Merge branch 'TinCanTech-improve-vars-handling'

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Richard T Bonhomme 2022-08-24 13:24:07 +01:00
commit a123d05fa9


@ -525,7 +525,8 @@ notice() {
print " print "
Notice Notice
------ ------
$1" $1
"
} # => notice() } # => notice()
# Helpful information # Helpful information
@ -533,7 +534,8 @@ information() {
[ "$EASYRSA_SILENT" ] && return [ "$EASYRSA_SILENT" ] && return
[ "$EASYRSA_BATCH" ] && return [ "$EASYRSA_BATCH" ] && return
[ "$EASYRSA_QUIET" ] && return [ "$EASYRSA_QUIET" ] && return
print "$1" print "* $1
"
} # => notice() } # => notice()
# yes/no case-insensitive match (operates on stdin pipe) # yes/no case-insensitive match (operates on stdin pipe)
@ -655,7 +657,8 @@ cleanup() {
*) warn "Host OS undefined." *) warn "Host OS undefined."
esac esac
if [ "$EASYRSA_SILENT" ] || [ "$EASYRSA_BATCH" ] || [ "$EASYRSA_QUIET" ] if [ "$1" = ok ] || [ "$EASYRSA_BATCH" ] || \
[ "$EASYRSA_SILENT" ] || [ "$EASYRSA_QUIET" ]
then then
: # ok : # ok
else else
@ -923,7 +926,7 @@ init_pki() {
while [ "$1" ]; do while [ "$1" ]; do
case "$1" in case "$1" in
hard-reset|hard) reset="hard" ;; hard-reset|hard) reset="hard" ;;
soft-reset|soft) reset="soft" ;; soft-reset|soft) reset="soft"; old_vars_true=1 ;;
*) warn "Ignoring unknown command option: '$1'" *) warn "Ignoring unknown command option: '$1'"
esac esac
shift shift
@ -956,6 +959,11 @@ and initialize a fresh PKI here."
*) *)
die "Removal of PKI dir failed. Unknown reset type: $reset" die "Removal of PKI dir failed. Unknown reset type: $reset"
esac esac
# If vars was in the old pki then it has been removed
# If vars was somewhere else then it is user defined
# Clear found_vars because we MUST not find pki/vars
if [ "$vars_in_pki" ]; then unset -v found_vars; fi
fi fi
# new dirs: # new dirs:
@ -982,14 +990,35 @@ and initialize a fresh PKI here."
Your newly created PKI dir is: Your newly created PKI dir is:
* $EASYRSA_PKI" * $EASYRSA_PKI"
if [ "$user_vars_true" ] || [ "$old_vars_true" ]; then # Installation information
: # ok - No message required # if $no_new_vars then there are one or more known vars
else # which are not in the PKI. All further commands will fail
# until vars is manually corrected
[ "$no_new_vars" ] || information "Using Easy-RSA configuration: $vars"
# For new PKIs where pki/vars was auto-created, show user message
if [ "$new_vars_true" ]; then
information "\ information "\
IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above." IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
Edit this 'vars' file to customise the settings for your PKI."
elif [ "$user_vars_true" ] || [ "$old_vars_true" ] || [ "$no_new_vars" ]
then
: # ok - User defined, old or no vars file exist
else
# Not in PKI and not user defined
prefer_vars_in_pki_msg
fi fi
information "Using x509-types directory: $EASYRSA_EXT_DIR"
} # => init_pki() } # => init_pki()
# Must be used in two places, so made it a function
prefer_vars_in_pki_msg() {
information "\
The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>"
} # => prefer_vars_in_pki_msg()
# Copy data-files from various sources # Copy data-files from various sources
install_data_to_pki () { install_data_to_pki () {
# #
@ -1071,7 +1100,9 @@ install_data_to_pki () {
# Declare in preferred order, first wins, beaten by command line. # Declare in preferred order, first wins, beaten by command line.
