# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---

- name: Include provision_idrac vars
  include_vars: "{{ playbook_dir }}/../roles/provision_idrac/vars/main.yml"
  run_once: true

- name: Include control_plane_common vars
  include_vars: "{{ playbook_dir }}/../roles/control_plane_common/vars/main.yml"
  run_once: true

- name: Include idrac_vars.yml
  include_vars: "{{ playbook_dir }}/../{{ idrac_input_filename }}"
  run_once: true

- name: Set ldap_directory_services in lowercase
  set_fact:
    ldap_directory_services: "{{ ldap_directory_services | lower }}"

- name: Assert ldap_directory_services value
  assert:
    that:
      - ldap_directory_services | length > 1
      - ldap_directory_services == "enabled" or ldap_directory_services == "disabled"
    success_msg: "{{ ldap_success_msg }}"
    fail_msg: "{{ ldap_fail_msg }}"

- block:
    - name: Check idrac_tools_vars.yml file is encrypted
      command: cat "{{ playbook_dir }}/../{{ idrac_tools_vars_filename }}"
      changed_when: false
      run_once: true
      register: config_content
    
    - name: Decrpyt idrac_tools_vars.yml
      command: >-
        ansible-vault decrypt "{{ playbook_dir }}/../{{ idrac_tools_vars_filename }}"
        --vault-password-file "{{ playbook_dir }}/../{{ idrac_tools_vaultname }}"
      changed_when: false
      run_once: true
      when: "'$ANSIBLE_VAULT;' in config_content.stdout"
    
    - name: Include variable file idrac_tools_vars.yml
      include_vars: "{{ playbook_dir }}/../{{ idrac_tools_vars_filename }}"
      run_once: true
      no_log: true
    
    - name: Validate LDAP parameters are not empty
      fail:
        msg: "{{ ldap_input_fail_msg }}"
      when:
        - cert_validation_enable | length < 1 or
          ldap_server_address | length < 1 or
          ldap_port | length < 1 or
          base_dn | length < 1 or
          group_attribute_is_dn | length < 1 or
          role_group1_dn | length < 1 or
          role_group1_privilege | length < 1
    
    - name: Set ldap_directory_services in lowercase
      set_fact:
        cert_validation_enable: "{{ cert_validation_enable | lower }}"
        group_attribute_is_dn: "{{ group_attribute_is_dn | lower }}"
        base_dn: "{{ base_dn | lower }}"
        role_group1_dn: "{{ role_group1_dn | lower }}"
        bind_dn: "{{ bind_dn | lower }}"
        
         
    - name: Assert cert_validation_enable value
      assert:
        that: cert_validation_enable == "disabled"
        success_msg: "{{ cert_validation_success_msg }}"
        fail_msg: "{{ cert_validation_fail_msg }}"

    - name: Assert bind_dn value
      assert:
        that: 
          - '"dc=" in bind_dn'
          - '"ou="  in bind_dn'
        success_msg: "{{ bind_dn_success_msg }}"
        fail_msg: "{{ bind_dn_fail_msg }}"
      when: bind_dn | length > 1

    - name: Assert base_dn value
      assert:
        that: '"dc=" in base_dn'
        success_msg: "{{ base_dn_success_msg }}"
        fail_msg: "{{ base_dn_fail_msg }}"

    - name: Assert group_attribute_is_dn value
      assert:
        that: group_attribute_is_dn == "disabled" or group_attribute_is_dn == "enabled"
        success_msg: "{{ group_attribute_success_msg }}"
        fail_msg: "{{ group_attribute_fail_msg }}"

    - name: Assert role_group1_dn value
      assert:
        that:
          - '"dc=" in role_group1_dn'
          - '"ou="  in role_group1_dn'
        success_msg: "{{ role_group1_dn_success_msg }}"
        fail_msg: "{{ role_group1_dn_fail_msg }}"

    - name: Assert role_group1_privilege value
      assert:
        that: 
          - role_group1_privilege == "Administrator" or
            role_group1_privilege == "Operator"  or
            role_group1_privilege == "ReadOnly"
        success_msg: "{{ role_group1_privilege_success_msg }}"
        fail_msg: "{{ role_group1_privilege_fail_msg }}"
     
    - name: Set role_group1_privilege value
      set_fact:
        role_group1_privilege_id: "{{ item.value }}"
      when: item.name == role_group1_privilege
      with_items:
        - { name: "Administrator", value: "511" }
        - { name: "Operator", value: "499" }
        - { name: "ReadOnly", value: "1" }

    - name: Encrypt idrac_tools_vars.yml
      command: >-
        ansible-vault encrypt "{{ playbook_dir }}/../{{ idrac_tools_vars_filename }}"
        --vault-password-file "{{ playbook_dir }}/../{{ idrac_tools_vaultname }}"
      changed_when: false
      run_once: true
      when: "'$ANSIBLE_VAULT;' in config_content.stdout"
  when: ldap_directory_services == "enabled"