NEXUS-10794 (project: Dev - Nexus Repo)

user tokens do not work in combination with RUT Auth and LDAP realms

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.13
    • Fix Version/s: 2.14
    • Component/s: LDAP, RUT Auth, User Token
    • Labels: None
    • Story Points: 1
    • Sprint: Sprint 77

      Description

      Setup Nexus

      1. Start with virgin Nexus 2.13.0-01
      2. Create a file at sonatype-work/nexus/conf/logback-overrides.xml with this content:
        <?xml version='1.0' encoding='UTF-8'?>

        <!--
            DO NOT EDIT - This file includes user customised loggers and is automatically generated.
        -->

        <included>
          <logger name="org.sonatype.nexus.security" level="TRACE"/>
          <logger name="org.sonatype.nexus.proxy.access" level="TRACE"/>
          <logger name="com.sonatype.security.ldap" level="DEBUG"/>
          <logger name="org.apache.shiro" level="TRACE"/>
          <logger name="com.sonatype.nexus.usertoken" level="TRACE"/>
          <logger name="org.eclipse.jetty.server.AbstractHttpConnection" level="DEBUG"/>
          <logger name="org.sonatype.security" level="TRACE"/>
          <logger name="org.sonatype.security.ldap" level="DEBUG"/>
          <logger name="org.sonatype.nexus.jsecurity" level="TRACE"/>
          <logger name="org.sonatype.nexus.security.ldap" level="DEBUG"/>
        </included>

      3. (Optional) Add the Nexus patches at https://issues.sonatype.org/browse/NEXUS-10431 and set nexus.usertoken.noPopUps=true in nexus.properties - *this step is optional to reproduce the underlying problem*
      4. Start Nexus
      5. Disable Anonymous Access
      6. Enable the RUT Auth capability with header value as REMOTE_USER
      7. Configure Enterprise LDAP against a server with at least one user in one LDAP group (the Sonatype test LDAP can be used)
      8. Map a single external LDAP role into Nexus, with the Nexus Administrator Role as a member
      9. Configure Nexus 2.13.0-01 Realms as:
      • RUT Auth
      • User Token
      • Xml Auth
      • Xml Authz
      • Enterprise LDAP

      The direct Nexus URL in this case will be http://localhost:8081/nexus

      *The attached nexus pro bundle has all of this configured already, with logs showing the problem*

      Setup Reverse Proxy

      You are going to need a reverse proxy that sets the REMOTE_USER header to the name of the LDAP user who is in the mapped LDAP role.

      Example using this support tool:
      java -jar ./target/reverse-proxy-1.0-SNAPSHOT.jar -H "REMOTE_USER:whitney.haig"

      The reverse proxy URL will be http://localhost:18081 in this case

      Perform Test

      Step 1
      1. Clean the browser cache or open an incognito window
      2. Log in to the UI at the direct URL http://localhost:8081/nexus, using the LDAP username and password of the user you configured in the reverse proxy

      Step 2
      1. In another browser or incognito window, open the reverse proxy URL http://localhost:18081/ - this should automatically log you in as the LDAP user named in the REMOTE_USER header.
      2. Go to your profile and click Access User Token. Make a note of this value.

      Step 3

      Use curl to perform a basic auth request using the valid user token credentials obtained in Step 2

      Example:

      curl -v -o /dev/null http://localhost:8081/nexus/service/local/authentication/login -u "2e2MKSaH:Uwk+1UrICtBfBge8nIbeiRIYobtbgFYqdCqZn+gWQd4U"

      *This fails with 401 instead of 200*

      The Nexus log records this information:

      jvm 1    | 2016-09-02 14:51:19,572-0300 DEBUG [qtp708525149-94 - /nexus/service/local/authentication/login] *UNKNOWN com.sonatype.nexus.usertoken.plugin.internal.UserTokenServiceImpl - Record: UserTokenRecord{userName='whitney.haig', principals=whitney.haig, userToken=UserToken{nameCode='2e2MKSaH'}, created=Fri Sep 02 14:40:31 ADT 2016}
      jvm 1    | 2016-09-02 14:51:19,572-0300 DEBUG [qtp708525149-94 - /nexus/service/local/authentication/login] *UNKNOWN com.sonatype.nexus.usertoken.plugin.realm.UserTokenRealm - Removing stale user-token, target principals are no longer valid
      jvm 1    | 2016-09-02 14:51:19,572-0300 DEBUG [qtp708525149-94 - /nexus/service/local/authentication/login] *UNKNOWN com.sonatype.nexus.usertoken.plugin.internal.UserTokenServiceImpl - Removing record for: 2e2MKSaH
      jvm 1    | 2016-09-02 14:51:19,572-0300 TRACE [qtp708525149-94 - /nexus/service/local/authentication/login] *UNKNOWN com.sonatype.nexus.usertoken.plugin.store.db.H2Database - Prepare: DELETE FROM USERTOKENS WHERE USERNAME=?
      

      Notice that it says the token was deleted?

      Now go back to the Step 2 browser window and click Access User Token again. You still see your user token there, and the logs show that Nexus still reads it from the user token database.

      Problems

      There are actually at least three bugs:

      1. Nexus detects a valid user token as stale when it is not stale
      2. Nexus claims to remove the stale user token, but it does not do so successfully: the same token can later be retrieved from the usertoken db - it seems the query to DELETE tokens is broken
      3. Nexus uses the user token name code as the username to look up in LDAP (this is never expected to work)
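      A scan for the first two symptoms in the log excerpt above (a token of a still-valid user flagged stale, and the same name code read back after Nexus logged its removal), written here as an added example; it is not part of the issue or of Nexus, and the line regex, the fourth sample line and its placeholder path are assumptions built from the quoted excerpt.

```python
"""Added example, not from the issue or from Nexus: scan nexus.log lines in the
layout quoted in NEXUS-10794 for the symptoms the report describes (assumed)."""
import re

# Constructed sample: the three lines quoted in the issue, plus a later Record
# line on another request thread (constructed, placeholder path) standing in
# for the "Access User Token" click that still returns the deleted token.
SAMPLE_LOG = """\
jvm 1    | 2016-09-02 14:51:19,572-0300 DEBUG [qtp708525149-94 - /nexus/service/local/authentication/login] *UNKNOWN com.sonatype.nexus.usertoken.plugin.internal.UserTokenServiceImpl - Record: UserTokenRecord{userName='whitney.haig', principals=whitney.haig, userToken=UserToken{nameCode='2e2MKSaH'}, created=Fri Sep 02 14:40:31 ADT 2016}
jvm 1    | 2016-09-02 14:51:19,572-0300 DEBUG [qtp708525149-94 - /nexus/service/local/authentication/login] *UNKNOWN com.sonatype.nexus.usertoken.plugin.realm.UserTokenRealm - Removing stale user-token, target principals are no longer valid
jvm 1    | 2016-09-02 14:51:19,572-0300 DEBUG [qtp708525149-94 - /nexus/service/local/authentication/login] *UNKNOWN com.sonatype.nexus.usertoken.plugin.internal.UserTokenServiceImpl - Removing record for: 2e2MKSaH
jvm 1    | 2016-09-02 14:53:02,118-0300 DEBUG [qtp708525149-97 - /nexus/CONSTRUCTED-PATH] whitney.haig com.sonatype.nexus.usertoken.plugin.internal.UserTokenServiceImpl - Record: UserTokenRecord{userName='whitney.haig', principals=whitney.haig, userToken=UserToken{nameCode='2e2MKSaH'}, created=Fri Sep 02 14:40:31 ADT 2016}
"""

LINE_RE = re.compile(
    r'^jvm 1\s+\|\s+(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+\[(?P<thread>[^\]]+)\]'
    r'\s+(?P<user>\S+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$')
RECORD_RE = re.compile(r"UserTokenRecord\{userName='(?P<user>[^']+)'.*?nameCode='(?P<code>[^']+)'")
REMOVE_RE = re.compile(r'^Removing record for: (?P<code>\S+)$')

def scan_usertoken_log(log_text, still_valid_users):
    """still_valid_users: usernames the LDAP directory still resolves.
    Returns 'spurious_stale': (user, nameCode, ts) tuples removed as stale
    although the user is valid, and 'still_present': (nameCode, ts) tuples
    read back from the token db after Nexus logged their removal."""
    last_record = {}  # request thread -> (user, nameCode) of last Record line
    removed = set()   # nameCodes Nexus claimed to delete
    out = {'spurious_stale': [], 'still_present': []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        thread, msg, ts = m['thread'], m['msg'], m['ts']
        rec = RECORD_RE.search(msg)
        if rec:
            last_record[thread] = (rec['user'], rec['code'])
            if rec['code'] in removed:
                out['still_present'].append((rec['code'], ts))
        elif msg.startswith('Removing stale user-token') and thread in last_record:
            user, code = last_record[thread]
            if user in still_valid_users:
                out['spurious_stale'].append((user, code, ts))
        else:
            rm = REMOVE_RE.match(msg)
            if rm:
                removed.add(rm['code'])
    return out

if __name__ == '__main__':
    print(scan_usertoken_log(SAMPLE_LOG, {'whitney.haig'}))
```

      On a real nexus.log, pass the usernames your LDAP directory currently resolves; any hit under spurious_stale is the misdetection from bug 1, and any hit under still_present is the failed DELETE from bug 2.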

      Expected

      • A basic auth request with a valid user token should work with all the stated realms enabled.
      • A request with a RUT Auth header for a valid user should authenticate and be properly authorized.
      • A user account in LDAP should be able to authenticate to Nexus using either the REMOTE_USER header or a valid user token name code, if both realms are enabled and set up correctly.

      People

      Assignee: Brad Beck (bradbeck)
      Reporter: George Hunt (ghunt2121)
      Last Updated By: Peter Lynch