Dev - Nexus Repo / NEXUS-31635

Repository REST API allows invalid version policy value for Maven repo

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.38.0
    • Fix Version/s: None
    • Component/s: Maven, REST
    • Notability: 2

      Description

      Updating a Maven repository via the REST API allows an invalid Version Policy value to be set, resulting in an invalid configuration that can lead to start-up failures.

      To reproduce, update an existing Maven hosted repository via the PUT /service/rest/v1/repositories/maven/hosted/{repositoryName} API with the following payload:

      {
        "name": "SET_REPO_NAME_HERE",
        "online": true,
        "storage": {
          "blobStoreName": "default",
          "strictContentTypeValidation": true,
          "writePolicy": "allow_once"
        },
        "cleanup": {
          "policyNames": [
            "string"
          ]
        },
        "component": {
          "proprietaryComponents": true
        },
        "maven": {
          "versionPolicy": "",
          "layoutPolicy": "STRICT",
          "contentDisposition": "ATTACHMENT"
        }
      }
      

      Notice the versionPolicy attribute value is an empty string.

      Whilst the request will seemingly fail with a 400 response and the following error in the nexus.log:

      2022-03-24 15:00:23,467+0000 ERROR [qtp1551142751-662] admin org.sonatype.nexus.repository.manager.internal.RepositoryImpl - Failed to validate facet: org.sonatype.nexus.repository.maven.internal.orient.MavenFacetImpl$$EnhancerByGuice$$797528238@2a5acd61
      java.lang.IllegalArgumentException: Cannot coerce empty String ("") to `org.sonatype.nexus.repository.maven.VersionPolicy` value (but could if coercion was enabled using `CoercionConfig`) at Source: UNKNOWN; byte offset: #UNKNOWN (through reference chain: org.sonatype.nexus.repository.maven.internal.orient.MavenFacetImpl$Config["versionPolicy"])
          at com.fasterxml.jackson.databind.ObjectMapper._convert(ObjectMapper.java:4393)
          at com.fasterxml.jackson.databind.ObjectMapper.convertValue(ObjectMapper.java:4324)
          at org.sonatype.nexus.repository.config.internal.ConfigurationFacetImpl.convert(ConfigurationFacetImpl.java:75)
          at org.sonatype.nexus.repository.config.internal.ConfigurationFacetImpl.readSection(ConfigurationFacetImpl.java:84)
          at org.sonatype.nexus.repository.config.internal.ConfigurationFacetImpl.validateSection(ConfigurationFacetImpl.java:121)
          at org.sonatype.nexus.repository.maven.internal.orient.MavenFacetImpl.doValidate(MavenFacetImpl.java:184)
          at org.sonatype.nexus.repository.FacetSupport.validate(FacetSupport.java:113)
          at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
          at org.sonatype.nexus.common.stateguard.StateGuard$GuardImpl.run(StateGuard.java:272)
          at org.sonatype.nexus.common.stateguard.GuardedInterceptor.invoke(GuardedInterceptor.java:54)
          at org.sonatype.nexus.repository.manager.internal.RepositoryImpl.validate(RepositoryImpl.java:160)
          at org.sonatype.nexus.repository.manager.internal.RepositoryManagerImpl.updateRepositoryInMemory(RepositoryManagerImpl.java:441)
          at org.sonatype.nexus.repository.manager.internal.RepositoryManagerImpl.update(RepositoryManagerImpl.java:371)
          at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
          at org.sonatype.nexus.common.stateguard.StateGuard$GuardImpl.run(StateGuard.java:272)
          at org.sonatype.nexus.common.stateguard.GuardedInterceptor.invoke(GuardedInterceptor.java:54)
          at org.sonatype.nexus.repository.rest.internal.api.AuthorizingRepositoryManagerImpl.update(AuthorizingRepositoryManagerImpl.java:87)
          at org.sonatype.nexus.repository.rest.api.AbstractRepositoriesApiResource.updateRepository(AbstractRepositoriesApiResource.java:134)
          at org.sonatype.nexus.repository.maven.rest.MavenHostedRepositoriesApiResource.updateRepository(MavenHostedRepositoriesApiResource.java:79)

      the invalid versionPolicy value is still written to the database:

      orientdb {db=config}> select attributes.maven from repository where repository_name = 'test'
      +----+--------------------------------------------------------------------+
      |# |attributes |
      +----+--------------------------------------------------------------------+
      |0 |{contentDisposition=ATTACHMENT, versionPolicy=, layoutPolicy=STRICT}|
      +----+--------------------------------------------------------------------+
      

      Furthermore, if Nexus is restarted after this update, it will fail to start with a validation exception similar to the one above, and the only ways to recover are a data restore or changing the attribute value directly in the DB.

      This issue exists with both Orient and NewDB.

      Expected:

      Updating a repository via the REST API should not allow invalid attribute values to be set which could result in start-up failures.

      Also, a misconfiguration of one repository should not prevent the entire instance from starting - there needs to be a method of recovery that does not require direct DB access or data restores.
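Until the server validates before it persists, a client-side pre-flight check is the cheapest mitigation: reject the update before it is sent. The script below is an added example, not Nexus code; it applies the same strict, case-sensitive enum matching the server's validator uses (empty string rejected) to the payload from this report. The accepted names (RELEASE/SNAPSHOT/MIXED, STRICT/PERMISSIVE, ATTACHMENT/INLINE) are the Nexus 3 Maven REST enum values; the helper names are ours.

```python
"""Pre-flight validator for a Nexus Maven hosted repository update payload.

Added example, not part of the Nexus code base. Enum names are the Nexus 3
Maven REST API values; validate_maven_section / safe_to_update are our own.
"""
import json

# Accepted values for the "maven" section. Matching is case-sensitive and an
# empty string is rejected, mirroring the strict coercion the server applies
# (after the update) and that the bug report's stack trace shows failing.
MAVEN_ENUMS = {
    "versionPolicy": {"RELEASE", "SNAPSHOT", "MIXED"},
    "layoutPolicy": {"STRICT", "PERMISSIVE"},
    "contentDisposition": {"ATTACHMENT", "INLINE"},
}


def validate_maven_section(payload: dict) -> list:
    """Return a list of problems; an empty list means the payload is safe to PUT."""
    maven = payload.get("maven")
    if not isinstance(maven, dict):
        return ['missing or non-object "maven" section']
    errors = []
    for key, allowed in MAVEN_ENUMS.items():
        value = maven.get(key)
        if value is None:
            errors.append(f"maven.{key}: missing")
        elif value not in allowed:
            errors.append(f"maven.{key}: {value!r} is not one of {sorted(allowed)}")
    return errors


def check_payload_json(payload_json: str) -> list:
    """Same check, starting from the JSON text that would be sent in the PUT body."""
    return validate_maven_section(json.loads(payload_json))


def safe_to_update(payload_json: str) -> bool:
    """Gate the update: only send the PUT when the payload validates cleanly."""
    return not check_payload_json(payload_json)


# Constructed sample: the report's payload, reduced to the sections that matter,
# with the empty versionPolicy that triggers the bug.
BAD_PAYLOAD = json.dumps({
    "name": "test", "online": True,
    "storage": {"blobStoreName": "default", "strictContentTypeValidation": True,
                "writePolicy": "allow_once"},
    "maven": {"versionPolicy": "", "layoutPolicy": "STRICT", "contentDisposition": "ATTACHMENT"},
})
GOOD_PAYLOAD = BAD_PAYLOAD.replace('"versionPolicy": ""', '"versionPolicy": "RELEASE"')

if __name__ == "__main__":
    for label, body in (("bad", BAD_PAYLOAD), ("good", GOOD_PAYLOAD)):
        print(label, check_payload_json(body) or "ok")
```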

        People

        Assignee: Unassigned
        Reporter: Hardeep Nagra
        Last Updated By: Peter Lynch
        Votes: 1
        Watchers: 5