From 3dc675ba375c48cd2cc4460091a419e8c6f7d8b2 Mon Sep 17 00:00:00 2001
From: hwdsl2 <hwdsl2@users.noreply.github.com>
Date: Sun, 16 Oct 2022 00:45:45 -0500
Subject: [PATCH] Add client validity option

- For IKEv2 mode, add a new variable VPN_CLIENT_VALIDITY for specifying
  the client certificate validity period (in months). Must be an integer
  between 1 and 120. Default value is 120. Users can define it as an
  environment variable when setting up IKEv2 in auto mode, or when
  adding a new IKEv2 client using "--addclient".
---
 extras/ikev2setup.sh | 44 ++++++++++++++++++++++++++++++++++----------
 extras/quickstart.sh |  1 +
 vpnsetup.sh          |  1 +
 vpnsetup_alpine.sh   |  1 +
 vpnsetup_amzn.sh     |  1 +
 vpnsetup_centos.sh   |  1 +
 vpnsetup_ubuntu.sh   |  1 +
 7 files changed, 40 insertions(+), 10 deletions(-)

diff --git a/extras/ikev2setup.sh b/extras/ikev2setup.sh
index b596981..7d7d47c 100755
--- a/extras/ikev2setup.sh
+++ b/extras/ikev2setup.sh
@@ -157,7 +157,7 @@ confirm_or_abort() {
 show_header() {
 cat <<'EOF'
 
-IKEv2 Script   Copyright (c) 2020-2022 Lin Song   24 Sept 2022
+IKEv2 Script   Copyright (c) 2020-2022 Lin Song   16 Oct 2022
 
 EOF
 }
@@ -278,6 +278,11 @@ check_custom_dns() {
   fi
 }
 
+check_client_validity() {
+  ! { printf '%s' "$1" | LC_ALL=C grep -q '[^0-9]\+' || [ "$1" -lt "1" ] \
+  || [ "$1" -gt "120" ] || [ "$1" != "$((10#$1))" ]; }
+}
+
 check_and_set_client_name() {
   if [ -n "$VPN_CLIENT_NAME" ]; then
     client_name="$VPN_CLIENT_NAME"
@@ -289,6 +294,22 @@ check_and_set_client_name() {
   check_cert_exists "$client_name" && exiterr "Client '$client_name' already exists."
 }
 
+check_and_set_client_validity() {
+  if [ -n "$VPN_CLIENT_VALIDITY" ]; then
+    client_validity="$VPN_CLIENT_VALIDITY"
+    if ! check_client_validity "$client_validity"; then
+cat <<EOF
+WARNING: Invalid client cert validity period. Must be an integer between 1 and 120.
+         Falling back to default validity (120 months).
+EOF
+      VPN_CLIENT_VALIDITY=""
+      client_validity=120
+    fi
+  else
+    client_validity=120
+  fi
+}
+
 set_server_address() {
   if [ -n "$VPN_DNS_NAME" ]; then
     use_dns_name=1
@@ -331,14 +352,19 @@ EOF
 show_start_setup() {
   op_text=default
   if [ -n "$VPN_DNS_NAME" ] || [ -n "$VPN_CLIENT_NAME" ] \
-    || [ -n "$VPN_DNS_SRV1" ] || [ -n "$VPN_PROTECT_CONFIG" ]; then
+    || [ -n "$VPN_DNS_SRV1" ] || [ -n "$VPN_PROTECT_CONFIG" ] \
+    || [ -n "$VPN_CLIENT_VALIDITY" ]; then
     op_text=custom
   fi
   bigecho "Starting IKEv2 setup in auto mode, using $op_text options."
 }
 
 show_add_client() {
-  bigecho "Adding a new IKEv2 client '$client_name', using default options."
+  op_text=default
+  if [ -n "$VPN_CLIENT_VALIDITY" ]; then
+    op_text=custom
+  fi
+  bigecho "Adding a new IKEv2 client '$client_name', using $op_text options."
 }
 
