# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
---

- name: Include base_vars of control plane
  include_vars: "{{ role_path }}/../../control_plane/input_params/base_vars.yml"

- name: Unset ipa server status on MS
  set_fact:
    ipa_server_ms: false

- name: Check if ipa server file of MS exists
  stat:
    path: "{{ ipa_secret_file }}"
  register: ms_file_exists

- name: Check if ipa server is installed on MS
  block:
    - name: Check login_vars file is encrypted
      command: cat "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
      changed_when: false
      register: config_content
      no_log: true

    - name: Decrpyt login_vars.yml
      command: >-
        ansible-vault decrypt "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
        --vault-password-file "{{ role_path }}/../../control_plane/{{ vault_filename }}"
      changed_when: false
      when: "'$ANSIBLE_VAULT;' in config_content.stdout"

    - name: Include variable file login_vars.yml
      include_vars: "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
      no_log: true

    - name: Save variables of ipa server from Management Station
      set_fact:
        ms_ipa_admin_password: '{{ ipa_admin_password }}'

    - name: Create ansible vault key
      set_fact:
        vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
      when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

    - name: Save vault key
      copy:
        dest: "{{ role_path }}/../../control_plane/{{ vault_filename }}"
        content: |
          {{ vault_key }}
        owner: root
        force: yes
        mode: "{{ vault_file_perm }}"
      when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

    - name: Encrypt input config file
      command: >-
        ansible-vault encrypt "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
        --vault-password-file "{{ role_path }}/../../control_plane/{{ vault_filename }}"
      changed_when: false

    - name: Update login_vars.yml permission
      file:
        path: "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
        mode: "{{ vault_file_perm }}"

    - name: Include ipa server hostname and domain name
      include_vars: "{{ ipa_secret_file }}"

    - name: Set ipa server status on MS
      set_fact:
        ipa_server_ms: true
  when:
    - enable_security_support
    - ms_file_exists.stat.exists