Shellcheck linting (#641)

Author: buchdag

app/cert_status

@@ -35,9 +35,8 @@ for cert in /etc/nginx/certs/*/fullchain.pem; do
     [[ -e "$cert" ]] || continue
     if [[ -e "${cert%fullchain.pem}chain.pem" ]]; then
         # Verify the certificate with OpenSSL.
-        verify=$(openssl verify -CAfile "${cert%fullchain.pem}chain.pem" "$cert" 2>&1)
-        if [[ $? -eq 0 ]]; then
-            echo $verify
+        if verify=$(openssl verify -CAfile "${cert%fullchain.pem}chain.pem" "$cert" 2>&1); then
+            echo "$verify"
             # Print certificate info.
             print_cert_info "$cert"
         else
@@ -57,7 +56,8 @@ for cert in /etc/nginx/certs/*/fullchain.pem; do
     for symlink in /etc/nginx/certs/*.crt; do
         [[ -e "$symlink" ]] || continue
         if [[ "$(readlink -f "$symlink")" == "$cert" ]]; then
-            domain="$(echo "${symlink%.crt}" | sed 's#/etc/nginx/certs/##g')"
+            domain="${symlink%.crt}"
+            domain="${domain//\/etc\/nginx\/certs\//}"
             symlinked_domains+=("$domain")
         fi
     done

app/entrypoint.sh

@@ -1,8 +1,11 @@
 #!/bin/bash
-# shellcheck disable=SC2155
 
 set -u
 
+# shellcheck source=functions.sh
+source /app/functions.sh
+DEBUG="$(lc "$DEBUG")"
+
 function check_deprecated_env_var {
     if [[ -n "${ACME_TOS_HASH:-}" ]]; then
         echo "Info: the ACME_TOS_HASH environment variable is no longer used by simp_le and has been deprecated."
@@ -24,8 +27,9 @@ function check_docker_socket {
 function check_writable_directory {
     local dir="$1"
     if [[ $(get_self_cid) ]]; then
-        docker_api "/containers/$(get_self_cid)/json" | jq ".Mounts[].Destination" | grep -q "^\"$dir\"$"
-        [[ $? -ne 0 ]] && echo "Warning: '$dir' does not appear to be a mounted volume."
+        if ! docker_api "/containers/$(get_self_cid)/json" | jq ".Mounts[].Destination" | grep -q "^\"$dir\"$"; then
+            echo "Warning: '$dir' does not appear to be a mounted volume."
+        fi
     else
         echo "Warning: can't check if '$dir' is a mounted volume without self container ID."
     fi
@@ -34,13 +38,12 @@ function check_writable_directory {
         echo "Check that '$dir' directory is declared as a writable volume." >&2
         exit 1
     fi
-    touch $dir/.check_writable 2>/dev/null
-    if [[ $? -ne 0 ]]; then
+    if ! touch "$dir/.check_writable" 2>/dev/null ; then
         echo "Error: can't write to the '$dir' directory !" >&2
         echo "Check that '$dir' directory is export as a writable volume." >&2
         exit 1
     fi
-    rm -f $dir/.check_writable
+    rm -f "$dir/.check_writable"
 }
 
 function check_dh_group {
@@ -59,9 +62,9 @@ function check_dh_group {
     local GEN_LOCKFILE="/tmp/le_companion_dhparam_generating.lock"
 
