updated bats to 1.7.0; shellcheck fixes and moved cfssl dir under testdata/ (#1584)

.gitmodules

@@ -1,6 +1,7 @@
 [submodule "tests/lib/bats-core"]
 	path = tests/lib/bats-core
 	url = https://github.com/crowdsecurity/bats-core.git
+        branch = v1.7.0
 [submodule "tests/lib/bats-file"]
 	path = tests/lib/bats-file
 	url = https://github.com/crowdsecurity/bats-file.git

tests/README.md

@@ -71,7 +71,8 @@ To repeat test runs without rebuilding crowdsec, use `make bats-test`.
 
 See `./tests/run-tests --help` to run/debug specific tests.
 
-Example: `./tests/run-tests tests/bats/02_nolapi.bats -f "cscli config backup"` (the string is a regexp)
+Example: `./tests/run-tests tests/bats/02_nolapi.bats -f "cscli config backup"` (the string is a regexp).
+You need to provide a path for a test file or directory (even if it's the full 'tests/bats') to use the `-f` option.
 
 
 # How does it work?

tests/assert-crowdsec-not-running

@@ -13,14 +13,14 @@ is_crowdsec_running || exit 0
 sleep 2
 is_crowdsec_running || exit 0
 
-PIDS=$(echo "$PIDS" | sed ':a;N;$!ba;s/\n/ /g')
-msg="CrowdSec is already running (PID $PIDS). Please terminate it and run the tests again."
+PIDS=$(echo "${PIDS}" | sed ':a;N;$!ba;s/\n/ /g')
+msg="CrowdSec is already running (PID ${PIDS}). Please terminate it and run the tests again."
 
 # Are we inside a setup() or @test? Is file descriptor 3 open?
 if { true >&3; } 2>/dev/null; then
-    echo "$msg" >&3
+    echo "${msg}" >&3
 else
-    echo "$msg" >&2
+    echo "${msg}" >&2
 fi
 
 # cause the calling setup() or @test to fail

tests/bats/01_crowdsec.bats

@@ -54,4 +54,3 @@ declare stderr
     run -0 echo "${stderr}"
     assert_line --partial "You must run at least the API Server or crowdsec"
 }
-

tests/bats/02_nolapi.bats

@@ -77,7 +77,7 @@ declare stderr
 
 @test "$FILE lapi status shouldn't be ok without api.server" {
     yq e 'del(.api.server)' -i "${CONFIG_YAML}"
-    ./instance-crowdsec start || true 
+    ./instance-crowdsec start || true
     run -1 --separate-stderr cscli machines list
     run -0 echo "$stderr"
     assert_output --partial "Local API is disabled, please run this command on the local API machine"

tests/bats/05_config_yaml_local.bats

@@ -26,7 +26,6 @@ teardown() {
     ./instance-crowdsec stop
 }
 
-
 #----------
 
 @test "${FILE} config.yaml.local - cscli (log_level)" {
@@ -34,7 +33,7 @@ teardown() {
     run -0 cscli config show --key Config.Common.LogLevel
     assert_output "warning"
 
-    echo "{'common':{'log_level':'debug'}}" > "${CONFIG_YAML}.local"
+    echo "{'common':{'log_level':'debug'}}" >"${CONFIG_YAML}.local"
     run -0 cscli config show --key Config.Common.LogLevel
     assert_output "debug"
 }
@@ -45,7 +44,7 @@ teardown() {
     assert_output "warning"
 
     export CROWDSEC_LOG_LEVEL=debug
-    echo "{'common':{'log_level':'${CROWDSEC_LOG_LEVEL}'}}" > "${CONFIG_YAML}.local"
+    echo "{'common':{'log_level':'${CROWDSEC_LOG_LEVEL}'}}" >"${CONFIG_YAML}.local"
     run -0 cscli config show --key Config.Common.LogLevel
     assert_output "debug"
 }
@@ -55,7 +54,7 @@ teardown() {
     run -0 ./lib/util/wait-for-port -q 8080
     run -0 ./instance-crowdsec stop
 
-    echo "{'api':{'server':{'listen_uri':127.0.0.1:8083}}}" > "${CONFIG_YAML}.local"
+    echo "{'api':{'server':{'listen_uri':127.0.0.1:8083}}}" >"${CONFIG_YAML}.local"
     run -0 ./instance-crowdsec start
     run -0 ./lib/util/wait-for-port -q 8083
     run -1 ./lib/util/wait-for-port -q 8080
@@ -68,32 +67,32 @@ teardown() {
 }
 
 @test "${FILE} local_api_credentials.yaml.local" {
-    echo "{'api':{'server':{'listen_uri':127.0.0.1:8083}}}" > "${CONFIG_YAML}.local"
+    echo "{'api':{'server':{'listen_uri':127.0.0.1:8083}}}" >"${CONFIG_YAML}.local"
     run -0 ./instance-crowdsec start
     run -0 ./lib/util/wait-for-port -q 8083
 
-    run -0 yq e '.api.client.credentials_path' < "${CONFIG_YAML}"
+    run -0 yq e '.api.client.credentials_path' <"${CONFIG_YAML}"
     LOCAL_API_CREDENTIALS="${output}"
 
     run -1 cscli decisions list
-    echo "{'url':'http://127.0.0.1:8083'}" > "${LOCAL_API_CREDENTIALS}.local"
+    echo "{'url':'http://127.0.0.1:8083'}" >"${LOCAL_API_CREDENTIALS}.local"
     run -0 cscli decisions list
 }
 
 @test "${FILE} simulation.yaml.local" {
-    run -0 yq e '.config_paths.simulation_path' < "${CONFIG_YAML}"
+    run -0 yq e '.config_paths.simulation_path' <"${CONFIG_YAML}"
     refute_output null
     SIMULATION="${output}"
 
-    echo "simulation: off" > "${SIMULATION}"
+    echo "simulation: off" >"${SIMULATION}"
     run -0 cscli simulation status -o human
     assert_output --partial "global simulation: disabled"
 
-    echo "simulation: on" > "${SIMULATION}"
+    echo "simulation: on" >"${SIMULATION}"
     run -0 cscli simulation status -o human
     assert_output --partial "global simulation: enabled"
 
-    echo "simulation: off" > "${SIMULATION}.local"
+    echo "simulation: off" >"${SIMULATION}.local"
     run -0 cscli simulation status -o human
     assert_output --partial "global simulation: disabled"
 
@@ -102,13 +101,12 @@ teardown() {
     assert_output --partial "global simulation: enabled"
 }
 
