Signed-off-by: Richard T Bonhomme <[email protected]>

Signed-off-by: Richard T Bonhomme <[email protected]>

intall_data_to_pki init-pki: Never create a vars file.
Creating a vars file in the PKI is not recommended due to the possibility
of defining use of a different PKI via EASYRSA_PKI variable.

vars_setup: Never allow multiple vars files to exist for any commands.
If there are multiple vars file found then EasyRSA has no way to prioritise
one over another.

Remove unused variable: expected_pki_vars

Standardise some verbose messages.

Correct some comments related to 'vars in PKI', no longer suitable.

Signed-off-by: Richard T Bonhomme <[email protected]>

Having a pki/vars.example file exist, leads to the incorrect conclusion
that a pki/vars file is suitable. Therefore, never create an example file.

Signed-off-by: Richard T Bonhomme <[email protected]>

Signed-off-by: Richard T Bonhomme <[email protected]>

Signed-off-by: Richard T Bonhomme <[email protected]>

Signed-off-by: Richard T Bonhomme <[email protected]>

Finding multiple vars files will result in a WARNING instead of a
FATAL error, then a vars file is selected.

If --vars=<FILE> is used or EASYRSA_VARS_FILE is defined then only
the vars file defined is used, all other vars files are ignored
without warning.

If multiple vars files are found then select in the following order:
* EASYRSA/vars - User has preset EASYRSA, highest priority.
* PWD/vars - The expected default.
* Program directory - This is essentially the same as PWD/vars
  However, it is explicitly listed due to code history.
* pki/vars - This is least wanted. See note below.

Note:
The pki/vars was an attempt to change the default expected location
of the vars file. After extensive testing, this change has proven to
be fraught with misuse. Specifically, setting EASYRSA_PKI from with
in a different PKI, an obvious conflict of inerests.

If a single vars file is found then select it with the same priority
as multiple vars files.

Signed-off-by: Richard T Bonhomme <[email protected]>

There is no built-in way to set EASYRSA as a variable, it must be set
externally by the user.

Therefore, when EASYRSA is set allow ONLY "$EASYRSA/vars".
Allow "$EASYRSA/vars" to NOT exist.

Command option --vars=<FILE> has priority.

Signed-off-by: Richard T Bonhomme <[email protected]>

Signed-off-by: Richard T Bonhomme <[email protected]>

setup_vars: Determine which vars file to use.

source_vars: Validate and source accepted vars file.

Signed-off-by: Richard T Bonhomme <[email protected]>

Use the same logic as "prefer vars in pki" but change the message
to "warn against vars in the pki".

Signed-off-by: Richard T Bonhomme <[email protected]>

If the default 'pki/vars' exists and sets EASYRSA_PKI to a different PKI,
anything other than "$PWD/pki", then issue a warning with an explicit user
confirmation to proceed with this invalid configuration.

This is a left-over by-product of trying to move the vars file to the PKI.

Problem: 'pki/vars' sets EASYRSA_PKI to a different PKI.

Conclusion: Easy-RSA v3.1.7 does NOT support a vars file in the PKI.

Signed-off-by: Richard T Bonhomme <[email protected]>

Signed-off-by: Richard T Bonhomme <[email protected]>

Previously, this was a warning and confirmation to continue.
Changed to, NEVER allow this invalid configuration.

Signed-off-by: Richard T Bonhomme <[email protected]>

Remove second warning on hard-reset which promotes soft-reset,
soft-reset will be removed.

Remove information concerning 'vars' file. 'init-pki' does not
create a 'vars' file in the PKI, therefore, the information is
no longer relevant.

Signed-off-by: Richard T Bonhomme <[email protected]>

Signed-off-by: Richard T Bonhomme <[email protected]>

Error-1: For multiple vars files when 'pki/vars' is true.
Not thrown for multiple vars if 'pki/vars' is not true.
When multiple vars are found one is selected based on priority.
Priority is: "$PWD/vars" (default); Program folder; 'pki/vars'
Not thrown if user specifies 'vars' by either specifying
* EASYRSA, can only be set externally.
* --vars=<FILE>, user set vars is respected.

Error-2: When the default 'pki/vars' sets EASYRSA_PKI, causing
the PKI to be changed during setup proceedure.
This is a rare error but must be caught, otherwise it is very
easy to use 'init-pki' to remove the wrong PKI.

Warning: When 'pki/vars' is true.
After completing any command, this warning will be issued,
if the sourced 'vars' file is in the default 'pki' AND
if the user did not specifically select a vars file.

Allow commands 'version', 'upgrade' and 'show-host' to
complete without using any 'vars' file.

Upgrade warning to error for 'export' or 'unset' used in
the 'vars' file.

Downgrade die to user_error for simple 'vars' file problems.

Signed-off-by: Richard T Bonhomme <[email protected]>

Forbid default 'pki/vars', if it exists, from setting EASYRSA_PKI
to any other value except "$PWD/pki", for command 'init-pki'.

When 'init-pki' is called with all default options then
it will load a dafault 'pki/vars' file, if it exists.
This EXPECTS the PKI to be 'pki' ONLY.

For 'init-pki';
This 'pki/vars' file MUST NOT be allowed to set EASYRSA_PKI.
This MUST include setting EASYRSA_PKI to 'pki'.

Otherwise, this allows default command 'init-pki' to delete
a non-default PKI.

This change also forbids using command line settings for
--vars and --pki-dir, to set the expected vars file or PKI,
when a default 'pki/vars' exists AND changes the expected
PKI, to anything other than "$PWD/pki".

Example of the problem:

  If 'easyrsa' is executed with all default settings then
  the expected value for EASYRSA_PKI is "$PWD/pki" and
  if 'pki/vars' file exists, it IS loaded.

  If 'pki/vars' sets EASYRSA_PKI to a different PKI, 'bad-pki',
  then this would allow 'init-pki' to delete 'bad-pki' not 'pki'.

For the record:
All of these changes have been extensively tested.

Signed-off-by: Richard T Bonhomme <[email protected]>

When souring 'vars' file, allow user set EASYRSA_PKI and EASYRSA
to take priority over default settings.

This will still error out when default 'pki/vars' sets EASYRSA_PKI to
a non-default PKI.

Signed-off-by: Richard T Bonhomme <[email protected]>

This setup assigns values for '$expected_pki' to before
sourcing the vars file.  This prioritises command line
options above 'vars' file assignments.

Minor improvement to error message given when subshell
testing of sourcing 'vars' fails.

On user_error(), exit_with_error via cleanup().

Minor improvements to error and verbose messages.

Signed-off-by: Richard T Bonhomme <[email protected]>