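# Integration test for the user module's password_lock option on FreeBSD,
# OpenBSD and Linux. It first checks idempotence (lock/unlock with and without
# the password parameter, each run twice), then checks that the lock is
# actually visible in the host's account database.
#
# Security note: password_lock only locks the password. It does not disable
# the account, and other login methods (for example SSH keys) may still work.
# Nothing here verifies that a locked account cannot log in.
- name: Test password lock
  when: ansible_facts.system in ['FreeBSD', 'OpenBSD', 'Linux']
  vars:
    # Throwaway SHA-512 crypt ($6$) fixture shared by every task below, kept in
    # one place so the copies cannot drift apart. The hash is public test data
    # and must never be reused for a real account.
    password_lock_test_hash: '$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS.'
  block:
    # Start from a clean slate so earlier tests cannot influence lock state.
    - name: Remove ansibulluser
      user:
        name: ansibulluser
        state: absent
        remove: true

    - name: Create ansibulluser with password
      user:
        name: ansibulluser
        password: "{{ password_lock_test_hash }}"

    # --- Idempotence without the password parameter ---
    - name: Lock account without password parameter
      user:
        name: ansibulluser
        password_lock: true
      register: password_lock_1

    - name: Lock account without password parameter again
      user:
        name: ansibulluser
        password_lock: true
      register: password_lock_2

    - name: Unlock account without password parameter
      user:
        name: ansibulluser
        password_lock: false
      register: password_lock_3

    - name: Unlock account without password parameter again
      user:
        name: ansibulluser
        password_lock: false
      register: password_lock_4

    # --- Idempotence with the password parameter ---
    # The same hash is supplied each time, so only the lock state should
    # account for a reported change.
    - name: Lock account with password parameter
      user:
        name: ansibulluser
        password_lock: true
        password: "{{ password_lock_test_hash }}"
      register: password_lock_5

    - name: Lock account with password parameter again
      user:
        name: ansibulluser
        password_lock: true
        password: "{{ password_lock_test_hash }}"
      register: password_lock_6

    - name: Unlock account with password parameter
      user:
        name: ansibulluser
        password_lock: false
        password: "{{ password_lock_test_hash }}"
      register: password_lock_7

    - name: Unlock account with password parameter again
      user:
        name: ansibulluser
        password_lock: false
        password: "{{ password_lock_test_hash }}"
      register: password_lock_8

    # Odd-numbered results are the first lock/unlock and must report a change;
    # even-numbered results repeat the same request and must not.
    - name: Ensure task reported changes appropriately
      assert:
        msg: The password_lock tasks did not make changes appropriately
        that:
          - password_lock_1 is changed
          - password_lock_2 is not changed
          - password_lock_3 is changed
          - password_lock_4 is not changed
          - password_lock_5 is changed
          - password_lock_6 is not changed
          - password_lock_7 is changed
          - password_lock_8 is not changed

    # Lock once more so the platform-specific checks below start from a
    # locked account.
    - name: Lock account
      user:
        name: ansibulluser
        password_lock: true

    - name: Verify account lock for BSD
      when: ansible_facts.system in ['FreeBSD', 'OpenBSD']
      block:
        # status_command is defined outside this file and is looked up by
        # system name. It is expected to be a read-only probe, hence
        # changed_when: false -- confirm against its definition.
        - name: BSD | Get account status
          shell: "{{ status_command[ansible_facts['system']] }}"
          register: account_status_locked
          changed_when: false

        - name: Unlock account
          user:
            name: ansibulluser
            password_lock: false

        - name: BSD | Get account status
          shell: "{{ status_command[ansible_facts['system']] }}"
          register: account_status_unlocked
          changed_when: false

        # NOTE(review): only FreeBSD output is asserted. On OpenBSD the status
        # is collected above but never checked, so a lock regression there
        # would pass this test unnoticed.
        - name: FreeBSD | Ensure account is locked
          assert:
            msg: "FreeBSD account status did not report LOCKED only while the account was locked"
            that:
              - "'LOCKED' in account_status_locked.stdout"
              - "'LOCKED' not in account_status_unlocked.stdout"
          when: ansible_facts['system'] == 'FreeBSD'

    - name: Verify account lock for Linux
      when: ansible_facts.system == 'Linux'
      block:
        # getent publishes the entry as the getent_shadow fact; element 0 of
        # the entry is the password field.
        - name: LINUX | Get account status
          getent:
            database: shadow
            key: ansibulluser

        # A leading '!' on the password field is how a locked password shows
        # up in shadow. This checks the prefix only.
        - name: LINUX | Ensure account is locked
          assert:
            msg: "The shadow password field for ansibulluser does not start with '!' after locking"
            that:
              - getent_shadow['ansibulluser'][0].startswith('!')

        - name: Unlock account
          user:
            name: ansibulluser
            password_lock: false

        # Re-read shadow so the fact reflects the state after the unlock.
        - name: LINUX | Get account status
          getent:
            database: shadow
            key: ansibulluser

        - name: LINUX | Ensure account is unlocked
          assert:
            msg: "The shadow password field for ansibulluser still starts with '!' after unlocking"
            that:
              - not getent_shadow['ansibulluser'][0].startswith('!')

  always:
    # Runs even when a task above failed, so the account is never left locked.
    # NOTE(review): this leaves ansibulluser on the host, unlocked and carrying
    # the public fixture hash; confirm that a later task removes the account.
    - name: Unlock account
      user:
        name: ansibulluser
        password_lock: false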