# test user add with password
- name: add an encrypted password for user
  user:
    name: ansibulluser
    password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS."
    state: present
    update_password: always
  register: test_user_encrypt0

- name: there should not be warnings
  assert:
    that: "'warnings' not in test_user_encrypt0"

# https://github.com/ansible/ansible/issues/65711
- name: Test updating password only on creation
  user:
    name: ansibulluser
    password: '*'
    update_password: on_create
  register: test_user_update_password

- name: Ensure password was not changed
  assert:
    that:
      - test_user_update_password is not changed

- name: Verify password hash for Linux
  when: ansible_facts.os_family in ['RedHat', 'Debian', 'Suse']
  block:
    - name: LINUX | Get shadow entry for ansibulluser
      getent:
        database: shadow
        key: ansibulluser

    - name: LINUX | Ensure password hash was not removed
      assert:
        that:
          - getent_shadow['ansibulluser'][1] != '*'

- name: Test plaintext warning
  when: ansible_facts.system != 'Darwin'
  block:
    - name: add an plaintext password for user
      user:
        name: ansibulluser
        password: "plaintextpassword"
        state: present
        update_password: always
      register: test_user_encrypt1

    - name: there should be a warning complains that the password is plaintext
      assert:
        that: "'warnings' in test_user_encrypt1"

    - name: add an invalid hashed password
      user:
        name: ansibulluser
        password: "$6$rounds=656000$tgK3gYTyRLUmhyv2$lAFrYUQwn7E6VsjPOwQwoSx30lmpiU9r/E0Al7tzKrR9mkodcMEZGe9OXD0H/clOn6qdsUnaL4zefy5fG+++++"
        state: present
        update_password: always
      register: test_user_encrypt2

    - name: there should be a warning complains about the character set of password
      assert:
        that: "'warnings' in test_user_encrypt2"

    - name: change password to '!'
      user:
        name: ansibulluser
        password: '!'
      register: test_user_encrypt3

    - name: change password to '*'
      user:
        name: ansibulluser
        password: '*'
      register: test_user_encrypt4

    - name: change password to '*************'
      user:
        name: ansibulluser
        password: '*************'
      register: test_user_encrypt5

    - name: there should be no warnings when setting the password to '!',  '*' or '*************'
      assert:
        that:
          - "'warnings' not in test_user_encrypt3"
          - "'warnings' not in test_user_encrypt4"
          - "'warnings' not in test_user_encrypt5"