add support for ldap user authentication

.gitignore

@@ -2,3 +2,4 @@
 .idea/
 provision/provision-nexus/sources/
 shared/
+binaries/

README.md

@@ -10,6 +10,7 @@ This will:
   * Configure the NuGet `nuget-hosted` repository to accept pushing with an API key.
   * Schedule a task to remove the old snapshots from the `maven-snapshots` repository.
   * Create users and a custom `deployer` role.
+  * Setup an Active Directory LDAP user authentication source (when `config_authentication='ldap'` is set inside the `provision-nexus.sh` file).
   * For more details look inside the [provision/provision-nexus](provision/provision-nexus) directory.
 * Setup nginx as a Nexus HTTPS proxy and static file server.
 * Test the installed repositories by [using and publishing to them](provision/test.sh).

Vagrantfile

@@ -50,4 +50,9 @@ Vagrant.configure(2) do |config|
     config.vm.provision :shell, path: 'provision/windows/ps.ps1', args: ['use-chocolatey-repository.ps1', nexus_domain]
     config.vm.provision :shell, path: 'provision/windows/ps.ps1', args: ['use-powershell-repository.ps1', nexus_domain]
   end
+
+  config.trigger.before :up, :vm => ['nexus'] do
+    ldap_ca_cert_path = '../windows-domain-controller-vagrant/tmp/ExampleEnterpriseRootCA.der'
+    run "sh -c 'mkdir -p shared && cp #{ldap_ca_cert_path} shared'" if File.file? ldap_ca_cert_path
+  end
 end

provision/execute-provision-ldap.groovy-script.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -eux
+
+. /vagrant/provision/nexus-groovy.sh
+
+# run the provision script.
+response=$(nexus-groovy provision-ldap)
+echo "$response" | jq '.result | fromjson'

provision/provision-nexus.sh

@@ -2,6 +2,13 @@
 set -eux
 
 
+# use the local nexus user database.
+config_authentication='nexus'
+# OR use LDAP.
+# NB this assumes you are running the Active Directory from https://github.com/rgl/windows-domain-controller-vagrant.
+#config_authentication='ldap'
+
+
 # install java.
 apt-get install -y default-jre
 
@@ -45,6 +52,15 @@ sed -i -E 's,\.\./sonatype-work/,,g' bin/nexus.vmoptions
 popd
 
 
+# trust the LDAP server certificate for user authentication (when enabled).
+# NB this assumes you are running the Active Directory from https://github.com/rgl/windows-domain-controller-vagrant.
+if [ "$config_authentication" = 'ldap' ]; then
+echo '192.168.56.2 dc.example.com' >>/etc/hosts
+openssl x509 -inform der -in /vagrant/shared/ExampleEnterpriseRootCA.der -out /usr/local/share/ca-certificates/ExampleEnterpriseRootCA.crt
+update-ca-certificates
+fi
+
+
 # start nexus.
 cat >/etc/systemd/system/nexus.service <<'EOF'
 [Unit]
@@ -78,3 +94,8 @@ wget -qO- http://localhost:8081/service/extdirect/poll/rapture_State_get | jq .d
 
 # configure nexus with the groovy script.
 bash /vagrant/provision/execute-provision.groovy-script.sh
+
+# configure nexus ldap with a groovy script.
+if [ "$config_authentication" = 'ldap' ]; then
+    bash /vagrant/provision/execute-provision-ldap.groovy-script.sh
+fi

provision/provision-nexus/Makefile

@@ -1,3 +1,5 @@
+all: sources binaries
+
 sources: sources-download
 	mkdir -p sources
 	cd sources && \
@@ -11,7 +13,14 @@ sources: sources-download
 sources-download:
 	mvn dependency:sources
 
-clean:
+binaries: binaries-download
-	rm -rf sources
 
-.PHONY: sources sources-download clean
+binaries-download:
+	mkdir -p binaries
+	wget -qO- https://sonatype-download.global.ssl.fastly.net/nexus/3/nexus-3.6.0-02-unix.tar.gz \
+		| tar xzf - --strip-components 1 -C binaries
+
+clean:
+	rm -rf sources binaries
+
+.PHONY: sources sources-download binaries-download clean

provision/provision-nexus/README.md

@@ -3,7 +3,7 @@ Open this directory with [IntelliJ IDEA Community Edition](https://www.jetbrains
 Inside IDEA you can browse the sources with `control+left-click` to see which methods are available.
 
