Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.31.1
Fix Version/s: 3.36.0
Component/s: Repository, REST
Labels:
Notability: 3
Description
SYMPTOM:
Deleting a component by its component ID returns 404 when a Content Selector is in use, and 403 otherwise, if the user lacks the "browse" privilege.
$ curl -i -u testuser:testuser -X DELETE "${_NEXUS_URL%/}/service/rest/v1/components/${_COMP_ID}"
HTTP/1.1 404 Not Found
Date: Tue, 20 Jul 2021 07:18:18 GMT
Strict-Transport-Security: max-age=7776000
Server: Nexus/3.31.1-01 (PRO)
X-Content-Type-Options: nosniff
X-Siesta-FaultId: 1c1f8752-9697-4972-8a77-e683db4b6c16
Content-Length: 0
REPRODUCE STEPS:
- Create raw-hosted repository
- Upload some test file:
curl -u "admin:admin123" -T <(echo 'to be deleted') "http://localhost:8081/repository/raw-hosted/test/delete.txt"
- Create testuser with a test role that has nx-repository-view-*-*-add|read|edit|delete (no browse)
- Search above component to find the component ID
curl -u admin:admin123 "http://localhost:8081/service/rest/v1/search?repository=raw-hosted&name=test/delete.txt"
- Delete this component with the testuser, and get 403:
$ curl -i -u testuser:testuser -X DELETE "http://localhost:8081/service/rest/v1/components/cmF3LWhvc3RlZDo5ODU4MWI5ZTE1YzNkZmE1NGU1ZWMxOWI5YTFmMmQwMQ"
HTTP/1.1 403 Forbidden
Date: Tue, 20 Jul 2021 07:32:46 GMT
Server: Nexus/3.31.1-01 (PRO)
X-Content-Type-Options: nosniff
X-Siesta-FaultId: 33043899-4c33-4ab8-8a48-78d84b642ef8
Content-Length: 0
- Add nx-repository-view-*-*-browse to the test role and run the above curl again.
EXPECTED BEHAVIOUR:
As this test user is not browsing/reading but just deleting, the first "curl -X DELETE" should work.
ACTUAL BEHAVIOUR:
The first "curl -X DELETE" returns 403 (Forbidden); the second one returns 204, and the component is deleted.
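An added regression check for this report (example code, not part of the Nexus project and not the reporter's commands): it repeats the reproduce steps against a Nexus instance and classifies the DELETE response the way the symptom section does. NEXUS_URL, ADMIN_CREDS, TEST_CREDS and REPO are assumed environment variables, and passing `run` as the first argument is an assumed switch so the helpers can be tested offline.

```shell
#!/bin/sh
# Added regression check for this issue (not part of Nexus): a user holding
# add/read/edit/delete but NOT browse on a repository should be able to
# DELETE a component by ID via /service/rest/v1/components/{id}.
# Assumed environment (defaults match the reproduce steps):
set -u
NEXUS_URL="${NEXUS_URL:-http://localhost:8081}"
ADMIN_CREDS="${ADMIN_CREDS:-admin:admin123}"
TEST_CREDS="${TEST_CREDS:-testuser:testuser}"
REPO="${REPO:-raw-hosted}"

# Numeric status code of the last HTTP status line in `curl -i` output.
http_status() {
  printf '%s\n' "$1" | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | tail -n 1
}

# First "id" in a /service/rest/v1/search response: the component id
# precedes the asset ids, so the first match is the one we want.
component_id() {
  printf '%s' "$1" | grep -o '"id" *: *"[^"]*"' | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/'
}

# Classify the DELETE status exactly as the symptom section describes it.
verdict() {
  case "$1" in
    204) echo "fixed: delete succeeded without the browse privilege" ;;
    403) echo "affected: 403 Forbidden, browse privilege still required to delete" ;;
    404) echo "affected: 404, content selector hides the component without browse" ;;
    *)   echo "unexpected: HTTP $1" ;;
  esac
}

# Upload a throwaway file as admin, find its component ID, delete it as testuser.
run_check() {
  tmp=$(mktemp); echo 'to be deleted' > "$tmp"
  curl -sf -u "$ADMIN_CREDS" -T "$tmp" "$NEXUS_URL/repository/$REPO/test/delete.txt"
  rm -f "$tmp"
  search=$(curl -sf -u "$ADMIN_CREDS" "$NEXUS_URL/service/rest/v1/search?repository=$REPO&name=test/delete.txt")
  id=$(component_id "$search")
  [ -n "$id" ] || { echo "component not found in search response" >&2; return 2; }
  resp=$(curl -si -u "$TEST_CREDS" -X DELETE "$NEXUS_URL/service/rest/v1/components/$id")
  verdict "$(http_status "$resp")"
}

# Only contact the server when asked explicitly ("run" is an assumed switch).
if [ "${1:-}" = "run" ]; then run_check; fi
```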
POTENTIAL CAUSE:
The org.sonatype.nexus.repository.browse.internal.BrowseServiceImpl#getById method generates a SQL statement that uses the ContentAuth OSQLFunction; inside that function, org.sonatype.nexus.repository.selector.internal.OrientContentAuthHelper#checkPathPermissions is called, and it checks the "BROWSE" action.
NOTE: If my observation is right, when a "docker" repository is used, setting a correct Content Selector might be difficult, because in the above function it is probably checking the image name (not the path).
So, when the CSEL contains the expression "path =^ '/v2/deletetest/'" and the "deletetest/alpine:3.7" image is going to be deleted, it seems Nexus is checking whether "deletetest/alpine" starts with "/v2/deletetest".
Attachments
Issue Links
- relates to: NEXUS-31100 REST API operations using content selector privileges match against docker image name instead of access path (Closed)