---
- name: Determine root filesystem free space
  ansible.builtin.set_fact:
    cis_aix_root_mount: "{{ ansible_mounts | selectattr('mount', 'equalto', '/') | list | first | default({}) }}"

- name: Calculate root filesystem free space in MB
  ansible.builtin.set_fact:
    cis_aix_root_free_mb: "{{ ((cis_aix_root_mount.size_available | default(0) | int) / 1024 / 1024) | round(0, 'floor') | int }}"

- name: Collect AIX maintenance level
  ansible.builtin.command: oslevel -s
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_oslevel

- name: Check required AIX commands
  ansible.builtin.shell: "command -v {{ item | quote }} >/dev/null 2>&1 || whence {{ item | quote }} >/dev/null 2>&1"
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  loop: "{{ cis_required_commands }}"
  register: cis_aix_required_command_checks

- name: Build missing required command list
  ansible.builtin.set_fact:
    cis_aix_missing_required_commands: >-
      {{
        cis_aix_required_command_checks.results
        | selectattr('rc', 'ne', 0)
        | map(attribute='item')
        | list
      }}

- name: Locate sshd binary
  ansible.builtin.stat:
    path: "{{ item }}"
  loop: "{{ cis_ssh_candidate_paths }}"
  register: cis_aix_sshd_path_checks

- name: Store detected sshd binary
  ansible.builtin.set_fact:
    cis_aix_sshd_path: >-
      {{
        (
          cis_aix_sshd_path_checks.results
          | selectattr('stat.exists')
          | map(attribute='item')
          | list
          | first
        )
        | default('')
      }}

- name: Validate SRC subsystem availability
  ansible.builtin.command: lssrc -a
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_src_summary

- name: Validate audit subsystem availability
  ansible.builtin.command: audit query
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_audit_query

- name: Collect LPAR summary when available
  ansible.builtin.shell: "command -v lparstat >/dev/null 2>&1 && lparstat -i || true"
  args:
    executable: /bin/ksh
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_lparstat

- name: Collect current network tunable summary
  ansible.builtin.command: no -a
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_network_summary

- name: Collect default AIX user security summary
  ansible.builtin.command: lssec -f /etc/security/user -s default -a ALL
  changed_when: false
  failed_when: false
  check_mode: false
  register: cis_aix_security_user_summary

- name: Report AIX precheck status
  ansible.builtin.debug:
    msg:
      - >-
        OK: Facts gathered for {{ ansible_distribution | default(ansible_system | default('unknown')) }}
        {{ ansible_distribution_version | default(ansible_kernel | default('unknown')) }}.
      - "OK: oslevel -s reports {{ cis_aix_oslevel.stdout | default('unavailable') }}."
      - "OK: Root filesystem free space is {{ cis_aix_root_free_mb }} MB."
      - >-
        {{ 'OK: sshd binary detected at ' ~ cis_aix_sshd_path
           if cis_aix_sshd_path | length > 0 else 'CRITICAL: sshd binary was not found in expected AIX paths.' }}
      - >-
        {{ 'OK: SRC subsystem commands are functional.'
           if cis_aix_src_summary.rc == 0 else 'CRITICAL: lssrc failed; SRC is unavailable or not usable.' }}
      - >-
        {{ 'OK: AIX audit subsystem responded to audit query.'
           if cis_aix_audit_query.rc == 0 else 'WARNING: audit query did not complete; audit may be disabled or unconfigured.' }}
      - >-
        {{ 'OK: Required commands are present.'
           if cis_aix_missing_required_commands | length == 0
           else 'CRITICAL: Missing required commands: ' ~ (cis_aix_missing_required_commands | join(', ')) }}

- name: Fail when operating system is unsupported
  ansible.builtin.assert:
    that:
      - ansible_system | default(ansible_distribution | default('')) == 'AIX'
      - ansible_distribution_version | default('') is match('^7\\.')
    fail_msg: >-
      CRITICAL: This role supports IBM AIX 7.x only.
      Detected {{ ansible_distribution | default(ansible_system | default('unknown')) }}
      {{ ansible_distribution_version | default('unknown') }}.
    success_msg: "OK: Supported IBM AIX 7.x platform detected."

- name: Fail when root filesystem free space is below safety threshold
  ansible.builtin.assert:
    that:
      - cis_aix_root_free_mb | int >= cis_min_root_free_mb | int
    fail_msg: >-
      CRITICAL: Root filesystem has {{ cis_aix_root_free_mb }} MB free.
      Minimum required free space is {{ cis_min_root_free_mb }} MB.
    success_msg: "OK: Root filesystem free space meets the safety threshold."

- name: Fail when critical AIX commands are missing
  ansible.builtin.assert:
    that:
      - cis_aix_missing_required_commands | length == 0
      - cis_aix_src_summary.rc == 0
      - cis_aix_sshd_path | length > 0
    fail_msg: >-
      CRITICAL: Required AIX hardening prerequisites are missing.
      Missing commands={{ cis_aix_missing_required_commands | join(', ') | default('none', true) }},
      SRC rc={{ cis_aix_src_summary.rc }},
      sshd={{ cis_aix_sshd_path | default('not found', true) }}.
    success_msg: "OK: Critical AIX hardening prerequisites are available."