#!/usr/share/ucs-test/runner bash
## desc: univention-admingrp-user-passwordreset
## roles:
##  - domaincontroller_master
##  - domaincontroller_backup
## packages:
##  - univention-admingrp-user-passwordreset
## exposure: dangerous


. "$TESTLIBPATH/base.sh" || exit 137
. "$TESTLIBPATH/user.sh" || exit 137
. "$TESTLIBPATH/group.sh" || exit 137
. "$TESTLIBPATH/random.sh" || exit 137
. "$TESTLIBPATH/maildomain.sh" || exit 137
. "$TESTLIBPATH/ucr.sh" || exit 137
. "$TESTLIBPATH/undo.sh" || exit 137

create_mail_domain "$domainname" && undo delete_mail_domain "$domainname"

# create helpdesk group
G_HELPDESK=$(group_randomname)
group_create "$G_HELPDESK" &&
	undo group_remove "$G_HELPDESK" ||
	fail_fast 140 "cannot create G_HELPDESK group $G_HELPDESK"
# create new user
U_HELPDESK=$(user_randomname)
user_create "$U_HELPDESK" &&
	undo user_remove "$G_HELPDESK" ||
	fail_fast 140 "cannot create U_HELPDESK user $U_HELPDESK"

# add user to corresponding group
udm-test groups/group modify \
	--dn "$(group_dn "$G_HELPDESK")" \
	--append users="$(user_dn "$U_HELPDESK")"

# create additional helpdesk group
G_HELPDESK_B=$(group_randomname)
group_create "$G_HELPDESK_B" &&
	undo group_remove "$G_HELPDESK_B" ||
	fail_fast 140 "cannot create g_HELPDESK_B group $G_HELPDESK_B"
# create new user
U_HELPDESK_B=$(user_randomname)
user_create "$U_HELPDESK_B" &&
	undo user_remove "$U_HELPDESK_B" ||
	fail_fast 140 "cannot create U_HELPDESK_B user $U_HELPDESK_B"

# add user to corresponding group
udm-test groups/group modify \
	--dn "$(group_dn "$G_HELPDESK_B")" \
	--append users="$(user_dn "$U_HELPDESK_B")"

# create new test user
U_UNPROT=$(user_randomname)
user_create "$U_UNPROT" &&
	undo user_remove "$U_UNPROT" ||
	fail_fast 140 "cannot create U_UNPROT user $U_UNPROT"

U_UNPROT_B=$(user_randomname)
user_create "$U_UNPROT_B" &&
	undo user_remove "$U_UNPROT_B" ||
	fail_fast 140 "cannot create U_UNPROT_B user $U_UNPROT_B"
# create new protected test user
U_PROT=$(user_randomname)
user_create "$U_PROT" &&
	undo user_remove "$U_PROT" ||
	fail_fast 140 "cannot create U_PROT user $U_PROT"

# configure new group
UCRKEY="dn"
ucr set \
	ldap/acl/user/passwordreset/accesslist/groups/$UCRKEY="$(group_dn "$G_HELPDESK")" \
	ldap/acl/user/passwordreset/protected/uid="Administrator,$U_PROT"
undo /etc/init.d/slapd crestart # reversed order
undo ucr_restore
/etc/init.d/slapd crestart

. common.sh || exit 137
undo resetPwd Administrator

# test if Administrator can set passwords
echo "==> Test 1"
for u in "$U_HELPDESK" "$U_UNPROT" "$U_PROT"
do
	if ! hasPwdAccess "Administrator" "$u" ; then
		fail_fast 1 "Administrator cannot set password of $u"
	fi
	resetPwd "$u"
done

# test if helpdesk user can set passwords
echo "==> Test 2"
for u in "$U_UNPROT"
do
	if ! hasPwdAccess "$U_HELPDESK" "$u" ; then
		fail_fast 1 "helpdesk user $U_HELPDESK cannot set password of unprotected user $u"
	fi
	resetPwd "$u"
done

echo "==> Test 3"
for u in "Administrator" "$U_PROT"
do
	if hasPwdAccess "$U_HELPDESK" "$u" ; then
		fail_fast 1 "helpdesk user $U_HELPDESK can set password of protected user $u"
	fi
	resetPwd "$u"
done

# do test with two helpdesk groups
UCRKEY_B="$(random_chars 8 "${_lowerletters}")"
ucr set ldap/acl/user/passwordreset/accesslist/groups/$UCRKEY_B="$(group_dn "$G_HELPDESK_B")"
/etc/init.d/slapd crestart

