Dev - Nexus Repo / NEXUS-17498

option to generate URL-safe user tokens for URL based authentication


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.12.1
    • Fix Version/s: 3.14.0
    • Component/s: PyPI, User Token
    • Labels:
    • Story Points: 1
    • Release Note: Yes

      Description

      Certain primitive repository formats only support URL based authentication of the form:

      http://user:password@localhost:8081

      For example PyPI is known to have this problem:

      https://github.com/pypa/pip/issues/4315

      YUM auth has a similar problem.

      Admins may want to enforce authenticated access to the repository manager using our User Tokens feature.

      Currently User Tokens may be generated with non-URL-safe characters (for example a leading "/"), which prevents using the URL based authentication mechanism above.

      Expected

      To support primitive URL based auth, there should be an option to generate user tokens which contain only URL-safe characters.

      Possible Workaround for Some Formats

      Take the user token name and value generated by Nexus and URL-encode them manually first, before adding them to the URL being used in your tool.

      For example, Nexus generates these tokens:

      Name Code: /pKsRLhn
      Pass Code: /HAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh

      As expected, this URL will not parse correctly:

      curl -v "http:///pKsRLhn:/HAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh@localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom" -o /dev/null
      * Unwillingly accepted illegal URL using 3 slashes!
      

      URL Encode each value:

      Name Code: %2FpKsRLhn
      Pass Code: %2FHAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh

      All of these requests authenticate properly:

      curl -v -u "/pKsRLhn:/HAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh" http://localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom -o /dev/null
      
      curl -v "http://%2FpKsRLhn:%2FHAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh@localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom" -o /dev/null
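      The encoding step above and the requested URL-safe token option can both be checked in code. The following is an added example (not part of this issue and not Nexus's own code) that percent-encodes the two token values shown above for the userinfo part of a URL, shows why the raw values fail to parse, and generates a token from the RFC 3986 unreserved alphabet so no encoding is needed. The helper names are this example's own; the sample token values are the ones quoted in the issue.

```python
import secrets
from typing import Tuple
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Token values as quoted in the issue description; both start with "/".
NAME_CODE = "/pKsRLhn"
PASS_CODE = "/HAx3rBkdsQAmsUhc2RWt73CY8zrMJPS9e1HnYeseYbh"

# RFC 3986 "unreserved" characters: the only ones safe to embed in any URL
# component without percent-encoding.
URL_SAFE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def encode_userinfo(value: str) -> str:
    """Percent-encode a token for the user:password@ part of a URL.

    quote() leaves '/' alone by default; safe='' forces it to %2F, which is
    exactly the manual step the workaround describes.
    """
    return quote(value, safe="")


def build_authenticated_url(base_url: str, name_code: str, pass_code: str) -> str:
    """Insert encoded credentials into base_url (hypothetical helper)."""
    parts = urlsplit(base_url)
    netloc = f"{encode_userinfo(name_code)}:{encode_userinfo(pass_code)}@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def extract_credentials(url: str) -> Tuple[str, str]:
    """Parse a URL the way a client would and return the decoded credentials.

    For the unencoded form "http:///pKsRLhn:..." the third slash ends an empty
    authority, so the parser finds no username or password at all, mirroring
    curl's "illegal URL using 3 slashes" complaint.
    """
    parts = urlsplit(url)
    return unquote(parts.username or ""), unquote(parts.password or "")


def is_url_safe(token: str) -> bool:
    """True when every character is unreserved, i.e. the token needs no encoding."""
    return bool(token) and all(ch in URL_SAFE for ch in token)


def generate_url_safe_token(nbytes: int = 32) -> str:
    """Generate a token that only uses URL-safe characters.

    secrets.token_urlsafe() is base64url without padding (A-Z, a-z, 0-9, '-', '_'),
    so the result can be placed directly in user:password@host form.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    base = "http://localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom"
    raw = f"http://{NAME_CODE}:{PASS_CODE}@localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom"
    print("raw URL credentials parsed as:", extract_credentials(raw))
    encoded = build_authenticated_url(base, NAME_CODE, PASS_CODE)
    print("encoded URL:", encoded)
    print("encoded URL credentials parsed as:", extract_credentials(encoded))
    token = generate_url_safe_token()
    print("generated token", token, "is URL-safe:", is_url_safe(token))
```

      The round trip through extract_credentials() is the useful check: if a client's URL parser cannot recover the same name code and pass code you started with, the request will be sent anonymously and the server will answer 401, exactly as the unauthenticated curl call below shows.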
      

      While the same URL without any authentication fails:

      curl -v "http://localhost:8081/repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom" -o /dev/null
      * TCP_NODELAY set
      * Connection failed
      * connect to ::1 port 8081 failed: Connection refused
      *   Trying 127.0.0.1...
      * TCP_NODELAY set
      * Connected to localhost (127.0.0.1) port 8081 (#0)
      > GET /repository/maven-central/abbot/abbot/0.13.0/abbot-0.13.0.pom HTTP/1.1
      > Host: localhost:8081
      > User-Agent: curl/7.57.0
      > Accept: */*
      > 
      < HTTP/1.1 401 Unauthorized
      < Date: Fri, 29 Jun 2018 16:47:22 GMT
      < Server: Nexus/3.13.0-SNAPSHOT (PRO)
      < X-Content-Type-Options: nosniff
      < Set-Cookie: NX-ANTI-CSRF-TOKEN=8d0c3bff-fe84-408e-a60d-c1c49eb07a17; Path=/
      < Content-Security-Policy: sandbox allow-forms allow-modals allow-popups allow-presentation allow-scripts allow-top-navigation
      < WWW-Authenticate: BASIC realm="Sonatype Nexus Repository Manager"
      < Content-Length: 0
      


      Windows Pip

      This workaround does not solve this issue for python/pip when running on Windows, see my comment below for details.


      People

      • Assignee: natemcafee (Nate McAfee)
      • Reporter: plynch (Peter Lynch)
      • Last Updated By: Peter Lynch
      • Team: Nexus - Core
      • Votes: 3
      • Watchers: 10