 To execute the `src/main/groovy/provision.groovy` file inside the Vagrant
-environment run `bash /vagrant/execute-provision.groovy-script.sh`.
+environment run `bash /vagrant/provision/execute-provision.groovy-script.sh`.
 
 For more information see the Nexus [scripting documentation](https://help.sonatype.com/display/NXRM3/REST+and+Integration+API) and [examples](https://github.com/sonatype/nexus-book-examples/tree/nexus-3.x/scripting).
 

provision/provision-nexus/pom.xml

@@ -46,5 +46,12 @@
       <artifactId>nexus-script-plugin</artifactId>
       <version>${nx-version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.sonatype.nexus.plugins</groupId>
+      <artifactId>nexus-ldap-plugin</artifactId>
+      <version>${nx-version}</version>
+      <scope>system</scope>
+      <systemPath>${project.basedir}/binaries/system/com/sonatype/nexus/plugins/nexus-ldap-plugin/${nx-version}/nexus-ldap-plugin-${nx-version}.jar</systemPath>
+    </dependency>
   </dependencies>
 </project>

provision/provision-nexus/provision-nexus.iml

@@ -139,5 +139,14 @@
     <orderEntry type="library" name="Maven: org.apache.maven.archetype:archetype-catalog:2.4" level="project" />
     <orderEntry type="library" name="Maven: org.sonatype.nexus.plugins:nexus-repository-raw:3.6.0-02" level="project" />
     <orderEntry type="library" name="Maven: org.sonatype.nexus.plugins:nexus-script-plugin:3.6.0-02" level="project" />
+    <orderEntry type="module-library">
+      <library name="Maven: org.sonatype.nexus.plugins:nexus-ldap-plugin:3.6.0-02">
+        <CLASSES>
+          <root url="jar://$MODULE_DIR$/binaries/system/com/sonatype/nexus/plugins/nexus-ldap-plugin/3.6.0-02/nexus-ldap-plugin-3.6.0-02.jar!/" />
+        </CLASSES>
+        <JAVADOC />
+        <SOURCES />
+      </library>
+    </orderEntry>
   </component>
 </module>

provision/provision-nexus/src/main/groovy/provision-ldap.groovy

@@ -0,0 +1,47 @@
+// run this file inside the Vagrant environment with bash /vagrant/provision/execute-provision-ldap.groovy-script.sh
+// see https://help.sonatype.com/display/NXRM3/REST+and+Integration+API
+// see https://github.com/sonatype/nexus-book-examples/tree/nexus-3.x/scripting/nexus-script-example
+
+import groovy.json.JsonOutput
+import org.sonatype.nexus.ldap.persist.LdapConfigurationManager
+import org.sonatype.nexus.ldap.persist.entity.Connection
+import org.sonatype.nexus.ldap.persist.entity.LdapConfiguration
+import org.sonatype.nexus.ldap.persist.entity.Mapping
+
+ldapManager = container.lookup(LdapConfigurationManager.class.name)
+
+if (!ldapManager.listLdapServerConfigurations().any { it.name == "dc.example.com" }) {
+    ldapManager.addLdapServerConfiguration(
+            new LdapConfiguration(
+                    name: 'dc.example.com',
+                    connection: new Connection(
+                            host: new Connection.Host(Connection.Protocol.ldaps, 'dc.example.com', 636),
+                            connectionTimeout: 30,
+                            connectionRetryDelay: 300,
+                            maxIncidentsCount: 3,
+                            searchBase: 'dc=example,dc=com',
+                            authScheme: 'simple',
+                            systemUsername: 'jane.doe@example.com',
+                            systemPassword: 'HeyH0Password',
+                    ),
+                    mapping: new Mapping(
+                            userBaseDn: 'cn=users',
+                            userObjectClass: 'user',
+                            ldapFilter: '(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
+                            userIdAttribute: 'sAMAccountName',
+                            userRealNameAttribute: 'cn',
+                            emailAddressAttribute: 'mail',
+                            userPasswordAttribute: '',
+                            ldapGroupsAsRoles: true,
+                            userMemberOfAttribute: 'memberOf',
+                    )
+            )
+    )
+}
+
+ldapUsers = security.securitySystem.searchUsers(new UserSearchCriteria(source: 'LDAP'))
+return JsonOutput.toJson([
+        ldapUsers: ldapUsers.sort { it.userId },
+        ldapGroups: security.securitySystem.listRoles('LDAP').sort { it.roleId },
+        roles: security.securitySystem.listRoles().sort { it.roleId },
+])