Dell-Omnia-Clusters-HPC-AI/control_plane/roles/control_plane_common/tasks/password_config.yml

# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
---

- name: Check login_vars file is encrypted
  command: cat {{ login_vars_filename }}
  changed_when: false
  register: config_content
  no_log: true

- name: Decrpyt login_vars.yml
  command: >-
    ansible-vault decrypt {{ login_vars_filename }}
    --vault-password-file {{ vault_filename }}
  changed_when: false
  when: "'$ANSIBLE_VAULT;' in config_content.stdout"

- name: Include variable file login_vars.yml
  include_vars: "{{ login_vars_filename }}"
  no_log: true

- name: Validate input parameters are not empty
  fail:
    msg: "{{ input_config_failure_msg }}"
  register: input_config_check
  when:
    - provision_password | length < 1 or
      cobbler_password | length < 1 or      
      idrac_username | length < 1 or
      idrac_password | length < 1

- name: Assert provision_password
  assert:
    that:
      - provision_password | length > min_length | int - 1
      - provision_password | length < max_length | int + 1
      - '"-" not in provision_password '
      - '"\\" not in provision_password '
      - '"\"" not in provision_password '
      - " \"'\" not in provision_password "
    success_msg: "{{ success_msg_provision_password }}"
    fail_msg: "{{ fail_msg_provision_password }}"
  register: provision_password_check

- name: Assert cobbler_password
  assert:
    that:
      - cobbler_password | length > min_length | int - 1
      - cobbler_password | length < max_length | int + 1
      - '"-" not in cobbler_password '
      - '"\\" not in cobbler_password '
      - '"\"" not in cobbler_password '
      - " \"'\" not in cobbler_password "
    success_msg: "{{ success_msg_cobbler_password }}"
    fail_msg: "{{ fail_msg_cobbler_password }}"
  register: cobbler_password_check

- name: Assert idrac_username
  assert:
    that:
      - idrac_username | length >= min_username_length
      - idrac_username | length < max_length
      - '"-" not in idrac_username '
      - '"\\" not in idrac_username '
      - '"\"" not in idrac_username '
      - " \"'\" not in idrac_username "
    success_msg: "{{ success_idrac_username }}"
    fail_msg: "{{ fail_idrac_username }}"

- name: Assert idrac_password
  assert:
    that:
      - idrac_password | length > min_username_length | int - 1
      - idrac_password | length < max_length | int + 1
      - '"-" not in idrac_password '
      - '"\\" not in idrac_password '
      - '"\"" not in idrac_password '
      - " \"'\" not in idrac_password "
    success_msg: "{{ success_msg_idrac_password }}"
    fail_msg: "{{ fail_msg_idrac_password }}"
  register: idrac_password_check

- name: Verify ethernet_switch_username and ethernet_switch_password are not empty
  assert:
    that:
      - ethernet_switch_username | length > 0
      - ethernet_switch_password | length > 0
    success_msg: "{{ ethernet_params_success_msg }}"
    fail_msg: "{{ ethernet_params_empty_fail_msg }}"
  when: ethernet_switch_support

- name: Assert ethernet_switch_username
  assert:
    that:
      - ethernet_switch_username | length >= min_username_length
      - ethernet_switch_username | length < max_length
      - '"-" not in ethernet_switch_username '
      - '"\\" not in ethernet_switch_username '
      - '"\"" not in ethernet_switch_username '
      - " \"'\" not in ethernet_switch_username "
    success_msg: "{{ success_ethernet_switch_username }}"
    fail_msg: "{{ fail_ethernet_switch_username }}"
  when: ethernet_switch_support

- name: Assert ethernet_switch_password
  assert:
    that:
      - ethernet_switch_password | length > min_username_length | int - 1
      - ethernet_switch_password | length < max_length | int + 1
      - '"-" not in ethernet_switch_password '
      - '"\\" not in ethernet_switch_password '
      - '"\"" not in ethernet_switch_password '
      - " \"'\" not in ethernet_switch_password "
    success_msg: "{{ success_msg_ethernet_switch_password }}"
    fail_msg: "{{ fail_msg_ethernet_switch_password }}"
  when: ethernet_switch_support

- name: Verify ib_username and ib_password are not empty
  assert:
    that:
      - ib_username | length > 0
      - ib_password | length > 0
    success_msg: "{{ ib_params_success_msg }}"
    fail_msg: "{{ ib_params_empty_fail_msg }}"
  when: ib_switch_support

- name: Assert ib_username
  assert:
    that:
      - ib_username | length >= min_username_length
      - ib_username | length < max_length
      - '"-" not in ib_username '
      - '"\\" not in ib_username '
      - '"\"" not in ib_username '
      - " \"'\" not in ib_username "
    success_msg: "{{ success_ib_username }}"
    fail_msg: "{{ fail_ib_username }}"
  when: ib_switch_support

- name: Assert ib_password
  assert:
    that:
      - ib_password | length > min_username_length | int - 1
      - ib_password | length < max_length | int + 1
      - '"-" not in ib_password '
      - '"\\" not in ib_password '
      - '"\"" not in ib_password '
      - " \"'\" not in ib_password "
    success_msg: "{{ success_msg_ib_password }}"
    fail_msg: "{{ fail_msg_ib_password }}"
  when: ib_switch_support

- name: Verify powervault_me4_username and powervault_me4_password are not empty
  assert:
    that:
      - powervault_me4_username | length > 0
      - powervault_me4_password | length > 0
    success_msg: "{{ pv_params_success_msg }}"
    fail_msg: "{{ pv_params_empty_fail_msg }}"
  when: powervault_support

- name: Assert powervault_me4_username
  assert:
    that:
      - powervault_me4_username | length >= min_username_length
      - powervault_me4_username | length < max_length
      - '"-" not in powervault_me4_username '
      - '"\\" not in powervault_me4_username '
      - '"\"" not in powervault_me4_username '
      - " \"'\" not in powervault_me4_username "
    success_msg: "{{ success_powervault_me4_username }}"
    fail_msg: "{{ fail_powervault_me4_username }}"
  when: powervault_support

- name: Assert powervault_me4_password
  assert:
    that:
      - powervault_me4_password | length > min_length | int - 1
      - powervault_me4_password | length < max_length | int + 1
      - '"-" not in powervault_me4_password '
      - '"," not in powervault_me4_password '
      - '"." not in powervault_me4_password '
      - '"<" not in powervault_me4_password '
      - '"\\" not in powervault_me4_password '
      - '"\"" not in powervault_me4_password '
      - " \"'\" not in powervault_me4_password "
      - powervault_me4_password | regex_search('^(?=.*[a-z]).+$')
      - powervault_me4_password | regex_search('^(?=.*[A-Z]).+$')
      - powervault_me4_password | regex_search('^(?=.*\\d).+$')
      - powervault_me4_password | regex_search('^(?=.*[!#$%&()*+/:;=>?@^_`{} ~]).+$')
    success_msg: "{{ success_msg_powervault_me4_password }}"
    fail_msg: "{{ fail_msg_powervault_me4_password }}"
  when: powervault_support

- name: Create ansible vault key
  set_fact:
    vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Save vault key
  copy:
    dest: "{{ vault_filename }}"
    content: |
      {{ vault_key }}
    owner: root
    force: yes
    mode: "{{ vault_file_perm }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Encrypt input config file
  command: >-
    ansible-vault encrypt {{ login_vars_filename }}
    --vault-password-file {{ vault_filename }}
  changed_when: false

- name: Update login_vars.yml permission
  file:
    path: "{{ login_vars_filename }}"
    mode: "{{ vault_file_perm }}"