#!/bin/bash # Copyright 2014 Red Hat, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or # implied. # See the License for the specific language governing permissions and # limitations under the License. # This script checks all files in the "elements" directory for some # common mistakes and exits with a non-zero status if it finds any. set -eu set -o pipefail ELEMENTS_DIR=${ELEMENTS_DIR:-diskimage_builder/elements} LIB_DIR=${LIB_DIR:-diskimage_builder/lib} parse_exclusions() { # Per-file exclusions # Example: # dib-lint: disable=sete setpipefail local filename=$1 local disable_pattern="# dib-lint: disable=" local exclusions=$(grep "^$disable_pattern.*$" $filename | sed "s/$disable_pattern//g") # Global exclusions read from tox.ini # Example section in tox.ini: # [dib-lint] # ignore = sete setu section="dib-lint" option="ignore" global_exclusions=$(python - < ${UNSORTED} sort ${UNSORTED} > ${SORTED} if [ -n "$(diff -c ${UNSORTED} ${SORTED})" ]; then error "$i is not sorted alphabetically" diff -y ${UNSORTED} ${SORTED} fi fi # for consistency, let's just use #!/bin/bash everywhere (not # /usr/bin/env, etc) regex='^#!.*bash' if [[ "$firstline" =~ $regex && "$firstline" != "#!/bin/bash" ]]; then error "$i : only use #!/bin/bash for scripts" fi # Check that all scripts are set -eu -o pipefail and look for # DIB_DEBUG_TRACE # NOTE(bnemec): This doesn't verify that the set call occurs high # enough in the file to be useful, but hopefully nobody will be # sticking set calls at the end of their file to trick us. And if # they are, that's easy enough to catch in reviews. # Also, this is only going to check bash scripts - we've decided to # explicitly require bash for any scripts that don't have a specific # need to run under other shells, and any exceptions to that rule # may not want these checks either. if [[ "$firstline" =~ '#!/bin/bash' ]]; then if ! excluded sete; then if [ -z "$(grep "^set -[^ ]*e" $i)" ]; then error "$i is not set -e" fi fi if ! excluded setu; then if [ -z "$(grep "^set -[^ ]*u" $i)" ]; then error "$i is not set -u" fi fi if ! excluded setpipefail; then if [ -z "$(grep "^set -o pipefail" $i)" ]; then error "$i is not set -o pipefail" fi fi if ! excluded dibdebugtrace; then if [ -z "$(grep "DIB_DEBUG_TRACE" $i)" ]; then error "$i does not follow DIB_DEBUG_TRACE" fi fi fi # check that environment files don't "set -x" and they have no executable # bits set if [[ "$i" =~ (environment.d) ]]; then if grep -q "set -x" $i; then error "Environment file $i should not set tracing" fi if [[ -x $i ]]; then error "Environment file $i should not be marked as executable" fi fi # check for # export FOO=$(bar) # calls. These are dangerous, because the export hides the return # code of the $(bar) call. Split this into 2 lines and -e will # fail on the assignment if grep -q 'export .*\$(' $i; then error "Split export and assignments in $i" fi # check that sudo calls in phases run outside the chroot look # "safe"; meaning that they seem to operate within the chroot # somehow. This is not fool-proof, but catches egregious errors, # and makes you think about it if you're doing something outside # the box. if ! excluded safe_sudo; then if [[ $(dirname $i) =~ (root.d|extra-data.d|block-device.d|finalise.d|cleanup.d) ]]; then while read LINE do if [[ $LINE =~ "sudo " ]]; then # messy regex ahead! Don't match: # - explicitly ignored # - basic comments # - install-packages ... sudo ... # - any of the paths passed into the out-of-chroot elements if [[ $LINE =~ (dib-lint: safe_sudo|^#|install-packages|TARGET_ROOT|IMAGE_BLOCK_DEVICE|TMP_MOUNT_PATH|TMP_IMAGE_PATH) ]]; then continue fi error "$i : potentially unsafe sudo\n -- $LINE" fi done < $i fi fi # check that which calls are not used. It is not built in and is missing # from some constrained environments if ! excluded which; then while read LINE do if [[ $LINE =~ "which " ]]; then # Don't match: # - explicitly ignored # - commented if [[ $LINE =~ (dib-lint: which|^#) ]]; then continue fi error "$i : potential use of which\n -- $LINE" fi done < $i fi done echo "Checking indents..." for i in $(find $ELEMENTS_DIR -type f -and -name '*.rst' -or -type f -executable) \ $(find $LIB_DIR -type f); do # Check for tab indentation if ! excluded tabindent; then if grep -q $'^ *\t' ${i}; then error "$i contains tab characters" fi fi if ! excluded newline; then if [ "$(tail -c 1 $i)" != "" ]; then error "No newline at end of file: $i" fi fi done if ! excluded mddocs; then md_docs=$(find $ELEMENTS_DIR -name '*.md') if [ -n "$md_docs" ]; then error ".md docs found: $md_docs" fi fi echo "Checking YAML parsing..." for i in $(find $ELEMENTS_DIR -type f -name '*.yaml'); do echo "Parsing $i" py_check=" import yaml import sys try: objs = yaml.safe_load(open('$i')) except yaml.parser.ParserError: sys.exit(1) " if ! python -c "$py_check"; then error "$i is not a valid YAML file" fi done echo "Checking pkg-map files..." for i in $(find $ELEMENTS_DIR -type f \ -name 'pkg-map' -a \! -executable); do echo "Parsing $i" py_check=" import json import sys try: objs = json.load(open('$i')) except ValueError: sys.exit(1) " if ! python -c "$py_check"; then error "$i is not a valid JSON file" fi done if [[ $rc == 0 ]]; then echo "PASS" else echo "*** FAIL: Some tests failed!" fi exit $rc