#!/usr/share/ucs-test/runner bash
## desc: univention-admingrp-user-passwordreset (selfmodify)
## roles:
##  - domaincontroller_master
##  - domaincontroller_backup
## packages:
##  - univention-admingrp-user-passwordreset
## exposure: dangerous

. "$TESTLIBPATH/base.sh" || exit 137
. "$TESTLIBPATH/user.sh" || exit 137
. "$TESTLIBPATH/group.sh" || exit 137
. "$TESTLIBPATH/random.sh" || exit 137
. "$TESTLIBPATH/maildomain.sh" || exit 137
. "$TESTLIBPATH/ucr.sh" || exit 137
. "$TESTLIBPATH/undo.sh" || exit 137

create_mail_domain "$domainname" && undo delete_mail_domain "$domainname"

# create helpdesk group
G_HELPDESK=$(group_randomname)
group_create "$G_HELPDESK" &&
	undo group_remove "$G_HELPDESK" ||
	fail_fast 140 "cannot create G_HELPDESK group $G_HELPDESK"
# create new user
U_HELPDESK=$(user_randomname)
user_create "$U_HELPDESK" &&
	undo user_remove "$U_HELPDESK" ||
	fail_fast 140 "cannot create U_HELPDESK user $U_HELPDESK"

# add user to corresponding group
udm-test groups/group modify \
	--dn "$(group_dn "$G_HELPDESK")" \
	--append users="$(user_dn "$U_HELPDESK")"

# create new protected test user
U_PROT=$(user_randomname)
user_create "$U_PROT" &&
	undo user_remove "$U_PROT" ||
	fail_fast 140 "cannot create U_PROT user $U_PROT"

# create new unprotected test user
U_UNPROT=$(user_randomname)
user_create "$U_UNPROT" &&
	undo user_remove "$U_UNPROT" ||
	fail_fast 140 "cannot create U_UNPROT user $U_UNPROT"

UCRKEY="dn"
# users can modify their own password
# Allow users to modify their password in Univention Directory Manager
ucr set ldap/acl/user/password/change=yes \
	ldap/acl/user/passwordreset/accesslist/groups/$UCRKEY="$(group_dn $G_HELPDESK)" \
	ldap/acl/user/passwordreset/protected/uid="Administrator,$U_PROT"
undo /etc/init.d/slapd crestart # reversed order
undo ucr_restore
/etc/init.d/slapd crestart

. common.sh || exit 137
undo resetPwd Administrator

echo "==> reset all passwords"
for user in Administrator "$U_HELPDESK" "$U_PROT" "$U_UNPROT"
do
	resetPwd "$user"
done

# test if Administrator can set it's own password
echo "==> Test 1"
if ! hasPwdAccess "Administrator" "Administrator" ; then
	fail_fast 1 "Administrator cannot set its own password"
fi

# test if helpdesk user can set it's own password
echo "==> Test 2"
if ! hasPwdAccess "$U_HELPDESK" "$U_HELPDESK" ; then
	fail_fast 1 "Helpdesk user $U_HELPDESK cannot set its own password"
fi

# test if unprotected user can set it's own password
echo "==> Test 3"
if ! hasPwdAccess "$U_PROT" "$U_PROT" ; then
	fail_fast 1 "Unportected user $U_PROT cannot set its own password"
fi

exit "$RETVAL"
