From 850c4dbaad4d809161039b6f7fc9a8a4e1920cfa Mon Sep 17 00:00:00 2001
From: Denis Ovsienko
Date: Mon, 23 Jun 2008 12:45:43 +0000
Subject: [PATCH] r1992 + switchvlans and slbconfig gateways now rely on the higher-level RackCode authorization
---
gateways/lib.sh | 64 ------------------------
gateways/slbconfig/main | 6 ---
gateways/switchvlans/main | 12 -----
gateways/switchvlans/userauth.php-sample | 20 --------
4 files changed, 102 deletions(-)
delete mode 100644 gateways/lib.sh
delete mode 100644 gateways/switchvlans/userauth.php-sample
diff --git a/gateways/lib.sh b/gateways/lib.sh
deleted file mode 100644
index 83465593..00000000
--- a/gateways/lib.sh
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/sh
-
-if [ ! -s "$MYDIR/userauth.php" ]; then
- echo "ERR!Authorization file $MYDIR/userauth.php is either missing or empty"
- return
-fi
-
-authorized()
-{
- local endp=$1 user=$2 action=$3 arg1=$4 arg2=$5 skip=yes cval
- [ -z "$endp" -o -z "$user" -o -z "$action" ] && return 1
-
- # Now we strip PHP wrapping(s) and process auth rules only.
- # Accept more than one ruleset on the floor.
- while read line; do
- if [ "$skip" = "yes" -a "$line" = "# S-T-A-R-T" ]; then
- skip=no
- continue
- fi
- if [ "$skip" = "no" -a "$line" = "# S-T-O-P" ]; then
- skip=yes
- continue
- fi
- [ "$skip" = "yes" ] && continue
- # Allow comments.
- [ -z "${line###*}" ] && continue
-
- # Parse the line and try to make a decision earliest possible.
- # Username and endpoint must match values/regexps, action
- # must exactly match. Action arguments are tested agains values
- # or regexps, but only for 'change' action.
- # If the current rule doesn't match, advance to the next one.
- # We will fail authorization by default anyway.
-
- # Test action.
- cval=`echo "$line" | cut -s -d' ' -f3`
- [ "$action" = "$cval" ] || continue
-
- # Test username.
- cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f1`
- [ -z "${user##$cval}" ] || continue
-
- # Test endpoint.
- cval=`echo "$line" | cut -s -d' ' -f2 | cut -s -d'@' -f2`
- [ -z "${endp##$cval}" ] || continue
-
- if [ "$action" = "change" ]; then
- [ -z "$arg1" -o -z "$arg2" ] && return 1
- cval=`echo "$line" | cut -s -d' ' -f4`
- [ -z "${arg1##$cval}" ] || continue
- cval=`echo "$line" | cut -s -d' ' -f5`
- [ -z "${arg2##$cval}" ] || continue
- fi
-
- # All criterias match. Pick the permission and bail out.
- cval=`echo "$line" | cut -s -d' ' -f1`
- if [ "$cval" = "allow" ]; then
- return 0
- else
- return 1
- fi
- done < "$MYDIR/userauth.php"
- return 1
-}
diff --git a/gateways/slbconfig/main b/gateways/slbconfig/main
index 6aed0dc9..91ad8f66 100755
--- a/gateways/slbconfig/main
+++ b/gateways/slbconfig/main
@@ -14,7 +14,6 @@ user= cfgfile= CONNECTED=0 MYDIR=`dirname $0` -. "$MYDIR/../lib.sh" do_connect() { @@ -28,11 +27,6 @@ do_connect() return fi - # authorize user, look for "connect" privilege - if ! authorized $endpoint $user connect; then - echo "ERR!User $user is not authorized to connect to $endpoint" - return - fi CONNECTED=1 echo "OK!connected to $endpoint" } diff --git a/gateways/switchvlans/main b/gateways/switchvlans/main index 5e82a4df..565b3b22 100755 --- a/gateways/switchvlans/main +++ b/gateways/switchvlans/main @@ -27,7 +27,6 @@ user= handler= CONNECTED=0 MYDIR=`dirname $0` -. "$MYDIR/../lib.sh" # Not only connect, but gather all the data at once and remember the context. do_connect() @@ -51,12 +50,6 @@ do_connect() ;; esac - # authorize user, look for "connect" privilege - if ! authorized $endpoint $user connect; then - echo "ERR!User $user is not authorized to connect to $endpoint" - return - fi - # prepare temp files PORTINFO=`mktemp /tmp/racktables.XXXX` if ! [ -f "$PORTINFO" ]; then @@ -128,11 +121,6 @@ do_set() continue fi [ "$curvlan" = "$newvlan" ] && continue - # Authorize user for each change. - if ! authorized $endpoint $user change $curvlan $newvlan; then - echo "E!User $user is not authorized to assign port $portname@$endpoint from VLAN $curvlan to VLAN $newvlan" >> "$REPLIES" - continue - fi echo "$portname $newvlan" >> "$REQUESTS" cmembers=`grep -c ",$newvlan$" "$PORTINFO"` if [ "$cmembers" = "0" -a $newvlan -lt 4096 ]; then diff --git a/gateways/switchvlans/userauth.php-sample b/gateways/switchvlans/userauth.php-sample deleted file mode 100644 index c34d02a6..00000000 --- a/gateways/switchvlans/userauth.php-sample +++ /dev/null @@ -1,20 +0,0 @@ - -- 2.25.1
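Review bot: After this change do_connect() in gateways/slbconfig/main and gateways/switchvlans/main proceeds to `CONNECTED=1` (or to the temp-file setup) with no permission check of its own, and do_set() in switchvlans/main queues every `$portname $newvlan` request without the per-change check, so both scripts now trust whoever invokes them. Nothing in the new code records that assumption; I would add a comment at each removal point, e.g. `# No authorization here: the caller (RackCode) must already have authorized $user for this endpoint/VLAN change.` It is also worth confirming that the higher-level rules keep the old per-VLAN granularity (curvlan to newvlan) and that the gateway scripts are only reachable through that layer, since neither is visible from these hunks. All three function bodies continue outside the hunks.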