MDEV-24098: SHOW CREATE USER invalid for both PASSWORD and LOCKED

The parser of CREATE USER accepts ACCOUNT LOCK before PASSWORD
EXPIRE but not the other way around.

This just changes the SHOW CREATE USER to output a sql syntax that
is valid.

Thanks to Robert Bindar for analysis.

mysql-test/main/lock_user.result

@@ -130,5 +130,13 @@ connection default;
 #
 alter user user1@localhost account lock;
 ERROR HY000: Access denied, this account is locked
+#
+# MDEV-24098 SHOW CREATE USER invalid for both PASSWORD EXPIRE and
+# and LOCKED
+#
+alter user user1@localhost PASSWORD EXPIRE;
+show create user user1@localhost;
+CREATE USER for user1@localhost
+CREATE USER `user1`@`localhost` ACCOUNT LOCK PASSWORD EXPIRE
 drop user user1@localhost;
 drop user user2@localhost;

mysql-test/main/lock_user.test

@@ -137,6 +137,13 @@ alter user user1@localhost account lock;
 --error ER_ACCOUNT_HAS_BEEN_LOCKED
 --change_user user1
 
+--echo #
+--echo # MDEV-24098 SHOW CREATE USER invalid for both PASSWORD EXPIRE and
+--echo # and LOCKED
+--echo #
+alter user user1@localhost PASSWORD EXPIRE;
+show create user user1@localhost;
+
 drop user user1@localhost;
 drop user user2@localhost;
 

sql/sql_acl.cc

@@ -8950,6 +8950,9 @@ bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
   append_identifier(thd, &result, username, strlen(username));
   add_user_parameters(thd, &result, acl_user, false);
 
+  if (acl_user->account_locked)
+    result.append(STRING_WITH_LEN(" ACCOUNT LOCK"));
+
   if (acl_user->password_expired)
     result.append(STRING_WITH_LEN(" PASSWORD EXPIRE"));
   else if (!acl_user->password_lifetime)
@@ -8961,9 +8964,6 @@ bool mysql_show_create_user(THD *thd, LEX_USER *lex_user)
     result.append(STRING_WITH_LEN(" DAY"));
   }
 
-  if (acl_user->account_locked)
-    result.append(STRING_WITH_LEN(" ACCOUNT LOCK"));
-
   protocol->prepare_for_resend();
   protocol->store(result.ptr(), result.length(), result.charset());
   if (protocol->write())