Insert required errors and warning to control vars location

Error-1: For multiple vars files when 'pki/vars' is true.
Not thrown for multiple vars if 'pki/vars' is not true.
When multiple vars are found one is selected based on priority.
Priority is: "$PWD/vars" (default); Program folder; 'pki/vars'
Not thrown if user specifies 'vars' by either specifying
* EASYRSA, can only be set externally.
* --vars=<FILE>, user set vars is respected.

Error-2: When the default 'pki/vars' sets EASYRSA_PKI, causing
the PKI to be changed during setup proceedure.
This is a rare error but must be caught, otherwise it is very
easy to use 'init-pki' to remove the wrong PKI.

Warning: When 'pki/vars' is true.
After completing any command, this warning will be issued,
if the sourced 'vars' file is in the default 'pki' AND
if the user did not specifically select a vars file.

Allow commands 'version', 'upgrade' and 'show-host' to
complete without using any 'vars' file.

Upgrade warning to error for 'export' or 'unset' used in
the 'vars' file.

Downgrade die to user_error for simple 'vars' file problems.

Signed-off-by: Richard T Bonhomme <[email protected]>

ChangeLog

@@ -3,6 +3,7 @@ Easy-RSA 3 ChangeLog
 3.2.0 (TBD)
 
 3.1.7 (ETA 2023-10-13)
+   * Insert required errors and warning to control vars location (#1014)
    * Guard against default 'pki/vars' setting a different PKI (#1014)
    * Retract preference for 'vars' file to exist in the PKI (#1014)
    * Disable all code which requests vars in PKI (#1014)

easyrsa3/easyrsa

@@ -93,10 +93,6 @@ DIRECTORY STATUS (commands would take effect on these locations)
    vars-file: $vars_status
   x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined}
 $CA_status"
-
-	# if the vars file in use is in the PKI
-	# and not user defined then Show the message
-	vars_in_pki_msg
 } # => usage()
 
 # Detailed command help
@@ -875,6 +871,10 @@ Temporary session not preserved."
 		*) warn "prompt_restore: '$prompt_restore'"
 	esac
 
+	# if the vars file in use is in the PKI
+	# and not user defined then Show the message
+	vars_in_pki_msg
+
 	# Get a clean line
 	[ "$EASYRSA_SILENT" ] || print
 
@@ -892,7 +892,7 @@ Temporary session not preserved."
 
 	# Exit: SIGINT
 	if [ "$1" = 2 ]; then
-		verbose "exit SIGINT = true"
+		verbose "Exit: SIGINT = true"
 		kill -2 "$$"
 	fi
 
@@ -5599,10 +5599,30 @@ setup_vars() {
 		# Program location:
 		[ -e "$prog_vars" ] && e_prog_vars=1
 
-		# PKI location, if present:
+		# PKI location, least desirable:
 		if [ -e "$pki_vars" ]; then
 			e_pki_vars=1
 			vars_in_pki=1
+
+			# Conflicting vars:
+			if [ "$e_pwd_vars" ] || [ "$e_prog_vars" ]
+			then
+				user_error "\
+There is a 'vars' file located inside the default PKI.
+This 'vars' file must be moved to the working directory.
+
+  'vars' file:
+  * $pki_vars
+
+  PKI directory:
+  * ${pki_vars%/vars}
+
+  Working directory:
+  * $PWD
+
+  Info:
+  * https://github.com/OpenVPN/easy-rsa/issues/1009"
+			fi
 		fi
 
 		# Count found vars files
@@ -5698,12 +5718,12 @@ No Easy-RSA 'vars' configuration file exists."
 	# If a vars file was located then source it
 	else
 		# 'vars' MUST not be a directory
-		[ -d "$vars" ] && die "\
+		[ -d "$vars" ] && user_error "\
 Missing vars file:
 * $vars"
 
 		# 'vars' now MUST exist
-		[ -e "$vars" ] || die "\
+		[ -e "$vars" ] || user_error "\
 Missing vars file:
 * $vars"
 
@@ -5736,7 +5756,7 @@ Please, correct these errors and try again."
 			-e '[[:blank:]]unset[[:blank:]]*' \
 			"$vars"
 		then
-			warn "\
+			user_error "\
 One or more of these problems has been found in your 'vars' file:
 
 * Use of 'export':
@@ -5815,33 +5835,26 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'"
 
 	set_var EASYRSA_MAX_TEMP		4
 
+	# https://github.com/OpenVPN/easy-rsa/issues/1009
 	# expected_pki is set when default 'pki/vars' is used
-	# This blocks pki/vars changing EASYRSA_PKI
-	if [ "$expected_pki" ] # && [ "$require_pki" ]
-	then
-		if [ "$expected_pki" = "$EASYRSA_PKI" ]
-		then
+	# This blocks pki/vars UNEXPECTEDLY changing EASYRSA_PKI
+	if [ "$expected_pki" ]; then
+		if [ "$expected_pki" = "$EASYRSA_PKI" ]; then
 			: # ok
 		else
-			# Show warning
 			user_error "\
-'EASYRSA_PKI' is set incorrectly in the 'vars' file.
+'EASYRSA_PKI' is set incorrectly in the default 'vars' file.
 
-  This vars file:
+  The default pki/vars file:
   * $vars
 
-  Uses this PKI:
+  Uses a different PKI:
   * $EASYRSA_PKI
 
 Cannot continue with invalid configuration."
 		fi
 	fi
 
-	# if the vars file in use is not in the PKI
-	# and not user defined then Show the messages
-	if [ "$require_pki" ]; then
-		vars_in_pki_msg
-	fi
 	verbose "source_vars: COMPLETED"
 } # => source_vars()
 
@@ -5894,7 +5907,7 @@ verify_working_env - install_data_to_pki vars-setup failed"
 			# Last setup msg
 			information "
 Using SSL:
-* $EASYRSA_OPENSSL $ssl_version"
+* $EASYRSA_OPENSSL $ssl_version${NL}"
 
 		else
 			# The directory does not exist
@@ -7226,10 +7239,12 @@ cmd="$1"
 # Establish PKI and CA initialisation requirements
 # This avoids unnecessary warnings and notices
 case "$cmd" in
-	init-pki|clean-all|\
-	help|-h|--help|--usage|\
-	show-host|\
-	version|upgrade|'')
+	version|upgrade|show-host)
+		unset -v require_pki require_ca
+		EASYRSA_NO_VARS=1
+	;;
+	help|-h|--help|--usage|''| \
+	init-pki|clean-all)
 		unset -v require_pki require_ca
 	;;
 	*)