Introduce install_data_to_pki() - Copy data-files to PKI #510
The purpose here is to force EasyRSA to find the required data-files:
* 'openssl-easyrsa.cnf' MUST be found.
* 'x509-types' MUST be found.
* 'vars.example' should be found.
* 'vars'

The 'vars' file is more complicated due to user expectations. This patch does not copy 'vars', the code is included but DISABLED.

The reasons are:
* Allow running 'easyrsa' from PATH.
* Make standard packaging work correctly.

Bug fixes:
* #499 and associated issues with missing files.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
NOTE: Fix multiple typos and structure in commit message!
This is the final version of #508.
Please, tear it to pieces with me
My version: https://github.com/TinCanTech/easy-rsa/blob/master/easyrsa3/easyrsa
Very nice.
I reviewed all the changes, and agree mostly.
There are some things I would suggest though.
"$area_prog" \ | ||
"$area_etc" \ | ||
"$area_ubuntu" \ | ||
# EOL - # Add more distros here |
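Review bot: a new entry has to go above the "# EOL" line, not at the spot the "Add more distros here" comment points to. The trailing \ after "$area_ubuntu" continues onto the comment line, and the comment ends the word list, so anything placed below it breaks the loop syntax before "do". Consider rewording the comment to say that new entries go above this line, each with its own trailing \.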
Is there any advantage to the area_* style variables?
Writing the Paths directly in the for loop seems alright.
And adding another directory, for example /usr/local/share, would just be more convenient in the future.
Excellent observation, thanks!
However, there does not seem to be a better way to present maintainable code. This code is clear, alternatives are less clear.
I think adding a string in a for loop is more clear, than declaring your own unique area_* variable with said string and also add that area_* variable into the for loop.
In any case the loop is altered.
That's two changes to support another directory as opposed to one:
for area in \
"$PWD" \
"${0%/*}" \
'/etc/easy-rsa' \
'/usr/share/easy-rsa' \
# EOL - # Add more distros here
do
Now that I've written it, I kind of see what you mean.
I am still convinced that this solution is preferable.
It's a style choice, I prefer my way because it has good comments.
Maybe swing back to this another day?
I have decided; Your way is better, thanks !
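The single search list discussed in this thread, as an added example that is not EasyRSA's code: the hypothetical functions `locate_data` and `copy_data_to_pki` walk the directories in priority order, fail when 'openssl-easyrsa.cnf' or 'x509-types' is missing, only warn for 'vars.example', and leave 'vars' alone. Logging the source directory and refusing to overwrite files already in the PKI are assumptions of this example.

```sh
#!/bin/sh
# Added example, not EasyRSA code. Function names are hypothetical.

# Print the first directory in the search list that holds "$1".
# Arguments: file name, then candidate directories in priority order.
locate_data() {
    want=$1; shift
    for area in "$@"; do
        [ -n "$area" ] || continue          # skip empty list entries
        if [ -e "$area/$want" ]; then
            printf '%s\n' "$area"
            return 0
        fi
    done
    return 1
}

# Copy the data-files into the PKI directory "$1" from the search list.
# 'openssl-easyrsa.cnf' and 'x509-types' MUST be found; 'vars.example'
# should be found (warning only). 'vars' is deliberately not copied.
copy_data_to_pki() {
    pki=$1; shift
    [ -d "$pki" ] || { echo "no such PKI: $pki" >&2; return 1; }
    for name in openssl-easyrsa.cnf x509-types; do
        src=$(locate_data "$name" "$@") || {
            echo "required data-file missing: $name" >&2
            return 1
        }
        # Assumption: a copy already in the PKI is never overwritten.
        [ -e "$pki/$name" ] || cp -R "$src/$name" "$pki/" || return 1
        # Record which directory won, so the operator can verify it.
        echo "using $name from $src" >&2
    done
    if src=$(locate_data vars.example "$@"); then
        [ -e "$pki/vars.example" ] ||
            cp "$src/vars.example" "$pki/" || return 1
    else
        echo "warning: vars.example not found" >&2
    fi
    return 0
}
```

Called as `copy_data_to_pki ./pki "$PWD" "${0%/*}" /etc/easy-rsa /usr/share/easy-rsa`, the order of the arguments is the priority order, and the "using ... from ..." lines on stderr show which directory each file came from.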
# Currently, *if* 'vars' is copied to the PKI then the PKI 'vars' will take | ||
# priority over './vars'. But it will not be updated if './vars' is changed. | ||
# | ||
# Copying 'vars' to the PKI is complicated, code is included but DISABLED. |
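Review bot: the comment block on 'vars' documents a silent-staleness case but not how the script surfaces it: once a copy exists in the PKI it takes priority over './vars', and later edits to './vars' have no effect. If the disabled copy code is ever enabled, pair it with a warning when both files exist, and say in this comment how the code is disabled so it is not switched back on by accident.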
After some consideration, I would not touch vars at all for some reasons:
- Providing the user with vars.example when they just have to rename it to vars for it to work is fine
- Users who already rely on the functionality of a shared ./vars file will find it annoying that after init-pki they have to remove $EASYRSA_PKI/vars because of priorities
- Fewer files in $EASYRSA_PKI
- We wouldn't have to implement it
I do agree ..
However, moving all PKI related files into said PKI is where EasyRSA is trying to get. It is just vars is going to be tricky.
Isn't vars optional?
If it's not found the default values are loaded from within easyrsa, or am I wrong?
I would be in favour of removing ./vars altogether and moving vars into the PKI at init-pki, so there is never any external-to-PKI vars, at all.
> Isn't vars optional? If it's not found the default values are loaded from within easyrsa, or am I wrong?

You are absolutely correct.
EasyRSA wants to change this default, to enable PATH and fix some bugs.
The problem is, old PKIs will have either nothing or fixed ./vars.
The real problem is: Once pki/vars exists it will take priority and that is a breaking change.
easyrsa would have to remove ./vars and present a severe warning to the user.
This patch-set gets things in place so that a more invasive change is less objectionable, in time.
There may be a way to infiltrate all new PKIs so that ./vars can be copied to the PKI but only if it does not grep for a specific string.
@Prouflon you are to blame ;-)
I absolutely support the notion of a warning, that appears if a ./vars file is detected, that tells the user that this file is not read and that this default behaviour has changed.
We can expect users to move old vars files into the /pki on their own when the time comes, right?
@Prouflon I would like to credit you for your effort on this but I'm not sure that you would agree .. Let me know your thoughts, thanks.
Credit me as much as you
@Prouflon I give my thanks to you here All feedback is invaluable.
@Prouflon shall we throw this to the wolves ? LGTM.
This sounds crazy:
pfffft .. as if ..
I think this patch needs one more change:
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
+1
As in merge? Sorry, not sure what you mean exactly ...
LGTM -> Looks good to me.
Thanks to excellent community feedback, this patch forces a single, reliable list of sources for EasyRSA data-files. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This is a deliberate misuse of shellcheck: Reminder to fix PKI/vars. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
I have looked for typos and the like and come up empty.
@Prouflon When the trifle hits the fan, I am going to blame all of this on you! Genuinely: Thank you very much. Your participation has been invaluable. 🍰 🍺