-
 @test "${FILE} profiles.yaml.local" {
-    run -0 yq e '.api.server.profiles_path' < "${CONFIG_YAML}"
+    run -0 yq e '.api.server.profiles_path' <"${CONFIG_YAML}"
     refute_output null
     PROFILES="${output}"
 
-    cat <<-EOT > "${PROFILES}.local"
+    cat <<-EOT >"${PROFILES}.local"
 	name: default_ip_remediation
 	filters:
 	 - Alert.Remediation == true && Alert.GetScope() == "Ip"

tests/bats/06_crowdsec.bats

@@ -12,25 +12,28 @@ setup_file() {
     ./instance-data load
     tmpdir=$(mktemp -d)
     export tmpdir
+
+    CFDIR="${BATS_TEST_DIRNAME}/testdata/cfssl"
+    export CFDIR
+
     #gen the CA
-    cfssl gencert --initca ./cfssl/ca.json 2>/dev/null | cfssljson --bare "${tmpdir}/ca"
+    cfssl gencert --initca "${CFDIR}/ca.json" 2>/dev/null | cfssljson --bare "${tmpdir}/ca"
     #gen an intermediate
-    cfssl gencert --initca ./cfssl/intermediate.json 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
-    cfssl sign -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config ./cfssl/profiles.json -profile intermediate_ca "${tmpdir}/inter.csr" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
-    #gen server cert for crowdsec with the intermediate 
-    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config ./cfssl/profiles.json -profile=server ./cfssl/server.json 2>/dev/null | cfssljson --bare "${tmpdir}/server"
+    cfssl gencert --initca "${CFDIR}/intermediate.json" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
+    cfssl sign -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
+    #gen server cert for crowdsec with the intermediate
+    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" 2>/dev/null | cfssljson --bare "${tmpdir}/server"
     #gen client cert for the bouncer
-    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config ./cfssl/profiles.json -profile=client ./cfssl/bouncer.json 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer"
+    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer"
     #gen client cert for the bouncer with an invalid OU
-    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config ./cfssl/profiles.json -profile=client ./cfssl/bouncer_invalid.json 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer_bad_ou"
+    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer_invalid.json" 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer_bad_ou"
     #gen client cert for the bouncer directly signed by the CA, it should be refused by crowdsec as uses the intermediate
-    cfssl gencert -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config ./cfssl/profiles.json -profile=client ./cfssl/bouncer.json 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer_invalid" 
-    
-    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config ./cfssl/profiles.json -profile=client ./cfssl/bouncer.json 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer_revoked"
-    serial="$(openssl x509 -noout -serial -in ${tmpdir}/bouncer_revoked.pem | cut -d '=' -f2)"
-    echo "ibase=16; $serial" | bc > "${tmpdir}/serials.txt"
-    cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" | base64 -d | openssl crl -inform DER -out "${tmpdir}/crl.pem"
+    cfssl gencert -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer_invalid"
 
+    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/bouncer.json" 2>/dev/null | cfssljson --bare "${tmpdir}/bouncer_revoked"
+    serial="$(openssl x509 -noout -serial -in "${tmpdir}/bouncer_revoked.pem" | cut -d '=' -f2)"
+    echo "ibase=16; ${serial}" | bc >"${tmpdir}/serials.txt"
+    cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" | base64 -d | openssl crl -inform DER -out "${tmpdir}/crl.pem"
 
     yq '
         .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
@@ -39,14 +42,13 @@ setup_file() {
         .api.server.tls.crl_path=strenv(tmpdir) + "/crl.pem" | 
         .api.server.tls.bouncers_allowed_ou=["bouncer-ou"]
     ' -i "${CONFIG_YAML}"
- 
+
     config_disable_agent
 }
 
-
 teardown_file() {
     load "../lib/teardown_file.sh"
-    rm -rf $tmpdir
+    rm -rf "${tmpdir}"
 }
 
 setup() {
@@ -60,14 +62,14 @@ teardown() {
 
 #----------
 
-@test "$FILE there are 0 bouncers" {
+@test "${FILE} there are 0 bouncers" {
     run -0 cscli bouncers list -o json
     assert_output "[]"
 }
 
-@test "$FILE simulate one bouncer request with a valid cert" {
+@test "${FILE} simulate one bouncer request with a valid cert" {
     run -0 curl -s --cert "${tmpdir}/bouncer.pem" --key "${tmpdir}/bouncer-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
-    assert_output  "null"
+    assert_output "null"
     run -0 cscli bouncers list -o json
     run -0 jq '. | length' <(output)
     assert_output '1'
@@ -77,21 +79,21 @@ teardown() {
     run cscli bouncers delete localhost@127.0.0.1
 }
 
-@test "$FILE simulate one bouncer request with an invalid cert" {
+@test "${FILE} simulate one bouncer request with an invalid cert" {
     run curl -s --cert "${tmpdir}/bouncer_invalid.pem" --key "${tmpdir}/bouncer_invalid-key.pem" --cacert "${tmpdir}/ca-key.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
     run -0 cscli bouncers list -o json
     assert_output "[]"
 }
 
-@test "$FILE simulate one bouncer request with an invalid OU" {
+@test "${FILE} simulate one bouncer request with an invalid OU" {
     run curl -s --cert "${tmpdir}/bouncer_bad_ou.pem" --key "${tmpdir}/bouncer_bad_ou-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
     run -0 cscli bouncers list -o json
     assert_output "[]"
 }
 
-@test "$FILE simulate one bouncer request with a revoked certificate" {
+@test "${FILE} simulate one bouncer request with a revoked certificate" {
     run -0 curl -i -s --cert "${tmpdir}/bouncer_revoked.pem" --key "${tmpdir}/bouncer_revoked-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
     assert_output --partial "access forbidden"
     run -0 cscli bouncers list -o json
     assert_output "[]"
-}
+}

