
Location: majic-ansible-roles/roles/xmpp_server/molecule/default/prepare.yml - annotation

branko
MAR-185: Creating maintenance branch for release 7.0.0.
---

# Controller-side fixture play: builds a throwaway X.509 hierarchy with
# gimmecert under tests/data/ before any test instance is touched.
#
# NOTE(review): the generated CA and server private keys are test material
# only. Confirm tests/data/.gimmecert is excluded from version control and
# that nothing outside the test instances is configured to trust this CA.
- name: Set-up fixtures
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:

    # "creates" makes the task a no-op once the level 1 CA certificate
    # exists, so repeated runs keep using the same CA.
    - name: Initialise CA hierarchy
      command: "gimmecert init"
      args:
        creates: ".gimmecert/ca/level1.cert.pem"
        chdir: "tests/data/"

    # The command is passed as an argv list (no free-form string), so each
    # FQDN becomes its own argument to gimmecert. One key/certificate pair
    # is issued per item; the fqdn entries are handed to gimmecert as the
    # names for that certificate.
    - name: Generate server private keys and certificates
      command:
      args:
        chdir: "tests/data/"
        creates: ".gimmecert/server/{{ item.name }}.cert.pem"
        argv: "{{ ['gimmecert', 'server', item.name] + item.fqdn }}"
      with_items:
        - name: ldap-server_ldap
          fqdn:
            - ldap-server
        - name: parameters-mandatory-buster64_xmpp
          fqdn:
            - parameters-mandatory
            - domain1
            - proxy.domain1
            - conference.domain1
        - name: parameters-optional-buster64_xmpp
          fqdn:
            - parameters-optional
            - domain2
            - proxy.domain2
            - conference.domain2
            - domain3
            - proxy.domain3
            - conference.domain3
        - name: deprecated-buster64_xmpp
          fqdn:
            - deprecated
            - domain4
            - proxy.domain4
            - conference.domain4

    # Exposes the gimmecert output directory as tests/data/x509, the path
    # later plays read the CA certificate from.
    - name: Set-up link to generated X.509 material
      file:
        src: ".gimmecert"
        dest: "tests/data/x509"
        state: link

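# Bootstrap play: makes sure a Python interpreter exists on every instance.
# Facts are not gathered and the raw module is used because regular Ansible
# modules cannot run on a target that has no Python yet.
- name: Prepare
  hosts: all
  gather_facts: false
  tasks:
    # apt-get is used instead of apt: the apt front-end does not promise a
    # stable command-line interface for scripted use. The task always
    # reports "ok" (changed_when: false), even when it installs the package.
    - name: Install python for Ansible
      raw: test -e /usr/bin/python3 || (apt-get -y update && apt-get install -y python3-minimal)
      become: true
      changed_when: false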

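# Installs the TLS testing tools on every instance and adjusts nmap so that
# its certificate script can be pointed at a specific XMPP domain.
- name: Install and adjust TLS testing tools
  hosts: all
  become: true
  tasks:

    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        update_cache: true
      changed_when: false

    - name: Install tools for testing
      apt:
        name:
          - gnutls-bin
          - nmap
        state: present

    # This edits a file owned by the nmap package in place: every
    # occurrence of "host.name)" in sslcert.lua becomes "host.targetname)".
    # NOTE(review): a package upgrade or reinstall will presumably restore
    # the original file, and the patch changes nmap behaviour for every
    # user of the instance - keep it confined to disposable test machines.
    - name: Use name provided via CLI when running STARTTLS handshake for XMPP via nmap
      replace:
        path: "/usr/share/nmap/nselib/sslcert.lua"
        regexp: "host\\.name\\)"
        replace: "host.targetname)"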

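# Preparation specific to the "buster" group: static name resolution for
# the test network, a relaxed OpenSSL protocol floor, and the Prosody
# package repository workaround.
- name: Prepare Buster test instances
  hosts: buster
  become: true
  tasks:

    # One /etc/hosts line per test instance, listing every name (including
    # the XMPP domains and their proxy/conference subdomains) that must
    # resolve to it. File modes are quoted so they are always read as the
    # intended octal string, regardless of YAML integer parsing.
    - name: Set-up the hosts file
      lineinfile:
        path: /etc/hosts
        regexp: "^{{ item.key }}"
        line: "{{ item.key }} {{ item.value }}"
        owner: root
        group: root
        mode: "0644"
        state: present
      with_dict:
        192.168.56.10: "ldap-server backup-server"
        192.168.56.20: "client-buster"
        192.168.56.30: "parameters-mandatory domain1 proxy.domain1 conference.domain1"
        192.168.56.31: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"
        192.168.56.32: "deprecated domain4 proxy.domain4 conference.domain4"

    # SECURITY: this rewrites the MinProtocol setting in the global OpenSSL
    # configuration, so it applies to every OpenSSL consumer on the
    # instance that honours that file, not only to Prosody. It is
    # acceptable on disposable test machines only; never carry it over to
    # a production host.
    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the xmpp_server_tls_protocol parameter
      lineinfile:
        path: "/etc/ssl/openssl.cnf"
        regexp: "^MinProtocol ="
        line: "MinProtocol = TLSv1.0"
        owner: root
        group: root
        mode: "0644"
        state: present

    # @WORKAROUND: Prosody repository override
    #
    # Prosody project has killed off Debian Buster repositories. Trick
    # the system to install packages from custom repository location
    # instead.
    #
    # SECURITY: the address is resolved on the controller at run time and
    # pinned in /etc/hosts, so packages.prosody.im on these instances points
    # at the custom mirror. Package authenticity then rests entirely on the
    # workaround signing key added by the next task.
    #
    # The regexp matches an existing packages.prosody.im entry so that a
    # changed mirror address replaces the old line. Without it a stale
    # entry would be kept and, being earlier in the file, would presumably
    # keep winning name resolution.
    #
    # NOTE(review): confirm what the dig lookup returns when the name does
    # not resolve or resolves to several addresses; a failed lookup should
    # fail the play rather than write an unusable hosts entry.
    - name: Override server IP for Prosody repository via hosts file
      lineinfile:
        path: /etc/hosts
        regexp: '\spackages\.prosody\.im$'
        line: "{{ lookup('dig', 'prosody.repo.majic.rs') }} packages.prosody.im"
        owner: root
        group: root
        mode: "0644"
        state: present
      tags:
        - workaround:prosody_repository_override

    # SECURITY: apt_key adds the key to apt's global trusted keyring, so the
    # key is accepted for every configured repository on the instance, not
    # only for the Prosody mirror. The key file is read from the controller;
    # review it like any other trust anchor when it changes.
    - name: Add workaround Prosody repository signing key
      apt_key:
        data: "{{ lookup('file', 'workaround_prosody_repository_signing_key.asc') }}"
        state: present
      tags:
        - workaround:prosody_repository_override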

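# Pre-installs Prosody from the Prosody package repository on the
# "deprecated" instance, before the role under test is applied to it.
- name: Pre-install Prosody on the deprecated test instance
  hosts: deprecated
  become: true
  tasks:

    # SECURITY: apt_key places the key in apt's global trusted keyring, so
    # it is trusted for all configured repositories on the instance.
    - name: Add Prosody repository signing key
      apt_key:
        data: "{{ lookup('file', 'prosody-debian-gpg-key.asc') }}"
        state: present

    # SECURITY: the repository is fetched over plain HTTP. Integrity of the
    # packages depends on apt verifying the repository signature against
    # the trusted keys; the transport itself gives no protection against
    # tampering or observation.
    - name: Add Prosody repository
      apt_repository:
        repo: "deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"
        state: present

    - name: Install Prosody (from Prosody repository)
      apt:
        name: prosody-0.11
        state: present

    # Root-owned and not writable by others, so only root can add modules
    # to this directory. The mode is quoted so it is always read as the
    # intended octal string.
    - name: Set-up directory for storing additional Prosody modules
      file:
        path: "/usr/local/lib/prosody/modules/"
        state: directory
        owner: root
        group: root
        mode: "0755"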

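# Prepares the client instances: connectivity and XMPP client tools, trust
# in the test CA, and a local account with per-JID mcabber configurations.
- name: Prepare XMPP client test instances
  hosts: clients
  become: true
  tasks:

    - name: Install tool for testing TCP connectivity
      apt:
        name: hping3
        state: present

    # SECURITY: this adds the throwaway test CA to the system trust store
    # (the handler rebuilds the CA bundle), so every TLS client on the
    # instance that uses the system store will accept certificates issued
    # by it. Only do this on disposable test machines.
    - name: Deploy CA certificate
      copy:
        src: tests/data/x509/ca/level1.cert.pem
        dest: /usr/local/share/ca-certificates/testca.crt
        owner: root
        group: root
        mode: "0644"
      notify:
        - Update CA certificate cache

    - name: Install console-based XMPP client (for interactive testing)
      apt:
        name: mcabber
        state: present

    - name: Install console-based XMPP tool (for non-interactive testing)
      apt:
        name: sendxmpp
        state: present

    - name: Create dedicated group for testing
      group:
        name: user
        state: present

    - name: Create dedicated user for testing
      user:
        name: user
        group: user
        shell: /bin/bash

    # One configuration file per test JID, readable by the test user only
    # (mode 0600). The passwords below are fixture values for the test
    # accounts; they are stored in clear text in this playbook.
    # NOTE(review): the template is not visible here - presumably it writes
    # the password into the rendered file; the loop items (passwords
    # included) will also appear in Ansible's task output.
    - name: Deploy mcabber configuration files
      template:
        src: tests/data/mcabber.cfg.j2
        dest: "~user/{{ item.jid }}.cfg"
        owner: user
        group: user
        mode: "0600"
      with_items:
        - jid: john.doe@domain1
          password: johnpassword
          server: domain1
          security: tls
          nickname: john.doe
        - jid: jane.doe@domain2
          password: janepassword
          server: domain2
          security: ssl
          nickname: jane.doe
        - jid: mick.doe@domain3
          password: mickpassword
          server: domain3
          security: tls
          nickname: mick.doe
        - jid: noxmpp@domain1
          password: noxmpppassword
          server: domain1
          security: tls
          nickname: noxmpp
        - jid: eve.doe@domain4
          password: evepassword
          server: domain4
          security: tls
          nickname: eve.doe

  handlers:

    # Runs only when the CA certificate task reports a change.
    - name: Update CA certificate cache
      command: /usr/sbin/update-ca-certificates --fresh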

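# Applies the ldap_server and backup_server roles to the ldap-server
# instance, which also answers to the backup-server name in the test
# network's hosts file.
- name: Deploy LDAP and backup servers used by the tests
  hosts: ldap-server
  become: true
  roles:
    - ldap_server
    - backup_server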

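# Populates the test directory with user accounts and XMPP group
# membership.
- name: Create LDAP test accounts and group membership
  hosts: ldap-server
  become: true
  tasks:

    # The userPassword values are fixture credentials written in clear text
    # in this playbook, and the loop items are shown in Ansible's task
    # output. They must never be reused for real accounts.
    # NOTE(review): whether the directory hashes userPassword on write is
    # not visible here - assume the values are stored as given.
    - name: Create LDAP accounts for testing
      ldap_entry:
        dn: "{{ item.dn }}"
        objectClass: "{{ item.objectClass }}"
        attributes: "{{ item.attributes }}"
      with_items:
        - dn: uid=john,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: johnpassword
            uid: john
            cn: John Doe
            sn: Doe
            mail: john.doe@domain1

        - dn: uid=jane,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: janepassword
            uid: jane
            cn: Jane Doe
            sn: Doe
            mail: jane.doe@domain2

        - dn: uid=mick,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: mickpassword
            uid: mick
            cn: Mick Doe
            sn: Doe
            mail: mick.doe@domain3

        - dn: uid=noxmpp,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: noxmpppassword
            uid: noxmpp
            cn: No XMPP
            sn: XMPP
            mail: noxmpp@domain1

        - dn: uid=eve,ou=people,dc=local
          objectClass:
            - inetOrgPerson
            - simpleSecurityObject
          attributes:
            userPassword: evepassword
            uid: eve
            cn: Eve Doe
            sn: Doe
            mail: eve.doe@domain4

    # "state: exact" sets uniqueMember to exactly the listed DNs, removing
    # any other member. The noxmpp account is left out of the group -
    # presumably so the tests can check that non-members are refused XMPP
    # access; confirm against the test suite.
    - name: Add test accounts to correct group
      ldap_attr:
        dn: "cn=xmpp,ou=groups,dc=local"
        name: uniqueMember
        state: exact
        values:
          - uid=john,ou=people,dc=local
          - uid=jane,ou=people,dc=local
          - uid=mick,ou=people,dc=local
          - uid=eve,ou=people,dc=local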

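# Installs the helper tooling the tests run on the XMPP server instances
# themselves.
- name: Install test helpers on XMPP server instances
  hosts: parameters-mandatory,parameters-optional,deprecated
  become: true
  tasks:

    - name: Install console-based XMPP tool (for non-interactive testing)
      apt:
        name: sendxmpp
        state: present

    # Installed root-owned and executable by everyone but writable only by
    # root, so unprivileged users cannot alter a script that the tests may
    # run with elevated rights. The mode is quoted so it is always read as
    # the intended octal string.
    - name: Deploy small Lua script for listing the enabled modules in Prosody
      copy:
        src: list_prosody_modules.lua
        dest: "/usr/local/bin/list_prosody_modules.lua"
        owner: root
        group: root
        mode: "0755"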