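#!/bin/bash
#
# Reproduction script for Samba account-lockout behaviour on a Univention
# host (it relies on ucr, udm, univention-s4search, samba-tool and smbclient).
#
# Side effects that this script does NOT revert:
#   * creates the user "$testusername" below cn=users,
#   * overwrites the DOMAIN-WIDE lockout policy (threshold 3, duration 1,
#     reset-after 2) via samba-tool.
# Run it on a disposable test domain only, or record the previous values with
# "samba-tool domain passwordsettings show" first and restore them afterwards.
#
# "set -e" is deliberately not used: most smbclient calls here are expected
# to fail, that is the point of the test.

# ucr shell prints the local config registry as shell assignments; this is
# where $ldap_base comes from. The eval trusts that local tool's output.
eval "$(ucr shell)"

# Fixture credentials for the throwaway account created below.
testusername=user2
password=univention
wrong_password=foo

# Print a heading preceded by a blank line (same output as echo -e "\n...").
say() {
  printf '\n%s\n' "$1"
}

# Attempt an SMB logon as the test user with the password given in $1.
# Returns smbclient's exit status; stderr is discarded, stdout is shown.
# NOTE(review): the password is passed on the command line and is therefore
# visible in the process list while smbclient runs. Tolerable for fixture
# credentials; for anything else use smbclient's -A/--authentication-file.
try_logon() {
  smbclient //localhost/sysvol -U "${testusername}%$1" -c quit 2>/dev/null
}

# Print the three lockout-related attributes of the test account, sorted.
show_account_state() {
  say "Account state:"
  univention-s4search samaccountname="$testusername" \
    badPwdCount badPasswordTime lockoutTime 2>/dev/null \
    | grep -E '^(badPwdCount|badPasswordTime|lockoutTime)' \
    | sort
}

# Creation fails when the user already exists (e.g. on a re-run); the test is
# still meaningful then, so only warn instead of aborting.
if ! udm users/user create \
  --position "cn=users,$ldap_base" \
  --set username="$testusername" \
  --set lastname=s1 \
  --set password="$password"; then
  printf 'WARNING: could not create user %s, continuing\n' "$testusername" >&2
fi

# The 65 s waits further down assume the lockout duration of 1 is one minute.
# stderr is silenced as in the original, so report a failure explicitly:
# without this policy none of the results below mean anything.
if ! samba-tool domain passwordsettings set \
  --account-lockout-duration=1 \
  --account-lockout-threshold=3 \
  --reset-account-lockout-after=2 2>/dev/null; then
  printf 'WARNING: setting the lockout policy failed\n' >&2
fi

### Show basic unlock functionality
sleep 5

say "Perform a couple of invalid logons (one less than allowed):"
try_logon "$wrong_password"
try_logon "$wrong_password"
show_account_state

say "After the next logon the account should get locked:"
try_logon "$wrong_password"

say "Verify that the account is locked:"
show_account_state

say "Logon test:"
# if/else instead of "a && b || c", so the OK branch can only be reached
# through a failed logon.
if try_logon "$wrong_password"; then
  echo "FAIL: Logon succeeded!"
else
  echo "OK: Logon with invalid password denied"
fi
if try_logon "$password"; then
  echo "FAIL: Logon succeeded!"
else
  echo "OK: Logon with correct password denied"
fi

say "Wait 65 seconds for unlock:"
sleep 65

say "The next logon should work:"
if try_logon "$password"; then
  echo "Logon OK"
else
  # The original printed nothing here, which made a failure easy to miss.
  echo "FAIL: Logon with correct password denied"
fi

### Show strange behaviour:
say "Lock the account again:"
for _ in 1 2 3 4; do
  try_logon "$wrong_password"
done

say "Wait 65 seconds for unlock:"
sleep 65
show_account_state

say "Now attempt to logon again with an invalid password:"
try_logon "$wrong_password"
show_account_state

say "NOTE: the badPwdCount has been inceased another time by one and the badPasswordTime has been updated!"

say "Wait another 10 seconds just to be sure that his is no replication issue:"
sleep 10

printf '%s\n' "Now attempt to logon again with the correct password:"
try_logon "$password"
show_account_state

# NOTE(review): reset-account-lockout-after is set to 2 above while only 65 s
# pass after the last bad attempt. If that option is in minutes like the
# lockout duration, the counter's reset window has not elapsed yet, which may
# account for the observation below. Confirm before filing it as a bug.
say "NOTE: This is a bit unexpected: The badPwdCount is not reset to 1 on the first bad attempt after unlock."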