#!/usr/share/ucs-test/runner bash
## desc: Test UMC ACLs
## roles:
##  - domaincontroller_master
## packages:
##  - univention-directory-manager-tools
##  - univention-management-console
## exposure: dangerous

. "$TESTLIBPATH/base.sh" || exit 137
. "$TESTLIBPATH/user.sh" || exit 137
. "$TESTLIBPATH/random.sh" || exit 137

eval "$(ucr shell)"

RETVAL=100

USERNAME=$(user_randomname)
PASSWORD=univention

info "Create user"
user_create "$USERNAME"

# Create UMC operation sets
for((i=1;i<11;i++)); do
	udm settings/umc_operationset create --position "cn=operations,cn=UMC,cn=univention,$ldap_base" \
			--set name=join$i \
			--set description="Join$i" \
			--append operation="join/*" \
			--append operation="lib/server/*"
done

udm policies/umc create --position "cn=UMC,cn=policies,$ldap_base" \
		--set name=test-umc-policy

udm users/user modify --dn "uid=$USERNAME,cn=users,$ldap_base" \
		--policy-reference "cn=test-umc-policy,cn=UMC,cn=policies,$ldap_base"

cleanup()
{
	udm policies/umc remove --dn "cn=test-umc-policy,cn=UMC,cn=policies,$ldap_base"
	for((i=1;i<11;i++)); do
		udm settings/umc_operationset remove --dn "cn=join$i,cn=operations,cn=UMC,cn=univention,$ldap_base"
	done
	user_remove "$USERNAME"
}

assign_acl ()
{
	operationset="cn=$1,cn=operations,cn=UMC,cn=univention,$ldap_base"
	udm policies/umc modify --dn "cn=test-umc-policy,cn=UMC,cn=policies,$ldap_base" \
		--set allow="$operationset"
}
test_acl ()
{
	python -c "from univention.testing.umc import Client; data = Client(None, '$USERNAME', 'univention').umc_command('join/scripts/query').result; assert isinstance(data, list), data"
}

modify_acl ()
{
	echo "dn: cn=$1,cn=operations,cn=UMC,cn=univention,$ldap_base
changetype: modify
replace: umcOperationSetHost
$2
" | ldapmodify -x -D cn=admin,$ldap_base -w $(</etc/ldap.secret)
}

modify_acl join1 "umcOperationSetHost: systemrole:domaincontroller_master
umcOperationSetHost: systemrole:domaincontroller_backup"
assign_acl join1
test_acl || fail_test 110

modify_acl join2 "umcOperationSetHost: systemrole:domaincontroller_master"
assign_acl join2
test_acl || fail_test 110

modify_acl join3 "umcOperationSetHost: systemrole:domaincontroller_backup"
assign_acl join3
test_acl && fail_test 110

modify_acl join4 "umcOperationSetHost: foo
umcOperationSetHost: $hostname"
assign_acl join4
test_acl || fail_test 110

modify_acl join5 "umcOperationSetHost: *"
assign_acl join5
test_acl || fail_test 110

modify_acl join6 "umcOperationSetHost: foo"
assign_acl join6
test_acl && fail_test 110

modify_acl join7 "umcOperationSetHost: service:LDAP"
assign_acl join7
test_acl || fail_test 110

modify_acl join8 "umcOperationSetHost: service:LDAP
umcOperationSetHost: service:FOO"
assign_acl join8
test_acl || fail_test 110

modify_acl join9 "umcOperationSetHost: service:BAR"
assign_acl join9
test_acl && fail_test 110

modify_acl join10 "umcOperationSetHost: *${hostname:2}"
assign_acl join10
test_acl || fail_test 110

cleanup

exit $RETVAL