tests/bats/30_machines_tls.bats

@@ -4,29 +4,33 @@
 set -u
 
 setup_file() {
-   load "../lib/setup_file.sh"
+    load "../lib/setup_file.sh"
     ./instance-data load
+
     tmpdir=$(mktemp -d)
     export tmpdir
+
+    CFDIR="${BATS_TEST_DIRNAME}/testdata/cfssl"
+    export CFDIR
+
     #gen the CA
-    cfssl gencert --initca ./cfssl/ca.json 2>/dev/null | cfssljson --bare "${tmpdir}/ca"
+    cfssl gencert --initca "${CFDIR}/ca.json" 2>/dev/null | cfssljson --bare "${tmpdir}/ca"
     #gen an intermediate
-    cfssl gencert --initca ./cfssl/intermediate.json 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
-    cfssl sign -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config ./cfssl/profiles.json -profile intermediate_ca "${tmpdir}/inter.csr" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
-    #gen server cert for crowdsec with the intermediate 
-    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config ./cfssl/profiles.json -profile=server ./cfssl/server.json 2>/dev/null | cfssljson --bare "${tmpdir}/server"
+    cfssl gencert --initca "${CFDIR}/intermediate.json" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
+    cfssl sign -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config "${CFDIR}/profiles.json" -profile intermediate_ca "${tmpdir}/inter.csr" 2>/dev/null | cfssljson --bare "${tmpdir}/inter"
+    #gen server cert for crowdsec with the intermediate
+    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=server "${CFDIR}/server.json" 2>/dev/null | cfssljson --bare "${tmpdir}/server"
     #gen client cert for the agent
-    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config ./cfssl/profiles.json -profile=client ./cfssl/agent.json 2>/dev/null | cfssljson --bare "${tmpdir}/agent"
+    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" 2>/dev/null | cfssljson --bare "${tmpdir}/agent"
     #gen client cert for the agent with an invalid OU
-    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config ./cfssl/profiles.json -profile=client ./cfssl/agent_invalid.json 2>/dev/null | cfssljson --bare "${tmpdir}/agent_bad_ou"
+    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent_invalid.json" 2>/dev/null | cfssljson --bare "${tmpdir}/agent_bad_ou"
     #gen client cert for the agent directly signed by the CA, it should be refused by crowdsec as uses the intermediate
-    cfssl gencert -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config ./cfssl/profiles.json -profile=client ./cfssl/agent.json 2>/dev/null | cfssljson --bare "${tmpdir}/agent_invalid" 
-    
-    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config ./cfssl/profiles.json -profile=client ./cfssl/agent.json 2>/dev/null | cfssljson --bare "${tmpdir}/agent_revoked"
-    serial="$(openssl x509 -noout -serial -in ${tmpdir}/agent_revoked.pem | cut -d '=' -f2)"
-    echo "ibase=16; $serial" | bc > "${tmpdir}/serials.txt"
-    cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" | base64 -d | openssl crl -inform DER -out "${tmpdir}/crl.pem"
+    cfssl gencert -ca "${tmpdir}/ca.pem" -ca-key "${tmpdir}/ca-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" 2>/dev/null | cfssljson --bare "${tmpdir}/agent_invalid"
 
+    cfssl gencert -ca "${tmpdir}/inter.pem" -ca-key "${tmpdir}/inter-key.pem" -config "${CFDIR}/profiles.json" -profile=client "${CFDIR}/agent.json" 2>/dev/null | cfssljson --bare "${tmpdir}/agent_revoked"
+    serial="$(openssl x509 -noout -serial -in "${tmpdir}/agent_revoked.pem" | cut -d '=' -f2)"
+    echo "ibase=16; ${serial}" | bc >"${tmpdir}/serials.txt"
+    cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" | base64 -d | openssl crl -inform DER -out "${tmpdir}/crl.pem"
 
     yq '
         .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" |
@@ -53,8 +57,8 @@ teardown() {
 
 #----------
 
-@test "$FILE invalid OU for agent" {
-    CONFIG_DIR=$(dirname ${CONFIG_YAML})
+@test "${FILE} invalid OU for agent" {
+    CONFIG_DIR=$(dirname "${CONFIG_YAML}")
 
     yq '
         .ca_cert_path=strenv(tmpdir) + "/inter.pem" |
@@ -72,8 +76,8 @@ teardown() {
     assert_output '[]'
 }
 
-@test "$FILE we have exactly one machine registered with TLS" {
-    CONFIG_DIR=$(dirname ${CONFIG_YAML})
+@test "${FILE} we have exactly one machine registered with TLS" {
+    CONFIG_DIR=$(dirname "${CONFIG_YAML}")
 
     yq '
         .ca_cert_path=strenv(tmpdir) + "/inter.pem" |
@@ -96,9 +100,8 @@ teardown() {
     ./instance-crowdsec stop
 }
 
-
-@test "$FILE invalid cert for agent" {
-    CONFIG_DIR=$(dirname ${CONFIG_YAML})
+@test "${FILE} invalid cert for agent" {
+    CONFIG_DIR=$(dirname "${CONFIG_YAML}")
 
     yq '
         .ca_cert_path=strenv(tmpdir) + "/inter.pem" |
@@ -116,8 +119,8 @@ teardown() {
     assert_output '[]'
 }
 
-@test "$FILE revoked cert for agent" {
-    CONFIG_DIR=$(dirname ${CONFIG_YAML})
+@test "${FILE} revoked cert for agent" {
+    CONFIG_DIR=$(dirname "${CONFIG_YAML}")
 
     yq '
         .ca_cert_path=strenv(tmpdir) + "/inter.pem" |
@@ -133,4 +136,4 @@ teardown() {
     sleep 2
     run -0 cscli machines list -o json
     assert_output '[]'
-}
+}

tests/bats/70_http_plugin.bats

@@ -84,4 +84,3 @@ setup() {
     run -0 jq -r '.request_body[1].decisions[0].value' <"${MOCK_OUT}"
     assert_output 1.2.3.5
 }
-

tests/bats/71_dummy_plugin.bats

@@ -24,7 +24,7 @@ setup_file() {
        .format="{{.|toJson}}"
        ' -i "${DUMMY_YAML}"
 
-    cat <<- EOT >> "${DUMMY_YAML}"
+    cat <<-EOT >>"${DUMMY_YAML}"
 	---
 	type: dummy
 	name: dummy_2

tests/bats/72_plugin_badconfig.bats

@@ -117,4 +117,3 @@ teardown() {
     run -0 echo "${stderr}"
     assert_output --partial "api server init: unable to run local API: while loading plugin config: open /this/path/does/not/exist: no such file or directory"
 }
-

tests/bats/80_alerts.bats

@@ -105,9 +105,9 @@ declare stderr
 
     run -0 cscli alerts inspect "$ALERT_ID" -o json
     alert=$output
-    run jq -c '.decisions[] | [.origin,.scenario,.scope,.simulated,.type,.value]' <<< "$alert"
+    run jq -c '.decisions[] | [.origin,.scenario,.scope,.simulated,.type,.value]' <<<"$alert"
     assert_output --regexp "\[\"cscli\",\"manual 'ban' from 'githubciXXXXXXXXXXXXXXXXXXXXXXXX.*'\",\"Ip\",false,\"ban\",\"10.20.30.40\"\]"
-    run jq -c '.source' <<< "$alert"
+    run jq -c '.source' <<<"$alert"
     assert_output '{"ip":"10.20.30.40","scope":"Ip","value":"10.20.30.40"}'
 }
 

