r1992 + switchvlans and slbconfig gateways now rely on the higher-level RackCode...
authorDenis Ovsienko <infrastation@yandex.ru>
Mon, 23 Jun 2008 12:45:43 +0000 (12:45 +0000)
committerDenis Ovsienko <infrastation@yandex.ru>
Mon, 23 Jun 2008 12:45:43 +0000 (12:45 +0000)
gateways/lib.sh [deleted file]
gateways/slbconfig/main
gateways/switchvlans/main
gateways/switchvlans/userauth.php-sample [deleted file]

diff --git a/gateways/lib.sh b/gateways/lib.sh
deleted file mode 100644 (file)
index 8346559..0000000
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/sh
-
-if [ ! -s "$MYDIR/userauth.php" ]; then
-       echo "ERR!Authorization file $MYDIR/userauth.php is either missing or empty"
-       return
-fi
-
-authorized()
-{
-       local endp=$1 user=$2 action=$3 arg1=$4 arg2=$5 skip=yes cval
-       [ -z "$endp" -o -z "$user" -o -z "$action" ] && return 1
-
-       # Now we strip PHP wrapping(s) and process auth rules only.
-       # Accept more than one ruleset on the floor.
-       while read line; do
-               if [ "$skip" = "yes" -a "$line" = "# S-T-A-R-T" ]; then
-                       skip=no
-                       continue
-               fi
-               if [ "$skip" = "no" -a "$line" = "# S-T-O-P" ]; then
-                       skip=yes
-                       continue
-               fi
-               [ "$skip" = "yes" ] && continue
-               # Allow comments.
-               [ -z "${line###*}" ] && continue
-
-               # Parse the line and try to make a decision earliest possible.
-               # Username and endpoint must match values/regexps, action
-               # must exactly match. Action arguments are tested agains values
-               # or regexps, but only for 'change' action.
-               # If the current rule doesn't match, advance to the next one.
-               # We will fail authorization by default anyway.
-
-               # Test action.
-               cval=`echo "$line" | cut -s -d' ' -f3`
-               [ "$action" = "$cval" ] || continue
-
-               # Test username.
-               cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f1`
-               [ -z "${user##$cval}" ] || continue
-
-               # Test endpoint.
-               cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f2`
-               [ -z "${endp##$cval}" ] || continue
-
-               if [ "$action" = "change" ]; then
-                       [ -z "$arg1" -o -z "$arg2" ] && return 1
-                       cval=`echo "$line" | cut -s -d' ' -f4`
-                       [ -z "${arg1##$cval}" ] || continue
-                       cval=`echo "$line" | cut -s -d' ' -f5`
-                       [ -z "${arg2##$cval}" ] || continue
-               fi
-
-               # All criterias match. Pick the permission and bail out.
-               cval=`echo "$line" | cut -s -d' ' -f1`
-               if [ "$cval" = "allow" ]; then
-                       return 0
-               else
-                       return 1
-               fi
-       done < "$MYDIR/userauth.php"
-       return 1
-}
index 6aed0dc91bff9c0e1752ae8053278df262f05a9d..91ad8f663fff9fc9582a5645c5316937a9d54ba9 100755 (executable)
@@ -14,7 +14,6 @@ user=
 cfgfile=
 CONNECTED=0
 MYDIR=`dirname $0`
-. "$MYDIR/../lib.sh"
 
 do_connect()
 {
@@ -28,11 +27,6 @@ do_connect()
                return
        fi
 
-       # authorize user, look for "connect" privilege
-       if ! authorized $endpoint $user connect; then
-               echo "ERR!User $user is not authorized to connect to $endpoint"
-               return
-       fi
        CONNECTED=1
        echo "OK!connected to $endpoint"
 }
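Review bot: With the `authorized` call gone, nothing in do_connect inspects `$user` or `$endpoint` before `CONNECTED=1`; the gateway now trusts that the caller has already passed the RackCode check, and that trust boundary is not recorded anywhere in the script. A comment on the line before `CONNECTED=1` would stop the next maintainer from treating the gateway as self-protecting, e.g. `# No local authorization: access control is enforced by the RackCode layer in the calling web application; this script performs no checks of its own.` Since any process able to run the gateway and send a connect line now gets the device session, the file permissions on the gateway scripts become the effective control and deserve a mention in the same comment or in the gateway README. The switchvlans do_connect hunk (`@@ -51,12 +50,6 @@`) has the same gap. do_connect's body begins outside this hunk.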
index 5e82a4df63b2ed6e2c2d94411a7ac7a009015cee..565b3b2267a56247906cf5e61da7e68702f03d32 100755 (executable)
@@ -27,7 +27,6 @@ user=
 handler=
 CONNECTED=0
 MYDIR=`dirname $0`
-. "$MYDIR/../lib.sh"
 
 # Not only connect, but gather all the data at once and remember the context.
 do_connect()
@@ -51,12 +50,6 @@ do_connect()
                ;;
        esac
 
-       # authorize user, look for "connect" privilege
-       if ! authorized $endpoint $user connect; then
-               echo "ERR!User $user is not authorized to connect to $endpoint"
-               return
-       fi
-
        # prepare temp files
        PORTINFO=`mktemp /tmp/racktables.XXXX`
        if ! [ -f "$PORTINFO" ]; then
@@ -128,11 +121,6 @@ do_set()
                        continue
                fi
                [ "$curvlan" = "$newvlan" ] && continue
-               # Authorize user for each change.
-               if ! authorized $endpoint $user change $curvlan $newvlan; then
-                       echo "E!User $user is not authorized to assign port $portname@$endpoint from VLAN $curvlan to VLAN $newvlan" >> "$REPLIES"
-                       continue
-               fi
                echo "$portname $newvlan" >> "$REQUESTS"
                cmembers=`grep -c ",$newvlan$" "$PORTINFO"`
                if [ "$cmembers" = "0" -a $newvlan -lt 4096 ]; then
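Review bot: After the per-change `authorized` call is removed, `$newvlan` reaches `grep -c ",$newvlan$"` and the `-lt 4096` test with no gateway-side filtering at all; an empty or non-numeric value makes the `[` comparison fail and goes into the grep pattern as an unquoted regex. A cheap sanity check before the `echo "$portname $newvlan" >> "$REQUESTS"` line keeps do_set robust regardless of what the front end passes: `case "$newvlan" in ''|*[!0-9]*) echo "E!Bad VLAN ID for port $portname@$endpoint" >> "$REPLIES"; continue;; esac`. The deleted lib.sh at least rejected empty arguments (`[ -z "$arg1" -o -z "$arg2" ] && return 1`), and this replaces that side effect. do_set begins and ends outside this hunk.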
diff --git a/gateways/switchvlans/userauth.php-sample b/gateways/switchvlans/userauth.php-sample
deleted file mode 100644 (file)
index c34d02a..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-<?php
-echo "Unauthorized access attempt has been logged. Cheers.";
-exit();
-# S-T-A-R-T
-deny intruder@test connect
-allow *@test connect
-allow admin@core* connect
-# temp entry
-allow admin@switch1 connect
-allow admin@switch2 connect
-deny *@s* connect
-allow username@endpoint change 1 2
-allow username@* change 999 *
-allow username@* change * 999
-allow *@s* change * 999
-allow *@s1 change 400 999
-allow *@s2 change * 999
-deny *@* change * *
-# S-T-O-P
-?>