#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
---

- name: Include base_vars of control plane
  include_vars: "{{ role_path }}/../../control_plane/input_params/base_vars.yml"

- name: Check if omnia_vault_key exists
  stat:
    path: "{{ role_path }}/../../{{ config_vaultname }}"
  register: vault_key_result

- name: Create ansible vault key if it does not exist
  set_fact:
    vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
  when: not vault_key_result.stat.exists

- name: Save vault key
  copy:
    dest: "{{ role_path }}/../../{{ config_vaultname }}"
    content: |
      {{ vault_key }}
    owner: root
    force: yes
    mode: '0600'
  when: not vault_key_result.stat.exists

- name: Check if omnia config file is encrypted
  command: cat {{ role_path }}/../../{{ config_filename }}
  changed_when: false
  register: config_content
  no_log: True

- name: Decrpyt omnia_config.yml
  command: >-
    ansible-vault decrypt {{ role_path }}/../../{{ config_filename }}
    --vault-password-file {{ role_path }}/../../{{ config_vaultname }}
  when: "'$ANSIBLE_VAULT;' in config_content.stdout"

- name: Include variable file omnia_config.yml
  include_vars: "{{ role_path }}/../../{{ config_filename }}"
  no_log: True

- name: Validate input parameters are not empty
  fail:
    msg: "{{ input_config_failure_msg }}"
  register: input_config_check
  when:
    - mariadb_password | length < 1 or
      k8s_version | length < 1 or
      k8s_cni | length < 1 or
      k8s_pod_network_cidr | length < 1 or
      ansible_config_file_path | length < 1

- name: Assert mariadb_password
  assert:
    that:
      - mariadb_password | length > min_length | int - 1
      - mariadb_password | length < max_length | int + 1
      - '"-" not in mariadb_password '
      - '"\\" not in mariadb_password '
      - '"\"" not in mariadb_password '
      - " \"'\" not in mariadb_password "
    success_msg: "{{ success_msg_mariadb_password }}"
    fail_msg: "{{ fail_msg_mariadb_password }}"

- name: Assert kubernetes version
  assert:
    that: "('1.16.7' in k8s_version) or ('1.19.3' in k8s_version)"
    success_msg: "{{ success_msg_k8s_version }}"
    fail_msg: "{{ fail_msg_k8s_version }}"

- name: Assert kubernetes cni
  assert:
    that:
      - "('calico' in k8s_cni) or ('flannel' in k8s_cni)"
    success_msg: "{{ success_msg_k8s_cni }}"
    fail_msg: "{{ fail_msg_k8s_cni }}"

- name: Assert kubernetes pod network CIDR
  assert:
    that:
      - k8s_pod_network_cidr | length > 9
      - '"/" in k8s_pod_network_cidr '
    success_msg: "{{ success_msg_k8s_pod_network_cidr }}"
    fail_msg: "{{ fail_msg_k8s_pod_network_cidr }}"

- name: Save input variables from file
  set_fact:
    db_password: "{{ mariadb_password }}"
    k8s_version: "{{ k8s_version }}"
    k8s_cni: "{{ k8s_cni }}"
    k8s_pod_network_cidr: "{{ k8s_pod_network_cidr }}"
    docker_username: "{{ docker_username }}"
    docker_password: "{{ docker_password }}"
    ansible_conf_file_path: "{{ ansible_config_file_path }}"
  no_log: True

- name: Verify the value of login_node_required
  assert:
    that:
      - login_node_required == true or login_node_required == false
    success_msg: "{{ login_node_required_success_msg }}"
    fail_msg: "{{ login_node_required_fail_msg }}"

- name: Initialize ipa_server_ms
  set_fact:
    ipa_server_ms: false

- name: Check if ipa server file of MS exists
  stat:
    path: "{{ ipa_secret_file }}"
  register: ms_file_exists

- name: Set ipa server status on MS
  set_fact:
    ipa_server_ms: true
  when:
    - enable_security_support
    - ms_file_exists.stat.exists

- name: Validate login node parameters when login_node_reqd is set to true
  fail:
    msg: "{{ input_config_failure_msg }} for login_node"
  when:
    - ( domain_name | length < 1 or
      realm_name | length < 1 or
      directory_manager_password | length < 1 or
      kerberos_admin_password | length < 1 ) 
    - login_node_required
    - not ipa_server_ms

- name: Verify the value of enable_secure_login_node
  assert:
    that:
      - enable_secure_login_node == true or enable_secure_login_node == false
    success_msg: "{{ secure_login_node_success_msg }}"
    fail_msg: "{{ secure_login_node_fail_msg }}"
  when: login_node_required

- name: Login node to contain exactly 1 node
  assert:
    that:
      - "groups['login_node'] | length | int == 1"
    fail_msg: "{{ login_node_group_fail_msg }}"
    success_msg: "{{ login_node_group_success_msg }}"
  when: login_node_required

- name: Validate the domain name
  assert:
    that:
      - domain_name is regex("^(?!-)[A-Za-z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Za-z]{2,}$")
    success_msg: "{{ domain_name_success_msg }}"
    fail_msg: "{{ domain_name_fail_msg }}"
  when:
    - login_node_required
    - not ipa_server_ms

- name: Validate the realm name
  assert:
    that:
      - realm_name is regex("^(?!-)[A-Z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Z]{2,}$")
      - '"." in realm_name'
    success_msg: "{{ realm_name_success_msg }}"
    fail_msg: "{{ realm_name_fail_msg }}"
  when:
    - login_node_required
    - not ipa_server_ms

- name: Assert directory_manager_password
  assert:
    that:
      - directory_manager_password | length > min_length | int - 1
      - directory_manager_password | length < max_length | int + 1
      - '"-" not in directory_manager_password '
      - '"\\" not in directory_manager_password '
      - '"\"" not in directory_manager_password '
      - " \"'\" not in directory_manager_password "
    success_msg: "{{ success_msg_directory_manager_password }}"
    fail_msg: "{{ fail_msg_directory_manager_password }}"
  when:
    - login_node_required
    - not ipa_server_ms

- name: Assert kerberos_admin_password
  assert:
    that:
      - kerberos_admin_password | length > min_length | int - 1
      - kerberos_admin_password | length < max_length | int + 1
      - '"-" not in kerberos_admin_password '
      - '"\\" not in kerberos_admin_password '
      - '"\"" not in kerberos_admin_password '
      - " \"'\" not in kerberos_admin_password "
    success_msg: "{{ success_msg_kerberos_admin_password }}"
    fail_msg: "{{ fail_msg_kerberos_admin_password }}"
  when:
    - login_node_required
    - not ipa_server_ms

- name: Encrypt input config file
  command: >-
    ansible-vault encrypt {{ role_path }}/../../{{ config_filename }}
    --vault-password-file {{ role_path }}/../../{{ config_vaultname }}
  changed_when: false

- name: Fetch security inputs
  include_tasks: fetch_security_inputs.yml
  when: 
    - login_node_required
    - enable_secure_login_node