tests/bats/reformat

@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 
 # from https://github.com/bats-core/bats-core/issues/192#issuecomment-528315083
 # thanks Sean Leather
@@ -7,10 +8,10 @@ perl -pi -e 's/^(\@test.*) \{$/$1\n{/' ./*.bats
 
 tmpfile=$(mktemp)
 for file in *bats; do
-   shfmt -i 4 -ln bash -s $file >$tmpfile
-   mv $tmpfile $file
+   shfmt -i 4 -ln bash -s "${file}" > "${tmpfile}"
+   mv "${tmpfile}" "${file}"
 done
-rm -f $tmpfile
+rm -f "${tmpfile}"
 
 # Undo the changes to the Bats scripts in-place so that they work with Bats
 perl -pi -e 's/^\{\R//; s/(\@test.*$)/$1 {/' ./*.bats

tests/check-requirements

@@ -42,10 +42,10 @@ check_yq() {
     # shellcheck disable=SC2016
     howto_install='You can install it with your favorite package manager (including snap) or with "GO111MODULE=on go get github.com/mikefarah/yq/v4" and add ~/go/bin to $PATH.'
     if ! command -v yq >/dev/null; then
-        die "Missing required program 'yq'. $howto_install"
+        die "Missing required program 'yq'. ${howto_install}"
     fi
     if ! (yq --version | grep mikefarah >/dev/null); then
-        die "yq exists but it's not the one we need (mikefarah/yq). $howto_install"
+        die "yq exists but it's not the one we need (mikefarah/yq). ${howto_install}"
     fi
 }
 
@@ -63,7 +63,7 @@ check_daemonizer() {
             fi
             ;;
         *)
-            die "unsupported system: $SYSTEM"
+            die "unsupported system: ${SYSTEM}"
             ;;
     esac
 }
@@ -72,7 +72,7 @@ check_cfssl() {
     # shellcheck disable=SC2016
     howto_install='You can install it with "go get -u github.com/cloudflare/cfssl/cmd/cfssl" and add ~/go/bin to $PATH.'
     if ! command -v cfssl >/dev/null; then
-        die "Missing required program 'cfssl'. $howto_install"
+        die "Missing required program 'cfssl'. ${howto_install}"
     fi
 }
 
@@ -80,7 +80,7 @@ check_cfssljson() {
     # shellcheck disable=SC2016
     howto_install='You can install it with "go get -u github.com/cloudflare/cfssl/cmd/cfssljson" and add ~/go/bin to $PATH.'
     if ! command -v cfssljson >/dev/null; then
-        die "Missing required program 'cfssljson'. $howto_install"
+        die "Missing required program 'cfssljson'. ${howto_install}"
     fi
 }
 
@@ -98,7 +98,7 @@ check_jq
 check_nc
 check_python3
 check_yq
-if [ -n "${TEST_COVERAGE}" ]; then
+if [[ -n "${TEST_COVERAGE}" ]]; then
     check_gocovmerge
 fi
 

tests/collect-hub-coverage

@@ -18,7 +18,9 @@ coverage() {
     "${CSCLI}" --crowdsec "${CROWDSEC}" --cscli "${CSCLI}" hubtest coverage --"$1" --percent
 }
 
-cd "$hubdir" || die "Could not find hub test results"
+cd "${hubdir}" || die "Could not find hub test results"
+
+shopt -s inherit_errexit
 
 echo "PARSERS_COV=$(coverage parsers | cut -d = -f2)"
 echo "SCENARIOS_COV=$(coverage scenarios | cut -d = -f2)"

tests/crowdsec-wrapper

@@ -26,7 +26,7 @@ set +e
 output=$("${BIN_DIR}/crowdsec.cover" \
     -test.run="^TestBincoverRunMain$" \
     -test.coverprofile="${LOCAL_DIR}/var/lib/coverage/crowdsec-$(date +'%s')-$$-${RANDOM}.out" \
-    -args-file=<(for i; do echo "$i"; done))
+    -args-file=<(for i; do echo "${i}"; done))
 rc=$?
 
 # If there is bincover metadata, we take the status code from there. Otherwise,

tests/generate-hub-tests

@@ -40,7 +40,7 @@ echo "Generating hub tests..."
 for testname in $("${CSCLI}" --crowdsec "${CROWDSEC}" --cscli "${CSCLI}" hubtest --hub "${hubdir}" list -o json | grep -v NAME | grep -v -- '-------' | awk '{print $1}'); do
     cat << EOT >> "${HUBTESTS_BATS}"
 
-@test "\$FILE $testname" {
+@test "\$FILE ${testname}" {
     run "\${CSCLI}" --crowdsec "\${CROWDSEC}" --cscli "\${CSCLI}" --hub "${hubdir}" hubtest run "${testname}" --clean
     # in case of error, need to see what went wrong
     echo "\$output"

tests/instance-crowdsec

@@ -2,15 +2,15 @@
 
 #shellcheck disable=SC1007
 THIS_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
-cd "${THIS_DIR}"
+cd "${THIS_DIR}" || exit 1
 #shellcheck disable=SC1090
 . ./.environment.sh
 
 backend_script="./lib/init/crowdsec-${INIT_BACKEND}"
 
-if [ ! -x "$backend_script" ]; then
-    echo "unknown init system '$INIT_BACKEND'" >&2
+if [[ ! -x "${backend_script}" ]]; then
+    echo "unknown init system '${INIT_BACKEND}'" >&2
     exit 1
 fi
 
-exec "$backend_script" "$@"
+exec "${backend_script}" "$@"

tests/instance-data

@@ -2,15 +2,15 @@
 
 #shellcheck disable=SC1007
 THIS_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
-cd "${THIS_DIR}"
+cd "${THIS_DIR}" || exit 1
 #shellcheck disable=SC1090
 . ./.environment.sh
 
 backend_script="./lib/config/config-${CONFIG_BACKEND}"
 
-if [ ! -x "$backend_script" ]; then
-    echo "unknown config backend '$CONFIG_BACKEND'" >&2
+if [[ ! -x "${backend_script}" ]]; then
+    echo "unknown config backend '${CONFIG_BACKEND}'" >&2
     exit 1
 fi
 
