---
- hosts: all
  tasks:
  - name: Configure sshd
    include_role:
      name: ansible-sshd
    vars:
      # For Fedora containers, we need to make sure we have keys for sshd -T below
      sshd_verify_hostkeys:
        - /etc/ssh/ssh_host_rsa_key
      sshd:
        Match:
        - Condition: "User xusers"
          X11Forwarding: yes
          Banner: /tmp/xusers-banner
      sshd_match:
        - Condition: "User bot"
          AllowTcpForwarding: no
          Banner: /tmp/bot-banner
      sshd_match_1:
        - Condition: "User sftponly"
          ForceCommand: "internal-sftp"
          ChrootDirectory: "/var/uploads/"
      sshd_match_2:
        - Condition: "User root"
          PasswordAuthentication: no
          PermitTunnel: yes

  - name: Verify the options are correctly set
    vars:
      main_sshd_config: >-
        {{
          "/etc/ssh/sshd_config.d/00-ansible_system_role.conf"
          if ansible_facts['distribution'] == 'Fedora'
          else "/etc/ssh/sshd_config"
        }}
    block:
      - meta: flush_handlers

      - name: List effective configuration using sshd -T for xusers
        command: sshd -T -C user=xusers,addr=127.0.0.1,host=example.com
        register: xusers_effective

      - name: List effective configuration using sshd -T for bot
        command: sshd -T -C user=bot,addr=127.0.0.1,host=example.com
        register: bot_effective

      - name: List effective configuration using sshd -T for sftponly
        command: sshd -T -C user=sftponly,addr=127.0.0.1,host=example.com
        register: sftponly_effective

      - name: List effective configuration using sshd -T for root
        command: sshd -T -C user=root,addr=127.0.0.1,host=example.com
        register: root_effective

      - name: Print current configuration file
        slurp:
          src: "{{ main_sshd_config }}"
        register: config

      - name: Check the options are effective
        # note, the options are in lower-case here
        assert:
          that:
            - "'x11forwarding yes' in xusers_effective.stdout"
            - "'banner /tmp/xusers-banner' in xusers_effective.stdout"
            - "'allowtcpforwarding no' in bot_effective.stdout"
            - "'banner /tmp/bot-banner' in bot_effective.stdout"
            - "'forcecommand internal-sftp' in sftponly_effective.stdout"
            - "'chrootdirectory /var/uploads/' in sftponly_effective.stdout"
            - "'passwordauthentication no' in root_effective.stdout"
            - "'permittunnel yes' in root_effective.stdout"

      - name: Check the options are in configuration file
        assert:
          that:
            - "'Match User xusers' in config.content | b64decode"
            - "'Match User bot' in config.content | b64decode"
            - "'Match User sftponly' in config.content | b64decode"
            - "'Match User root' in config.content | b64decode"
    tags: tests::verify