     # The hash of the pregenerated dhparam file is used to check if the pregen dhparam is already in use
-    local PREGEN_HASH=$(sha256sum "$PREGEN_DHPARAM_FILE" | cut -d ' ' -f1)
+    local PREGEN_HASH; PREGEN_HASH=$(sha256sum "$PREGEN_DHPARAM_FILE" | cut -d ' ' -f1)
     if [[ -f "$DHPARAM_FILE" ]]; then
-        local CURRENT_HASH=$(sha256sum "$DHPARAM_FILE" | cut -d ' ' -f1)
+        local CURRENT_HASH; CURRENT_HASH=$(sha256sum "$DHPARAM_FILE" | cut -d ' ' -f1)
         if [[ "$PREGEN_HASH" != "$CURRENT_HASH" ]]; then
             # There is already a dhparam, and it's not the default
             set_ownership_and_permissions "$DHPARAM_FILE"
@@ -106,7 +109,7 @@ function check_default_cert_key {
         # than 3 months / 7776000 seconds (60 x 60 x 24 x 30 x 3).
         check_cert_min_validity /etc/nginx/certs/default.crt 7776000
         cert_validity=$?
-        [[ "$(lc $DEBUG)" == true ]] && echo "Debug: a default certificate with $default_cert_cn is present."
+        [[ "$DEBUG" == true ]] && echo "Debug: a default certificate with $default_cert_cn is present."
     fi
 
     # Create a default cert and private key if:
@@ -123,17 +126,15 @@ function check_default_cert_key {
         && mv /etc/nginx/certs/default.key.new /etc/nginx/certs/default.key \
         && mv /etc/nginx/certs/default.crt.new /etc/nginx/certs/default.crt
         echo "Info: a default key and certificate have been created at /etc/nginx/certs/default.key and /etc/nginx/certs/default.crt."
-    elif [[ "$(lc $DEBUG)" == true && "${default_cert_cn:-}" =~ $cn ]]; then
+    elif [[ "$DEBUG" == true && "${default_cert_cn:-}" =~ $cn ]]; then
         echo "Debug: the self generated default certificate is still valid for more than three months. Skipping default certificate creation."
-    elif [[ "$(lc $DEBUG)" == true ]]; then
+    elif [[ "$DEBUG" == true ]]; then
         echo "Debug: the default certificate is user provided. Skipping default certificate creation."
     fi
     set_ownership_and_permissions "/etc/nginx/certs/default.key"
     set_ownership_and_permissions "/etc/nginx/certs/default.crt"
 }
 
-source /app/functions.sh
-
 if [[ "$*" == "/bin/bash /app/start.sh" ]]; then
     acmev1_r='acme-(v01\|staging)\.api\.letsencrypt\.org'
     if [[ "${ACME_CA_URI:-}" =~ $acmev1_r ]]; then

app/force_renew

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+# shellcheck source=letsencrypt_service
 source /app/letsencrypt_service --source-only
 
 update_certs --force-renew

app/functions.sh

@@ -1,5 +1,11 @@
 #!/bin/bash
-# shellcheck disable=SC2155
+
+# Convert argument to lowercase (bash 4 only)
+function lc {
+	echo "${@,,}"
+}
+
+DEBUG="$(lc "$DEBUG")"
 
 [[ -z "${VHOST_DIR:-}" ]] && \
  declare -r VHOST_DIR=/etc/nginx/vhost.d
@@ -9,7 +15,7 @@
  declare -r END_HEADER='## End of configuration add by letsencrypt container'
 
 function check_nginx_proxy_container_run {
-    local _nginx_proxy_container=$(get_nginx_proxy_container)
+    local _nginx_proxy_container; _nginx_proxy_container=$(get_nginx_proxy_container)
     if [[ -n "$_nginx_proxy_container" ]]; then
         if [[ $(docker_api "/containers/${_nginx_proxy_container}/json" | jq -r '.State.Status') = "running" ]];then
             return 0
@@ -156,22 +162,22 @@ function docker_api {
         return 1
     fi
     if [[ $DOCKER_HOST == unix://* ]]; then
-        curl_opts+=(--unix-socket ${DOCKER_HOST#unix://})
+        curl_opts+=(--unix-socket "${DOCKER_HOST#unix://}")
         scheme='http://localhost'
     else
         scheme="http://${DOCKER_HOST#*://}"
     fi
     [[ $method = "POST" ]] && curl_opts+=(-H 'Content-Type: application/json')
-    curl "${curl_opts[@]}" -X${method} ${scheme}$1
+    curl "${curl_opts[@]}" -X "${method}" "${scheme}$1"
 }
 
