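---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# This playbook adds the privileges and IPA role needed to do the things that
# tripleo wants to do in FreeIPA to add hosts and services. The operations in
# this playbook likely need admin privileges and should be executed on an
# IPA client.
#
# This is a task list (no play header); every task runs the `ipa` CLI on the
# target, except the last one, which uses the ipa_role module.

- name: set keytab permissions facts
  set_fact:
    # Custom permissions that FreeIPA does not ship with; created further down.
    novajoin_perms:
      - name: 'Modify host password'
        right: 'write'
        type: 'host'
        attrs: 'userpassword'
      - name: 'Write host certificate'
        right: 'write'
        type: 'host'
        attrs: 'usercertificate'
      - name: 'Modify host userclass'
        right: 'write'
        type: 'host'
        attrs: 'userclass'
      - name: 'Modify service managedBy attribute'
        right: 'write'
        type: 'service'
        attrs: 'managedby'
    # Permissions (built-in ones plus the custom ones above) that are granted
    # to the "Nova Host Management" privilege.
    novajoin_privilege_perms:
      - 'System: add hosts'
      - 'System: remove hosts'
      - 'Modify host password'
      - 'Modify host userclass'
      - 'System: Modify hosts'
      - 'Modify service managedBy attribute'
      - 'System: Add krbPrincipalName to a Host'
      - 'System: Add Services'
      - 'System: Remove Services'
      - 'Revoke certificate'
      - 'System: manage host keytab'
      - 'System: Manage host certificates'
      - 'System: modify services'
      - 'System: manage service keytab'
      - 'System: read dns entries'
      - 'System: remove dns entries'
      - 'System: add dns entries'
      - 'System: update dns entries'
      - 'System: Modify Realm Domains'
      - 'Retrieve Certificates from the CA'

# unfortunately we don't have ansible module yet to create perms
- name: add nova host management permissions
  # permission-show is an exact-name lookup; permission-find is a substring
  # search and can report a match for an unrelated permission.
  # Templated values are shell-quoted so a name containing shell
  # metacharacters cannot change the command that is run.
  # The sentinel line is only printed when permission-add succeeded, and it
  # is what changed_when keys on, so an existing permission is not reported
  # as a change. A failing permission-add still fails the task because the
  # `&&` list is the last command in the if block.
  shell: |
    if ! ipa permission-show {{ item.name | quote }}; then
      ipa permission-add {{ item.name | quote }} \
        --right {{ item.right | quote }} \
        --type {{ item.type | quote }} \
        --attrs {{ item.attrs | quote }} \
        && echo "NOVAJOIN_PERMISSION_ADDED"
    fi
  register: add_perm_result
  changed_when: "'NOVAJOIN_PERMISSION_ADDED' in add_perm_result.stdout"
  loop: "{{ novajoin_perms | flatten(levels=1) }}"

# unfortunately we don't have ansible module yet to create privileges
- name: add Nova Host privilege
  # Same pattern as above: exact lookup, create only when missing, and
  # report "changed" only when privilege-add actually ran and succeeded.
  shell: |
    if ! ipa privilege-show 'Nova Host Management'; then
      ipa privilege-add --desc='Nova Host Management' 'Nova Host Management' \
        && echo "NOVAJOIN_PRIVILEGE_ADDED"
    fi
  register: add_priv_result
  changed_when: "'NOVAJOIN_PRIVILEGE_ADDED' in add_priv_result.stdout"

- name: add permissions to the Nova Host privilege
  shell: |
    ipa privilege-add-permission 'Nova Host Management' \
      --permission {{ item | quote }}
  register: add_perm_command
  # A non-zero rc is a failure only when the permission is not already a
  # member of the privilege; both conditions must hold for the task to fail.
  failed_when:
    - add_perm_command.rc != 0
    - '"This entry is already a member" not in add_perm_command.stdout'
  # rc 0 means the permission was added during this run; the
  # "already a member" case above exits non-zero and is left unchanged.
  changed_when: add_perm_command.rc == 0
  loop: "{{ novajoin_privilege_perms | flatten(levels=1) }}"

# The ipa_role module is idempotent on its own, so no shell wrapper is needed.
- name: add Nova Host Manager role
  ipa_role:
    name: Nova Host Manager
    description: Nova Host Manager
    privilege:
      - Nova Host Management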