-exec "$backend_script" "$@"
+exec "${backend_script}" "$@"

tests/instance-db

@@ -2,7 +2,7 @@
 
 #shellcheck disable=SC1007
 THIS_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
-cd "${THIS_DIR}"
+cd "${THIS_DIR}" || exit 1
 #shellcheck disable=SC1090
 . ./.environment.sh
 
@@ -10,9 +10,9 @@ cd "${THIS_DIR}"
 
 backend_script="./lib/db/instance-${DB_BACKEND}"
 
-if [ ! -x "$backend_script" ]; then
-    echo "unknown database '$DB_BACKEND'" >&2
+if [[ ! -x "${backend_script}" ]]; then
+    echo "unknown database '${DB_BACKEND}'" >&2
     exit 1
 fi
 
-exec "$backend_script" "$@"
+exec "${backend_script}" "$@"

tests/lib/bats-assert

@@ -1 +1 @@
-Subproject commit 4bdd58d3fbcdce3209033d44d884e87add1d8405
+Subproject commit 397c735212bf1a06cfdd0cb7806c5a6ea79582bf

tests/lib/bats-core

@@ -1 +1 @@
-Subproject commit 210acf3a8ed318ddedad3137c15451739beba7d4
+Subproject commit 410dd229a5ed005c68167cc90ed0712ad2a1c909

tests/lib/config/config-global

@@ -9,7 +9,7 @@ die() {
 }
 
 about() {
-    die "usage: $script_name [make | load | clean]"
+    die "usage: ${script_name} [make | load | clean]"
 }
 
 #shellcheck disable=SC1007
@@ -20,14 +20,14 @@ cd "${THIS_DIR}"/../../
 
 # you have not removed set -u above, have you?
 
-[ -z "${TEST_DIR-}" ] && die "\$TEST_DIR must be defined."
-[ -z "${LOCAL_DIR-}" ] && die "\$LOCAL_DIR must be defined."
-[ -z "${CSCLI-}" ] && die "\$CSCLI must be defined."
-[ -z "${LOCAL_INIT_DIR-}" ] && die "\$LOCAL_INIT_DIR must be defined."
-[ -z "${PLUGIN_DIR-}" ] && die "\$PLUGIN_DIR must be defined."
-[ -z "${DB_BACKEND-}" ] && die "\$DB_BACKEND must be defined."
+[[ -z "${TEST_DIR-}" ]] && die "\$TEST_DIR must be defined."
+[[ -z "${LOCAL_DIR-}" ]] && die "\$LOCAL_DIR must be defined."
+[[ -z "${CSCLI-}" ]] && die "\$CSCLI must be defined."
+[[ -z "${LOCAL_INIT_DIR-}" ]] && die "\$LOCAL_INIT_DIR must be defined."
+[[ -z "${PLUGIN_DIR-}" ]] && die "\$PLUGIN_DIR must be defined."
+[[ -z "${DB_BACKEND-}" ]] && die "\$DB_BACKEND must be defined."
 
-if [ ! -f "${CSCLI}" ]; then
+if [[ ! -f "${CSCLI}" ]]; then
     die "${CSCLI} is missing. Please build (with 'make bats-build') or install it."
 fi
 
@@ -53,14 +53,13 @@ make_init_data() {
 
     # when installed packages are always using sqlite, so no need to regenerate
     # local credz for sqlite
-   
-    [ "${DB_BACKEND}" == "sqlite" ] || ${CSCLI} machines add --auto
+
+    [[ "${DB_BACKEND}" == "sqlite" ]] || ${CSCLI} machines add --auto
 
     "${TEST_DIR}/instance-crowdsec" start
     "${CSCLI}" lapi status
-    [ -z "{PACKAGE_TESTING}" ] && "${CSCLI}" decisions delete --all
+    [[ -z "${PACKAGE_TESTING}" ]] && "${CSCLI}" decisions delete --all
     "${TEST_DIR}/instance-crowdsec" stop
-    
 
     mkdir -p "${LOCAL_INIT_DIR}"
 
@@ -68,22 +67,21 @@ make_init_data() {
 
     echo "${DB_BACKEND}" > "${LOCAL_INIT_DIR}/.backend"
     tar -C "${LOCAL_DIR}" --create \
-        --exclude "$REL_DATA_DIR"/crowdsec.db \
-        --file "${LOCAL_INIT_DIR}/init-config-data.tar" "$REL_CONFIG_DIR" "$REL_DATA_DIR"
+        --exclude "${REL_DATA_DIR}"/crowdsec.db \
+        --file "${LOCAL_INIT_DIR}/init-config-data.tar" "${REL_CONFIG_DIR}" "${REL_DATA_DIR}"
 
     ./instance-db setup
     remove_init_data
 }
 
-
 load_init_data() {
-    if [ ! -f "${LOCAL_INIT_DIR}/init-config-data.tar" ]; then
-        die "Initial data not found; did you run '$script_name make' ?"
+    if [[ ! -f "${LOCAL_INIT_DIR}/init-config-data.tar" ]]; then
+        die "Initial data not found; did you run '${script_name} make' ?"
     fi
 
     dump_backend="$(cat "${LOCAL_INIT_DIR}/.backend")"
-    if [ "$DB_BACKEND" != "$dump_backend" ]; then
-        die "Can't run with backend '$DB_BACKEND' because the test data was build with '$dump_backend'"
+    if [[ "${DB_BACKEND}" != "${dump_backend}" ]]; then
+        die "Can't run with backend '${DB_BACKEND}' because the test data was build with '${dump_backend}'"
     fi
 
     remove_init_data
@@ -97,7 +95,7 @@ load_init_data() {
 
 # ---------------------------
 
-[ $# -lt 1 ] && about
+[[ $# -lt 1 ]] && about
 
 
 case "$1" in

tests/lib/config/config-local

@@ -9,7 +9,7 @@ die() {
 }
 
 about() {
-    die "usage: $script_name [make | load | clean]"
+    die "usage: ${script_name} [make | load | clean]"
 }
 
 #shellcheck disable=SC1007
@@ -20,14 +20,14 @@ cd "${THIS_DIR}"/../../
 
 # you have not removed set -u above, have you?
 
-[ -z "${TEST_DIR-}" ] && die "\$TEST_DIR must be defined."
-[ -z "${LOCAL_DIR-}" ] && die "\$LOCAL_DIR must be defined."
-[ -z "${CSCLI-}" ] && die "\$CSCLI must be defined."
-[ -z "${LOCAL_INIT_DIR-}" ] && die "\$LOCAL_INIT_DIR must be defined."
-[ -z "${PLUGIN_DIR-}" ] && die "\$PLUGIN_DIR must be defined."
-[ -z "${DB_BACKEND-}" ] && die "\$DB_BACKEND must be defined."
+[[ -z "${TEST_DIR-}" ]] && die "\$TEST_DIR must be defined."
+[[ -z "${LOCAL_DIR-}" ]] && die "\$LOCAL_DIR must be defined."
+[[ -z "${CSCLI-}" ]] && die "\$CSCLI must be defined."
+[[ -z "${LOCAL_INIT_DIR-}" ]] && die "\$LOCAL_INIT_DIR must be defined."
+[[ -z "${PLUGIN_DIR-}" ]] && die "\$PLUGIN_DIR must be defined."
+[[ -z "${DB_BACKEND-}" ]] && die "\$DB_BACKEND must be defined."
 
