#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: "Test unauthorized password reset"
## exposure: safe
## packages:
##  - univention-samba4
## roles:
## - domaincontroller_master
## bugs: [46484]

# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
# shellcheck source=../../lib/samba.sh
. "$TESTLIBPATH/samba.sh" || exit 137
# shellcheck source=../../lib/undo.sh
. "$TESTLIBPATH/undo.sh" || exit 137

RETVAL=100

username1=$(user_randomname)
user_create "$username1" &&
        undo user_remove "$username1" ||
        fail_fast 140 "cannot create user $username1"

username2=$(user_randomname)
user_create "$username2" &&
        undo user_remove "$username2" ||
        fail_fast 140 "cannot create user $username2"

wait_for_replication_and_postrun

userdn1=$(ldbsearch -H /var/lib/samba/private/sam.ldb sAMAccountName="$username1" 1.1 | sed -n 's/^dn: //p')
userdn2=$(ldbsearch -H /var/lib/samba/private/sam.ldb sAMAccountName="$username2" 1.1 | sed -n 's/^dn: //p')

ldapmodify -D "$userdn1" -w univention -h "$(hostname -f)" -x -ZZ <<EOF
dn: $userdn2
changetype: modify
delete: unicodePwd
-
add: unicodePwd
unicodePwd:: IgBVAG4AaQB2AGUAbgB0AGkAbwBuAC4AMQAiAA==
EOF

if wbinfo -a "$(wbinfo --own-domain)+$username2"%'Univention.1'; then
	fail_fast 110 "Regression: unautorized user password reset succeeded"
fi
