#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: "Test whether it works to set a password policy"
## exposure: careful
## packages:
##  - univention-samba
## roles-not:
## - basesystem
## - memberserver
## tags: [basic, skip_admember]
## versions:
##  3.1-1: skip
##  3.2-0: fixed

# shellcheck source=../../lib/base.sh
. "$TESTLIBPATH/base.sh" || exit 137
# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
. /usr/share/univention-lib/ldap.sh || exit 137

##create user
echo "----create user"
SAMBA="true"
MAIL="false"
KERBEROS="true"
PERSON="false"
POSIX="true"

username="$(user_randomname)"
first_password="univention"
second_password="$(random_chars 8 ${_upperletters}${_lowerletters}${_ciphers}äöü)"

if [ -n "$tests_domainadmin_account" ]; then
	admin_account=$(ucs_convertDN2UID "$tests_domainadmin_account")
else
	admin_account=Administrator
fi

trap 'user_remove "$username"' INT TERM EXIT

user_create "$username" ||
	fail_fast 1 "User could not be created"

wait_for_replication

USER_DN="$(udm-test users/user list --filter uid="$username" | DN1)"

##test normal connection
echo "----net rpc: test normal connection"
output="$(net rpc info -S localhost -U"$username%$first_password")" ||
	fail_test 1 "initial authentication failed: $output"

##set pwdChangeNextLogin=1 so that the user has to change the password at the next login
echo "----set pwdChangeNextLogin=1"
output="$(udm-test users/user modify --dn "$USER_DN" --set pwdChangeNextLogin=1)" ||
	fail_test 1 "Could not modify the user using udm: $output"

wait_for_replication

##try to login without changing the password, should fail
echo "----net rpc: try to login without changing the password (should fail)"
output="$(net rpc info -S localhost -U"$username%$first_password")" &&
	fail_test 1 "Could login without changing the password."

##changing the password with net rpc / samba
echo "----changing the password with net rpc"
net rpc user password "$username" "$second_password" \
	-U"$admin_account%$tests_domainadmin_pwd" ||
	error "net rpc user password change returned a non-zero exit code: $?. Continuing anyway, see Bug #31794"

wait_for_replication

##try to login with a new password
echo "----net rpc: try to login with a new password"
try_login_with_new_password () { output="$(net rpc info -S localhost -U"$username%$second_password" 2>&1)"; }
retry 20 try_login_with_new_password ||
	fail_test 1 "Could not login using samba with new password after password change: $output"

##try to login with old password, should not work
echo "----net rpc: try to login with old password (should fail)"
output="$(net rpc info -S localhost -U"$username%$first_password")" &&
	fail_test 1 "Could login using samba with old password after password change: $output"

##check authentication with UDM
##--old password
echo "----UDM: try to login with old password (should fail)"
second_password_file=$(mktemp)
echo "$second_password" > "$second_password_file"
trap "rm -f '$second_password_file'" EXIT
output="$(udm users/user list --filter uid="$username" --binddn "$USER_DN" --bindpwdfile "$second_password_file")" ||
	fail_test 1 "Could not login using UDM with new password after password change: $output"
##--new password
echo "----UDM: try to login with new password"
first_password_file=$(mktemp)
echo "$first_password" > "$first_password_file"
trap "rm -f '$first_password_file'" EXIT
output="$(udm users/user list --filter uid="$username" --binddn "$USER_DN" --bindpwdfile "$first_password_file")" &&
	fail_test 1 "Could login using UDM with old password after password change: $output"

exit "$RETVAL"
