---
#Security specific configuration done here

#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6

#-----------------------------Create Bootstrap User-----------------------------------
### START BLOCK elasticsearch keystore ###
- name: create the elasticsearch keystore
  block:
  - name: create the keystore if it doesn't exist yet
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore create
    args:
      creates: "{{ es_conf_dir }}/elasticsearch.keystore"
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"

  - name: Check if bootstrap password is set
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore list
    register: list_keystore
    changed_when: False
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"
    check_mode: no

  - name: Create Bootstrap password for elastic user
    become: yes
    shell: echo {{ es_api_basic_auth_password | quote }} | {{ es_home }}/bin/elasticsearch-keystore add -x 'bootstrap.password'
    when:
      - es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"
    no_log: true

  - name: Remove keystore entries
    become: yes
    command: >
     echo {{ es_api_basic_auth_password | quote }} | {{ es_home }}/bin/elasticsearch-keystore remove '{{ item.key }}'
    with_items: "{{ es_keystore_entries }}"
    when:
      - es_keystore_entries is defined and es_keystore_entries | length > 0
      - item.state is defined and item.state == 'absent'
      - item.key in list_keystore.stdout_lines
      - ('bootstrap.password' not in item.key)
    no_log: true

  - name: Reload keystore entries
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore list
    register: list_keystore
    changed_when: False
    environment:
      ES_PATH_CONF: "{{ es_conf_dir }}"
    check_mode: no

  - name: Add keystore entries
    become: yes
    shell: echo {{ item.value | quote }} | {{ es_home }}/bin/elasticsearch-keystore add -x -f {{ item.key }}
    with_items: "{{ es_keystore_entries }}"
    when:
      - es_keystore_entries is defined and es_keystore_entries | length > 0
      - item.state is undefined or item.state == 'present'
      - item.force|default(False) or ( not item.force|default(False) and item.key not in list_keystore.stdout_lines )
      - ('bootstrap.password' not in item.key)
    no_log: true


### END BLOCK elasticsearch keystore ###

#-----------------------------FILE BASED REALM----------------------------------------

- include: elasticsearch-security-file.yml
  when: (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined)

#-----------------------------ROLE MAPPING ----------------------------------------

#Copy Roles files
- name: Copy role_mapping.yml file for instance
  become: yes
  template: 
    src: security/role_mapping.yml.j2
    dest: "{{ es_conf_dir }}/role_mapping.yml"
    owner: root
    group: "{{ es_group }}"
    mode: "0660"
    force: yes
  when: es_role_mapping is defined