#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: "Testing password change with UDM and Samba"
## exposure: careful
## packages:
##  - univention-samba
## roles:
## - domaincontroller_master
## - domaincontroller_backup
## - domaincontroller_slave
## - memberserver
## tags:
##  - basic
##  - skip_admember
## versions:
##  3.1-1: skip
##  3.2-0: fixed

# shellcheck source=../../lib/base.sh
. "$TESTLIBPATH/base.sh" || exit 137
# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
. /usr/share/univention-lib/ldap.sh || exit 137

echo "----create user"
##create user
SAMBA="true"
MAIL="false"
KERBEROS="true"
PERSON="false"
POSIX="true"

username="$(user_randomname)"
first_password="univention"
second_password="$(random_chars 8 ${_upperletters}${_lowerletters}${_ciphers}äöü)1AÄÜÖ"
third_password="$(random_chars 8 ${_upperletters}${_lowerletters}${_ciphers}äöü)1AÄÜÖ"

if [ -n "$tests_domainadmin_account" ]; then
	admin_account=$(ucs_convertDN2UID "$tests_domainadmin_account")
else
	admin_account=Administrator
fi

trap 'user_remove "$username"' INT TERM EXIT

user_create "$username" ||
	fail_fast 1 "User could not be created"

if [ "${samba_domain_security:-}" = "ads" ]; then
	net_mode="ads"
else
	net_mode="rpc user"
fi

sleep 10 ## wait for S4-Connector and maybe DC backups to replicate
wait_for_replication

USER_DN="$(udm-test users/user list --filter uid="$username" | DN1)"

##test normal connection with smbclient
echo "----test normal connection with smbclient"
test_normal_connection () { output="$(smbclient -U "${username}%${first_password}" -L "${hostname:?}.${domainname:?}")"; }
retry 30 test_normal_connection ||
	fail_test 1 "Could not authenticate with smbclient: $output"

##changing the password with net rpc / Samba
echo "----changing the password with net $net_mode"
log_and_execute net "$net_mode" password "$username" "$second_password" -U"$admin_account%$tests_domainadmin_pwd" ||
	error "net $net_mode password change returned a non-zero exit code: $?. Continuing anyway, see Bug #31794"

sleep 3
wait_for_replication

##test login with UDM with new password
echo "----test login with udm with new password"
second_password_file="$(mktemp)"
echo "$second_password" > "$second_password_file"
trap 'rm -f "$second_password_file"' EXIT
test_login_with_udm () { output="$(univention-directory-manager users/user list --filter uid="$username" --binddn "$USER_DN" --bindpwdfile "$second_password_file")"; }
retry 30 test_login_with_udm ||
		fail_test 1 "Could not authenticate with UDM after password change with smbpasswd: $output"

##change the password with UDM
echo "----change the password with udm"
output="$(udm-test users/user modify --dn "$USER_DN" --set "password=$third_password")" ||
	fail_test 1 "Could not change password with UDM: $output"

sleep 10 ## wait for S4-Connector and maybe DC backups to replicate
wait_for_replication

##test login with smbclient with new password
echo "----test login with smbclient with new password"
test_login_with_smbclient () { output="$(smbclient -U "$username%$third_password" -L "$hostname.$domainname")"; }
retry 30 test_login_with_smbclient ||
	fail_test 1 "Could not authenticate with smbclient after password change with UDM: $output"

exit "$RETVAL"
