#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: "Test whether it works to set a password policy"
## exposure: safe
## packages:
##  - univention-samba
## roles-not:
## - basesystem
## - memberserver
## tags: [basic, skip_admember]
## versions:
##  3.1-1: skip
##  3.2-0: fixed

# shellcheck source=../../lib/base.sh
. "$TESTLIBPATH/base.sh" || exit 137
# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
. /usr/share/univention-lib/ldap.sh || exit 137

##create user
echo "----create user"
SAMBA="true"
MAIL="false"
KERBEROS="true"
PERSON="false"
POSIX="true"

username="$(user_randomname)"
first_password="univention"
second_password="$(random_chars 8 ${_upperletters}${_lowerletters}${_ciphers}äöü)"
third_password="$(random_chars 8 ${_upperletters}${_lowerletters}${_ciphers}äöü)"

if [ -n "$tests_domainadmin_account" ]; then
	admin_account=$(ucs_convertDN2UID "$tests_domainadmin_account")
else
	admin_account=Administrator
fi

trap 'user_remove "$username"' INT TERM EXIT

if ! user_create "$username"; then
	fail_fast 1 "User could not be created"
fi

wait_for_replication

USER_DN="$(udm-test users/user list --filter uid="$username" | sed -ne 's/^DN: //p')"

##test normal connection
echo "----net rpc: test normal connection"
output="$(net rpc info -S localhost -U"$username%$first_password")"

if [ "$?" != 0 ];then
	echo "$output"
	fail_test 1 "initial authentication failed"
fi

##set pwdChangeNextLogin=1 so that the user has to change the password at the next login
echo "----set pwdChangeNextLogin=1"
output="$(udm-test users/user modify --dn "$USER_DN" --set pwdChangeNextLogin=1)"
if [ "$?" != 0 ];then
	echo "$output"
	fail_test 1 "Could not modify the user using udm."
fi

wait_for_replication

##try to login without changing the password, should fail
echo "----net rpc: try to login without changing the password (should fail)"
output="$(net rpc info -S localhost -U"$username%$first_password")"
if [ "$?" = 0 ];then
	fail_test 1 "Could login without changing the password."
fi

##changing the password with net rpc / samba
echo "----changing the password with net rpc"
net rpc user password "$username" "$second_password" \
	-U"$admin_account%$tests_domainadmin_pwd"
if [ "$?" != 0 ]; then
	error "net rpc user password change returned a non-zero exit code: $?. Continuing anyway, see Bug #31794"
fi

wait_for_replication

##try to login with a new password
echo "----net rpc: try to login with a new password"
i=0
while ! output="$(net rpc info -S localhost -U"$username%$second_password" 2>&1)"
do
	let i="$i"+1
	sleep 1
	if [ "$i" = 20 ]; then
		echo "$output"
		fail_test 1 "Could not login using samba with new password after password change."
		break
	fi
done

##try to login with old password, should not work                                                                                                       
echo "----net rpc: try to login with old password (should fail)"
output="$(net rpc info -S localhost -U"$username%$first_password")"
if [ "$?" = 0 ];then
	echo "$output"
	fail_test 1 "Could login using samba with old password after password change."
fi

##check authentication with UDM                                                                                                                                                            
##--old password
echo "----UDM: try to login with old password (should fail)"
output="$(udm users/user list --filter uid="$username" --binddn "$USER_DN" --bindpwd "$second_password")"
if [ "$?" != 0 ];then
	echo "$output"
	fail_test 1 "Could not login using UDM with new password after password change."
fi

##--new password
echo "----UDM: try to login with new password"
output="$(udm users/user list --filter uid="$username" --binddn "$USER_DN" --bindpwd "$first_password")"
if [ "$?" = 0 ];then
	echo "$output"
	fail_test 1 "Could login using UDM with old password after password change."
fi

exit $RETVAL
