---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

####################################################################
# WARNING: These are designed specifically for Ansible tests       #
# and should not be used as examples of how to write Ansible roles #
####################################################################

# Test matrix:
# * cryptography
# * DSA or ECC or ...
# * password protected private key or not

- name: Set up test combinations
  ansible.builtin.set_fact:
    all_tests: []
    backends: []
    key_types: []
    key_password:
      - passwd: nopasswd
      - passwd: passwd
        privatekey_passphrase: hunter2

- name: Add cryptography backend
  ansible.builtin.set_fact:
    backends: "{{ backends + [{'backend': 'cryptography'}] }}"

- name: Add RSA tests
  ansible.builtin.set_fact:
    key_types: "{{ key_types + [{'type': 'RSA', 'size': default_rsa_key_size}] }}"

- name: Add DSA + ECDSA tests
  ansible.builtin.set_fact:
    key_types: "{{ key_types + [{'type': 'DSA', 'size': 2048}, {'type': 'ECC', 'curve': 'secp256r1'}] }}"
  when:
    # FreeBSD 11 fails on secp256r1 keys
    - not ansible_facts.os_family == 'FreeBSD'

- name: Add Ed25519 + Ed448 tests
  ansible.builtin.set_fact:
    key_types: "{{ key_types + [{'type': 'Ed25519'}, {'type': 'Ed448'}] }}"
  when:
    # FreeBSD doesn't have support for Ed448/25519
    - not ansible_facts.os_family == 'FreeBSD'

- name: Create all test combinations
  ansible.builtin.set_fact:
    all_tests: "{{ [backends, key_types, key_password] | openssl_signatures_combiner }}"

- name: Generate private keys
  community.crypto.openssl_privatekey:
    path: '{{ remote_tmp_dir }}/{{ item.backend }}_privatekey_{{ item.type }}_{{ item.passwd }}.pem'
    type: '{{ item.type }}'
    curve: '{{ item.curve | default(omit) }}'
    size: '{{ item.size | default(omit) }}'
    passphrase: '{{ item.privatekey_passphrase | default(omit) }}'
    select_crypto_backend: cryptography
  loop: '{{ all_tests }}'

- name: Generate public keys
  community.crypto.openssl_publickey:
    path: '{{ remote_tmp_dir }}/{{ item.backend }}_publickey_{{ item.type }}_{{ item.passwd }}.pem'
    privatekey_path: '{{ remote_tmp_dir }}/{{ item.backend }}_privatekey_{{ item.type }}_{{ item.passwd }}.pem'
    privatekey_passphrase: '{{ item.privatekey_passphrase | default(omit) }}'
  loop: '{{ all_tests }}'

- name: Generate CSRs
  community.crypto.openssl_csr:
    path: '{{ remote_tmp_dir }}/{{ item.backend }}_{{ item.type }}_{{ item.passwd }}.csr'
    privatekey_path: '{{ remote_tmp_dir }}/{{ item.backend }}_privatekey_{{ item.type }}_{{ item.passwd }}.pem'
    privatekey_passphrase: '{{ item.privatekey_passphrase | default(omit) }}'
  loop: '{{ all_tests }}'

- name: Generate selfsigned certificates
  community.crypto.x509_certificate:
    provider: selfsigned
    path: '{{ remote_tmp_dir }}/{{ item.backend }}_certificate_{{ item.type }}_{{ item.passwd }}.pem'
    privatekey_path: '{{ remote_tmp_dir }}/{{ item.backend }}_privatekey_{{ item.type }}_{{ item.passwd }}.pem'
    privatekey_passphrase: '{{ item.privatekey_passphrase | default(omit) }}'
    csr_path: '{{ remote_tmp_dir }}/{{ item.backend }}_{{ item.type }}_{{ item.passwd }}.csr'
  loop: '{{ all_tests }}'

- name: Create statement to be signed
  ansible.builtin.copy:
    content: "Erst wenn der Subwoofer die Katze inhaliert, fickt der Bass richtig übel. -- W.A. Mozart"
    dest: '{{ remote_tmp_dir }}/statement.txt'

- name: Loop over all variants
  ansible.builtin.include_tasks: loop.yml
  loop: '{{ all_tests }}'