Lint: Shellcheck

client/container_preparation/entrypoint.sh

@@ -8,7 +8,7 @@ docker_path="/var/run/docker.sock"
 
 # Argument parser, arguments for both container preparation and key shipping should be handled here.
 parse_args() {
-	while [[ "$#" -gt 0 ]]; do
+	while [ "${#}" -gt 0 ]; do
 		case "$1" in
 		--config)
 			config="$2"
@@ -69,7 +69,7 @@ parse_args() {
 	done
 
 	# Check for required arguments
-	if [ -z "$config" ] || [ -z "$base_oci_image" ] || [ -z "$sif_path" ] || [ -z "$data_path" ] || [ -z "$data_path_at_rest" ] || ([ -z "$users" ] && [ -z "$groups" ]) || [ -z "$compute_nodes" ]; then
+	if [ -z "$config" ] || [ -z "$base_oci_image" ] || [ -z "$sif_path" ] || [ -z "$data_path" ] || [ -z "$data_path_at_rest" ] || { [ -z "$users" ] && [ -z "$groups" ]; } || [ -z "$compute_nodes" ]; then
 		echo echo "Please provides options for both of these programs : "
 		python3 ./prepare_container.py --help
 		python3 ./utils/ship_a_key.py --help
@@ -79,7 +79,7 @@ parse_args() {
 
 # Cleanup spire-agent generated files
 end_entrypoint() {
-	if ! [ -n "$encrypted" ]; then
+	if [ -z "$encrypted" ]; then
 		echo "No encryption, nothing to clean"
 	else
 		echo "Cleaning everything before leaving ..."
@@ -100,21 +100,21 @@ NC='\033[0m' # No Color
 # Parse arguments from cli
 parse_args "$@"
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Entering entrypoint"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Entering entrypoint"
 
 #
 ## [RUN] Perform node attestation (spawn agent, register it's and it's workload's spiffeID)
 #
 
 if [ -n "$encrypted" ]; then
-	echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is on. Registering and running SPIRE Agent"
+	printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is on. Registering and running SPIRE Agent"
 
-	python3 ./utils/spawn_agent.py --config $config >/dev/null 2>/dev/null &
+	python3 ./utils/spawn_agent.py --config "$config" >/dev/null 2>/dev/null &
 	spire_agent_pid=$!
 
 fi
 
-ps $spire_agent_pid >/dev/null || (
+ps "$spire_agent_pid" >/dev/null || (
 	echo "spire agent died, aborting"
 	end_entrypoint "$spire_agent_pid" 1
 )
@@ -123,7 +123,7 @@ ps $spire_agent_pid >/dev/null || (
 ## [END] Perform node attestation
 #
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Run container preparation"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Run container preparation"
 
 #
 ## [RUN] Run container preparation (Preparation of new image, build of new image, build of Apptainer/Singularity image)
@@ -139,7 +139,7 @@ fi
 ## [END] Run container preparation
 #
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Container preparation ended"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Container preparation ended"
 
 #
 ## [RUN] Ship private key to the vault (Creation of workload identity to give access to the key, writing key to the vault)
@@ -150,29 +150,29 @@ if [ -n "$encrypted" ]; then
 fi
 
 if [ -z "$encrypted" ]; then
-	echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is off, nothing to do"
+	printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is off, nothing to do"
 
 else
-	echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is on, writing key to the vault, using spiffeID $spiffeID"
+	printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Encryption mode is on, writing key to the vault, using spiffeID $spiffeID"
 
 	if [ -z "$users" ]; then
 		# If the user provided only groups
-		python3 ./utils/ship_a_key.py --config $config --username "$username" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
+		python3 ./utils/ship_a_key.py --config "$config" --username "$username" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
 	elif [ -z "$groups" ]; then
 		# If the user provided only users
-		python3 ./utils/ship_a_key.py --config $config --username "$username" -u "$users" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
+		python3 ./utils/ship_a_key.py --config "$config" --username "$username" -u "$users" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
 	else
 		# If the user provided both
-		python3 ./utils/ship_a_key.py --config $config --username "$username" -u "$users" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
+		python3 ./utils/ship_a_key.py --config "$config" --username "$username" -u "$users" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
 	fi
 