-if [ ! -f "${CSCLI}" ]; then
+if [[ ! -f "${CSCLI}" ]]; then
     die "${CSCLI} is missing. Please build (with 'make bats-build') or install it."
 fi
 
@@ -96,7 +96,7 @@ make_init_data() {
     "${CSCLI}" collections install crowdsecurity/linux
 
     "${TEST_DIR}/instance-crowdsec" start
-    [[ "$DB_BACKEND" =~ ^postgres|pgx$ ]] && sleep 4
+    [[ "${DB_BACKEND}" =~ ^postgres|pgx$ ]] && sleep 4
     "${CSCLI}" lapi status
 
     # a restart is required to receive community pull
@@ -119,20 +119,20 @@ make_init_data() {
     echo "${DB_BACKEND}" > "${LOCAL_INIT_DIR}/.backend"
 
     tar -C "${LOCAL_DIR}" --create \
-        --exclude "$REL_DATA_DIR"/crowdsec.db \
-        --file "${LOCAL_INIT_DIR}/init-config-data.tar" "$REL_CONFIG_DIR" "$REL_DATA_DIR"
+        --exclude "${REL_DATA_DIR}"/crowdsec.db \
+        --file "${LOCAL_INIT_DIR}/init-config-data.tar" "${REL_CONFIG_DIR}" "${REL_DATA_DIR}"
 
     remove_init_data
 }
 
 load_init_data() {
-    if [ ! -f "${LOCAL_INIT_DIR}/init-config-data.tar" ]; then
-        die "Initial data not found; did you run '$script_name make' ?"
+    if [[ ! -f "${LOCAL_INIT_DIR}/init-config-data.tar" ]]; then
+        die "Initial data not found; did you run '${script_name} make' ?"
     fi
 
     dump_backend="$(cat "${LOCAL_INIT_DIR}/.backend")"
-    if [ "$DB_BACKEND" != "$dump_backend" ]; then
-        die "Can't run with backend '$DB_BACKEND' because the test data was build with '$dump_backend'"
+    if [[ "${DB_BACKEND}" != "${dump_backend}" ]]; then
+        die "Can't run with backend '${DB_BACKEND}' because the test data was build with '${dump_backend}'"
     fi
 
     remove_init_data
@@ -144,7 +144,7 @@ load_init_data() {
 
 # ---------------------------
 
-[ $# -lt 1 ] && about
+[[ $# -lt 1 ]] && about
 
 
 case "$1" in

tests/lib/db/instance-mysql

@@ -2,7 +2,7 @@
 
 set -eu
 script_name=$0
-DB_BACKEND=$(echo $script_name | cut -d- -f2)
+DB_BACKEND=$(echo "${script_name}" | cut -d- -f2)
 export DB_BACKEND
 
 die() {
@@ -16,7 +16,7 @@ MYSQL_PASSWORD=${MYSQL_PASSWORD:-password}
 MYSQL_USER=${MYSQL_USER:-root}
 
 about() {
-    die "usage: $script_name [ config_yaml | setup | dump <backup_file> | restore <backup_file> ]"
+    die "usage: ${script_name} [ config_yaml | setup | dump <backup_file> | restore <backup_file> ]"
 }
 
 check_requirements() {
@@ -27,7 +27,7 @@ check_requirements() {
 
 silence_password_warning() {
     ( ( ( "$@" >&9 ) 2>&1 \
-        | fgrep -v "[Warning] Using a password on the command line interface can be insecure." ) >&2 ) 9>&1 || [[ $? == 1 ]]
+        | grep -F -v "[Warning] Using a password on the command line interface can be insecure." ) >&2 ) 9>&1 || [[ $? == 1 ]]
 }
 
 exec_sql() {
@@ -38,7 +38,7 @@ exec_sql() {
         "--host=${MYSQL_HOST}" \
         "--user=${MYSQL_USER}" \
         "--port=${MYSQL_PORT}" \
-        "--password=${MYSQL_PASSWORD}" <<< "$cmd"
+        "--password=${MYSQL_PASSWORD}" <<< "${cmd}"
 }
 
 setup() {
@@ -58,24 +58,24 @@ dump() {
 
     silence_password_warning \
         mysqldump \
-        $COLUMN_STATISTICS \
+        "${COLUMN_STATISTICS}" \
         "--host=${MYSQL_HOST}" \
         "--port=${MYSQL_PORT}" \
         "--user=${MYSQL_USER}" \
         "--password=${MYSQL_PASSWORD}" \
-        --databases crowdsec_test > "$backup_file"
+        --databases crowdsec_test > "${backup_file}"
 }
 
 restore() {
     backup_file="${1?missing file to restore database from}"
-    [ -f "$backup_file" ] || die "Backup file $backup_file doesn't exist"
+    [[ -f "${backup_file}" ]] || die "Backup file ${backup_file} doesn't exist"
 
     silence_password_warning \
         mysql \
         "--host=${MYSQL_HOST}" \
         "--user=${MYSQL_USER}" \
         "--port=${MYSQL_PORT}" \
-        "--password=${MYSQL_PASSWORD}" < "$backup_file"
+        "--password=${MYSQL_PASSWORD}" < "${backup_file}"
 
     exec_sql "DROP USER IF EXISTS 'crowdsec_test';"
     exec_sql "CREATE USER 'crowdsec_test' IDENTIFIED BY 'crowdsec_test';"
@@ -94,7 +94,7 @@ config_yaml() {
     ' -i "${CONFIG_YAML}"
 }
 
