#!/bin/sh
#
#    Copyright (c) 2001 Brocade Communications Systems, Inc.
#    All rights reserved.
#
#    File name:   chkdefaultpasswds 
#    Module name: fabos/src/utils/sys
#
#    This script is to check at admin login time if
#    the default passwords have been changed or not. If passwords 
#    for admin, factory or user are still default then admin is prompted
#    for new passwords, and finally the changes are saved to stable storage.
#
# Pin the command search path to fixed system directories. chkpasswd and
# passwd_notify are invoked below without a directory prefix, so they are
# resolved through this PATH rather than one inherited from the login
# environment.
PATH='/bin:/fabos/bin:/fabos/sbin:/fabos/libexec:/fabos/cliexec'
# echo is always run by absolute path through this variable.
ECHO='/bin/echo'
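#######################################
# SIGINT handler: leave the script, first persisting any password that was
# already changed during this run.
# Globals:
#   root_passwd_change_interrupted (read) - 1 while a password prompt is
#                                           outstanding
#   paschanged (read)                     - 1 once any password was changed
# Outputs:
#   Writes a "will prompt again" notice to stdout on the non-interrupted path.
# Exit status:
#   2 when a password prompt was outstanding, 1 otherwise.
#######################################
myexit( )
{
   # Both flags default to 0 and are quoted: the trap can fire before the
   # main script has assigned them, and an empty operand would make the
   # numeric test fail with a "unary operator expected" diagnostic.
   if [ "${root_passwd_change_interrupted:-0}" -eq 1 ]; then
      if [ "${paschanged:-0}" -eq 1 ]; then
         /fabos/cliexec/config save /etc/passwd
         /fabos/cliexec/config save /etc/shadow
      fi
      # NOTE(review): terminal echo is not restored on this path, unlike the
      # path below - confirm the caller resets the tty after exit status 2.
      exit 2
   fi
   printf "\n"
   printf "Password was not changed. Will prompt again at next login\n"
   printf "until password is changed."
   printf "\n"
   # A password prompt may have left echo disabled; turn it back on.
   /bin/stty echo
   if [ "${paschanged:-0}" -eq 1 ]; then
      /fabos/cliexec/config save /etc/passwd
      /fabos/cliexec/config save /etc/shadow
   fi
   exit 1
}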

# Work out which accounts to check from the login name in SWLOGNAME.
# NOTE(review): the account list is driven entirely by this environment
# variable - confirm it is set by the login path and cannot be overridden
# by the session user.
currentuser=$($ECHO $SWLOGNAME)
case "$currentuser" in
	root)
		# Only a root login is also asked about the root account.
		USERS="root admin user"
		;;
	*)
		USERS="admin user"
		;;
esac

# Changing the default passwords requires the root, admin or factory chassis
# role; CHASSIS_ROLEID holds the GID of the caller's chassis role, and only
# the values 0 and 600 are accepted here. The "user" account is exempt so
# that a "user" login is still forced to change its own default password.
# The role check is applied whenever VF_ENABLED is anything other than 0
# (including unset); when it is 0 the check is skipped.
# NOTE(review): VF_ENABLED and CHASSIS_ROLEID are read from the environment -
# confirm they are set by the login path and not by the session user.
if [ "$VF_ENABLED" != 0 ] && [ "$currentuser" != "user" ]; then
	case "$CHASSIS_ROLEID" in
		0|600)
			;;
		*)
			exit 1
			;;
	esac
fi

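# Per-run state.
# INPUT and exit_msg_displayed are initialised here but not read anywhere
# else in this script.
INPUT=""
exit_msg_displayed=0
# Set to 1 once the "default root password" warning has been printed.
warning_msg_displayed=0
# Set to 1 once any password has been changed successfully.
paschanged=0
# Set to 1 while a password prompt is outstanding.
root_passwd_change_interrupted=0
# Install the SIGINT handler only after the flags it reads have been
# initialised, so an early interrupt never sees them unset.
trap myexit  INT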

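# Walk the selected accounts and force a password change for each one that
# chkpasswd reports with status 1.
# USERS is a space-separated list and is deliberately left unquoted here so
# that it splits into one account name per iteration.
for username in $USERS; do
	# A "user" login has less privilege than "admin", so it is never asked
	# to change the admin password.
	if [ "$currentuser" = "user" ] && [ "$username" = "admin" ]; then
		continue
	fi

	# An admin login is not offered the root password prompt; it only gets
	# a one-time warning when chkpasswd flags root and the root account is
	# enabled.
	if [ "$currentuser" = "admin" ]; then
		warn="Warning: Default password not changed for"
		message=". Please login as 'root' to change it."
		chkpasswd "root" "admin"
		stat1=$?
		if [ "$stat1" -eq 1 ]; then
			warn1=" 'root'"
		fi
		if [ "$warning_msg_displayed" -eq 0 ] && [ "$stat1" -eq 1 ]; then
			# Count the "Enabled ... Yes" lines in the account listing.
			# grep -c prints a bare integer, and the :-0 default keeps
			# the warning suppressed if the pipeline produced nothing.
			rootenable=$(/fabos/bin/userConfig --show root | /bin/grep "Enabled" | /bin/grep -c "Yes")
			if [ "${rootenable:-0}" -ne 0 ]; then
				$ECHO "$warn$warn1$message"
				warning_msg_displayed=1
			fi
		fi
	fi

	chkpasswd "$username"
	stat=$?
	# Status 1 is what triggers the prompt; presumably it means the account
	# still has its default password - confirm against chkpasswd.
	if [ "$stat" -eq 1 ]; then
		# Mark a prompt as outstanding so that an interrupt makes myexit
		# take its exit-status-2 path.
		case "$username" in
			root)
				root_passwd_change_interrupted=1
				$ECHO "Warning:  Access to  the Root account may be required  for"
				$ECHO "proper  support  of  the switch.  Please  ensure  the Root "
				$ECHO "password is documented in a secure location.  Recovery of a lost Root"
				$ECHO "password will result in fabric downtime."
				$ECHO
				;;
			admin|user)
				root_passwd_change_interrupted=1
				;;
		esac

		$ECHO "for user - $username"
		# The "user" profile has no root/admin chassis role, so passwd
		# cannot be given an account argument in that case.
		if [ "$currentuser" = "user" ] && [ "$username" = "user" ]; then
			/bin/passwd
		else
			/bin/passwd "$username"
		fi
		stat=$?

		if [ "$stat" -eq 0 ]; then
			paschanged=1
			case "$username" in
				root|admin|user)
					root_passwd_change_interrupted=0
					;;
			esac
			# NOTE(review): FABOS_SWITCHNO is left unquoted as in the
			# original; if it can be empty, -s takes the account name as
			# its argument - confirm it is always set at login.
			passwd_notify -s $FABOS_SWITCHNO "$username"
		else
			$ECHO "Failed to change password for '$username' account"
			# A password changed earlier in this run must still reach
			# stable storage before leaving, as the interrupt handler
			# does; otherwise the stored copy keeps the old password.
			if [ "$paschanged" -eq 1 ]; then
				/fabos/cliexec/config save /etc/passwd
				/fabos/cliexec/config save /etc/shadow
			fi
			exit 2
		fi
	fi
done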

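# Ignore SIGINT from here on so the save below cannot be interrupted.
trap  "" INT
# Persist the account files only when at least one password was changed.
if [ "${paschanged:-0}" -eq 1 ]; then
	$ECHO "Saving passwords to stable storage."
	save_failed=0
	for savefile in /etc/passwd /etc/shadow; do
		/fabos/cliexec/config save "$savefile"
		configsave_result=$?
		if [ "$configsave_result" -ne 0 ]; then
			$ECHO "Failed to update passwords in stable storage"
			save_failed=1
		fi
	done
	# Report success only when both files were saved; a failed
	# /etc/passwd save must not be followed by a success message.
	if [ "$save_failed" -eq 0 ]; then
		$ECHO "Passwords saved to stable storage successfully"
	fi
fi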
