---

- vars:
    mysql_parameters: &mysql_params
      login_user: '{{ mysql_user }}'
      login_password: '{{ mysql_password }}'
      login_host: '{{ mysql_host }}'
      login_port: '{{ mysql_primary_port }}'

  block:

    - name: Issue-121 | Setup | Get server certificate
      copy:
        content: "{{ lookup('pipe', \"openssl s_client -starttls mysql -connect {{ mysql_host }}:3307 -showcerts 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'\") }}"
        dest: /tmp/cert.pem
      delegate_to: localhost

    - name: Issue-121 | Setup | Drop mysql user if exists
      mysql_user:
        <<: *mysql_params
        name: '{{ item }}'
        host_all: true
        state: absent
      ignore_errors: true
      loop:
        - "{{ user_name_1 }}"
        - "{{ user_name_2 }}"

    - name: Issue-121 | Create user with REQUIRESSL privilege
      mysql_user:
        <<: *mysql_params
        name: "{{ user_name_1 }}"
        password: "{{ user_password_1 }}"
        priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'

    - name: Issue-121 | Verify REQUIRESSL is assigned to the user
      mysql_query:
        <<: *mysql_params
        query: "SHOW CREATE USER '{{ user_name_1}}'@'localhost'"
      register: result

    - name: Issue-121 | Assert that requiressl is assigned to the user
      assert:
        that:
          - result is succeeded and 'REQUIRE SSL' in (result.query_result | string)

    - name: Issue-121 | Create user with equivalent ssl requirement in tls_requires (expect unchanged)
      mysql_user:
        <<: *mysql_params
        name: "{{ user_name_1 }}"
        password: "{{ user_password_1 }}"
        priv: '*.*:SELECT,CREATE USER,GRANT'
        tls_requires:
          SSL:
      register: result

    - name: Issue-121 | Assert that create user with equivalent ssl is not changed
      assert:
        that:
          - result is not changed

    - name: Issue-121 | Create the same user again, with REQUIRESSL privilege once more
      mysql_user:
        <<: *mysql_params
        name: "{{ user_name_1 }}"
        password: "{{ user_password_1 }}"
        priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
      register: result

    - name: Issue-121 | Assert error granting privileges
      assert:
        that:
          - result is not changed

    # Disabled on stable-2
    # This test makes no sense to me and the second task is changed making the
    # assertion fails.
    # - name: >-
    #     Issue-121 | Create user with both REQUIRESSL privilege and an incompatible
    #     tls_requires option
    #   mysql_user:
    #     <<: *mysql_params
    #     name: "{{ user_name_1 }}"
    #     host: '{{ gateway_addr }}'
    #     password: "{{ user_password_1 }}"
    #     priv: '*.*:SELECT,CREATE USER,REQUIRESSL,GRANT'
    #     tls_requires:
    #       X509:

    # - name: Issue-121 | Create same user again without REQUIRESSL privilege
    #   mysql_user:
    #     <<: *mysql_params
    #     name: "{{ user_name_1 }}"
    #     password: "{{ user_password_1 }}"
    #     priv: '*.*:SELECT,CREATE USER,GRANT'
    #     tls_requires:
    #       X509:
    #   register: result

    # - name: Issue-121 | Assert that create same user again without REQUIRESSL is not changed
    #   assert:
    #     that: result is not changed

    - name: Issue-121 | Teardown | Drop mysql user
      mysql_user:
        <<: *mysql_params
        name: '{{ item }}'
        host_all: true
        state: absent
      with_items:
        - "{{ user_name_1 }}"
        - "{{ user_name_2 }}"