+++ /dev/null
-#!/bin/sh
-
-if [ ! -s "$MYDIR/userauth.php" ]; then
- echo "ERR!Authorization file $MYDIR/userauth.php is either missing or empty"
- return
-fi
-
-authorized()
-{
- local endp=$1 user=$2 action=$3 arg1=$4 arg2=$5 skip=yes cval
- [ -z "$endp" -o -z "$user" -o -z "$action" ] && return 1
-
- # Now we strip PHP wrapping(s) and process auth rules only.
- # Accept more than one ruleset on the floor.
- while read line; do
- if [ "$skip" = "yes" -a "$line" = "# S-T-A-R-T" ]; then
- skip=no
- continue
- fi
- if [ "$skip" = "no" -a "$line" = "# S-T-O-P" ]; then
- skip=yes
- continue
- fi
- [ "$skip" = "yes" ] && continue
- # Allow comments.
- [ -z "${line###*}" ] && continue
-
- # Parse the line and try to make a decision earliest possible.
- # Username and endpoint must match values/regexps, action
- # must exactly match. Action arguments are tested agains values
- # or regexps, but only for 'change' action.
- # If the current rule doesn't match, advance to the next one.
- # We will fail authorization by default anyway.
-
- # Test action.
- cval=`echo "$line" | cut -s -d' ' -f3`
- [ "$action" = "$cval" ] || continue
-
- # Test username.
- cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f1`
- [ -z "${user##$cval}" ] || continue
-
- # Test endpoint.
- cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f2`
- [ -z "${endp##$cval}" ] || continue
-
- if [ "$action" = "change" ]; then
- [ -z "$arg1" -o -z "$arg2" ] && return 1
- cval=`echo "$line" | cut -s -d' ' -f4`
- [ -z "${arg1##$cval}" ] || continue
- cval=`echo "$line" | cut -s -d' ' -f5`
- [ -z "${arg2##$cval}" ] || continue
- fi
-
- # All criterias match. Pick the permission and bail out.
- cval=`echo "$line" | cut -s -d' ' -f1`
- if [ "$cval" = "allow" ]; then
- return 0
- else
- return 1
- fi
- done < "$MYDIR/userauth.php"
- return 1
-}
handler=
CONNECTED=0
MYDIR=`dirname $0`
-. "$MYDIR/../lib.sh"
# Not only connect, but gather all the data at once and remember the context.
do_connect()
;;
esac
- # authorize user, look for "connect" privilege
- if ! authorized $endpoint $user connect; then
- echo "ERR!User $user is not authorized to connect to $endpoint"
- return
- fi
-
# prepare temp files
PORTINFO=`mktemp /tmp/racktables.XXXX`
if ! [ -f "$PORTINFO" ]; then
continue
fi
[ "$curvlan" = "$newvlan" ] && continue
- # Authorize user for each change.
- if ! authorized $endpoint $user change $curvlan $newvlan; then
- echo "E!User $user is not authorized to assign port $portname@$endpoint from VLAN $curvlan to VLAN $newvlan" >> "$REPLIES"
- continue
- fi
echo "$portname $newvlan" >> "$REQUESTS"
cmembers=`grep -c ",$newvlan$" "$PORTINFO"`
if [ "$cmembers" = "0" -a $newvlan -lt 4096 ]; then
+++ /dev/null
-<?php
-echo "Unauthorized access attempt has been logged. Cheers.";
-exit();
-# S-T-A-R-T
-deny intruder@test connect
-allow *@test connect
-allow admin@core* connect
-# temp entry
-allow admin@switch1 connect
-allow admin@switch2 connect
-deny *@s* connect
-allow username@endpoint change 1 2
-allow username@* change 999 *
-allow username@* change * 999
-allow *@s* change * 999
-allow *@s1 change 400 999
-allow *@s2 change * 999
-deny *@* change * *
-# S-T-O-P
-?>
projects / racktables / commitdiff
