---
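# Token lookup, step 1: prefer a user-supplied roxctl-token in the remote
# user's home directory (api-token is checked next as the fallback).
- name: Check for presence of roxctl-token
  ansible.builtin.stat:
    path: "{{ ansible_facts['user_dir'] }}/roxctl-token"
  register: user_token_file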

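# Token lookup, step 2: api-token is the fallback when roxctl-token is absent.
- name: Alternatively, fall back to api-token
  ansible.builtin.stat:
    path: "{{ ansible_facts['user_dir'] }}/api-token"
  register: auto_token_file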

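# Stop early when there is no credential at all. The messages name both
# candidate files: the run may legitimately proceed on api-token, so a
# message that mentions only roxctl-token would mislead the operator.
- name: Require at least one token file (roxctl-token or api-token)
  ansible.builtin.assert:
    that: user_token_file.stat.exists or auto_token_file.stat.exists
    fail_msg: "ERROR: Neither roxctl-token nor api-token found in {{ ansible_facts['user_dir'] }}."
    success_msg: "OK, a token file is present; proceeding."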

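# Give the scripts the roxctl-token name they expect by linking api-token
# into place. roxctl-token holds a bearer credential; the link is created
# only when needed and is removed again by the cleanup task at the end of
# this file (driven by the registered result).
- name: Symlink api-token to roxctl-token if latter is missing
  ansible.builtin.file:
    path: "{{ ansible_facts['user_dir'] }}/roxctl-token"
    src: "{{ ansible_facts['user_dir'] }}/api-token"
    state: link
  when: not user_token_file.stat.exists
  register: symlink_token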

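# The helper scripts live under ~/scripts on the target.
# mode is quoted: an unquoted 0755 is read by YAML 1.1 parsers as the
# octal integer 493, which is a known source of wrong permissions.
# NOTE(review): owner/group assume ansible_user is set explicitly
# (inventory or -u); it is undefined otherwise — confirm for this setup.
- name: Ensure the scripts/ directory is there
  ansible.builtin.file:
    path: "{{ ansible_facts['user_dir'] }}/scripts"
    state: directory
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: "0755"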

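# Ship the two helper scripts from the role's files/ directory.
# mode is quoted so it stays the string "0755" rather than becoming the
# integer 493 under YAML 1.1 octal parsing.
- name: Ensure the two scripts are there
  ansible.builtin.copy:
    src: "files/{{ item }}"
    dest: "{{ ansible_facts['user_dir'] }}/scripts/{{ item }}"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: "0755"
  loop:
    - dump-policies.sh
    - fix-policies.sh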

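# Policy-file lookup, step 1: an existing policyexport means the dump has
# already been taken (or is provided by the operator).
- name: Does policyexport exist?
  ansible.builtin.stat:
    path: "{{ ansible_facts['user_dir'] }}/policyexport"
  register: policy_export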

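# Policy-file lookup, step 2: api-policies is the fallback source.
- name: Does api-policies exist?
  ansible.builtin.stat:
    path: "{{ ansible_facts['user_dir'] }}/api-policies"
  register: policy_backup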

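# Reuse an existing api-policies dump instead of hitting the API again.
# The link is only made when policyexport is missing AND api-policies is
# present; the registered result drives the cleanup task at the end.
- name: Fall back to api-policies if one exists
  ansible.builtin.file:
    path: "{{ ansible_facts['user_dir'] }}/policyexport"
    src: "{{ ansible_facts['user_dir'] }}/api-policies"
    state: link
  when:
    - not policy_export.stat.exists
    - policy_backup.stat.exists
  register: symlink_policies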

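# Take the policy dump once; creates: makes the task idempotent.
- name: Dump the policies
  ansible.builtin.shell:
    chdir: "{{ ansible_facts['user_dir'] }}"
    # Write to a temporary file and rename only on success. A plain
    # "> policyexport" leaves an empty or partial file behind when the
    # script fails, and the creates: guard would then skip the dump on
    # every rerun and feed the truncated file to fix-policies.sh.
    # On failure policyexport.tmp is left for inspection.
    cmd: ./scripts/dump-policies.sh > policyexport.tmp && mv policyexport.tmp policyexport
    creates: "{{ ansible_facts['user_dir'] }}/policyexport"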

# Post-process the dump with the second helper script, run from the
# user's home directory so it finds policyexport next to scripts/.
- name: Fix the policies
  ansible.builtin.command: ./scripts/fix-policies.sh
  args:
    chdir: "{{ ansible_facts['user_dir'] }}"

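# Remove the roxctl-token link only if this run created it; a real
# roxctl-token supplied by the user is never touched.
# The registered result of a task that actually ran has no `skipped`
# key, so the former `not symlink_token.skipped` raised an
# undefined-attribute error in exactly the case where cleanup is
# needed. The `skipped` test handles both outcomes.
- name: Clean up token symlink
  ansible.builtin.file:
    path: "{{ ansible_facts['user_dir'] }}/roxctl-token"
    state: absent
  when:
    - symlink_token is defined
    - symlink_token is not skipped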

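# Remove the policyexport link only if this run created it; a genuine
# dump (file, not link) is kept so creates: short-circuits next time.
# As with the token cleanup, `not symlink_policies.skipped` fails with
# an undefined attribute when the link task ran, because only a skipped
# task's result carries a `skipped` key; use the `skipped` test instead.
- name: Clean up policy symlink
  ansible.builtin.file:
    path: "{{ ansible_facts['user_dir'] }}/policyexport"
    state: absent
  when:
    - symlink_policies is defined
    - symlink_policies is not skipped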

# Get a list of policies (the -k in the curl calls below disables TLS certificate verification of Central; prefer --cacert with the cluster CA outside of ad-hoc testing):
# curl -ks -H "Authorization: Bearer $(cat roxctl-token)" -XGET https://central-rhacs.apps.ocp4.example.com/v1/policies | jq -r '[ .policies[].id ]'
#
# Dump the policies in that list:
# curl -ks -H "Authorization: Bearer $(cat roxctl-token)" -XPOST -d "{ \"policyIds\": $(cat policyids) }" https://central-rhacs.apps.ocp4.example.com/v1/policies/export
#
# Match a policy by name and print its ID:
# jq '.policies[] | select(.name | test("(?i)docker cis 4\\.1")) | .id'
#
# Fix a policy and return the fixed list:
# jq '.policies |= map(if .name | test("(?i)docker cis 4\\.1") then .exclusions = [ { "name": "Skip system namespaces", "deployment": { "name": "", "scope": { "cluster": "", "namespace": "^kube-.*|^openshift-.*|^istio-.*|^rhacs$|^stackrox$", "label": null } }, "image": null, "expiration": null } ] else . end)'
#
# Extract one policy and fix it (along with its name):
# jq '.policies[] | select(.name | test("(?i)docker cis 4\\.1")) | .exclusions |= [ { "name": "Skip system namespaces", "deployment": { "name": "", "scope": { "cluster": "", "namespace": "^kube-.*|^openshift-.*|^istio-.*|^rhacs$|^stackrox$", "label": null } }, "image": null, "expiration": null } ] | .name |= . + " (non-system)"'
...