Upstream release 2.9.0

- SC2013: To read lines rather than words, pipe/redirect to a 'while
  read' loop.
- SC2086: Double quote to prevent globbing and word splitting.

CHANGELOG.md

@@ -18,6 +18,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Security
 
+## [2.9.0] - 2021-02-22
+
+### Added
+
+* bkctld-init: install check_policy template
+* bkctld-upgrade-config: install check_policy template if missing
+* test: bkctld check-incs shouldn't fail without incs_policy file
+
+### Changed
+
+* Rename incs_policy template
+* bkctld-check-incs: Correct shellsheck warnings
+
+### Fixed
+
+* tests: clean jail configuration after each test
+* bkctld-check-incs: Protect `jail_config_epoch`
+
 ## [2.8.0] - 2020-11-28
 
 ### Added

debian/changelog

@@ -1,4 +1,10 @@
-bkctld (2.8.0-1) unstalbe; urgency=low
+bkctld (2.9.0-1) stable; urgency=low
+
+  * Upstream release 2.9.0
+
+ -- Jeremy Lecour <jlecour@synopsis.evolix.net>  Mon, 22 Feb 2021 12:16:41 +0100
+
+bkctld (2.8.0-1) unstable; urgency=low
 
   * Upstream release 2.8.0
 

debian/postinst

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+legacy_incs_policy_tpl="/usr/local/share/bkctld/inc.tpl"
+new_incs_policy_tpl="/usr/local/share/bkctld/incs_policy.tpl"
+
+if [ -e "${legacy_incs_policy_tpl}" ]; then
+    mv -f "${new_incs_policy_tpl}" "${new_incs_policy_tpl}.dpkg-new"
+    mv -f "${legacy_incs_policy_tpl}" "${new_incs_policy_tpl}"
+fi
+
+exit 0

lib/bkctld-check-incs

@@ -7,7 +7,7 @@
 set -u
 
 # shellcheck source=./includes
-LIBDIR="$(dirname $0)" && . "${LIBDIR}/includes"
+LIBDIR="$(dirname "$0")" && . "${LIBDIR}/includes"
 
 # default return value is 0 (succes)
 rc=0
@@ -20,14 +20,14 @@ for jail_name in $("${LIBDIR}/bkctld-list"); do
     # Today in ISO format
     today_iso=$(date +"%Y-%m-%d")
 
-    # get jail last configuration date
-    jail_config_epoch=$(date --date "$(stat -c %y ${incs_policy_file})" +"%s")
-
     if [ -n "${incs_policy_file}" ]; then
-        # loop for each line in jail configuration
-        for line in $(cat ${incs_policy_file}); do
+        # get jail last configuration date
+        jail_config_epoch=$(date --date "$(stat -c %y "${incs_policy_file}")" +"%s")
+
+        # read each line in jail configuration
+        while read line; do
             # inc date in ISO format
-            inc_iso=$(relative_date ${line})
+            inc_iso=$(relative_date "${line}")
             # inc date in seconds from epoch
             inc_epoch=$(date --date "${inc_iso}" +"%s")
 
@@ -48,7 +48,7 @@ for jail_name in $("${LIBDIR}/bkctld-list"); do
                     echo "INFO: ${jail_name} : no inc expected for ${inc_iso}"
                 fi
             fi
-        done
+        done < "${incs_policy_file}"
     else
         echo "INFO: ${jail_name} : no inc expected at all"
     fi

lib/bkctld-upgrade-config

@@ -45,3 +45,24 @@ elif [ -f "${legacy_incs_policy_file}" ]; then
 
     info "${jail_name}: config has been upgraded"
 fi
+
+check_policy_file=$(jail_check_policy_file "${jail_name}")
+if [ ! -f "${check_policy_file}" ]; then
+    check_policy_tpl="${TPLDIR}/check_policy.tpl"
+    test -f "${LOCALTPLDIR}/check_policy.tpl" && check_policy_tpl="${LOCALTPLDIR}/check_policy.tpl"
+    mkdir --parents "$(dirname "${check_policy_file}")"
+    install -m 0640 "${check_policy_tpl}" "${check_policy_file}"
+
+    info "${jail_name}: check_policy template ha been installed"
+fi
+
+legacy_incs_policy_tpl="${LOCALTPLDIR}/inc.tpl"
+incs_policy_tpl="${LOCALTPLDIR}/incs_policy.tpl"
+if [ -f "${legacy_incs_policy_tpl}" ]; then
+    # Create directory if missing
+    mkdir -p "$(jail_config_dir "${jail_name}")"
+    # move the main config file
+    mv -f "${legacy_incs_policy_tpl}" "${incs_policy_tpl}"
+
+    info "${jail_name}: incs_policy local template has been renamed"
+fi

lib/includes

@@ -6,7 +6,7 @@
 
 [ -f /etc/default/bkctld ] && . /etc/default/bkctld
 
-VERSION="2.7.0"
+VERSION="2.9.0"
 
 LIBDIR=${LIBDIR:-/usr/lib/bkctld}
 CONFDIR="${CONFDIR:-/etc/evobackup}"
@@ -374,13 +374,20 @@ setup_jail_config() {
     info "4 - Copie default sshd_config"
     install -m 0640 "${sshd_config_tpl}" "${jail_sshd_config}"
 
