load_lib "helpers.exp"

set timeout 30

spawn stty -a
expect { eof {} }
wait

# Setup: make sure the principals we will use have V4 salt
fix_salt "CPW.setup" testuser notathena notathena
fix_salt "CPW.setup" pol1 pol111111 pol111111
fix_salt "CPW.setup" pol2 pol222222 pol222222
unexpire "CPW.setup" testuser
unexpire "CPW.setup" pol1
unexpire "CPW.setup" pol2
unexpire "CPW.setup" changepw/kerberos

server_start "CPW.all" "-n" 1 {
	"KADM Server starting in the OVSEC_KADM mode" {}
}

kpasswd_v4 CPW.1 testuser 0 notathena foobar { "Password changed." {} }
kpasswd_v4 CPW.1 testuser 0 foobar notathena { "Password changed." {} }

kpasswd_v4 CPW.3 pol1 -1 pol111111 foo {
	"New password is too short." {}
} {
	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
}

kpasswd_v4 CPW.4 pol1 -1 pol111111 foooooooo {
	"New password does not have enough character classes." {}
} {
	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
}

kpasswd_v4 CPW.5 pol1 -1 pol111111 Abyssinia {
	"New password was found in a dictionary" {}
} {
	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
}

kpasswd_v4 CPW.6.setup pol1 0 pol111111 polAAAAAA { "Password changed." {} }
kpasswd_v4 CPW.6 pol1 -1 polAAAAAA pol111111 {
	"New password was used previously." {}
} {
	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
}

# We used to use kdb5_edit, which reset last_pwd_change.  Now we used
# kadmin.local, which doesn't, so we have to wait out the min life.
exec $sleep 30
kpasswd_v4 CPW.7.setup pol2 0 pol222222 polBBBBBB { "Password changed." {} }
kpasswd_v4 CPW.7 pol2 -1 polBBBBBB pol222222 {
	"Password cannot be changed because it was changed too recently." {}
} {
	"$kpasswd_v4: Insecure password rejected while attempting to change password." { send "\003\n"; close; break }
}

server_exit "CPW.all" -1