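---
# Verify playbook: checks that the Koji CA material installed under
# /etc/pki/koji has the expected ownership and permissions, and that the
# server certificate chains to the Koji CA (and only to it).
#
# Requires `koji_server_ca_fqdn` to be defined (inventory, group_vars or
# --extra-vars); every per-host file name below is derived from it.
- name: Verify
  hosts: all
  become: true
  vars:
    # Directory holding the Koji CA material; every path below is built from it.
    koji_pki_dir: /etc/pki/koji
    # Private key material: must exist and be readable by root only (0600).
    private_keys:
      - koji-ca.key
      - "{{ koji_server_ca_fqdn }}.key"
    # Certificates: world-readable (0644) but still owned by root.
    public_keys:
      - koji-ca.crt
      - "{{ koji_server_ca_fqdn }}.crt"
      - "{{ koji_server_ca_fqdn }}.chain.crt"

  tasks:
    - name: Collect Koji CA private keys stats
      ansible.builtin.stat:
        path: "{{ (koji_pki_dir, item) | path_join }}"
        # Do not hash private key material into registered results / verbose logs.
        get_checksum: false
      loop: "{{ private_keys }}"
      register: private_keys_stats

    - name: Verify Koji CA private keys stats
      ansible.builtin.assert:
        # Conditions are ANDed and evaluated in order, so a missing file fails
        # on `exists` before the mode/owner keys (absent from stat) are touched.
        that:
          - item.stat.exists
          - item.stat.mode == '0600'
          - item.stat.pw_name == 'root'
          - item.stat.gr_name == 'root'
        fail_msg: "{{ item.item }} is missing or is not a root-owned 0600 file"
      loop: "{{ private_keys_stats.results }}"
      loop_control:
        # Print the file name instead of the whole stat result per iteration.
        label: "{{ item.item }}"

    - name: Collect Koji CA public keys stats
      ansible.builtin.stat:
        path: "{{ (koji_pki_dir, item) | path_join }}"
      loop: "{{ public_keys }}"
      register: public_keys_stats

    - name: Verify Koji CA public keys stats
      ansible.builtin.assert:
        that:
          - item.stat.exists
          - item.stat.mode == '0644'
          - item.stat.pw_name == 'root'
          - item.stat.gr_name == 'root'
        fail_msg: "{{ item.item }} is missing or is not a root-owned 0644 file"
      loop: "{{ public_keys_stats.results }}"
      loop_control:
        label: "{{ item.item }}"

    - name: Verify Koji certificate chain
      ansible.builtin.command:
        argv:
          - openssl
          - verify
          # Trust only the Koji CA: without -no-CAfile/-no-CApath, openssl
          # also consults the system trust store, so a certificate issued by
          # any publicly trusted CA would pass this check (needs OpenSSL >= 1.1.0).
          - -no-CAfile
          - -no-CApath
          - -CAfile
          - "{{ (koji_pki_dir, 'koji-ca.crt') | path_join }}"
          - -untrusted
          - "{{ (koji_pki_dir, koji_server_ca_fqdn ~ '.chain.crt') | path_join }}"
          - "{{ (koji_pki_dir, koji_server_ca_fqdn ~ '.crt') | path_join }}"
      register: openssl_verify
      # Read-only check: never report "changed", and leave the pass/fail
      # decision to the assert below so the failure message is explicit.
      changed_when: false
      failed_when: false

    - name: Check Koji certificate chain verification status
      ansible.builtin.assert:
        # `that` is already a Jinja expression; build the expected output with
        # `~` rather than nesting {{ }} delimiters inside a conditional.
        that:
          - openssl_verify.rc == 0
          - >-
            openssl_verify.stdout ==
            (((koji_pki_dir, koji_server_ca_fqdn ~ '.crt') | path_join) ~ ': OK')
        fail_msg: >-
          openssl verify failed (rc={{ openssl_verify.rc }}):
          {{ openssl_verify.stdout }} {{ openssl_verify.stderr }}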