 function docker_exec {
     local id="${1?missing id}"
     local cmd="${2?missing command}"
-    local data=$(printf '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Tty":false,"Cmd": %s }' "$cmd")
+    local data; data=$(printf '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Tty":false,"Cmd": %s }' "$cmd")
     exec_id=$(docker_api "/containers/$id/exec" "POST" "$data" | jq -r .Id)
     if [[ -n "$exec_id" && "$exec_id" != "null" ]]; then
-        docker_api /exec/$exec_id/start "POST" '{"Detach": false, "Tty":false}'
+        docker_api "/exec/${exec_id}/start" "POST" '{"Detach": false, "Tty":false}'
     else
         echo "$(date "+%Y/%m/%d %T"), Error: can't exec command ${cmd} in container ${id}. Check if the container is running." >&2
         return 1
@@ -190,12 +196,12 @@ function docker_kill {
 }
 
 function labeled_cid {
-    docker_api "/containers/json" | jq -r '.[] | select(.Labels["'$1'"])|.Id'
+    docker_api "/containers/json" | jq -r '.[] | select(.Labels["'"$1"'"])|.Id'
 }
 
 function is_docker_gen_container {
     local id="${1?missing id}"
-    if [[ $(docker_api "/containers/$id/json" | jq -r '.Config.Env[]' | egrep -c '^DOCKER_GEN_VERSION=') = "1" ]]; then
+    if [[ $(docker_api "/containers/$id/json" | jq -r '.Config.Env[]' | grep -c -E '^DOCKER_GEN_VERSION=') = "1" ]]; then
         return 0
     else
         return 1
@@ -204,7 +210,7 @@ function is_docker_gen_container {
 
 function get_docker_gen_container {
     # First try to get the docker-gen container ID from the container label.
-    local docker_gen_cid="$(labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen)"
+    local docker_gen_cid; docker_gen_cid="$(labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.docker_gen)"
 
     # If the labeled_cid function dit not return anything and the env var is set, use it.
     if [[ -z "$docker_gen_cid" ]] && [[ -n "${NGINX_DOCKER_GEN_CONTAINER:-}" ]]; then
@@ -218,7 +224,7 @@ function get_docker_gen_container {
 function get_nginx_proxy_container {
     local volumes_from
     # First try to get the nginx container ID from the container label.
-    local nginx_cid="$(labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy)"
+    local nginx_cid; nginx_cid="$(labeled_cid com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy)"
 
     # If the labeled_cid function dit not return anything ...
     if [[ -z "${nginx_cid}" ]]; then
@@ -230,7 +236,7 @@ function get_nginx_proxy_container {
             volumes_from=$(docker_api "/containers/$(get_self_cid)/json" | jq -r '.HostConfig.VolumesFrom[]' 2>/dev/null)
             for cid in $volumes_from; do
                 cid="${cid%:*}" # Remove leading :ro or :rw set by remote docker-compose (thx anoopr)
-                if [[ $(docker_api "/containers/$cid/json" | jq -r '.Config.Env[]' | egrep -c '^NGINX_VERSION=') = "1" ]];then
+                if [[ $(docker_api "/containers/$cid/json" | jq -r '.Config.Env[]' | grep -c -E '^NGINX_VERSION=') = "1" ]];then
                     nginx_cid="$cid"
                     break
                 fi
@@ -244,8 +250,8 @@ function get_nginx_proxy_container {
 
 ## Nginx
 function reload_nginx {
-    local _docker_gen_container=$(get_docker_gen_container)
-    local _nginx_proxy_container=$(get_nginx_proxy_container)
+    local _docker_gen_container; _docker_gen_container=$(get_docker_gen_container)
+    local _nginx_proxy_container; _nginx_proxy_container=$(get_nginx_proxy_container)
 
     if [[ -n "${_docker_gen_container:-}" ]]; then
         # Using docker-gen and nginx in separate container
@@ -285,16 +291,16 @@ function set_ownership_and_permissions {
     return 1
   fi
 
-  [[ "$(lc $DEBUG)" == true ]] && echo "Debug: checking $path ownership and permissions."
+  [[ "$DEBUG" == true ]] && echo "Debug: checking $path ownership and permissions."
 
