#!/usr/share/ucs-test/runner bash 
# shellcheck shell=bash
## desc: "Reset password in AD and verify shadowMax, shadowLastChange (posix pw expiry) and krb5PasswordEnd"
## exposure: dangerous
## packages:
##  - univention-ad-connector
## roles:
## - domaincontroller_master
## - domaincontroller_backup
## - domaincontroller_slave
## bugs:
##  - 45760
## tags:
##  - basic
##  - apptest
##  - skip_admember

# shellcheck source=../../lib/base.sh
. "$TESTLIBPATH/base.sh" || exit 137
# shellcheck source=../../lib/udm.sh
. "$TESTLIBPATH/udm.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
. "adconnector.sh" || exit 137

RETVAL=100

test -n "$connector_ad_ldap_host" || exit 137
ad_is_connector_running || exit 137


SYNCMODE="$(ad_get_sync_mode)"
HOST="$(ucr get connector/ad/ldap/host)"
SHADOW_LASTCHANGE="$(( $(date +"%s") / 3600 / 24 ))"
SHADOW_MAX=99
KRB5_PASSWORD_END=$(date +"%Y%m%d000000Z" --date="@$(( $(date -u +"%s") + ($SHADOW_MAX * 24 * 3600)))")

ad_set_sync_mode "sync"

####################################################
# check shadowLastChange=now and shadowMax=x, krb5PasswordEnd=x
section "Test AD password reset with expiry policy"
####################################################

UDM_policies_pwhistory_name="$(random_chars)"
UDM_policies_pwhistory_expiryInterval=$SHADOW_MAX
udm_create "policies/pwhistory" || fail_test 110

UDM_users_user_username="$(random_chars)"
UDM_users_user_lastname="$(random_chars)"
UDM_users_user_password="univention"
UDM_users_user_firstname="$(random_chars)"
udm_create "users/user" || fail_test 110
udm_modify "users/user" "" "" "" "" \
	--policy-reference="cn=$UDM_policies_pwhistory_name,cn=pwhistory,cn=users,cn=policies,$ldap_base" || fail_test 110
ad_wait_for_synchronization; fail_bool 0 110
ad_reset_password "$UDM_users_user_username" "123-abc-ABC-?" || fail_test 110
ad_wait_for_synchronization; fail_bool 0 110
smbclient //"${HOST}"/sysvol -c ls -U "${UDM_users_user_username}%123-abc-ABC-?" ; fail_bool 0 100
udm_verify_ldap_attribute "shadowLastChange" "$SHADOW_LASTCHANGE" "users/user" || fail_test 110
udm_verify_ldap_attribute "shadowMax" "$SHADOW_MAX" "users/user" || fail_test 110
udm_verify_ldap_attribute "krb5PasswordEnd" "$KRB5_PASSWORD_END" "users/user" || fail_test 110
univention-ldapsearch uid="$UDM_users_user_username"

#######################################################
# check shadowLastChange=now and no shadowMax, krb5PasswordEnd
section "Test AD password reset without expiry policy"
#######################################################

udm_modify "users/user" "" "" "" "" \
	--policy-dereference="cn=$UDM_policies_pwhistory_name,cn=pwhistory,cn=users,cn=policies,$ldap_base" || fail_test 110
ad_wait_for_synchronization; fail_bool 0 110
ad_reset_password "$UDM_users_user_username" "Univention.99" || fail_test 110
ad_wait_for_synchronization; fail_bool 0 110
smbclient //"${HOST}"/sysvol -c ls -U "${UDM_users_user_username}%Univention.99" ; fail_bool 0 100
udm_verify_ldap_attribute "shadowLastChange" "$SHADOW_LASTCHANGE" "users/user" || fail_test 110
udm_verify_ldap_attribute "shadowMax" "" "users/user" || fail_test 110
udm_verify_ldap_attribute "krb5PasswordEnd" "" "users/user" || fail_test 110

##################
section "Clean up"
##################

udm_remove "users/user" || fail_test 110
udm_remove "policies/pwhistory" || fail_test 110
ad_wait_for_synchronization; fail_bool 0 110
udm_exists "users/user"; fail_bool 1 110
udm_exists "policies/pwhistory"; fail_bool 1 110
ad_set_sync_mode "$SYNCMODE"

exit "$RETVAL"
