#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: Test faillog via ssh for root
## roles: [domaincontroller_master]
## tags: [basic, univention]
## packages: [univention-directory-manager-tools, openssh-server]
## exposure: dangerous
## versions:
##  1.0-0: skip
##  2.4-0: fixed

# shellcheck source=../../lib/ucr.sh
. "$TESTLIBPATH/ucr.sh" || exit 137
# shellcheck source=../../lib/base.sh
. "$TESTLIBPATH/base.sh" || exit 137

RETVAL=100
NAME=root

ucr set \
	auth/faillog=yes \
	auth/faillog/limit=6 \
	auth/faillog/root=yes \
	sshd/challengeresponse=yes \
	sshd/passwordauthentication=no

invoke-rc.d ssh restart

tdir=$(mktemp -d)
trap "rm -rf '$tdir' ; ucr_restore ; invoke-rc.d ssh restart" EXIT
fake_passwd="$tdir/fake_passwd"
echo "foobar1234" >"$fake_passwd"

ssh_login () {
	univention-ssh -timeout 10 "$1" -o NumberOfPasswordPrompts=3 "$NAME@$hostname.$domainname" /usr/sbin/ucr get hostname
}

info "Lock reset"
pam_tally --user "$NAME" --reset
ssh_hostname="$(ssh_login "$tests_root_pwdfile")"
if [ "$ssh_hostname" != "$hostname" ]
then
	fail_test 110 "ssh login wasn't successful"
fi


info "Lock all after tally"
ssh_login "$fake_passwd" # 3
ssh_login "$fake_passwd" # 6
ssh_hostname="$(ssh_login "$tests_root_pwdfile")"
if [ "$ssh_hostname" = "$hostname" ]
then
	fail_test 110 "ssh login was successful, but the user should be locked"
fi


info "Reset"
pam_tally --user "$NAME" --reset
ssh_hostname="$(ssh_login "$tests_root_pwdfile")"
if [ "$ssh_hostname" != "$hostname" ]
then
	fail_test 110 "ssh login wasn't successful"
fi

exit $RETVAL
# vim: set ft=sh :
