Dev - Nexus Repo
NEXUS-17231

user role mappings do not match user ids case insensitively


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.8.0
    • Fix Version/s: 3.13.0
    • Component/s: Security
    • Labels:
    • Story Points:
      2

      Description

      User ids are intentionally matched case insensitively. This issue demonstrates a case where they are not.

      Set up Nexus to connect to an LDAP realm that contains a user record whose userid is lowercase testuser1. Verify that you can authenticate as that userid.

      Create a new role in nexus called custom_role.

      Create a script like the one below to map the role to the user, and put it in an Execute Script task:

      import org.sonatype.nexus.security.role.RoleIdentifier
      import org.sonatype.nexus.security.user.User

      // Deliberately use a different letter case than the LDAP record (testuser1)
      def userId = 'TESTUSER1'
      try {
          User user = security.securitySystem.getUser(userId, 'LDAP')
          if (user != null) {
              RoleIdentifier newRole = new RoleIdentifier('default', 'custom_role')
              user.addRole(newRole)
              // Persist the mapping under the userid exactly as written above
              security.securitySystem.setUsersRoles(userId, 'LDAP', user.getRoles())
              log.info("Role $newRole has been added to $userId")
          } else {
              log.warn("$userId not found.")
          }
      } catch (Exception e) {
          log.error(e.toString())
      }

      Execute the script. The script creates a record in the Nexus security database similar to this:

      {
        "@type": "d",
        "@rid": "#38:7",
        "@version": 1,
        "@class": "user_role_mapping",
        "userId": "TESTUSER1",
        "source": "LDAP",
        "roles": [
          "custom_role"
        ],
        "@fieldTypes": "roles=e"
      }

      One can authenticate the userid as either testuser1 or TESTUSER1. However, when the user record is found in the Users list in Nexus, no roles are shown in the Active roles list, and after sign-in the user does not have the permissions granted by custom_role either.

      Conversely, if the user mapping is created using the Nexus UI, the userid is stored in Nexus with the letter case matching that stored in the LDAP server. In that case, when custom_role is mapped to the user, there is no problem reading back its active roles.

      Expected

      Since userids are authenticated case insensitively, a user's roles should also be looked up by userid from the Nexus database case insensitively.
      Since it is also possible that NXRM has allowed multiple user role mappings for the same userid (but with different letter case), there should be a way for an admin to reconcile these duplicate userids, either by running a script or through an upgrade step.
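      The two expectations above (case-insensitive role lookup, and reconciliation of mappings that differ only by letter case) as an added example in Python; this is not Nexus code or the reporter's script. The records are constructed to mirror the shape of the user_role_mapping document quoted above, and the reconciliation strategy (merge the roles of every duplicate into one mapping keyed by the userid as the identity source spells it) is an assumption about what an admin script or upgrade step might do, not Nexus's actual fix.

```python
"""Case-insensitive role lookup and duplicate-mapping reconciliation.

Added example, not Nexus code. The mapping records are constructed in the
shape of the user_role_mapping document shown in the issue; the merge
strategy is an assumption, not the project's own upgrade step.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Mapping = Dict[str, object]
Key = Tuple[str, str]  # (source, casefolded userId)

# Constructed sample records (not a real database dump). Two LDAP mappings
# exist for the same person, spelled with different letter case, as the
# issue says NXRM may have allowed.
MAPPINGS: List[Mapping] = [
    {"@class": "user_role_mapping", "userId": "TESTUSER1", "source": "LDAP",
     "roles": ["custom_role"]},
    {"@class": "user_role_mapping", "userId": "testuser1", "source": "LDAP",
     "roles": ["another_role"]},
    {"@class": "user_role_mapping", "userId": "admin", "source": "default",
     "roles": ["nx-admin"]},
]


def roles_exact(mappings: List[Mapping], user_id: str, source: str) -> List[str]:
    """Lookup as the reported bug behaves: exact, case-sensitive userId match.

    A mapping stored as TESTUSER1 is invisible to a lookup for testuser1."""
    for m in mappings:
        if m["userId"] == user_id and m["source"] == source:
            return sorted(m["roles"])
    return []


def roles_ci(mappings: List[Mapping], user_id: str, source: str) -> List[str]:
    """Expected behaviour: match userId case-insensitively.

    casefold() rather than lower() so non-ASCII letters fold consistently.
    Roles of every mapping for that user are unioned, so an existing
    duplicate does not silently hide part of the user's grants."""
    key = user_id.casefold()
    roles = set()
    for m in mappings:
        if m["source"] == source and m["userId"].casefold() == key:
            roles.update(m["roles"])
    return sorted(roles)


def find_duplicates(mappings: List[Mapping]) -> Dict[Key, List[Mapping]]:
    """Return the groups of mappings that refer to the same user in the same
    source but differ in letter case; what an admin audit script would list."""
    groups: Dict[Key, List[Mapping]] = defaultdict(list)
    for m in mappings:
        groups[(m["source"], m["userId"].casefold())].append(m)
    return {k: v for k, v in groups.items() if len(v) > 1}


def reconcile(mappings: List[Mapping], canonical_ids: Dict[Key, str]) -> List[Mapping]:
    """Merge duplicates into one mapping per (source, userId-ci).

    canonical_ids gives, per key, the userId exactly as the identity source
    stores it (assumed to have been read from LDAP beforehand). When a key
    is not listed, the first spelling seen is kept. Role order is preserved
    and deduplicated so the merged record is stable across runs."""
    merged: Dict[Key, Mapping] = {}
    order: List[Key] = []
    for m in mappings:
        key = (m["source"], m["userId"].casefold())
        if key not in merged:
            merged[key] = {
                "@class": "user_role_mapping",
                "userId": canonical_ids.get(key, m["userId"]),
                "source": m["source"],
                "roles": [],
            }
            order.append(key)
        for role in m["roles"]:
            if role not in merged[key]["roles"]:
                merged[key]["roles"].append(role)
    return [merged[k] for k in order]


if __name__ == "__main__":
    print("exact lookup for testuser1:", roles_exact(MAPPINGS, "testuser1", "LDAP"))
    print("case-insensitive lookup:   ", roles_ci(MAPPINGS, "testuser1", "LDAP"))
    print("duplicates:", list(find_duplicates(MAPPINGS)))
    print("reconciled:", reconcile(MAPPINGS, {("LDAP", "testuser1"): "testuser1"}))
```

      Running it shows the symptom from the report (the exact-match lookup for testuser1 misses the custom_role granted under TESTUSER1), then the case-insensitive lookup returning both roles, and finally the two LDAP records collapsed into a single mapping spelled as LDAP spells the userid, after which even an exact-match lookup finds every role.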

              People

              Assignee:
              jbryan Jeremy Bryan
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Peter Lynch
              Team:
              Nexus - Core
              Votes:
              0
              Watchers:
              4
