#!@PERL@
# -*- perl -*-
#
# Password prompting tests for the wallet client.
#
# Written by Russ Allbery <eagle@eyrie.org>
# Copyright 2018 Russ Allbery <eagle@eyrie.org>
# Copyright 2008, 2010, 2014
#     The Board of Trustees of the Leland Stanford Junior University
#
# SPDX-License-Identifier: MIT

use strict;
use warnings;

use Test::More tests => 5;

use lib "$ENV{C_TAP_SOURCE}/../perl/lib";
use Wallet::Admin;

use lib "$ENV{C_TAP_SOURCE}/../perl/t/lib";
use Util;

# cd to the correct directory.
chdir "$ENV{C_TAP_SOURCE}" or die "Cannot chdir to $ENV{C_TAP_SOURCE}: $!\n";

SKIP: {
    skip 'no password configuration', 5
        unless -f "$ENV{C_TAP_BUILD}/config/password";
    my $remctld = '@REMCTLD@';
    skip 'remctld not found', 5 unless $remctld;
    eval { require Expect };
    skip 'Expect module not found', 5 if $@;

    # Disable sending of wallet's output to our standard output.  Do this
    # twice to avoid Perl warnings.
    $Expect::Log_Stdout = 0;
    $Expect::Log_Stdout = 0;

    # Spawn remctld and set up with a different ticket cache.
    unlink ('krb5cc_test', 'test-pid');
    my $principal = contents ("$ENV{C_TAP_BUILD}/config/principal");
    remctld_spawn ($remctld, $principal, "$ENV{C_TAP_BUILD}/config/keytab",
                   "$ENV{C_TAP_SOURCE}/data/basic.conf");
    $ENV{KRB5CCNAME} = 'krb5cc_test';

    # Read in the principal and password.
    open (PASS, '<', "$ENV{C_TAP_BUILD}/config/password")
        or die "Cannot open $ENV{C_TAP_BUILD}/config/password: $!\n";
    my $user = <PASS>;
    my $password = <PASS>;
    close PASS;
    chomp ($user, $password);

    # Spawn wallet and check an invalid password.
    my $wallet = Expect->spawn ("$ENV{C_TAP_BUILD}/../client/wallet", '-k',
                                $principal, '-p', 14373, '-s', 'localhost',
                                '-c', 'fake-wallet', '-u', $user, 'get',
                                'keytab', 'service/fake-output');
    is ($wallet->expect (2, '-re', 'Password.*: '), 1, 'Saw password prompt');
    $wallet->send ("invalid-$password\n");
    is ($wallet->expect (2, 'wallet: authentication failed: '), 1,
        ' and saw error message from an invalid password');
    $wallet->soft_close;

    # Now check a valid password.
    $wallet = Expect->spawn ("$ENV{C_TAP_BUILD}/../client/wallet", '-k',
                             $principal, '-p', 14373, '-s', 'localhost',
                             '-c', 'fake-wallet', '-u', $user, 'get',
                             'keytab', 'service/fake-output');
    is ($wallet->expect (2, '-re', 'Password.*: '), 1, 'Saw password prompt');
    $wallet->send ("$password\n");
    is ($wallet->expect (2, 'This is a fake keytab'), 1,
        ' and saw the right output');
    $wallet->soft_close;
    ok (!-f 'krb5cc_test', ' and no ticket cache is left behind');

    # All done.
    remctld_stop;
    unlink 'test-pid';
}