authorLukas Slebodnik <lslebodn@redhat.com>2016-06-23 08:52:18 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-06-27 22:25:55 +0200
commitc42ca36247022490ad65a33c453cb5e43900dbe9 (patch)
treedf1173f4bc16710d1470c1416b6c2ffdebb33be5
parent8b2a31634764168183506925a4b9f461afdba6f3 (diff)
Prepare ini schema with rules for validation
Resolves: https://fedorahosted.org/sssd/ticket/2028
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--Makefile.am5
-rw-r--r--contrib/sssd.spec.in1
-rw-r--r--src/confdb/confdb_setup.c3
-rw-r--r--src/config/cfg_rules.ini615
4 files changed, 621 insertions, 3 deletions
diff --git a/Makefile.am b/Makefile.am
index d87896df4..241086355 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -453,6 +453,7 @@ AM_CPPFLAGS = \
-DSSS_STATEDIR=\"$(sss_statedir)\" \
-DSYSCONFDIR=\"$(sysconfdir)\" \
-DSHLIBEXT=\"$(SHLIBEXT)\" \
+ -DSSSDDATADIR=\"$(sssddatadir)\" \
-DSSSD_LIBEXEC_PATH=\"$(sssdlibexecdir)\" \
-DSSSD_CONF_DIR=\"$(sssdconfdir)\" \
-DSSSD_DEFAULT_CONF_DIR=\"$(sssddefaultconfdir)\" \
@@ -3804,7 +3805,9 @@ endif
dist_sssddata_DATA = \
- src/config/etc/sssd.api.conf
+ src/config/etc/sssd.api.conf \
+ src/config/cfg_rules.ini \
+ $(NULL)
dist_sssdapiplugin_DATA = \
src/config/etc/sssd.api.d/sssd-ipa.conf \
src/config/etc/sssd.api.d/sssd-ad.conf \
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 1c2c593da..475a07e0b 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -796,6 +796,7 @@ done
%{_sysconfdir}/pam.d/sssd-shadowutils
%{_libdir}/%{name}/conf/sssd.conf
+%{_datadir}/sssd/cfg_rules.ini
%{_datadir}/sssd/sssd.api.conf
%{_datadir}/sssd/sssd.api.d
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
index 614aa2206..09b6fee0d 100644
--- a/src/confdb/confdb_setup.c
+++ b/src/confdb/confdb_setup.c
@@ -233,9 +233,8 @@ static int confdb_init_db(const char *config_file, const char *config_dir,
goto done;
}
- /* FIXME: Do not hardcode the path */
ret = sss_ini_call_validators(init_data,
- "/var/lib/sss/cfg_rules.ini");
+ SSSDDATADIR"/cfg_rules.ini");
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to call validators\n");
/* This is not fatal, continue */
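Review bot: The failure branch after the new `SSSDDATADIR"/cfg_rules.ini"` call still logs only `Failed to call validators`, so an operator cannot tell whether the rules file was missing from the installed package or was malformed, and since the comment marks this step as non-fatal the log line is the only signal that configuration validation was skipped. Now that the path is build-configured, name it and the error code in the message, e.g. `DEBUG(SSSDBG_CRIT_FAILURE, "Failed to call validators on %s [%d]: %s\n", SSSDDATADIR"/cfg_rules.ini", ret, strerror(ret));`. Moving the rules out of `/var/lib/sss` into the package data directory is sound, as the allow-list then lives in root-owned, read-only package content rather than the state directory. confdb_init_db starts before this hunk and its body continues past it.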
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
new file mode 100644
index 000000000..d738ddf5a
--- /dev/null
+++ b/src/config/cfg_rules.ini
@@ -0,0 +1,615 @@
+[rule/allowed_sections]
+validator = ini_allowed_sections
+section = sssd
+section = nss
+section = pam
+section = sudo
+section = autofs
+section = ssh
+section = pac
+section = ifp
+section_re = ^domain/.*$
+
+[rule/allowed_sssd_options]
+validator = ini_allowed_options
+section_re = ^sssd$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# Monitor service
+option = services
+option = domains
+option = timeout
+option = sbus_timeout
+option = re_expression
+option = full_name_format
+option = krb5_rcache_dir
+option = user
+option = default_domain_suffix
+option = certificate_verification
+
+[rule/allowed_nss_options]
+validator = ini_allowed_options
+section_re = ^nss$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# Name service
+option = enum_cache_timeout
+option = entry_cache_nowait_percentage
+option = entry_negative_timeout
+option = local_negative_timeout
+option = filter_users
+option = filter_groups
+option = filter_users_in_groups
+option = pwfield
+option = override_homedir
+option = fallback_homedir
+option = homedir_substring
+option = override_shell
+option = allowed_shells
+option = vetoed_shells
+option = shell_fallback
+option = default_shell
+option = get_domains_timeout
+option = memcache_timeout
+option = override_space
+
+[rule/allowed_pam_options]
+validator = ini_allowed_options
+section_re = ^pam$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# Authentication service
+option = offline_credentials_expiration
+option = offline_failed_login_attempts
+option = offline_failed_login_delay
+option = pam_verbosity
+option = pam_id_timeout
+option = pam_pwd_expiration_warning
+option = get_domains_timeout
+option = pam_trusted_users
+option = pam_public_domains
+option = pam_account_expired_message
+option = pam_account_locked_message
+option = pam_cert_auth
+option = pam_cert_db_path
+option = p11_child_timeout
+
+[rule/allowed_sudo_options]
+validator = ini_allowed_options
+section_re = ^sudo$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# sudo service
+option = sudo_timed
+option = sudo_inverse_order
+
+[rule/allowed_autofs_options]
+validator = ini_allowed_options
+section_re = ^autofs$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# autofs service
+option = autofs_negative_timeout
+
+[rule/allowed_ssh_options]
+validator = ini_allowed_options
+section_re = ^ssh$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# ssh service
+option = ssh_hash_known_hosts
+option = ssh_known_hosts_timeout
+option = ca_db
+
+[rule/allowed_pac_options]
+validator = ini_allowed_options
+section_re = ^pac$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# PAC responder
+option = allowed_uids
+option = user_attributes
+option = pac_lifetime
+
+[rule/allowed_ifp_options]
+validator = ini_allowed_options
+section_re = ^ifp$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+# InfoPipe responder
+option = allowed_uids
+option = user_attributes
+
+[rule/allowed_domain_options]
+validator = ini_allowed_options
+section_re = ^domain/.*$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_to_files
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = force_timeout
+option = description
+option = diag_cmd
+
+#Available provider types
+option = id_provider
+option = auth_provider
+option = access_provider
+option = chpass_provider
+option = sudo_provider
+option = autofs_provider
+option = session_provider
+option = hostid_provider
+option = subdomains_provider
+
+# Options available to all domains
+option = min_id
+option = max_id
+option = timeout
+option = try_inotify
+option = enumerate
+option = subdomain_enumerate
+option = force_timeout
+option = offline_timeout
+option = cache_credentials
+option = cache_credentials_minimal_first_factor_length
+option = store_legacy_passwords
+option = use_fully_qualified_names
+option = ignore_group_members
+option = entry_cache_timeout
+option = lookup_family_order
+option = account_cache_expiration
+option = pwd_expiration_warning
+option = filter_users
+option = filter_groups
+option = dns_resolver_timeout
+option = dns_discovery_domain
+option = override_gid
+option = case_sensitive
+option = override_homedir
+option = fallback_homedir
+option = homedir_substring
+option = override_shell
+option = default_shell
+option = description
+option = realmd_tags
+option = subdomain_refresh_interval
+option = subdomain_inherit
+option = cached_auth_timeout
+option = wildcard_limit
+
+#Entry cache timeouts
+option = entry_cache_user_timeout
+option = entry_cache_group_timeout
+option = entry_cache_netgroup_timeout
+option = entry_cache_service_timeout
+option = entry_cache_autofs_timeout
+option = entry_cache_sudo_timeout
+option = entry_cache_ssh_host_timeout
+option = refresh_expired_interval
+
+# Dynamic DNS updates
+option = dyndns_update
+option = dyndns_ttl
+option = dyndns_iface
+option = dyndns_refresh_interval
+option = dyndns_update_ptr
+option = dyndns_force_tcp
+option = dyndns_auth
+option = dyndns_server
+
+# local provider specific options
+option = create_homedir
+option = remove_homedir
+option = homedir_umask
+option = skel_dir
+option = mail_dir
+option = userdel_cmd
+option = base_directory
+
+# proxy provider specific options
+option = proxy_lib_name
+option = proxy_fast_alias
+option = proxy_pam_target
+
+# simple access provider specific options
+option = simple_allow_users
+option = simple_deny_users
+option = simple_allow_groups
+option = simple_deny_groups
+
+# AD provider specific options
+option = ad_access_filter
+option = ad_backup_server
+option = ad_domain
+option = ad_enable_dns_sites
+option = ad_enable_gc
+option = ad_gpo_access_control
+option = ad_gpo_cache_timeout
+option = ad_gpo_default_right
+option = ad_gpo_map_batch
+option = ad_gpo_map_deny
+option = ad_gpo_map_interactive
+option = ad_gpo_map_network
+option = ad_gpo_map_permit
+option = ad_gpo_map_remote_interactive
+option = ad_gpo_map_service
+option = ad_hostname
+option = ad_machine_account_password_renewal_opts
+option = ad_maximum_machine_account_password_age
+option = ad_server
+option = ad_site
+
+# IPA provider specific options
+option = ipa_anchor_uuid
+option = ipa_automount_location
+option = ipa_backup_server
+option = ipa_domain
+option = ipa_dyndns_iface
+option = ipa_dyndns_ttl
+option = ipa_dyndns_update
+option = ipa_enable_dns_sites
+option = ipa_group_override_object_class
+option = ipa_hbac_refresh
+option = ipa_hbac_search_base
+option = ipa_hbac_support_srchost
+option = ipa_host_fqdn
+option = ipa_hostgroup_memberof
+option = ipa_hostgroup_member
+option = ipa_hostgroup_name
+option = ipa_hostgroup_objectclass
+option = ipa_hostgroup_uuid
+option = ipa_host_member_of
+option = ipa_host_name
+option = ipa_hostname
+option = ipa_host_object_class
+option = ipa_host_search_base
+option = ipa_host_serverhostname
+option = ipa_host_ssh_public_key
+option = ipa_host_uuid
+option = ipa_master_domain_search_base
+option = ipa_netgroup_domain
+option = ipa_netgroup_member_ext_host
+option = ipa_netgroup_member_host
+option = ipa_netgroup_member_of
+option = ipa_netgroup_member
+option = ipa_netgroup_member_user
+option = ipa_netgroup_name
+option = ipa_netgroup_object_class
+option = ipa_netgroup_uuid
+option = ipa_overide_object_class
+option = ipa_ranges_search_base
+option = ipa_selinux_refresh
+option = ipa_selinux_usermap_enabled
+option = ipa_selinux_usermap_host_category
+option = ipa_selinux_usermap_member_host
+option = ipa_selinux_usermap_member_user
+option = ipa_selinux_usermap_name
+option = ipa_selinux_usermap_object_class
+option = ipa_selinux_usermap_see_also
+option = ipa_selinux_usermap_selinux_user
+option = ipa_selinux_usermap_user_category
+option = ipa_selinux_usermap_uuid
+option = ipa_server_mode
+option = ipa_server
+option = ipa_subdomains_search_base
+option = ipa_sudocmdgroup_entry_usn
+option = ipa_sudocmdgroup_member
+option = ipa_sudocmdgroup_name
+option = ipa_sudocmdgroup_object_class
+option = ipa_sudocmdgroup_uuid
+option = ipa_sudocmd_memberof
+option = ipa_sudocmd_object_class
+option = ipa_sudocmd_sudoCmd
+option = ipa_sudocmd_uuid
+option = ipa_sudorule_allowcmd
+option = ipa_sudorule_cmdcategory
+option = ipa_sudorule_denycmd
+option = ipa_sudorule_enabled_flag
+option = ipa_sudorule_entry_usn
+option = ipa_sudorule_externaluser
+option = ipa_sudorule_hostcategory
+option = ipa_sudorule_host
+option = ipa_sudorule_name
+option = ipa_sudorule_notafter
+option = ipa_sudorule_notbefore
+option = ipa_sudorule_object_class
+option = ipa_sudorule_option
+option = ipa_sudorule_runasextgroup
+option = ipa_sudorule_runasextusergroup
+option = ipa_sudorule_runasextuser
+option = ipa_sudorule_runasgroupcategory
+option = ipa_sudorule_runasgroup
+option = ipa_sudorule_runasusercategory
+option = ipa_sudorule_sudoorder
+option = ipa_sudorule_usercategory
+option = ipa_sudorule_user
+option = ipa_sudorule_uuid
+option = ipa_user_override_object_class
+option = ipa_view_class
+option = ipa_view_name
+option = ipa_views_search_base
+
+# krb5 provider specific options
+option = krb5_auth_timeout
+option = krb5_backup_kpasswd
+option = krb5_backup_server
+option = krb5_canonicalize
+option = krb5_ccachedir
+option = krb5_ccname_template
+option = krb5_confd_path
+option = krb5_fast_principal
+option = krb5_kdcip
+option = krb5_keytab
+option = krb5_kpasswd
+option = krb5_lifetime
+option = krb5_map_user
+option = krb5_realm
+option = krb5_realm
+option = krb5_renewable_lifetime
+option = krb5_renew_interval
+option = krb5_server
+option = krb5_store_password_if_offline
+option = krb5_use_enterprise_principal
+option = krb5_use_fast
+option = krb5_use_kdcinfo
+option = krb5_validate
+
+# ldap provider specific options
+option = ldap_access_filter
+option = ldap_access_order
+option = ldap_account_expire_policy
+option = ldap_autofs_entry_key
+option = ldap_autofs_entry_object_class
+option = ldap_autofs_entry_value
+option = ldap_autofs_map_master_name
+option = ldap_autofs_map_name
+option = ldap_autofs_map_object_class
+option = ldap_autofs_search_base
+option = ldap_backup_uri
+option = ldap_chpass_backup_uri
+option = ldap_chpass_dns_service_name
+option = ldap_chpass_update_last_change
+option = ldap_chpass_uri
+option = ldap_connection_expire_timeout
+option = ldap_default_authtok
+option = ldap_default_authtok_type
+option = ldap_default_bind_dn
+option = ldap_deref
+option = ldap_deref_threshold
+option = ldap_disable_paging
+option = ldap_disable_range_retrieval
+option = ldap_dns_service_name
+option = ldap_entry_usn
+option = ldap_enumeration_refresh_timeout
+option = ldap_enumeration_search_timeout
+option = ldap_force_upper_case_realm
+option = ldap_group_entry_usn
+option = ldap_group_external_member
+option = ldap_group_gid_number
+option = ldap_group_member
+option = ldap_group_modify_timestamp
+option = ldap_group_name
+option = ldap_group_nesting_level
+option = ldap_group_object_class
+option = ldap_group_objectsid
+option = ldap_group_search_base
+option = ldap_group_search_filter
+option = ldap_group_search_scope
+option = ldap_groups_use_matching_rule_in_chain
+option = ldap_group_type
+option = ldap_group_uuid
+option = ldap_idmap_autorid_compat
+option = ldap_idmap_default_domain_sid
+option = ldap_idmap_default_domain
+option = ldap_idmap_helper_table_size
+option = ldap_id_mapping
+option = ldap_idmap_range_max
+option = ldap_idmap_range_min
+option = ldap_idmap_range_size
+option = ldap_id_use_start_tls
+option = ldap_initgroups_use_matching_rule_in_chain
+option = ldap_krb5_init_creds
+option = ldap_krb5_keytab
+option = ldap_krb5_ticket_lifetime
+option = ldap_max_id
+option = ldap_min_id
+option = ldap_netgroup_member
+option = ldap_netgroup_modify_timestamp
+option = ldap_netgroup_name
+option = ldap_netgroup_object_class
+option = ldap_netgroup_search_base
+option = ldap_netgroup_triple
+option = ldap_network_timeout
+option = ldap_ns_account_lock
+option = ldap_offline_timeout
+option = ldap_opt_timeout
+option = ldap_page_size
+option = ldap_purge_cache_timeout
+option = ldap_pwd_attribute
+option = ldap_pwdlockout_dn
+option = ldap_pwd_policy
+option = ldap_referrals
+option = ldap_rfc2307_fallback_to_local_users
+option = ldap_rootdse_last_usn
+option = ldap_sasl_authid
+option = ldap_sasl_canonicalize
+option = ldap_sasl_mech
+option = ldap_sasl_minssf
+option = ldap_schema
+option = ldap_search_base
+option = ldap_search_timeout
+option = ldap_service_entry_usn
+option = ldap_service_name
+option = ldap_service_object_class
+option = ldap_service_port
+option = ldap_service_proto
+option = ldap_service_search_base
+option = ldap_sudo_full_refresh_interval
+option = ldap_sudo_hostnames
+option = ldap_sudo_include_netgroups
+option = ldap_sudo_include_regexp
+option = ldap_sudo_ip
+option = ldap_sudorule_command
+option = ldap_sudorule_host
+option = ldap_sudorule_name
+option = ldap_sudorule_notafter
+option = ldap_sudorule_notbefore
+option = ldap_sudorule_object_class
+option = ldap_sudorule_option
+option = ldap_sudorule_order
+option = ldap_sudorule_runasgroup
+option = ldap_sudorule_runas
+option = ldap_sudorule_runasuser
+option = ldap_sudorule_user
+option = ldap_sudo_search_base
+option = ldap_sudo_smart_refresh_interval
+option = ldap_sudo_use_host_filter
+option = ldap_tls_cacertdir
+option = ldap_tls_cacert
+option = ldap_tls_cert
+option = ldap_tls_cipher_suite
+option = ldap_tls_key
+option = ldap_tls_reqcert
+option = ldap_uri
+option = ldap_user_ad_account_expires
+option = ldap_user_ad_user_account_control
+option = ldap_user_authorized_host
+option = ldap_user_authorized_service
+option = ldap_user_auth_type
+option = ldap_user_certificate
+option = ldap_user_entry_usn
+option = ldap_user_extra_attrs
+option = ldap_user_fullname
+option = ldap_user_gecos
+option = ldap_user_gid_number
+option = ldap_user_home_directory
+option = ldap_user_krb_last_pwd_change
+option = ldap_user_krb_password_expiration
+option = ldap_user_member_of
+option = ldap_user_modify_timestamp
+option = ldap_user_name
+option = ldap_user_nds_login_allowed_time_map
+option = ldap_user_nds_login_disabled
+option = ldap_user_nds_login_expiration_time
+option = ldap_user_object_class
+option = ldap_user_objectsid
+option = ldap_user_primary_group
+option = ldap_user_principal
+option = ldap_user_search_base
+option = ldap_user_search_filter
+option = ldap_user_search_scope
+option = ldap_user_shadow_expire
+option = ldap_user_shadow_flag
+option = ldap_user_shadow_inactive
+option = ldap_user_shadow_last_change
+option = ldap_user_shadow_max
+option = ldap_user_shadow_min
+option = ldap_user_shadow_warning
+option = ldap_user_shell
+option = ldap_user_ssh_public_key
+option = ldap_user_uid_number
+option = ldap_user_uuid
+option = ldap_use_tokengroups
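Review bot: `option = krb5_realm` is listed twice in [rule/allowed_domain_options] (two consecutive lines in the krb5 block); the second entry is redundant and should be dropped. `option = ipa_overide_object_class` also looks misspelled next to `ipa_group_override_object_class` and `ipa_user_override_object_class` — verify it against the IPA provider's option table, because a misspelling in an allow-list would presumably make the validator report a correctly spelled sssd.conf line as unknown while accepting the typo. A short header comment stating that this file is consumed by sss_ini_call_validators, that each `[rule/...]` section is an allow-list for the sections matched by its `section_re`, and that every option a provider accepts must appear here would help maintainers keep it in sync with the option tables it mirrors.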