From 1f819205fa886284dcd0f90adddb44bc3547be1c Mon Sep 17 00:00:00 2001
From: Mattias Axelsson <mattiaax@axis.com>
Date: Mon, 15 Apr 2024 09:14:55 +0200
Subject: [PATCH 1/2] Log warnings instead of errors for missing TLS certs

---
 app/Makefile                    |  8 ++--
 app/app_paths.h                 |  4 ++
 app/dockerdwrapperwithcompose.c | 67 +++++++--------------------------
 app/tls.c                       | 55 +++++++++++++++++++++++++++
 app/tls.h                       |  6 +++
 5 files changed, 83 insertions(+), 57 deletions(-)
 create mode 100644 app/app_paths.h
 create mode 100644 app/tls.c
 create mode 100644 app/tls.h

diff --git a/app/Makefile b/app/Makefile
index 9f370cf..43f63a0 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -1,5 +1,5 @@
-PROG1	= dockerdwrapperwithcompose
-OBJS1	= $(PROG1).o log.o sd_disk_storage.o
+PROG1	= dockerdwrapper
+OBJS1	= $(PROG1).o log.o sd_disk_storage.o tls.o
 
 PKGS = gio-2.0 glib-2.0 axparameter axstorage
 CFLAGS += $(shell PKG_CONFIG_PATH=$(PKG_CONFIG_PATH) pkg-config --cflags $(PKGS))
@@ -15,8 +15,10 @@ all:	$(PROG1)
 $(PROG1): $(OBJS1)
 	$(CC) $(CFLAGS) $(LDFLAGS) $^ $(LIBS) $(LDLIBS) -o $@
 
-$(PROG1).o log.o: log.h
+$(PROG1).o tls.o: app_paths.h
+$(PROG1).o log.o sd_disk_storage.o tls.o: log.h
 $(PROG1).o sd_disk_storage.o: sd_disk_storage.h
+$(PROG1).o tls.o: tls.h
 
 clean:
 	mv package.conf.orig package.conf || :
diff --git a/app/app_paths.h b/app/app_paths.h
new file mode 100644
index 0000000..a25d300
--- /dev/null
+++ b/app/app_paths.h
@@ -0,0 +1,4 @@
+#pragma once
+
+#define APP_DIRECTORY "/usr/local/packages/" APP_NAME
+#define APP_LOCALDATA APP_DIRECTORY "/localdata"
diff --git a/app/dockerdwrapperwithcompose.c b/app/dockerdwrapperwithcompose.c
index df5601b..3b14a55 100644
--- a/app/dockerdwrapperwithcompose.c
+++ b/app/dockerdwrapperwithcompose.c
@@ -15,8 +15,10 @@
  */
 
 #define _GNU_SOURCE  // For sigabbrev_np()
+#include "app_paths.h"
 #include "log.h"
 #include "sd_disk_storage.h"
+#include "tls.h"
 #include <axsdk/axparameter.h>
 #include <errno.h>
 #include <glib.h>
@@ -28,9 +30,6 @@
 #include <sysexits.h>
 #include <unistd.h>
 
-#define APP_DIRECTORY "/usr/local/packages/" APP_NAME
-#define APP_LOCALDATA APP_DIRECTORY "/localdata"
-
 #define PARAM_APPLICATION_LOG_LEVEL "ApplicationLogLevel"
 #define PARAM_DOCKERD_LOG_LEVEL     "DockerdLogLevel"
 #define PARAM_IPC_SOCKET            "IPCSocket"
@@ -109,10 +108,6 @@ static const char* ax_parameters[] = {PARAM_APPLICATION_LOG_LEVEL,
                                       PARAM_TCP_SOCKET,
                                       PARAM_USE_TLS};
 
-#define TLS_CERT_PATH APP_LOCALDATA
-
-static const char* tls_certs[] = {"ca.pem", "server-cert.pem", "server-key.pem"};
-
 #define main_loop_run()                                        \
     do {                                                       \
         log_debug("g_main_loop_run called by %s", __func__);   \
@@ -418,49 +413,18 @@ static char* prepare_data_root(AXParameter* param_handle, const char* sd_card_ar
  * @return True if successful, false otherwise.
  */
 static gboolean get_and_verify_tls_selection(AXParameter* param_handle, bool* use_tls_ret) {
-    gboolean return_value = false;
-    char* ca_path = NULL;
-    char* cert_path = NULL;
-    char* key_path = NULL;
-
     const bool use_tls = is_parameter_yes(param_handle, PARAM_USE_TLS);
-    {
-        if (use_tls) {
-            char* ca_path = g_strdup_printf("%s/%s", TLS_CERT_PATH, tls_certs[0]);
-            char* cert_path = g_strdup_printf("%s/%s", TLS_CERT_PATH, tls_certs[1]);
-            char* key_path = g_strdup_printf("%s/%s", TLS_CERT_PATH, tls_certs[2]);
-
-            bool ca_exists = access(ca_path, F_OK) == 0;
-            bool cert_exists = access(cert_path, F_OK) == 0;
-            bool key_exists = access(key_path, F_OK) == 0;
-
-            if (!ca_exists || !cert_exists || !key_exists) {
-                log_error("One or more TLS certificates missing.");
-            }
-
-            if (!ca_exists) {
-                log_error("Cannot start using TLS, no CA certificate found at %s", ca_path);
-            }
-            if (!cert_exists) {
-                log_error("Cannot start using TLS, no server certificate found at %s", cert_path);
-            }
-            if (!key_exists) {
-                log_error("Cannot start using TLS, no server key found at %s", key_path);
-            }
-
-            if (!ca_exists || !cert_exists || !key_exists) {
-                set_status_parameter(param_handle, STATUS_TLS_CERT_MISSING);
-                goto end;
-            }
+
+    if (use_tls) {
+        if (tls_missing_certs()) {
+            tls_log_missing_cert_warnings();
+            set_status_parameter(param_handle, STATUS_TLS_CERT_MISSING);
+            return false;
         }
-        *use_tls_ret = use_tls;
-        return_value = true;
     }
-end:
-    free(ca_path);
-    free(cert_path);
-    free(key_path);
-    return return_value;
+
+    *use_tls_ret = use_tls;
+    return true;
 }
 
