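import groovy.transform.Field
import org.jenkinsci.plugins.pipeline.modeldefinition.Utils

/**
 * Extra arguments for the build container. The host's SSH known_hosts is
 * bind-mounted read-only so Ansible's SSH connections verify host keys
 * against the controller's trusted list instead of a fresh/empty one.
 */
@Field def DOCKER_ARGS = '''\
-v /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
'''

/**
 * Entry point of the shared-library step: runs the configuration-policy
 * playbooks once a day inside the "configpolicy" container.
 *
 * @param rw_limit Ansible host limit for the hosts whose root filesystem
 *                 must be remounted read-write before applying policy;
 *                 a falsy value skips both remount stages.
 * @param stages   ordered map of stage name -> list of playbooks to run.
 *
 * Lifecycle: kinit -> remount R/W -> playbooks -> remount R/O, then
 * credential cleanup. The R/O remount is placed in a finally block so a
 * failing playbook does not leave root filesystems writable; a failure in
 * that remount is still reported through postFailure().
 */
def call(rw_limit, stages) {
    properties([
        pipelineTriggers([cron('H H * * *')])
    ])
    timeout(time: 1, unit: 'HOURS') {
        // Serialise concurrent policy runs against the same hosts.
        lock('cfgpol') {
            node {
                checkout scm
                docker.build("configpolicy", 'ci').inside(DOCKER_ARGS) {
                    // Per-workspace credential cache so kdestroy in
                    // postCleanup() removes exactly what kinit created.
                    withEnv(["KRB5CCNAME=${WORKSPACE}/.krb5cc"]) {
                        try {
                            stageKinit()
                            stageRemountRW(rw_limit)
                            try {
                                generateStages(stages)
                            } finally {
                                // Runs whether or not the playbooks succeeded,
                                // while Kerberos/sudo credentials are still
                                // available. If both the playbooks and this
                                // remount fail, the remount error is the one
                                // propagated to postFailure().
                                stageRemountRO(rw_limit)
                            }
                        } catch (err) {
                            postFailure(err)
                        } finally {
                            postCleanup()
                        }
                    }
                }
            }
        }
    }
}

/**
 * Obtains a Kerberos TGT from the Jenkins keytab and stages the sudo
 * password file where the playbooks' group_vars expect it.
 *
 * The sudo password is copied into the workspace; postCleanup() deletes it
 * again (by file name) and discards the Kerberos cache. The stale fact
 * cache is removed so each run gathers fresh facts.
 */
def stageKinit() {
    stage('kinit') {
        withCredentials([file(
            credentialsId: 'keytab-jenkins@pyrocufflink.blue',
            variable: 'KEYTAB'
        )]) {
            sh 'kinit -kt "${KEYTAB}" jenkins@PYROCUFFLINK.BLUE'
        }
        withCredentials([file(
            credentialsId: 'vault-jenkins@pyrocufflink.blue',
            variable: 'SUDO_PASS_FILE'
        )]) {
            sh 'cp "${SUDO_PASS_FILE}" group_vars/pyrocufflink/sudo-pass'
        }
        sh 'rm -rf .fact-cache'
    }
}

/**
 * Remounts the root filesystem read-write on the hosts selected by limit.
 *
 * @param limit Ansible host pattern; when falsy the stage is marked skipped.
 */
def stageRemountRW(limit) {
    def STAGE_NAME = 'Remount R/W'
    stage(STAGE_NAME) {
        if (limit) {
            ansiblePlaybook(
                playbook: 'remount.yml',
                limit: limit,
                become: true,
                credentialsId: 'jenkins-cfgmgmt',
                vaultCredentialsId: 'ansible-vault',
                extraVars: [
                    remount_state: 'rw',
                ]
            )
        } else {
            Utils.markStageSkippedForConditional(STAGE_NAME)
        }
    }
}

/**
 * Creates one pipeline stage per entry of stages and runs its playbooks in
 * order.
 *
 * @param stages map of stage name -> list of playbook paths.
 *
 * Note: extras '--diff' prints the before/after content of changed files
 * into the build log; templated files that carry secrets should use
 * no_log on the Ansible side so they do not end up in the console output.
 * Tasks tagged 'install' are skipped (policy enforcement, not provisioning).
 */
def generateStages(stages) {
    stages.each { name, playbooks ->
        stage(name) {
            playbooks.each { playbook ->
                ansiblePlaybook(
                    playbook: playbook,
                    become: true,
                    credentialsId: 'jenkins-cfgmgmt',
                    vaultCredentialsId: 'ansible-vault',
                    extras: '--diff',
                    skippedTags: 'install'
                )
            }
        }
    }
}

/**
 * Remounts the root filesystem read-only again on the hosts selected by
 * limit, excluding members of the 'rw-root' group (which stay writable).
 *
 * @param limit Ansible host pattern; when falsy the stage is marked skipped.
 */
def stageRemountRO(limit) {
    def STAGE_NAME = 'Remount R/O'
    stage(STAGE_NAME) {
        if (limit) {
            ansiblePlaybook(
                playbook: 'remount.yml',
                limit: limit + ':!rw-root',
                become: true,
                credentialsId: 'jenkins-cfgmgmt',
                vaultCredentialsId: 'ansible-vault',
                extras: '--diff'
            )
        } else {
            Utils.markStageSkippedForConditional(STAGE_NAME)
        }
    }
}

/**
 * Removes the credentials materialised by stageKinit(): the Kerberos
 * credential cache (via KRB5CCNAME) and every copy of the sudo password
 * file in the workspace. Always runs, including after a failure.
 */
def postCleanup() {
    sh 'kdestroy'
    sh 'find . -name sudo-pass -delete'
}

/**
 * Marks the build failed, sends the failure notification and re-raises
 * the original error so the pipeline stops.
 *
 * @param err the exception caught in call().
 */
def postFailure(err) {
    currentBuild.result = 'FAILURE'
    emailext(
        to: 'gyrfalcon@ebonfire.com',
        subject: '$DEFAULT_SUBJECT',
        body: '$DEFAULT_CONTENT'
    )
    error "${err}"
}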