   # Find the user numeric ID if the FILES_UID environment variable isn't numeric.
   if [[ "$user" =~ ^[0-9]+$ ]]; then
     user_num="$user"
   # Check if this user exist inside the container
   elif id -u "$user" > /dev/null 2>&1; then
     # Convert the user name to numeric ID
-    local user_num="$(id -u "$user")"
-    [[ "$(lc $DEBUG)" == true ]] && echo "Debug: numeric ID of user $user is $user_num."
+    local user_num; user_num="$(id -u "$user")"
+    [[ "$DEBUG" == true ]] && echo "Debug: numeric ID of user $user is $user_num."
   else
     echo "Warning: user $user not found in the container, please use a numeric user ID instead of a user name. Skipping ownership and permissions check."
     return 1
@@ -306,8 +312,8 @@ function set_ownership_and_permissions {
   # Check if this group exist inside the container
   elif getent group "$group" > /dev/null 2>&1; then
     # Convert the group name to numeric ID
-    local group_num="$(getent group "$group" | awk -F ':' '{print $3}')"
-    [[ "$(lc $DEBUG)" == true ]] && echo "Debug: numeric ID of group $group is $group_num."
+    local group_num; group_num="$(getent group "$group" | awk -F ':' '{print $3}')"
+    [[ "$DEBUG" == true ]] && echo "Debug: numeric ID of group $group is $group_num."
   else
     echo "Warning: group $group not found in the container, please use a numeric group ID instead of a group name. Skipping ownership and permissions check."
     return 1
@@ -316,7 +322,7 @@ function set_ownership_and_permissions {
   # Check and modify ownership if required.
   if [[ -e "$path" ]]; then
     if [[ "$(stat -c %u:%g "$path" )" != "$user_num:$group_num" ]]; then
-      [[ "$(lc $DEBUG)" == true ]] && echo "Debug: setting $path ownership to $user:$group."
+      [[ "$DEBUG" == true ]] && echo "Debug: setting $path ownership to $user:$group."
       if [[ -L "$path" ]]; then
         chown -h "$user_num:$group_num" "$path"
       else
@@ -326,21 +332,21 @@ function set_ownership_and_permissions {
     # If the path is a folder, check and modify permissions if required.
     if [[ -d "$path" ]]; then
       if [[ "$(stat -c %a "$path")" != "$d_perms" ]]; then
-        [[ "$(lc $DEBUG)" == true ]] && echo "Debug: setting $path permissions to $d_perms."
+        [[ "$DEBUG" == true ]] && echo "Debug: setting $path permissions to $d_perms."
         chmod "$d_perms" "$path"
       fi
     # If the path is a file, check and modify permissions if required.
     elif [[ -f "$path" ]]; then
       # Use different permissions for private files (private keys and ACME account files) ...
       if [[ "$path" =~ ^.*(default\.key|key\.pem|\.json)$ ]]; then
         if [[ "$(stat -c %a "$path")" != "$f_perms" ]]; then
-          [[ "$(lc $DEBUG)" == true ]] && echo "Debug: setting $path permissions to $f_perms."
+          [[ "$DEBUG" == true ]] && echo "Debug: setting $path permissions to $f_perms."
           chmod "$f_perms" "$path"
         fi
       # ... and for public files (certificates, chains, fullchains, DH parameters).
       else
         if [[ "$(stat -c %a "$path")" != "644" ]]; then
-          [[ "$(lc $DEBUG)" == true ]] && echo "Debug: setting $path permissions to 644."
+          [[ "$DEBUG" == true ]] && echo "Debug: setting $path permissions to 644."
           chmod "644" "$path"
         fi
       fi
@@ -350,8 +356,3 @@ function set_ownership_and_permissions {
     return 1
   fi
 }
-
-# Convert argument to lowercase (bash 4 only)
-function lc {
-	echo "${@,,}"
-}