#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# (c) 2015, René Moser <mail@renemoser.net>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

from __future__ import absolute_import, division, print_function
__metaclass__ = type

ANSIBLE_METADATA = {'metadata_version': '1.1',
                    'status': ['stableinterface'],
                    'supported_by': 'community'}


DOCUMENTATION = '''
---
module: cs_account
short_description: Manages accounts on Apache CloudStack based clouds.
description:
    - Create, disable, lock, enable and remove accounts.
author: René Moser (@resmo)
options:
  name:
    description:
      - Name of account.
    type: str
    required: true
  username:
    description:
      - Username of the user to be created if account did not exist.
      - Required on I(state=present).
    type: str
  password:
    description:
      - Password of the user to be created if account did not exist.
      - Required on I(state=present) if I(ldap_domain) is not set.
    type: str
  first_name:
    description:
      - First name of the user to be created if account did not exist.
      - Required on I(state=present) if I(ldap_domain) is not set.
    type: str
  last_name:
    description:
      - Last name of the user to be created if account did not exist.
      - Required on I(state=present) if I(ldap_domain) is not set.
    type: str
  email:
    description:
      - Email of the user to be created if account did not exist.
      - Required on I(state=present) if I(ldap_domain) is not set.
    type: str
  timezone:
    description:
      - Timezone of the user to be created if account did not exist.
    type: str
  network_domain:
    description:
      - Network domain of the account.
    type: str
  account_type:
    description:
      - Type of the account.
    type: str
    choices: [ user, root_admin, domain_admin ]
    default: user
  domain:
    description:
      - Domain the account is related to.
    type: str
    default: ROOT
  role:
    description:
      - Creates the account under the specified role name or id.
    type: str
  ldap_domain:
    description:
      - Name of the LDAP group or OU to bind.
      - If set, account will be linked to LDAP.
    type: str
  ldap_type:
    description:
      - Type of the ldap name. GROUP or OU, defaults to GROUP.
    type: str
    choices: [ GROUP, OU ]
    default: GROUP
  state:
    description:
      - State of the account.
      - C(unlocked) is an alias for C(enabled).
    type: str
    choices: [ present, absent, enabled, disabled, locked, unlocked ]
    default: present
  poll_async:
    description:
      - Poll async jobs until job has finished.
    type: bool
    default: yes
extends_documentation_fragment:
- community.general.cloudstack

'''

EXAMPLES = '''
- name: create an account in domain 'CUSTOMERS'
  cs_account:
    name: customer_xy
    username: customer_xy
    password: S3Cur3
    last_name: Doe
    first_name: John
    email: john.doe@example.com
    domain: CUSTOMERS
    role: Domain Admin
  delegate_to: localhost

- name: Lock an existing account in domain 'CUSTOMERS'
  cs_account:
    name: customer_xy
    domain: CUSTOMERS
    state: locked
  delegate_to: localhost

- name: Disable an existing account in domain 'CUSTOMERS'
  cs_account:
    name: customer_xy
    domain: CUSTOMERS
    state: disabled
  delegate_to: localhost

- name: Enable an existing account in domain 'CUSTOMERS'
  cs_account:
    name: customer_xy
    domain: CUSTOMERS
    state: enabled
  delegate_to: localhost

- name: Remove an account in domain 'CUSTOMERS'
  cs_account:
    name: customer_xy
    domain: CUSTOMERS
    state: absent
  delegate_to: localhost

- name: Create a single user LDAP account in domain 'CUSTOMERS'
  cs_account:
    name: customer_xy
    username: customer_xy
    domain: CUSTOMERS
    ldap_domain: cn=customer_xy,cn=team_xy,ou=People,dc=domain,dc=local
  delegate_to: localhost

- name: Create a LDAP account in domain 'CUSTOMERS' and bind it to a LDAP group
  cs_account:
    name: team_xy
    username: customer_xy
    domain: CUSTOMERS
    ldap_domain: cn=team_xy,ou=People,dc=domain,dc=local
  delegate_to: localhost
'''

RETURN = '''
---
id:
  description: UUID of the account.
  returned: success
  type: str
  sample: 87b1e0ce-4e01-11e4-bb66-0050569e64b8
name:
  description: Name of the account.
  returned: success
  type: str
  sample: linus@example.com
account_type:
  description: Type of the account.
  returned: success
  type: str
  sample: user
state:
  description: State of the account.
  returned: success
  type: str
  sample: enabled
network_domain:
  description: Network domain of the account.
  returned: success
  type: str
  sample: example.local
domain:
  description: Domain the account is related.
  returned: success
  type: str
  sample: ROOT
role:
  description: The role name of the account
  returned: success
  type: str
  sample: Domain Admin
'''

# import cloudstack common
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.community.general.plugins.module_utils.cloudstack import (
    AnsibleCloudStack,
    cs_argument_spec,
    cs_required_together
)


class AnsibleCloudStackAccount(AnsibleCloudStack):

    def __init__(self, module):
        super(AnsibleCloudStackAccount, self).__init__(module)
        self.returns = {
            'networkdomain': 'network_domain',
            'rolename': 'role',
        }
        self.account = None
        self.account_types = {
            'user': 0,
            'root_admin': 1,
            'domain_admin': 2,
        }

    def get_role_id(self):
        role_param = self.module.params.get('role')
        role_id = None

        if role_param:
            role_list = self.query_api('listRoles')
            for role in role_list['role']:
                if role_param in [role['name'], role['id']]:
                    role_id = role['id']

            if not role_id:
                self.module.fail_json(msg="Role not found: %s" % role_param)

        return role_id

    def get_account_type(self):
        account_type = self.module.params.get('account_type')
        return self.account_types[account_type]

