SYSTEMD: Don't mix up responders' socket and monitor activation

Let's ensure that in case a responder is explicitly configured in the
sssd.conf its socket won't even start.

The patchset introduces a new binary that will be distributed and will
be called before starting the responders' sockets, ensuring the sockets
will only start in case the responder is supposed to be socket-activated
and its been configured accordingly. Otherwise the responders' socket
startup will fail with a quite helpful debug message leading the admins
to choose between using systemd or not and what has to be done to achieve
their desire.

This suggestion came from Sumit Bose.

The reason for adding a new binary instead of a simple python script is
to avoid dragging unnecessary dependencies to sssd-common package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3300

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

10 files changed, 226 insertions, 0 deletions

diff --git a/Makefile.am b/Makefile.am
index 182a84e3a..34da1f002 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -190,6 +190,9 @@ endif
 if BUILD_PAC_RESPONDER
     sssdlibexec_PROGRAMS += sssd_pac
 endif
+if HAVE_SYSTEMD_UNIT
+sssdlibexec_PROGRAMS += sssd_check_socket_activated_responders
+endif
 
 if HAVE_CHECK
     non_interactive_check_based_tests = \
@@ -1688,6 +1691,22 @@ sss_ssh_knownhostsproxy_LDADD = \
     $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS)
 endif
 
+if HAVE_SYSTEMD_UNIT
+sssd_check_socket_activated_responders_SOURCES = \
+    src/tools/sssd_check_socket_activated_responders.c \
+    $(NULL)
+sssd_check_socket_activated_responders_CFLAGS = \
+    $(AM_CFLAGS) \
+    $(NULL)
+sssd_check_socket_activated_responders_LDADD = \
+    $(SSSD_INTERNAL_LTLIBS) \
+    $(LTLIBINTL) \
+    $(TALLOC_LIBS) \
+    $(POPT_LIBS) \
+    $(INI_CONFIG_LIBS) \
+    $(NULL)
+endif
+
 #################
 # Feature Tests #
 #################
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 9b970f1bf..5bd2beb89 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -828,6 +828,9 @@ done
 %{_libexecdir}/%{servicename}/sssd_ssh
 %{_libexecdir}/%{servicename}/sssd_sudo
 %{_libexecdir}/%{servicename}/p11_child
+%if (0%{?use_systemd} == 1)
+%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders
+%endif
 
 %dir %{_libdir}/%{name}
 %{_libdir}/%{name}/libsss_simple.so
diff --git a/src/sysv/systemd/sssd-autofs.socket.in b/src/sysv/systemd/sssd-autofs.socket.in
index 48b651f9d..201b33d90 100644
--- a/src/sysv/systemd/sssd-autofs.socket.in
+++ b/src/sysv/systemd/sssd-autofs.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r autofs
 ListenStream=@pipepath@/autofs
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-nss.socket.in b/src/sysv/systemd/sssd-nss.socket.in
index d0af6b03f..39d30e8c0 100644
--- a/src/sysv/systemd/sssd-nss.socket.in
+++ b/src/sysv/systemd/sssd-nss.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r nss
 ListenStream=@pipepath@/nss
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-pac.socket.in b/src/sysv/systemd/sssd-pac.socket.in
index fc778243e..40dec4491 100644
--- a/src/sysv/systemd/sssd-pac.socket.in
+++ b/src/sysv/systemd/sssd-pac.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pac
 ListenStream=@pipepath@/pac
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-pam-priv.socket.in b/src/sysv/systemd/sssd-pam-priv.socket.in
index 490fd0dd1..27f2cf73a 100644
--- a/src/sysv/systemd/sssd-pam-priv.socket.in
+++ b/src/sysv/systemd/sssd-pam-priv.socket.in
@@ -8,6 +8,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
 Service=sssd-pam.service
 ListenStream=@pipepath@/private/pam
 SocketUser=root
diff --git a/src/sysv/systemd/sssd-pam.socket.in b/src/sysv/systemd/sssd-pam.socket.in
index d278bcc2f..cbbb7623b 100644
--- a/src/sysv/systemd/sssd-pam.socket.in
+++ b/src/sysv/systemd/sssd-pam.socket.in
@@ -8,6 +8,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
 ListenStream=@pipepath@/pam
 SocketUser=root
 SocketGroup=root
diff --git a/src/sysv/systemd/sssd-ssh.socket.in b/src/sysv/systemd/sssd-ssh.socket.in
index 727b6c478..4772ef3c0 100644
--- a/src/sysv/systemd/sssd-ssh.socket.in
+++ b/src/sysv/systemd/sssd-ssh.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r ssh
 ListenStream=@pipepath@/ssh
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
index 359f6f2cc..c9abb875f 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -7,6 +7,7 @@ DefaultDependencies=no
 Conflicts=shutdown.target
 
