authorVinny Valdez <vvaldez@redhat.com>2016-04-05 18:17:36 -0500
committerVinny Valdez <vvaldez@redhat.com>2016-04-20 09:28:48 -0500
commit96aaa6df25774e05cda3e4a6f73b030ae989100a (patch)
tree65078d9c283e43e318c7c255a5ffe22fce460097 /roles
parent644f1e672c80bd10f34fabafcfe805c306e77b5e (diff)
Refactor use of rhsm_password to prevent display to CLI
Diffstat (limited to 'roles')
-rw-r--r--roles/subscription-manager/README.md30
-rw-r--r--roles/subscription-manager/pre_tasks/pre_tasks.yml9
-rw-r--r--roles/subscription-manager/tasks/main.yml23
3 files changed, 50 insertions, 12 deletions
diff --git a/roles/subscription-manager/README.md b/roles/subscription-manager/README.md
index e604c7475..a5dd1ac44 100644
--- a/roles/subscription-manager/README.md
+++ b/roles/subscription-manager/README.md
@@ -18,7 +18,9 @@ Default: none
### rhsm_password
-Subscription Manager password. Required for RHSM Hosted. Can be optionally used for Satellite, but it may be better to use **rhsm_activationkey** for this.
+Subscription Manager password. Required for RHSM Hosted. Can be optionally used for Satellite, but it may be better to use **rhsm_activationkey** for this.
+
+NOTE: This variable is prompted for at the start of the playbook run. This is for security purposes so the password is not left in the command history. If specified on the command-line or set in a variable file it will be ignored and the value captured from the prompt will overwrite it instead.
Default: none
@@ -50,7 +52,25 @@ rhsm_repos='["rhel-7-server-rpms", "rhel-7-server-ose-3.1-rpms", "rhel-7-server-
Default: none
-## Pre-tasks
+## Calling This Role
+Calling this role requires adding a **vars_prompt**, **pre_tasks**, and **roles** section of a play
+
+### vars_prompt
+Unfortunately **vars_prompt** can only be used at the play level before role tasks are executed, so this is the only place it can go. See http://stackoverflow.com/questions/25466675/ansible-to-conditionally-prompt-for-a-variable
+
+Add a prompt to capture **rhsm_password**
+
+```
+- hosts: localhost
+ vars_prompt:
+ # Unfortunately vars_prompt can only be used at the play level before role tasks, so this is the only place it can go. See http://stackoverflow.com/questions/25466675/ansible-to-conditionally-prompt-for-a-variable
+ - name: "rhsm_password"
+ prompt: "Subscription Manager password (enter blank if using rhsm_activationkey or to disable registration)"
+ confirm: yes
+ private: yes
+```
+
+### pre-tasks
A number of variable checks are performed before any tasks to ensure the proper parameters are set. To include these checks call the pre_task yaml before any roles:
@@ -59,7 +79,7 @@ A number of variable checks are performed before any tasks to ensure the proper
- include: roles/subscription-manager/pre_tasks/pre_tasks.yml
```
-## Tasks
+### roles
The bulk of the work is performed in the main.yml for this role. The pre-task play will set a variable which can be checked to contitionally include this role as such:
@@ -73,7 +93,7 @@ The bulk of the work is performed in the main.yml for this role. The pre-task pl
To register to RHSM Hosted with username and password:
```
-ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_username=vvaldez rhsm_password=hunter2"
+ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_username=vvaldez"
```
To register to a Satellite server with an activation key:
@@ -82,4 +102,4 @@ To register to a Satellite server with an activation key:
ansible-playbook -i inventory/ose-provision ose-provision.yml -e "rhsm_satellite=satellite.example.com rhsm_org=example_org rhsm_activationkey=rhel-7-ose-3-1"
```
-To ignore any Subscription Manager activities, simply do not set any parameters.
+To ignore any Subscription Manager activities, simply do not set any parameters. When prompted for the password, hit **Enter** to set a blank password.
diff --git a/roles/subscription-manager/pre_tasks/pre_tasks.yml b/roles/subscription-manager/pre_tasks/pre_tasks.yml
index dcd56b2b9..31441785e 100644
--- a/roles/subscription-manager/pre_tasks/pre_tasks.yml
+++ b/roles/subscription-manager/pre_tasks/pre_tasks.yml
@@ -1,4 +1,13 @@
---
+- name: Set password fact
+ set_fact:
+ rhsm_password: "{{ rhsm_password }}"
+ no_log: true
+ when:
+ - rhsm_password is defined
+ - rhsm_password is not none
+ - rhsm_password|trim != ''
+
- name: Initialize Subscription Manager fact
set_fact:
rhsm_register: true
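Review bot: The `Set password fact` task promotes the prompted secret to a host fact on localhost, and nothing in the file says why or where the value ends up afterwards. Once set, later plays can read it through `hostvars.localhost.rhsm_password` (the role's main.yml does this), and if fact caching is enabled the value may also reach the cache backend; that depends on the Ansible version and configuration and should be confirmed. I would add a comment above the task, for example `# Promotes the vars_prompt value to a host fact so later plays can read it via hostvars; every task that references it needs no_log`.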
diff --git a/roles/subscription-manager/tasks/main.yml b/roles/subscription-manager/tasks/main.yml
index 414bf8f7a..6e51be7e4 100644
--- a/roles/subscription-manager/tasks/main.yml
+++ b/roles/subscription-manager/tasks/main.yml
@@ -1,5 +1,12 @@
---
-
+- name: Initialize rhsm_password variable if vars_prompt was used
+ set_fact:
+ rhsm_password: "{{ hostvars.localhost.rhsm_password }}"
+ when:
+ - rhsm_password is defined
+ - rhsm_password is not none
+ - rhsm_password|trim != ''
+
- name: Initializing Subscription Manager authenticaiton method
set_fact:
rhsm_authentication: false
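Review bot: The new `Initialize rhsm_password variable if vars_prompt was used` task has no `no_log: true`, so the password this commit sets out to hide is printed in the task result when the playbook runs with `-v`. Add `no_log: true`, as on the matching task in pre_tasks.yml. The `when` list also tests `rhsm_password` on the current host while the value is read from `hostvars.localhost.rhsm_password`. On hosts other than localhost the variable is presumably undefined and the task is skipped, so the conditions should test `hostvars.localhost.rhsm_password` instead. The last task shown in the hunk continues outside it.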
@@ -19,8 +26,12 @@
set_fact:
rhsm_authentication: "password"
when:
- - rhsm_username is defined and rhsm_username is not none and rhsm_username|trim != ''
- - rhsm_password is defined and rhsm_password is not none and rhsm_password|trim != ''
+ - rhsm_username is defined
+ - rhsm_username is not none
+ - rhsm_username|trim != ''
+ - rhsm_password is defined
+ - rhsm_password is not none
+ - rhsm_password|trim != ''
- not rhsm_authentication
- name: Initializing registration status
@@ -62,18 +73,17 @@
- rhsm_satellite|trim != ''
# This can apply to either Hosted or Satellite
-
- name: Register using username and password
command: "/usr/bin/subscription-manager register --username={{ rhsm_username }} --password={{ rhsm_password }}"
+ no_log: true
when:
- not registered
- - rhsm_authentication != "key"
+ - rhsm_authentication == "password"
- name: Auto-attach to Subscription Manager Pool
command: "/usr/bin/subscription-manager attach --auto"
when:
- not registered
- - rhsm_authentication != "key"
- rhsm_pool is undefined or rhsm_pool is none or rhsm_pool|trim == ''
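Review bot: `no_log: true` on `Register using username and password` only suppresses Ansible's own output. The password is still passed as `--password=...` in the subscription-manager argument list, where other local users on the managed host can read it from the process table and process auditing may record it. The README already recommends `rhsm_activationkey`; the task should carry a comment stating the residual exposure, such as `# no_log hides the value from Ansible output only; it is still visible in the process arguments on the target`. The templated values are also unquoted, so a password containing whitespace would be split into separate arguments by the command module; `--password={{ rhsm_password | quote }}` avoids that.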
- name: Attach to a specific pool
@@ -83,7 +93,6 @@
- rhsm_pool is not none
- rhsm_pool|trim != ''
- not registered
- - rhsm_authentication != "key"
- name: Disable all repositories
command: "/usr/bin/subscription-manager repos --disable=*"