From e085c5f1ddfe9bb74c0b70d68027d849f2dd6043 Mon Sep 17 00:00:00 2001 From: Gunter Winkler Date: Thu, 13 Sep 2018 12:44:06 +0000 Subject: [PATCH 1/4] call nexus to detect if default/configured pw works * checking the contents of nexus_data_dir_contents is not reliable to detect the default password because an empty volume already may contain a "lost+found" directory and the default password may be valid longer than during first time installation. * trying to access Nexus using the default or configured admin password always works. * additionally: fail immeditely if neither default nor configured admin password work * bonus: changing the default password now also works at a later time (not only during first-time installation) --- tasks/nexus_install.yml | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/tasks/nexus_install.yml b/tasks/nexus_install.yml index 6a7e5610..ada6c139 100644 --- a/tasks/nexus_install.yml +++ b/tasks/nexus_install.yml 
@@ -326,17 +326,42 @@ recurse: false with_items: "{{ nexus_app_dir_settings_dirs }}" +- name: Access scripts API endpoint with default admin password + uri: + url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}{{ nexus_rest_api_endpoint }}" + method: 'HEAD' + user: 'admin' + password: 'admin123' + force_basic_auth: yes + status_code: 200, 401 + register: nexus_api_head_with_default_password + +- name: Access scripts API endpoint with defined admin password + uri: + url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}{{ nexus_rest_api_endpoint }}" + method: 'HEAD' + user: 'admin' + password: "{{ nexus_admin_password }}" + force_basic_auth: yes + status_code: 200, 401 + register: nexus_api_head_with_defined_password + - name: First-time install admin password set_fact: current_nexus_admin_password: 'admin123' - when: nexus_data_dir_contents.stdout == "" + when: nexus_api_head_with_default_password.status == 200 - name: Subsequent re-provision admin password set_fact: current_nexus_admin_password: "{{ nexus_admin_password }}" - when: nexus_data_dir_contents.stdout != "" + when: nexus_api_head_with_defined_password.status == 200 no_log: true +- name: Ensure current Nexus password is known + fail: + msg: "Failed to determine current Nexus password (it is neither the default nor the defined password)" + when: current_nexus_admin_password is not defined + - name: Force (re-)registration of groovy scripts (purge reference dir) file: path: "{{ nexus_data_dir }}/groovy-raw-scripts" From 4b2b8066fb5e623d3db3b9269b03d53f27927cde Mon Sep 17 00:00:00 2001 
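Review bot: The new `Ensure current Nexus password is known` task (PATCH 1/4, tasks/nexus_install.yml) only fires when `current_nexus_admin_password is not defined`, so it does not actually test the two probes. If that fact is already present when these tasks run (for instance from an earlier application of the role in the same play, which this hunk cannot rule out), two 401 answers leave a stale value in place and the problem surfaces later as an unexplained 401. In this commit both probes always run, so the guard can test them directly: `when: nexus_api_head_with_default_password.status != 200 and nexus_api_head_with_defined_password.status != 200`. A comment on the two `uri` tasks would also help, e.g. `# 401 is an accepted answer: it only means this is not the current admin password`.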
From: Olivier Clavel Date: Fri, 14 Sep 2018 14:43:02 +0200 Subject: [PATCH 2/4] Refactor password detection/change - Don't check default password if defined password is ok - Call update_admin_password only when needed - All tasks in nexus_install, remove included yml file - Fix travis failure on check mode test --- tasks/admin_password_setup.yml | 11 --------- tasks/main.yml | 2 -- tasks/nexus_install.yml | 45 +++++++++++++++++++++++----------- 3 files changed, 31 insertions(+), 27 deletions(-) delete mode 100644 tasks/admin_password_setup.yml diff --git a/tasks/admin_password_setup.yml b/tasks/admin_password_setup.yml deleted file mode 100644 index b94daa1e..00000000 --- a/tasks/admin_password_setup.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- include_tasks: call_script.yml - vars: - script_name: update_admin_password - args: - new_password: "{{ nexus_admin_password }}" - -- name: Admin password changed - set_fact: - current_nexus_admin_password: "{{ nexus_admin_password }}" - no_log: true diff --git a/tasks/main.yml b/tasks/main.yml index 209c4b88..8b556ff1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -22,8 +22,6 @@ - include_tasks: httpd_reverse_proxy_config.yml when: httpd_setup_enable -- import_tasks: admin_password_setup.yml - - name: Deleting default repositories include_tasks: delete_repo_each.yml with_items: diff --git a/tasks/nexus_install.yml b/tasks/nexus_install.yml index ada6c139..f6deaa5d 100644 --- a/tasks/nexus_install.yml +++ b/tasks/nexus_install.yml 
@@ -326,36 +326,38 @@ recurse: false with_items: "{{ nexus_app_dir_settings_dirs }}" -- name: Access scripts API endpoint with default admin password +- name: Access scripts API endpoint with defined admin password uri: url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}{{ nexus_rest_api_endpoint }}" method: 'HEAD' user: 'admin' - password: 'admin123' + password: "{{ nexus_admin_password }}" force_basic_auth: yes status_code: 200, 401 - register: nexus_api_head_with_default_password + register: nexus_api_head_with_defined_password + check_mode: no -- name: Access scripts API endpoint with defined admin password +- name: Register defined admin password for next operations + set_fact: + current_nexus_admin_password: "{{ nexus_admin_password }}" + when: nexus_api_head_with_defined_password.status == 200 + no_log: true + +- name: Access scripts API endpoint with default admin password uri: url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}{{ nexus_rest_api_endpoint }}" method: 'HEAD' user: 'admin' - password: "{{ nexus_admin_password }}" + password: 'admin123' force_basic_auth: yes status_code: 200, 401 - register: nexus_api_head_with_defined_password + register: nexus_api_head_with_default_password + when: nexus_api_head_with_defined_password.status == 401 -- name: First-time install admin password +- name: Register default admin password for next operations set_fact: current_nexus_admin_password: 'admin123' - when: nexus_api_head_with_default_password.status == 200 - -- name: Subsequent re-provision admin password - set_fact: - current_nexus_admin_password: "{{ nexus_admin_password }}" - when: nexus_api_head_with_defined_password.status == 200 - no_log: true + when: (nexus_api_head_with_default_password.status | default(false)) == 200 - name: Ensure current Nexus password is known fail: 
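Review bot: `check_mode: no` is added to the defined-password probe but not to the default-password probe below it, so under `--check` the second `uri` task is presumably skipped, just as the first one was before this change. On a host where the defined password is not yet active, that leaves `current_nexus_admin_password` unset, and `Ensure current Nexus password is known` fails the check run. Both probes are read-only HEAD requests, so the second one can carry `check_mode: no` as well. The `| default(false)` in the following `set_fact` then only has to cover the case where the probe is skipped by its own `when:`.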
@@ -399,3 +401,18 @@ - name: Declare new or changed groovy scripts in nexus include_tasks: declare_script_each.yml with_items: "{{ nexus_groovy_files_changed.stdout_lines}}" + +- name: Change admin password if we are still using default + block: + - include_tasks: call_script.yml + vars: + script_name: update_admin_password + args: + new_password: "{{ nexus_admin_password }}" + + - name: Admin password changed + set_fact: + current_nexus_admin_password: "{{ nexus_admin_password }}" + no_log: true + + when: (nexus_api_head_with_default_password.status | default(false)) == 200 From 70958ae18d129ecec32c3f70bb9831dfdaf08cb3 Mon Sep 17 00:00:00 2001 From: Olivier Clavel Date: Fri, 14 Sep 2018 15:42:26 +0200 Subject: [PATCH 3/4] Allow to change admin password after first setup Will not work by defaut but with a special var on the command line --- README.md | 23 +++++++++++++++++++---- defaults/main.yml | 13 ++++++++++++- tasks/nexus_install.yml | 4 ++-- 3 files changed, 33 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 460e07e6..d0b19b13 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,7 @@ _(Created with [gh-md-toc](https://github.com/ekalinin/github-markdown-toc))_ * [Special maintenance/debug variables](#special-maintenancedebug-variables) * [Purge nexus](#purge-nexus) * [Force groovy scripts registration](#force-groovy-scripts-registration) + * [Change admin password after first install](#change-admin-password-after-first-install) * [Dependencies](#dependencies) * [Example Playbook](#example-playbook) * [Development, Contribution and Testing](#development-contribution-and-testing) @@ -47,7 +48,7 @@ _(Created with [gh-md-toc](https://github.com/ekalinin/github-markdown-toc))_ * [License](#license) * [Author Information](#author-information) - + 
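Review bot: In the `Change admin password if we are still using default` block (PATCH 2/4, `@@ -399,3 +401,18 @@`), `no_log: true` covers only the `set_fact`, not the include that carries the new password. The `include_tasks: call_script.yml` above it hands `new_password: "{{ nexus_admin_password }}"` to tasks that are not part of this patch. If the request task in call_script.yml does not set `no_log` itself, the new admin password can end up in verbose output and in any registered result, so that file should be checked before relying on this block. A comment on the include would record the requirement, e.g. `# args carries the new admin password; call_script.yml must not log its request body`.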
@@ -140,9 +141,10 @@ As a second warning, here is an extract from the above document: ```yaml nexus_admin_password: 'changeme' ``` +The 'admin' account password to setup. _This works only on first time install by default_. Please see [Change admin password after first install](#change-admin-password-after-first-install) if you want to change it later with the role. + +**It is strongly advised that you do not keep your password in clear text in you playbook and use [ansible-vault encryption](https://docs.ansible.com/ansible/latest/user_guide/vault.html) (either inline or in a separate file loaded with include_vars for example)** -The 'admin' account password to setup. Note : admin password change subsequent to first-time provisioning/install is *not implemented* by this role yet. -**It is strongly advised that you do not keep your password in clear text in you playbook and include it from a separate ansible-vault encrypted files (loaded with include_vars for example)** ### Default anonymous access ```yaml 
@@ -636,10 +638,23 @@ fatal: [nexus3-oss]: FAILED! => {"changed": false, "connection": "close", "conte ``` In such cases, you can force the (re-)registration of the groovy scripts with the `nexus_force_groovy_scripts_registration` variable: -```yaml +```bash ansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_force_groovy_scripts_registration=true ``` +#### Change admin password after first install + +```yaml + nexus_default_admin_password: 'admin123' +``` +**This should not be changed in your playbook**. This var is filled with the default nexus admin password on first install and ensures we can change the admin password to `nexus_admin_password`. + +If you want to change your admin password after first install, you can temporarily change this to your old password from the command line. After changing `nexus_admin_password` in your playbook, you can run: + +```bash +ansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_default_admin_password=oldPassword +``` + ## Dependencies The java and httpd requirements /can/ be fulfilled with the following galaxy roles : diff --git a/defaults/main.yml b/defaults/main.yml index b0ec2ac2..3b9fadc5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -46,7 +46,18 @@ nexus_docker_proxy_port: 9081 nexus_docker_group_port: 9082 nexus_default_context_path: '/' -nexus_admin_password: 'changeme' # Note : admin password change subsequent to first-time install is *not implemented* yet +# Nexus default admin password on first time install. +# This should not be set in your playbook. +# You can use your old password on the command line if +# you want to change your admin password after first install +# i.e. +# - Set your new password in nexus_admin_password +# - Run `ansible-playbook -i your/inventory.ini your_playbook.yml -e nexus_default_admin_password=oldpassword` +nexus_default_admin_password: 'admin123' +# Nexus admin password to set and use. +# Note: this should be vault encrypted in your playbook. +nexus_admin_password: 'changeme' + nexus_anonymous_access: false public_hostname: 'nexus.vm' diff --git a/tasks/nexus_install.yml b/tasks/nexus_install.yml index f6deaa5d..dfb12311 100644 --- a/tasks/nexus_install.yml +++ b/tasks/nexus_install.yml @@ -348,7 +348,7 @@ url: "http://localhost:{{ nexus_default_port }}{{ nexus_default_context_path }}{{ nexus_rest_api_endpoint }}" method: 'HEAD' user: 'admin' - password: 'admin123' + password: "{{ nexus_default_admin_password }}" force_basic_auth: yes status_code: 200, 401 register: nexus_api_head_with_default_password @@ -356,7 +356,7 @@ - name: Register default admin password for next operations set_fact: - current_nexus_admin_password: 'admin123' + current_nexus_admin_password: "{{ nexus_default_admin_password }}" when: (nexus_api_head_with_default_password.status | default(false)) == 200 - name: Ensure current Nexus password is known From 239e028024f1f09e200d9f859628c3ad5e07b1e3 Mon Sep 17 00:00:00 2001 From: Olivier Clavel Date: Fri, 14 Sep 2018 15:53:36 +0200 Subject: [PATCH 4/4] Admin password change: enhanced fail message --- tasks/nexus_install.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) 
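Review bot: The comment added above `nexus_default_admin_password` in defaults/main.yml tells operators to run `-e nexus_default_admin_password=oldpassword`, which puts a credential that is still valid at that moment into shell history and the process list of the control host. The same advice appears in the fail message changed in PATCH 4/4 (`Ensure current Nexus password is known`) and in the new README section. Pointing to a vault-encrypted vars file keeps the value off the command line, e.g. `# - Run ansible-playbook -i your/inventory.ini your_playbook.yml -e @old_admin_password.yml --ask-vault-pass` (the file name is a placeholder). Separately, `nexus_admin_password: 'changeme'` remains a working default, so a play that never overrides it ends with a guessable admin password; the comment above it could say so explicitly.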
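Review bot: In the `@@ -356,7 +356,7 @@` hunk of tasks/nexus_install.yml, `Register default admin password for next operations` still has no `no_log`, although its value is no longer a public constant. It now comes from `{{ nexus_default_admin_password }}`, which per the new defaults comment may hold an operator's real old password rather than `admin123`. `set_fact` returns the value in its task result, which is printed at `-v` and handed to callback and log plugins. The sibling task that registers the defined password already masks it; this one needs the same line after its `when:`, namely `no_log: true`.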
diff --git a/tasks/nexus_install.yml b/tasks/nexus_install.yml index dfb12311..4d925fbe 100644 --- a/tasks/nexus_install.yml +++ b/tasks/nexus_install.yml @@ -361,7 +361,13 @@ - name: Ensure current Nexus password is known fail: - msg: "Failed to determine current Nexus password (it is neither the default nor the defined password)" + msg: >- + Failed to determine current Nexus password + (it is neither the default nor the defined password). + If you are trying to change nexus_admin_password after first + install, please set `-e nexus_default_admin_password=oldPassword` + on the ansible-playbook command line. + See https://github.com/ansible-ThoTeam/nexus3-oss/blob/master/README.md#change-admin-password-after-first-install when: current_nexus_admin_password is not defined - name: Force (re-)registration of groovy scripts (purge reference dir)