#!/usr/share/ucs-test/runner bash
## desc: Test that Domain Admins members are protected by default
## roles:
##  - domaincontroller_master
##  - domaincontroller_backup
## packages:
##  - univention-admingrp-user-passwordreset
## exposure: dangerous

. "$TESTLIBPATH/base.sh" || exit 137
. "$TESTLIBPATH/user.sh" || exit 137
. "$TESTLIBPATH/group.sh" || exit 137
. "$TESTLIBPATH/random.sh" || exit 137
. "$TESTLIBPATH/maildomain.sh" || exit 137
. "$TESTLIBPATH/ucr.sh" || exit 137
. "$TESTLIBPATH/undo.sh" || exit 137
. "$TESTLIBPATH/samba.sh" || exit 137

. common.sh || exit 137

create_mail_domain "$domainname" && undo delete_mail_domain "$domainname"

# create helpdesk user
U_HELPDESK=$(user_randomname)
user_create "$U_HELPDESK" &&
	undo user_remove "$U_HELPDESK" ||
	fail_fast 140 "cannot create U_HELPDESK user $U_HELPDESK"

udm-test groups/group modify \
	--dn "cn=User Password Admins,cn=groups,$ldap_base" \
	--append users="$(user_dn "$U_HELPDESK")"

# create domain admin member
U_ADMIN1=$(user_randomname)
user_create "$U_ADMIN1" &&
	undo user_remove "$U_ADMIN1" ||
	fail_fast 140 "cannot create U_ADMIN1 user $U_ADMIN1"
udm-test groups/group modify \
	--dn "cn=Domain Admins,cn=groups,$ldap_base" \
	--append users="$(user_dn "$U_ADMIN1")"

# create admin with primary group domain admins
U_ADMIN2=$(user_randomname)
user_create "$U_ADMIN2" &&
	undo user_remove "$U_ADMIN2" ||
	fail_fast 140 "cannot create U_ADMIN2 user $U_ADMIN2"
udm-test users/user modify \
	--dn "$(user_dn "$U_ADMIN2")" \
	--set primaryGroup="cn=Domain Admins,cn=groups,$ldap_base"

U_USER=$(user_randomname)
user_create "$U_USER" &&
	undo user_remove "$U_USER" ||
	fail_fast 140 "cannot create U_USER user $U_USER"

# wait for slapd restart
wait_for_replication_and_postrun
sleep 20

if hasPwdAccess "$U_HELPDESK" "$U_ADMIN1"; then
	univention-ldapsearch cn="Domain Admins"
	univention-ldapsearch uid="$U_ADMIN1"
	fail_fast 1 "$U_HELPDESK can set password of domain admin user $U_ADMIN1"
fi

if hasPwdAccess "$U_HELPDESK" "$U_ADMIN2"; then
	univention-ldapsearch cn="Domain Admins"
	univention-ldapsearch uid="$U_ADMIN2"
	fail_fast 1 "$U_HELPDESK can set password of domain admin user $U_ADMIN2"
fi

if ! hasPwdAccess "$U_HELPDESK" "$U_USER"; then
	univention-ldapsearch cn="Domain Admins"
	univention-ldapsearch cn="User Password Admins"
	univention-ldapsearch uid="$U_HELPDESK"
	univention-ldapsearch uid="$U_USER"
	fail_fast 1 "$U_HELPDESK can not set password of user $U_USER"
fi

# wait for slapd restart
wait_for_replication_and_postrun
sleep 10

exit "$RETVAL"
