#!/bin/sh
#
#    Copyright (c) 2001-2007 Brocade Communications Systems, Inc.
#    All rights reserved.
#
#    File name:   passwd 
#    Module name: fabos/src/utils/sys
#
#    This script is a wrapper around the traditional /bin/passwd command
#    that also saves the changed password to flash.
#

# We will not let the standby user use this command, if this is Ulyses
#Check for FIPS mode
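#######################################
# Report whether FIPS mode (real or simulated) is switched on.
# Globals:   FABOS_SWITCHNO (forced to 0 around the lookups, then restored)
# Arguments: none
# Returns:   1 if "config get fips.mode" or "config get fips.simulate"
#            yields 1, otherwise 0
#######################################
checkFipsMode() {
	local saved_switchno fips_mode fips_simulate

	# "config get" for fips mode returns a value only when called from the
	# default VF, so FABOS_SWITCHNO is set to 0 for the two lookups and put
	# back to its previous value afterwards.
	saved_switchno=$FABOS_SWITCHNO
	FABOS_SWITCHNO=0
	fips_mode=$(/fabos/cliexec/config get fips.mode 2)
	fips_simulate=$(/fabos/cliexec/config get fips.simulate 2)
	FABOS_SWITCHNO=$saved_switchno

	# An empty answer is compared as 0 so that a failed lookup no longer
	# produces a "[: unary operator expected" error from the test itself.
	# NOTE(review): a failed or empty lookup is still reported as "FIPS off"
	# (fail-open); confirm that this is the intended default.
	if [ "${fips_mode:-0}" -eq 1 ]; then
		return 1
	fi
	if [ "${fips_simulate:-0}" -eq 1 ]; then
		return 1
	fi
	return 0
}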

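# Fixed search path for the helper commands this wrapper runs by bare name.
PATH=/fabos/cliexec:/fabos/sbin:/fabos/bin:/fabos/libexec:/bin:/sbin:/usr/bin

# A non-empty GEPS_APP_NAME marks a call coming from the REST layer.
# The echo/unquoted form is kept on purpose: it collapses a whitespace-only
# value to empty, so turning it into a plain assignment would widen the set
# of values that skip the checks below.
# shellcheck disable=SC2086,SC2116
restCaller=$(echo $GEPS_APP_NAME)

# The RBAC check and the argument-shape checks run only for non-REST callers.
# The original comment gives the reason: the RBAC check fails for REST calls
# because the VF environment variable it needs is not set there.
# NOTE(review): this gate trusts an environment variable. It is only sound if
# the invoking context guarantees that an unprivileged caller cannot set
# GEPS_APP_NAME before this script starts - confirm, or gate on something the
# caller cannot influence.
if [[ -z $restCaller ]]; then
	cmd_name=$(basename "$0")

	# The check is made on the command alone when there are no arguments,
	# when the caller's own login name appears as argument 1, 3 or 5, or
	# when there are exactly 2 or 4 arguments. Otherwise the first argument
	# is passed along so rbac_check can judge it as well.
	# Separate [ ] tests joined with || replace the obsolescent -o form,
	# which can misparse when an argument looks like a test operator.
	if [ $# -eq 0 ] ||
		[ "$1" = "$SWLOGNAME" ] || [ "$3" = "$SWLOGNAME" ] || [ "$5" = "$SWLOGNAME" ] ||
		[ $# -eq 2 ] || [ $# -eq 4 ]; then
		/fabos/libexec/rbac_check "$cmd_name"
	else
		# Quoted so that whitespace or glob characters in the argument
		# cannot turn it into several rbac_check arguments.
		/fabos/libexec/rbac_check "$cmd_name" "$1"
	fi
	if [ $? -ne 0 ]; then
		exit 127
	fi

	# At most five arguments are accepted.
	if [ $# -gt 5 ]; then
		/bin/passwd -help
		exit 1
	fi

	# Argument-shape check: every argument other than -old / -new must be
	# either the first argument or come directly after -old / -new.
	# The arguments are walked directly instead of through a copy that ends
	# in a "NULL" sentinel, so an argument whose text is literally NULL no
	# longer stops the check before the remaining arguments are examined.
	count=0
	oflag=0
	for arg in "$@"; do
		case "$arg" in
			-old | -new)
				oflag=1
				;;
			*)
				if [ "$count" -ne 0 ] && [ "$oflag" -ne 1 ]; then
					/bin/passwd -help
					exit 1
				fi
				oflag=0
				;;
		esac
		count=$((count + 1))
	done
fi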
# Refuse to change passwords on the standby CP of a chassis-based system.
#
# getchassisconfig is queried once and both values below are cut out of its
# output with sed.
# NOTE: $chassis_info is expanded unquoted, which joins the output into one
# space-separated line before sed sees it. The expressions below appear to
# rely on that (TODO confirm against real getchassisconfig output), so do not
# quote the expansion without re-checking the parsing.
chassis_info=`getchassisconfig`
ischassis=`echo $chassis_info | \
	sed -n -e 's/.*Chassis based system: //gp' | \
	sed -n -e 's/ .*//gp'`
# num_switches is computed here but not referenced again in this file.
num_switches=`echo $chassis_info | \
	sed -n -e 's/Number of switches: //gp' | \
	sed -n -e 's/ .*//gp'`
if [ "$ischassis" = "Yes" ]; then
	# From the hashow line(s) containing "Local": remove all spaces, take
	# the text after the first ':' and keep what precedes the first ','.
	ACTIVE=`/fabos/cliexec/hashow | /bin/grep Local | \
	    /bin/sed -e "s/[ ]*//g" | /usr/bin/cut -d: -f2 | \
	    /usr/bin/cut -d, -f1`
	if [ "$ACTIVE" != "Active" ]; then
		echo "password can not be changed on standby CP."
		# NOTE(review): a bare "exit" returns the status of the echo
		# above, normally 0, so a caller cannot tell this refusal from
		# a successful password change by exit code alone.
		exit
	fi
fi
# With FIPS mode on, a session logged in as "admin" may not change the root
# account when "root" is the complete argument string.
# NOTE(review): the comparison is against the whole argument string, so only
# the single-argument form is matched here; confirm whether the other
# argument forms need the same restriction.
checkFipsMode
fips_rc=$?
if [ "$fips_rc" -eq 1 ] && [ "$SWLOGNAME" = "admin" ] && [ "$*" = "root" ]; then
    echo "FIPS mode is enabled. root account changes are disabled"
    exit 1
fi
# Run chkpasswd on the command-line arguments, or on the logged-in account
# when there are none, and keep its exit status in DEFAULT_PASSWD_CHANGED.
# That value is compared against 1 further down in this script.
# NOTE(review): "2>&1 /dev/null" does not discard output. It sends stderr to
# stdout and hands the literal path /dev/null to chkpasswd as one more
# argument; ">/dev/null 2>&1" was presumably intended. Check how chkpasswd
# treats extra arguments before changing it, because its exit status feeds
# the gate below.
# NOTE(review): $* and $SWLOGNAME are unquoted, so a value containing
# whitespace or glob characters is split or expanded before chkpasswd runs.
if [ $# != "0" ]; then
    chkpasswd $* 2>&1 /dev/null
    DEFAULT_PASSWD_CHANGED=$?
else 
        chkpasswd $SWLOGNAME 2>&1 /dev/null
        DEFAULT_PASSWD_CHANGED=$?
fi

# Only a session whose ROLE_ID is "root" may name root as the first argument.
# NOTE(review): only the first argument is compared with "root"; the RBAC
# test earlier in this script also looks for an account name in arguments 3
# and 5, so confirm whether those positions need the same check.
if [ $# -ne 0 ] && [ "$ROLE_ID" != "root" ] && [ "$1" = "root" ]; then
    echo "You must login as root to change the password for root account"
    exit 1
fi


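# Stop here when chkpasswd reported status 1 for the account, unless the
# script was started as /fabos/bin/passwd (the original comment: allow
# setting the password if called by a script through the absolute path).
# Both expansions are quoted: unquoted, a $0 containing whitespace made the
# test itself fail with a syntax error, which silently skipped this gate.
# NOTE(review): $0 reflects how the caller spelled the command, not who the
# caller is; confirm that this exemption is acceptable as an access decision.
if [ "${DEFAULT_PASSWD_CHANGED:-0}" -eq 1 ] && [ "$0" != "/fabos/bin/passwd" ]; then
    # Count the "Enabled" lines of the root account record that say "Yes".
    rootenable=$(/fabos/bin/userConfig --show root | /bin/grep "Enabled" | /bin/grep "Yes" | /usr/bin/wc -l)

    # Numeric comparison tolerates padding in the wc output. An empty or
    # non-numeric count takes the admin-only message, as it did before.
    if [ "$rootenable" -ne 0 ]; then
        echo "You must first login as root or admin and answer password "
    else
        echo "You must first login as admin and answer password "
    fi
    echo "prompts before the passwd command may be run."
    exit 1
fi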

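# When RADIUS is enabled (AUTH_TYPE is 1) the account name must be given as
# an argument. An unset or empty AUTH_TYPE is compared as 0, so the test no
# longer fails with a syntax error when the variable is missing; the outcome
# in that case (no RADIUS restriction) is the same as before.
if [ "${AUTH_TYPE:-0}" -eq 1 ] && [ $# -lt 1 ]; then
	echo "RADIUS authentication is turned on."
	echo "Please specify a switch local account name with passwd command."
	exit 1
fi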

# Decide whether the root-password warning applies: either "root" is the
# complete argument string, or there are no arguments and the logged-in
# account is root.
warning=0
if [ $# -ne 0 ]; then
    if [ "$*" = "root" ]; then
        warning=1
    fi
elif [ "$SWLOGNAME" = "root" ]; then
    warning=1
fi

# Defect 35041: a warning is required before the root password is changed.
if [ "$warning" -ne 0 ]; then
    printf '%s\n' \
        "" \
        "Warning:  Access to  the Root account may be required  for" \
        "proper  support  of  the switch.  Please  ensure  the Root" \
        "password is  documented in a secure location.  Recovery of" \
        "a lost Root password will result in fabric downtime." \
        ""
fi
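# non secure mode
# Hand the arguments to the real /bin/passwd, then save /etc/passwd and
# /etc/shadow to stable storage if it succeeded.
#
# "$@" keeps every argument exactly as received; the unquoted $* used before
# for the zero/one-argument case let whitespace or glob characters in a
# single argument become several /bin/passwd arguments.
# NOTE(review): the values following -old / -new (presumably the old and new
# passwords) travel in argv, where process listings may expose them to other
# local users; confirm that is acceptable on this platform.
if [ $# -le 4 ]; then
	/bin/passwd "$@"
elif [ $# -eq 5 ]; then
	if [[ -z $restCaller ]]; then
		/bin/passwd "$@"
	else
		# REST caller: fold stderr into stdout.
		/bin/passwd "$@" > /dev/stdout 2>&1
	fi
fi
# Capture the status immediately: the tests below overwrite $?.
# NOTE(review): with more than five arguments (reachable only for REST
# callers, which skip the argument-count check) no branch above runs, the
# status is 0 and the save path below is taken. Confirm whether that case
# should be rejected instead.
passwd_rc=$?

if [ "$passwd_rc" -eq 0 ]; then
	# Ignore Ctrl-C from here on so the save cannot be interrupted midway.
	trap "" INT
	echo "Saving password to stable storage."
	config save /etc/passwd
	configsave_result1=$?
	config save /etc/shadow
	configsave_result2=$?
	if [ "$configsave_result1" -ne 0 ] || [ "$configsave_result2" -ne 0 ]; then
		echo "Failed to update password in stable storage."
		exit 1
	fi

	echo "Password saved to stable storage successfully."
	# Notify for the logged-in account when no argument was given,
	# otherwise for the first argument.
	if [ $# -eq 0 ]; then
		notify_user=$SWLOGNAME
	else
		notify_user=$1
	fi
	passwd_notify -s "$FABOS_SWITCHNO" "$notify_user" > /dev/null 2>&1
	exit 0
fi

# Failure path. REST callers get the real /bin/passwd status; before, $? was
# read after the [[ ]] test and therefore always printed 0.
if [[ -n $restCaller ]]; then
	echo "Password change failed:$passwd_rc"
fi
exit 1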
