Disable prefer_vars_in_pki_msg(), until further notice #1014

Closed
wants to merge 21 commits into from

@TinCanTech TinCanTech commented Aug 29, 2023

This patch set completes the following:

1
4cb05fe

  • Disable prefer_vars_in_pki_msg().
    No other changes.

2
2e5865a

  • install_data_to_pki: Disable creating new vars file.
    Stop 'init-pki' creating a new vars file inside the new PKI.
    Disable confirmation advising user to use 'init-pki soft'
    ('init-pki soft' is no longer useful and will be removed)

3
f18c9a0

  • Disable creating a vars file and only allow one vars file to exist
    Completely disable creating any vars file
    If more than one vars file exists, it is a fatal error
    (Changed from FATAL to WARNING in b19beb2 below)

4
d05a89e

  • Never create a pki/vars.example file

5
8d55b9f

  • Update ChangeLog: Disable code which requests vars be moved to the PKI

6
53f443c

  • vars_setup: Downgrade warning to info for "no vars file exists"

7
3b4ac2e

  • install_data_to_pki: Correct error message "text" only

8
b19beb2

  • vars_setup: Multiple vars files, downgrade FATAL error to WARNING
    Finding multiple vars files will result in a WARNING instead of a
    FATAL error, then a vars file is selected.

9
1c0228b

  • vars_setup: Prioritise pre-defined EASYRSA/vars over standard search
    EASYRSA can only be set by the user so prioritise "$EASYRSA/vars"

10
b75c8b0

  • vars_setup: Prohibit specifying vars as a directory. eg: ./

11
4a80b21

  • vars_setup: Split into setup_vars() and source_vars()

12
b9914c6

  • Repurpose prefer_vars_in_pki_msg() to "warn against vars in PKI"

13
92a6341

  • Add explicit confirmation for default 'pki/vars' setting a different PKI
    (Possible bug (Fix) caused by moving vars to the PKI)

14
a68edb3

  • Update ChangeLog: Retract "preference for vars in the PKI"

15
bb1adae

  • Change to FATAL error when default 'pki/vars' sets a different PKI
    (Changes 13 92a6341 above)

16
fab09e6

  • init-pki: Remove unnecessary user information concerning vars

17
0e53ae1

  • install_data_to_pki() init-pki: Remove code to create a 'pki/vars' file

18
6f88df3

  • Insert required errors and warning to control vars location

19
d2c25de

  • Forbid 'pki/vars' setting PKI for command 'init-pki'

20
dc15f35

  • 'init-pki', prioritise USER set EASYRSA_PKI and EASYRSA

21
0c8fd82

  • Move "Setup: catch vars file changing PKI unexpectedly"
    Prioritise command line options above 'vars' file assignments

install_data_to_pki init-pki: Never create a vars file.
Creating a vars file in the PKI is not recommended due to the possibility
of defining use of a different PKI via EASYRSA_PKI variable.

vars_setup: Never allow multiple vars files to exist for any commands.
If there are multiple vars file found then EasyRSA has no way to prioritise
one over another.

Remove unused variable: expected_pki_vars

Standardise some verbose messages.

Correct some comments related to 'vars in PKI', no longer suitable.

Signed-off-by: Richard T Bonhomme <[email protected]>

Having a pki/vars.example file exist, leads to the incorrect conclusion
that a pki/vars file is suitable. Therefore, never create an example file.

Signed-off-by: Richard T Bonhomme <[email protected]>

Finding multiple vars files will result in a WARNING instead of a
FATAL error, then a vars file is selected.

If --vars=<FILE> is used or EASYRSA_VARS_FILE is defined then only
the vars file defined is used, all other vars files are ignored
without warning.

If multiple vars files are found then select in the following order:
* EASYRSA/vars - User has preset EASYRSA, highest priority.
* PWD/vars - The expected default.
* Program directory - This is essentially the same as PWD/vars
  However, it is explicitly listed due to code history.
* pki/vars - This is least wanted. See note below.

Note:
The pki/vars was an attempt to change the default expected location
of the vars file. After extensive testing, this change has proven to
be fraught with misuse. Specifically, setting EASYRSA_PKI from within
a different PKI, an obvious conflict of interests.

If a single vars file is found then select it with the same priority
as multiple vars files.

Signed-off-by: Richard T Bonhomme <[email protected]>
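The selection order listed in the commit message above, as an added example that is not Easy-RSA's own code. `select_vars`, its argument layout and the de-duplication of the working and program directories are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Easy-RSA code. select_vars and its arguments are hypothetical.
# Usage: select_vars EXPLICIT EASYRSA_DIR WORK_DIR PROG_DIR PKI_DIR
# Prints "<count> <path>": distinct vars files found, then the one selected.
select_vars() {
    # --vars=<FILE> or EASYRSA_VARS_FILE: use only that file, ignore the rest.
    if [ -n "$1" ]; then
        echo "1 $1"
        return 0
    fi
    shift
    count=0
    chosen=
    seen=
    # Remaining arguments are already in priority order, highest first.
    for dir in "$@"; do
        [ -n "$dir" ] && [ -f "$dir/vars" ] || continue
        real=$(cd "$dir" && pwd -P) || continue
        # Assumption: the program directory is often $PWD; count it once.
        case $seen in *"|$real|"*) continue ;; esac
        seen="$seen|$real|"
        count=$((count + 1))
        [ -n "$chosen" ] || chosen="$real/vars"
    done
    [ "$count" -gt 0 ] || return 1
    [ "$count" -eq 1 ] || echo "WARNING: $count vars files found" >&2
    echo "$count $chosen"
}

# Constructed layout: vars in the working directory and in its pki/.
demo_select() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/pki"
    : > "$d/vars"
    : > "$d/pki/vars"
    select_vars "" "" "$d" "$d" "$d/pki"
    rm -rf "$d"
}
demo_select
```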
@TinCanTech TinCanTech force-pushed the disable-vars-in-pki-msg branch from a364299 to b19beb2 Compare September 3, 2023 21:43

There is no built-in way to set EASYRSA as a variable, it must be set
externally by the user.

Therefore, when EASYRSA is set allow ONLY "$EASYRSA/vars".
Allow "$EASYRSA/vars" to NOT exist.

Command option --vars=<FILE> has priority.

Signed-off-by: Richard T Bonhomme <[email protected]>

setup_vars: Determine which vars file to use.

source_vars: Validate and source accepted vars file.

Signed-off-by: Richard T Bonhomme <[email protected]>

Use the same logic as "prefer vars in pki" but change the message
to "warn against vars in the pki".

Signed-off-by: Richard T Bonhomme <[email protected]>

@TinCanTech TinCanTech left a comment

If the default 'pki/vars' exists and sets EASYRSA_PKI to a different PKI,
anything other than "$PWD/pki", then issue a warning with an explicit user
confirmation to proceed with this invalid configuration.

This is a left-over by-product of trying to move the vars file to the PKI.

Problem: 'pki/vars' sets EASYRSA_PKI to a different PKI.

Conclusion: Easy-RSA v3.1.7 does NOT support a vars file in the PKI.

Signed-off-by: Richard T Bonhomme <[email protected]>

@TinCanTech TinCanTech force-pushed the disable-vars-in-pki-msg branch from 4283ad2 to 92a6341 Compare September 4, 2023 23:47

@TinCanTech

92a6341 - Concerns #1006

Previously, this was a warning and confirmation to continue.
Changed to, NEVER allow this invalid configuration.

Signed-off-by: Richard T Bonhomme <[email protected]>

Remove second warning on hard-reset which promotes soft-reset,
soft-reset will be removed.

Remove information concerning 'vars' file. 'init-pki' does not
create a 'vars' file in the PKI, therefore, the information is
no longer relevant.

Signed-off-by: Richard T Bonhomme <[email protected]>

Error-1: For multiple vars files when 'pki/vars' is true.
Not thrown for multiple vars if 'pki/vars' is not true.
When multiple vars are found one is selected based on priority.
Priority is: "$PWD/vars" (default); Program folder; 'pki/vars'
Not thrown if user specifies 'vars' by either specifying
* EASYRSA, can only be set externally.
* --vars=<FILE>, user set vars is respected.

Error-2: When the default 'pki/vars' sets EASYRSA_PKI, causing
the PKI to be changed during setup procedure.
This is a rare error but must be caught, otherwise it is very
easy to use 'init-pki' to remove the wrong PKI.

Warning: When 'pki/vars' is true.
After completing any command, this warning will be issued,
if the sourced 'vars' file is in the default 'pki' AND
if the user did not specifically select a vars file.

Allow commands 'version', 'upgrade' and 'show-host' to
complete without using any 'vars' file.

Upgrade warning to error for 'export' or 'unset' used in
the 'vars' file.

Downgrade die to user_error for simple 'vars' file problems.

Signed-off-by: Richard T Bonhomme <[email protected]>

@TinCanTech TinCanTech force-pushed the disable-vars-in-pki-msg branch from 5b215b0 to 6f88df3 Compare September 6, 2023 18:55

Forbid default 'pki/vars', if it exists, from setting EASYRSA_PKI
to any other value except "$PWD/pki", for command 'init-pki'.

When 'init-pki' is called with all default options then
it will load a default 'pki/vars' file, if it exists.
This EXPECTS the PKI to be 'pki' ONLY.

For 'init-pki';
This 'pki/vars' file MUST NOT be allowed to set EASYRSA_PKI.
This MUST include setting EASYRSA_PKI to 'pki'.

Otherwise, this allows default command 'init-pki' to delete
a non-default PKI.

This change also forbids using command line settings for
--vars and --pki-dir, to set the expected vars file or PKI,
when a default 'pki/vars' exists AND changes the expected
PKI, to anything other than "$PWD/pki".

Example of the problem:

  If 'easyrsa' is executed with all default settings then
  the expected value for EASYRSA_PKI is "$PWD/pki" and
  if 'pki/vars' file exists, it IS loaded.

  If 'pki/vars' sets EASYRSA_PKI to a different PKI, 'bad-pki',
  then this would allow 'init-pki' to delete 'bad-pki' not 'pki'.

For the record:
All of these changes have been extensively tested.

Signed-off-by: Richard T Bonhomme <[email protected]>
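The 'init-pki' check described in the commit message above, as an added example that is not Easy-RSA's own code. `vars_sets_pki` and `init_pki_guard` are hypothetical names, and `set_var` is a simplified stand-in for the helper that vars files call.

```shell
#!/bin/sh
# Added example, not Easy-RSA code; all function names are hypothetical.

# Simplified stand-in for the set_var helper used in vars files
# (assumption: it assigns only when the variable is not already set).
set_var() {
    eval "[ -n \"\${$1+x}\" ] || $1=\$2"
}

# Print the EASYRSA_PKI value that a vars file assigns.
# Status: 0 = file assigns it, 1 = file leaves it unset, 2 = cannot source.
vars_sets_pki() {
    [ -f "$1" ] || return 2
    case $1 in */*) file=$1 ;; *) file=./$1 ;; esac  # stop '.' searching PATH
    (
        # Subshell: nothing the vars file does leaks into the caller.
        unset EASYRSA_PKI
        . "$file" >/dev/null 2>&1 || exit 2
        [ -n "${EASYRSA_PKI+x}" ] || exit 1
        printf '%s\n' "$EASYRSA_PKI"
    )
}

# Gate for 'init-pki' run with default options.
# $1 = PKI the caller expects to reset, $2 = default vars path inside it.
init_pki_guard() {
    [ -e "$2" ] || { echo "ok: no vars file in the PKI"; return 0; }
    found=$(vars_sets_pki "$2") && rc=0 || rc=$?
    case $rc in
        0) echo "fatal: $2 sets EASYRSA_PKI='$found'; init-pki expected '$1'"
           return 1 ;;
        1) echo "warning: vars file inside the PKI: $2"
           return 0 ;;
        *) echo "error: cannot source $2"
           return 2 ;;
    esac
}

# Constructed sample: a default PKI whose vars file points at 'bad-pki'.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/pki"
    printf 'set_var EASYRSA_PKI "%s/bad-pki"\n' "$d" > "$d/pki/vars"
    init_pki_guard "$d/pki" "$d/pki/vars"
    status=$?
    rm -rf "$d"
    return "$status"
}
demo || true
```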
@TinCanTech

Unit tests, doing a good job.

When sourcing 'vars' file, allow user set EASYRSA_PKI and EASYRSA
to take priority over default settings.

This will still error out when default 'pki/vars' sets EASYRSA_PKI to
a non-default PKI.

Signed-off-by: Richard T Bonhomme <[email protected]>

@TinCanTech TinCanTech force-pushed the disable-vars-in-pki-msg branch from 924159c to dc15f35 Compare September 12, 2023 17:31

This setup assigns values for '$expected_pki' to before
sourcing the vars file.  This prioritises command line
options above 'vars' file assignments.

Minor improvement to error message given when subshell
testing of sourcing 'vars' fails.

On user_error(), exit_with_error via cleanup().

Minor improvements to error and verbose messages.

Signed-off-by: Richard T Bonhomme <[email protected]>

@TinCanTech

Replaced-by: #1021

@TinCanTech TinCanTech closed this Sep 15, 2023