#!/usr/share/ucs-test/runner bash
## desc: Test that ldap/acl/user/passwordreset/protected/gid members are protected
## roles:
##  - domaincontroller_master
##  - domaincontroller_backup
## packages:
##  - univention-admingrp-user-passwordreset
## exposure: dangerous

. "$TESTLIBPATH/base.sh" || exit 137
. "$TESTLIBPATH/user.sh" || exit 137
. "$TESTLIBPATH/group.sh" || exit 137
. "$TESTLIBPATH/random.sh" || exit 137
. "$TESTLIBPATH/maildomain.sh" || exit 137
. "$TESTLIBPATH/ucr.sh" || exit 137
. "$TESTLIBPATH/undo.sh" || exit 137

. common.sh || exit 137

create_mail_domain "$domainname" && undo delete_mail_domain "$domainname"

# check LDAP Server
#  https://forge.univention.org/bugzilla/show_bug.cgi?id=33992
trap "if [ ! -e /var/run/slapd/slapd.pid ]; then pkill -9 -f /usr/sbin/slapd; /etc/init.d/slapd start; fi" EXIT

# create helpdesk user
U_HELPDESK=$(user_randomname)
user_create "$U_HELPDESK" &&
	undo user_remove "$U_HELPDESK" ||
	fail_fast 140 "cannot create U_HELPDESK user $U_HELPDESK"

udm-test groups/group modify \
	--dn "cn=User Password Admins,cn=groups,$ldap_base" \
	--append users="$(user_dn "$U_HELPDESK")"

# create admin group
G_ADMIN=$(group_randomname)
group_create "$G_ADMIN" &&
	undo group_remove "$G_ADMIN" ||
	fail_fast 140 "cannot create G_ADMIN group $G_ADMIN"

# create admin member
U_ADMIN1=$(user_randomname)
user_create "$U_ADMIN1" &&
	undo user_remove "$U_ADMIN1" ||
	fail_fast 140 "cannot create U_ADMIN1 user $U_ADMIN1"
udm-test groups/group modify \
	--dn "$(group_dn "$G_ADMIN")" \
	--append users="$(user_dn "$U_ADMIN1")"

# create admin with primary group domain admins
U_ADMIN2=$(user_randomname)
user_create "$U_ADMIN2" &&
	undo user_remove "$U_ADMIN2" ||
	fail_fast 140 "cannot create U_ADMIN2 user $U_ADMIN2"
udm-test users/user modify \
	--dn "$(user_dn "$U_ADMIN2")" \
	--set primaryGroup="$(group_dn "$G_ADMIN")"

U_USER=$(user_randomname)
user_create "$U_USER" &&
	undo user_remove "$U_USER" ||
	fail_fast 140 "cannot create U_USER user $U_USER"

# wait for slapd restart
wait_for_replication_and_postrun
sleep 3

undo ucr_restore
ucr set ldap/acl/user/passwordreset/protected/gid="Domain Admins,$G_ADMIN"

if hasPwdAccess "$U_HELPDESK" "$U_ADMIN1"; then
	univention-ldapsearch cn="Domain Admins"
	univention-ldapsearch uid="$U_ADMIN1"
	fail_fast 1 "$U_HELPDESK can set password of domain admin user $U_ADMIN1"
fi

if hasPwdAccess "$U_HELPDESK" "$U_ADMIN2"; then
	univention-ldapsearch cn="Domain Admins"
	univention-ldapsearch uid="$U_ADMIN2"
	fail_fast 1 "$U_HELPDESK can set password of domain admin user $U_ADMIN2"
fi

if ! hasPwdAccess "$U_HELPDESK" "$U_USER"; then
	univention-ldapsearch cn="Domain Admins"
	univention-ldapsearch cn="User Password Admins"
	univention-ldapsearch uid="$U_HELPDESK"
	univention-ldapsearch uid="$U_USER"
	fail_fast 1 "$U_HELPDESK can not set password of user $U_USER"
fi

# wait for slapd restart
wait_for_replication_and_postrun
sleep 3


exit "$RETVAL"
