--- /dev/null
+#!/bin/sh
+
+authorized()
+{
+ local endp=$1 user=$2 action=$3 arg1=$4 arg2=$5 skip=yes cval
+ [ -z "$endp" -o -z "$user" -o -z "$action" ] && return 1
+
+ # Now we strip PHP wrapping(s) and process auth rules only.
+ # Accept more than one ruleset on the floor.
+ while read line; do
+ if [ "$skip" = "yes" -a "$line" = "# S-T-A-R-T" ]; then
+ skip=no
+ continue
+ fi
+ if [ "$skip" = "no" -a "$line" = "# S-T-O-P" ]; then
+ skip=yes
+ continue
+ fi
+ [ "$skip" = "yes" ] && continue
+ # Allow comments.
+ [ -z "${line###*}" ] && continue
+
+ # Parse the line and try to make a decision earliest possible.
+ # Username and endpoint must match values/regexps, action
+ # must exactly match. Action arguments are tested agains values
+ # or regexps, but only for 'change' action.
+ # If the current rule doesn't match, advance to the next one.
+ # We will fail authorization by default anyway.
+
+ # Test action.
+ cval=`echo "$line" | cut -s -d' ' -f3`
+ [ "$action" = "$cval" ] || continue
+
+ # Test username.
+ cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f1`
+ [ -z "${user##$cval}" ] || continue
+
+ # Test endpoint.
+ cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f2`
+ [ -z "${endp##$cval}" ] || continue
+
+ if [ "$action" = "change" ]; then
+ [ -z "$arg1" -o -z "$arg2" ] && return 1
+ cval=`echo "$line" | cut -s -d' ' -f4`
+ [ -z "${arg1##$cval}" ] || continue
+ cval=`echo "$line" | cut -s -d' ' -f5`
+ [ -z "${arg2##$cval}" ] || continue
+ fi
+
+ # All criterias match. Pick the permission and bail out.
+ cval=`echo "$line" | cut -s -d' ' -f1`
+ if [ "$cval" = "allow" ]; then
+ return 0
+ else
+ return 1
+ fi
+ done < "$MYDIR/userauth.php"
+ return 1
+}
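Review bot: The rule-format comment at lines 25–27 says username, endpoint and arguments are matched against "values/regexps", but `[ -z "${user##$cval}" ]` (and the endpoint/arg1/arg2 checks below it) is a shell glob match, so a rule written with regex syntax (`.*`, `^name$`) will not match the way its author expects and silently falls through to the default deny. Suggest rewording to `# Username and endpoint must match literal values or shell glob patterns (e.g. '*'), not regular expressions; action must exactly match.` so the file's rule authors are not misled. The loop header `while read line; do` should be `while IFS= read -r line; do`, otherwise a backslash in a rule line is consumed by `read` before the pattern is applied; note also that `local` is not POSIX `sh`, though dash/ash/bash all accept it. A rule line with too few space-separated fields yields an empty `$cval` from `cut -s`, which makes `${user##}` a no-op and the rule simply not match — that is safe (deny by default), but worth a one-line comment so nobody "fixes" it into a wildcard.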
--- /dev/null
+#!/bin/sh
+
+# This is a RackTables gateway for installing SLB configuration onto
+# a live load balancer. The only supported command is:
+#
+# * connect <endpoint> <hardware> <software> <username>: authorize transaction
+# * activate <filename>: call user-supplied configuration installer and remove
+# the temp file
+#
+
+endpoint=
+hw=
+sw=
+user=
+cfgfile=
+CONNECTED=0
+MYDIR=`dirname $0`
+source "$MYDIR/../lib.sh"
+
+do_connect()
+{
+ endpoint=`echo $args | cut -s -d' ' -f1`
+ hw=`echo $args | cut -s -d' ' -f2`
+ sw=`echo $args | cut -s -d' ' -f3`
+ user=`echo $args | cut -s -d' ' -f4`
+ # sanity checks
+ if [ -z "$endpoint" -o -z "$hw" -o -z "$sw" -o -z "$user" ]; then
+ echo 'ERR!too few arguments to connect'
+ return
+ fi
+
+ # authorize user, look for "connect" privilege
+ if ! authorized $endpoint $user connect; then
+ echo "ERR!User $user is not authorized to connect to $endpoint"
+ return
+ fi
+}
+
+do_activate()
+{
+ cfgfile=$1
+ if [ ! -s "$cfgfile" ]; then
+ echo "ERR!Configuration file $cfgfile is either missing or empty."
+ return
+ fi
+ if [ ! -x "$MYDIR/install" ]; then
+ echo "ERR!Missing user-supplied installer script $MYDIR/install"
+ return
+ fi
+ "$MYDIR/install $endpoint $hw $sw $user $cfgfile"
+}
+
+# main loop
+while read cmd args; do
+ case $cmd in
+ connect)
+ if [ $CONNECTED = 1 ]; then
+ echo 'ERR!Already connected'
+ else
+ do_connect $args
+ fi
+ ;;
+ activate)
+ if [ $CONNECTED = 1 ]; then
+ do_activate $args
+ else
+ echo 'ERR!Not connected'
+ fi
+ ;;
+ *)
+ echo "ERR!unknown command $cmd"
+ esac
+done
+
+[ -f "$cfgfile" ] && rm -f "$cfgfile"
+exit 0
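Review bot: The installer invocation on line 111, `"$MYDIR/install $endpoint $hw $sw $user $cfgfile"`, is a single quoted word, so the shell looks for a program whose name contains the spaces and arguments and the install step never runs; it should be `"$MYDIR/install" "$endpoint" "$hw" "$sw" "$user" "$cfgfile"`. The `activate` branch also appears unreachable as written: `CONNECTED=0` is set at line 77 and nothing in this file sets it to 1 after a successful `do_connect` (unless the sourced lib.sh does, which this diff does not show), so add `CONNECTED=1` after the authorization check passes. `echo $args` at lines 83–86 and `do_connect $args` / `do_activate $args` in the main loop are unquoted, so a `*` or `?` received on stdin is expanded against the working directory before it reaches `cut` or `authorized`; since the script never needs globbing, `set -f` directly after the shebang closes that off without changing the single-space field splitting the rest of the parsing relies on.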
handler=
CONNECTED=0
MYDIR=`dirname $0`
-
-authorized()
-{
- local endp=$1 user=$2 action=$3 arg1=$4 arg2=$5 skip=yes cval
- [ -z "$endp" -o -z "$user" -o -z "$action" ] && return 1
-
- # Now we strip PHP wrapping(s) and process auth rules only.
- # Accept more than one ruleset on the floor.
- while read line; do
- if [ "$skip" = "yes" -a "$line" = "# S-T-A-R-T" ]; then
- skip=no
- continue
- fi
- if [ "$skip" = "no" -a "$line" = "# S-T-O-P" ]; then
- skip=yes
- continue
- fi
- [ "$skip" = "yes" ] && continue
- # Allow comments.
- [ -z "${line###*}" ] && continue
-
- # Parse the line and try to make a decision earliest possible.
- # Username and endpoint must match values/regexps, action
- # must exactly match. Action arguments are tested agains values
- # or regexps, but only for 'change' action.
- # If the current rule doesn't match, advance to the next one.
- # We will fail authorization by default anyway.
-
- # Test action.
- cval=`echo "$line" | cut -s -d' ' -f3`
- [ "$action" = "$cval" ] || continue
-
- # Test username.
- cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f1`
- [ -z "${user##$cval}" ] || continue
-
- # Test endpoint.
- cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f2`
- [ -z "${endp##$cval}" ] || continue
-
- if [ "$action" = "change" ]; then
- [ -z "$arg1" -o -z "$arg2" ] && return 1
- cval=`echo "$line" | cut -s -d' ' -f4`
- [ -z "${arg1##$cval}" ] || continue
- cval=`echo "$line" | cut -s -d' ' -f5`
- [ -z "${arg2##$cval}" ] || continue
- fi
-
- # All criterias match. Pick the permission and bail out.
- cval=`echo "$line" | cut -s -d' ' -f1`
- if [ "$cval" = "allow" ]; then
- return 0
- else
- return 1
- fi
- done < "$MYDIR/userauth.php"
- return 1
-}
+source "$MYDIR/../lib.sh"
# Not only connect, but gather all the data at once and remember the context.
do_connect()