#!/usr/share/ucs-test/runner python
## desc: Check cron job script lock_expired_passwords
## roles: [domaincontroller_master]
## exposure: dangerous
## packages: [univention-directory-manager-tools]
## bugs: [35088]

import univention.admin.uldap
import univention.admin.modules as udm_modules
import univention.testing.udm as udm_test
import univention.testing.utils as utils
import pprint
import subprocess
import time


def main():
	print time.ctime()
	with udm_test.UCSTestUDM() as udm:
		udm_modules.update()
		lo, position = univention.admin.uldap.getAdminConnection()
		udm_modules.init(lo, position, udm_modules.get('users/user'))
		today = int(time.time() / 24 / 3600)

		def create_user(expiry_days_delta, locked_status):
			userdn, username = udm.create_user(locked=locked_status)
			oldattr = lo.get(userdn)
			shadowMax = 7
			lo.modify(userdn, [['shadowMax', oldattr.get('shadowMax', []), [str(shadowMax)]],
							   ['shadowLastChange', oldattr.get('shadowLastChange', []), [str(today + expiry_days_delta - shadowMax)]],
							   ])
			return username

		userdata = {}
		for delta, initial_state, expected_state in [[-9, 'none', 'posix'],
													 [-8, 'none', 'posix'],
													 [-7, 'none', 'posix'],
													 [-6, 'none', 'posix'],
													 [-5, 'none', 'posix'],
													 [-4, 'none', 'posix'],
													 [-3, 'none', 'posix'],
													 [-2, 'none', 'posix'],
													 [-1, 'none', 'posix'],
#													 [0, 'none', 'posix'],  disabled due to bug #36210
													 [1, 'none', 'none'],
													 [2, 'none', 'none'],
													 [-4, 'windows', 'all'],
#													 [0, 'windows', 'all'],  disabled due to bug #36210
													 [2, 'windows', 'windows'],
													 ]:
			userdata[create_user(delta, initial_state)] = [initial_state, expected_state]

		ldap_filter = '(|(uid=' + ')(uid='.join(userdata.keys()) + '))'

		results = udm_modules.lookup('users/user', None, lo, scope='sub', filter=ldap_filter)
		if len(results) != len(userdata):
			print 'RESULTS: %r' % (pprint.PrettyPrinter(indent=2).pformat(results),)
			utils.fail('Did not find all users prior to script execution!')
		for entry in results:
			entry.open()
			if not entry['locked'] == userdata[entry['username']][0]:
				utils.fail('uid=%s should not be locked for posix prior to script execution!' % (entry['username'],))

		print 'Calling lock_expired_passwords...'
		subprocess.call(['/usr/share/univention-directory-manager-tools/lock_expired_passwords'])
		print 'DONE'

		results = udm_modules.lookup('users/user', None, lo, scope='sub', filter=ldap_filter)
		if len(results) != len(userdata):
			print 'RESULTS: %r' % (pprint.PrettyPrinter(indent=2).pformat(results),)
			utils.fail('Did not find all users after script execution!')
		for entry in results:
			entry.open()
			if not entry['locked'] == userdata[entry['username']][1]:
				utils.fail('The account uid=%r is not in expected locking state: expected=%r  current=%r' % (entry['username'], userdata[entry['username']][1], entry['locked']))


if __name__ == '__main__':
	main()
