Commit b513462a authored by ssrq's avatar ssrq

Remove parameter validation

While a good idea in principle, most parameters cannot be validated by just
comparing against a static list.
Firstly, the number or names of the valid options might change over time.
Secondly, parameters like --digest have a dynamic list of permissible
values (e.g. dependent on the installed version of OpenSSL).

Doing this properly would take a lot of time, so I argue that it's better to
follow an "it will break on its own" philosophy.
parent 61004fc8
../../__easy_rsa_pki/files/check_parameter_validity.sh
\ No newline at end of file
......@@ -58,12 +58,6 @@ in
;;
esac
# Check validity of the supplied parameters
# shellcheck source=/dev/null
. "${__type:?}/files/check_parameter_validity.sh"
check_parameter_validity_digest
opt_params=
# loop through mapping file
while read -r param option
......
../../__easy_rsa_pki/files/check_parameter_validity.sh
\ No newline at end of file
......@@ -27,14 +27,6 @@ base_dir=$(cat "${__object:?}/parameter/dir")
state_should=$(cat "${__object:?}/parameter/state")
state_is=$(cat "${__object:?}/explorer/state")
# Check validity of the supplied parameters
# shellcheck source=/dev/null
. "${__type:?}/files/check_parameter_validity.sh"
check_parameter_validity_digest
check_parameter_validity_usealgo
# NOTE: The following block is a bit of a "hack" to work around the fact that
# requirements in cdist only work for code, but not for explorers. Due to
# this, it could happen that the state explorer executes before the PKI
......
#!/bin/sh -e
fail_parameter_value() {
printf 'Unsupported parameter for "%s": %s\n' "$1" "$2" >&2
exit 1
}
# matches() {
# # $1 value
# # $2 pattern
# value=$1
# regex_allowed_values=$2
# echo "${value}" | grep -q -E "${regex_allowed_values}"
# }
# check_parameter() {
# # $1 parameter-name supplied to cdist
# # $2 regex accepting parameter values
# parameter_name="$1"
# regex_allowed_values="$2"
# is_supplied=$(test -f "${__object:?}/parameter/${parameter_name}" && echo yes || echo no)
# if [ "${is_supplied}" = "yes" ]; then
# supplied_value=$(cat "${__object:?}/parameter/${parameter_name}")
# if ! matches "${supplied_value}" "${regex_allowed_values}"; then
# fail_parameter_value "${parameter_name}" "${supplied_value}"
# fi
# fi
# }
# check_parameter_validity_digest() {
# check_parameter "digest" "md5|sha1|sha256|sha224|sha384|sha512"
# }
# check_parameter_validity_usealgo(){
# check_parameter "use-algo" "rsa|ec"
# }
# check_parameter_validity_dnmode(){
# check_parameter "dn-mode" "cn_only|org"
# }
check_parameter_validity_digest() {
: "${__type:?}"
case ${__type##*/}
in
(*_pki)
parameter_name='default-digest'
;;
(*)
parameter_name='digest'
;;
esac
if [ -f "${__object:?}/parameter/${parameter_name}" ]
then
supplied_value=$(cat "${__object:?}/parameter/${parameter_name}")
case ${supplied_value}
in
(md5|sha1|sha256|sha224|sha384|sha512)
;; # ok
(*)
fail_parameter_value "${parameter_name}" "${supplied_value}"
;;
esac
fi
}
check_parameter_validity_usealgo() {
parameter_name='use-algo'
if [ -f "${__object:?}/parameter/${parameter_name}" ]
then
supplied_value=$(cat "${__object:?}/parameter/${parameter_name}")
case ${supplied_value}
in
(rsa|ec)
;; # ok
(*)
fail_parameter_value "${parameter_name}" "${supplied_value}"
;;
esac
fi
}
check_parameter_validity_dnmode() {
parameter_name='dn-mode'
if [ -f "${__object:?}/parameter/${parameter_name}" ]
then
supplied_value=$(cat "${__object:?}/parameter/${parameter_name}")
case ${supplied_value}
in
(cn_only|org)
;; # ok
(*)
fail_parameter_value "${parameter_name}" "${supplied_value}"
;;
esac
fi
}
......@@ -60,14 +60,6 @@ fi
################################################################################
# Update vars file
# Check validity of the supplied parameters
# shellcheck source=/dev/null
. "${__type:?}/files/check_parameter_validity.sh"
check_parameter_validity_digest
check_parameter_validity_usealgo
check_parameter_validity_dnmode
# Prepare the information to deremine if the vars file needs to be updated,
# and act accordingly
vars_and_values=$(
......