#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: "Test whether UDM attribute pwdChangeNextLogin is honored"
## exposure: safe
## packages:
##  - univention-samba4
## roles:
## - domaincontroller_master
## - domaincontroller_backup
## - domaincontroller_slave
# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
# shellcheck source=../../lib/samba.sh
. "$TESTLIBPATH/samba.sh" || exit 137

## create user
echo "----create user"
SAMBA="true"
MAIL="false"
KERBEROS="true"
PERSON="false"
POSIX="true"

username="$(user_randomname)"
first_password="univention"
second_password="$(random_chars 8 ${_upperletters}${_lowerletters}${_ciphers}äöü)Ui8ÄÖÜ"
third_password="$(random_chars 8 ${_upperletters}${_lowerletters}${_ciphers}äöü)Ui8ÄÖÜ"

trap 'user_remove "$username"' INT TERM EXIT

if ! user_create "$username"; then
	fail_fast 1 "User could not be created"
fi

wait_for_replication
# force_drs_replication
wait_for_drs_replication "(sAMAccountName=$username)"

USER_DN="$(udm-test users/user list --filter uid="$username" | sed -ne 's/^DN: //p')"

whenChanged="$(ldbsearch -H /var/lib/samba/private/sam.ldb "samaccountname=$username" whenChanged | sed -ne 's/^whenChanged: //p')"
whenChanged2="$whenChanged"

##set pwdChangeNextLogin=1 so that the user hast to change the password at the next login
echo "----set pwdChangeNextLogin=1"
output="$(udm-test users/user modify --dn "$USER_DN" --set pwdChangeNextLogin=1)"
if [ "$?" != 0 ];then
	echo "$output"
	fail_test 1 "Could not modify the user using udm."
fi

#wait until it is recognized in samba that the user has been modified
echo "----wait until it is recognized in samba that the user has been modified"
i=0
while [ "$whenChanged" = "$whenChanged2" ]
do
	whenChanged2="$(ldbsearch -H /var/lib/samba/private/sam.ldb "samaccountname=$username" whenChanged | sed -ne 's/^whenChanged: //p')"
	let i="$i"+1
	if [ "$i" = $DRS_REPLICATION_TIMEOUT ]; then
		echo "TIMEOUT: A change of the variable pwdChangeNextLogin could not be recognized."
		break
	fi
	sleep 1
done

#try to login without changing the password, should fail
echo "-----Log in without changing the password"
output="$(ldbsearch -U "$username%$first_password" -H ldap://localhost "samaccountname=$username" 2>&1)"
echo "$output" | grep -q "LDAP_INVALID_CREDENTIALS"
if [ "$?" != 0 ]; then
	if [ -n "$output" ]; then
		echo "$output"
	fi
	fail_test 1 'Expected return value "LDAP_INVALID_CREDENTIALS"'
fi

## change the password with samba-tool
echo "----Changing the password"
samba-tool user setpassword "$username" --newpassword="$second_password" 

## login with the new password
echo "----Checking password: "
i=0

while ! smbclient //localhost/netlogon -U "$username%$second_password" -c "exit" > /dev/null
do
	i=$((i+1))
	echo '.'
	if [ "$i" = $DRS_REPLICATION_TIMEOUT ]; then
		fail_fast 1 "Could not login using samba with new password after password change."
	fi
	sleep 1
done

## try to login with old password, should not work                                                                                                       
output="$(smbclient //localhost/netlogon -U "$username%$first_password" -c "exit" > /dev/null)"
if [ "$?" = 0 ]; then
	echo "$output"
	fail_test 1 "Could login using samba with old password after password change."
fi

exit $RETVAL
