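---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# This task list adds the permissions, privilege and IPA role needed to do
# the things that tripleo wants to do in FreeIPA to add hosts and services.
# It carries no play header (no `hosts:`), so it is meant to be included
# from a playbook. The operations in this file likely need admin privileges
# and should be executed on an IPA client.
#
# What is created, in order:
#   1. four custom permissions (novajoin_perms), each a "write" right on a
#      single attribute of the host or service object type;
#   2. the privilege "Nova Host Management", which is then made a member of
#      the permissions listed in novajoin_privilege_perms (custom ones plus
#      FreeIPA's built-in "System: ..." permissions);
#   3. the role "Nova Host Manager", which carries that privilege.
#
# The role is not assigned to any user, host or group in this file. Whoever
# is later given it can write host passwords and certificates, add, update
# and remove DNS entries, and retrieve and revoke certificates from the CA,
# so review the permission list before assigning the role.
#
- name: set keytab permissions facts
  set_fact:
    # Custom permissions to create. Each grants write access to exactly one
    # attribute of one object type; the names are referenced again below.
    novajoin_perms:
      - name: 'Modify host password'
        right: "write"
        type: "host"
        attrs: ["userpassword"]
      - name: 'Write host certificate'
        right: "write"
        type: "host"
        attrs: ["usercertificate"]
      - name: 'Modify host userclass'
        right: "write"
        type: "host"
        attrs: ["userclass"]
      - name: 'Modify service managedBy attribute'
        right: "write"
        type: "service"
        attrs: ["managedby"]
    # Permissions attached to the "Nova Host Management" privilege.
    # NOTE(review): 'Write host certificate' is created above but does not
    # appear in this list — confirm whether that omission is intended.
    novajoin_privilege_perms:
      - 'System: add hosts'
      - 'System: remove hosts'
      - 'Modify host password'
      - 'Modify host userclass'
      - 'System: Modify hosts'
      - 'Modify service managedBy attribute'
      - 'System: Add krbPrincipalName to a Host'
      - 'System: Add Services'
      - 'System: Remove Services'
      - 'Revoke certificate'
      - 'System: manage host keytab'
      - 'System: Manage host certificates'
      - 'System: modify services'
      - 'System: manage service keytab'
      - 'System: read dns entries'
      - 'System: remove dns entries'
      - 'System: add dns entries'
      - 'System: update dns entries'
      - 'System: Modify Realm Domains'
      - 'Retrieve Certificates from the CA'

# One ipapermission call per entry of novajoin_perms.
- name: add nova host management permissions
  ipapermission:
    name: "{{ item.name }}"
    right: "{{ item.right }}"
    object_type: "{{ item.type }}"
    attrs: "{{ item.attrs }}"
  # novajoin_perms is already a flat list of mappings, so flatten(levels=1)
  # is a no-op here; it only mirrors the with_items loop semantics.
  loop: "{{ novajoin_perms|flatten(levels=1) }}"

- name: add Nova Host privilege
  ipaprivilege:
    name: Nova Host Management
    description: Nova Host Management

# Attach every permission in novajoin_privilege_perms to the privilege.
- name: add permissions to the Nova Host privilege
  ipaprivilege:
    name: Nova Host Management
    action: member
    permission: "{{ item }}"
  register: add_perm_command
  # A permission that is already a member is not treated as a failure; any
  # other failure reported by the module still fails the task. Both
  # conditions must hold for the task to fail, so .msg is only consulted
  # when the module actually failed.
  failed_when:
    - add_perm_command.failed
    - '"This entry is already a member" not in add_perm_command.msg'
  loop: "{{ novajoin_privilege_perms }}"

# The role bundles the privilege; assignment of the role to principals is
# done elsewhere.
- name: add Nova Host Manager role
  iparole:
    name: Nova Host Manager
    description: Nova Host Manager
    privilege:
      - Nova Host Management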