#!/usr/share/ucs-test/runner bash
## desc: Test UMC password change on expired password
## roles:
##  - domaincontroller_master
## packages:
##  - univention-directory-manager-tools
##  - univention-management-console
## exposure: dangerous

. "$TESTLIBPATH/base.sh" || exit 137
. "$TESTLIBPATH/user.sh" || exit 137
. "$TESTLIBPATH/random.sh" || exit 137
. "$TESTLIBPATH/undo.sh" || exit 137

COOKIEJAR="$(mktemp)"
TARGET="localhost"

RETVAL=100

PASSWORD=univention
SHORT_PASSWORD=Test
SIMPLE_PASSWORD=univention2
NEW_PASSWORD=Univention.99

# create test user
test_username=$(user_randomname)
user_create "$test_username" &&
	undo user_remove "$test_username" ||
	fail_fast 140 "cannot create user $test_username"

## basic test #1: Login with invalid user
output=$(curl -s -H 'Accept-Language: en-US' --cookie-jar "$COOKIEJAR" -d "{\"options\":{\"username\":\"UNKNOWN$test_username\",\"password\":\"$PASSWORD\"}}" -H "Content-Type: application/json" "http://$TARGET/umcp/auth")
if [ -z "$output" ]; then
	fail_fast 110 "UMC authentication with invalid user succeeded!"
fi

## basic test #2: Login with invalid password
output=$(curl -s -H 'Accept-Language: en-US' --cookie-jar "$COOKIEJAR" -d "{\"options\":{\"username\":\"$test_username\",\"password\":\"INVALID$PASSWORD\"}}" -H "Content-Type: application/json" "http://$TARGET/umcp/auth")
if [ -z "$output" ]; then
	fail_fast 110 "UMC authentication with invalid password succeeded!"
fi



## Now simulate expiration of the user password
test_userdn=$(user_dn "$test_username")

udm-test users/user modify --dn "$test_userdn" \
	--set pwdChangeNextLogin=1 --set locked=posix

wait_for_replication_and_postrun

## And check the UMC logon:
output=$(curl -s -H 'Accept-Language: en-US' --cookie-jar "$COOKIEJAR" -d "{\"options\":{\"username\":\"$test_username\",\"password\":\"$PASSWORD\"}}" -H "Content-Type: application/json" "http://$TARGET/umcp/auth")
if [ -z "$output" ]; then
	fail_fast 110 "UMC authentication against expired password succeeded!"
fi

if [ "$(python -c "output=$output; print output['message']")" != "The password has expired and must be renewed" ]; then
	fail_test 110 "unexpected message returned by UMC: $output, expected: The password has expired"
fi

## Now change password case #1: short password, should fail
output=$(curl -s -H 'Accept-Language: en-US' --cookie-jar "$COOKIEJAR" -d "{\"options\":{\"username\":\"$test_username\",\"password\":\"$PASSWORD\",\"new_password\":\"$SHORT_PASSWORD\"}}" -H "Content-Type: application/json" "http://$TARGET/umcp/auth")
if [ "$(python -c "output=$output; print output['message']")" != "Changing password failed. The password is too short" ]; then
	fail_test 110 "unexpected message returned by UMC while trying to set short password: $output"
fi
if [ "$(python -c "output=$output; print output['status']")" != "411 Length Required" ]; then
	fail_test 110 "unexpected status returned by UMC while trying to set short password: $output"
fi

## Now change password case #2: simple password, should fail
output=$(curl -s -H 'Accept-Language: en-US' --cookie-jar "$COOKIEJAR" -d "{\"options\":{\"username\":\"$test_username\",\"password\":\"$PASSWORD\",\"new_password\":\"$SIMPLE_PASSWORD\"}}" -H "Content-Type: application/json" "http://$TARGET/umcp/auth")
if [ "$(python -c "output=$output; print output['message']")" != "Changing password failed. The password is too simple" ]; then
	fail_test 110 "unexpected message returned by UMC while trying to set simple password: $output"
fi
if [ "$(python -c "output=$output; print output['status']")" != "411 Length Required" ]; then
	fail_test 110 "unexpected status returned by UMC while trying to set simple password: $output"
fi

## Now change password case #3: proper new password, must work
output=$(curl -s -H 'Accept-Language: en-US' --cookie-jar "$COOKIEJAR" -d "{\"options\":{\"username\":\"$test_username\",\"password\":\"$PASSWORD\",\"new_password\":\"$NEW_PASSWORD\"}}" -H "Content-Type: application/json" "http://$TARGET/umcp/auth")
if [ -n "$output" ]; then
	fail_fast 110 "Unexpected output returned by UMC during password change: $output"
fi

wait_for_replication_and_postrun

## Finally confirm logon with new password
output=$(curl -s -H 'Accept-Language: en-US' --cookie-jar "$COOKIEJAR" -d "{\"options\":{\"username\":\"$test_username\",\"password\":\"$NEW_PASSWORD\"}}" -H "Content-Type: application/json" "http://$TARGET/umcp/auth")
if [ -n "$output" ]; then
	fail_test 110 "Unexpected output returned by UMC after password change: $output"
fi

exit "$RETVAL"
