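---
# Copyright 2019 Nokia
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Access Manager (AM) task list: lays down the AM directories, logs and
# configuration files, creates the AM Keystone project/user/role bindings,
# hardens Keystone's [security_compliance] section, then switches the YARF
# REST API to the AM authentication backend and restarts the affected
# services.
#
# Notes on the form used here:
#   - `mode` values are quoted strings so the YAML parser cannot turn the
#     octal literal into a decimal integer.
#   - Tasks whose module arguments carry Keystone credentials set
#     `no_log: true` so the passwords never reach the Ansible log/callback
#     output (the failure message of a retried task is suppressed as well).
#   - `is succeeded` replaces the removed `| success` filter form.
#   - Templated values on the `command` line are passed through `quote` so
#     a value containing whitespace is handed to the CLI as one argument.

- name: Ensures AM Configuration dir exists
  file:
    dest: "{{ am_server_config_dir }}"
    state: directory

- name: Ensures AM temp dir exists
  file:
    dest: "{{ am_server_temp_dir }}"
    state: directory
  tags:
    - am_dbfiller
    - am_rc

- name: Ensures AM values dir exists
  file:
    dest: "{{ am_server_values_dir }}"
    state: directory
  tags:
    - am_dbfiller

# Log files are created empty and owner-only (0600) before the services
# start writing to them, so they never exist world-readable.
- name: AM backend log file creation and rights set
  file:
    path: "{{ am_config.Logging.logdir }}/am.log"
    owner: access-manager
    group: access-manager
    mode: "0600"
    state: touch

- name: Patch log file creation and rights set
  file:
    path: "{{ am_config.Logging.logdir }}/keystone_users_patch.log"
    owner: access-manager
    group: access-manager
    mode: "0600"
    state: touch

# Rendered configuration files are readable only by the service account
# that consumes them (0400).
- name: Create AM Plugin Config
  template:
    src: am.plugin.conf.j2
    dest: "{{ am_plugin_config_path }}"
    owner: restapi
    group: restapi
    mode: "0400"

- name: Create AM Backend Config
  template:
    src: am.backend.conf.j2
    dest: "{{ am_backend_config_path }}"
    owner: access-manager
    group: access-manager
    mode: "0400"

- name: Ensure project for um_admin exists
  run_once: true
  # Module args include the Keystone admin password.
  no_log: true
  keystone:
    command: ensure_project
    project_name: "{{ am_project_name }}"
    domain_name: "{{ am_project_domain }}"
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    endpoint: "{{ keystone_service_adminurl }}"
    insecure: "{{ keystone_service_adminuri_insecure }}"

- name: Ensure um_admin user
  run_once: true
  # Module args include both the admin login password and the new user's
  # password.
  no_log: true
  keystone:
    command: "ensure_user"
    endpoint: "{{ keystone_service_adminurl }}"
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    user_name: "{{ infrastructure_admin_user_name }}"
    tenant_name: "{{ am_project_name }}"
    password: "{{ infrastructure_admin_password }}"
    insecure: "{{ keystone_service_adminuri_insecure }}"
  register: um_admin_uuid
  until: um_admin_uuid is succeeded
  retries: 5
  delay: 10

- name: Ensure UM admin user added to admin role
  run_once: true
  no_log: true
  keystone:
    command: "ensure_user_role"
    endpoint: "{{ keystone_service_adminurl }}"
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    user_name: "{{ infrastructure_admin_user_name }}"
    tenant_name: "{{ am_project_name }}"
    role_name: "{{ am_admin_role_name }}"
    insecure: "{{ keystone_service_adminuri_insecure }}"
  register: add_service
  until: add_service is succeeded
  retries: 5
  delay: 10

- name: Ensure keystone admin user added to member role
  run_once: true
  no_log: true
  keystone:
    command: "ensure_user_role"
    endpoint: "{{ keystone_service_adminurl }}"
    login_user: "{{ keystone_admin_user_name }}"
    login_password: "{{ keystone_auth_admin_password }}"
    login_project_name: "{{ keystone_admin_tenant_name }}"
    user_name: "{{ keystone_admin_user_name }}"
    tenant_name: "{{ am_project_name }}"
    role_name: "{{ am_member_role_name }}"
    insecure: "{{ keystone_service_adminuri_insecure }}"
  register: add_service
  until: add_service is succeeded
  retries: 5
  delay: 10

- name: Set default project for keystone admin user
  run_once: true
  # `command` splits its line into arguments with shlex; `quote` keeps each
  # templated value a single argument even if it contains whitespace or
  # shell-special characters.
  command: >-
    openstack user set {{ keystone_admin_user_name | quote }}
    --project {{ am_project_name | quote }} --os-cloud default

# Keystone password/lockout policy. Lockout thresholds come from host_os
# when defined; the defaults below (5 attempts, 300 s) apply otherwise.
# All values are written as strings, "True" included, because ini_file
# stores text and an unquoted True would be parsed as a YAML boolean.
- name: Add the security_compliance section to keystone.conf
  ini_file:
    path: /etc/keystone/keystone.conf
    section: security_compliance
    option: "{{ item.option }}"
    value: "{{ item.value }}"
  with_items:
    - option: "lockout_failure_attempts"
      value: "{{ host_os.failed_login_attempts | default(5) }}"
    - option: "lockout_duration"
      value: "{{ host_os.lockout_time | default(300) }}"
    - option: "change_password_upon_first_use"
      value: "True"
    - option: "password_expires_days"
      value: "90"
    - option: "unique_last_password_count"
      value: "12"
    - option: "minimum_password_age"
      value: "0"
    # Double-quoted: "\\!" yields a single backslash in the written regex.
    - option: "password_regex"
      value: "^(?=.*?[A-Z])(?=.*?[0-9])(?=.*?[][.,:;/(){}<>~\\!?@#$%^&*_=+-])[][a-zA-Z0-9.,:;/(){}<>~\\!?@#$%^&*_=+-]{8,255}$"
    - option: "password_regex_description"
      value: "The password must have a minimum length of 8 characters (maximum is 255 characters). The allowed characters are lower case letters (a-z), upper case letters (A-Z), digits (0-9), and special characters (.,:;/(){}<>~\\!?@#$%^&*_=+-). The password must contain at least one upper case letter, one digit and one special character."

- name: Restart Keystone WSGI services
  service:
    name: "{{ item }}"
    enabled: true
    state: "restarted"
    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
  register: _start1
  until: _start1 is succeeded
  retries: 5
  delay: 3
  with_items:
    - keystone-wsgi-public
    - keystone-wsgi-admin

- name: Wait for Keystone WSGI services to restart
  wait_for:
    port: "{{ item }}"
    host: "{{ extra_hosts_entries.haproxyvip }}"
    timeout: 25
    delay: 10
  with_items:
    - "{{ keystone_service_port }}"
    - "{{ keystone_admin_port }}"
  register: _wait_check1
  until: _wait_check1 is succeeded
  retries: 5

# A fixed argument list with no redirection or pipes: `command` is enough,
# no shell needed.
- name: Wait for Keystone WSGI services to respond
  command: openstack user list --os-cloud default
  register: result
  until: result is succeeded
  delay: 2
  retries: 5

- name: Create OpenStack client configuration directory
  file:
    dest: "{{ openrc_openstack_client_config_dir_dest }}"
    owner: "{{ openrc_openstack_client_config_dir_owner }}"
    group: "{{ openrc_openstack_client_config_dir_group }}"
    state: directory

# Point YARF at the AM authentication backend (replaces any existing
# auth_method line).
- name: Change authorization in YARF config
  lineinfile:
    path: "/etc/yarf/config.ini"
    regexp: "auth_method=.*"
    line: "auth_method=access_management.backend.am_auth.AMAuth"

- name: Restart YARF service
  service:
    name: restapi
    enabled: true
    state: "restarted"
    daemon_reload: "{{ (ansible_service_mgr == 'systemd') | ternary('yes', omit) }}"
  register: _start2
  until: _start2 is succeeded
  retries: 5
  delay: 3

- name: Wait for YARF service to restart
  wait_for:
    port: "{{ restful_service_port }}"
    host: "{{ extra_hosts_entries.haproxyvip }}"
    timeout: 25
    delay: 10
  register: _wait_check2
  until: _wait_check2 is succeeded
  retries: 5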