#!/bin/bash

# Author: Iain Douglas <centos@1n6.org.uk>

#

function ExitFail

{

    t_Log "FAIL"

    exit $FAIL

}

#

# Test the command line options for passwd that are restricted to root.

#

t_Log "Running $0 - Check root only actions"

t_Log "Create test user passtest"

userdel -rf passtest; useradd passtest && echo passtest | passwd --stdin passtest &>/dev/null

t_CheckExitStatus $?

# Check that passwd -l locks the password - the field in /etc/shadow has 

# a ! prepended

t_Log "Check account can be locked"

passwd -l passtest &>/dev/null

if [ $? -eq "0" ]

then

    getent shadow passtest | cut -f2 -d: | grep '^!' &>/dev/null

    t_CheckExitStatus $?

else

    ExitFail

fi

# Check that passwd -u will unlock the account - removes the ! from the 

# start of the password field in /etc/shadow

t_Log "Check account can be unlocked"

passwd -u passtest &>/dev/null

if [ $? -eq "0" ]

then

    getent shadow passtest | cut -f2 -d: | grep -v '^!' &>/dev/null

    t_CheckExitStatus $?

else

    ExitFail

fi

# Check that passwd -e expires an account. Field 3 of /etc/shadow is set to 0

t_Log "Check password can be expired"

if [ $centos_ver == '5' ]

  then

  t_Log 'This is a C5 system - option -e does not exist - skipping'

else

  passwd -e passtest &>/dev/null

  if [ $? -eq "0" ]

  then

    getent shadow passtest | cut -f3 -d: | grep '^0' &>/dev/null 

    t_CheckExitStatus $?

    echo passtest | passwd --stdin passtest &>/dev/null

  else

    ExitFail

  fi

fi

# Check that passwd -n, -x, -w -i set the mindays, maxdays, warndays and

# inactive fields (4-7) in /etc/shadow

t_Log "Check password aging data can be set"

passwd -n 11 -x 22 -w 33 -i 44 passtest &>/dev/null

if [ $? -eq "0" ]

then

    getent shadow passtest | cut -f4-7 -d: | grep '^11:22:33:44' &>/dev/null

    t_CheckExitStatus $?

else

    ExitFail

fi

# Check that passwd -d deletes the password - the field in /etc/shadow is

# cleared

t_Log "Check password can be deleted"

passwd -d passtest &>/dev/null

if [ $? -eq "0" ]

then

    password=$(getent shadow passtest | cut -f2 -d:)

    if [ -z "${password}" ]

    then

        t_Log "PASS"

    else

        ExitFail

    fi

else

    ExitFail

fi

# Passwd won't, without being forced, unlock an account with a blank password

# so check this is the case.

t_Log "Check blank password cannot be unlocked"

passwd -l passtest &>/dev/null

passwd -u passtest &>/dev/null 

if [ $? -ne "0" ]

then

    t_Log PASS

else

    ExitFail

fi

# Force passwd to unlock an account with a blank password passwd -uf.

t_Log "Check blank password can be force unlocked"

passwd -uf passtest &>/dev/null

t_CheckExitStatus $?

# Check the output of passwd -S at this point it should be

# passtest NP YYYY-MM-DD  11 22 33 44 (Empty password.)

# It's possible that this will run on a different side of midnight to earlier 

# commands so if checking the output for today fails check yesterday too

t_Log "Check output of passwd -S"

expected="passtest NP "$(date +'%F')" 11 22 33 44 (Empty password.)"

passwd -S passtest | grep "$expected" &>/dev/null

if [ $? -eq "0" ]

then

    t_Log "PASS"

else

    expected="passtest NP "$(date +'%F' -d yesterday)" 11 22 33 44 (Empty password.)"

    passwd -S passtest | grep "$expected" &>/dev/null

    t_CheckExitStatus $?

fi