# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
---

- name: Check login_vars file is encrypted
  command: cat {{ login_vars_filename }}
  changed_when: false
  register: config_content
  no_log: true
  tags: init

- name: Decrpyt login_vars.yml
  command: >-
    ansible-vault decrypt {{ login_vars_filename }}
    --vault-password-file {{ vault_filename }}
  changed_when: false
  when: "'$ANSIBLE_VAULT;' in config_content.stdout"
  tags: init

- name: Include variable file login_vars.yml
  include_vars: "{{ login_vars_filename }}"
  no_log: true
  tags: init

- name: Validate input parameters are not empty
  fail:
    msg: "{{ login_input_config_failure_msg }}"
  register: input_config_check
  when:
    - provision_password | length < 1 or
      cobbler_password | length < 1
  tags: [ validate, pxe, idrac ]

- name: Validate security parameters when enable_security_support is set to true
  fail:
    msg: "{{ login_input_config_failure_msg }} for ipa server installation"
  tags: [ validate, security ]
  when:
    - ( ms_directory_manager_password | length < 1 or
      ms_kerberos_admin_password | length < 1 ) and
      enable_security_support

- name: Assert provision credentials
  block:
    - name: Assert provision_password
      assert:
        that:
          - provision_password | length > min_length | int - 1
          - provision_password | length < max_length | int + 1
          - '"-" not in provision_password '
          - '"\\" not in provision_password '
          - '"\"" not in provision_password '
          - " \"'\" not in provision_password "
      no_log: true
  rescue:
    - name: Provision password validation check
      fail:
        msg: "{{ fail_msg_provision_password }}"
  tags: [ validate, pxe, idrac ]

- name: Assert cobbler credentials
  block:
    - name: Assert cobbler_password
      assert:
        that:
          - cobbler_password | length > min_length | int - 1
          - cobbler_password | length < max_length | int + 1
          - '"-" not in cobbler_password '
          - '"\\" not in cobbler_password '
          - '"\"" not in cobbler_password '
          - " \"'\" not in cobbler_password "
      no_log: true
  rescue:
    - name: Cobbler password validation check
      fail:
        msg: "{{ fail_msg_cobbler_password }}"
  tags: [ validate, pxe ]

- name: Assert idrac credentials
  block:
    - name: Assert idrac_username and idrac_password
      assert:
        that:
          - idrac_username | length >= min_username_length
          - idrac_username | length < max_length
          - '"-" not in idrac_username '
          - '"\\" not in idrac_username '
          - '"\"" not in idrac_username '
          - " \"'\" not in idrac_username "
          - idrac_password | length > min_username_length | int - 1
          - idrac_password | length < max_length | int + 1
          - '"-" not in idrac_password '
          - '"\\" not in idrac_password '
          - '"\"" not in idrac_password '
          - " \"'\" not in idrac_password "
      no_log: true
  rescue:
    - name: idrac credentials validation check
      fail:
        msg: "{{ fail_msg_idrac_credentials }}"
  when: device_support_status
  tags: [ validate, idrac ]

- name: Assert grafana credentials
  block:
    - name: Assert grafana_username and grafana_username
      assert:
        that:
          - grafana_username | length >= min_length_grafana
          - grafana_username | length <= max_length
          - '"-" not in grafana_username '
          - '"\\" not in grafana_username '
          - '"\"" not in grafana_username '
          - " \"'\" not in grafana_username "
          - grafana_password | length >= min_length_grafana
          - grafana_password | length <= max_length
          - not grafana_password == 'admin'
          - '"-" not in grafana_password '
          - '"\\" not in grafana_password '
          - '"\"" not in grafana_password '
          - " \"'\" not in grafana_password "
      no_log: true
  rescue:
    - name: grafana credentials validation check
      fail:
        msg: "{{ fail_msg_grafana_credentials }}"
  tags: [ validate, monitoring ]

- name: Assert username and password for ethernet switches
  block:
    - name: Verify ethernet_switch_username and ethernet_switch_password are not empty
      assert:
        that:
          - ethernet_switch_username | length >= min_username_length
          - ethernet_switch_username | length < max_length
          - '"-" not in ethernet_switch_username '
          - '"\\" not in ethernet_switch_username '
          - '"\"" not in ethernet_switch_username '
          - " \"'\" not in ethernet_switch_username "
          - ethernet_switch_password | length > min_username_length | int - 1
          - ethernet_switch_password | length < max_length | int + 1
          - '"-" not in ethernet_switch_password '
          - '"\\" not in ethernet_switch_password '
          - '"\"" not in ethernet_switch_password '
          - " \"'\" not in ethernet_switch_password "
      no_log: true
  rescue:
    - name: ethernet switch credentials validation check
      fail:
        msg: "{{ fail_msg_ethernet_credentials }}"
  when:
    - device_support_status
    - ethernet_switch_support
  tags: [ validate, network-device ]