    def get_account(self):
        if not self.account:
            args = {
                'listall': True,
                'domainid': self.get_domain(key='id'),
                'fetch_list': True,
            }
            accounts = self.query_api('listAccounts', **args)
            if accounts:
                account_name = self.module.params.get('name')
                for a in accounts:
                    if account_name == a['name']:
                        self.account = a
                        break

        return self.account

    def enable_account(self):
        account = self.get_account()
        if not account:
            account = self.present_account()

        if account['state'].lower() != 'enabled':
            self.result['changed'] = True
            args = {
                'id': account['id'],
                'account': self.module.params.get('name'),
                'domainid': self.get_domain(key='id')
            }
            if not self.module.check_mode:
                res = self.query_api('enableAccount', **args)
                account = res['account']
        return account

    def lock_account(self):
        return self.lock_or_disable_account(lock=True)

    def disable_account(self):
        return self.lock_or_disable_account()

    def lock_or_disable_account(self, lock=False):
        account = self.get_account()
        if not account:
            account = self.present_account()

        # we need to enable the account to lock it.
        if lock and account['state'].lower() == 'disabled':
            account = self.enable_account()

        if (lock and account['state'].lower() != 'locked' or
                not lock and account['state'].lower() != 'disabled'):
            self.result['changed'] = True
            args = {
                'id': account['id'],
                'account': self.module.params.get('name'),
                'domainid': self.get_domain(key='id'),
                'lock': lock,
            }
            if not self.module.check_mode:
                account = self.query_api('disableAccount', **args)

                poll_async = self.module.params.get('poll_async')
                if poll_async:
                    account = self.poll_job(account, 'account')
        return account

    def present_account(self):
        account = self.get_account()

        if not account:
            self.result['changed'] = True

            if self.module.params.get('ldap_domain'):
                required_params = [
                    'domain',
                    'username',
                ]
                self.module.fail_on_missing_params(required_params=required_params)

                account = self.create_ldap_account(account)

            else:
                required_params = [
                    'email',
                    'username',
                    'password',
                    'first_name',
                    'last_name',
                ]
                self.module.fail_on_missing_params(required_params=required_params)

                account = self.create_account(account)

        return account

    def create_ldap_account(self, account):
        args = {
            'account': self.module.params.get('name'),
            'domainid': self.get_domain(key='id'),
            'accounttype': self.get_account_type(),
            'networkdomain': self.module.params.get('network_domain'),
            'username': self.module.params.get('username'),
            'timezone': self.module.params.get('timezone'),
            'roleid': self.get_role_id()
        }
        if not self.module.check_mode:
            res = self.query_api('ldapCreateAccount', **args)
            account = res['account']

            args = {
                'account': self.module.params.get('name'),
                'domainid': self.get_domain(key='id'),
                'accounttype': self.get_account_type(),
                'ldapdomain': self.module.params.get('ldap_domain'),
                'type': self.module.params.get('ldap_type')
            }

            self.query_api('linkAccountToLdap', **args)

        return account

    def create_account(self, account):
        args = {
            'account': self.module.params.get('name'),
            'domainid': self.get_domain(key='id'),
            'accounttype': self.get_account_type(),
            'networkdomain': self.module.params.get('network_domain'),
            'username': self.module.params.get('username'),
            'password': self.module.params.get('password'),
            'firstname': self.module.params.get('first_name'),
            'lastname': self.module.params.get('last_name'),
            'email': self.module.params.get('email'),
            'timezone': self.module.params.get('timezone'),
            'roleid': self.get_role_id()
        }
        if not self.module.check_mode:
            res = self.query_api('createAccount', **args)
            account = res['account']

        return account

    def absent_account(self):
        account = self.get_account()
        if account:
            self.result['changed'] = True

            if not self.module.check_mode:
                res = self.query_api('deleteAccount', id=account['id'])

                poll_async = self.module.params.get('poll_async')
                if poll_async:
                    self.poll_job(res, 'account')
        return account

    def get_result(self, account):
        super(AnsibleCloudStackAccount, self).get_result(account)
        if account:
            if 'accounttype' in account:
                for key, value in self.account_types.items():
                    if value == account['accounttype']:
                        self.result['account_type'] = key
                        break
        return self.result


def main():
    argument_spec = cs_argument_spec()
    argument_spec.update(dict(
        name=dict(required=True),
        state=dict(choices=['present', 'absent', 'enabled', 'disabled', 'locked', 'unlocked'], default='present'),
        account_type=dict(choices=['user', 'root_admin', 'domain_admin'], default='user'),
        network_domain=dict(),
        domain=dict(default='ROOT'),
        email=dict(),
        first_name=dict(),
        last_name=dict(),
        username=dict(),
        password=dict(no_log=True),
        timezone=dict(),
        role=dict(),
        ldap_domain=dict(),
        ldap_type=dict(choices=['GROUP', 'OU'], default='GROUP'),
        poll_async=dict(type='bool', default=True),
    ))

    module = AnsibleModule(
        argument_spec=argument_spec,
        required_together=cs_required_together(),
        supports_check_mode=True
    )

    acs_acc = AnsibleCloudStackAccount(module)

    state = module.params.get('state')

    if state in ['absent']:
        account = acs_acc.absent_account()

    elif state in ['enabled', 'unlocked']:
        account = acs_acc.enable_account()

    elif state in ['disabled']:
        account = acs_acc.disable_account()

    elif state in ['locked']:
        account = acs_acc.lock_account()

    else:
        account = acs_acc.present_account()

    result = acs_acc.get_result(account)

    module.exit_json(**result)


if __name__ == '__main__':
    main()