---

- name: Install tools
  package:
    name:
      - pwgen
      - openssl
  when: rand_pass_tools_installed is not defined or not rand_pass_tools_installed

# Mark tool sas installed so we do not check each time, as it can be slow
- set_fact: rand_pass_tools_installed=True

# Check if a non encrypted file exists. We do it first for backward compatibility
- name: Check if password file exists
  stat: path={{ pass_file }}
  register: pass_file_clear

# Now check if an encrypted file exists
- name: Check if an encrypted password file exists
  stat: path={{ pass_file }}.aes256
  register: pass_file_enc

# When no clear nor encrypted file exists, generate a random pass with pwgen
- name: Generate a random password
  shell: pwgen {% if complex | default(True) %}-y -r \`\'\"\\\|\^\# {% endif %}-s {{ pass_size | default(50) }} 1
  register: rand_pass
  when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists

# New pass generation ? Encrypt it with openssl, unless encryption is disabled, or the global rand_pass_encryption_key isn't defined
- when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined
  block:
    - name: Encrypt the generated password
      shell: openssl enc -e -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }}
      args:
        stdin: "{{ rand_pass.stdout }}"
      register: encrypted_rand_pass
    - copy: content={{ encrypted_rand_pass.stdout | trim }} dest={{ pass_file }}.aes256 mode=600

# New pass generation but with encryption disabled, or the global rand_pass_encryption_key not defined
# in this case, store the password as plain text
- name: Store the generated password as clear text
  copy: content={{ rand_pass.stdout | trim }} dest={{ pass_file }} mode=600
  when: not pass_file_clear.stat.exists and not pass_file_enc.stat.exists and (not encryption | default(True) or rand_pass_encryption_key is not defined)

# Read the encrypted pass
- when: not pass_file_clear.stat.exists and encryption | default(True) and rand_pass_encryption_key is defined
  block:

    - name: Read the encrypted password
      slurp: src={{ pass_file }}.aes256
      register: rand_pass

    - name: Decrypt the password
      shell: openssl enc -d -a -aes256 -pass pass:{{ rand_pass_encryption_key | quote }}
      args:
        stdin: "{{ rand_pass.content | b64decode | trim }}"
      register: rand_pass_decrypted
      changed_when: False

# Read unencrypted pass file
- when: not encryption | default(True) or rand_pass_encryption_key is not defined or pass_file_clear.stat.exists
  block:
    - name: Read the clear text password
      slurp: src={{ pass_file }}
      register: rand_pass_clear

# Now set either the decrypted, or the clear text pass in the rand_pass variable which will be used by the caller
- set_fact:
    rand_pass: >-
      {%- if (rand_pass_decrypted is defined and rand_pass_decrypted.stdout is defined) -%}{{ rand_pass_decrypted.stdout }}
      {%- elif rand_pass_clear is defined and rand_pass_clear.content is defined -%}{{ rand_pass_clear.content | b64decode | trim }}
      {%- else -%}{%- endif -%}