---
#Security specific configuration done here

#TODO: 1. Skip users with no password defined or error 2. Passwords | length > 6

#Ensure x-pack conf directory is created if necessary
- name: Ensure x-pack conf directory exists (file)
  file: path={{ conf_dir }}{{ es_xpack_conf_subdir }} state=directory owner={{ es_user }} group={{ es_group }}
  changed_when: False
  when:
    - es_enable_xpack and "security" in es_xpack_features
    - (es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined) or (es_role_mapping is defined)

#-----------------------------Create Bootstrap User-----------------------------------
### START BLOCK elasticsearch keystore ###
- name: create the elasticsearch keystore
  when: (es_enable_xpack and "security" in es_xpack_features) and (es_version | version_compare('6.0.0', '>'))
  block:
  - name: create the keystore if it doesn't exist yet
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore create
    args:
      creates: "{{ conf_dir }}/elasticsearch.keystore"
    environment:
      ES_PATH_CONF: "{{ conf_dir }}"

  - name: Check if bootstrap password is set
    become: yes
    command: >
     {{es_home}}/bin/elasticsearch-keystore list
    register: list_keystore
    changed_when: False
    environment:
      ES_PATH_CONF: "{{ conf_dir }}"

  - name: Create Bootstrap password for elastic user
    become: yes
    shell: echo "{{es_api_basic_auth_password}}" | {{es_home}}/bin/elasticsearch-keystore add -x 'bootstrap.password'
    when:
      - es_api_basic_auth_username is defined and list_keystore is defined and es_api_basic_auth_username == 'elastic' and 'bootstrap.password' not in list_keystore.stdout_lines
    environment:
      ES_PATH_CONF: "{{ conf_dir }}"
    no_log: true
### END BLOCK elasticsearch keystore ###

#-----------------------------FILE BASED REALM----------------------------------------

- include: elasticsearch-security-file.yml
  when: (es_enable_xpack and "security" in es_xpack_features) and ((es_users is defined and es_users.file is defined) or (es_roles is defined and es_roles.file is defined))

#-----------------------------ROLE MAPPING ----------------------------------------

#Copy Roles files
- name: Copy role_mapping.yml File for Instance
  become: yes
  template: src=security/role_mapping.yml.j2 dest={{conf_dir}}{{es_xpack_conf_subdir}}/role_mapping.yml owner={{ es_user }} group={{ es_group }} mode=0644 force=yes
  when: es_role_mapping is defined

#-----------------------------AUTH FILE----------------------------------------

- name: Copy message auth key to elasticsearch
  become: yes
  copy: src={{ es_message_auth_file }} dest={{conf_dir}}{{es_xpack_conf_subdir}}/system_key owner={{ es_user }} group={{ es_group }} mode=0600 force=yes
  when: es_message_auth_file is defined

#------------------------------------------------------------------------------------

#Ensure security conf directory is created
- name: Ensure security conf directory exists
  become: yes
  file: path={{ conf_dir }}/security state=directory owner={{ es_user }} group={{ es_group }}
  changed_when: False
  when: es_enable_xpack and "security" in es_xpack_features