---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Check if octavia CA file exists on host
  become: true
  stat:
    path: "{{ octavia_confd_prefix }}/{{ ca_cert_path }}"
  register: ca_file_stat

- name: Get and store CA data
  block:
    - name: Get CA file if exists
      become: true
      slurp:
        src: "{{ octavia_confd_prefix }}/{{ ca_cert_path }}"
      register: ca_file_data
    - name: Store CA data
      set_fact:
        ca_cert: "{{ ca_file_data.content | b64decode }}"

    - name: Get remaining validity period of the CA
      shell: |
        now=$(date +%s)
        enddate=$(date +%s -d "$(openssl x509 -enddate -noout -in {{ octavia_confd_prefix }}/{{ ca_cert_path }} | cut -d= -f2)")
        echo $((enddate - now))
      register: validity_period

    - name: Force CA update if remaining validity is less than 1 year
      set_fact:
        force_certs_update: true
      when:
        - (validity_period.stdout| int) < 31622400  # 31622400 seconds == 366 days
  when:
    - ca_file_stat.stat.exists | bool

- name: Check if octavia CA private key exists on host
  become: true
  stat:
    path: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}"
  register: ca_key_file_stat

- name: Get and store CA private key
  block:
    - name: Get CA private key file if exists
      become: true
      slurp:
        src: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}"
      register: key_file_data
    - name: Store CA private key
      set_fact:
        ca_private_key: "{{ key_file_data.content | b64decode }}"

    - name: Detect if key is encrypted with AES256
      shell: grep -q 'AES-256-CBC' {{ octavia_confd_prefix }}/{{ ca_private_key_path }}
      failed_when: false
      register: ca_private_key_aes_256
    - name: Store flag if a private key update is required
      set_fact:
        force_private_key_update: true
        force_certs_update: true
      when:
        - ca_private_key_aes_256.rc != 0
  when:
    - ca_key_file_stat.stat.exists | bool

- name: Check if octavia client certificate exists on host
  become: true
  stat:
    path: "{{ octavia_confd_prefix }}/{{ client_cert_path }}"
  register: client_cert_file_stat

# TODO(gthiemon) Remove those tasks when we support per-controller and
# per-process client certificates for Octavia.
- name: Get and store client certificate
  block:
    - name: Get client certificate file if exists
      become: true
      slurp:
        src: "{{ octavia_confd_prefix }}/{{ client_cert_path }}"
      register: client_file_data
    - name: Store client certificate data
      set_fact:
        service_pem_content: "{{ client_file_data.content | b64decode }}"
  when:
    - client_cert_file_stat.stat.exists | bool