From e4ed6fed8dbd8417a200eff4e461fc80da77544e Mon Sep 17 00:00:00 2001
From: Clemens Schwaighofer
Date: Wed, 4 Sep 2024 11:16:05 +0900
Subject: [PATCH] shellcheck based code cleanup
---
 bin/authorized_key_location_change.sh | 10 +--
 bin/create_user.sh | 109 +++++++++++++-------------
 2 files changed, 59 insertions(+), 60 deletions(-)
diff --git a/bin/authorized_key_location_change.sh b/bin/authorized_key_location_change.sh
index 5a6e17c..f87a4fe 100755
--- a/bin/authorized_key_location_change.sh
+++ b/bin/authorized_key_location_change.sh
@@ -7,14 +7,14 @@ LIST=0;
 SKIP_USERS=();
 while getopts ":gls:" opt; do
 case "${opt}" in
- g|go)
+ g) # go
 # default we test
 TEST=0;
 ;;
- s|skip)
+ s) # skip
 SKIP_USERS+=("${OPTARG}");
 ;;
- l|list)
+ l) # list
 LIST=1;
 ;;
 \?)
@@ -29,7 +29,7 @@ done;
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_MASTER_AUTHORIZED_FILE='';
-SSH_AUTHORIZED_FILE='';
+# SSH_AUTHORIZED_FILE='';
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
 if [ ! -z $(echo "${cf}" | grep "%u") ]; then
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
@@ -66,7 +66,7 @@ if [ ${LIST} -eq 1 ]; then
 fi;
 # base folder
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 # output printf
 PRINTF_INFO="%-8s [%3s]: %-25s: %s\n";
 # list of user accounts we will never touch
diff --git a/bin/create_user.sh b/bin/create_user.sh
index e12ec69..416c528 100755
--- a/bin/create_user.sh
+++ b/bin/create_user.sh
@@ -30,16 +30,16 @@ INFO=0; # no creation of anything, just print info strings
 GO=0; # without this flag the script will exit with an info box
 while getopts ":gtih:" opt; do
 case "${opt}" in
- g|go)
+ g) # go
 GO=1;
 ;;
- t|test)
+ t) # test
 TEST=1;
 ;;
- i|info)
+ i) # info
 INFO=1;
 ;;
- h|home)
+ h) # home
 HOME_LOCATION="${OPTARG}";
 ;;
 \?)
@@ -58,7 +58,7 @@ timestamp=$(date +%Y%m%d-%H%M%S)
 # character to set getween info blocks
 separator="#";
 # base folder for all data
-BASE_FOLDER=$(dirname $(readlink -f $0))"/";
+BASE_FOLDER=$(dirname "$(readlink -f "$0")")"/";
 # home folder is always thome
 HOME_BASE="/home/";
 # config location
@@ -66,10 +66,12 @@ CONFIG_BASE="${BASE_FOLDER}../config/";
 # check config folder for .env file with HOME_LOCATION
 # only use if HOME_LOCATION not yet set
 if [ -z "${HOME_LOCATION}" ] && [ -f "${CONFIG_BASE}create_user.cfg" ]; then
- source <(grep = ${CONFIG_BASE}create_user.cfg | sed 's/ *= */=/g')
+ # shellcheck source=../config/create_user.cfg"
+ # shellcheck disable=SC1091
+ source <(grep "=" "${CONFIG_BASE}create_user.cfg" | sed 's/ *= */=/g')
 fi;
-if [ ! -z "${HOME_LOCATION}" ]; then
+if [ -n "${HOME_LOCATION}" ]; then
 # must start with / as it has to be from root
 if [ "${HOME_LOCATION##/*}" ]; then
 echo "Home location folder must start with a slash (/): ${HOME_LOCATION}";
@@ -88,10 +90,10 @@ if [ ! -d "${HOME_FOLDER}" ]; then
 error=1;
 fi;
 # allow 10 to 39 length for password
-if [ ! -z "${PASSWORD_LENGTH}" ] && ! [[ "${PASSWORD_LENGTH}" =~ ^[13][0-9]$ ]]; then
+if [ -n "${PASSWORD_LENGTH}" ] && ! [[ "${PASSWORD_LENGTH}" =~ ^[13][0-9]$ ]]; then
 echo "Password length set error, can only be a value between 10 and 39";
 error=1;
-elif [ -z ${PASSWORD_LENGTH} ]; then
+elif [ -z "${PASSWORD_LENGTH}" ]; then
 PASSWORD_LENGTH=14;
 fi;
 # home dir error abort
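Review bot: The new shellcheck directive in the second hunk carries a stray trailing double quote, `# shellcheck source=../config/create_user.cfg"`, so shellcheck will look for a file whose name ends in `"` and the directive is ineffective; it should read `# shellcheck source=../config/create_user.cfg`. The `source <(grep "=" "${CONFIG_BASE}create_user.cfg" | sed 's/ *= */=/g')` line below it executes every `=`-containing line of the config as shell code, and the script elsewhere insists on running as root, so it is worth asserting that `create_user.cfg` is root-owned and not group/world-writable before sourcing it. The enclosing `if` is fully inside the hunk.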
@@ -114,9 +116,10 @@ ssh_forward_ok=0;
 # detect ssh authorized_keys setting
 SSH_CENTRAL_AUTHORIZED_FILE_FOLDER='';
 SSH_AUTHORIZED_FILE='';
+# shellcheck disable=SC2013
 for cf in $(grep "^AuthorizedKeysFile" /etc/ssh/sshd_config | grep "%u"); do
- if [ ! -z $(echo "${cf}" | grep "%u") ]; then
- SSH_CENTRAL_AUTHORIZED_FILE_FOLDER=$(echo "${cf}" | sed -e 's/%u//');
+ if echo "$cf" | grep -q "%u"; then
+ SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}";
 if [ ! -d "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 echo "ssh central authorized_file folder could not be found: ${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}";
 exit;
@@ -133,24 +136,21 @@ if [ ! -d "${ROOT_FOLDER}${output_zip_folder}" ]; then
 mkdir "${ROOT_FOLDER}${output_zip_folder}";
 fi;
 # check if password generate software is installed
-# if [ ! command -v pwgen &> /dev/null ]; then
-if [ -z $(command -v pwgen) ]; then
+if [ -z "$(command -v pwgen)" ]; then
 echo "Missing pwgen application, aborting";
 error=1;
 fi;
 # check for zip
-# if [ ! command -v zip &> /dev/null ]; then
-if [ -z $(command -v zip) ]; then
+if [ -z "$(command -v zip)" ]; then
 echo "Missing zip application, aborting";
 error=1;
 fi;
-# check if sshallow or sshfoward group exists
-if [ -z $(cat /etc/group | grep "sshallow:") ]; then
+if ! grep -q "sshallow:" "/etc/group"; then
 echo "Missing ssh access group: sshallow";
 error=1;
 fi;
 # flag if we can set ssh forward
-if [ ! -z $(cat /etc/group | grep "sshforward:") ]; then
+if ! grep -q "sshforward:" "/etc/group"; then
 ssh_forward_ok=1;
 fi;
 # check if user list file exists
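Review bot: `SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/%%u//}"` does not reproduce the removed `sed -e 's/%u//'`: in `${var/pattern/string}` a leading `%` anchors the pattern to the end of the value, so as far as I can tell this matches `%u` only when it is the last thing in `cf` and replaces it with `/` (the text after the second slash), yielding a trailing `//` and leaving a mid-path `%u` (for example `%u/authorized_keys`) untouched. Escaping the percent sign gives a literal first-occurrence removal that matches the old behaviour: `SSH_CENTRAL_AUTHORIZED_FILE_FOLDER="${cf/\%u/}";`. The `if echo "$cf" | grep -q "%u"; then` test on the line above can likewise stay in the shell as `if [[ "${cf}" == *%u* ]]; then`.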
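Review bot: The sshforward check in the second hunk is inverted: the old line set `ssh_forward_ok=1` when `sshforward:` was present in `/etc/group`, but the rewritten `if ! grep -q "sshforward:" "/etc/group"; then` sets it when the group is missing, so forward-type accounts would be enabled on hosts that lack the group and disabled on hosts that have it. Drop the negation: `if grep -q "sshforward:" "/etc/group"; then`. The sshallow check above it keeps its original sense. For both, anchoring the pattern (`"^sshforward:"`) avoids matching a group whose name merely ends in that text, and `getent group sshforward` would also honour groups that come from NSS sources other than the local file.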
@@ -159,10 +159,10 @@ if [ ! -f "${ROOT_FOLDER}${input_file}" ]; then
 error=1;
 fi;
 # make sure my own folder is owned by root and 600 (except for testing)
-if [ $(stat -c %a .) != "600" ]; then
+if [ "$(stat -c %a .)" != "600" ]; then
 echo "!!!! RECOMMENDED TO HAVE BASE FOLDER SET TO '600' AND USER 'root' !!!!"
 fi;
-if [ $(whoami) != "root" ]; then
+if [ "$(whoami)" != "root" ]; then
 if [ ${TEST} -eq 0 ] && [ ${INFO} -eq 0 ]; then
 echo "Script must be run as root user";
 error=1;
@@ -183,14 +183,13 @@ if [ $error -eq 1 ]; then
 fi;
 # create users
-cat "${ROOT_FOLDER}${input_file}" |
-while read i; do
+while read -r i; do
 # skip rows start with # (comment)
 if [[ "${i}" =~ ^\# ]]; then
 continue;
 fi;
 # POS 2: make lower case, remove spaces
- username=$(echo "${i}" | cut -d ";" -f 2 | tr A-Z a-z | tr -d ' ');
+ username=$(echo "${i}" | cut -d ";" -f 2 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
 # check username is alphanumeric with .
 if ! [[ "${username}" =~ ^[a-z0-9]+([.a-z0-9_-]+[a-z0-9])?$ ]]; then
 echo "User name can only be a-z 0-9 - _ . and cannot start or end with - . or _: ${username}";
@@ -199,11 +198,11 @@ while read i; do
 fi;
 fi;
 # POS 3: groups
- _group=$(echo "${i}" | cut -d ";" -f 3 | tr A-Z a-z | tr -d ' ');
+ _group=$(echo "${i}" | cut -d ";" -f 3 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
 group=$(echo "${_group}" | cut -d "," -f 1);
 sub_group="";
 # POS 4: ssh access type
- ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr A-Z a-z | tr -d ' ');
+ ssh_access_type=$(echo "${i}" | cut -d ";" -f 4 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
 # if not allow or forward, set to access
 if [ "${ssh_access_type}" != "allow" ] && [ "${ssh_access_type}" != "forward" ]; then
 echo "[!!] Not valid ssh access type ${ssh_access_type}, set to allow";
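Review bot: The `while read -r i; do` loop in the second hunk now takes its input from the here-string `done <<< "$(cat "${ROOT_FOLDER}${input_file}")"` in the final hunk, which reads the whole user list into a variable only to hand it back to `read`; a plain redirect does the same without the `cat`, and a `|| [[ -n "${i}" ]]` guard keeps a final row that lacks a trailing newline (something the here-string happened to mask). I would write `while IFS= read -r i || [[ -n "${i}" ]]; do` and `done < "${ROOT_FOLDER}${input_file}"`. If any command in the body reads stdin it would consume rows of the list in either variant; reading through a dedicated descriptor (`read -r i <&3` with `done 3< …`) avoids that. The loop body runs through several later hunks and its `done` is outside this one.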
@@ -226,14 +225,14 @@ while read i; do
 # POS 5: do we have a password preset
 _password=$(echo "${i}" | cut -d ";" -f 5);
 # POS 6: override host name, lowercase and spaces removed
- _hostname=$(echo "${i}" | cut -d ";" -f 6 | tr A-Z a-z | tr -d ' ');
+ _hostname=$(echo "${i}" | cut -d ";" -f 6 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
 if [ -z "${_hostname}" ]; then
 hostname=${host};
 else
 hostname=${_hostname};
 fi;
 # POS 7: ssh keytype override
- _ssh_keytype=$(echo "${i}" | cut -d ";" -f 7 | tr A-Z a-z | tr -d ' ');
+ _ssh_keytype=$(echo "${i}" | cut -d ";" -f 7 | tr "[:upper:]" "[:lower:]" | tr -d ' ');
 if [ "${_ssh_keytype}" = "rsa" ]; then
 ssh_keytype="${_ssh_keytype}";
 #echo "[!!] BACKWARDS COMPATIBLE RSA TYPE SELECTION [!!]";
@@ -272,7 +271,7 @@ while read i; do
 if [ ${INFO} -eq 1 ]; then
 # test if pub file exists or not, test if user exists
 echo -n "User: '${username}:${group}(${sub_group});${ssh_group}', SSH: ${ssh_keygen_id}";
- if getent passwd ${username} > /dev/null 2>&1; then
+ if getent passwd "${username}" > /dev/null 2>&1; then
 echo -n ", User exists";
 fi;
 if [ -f "${ssh_keyfile_check_pub}" ]; then
@@ -286,7 +285,7 @@ while read i; do
 # add group for each entry in _group
 for create_group in ${_group//,/ }; do
 if [ ${TEST} -eq 0 ]; then
- groupadd -f ${create_group};
+ groupadd -f "${create_group}";
 else
 echo "$> groupadd -f ${create_group}";
 fi;
@@ -299,9 +298,9 @@ while read i; do
 echo "++ Create '${username}:${group}(${sub_group})'";
 if [ ${TEST} -eq 0 ]; then
 # comment is user create time
- useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username};
+ useradd -c "$(date +"%F")" -s /bin/bash -g "${group}${sub_group_opt}" -d "${HOME_FOLDER}${username}" -m "${username}";
 else
- echo "$> useradd -c `date +"%F"` -s /bin/bash -g ${group}${sub_group_opt} -d "${HOME_FOLDER}${username}" -m ${username}";
+ echo "$> useradd -c \"$(date +"%F")\" -s /bin/bash -g ${group}${sub_group_opt} -d \"${HOME_FOLDER}${username}\" -m \"${username}\"";
 fi;
 fi;
 # set the auth file
@@ -316,7 +315,7 @@ while read i; do
 # Note we only create a password if we need it
 # password + store pwgen 10 1 -1
 if [ -z "${_password}" ]; then
- password=$(printf "%s" $(pwgen ${PASSWORD_LENGTH} 1));
+ password=$(printf "%s" "$(pwgen "${PASSWORD_LENGTH}" 1)");
 elif [ "${_password}" = "SET_NO_PASSWORD" ]; then
 # set empty
 echo "* No password set";
@@ -329,7 +328,7 @@ while read i; do
 echo " > Create ssh key-pair '${ssh_keyfile}'";
 if [ ${TEST} -eq 0 ]; then
 ssh-keygen \
- -t ${ssh_keytype} \
+ -t "${ssh_keytype}" \
 -f "${ssh_keyfile}" \
 -C "${hostname}: ${username}@${group}" \
 -a 100 -N "${password}"
@@ -339,9 +338,9 @@ while read i; do
 else
 found='';
 if [ -f "${SSH_AUTHORIZED_FILE}" ]; then
- found=$(grep "$(cat ${ssh_keyfile_check_pub})" ${SSH_AUTHORIZED_FILE});
+ found=$(grep "$(cat "${ssh_keyfile_check_pub}")" "${SSH_AUTHORIZED_FILE}");
 fi;
- if [ ! -z "${found}" ]; then
+ if [ -n "${found}" ]; then
 skip_ssh=1;
 echo "-- Skip SSH Key creation: ${ssh_keygen_id}.pub";
 else
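Review bot: Quoting `-g "${group}${sub_group_opt}"` on the new useradd line changes what useradd receives: the old unquoted expansion was word-split, so if `sub_group_opt` carries a separate option (its name suggests something like ` -G sub_group`; it is assigned outside this hunk, so this is inferred) the new line hands useradd a single group name containing spaces and the call fails, while the test-mode `echo` two lines below still prints it unsplit and so would not show the problem. If that is how it is built, keep the group and the extra option as separate words, for example `useradd_opts=(-g "${group}")`, append `-G "${sub_group}"` to the array when a sub group is set, and call `useradd -c "$(date +"%F")" -s /bin/bash "${useradd_opts[@]}" -d "${HOME_FOLDER}${username}" -m "${username}";`. The enclosing `while` loop starts and ends outside this hunk.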
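Review bot: In the last hunk, `found=$(grep "$(cat "${ssh_keyfile_check_pub}")" "${SSH_AUTHORIZED_FILE}")` still passes the public key text as a regular expression; the quoting fix does not change that, so a `.` in the key comment matches any character and the duplicate check can report a match for a different key. A fixed-string search is what is meant: `found=$(grep -F -- "$(cat "${ssh_keyfile_check_pub}")" "${SSH_AUTHORIZED_FILE}");`, or fold it into the condition as `if grep -qF -- "$(cat "${ssh_keyfile_check_pub}")" "${SSH_AUTHORIZED_FILE}"; then`. Unless the pub file's existence is checked earlier in this branch, a missing file also makes the pattern empty, and an empty pattern matches every line, so `skip_ssh` would be set for the wrong reason; a `-f` test on `${ssh_keyfile_check_pub}` next to the existing one on `${SSH_AUTHORIZED_FILE}` closes that.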
@@ -359,30 +358,30 @@ while read i; do
 else
 create_output_file="${ROOT_FOLDER}${output_file}.TEST";
 fi;
- echo $(date +"%F %T")";"${host}";"${_hostname}";"${username}";"${password}";"${ssh_access_type} >> ${create_output_file};
+ echo "$(date +"%F %T");${host};${_hostname};${username};${password};${ssh_access_type}" >> "${create_output_file}";
 # create folder only if we do not have central
 # create the SSH foler and authorized access file with correct permissions
 if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 echo " > Create .ssh folder";
 if [ ${TEST} -eq 0 ]; then
- mkdir ${HOME_FOLDER}${username}/.ssh/;
+ mkdir "${HOME_FOLDER}${username}/.ssh/";
 else
- echo "$> mkdir ${HOME_FOLDER}${username}/.ssh/";
+ echo "$> mkdir \"${HOME_FOLDER}${username}/.ssh/\"";
 fi;
 fi;
 # add
 echo " > Add public into authorized_keys file";
 if [ ${TEST} -eq 0 ]; then
 if
- [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+ [ -n "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
 [ -f "${SSH_AUTHORIZED_FILE}" ]; then
- chattr -i ${SSH_AUTHORIZED_FILE};
+ chattr -i "${SSH_AUTHORIZED_FILE}";
 fi;
- cat "${ssh_keyfile_pub}" > ${SSH_AUTHORIZED_FILE};
+ cat "${ssh_keyfile_pub}" > "${SSH_AUTHORIZED_FILE}";
 else
 if
- [ ! -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
+ [ -n "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ] &&
 [ -f "${SSH_AUTHORIZED_FILE}" ]; then
 echo "$> chattr -i ${SSH_AUTHORIZED_FILE}";
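Review bot: The `.ssh` directory and the authorized_keys file are created with the process's default umask (`mkdir "${HOME_FOLDER}${username}/.ssh/"` and `cat "${ssh_keyfile_pub}" > "${SSH_AUTHORIZED_FILE}"`) and only tightened by the chown/chmod in the following hunk, and the record appended with `>> "${create_output_file}"` on the first changed line contains the generated password while nothing in this hunk restricts that file's mode. Creating things with their final permissions removes the window: `mkdir -m 700 "${HOME_FOLDER}${username}/.ssh/";` here, and a single `umask 077` near the top of the script so every file it writes starts out owner-only. The enclosing `while` loop starts and ends outside this hunk.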
@@ -393,29 +392,29 @@ while read i; do
 if [ -z "${SSH_CENTRAL_AUTHORIZED_FILE_FOLDER}" ]; then
 echo " > Secure home directory folder .ssh and authorized_keys file";
 if [ ${TEST} -eq 0 ]; then
- chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/;
- chmod 700 ${HOME_FOLDER}${username}/.ssh/;
- chmod 600 ${SSH_AUTHORIZED_FILE};
+ chown -R "${username}":"${group}" "${HOME_FOLDER}${username}/.ssh/";
+ chmod 700 "${HOME_FOLDER}${username}/.ssh/";
+ chmod 600 "${SSH_AUTHORIZED_FILE}";
 else
- echo "$> chown -R ${username}:${group} ${HOME_FOLDER}${username}/.ssh/";
- echo "$> chmod 700 ${HOME_FOLDER}${username}/.ssh/";
- echo "$> chmod 600 ${SSH_AUTHORIZED_FILE}";
+ echo "$> chown -R \"${username}\":\"${group}\" \"${HOME_FOLDER}${username}/.ssh/\"";
+ echo "$> chmod 700 \"${HOME_FOLDER}${username}/.ssh/\"";
+ echo "$> chmod 600 \"${SSH_AUTHORIZED_FILE}\"";
 fi;
 else
 echo " > Secure central authorized_keys file";
 if [ ${TEST} -eq 0 ]; then
- chown ${username}:root ${SSH_AUTHORIZED_FILE};
- chmod 400 ${SSH_AUTHORIZED_FILE};
+ chown "${username}":root "${SSH_AUTHORIZED_FILE}";
+ chmod 400 "${SSH_AUTHORIZED_FILE}";
 # set +i so user can't change file
- chattr +i ${SSH_AUTHORIZED_FILE};
+ chattr +i "${SSH_AUTHORIZED_FILE}";
 else
- echo "$> chown ${username}:root ${SSH_AUTHORIZED_FILE}";
- echo "$> chmod 400 ${SSH_AUTHORIZED_FILE}";
- echo "$> chattr +i ${SSH_AUTHORIZED_FILE}";
+ echo "$> chown \"${username}\":root \"${SSH_AUTHORIZED_FILE}\"";
+ echo "$> chmod 400 \"${SSH_AUTHORIZED_FILE}\"";
+ echo "$> chattr +i \"${SSH_AUTHORIZED_FILE}\"";
 fi;
 fi;
 fi;
-done;
+done <<< "$(cat "${ROOT_FOLDER}${input_file}")";
 # End before anything because this is just info run
 if [ ${INFO} -eq 1 ]; then