# Only set if not in PKI; Same condition made in vars_setup() # Only set if not in PKI; Same condition made in vars_setup()
if [ ! -d "$EASYRSA_PKI/x509-types" ]; then if [ -d "$EASYRSA_PKI/x509-types" ]; then
continue
else
set_var EASYRSA_EXT_DIR "${area}/${x509_types_dir}" set_var EASYRSA_EXT_DIR "${area}/${x509_types_dir}"
fi fi
done done
@ -1083,36 +1114,32 @@ install_data_to_pki () {
fi fi
# Create PKI/vars from PKI/example # Create PKI/vars from PKI/example
unset -v old_vars_true unset -v new_vars_true
case "$context" in if [ "$found_vars" ] || [ "$user_vars_true" ] || [ "$no_new_vars" ]
init-pki) then
if [ -e ./vars ]; then : # ok - Do not make a PKI/vars if another vars exists
# If the old vars exists then do nothing else
old_vars_true=1 case "$context" in
else init-pki|vars-setup)
if [ -e "${EASYRSA_PKI}/${vars_file_example}" ]; then if [ -e "${EASYRSA_PKI}/${vars_file_example}" ]; then
[ -e "${EASYRSA_PKI}/${vars_file}" ] || \ if [ ! -e "${EASYRSA_PKI}/${vars_file}" ] && \
[ "$reset" = hard ]
then
# Failure means that no vars will exist and
# 'cp' will generate an error message
# This is not a fatal error
cp "${EASYRSA_PKI}/${vars_file_example}" \ cp "${EASYRSA_PKI}/${vars_file_example}" \
"${EASYRSA_PKI}/${vars_file}" || : "${EASYRSA_PKI}/${vars_file}" && \
new_vars_true=1
fi
fi fi
fi ;;
;; '')
vars-setup) die "install_data_to_pki - unspecified context" ;;
if [ "$found_vars" ] || [ "$user_vars_true" ]; then *)
: # ok - Do not make a PKI/vars if another vars exists die "install_data_to_pki - unknown context: $context"
else esac
if [ -e "${EASYRSA_PKI}/${vars_file_example}" ]; then fi
[ -e "${EASYRSA_PKI}/${vars_file}" ] || \
cp "${EASYRSA_PKI}/${vars_file_example}" \
"${EASYRSA_PKI}/${vars_file}" || :
fi
fi
;;
'')
die "install_data_to_pki - unspecified context" ;;
*)
die "install_data_to_pki - unknown context: $context"
esac
# Check PKI is updated - Omit unnecessary checks # Check PKI is updated - Omit unnecessary checks
#[ -e "${EASYRSA_PKI}/${vars_file}" ] || return #[ -e "${EASYRSA_PKI}/${vars_file}" ] || return
@ -3775,43 +3802,47 @@ vars_setup() {
fi fi
unset -v prog_vars pwd_vars easy_vars pki_vars expected_pki_vars unset -v prog_vars pwd_vars easy_vars pki_vars expected_pki_vars
# Otherwise, find vars 'the new way' followed by 'the old way' .. # Otherwise, find vars 'the new way'
else else
# if PKI is required # Clear flags - This is the preferred order to find:
if [ "$no_pki_required" ]; then unset -v e_pki_vars e_easy_vars e_pwd_vars e_prog_vars \
: # ok - No vars required either found_vars vars_in_pki
else
# Clear flags - This is the preferred order to find:
unset -v e_pki_vars e_easy_vars e_pwd_vars e_prog_vars \
found_vars vars_in_pki
# PKI location, if present: # PKI location, if present:
[ -e "$pki_vars" ] && e_pki_vars=1 [ -e "$pki_vars" ] && e_pki_vars=1
# EASYRSA, if defined: # EASYRSA, if defined:
[ -e "$easy_vars" ] && e_easy_vars=1 [ -e "$easy_vars" ] && e_easy_vars=1
# Eventually the file below must be removed from EasyRSA # vars of last resort
# To use a file in PWD use $EASYRSA/vars above [ -e "$pwd_vars" ] && e_pwd_vars=1
# vars of last resort
[ -e "$pwd_vars" ] && e_pwd_vars=1
# program location: # program location:
[ -e "$prog_vars" ] && e_prog_vars=1 [ -e "$prog_vars" ] && e_prog_vars=1
# Filter duplicates # Filter duplicates
if [ "$e_prog_vars" ] && [ "$e_pwd_vars" ] && [ "$prog_in_pwd" ]; then if [ "$e_prog_vars" ] && [ "$e_pwd_vars" ] && [ "$prog_in_pwd" ]
