From d39103bbb19b54384013cd7e1d373129e6f56b41 Mon Sep 17 00:00:00 2001
From: Rui Lopes
Date: Mon, 9 Dec 2024 08:39:45 +0000
Subject: [PATCH] use the nexus api to retrieve the nuget api key
---
 README.md | 3 +-
 .../groovy/get-jenkins-nuget-api-key.groovy | 16 ----------
 .../src/main/groovy/provision.groovy | 31 +------------------
 provision/use-nuget-repository.sh | 26 ++++++++++++++--
 4 files changed, 27 insertions(+), 49 deletions(-)
 delete mode 100644 provision/provision-nexus/src/main/groovy/get-jenkins-nuget-api-key.groovy
diff --git a/README.md b/README.md
index 4d23025..54bf99d 100644
--- a/README.md
+++ b/README.md
@@ -2,12 +2,13 @@ This is a Vagrant Environment for a [Nexus Repository OSS](https://github.com/so
 This will:
+* Configure Nexus through the API.
+ * Configure the NuGet `nuget-hosted` repository to accept pushing with an API key.
 * Configure Nexus through Groovy scripts.
 * Create the `adhoc-package` repository.
 * Create the `npm-group`, `npm-hosted` and `npmjs.org-proxy` repositories.
 * Create the `chocolatey-group`, `chocolatey-hosted` and `chocolatey.org-proxy` repositories.
 * Create the `powershell-group`, `powershell-hosted` and `powershellgallery.com-proxy` repositories.
- * Configure the NuGet `nuget-hosted` repository to accept pushing with an API key.
 * Schedule a task to remove the old snapshots from the `maven-snapshots` repository.
 * Create users and a custom `deployer` role.
 * Setup an Active Directory LDAP user authentication source (when `config_authentication='ldap'` is set inside the `provision-nexus.sh` file).
diff --git a/provision/provision-nexus/src/main/groovy/get-jenkins-nuget-api-key.groovy b/provision/provision-nexus/src/main/groovy/get-jenkins-nuget-api-key.groovy
deleted file mode 100644
index 53d6b1e..0000000
--- a/provision/provision-nexus/src/main/groovy/get-jenkins-nuget-api-key.groovy
+++ /dev/null
@@ -1,16 +0,0 @@
-import groovy.json.JsonOutput
-import org.sonatype.nexus.security.authc.apikey.ApiKeyStore
-import org.apache.shiro.subject.SimplePrincipalCollection
-
-def getNuGetApiKey(String userName) {
- realmName = "NexusAuthenticatingRealm"
- apiKeyDomain = "NuGetApiKey"
- principal = new SimplePrincipalCollection(userName, realmName)
- keyStore = container.lookup(ApiKeyStore.class.getName())
- apiKey = keyStore.getApiKey(apiKeyDomain, principal)
- return apiKey.toString()
-}
-
-return JsonOutput.toJson([
- apiKey: getNuGetApiKey("jenkins"),
-])
diff --git a/provision/provision-nexus/src/main/groovy/provision.groovy b/provision/provision-nexus/src/main/groovy/provision.groovy
index 23c480d..c20a728 100644
--- a/provision/provision-nexus/src/main/groovy/provision.groovy
+++ b/provision/provision-nexus/src/main/groovy/provision.groovy
@@ -6,7 +6,6 @@ import groovy.json.JsonOutput
 import org.sonatype.nexus.capability.CapabilityRegistry
 import org.sonatype.nexus.repository.config.WritePolicy
 import org.sonatype.nexus.security.user.UserSearchCriteria
-import org.sonatype.nexus.security.authc.apikey.ApiKeyStore
 import org.sonatype.nexus.security.realm.RealmManager
 import org.apache.shiro.subject.SimplePrincipalCollection
 import org.sonatype.nexus.scheduling.TaskScheduler
@@ -93,15 +92,6 @@ repository.createDockerProxy("docker-hub-proxy", "https://registry-1.docker.io",
 repository.createDockerGroup("docker-group", 6001, null, ["docker-hosted", "docker-hub-proxy"], true, "default", true)
-// see http://stackoverflow.com/questions/8138164/groovy-generate-random-string-from-given-character-set
-def random(String alphabet, int n) {
- new Random().with {
- (1..n).collect { alphabet[nextInt(alphabet.length())] }.join()
- }
-}
-jenkinsPassword = random((('A'..'Z')+('a'..'z')+('0'..'9')).join(), 16)
-
-
 // set the base url. this is used when sending emails.
 // see https://help.sonatype.com/display/NXRM3/Configuration#Configuration-BaseURLCreation
 core.baseUrl("https://" + java.net.InetAddress.localHost.canonicalHostName)
@@ -141,20 +131,6 @@ security.anonymousAccess = true
 // password is easier to remember.
 security.securitySystem.changePassword('admin', 'admin')
-// the intent is to get or create an NuGet API Key like the one we can see on the user page:
-// http://nexus.example.com:8081/#user/nugetapitoken.
-def getOrCreateNuGetApiKey(String userName) {
- realmName = "NexusAuthenticatingRealm"
- apiKeyDomain = "NuGetApiKey"
- principal = new SimplePrincipalCollection(userName, realmName)
- keyStore = container.lookup(ApiKeyStore.class.name)
- apiKey = keyStore.getApiKey(apiKeyDomain, principal)
- if (apiKey == null) {
- apiKey = keyStore.createApiKey(apiKeyDomain, principal)
- }
- return apiKey.toString()
-}
-
 // create users in the deployer role.
 // see https://github.com/sonatype/nexus-book-examples/blob/nexus-3.x/scripting/complex-script/security.groovy#L38
@@ -174,16 +150,11 @@ def addDeployerUser(firstName, lastName, email, userName, password) {
 } catch (org.sonatype.nexus.security.user.UserNotFoundException e) {
 user = security.addUser(userName, firstName, lastName, email, true, password, ["deployer"])
 }
- nuGetApiKey = getOrCreateNuGetApiKey(userName)
 }
-addDeployerUser("Jenkins", "Doe", "jenkins@example.com", "jenkins", jenkinsPassword)
+addDeployerUser("Jenkins", "Doe", "jenkins@example.com", "jenkins", "password")
 addDeployerUser("Alice", "Doe", "alice.doe@example.com", "alice.doe", "password")
 addDeployerUser("Bob", "Doe", "bob.doe@example.com", "bob.doe", "password")
-
-
-// get the jenkins NuGet API Key.
-jenkinsNuGetApiKey = getOrCreateNuGetApiKey("jenkins")
-
 realms = realmManager.configuration.realmNames
 users = security.securitySystem.searchUsers(new UserSearchCriteria())
 repositories = repository.repositoryManager.browse().collect { [name:it.name,type:it.type.value] }
diff --git a/provision/use-nuget-repository.sh b/provision/use-nuget-repository.sh
index eb9b338..fcd4f16 100644
--- a/provision/use-nuget-repository.sh
+++ b/provision/use-nuget-repository.sh
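Review bot: The `jenkins` deployer account now receives the literal `"password"` in the `addDeployerUser("Jenkins", …)` call, where the removed code generated a 16-character random value, and the same literal is repeated in `use-nuget-repository.sh`. For a throwaway Vagrant box this may be acceptable, but the account carries the `deployer` role and owns the NuGet push key, so any copy of this provisioning used outside the lab inherits a guessable credential. Consider keeping a generated password (drawn from `java.security.SecureRandom` rather than `new Random()`) and handing it to the shell script through a file under `/vagrant/shared`, or at minimum add a comment above the call such as `// lab-only credential; do not reuse outside this Vagrant environment`. The body of `addDeployerUser` begins outside this hunk.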
@@ -3,7 +3,29 @@ set -euxo pipefail
 nexus_domain=$(hostname --fqdn)
-. /vagrant/provision/nexus-groovy.sh
+# see the requests made when using https://nexus.example.com/#user/nugetapitoken UI.
+function get-jenkins-nuget-api-key {
+ local username='jenkins'
+ local password='password'
+ local user_token=$(http \
+ -a "$username:$password" \
+ --ignore-stdin \
+ --check-status \
+ POST https://$nexus_domain/service/extdirect \
+ action=rapture_Security \
+ method=authenticationToken \
+ type=rpc \
+ tid:=0 \
+ data:="[\"$(echo -n "$username" | base64 -w0)\",\"$(echo -n "$password" | base64 -w0)\"]" \
+ | jq -r .result.data)
+ http \
+ -a "$username:$password" \
+ --ignore-stdin \
+ --check-status \
+ GET https://$nexus_domain/service/rest/internal/nuget-api-key \
+ authToken=="$(echo -n "$user_token" | base64 -w0)" \
+ | jq -r .apiKey
+}
 mkdir -p tmp/use-nuget-repository && cd tmp/use-nuget-repository
@@ -19,7 +41,7 @@ fi
 nuget_source_url=https://$nexus_domain/repository/nuget-group/index.json
 nuget_source_push_url=https://$nexus_domain/repository/nuget-hosted/
-nuget_source_push_api_key=$(nexus-groovy get-jenkins-nuget-api-key | jq -r '.result | fromjson | .apiKey')
+nuget_source_push_api_key=$(get-jenkins-nuget-api-key)
 echo -n $nuget_source_push_api_key >/vagrant/shared/jenkins-nuget-api-key
 nuget_source_push_api_key="$(cat /vagrant/shared/jenkins-nuget-api-key)"
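Review bot: In `get-jenkins-nuget-api-key`, `local user_token=$(http … | jq -r .result.data)` discards the exit status of the command substitution, because `local` itself returns 0, so a failed `--check-status` on the first request does not stop the script under `set -e`. Declare and assign separately: `local user_token` on one line, then `user_token=$(http … | jq -r .result.data)`. The script also runs with `set -x` (see the hunk header context `set -euxo pipefail`), so the `-a "$username:$password"` argument, the session token and the returned API key all land in the provisioning trace; wrapping the function body in `set +x` … `set -x` keeps them out of logs. Both endpoints are taken from what the UI calls rather than from a documented API, so a comment like `# observed on Nexus <VERSION>; internal endpoint, may change` would help whoever has to fix it after an upgrade.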
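Review bot: The value assigned to `nuget_source_push_api_key` is written to `/vagrant/shared/jenkins-nuget-api-key` without any check that a key was actually returned; `jq -r .apiKey` prints the literal `null` and exits 0 when the field is missing from the response. Using `jq -er .apiKey` inside the function makes an absent key fail the pipeline under `pipefail`, or a guard can be added after this assignment: `[[ -n "$nuget_source_push_api_key" && "$nuget_source_push_api_key" != null ]] || exit 1`. The `echo -n $nuget_source_push_api_key` on the following context line is unquoted and would be safer as `printf '%s' "$nuget_source_push_api_key"`.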