#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: Test users/ldap password handling
## tags: [udm]
## roles: [domaincontroller_master]
## exposure: dangerous
## packages:
##   - univention-config
##   - univention-directory-manager-tools

# shellcheck source=../../lib/base.sh
. "$TESTLIBPATH/base.sh" || exit 137
# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137

eval "$(ucr shell ldap/base)"

set -x

name="$(user_randomname)"

DN="uid=${name},$ldap_base"
udm users/ldap create --set username="${name}" --set password=a1 && fail_test 1 "Password should have been too short"

udm users/ldap create --set username="${name}${count}" --set password=univention || fail_test 1 "User creation failed"
ldapsearch -x -D "$DN" -w univention -s base  >/dev/null || fail_test 1 "LDAP search was not successful"
ldapsearch -x -D "$DN" -w univention1 -s base  >/dev/null && fail_test 1 "LDAP search with a wrong password was successful"
udm users/ldap modify --dn "$DN" --set password=univention1 || fail_test 1 "Password could not be set"
udm users/ldap modify --dn "$DN" --set password=univention && fail_test 1 "Password could be set to an old password"
udm users/ldap modify --dn "$DN" --set password=univention2 || fail_test 1 "Password could not be set"
udm users/ldap modify --dn "$DN" --set password=univention1 --set overridePWHistory=1 || fail_test "overridePWHistory has no effect"
udm users/ldap modify --dn "$DN" --set password=a && fail_test 1 "Password could be set to a too short value"
udm users/ldap modify --dn "$DN" --set password=a --set overridePWLength=1 || fail_test 1 "overridePWLength has no effect"
ldapsearch -x -D "$DN" -w a -s base  >/dev/null || fail_test 1 "LDAP search was not successful"
ldapsearch -x -D "$DN" -w univention1 -s base  >/dev/null && fail_test 1 "LDAP search with a wrong password was successful"

udm users/ldap modify --dn "$DN" --set disabled=1 || fail_test 1 "Password could not be disabled"
ldapsearch -x -D "$DN" -w a -s base  >/dev/null && fail_test 1 "Search with a disabled password was successful"
udm users/ldap modify --dn "$DN" --set disabled=0 || fail_test 1 "Password could not be enabled"
ldapsearch -x -D "$DN" -w a -s base  >/dev/null || fail_test 1 "Search with an enabled password failed"
ldapsearch -x -D "$DN" -w univention1 -s base  >/dev/null && fail_test 1 "Search with a wrong password was successful"

exit "$RETVAL"

