---
- name: Create a user without a password
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: present
    name: ansible_user
    email: ansible.user@nowhere.net
    domain: default
    description: "ansible user"
    default_project: demo
  register: user

- name: Assert return values of identity_user module
  assert:
    that:
      - user.user.name == 'ansible_user'
      - user.user.description == 'ansible user'
      # allow new fields to be introduced but prevent fields from being removed
      - expected_fields|difference(user.user.keys())|length == 0

- name: Fail when update_password is always but no password specified
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: present
    name: ansible_user
    update_password: always
    email: ansible.user@nowhere.net
    domain: default
    default_project: demo
  register: user
  ignore_errors: true

- name: Assert that update failed
  assert:
    that:
      - user is failed
      - user.msg == "update_password is 'always' but password is missing"

- name: Delete user
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: absent
    name: ansible_user


- name: Create user with a password
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: present
    name: ansible_user
    password: secret
    email: ansible.user@nowhere.net
    update_password: on_create
    domain: default
    default_project: demo

- name: Create user with a password again
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: present
    name: ansible_user
    password: secret
    email: ansible.user@nowhere.net
    update_password: on_create
    domain: default
    default_project: demo
  register: user

- name: Assert user was not changed
  assert:
    that:
      - user is not changed

- name: Update user with password
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: present
    name: ansible_user
    password: secret2
    email: updated.ansible.user@nowhere.net
  register: user

- name: Ensure user was changed
  assert:
    that:
      - user is changed

- name: Update user without password and update_password set to always
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: present
    name: ansible_user
    update_password: always
    email: updated.ansible.user@nowhere.net
  register: user
  ignore_errors: true

- name: Assert user update failed
  assert:
    that:
      - user is failed
      - user.msg == "update_password is 'always' but password is missing"

- name: Ensure user with update_password set to on_create
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: present
    name: ansible_user
    update_password: on_create
    password: secret3
    email: updated.ansible.user@nowhere.net
  register: user

- name: Ensure user was not changed
  assert:
    that:
      - user is not changed

- name: Ensure user with update_password set to always
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: present
    name: ansible_user
    update_password: always
    password: secret3
    email: updated.ansible.user@nowhere.net
  register: user

- name: Ensure user was changed
  assert:
    that:
      - user is changed

- name: Create user without a password
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: present
    name: ansible_user2
    password: secret
    email: ansible.user2@nowhere.net
    update_password: on_create
    domain: default
    default_project: demo
  register: user

- name: Fetch users
  openstack.cloud.identity_user_info:
    cloud: "{{ cloud }}"
  register: users

- name: Assert return values of identity_user_info module
  assert:
    that:
      - users.users | length > 0
      # allow new fields to be introduced but prevent fields from being removed
      - expected_fields|difference(users.users.0.keys())|length == 0

- name: Fetch user by name
  openstack.cloud.identity_user_info:
    cloud: "{{ cloud }}"
    name: ansible_user
  register: users

- name: Assert named user
  assert:
    that:
      - users.users | length == 1

- name: Delete user
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: absent
    name: ansible_user2

- name: Delete user
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: absent
    name: ansible_user

- name: Ensure user was changed
  assert:
    that:
      - user is changed

- name: Delete user again
  openstack.cloud.identity_user:
    cloud: "{{ cloud }}"
    state: absent
    name: ansible_user
  register: user

- name: Ensure user was not changed
  assert:
    that:
      - user is not changed

- name: Fetch ansible_user
  openstack.cloud.identity_user_info:
    cloud: "{{ cloud }}"
    name: ansible_user
  register: users

- name: Assert ansible_user does not exist
  assert:
    that:
      - users.users | length == 0

- name: Fetch ansible_user2
  openstack.cloud.identity_user_info:
    cloud: "{{ cloud }}"
    name: ansible_user2
  register: users

- name: Assert ansible_user2 does not exist
  assert:
    that:
      - users.users | length == 0