unset -v prog_vars e_prog_vars then
fi unset -v prog_vars e_prog_vars
fi
# Allow only one vars to be found, No exceptions! # Allow only one vars to be found, No exceptions!
found_vars="$((e_pki_vars + e_easy_vars + e_pwd_vars + e_prog_vars))" found_vars="$((e_pki_vars + e_easy_vars + e_pwd_vars + e_prog_vars))"
# If found_vars greater than 1 then output user info and exit # If found_vars greater than 1 then output user info and exit
case "$found_vars" in case "$found_vars" in
0) unset -v found_vars ;; 0) unset -v found_vars ;;
1) : ;; # ok 1)
*) # If a SINGLE vars file is found then assign $vars
[ "$e_prog_vars" ] && vars="$prog_vars"
[ "$e_pwd_vars" ] && vars="$pwd_vars"
[ "$e_easy_vars" ] && vars="$easy_vars"
[ "$e_pki_vars" ] && vars="$pki_vars" && vars_in_pki=1
: # Wipe error status
;;
*)
# For init-pki, skip this check
if [ "$pki_is_required" ]; then
[ "$e_pki_vars" ] && print "Found: $pki_vars" [ "$e_pki_vars" ] && print "Found: $pki_vars"
[ "$e_easy_vars" ] && print "Found: $easy_vars" [ "$e_easy_vars" ] && print "Found: $easy_vars"
[ "$e_pwd_vars" ] && print "Found: $pwd_vars" [ "$e_pwd_vars" ] && print "Found: $pwd_vars"
@ -3821,30 +3852,31 @@ Conflicting 'vars' files found.
Priority should be given to your PKI vars file: Priority should be given to your PKI vars file:
* $expected_pki_vars" * $expected_pki_vars"
esac fi
# If a SINGLE vars file is found then assign $vars # For init-pki, pki/vars will be deleted
[ "$e_prog_vars" ] && vars="$prog_vars" # Another vars file exists, so don't create pki/vars
[ "$e_pwd_vars" ] && vars="$pwd_vars" no_new_vars=1
[ "$e_easy_vars" ] && vars="$easy_vars" esac
[ "$e_pki_vars" ] && vars="$pki_vars" && vars_in_pki=1
# Clean up # Clean up
unset -v prog_vars pwd_vars easy_vars pki_vars unset -v prog_vars pwd_vars easy_vars pki_vars
fi
# END: Find vars # END: Find vars
fi fi
# Find vars 'the old way'
# If $EASYRSA_NO_VARS is defined (not blank) then do not use vars. # If $EASYRSA_NO_VARS is defined (not blank) then do not use vars.
# If $no_pki_required then located vars files are not required. # If $no_pki_required then located vars files are not required.
if [ "$EASYRSA_NO_VARS" ] || [ "$no_pki_required" ]; then if [ "$EASYRSA_NO_VARS" ] || [ "$no_pki_required" ]; then
: # ok : # ok
# If a vars file was located then source it
else else
# If a vars file was located then source it # $vars remains undefined .. no vars found
# 'install_data_to_pki vars-setup' will NOT create a default PKI/vars
if [ -z "$vars" ]; then if [ -z "$vars" ]; then
# $vars remains undefined .. no vars found information "No Easy-RSA configuration file exists!"
# install_data_to_pki() will create a default 'PKI/vars' no_new_vars=1
: # ok
else else
# 'vars' now MUST exist # 'vars' now MUST exist
[ -e "$vars" ] || die "Missing vars file, expected: $vars" [ -e "$vars" ] || die "Missing vars file, expected: $vars"
@ -3880,17 +3912,6 @@ Sourcing the vars file and building certificates will probably fail ..'
. "$vars" 2>/dev/null . "$vars" 2>/dev/null
unset -v EASYRSA_CALLER unset -v EASYRSA_CALLER
information "Using Easy-RSA configuration from: $vars"
if [ "$vars_in_pki" ] || [ "$user_vars_true" ]; then
: # ok - No message required
else
information "\
The preferred location for 'vars' is within the PKI folder:
${EASYRSA_PKI:-$PWD/pki}
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=./vars"
fi
fi fi
fi fi
@ -3954,7 +3975,21 @@ The preferred location for 'vars' is within the PKI folder:
# This will find x509-types and export EASYRSA_EXT_DIR or die. # This will find x509-types and export EASYRSA_EXT_DIR or die.
# Other errors only require warning. # Other errors only require warning.
install_data_to_pki vars-setup || \ install_data_to_pki vars-setup || \
warn "Failed to install new required data-dir to PKI. (vars_setup)" warn "install_data_to_pki vars-setup Failed"
# Installation information
[ "$no_new_vars" ] || \
information "Using Easy-RSA configuration: $vars"
# if the vars file in use is not in the PKI and not user defined
# Show messages
if [ "$vars_in_pki" ] || [ "$user_vars_true" ] || \
[ "$no_new_vars" ]
then
: # ok - No message required
else
prefer_vars_in_pki_msg
fi
information "Using x509-types directory: $EASYRSA_EXT_DIR"
# export OPENSSL_CONF for OpenSSL, OpenSSL config file MUST exist # export OPENSSL_CONF for OpenSSL, OpenSSL config file MUST exist
# EASYRSA_SAFE_CONF is output by 'install_data_to_pki()' # EASYRSA_SAFE_CONF is output by 'install_data_to_pki()'