---
# ============================================================================
# Sophos Common Role - Main Tasks
# ============================================================================
# This role performs common setup tasks for all Sophos XGS firewalls:
#   - Validates required variables
#   - Tests API connectivity
#   - Authenticates to the firewall
#   - Gathers basic system facts
#
# This role should always run first before other configuration roles.
# ============================================================================

- name: Validate required variables are defined
  ansible.builtin.assert:
    that:
      - sophos_mgmt_host is defined
      - sophos_mgmt_host | length > 0
      - sophos_mgmt_port is defined
      - (sophos_api_key is defined) or (sophos_api_username is defined and sophos_api_password is defined)
    fail_msg: |
      Required variables are missing for {{ inventory_hostname }}.
      Please ensure the following are defined in host_vars:
        - sophos_mgmt_host (management IP or hostname)
        - sophos_mgmt_port (API port, default 4444)
        - Authentication: either sophos_api_key OR (sophos_api_username AND sophos_api_password)
    success_msg: "All required variables are defined for {{ inventory_hostname }}"
  tags: ['validation']

- name: Display firewall connection information
  ansible.builtin.debug:
    msg:
      - "Connecting to Sophos XGS Firewall:"
      - "  Hostname: {{ inventory_hostname }}"
      - "  Management IP: {{ sophos_mgmt_host }}"
      - "  API Port: {{ sophos_mgmt_port }}"
      - "  Auth Method: {{ 'API Key' if sophos_api_key is defined else 'Username/Password' }}"
      - "  Validate Certs: {{ sophos_validate_certs }}"
  tags: ['always']

# ============================================================================
# Test API connectivity
# ============================================================================

- name: Test HTTPS connectivity to Sophos XGS API
  ansible.builtin.wait_for:
    host: "{{ sophos_mgmt_host }}"
    port: "{{ sophos_mgmt_port }}"
    timeout: 10
    state: started
  delegate_to: localhost
  tags: ['validation', 'connectivity']

- name: Display connectivity success
  ansible.builtin.debug:
    msg: "Successfully connected to {{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}"
  tags: ['validation', 'connectivity']

# ============================================================================
# Authenticate and gather system information
# ============================================================================

- name: Authenticate to Sophos XGS firewall and retrieve system status
  ansible.builtin.uri:
    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController?reqxml=<Request><Login><Username>{{ sophos_api_username }}</Username><Password>{{ sophos_api_password }}</Password></Login><Get><System/></Get></Request>"
    method: POST
    validate_certs: "{{ sophos_validate_certs }}"
    headers:
      Content-Type: "application/x-www-form-urlencoded"
    return_content: true
    status_code: [200, 201]
    timeout: "{{ sophos_api_timeout }}"
  register: sophos_system_info
  no_log: "{{ sophos_no_log_sensitive }}"
  retries: "{{ sophos_api_retries }}"
  delay: "{{ sophos_api_retry_delay }}"
  tags: ['authentication', 'facts']

- name: Parse system information from API response
  ansible.builtin.set_fact:
    sophos_facts:
      hostname: "{{ sophos_system_info.content | regex_search('<HostName>(.*?)</HostName>', '\\1') | first | default('unknown') }}"
      serial_number: "{{ sophos_system_info.content | regex_search('<SerialNumber>(.*?)</SerialNumber>', '\\1') | first | default('unknown') }}"
      firmware_version: "{{ sophos_system_info.content | regex_search('<FirmwareVersion>(.*?)</FirmwareVersion>', '\\1') | first | default('unknown') }}"
      device_model: "{{ sophos_system_info.content | regex_search('<ApplianceModel>(.*?)</ApplianceModel>', '\\1') | first | default('unknown') }}"
      uptime_days: "{{ sophos_system_info.content | regex_search('<Uptime>(.*?)</Uptime>', '\\1') | first | default('0') }}"
  tags: ['facts']

- name: Display Sophos XGS system information
  ansible.builtin.debug:
    msg:
      - "======================================"
      - "Sophos XGS System Information"
      - "======================================"
      - "Hostname: {{ sophos_facts.hostname }}"
      - "Model: {{ sophos_facts.device_model }}"
      - "Serial Number: {{ sophos_facts.serial_number }}"
      - "Firmware Version: {{ sophos_facts.firmware_version }}"
      - "Uptime: {{ sophos_facts.uptime_days }} days"
  tags: ['facts']

# ============================================================================
# Check firmware version compatibility (optional warning)
# ============================================================================

- name: Check if firmware version is recent
  ansible.builtin.debug:
    msg: "WARNING: This automation was tested with firmware version 19.x and 20.x. Current version: {{ sophos_facts.firmware_version }}"
  when:
    - sophos_facts.firmware_version is defined
    - not sophos_facts.firmware_version is match('^(19|20)\.')
  tags: ['validation']

# ============================================================================
# Store authentication token for subsequent API calls (if using token-based auth)
# ============================================================================

- name: Store API authentication credentials for use in other roles
  ansible.builtin.set_fact:
    sophos_api_auth_header: "{{ sophos_api_key | default('') }}"
    sophos_api_credentials:
      username: "{{ sophos_api_username | default('') }}"
      password: "{{ sophos_api_password | default('') }}"
  no_log: "{{ sophos_no_log_sensitive }}"
  tags: ['authentication']

- name: Common role tasks completed successfully
  ansible.builtin.debug:
    msg: "Sophos common role completed for {{ inventory_hostname }}"
  tags: ['always']