V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-31 23:04:30 +02:00
parent 930f47f827
commit 45ff672479
103 changed files with 1011 additions and 266 deletions
--- a/lib/cdi_0005_guard/0005_guard_sourcing.sh
+++ b/lib/cdi_0005_guard/0005_guard_sourcing.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Prevent the caller LIB-file from being sourced twice.
+# Derive a safe guard-variable name from the caller script filename.
+# Globals:
+#   BASH_SOURCE
+# Arguments:
+#   1: Explicitly provided Argument: filename of the caller LIB. (Better let the guard_sourcing() determine dynamically.)
+# Returns:
+#   0: Returns '0' in both cases as they are intended to be successful.
+#######################################
+guard_sourcing() {
+  ### Determine the caller script (the library being sourced).
+  declare var_src="${1:-${BASH_SOURCE[1]}}"
+  ### Strip path, keep only filename
+  declare var_file_name="${var_src##*/}"
+  ### Sanitize to valid var name.
+  declare var_safe_name="${var_file_name//[^a-zA-Z0-9_]/_}"
+  ### Build guard-variable name.
+  declare var_guard_var="_${var_safe_name}_LOADED"
+
+  ### If already loaded, abort sourcing
+  if [[ -n "${!var_guard_var:-}" ]]; then
+    return 0
+  fi
+
+  ### Mark as loaded (readonly + exported)
+  declare -grx "${var_guard_var}"=1
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0005_guard/0006_source_guard.sh
+++ b/lib/cdi_0005_guard/0006_source_guard.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+#######################################
+# Prevent the file to be sourced twice.
+# Arguments:
+#   1: File to source.
+#######################################
+source_guard() {
+  declare var_file="${1}"
+  declare var_name="${var_file##*/}"
+  declare var_guard="_${var_name//[^a-zA-Z0-9_]/_}_LOADED"
+
+  if ! declare -p "${var_guard}" &>/dev/null; then
+    # shellcheck disable=SC1090
+    . "${var_file}"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0005_guard/0007_guard_safe_exec.sh
+++ b/lib/cdi_0005_guard/0007_guard_safe_exec.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Generic safe wrapper for external commands.
+# Arguments:
+#   *: full command (array, quoted!)
+#   2: ERR_CONST on failure
+#######################################
+safe_exec() {
+  declare -a ary_cmd=("${@:1:$#-1}")  # All but last arg.
+  declare var_errcode="${!#}"         # Last arg.
+  "${ary_cmd[@]}" && return 0
+  do_log "error" "file_only" "0011() Command '${ary_cmd[*]}' failed."
+  return "${var_errcode}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0005_guard/README.md
+++ b/lib/cdi_0005_guard/README.md
@@ -0,0 +1,61 @@
+---
+gitea: none
+include_toc: true
+---
+
+# 1. CISS.debian.installer
+
+**Centurion Intelligence Consulting Agency Information Security Standard**<br>
+*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
+**Master Version**: 8.00<br>
+**Build**: V8.00.000.2025.06.17<br>
+
+# 2. Guarding and Safe Execution – `cdi_0005_guard`
+
+This directory provides minimalistic but critical utility functions to ensure safe and idempotent sourcing and execution 
+semantics within the `CISS.debian.installer` framework. These wrappers act as foundational safeguards against redundant 
+sourcing, which are frequent sources of bugs and side effects in modular Bash-based systems.
+
+## 2.1. Purpose and Functionality
+
+- **0005_guard_sourcing.sh**  
+  Defines the `guard_sourcing()` function, which programmatically prevents a Bash library file from being sourced multiple 
+  times. It constructs a uniquely scoped read-only environment variable guard to mark the sourced state.
+
+- **0006_source_guard.sh**  
+  Implements the `source_guard()` function, which sources a given file only once. It uses the file’s basename to construct a 
+  similarly structured guard variable. Intended for cases where sourcing decisions must be made dynamically.
+
+- **0011_guard_safe_exec.sh**  
+  Provides a generic `safe_exec()` wrapper to execute external commands in a structured and error-controlled manner. It emits
+  meaningful error logs using `do_log()` and allows associating custom error codes per invocation context. This is essential 
+  for defensive script execution when `pipefail` and strict traps are enabled.
+
+## 2.2. Requirements
+
+- Bash version ≥ 5.1
+- Active error trapping via `trap 'trap_err' ERR`
+- `do_log()` must be declared elsewhere in the global context
+- All libraries must be sourced via `source_guard()` and invoke `guard_sourcing` on top
+
+## 2.3. Dependencies
+
+- Pure Bash implementation
+- Uses `declare -grx` to enforce immutability and exportability of guard variables
+- `safe_exec()` expects a predefined `do_log()` implementation
+
+## 2.4. License
+
+This component is dual-licensed under the **European Union Public License v1.2 (EUPL-1.2),** or the 
+**CoreSecret Custom Contributor License Agreement (CCLA-1.0)**. You may choose either license as per your usage context. 
+Usage is permitted under the condition that no warranty is implied. Use at your own risk.
+
+## 2.5. Author
+
+Developed and maintained by  
+**Marc S. Weidner**  
+*Centurion Intelligence Consulting Agency*  
+
+---
+**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
+<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->