-[ $# -lt 1 ] && about
+[[ $# -lt 1 ]] && about
 
 check_requirements
 

tests/lib/db/instance-postgres

@@ -2,7 +2,7 @@
 
 set -eu
 script_name=$0
-DB_BACKEND=$(echo $script_name | cut -d- -f2)
+DB_BACKEND=$(echo "${script_name}" | cut -d- -f2)
 export DB_BACKEND
 
 die() {
@@ -20,7 +20,7 @@ export PGPASSWORD
 export PGUSER
 
 about() {
-    die "usage: $script_name [ config_yaml | setup | dump <backup_file> | restore <backup_file> ]"
+    die "usage: ${script_name} [ config_yaml | setup | dump <backup_file> | restore <backup_file> ]"
 }
 
 check_requirements() {
@@ -37,7 +37,7 @@ check_requirements() {
 
 exec_sql() {
     cmd="${1?Missing required sql command}"
-    psql <<< "$cmd"
+    psql <<< "${cmd}"
 }
 
 setup() {
@@ -50,13 +50,13 @@ setup() {
 
 dump() {
     backup_file="${1?Missing file to backup database to}"
-    pg_dump -Ft --dbname crowdsec_test --clean --create --file "$backup_file"
+    pg_dump -Ft --dbname crowdsec_test --clean --create --file "${backup_file}"
 }
 
 restore() {
     backup_file="${1?missing file to restore database from}"
-    [ -f "$backup_file" ] || die "Backup file $backup_file doesn't exist"
-    pg_restore --dbname crowdsec_test --clean "$backup_file"
+    [[ -f "${backup_file}" ]] || die "Backup file ${backup_file} doesn't exist"
+    pg_restore --dbname crowdsec_test --clean "${backup_file}"
 }
 
 config_yaml() {
@@ -72,7 +72,7 @@ config_yaml() {
     ' -i "${CONFIG_YAML}"
 }
 
-[ $# -lt 1 ] && about
+[[ $# -lt 1 ]] && about
 
 check_requirements
 

tests/lib/db/instance-sqlite

@@ -2,7 +2,7 @@
 
 set -eu
 script_name=$0
-DB_BACKEND=$(echo $script_name | cut -d- -f2)
+DB_BACKEND=$(echo "${script_name}" | cut -d- -f2)
 export DB_BACKEND
 
 die() {
@@ -11,7 +11,7 @@ die() {
 }
 
 about() {
-    die "usage: $script_name [ config-yaml | setup | dump <backup_file> | restore <backup_file> ]"
+    die "usage: ${script_name} [ config-yaml | setup | dump <backup_file> | restore <backup_file> ]"
 }
 
 #shellcheck disable=SC1007
@@ -21,7 +21,6 @@ cd "${THIS_DIR}"/../../
 . ./.environment.sh
 
 exec_sql() {
-    cmd="${1?Missing required sql command}"
     sqlite3 "${DB_FILE}" "$@"
 }
 
@@ -32,35 +31,36 @@ setup() {
 dump() {
     backup_file="${1?Missing file to backup database to}"
     # dirty fast cp. nothing should be accessing it right now, anyway.
-    [ -f "${DB_FILE}" ] || die "missing file ${DB_FILE}"
-    cp "${DB_FILE}" "$backup_file"
+    [[ -f "${DB_FILE}" ]] || die "missing file ${DB_FILE}"
+    cp "${DB_FILE}" "${backup_file}"
 }
 
 restore() {
     backup_file="${1?missing file to restore database from}"
-    [ -f "$backup_file" ] || die "Backup file $backup_file doesn't exist"
-    cp "$backup_file" "${DB_FILE}"
+    [[ -f "${backup_file}" ]] || die "Backup file ${backup_file} doesn't exist"
+    cp "${backup_file}" "${DB_FILE}"
 }
 
 # you have not removed set -u above, have you?
 
-[ -z "${CONFIG_YAML-}" ] && die "\$CONFIG_YAML must be defined."
+[[ -z "${CONFIG_YAML-}" ]] && die "\$CONFIG_YAML must be defined."
 
 # ---------------------------
 # In most cases this is called with setup argument, and it shouldn't fail for missing config file.
-if [ -f "${CONFIG_YAML}" ] ; then
+if [[ -f "${CONFIG_YAML}" ]]; then
     DATA_DIR=$(yq e '.config_paths.data_dir' - <"${CONFIG_YAML}")
     DB_FILE="${DATA_DIR}/crowdsec.db"
+    export DB_FILE
 fi
 
 config_yaml() {
     yq e '
         .db_config.type=strenv(DB_BACKEND) |
-        .db_config.db_path="${DB_FILE}"
+            .db_config.db_path=strenv(DB_FILE)
     ' -i "${CONFIG_YAML}"
 }
 
-[ $# -lt 1 ] && about
+[[ $# -lt 1 ]] && about
 
 case "$1" in
     config-yaml)

tests/lib/init/crowdsec-daemon

@@ -9,7 +9,7 @@ die() {
 }
 
 about() {
-    die "usage: $script_name [ start | stop ]"
+    die "usage: ${script_name} [ start | stop ]"
 }
 
 #shellcheck disable=SC1007
@@ -20,11 +20,11 @@ cd "${THIS_DIR}"/../../
 
 # you have not removed set -u above, have you?
 
-[ -z "${CROWDSEC-}" ] && die "\$CROWDSEC must be defined."
-[ -z "${LOG_DIR-}" ] && die "\$LOG_DIR must be defined."
-[ -z "${PID_DIR-}" ] && die "\$PID_DIR must be defined."
+[[ -z "${CROWDSEC-}" ]] && die "\$CROWDSEC must be defined."
+[[ -z "${LOG_DIR-}" ]] && die "\$LOG_DIR must be defined."
+[[ -z "${PID_DIR-}" ]] && die "\$PID_DIR must be defined."
 
