#!/usr/share/ucs-test/runner python
## desc: Check whether the UCR variable ldap/acl/user/password/change is enforced by the LDAP ACL
## roles: [domaincontroller_master]
## packages:
##  - univention-directory-manager-tools
## tags:
##  - basic
## exposure: dangerous

import univention.testing.strings as uts
import subprocess, sys

from univention.testing.ucr import UCSTestConfigRegistry
from univention.testing.udm import UCSTestUDM
from univention.config_registry import handler_set
from univention.lib.umc_connection import UMCConnection


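def toggle_ucr_ldap_policy(mode='no'):
	"""Set UCR ldap/acl/user/password/change to *mode* and restart slapd.

	Args:
		mode: 'yes' enables the ACL that lets users change their own password;
			any other value (the default) sets the variable to 'no'.

	Raises:
		subprocess.CalledProcessError: when the slapd restart exits non-zero.
			A failed restart leaves the previous ACL active, so continuing
			would evaluate the test against a stale setting; fail loudly instead.
	"""
	# Normalise first so the log line reports the value actually written,
	# not the caller's raw argument.
	value = 'yes' if mode == 'yes' else 'no'
	print("Changing 'ldap/acl/user/password/change' to " + value)
	handler_set(['ldap/acl/user/password/change=%s' % value])
	# The test relies on a restart for the changed ACL to take effect.
	subprocess.check_call(['/etc/init.d/slapd', 'restart'])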



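def test_result(test_allowed, test_not_allowed):
	"""Report both checks and exit with status 1 if either one failed.

	Args:
		test_allowed: True if the user could change the password while the
			ACL variable was 'yes'.
		test_not_allowed: True if the password change was refused while the
			ACL variable was 'no'.

	Exits the process with status 1 when either value is falsy; returns
	None otherwise.
	"""
	sys.stdout.write("\n")
	sys.stdout.write("(ldap/acl/user/password/change='yes')user can change password:   ")
	ok_or_fail(test_allowed)
	sys.stdout.write("(ldap/acl/user/password/change='no')user can't change password:   ")
	# Each label must report its own check: a change that succeeded under
	# ACL 'no' is a failure and must never be masked by the 'yes' result.
	ok_or_fail(test_not_allowed)
	sys.stdout.write("\n")
	if not (test_allowed and test_not_allowed):
		sys.exit(1)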

def ok_or_fail(value):
	"""Print "OK" on its own line when *value* is truthy, otherwise "Fail"."""
	print("OK" if value else "Fail")





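if __name__ == '__main__':

	# The UCR test context restores ldap/acl/user/password/change on exit, but
	# slapd keeps running with the last ACL this test applied. Restart it once
	# more afterwards so the restored setting is live again (assumes the restore
	# re-renders slapd's configuration -- TODO confirm against UCSTestConfigRegistry).
	try:
		with UCSTestConfigRegistry() as ucr_test:
			with UCSTestUDM() as udm:
				# Phase 1: the ACL allows users to change their own password.
				toggle_ucr_ldap_policy('yes')

				# A container plus a UMC policy granting 'udm-self' to everything below it.
				ldapbase = ucr_test.get('ldap/base')
				container = udm.create_object('container/cn', position=ldapbase, name=uts.random_string())
				policy = udm.create_object(
					'policies/umc',
					name=uts.random_string(),
					allow='cn=udm-self,cn=operations,cn=UMC,cn=univention,%s' % ldapbase,
				)
				udm.modify_object('container/cn', dn=container, **{'policy-reference': policy})

				# A throw-away user inside that container.
				user_name = uts.random_string()
				user_password = uts.random_string()
				user_dn = udm.create_user(
					'users/user',
					position=container,
					username=user_name,
					lastname=user_name,
					password=user_password,
				)[0]

				new_password = uts.random_string()
				new_password2 = uts.random_string()

				# Changing the own password must succeed while the ACL is 'yes'.
				connection = UMCConnection('localhost', user_name, user_password)
				result = connection.request('udm/put', [{'object': {'$dn$': user_dn, 'password': new_password}, 'options': {}}], 'users/self')[0]
				test_allowed = bool(result.get('success'))

				# Phase 2: with the ACL set to 'no' the same request must be refused.
				toggle_ucr_ldap_policy('no')

				# Authenticate with whichever password is currently valid: if phase 1
				# failed the old one still applies, and a login error here would hide
				# that result instead of reporting it.
				current_password = new_password if test_allowed else user_password
				connection = UMCConnection('localhost', user_name, current_password)
				result = connection.request('udm/put', [{'object': {'$dn$': user_dn, 'password': new_password2}, 'options': {}}], 'users/self')[0]
				test_not_allowed = not result.get('success')

				# Print both outcomes; exits non-zero if either check failed.
				test_result(test_allowed, test_not_allowed)
	finally:
		subprocess.call(['/etc/init.d/slapd', 'restart'])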

