- name: Test password lock
  when: ansible_facts.system in ['FreeBSD', 'OpenBSD', 'Linux']
  block:
    - name: Remove ansibulluser
      user:
        name: ansibulluser
        state: absent
        remove: yes

    - name: Create ansibulluser with password and locked
      user:
        name: ansibulluser
        password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS."
        password_lock: yes
      register: create_with_lock_1

    - name: Create ansibulluser with password and locked again
      user:
        name: ansibulluser
        password: "$6$rounds=656000$TT4O7jz2M57npccl$33LF6FcUMSW11qrESXL1HX0BS.bsiT6aenFLLiVpsQh6hDtI9pJh5iY7x8J7ePkN4fP8hmElidHXaeD51pbGS."
        password_lock: yes
      register: create_with_lock_2

    - name: Ensure task reported changes appropriately
      assert:
        msg: The password_lock tasks did not make changes appropriately
        that:
          - create_with_lock_1 is changed
          - create_with_lock_2 is not changed

    - name: Verify account lock for BSD
      when: ansible_facts.system in ['FreeBSD', 'OpenBSD']
      block:
        - name: BSD | Get account status
          shell: "{{ status_command[ansible_facts['system']] }}"
          register: account_status_locked

        - name: FreeBSD | Ensure account is locked
          assert:
            that:
              - "'LOCKED' in account_status_locked.stdout"
          when: ansible_facts.system == 'FreeBSD'


    - name: Verify account lock for Linux
      when: ansible_facts.system == 'Linux'
      block:
        - name: LINUX | Get account status
          getent:
            database: shadow
            key: ansibulluser

        - name: LINUX | Ensure account is locked
          assert:
            that:
              - getent_shadow['ansibulluser'][0].startswith('!')


  always:
    - name: Unlock account
      user:
        name: ansibulluser
        password_lock: no