---
- name: Validate admin console password
  ansible.builtin.assert:
    that:
      - keycloak_quarkus_admin_pass | length > 12
    quiet: true
    fail_msg: "The console administrator password is empty or invalid. Please set the keycloak_quarkus_admin_pass to a 12+ char long string"
    success_msg: "{{ 'Console administrator password OK' }}"

- name: Validate relative path
  ansible.builtin.assert:
    that:
      - keycloak_quarkus_http_relative_path is regex('^/.*')
    quiet: true
    fail_msg: "The relative path for keycloak_quarkus_http_relative_path must begin with /"
    success_msg: "{{ 'Relative path OK' }}"

- name: Validate configuration
  ansible.builtin.assert:
    that:
      - (keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or
        (not keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled) or
        (not keycloak_quarkus_ha_enabled and not keycloak_quarkus_db_enabled)
    quiet: true
    fail_msg: "HA setup requires a backend database service. Check keycloak_quarkus_ha_enabled and keycloak_quarkus_db_enabled"
    success_msg: "{{ 'Configuring HA' if keycloak_quarkus_ha_enabled else 'Configuring standalone' }}"

- name: Validate OS family
  ansible.builtin.assert:
    that:
      - ansible_os_family in ["RedHat", "Debian"]
    quiet: true
    fail_msg: "Can only install on RedHat or Debian OS families; found {{ ansible_os_family }}"
    success_msg: "Installing on {{ ansible_os_family }}"

- name: Load OS specific variables
  ansible.builtin.include_vars: "vars/{{ ansible_os_family | lower }}.yml"
  tags:
    - always

- name: Ensure required packages are installed
  ansible.builtin.include_tasks: fastpackages.yml
  vars:
    packages_list: "{{ keycloak_quarkus_prereq_package_list }}"

- name: "Validate keytool"
  when: keycloak_quarkus_config_key_store_password | length > 0
  block:
    - name: "Attempt to run keytool"
      changed_when: false
      ansible.builtin.command: keytool -help
      register: keytool_check
      ignore_errors: true

    - name: "Fail when no keytool found"
      when: keytool_check.rc != 0
      ansible.builtin.fail:
        msg: "keytool NOT found in the PATH, but is required for setting up the configuration key store"

- name: "Validate providers"
  ansible.builtin.assert:
    that:
      - item.id is defined and item.id | length > 0
      - (item.spi is defined and item.spi | length > 0) or (item.url is defined and item.url | length > 0) or (item.maven is defined and item.maven.repository_url is defined and item.maven.repository_url | length > 0 and item.maven.group_id is defined and item.maven.group_id | length > 0 and item.maven.artifact_id is defined and item.maven.artifact_id | length > 0)
    quiet: true
    fail_msg: "Providers definition is incorrect; `id` and one of `spi`, `url`, or `maven` are mandatory. `key` and `value` are mandatory for each property"
  loop: "{{ keycloak_quarkus_providers }}"

- name: "Validate policies"
  ansible.builtin.assert:
    that:
      - item.name is defined and item.name | length > 0
      - item.url is defined and item.url | length > 0
      - item.type is not defined or item.type | lower in keycloak_quarkus_supported_policy_types
    quiet: true
    fail_msg: "Policy definition is incorrect: `name` and one of `url` are mandatory, `type` needs to be left empty or one of {{ keycloak_quarkus_supported_policy_types }}."
  loop: "{{ keycloak_quarkus_policies }}"