#
# Create and destroy user, test 'password' and 'encrypted' parameters
#
# unencrypted values are not supported on newer versions
# do not run the encrypted: no tests if on 10+
- set_fact:
    encryption_values:
    - 'yes'

- set_fact:
    encryption_values: '{{ encryption_values + ["no"]}}'
  when: postgres_version_resp.stdout is version('10', '<=')

- include_tasks: test_password.yml
  vars:
    encrypted: '{{ loop_item }}'
    db_password1: 'secretù' # use UTF-8
  loop: '{{ encryption_values }}'
  loop_control:
    loop_var: loop_item

# BYPASSRLS role attribute was introduced in PostgreSQL 9.5, so
# we want to test attribute management differently depending
# on the version.
- set_fact:
    bypassrls_supported: "{{ postgres_version_resp.stdout is version('9.5.0', '>=') }}"

# test 'no_password_change' and 'role_attr_flags' parameters
- include_tasks: test_no_password_change.yml
  vars:
    no_password_changes: '{{ loop_item }}'
  loop:
    - 'yes'
    - 'no'
  loop_control:
    loop_var: loop_item

### TODO: fail_on_user

#
# Test login_user functionality
#
- name: Create a user to test login module parameters
  become: yes
  become_user: "{{ pg_user }}"
  postgresql_user:
    name: "{{ db_user1 }}"
    state: "present"
    encrypted: 'yes'
    password: "password"
    role_attr_flags: "CREATEDB,LOGIN,CREATEROLE"
    login_user: "{{ pg_user }}"
    trust_input: no
    db: postgres

- name: Create db
  postgresql_db:
    name: "{{ db_name }}"
    state: "present"
    login_user: "{{ db_user1 }}"
    login_password: "password"
    login_host: "localhost"

- name: Check that database created
  become: yes
  become_user: "{{ pg_user }}"
  shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres
  register: result

- assert:
    that:
      - "result.stdout_lines[-1] == '(1 row)'"

- name: Create a user
  postgresql_user:
    name: "{{ db_user2 }}"
    state: "present"
    encrypted: 'yes'
    password: "md55c8ccfd9d6711fc69a7eae647fc54f51"
    db: "{{ db_name }}"
    login_user: "{{ db_user1 }}"
    login_password: "password"
    login_host: "localhost"
    trust_input: no

- name: Check that it was created
  become: yes
  become_user: "{{ pg_user }}"
  shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql -d postgres
  register: result

- assert:
    that:
      - "result.stdout_lines[-1] == '(1 row)'"

- name: Grant database privileges
  postgresql_privs:
    type: "database"
    state: "present"
    roles: "{{ db_user2 }}"
    privs: "CREATE,connect"
    objs: "{{ db_name }}"
    db: "{{ db_name }}"
    login: "{{ db_user1 }}"
    password: "password"
    host: "localhost"

- name: Check that the user has the requested permissions (database)
  become: yes
  become_user: "{{ pg_user }}"
  shell: echo "select datacl from pg_database where datname='{{ db_name }}';" | psql {{ db_name }}
  register: result_database

- assert:
    that:
      - "result_database.stdout_lines[-1] == '(1 row)'"
      - "db_user2 ~ '=Cc' in result_database.stdout"

- name: Remove user
  postgresql_user:
    name: "{{ db_user2 }}"
    state: 'absent'
    priv: "ALL"
    db: "{{ db_name }}"
    login_user: "{{ db_user1 }}"
    login_password: "password"
    login_host: "localhost"
    trust_input: no

- name: Check that they were removed
  become: yes
  become_user: "{{ pg_user }}"
  shell: echo "select * from pg_user where usename='{{ db_user2 }}';" | psql -d postgres
  register: result

- assert:
    that:
      - "result.stdout_lines[-1] == '(0 rows)'"

- name: Destroy DB
  postgresql_db:
    state: absent
    name: "{{ db_name }}"
    login_user: "{{ db_user1 }}"
    login_password: "password"
    login_host: "localhost"

- name: Check that database was destroyed
  become: yes
  become_user: "{{ pg_user }}"
  shell: echo "select datname from pg_database where datname = '{{ db_name }}';" | psql -d postgres
  register: result

- assert:
    that:
      - "result.stdout_lines[-1] == '(0 rows)'"