# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
---

- name: Check login_vars file is encrypted
  command: cat {{ login_vars_filename }}
  changed_when: false
  register: config_content
  no_log: true

- name: Decrpyt login_vars.yml
  command: >-
    ansible-vault decrypt {{ login_vars_filename }}
    --vault-password-file {{ vault_filename }}
  changed_when: false
  when: "'$ANSIBLE_VAULT;' in config_content.stdout"

- name: Include variable file login_vars.yml
  include_vars: "{{ login_vars_filename }}"
  no_log: true

- name: Validate input parameters are not empty
  fail:
    msg: "{{ login_input_config_failure_msg }}"
  register: input_config_check
  when:
    - provision_password | length < 1 or
      cobbler_password | length < 1 or      
      idrac_username | length < 1 or
      idrac_password | length < 1

- name: Assert provision credentials
  block:
    - name: Assert provision_password
      assert:
        that:
          - provision_password | length > min_length | int - 1
          - provision_password | length < max_length | int + 1
          - '"-" not in provision_password '
          - '"\\" not in provision_password '
          - '"\"" not in provision_password '
          - " \"'\" not in provision_password "
      no_log: true
  rescue:
    - name: Provision password validation check
      fail:
        msg: "{{ fail_msg_provision_password }}"

- name: Assert cobbler credentials
  block:
    - name: Assert cobbler_password
      assert:
        that:
          - cobbler_password | length > min_length | int - 1
          - cobbler_password | length < max_length | int + 1
          - '"-" not in cobbler_password '
          - '"\\" not in cobbler_password '
          - '"\"" not in cobbler_password '
          - " \"'\" not in cobbler_password "
      no_log: true
  rescue:
    - name: Cobbler password validation check
      fail:
        msg: "{{ fail_msg_cobbler_password }}"

- name: Assert idrac credentials
  block:
    - name: Assert idrac_username and idrac_password
      assert:
        that:
          - idrac_username | length >= min_username_length
          - idrac_username | length < max_length
          - '"-" not in idrac_username '
          - '"\\" not in idrac_username '
          - '"\"" not in idrac_username '
          - " \"'\" not in idrac_username "
          - idrac_password | length > min_username_length | int - 1
          - idrac_password | length < max_length | int + 1
          - '"-" not in idrac_password '
          - '"\\" not in idrac_password '
          - '"\"" not in idrac_password '
          - " \"'\" not in idrac_password "
      no_log: true
  rescue:
    - name: idrac credentials validation check
      fail:
        msg: "{{ fail_msg_idrac_credentials }}"

- name: Assert username and password for ethernet switches
  block:
    - name: Verify ethernet_switch_username and ethernet_switch_password are not empty
      assert:
        that:
          - ethernet_switch_username | length >= min_username_length
          - ethernet_switch_username | length < max_length
          - '"-" not in ethernet_switch_username '
          - '"\\" not in ethernet_switch_username '
          - '"\"" not in ethernet_switch_username '
          - " \"'\" not in ethernet_switch_username "
          - ethernet_switch_password | length > min_username_length | int - 1
          - ethernet_switch_password | length < max_length | int + 1
          - '"-" not in ethernet_switch_password '
          - '"\\" not in ethernet_switch_password '
          - '"\"" not in ethernet_switch_password '
          - " \"'\" not in ethernet_switch_password "
      no_log: true
  rescue:
    - name: ethernet switch credentials validation check
      fail:
        msg: "{{ fail_msg_ethernet_credentials }}"
  when: ethernet_switch_support

- name: Assert username and password for IB switches
  block:
    - name: Assert ib_username and ib_password
      assert:
        that:
          - ib_username | length >= min_username_length
          - ib_username | length < max_length
          - '"-" not in ib_username '
          - '"\\" not in ib_username '
          - '"\"" not in ib_username '
          - " \"'\" not in ib_username "
          - ib_password | length > min_username_length | int - 1
          - ib_password | length < max_length | int + 1
          - '"-" not in ib_password '
          - '"\\" not in ib_password '
          - '"\"" not in ib_password '
          - " \"'\" not in ib_password "
      no_log: true
  rescue:
    - name: IB switch credentials validation check
      fail:
        msg: "{{ fail_msg_ib_credentials }}"
  when: ib_switch_support

- name: Assert username and password for powervault me4
  block:
    - name: Assert powervault_me4_username and powervault_me4_password
      assert:
        that:
          - powervault_me4_username | length >= min_username_length
          - powervault_me4_username | length < max_length
          - '"-" not in powervault_me4_username '
          - '"\\" not in powervault_me4_username '
          - '"\"" not in powervault_me4_username '
          - " \"'\" not in powervault_me4_username "
          - powervault_me4_password | length > min_length | int - 1
          - powervault_me4_password | length < max_length | int + 1
          - '"-" not in powervault_me4_password '
          - '"," not in powervault_me4_password '
          - '"." not in powervault_me4_password '
          - '"<" not in powervault_me4_password '
          - '"\\" not in powervault_me4_password '
          - '"\"" not in powervault_me4_password '
          - " \"'\" not in powervault_me4_password "
          - powervault_me4_password | regex_search('^(?=.*[a-z]).+$')
          - powervault_me4_password | regex_search('^(?=.*[A-Z]).+$')
          - powervault_me4_password | regex_search('^(?=.*\\d).+$')
          - powervault_me4_password | regex_search('^(?=.*[!#$%&()*+/:;=>?@^_`{} ~]).+$')
      no_log: true
  rescue:
    - name: Powervault me4 credentials validation check
      fail:
        msg: "{{ fail_msg_me4_credentials }}"
  when: powervault_support

- name: Create ansible vault key
  set_fact:
    vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Save vault key
  copy:
    dest: "{{ vault_filename }}"
    content: |
      {{ vault_key }}
    owner: root
    force: yes
    mode: "{{ vault_file_perm }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Encrypt input config file
  command: >-
    ansible-vault encrypt {{ login_vars_filename }}
    --vault-password-file {{ vault_filename }}
  changed_when: false

- name: Update login_vars.yml permission
  file:
    path: "{{ login_vars_filename }}"
    mode: "{{ file_perm }}"