user_in_container.bats.template b/bats_tests/4_1_create_user_in_container.bats.template
index 8e1fbaf..f3a2be8 100644
--- a/bats_tests/4_1_create_user_in_container.bats.template
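Review bot: The new 3.6 line leaves `$directory` unquoted in both `stat -c %a $directory` calls while the 3.1–3.4 hunks in this file quote `$file`; `directory` is the literal `/etc/docker`, so nothing breaks, but it is the one expansion in the file ShellCheck will keep flagging. The mode is also computed three times, twice in the test and again in the `fail` message; reading it once with `mode=$(stat -c %a "$directory")` and comparing `"$mode"` keeps the condition and the reported value in agreement.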
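Review bot: The rewritten condition `[ "$p" != "-r--r--r--." ] && [ "$p" = "-r--------." ]` carries over the inverted second comparison from the old line: it flags only a certificate whose mode is exactly `-r--------.`, which is more restrictive than required, and accepts everything else, including a group- or world-writable file, so the check never fails for the case it exists to catch. The intended reading is evidently "neither accepted mode", i.e. `[ "$p" != "-r--r--r--." ] && [ "$p" != "-r--------." ]`. Parsing `ls -lL` also ties the test to the trailing SELinux `.` in the mode string, which is absent on hosts without SELinux labels, so with the corrected comparison every file would then fail; `stat -c %a` on each `.crt` file gives a numeric mode that can be compared against 444 and 400 directly. The enclosing @test starts before this hunk.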
+++ b/bats_tests/4_1_create_user_in_container.bats.template
@@ -7,10 +7,10 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 # 4.1
 @test "4.1 - Create a user for the container: {{c}}" {
- local user=$(docker inspect --format 'User={{.Config.User}}' "{{c}}")
- if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=" ]; then
+ user=$(docker inspect --format 'User={{.Config.User}}' "{{c}}")
+ if [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=" ]; then
 # get PID 1 and check if it's running as root (uid=0)
- local uid=$(docker exec {{c}} awk '/^Uid:/{print $2}' /proc/1/status)
+ uid=$(docker exec {{c}} awk '/^Uid:/{print $2}' /proc/1/status)
 if [ $uid -eq 0 ]; then
 fail "Running as root: {{c}}"
 fi
diff --git a/bats_tests/5_container_runtime.bats.template b/bats_tests/5_container_runtime.bats.template
index 3bbf13f..22f73e0 100644
--- a/bats_tests/5_container_runtime.bats.template
+++ b/bats_tests/5_container_runtime.bats.template
@@ -7,7 +7,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 # 5.1
 @test "5.1 - Verify AppArmor Profile, if applicable: {{c}}" {
 policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "{{c}}")
- if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=" ]; then
+ if [ "$policy" = "AppArmorProfile=" ] || [ "$policy" = "AppArmorProfile=[]" ] || [ "$policy" = "AppArmorProfile=" ]; then
 fail "No AppArmorProfile Found: {{c}}"
 fi
 }
@@ -15,7 +15,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 # 5.2
 @test "5.2 - Verify SELinux security options, if applicable: {{c}}" {
 policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "{{c}}")
- if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=" ]; then
+ if [ "$policy" = "SecurityOpt=" ] || [ "$policy" = "SecurityOpt=[]" ] || [ "$policy" = "SecurityOpt=" ]; then
 fail "No SecurityOptions Found: {{c}}"
 fi
 }
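Review bot: The PID 1 uid check inside the rewritten condition runs only when `Config.User` renders as empty, so a container whose image or run command sets the user explicitly to `root` or `0` skips it and passes 4.1 although it runs as root; adding `elif [ "$user" = "User=root" ] || [ "$user" = "User=0" ]; then fail "Running as root: {{c}}"` before the closing `fi` closes that gap. In the same block `docker exec {{c}}` is still unquoted while the `docker inspect` call quotes `"{{c}}"`, and `[ $uid -eq 0 ]` stays unquoted, so an empty `uid` (for instance when `docker exec` fails because the container has exited) becomes a `[` operator error rather than a test failure; `[ "${uid:-0}" -eq 0 ]` fails closed. Dropping `local` from `user` and `uid` silences SC2155 but makes both variables globals of the test function; keeping the declaration and assigning on the next line, `local user; user=$(...)`, avoids that. The @test body continues past the end of this hunk.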
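Review bot: The rewritten comparison in 5.1, and likewise those in 5.2, 5.3, 5.17 and 5.18, only ever sees the rendered template string and has no branch for `docker inspect` itself failing: if the container baked into the generated test is gone by the time it runs and nothing reaches stdout, `$policy` is empty, matches none of the clauses and the test passes, while the `!=` form used in 5.3 and 5.17 fails with a message that blames the container's configuration. Guard the value before comparing, e.g. `[ -n "$policy" ] || fail "docker inspect failed for {{c}}"`; the same one-liner, with the respective variable name, fits the other four tests.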
@@ -23,7 +23,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 # 5.3
 @test "5.3 - Restrict Linux Kernel Capabilities within containers: {{c}}" {
 caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "{{c}}")
- if [ "$caps" != 'CapAdd=' -a "$caps" != 'CapAdd=[]' -a "$caps" != 'CapAdd=' -a "$caps" != 'CapAdd=' ]; then
+ if [ "$caps" != 'CapAdd=' ] && [ "$caps" != 'CapAdd=[]' ] && [ "$caps" != 'CapAdd=' ] && [ "$caps" != 'CapAdd=' ]; then
 fail "Capabilities added: $caps to {{c}}"
 fi
 }
@@ -48,7 +48,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 volumes=$(docker inspect --format '{{ .Mounts }}' "{{c}}")
 fi
 # Go over each directory in sensitive dir and see if they exist in the volumes
- for v in ${sensitive_dirs[@]}; do
+ for v in "${sensitive_dirs[@]}"; do
 run contains "$volumes" "$v"
 if [ $status -eq 0 ]; then
 fail "Sensitive directory $v mounted in: {{c}}"
@@ -146,7 +146,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 # 5.17
 @test "5.17 - Do not directly expose host devices to containers: {{c}}" {
 devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "{{c}}")
- if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=" ]; then
+ if [ "$devices" != "Devices=" ] && [ "$devices" != "Devices=[]" ] && [ "$devices" != "Devices=" ]; then
 fail "Container has devices exposed directly: {{c}}"
 fi
 }
@@ -154,7 +154,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 # 5.18
 @test "5.18 - Override default ulimit at runtime only if needed: {{c}}" {
 ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "{{c}}")
- if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=" ]; then
+ if [ "$ulimits" = "Ulimits=" ] || [ "$ulimits" = "Ulimits=[]" ] || [ "$ulimits" = "Ulimits=" ]; then
 fail "Container no default ulimit override: {{c}}"
 fi
 }
diff --git a/generate_tests.sh b/generate_tests.sh
index 908cbfa..5ef4ac3 100644
--- a/generate_tests.sh
+++ b/generate_tests.sh
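Review bot: The quoted loop now iterates `sensitive_dirs` correctly, but each element is still matched by `run contains "$volumes" "$v"` against the single string rendered from `{{ .Mounts }}` (in the branch visible here), so the check is a substring test: a mount whose path merely begins with a sensitive directory name, or whose container-side destination rather than host source contains it, is reported exactly like a real host mount of that directory. Rendering one host path per line, `docker inspect --format '{{range .Mounts}}{{.Source}}{{"\n"}}{{end}}' "{{c}}"`, and comparing whole lines with `grep -Fxq -- "$v"` would make the result exact. The `sensitive_dirs` array and the start of the @test lie before this hunk.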
@@ -20,10 +20,10 @@ prepare_tests_directory()
 list_running_containers()
 {
 # List all running containers
- local containers=$(docker ps | sed '1d' | awk '{print $NF}')
+ containers=($(docker ps | sed '1d' | awk '{print $NF}' | tr "\n" " "))
 # If there is a container with label docker_bench_security, memorize it:
 local benchcont="nil"
- for c in $containers; do
+ for c in "${containers[@]}"; do
 labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
 contains "$labels" "docker_bench_security" && benchcont="$c"
 done
@@ -35,9 +35,9 @@ generate_all_tests() {
 # prepare test direcory: copy tests and templates
 prepare_tests_directory
 # generate tests from templates for running containers
- local containers=$(list_running_containers)
- ( cd $TEST_ROOT
- for c in ${containers[@]}; do
+ containers=($(list_running_containers))
+ ( cd $TEST_ROOT || exit 1
+ for c in "${containers[@]}"; do
 for t in *.bats.template; do
 sed -e "s/{{c}}/$c/g" "${t}" > "${t%.*.*}_${c}.bats"
 done
diff --git a/run_tests.sh b/run_tests.sh
index b1c4afd..214490b 100755
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -2,8 +2,6 @@
 . ./generate_tests.sh
-TERMINFO=/usr/share/terminfo
-
 TEST_RESULTS=$BENCH_ROOT/results
 # make result folder (inside VOLUME)
@@ -23,9 +21,9 @@ OPT_RESULTS=1
 #Set fonts for Help.
 if [ -e "/usr/bin/tput" ]; then
- BOLD=`tput bold`
- REV=`tput smso`
- NORM=`tput sgr0`
+ BOLD=$(tput bold)
+ REV=$(tput smso)
+ NORM=$(tput sgr0)
 else
 BOLD=""
 REV=""
@@ -50,7 +48,7 @@ HELP() {
 #Check the number of arguments. If none are passed, print help and exit.
 NUMARGS=$#
-if [ $NUMARGS -eq 0 ]; then
+if [ "$NUMARGS" -eq 0 ]; then
 HELP
 fi
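Review bot: `containers=($(docker ps | sed '1d' | awk '{print $NF}' | tr "\n" " "))` trades the SC2155 warning for SC2207: the unquoted substitution is word-split and glob-expanded, and the `tr` is redundant because that splitting already treats newlines as separators. `mapfile -t containers < <(docker ps --format '{{.Names}}')` reads the names one per line without parsing the table layout at all. Removing `local` here, and again in the `generate_all_tests` hunk below, also turns `containers` into a global shared by both functions; keeping `local -a containers` and assigning on the following line satisfies ShellCheck without that side effect. list_running_containers continues past the end of this hunk.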
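Review bot: `( cd $TEST_ROOT || exit 1` gains the exit guard but keeps `$TEST_ROOT` unquoted, the one expansion in this hunk the commit does not quote; `( cd "$TEST_ROOT" || exit 1` matches the rest of the change. The loop below also splices each container name into a sed program and an output filename, `sed -e "s/{{c}}/$c/g" "${t}" > "${t%.*.*}_${c}.bats"`; Docker's own name validation keeps `/`, `&` and whitespace out of container names, so this is safe for names the daemon accepts, but a one-line comment recording that assumption would stop a later reader from reusing the loop on arbitrary strings. The subshell opened by `(` closes after this hunk.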
@@ -73,7 +71,7 @@ while getopts o:rptcgh FLAG; do
 ;;
 c) # count tests
 if [ -d "$TEST_ROOT" ]; then
- echo -e "There are ${BOLD}$(bats $TEST_ROOT -c)${NORM} tests in ${BOLD}$TEST_ROOT${NORM}"
+ echo -e "There are ${BOLD}$(bats "${TEST_ROOT}" -c)${NORM} tests in ${BOLD}${TEST_ROOT}${NORM}"
 else
 echo -e "No tests found, run ${BOLD}${SCRIPT}${NORM} with ${REV}-g${NORM} option first."
 fi
@@ -99,8 +97,8 @@ shift $((OPTIND-1)) #This tells getopts to move on to the next argument.
 ### Run Bats tests ###
-TESTS=$TEST_ROOT
-if [ ! -d $TEST_ROOT ]; then # generate tests if needed
+TESTS="${TEST_ROOT}"
+if [ ! -d "${TEST_ROOT}" ]; then # generate tests if needed
 generate_all_tests
 fi
@@ -108,13 +106,13 @@ if [ $# -ne 0 ]; then # get tests from command line
 TESTS=$*
 fi
-if [ $OPT_RESULTS -eq 0 ]; then # run tests and [create test result file]
+if [ ${OPT_RESULTS} -eq 0 ]; then # run tests and [create test result file]
 if [ ! -d "$OPT_OUTPUT" ]; then
 mkdir -p "$OPT_OUTPUT"
 fi
- bats $TESTS -${OPT_FORMAT} > "${OPT_OUTPUT}/tests_$(date +%s).tap"
+ bats "${TESTS}" -${OPT_FORMAT} > "${OPT_OUTPUT}/tests_$(date +%s).tap"
 else
- bats $TESTS -${OPT_FORMAT}
+ bats "${TESTS}" -${OPT_FORMAT}
 fi
 exit 0
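Review bot: Quoting `"${TESTS}"` in both `bats` invocations changes behaviour when test paths are given on the command line: the context line `TESTS=$*` joins every argument into one space-separated string, and the quoted expansion now hands bats that string as a single non-existent path, whereas the old unquoted form at least split it back into separate arguments. An array keeps ShellCheck quiet and handles several paths, or one containing a space; it needs the assignment in the `-99` hunk of this file changed as well, so the rewritten lines from both hunks are shown together below. The `-${OPT_FORMAT}` argument is left as it was.
```shell
TESTS=("${TEST_ROOT}")
# … unchanged: generate tests if needed …
if [ $# -ne 0 ]; then # get tests from command line
  TESTS=("$@")
fi
# … unchanged: OPT_RESULTS check and output directory creation …
  bats "${TESTS[@]}" -${OPT_FORMAT} > "${OPT_OUTPUT}/tests_$(date +%s).tap"
else
  bats "${TESTS[@]}" -${OPT_FORMAT}
fi
```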