-    inctpl="${TPLDIR}/inc.tpl"
-    test -f "${LOCALTPLDIR}/inc.tpl" && inctpl="${LOCALTPLDIR}/inc.tpl"
 
     info "5 - Copie default inc configuration"
+    incs_policy_tpl="${TPLDIR}/incs_policy.tpl"
+    test -f "${LOCALTPLDIR}/incs_policy.tpl" && incs_policy_tpl="${LOCALTPLDIR}/incs_policy.tpl"
     jail_incs_policy_file=$(jail_incs_policy_file "${jail_name}")
     mkdir --parents "$(dirname "${jail_incs_policy_file}")"
-    install -m 0640 "${inctpl}" "${jail_incs_policy_file}"
+    install -m 0640 "${incs_policy_tpl}" "${jail_incs_policy_file}"
+
+    check_policy_tpl="${TPLDIR}/check_policy.tpl"
+    test -f "${LOCALTPLDIR}/check_policy.tpl" && check_policy_tpl="${LOCALTPLDIR}/check_policy.tpl"
+    jail_check_policy_file=$(jail_check_policy_file "${jail_name}")
+    mkdir --parents "$(dirname "${jail_check_policy_file}")"
+    install -m 0640 "${check_policy_tpl}" "${jail_check_policy_file}"
+
     "${LIBDIR}/bkctld-port" "${jail_name}" auto
 }
 

test/checks.bats

@@ -235,4 +235,18 @@ OUT
     run /usr/lib/bkctld/bkctld-check-incs
     assert_equal "0" "$status"
 }
+
+@test "Check-incs doesn't fail without incs_policy file" {
+    # Delete all possible incs polixy files
+    rm -f /etc/evobackup/${JAILNAME}
+    rm -rf /etc/evobackup/${JAILNAME}.d/incs_policy
+
+    # Run bkctld-check-incs and store stderr in a file
+    local stderrPath="${BATS_TMPDIR}/${BATS_TEST_NAME}.stderr"
+    /usr/lib/bkctld/bkctld-check-incs 2> ${stderrPath}
+
+    # Verify if 
+    run grep -E "^stat:" ${stderrPath}
+    assert_failure
+}
 # TODO: write many more tests for bkctld-check-incs

test/main.bats

@@ -15,6 +15,16 @@ load test_helper
     fi
 }
 
+@test "New jail should have a incs_policy file" {
+    run test -f "/etc/evobackup/${JAILNAME}.d/incs_policy"
+    assert_success
+}
+
+@test "New jail should have a check_policy file" {
+    run test -f "/etc/evobackup/${JAILNAME}.d/check_policy"
+    assert_success
+}
+
 @test "A jail should be able to be started" {
     /usr/lib/bkctld/bkctld-start "${JAILNAME}"
     pid=$(cat "${JAILPATH}/${SSHD_PID}")

test/test_helper.bash

@@ -20,7 +20,8 @@ setup() {
 
 teardown() {
     remove_variable "/etc/default/bkctld" "BACKUP_DISK"
-    FORCE=1 /usr/lib/bkctld/bkctld-remove "${JAILNAME}" && rm -rf "${INCSPATH}"
+    FORCE=1 /usr/lib/bkctld/bkctld-remove "${JAILNAME}" \
+      && rm -rf "${INCSPATH}" "/etc/evobackup/${JAILNAME}" "/etc/evobackup/${JAILNAME}.d"
 }
 
 random_jail_name() {

tpl/check_policy.tpl

@@ -0,0 +1,3 @@
+## Uncomment and adapt thresholds (values are in hours)
+# WARNING=24
+# CRITICAL=48

zzz_evobackup

@@ -32,17 +32,18 @@ SERVERS_FALLBACK=${SERVERS_FALLBACK:-1}
 # timeout (in seconds) for SSH connections
 SSH_CONNECT_TIMEOUT=${SSH_CONNECT_TIMEOUT:-90}
 
-## We use /home/backup : feel free to use your own dir
+# We use /home/backup : feel free to use your own dir
 LOCAL_BACKUP_DIR="/home/backup"
 
 # You can set "linux" or "bsd" manually or let it choose automatically
 SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
 
-# Change these 2 variables if you have more than one backup cron
-PIDFILE="/var/run/evobackup.pid"
-LOGFILE="/var/log/evobackup.log"
+# Store pid and logs in a file named after this program's name
+PROGNAME=$(basename $0)
+PIDFILE="/var/run/${PROGNAME}.pid"
+LOGFILE="/var/log/${PROGNAME}.log"
 
-## Enable/Disable tasks
+# Enable/Disable tasks
 LOCAL_TASKS=${LOCAL_TASKS:-1}
 SYNC_TASKS=${SYNC_TASKS:-1}
 
@@ -145,6 +146,8 @@ if [ "${LOCAL_TASKS}" = "1" ]; then
     # You can comment or uncomment sections below to customize the backup
 
     ## OpenLDAP : example with slapcat
+    # slapcat -n 0 -l ${LOCAL_BACKUP_DIR}/config.ldap.bak
+    # slapcat -n 1 -l ${LOCAL_BACKUP_DIR}/data.ldap.bak
     # slapcat -l ${LOCAL_BACKUP_DIR}/ldap.bak
 
     ## MySQL
@@ -403,6 +406,7 @@ if [ "${SYNC_TASKS}" = "1" ]; then
         --exclude "/var/log/evobackup*"                    \
         --exclude "/var/run"                               \
         --exclude "/var/spool/postfix"                     \
+        --exclude "/var/spool/smtpd"                       \
         --exclude "/var/spool/squid"                       \
         --exclude "/var/state"                             \
         --exclude "lxc/*/rootfs/usr/doc"                   \