#!/usr/share/ucs-test/runner bash
# shellcheck shell=bash
## desc: "Access a share as a user whitelisted by sambaValidUsers"
## exposure: safe
## packages:
##  - univention-samba | univention-samba4
## tags: [skip_admember]
## roles:
## - domaincontroller_master
## - domaincontroller_backup
## - domaincontroller_slave
## - memberserver

# shellcheck source=../../lib/user.sh
. "$TESTLIBPATH/user.sh" || exit 137
# shellcheck source=../../lib/shares.sh
. "$TESTLIBPATH/shares.sh" || exit 137
# shellcheck source=../../lib/random.sh
. "$TESTLIBPATH/random.sh" || exit 137
# shellcheck source=../../lib/samba.sh
. "$TESTLIBPATH/samba.sh" || exit 137
. /usr/share/univention-lib/ldap.sh || exit 137

kdestroy || true # see Bug 52130

listener_replication_sleep_seconds=1
listener_replication_retry_max=30

echo "## create user"
SAMBA="true"
MAIL="false"
KERBEROS="true"
PERSON="false"
POSIX="true"

username="$(user_randomname)"
password=univention
sharename="$(random_share)"

trap 'user_remove "$username";share_remove "$sharename";wait_for_replication_and_postrun; rm -rf "/${sharename:?}";' INT TERM EXIT
if ! user_create "$username"; then
	fail_fast 1 "Could not create user $username."
fi

udm-test shares/share create \
	--position "$SHARE_POSITION" \
	--set name="$sharename" \
	--set path="/$sharename" \
	--set host="$SHARE_HOST" \
	--set owner="$SHARE_UNIX_OWNER" \
	--set group="$SHARE_UNIX_GROUP" \
	--set directorymode="$SHARE_UNIX_DIRECTORYMODE" \
	--set writeable="$SHARE_NFS_WRITEABLE" \
	--set sambaWriteable="$SHARE_SAMBA_WRITEABLE" \
	--set sambaInvalidUsers="@\"Domain Users\"" \
	--set sambaValidUsers="$username"

if [ "$?" != 0 ]; then
	fail_fast 1 "could not create share"
fi

wait_for_replication_and_postrun

if dpkg -s univention-samba4 2>&1 | grep "install ok installed" > /dev/null; then
# force_drs_replication
	wait_for_drs_replication "(sAMAccountName=$username)"
fi

admin_account="$(ucs_convertDN2UID "$tests_domainadmin_account")"

sleep 10
echo "## wait for samba share export"
i=0
while ( output=$(smbclient -U "$admin_account%$tests_domainadmin_pwd" "//$hostname.$domainname/$sharename" -c "exit" 2>&1); grep -q "NT_STATUS_BAD_NETWORK_NAME" <<<"$output" )
do
	let i="$i"+1
	if [ "$i" = "$listener_replication_retry_max" ]; then
		fail_fast 1 "TIMEOUT: Access to share still failed after $((i * $listener_replication_sleep_seconds)) seconds: $output"
	fi
	sleep "$listener_replication_sleep_seconds"
done

echo "## access share"
output="$(smbclient -U "$username%$password" "//$hostname.$domainname/$sharename" -c "exit" 2>&1)"
echo "$output" | grep -q "NT_STATUS_ACCESS_DENIED"
if [ "$?" != 0 ]; then
	fail_test 1 "Expected return value NT_STATUS_ACCESS_DENIED, but received: $output"
fi


exit "$RETVAL"
