#!/bin/sh
#
#    Copyright (c) 2001-2007 Brocade Communications Systems, Inc.
#    All rights reserved.
#
#    File name:   passwd 
#    Module name: fabos/src/utils/sys
#
#    This script is a wrapper around the traditional /bin/passwd command
#    that saves the changed password to flash.
#

# We will not let the standby user use this command, if this is Ulyses
#Check for FIPS mode
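checkFipsMode() {
    # Report whether FIPS mode (real or simulated) is switched on.
    #
    # Globals:  FABOS_SWITCHNO (set to 0 for the queries, then restored);
    #           FABOS_SWITCHNO_TEMP, retVal1, retVal2, retVal (written)
    # Returns:  1 if "config get fips.mode 2" or "config get fips.simulate 2"
    #           printed the value 1, otherwise 0.
    #
    # "config get" for fips mode returns a value only if called from the
    # default VF, so FABOS_SWITCHNO is temporarily set to 0 and reverted to
    # its original value after the two queries.
    FABOS_SWITCHNO_TEMP=$FABOS_SWITCHNO
    FABOS_SWITCHNO=0
    retVal1=`/fabos/cliexec/config get fips.mode 2`
    retVal2=`/fabos/cliexec/config get fips.simulate 2`
    FABOS_SWITCHNO=$FABOS_SWITCHNO_TEMP
    retVal=0

    # The values are quoted so that an empty answer (query failed or printed
    # nothing) is an ordinary "not 1" instead of a malformed test expression;
    # stderr of the test is discarded for the same reason.
    # NOTE(review): an empty or non-numeric answer is therefore reported as
    # "FIPS not enabled" (fail-open), which matches the original behaviour.
    # Confirm that is acceptable for the root-account restriction that
    # depends on this result.
    if [ "$retVal1" -eq 1 ] 2>/dev/null; then
        return 1
    fi
    if [ "$retVal2" -eq 1 ] 2>/dev/null; then
        return 1
    fi
    return $retVal
}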

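# Fixed search path: the helper commands invoked by bare name below are
# looked up only in the directories listed here.
PATH=/fabos/cliexec:/fabos/sbin:/fabos/bin:/fabos/libexec:/bin:/sbin:/usr/bin

# Name under which the permission is looked up (the script's own base name).
cmd_name=${0##*/}

# RBAC gate. Command-level permission is checked when there are no
# arguments, when argument 1, 3 or 5 equals the logged-in account
# ($SWLOGNAME), or when exactly 2 or 4 arguments are given. In every other
# case the first argument is handed to rbac_check as well, so that the
# identified option is checked. Any non-zero result ends the script with
# status 127 before anything else runs.
#
# Each comparison is its own test joined with ||: POSIX "[" has no "==",
# and "-o" with operands that come from the command line can be misparsed.
if [ $# -eq 0 ] ||
    [ "$1" = "$SWLOGNAME" ] ||
    [ "$3" = "$SWLOGNAME" ] ||
    [ "$5" = "$SWLOGNAME" ] ||
    [ $# -eq 2 ] ||
    [ $# -eq 4 ]; then
    # Check RBAC permission on command
    /fabos/libexec/rbac_check "$cmd_name" || exit 127
else
    # Check RBAC permission on identified options
    /fabos/libexec/rbac_check "$cmd_name" "$1" || exit 127
fi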

# Refuse to run on the standby CP of a chassis-based system.
#
# $chassis_info is deliberately left unquoted in the echo calls, as in the
# original: word splitting flattens the getchassisconfig output onto one
# line, which the sed expressions appear to rely on.
chassis_info=$(getchassisconfig)
ischassis=$(echo $chassis_info |
    sed -n -e 's/.*Chassis based system: //gp' |
    sed -n -e 's/ .*//gp')
num_switches=$(echo $chassis_info |
    sed -n -e 's/Number of switches: //gp' |
    sed -n -e 's/ .*//gp')

if [ "$ischassis" = "Yes" ]; then
    # Take the line of hashow output that mentions "Local", strip all
    # spaces, and keep the text between the first ":" and the first ",".
    ACTIVE=$(/fabos/cliexec/hashow |
        /bin/grep Local |
        /bin/sed -e "s/[ ]*//g" |
        /usr/bin/cut -d: -f2 |
        /usr/bin/cut -d, -f1)
    # NOTE(review): the bare "exit" returns the status of the preceding
    # echo, so this refusal normally ends with status 0; callers cannot
    # tell it apart from success by exit code.
    [ "$ACTIVE" = "Active" ] || {
        echo "password can not be changed on standby CP."
        exit
    }
fi
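# In FIPS mode the admin login may not change the root account.
# The three conditions are separate tests joined with && rather than one
# "[ ... -a ... ]": with "-a", an argument string taken from the command
# line can make the whole expression malformed, and a malformed test would
# skip this restriction instead of applying it.
# NOTE(review): the target is matched against the whole argument string
# ("$*"), so the gate applies when "root" is the only argument. Confirm
# that invocations carrying options are covered by the RBAC check and by
# the ROLE_ID check further down.
checkFipsMode
fips_status=$?
if [ "$fips_status" -eq 1 ] && [ "$SWLOGNAME" = "admin" ] && [ "$*" = "root" ]; then
    echo "FIPS mode is enabled. root account changes are disabled"
    exit 1
fi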
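# Ask chkpasswd about the account(s) named on the command line, or about
# the logged-in account when no argument was given, and keep its exit
# status.
# The original redirection read "2>&1 /dev/null", which passes /dev/null to
# chkpasswd as an extra operand and discards nothing; the intended form
# ">/dev/null 2>&1" is used here. Arguments are forwarded as "$@" so they
# reach chkpasswd exactly as they were given.
if [ $# -ne 0 ]; then
    chkpasswd "$@" >/dev/null 2>&1
    DEFAULT_PASSWD_CHANGED=$?
else
    chkpasswd "$SWLOGNAME" >/dev/null 2>&1
    DEFAULT_PASSWD_CHANGED=$?
fi

# A chkpasswd status of 1 makes the wrapper refuse; judging by the messages
# below it means the login-time password prompts have not been answered
# yet (inferred, chkpasswd itself is not visible here).
# The refusal is skipped when $0 is exactly /fabos/bin/passwd, which allows
# setting the password if called by a script through that absolute path.
# NOTE(review): $0 only reflects how the wrapper was invoked, so it is not
# evidence of who the caller is; confirm that rbac_check, not this test, is
# the control that authorizes the change.
if [ "$DEFAULT_PASSWD_CHANGED" -eq 1 ] && [ "$0" != "/fabos/bin/passwd" ]; then
    # Number of "userConfig --show root" lines containing both "Enabled"
    # and "Yes"; non-zero is taken to mean the root account is enabled.
    rootenable=`/fabos/bin/userConfig --show root | /bin/grep "Enabled" | /bin/grep -c "Yes"`
    if [ "$rootenable" != "0" ]; then
        echo "You must first login as root or admin and answer password "
    else
        echo "You must first login as admin and answer password "
    fi
    echo "prompts before the passwd command may be run."
    exit 1
fi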

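# If RADIUS is enabled, the username must be specified as an argument.
# The value of AUTH_TYPE is 1 when RADIUS is enabled.
# AUTH_TYPE is quoted and defaulted to 0 so that an unset or empty value is
# a plain "RADIUS off" instead of a malformed test expression.
if [ "${AUTH_TYPE:-0}" -eq 1 ] && [ $# -lt 1 ]; then
    echo "RADIUS authentication is turned on."
    echo "Please specify a switch local account name with passwd command."
    exit 1
fi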

# Only a session whose ROLE_ID is "root" may name root as the first argument.
if [ $# -gt 0 ] && [ "$ROLE_ID" != "root" ] && [ "$1" = "root" ]; then
    echo "You must first login as root to change the password"
    exit 1
fi

# Decide whether the root warning is shown: with arguments, the whole
# argument string must be exactly "root"; without arguments, the logged-in
# account ($SWLOGNAME) must be root.
if [ $# -gt 0 ]; then
    target="$*"
else
    target="$SWLOGNAME"
fi
case "$target" in
    root) warning=1 ;;
    *)    warning=0 ;;
esac

if [ "$warning" -eq 1 ]; then
    # Defect 35041 requires a warning before changing the root password.
    printf '%s\n' \
        "" \
        "Warning:  Access to  the Root account may be required  for" \
        "proper  support  of  the switch.  Please  ensure  the Root" \
        "password is  documented in a secure location.  Recovery of" \
        "a lost Root password will result in fabric downtime." \
        ""
fi

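# non secure mode
# Run the real passwd with the caller's arguments. "$@" is used instead of
# an unquoted $* so the arguments are not re-split or glob-expanded:
# /bin/passwd must receive exactly the argument list that the permission
# and root checks above evaluated. Any failure ends the script with 1.
/bin/passwd "$@" || exit 1

# The password has been changed; ignore Ctrl-C from here on so the save to
# stable storage is not interrupted half-way.
trap "" INT
echo "Saving password to stable storage."
# Both files are always attempted, even if the first save fails.
config save /etc/passwd
configsave_result1=$?
config save /etc/shadow
configsave_result2=$?
if [ "$configsave_result1" -ne 0 ] || [ "$configsave_result2" -ne 0 ]; then
    echo "Failed to update password in stable storage."
    exit 1
fi

echo "Password saved to stable storage successfully."
# Announce the change for the affected account; the result and output of
# passwd_notify are ignored.
# NOTE(review): with arguments, $1 is used as the account name; if options
# precede the account, $1 is an option rather than a name. Confirm against
# passwd_notify's expectations.
if [ $# -eq 0 ]; then
    passwd_notify -s "$FABOS_SWITCHNO" "$SWLOGNAME" > /dev/null 2>&1
else
    passwd_notify -s "$FABOS_SWITCHNO" "$1" > /dev/null 2>&1
fi
exit 0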
