---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

- name: "({{ select_crypto_backend }}) Generate privatekey"
  openssl_privatekey:
    path: '{{ remote_tmp_dir }}/privatekey.pem'
    size: '{{ default_rsa_key_size }}'

- name: "({{ select_crypto_backend }}) Generate CSR (check mode)"
  openssl_csr_pipe:
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    subject:
      commonName: www.ansible.com
    select_crypto_backend: '{{ select_crypto_backend }}'
  check_mode: true
  register: generate_csr_check

- name: "({{ select_crypto_backend }}) Generate CSR"
  openssl_csr_pipe:
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    subject:
      commonName: www.ansible.com
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: generate_csr

- name: "({{ select_crypto_backend }}) Generate CSR (idempotent)"
  openssl_csr_pipe:
    content: "{{ generate_csr.csr }}"
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    subject:
      commonName: www.ansible.com
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: generate_csr_idempotent

- name: "({{ select_crypto_backend }}) Generate CSR (idempotent, check mode)"
  openssl_csr_pipe:
    content: "{{ generate_csr.csr }}"
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    subject:
      commonName: www.ansible.com
    select_crypto_backend: '{{ select_crypto_backend }}'
  check_mode: true
  register: generate_csr_idempotent_check

- name: "({{ select_crypto_backend }}) Generate CSR (changed)"
  openssl_csr_pipe:
    content: "{{ generate_csr.csr }}"
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    subject:
      commonName: ansible.com
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: generate_csr_changed

- name: "({{ select_crypto_backend }}) Generate CSR (changed, check mode)"
  openssl_csr_pipe:
    content: "{{ generate_csr.csr }}"
    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
    subject:
      commonName: ansible.com
    select_crypto_backend: '{{ select_crypto_backend }}'
  check_mode: true
  register: generate_csr_changed_check

- name: "({{ select_crypto_backend }}) Validate CSR (test - privatekey modulus)"
  shell: '{{ openssl_binary }} rsa -noout -modulus -in {{ remote_tmp_dir }}/privatekey.pem'
  register: privatekey_modulus

- name: "({{ select_crypto_backend }}) Validate CSR (test - Common Name)"
  shell: "{{ openssl_binary }} req -noout -subject -in /dev/stdin -nameopt oneline,-space_eq"
  args:
    stdin: "{{ generate_csr.csr }}"
  register: csr_cn

- name: "({{ select_crypto_backend }}) Validate CSR (test - csr modulus)"
  shell: '{{ openssl_binary }} req -noout -modulus -in /dev/stdin'
  args:
    stdin: "{{ generate_csr.csr }}"
  register: csr_modulus

- name: "({{ select_crypto_backend }}) Validate CSR (assert)"
  assert:
    that:
      - csr_cn.stdout.split('=')[-1] == 'www.ansible.com'
      - csr_modulus.stdout == privatekey_modulus.stdout

- name: "({{ select_crypto_backend }}) Validate CSR (check mode, idempotency)"
  assert:
    that:
      - generate_csr_check is changed
      - generate_csr is changed
      - generate_csr_idempotent is not changed
      - generate_csr_idempotent_check is not changed
      - generate_csr_changed is changed
      - generate_csr_changed_check is changed