#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: "Test to set a NTACL with an Allow ACE"
## exposure: safe
## packages:
## - univention-samba4
## roles:
## - domaincontroller_master
## - domaincontroller_backup
## - domaincontroller_slave

# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137
# shellcheck source=../../lib/shares.sh
. "$TESTLIBPATH/shares.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
# shellcheck source=../../lib/samba.sh
. "$TESTLIBPATH/samba.sh" || exit 137

##----create User
SAMBA="true"
MAIL="false"
KERBEROS="true"
PERSON="false"
POSIX="true"

username="$(user_randomname)"
first_password="univention"
sharename="$(random_share)"

trap 'user_remove "$username";
share_remove "$sharename";
rm -rf "/${sharename:?}";
wait_for_replication_and_postrun;
' INT TERM EXIT

check_domainadmin_credentials || fail_fast 77 "UCR variables for admin credentials are not set"
ADMINISTRATOR_NAME="$(univention-ldapsearch -b "$tests_domainadmin_account" uid | grep uid | sed -ne 's/^uid: //p')"

if ! user_create "$username"; then
	fail_fast 1 "User could not be created"
fi


##----create Share
SHARE_POSITION="cn=shares,$ldap_base"
SHARE_DIRECTORYMODE=0777
SHARE_HOST="$hostname.$domainname"
if ! share_create "$sharename" "/$sharename"; then
	fail_fast 1 "could not create share"
fi
sleep 10	## wait a bit for listener module postrun



wait_for_replication
# force_drs_replication
wait_for_drs_replication "(sAMAccountName=$username)"

## wait for samba share export
i=0
sleep_seconds=3
while ! output="$(smbclient -U "$username%$first_password" "//$hostname.$domainname/$sharename" -c "exit" >/dev/null 2>&1)"
do
	let i="$i"+1
	if [ "$i" = 10 ]; then
		print "$output"
		fail_fast 1 "TIMEOUT: Samba did not export the share '$sharename' after $((i * $sleep_seconds)) seconds"
	fi
	sleep "$sleep_seconds"
done

##--Tests

echo "----create a folder as Administrator, so that the testuser has no rights to write in it"
output="$(smbclient -U "$ADMINISTRATOR_NAME%$tests_domainadmin_pwd" "//$hostname.$domainname/$sharename" -c "mkdir folder" 2>&1)"
if [ -n "$output" ] && echo "$output" | grep -q "^NT_STATUS_"; then
	echo "$output"
	fail_fast 1 "Failed to make a folder as Administrator even though it should work."
fi

echo "----attempt to create a folder without permission"
output=$(smbclient -U "$username%$first_password" "//$hostname.$domainname/$sharename" -c "mkdir folder\folder2" 2>&1)
if ! echo "$output" | grep -q "NT_STATUS_ACCESS_DENIED"; then
	if [ -n "$output" ]; then
		echo "$output"
	fi
	fail_test 1 "Expected return value NT_STATUS_ACCESS_DENIED"
fi

## get objectSID
sid="$(ldbsearch -H ldap://localhost -U"$username%$first_password" cn=$username | sed -n 's/^objectSid: //p')"
if [ -z "$sid" ]; then
	fail_fast 1 "Could not retrieve objectSid of samba user account '$username'"
fi

## get and set NTACL
echo "----get NTACL"
NTACL_old="$(samba-tool ntacl get "/$sharename/folder" --as-sddl 2>/dev/null)"
if ! echo "$NTACL_old" | grep -q "^O:"; then
	fail_test 1 "Could not retrieve NTACL"
fi
echo "----set NTACL"
if ! samba-tool ntacl set "$NTACL_old""(A;;CC;;;$sid)" "/$sharename/folder"; then
	fail_test 1 "Failed to set NTACL"
fi

echo "----attempt to create a folder with permission"
if ! output="$(smbclient -U "$username%$first_password" "//$hostname.$domainname/$sharename" -c "mkdir folder\folder3")"
then
	if [ -n "$output" ]; then
		echo "$output"
	fi
	fail_test 1 "Failed to make a folder even though it should work."
fi

exit $RETVAL
