nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Introduce new vars_setup() regime

Browse Source 
vars_setup() now ignores some setup when this is 'init-pki'.
* Do not set anything which requires a PKI.

Remove some undocumented commands, which are known to break Windows.

Find 'vars' in preferred locations and only allow ONE instance.
* Probably a breaking change but only where things are already broken.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2022-04-05 01:27:17 +01:00
parent ee51c1cc91
commit 4d5a5d4a7b
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 98 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
easyrsa3/easyrsa
View File

@ -1927,53 +1927,110 @@ OpenSSL failure to process the input"
# vars setup # vars setup
# Here sourcing of 'vars' if present occurs. If not present, defaults are used # Here sourcing of 'vars' if present occurs. If not present, defaults are used
# to support running without a sourced config format # to support running without a sourced config format
# That is the intention, at least ..
vars_setup() { vars_setup() {
# Try to locate a 'vars' file in order of location preference. # Try to locate a 'vars' file in order of weird location preference.
# If one is found, source it # If one is found, source it
# NOTE: EASYRSA_PKI is never set here, unless cmd-line --pki-dir=<DIR> is set.
# NOTE: EASYRSA is never set here, unless done so outside of easyrsa.
vars= vars=
# set up program path # set up program path
prog_file="$0" prog_file="$0"
prog_file2="$(which -- "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" # Removed for basic sanity - To re-enable provide a REASON
prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" #prog_file2="$(which -- "$prog_file" 2>/dev/null)" && prog_file="$prog_file2"
# Removed for breaking New Windows - To re-enable provide a SOLUTION
#prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" && prog_file="$prog_file2"
prog_dir="${prog_file%/*}" prog_dir="${prog_file%/*}"
prog_vars="${prog_dir}/vars"
# set up PKI path
pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
# command-line path: # Program dir vars - This location is least wanted. Weird order ..
if [ ! -z "$EASYRSA_VARS_FILE" ]; then prog_vars="${prog_dir}/vars"
if [ ! -f "$EASYRSA_VARS_FILE" ]; then # set up PKI path vars - Top preference
# If the --vars option does not point to a file, show helpful error. pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
# Some other place vars, out of scope.
if [ "$EASYRSA" ]; then
easy_vars="${EASYRSA}/vars"
else
unset -v easy_vars
fi
# vars of last resort - Eventually this file must be removed from EasyRSA
pwd_vars="$PWD/vars"
# Explicit command-line path:
if [ -n "$EASYRSA_VARS_FILE" ]; then
if [ -f "$EASYRSA_VARS_FILE" ]; then
vars="$EASYRSA_VARS_FILE"
else
# If the --vars option does not point to a file, show helpful error.
die "The file '$EASYRSA_VARS_FILE' was not found." die "The file '$EASYRSA_VARS_FILE' was not found."
fi fi
vars="$EASYRSA_VARS_FILE" # Otherwise, find vars 'the new way' followed by 'the old way' ..
# PKI location, if present: else
elif [ -f "$pki_vars" ]; then # Clear flags
vars="$pki_vars" unset -v f_pki_vars f_prog_vars f_easyrsa_vars f_pwd_vars
# EASYRSA, if defined:
elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then
vars="$EASYRSA/vars"
# program location:
elif [ -f "$prog_vars" ]; then
vars="$prog_vars"
fi
# If a vars file was located, source it # if NOT $want_init_pki
# If $EASYRSA_NO_VARS is defined (not blank) this is skipped if [ -z "$want_init_pki" ]; then
if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then # PKI location, if present:
if grep -Eq 'EASYRSA_PASSIN|EASYRSA_PASSOUT' "$vars"; then [ -f "$pki_vars" ] && f_pki_vars=1 && \
