From 6f88df35b4633d67f6222f8ea5ec63731d84de89 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 6 Sep 2023 19:54:36 +0100 Subject: [PATCH] Insert required errors and warning to control vars location Error-1: For multiple vars files when 'pki/vars' is true. Not thrown for multiple vars if 'pki/vars' is not true. When multiple vars are found one is selected based on priority. Priority is: "$PWD/vars" (default); Program folder; 'pki/vars' Not thrown if user specifies 'vars' by either specifying * EASYRSA, can only be set externally. * --vars=, user set vars is respected. Error-2: When the default 'pki/vars' sets EASYRSA_PKI, causing the PKI to be changed during setup proceedure. This is a rare error but must be caught, otherwise it is very easy to use 'init-pki' to remove the wrong PKI. Warning: When 'pki/vars' is true. After completing any command, this warning will be issued, if the sourced 'vars' file is in the default 'pki' AND if the user did not specifically select a vars file. Allow commands 'version', 'upgrade' and 'show-host' to complete without using any 'vars' file. Upgrade warning to error for 'export' or 'unset' used in the 'vars' file. Downgrade die to user_error for simple 'vars' file problems. Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + easyrsa3/easyrsa | 71 +++++++++++++++++++++++++++++------------------- 2 files changed, 44 insertions(+), 28 deletions(-) diff --git a/ChangeLog b/ChangeLog index d904e13a0..0c96341f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) 3.1.7 (ETA 2023-10-13) + * Insert required errors and warning to control vars location (#1014) * Guard against default 'pki/vars' setting a different PKI (#1014) * Retract preference for 'vars' file to exist in the PKI (#1014) * Disable all code which requests vars in PKI (#1014) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 9035b2094..e5ffe50f1 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -93,10 +93,6 @@ DIRECTORY STATUS (commands would take effect on these locations) vars-file: $vars_status x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined} $CA_status" - - # if the vars file in use is in the PKI - # and not user defined then Show the message - vars_in_pki_msg } # => usage() # Detailed command help @@ -875,6 +871,10 @@ Temporary session not preserved." *) warn "prompt_restore: '$prompt_restore'" esac + # if the vars file in use is in the PKI + # and not user defined then Show the message + vars_in_pki_msg + # Get a clean line [ "$EASYRSA_SILENT" ] || print @@ -892,7 +892,7 @@ Temporary session not preserved." # Exit: SIGINT if [ "$1" = 2 ]; then - verbose "exit SIGINT = true" + verbose "Exit: SIGINT = true" kill -2 "$$" fi @@ -5599,10 +5599,30 @@ setup_vars() { # Program location: [ -e "$prog_vars" ] && e_prog_vars=1 - # PKI location, if present: + # PKI location, least desirable: if [ -e "$pki_vars" ]; then e_pki_vars=1 vars_in_pki=1 + + # Conflicting vars: + if [ "$e_pwd_vars" ] || [ "$e_prog_vars" ] + then + user_error "\ +There is a 'vars' file located inside the default PKI. +This 'vars' file must be moved to the working directory. + + 'vars' file: + * $pki_vars + + PKI directory: + * ${pki_vars%/vars} + + Working directory: + * $PWD + + Info: + * https://github.com/OpenVPN/easy-rsa/issues/1009" + fi fi # Count found vars files @@ -5698,12 +5718,12 @@ No Easy-RSA 'vars' configuration file exists." # If a vars file was located then source it else # 'vars' MUST not be a directory - [ -d "$vars" ] && die "\ + [ -d "$vars" ] && user_error "\ Missing vars file: * $vars" # 'vars' now MUST exist - [ -e "$vars" ] || die "\ + [ -e "$vars" ] || user_error "\ Missing vars file: * $vars" @@ -5736,7 +5756,7 @@ Please, correct these errors and try again." -e '[[:blank:]]unset[[:blank:]]*' \ "$vars" then - warn "\ + user_error "\ One or more of these problems has been found in your 'vars' file: * Use of 'export': 
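Review bot: The `vars_in_pki_msg` call added in the `@@ -875,6 +871,10 @@` hunk sits above the `[ "$EASYRSA_SILENT" ] || print` guard. Unless the function checks silent mode itself, the warning will appear on every exit path, including failed commands and the SIGINT branch shown in the next hunk. The commit message describes it as a warning issued after a command completes, so the intended scope should be stated next to the call, e.g. `# Shown on every exit, including errors; must be safe when no vars file was sourced`. If it is meant for successful runs only, gate the call on the exit status instead. The enclosing function starts and ends outside the hunk.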
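Review bot: In the `@@ -5599,10 +5599,30 @@` hunk the new `user_error` tells the user the PKI 'vars' file "must be moved to the working directory". When `e_pwd_vars` is set, a 'vars' file already exists there, so following the advice would overwrite one of the two configurations. The message also prints only `$pki_vars`, so when the conflict comes from `e_prog_vars` the user is not shown where the other copy lives. Because the selected file is sourced as shell code, the text should list every 'vars' file that was found and ask the user to keep exactly one. The commit message says this error is skipped when the user chose a file via `--vars=` or `EASYRSA`; that gating is not visible here and `setup_vars` continues outside the hunk, so confirm this block is reached only on the auto-detect path.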
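Review bot: In the `@@ -5698,12 +5718,12 @@` hunk the `[ -d "$vars" ]` branch still reports `Missing vars file:` for a path that exists but is a directory. That is the same text as the `[ -e "$vars" ]` branch below it. Give the directory case its own wording, e.g. `'vars' is a directory, a regular file is required:`. Since the file is sourced next, consider `[ -f "$vars" ]` in place of `-e`, so that other non-regular paths are rejected as well.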
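Review bot: Raising this check from `warn` to `user_error` in the `@@ -5736,7 +5756,7 @@` hunk makes any false positive fatal. The visible pattern `-e '[[:blank:]]unset[[:blank:]]*'` is loose: the trailing `[[:blank:]]*` can match nothing, so it hits the word after any blank, including inside comments or in a longer word such as ` unsettled`. It also misses `unset` at the very start of a line, unless a pattern above the hunk covers that. Anchoring it as a command, e.g. `-e '^[[:blank:]]*unset[[:blank:]]'`, keeps the hard stop for real uses, at the cost of not seeing a command that follows `;`. The grep command begins above the hunk, so check whether the `export` pattern needs the same change.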
@@ -5815,33 +5835,26 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" set_var EASYRSA_MAX_TEMP 4 + # https://github.com/OpenVPN/easy-rsa/issues/1009 # expected_pki is set when default 'pki/vars' is used - # This blocks pki/vars changing EASYRSA_PKI - if [ "$expected_pki" ] # && [ "$require_pki" ] - then - if [ "$expected_pki" = "$EASYRSA_PKI" ] - then + # This blocks pki/vars UNEXPECTEDLY changing EASYRSA_PKI + if [ "$expected_pki" ]; then + if [ "$expected_pki" = "$EASYRSA_PKI" ]; then : # ok else - # Show warning user_error "\ -'EASYRSA_PKI' is set incorrectly in the 'vars' file. +'EASYRSA_PKI' is set incorrectly in the default 'vars' file. - This vars file: + The default pki/vars file: * $vars - Uses this PKI: + Uses a different PKI: * $EASYRSA_PKI Cannot continue with invalid configuration." fi fi - # if the vars file in use is not in the PKI - # and not user defined then Show the messages - if [ "$require_pki" ]; then - vars_in_pki_msg - fi verbose "source_vars: COMPLETED" } # => source_vars() @@ -5894,7 +5907,7 @@ verify_working_env - install_data_to_pki vars-setup failed" # Last setup msg information " Using SSL: -* $EASYRSA_OPENSSL $ssl_version" +* $EASYRSA_OPENSSL $ssl_version${NL}" else # The directory does not exist @@ -7226,10 +7239,12 @@ cmd="$1" # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices case "$cmd" in - init-pki|clean-all|\ - help|-h|--help|--usage|\ - show-host|\ - version|upgrade|'') + version|upgrade|show-host) + unset -v require_pki require_ca + EASYRSA_NO_VARS=1 + ;; + help|-h|--help|--usage|''| \ + init-pki|clean-all) unset -v require_pki require_ca ;; *)
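Review bot: The rewritten error in the `@@ -5815,33 +5835,26 @@` hunk prints `$EASYRSA_PKI` but not `$expected_pki`, so the user cannot see which PKI the default 'vars' file was expected to leave in place. Add two lines to the message, `  Expected PKI:` and `  * $expected_pki`. The test is a plain string comparison, so an equivalent path spelled differently (a trailing slash, a relative path) will also stop here. That fails safe, which is right for a guard protecting `init-pki` from removing the wrong PKI, and printing both values makes such cases easy to diagnose. `source_vars` starts outside the hunk.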
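Review bot: In the `@@ -7226,10 +7239,12 @@` hunk `EASYRSA_NO_VARS=1` is assigned unconditionally for `version`, `upgrade` and `show-host`. Depending on how the flag is read outside this hunk, a file the user names with `--vars=` may be ignored for these commands, although the commit message says a user-set vars is respected. For `upgrade` this matters if the PKI location is defined in that file, since the command would then act on a different directory than the user expects. Either set the flag only when no vars file was requested, or document the behaviour at the assignment: `# These commands never source 'vars', even if --vars= is given`. The `case` statement continues past the end of the hunk.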