From 251e2b4064d10ca65fcf778d73a1bfa8611d1cc1 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <sunil@medhas.org>
Date: Fri, 25 Aug 2023 08:55:29 -0700
Subject: [PATCH] openvpn: Ensure that re-running setup works as expected

- Don't overwrite the entire PKI directory or CA certificates.

- Don't re-enable app during setup.

Tests:

- Install app with patches. Rerun setup. It succeeds. Server certificate is not
changed.

- Disable app. Re-run setup. App is not re-enabled. OpenVPN is not running.

- Enable app. Re-run setup. OpenVPN is restarted.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
---
 plinth/modules/openvpn/privileged.py | 29 +++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/plinth/modules/openvpn/privileged.py b/plinth/modules/openvpn/privileged.py
index fa783087d..d29dac594 100644
--- a/plinth/modules/openvpn/privileged.py
+++ b/plinth/modules/openvpn/privileged.py
@@ -84,8 +84,7 @@ def setup():
     _write_server_config()
     _create_certificates()
     _setup_firewall()
-    action_utils.service_enable(SERVICE_NAME)
-    action_utils.service_restart(SERVICE_NAME)
+    action_utils.service_try_restart(SERVICE_NAME)
 
 
 def _write_server_config():
@@ -145,14 +144,34 @@ def _write_easy_rsa_config():
             file_handle.write(f'set_var {key} "{value}"\n')
 
 
+def _is_renewable(cert_name):
+    """Return whether a certificate is within configured renewable days."""
+    try:
+        _run_easy_rsa(['renewable', cert_name])
+        return True
+    except subprocess.CalledProcessError:
+        return False
+
+
 def _create_certificates():
     """Generate CA and server certificates."""
     KEYS_DIRECTORY.mkdir(mode=0o700, exist_ok=True)
 
-    _run_easy_rsa(['init-pki'])
+    # Don't re-initialize PKI if it already exists. This will lead to wiping of
+    # all existing certificates and downloaded profiles.
+    if not (KEYS_DIRECTORY / 'pki').is_dir():
+        _run_easy_rsa(['init-pki'])
+
     _write_easy_rsa_config()
-    _run_easy_rsa(['build-ca', 'nopass'])
-    _run_easy_rsa(['build-server-full', 'server', 'nopass'])
+
+    # Don't reinitialize the CA certificates. This will invalidate all existing
+    # server/client certificates and downloaded client profiles.
+    if not CA_CERTIFICATE_PATH.exists():
+        _run_easy_rsa(['build-ca', 'nopass'])
+
+    server_cert = KEYS_DIRECTORY / 'pki' / 'issued' / 'server.crt'
+    if not server_cert.exists():
+        _run_easy_rsa(['build-server-full', 'server', 'nopass'])
 
 
 @privileged