Damcava35/test pre commit (#256)

damcav35 · Damien Cavagnini · web-flow · commit 99bc57571432 · 2025-06-23T10:23:43.000+02:00
* chore: make linter happy for existing code

* fix: add missing test 2.1.2_disable_bsd_intetd.sh

* feat: add basic pre commit

Ensure a check has a corresponding test

---------

Co-authored-by: Damien Cavagnini &lt;damien.cavagnini@corp.ovh.com&gt;
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,10 @@
+repos:
+  - repo: local
+    hooks:
+      - id: check_has_test
+        name: check_has_test.sh
+        description: Ensure a check has a corresponding test
+        entry: hooks/check_has_test.sh
+        language: script
+        pass_filenames: true
+        files: "^bin/hardening/"
diff --git a/bin/hardening/99.1.1.23_disable_usb_devices.sh b/bin/hardening/99.1.1.23_disable_usb_devices.sh
@@ -26,6 +26,8 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
     SEARCH_RES=0
+    # if SC2086 is fixed (double quotes) instead of skipped, then shellcheck will complain that double quotes will prevent the loop (SC2066)
+    # shellcheck disable=SC2086
     for FILE_SEARCHED in $FILES_TO_SEARCH; do
         if [ "$SEARCH_RES" = 1 ]; then break; fi
         if $SUDO_CMD test -d "$FILE_SEARCHED"; then
diff --git a/hooks/check_has_test.sh b/hooks/check_has_test.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+test_path="tests/hardening"
+failure=0
+failed_checks=""
+
+for check in "$@"; do
+    base_name=$(basename "$check")
+    if [ ! -f $test_path/"$base_name" ]; then
+        failure=1
+        failed_checks="$failed_checks $base_name"
+    fi
+done
+
+if [ $failure -ne 0 ]; then
+    for check in $failed_checks; do
+        echo "missing file $test_path/$check"
+    done
+fi
+
+exit $failure
diff --git a/lib/common.sh b/lib/common.sh
@@ -148,5 +148,5 @@ div() {
     fi
     local _r=$(($1$_n / $2))
     _r=${_r:0:-$_d}.${_r: -$_d}
-    echo $_r
+    echo "$_r"
 }
diff --git a/lib/utils.sh b/lib/utils.sh
@@ -11,6 +11,7 @@ has_sysctl_param_expected_result() {
     local SYSCTL_PARAM=$1
     local EXP_RESULT=$2
 
+    # shellcheck disable=SC2319
     if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
         FNRET=0
     elif [ "$?" = 255 ]; then
@@ -35,6 +36,7 @@ set_sysctl_param() {
     local SYSCTL_PARAM=$1
     local VALUE=$2
     debug "Setting $SYSCTL_PARAM to $VALUE"
+    # shellcheck disable=SC2319
     if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
         FNRET=0
     elif [ $? = 255 ]; then
diff --git a/shellcheck/launch_shellcheck.sh b/shellcheck/launch_shellcheck.sh
@@ -14,7 +14,8 @@ fi
 for f in $files; do
     if head "$f" | grep -qE "^# run-shellcheck$"; then
         printf "\e[1;36mRunning shellcheck on: %s  \e[0m\n" "$f"
-        if ! /usr/bin/shellcheck --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
+        # SC2317: command unreachable, sometimes has a hard time reaching the command in a function
+        if ! /usr/bin/shellcheck --exclude=SC2317 --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
             retval=$((retval + 1))
         fi
     fi
diff --git a/tests/hardening/2.1.2_disable_bsd_inetd.sh b/tests/hardening/2.1.2_disable_bsd_inetd.sh
@@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}
diff --git a/tests/launch_tests.sh b/tests/launch_tests.sh
@@ -13,7 +13,7 @@ cleanup_and_exit() {
     if [ "$totalerrors" -eq 255 ]; then
         fatal "RUNTIME ERROR"
     fi
-    exit $totalerrors
+    exit "$totalerrors"
 }
 trap "cleanup_and_exit" EXIT HUP INT
 
@@ -125,7 +125,7 @@ play_consistency_tests() {
         ok "$name logs are identical"
     fi
 
-    if [ 1 -eq $consist_test ]; then
+    if [ 1 -eq "$consist_test" ]; then
         nbfailedconsist=$((nbfailedconsist + 1))
         listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
     fi

Original file line number	Diff line number	Diff line change
`@@ -148,5 +148,5 @@ div() {`
`148`	`148`	`fi`
`149`	`149`	`local _r=$(($1$_n / $2))`
`150`	`150`	`_r=${_r:0:-$_d}.${_r: -$_d}`
`151`		`- echo $_r`
	`151`	`+ echo "$_r"`
`152`	`152`	`}`