#!/usr/bin/python
# -*- coding: utf-8 -*-

# Copyright: (c) 2019, Markus Bergholz (markuman@gmail.com)
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type

DOCUMENTATION = '''
module: gitlab_project_variable
short_description: Creates/updates/deletes GitLab Projects Variables
description:
  - When a project variable does not exist, it will be created.
  - When a project variable does exist, its value will be updated when the values are different.
  - Variables which are untouched in the playbook, but are not untouched in the GitLab project,
    they stay untouched (I(purge) is C(false)) or will be deleted (I(purge) is C(true)).
author:
  - "Markus Bergholz (@markuman)"
requirements:
  - python >= 2.7
  - python-gitlab python module
extends_documentation_fragment:
- community.general.auth_basic

options:
  state:
    description:
      - Create or delete project variable.
      - Possible values are present and absent.
    default: present
    type: str
    choices: ["present", "absent"]
  api_token:
    description:
      - GitLab access token with API permissions.
    required: true
    type: str
  project:
    description:
      - The path and name of the project.
    required: true
    type: str
  purge:
    description:
      - When set to true, all variables which are not untouched in the task will be deleted.
    default: false
    type: bool
  vars:
    description:
      - When the list element is a simple key-value pair, masked and protected will be set to false.
      - When the list element is a dict with the keys I(value), I(masked) and I(protected), the user can
        have full control about whether a value should be masked, protected or both.
      - Support for protected values requires GitLab >= 9.3.
      - Support for masked values requires GitLab >= 11.10.
      - A I(value) must be a string or a number.
      - Field I(variable_type) must be a string with either C(env_var), which is the default, or C(file).
      - Field I(environment_scope) must be a string defined by scope environment.
      - When a value is masked, it must be in Base64 and have a length of at least 8 characters.
        See GitLab documentation on acceptable values for a masked variable (https://docs.gitlab.com/ce/ci/variables/#masked-variables).
    default: {}
    type: dict
'''


EXAMPLES = '''
- name: Set or update some CI/CD variables
  community.general.gitlab_project_variable:
    api_url: https://gitlab.com
    api_token: secret_access_token
    project: markuman/dotfiles
    purge: false
    vars:
      ACCESS_KEY_ID: abc123
      SECRET_ACCESS_KEY: 321cba

- name: Set or update some CI/CD variables
  community.general.gitlab_project_variable:
    api_url: https://gitlab.com
    api_token: secret_access_token
    project: markuman/dotfiles
    purge: false
    vars:
      ACCESS_KEY_ID: abc123
      SECRET_ACCESS_KEY:
        value: 3214cbad
        masked: true
        protected: true
        variable_type: env_var
        environment_scope: '*'

- name: Delete one variable
  community.general.gitlab_project_variable:
    api_url: https://gitlab.com
    api_token: secret_access_token
    project: markuman/dotfiles
    state: absent
    vars:
      ACCESS_KEY_ID: abc123
'''

RETURN = '''
project_variable:
  description: Four lists of the variablenames which were added, updated, removed or exist.
  returned: always
  type: dict
  contains:
    added:
      description: A list of variables which were created.
      returned: always
      type: list
      sample: "['ACCESS_KEY_ID', 'SECRET_ACCESS_KEY']"
    untouched:
      description: A list of variables which exist.
      returned: always
      type: list
      sample: "['ACCESS_KEY_ID', 'SECRET_ACCESS_KEY']"
    removed:
      description: A list of variables which were deleted.
      returned: always
      type: list
      sample: "['ACCESS_KEY_ID', 'SECRET_ACCESS_KEY']"
    updated:
      description: A list of variables whose values were changed.
      returned: always
      type: list
      sample: "['ACCESS_KEY_ID', 'SECRET_ACCESS_KEY']"
'''

import traceback

from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils._text import to_native
from ansible.module_utils.api import basic_auth_argument_spec
from ansible.module_utils.six import string_types
from ansible.module_utils.six import integer_types