# test if helpdesk user can set passwords
echo "==> Test 4"
for u in "$U_UNPROT"
do
	if ! hasPwdAccess "$U_HELPDESK" "$u" ; then
		fail_fast 1 "helpdesk user $U_HELPDESK cannot set password of unprotected user $u"
	fi
	resetPwd "$u"
done

echo "==> Test 5"
for u in "Administrator" "$U_PROT"
do
	if hasPwdAccess "$U_HELPDESK" "$u" ; then
		fail_fast 1 "helpdesk user $U_HELPDESK can set password of protected user $u"
	fi
	resetPwd "$u"
done

# test if helpdesk user can set passwords
echo "==> Test 6"
for u in "$U_UNPROT"
do
	if ! hasPwdAccess "$U_HELPDESK_B" "$u" ; then
		fail_fast 1 "helpdesk_b user $U_HELPDESK_B cannot set password of unprotected user $u"
	fi
	resetPwd "$u"
done

echo "==> Test 7"
for u in "Administrator" "$U_PROT"
do
	if hasPwdAccess "$U_HELPDESK_B" "$u" ; then
		fail_fast 1 "helpdesk_b user $U_HELPDESK_B can set password of protected user $u"
	fi
	resetPwd "$u"
done

# test if unprotected user with expired password can be reset
echo "==> Test 8"
udm-test users/user modify \
	--dn "uid=${U_UNPROT_B},cn=users,$ldap_base" \
	--set password="univention" \
	--set overridePWHistory=1 \
	--set overridePWLength=1 \
	--set pwdChangeNextLogin=1
for u in "$U_UNPROT_B"
do
	if ! hasPwdAccess "$U_HELPDESK" "$u" ; then
		fail_fast 1 "helpdesk user $U_HELPDESK cannot set password of unprotected user $u"
	fi
	resetPwd "$u"
done

# test if unprotected user with pw expiry policy can be set
echo "==> Test 9"
POLNAME="pwdpol-$(random_chars 8 "${_lowerletters}")"
udm-test policies/pwhistory create \
	--position "cn=policies,$ldap_base" \
	--set name="$POLNAME" \
	--set length=5 \
	--set expiryInterval=7 \
	--set pwLength=8 &&
	undo udm-test policies/pwhistory remove --dn "cn=$POLNAME,cn=policies,$ldap_base" ||
	fail_fast 140 "Creating policies/pwhistory failed"

if ! udm-test users/user modify \
	--dn "uid=$U_UNPROT_B,cn=users,$ldap_base" \
	--policy-reference "cn=$POLNAME,cn=policies,$ldap_base"
then
	fail_fast 140 "Setting reference of policies/pwhistory object $POLNAME to $U_UNPROT_B failed"
fi
for u in "$U_UNPROT_B"
do
	if ! hasPwdAccess "$U_HELPDESK" "$u" ; then
		fail_fast 1 "helpdesk user $U_HELPDESK cannot set password of unprotected user $u"
	fi
	resetPwd "$u"
done
udm-test policies/pwhistory remove --dn "cn=$POLNAME,cn=policies,$ldap_base"


# do test with additional attributes
# test if helpdesk user can set description BEFORE enabling it
echo "==> Test 10"
for u in "$U_UNPROT"
do
	if hasDescrAccess "$U_HELPDESK" "$u" ; then
		fail_fast 1 "helpdesk user $U_HELPDESK can set description of unprotected user $u"
	fi
done

ucr set ldap/acl/user/passwordreset/attributes="$old_ldap_acl_user_passwordreset_attributes,description"
/etc/init.d/slapd crestart
# test if helpdesk user can set description AFTER enabling it
echo "==> Test 11"
for u in "$U_UNPROT"
do
	if ! hasDescrAccess "$U_HELPDESK" "$u" ; then
		fail_fast 1 "helpdesk user $U_HELPDESK cannot set description of unprotected user $u"
	fi
done
# test if unprotected (simple) user can set description of other users
echo "==> Test 12"
for u in "$U_HELPDESK" "Administrator" "$U_HELPDESK_B"
do
	if hasDescrAccess "$U_UNPROT" "$u" ; then
		fail_fast 1 "simple user $U_UNPROT can set description of (helpdesk) user $u"
	fi
done
# test if unprotected (simple) user can set password of other users
echo "==> Test 13"
for u in "$U_HELPDESK" "Administrator" "$U_HELPDESK_B"
do
	if hasPwdAccess "$U_UNPROT" "$u" ; then
		fail_fast 1 "simple user $U_UNPROT can set password of (helpdesk) user $u"
	fi
done

exit "$RETVAL"
