i.rbac revision 6331
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
# See the License for the specific language governing permissions
# and limitations under the License.
# When distributing Covered Code, include this CDDL HEADER in each
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
# Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
# Portions Copyright 2013 Jens Elkner.
#
# NOTE(review): this listing is an excerpt. Many statements of the script
# (command names, braces, whole bodies) are not shown, so the fragments
# below do not form a runnable script on their own.
#
# class action script for "rbac" class files
# 2 - warning or possible error condition. Installation continues. A warning
# message is displayed at the time of completion.
# $3 is the "new (to be merged)" file
# returns 2 on failure if nawk fails with non-zero exit status
# If the new file has a Sun copyright, remove the Sun copyright from the old
        -e '/^# All rights reserved./d' \
        -e '/^# Use is subject to license terms./d' \
# If the new file has an Oracle copyright, remove both the Sun and Oracle
# copyrights from the old file.
    if [ -n "${oracle_cr}" ]; then
        -e '/^# All rights reserved./d' \
        -e '/^# Use is subject to license terms./d' \
        -e '/^# Copyright.*Oracle and\/or its affiliates./d' \
# If the new file has the CDDL, remove it from the old file.
# Remove empty lines and multiple instances of these comments:
        -e '/^# execution attributes for profiles./d' \
        -e '/^# See exec_attr(4)/d' \
        -e '/^# \/etc\/user_attr/d' \
        -e '/^# user attributes. see user_attr(4)/d' \
        -e '/^# \/etc\/security\/prof_attr/d' \
        -e '/^# profiles attributes. see prof_attr(4)/d' \
        -e '/^# See prof_attr(4)/d' \
        -e '/^# \/etc\/security\/auth_attr/d' \
        -e '/^# authorizations. see auth_attr(4)/d' \
        -e '/^# authorization attributes. see auth_attr(4)/d' \
# Retain old and new header comments.
# If the output file now has both Sun and Oracle copyrights, remove
    if [ -n "${sun_cr}" ] && [ -n "${oracle_cr}" ]; then
        -e '/^# All rights reserved./d' \
        -e '/^# Use is subject to license terms./d' \
# Handle line continuations (trailing \)
# Each -e expression below joins one continued line: N appends the next
# input line and s removes the backslash-newline pair. Twelve expressions
# are chained, so a record continued over more than twelve lines would
# stay split and reach the merge as separate lines.
# NOTE(review): presumably these are sed expressions (the command line
# itself is not shown); confirm the bound of twelve is enough for the
# databases this script processes.
        -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
        -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
        -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
        -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
        -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
        -e '/\\$/{N;s/\\\n//;}' -e '/\\$/{N;s/\\\n//;}' \
# The nawk script below processes the old and new files using up to
# three passes. If the old file is empty, only the final pass over
# dbmerge type=[auth|prof|user|exec] [ old-file new-file ] new-file
# Merge two versions of an RBAC database file. The output
# consists of the lines from the new-file, while preserving
# user customizations in the old-file.
# Entries in the new-file replace corresponding entries in the
# old-file, except as follows: For exec_attr, all old entries
# for profiles contained in the new-file are discarded. For
# user_attr, the "root" entry from the old-file is retained,
# and new keywords from the new-file are merged into it.
# Records with the same key field(s) are merged, so that the
# of the keywords found in all input records with the same key
# field(s). For selected multi-value keywords [1] the values from
# the new-file are merged with retained values from the old-file.
# Otherwise, the value for each keyword is the final value found
# in the new-file, except for keywords in the user_attr entry for
# "root" where values from the old-file are always retained.
# [1] The following file type and keyword combinations are merged:
# prof_attr: auths, profiles, privs
# user_attr: auths, profiles, roles
# NOTE(review): the description above implies that values already present
# in the old-file for the keywords listed under [1], and every keyword of
# the old "root" entry, can survive an upgrade. Confirm against the full
# script whether a package update can ever withdraw such a grant, and
# review the merged databases when a right was meant to be revoked.
# The output is run through sort except for the comments
# which will appear first in the output.
# This script may be invoked with up to three file names. Each file
# name corresponds to a separate processing pass. The passes are
# Pass 1: Read existing data.
# Data from the old-file is read into memory.
# Pass 2: Remove obsolete data.
# Discard any data from the old-file that is part of profiles that
# are also in the new-file. (As a special case, the user_attr entry
# Data from the new-file is merged with the remaining old-file data.
# (As a special case, exec_attr entries are replaced, not merged.)
    # The variable 'pass' specifies which type of processing to perform.
    # When processing only one file, skip passes 1 and 2.
    # [type, keyword] combinations subject to value merging.
    # Any pair not listed here is looked up as an unset element by
    # merge_values() and therefore takes its non-merge branch.
    keyword_behavior["prof", "auths"] = "merge";
    keyword_behavior["prof", "profiles"] = "merge";
    keyword_behavior["prof", "privs"] = "merge";
    keyword_behavior["user", "auths"] = "merge";
    keyword_behavior["user", "profiles"] = "merge";
    keyword_behavior["user", "roles"] = "merge";