- name: Assert username and password for IB switches
  block:
    - name: Assert ib_username and ib_password
      assert:
        that:
          - ib_username | length >= min_username_length
          - ib_username | length < max_length
          - '"-" not in ib_username '
          - '"\\" not in ib_username '
          - '"\"" not in ib_username '
          - " \"'\" not in ib_username "
          - ib_password | length > min_username_length | int - 1
          - ib_password | length < max_length | int + 1
          - '"-" not in ib_password '
          - '"\\" not in ib_password '
          - '"\"" not in ib_password '
          - " \"'\" not in ib_password "
      no_log: true
  rescue:
    - name: IB switch credentials validation check
      fail:
        msg: "{{ fail_msg_ib_credentials }}"
  when:
    - device_support_status
    - ib_switch_support
  tags: [ validate, network-ib ]

- name: Assert username and password for powervault me4
  block:
    - name: Assert powervault_me4_username and powervault_me4_password
      assert:
        that:
          - powervault_me4_username | length >= min_username_length
          - powervault_me4_username | length < max_length
          - '"-" not in powervault_me4_username '
          - '"\\" not in powervault_me4_username '
          - '"\"" not in powervault_me4_username '
          - " \"'\" not in powervault_me4_username "
          - powervault_me4_password | length > min_length | int - 1
          - powervault_me4_password | length < max_length | int + 1
          - '"-" not in powervault_me4_password '
          - '"," not in powervault_me4_password '
          - '"." not in powervault_me4_password '
          - '"<" not in powervault_me4_password '
          - '"\\" not in powervault_me4_password '
          - '"\"" not in powervault_me4_password '
          - " \"'\" not in powervault_me4_password "
          - powervault_me4_password | regex_search('^(?=.*[a-z]).+$')
          - powervault_me4_password | regex_search('^(?=.*[A-Z]).+$')
          - powervault_me4_password | regex_search('^(?=.*\\d).+$')
          - powervault_me4_password | regex_search('^(?=.*[!#$%&()*+/:;=>?@^_`{} ~]).+$')
      no_log: true
  rescue:
    - name: Powervault me4 credentials validation check
      fail:
        msg: "{{ fail_msg_me4_credentials }}"
  when:
    - device_support_status
    - powervault_support
  tags: [ validate, network-device ]

- name: Assert ms_directory_manager_password
  assert:
    that:
      - ms_directory_manager_password | length > min_length | int - 1
      - ms_directory_manager_password | length < max_length | int + 1
      - '"-" not in ms_directory_manager_password '
      - '"\\" not in ms_directory_manager_password '
      - '"\"" not in ms_directory_manager_password '
      - " \"'\" not in ms_directory_manager_password "
    success_msg: "{{ success_msg_dir_manager_password }}"
    fail_msg: "{{ fail_msg_dir_manager_password }}"
  when: enable_security_support
  tags: [ validate, security ]

- name: Assert ms_kerberos_admin_password
  assert:
    that:
      - ms_kerberos_admin_password | length > min_length | int - 1
      - ms_kerberos_admin_password | length < max_length | int + 1
      - '"-" not in ms_kerberos_admin_password '
      - '"\\" not in ms_kerberos_admin_password '
      - '"\"" not in ms_kerberos_admin_password '
      - " \"'\" not in ms_kerberos_admin_password "
    success_msg: "{{ success_msg_ipa_admin_pwd }}"
    fail_msg: "{{ fail_msg_ipa_admin_pwd }}"
  when: enable_security_support
  tags: [ validate, security ]

- name: Create ansible vault key
  set_fact:
    vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"
  tags: init

- name: Save vault key
  copy:
    dest: "{{ vault_filename }}"
    content: |
      {{ vault_key }}
    owner: root
    force: yes
    mode: "{{ vault_file_perm }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"
  tags: init

- name: Encrypt input config file
  command: >-
    ansible-vault encrypt {{ login_vars_filename }}
    --vault-password-file {{ vault_filename }}
  changed_when: false
  tags: init

- name: Update login_vars.yml permission
  file:
    path: "{{ login_vars_filename }}"
    mode: "{{ file_perm }}"
  tags: init