die "\ print "Found: $pki_vars"
# program location:
[ -f "$prog_vars" ] && f_prog_vars=1 && \
print "Found: $prog_vars"
# EASYRSA, if defined:
[ -n "$easy_vars" ] && [ -f "$easy_vars" ] && f_easyrsa_vars=1 && \
print "Found: $easy_vars"
# vars of last resort - Eventually this file must be removed from EasyRSA
[ -f "$pwd_vars" ] && f_pwd_vars=1 && \
print "Found: $pwd_vars"
# These are likely duplicates
[ "$pwd_vars" = "$easy_vars" ] && unset -v f_easyrsa_vars
# Allow only one vars to be found, No exceptions!
vars_found="$((f_pki_vars +f_prog_vars +f_easyrsa_vars +f_pwd_vars))"
case "$vars_found" in
0|1) : ;; # ok
*) die "Conflicting 'vars' files found.
Priority should be given to your PKI vars file:
* $pki_vars
"
esac
# Assign vars in order of preference, there should be only one anyway.
[ -n "$found_pki_vars" ] && [ -z "$vars" ] && vars="$pki_vars"
[ -n "$found_prog_vars" ] && [ -z "$vars" ] && vars="$prog_vars"
[ -n "$found_pwd_vars" ] && [ -z "$vars" ] && vars="$pwd_vars"
[ -n "$found_easyrsa_vars" ] && [ -z "$vars" ] && vars="$easy_vars"
fi
# If $EASYRSA_NO_VARS is defined (not blank) then do not use vars
# if $want_init_pki then do not use vars
if [ -z "$EASYRSA_NO_VARS" ] && [ -z "$want_init_pki" ]; then
# If a vars file was located then source it
if [ -n "$vars" ]; then
if grep -Eq 'EASYRSA_PASSIN|EASYRSA_PASSOUT' "$vars"; then
die "\
Variable EASYRSA_PASSIN or EASYRSA_PASSOUT has been found in the configuration \ Variable EASYRSA_PASSIN or EASYRSA_PASSOUT has been found in the configuration \
file. Storing sensitive information in the configuration file is not \ file. Storing sensitive information in the configuration file is not \
recommended - please remove it from there before continuing." recommended - please remove it from there before continuing."
fi fi
#shellcheck disable=SC2034 #shellcheck disable=SC2034
EASYRSA_CALLER=1 EASYRSA_CALLER=1
# shellcheck disable=SC1090 # shellcheck disable=SC1090
. "$vars" . "$vars"
notice "\ notice "\
Note: using Easy-RSA configuration from: $vars" Note: using Easy-RSA configuration from: $vars"
else
# $vars remains undefined .. no vars found
warn " No vars file found!"
fi
else
# EASYRSA_NO_VARS is defined or want_init_pki, no vars is required.
:
fi
# END: Find vars 'the new way' followed by 'the old way' ..
fi fi
# Set defaults, preferring existing env-vars if present # Set defaults, preferring existing env-vars if present
@ -2062,7 +2119,7 @@ Note: using Easy-RSA configuration from: $vars"
mkdir -p "$EASYRSA_TEMP_DIR" || \ mkdir -p "$EASYRSA_TEMP_DIR" || \
die "Cannot create $EASYRSA_TEMP_DIR (permission?)" die "Cannot create $EASYRSA_TEMP_DIR (permission?)"
EASYRSA_TEMP_DIR_session="$( EASYRSA_TEMP_DIR_session="$(
mktemp -du "$EASYRSA_TEMP_DIR/easy-rsa-$$.XXXXXX" mktemp -du "$EASYRSA_TEMP_DIR/easy-rsa-$$.XXXXXX"
)" )"
rm -rf "$EASYRSA_TEMP_DIR" rm -rf "$EASYRSA_TEMP_DIR"
fi fi
@ -2773,6 +2830,14 @@ subjectAltName = $val" ;;
shift shift
done done
# Set cmd now because vars_setup needs to know if this is init-pki
cmd="$1"
[ -n "$1" ] && shift # scrape off command
case "$cmd" in
init-pki|clean-all) want_init_pki=1 ;;
*) unset -v want_init_pki
esac
# Intelligent env-var detection and auto-loading: # Intelligent env-var detection and auto-loading:
vars_setup vars_setup
@ -2791,8 +2856,6 @@ trap "exit 14" 15
#up23_manage_upgrade_23 #up23_manage_upgrade_23
# determine how we were called, then hand off to the function responsible # determine how we were called, then hand off to the function responsible
cmd="$1"
[ -n "$1" ] && shift # scrape off command
case "$cmd" in case "$cmd" in
init-pki|clean-all) init-pki|clean-all)
init_pki "$@" init_pki "$@"