---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Drop Shibboleth Config
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ keystone_system_user_name }}"
    group: "{{ keystone_system_group_name }}"
    mode: "{{ item.mode|default('0644') }}"
  with_items:
    - { src: "shibboleth-attribute-map.xml.j2", dest: "/etc/shibboleth/attribute-map.xml" }
    - { src: "shibboleth2.xml.j2", dest: "/etc/shibboleth/shibboleth2.xml" }
  notify:
    - Restart Shibd
  tags:
    - keystone-config
    - keystone-federation-sp

- name: Generate the Shibboleth SP key-pair
  shell: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
  args:
    creates: "/etc/shibboleth/sp-cert.pem"
  when: inventory_hostname == groups['keystone_all'][0]
  notify:
    - Restart Apache
    - Restart Shibd
  tags:
    - keystone-config
    - keystone-federation-sp

- name: Store Shibboleth SP key-pair
  memcached:
    name: "{{ item.name }}"
    file_path: "{{ item.src }}"
    state: "present"
    server: "{{ memcached_servers }}"
    encrypt_string: "{{ memcached_encryption_key }}"
  with_items:
    - { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert" }
    - { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key" }
  register: memcache_keys
  until: memcache_keys|success
  retries: 5
  delay: 2
  when: inventory_hostname == groups['keystone_all'][0]
  tags:
    - keystone-config
    - keystone-federation-sp

- name: Distribute the Shibboleth SP key-pair
  memcached:
    name: "{{ item.name }}"
    file_path: "{{ item.src }}"
    state: "retrieve"
    file_mode: "{{ item.file_mode }}"
    dir_mode: "{{ item.dir_mode }}"
    server: "{{ memcached_servers }}"
    encrypt_string: "{{ memcached_encryption_key }}"
  with_items:
    - { src: "/etc/shibboleth/sp-cert.pem", name: "keystone_sp_cert", file_mode: "0640", dir_mode: "0750" }
    - { src: "/etc/shibboleth/sp-key.pem", name: "keystone_sp_key", file_mode: "0600", dir_mode: "0750" }
  register: memcache_keys
  until: memcache_keys|success
  retries: 5
  delay: 2
  when: inventory_hostname != groups['keystone_all'][0]
  notify:
    - Restart Apache
    - Restart Shibd
  tags:
    - keystone-config
    - keystone-federation-sp

- name: Set appropriate file ownership on the Shibboleth SP key-pair
  file:
    path: "{{ item }}"
    owner: "_shibd"
    group: "_shibd"
  with_items:
    - "/etc/shibboleth/sp-cert.pem"
    - "/etc/shibboleth/sp-key.pem"
  when: inventory_hostname != groups['keystone_all'][0]
  notify:
    - Restart Apache
    - Restart Shibd
  tags:
    - keystone-config
    - keystone-federation-sp