#!/bin/sh
#
#    Copyright (c) 2001-2007 Brocade Communications Systems, Inc.
#    All rights reserved.
#
#    File name:   passwddefault.sh.in 
#    Module name: fabos/src/utils/sys
#
#    This script resets all account passwords to factory default.

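PATH=/fabos/bin:/bin:/sbin

# Live copies, factory defaults and the /mnt (secondary partition) twins
# of every credential-related file this script resets.
PASSWD_FILE=/etc/passwd
PASSWD_DEF=/etc/passwd.default
PASSWD_FILE_BACK=/mnt/etc/passwd
PASSWD_PERM=/etc/passwd.perm
PASSWD_BACKUP=/etc/passwd.bak
GROUP_FILE=/etc/group
GROUP_DEF=/etc/group.default
GROUP_FILE_BACK=/mnt/etc/group
SHADOW_FILE=/etc/shadow
SHADOW_DEF=/etc/shadow.default
SHADOW_BACKUP=/etc/shadow.bak
SHADOW_FILE_BACK=/mnt/etc/shadow
DRBAC_FILE=/etc/fabos/rbac/dynamic
DRBAC_DEF=/etc/fabos/rbac/dynamic.default
DRBAC_FILE_BACK=/mnt/etc/fabos/rbac/dynamic
PASSWDCFG=/fabos/libexec/passwdcfgdefault
PASSWDSCN=/fabos/libexec/passwd_notify
FAILLOG_FILE=/etc/fabos/faillog
FAILLOG_FILE_BACK=/mnt/etc/fabos/faillog
OPASSWD_FILE=/etc/fabos/opasswd
OPASSWD_FILE_BACK=/mnt/etc/fabos/opasswd
USERDB_FILE=/etc/fabos/user.db
USERDB_AD_DEF=/etc/fabos/user.db.default
USERDB_FILE_BACK=/mnt/etc/fabos/user.db
USERDB_VF_DEF=/etc/fabos/user_vf.db.default
LOGFILE=/var/log/user.log
IMPORT_PUBKEY_DIR=/fabos/users/admin/.ssh
IMPORT_PUBKEY_FILE=authorized_keys
MNT_IMPORT_PUBKEY_DIR=/mnt/fabos/users/admin/.ssh
TIME_CONF=/etc/time.conf
STATUS=""
# Not referenced anywhere below; kept so the variable set is unchanged.
curlogin=$SWLOGNAME

# /sbin/getvf is queried ONCE: its exit status both selects the default
# user database (status 1 -> the "VF" database, presumably Virtual
# Fabrics enabled) and is written to the log. Calling it twice, as the
# old code did, could log a value different from the one acted upon.
/sbin/getvf
vf_status=$?
if [ "$vf_status" -eq 1 ]; then
	USERDB_DEF=$USERDB_VF_DEF
else
	USERDB_DEF=$USERDB_AD_DEF
fi

# Audit trail of this run; a failure to open the log is not fatal.
{
	echo "PASSWDDEFAULT"
	date
	echo "GETVF Value:"
	echo "$vf_status"
	echo "USERDB Name:"
	echo "$USERDB_DEF"
} >> "$LOGFILE"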

#zeroize the password related files
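#######################################
# Overwrite a file's contents in place with zero bytes, keeping its size.
# Arguments: $1 - path of the file to wipe
# Returns:   0 when there is nothing to do (missing or empty file),
#            otherwise the exit status of dd
#######################################
zeroize() {
	target=$1
	# Nothing to wipe if the path is absent or not a regular file (the old
	# "ls -l | awk" produced an empty size here and dd failed noisily).
	[ -f "$target" ] || return 0
	# Byte count without parsing ls output; tr strips the padding some
	# wc implementations print.
	length=$(wc -c < "$target" | tr -d ' ')
	# dd rejects bs=0, and an empty file holds nothing to overwrite.
	[ "$length" -gt 0 ] || return 0
	# NOTE(review): an in-place overwrite only reaches the file's current
	# blocks; on journaling/CoW/flash media older copies may survive.
	dd if=/dev/zero of="$target" bs="$length" count=1 2> /dev/null
}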
# Block the command in secure mode and in FIPS mode (checks follow below).

# Current runlevel (e.g. "N 3"); several gates below act only at runlevel 3.
runlev=$(runlevel)
#Check for FIPS mode
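#######################################
# Report whether the switch runs in FIPS mode (real or simulated).
# Globals:   FABOS_SWITCHNO - forced to 0 around the two "config get"
#            calls and then restored (assumes the variable is exported
#            by the caller so the child process sees it - TODO confirm)
# Returns:   1 when fips.mode or fips.simulate reads "1", else 0.
#            An empty or unreadable value counts as "not FIPS", i.e. the
#            check fails open; callers needing fail-closed must add that.
#######################################
checkFipsMode() {
	# "config get" for the fips keys only answers from the default VF.
	savedSwitchNo=$FABOS_SWITCHNO
	FABOS_SWITCHNO=0
	fipsMode=$(/fabos/cliexec/config get fips.mode 2)
	fipsSim=$(/fabos/cliexec/config get fips.simulate 2)
	FABOS_SWITCHNO=$savedSwitchNo

	# String comparison: with "-eq" an empty answer made "[" error out and
	# the function silently fell through to "not FIPS".
	if [ "$fipsMode" = "1" ] || [ "$fipsSim" = "1" ]; then
		return 1
	fi
	return 0
}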

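# Gate the command unless invoked through the internal entry point: at
# runlevel 3 it is refused in FIPS mode (except for the "zeroize" action)
# and on a switch in secure mode.
if [ "$0" != "/fabos/libexec/passwdDefaultInt" ] && [ "$runlev" = "N 3" ]; then
	checkFipsMode
	# checkFipsMode returns 1 when FIPS (or FIPS simulation) is on.
	if [ $? -eq 1 ] && [ "$1" != "zeroize" ]; then
		echo "Command not allowed in FIPS mode."
		exit 1
	fi

	secmode=$(/fabos/libexec/secModeGet "$FABOS_SWITCHNO")
	if [ "$secmode" = "1" ]; then
		echo "passwdDefault: This command may not be executed on a"\
			"secured switch."
		exit 1
	fi
fi

# Interactive confirmation; anything other than y/Y (including EOF on a
# non-interactive stdin) aborts. "-r" keeps a typed backslash literal.
echo "Warning! All user(s) and password configuration will be reset to factory default."
echo "      Do you want to continue? [y/n] :"
read -r response
case "$response" in
	y|Y)
		;;
	*)
		echo "Operation cancelled."
		exit
		;;
esac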

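# Restore the password policy defaults first (CLI entry point at runlevel 3
# only, and only when the helper is installed).
if [ -f "$PASSWDCFG" ] && [ "$0" != "/fabos/libexec/passwdDefaultInt" ] &&
	[ "$runlev" = "N 3" ]; then
	"$PASSWDCFG"
fi

#######################################
# Replace DST with its factory default SRC, optionally wiping DST first.
# The live file is wiped BEFORE the copy so the old content is overwritten
# in the existing inode (the copy then lands in that same inode); a failed
# copy therefore leaves no usable DST, which is why it is fatal.
# Arguments: $1 - default file (silently skipped when absent)
#            $2 - destination file
#            $3 - label used in the failure message
#            $4 - "wipe" to zeroize $2 before copying
# Exits 1 after printing the message when the copy fails.
#######################################
install_default() {
	[ -f "$1" ] || return 0
	if [ "$4" = "wipe" ]; then
		zeroize "$2"
	fi
	if ! cp "$1" "$2"; then
		echo "Failed to set $3 to default."
		exit 1
	fi
}

#######################################
# Wipe and delete a leftover credential file together with its /mnt twin.
# Arguments: $1 - absolute path of the file (nothing happens when absent)
#######################################
wipe_leftover() {
	if [ -f "$1" ]; then
		zeroize "$1"
		zeroize "/mnt$1"
		rm -f "$1" "/mnt$1"
	fi
}

#######################################
# Empty a log-style file, optionally zeroizing it first when it has content.
# Arguments: $1 - file (silently skipped when absent)
#            $2 - label used in the failure message
#            $3 - "wipe" to zeroize a non-empty $1 before truncating
# Exits 1 after printing the message when truncation fails.
#######################################
truncate_file() {
	[ -f "$1" ] || return 0
	if [ "$3" = "wipe" ] && [ -s "$1" ]; then
		zeroize "$1"
	fi
	if ! cp /dev/null "$1"; then
		echo "Failed to set $2 to default."
		exit 1
	fi
}

# The default passwd file is mandatory; every other default is optional.
if [ ! -f "$PASSWD_DEF" ]; then
	echo "Cannot find the default password file!"
	exit 1
fi

# --- live copies ---
install_default "$PASSWD_DEF" "$PASSWD_FILE" "password" wipe
wipe_leftover "$PASSWD_PERM"
wipe_leftover "$PASSWD_BACKUP"
wipe_leftover "$SHADOW_BACKUP"
install_default "$GROUP_DEF" "$GROUP_FILE" "group" wipe
install_default "$SHADOW_DEF" "$SHADOW_FILE" "shadow" wipe
install_default "$DRBAC_DEF" "$DRBAC_FILE" "role database"
truncate_file "$FAILLOG_FILE" "faillog"
truncate_file "$OPASSWD_FILE" "passwd history" wipe
if [ -f "$USERDB_DEF" ]; then
	install_default "$USERDB_DEF" "$USERDB_FILE" "user database"
	rm -f "$USERDB_FILE".rpm*
fi

# --- /mnt twins (secondary partition) ---
install_default "$PASSWD_DEF" "$PASSWD_FILE_BACK" "password" wipe
install_default "$GROUP_DEF" "$GROUP_FILE_BACK" "group" wipe
install_default "$SHADOW_DEF" "$SHADOW_FILE_BACK" "shadow" wipe
install_default "$DRBAC_DEF" "$DRBAC_FILE_BACK" "role database"
truncate_file "$FAILLOG_FILE_BACK" "faillog"
# Fix: the old code tested the LIVE opasswd (already emptied above) and so
# never zeroized the /mnt password-history copy before truncating it.
truncate_file "$OPASSWD_FILE_BACK" "passwd history" wipe
if [ -f "$USERDB_DEF" ]; then
	install_default "$USERDB_DEF" "$USERDB_FILE_BACK" "user database"
	# Fix: this cleanup used to sit after "exit 1" inside the failure
	# branch and therefore never ran.
	rm -f "$USERDB_FILE_BACK".rpm*
fi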

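# Default password-hash / root-access configuration lives in the default
# switch, so FABOS_SWITCHNO is forced to 0 around the "config set" calls
# and restored afterwards (assumes the variable is exported - TODO confirm).
FABOS_SWITCHNO_TEMP=$FABOS_SWITCHNO
FABOS_SWITCHNO=0
/fabos/cliexec/config set passwdcfg.hash 5 sha512
/fabos/cliexec/config set passwdcfg.manualHashChange 2 0
SUPPLIER_ID=$(/fabos/bin/chassisshow | /bin/awk '/ID/ {print $2}')
# Fix: "==" inside "[" is a bashism; under a strict /bin/sh the test
# errors out and every chassis would silently fall into the else branch.
if [ "$SUPPLIER_ID" = "BRD0000HU" ]; then
	/fabos/cliexec/config set root.access 5 none
else
	/fabos/cliexec/config set root.access 5 consoleonly
fi
/fabos/cliexec/config update
FABOS_SWITCHNO=$FABOS_SWITCHNO_TEMP

# Chassis (dual CP) vs. pizza-box: prefer the cliexec hashow when present
# (a plain existence test instead of capturing "ls" output).
if [ -e /fabos/cliexec/hashow ]; then
	hashow_cmd=/fabos/cliexec/hashow
else
	hashow_cmd=/fabos/bin/hashow
fi

# The first line of hashow says whether this is the active CP of a pair;
# the unquoted echo deliberately collapses whitespace before matching.
passwd_default_cp=0
case "$($hashow_cmd | ( read -r a; echo $a ))" in
	*Local*Active*)
		passwd_default_cp=1
		;;
	*"Not supported"*)
		passwd_default_cp=0
		;;
	*)
		;;
esac

if [ "$passwd_default_cp" -eq 1 ]; then
	# Only push the reset files to the standby CP when HA reports
	# "State sync"; otherwise the reset stays confined to this CP.
	sync=$(/fabos/bin/hashow | sed -n -e 's/^.\+\(State sync\).\+$/\1/gp')
	if [ "$sync" != "State sync" ]; then
		echo "HA is out of sync. passworddefault is done only on current CP"
	else
		/fabos/cliexec/config save /etc/passwd
		/fabos/cliexec/config save /etc/group
		/fabos/cliexec/config save /etc/shadow
		/fabos/cliexec/config save /etc/fabos/rbac/dynamic # 6.5(A)-6.4(S)??
	fi
fi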
		
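sync;sync;sync

#######################################
# Empty and delete every "$IMPORT_PUBKEY_FILE*" file in a directory so that
# keys imported for the admin account no longer grant access.
# Globals:   IMPORT_PUBKEY_FILE (read)
# Arguments: $1 - directory holding the key files (missing dir is a no-op)
#######################################
drop_authorized_keys() {
	keydir=$1
	# Fix: the old code "cd"ed without checking the result, so a missing
	# directory made the loop truncate authorized_keys* files in whatever
	# the current directory happened to be. Full paths and a shell glob
	# avoid both the cd and the parsing of "ls" output.
	[ -d "$keydir" ] || return 0
	for keyfile in "$keydir/$IMPORT_PUBKEY_FILE"*; do
		[ -f "$keyfile" ] || continue
		: > "$keyfile"
	done
	rm -f "$keydir/$IMPORT_PUBKEY_FILE"*
}

# After defaulting settings, user accounts' authorized keys need to be removed.
drop_authorized_keys "$IMPORT_PUBKEY_DIR"
drop_authorized_keys "$MNT_IMPORT_PUBKEY_DIR"
if [ -f "$IMPORT_PUBKEY_DIR/authorizedKeys.tar" ]; then
	: > "$IMPORT_PUBKEY_DIR/authorizedKeys.tar"
fi
/fabos/cliexec/config save "$IMPORT_PUBKEY_DIR/authorizedKeys.tar"
/fabos/cliexec/secInternalScript updateallowedlogin admin

# After defaulting settings, per-user passwdcfg needs to be removed. Any
# "passwdcfg.perusercfg" entry triggers the reset; the old "-eq 1" test
# skipped it whenever more than one line matched.
if /fabos/cliexec/configshow -all | grep -q "passwdcfg.perusercfg"; then
	echo 'Y' | /fabos/abin/passwdcfg --deleteuser -all > /dev/null
	if [ $? -ne 0 ]; then
		echo "Passwdcfg reset not successful."
	fi
fi

# Generate the password change notification (SCN) to the clients.
if [ -f "$PASSWDSCN" ] && [ "$runlev" = "N 3" ]; then
	"$PASSWDSCN" -s "$FABOS_SWITCHNO" "all" > /dev/null 2>&1
fi

if [ -f "$TIME_CONF" ]; then
	zeroize "$TIME_CONF"
	zeroize "/mnt$TIME_CONF"
	rm -f "$TIME_CONF" "/mnt$TIME_CONF"
fi
echo "All account passwords have been successfully set to factory default."

# Terminate root's session unless this is the "zeroize" action.
if [ "$1" != "zeroize" ]; then
	/fabos/libexec/usrlogout -user root genericmsg
fi
exit 0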
