Allow reuse of select_vars() by not also calling source_vars().
Minor improvement to error detection in source_vars().
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
sanitize_path() is unnecessary and simply replaced by a condition
in init_pki(), to protect against use of root / directory.
Push the dubious Easy-RSA Windows "security" warning to verbose mode.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Dependency, completed:
- Upload new shellcheck binary to Openvpn/easyrsa-unit-tests repository.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If either EASYRSA or EASYRSA_PKI is already defined when searching for
default "$PWD/pki/var" then ignore this default vars file.
If EASYRSA_PKI is defined then do not load a vars file from a different PKI.
If EASYRSA is defined then do not load a vars file from any PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Vars 'expected_EASYRSA' and 'expected_EASYRSA_PKI' must only be set
when "$PWD/pki/vars" is used. This is the only file which can set the
PKI to an "unexpected" location.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Additional:
Caveat: The default '$PWD/pki/vars' file is forbidden to change either
EASYRSA or EASYRSA_PKI, which are both implied by default.
NOTICE: vars-auto-detect no longer searches easyrsa program directory.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
All candidate vars-files are searched for and EASYRSA_VARS_FILE is set
to the first valid vars-file found. According to Advanced.md
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Check that sourcing default pki/vars has NOT changed EASYRSA or EASYRSA_PKI.
This will be resolved in v3.2.0 - See #comment for details.
Refactor select_vars():
To: single if/elif/else/fi.
From: separate if/fi statements.
Always set EASYRSA_VARS_FILE to the used vars-file.
(Required for 'help' status)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
vars_setup was trying to do more work than only setting up vars.
These tasks have been broken down as follows:
select_vars:
* Choose only ONE vars file to source by priority specified in Advanced.md
* Apply restrictions to default vars changing EASYRSA or EASYRSA_PKI.
source_vars:
* Verify and source a vars file.
default_vars:
* Set all default values as expected.
Note: Also disable use of vars_setup.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Correct auto-load order:
The previous order was to search the default PKI before EASYRSA.
Change: EASYRSA is moved to a higher priority than a default PKI.
Remove 'program location' as a valid target for auto-loading vars.
Keeping writable data files in the same folder as executable code
is not necessary. If it is required then use of other options is
preferred. eg: --vars=<FILE> or $EASYRSA
Add additional information regarding use of default PKI.
Add section to advise the preferred use of --pki over --vars.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If a vars file in the PKI tries to change the expected PKI then fail.
Allow vars file in the working directory to change the PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The main changes made are:
* If EASYRSA is set then only allow default vars file. No auto-load
* If EASYRSA_PKI is set then allow also EASYRSA_PKI/vars. Use auto-load.
This is something like "The Three Laws"; vars auto-load is unnecessary
and should be replaced by a single default vars file. However, here is
the latest version:
1. The DEFAULT vars file is in the working directory: ./vars
2. Using --vars=<FILE>, takes priority ALWAYS. NO auto-load!
3. Using --pki-dir=<DIR>, allows "$EASYRSA_PKI/vars". Use auto-load!
Note:
A user set PKI can auto-load a default vars file in the PKI, however,
that can also conflict with a default ./vars file.
4. ERROR, if vars auto-load finds more than one VIABLE vars file.
Viable vars files and conflicts:
1. "$PWD/vars" - Can conflict.
2. "$PWD/pki/vars" - Can conflict.
3. "$EASYRSA/vars" - User defined EASYRSA, no conflict.
4. "$EASYRSA_PKI/vars" - User defined EASYRSA_PKI, can conflict.
This is achieved by making the following changes:
Prioritise user-set EASYRSA to force "$EASYRSA/vars" ONLY.
No auto-load.
Expand assigning EASYRSA_PKI/vars to test for user-set PKI or default PKI.
Use auto-load.
Remove unused code and improve comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
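
The selection rules listed in the last commit message above, written as an added example that is not Easy-RSA's own code: the function name `pick_vars` and its argument order are assumptions made for illustration. It picks exactly one vars file and refuses to guess when auto-load finds two viable candidates.

```shell
#!/bin/sh
# Added illustration, not Easy-RSA source; pick_vars is a hypothetical name.
# Usage: pick_vars <workdir> [--vars file] [user-set EASYRSA] [user-set EASYRSA_PKI]
# Prints the one vars file to source (nothing if none); returns 1 on error.
pick_vars() {
    wd=$1 explicit=$2 user_easyrsa=$3 user_pki=$4

    # --vars=<FILE> always takes priority: no auto-load.
    if [ -n "$explicit" ]; then
        [ -f "$explicit" ] || { echo "vars file not found: $explicit" >&2; return 1; }
        printf '%s\n' "$explicit"
        return 0
    fi

    # A user-set EASYRSA forces "$EASYRSA/vars" only: no auto-load.
    if [ -n "$user_easyrsa" ]; then
        if [ -f "$user_easyrsa/vars" ]; then printf '%s\n' "$user_easyrsa/vars"; fi
        return 0
    fi

    # Auto-load: ./vars plus the PKI vars (user-set PKI, else default ./pki).
    pki=${user_pki:-$wd/pki}
    found='' count=0
    for f in "$wd/vars" "$pki/vars"; do
        [ -f "$f" ] || continue
        found=$f
        count=$((count + 1))
    done

    # More than one viable vars file is an error, never a silent choice.
    if [ "$count" -gt 1 ]; then
        echo "conflicting vars files: $wd/vars and $pki/vars" >&2
        return 1
    fi
    if [ -n "$found" ]; then printf '%s\n' "$found"; fi
    return 0
}

# Constructed demo: a working directory holding both ./vars and ./pki/vars.
demo=$(mktemp -d)
mkdir "$demo/pki"
: > "$demo/vars"
: > "$demo/pki/vars"
pick_vars "$demo" || echo "refused: ambiguous vars files"
pick_vars "$demo" "$demo/vars"   # an explicit file resolves the ambiguity
rm -rf "$demo"
```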