GITLAB_IMP_ERR = None
try:
    import gitlab
    HAS_GITLAB_PACKAGE = True
except Exception:
    GITLAB_IMP_ERR = traceback.format_exc()
    HAS_GITLAB_PACKAGE = False

from ansible_collections.community.general.plugins.module_utils.gitlab import gitlabAuthentication


class GitlabProjectVariables(object):

    def __init__(self, module, gitlab_instance):
        self.repo = gitlab_instance
        self.project = self.get_project(module.params['project'])
        self._module = module

    def get_project(self, project_name):
        return self.repo.projects.get(project_name)

    def list_all_project_variables(self):
        page_nb = 1
        variables = []
        vars_page = self.project.variables.list(page=page_nb)
        while len(vars_page) > 0:
            variables += vars_page
            page_nb += 1
            vars_page = self.project.variables.list(page=page_nb)
        return variables

    def create_variable(self, key, value, masked, protected, variable_type, environment_scope):
        if self._module.check_mode:
            return
        var = {
            "key": key, "value": value,
            "masked": masked, "protected": protected,
            "variable_type": variable_type
        }
        if environment_scope is not None:
            var["environment_scope"] = environment_scope
        return self.project.variables.create(var)

    def update_variable(self, key, var, value, masked, protected, variable_type, environment_scope):
        if (var.value == value and var.protected == protected and var.masked == masked
                and var.variable_type == variable_type
                and (var.environment_scope == environment_scope or environment_scope is None)):
            return False

        if self._module.check_mode:
            return True

        if (var.protected == protected and var.masked == masked
                and var.variable_type == variable_type
                and (var.environment_scope == environment_scope or environment_scope is None)):
            var.value = value
            var.save()
            return True

        self.delete_variable(key)
        self.create_variable(key, value, masked, protected, variable_type, environment_scope)
        return True

    def delete_variable(self, key):
        if self._module.check_mode:
            return
        return self.project.variables.delete(key)


def native_python_main(this_gitlab, purge, var_list, state, module):

    change = False
    return_value = dict(added=list(), updated=list(), removed=list(), untouched=list())

    gitlab_keys = this_gitlab.list_all_project_variables()
    existing_variables = [x.get_id() for x in gitlab_keys]

    for key in var_list:

        if isinstance(var_list[key], string_types) or isinstance(var_list[key], (integer_types, float)):
            value = var_list[key]
            masked = False
            protected = False
            variable_type = 'env_var'
            environment_scope = None
        elif isinstance(var_list[key], dict):
            value = var_list[key].get('value')
            masked = var_list[key].get('masked', False)
            protected = var_list[key].get('protected', False)
            variable_type = var_list[key].get('variable_type', 'env_var')
            environment_scope = var_list[key].get('environment_scope')
        else:
            module.fail_json(msg="value must be of type string, integer or dict")

        if key in existing_variables:
            index = existing_variables.index(key)
            existing_variables[index] = None

            if state == 'present':
                single_change = this_gitlab.update_variable(key,
                                                            gitlab_keys[index],
                                                            value, masked,
                                                            protected,
                                                            variable_type,
                                                            environment_scope)
                change = single_change or change
                if single_change:
                    return_value['updated'].append(key)
                else:
                    return_value['untouched'].append(key)

            elif state == 'absent':
                this_gitlab.delete_variable(key)
                change = True
                return_value['removed'].append(key)

        elif key not in existing_variables and state == 'present':
            this_gitlab.create_variable(key, value, masked, protected, variable_type, environment_scope)
            change = True
            return_value['added'].append(key)

    existing_variables = list(filter(None, existing_variables))
    if purge:
        for item in existing_variables:
            this_gitlab.delete_variable(item)
            change = True
            return_value['removed'].append(item)
    else:
        return_value['untouched'].extend(existing_variables)

    return change, return_value


def main():
    argument_spec = basic_auth_argument_spec()
    argument_spec.update(
        api_token=dict(type='str', required=True, no_log=True),
        project=dict(type='str', required=True),
        purge=dict(type='bool', required=False, default=False),
        vars=dict(type='dict', required=False, default=dict(), no_log=True),
        state=dict(type='str', default="present", choices=["absent", "present"])
    )

    module = AnsibleModule(
        argument_spec=argument_spec,
        mutually_exclusive=[
            ['api_username', 'api_token'],
            ['api_password', 'api_token'],
        ],
        required_together=[
            ['api_username', 'api_password'],
        ],
        required_one_of=[
            ['api_username', 'api_token']
        ],
        supports_check_mode=True
    )

    purge = module.params['purge']
    var_list = module.params['vars']
    state = module.params['state']

    if not HAS_GITLAB_PACKAGE:
        module.fail_json(msg=missing_required_lib("python-gitlab"), exception=GITLAB_IMP_ERR)

    gitlab_instance = gitlabAuthentication(module)

    this_gitlab = GitlabProjectVariables(module=module, gitlab_instance=gitlab_instance)

    change, return_value = native_python_main(this_gitlab, purge, var_list, state, module)

    module.exit_json(changed=change, project_variable=return_value)


if __name__ == '__main__':
    main()