 show_export_client() {
@@ -514,13 +540,11 @@ enter_client_name_for() {
 enter_client_validity() {
   echo
   echo "Specify the validity period (in months) for this client certificate."
-  read -rp "Enter a number between 1 and 120: [120] " client_validity
+  read -rp "Enter an integer between 1 and 120: [120] " client_validity
   [ -z "$client_validity" ] && client_validity=120
-  while printf '%s' "$client_validity" | LC_ALL=C grep -q '[^0-9]\+' \
-    || [ "$client_validity" -lt "1" ] || [ "$client_validity" -gt "120" ] \
-    || [ "$client_validity" != "$((10#$client_validity))" ]; do
+  while ! check_client_validity "$client_validity"; do
     echo "Invalid validity period."
-    read -rp "Enter a number between 1 and 120: [120] " client_validity
+    read -rp "Enter an integer between 1 and 120: [120] " client_validity
     [ -z "$client_validity" ] && client_validity=120
   done
 }
@@ -1492,9 +1516,9 @@ ikev2setup() {
   get_export_dir
 
   if [ "$add_client" = 1 ]; then
+    check_and_set_client_validity
     show_header
     show_add_client
-    client_validity=120
     create_client_cert
     export_client_config
     print_client_added
@@ -1639,7 +1663,7 @@ ikev2setup() {
     check_server_dns_name
     check_custom_dns
     check_and_set_client_name
-    client_validity=120
+    check_and_set_client_validity
     show_header
     show_start_setup
     set_server_address
diff --git a/extras/quickstart.sh b/extras/quickstart.sh
index 4254810..3997b62 100755
--- a/extras/quickstart.sh
+++ b/extras/quickstart.sh
@@ -274,6 +274,7 @@ run_setup() {
       VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
       VPN_DNS_NAME="$VPN_DNS_NAME" VPN_CLIENT_NAME="$VPN_CLIENT_NAME" \
       VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
+      VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
       VPN_SKIP_IKEV2="$VPN_SKIP_IKEV2" \
       /bin/bash "$tmpdir/vpn.sh" || status=1
     else
diff --git a/vpnsetup.sh b/vpnsetup.sh
index 4254810..3997b62 100755
--- a/vpnsetup.sh
+++ b/vpnsetup.sh
@@ -274,6 +274,7 @@ run_setup() {
       VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
       VPN_DNS_NAME="$VPN_DNS_NAME" VPN_CLIENT_NAME="$VPN_CLIENT_NAME" \
       VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
+      VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
       VPN_SKIP_IKEV2="$VPN_SKIP_IKEV2" \
       /bin/bash "$tmpdir/vpn.sh" || status=1
     else
diff --git a/vpnsetup_alpine.sh b/vpnsetup_alpine.sh
index 8f54c93..bf538db 100755
--- a/vpnsetup_alpine.sh
+++ b/vpnsetup_alpine.sh
@@ -557,6 +557,7 @@ set_up_ikev2() {
       VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
       VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
       VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
+      VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
       /bin/bash /opt/src/ikev2.sh --auto || status=1
     fi
   elif [ -s /opt/src/ikev2.sh ]; then
diff --git a/vpnsetup_amzn.sh b/vpnsetup_amzn.sh
index b598636..7566f22 100755
--- a/vpnsetup_amzn.sh
+++ b/vpnsetup_amzn.sh
@@ -575,6 +575,7 @@ set_up_ikev2() {
       VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
       VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
       VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
+      VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
       /bin/bash /opt/src/ikev2.sh --auto || status=1
     fi
   elif [ -s /opt/src/ikev2.sh ]; then
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 1915505..d3562f6 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -749,6 +749,7 @@ set_up_ikev2() {
       VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
       VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
       VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
+      VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
       /bin/bash /opt/src/ikev2.sh --auto || status=1
     fi
   elif [ -s /opt/src/ikev2.sh ]; then
diff --git a/vpnsetup_ubuntu.sh b/vpnsetup_ubuntu.sh
index 91a0ae0..5be3bf6 100755
--- a/vpnsetup_ubuntu.sh
+++ b/vpnsetup_ubuntu.sh
@@ -692,6 +692,7 @@ set_up_ikev2() {
       VPN_CLIENT_NAME="$VPN_CLIENT_NAME" VPN_XAUTH_POOL="$VPN_XAUTH_POOL" \
       VPN_DNS_SRV1="$VPN_DNS_SRV1" VPN_DNS_SRV2="$VPN_DNS_SRV2" \
       VPN_PROTECT_CONFIG="$VPN_PROTECT_CONFIG" \
+      VPN_CLIENT_VALIDITY="$VPN_CLIENT_VALIDITY" \
       /bin/bash /opt/src/ikev2.sh --auto || status=1
     fi
   elif [ -s /opt/src/ikev2.sh ]; then