mirror of
https://github.com/pivpn/pivpn.git
synced 2024-12-22 12:50:16 +00:00
b00205c83d
The action if the user does not input anything when revoking a certificate is to not revoke. Let the text reflect that by making N uppercase.
173 lines
5 KiB
Bash
Executable file
173 lines
5 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
# PiVPN: revoke client script
|
|
|
|
setupVars="/etc/pivpn/openvpn/setupVars.conf"
|
|
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
|
|
|
|
if [ ! -f "${setupVars}" ]; then
|
|
echo "::: Missing setup vars file!"
|
|
exit 1
|
|
fi
|
|
|
|
# shellcheck disable=SC1090
|
|
source "${setupVars}"
|
|
|
|
helpFunc() {
|
|
echo "::: Revoke a client ovpn profile"
|
|
echo ":::"
|
|
echo "::: Usage: pivpn <-r|revoke> [-y|--yes] [-h|--help] [<client-1>] ... [<client-n>] ..."
|
|
echo ":::"
|
|
echo "::: Commands:"
|
|
echo "::: [none] Interactive mode"
|
|
echo "::: <client> Client(s) to to revoke"
|
|
echo "::: -y,--yes Remove Client(s) without confirmation"
|
|
echo "::: -h,--help Show this help dialog"
|
|
}
|
|
|
|
# Parse input arguments
|
|
while test $# -gt 0
|
|
do
|
|
_key="$1"
|
|
case "$_key" in
|
|
-h|--help)
|
|
helpFunc
|
|
exit 0
|
|
;;
|
|
-y|--yes)
|
|
CONFIRM=true
|
|
;;
|
|
*)
|
|
CERTS_TO_REVOKE+=("$1")
|
|
;;
|
|
esac
|
|
shift
|
|
done
|
|
|
|
if [ ! -f "${INDEX}" ]; then
|
|
printf "The file: %s was not found\n" "$INDEX"
|
|
exit 1
|
|
fi
|
|
|
|
# Disabling SC2128, just checking if variable is empty or not
|
|
# shellcheck disable=SC2128
|
|
if [[ -z "${CERTS_TO_REVOKE}" ]]; then
|
|
printf "\n"
|
|
printf " ::\e[4m Certificate List \e[0m:: \n"
|
|
|
|
i=0
|
|
while read -r line || [ -n "$line" ]; do
|
|
STATUS=$(echo "$line" | awk '{print $1}')
|
|
if [[ "${STATUS}" = "V" ]]; then
|
|
# Disabling SC2001 warning, suggested method doesn't work with regexp
|
|
# shellcheck disable=SC2001
|
|
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
|
|
if [ "$i" != 0 ]; then
|
|
# Prevent printing "server" certificate
|
|
CERTS[$i]=$(echo -e "${NAME}")
|
|
fi
|
|
((i++))
|
|
fi
|
|
done <${INDEX}
|
|
|
|
i=1
|
|
len=${#CERTS[@]}
|
|
while [ $i -le "${len}" ]; do
|
|
printf "%0${#len}s) %s\r\n" ${i} "${CERTS[(($i))]}"
|
|
((i++))
|
|
done
|
|
printf "\n"
|
|
|
|
echo -n "::: Please enter the Index/Name of the client to be revoked from the list above: "
|
|
read -r NAME
|
|
|
|
if [[ -z "${NAME}" ]]; then
|
|
echo "You can not leave this blank!"
|
|
exit 1
|
|
fi
|
|
|
|
re='^[0-9]+$'
|
|
if [[ ${NAME} =~ $re ]] ; then
|
|
NAME=${CERTS[$((NAME))]}
|
|
fi
|
|
|
|
for((x=1;x<=i;++x)); do
|
|
if [ "${CERTS[$x]}" = "${NAME}" ]; then
|
|
VALID=1
|
|
fi
|
|
done
|
|
|
|
if [ -z "${VALID}" ]; then
|
|
printf "You didn't enter a valid cert name!\n"
|
|
exit 1
|
|
fi
|
|
|
|
CERTS_TO_REVOKE=( "${NAME}" )
|
|
else
|
|
i=0
|
|
while read -r line || [ -n "$line" ]; do
|
|
STATUS=$(echo "$line" | awk '{print $1}')
|
|
if [[ "${STATUS}" = "V" ]]; then
|
|
NAME=$(echo -e "$line" | sed -e 's:.*/CN=::')
|
|
CERTS[$i]=${NAME}
|
|
((i++))
|
|
fi
|
|
done <${INDEX}
|
|
|
|
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
|
|
VALID=0
|
|
for((x=1;x<=i;++x)); do
|
|
if [ "${CERTS[$x]}" = "${CERTS_TO_REVOKE[ii]}" ]; then
|
|
VALID=1
|
|
fi
|
|
done
|
|
|
|
if [ "${VALID}" != 1 ]; then
|
|
printf "You passed an invalid cert name: '%s'! \n" "${CERTS_TO_REVOKE[ii]}"
|
|
exit 1
|
|
fi
|
|
done
|
|
fi
|
|
|
|
cd /etc/openvpn/easy-rsa || exit
|
|
|
|
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
|
|
if [ -n "$CONFIRM" ]; then
|
|
REPLY="y"
|
|
else
|
|
read -r -p "Do you really want to revoke '${CERTS_TO_REVOKE[ii]}'? [y/N] "
|
|
fi
|
|
if [[ $REPLY =~ ^[Yy]$ ]]; then
|
|
printf "\n::: Revoking certificate '%s'. \n" "${CERTS_TO_REVOKE[ii]}"
|
|
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
|
|
./easyrsa gen-crl
|
|
printf "\n::: Certificate revoked, and CRL file updated.\n"
|
|
printf "::: Removing certs and client configuration for this profile.\n"
|
|
rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req"
|
|
rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key"
|
|
rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
|
|
|
|
# Disabling SC2154 $pivpnNET sourced externally
|
|
# shellcheck disable=SC2154
|
|
# Grab the client IP address
|
|
NET_REDUCED="${pivpnNET::-2}"
|
|
STATIC_IP=$(grep -v "^#" /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}" | grep -w ifconfig-push | grep -oE "${NET_REDUCED}\.[0-9]{1,3}")
|
|
rm -rf /etc/openvpn/ccd/"${CERTS_TO_REVOKE[ii]}"
|
|
|
|
# disablung warning SC2154, $install_home sourced externally
|
|
# shellcheck disable=SC2154
|
|
rm -rf "${install_home}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
|
|
rm -rf "/etc/openvpn/easy-rsa/pki/${CERTS_TO_REVOKE[ii]}.ovpn"
|
|
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
|
|
|
|
# If using Pi-hole, remove the client from the hosts file
|
|
if [ -f /etc/pivpn/hosts.openvpn ]; then
|
|
sed "\#${STATIC_IP} ${CERTS_TO_REVOKE[ii]}.pivpn#d" -i /etc/pivpn/hosts.openvpn
|
|
if killall -SIGHUP pihole-FTL; then
|
|
echo "::: Updated hosts file for Pi-hole"
|
|
else
|
|
echo "::: Failed to reload pihole-FTL configuration"
|
|
fi
|
|
fi
|
|
fi
|
|
done
|
|
printf "::: Completed!\n"
|