 [Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
 ListenStream=@pipepath@/sudo
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
diff --git a/src/tools/sssd_check_socket_activated_responders.c b/src/tools/sssd_check_socket_activated_responders.c
new file mode 100644
index 000000000..fb9df3909
--- /dev/null
+++ b/src/tools/sssd_check_socket_activated_responders.c
@@ -0,0 +1,197 @@
+/*
+    Authors:
+        Fabiano Fidêncio <fidencio@redhat.com>
+
+    Copyright (C) 2017 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "config.h"
+
+#include <popt.h>
+#include <stdio.h>
+#include <ini_configobj.h>
+
+#include "util/util.h"
+#include "confdb/confdb.h"
+
+static errno_t check_socket_activated_responder(const char *responder)
+{
+    errno_t ret;
+    struct ini_cfgfile *file_ctx = NULL;
+    struct ini_cfgobj *ini_config = NULL;
+    struct ini_cfgobj *modified_ini_config = NULL;
+    struct value_obj *vobj = NULL;
+    struct access_check snip_check;
+    const char *services;
+    const char *patterns[] = { "^[^\\.].*\\.conf$", NULL };
+    const char *sections[] = { "sssd", NULL };
+    const char *str;
+    TALLOC_CTX *tmp_ctx;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        return ENOMEM;
+    }
+
+    ret = ini_config_create(&ini_config);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_create() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    ret = ini_config_file_open(SSSD_CONFIG_FILE, 0, &file_ctx);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_file_open() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    /* Using the same flags used by sss_ini_get_config(), which is used to
+     * load the config file ... */
+    ret = ini_config_parse(file_ctx,
+                           INI_STOP_ON_ANY,
+                           INI_MV1S_OVERWRITE,
+                           INI_PARSE_NOWRAP,
+                           ini_config);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_parse() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    /* And also check the snippets ... */
+    snip_check.flags = INI_ACCESS_CHECK_MODE |
+                       INI_ACCESS_CHECK_UID |
+                       INI_ACCESS_CHECK_GID;
+    snip_check.uid = 0; /* owned by root */
+    snip_check.gid = 0; /* owned by root */
+    snip_check.mode = S_IRUSR; /* r**------ */
+    snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
+
+    ret = ini_config_augment(ini_config,
+                             CONFDB_DEFAULT_CONFIG_DIR,
+                             patterns,
+                             sections,
+                             &snip_check,
+                             INI_STOP_ON_ANY,
+                             INI_MV1S_OVERWRITE,
+                             INI_PARSE_NOWRAP,
+                             INI_MV2S_OVERWRITE,
+                             &modified_ini_config,
+                             NULL,
+                             NULL);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_augment failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    if (modified_ini_config != NULL) {
+        ini_config_destroy(ini_config);
+        ini_config = modified_ini_config;
+    }
+
+    ret = ini_get_config_valueobj("sssd", "services", ini_config,
+                                  INI_GET_FIRST_VALUE, &vobj);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "ini_get_config_valueobj() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    /* In case there's no services' line at all, just return EOK. */
+    if (vobj == NULL) {
+        ret = EOK;
+        goto done;
+    }
+
+    services = ini_get_string_config_value(vobj, &ret);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "ini_get_string_config_value() failed [%d][%s]\n",
+              ret, sss_strerror(ret));
+        goto done;
+    }
+
+    str = strstr(services, responder);
+    if (str != NULL) {
+        ret = EEXIST;
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    ini_config_file_destroy(file_ctx);
+    ini_config_destroy(ini_config);
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
+int main(int argc, const char *argv[])
+{
+    int ret;
+    int opt;
+    poptContext pc;
+    char *responder = NULL;
+
+    struct poptOption long_options[] = {
+        POPT_AUTOHELP
+        {"responders", 'r', POPT_ARG_STRING, &responder, 0,
+         _("The name of the responder to be checked"), NULL},
+        POPT_TABLEEND
+    };
+
+    pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+    while ((opt = poptGetNextOpt(pc)) != -1) {
+        switch (opt) {
+        default:
+            fprintf(stderr, "\nInvalid option %s: %s\n\n",
+                    poptBadOption(pc, 0), poptStrerror(opt));
+            poptPrintUsage(pc, stderr, 0);
+            ret = 1;
+            goto done;
+        }
+    }
+
+    if (responder == NULL) {
+        poptPrintUsage(pc, stderr, 0);
+        ret = 1;
+        goto done;
+    }
+
+    ret = check_socket_activated_responder(responder);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_DEFAULT,
+              "Misconfiguration found for the %s responder.\n"
+              "The %s responder has been configured to be socket-activated "
+              "but it's still mentioned in the services' line in %s.\n"
+              "Please, consider either adjusting your services' line in %s "
+              "or disabling the %s's socket by calling:\n"
+              "\"systemctl disable sssd-%s.socket\"",
+              responder, responder, SSSD_CONFIG_FILE, SSSD_CONFIG_FILE,
+              responder, responder);
+        goto done;
+    }
+
+    ret = EOK;
+done:
+    poptFreeContext(pc);
+    return ret;
+}