Damcava35/test pre commit (#256)

* chore: make linter happy for existing code * fix: add missing test 2.1.2_disable_bsd_intetd.sh * feat: add basic pre commit Ensure a check has a corresponding test --------- Co-authored-by: Damien Cavagnini <damien.cavagnini@corp.ovh.com>
2025-06-23 19:14:34 +02:00 · 2025-06-23 10:23:43 +02:00
parent 9a225c6157
commit 99bc575714
8 changed files with 56 additions and 4 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -0,0 +1,10 @@
+repos:
+  - repo: local
+    hooks:
+      - id: check_has_test
+        name: check_has_test.sh
+        description: Ensure a check has a corresponding test
+        entry: hooks/check_has_test.sh
+        language: script
+        pass_filenames: true
+        files: "^bin/hardening/"
--- a/bin/hardening/99.1.1.23_disable_usb_devices.sh
+++ b/bin/hardening/99.1.1.23_disable_usb_devices.sh
@ -26,6 +26,8 @@ FILE='/etc/udev/rules.d/10-CIS_99.2_usb_devices.sh'
 # This function will be called if the script status is on enabled / audit mode
 audit() {
    SEARCH_RES=0
+    # if SC2086 is fixed (double quotes) instead of skipped, then shellcheck will complain that double quotes will prevent the loop (SC2066)
+    # shellcheck disable=SC2086
    for FILE_SEARCHED in $FILES_TO_SEARCH; do
        if [ "$SEARCH_RES" = 1 ]; then break; fi
        if $SUDO_CMD test -d "$FILE_SEARCHED"; then
--- a/hooks/check_has_test.sh
+++ b/hooks/check_has_test.sh
@ -0,0 +1,21 @@
+#!/bin/bash
+
+test_path="tests/hardening"
+failure=0
+failed_checks=""
+
+for check in "$@"; do
+    base_name=$(basename "$check")
+    if [ ! -f $test_path/"$base_name" ]; then
+        failure=1
+        failed_checks="$failed_checks $base_name"
+    fi
+done
+
+if [ $failure -ne 0 ]; then
+    for check in $failed_checks; do
+        echo "missing file $test_path/$check"
+    done
+fi
+
+exit $failure
--- a/lib/common.sh
+++ b/lib/common.sh
@ -148,5 +148,5 @@ div() {
    fi
    local _r=$(($1$_n / $2))
    _r=${_r:0:-$_d}.${_r: -$_d}
-    echo $_r
+    echo "$_r"
 }
--- a/lib/utils.sh
+++ b/lib/utils.sh
@ -11,6 +11,7 @@ has_sysctl_param_expected_result() {
    local SYSCTL_PARAM=$1
    local EXP_RESULT=$2

+    # shellcheck disable=SC2319
    if [ "$($SUDO_CMD sysctl "$SYSCTL_PARAM" 2>/dev/null)" = "$SYSCTL_PARAM = $EXP_RESULT" ]; then
        FNRET=0
    elif [ "$?" = 255 ]; then
@ -35,6 +36,7 @@ set_sysctl_param() {
    local SYSCTL_PARAM=$1
    local VALUE=$2
    debug "Setting $SYSCTL_PARAM to $VALUE"
+    # shellcheck disable=SC2319
    if [ "$(sysctl -w "$SYSCTL_PARAM"="$VALUE" 2>/dev/null)" = "$SYSCTL_PARAM = $VALUE" ]; then
        FNRET=0
    elif [ $? = 255 ]; then
--- a/shellcheck/launch_shellcheck.sh
+++ b/shellcheck/launch_shellcheck.sh
@ -14,7 +14,8 @@ fi
 for f in $files; do
    if head "$f" | grep -qE "^# run-shellcheck$"; then
        printf "\e[1;36mRunning shellcheck on: %s  \e[0m\n" "$f"
-        if ! /usr/bin/shellcheck --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
+        # SC2317: command unreachable, sometimes has a hard time reaching the command in a function
+        if ! /usr/bin/shellcheck --exclude=SC2317 --color=always --shell=bash -x --source-path=SCRIPTDIR "$f"; then
            retval=$((retval + 1))
        fi
    fi
--- a/tests/hardening/2.1.2_disable_bsd_inetd.sh
+++ b/tests/hardening/2.1.2_disable_bsd_inetd.sh
@ -0,0 +1,16 @@
+# shellcheck shell=bash
+# run-shellcheck
+test_audit() {
+    describe Running on blank host
+    register_test retvalshouldbe 0
+    dismiss_count_for_test
+    # shellcheck disable=2154
+    run blank "${CIS_CHECKS_DIR}/${script}.sh" --audit-all
+
+    ##################################################################
+    # For this test, we only check that it runs properly on a blank  #
+    # host, and we check root/sudo consistency. But, we don't test   #
+    # the apply function because it can't be automated or it is very #
+    # long to test and not very useful.                              #
+    ##################################################################
+}
--- a/tests/launch_tests.sh
+++ b/tests/launch_tests.sh
@ -13,7 +13,7 @@ cleanup_and_exit() {
    if [ "$totalerrors" -eq 255 ]; then
        fatal "RUNTIME ERROR"
    fi
-    exit $totalerrors
+    exit "$totalerrors"
 }
 trap "cleanup_and_exit" EXIT HUP INT

@ -125,7 +125,7 @@ play_consistency_tests() {
        ok "$name logs are identical"
    fi

-    if [ 1 -eq $consist_test ]; then
+    if [ 1 -eq "$consist_test" ]; then
        nbfailedconsist=$((nbfailedconsist + 1))
        listfailedconsist="$listfailedconsist $(make_usecase_name "$usecase" consist)"
    fi