From bb286d8099dd0565f0e3854ce116faa292a4641d Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Thu, 29 Oct 2020 11:12:01 -0700
Subject: [PATCH] Enhance the crypto-policy stuff to actually set the policy

Just writing a config file isn't enough, apparently. We need to really call update-crypto-policies. This attempts to do so, but only if it's really necessary, by using some handy check args.

Signed-off-by: Adam Williamson
---
 roles/base/tasks/crypto-policies.yml | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/roles/base/tasks/crypto-policies.yml b/roles/base/tasks/crypto-policies.yml
index d7351ffde8..7dc2aed67d 100644
--- a/roles/base/tasks/crypto-policies.yml
+++ b/roles/base/tasks/crypto-policies.yml
@@ -1,10 +1,24 @@
-- name: Set crypto-policy on fedora 33 and higher hosts to allow 2fa to work
-  template:
-    dest: /etc/crypto-policies/config
-    src: crypto-policies-config
-    owner: root
-    mode: 644
-  when: ansible_distribution_major_version|int >= 33
+- name: Check current crypto-policy
+  command: "update-crypto-policies --show"
+  register: currentcryptopolicy
+  failed_when: "1 != 1"
+  changed_when: "1 != 1"
+  tags:
+  - crypto-policies
+  - base/crypto-policies
+
+- name: Check if policy is applied
+  command: "update-crypto-policies --is-applied"
+  register: cryptopolicyapplied
+  failed_when: "1 != 1"
+  changed_when: "1 != 1"
+  tags:
+  - crypto-policies
+  - base/crypto-policies
+
+- name: Set crypto-policy on fedora 33 and higher hosts to allow 2fa to work
+  command: "update-crypto-policies --set LEGACY"
+  when: "(ansible_distribution_major_version|int >= 33) and (currentcryptopolicy.stdout.find("LEGACY") == -1 or cryptopolicyapplied.rc != 0)"
   tags:
   - crypto-policies
   - base/crypto-policies
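Review bot: The `when` expression on the final "Set crypto-policy" task will not parse as YAML: the whole value is double-quoted and `stdout.find("LEGACY")` uses double quotes again inside it, so the scalar ends at the inner quote and the rest of the line is a syntax error. Use single quotes inside the expression: `when: "(ansible_distribution_major_version|int >= 33) and (currentcryptopolicy.stdout.find('LEGACY') == -1 or cryptopolicyapplied.rc != 0)"`. A strict comparison such as `currentcryptopolicy.stdout != 'LEGACY'` would also be more precise than `find`, which matches any policy name containing that substring. Because `LEGACY` relaxes the crypto policy system-wide rather than only for the 2fa component, a comment above the task recording why the full LEGACY policy is needed, e.g. `# LEGACY (not a narrower subpolicy) is required for 2fa on F33+; revisit when that changes`, would let the next maintainer reassess the trade-off.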