Dev - Nexus Repo: NEXUS-20683

API: Searching requires permissions from role that can view every artifact returned in results (admin)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 3.23.0
    • Fix Version/s: 3.38.0
    • Component/s: REST, Staging
    • Story Points: 5
    • Sprint: NXRM MadMax Sprint 22
    • Notability: 4

      Description

      Attempting to search for an artifact that appears in both a stage repo and release repo requires a user to have permissions to view both artifacts, even if the search is restricted to a single repository. For example:


      artifact company:root:0.0.1 exists in both pt-maven-stage and pt-maven-releases.


      user test has role nx-admin and executes the search /service/rest/v1/search?maven.groupId=company&maven.artifactId=root&maven.baseVersion=0.0.1&repository=pt-maven-stage and receives back full results:

      {
        "items": [
          {
            "id": "idhere",
            "repository": "pt-maven-releases",
            "format": "maven2",
            "group": "company",
            "name": "root",
            "version": "0.0.1",
            "assets": [
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1-javadoc.jar",
                "path": "company/root/0.0.1/root-0.0.1-javadoc.jar",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1-javadoc.jar.md5",
                "path": "company/root/0.0.1/root-0.0.1-javadoc.jar.md5",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1-javadoc.jar.sha1",
                "path": "company/root/0.0.1/root-0.0.1-javadoc.jar.sha1",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1-sources.jar",
                "path": "company/root/0.0.1/root-0.0.1-sources.jar",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1-sources.jar.md5",
                "path": "company/root/0.0.1/root-0.0.1-sources.jar.md5",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1-sources.jar.sha1",
                "path": "company/root/0.0.1/root-0.0.1-sources.jar.sha1",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1.jar",
                "path": "company/root/0.0.1/root-0.0.1.jar",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1.jar.md5",
                "path": "company/root/0.0.1/root-0.0.1.jar.md5",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1.jar.sha1",
                "path": "company/root/0.0.1/root-0.0.1.jar.sha1",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1.pom",
                "path": "company/root/0.0.1/root-0.0.1.pom",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1.pom.md5",
                "path": "company/root/0.0.1/root-0.0.1.pom.md5",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-releases/company/root/0.0.1/root-0.0.1.pom.sha1",
                "path": "company/root/0.0.1/root-0.0.1.pom.sha1",
                "id": "idhere",
                "repository": "pt-maven-releases",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              }
            ]
          },
          {
            "id": "idhere",
            "repository": "pt-maven-stage",
            "format": "maven2",
            "group": "company",
            "name": "root",
            "version": "0.0.1",
            "assets": [
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1-javadoc.jar",
                "path": "company/root/0.0.1/root-0.0.1-javadoc.jar",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1-javadoc.jar.md5",
                "path": "company/root/0.0.1/root-0.0.1-javadoc.jar.md5",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1-javadoc.jar.sha1",
                "path": "company/root/0.0.1/root-0.0.1-javadoc.jar.sha1",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1-sources.jar",
                "path": "company/root/0.0.1/root-0.0.1-sources.jar",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1-sources.jar.md5",
                "path": "company/root/0.0.1/root-0.0.1-sources.jar.md5",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1-sources.jar.sha1",
                "path": "company/root/0.0.1/root-0.0.1-sources.jar.sha1",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1.jar",
                "path": "company/root/0.0.1/root-0.0.1.jar",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1.jar.md5",
                "path": "company/root/0.0.1/root-0.0.1.jar.md5",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1.jar.sha1",
                "path": "company/root/0.0.1/root-0.0.1.jar.sha1",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1.pom",
                "path": "company/root/0.0.1/root-0.0.1.pom",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1.pom.md5",
                "path": "company/root/0.0.1/root-0.0.1.pom.md5",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              },
              {
                "downloadUrl": "http://nexus.com/repository/pt-maven-stage/company/root/0.0.1/root-0.0.1.pom.sha1",
                "path": "company/root/0.0.1/root-0.0.1.pom.sha1",
                "id": "idhere",
                "repository": "pt-maven-stage",
                "format": "maven2",
                "checksum": {
                  "sha1": "shahere",
                  "md5": "md5here"
                }
              }
            ]
          }
        ],
        "continuationToken": null
      }

      Note that the results are coming from two separate repositories.


      Now performing the same query with the user pt-stage-deployer, which has the role pt-maven-stage-deployer with the permissions

      nx-repository-view-maven2-pt-maven-stage-add
      nx-repository-view-maven2-pt-maven-stage-browse
      nx-repository-view-maven2-pt-maven-stage-edit
      nx-repository-view-maven2-pt-maven-stage-read

      returns a 403 Forbidden.


      Doing the same with a user that has permission to both the stage and release group repositories also results in the same error. Only credentials that include both non-group roles work. Even if a role contains a lower role, that doesn't work.

      Restricting the repository using the repository query param does not solve the issue.

      If the artifact only appears in a single repository, the query returns successfully for both the release user and the stage user.


      No matter what my permissions are, I believe the bug here is that if you restrict the repository it shouldn't matter that other artifacts might have returned from the result.
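As an added illustration (not code from the report or from Nexus itself), a small Python model of the search authorization the report describes: the observed all-or-nothing check, which returns 403 as soon as any hit lives in a repository the caller cannot browse, beside the per-repository filtering the reporter expects. The index contents, user names and the wildcard privilege used to model nx-admin are constructed; only the privilege naming pattern comes from the page.

```python
"""Model of the NEXUS-20683 search-authorization bug and the expected behaviour."""
from fnmatch import fnmatch

# Constructed search index: (repository, format, group, name, version).
# Mirrors the report: company:root:0.0.1 exists in both stage and releases.
INDEX = [
    ("pt-maven-releases", "maven2", "company", "root", "0.0.1"),
    ("pt-maven-stage", "maven2", "company", "root", "0.0.1"),
    ("pt-maven-stage", "maven2", "company", "other", "1.0.0"),
]

# Constructed users. The admin is modelled as a wildcard over the
# nx-repository-view-<format>-<repo>-<action> privilege pattern from the page.
USERS = {
    "test": {"nx-repository-view-*-*-*"},
    "pt-stage-deployer": {
        "nx-repository-view-maven2-pt-maven-stage-add",
        "nx-repository-view-maven2-pt-maven-stage-browse",
        "nx-repository-view-maven2-pt-maven-stage-edit",
        "nx-repository-view-maven2-pt-maven-stage-read",
    },
}


def can_browse(user, repo, fmt):
    """True if any privilege of the user matches the browse privilege for repo."""
    needed = f"nx-repository-view-{fmt}-{repo}-browse"
    return any(fnmatch(needed, priv) for priv in USERS[user])


def matches(entry, group, name, version):
    return entry[2:] == (group, name, version)


def buggy_search(user, group, name, version, repository=None):
    """Reported behaviour: every hit is authorized before the caller's
    repository filter is considered, and (as the admin's JSON shows) the
    filter does not narrow the hits, so one unreadable hit yields a 403."""
    hits = [e for e in INDEX if matches(e, group, name, version)]
    if any(not can_browse(user, e[0], e[1]) for e in hits):
        raise PermissionError(403)
    return hits  # repository filter not honoured, matching the reported JSON


def fixed_search(user, group, name, version, repository=None):
    """Expected behaviour: apply the repository filter, then keep only the
    hits the caller may browse instead of rejecting the whole request."""
    hits = [e for e in INDEX if matches(e, group, name, version)
            and repository in (None, e[0])]
    return [e for e in hits if can_browse(user, e[0], e[1])]
```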


      People

      Assignee: Maksym Lukaretkyi (mlukaretkyi)
      Reporter: Tyler Thrailkill (snowe)
      Team: NXRM - Mad Max