#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2016-2021 Ondřej Kuzník, Symas Corp.
## Copyright 2021-2024 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.

echo "running defines.sh"
. $SRCDIR/scripts/defines.sh

if test $OTP = otpno; then
    echo "OTP overlay not available, test skipped"
    exit 0
fi

OTP_DATA=$DATADIR/otp/hotp.ldif

# OTPs for this token
TOKEN_0=818800
TOKEN_1=320382
TOKEN_2=404533
TOKEN_3=127122
TOKEN_4=892599
TOKEN_5=407030
TOKEN_6=880935
TOKEN_7=920291
TOKEN_8=145192
TOKEN_9=316404
TOKEN_10=409144

# OTPs for the second set of parameters
TOKEN_SHA512_11=17544155
TOKEN_SHA512_12=48953477

mkdir -p $TESTDIR $DBDIR1

echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND < $CONF > $ADDCONF
$SLAPADD -f $ADDCONF -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
    echo "slapadd failed ($RC)!"
    exit $RC
fi

mkdir $TESTDIR/confdir
. $CONFFILTER $BACKEND < $CONF > $CONF1

$SLAPPASSWD -g -n >$CONFIGPWF
echo "database config" >>$CONF1
echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >>$CONF1

echo "Starting slapd on TCP/IP port $PORT1..."
$SLAPD -f $CONF1 -F $TESTDIR/confdir -h $URI1 -d $LVL > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
    echo PID $PID
    read foo
fi
KILLPIDS="$PID"

sleep $SLEEP0

for i in 0 1 2 3 4 5; do
    $LDAPSEARCH -s base -b "$MONITOR" -H $URI1 \
        'objectclass=*' > /dev/null 2>&1
    RC=$?
    if test $RC = 0 ; then
        break
    fi
    echo "Waiting ${SLEEP1} seconds for slapd to start..."
    sleep ${SLEEP1}
done

if [ "$OTP" = otpmod ]; then
$LDAPADD -D cn=config -H $URI1 -y $CONFIGPWF \
    >> $TESTOUT 2>&1 <<EOMOD
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: $TESTWD/../servers/slapd/overlays
olcModuleLoad: otp.la
EOMOD
RC=$?
if test $RC != 0 ; then
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi
fi

echo "Loading test otp configuration..."
$LDAPMODIFY -v -D cn=config -H $URI1 -y $CONFIGPWF \
    >> $TESTOUT 2>&1 <<EOMOD
dn: olcOverlay={0}otp,olcDatabase={1}$BACKEND,cn=config
changetype: add
objectClass: olcOverlayConfig
EOMOD
RC=$?
if test $RC != 0 ; then
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "Provisioning tokens and configuration..."
$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
    >> $TESTOUT 2>&1 < $OTP_DATA
RC=$?
if test $RC != 0 ; then
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi


echo "Authentication tests:"
echo "\ttoken that's not valid yet..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_10" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\ta valid and expected token..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_4" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapwhoami failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\ta valid token skipping some..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_6" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapwhoami failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\treusing the same token..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_6" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\tanother account sharing the same token..."
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjorn$TOKEN_7" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapwhoami failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\ttrying an old token..."
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjorn$TOKEN_5" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\tright token, wrong password..."
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjensen$TOKEN_8" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\tmaking sure previous token has been retired too..."
$LDAPWHOAMI -D "$BJORNSDN" -H $URI1 -w "bjorn$TOKEN_8" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\tthe first token we tested that's just become valid..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_10" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapwhoami failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "Reconfiguring token parameters..."
$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \
	>/dev/null 2>&1 << EOMODS
dn: ou=Information Technology Division,ou=People,dc=example,dc=com
changetype: modify
replace: oathHOTPParams
oathHOTPParams: ou=Alumni Association,ou=People,dc=example,dc=com
EOMODS
RC=$?
if test $RC != 0 ; then
    echo "ldapmodify failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "A new round of tests:"

echo "\ta long token that's not valid yet..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_12" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 49 ; then
    echo "ldapwhoami should have failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\ta valid and expected token..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_11" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapwhoami failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "\tthe previous long token that's just become valid..."
$LDAPWHOAMI -D "$BABSDN" -H $URI1 -w "bjensen$TOKEN_SHA512_12" \
    >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
    echo "ldapwhoami failed ($RC)!"
    test $KILLSERVERS != no && kill -HUP $KILLPIDS
    exit $RC
fi

echo "Retrieving token status..."
$LDAPSEARCH -b "ou=Information Technology Division,ou=People,dc=example,dc=com" \
    -H $URI1 objectclass=oathHOTPToken '@oathHOTPToken' \
    >> $SEARCHOUT 2>&1
RC=$?
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	test $KILLSERVERS != no && kill -HUP $KILLPIDS
	exit $RC
fi

test $KILLSERVERS != no && kill -HUP $KILLPIDS

LDIF=$DATADIR/otp/test001-out.ldif

echo "Filtering ldapsearch results..."
$LDIFFILTER < $SEARCHOUT > $SEARCHFLT
echo "Filtering ldif with expected data..."
$LDIFFILTER < $LDIF > $LDIFFLT
echo "Comparing filter output..."
$CMP $SEARCHFLT $LDIFFLT > $CMPOUT

if test $? != 0 ; then
	echo "Comparison failed"
	exit 1
fi

echo ">>>>> Test succeeded"

test $KILLSERVERS != no && wait

exit 0