From d8ca75d8a08c1320694d06bd5bc3b50f4082a25a Mon Sep 17 00:00:00 2001
From: Karla Felix
Date: Thu, 22 Jun 2023 09:50:36 -0300
Subject: [PATCH] Add error handling during task "create-account"
This commit is adding a better error handling message when "create-account" task fails, and allows the user to re-run the playbook with the same username, for situations of bad password for example, it also deletes the ldap user.
Test Plan:
PASS: Run the playbook with invalid password and verify if proper message of error is shown.
PASS: After the test above, run the playbook again with same user and valid password and verify if the playbook finishes with no error.
PASS: Run the playbook and verify if the user is created.
PASS: SSH using the newly created user.
PASS: Use 'mode=delete' and verify if keystone and ldap users were deleted after playbook execution.
Closes-Bug: 2024906
Change-Id: Id1d6a15a3248f2c26280d0c50a4a7e5a382d4438
Signed-off-by: Karla Felix
---
 .../create-account/tasks/main.yml | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml
index 7dafcfeb2..baed14d52 100644
--- a/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml
+++ b/playbookconfig/src/playbooks/roles/manage-local-ldap-account/create-account/tasks/main.yml
@@ -40,8 +40,23 @@
 New password: "{{ in_user_password }}"
 new password: "{{ in_user_password }}"
 "\\~\\$": exit
- # do not show passwords in the logs
- no_log: true
+ # This task does not log sensitive information.
+ # Setting this to no_log: false to allow better logging and debugging
+ no_log: false
+ register: change_password
+ failed_when: false
+
+ - name: Handle initial password change errors
+ block:
+ - name: Delete ldap user
+ shell: ldapdeleteuser {{ in_user_id }}
+ become: yes
+
+ - name: Fail if initial password change was not successful
+ fail:
+ msg: " {{ change_password.stdout }} \n\nFailed to change initial password, check the log above for more details."
+
+ when: change_password.rc != 0
 when: in_user_id_check.stdout == ""
 - name: Get distributed cloud role
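Review bot: Switching to `no_log: false` on the password-change task unmasks a task whose visible arguments carry `{{ in_user_password }}` (the `New password:` / `new password:` entries), so the added comment "This task does not log sensitive information" looks wrong. The head of that task is outside the hunk, but if those entries are an expect-style `responses` map, Ansible will include them in verbose output and in any callback or log plugin that records task arguments. Keeping `no_log: true` still leaves the registered `change_password` result available, so the new `fail` task can print `change_password.stdout` without exposing the task's arguments. Separately, `shell: ldapdeleteuser {{ in_user_id }}` runs under `become` with an unquoted variable; unless `in_user_id` is validated earlier (not visible here), use `shell: ldapdeleteuser {{ in_user_id | quote }}` or the `command` module with `argv` so the value cannot be interpreted by the shell.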