---
#
# Copyright (c) 2021 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
#   These tasks update docker registry credentials, keystone passwords in keystone
#   database, secure hieradata, relevant service config files as well as service
#   passwords in keyring.
#

- name: Update docker registry credentials
  command: "update_docker_registry_auth.sh 'sysinv' '{{ users['sysinv'] }}'"

- name: Get current time before update password
  # TODO(yuxing) The 'openstack user set' may fail to update password in
  # keystone database. Further, if we move it in a shell script and invoke the
  # script remotely, the ansible will fail to access the remote keystone
  # endpoint for authentication. Need to remove this workaround if we can
  # address either of these two problems.
  shell: START_TIME=$(date +%s); echo $START_TIME
  register: current_time_result

- name: Update keystone passwords
  # There's special characters in password, wrap the passwords with single quotes
  shell: >-
    source /etc/platform/openrc;
    openstack user set {{ item.name }} --password $'{{ item.password }}';
    {{ validate_keystone_passwords_script }} {{ item.name }} {{ current_time_result.stdout }}
  with_items:
    - { name: 'sysinv', password: "{{ users['sysinv'] }}" }
    - { name: 'patching', password: "{{ users['patching'] }}" }
    - { name: 'smapi', password: "{{ users['smapi'] }}" }
    - { name: 'mtce', password: "{{ users['mtce'] }}" }
    - { name: 'dcmanager', password: "{{ users['dcmanager'] }}" }
    - { name: 'barbican', password: "{{ users['barbican'] }}" }
  register: migrate_keystone_password_result
  until: migrate_keystone_password_result.rc == 0
  retries: 3
  delay: 20
  no_log: true

- name: Update services' passwords in hieradata
  lineinfile:
    path: "/opt/platform/puppet/{{ software_version }}/hieradata/secure_static.yaml"
    regexp: "{{ item.From }}"
    line: "{{ item.To }}"
  with_items:
    - { From: "^dcmanager::api::keystone_password",
        To: "dcmanager::api::keystone_password: !!python/unicode '{{ users['dcmanager'] }}'" }
    - { From: "^dcmanager::keystone::auth::password",
        To: "dcmanager::keystone::auth::password: !!python/unicode '{{ users['dcmanager'] }}'" }
    - { From: "^dcorch::api_proxy::dcmanager_keystone_password",
        To: "dcorch::api_proxy::dcmanager_keystone_password: !!python/unicode '{{ users['dcmanager'] }}'" }
    - { From: "^patching::api::keystone_password",
        To: "patching::api::keystone_password: !!python/unicode '{{ users['patching'] }}'" }
    - { From: "^patching::keystone::auth::password",
        To: "patching::keystone::auth::password: !!python/unicode '{{ users['patching'] }}'" }
    - { From: "^patching::keystone::authtoken::password",
        To: "patching::keystone::authtoken::password: !!python/unicode '{{ users['patching'] }}'" }
    - { From: "^platform::mtce::params::auth_pw",
        To: "platform::mtce::params::auth_pw: !!python/unicode '{{ users['mtce'] }}'" }
    - { From: "^platform::smapi::params::keystone_password",
        To: "platform::smapi::params::keystone_password: !!python/unicode '{{ users['smapi'] }}'" }
    - { From: "^smapi::auth::auth_password",
        To: "smapi::auth::auth_password: !!python/unicode '{{ users['smapi'] }}'" }
    - { From: "^smapi::keystone::auth::password",
        To: "smapi::keystone::auth::password: !!python/unicode '{{ users['smapi'] }}'" }
    - { From: "^smapi::keystone::authtoken::password",
        To: "smapi::keystone::authtoken::password: !!python/unicode '{{ users['smapi'] }}'" }
    - { From: "^sysinv::api::keystone_password",
        To: "sysinv::api::keystone_password: !!python/unicode '{{ users['sysinv'] }}'" }
    - { From: "^sysinv::certmon::local_keystone_password",
        To: "sysinv::certmon::local_keystone_password: !!python/unicode '{{ users['sysinv'] }}'" }
    - { From: "^sysinv::keystone::auth::password",
        To: "sysinv::keystone::auth::password: !!python/unicode '{{ users['sysinv'] }}'" }
    - { From: "^barbican::keystone::auth::password",
        To: "barbican::keystone::auth::password: !!python/unicode '{{ users['barbican'] }}'" }
    - { From: "^barbican::keystone::authtoken::password",
        To: "barbican::keystone::authtoken::password: !!python/unicode '{{ users['barbican'] }}'" }
  no_log: true

- name: Store service passwords in keyring
  vars:
    script_content: |
      import keyring
      import os
      os.environ['XDG_DATA_HOME'] = "/opt/platform/.keyring/{{ software_version }}"
      keyring.set_password("{{ item.username }}", "services", "{{ item.password }}")
      del os.environ['XDG_DATA_HOME']
  shell: "{{ script_content }}"
  with_items:
    - { username: 'sysinv', password: "{{ users['sysinv'] }}" }
    - { username: 'patching', password: "{{ users['patching'] }}" }
    - { username: 'mtce', password: "{{ users['mtce'] }}" }
    - { username: 'smapi', password: "{{ users['smapi'] }}" }
    - { username: 'dcmanager', password: "{{ users['dcmanager'] }}" }
    - { username: 'barbican', password: "{{ users['barbican'] }}" }
  args:
    executable: /usr/bin/python
  no_log: true