  1. Dev - Nexus Repo
  2. NEXUS-15422

NuGet API Key generated by a user authenticated with RUT will get purged by Purge Orphaned API Keys task

    Details

    • Story Points:
      2

      Description

      Setup

      • Nexus 3.7.1
      • NuGet API Key realm is active
      • RUT Auth realm is active
      • RUT Auth Capability is enabled

      Problem Reproduce

      1. Authenticate to the Nexus 3 UI using RUT Auth (your user account can be an LDAP, Crowd or default realm user account).
      2. Go to your profile and generate a NuGet API Key by clicking Access Key. (You will be prompted for authentication due to NEXUS-10692.) When prompted for a password, enter your password. Record the displayed API Key.
      3. Schedule and run a Purge Orphaned API Keys task. After the task completes, the NuGet API Key previously displayed will no longer be valid, because the task considered it orphaned and removed it.

      Debug logging while the task is run shows why the task considered it orphaned:

      2018-01-08 13:34:04,439-0400 DEBUG [quartz-5-thread-5] *SYSTEM org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl - Stale user found
      org.sonatype.nexus.security.user.UserNotFoundException: User not found: adminuser; User-manager not found: rutauth-realm
          at org.sonatype.nexus.security.UserPrincipalsHelper.getUserStatus(UserPrincipalsHelper.java:66)
          at org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl.lambda$5(ApiKeyStoreImpl.java:183)
          at org.sonatype.nexus.orient.transaction.OrientOperations.lambda$2(OrientOperations.java:63)
          at org.sonatype.nexus.transaction.OperationPoint.lambda$0(OperationPoint.java:53)
          at org.sonatype.nexus.transaction.OperationPoint.proceed(OperationPoint.java:64)
          at org.sonatype.nexus.transaction.TransactionalWrapper.proceedWithTransaction(TransactionalWrapper.java:56)
          at org.sonatype.nexus.transaction.Operations.transactional(Operations.java:200)
          at org.sonatype.nexus.transaction.Operations.run(Operations.java:155)
          at org.sonatype.nexus.orient.transaction.OrientOperations.run(OrientOperations.java:63)
          at org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl.purgeApiKeys(ApiKeyStoreImpl.java:179)
          at org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl$$EnhancerByGuice$$a608dc72.CGLIB$purgeApiKeys$6(<generated>)
          at org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl$$EnhancerByGuice$$a608dc72$$FastClassByGuice$$1cc8105f.invoke(<generated>)
          at com.google.inject.internal.cglib.proxy.$MethodProxy.invokeSuper(MethodProxy.java:228)
          at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:76)
          at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
          at org.sonatype.nexus.common.stateguard.StateGuard$GuardImpl.run(StateGuard.java:270)
          at org.sonatype.nexus.common.stateguard.GuardedInterceptor.invoke(GuardedInterceptor.java:53)
          at com.google.inject.internal.InterceptorStackCallback$InterceptedMethodInvocation.proceed(InterceptorStackCallback.java:77)
          at com.google.inject.internal.InterceptorStackCallback.intercept(InterceptorStackCallback.java:55)
          at org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl$$EnhancerByGuice$$a608dc72.purgeApiKeys(<generated>)
          at org.sonatype.nexus.internal.security.apikey.PurgeApiKeysTask.execute(PurgeApiKeysTask.java:42)
          at org.sonatype.nexus.internal.security.apikey.PurgeApiKeysTask.execute(PurgeApiKeysTask.java:1)
          at org.sonatype.nexus.scheduling.TaskSupport.call(TaskSupport.java:93)
          at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.doExecute(QuartzTaskJob.java:145)
          at org.sonatype.nexus.quartz.internal.task.QuartzTaskJob.execute(QuartzTaskJob.java:108)
          at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
          at org.sonatype.nexus.thread.internal.MDCAwareRunnable.run(MDCAwareRunnable.java:40)
          at org.apache.shiro.subject.support.SubjectRunnable.doRun(SubjectRunnable.java:120)
          at org.apache.shiro.subject.support.SubjectRunnable.run(SubjectRunnable.java:108)
          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:748)
      Caused by: org.sonatype.nexus.security.user.NoSuchUserManagerException: User-manager not found: rutauth-realm
          at org.sonatype.nexus.security.UserPrincipalsHelper.findUserManager(UserPrincipalsHelper.java:102)
          at org.sonatype.nexus.security.UserPrincipalsHelper.getUserStatus(UserPrincipalsHelper.java:60)
          ... 33 common frames omitted
      2018-01-08 13:34:04,443-0400 INFO  [quartz-5-thread-5] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task nexus.1ac98aef-a616-4c66-96a5-1906efb9b2d4 : 'purge-api' [security.purge-api-keys] state change RUNNING -> WAITING (OK)
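
      To find which users lost keys this way, the debug log can be scanned for the "Stale user found" events shown above. The following is an added example, not part of the original report or of Nexus; the sample log is constructed, and the second event's message format (a user that is simply missing) is an assumption.

```python
import re

# Constructed sample in the format of the debug log above; "olduser" and its
# message format are assumptions made for this example.
SAMPLE_LOG = """\
2018-01-08 13:34:04,439-0400 DEBUG [quartz-5-thread-5] *SYSTEM org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl - Stale user found
org.sonatype.nexus.security.user.UserNotFoundException: User not found: adminuser; User-manager not found: rutauth-realm
    at org.sonatype.nexus.security.UserPrincipalsHelper.getUserStatus(UserPrincipalsHelper.java:66)
2018-01-08 13:34:04,441-0400 DEBUG [quartz-5-thread-5] *SYSTEM org.sonatype.nexus.internal.security.apikey.ApiKeyStoreImpl - Stale user found
org.sonatype.nexus.security.user.UserNotFoundException: User not found: olduser
    at org.sonatype.nexus.security.UserPrincipalsHelper.getUserStatus(UserPrincipalsHelper.java:66)
2018-01-08 13:34:04,443-0400 INFO  [quartz-5-thread-5] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'purge-api' state change RUNNING -> WAITING (OK)
"""

# Header line logged by ApiKeyStoreImpl when the purge treats a key's user as stale.
STALE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}) DEBUG "
    r".*ApiKeyStoreImpl - Stale user found\s*$"
)
# Exception line that follows; the realm part is present only when no
# user manager exists for the realm recorded with the key.
CAUSE = re.compile(
    r"UserNotFoundException: User not found: (?P<user>[^;\s]+)"
    r"(?:; User-manager not found: (?P<realm>\S+))?"
)

def find_purged_keys(log_text):
    """Return one record per 'Stale user found' event in the log text."""
    events = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        header = STALE.match(line)
        if not header or i + 1 >= len(lines):
            continue
        cause = CAUSE.search(lines[i + 1])
        if cause:
            events.append({
                "time": header["ts"],
                "user": cause["user"],
                "missing_realm": cause["realm"],  # None if the realm was not the problem
            })
    return events

def falsely_orphaned(events, realm="rutauth-realm"):
    """Users whose key was purged only because the realm has no user manager."""
    return sorted({e["user"] for e in events if e["missing_realm"] == realm})
```

      Users returned by `falsely_orphaned` still have accounts and need a new API key generated after the purge.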
      

      Expected

      When a user authenticated through RUT Auth creates an API key (for NuGet or any other key realm), the API key should be associated with the realm that actually stores the user's account for the purposes of authentication, as determined by the order of realms in the active realms list (default, ldap, crowd), instead of rutauth-realm. In this way, the key will not normally be considered orphaned and will not be removed by the purge task.
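
      The difference between the reported and the expected behaviour can be shown with a small model. This is an added example and a simplified model, not Nexus source code; the realm ids "default", "ldap" and "crowd" follow the wording above, and the user names and function names are hypothetical.

```python
# Simplified model of the purge decision described in this report.
# Realms that have a user manager, mapped to the accounts they store
# (constructed data). rutauth-realm authenticates users but stores none.
USER_MANAGERS = {
    "default": {"admin"},
    "ldap": {"adminuser"},
    "crowd": set(),
}
# Order of the active realms list; the first realm storing the account wins.
ACTIVE_REALMS = ["rutauth-realm", "default", "ldap", "crowd"]

def is_orphaned(key):
    """Purge check: stale if the key's realm has no user manager
    (the 'User-manager not found' case) or the user is gone from it."""
    user, realm = key
    manager = USER_MANAGERS.get(realm)
    return manager is None or user not in manager

def storing_realm(user):
    """First active realm whose user manager actually holds the account."""
    for realm in ACTIVE_REALMS:
        if user in USER_MANAGERS.get(realm, ()):
            return realm
    return None

def create_key(user, authenticating_realm, resolve=False):
    """Reported behaviour: record the realm that authenticated the session.
    Expected behaviour (resolve=True): record the realm storing the account."""
    realm = authenticating_realm
    if resolve:
        realm = storing_realm(user) or authenticating_realm
    return (user, realm)

def purge(keys):
    """Return the keys that survive the purge task."""
    return [k for k in keys if not is_orphaned(k)]

reported = create_key("adminuser", "rutauth-realm")
expected = create_key("adminuser", "rutauth-realm", resolve=True)
deleted = create_key("ghost", "rutauth-realm", resolve=True)  # no account anywhere
survivors = purge([reported, expected, deleted])
```

      Only the key recorded against the storing realm survives; the key of a user with no account in any realm is still purged, which is what the task is meant to do.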

      Regression

      Nexus 2.x is not known to have this same problem, so this issue may affect configurations upgraded from Nexus 2.x to 3.x.

            People

            Assignee:
            bradbeck Brad Beck
            Reporter:
            plynch Peter Lynch
            Last Updated By:
            Peter Lynch Peter Lynch
            Team:
            Nexus - Core