Merge pull request #113 from guwi17/improve-admin-pw-detection

- improve admin pw detection (default or configured) on edge situations
- call update_admin_password groovy script only when needed
- allow to change admin password after first install passing the old password as extra var

README.md

@@ -36,6 +36,7 @@ _(Created with [gh-md-toc](https://github.com/ekalinin/github-markdown-toc))_
          * [Special maintenance/debug variables](#special-maintenancedebug-variables)
             * [Purge nexus](#purge-nexus)
             * [Force groovy scripts registration](#force-groovy-scripts-registration)
+            * [Change admin password after first install](#change-admin-password-after-first-install)
       * [Dependencies](#dependencies)
       * [Example Playbook](#example-playbook)
       * [Development, Contribution and Testing](#development-contribution-and-testing)
@@ -47,7 +48,7 @@ _(Created with [gh-md-toc](https://github.com/ekalinin/github-markdown-toc))_
       * [License](#license)
       * [Author Information](#author-information)
 
-<!-- Added by: olcla, at: 2018-09-11T11:37+02:00 -->
+<!-- Added by: olcla, at: 2018-09-14T15:30+02:00 -->
 
 <!--te-->
 
@@ -140,9 +141,10 @@ As a second warning, here is an extract from the above document:
 ```yaml
     nexus_admin_password: 'changeme'
 ```
+The 'admin' account password to setup. _This works only on first time install by default_. Please see [Change admin password after first install](#change-admin-password-after-first-install) if you want to change it later with the role.
+
+**It is strongly advised that you do not keep your password in clear text in you playbook and use [ansible-vault encryption](https://docs.ansible.com/ansible/latest/user_guide/vault.html) (either inline or in a separate file loaded with include_vars for example)**
 
-The 'admin' account password to setup. Note : admin password change subsequent to first-time provisioning/install is *not implemented* by this role yet.
-**It is strongly advised that you do not keep your password in clear text in you playbook and include it from a separate ansible-vault encrypted files (loaded with include_vars for example)**
 
 ### Default anonymous access
 ```yaml
@@ -636,10 +638,23 @@ fatal: [nexus3-oss]: FAILED! => {"changed": false, "connection": "close", "conte
 ```
 
 In such cases, you can force the (re-)registration of the groovy scripts with the `nexus_force_groovy_scripts_registration` variable:
-```yaml
+```bash
 ansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_force_groovy_scripts_registration=true
 ```
 
+#### Change admin password after first install
+
+```yaml
+    nexus_default_admin_password: 'admin123'
+```
+**This should not be changed in your playbook**. This var is filled with the default nexus admin password on first install and ensures we can change the admin password to `nexus_admin_password`.
+
+If you want to change your admin password after first install, you can temporarily change this to your old password from the command line. After changing `nexus_admin_password` in your playbook, you can run:
+
+```bash
+ansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_default_admin_password=oldPassword
+```
+
 ## Dependencies
 
 The java and httpd requirements /can/ be fulfilled with the following galaxy roles :

defaults/main.yml

@@ -46,7 +46,18 @@ nexus_docker_proxy_port: 9081
 nexus_docker_group_port: 9082
 nexus_default_context_path: '/'
 
-nexus_admin_password: 'changeme'  # Note : admin password change subsequent to first-time install is *not implemented* yet
+# Nexus default admin password on first time install.
+# This should not be set in your playbook.
+# You can use your old password on the command line if
+# you want to change your admin password after first install
+# i.e.
+# - Set your new password in nexus_admin_password
+# - Run `ansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_default_admin_password=oldpassword`
+nexus_default_admin_password: 'admin123'
+# Nexus admin password to set and use.
+# Note: this should be vault encrypted in your playbook.
+nexus_admin_password: 'changeme'
+
 nexus_anonymous_access: false
 
 public_hostname: 'nexus.vm'

tasks/main.yml

@@ -22,8 +22,6 @@
 - include_tasks: httpd_reverse_proxy_config.yml
   when: httpd_setup_enable
 
-- import_tasks: admin_password_setup.yml
-
 - name: Deleting default repositories
   include_tasks: delete_repo_each.yml
   with_items:

tasks/nexus_install.yml

@@ -326,17 +326,50 @@
     recurse: false
   with_items: "{{ nexus_app_dir_settings_dirs }}"
 
-- name: First-time install admin password
-  set_fact:
-    current_nexus_admin_password: 'admin123'
-  when: nexus_data_dir_contents.stdout == ""
+- name: Access scripts API endpoint with defined admin password
+  uri:
+    url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}{{ nexus_rest_api_endpoint }}"
+    method: 'HEAD'
+    user: 'admin'
+    password: "{{ nexus_admin_password }}"
+    force_basic_auth: yes
+    status_code: 200, 401
+  register: nexus_api_head_with_defined_password
+  check_mode: no
 
-- name: Subsequent re-provision admin password
+- name: Register defined admin password for next operations
   set_fact:
     current_nexus_admin_password: "{{ nexus_admin_password }}"
-  when: nexus_data_dir_contents.stdout != ""
+  when: nexus_api_head_with_defined_password.status == 200
   no_log: true
 
+- name: Access scripts API endpoint with default admin password
+  uri:
+    url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}{{ nexus_rest_api_endpoint }}"
+    method: 'HEAD'
+    user: 'admin'
+    password: "{{ nexus_default_admin_password }}"
+    force_basic_auth: yes
+    status_code: 200, 401
+  register: nexus_api_head_with_default_password
+  when: nexus_api_head_with_defined_password.status == 401
+
+- name: Register default admin password for next operations
+  set_fact:
+    current_nexus_admin_password: "{{ nexus_default_admin_password }}"
+  when: (nexus_api_head_with_default_password.status | default(false)) == 200
+
+- name: Ensure current Nexus password is known
+  fail:
+    msg: >-
+      Failed to determine current Nexus password
+      (it is neither the default nor the defined password).
+      If you are trying to change nexus_admin_password after first
+      install, please set `-e nexus_default_admin_password=oldPassword`
+      on the ansible-playbook command line.
+      See https://github.com/ansible-ThoTeam/nexus3-oss/blob/master/README.md#change-admin-password-after-first-install
+  when: current_nexus_admin_password is not defined
+
 - name: Force (re-)registration of groovy scripts (purge reference dir)
   file:
     path: "{{ nexus_data_dir }}/groovy-raw-scripts"
@@ -374,3 +407,18 @@
 - name: Declare new or changed groovy scripts in nexus
   include_tasks: declare_script_each.yml
   with_items: "{{ nexus_groovy_files_changed.stdout_lines}}"
+
+- name: Change admin password if we are still using default
+  block:
+    - include_tasks: call_script.yml
+      vars:
+        script_name: update_admin_password
+        args:
+          new_password: "{{ nexus_admin_password }}"
+
+    - name: Admin password changed
+      set_fact:
+        current_nexus_admin_password: "{{ nexus_admin_password }}"
+      no_log: true
+
+  when: (nexus_api_head_with_default_password.status | default(false)) == 200