# When FNR (current file record number) is 1 it indicates that nawk
# is starting to read the next file specified on its command line,
# and is beginning the next processing pass.
    # For each input line, nawk automatically assigns the complete
    # line to $0 and also splits the line at field separators and
    # assigns each field to a variable $1..$n. Assignment to $0
    # re-splits the line into the field variables. Conversely,
    # assignment to a variable $1..$n will cause $0 to be recomputed
    # from the field variable values.
    # This code adds awareness of escaped field separators by using
    # a custom function to split the line into a temporary array.
    # It assigns the empty string to $0 to clear any excess field
    # variables, and assigns the desired elements of the temporary
    # array back to the field variables $1..$7.
    # Subsequent code must not assign directly to $0 or the fields
    # will be re-split without regard to escaped field separators.
        # The attribute list is taken from $6 or $5 depending on the
        # branch; the conditions selecting each branch are not shown.
        record[key] = merge_attrs(record[key], $6);
        record[key] = merge_attrs(record[key], $5);
        key = $1 ":" $2 ":" $3 ":" $4 ":" $5 ":" $6 ;
        # For exec_attr, deletion is based on the 'name' field only,
        # so that all old entries for the profile are removed.
            split_escape(oldkey, oldkey_fields, ":");
            if (oldkey_fields[1] == $1)
        # Substitute new entries, do not merge.
        key = $1 ":" $2 ":" $3 ":" $4 ;
        record[key] = merge_attrs(record[key], $5);
        print key ":" comment[key] ":" record[key];
        print key ":" short_comment[key] ":" \
            long_comment[key] ":" record[key];
# Merge the ";"-separated keyword=value attributes of new into those of
# old and return the rejoined list. Parameters after new are used as
# local variables. (Parts of this body are not shown in this listing.)
function merge_attrs(old, new, cnt, new_cnt, i, j, list, new_list, keyword)
    cnt = split_escape(old, list, ";");
    new_cnt = split_escape(new, new_list, ";");
    for (i = 1; i <= new_cnt; i++) {
        # The text before the first "=" is the keyword. index() returns 0
        # when there is no "=", which leaves keyword as the empty string.
        keyword = substr(new_list[i], 1, index(new_list[i], "=")-1);
        for (j = 1; j <= cnt; j++) {
            # NOTE(review): keyword is spliced into a regular expression
            # unescaped, so a regex metacharacter in a keyword would change
            # what matches here. Keywords are presumably plain identifiers;
            # confirm, or compare the literal prefix instead.
            if (match(list[j], "^" keyword "=")) {
                list[j] = merge_values(keyword, list[j],
    return unsplit(list, cnt, ";"); \
# Combine the values of one keyword from an old and a new attribute and
# return keyword "=" followed by the "," joined result. Parameters after
# new are used as local variables. (Parts of this body are not shown.)
function merge_values(keyword, old, new, cnt, new_cnt, i, j, list, new_list, d)
    # Keywords with multivalued attributes that are subject to merging
    # are processed by the algorithm implemented further below.
    # Otherwise, the keyword is not subject to merging, and:
    # For user_attr, the existing value is retained.
    # For any other file, the new value is substituted.
    if (keyword_behavior[type, keyword] != "merge") {
    # length(keyword)+2 skips past the keyword and its "=".
    # NOTE(review): the values are split with the built-in split(), not
    # split_escape(), so a backslash-escaped "," inside a value would be
    # treated as a separator. Confirm that no such values occur.
    cnt = split(substr(old, length(keyword)+2), list, ",");
    new_cnt = split(substr(new, length(keyword)+2), new_list, ",");
    # If the existing list contains "All", remove it and add it
    # to the new list; that way "All" will appear at the only valid
    # location, the end of the list.
    if (keyword == "profiles") {
        for (i = 1; i <= cnt; i++) {
                new_list[++new_cnt] = "All";
    # Values are compared as exact strings; presumably a value already in
    # list is not appended again (the rest of this loop is not shown).
    for (i = 1; i <= new_cnt; i++) {
        for (j = 1; j <= cnt; j++) {
            if (list[j] == new_list[i])
    return keyword "=" unsplit(list, cnt, ",");
# This function is similar to the nawk built-in split() function,
# except that a "\" character may be used to escape any subsequent
# character, so that the escaped character will not be treated as a
# field separator or as part of a field separator regular expression.
# The "\" characters will remain in the elements of the output array
function split_escape(str, list, fs, cnt, saved, sep)
    # initialize empty list, cnt, saved
    # track whether last token was a field separator
    # nonzero str length indicates more string left to scan
            # field separator, terminates current field
            # RLENGTH is presumably set by a match() call on the line
            # before this one (not shown); this drops the matched text.
            str = substr(str, RLENGTH + 1);
        } else if (substr(str, 1, 1) == "\\") {
            # Copy the backslash together with the character after it,
            # so the escaped character is not tested as a separator.
            saved = saved substr(str, 1, 2);
            saved = saved substr(str, 1, 1);
    # if required, append final field to list
# Rejoin list elements with delim; called with cnt as the element count
# and str as a local variable. (The body is not shown in this listing.)
function unsplit(list, cnt, delim, str)
    # Make sure that the last mv uses rename(2) by first moving to
    # NOTE(review): the temporary file names and the mv calls are not
    # shown here. When reviewing the full script, check that the replaced
    # database keeps the owner and mode of the file it replaces.
    # Assumes basename $1 returns one of
    # prof_attr, exec_attr, auth_attr, or user_attr
    # Only these four type names are accepted; the message below is
    # presumably printed from the default branch (not shown).
    "prof"|"exec"|"user"|"auth") ;;
        echo "$0 : $src not one of {prof,exec,auth,user}_attr"
# The body of this branch lies beyond the end of the listing.
if [ "$1" = "ENDOFCLASS" ]; then