-	echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Key written to the vault"
+	printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Key written to the vault"
 fi
 
 #
 ## [END] Ship private key to the vault
 #
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Leaving entrypoint"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Container preparation]${NC} Leaving entrypoint"
 
 end_entrypoint "$spire_agent_pid" 0

client/container_preparation/input_logic/run.sh

@@ -7,10 +7,12 @@ PATH="$PATH:/sd-container/tools/input_logic/"
 echo "[SD-Container][Input-Logic] : Getting data decryption key from vault"
 
 # Get token via vault login. The data_login environment variable need to be exported from calling script
-data_token=$(curl -s --request POST --data "$data_login" $vault/v1/auth/jwt/login | jq '.auth.client_token' -r) || exit 1
+# shellcheck disable=SC2154 # data_login and vault are actually environment variables someone at some point decided to use lower case letters for <- TODO: fix this
+data_token=$(curl -s --request POST --data "$data_login" "$vault/v1/auth/jwt/login" | jq '.auth.client_token' -r) || exit 1
 
 # Use the token to access the key. The data_path environment variable needs to be exported from calling script
-data_key=$(curl -s -H "X-Vault-Token: $data_token" $vault/v1/kv/data/${data_path} | jq '.data.data.key' -r) || exit 1
+# shellcheck disable=SC2154 # data_path and vault are actually environment variables someone at some point decided to use lower case letters for <- TODO: fix this
+data_key=$(curl -s -H "X-Vault-Token: $data_token" "$vault/v1/kv/data/${data_path}" | jq '.data.data.key' -r) || exit 1
 
 # Write the key in an encrypted volume
 echo "$data_key" >/sd-container/encrypted/decryption_key
@@ -26,7 +28,7 @@ rm /sd-container/encrypted/decryption_key
 echo "[SD-Container][Input-Logic] : Data decrypted"
 
 # Untar the not anymore encrypted archive
-cd /sd-container/encrypted
+cd /sd-container/encrypted || exit 1
 tar xvf /sd-container/encrypted/decrypted_data.tgz || exit 1
 
 echo "[SD-Container][Input-Logic] : Data untared"

client/data_preparation/entrypoint.sh

@@ -5,7 +5,7 @@
 
 # Argument parser, arguments for both Data preparation and key shipping should be handled here.
 parse_args() {
-	while [[ "$#" -gt 0 ]]; do
+	while [ "$#" -gt 0 ]; do
 		case "$1" in
 		--config)
 			config="$2"
@@ -58,7 +58,7 @@ parse_args() {
 	done
 
 	# Check for required arguments
-	if [ -z "$config" ] || [ -z "$input_data" ] || [ -z "$output_data" ] || [ -z "$data_path" ] || [ -z "$data_path_at_rest" ] || [ -z "$username" ] || ([ -z "$users" ] && [ -z "$groups" ]) || [ -z "$compute_nodes" ]; then
+	if [ -z "$config" ] || [ -z "$input_data" ] || [ -z "$output_data" ] || [ -z "$data_path" ] || [ -z "$data_path_at_rest" ] || [ -z "$username" ] || { [ -z "$users" ] && [ -z "$groups" ]; } || [ -z "$compute_nodes" ]; then
 		echo echo "Please provides options for both of these programs : "
 		python3 ./prepare_data.py --help
 		python3 ./utils/ship_a_key.py --help
@@ -86,21 +86,21 @@ NC='\033[0m' # No Color
 # Parse arguments from cli
 parse_args "$@"
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Entering entrypoint"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Entering entrypoint"
 
 #
 ## [RUN] Perform node attestation (spawn agent, register it's and it's workload's spiffeID)
 #
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Registering and running SPIRE Agent"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Registering and running SPIRE Agent"
 
