nexus3-x509-dn-security-plugin

Nexus 3 plugin for getting auth to work with x509 and a config file that defines roles

Categories: Security
GroupId: com.github.vincentrussell
ArtifactId: nexus3-x509-dn-security-plugin
Last Version: 1.1
Type: bundle
Project URL: https://github.com/vincentrussell/nexus3-x509-dn-security-plugin
Project Organization: Sonatype, Inc.
Source Code Management: https://github.com/vincentrussell/nexus3-x509-dn-security-plugin

Dependencies

compile (5)

Group / Artifact Type Version
org.codeartisans.shiro : shiro-ext-x509-core jar 1.1
org.codeartisans.shiro : shiro-ext-x509-web jar 1.1
org.yaml : snakeyaml jar 1.19
com.google.errorprone : error_prone_annotation jar 2.2.0
com.google.guava : guava jar

provided (7)

Group / Artifact Type Version
org.sonatype.nexus : nexus-plugin-api jar 3.2.1-01
org.sonatype.nexus : nexus-capability jar 3.2.1-01
org.sonatype.nexus : nexus-base jar 3.2.1-01
org.sonatype.nexus : nexus-rapture jar 3.2.1-01
org.sonatype.nexus : nexus-bootstrap jar 3.2.1-01
org.apache.shiro : shiro-web jar
com.google.code.gson : gson jar

test (5)

Group / Artifact Type Version
org.sonatype.goodies : goodies-testsupport jar
junit : junit jar
org.apache.commons : commons-io jar 1.3.2
org.objenesis : objenesis jar 2.6
org.springframework.security : spring-security-test jar 5.0.1.RELEASE

Project Modules

There are no modules declared in this project.

Nexus3 x509 DN Plugin

This plugin lets you define, in a configuration file, which users receive which roles based on the Distinguished Name (DN) of their client certificate when Nexus is used with X.509 two-way (mutual) TLS authentication.

Nexus Compatibility

Should work with Nexus version 3.2.1 and newer (only tested with version 3.7.1)

Setup

2. Group / Roles Mapping

A YAML file maps each role to the list of DNs that receive it:

nx-admin:
    - CN=Firstname Lastname, OU=Unknown, O=Unknown, L=Annapolis Junction, ST=MD, C=US
nx-deploy:
    - CN=Firstname Lastname, OU=Unknown, O=Unknown, L=Annapolis Junction, ST=MD, C=US
    - CN=Firstname Lastname2, OU=Unknown, O=Unknown, L=Annapolis Junction, ST=MD, C=US
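To show how a DN-to-role lookup over a mapping of this shape behaves, here is an added Python example; it is not the plugin's code. The page does not say how the plugin compares DNs, so the RFC 4514 normalisation used here (splitting on unescaped commas, trimming spaces, upper-casing attribute types) is this example's own assumption; it matters because the same subject DN is rendered with or without spaces after commas depending on which tool prints it.

```python
import re

# Constructed sample in the same shape as the plugin's YAML mapping file
# (role name -> list of DNs). A tiny reader for just that subset is used
# below so the example runs without a third-party YAML library.
SAMPLE_CONFIG = """\
nx-admin:
    - CN=Firstname Lastname, OU=Unknown, O=Unknown, L=Annapolis Junction, ST=MD, C=US
nx-deploy:
    - CN=Firstname Lastname, OU=Unknown, O=Unknown, L=Annapolis Junction, ST=MD, C=US
    - CN=Firstname Lastname2, OU=Unknown, O=Unknown, L=Annapolis Junction, ST=MD, C=US
"""


def parse_role_mapping(text):
    """Read 'role:' headers and '- DN' items into {role: [dn, ...]}."""
    mapping, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if role is None:
                raise ValueError("DN entry before any role header: %r" % raw)
            mapping[role].append(line[2:].strip())
        elif line.endswith(":"):
            role = line[:-1].strip()
            mapping.setdefault(role, [])
        else:
            raise ValueError("unrecognised line: %r" % raw)
    return mapping


def split_rdns(dn):
    """Split an RFC 4514 DN on unescaped commas, keeping '\\,' inside values."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn):
    """Canonical form (assumed here, not the plugin's): 'TYPE=value,...' with
    attribute types upper-cased and no whitespace around separators."""
    parts = []
    for rdn in split_rdns(dn):
        attr_type, _, value = rdn.partition("=")
        parts.append("%s=%s" % (attr_type.strip().upper(), value.strip()))
    return ",".join(parts)


def roles_for_dn(mapping, subject_dn):
    """Return the sorted roles whose DN list contains subject_dn after normalisation."""
    wanted = normalize_dn(subject_dn)
    return sorted(role for role, dns in mapping.items()
                  if any(normalize_dn(d) == wanted for d in dns))
```

A DN that appears under no role yields an empty list, which is the case an operator most wants to verify before trusting the mapping.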

Installation

0. Prerequisites

Directory naming convention:

For the following commands we assume your nexus installation resides in /opt/sonatype/nexus. See https://books.sonatype.com/nexus-book/reference3/install.html#directories for reference.

1. Download and install

The following lines will:

  • create a directory in the Nexus (Karaf) Maven repository
  • download the latest release from GitHub
  • unzip the release into that repository
  • add the plugin to the Karaf startup.properties.

mkdir -p /opt/sonatype/nexus/system/com/github/vincentrussell/ &&\
wget -O /opt/sonatype/nexus/system/com/github/vincentrussell/nexus3-x509-dn-security-plugin.zip https://github.com/vincentrussell/nexus3-x509-dn-security-plugin/releases/download/1.1/nexus3-x509-dn-security-plugin.zip &&\
unzip /opt/sonatype/nexus/system/com/github/vincentrussell/nexus3-x509-dn-security-plugin.zip -d /opt/sonatype/nexus/system/com/github/vincentrussell/ &&\
echo "reference\:file\:com/github/vincentrussell/nexus3-x509-dn-security-plugin/1.1/nexus3-x509-dn-security-plugin-1.1.jar = 200" >> /opt/sonatype/nexus/etc/karaf/startup.properties

2. Create configuration mapping file

Create /opt/sonatype/nexus/etc/x509-dn-security-config.yaml containing the role mapping described above.

Set the system property X509DnAuthenticatingRealm.config.file to point to that file. The easiest way is to edit /opt/sonatype/nexus/bin/nexus.vmoptions and add:

-DX509DnAuthenticatingRealm.config.file=/opt/sonatype/nexus/etc/x509-dn-security-config.yaml

3. Restart Nexus

Restart your Nexus instance to let it pick up your changes.

4. Add the realm in the settings

Log in to your Nexus instance and go to Administration > Security > Realms. Move the X509-Dn Authenticating Realm to the right. The order of the realms in the form determines the order in which they are consulted during authentication. We recommend putting X509-Dn Authenticating Realm after the built-in realms.

Development

Install software

homebrew (mac)

  • brew install docker-machine
  • brew install docker
  • docker-machine create --driver virtualbox nexus3-x509-oath-plugin
  • docker-machine env nexus3-x509-oath-plugin
  • eval "$(docker-machine env nexus3-x509-oath-plugin)"

You can build the project with the integrated maven wrapper like so: ./mvn clean package

Build and Run the docker container ...

docker build -t vincentrussell/nexus3-x509-oath-plugin .
docker run -p 8443:8443 -p 5005:5005 -it --rm vincentrussell/nexus3-x509-oath-plugin

You can build a ready to run docker image using the Dockerfile to quickly spin up a nexus with the plugin already preinstalled.

Credits

The whole project is heavily influenced by the nexus3-github-oauth-plugin.

Change Log

1.1 (2018-04-02)

  • expire cached auths after five minutes so that the server doesn't have to be restarted to respect changes to the config file

1.0 (2018-02-19)

Initial Release:

  • Initial Capability
