#!/usr/share/ucs-test/runner bash
## desc: univention-admingrp-user-passwordreset (grp in grp)
## roles:
##  - domaincontroller_master
##  - domaincontroller_backup
## packages:
##  - univention-admingrp-user-passwordreset
## exposure: dangerous

. "$TESTLIBPATH/base.sh" || exit 137
. "$TESTLIBPATH/user.sh" || exit 137
. "$TESTLIBPATH/group.sh" || exit 137
. "$TESTLIBPATH/random.sh" || exit 137
. "$TESTLIBPATH/maildomain.sh" || exit 137
. "$TESTLIBPATH/ucr.sh" || exit 137
. "$TESTLIBPATH/undo.sh" || exit 137

create_mail_domain "$domainname" && undo delete_mail_domain "$domainname"

# create helpdesk group
G_HELPDESK=$(group_randomname)
group_create "$G_HELPDESK" &&
	undo group_remove "$G_HELPDESK" ||
	fail_fast 140 "cannot create G_HELPDESK group $G_HELPDESK"
# create new user
U_HELPDESK=$(user_randomname)
user_create "$U_HELPDESK" &&
	undo user_remove "$U_HELPDESK" ||
	fail_fast 140 "cannot create U_HELPDESK user $U_HELPDESK"

# add user to corresponding group
udm-test groups/group modify \
	--dn "$(group_dn "$G_HELPDESK")" \
	--append users="$(user_dn "$U_HELPDESK")"

# create second helpdesk group
G_HELPDESK_B=$(group_randomname)
group_create "$G_HELPDESK_B" &&
	undo group_remove "$G_HELPDESK_B" ||
	fail_fast 140 "cannot create G_HELPDESK_B group $G_HELPDESK_B"
# create new user
U_HELPDESK_B=$(user_randomname)
user_create "$U_HELPDESK_B" &&
	undo user_remove "$U_HELPDESK_B" ||
	fail_fast 140 "cannot create U_HELPDESK_B user $U_HELPDESK_B"

# add user to corresponding group
udm-test groups/group modify \
	--dn "$(group_dn "$G_HELPDESK_B")" \
	--append users="$(user_dn "$U_HELPDESK_B")"
# create nested group
udm-test groups/group modify \
	--dn "$(group_dn "$G_HELPDESK")" \
	--append nestedGroup="$(group_dn "$G_HELPDESK_B")"

# create new protected test user
U_PROT=$(user_randomname)
user_create "$U_PROT" &&
	undo user_remove "$U_PROT" ||
	fail_fast 140 "cannot create U_PROT user $U_PROT"
# create new unprotected test user
U_UNPROT=$(user_randomname)
user_create "$U_UNPROT" &&
	undo user_remove "$U_UNPROT" ||
	fail_fast 140 "cannot create U_UNPROT user $U_UNPROT"

# prepare test
ucr set \
	ldap/acl/user/passwordreset/accesslist/groups/dn="$(group_dn "$G_HELPDESK")" \
	ldap/acl/user/passwordreset/protected/uid="Administrator,$U_PROT" \
	ldap/acl/nestedgroups=no
undo /etc/init.d/slapd crestart # reversed order
undo ucr_restore
/etc/init.d/slapd restart

. common.sh || exit 137
undo resetPwd Administrator

echo "==> test if helpdesk can reset password of unprotected user"
if ! hasPwdAccess "$U_HELPDESK" "$U_UNPROT" ; then
	fail_fast 1 "helpdesk $U_HELPDESK cannot set user password"
fi

echo "==> test if nested group helpdesk can reset password of unprotected user"
if hasPwdAccess "$U_HELPDESK_B" "$U_UNPROT" ; then
	fail_fast 1 "nested group helpdesk $U_HELPDESK_B can set user password - should not"
fi

# enable nested groups checks
ucr set	ldap/acl/nestedgroups=yes
/etc/init.d/slapd restart

echo "==> test if helpdesk can reset password of unprotected user"
if ! hasPwdAccess "$U_HELPDESK" "$U_UNPROT" ; then
	fail_fast 1 "helpdesk $U_HELPDESK cannot set user password"
fi

echo "==> test if nested group helpdesk can reset password of unprotected user"
if ! hasPwdAccess "$U_HELPDESK_B" "$U_UNPROT" ; then
	fail_fast 1 "nested group helpdesk $U_HELPDESK_B cannot set user password"
fi

exit "$RETVAL"