-python3 ./utils/spawn_agent.py --config $config >/dev/null 2>/dev/null &
+python3 ./utils/spawn_agent.py --config "$config" >/dev/null 2>/dev/null &
 spire_agent_pid=$!
 
 until [ -e /tmp/agent.sock ]; do
-	echo -e "${RED}[LUMI-SD][Data preparation] Spire workload api socket doesn't exist, waiting 10 seconds ${NC}"
+	printf "%b" "${RED}[LUMI-SD][Data preparation] Spire workload api socket doesn't exist, waiting 10 seconds ${NC}"
 	sleep 10
-	if ! ps | grep $spire_agent_pid >/dev/null; then
+	if pgrep -q -f "$spire_agent_pid"; then
 		echo "spire agent died, aborting"
 		end_entrypoint "$spire_agent_pid" 1
 	fi
@@ -110,7 +110,7 @@ done
 ## [END] Perform node attestation
 #
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Run Data preparation"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Run Data preparation"
 
 #
 ## [RUN] Run Data preparation (Encryption of input data)
@@ -122,34 +122,34 @@ python3 ./prepare_data.py -i "$input_data" -o "$output_data" || end_entrypoint "
 ## [END] Run Data preparation
 #
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Data preparation ended"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Data preparation ended"
 
 #
 ## [RUN] Ship private key to the vault (Creation of workload identity to give access to the key, writing key to the vault)
 #
 
 spiffeID=$(spire-agent api fetch --output json -socketPath /tmp/agent.sock | jq '.svids[0].spiffe_id' -r)
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Writing key to the vault, using spiffeID $spiffeID"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Writing key to the vault, using spiffeID $spiffeID"
 
 # Handle different cases of user provided compute nodes / user / groups
 if [ -z "$users" ]; then
 	# If the user provided only groups
-	python3 ./utils/ship_a_key.py --config $config --username "$username" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
+	python3 ./utils/ship_a_key.py --config "$config" --username "$username" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
 elif [ -z "$groups" ]; then
 	# If the user provided only users
-	python3 ./utils/ship_a_key.py --config $config --username "$username" -u "$users" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
+	python3 ./utils/ship_a_key.py --config "$config" --username "$username" -u "$users" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
 else
 	# If the user provided both
-	python3 ./utils/ship_a_key.py --config $config --username "$username" -u "$users" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
+	python3 ./utils/ship_a_key.py --config "$config" --username "$username" -u "$users" -g "$groups" -c "$compute_nodes" --data-path "$data_path" --data-path-at-rest "$data_path_at_rest" -i "$spiffeID" || end_entrypoint "$spire_agent_pid" 1
 fi
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Key written to the vault"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Key written to the vault"
 
 #
 ## [END] Ship private key to the vault
 #
 
-echo -e "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Leaving entrypoint"
+printf "%b" "${YELLOW}[LUMI-SD]${NC}${BLUE}[Data preparation]${NC} Leaving entrypoint"
 
 end_entrypoint "$spire_agent_pid" 0

server/entrypoint.sh

@@ -21,11 +21,14 @@ rm -rf /tmp/data
 spire-agent run -config /tmp/agent.conf || end_entrypoint 0 1 &
 spire_agent_pid=$!
 
-agent_socket_path=$(cat /tmp/agent.conf | grep "socket_path" | cut -d "=" -f2 | cut -d '"' -f1)
+agent_socket_path=$(grep "socket_path" /tmp/agent.conf | cut -d "=" -f2 | cut -d '"' -f1)
+
+RED='\033[0;31m'
+NC='\033[0m'
 
 sleep 10
-until [ -e $agent_socket_path ]; do
-	echo -e "${RED}[LUMI-SD][Data preparation] Spire workload api socket doesn't exist, waiting 10 seconds ${NC}"
+until [ -e "${agent_socket_path}" ]; do
+	printf "%b[LUMI-SD][Data preparation] Spire workload api socket doesn't exist, waiting 10 seconds %b" "${RED}" "${NC}"
 	sleep 10
 done