 static bool read_settings(struct settings* settings, const struct app_state* app_state) {
@@ -548,13 +512,8 @@ static bool start_dockerd(const struct settings* settings, struct app_state* app
         if (use_tls) {
             args_offset += g_snprintf(args + args_offset,
                                       args_len - args_offset,
-                                      " --tlsverify"
-                                      " --tlscacert %s/ca.pem"
-                                      " --tlscert %s/server-cert.pem"
-                                      " --tlskey %s/server-key.pem",
-                                      TLS_CERT_PATH,
-                                      TLS_CERT_PATH,
-                                      TLS_CERT_PATH);
+                                      " %s",
+                                      tls_args_for_dockerd());
             g_strlcat(msg, " in TLS mode", msg_len);
         } else {
             args_offset += g_snprintf(args + args_offset, args_len - args_offset, " --tls=false");
diff --git a/app/tls.c b/app/tls.c
new file mode 100644
index 0000000..2b6f1e2
--- /dev/null
+++ b/app/tls.c
@@ -0,0 +1,55 @@
+#include "tls.h"
+#include "app_paths.h"
+#include "log.h"
+#include <glib.h>
+#include <unistd.h>
+
+#define TLS_CERT_PATH APP_LOCALDATA
+
+struct cert {
+    const char* dockerd_option;
+    const char* filename;
+    const char* description;
+};
+
+static struct cert tls_certs[] = {{"--tlscacert", "ca.pem", "CA certificate"},
+                                  {"--tlscert", "server-cert.pem", "server certificate"},
+                                  {"--tlskey", "server-key.pem", "server key"}};
+
+#define NUM_TLS_CERTS (sizeof(tls_certs) / sizeof(tls_certs[0]))
+
+static bool cert_file_exists(const struct cert* tls_cert) {
+    g_autofree char* full_path = g_strdup_printf("%s/%s", TLS_CERT_PATH, tls_cert->filename);
+    return access(full_path, F_OK) == 0;
+}
+
+bool tls_missing_certs(void) {
+    for (size_t i = 0; i < NUM_TLS_CERTS; ++i)
+        if (!cert_file_exists(&tls_certs[i]))
+            return true;
+    return false;
+}
+
+void tls_log_missing_cert_warnings(void) {
+    for (size_t i = 0; i < NUM_TLS_CERTS; ++i)
+        if (!cert_file_exists(&tls_certs[i]))
+            log_warning("No %s found at %s/%s",
+                        tls_certs[i].description,
+                        TLS_CERT_PATH,
+                        tls_certs[i].filename);
+}
+
+const char* tls_args_for_dockerd(void) {
+    static char args[512];  // Too small buffer will cause truncated options, nothing more.
+    const char* end = args + sizeof(args);
+    char* ptr = args + g_snprintf(args, end - args, "--tlsverify");
+
+    for (size_t i = 0; i < NUM_TLS_CERTS; ++i)
+        ptr += g_snprintf(ptr,
+                          end - ptr,
+                          " %s %s/%s",
+                          tls_certs[i].dockerd_option,
+                          TLS_CERT_PATH,
+                          tls_certs[i].filename);
+    return args;
+}
diff --git a/app/tls.h b/app/tls.h
new file mode 100644
index 0000000..60e3203
--- /dev/null
+++ b/app/tls.h
@@ -0,0 +1,6 @@
+#pragma once
+#include <stdbool.h>
+
+bool tls_missing_certs(void);
+void tls_log_missing_cert_warnings(void);
+const char* tls_args_for_dockerd(void);

From 26251c419c3ce07ba89aa065eee00d5ed0c81b7f Mon Sep 17 00:00:00 2001
From: Mattias Axelsson <mattiaax@axis.com>
Date: Mon, 15 Apr 2024 09:17:27 +0200
Subject: [PATCH 2/2] Update Makefile

---
 app/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Makefile b/app/Makefile
index 43f63a0..eb937d4 100644
--- a/app/Makefile
+++ b/app/Makefile
@@ -1,4 +1,4 @@
-PROG1	= dockerdwrapper
+PROG1	= dockerdwrapperwithcompose
 OBJS1	= $(PROG1).o log.o sd_disk_storage.o tls.o
 
 PKGS = gio-2.0 glib-2.0 axparameter axstorage