-if [ ! -f "${CROWDSEC}" ]; then
+if [[ ! -f "${CROWDSEC}" ]]; then
     die "${CROWDSEC} is missing. Please build (with 'make bats-build') or install it."
 fi
 
@@ -38,12 +38,12 @@ start() {
 }
 
 stop() {
-    if [ -f "${DAEMON_PID}" ]; then
+    if [[ -f "${DAEMON_PID}" ]]; then
        # terminate quickly with extreme prejudice, all the application data will be
        # thrown away anyway. also terminate the child processes (notification plugin).
        PGID="$(ps -o pgid= -p "$(cat "${DAEMON_PID}")" | tr -d ' ')"
        # ps above should work on linux, freebsd, busybox..
-       if [ -n "${PGID}" ]; then
+       if [[ -n "${PGID}" ]]; then
            kill -- "-${PGID}"
        fi
        rm -f -- "${DAEMON_PID}"
@@ -53,7 +53,7 @@ stop() {
 
 # ---------------------------
 
-[ $# -lt 1 ] && about
+[[ $# -lt 1 ]] && about
 
 case "$1" in
     start)

tests/lib/init/crowdsec-systemd

@@ -9,7 +9,7 @@ die() {
 }
 
 about() {
-    die "usage: $script_name [ start | stop ]"
+    die "usage: ${script_name} [ start | stop ]"
 }
 
 #shellcheck disable=SC1007
@@ -20,13 +20,13 @@ cd "${THIS_DIR}"/../../
 
 # you have not removed set -u above, have you?
 
-[ -z "${CROWDSEC-}" ] && die "\$CROWDSEC must be defined."
-[ -z "${CSCLI-}" ] && die "\$CSCLI must be defined."
-[ -z "${LOG_DIR-}" ] && die "\$LOG_DIR must be defined."
-[ -z "${PID_DIR-}" ] && die "\$PID_DIR must be defined."
+[[ -z "${CROWDSEC-}" ]] && die "\$CROWDSEC must be defined."
+[[ -z "${CSCLI-}" ]] && die "\$CSCLI must be defined."
+[[ -z "${LOG_DIR-}" ]] && die "\$LOG_DIR must be defined."
+[[ -z "${PID_DIR-}" ]] && die "\$PID_DIR must be defined."
 
 
-if [ ! -f "${CROWDSEC}" ]; then
+if [[ ! -f "${CROWDSEC}" ]]; then
     die "${CROWDSEC} is missing. Please build (with 'make bats-build') or install it."
 fi
 
@@ -45,7 +45,7 @@ stop() {
 
 # ---------------------------
 
-[ $# -lt 1 ] && about
+[[ $# -lt 1 ]] && about
 
 case "$1" in
     start)

tests/lib/setup.sh

@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 
 # these plugins are always available
 

tests/lib/setup_file.sh

@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 
 debug() {
     echo 'exec 1<&-; exec 2<&-; exec 1>&3; exec 2>&1'
@@ -48,28 +49,28 @@ export -f config_yq
 
 # shellcheck disable=SC2154
 stderr() {
-    printf '%s' "$stderr"
+    printf '%s' "${stderr}"
 }
 export -f stderr
 
 # shellcheck disable=SC2154
 output() {
-    printf '%s' "$output"
+    printf '%s' "${output}"
 }
 export -f output
 
 is_db_postgres() {
-    [[ "$DB_BACKEND" =~ ^postgres|pgx$ ]]
+    [[ "${DB_BACKEND}" =~ ^postgres|pgx$ ]]
 }
 export -f is_db_postgres
 
 is_db_mysql() {
-    [[ "$DB_BACKEND" == "mysql" ]]
+    [[ "${DB_BACKEND}" == "mysql" ]]
 }
 export -f is_db_mysql
 
 is_db_sqlite() {
-    [[ "$DB_BACKEND" == "sqlite" ]]
+    [[ "${DB_BACKEND}" == "sqlite" ]]
 }
 export -f is_db_sqlite
 

tests/lib/teardown_file.sh

@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 
 # any stdout, stderr from now on will go to &3
 eval "$(debug)"

tests/lib/util/wait-for-port

@@ -13,7 +13,7 @@ about() {
     die "usage: ${script_name} [-q] <port_number>"
 }
 
-[ $# -lt 1 ] && about
+[[ $# -lt 1 ]] && about
 
 QUIET=
 if [[ "$1" == "-q" ]]; then
@@ -21,7 +21,7 @@ if [[ "$1" == "-q" ]]; then
     shift
 fi
 
-[ $# -lt 1 ] && about
+[[ $# -lt 1 ]] && about
 
 port_number=$1
 

tests/run-as-daemon

@@ -7,6 +7,9 @@ die() {
     exit 1
 }
 
+[[ -n "${DAEMON_PID}" ]] || die "\$DAEMON_PID is required and must be the path of the pid file"
+[[ -n "${OUT_FILE}" ]] || die "\$OUT_FILE is required and must be the path of the resulting stdout"
+
 # Simplified dudeist daemonizer. Don't care about lock files, separate
 # stdout/stderr and fancy stuff. #YOLO
 
@@ -18,7 +21,7 @@ case "${SYSTEM,,}" in
         daemon -p "${DAEMON_PID}" -o "${OUT_FILE}" "$@"
         ;;
     *)
-        die "unsupported system: $SYSTEM"
+        die "unsupported system: ${SYSTEM}"
         ;;
 esac
 

tests/run-tests

@@ -15,8 +15,8 @@ TEST_DIR=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
 "${TEST_DIR}/check-requirements"
 
 echo "Running tests..."
-echo "DB_BACKEND: $DB_BACKEND"
-if [ -z "$TEST_COVERAGE" ]; then
+echo "DB_BACKEND: ${DB_BACKEND}"
+if [[ -z "${TEST_COVERAGE}" ]]; then
     echo "Coverage report: no"
 else
     echo "Coverage report: yes"
@@ -26,15 +26,16 @@ fi
 
 
 dump_backend="$(cat "${LOCAL_INIT_DIR}/.backend")"
-if [ "$DB_BACKEND" != "$dump_backend" ]; then
-    die "Can't run with backend '$DB_BACKEND' because the test data was build with '$dump_backend'"
+if [[ "${DB_BACKEND}" != "${dump_backend}" ]]; then
+    die "Can't run with backend '${DB_BACKEND}' because the test data was build with '${dump_backend}'"
 fi
 
-if [ $# -ge 1 ]; then
+if [[ $# -ge 1 ]]; then
     echo "test files: $*"
     "${TEST_DIR}/lib/bats-core/bin/bats" \
         --jobs 1 \
         --print-output-on-failure \
+        --timing \
         "$@"
 else
     echo "test files: ${TEST_DIR}/bats ${TEST_DIR}/dyn-bats"
@@ -44,7 +45,7 @@ else
         -T "${TEST_DIR}/bats" "${TEST_DIR}/dyn-bats"
 fi
 
-if [ -n "$TEST_COVERAGE" ]; then
+if [[ -n "${TEST_COVERAGE}" ]]; then
     # empty files just to avoid merge errors
     touch "${LOCAL_DIR}"/var/lib/coverage/crowdsec-
     touch "${LOCAL_DIR}"/var/lib/coverage/cscli-