#!/usr/share/ucs-test/runner python2.7
## desc: tests if users can change their own passwords
## roles:
##  - domaincontroller_master
##  - domaincontroller_backup
## packages:
##  - univention-admingrp-user-passwordreset
## exposure: dangerous

from __future__ import print_function
from univention.testing.utils import fail
from univention.testing.ucr import UCSTestConfigRegistry
from univention.testing.udm import UCSTestUDM
import univention.testing.strings as uts
import univention.testing.utils as utils
import univention.config_registry

default_password = 'univention'


class Account(object):
	def __init__(self, description, dn, name, password=default_password):
		self.description = description
		self.dn = dn
		self.name = name
		self.password = password

	def __str__(self):
		return '%s "%s"' % (self.description, self.name)


try:
	with UCSTestConfigRegistry() as ucr, UCSTestUDM() as udm:

		def change_own_password_to_random(account):
			try:
				udm.modify_object('users/user', binnddn=account.dn, bindpwd=account.password, dn=account.dn, set={
					'password': uts.random_string()
				})
			except Exception:
				fail('%s can not change its own password' % account)
			else:
				print('%s changed its password successfully' % account)

		# Create new helpdesk group
		try:
			what = "Helpdesk group"
			helpdesk_group_dn, helpdesk_group_name = udm.create_group()
			helpdesk_group = Account(what, helpdesk_group_dn, helpdesk_group_name)
		except Exception as exc:
			fail('Creating %s failed: %s' % (what, exc))
		else:
			print('Created %s' % (helpdesk_group,))

		# Create new user
		try:
			what = "Helpdesk user"
			helpdesk_user_dn, helpdesk_user_name = udm.create_user()
			helpdesk_user = Account(what, helpdesk_user_dn, helpdesk_user_name)
		except Exception as exc:
			fail('Creating %s failed: %s' % (what, exc))
		else:
			print('Created %s' % (helpdesk_user,))

		# Create new user
		try:
			what = "Protected user"
			protected_user_dn, protected_user_name = udm.create_user()
			protected_user = Account(what, protected_user_dn, protected_user_name)
		except Exception as exc:
			fail('Creating %s failed: %s' % (what, exc))
		else:
			print('Created %s' % (protected_user,))

		# Create new unprotected user
		try:
			what = "Unprotected user"
			unprotected_user_dn, unprotected_user_name = udm.create_user()
			unprotected_user = Account(what, unprotected_user_dn, unprotected_user_name)
		except Exception as exc:
			fail('Creating %s failed: %s' % (what, exc))
		else:
			print('Created %s' % (unprotected_user,))

		# Add user to corresponding group
		try:
			udm.modify_object('groups/group', dn=helpdesk_group.dn, append={
				'users': [helpdesk_user.dn]
			})
		except Exception as exc:
			fail('Adding %s to corresponding group %s failed: %s' % (helpdesk_user, helpdesk_group, exc))
		else:
			print('Added %s to corresponding group' % helpdesk_user)

		# Allow users to modify their password in Univention Directory Manager
		univention.config_registry.handler_set([
			'ldap/acl/user/password/change=yes',
			'ldap/acl/user/passwordreset/accesslist/groups/helpdesk=%s' % (helpdesk_group.dn,),
			'ldap/acl/user/passwordreset/protected/uid=Administrator,%s' % (protected_user.name,)
		])

		# Activate passwordreset ACLs:
		utils.restart_slapd()

		# Check if helpdesk account can set its own password
		change_own_password_to_random(helpdesk_user)

		# Check if protected user account can set its own password
		change_own_password_to_random(protected_user)

		# Check if unprotected user account can set its own password
		change_own_password_to_random(unprotected_user)
finally:
	# Important: deactivate LDAP ACLs again
	utils.restart_slapd()

# vim: set ft=python ts=4 noexpandtab :
