
Improve vars auto load #1025

Merged: 7 commits merged on Sep 21, 2023

Conversation

TinCanTech (Collaborator) commented Sep 19, 2023

This refines the automatic loading of a vars file.

The main changes made are:
* If EASYRSA is set then only allow default vars file. No auto-load
* If EASYRSA_PKI is set then allow also EASYRSA_PKI/vars. Use auto-load.

This is something like "The Three Laws"; vars auto-load is unnecessary
and should be replaced by a single default vars file. However, here is
the latest version:

1. The DEFAULT vars file is in the working directory: ./vars
2. Using --vars=<FILE>, takes priority ALWAYS. NO auto-load!
3. Using --pki-dir=<DIR>, allows "$EASYRSA_PKI/vars". Use auto-load!

Note:
A user set PKI can auto-load a default vars file in the PKI, however,
that can also conflict with a default ./vars file.

4. ERROR, if vars auto-load finds more than one VIABLE vars file.

Viable vars files and conflicts:
1. "$PWD/vars" - Can conflict.
2. "$PWD/pki/vars" - Can conflict.
3. "$EASYRSA/vars" - User defined EASYRSA, no conflict.
4. "$EASYRSA_PKI/vars" - User defined EASYRSA_PKI, can conflict.

This is achieved by making the following changes:

Prioritise user-set EASYRSA to force "$EASYRSA/vars" ONLY.
No auto-load.

Expand assigning EASYRSA_PKI/vars to test for user-set PKI or default PKI.
Use auto-load.

Remove unused code and improve comments.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech (Collaborator, Author) commented Sep 19, 2023

The FINAL stage:

  • If the vars in use is within the PKI then it MUST NOT reassign EASYRSA_PKI, which only affects the hard-coded pki/vars.

If a vars file in the PKI tries to change the expected PKI then fail.

Allow vars file in the working directory to change the PKI.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech linked an issue Sep 19, 2023 that may be closed by this pull request
TinCanTech (Collaborator, Author) commented Sep 19, 2023

auto-load result is as follows:

If EASYRSA_VARS_FILE (--vars=FILE) is set then use it and no auto-load.

Reminder: easyrsa program location is no longer considered a viable place to keep a vars file.

Working directory:

  • $PWD/vars is the default.
  • NOTE: This vars file is allowed to set the PKI.

Working directory Default PKI:

  • $PWD/pki/vars auto-loaded if $PWD/vars does NOT exist.
  • Otherwise conflict.
  • NOTE: If this vars changes the EASYRSA_PKI then it is a fatal error.

If EASYRSA_PKI (--pki-dir=DIR) is set then allow auto-load:

  • Either $EASYRSA_PKI/vars (User set PKI directory)
  • OR $PWD/vars (Working directory)
  • If both exist then conflict.
  • NOTE: This vars cannot change EASYRSA_PKI because it is already set.

This allows --pki-dir=DIR to auto-load a vars file inside the user set PKI.

How to use vars with multiple PKI directories

Use --vars=FILE:
This will always use ONLY the specified file, which is allowed to set the PKI.

Use --pki-dir=DIR
If no default vars file exists then the PKI vars file will be used.
This file cannot change the PKI in use.

Thus, for a multiple PKI installation with multiple vars files:

./pki-home/vars
./pki-work/vars

The SAFEST use is with --pki-dir=DIR, which can then differentiate between the two vars files shown.

To use --vars=FILE the following setup is required:

./vars.pki-home
./vars.pki-work
./pki-home/
./pki-work/

Use --vars=vars.pki-home to set EASYRSA_PKI to pki-home, etc. This is more prone to user error.


Add this to https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md
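The resolution rules in the comment above, as an added stand-alone model written for this page rather than easy-rsa's own code: a POSIX sh script that decides which vars file would be loaded for a given working directory, optional --pki-dir and optional --vars, reports the two-viable-files conflict, and rejects a vars file inside the PKI that tries to move EASYRSA_PKI. It follows the final-stage rules from this comment (the program directory is not a candidate). The function names, the temp-directory layout and the assumption that EASYRSA_PKI is set as a literal path with the `set_var EASYRSA_PKI "..."` vars syntax are this example's own; real vars files may use expansions such as "$PWD/pki", which this toy comparison does not resolve.

```sh
#!/bin/sh
# Added example, not easy-rsa's own code: a model of the vars auto-load rules
# described above. Function names, the temp layout and the literal-path
# assumption for EASYRSA_PKI are assumptions made for this illustration.

# resolve_vars WORKDIR [PKIDIR] [VARSFILE]
# Prints the vars file that would be loaded, "none" if there is none, or
# returns 1 on a conflict. A non-empty PKIDIR means the user set --pki-dir.
resolve_vars() {
    workdir=${1%/}
    pkidir=${2%/}
    varsfile=$3

    # Rule 1: --vars=FILE is explicit; never auto-load anything else.
    if [ -n "$varsfile" ]; then
        if [ ! -f "$varsfile" ]; then
            echo "vars file not found: $varsfile" >&2
            return 1
        fi
        printf '%s\n' "$varsfile"
        return 0
    fi

    # Rule 2: the PKI candidate is the user-set PKI if given, else ./pki.
    if [ -n "$pkidir" ]; then
        pki_vars="$pkidir/vars"
    else
        pki_vars="$workdir/pki/vars"
    fi
    wd_vars="$workdir/vars"

    # Rule 3: two viable files is a conflict, not a silent preference.
    if [ -f "$wd_vars" ] && [ -f "$pki_vars" ]; then
        echo "conflict: both $wd_vars and $pki_vars exist" >&2
        return 1
    fi
    if [ -f "$wd_vars" ]; then
        printf '%s\n' "$wd_vars"
    elif [ -f "$pki_vars" ]; then
        printf '%s\n' "$pki_vars"
    else
        echo none
    fi
}

# check_pki_reassign VARSFILE PKIDIR
# A vars file that lives inside the PKI must not point EASYRSA_PKI elsewhere.
# Only the last `set_var EASYRSA_PKI <value>` line is inspected, quotes are
# stripped and the value is compared literally (assumption: literal paths).
check_pki_reassign() {
    varsfile=$1
    pkidir=${2%/}
    case "$varsfile" in
        "$pkidir"/*) ;;
        *) return 0 ;;   # a vars file outside the PKI may set the PKI
    esac
    want=$(sed -n 's/^[[:space:]]*set_var[[:space:]]\{1,\}EASYRSA_PKI[[:space:]]\{1,\}//p' "$varsfile" \
           | tail -n 1 | sed 's/^["'\'']//; s/["'\'']$//')
    if [ -z "$want" ] || [ "$want" = "$pkidir" ]; then
        return 0
    fi
    echo "fatal: $varsfile tries to change EASYRSA_PKI to $want" >&2
    return 1
}

# make_layout DIR: the multi-PKI layout from the comment, with constructed
# contents. pki-work/vars deliberately points EASYRSA_PKI at pki-home.
make_layout() {
    mkdir -p "$1/pki-home" "$1/pki-work"
    printf 'set_var EASYRSA_PKI "%s"\n' "$1/pki-home" > "$1/vars.pki-home"
    printf 'set_var EASYRSA_PKI "%s"\n' "$1/pki-work" > "$1/vars.pki-work"
    printf 'set_var EASYRSA_KEY_SIZE 4096\n'         > "$1/pki-home/vars"
    printf 'set_var EASYRSA_PKI "%s"\n' "$1/pki-home" > "$1/pki-work/vars"
}

# Walk through the cases when run directly.
demo() {
    d=$(mktemp -d) || return 1
    make_layout "$d"
    echo "no vars anywhere:     $(resolve_vars "$d")"
    echo "--pki-dir=pki-home:   $(resolve_vars "$d" "$d/pki-home")"
    echo "--vars=vars.pki-work: $(resolve_vars "$d" "" "$d/vars.pki-work")"
    check_pki_reassign "$d/pki-work/vars" "$d/pki-work" || echo "(rejected, as intended)"
    : > "$d/vars"
    resolve_vars "$d" "$d/pki-home" || echo "(conflict, as intended)"
    rm -rf "$d"
}
demo
```

The conflict rule is the security-relevant part: a PKI directory is often shared or checked in, so a vars file dropped there must not be able to silently win over the operator's own ./vars, nor redirect EASYRSA_PKI to a different tree; the script fails closed in both cases rather than picking one.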

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech merged commit 49ffffc into OpenVPN:master Sep 21, 2023
3 checks passed
Linked issue (may be closed by this pull request): The default vars file problem