From: Thierry Parmentelat Date: Thu, 21 Nov 2024 13:18:08 +0000 (+0100) Subject: superficial reformatting of plc.d/ssl X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=090359fa083753b8f9f3f1f3660cf4c8b36ef1e9;p=myplc.git superficial reformatting of plc.d/ssl --- diff --git a/plc.d/ssl b/plc.d/ssl index f09294a..432ea31 100755 --- a/plc.d/ssl +++ b/plc.d/ssl 
@@ -16,62 +16,61 @@ set -x # Print the CNAME of an SSL certificate -ssl_cname () -{ - openssl x509 -noout -in $1 -subject | \ +function ssl_cname() { + local crt=$1; shift + openssl x509 -noout -in $crt -subject | \ sed -e 's|.*CN *= *\([-_a-zA-Z0-9.]*\).*|\1|' | \ lower } -backup_file () -{ - filepath=$1 - filename=$(basename ${filepath}) - dir=$(dirname ${filepath}) +function backup_file() { + local filepath=$1 + local filename=$(basename ${filepath}) + local dir=$(dirname ${filepath}) mv -f ${filepath} ${dir}/$(unknown)-`date +%Y-%m-%d-%H-%M-%S`.bak } # Verify a certificate. If invalid, generate a new self-signed # certificate. -verify_or_generate_certificate() { - crt=$1 - key=$2 - ca=$3 - cname=$(lower $4) +function verify_or_generate_certificate() { + local crt=$1 + local key=$2 + local ca=$3 + local cname=$(lower $4) # If the CA certificate does not exist, assume that the # certificate is self-signed. if [ ! -f $ca ] ; then - cp -a $crt $ca + cp -a $crt $ca fi if [ -f $crt ] ; then - # Check if certificate is valid - # Backup if invalid or if the subject has changed - if openssl verify -CAfile $ca $crt | grep -q "error" || \ - [ "$(ssl_cname $crt)" != "$cname" ] ; then - backup_file $crt - backup_file $ca - backup_file $key - fi + # Check if certificate is valid + # Backup if invalid or if the subject has changed + if openssl verify -CAfile $ca $crt | grep -q "error" || \ + [ "$(ssl_cname $crt)" != "$cname" ] ; then + backup_file $crt + backup_file $ca + backup_file $key + fi fi if [ ! 
-f $crt ] ; then # Set subject - subj= - if [ -n "$cname" ] ; then - subj="$subj/CN=$cname" - fi - - # Generate new self-signed certificate - mkdir -p $(dirname $crt) - openssl req -new -x509 -days 3650 -set_serial $RANDOM \ - -batch -subj "$subj" \ - -nodes -keyout $key -out $crt - check - - # The certificate it self-signed, so it is its own CA - cp -a $crt $ca + local subj= + if [ -n "$cname" ] ; then + subj="$subj/CN=$cname" + fi + + # Generate new self-signed certificate + mkdir -p $(dirname $crt) + openssl req -new -x509 -days 3650 -set_serial $RANDOM \ + -batch -subj "$subj" \ + -nodes -keyout $key -out $crt + check + + # The certificate it self-signed, so it is its own CA + cp -a $crt $ca fi # Fix permissions @@ -85,18 +84,19 @@ case "$1" in # certificate for each enabled server with a different # hostname. These self-signed certificates may be overridden # later. - MESSAGE=$"Generating SSL certificates for" - dialog "$MESSAGE" + local MESSAGE=$"Generating SSL certificates for" + dialog "$MESSAGE" for server in WWW API BOOT MONITOR; do - eval "a=\$PLC_${server}_ENABLED" - echo $a - if [ "$a" -ne 1 ] ; then - echo "Skipping" - continue - fi + enabled=PLC_${server}_ENABLED + if [ "${!enabled}" != "1" ] ; then + echo "Skipping disabled server $server" + continue + fi dialog "$server" - ssl_key=PLC_${server}_SSL_KEY + # not local - we're not in a function + # plus, that breaks the ${!var} thing below + ssl_key=PLC_${server}_SSL_KEY ssl_crt=PLC_${server}_SSL_CRT ca_ssl_crt=PLC_${server}_CA_SSL_CRT hostname=PLC_${server}_HOST 
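Review bot: The validity check in `verify_or_generate_certificate` still decides by grepping the output of `openssl verify` for the word "error" (`if openssl verify -CAfile $ca $crt | grep -q "error" || \`), which depends on the tool's message wording and on which stream it prints to; the exit status is the documented signal, so `if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || \` is the more reliable form. The paths `$crt`, `$key` and `$ca` are expanded unquoted throughout the hunk, including the new `openssl x509 -noout -in $crt -subject` in `ssl_cname`, so an empty or space-containing value silently changes which file is read, and `[ ! -f $ca ]` with an empty `$ca` degrades to a one-argument string test rather than a file test. In `backup_file`, `local filename=$(basename ${filepath})` and `local dir=$(dirname ${filepath})` mask the substitution's exit status (ShellCheck SC2155); declare with `local filename dir` first and assign on the next line. `verify_or_generate_certificate` continues past the end of the hunk.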
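Review bot: `local MESSAGE=$"Generating SSL certificates for"` is placed directly inside the `case "$1" in` arm rather than in a function, and bash rejects `local` there ("can only be used in a function"), leaving `MESSAGE` unset for the following `dialog "$MESSAGE"`; the commit's own comment a few lines further down (`# not local - we're not in a function`) makes exactly this observation for `ssl_key`. Drop the keyword: `MESSAGE=$"Generating SSL certificates for"`. Whether `set -e` is active at this point is not visible in the hunk; if it is, the failing `local` would abort the step outright rather than just lose the message. Replacing the `eval "a=\$PLC_${server}_ENABLED"` indirection with `${!enabled}` is a welcome change, since the server name no longer passes through `eval`.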
@@ -104,26 +104,24 @@ case "$1" in # Check if we have already generated a certificate for # the same hostname. for previous_server in WWW API BOOT MONITOR; do - if [ "$server" = "$previous_server" ] ; then - break - fi - previous_ssl_key=PLC_${previous_server}_SSL_KEY - previous_ssl_crt=PLC_${previous_server}_SSL_CRT - previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT - previous_hostname=PLC_${previous_server}_HOST - - if [ -f ${!previous_ssl_crt} ] && \ - [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then - cp -a ${!previous_ssl_key} ${!ssl_key} - cp -a ${!previous_ssl_crt} ${!ssl_crt} - cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt} - break - fi + if [ "$server" = "$previous_server" ] ; then + break + fi + previous_ssl_key=PLC_${previous_server}_SSL_KEY + previous_ssl_crt=PLC_${previous_server}_SSL_CRT + previous_ca_ssl_crt=PLC_${previous_server}_CA_SSL_CRT + previous_hostname=PLC_${previous_server}_HOST + + if [ -f ${!previous_ssl_crt} ] && \ + [ "$(ssl_cname ${!previous_ssl_crt})" = "${!hostname}" ] ; then + cp -a ${!previous_ssl_key} ${!ssl_key} + cp -a ${!previous_ssl_crt} ${!ssl_crt} + cp -a ${!previous_ca_ssl_crt} ${!ca_ssl_crt} + break + fi done - verify_or_generate_certificate \ - ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} \ - ${!hostname} + verify_or_generate_certificate ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} ${!hostname} done # Install HTTPS certificates into both /etc/pki (Fedora Core @@ -133,11 +131,11 @@ case "$1" in for server in API BOOT MONITOR WWW; do enabled=PLC_${server}_ENABLED if [ "${!enabled}" != "1" ] ; then - continue + continue fi - ssl_key=PLC_${server}_SSL_KEY - ssl_crt=PLC_${server}_SSL_CRT - ssl_ca_crt=PLC_${server}_CA_SSL_CRT + ssl_key=PLC_${server}_SSL_KEY + ssl_crt=PLC_${server}_SSL_CRT + ssl_ca_crt=PLC_${server}_CA_SSL_CRT symlink ${!ssl_crt} /etc/pki/tls/certs/localhost.crt symlink ${!ssl_key} /etc/pki/tls/private/localhost.key
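Review bot: `previous_hostname=PLC_${previous_server}_HOST` is assigned in the re-indented loop body but never read; the comparison below it uses `${!hostname}`, which is the intended check (reuse the previous server's certificate when its CN matches this server's host), so the line can be dropped. The indirect expansions in this hunk are all unquoted, and the collapsed call `verify_or_generate_certificate ${!ssl_crt} ${!ssl_key} ${!ca_ssl_crt} ${!hostname}` is the riskiest spot: an empty value for any of the three path variables shifts the remaining arguments one position left inside the function, so for instance the hostname would be taken as the CA path. Quote them, `verify_or_generate_certificate "${!ssl_crt}" "${!ssl_key}" "${!ca_ssl_crt}" "${!hostname}"`, and likewise `[ -f "${!previous_ssl_crt}" ]`, which with an empty value otherwise degrades to a one-argument string test that succeeds. The same unquoted pattern recurs in the final hunk's `symlink` calls.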