Vars hierarchy v2 #1029

Merged
merged 14 commits into from
Oct 1, 2023

TinCanTech
Collaborator

@TinCanTech TinCanTech commented Sep 24, 2023

Replace overused vars_setup() with three separate functions:

  1. select_vars: Choose the correct vars file. And restrict default pki/vars from changing EASYRSA and EASYRSA_PKI, which are implied by the location of the default pki/vars file.
  2. source_vars: Verify and source a given vars file.
  3. default_vars: Set the expected defaults.

Additional: verify_default_vars: Check that default pki/vars does not change EASYRSA and/or EASYRSA_PKI (Could be moved to mutual_exclusions())

Correct auto-load order:
The previous order was to search the default PKI before EASYRSA.
Change: EASYRSA is moved to a higher priority than a default PKI.

Remove 'program location' as a valid target for auto-loading vars.
Keeping writable data files in the same folder as executable code
is not necessary.  If it is required then use of other options is
preferred. eg: --vars=<FILE> or $EASYRSA

Add additional information regarding use of default PKI.
Add section to advise the preferred use of --pki over --vars.

Signed-off-by: Richard T Bonhomme <[email protected]>
vars_setup was trying to do more work than only setting up vars.
These tasks have been broken down as follows:

select_vars:
* Choose only ONE vars file to source by priority specified in Advanced.md
* Apply restrictions to default vars changing EASYRSA or EASYRSA_PKI.

source_vars:
* Verify and source a vars file.

default_vars:
* Set all default values as expected.

Note: Also disable use of vars_setup.

Signed-off-by: Richard T Bonhomme <[email protected]>
Check that sourcing default pki/vars has NOT changed EASYRSA or EASYRSA_PKI.
This will be resolved in v3.2.0 - See #comment for details.

Refactor select_vars():
To: single if/elif/else/fi.
From: separate if/fi statements.
Always set EASYRSA_VARS_FILE to the used vars-file.
(Required for 'help' status)

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech linked an issue Sep 24, 2023 that may be closed by this pull request
All candidate vars-files are searched for and EASYRSA_VARS_FILE is set
to the first valid vars-file found. According to Advanced.md

Signed-off-by: Richard T Bonhomme <[email protected]>
Replaced by: select_vars(), source_vars() and default_vars().

Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
Also, remove unused variable $expected_pki.

Signed-off-by: Richard T Bonhomme <[email protected]>
Additional:
Caveat: The default '$PWD/pki/vars' file is forbidden to change either
        EASYRSA or EASYRSA_PKI, which are both implied by default.

NOTICE: vars-auto-detect no longer searches easyrsa program directory.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Collaborator Author

TinCanTech commented Sep 28, 2023

Bug: Default pki/vars is still not quite right - Can conflict with --pki=DIR vars file.

Fix: 29bd64c below

Vars 'expected_EASYRSA' and 'expected_EASYRSA_PKI' must only be set
when "$PWD/pki/vars" is used. This is the only file which can set the
PKI to an "unexpected" location.

Signed-off-by: Richard T Bonhomme <[email protected]>
If either EASYRSA or EASYRSA_PKI is already defined when searching for
default "$PWD/pki/var" then ignore this default vars file.

If EASYRSA_PKI is defined then do not load a vars file from a different PKI.
If EASYRSA is defined then do not load a vars file from any PKI.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Collaborator Author

TinCanTech commented Sep 29, 2023

This looks ready.

FTR: easyrsa has never searched for $EASYRSA/pki/vars, it still does not.

@TinCanTech TinCanTech merged commit eba3a82 into OpenVPN:master Oct 1, 2023
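
The restriction discussed in this pull request (the default `pki/vars` file must not change `EASYRSA` or `EASYRSA_PKI`) can be checked as shown in this added example, which is not easyrsa's own code. The function name `check_default_vars`, the unconditional `set_var` stand-in and the two sample vars files are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added illustration; not code from easyrsa. check_default_vars is a hypothetical name.

# check_default_vars FILE EASYRSA_DIR PKI_DIR
# Returns 0 if sourcing FILE leaves EASYRSA and EASYRSA_PKI at the values
# implied by the file's location, 1 if it changes either, 2 if FILE is missing.
check_default_vars() {
    vars_file=$1 want_easyrsa=$2 want_pki=$3
    [ -f "$vars_file" ] || return 2
    # '.' searches PATH for names without a slash; force a path lookup.
    case $vars_file in */*) ;; *) vars_file=./$vars_file ;; esac
    (
        # The subshell keeps assignments out of the caller's environment.
        # It does not contain side effects: the file is still executed.
        EASYRSA=$want_easyrsa
        EASYRSA_PKI=$want_pki
        # Stand-in for the set_var helper that vars files call. This version
        # assigns unconditionally so an attempted change is always visible.
        set_var() { _name=$1; shift; eval "$_name=\$*"; }
        . "$vars_file" >/dev/null 2>&1
        [ "$EASYRSA" = "$want_easyrsa" ] && [ "$EASYRSA_PKI" = "$want_pki" ]
    )
}

# Constructed sample input: two throwaway PKI directories with vars files.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/ok/pki" "$demo_dir/bad/pki"
cat > "$demo_dir/ok/pki/vars" <<'EOF'
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_CERT_EXPIRE 825
EOF
cat > "$demo_dir/bad/pki/vars" <<'EOF'
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_PKI "/tmp/other-pki"
EOF

for d in ok bad; do
    if check_default_vars "$demo_dir/$d/pki/vars" "$demo_dir/$d" "$demo_dir/$d/pki"
    then echo "$d: vars file accepted"
    else echo "$d: vars file rejected (changes EASYRSA or EASYRSA_PKI)"
    fi
done
```
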
3 checks passed
Successfully merging this pull request may close these issues.

Setting a PKI in vars allows the PKI to change unexpectedly