util  Check-in [514964602b]

Overview
Comment: more updates
SHA3-256: 514964602ba7915d3adfdfcf110636397031594887a35d6b0a6956958b7cccc1
User & Date: lexi on 2019-05-04 03:20:18
Changes

Modified vpn/vpn from [0b831e354e] to [4d7cc51848].

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

19
20
21
22
23
24
25
..
34
35
36
37
38
39
40





















41
42
43
44
45
46
47
..
72
73
74
75
76
77
78
79

80
81
82
83
84
85
86
..
87
88
89
90
91
92
93
94

95
96
97
98
99
100
101
...
142
143
144
145
146
147
148











149
150
151
152
153
154
155
...
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210

211
212
213



214
215
216

#!/usr/bin/env bash
# [ʞ] vpn
#  ~ lexi hale <lexi@hale.su>
#  ® affero general public license
#  $ vpn (join | part | info | clean | key) <name>
#  : vim:ft=bash

# vpn is a simple wrapper around openvpn to make it suitable
# for everyday  use. it  takes two  arguments: the  vpn, and
# what to do with it.
#   - vpn join <vpn>: opens a connection to vpn <name>
#   - vpn part <vpn>: closes an active connection to <name>
#   - vpn info <vpn>: reports the status of of a vpn
#   - vpn key <host>: automatically  provisions  the  client
#                     with RSA keys from  <host> and creates
#                     a  configuration file if one does  not
#                     already exist
#   - vpn part <vpn>: closes an active connection to <vpn>

#         - vpn help: display this text
#
# a number  of environment variables affect  the behavior of
# vpn. these  are listed in  the source with  their defaults
# and an  explantion of their  function. if you do  not wish
# users  to be  able  to  change the  behavior  of vpn  with
# setenv, you must  change the param invokation  to a simple
................................................................................
# pivot to the  account that invoked the script  after it is
# done with tasks that require privileged access.
#
# (it should  go without  saying, but ensure  you understand
# the  security implications  before  editing  sudoers on  a
# multiuser machine or  one that is directly  exposed to the
# internet.)






















_text_=$LINENO

param(){ eval $1=\${$1:-$2}; }

param vpn_basedir    ~/opt/vpn
	# the directory in which vpn's logfiles are stored, 
................................................................................

param USER			 $(whoami)
	# the user who should own all files and processes
	# created and destroyed by vpn

param vpn_pidbox     $TMPDIR/pid.$USER
	# a directory for storing pids in. this should be chmod
	# 700 and owned by the user invoking vpn, ideally


param vpn_bin        openvpn
	# the binary to use. if openvpn is not in your path,
	# enter its absolute path here

param vpn_script     $0
	# a path to the executable
................................................................................

param vpn_scrname    $(basename $vpn_script)
	# the name of the executable

# thus ends the admin-configurable portion of this script.
# abandon all hope, ye who enter here

err(){ echo -e "\e[1;31merror:\e[m" $* ; exit 1; }

assert(){ msg=$1; shift; test ! $@ && err $msg; }

test "$1" == help || assert "incorrect number of arguments" $# -eq 2

act=$1; target=$2
vpnd=$vpn_confdir/$target
conf=$vpnd/conf
................................................................................
		goodpid && err "\e[1m$target\e[m is already up!"

		# make sure a private pid directory exists
		test ! -e $vpn_pidbox &&
			mkdir -p $vpn_pidbox
		chmod 700 $vpn_pidbox












		# check and see if we're using automatic
		# host certificates; tell openvpn if so
		test -e $vpnd/ca.crt && {
			hostcert=$vpnd/$vpn_cn
			cmd=(
				--askpass
				--ca   $vpnd/ca.crt
................................................................................

	# kill an existing connection
	( part | down | disc* | stop | p | d )
		test -e $pidfile && {
			goodpid && {
				kill $(cat $pidfile) && rm -f $pidfile
			} || {
				echo -e "\e[1;33mwarn:\e[m pidfile exists but does not name an openvpn process"
				echo " → removing pidfile for safety"
				rm -f $pidfile
			}

		} || {
			echo -ne "\e[1mvpn $target\e[m is not up"
		} ;;

	# clean up dirty pidfiles
	( clean | wipe | clear | fix | tidy ) clean=1 ;&
	# return profile status
	( info | stat* | detail* | i )
		echo -ne "\e[1mvpn $target:\e[m "
		test ! -e $pidfile && {
			echo -ne "\e[31mno\e[m current connection"
			pids=($(pidof openvpn))
			let pidc=${#pids}
			((pidc > 0)) && {
				echo ", but $pidc vpn instances are running"
				exit 2
			} || { echo; exit 0; }
		} || {
			echo -n "pidfile exists"
			proc=$(ps ho fname $(cat $pidfile))
			(($? != 0)) && {
				echo ", but there are no processes with that pid"
				stale; exit 1
			} || test "$proc" == "openvpn" && {
				echo -e " and openvpn is \e[32mrunning\e[m"
				exit 0
			} || {
				echo -e " but named process is \e[31mnot a vpn instance!\e[m"
				stale; exit 1
			}
		} ;;

	( help ) head -n $(expr $_text_ - 2) $vpn_script |
		tail -n $(expr $_text_ - 2); exit 255;;




	( * ) err "action must be one of: join | part | info | clean" ;;
esac






|













>







 







>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>







 







|
>







 







|
>







 







>
>
>
>
>
>
>
>
>
>
>







 







|
|




|






|

|



|



|


|


|
<

|



>



>
>
>
|


>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
..
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
..
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
...
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
...
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
...
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239

240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
#!/usr/bin/env bash
# [ʞ] vpn
#  ~ lexi hale <lexi@hale.su>
#  ® affero general public license
#  $ vpn (join | part | info | clean | key | pid) <name>
#  : vim:ft=bash

# vpn is a simple wrapper around openvpn to make it suitable
# for everyday  use. it  takes two  arguments: the  vpn, and
# what to do with it.
#   - vpn join <vpn>: opens a connection to vpn <name>
#   - vpn part <vpn>: closes an active connection to <name>
#   - vpn info <vpn>: reports the status of of a vpn
#   - vpn key <host>: automatically  provisions  the  client
#                     with RSA keys from  <host> and creates
#                     a  configuration file if one does  not
#                     already exist
#   - vpn part <vpn>: closes an active connection to <vpn>
#    - vpn pid <vpn>: print the pid of an active connection
#         - vpn help: display this text
#
# a number  of environment variables affect  the behavior of
# vpn. these  are listed in  the source with  their defaults
# and an  explantion of their  function. if you do  not wish
# users  to be  able  to  change the  behavior  of vpn  with
# setenv, you must  change the param invokation  to a simple
................................................................................
# pivot to the  account that invoked the script  after it is
# done with tasks that require privileged access.
#
# (it should  go without  saying, but ensure  you understand
# the  security implications  before  editing  sudoers on  a
# multiuser machine or  one that is directly  exposed to the
# internet.)
#
# this   script   is   designed  to   automatically   handle
# certificate-based authentication. if there is a file named
# "ca.crt" in  the config  folder for  a script,  the script
# will  look for  files named  $vpn_cn.crt and  $vpn_cn.key,
# which are automatically passed  to openvpn (you don't need
# to name them in the  config file; this feature is designed
# to  enable the  syncing  of config  files across  multiple
# devices each with  their own certificate for  the host. it
# can also automatically  download the necessary certificate
# files  from the  server using  ssh (scp);  to enable  this
# feature, $vpn_srv_keydir  must be  set to the  location of
# the "pki" directory  on the server. users  may then invoke
# `vpn key  $server-url` to  create a  default configuration
# and  provision  the  device. $vpn_cn  should  probably  be
# set  to your  hostname  (the default)  or a  device-unique
# identifier issued by your organization.

# TODO set up `key` mode so that it is able to accept
#      paths from the command line as well as  in the
#      $vpn_srv_keydir environment variable.

_text_=$LINENO

param(){ eval $1=\${$1:-$2}; }

param vpn_basedir    ~/opt/vpn
	# the directory in which vpn's logfiles are stored, 
................................................................................

param USER			 $(whoami)
	# the user who should own all files and processes
	# created and destroyed by vpn

param vpn_pidbox     $TMPDIR/pid.$USER
	# a directory for storing pids in. this should be chmod
	# 700 and owned by the user invoking vpn, ideally on a
	# tmpfs

param vpn_bin        openvpn
	# the binary to use. if openvpn is not in your path,
	# enter its absolute path here

param vpn_script     $0
	# a path to the executable
................................................................................

param vpn_scrname    $(basename $vpn_script)
	# the name of the executable

# thus ends the admin-configurable portion of this script.
# abandon all hope, ye who enter here

err(){ echo -e "\e[1;31merror:\e[m" $* >&2; exit 1; }
warn(){ echo -e "\e[1;33mwarn:\e[m " $* >&2; }
assert(){ msg=$1; shift; test ! $@ && err $msg; }

test "$1" == help || assert "incorrect number of arguments" $# -eq 2

act=$1; target=$2
vpnd=$vpn_confdir/$target
conf=$vpnd/conf
................................................................................
		goodpid && err "\e[1m$target\e[m is already up!"

		# make sure a private pid directory exists
		test ! -e $vpn_pidbox &&
			mkdir -p $vpn_pidbox
		chmod 700 $vpn_pidbox

		# make sure a private base directory exists
		test ! -e $vpn_basedir && {
			mkdir -p $vpn_basedir && {
				chmod 700 $USER $vpn_pidbox
			} || {
				err '$vpn_basedir is not set or points to a nonexistent directory you cannot create.'
			}
		}

		test -e $vpn_global || err "global configuration file $vpn_global does not exist or is not in $vpn_basedir"

		# check and see if we're using automatic
		# host certificates; tell openvpn if so
		test -e $vpnd/ca.crt && {
			hostcert=$vpnd/$vpn_cn
			cmd=(
				--askpass
				--ca   $vpnd/ca.crt
................................................................................

	# kill an existing connection
	( part | down | disc* | stop | p | d )
		test -e $pidfile && {
			goodpid && {
				kill $(cat $pidfile) && rm -f $pidfile
			} || {
				warn 'pidfile exists but does not name an openvpn process'
				echo ' → removing pidfile for safety' >&2
				rm -f $pidfile
			}

		} || {
			echo -ne "\e[1mvpn $target\e[m is not up" >&2
		} ;;

	# clean up dirty pidfiles
	( clean | wipe | clear | fix | tidy ) clean=1 ;&
	# return profile status
	( info | stat* | detail* | i )
		echo -ne "\e[1mvpn $target:\e[m " >&2
		test ! -e $pidfile && {
			echo -ne "\e[31mno\e[m current connection" >&2
			pids=($(pidof openvpn))
			let pidc=${#pids}
			((pidc > 0)) && {
				echo ", but $pidc vpn instances are running" >&2
				exit 2
			} || { echo; exit 0; }
		} || {
			echo -n "pidfile exists" >&2
			proc=$(ps ho fname $(cat $pidfile))
			(($? != 0)) && {
				echo ", but there are no processes with that pid" >&2
				stale; exit 1
			} || test "$proc" == "openvpn" && {
				echo -e " and openvpn is \e[32mrunning\e[m" >&2

			} || {
				echo -e " but named process is \e[31mnot a vpn instance!\e[m" >&2
				stale; exit 1
			}
		} ;;

	( help ) head -n $(expr $_text_ - 2) $vpn_script |
		tail -n $(expr $_text_ - 2); exit 255;;

	( pid ) test -e $pidfile && cat $pidfile ||
		err "no pidfile exists for \e[1m$target\e[m; are you sure you're connected" ;;

	( * ) err "action must be one of: join | part | info | clean | key | pid | help" ;;
esac

exit 0
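Review bot: In the new `vpn_basedir` setup block, `chmod 700 $USER $vpn_pidbox` never touches the base directory it was just created to protect: `$USER` is taken as a pathname and the mode is applied to `$vpn_pidbox`, which was already set to 700 a few lines earlier. Unless a file named after the user happens to exist in the working directory, chmod exits non-zero for that operand, so the `||` branch fires and the first `join` aborts with the misleading '$vpn_basedir is not set' error even though `mkdir -p` succeeded; replace it with `chmod 700 "$vpn_basedir"` (preceded by `chown "$USER" "$vpn_basedir"` if ownership by the configured user is the intent, as the `USER` param comment suggests). Two smaller points in the same section: the bare `echo` in `} || { echo; exit 0; }` under `info` still writes to stdout while every surrounding status line now goes to stderr, and the new `pid` arm cats the pidfile without the `goodpid` check that `join`/`part` rely on, so a stale file is printed as if it named a live connection. The `join` arm and its enclosing `case` begin before the shown lines.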