From 6a2aa8879bef797caa790e60016e7d5ce81f140a Mon Sep 17 00:00:00 2001 From: "john.bryan.j.sazon" Date: Thu, 30 Jun 2016 20:54:01 +0800 Subject: [PATCH 1/2] Added MOHH customizations specifically for creating custom roles, adding a proxy host and customizing LDAP authentication and have the option for Active Directory aligned some indentation to the original script aligned some indentation to the original script --- README.md | 23 ++++++- resources/nexus.sh | 166 +++++++++++++++++++++++++++++++++------------ 2 files changed, 144 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index f43e74c..c18f3e2 100644 --- a/README.md +++ b/README.md @@ -48,7 +48,7 @@ Example run command: -e LDAP_BIND_PASSWORD=password \ accenture/adop-nexus:VERSION -The image reads the following LDAP environment variables: +The image reads the following LDAP environment variables for ADOP OpenLDAP or LDAP_TYPE is 'openldap': * searchBase - `${LDAP_SEARCH_BASE}` * systemUsername - `${LDAP_BIND_DN}` @@ -68,6 +68,17 @@ The image reads the following LDAP environment variables: * userBaseDn - `${LDAP_USER_BASE_DN}` * userRealNameAttribute - `${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn}` +Additionally, the image reads the following LDAP environment variables if you want to use a Windows Active Directory or LDAP_TYPE is 'active_directory': + + * groupIdAttribute - `${LDAP_GROUP_ID_ATTRIBUTE:-cn}` + * groupMemberAttribute - `${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember}` + * groupObjectClass - `${LDAP_GROUP_OBJECT_CLASS:-groups}` + * userMemberOfAttribute - `${LDAP_USER_MEMBER_ATTRIBUTE:-memberOf}` + * userIdAttribute - `${LDAP_USER_ID_ATTRIBUTE:-sAMAccountName}` + * userObjectClass - `${LDAP_USER_OBJECT_CLASS:-person}` + * userBaseDn - `${LDAP_USER_BASE_DN}` + * userRealNameAttribute - `${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn}` + > [Sonatype/Nexus/plugin/LDAP/Documentation](https://books.sonatype.com/nexus-book/reference/ldap.html) ## Other configuration variables 
@@ -77,7 +88,15 @@ The image reads the following LDAP environment variables: * `MIN_HEAP`, passed as -Xms. Defaults to 256m. * `JAVA_OPTS`. Additional options can be passed to the JVM via this variable. Default: -server -XX:MaxPermSize=192m -Djava.net.preferIPv4Stack=true. * `NEXUS_BASE_URL`, the nexus base URL - + * `NEXUS_PROXY_HOST`, the proxy server that connects to Maven public repository. This is used if the Nexus Docker host has strict firewall implementation. + * `NEXUS_PROXY_PORT`, the proxy server port. + * `NEXUS_CENTRAL_REPO_URL`, if you want to change the Central Repo default maven public repository https://repo1.maven.org/maven2/ + * `NEXUS_CREATE_CUSTOM_ROLES`, if set to true, create custom roles according to the environment custom role variables:. + * `NEXUS_CUSTOM_ADMIN_ROLE` , if set, create a custom group name with nx-admin role. + * `NEXUS_CUSTOM_DEV_ROLE` , if set, create a custom group name with nx-developer role. + * `NEXUS_CUSTOM_DEPLOY_ROLE`, if set, create a custom group name with nx-deployment role. + + # License Please view [licence information](LICENCE.md) for the software contained on this image. diff --git a/resources/nexus.sh b/resources/nexus.sh index 2e08319..23502a3 100644 --- a/resources/nexus.sh +++ b/resources/nexus.sh 
@@ -10,63 +10,143 @@ cp -R /resources/* ${NEXUS_HOME}conf # Delete lock file if instance was not shutdown cleanly. if [ -e "${NEXUS_HOME}/nexus.lock" ] - then - echo "$(date) Application was not shutdown cleanly, deleting lock file." - rm -rf ${NEXUS_HOME}/nexus.lock + then + echo "$(date) Application was not shutdown cleanly, deleting lock file." + rm -rf ${NEXUS_HOME}/nexus.lock fi - + if [ -n "${NEXUS_BASE_URL}" ] - then - # Add base url - requests timeout if incorrect - sed -i "s#.*#${NEXUS_BASE_URL}#" ${NEXUS_HOME}/conf/nexus.xml - echo "$(date) Base URL: ${NEXUS_BASE_URL}" + then + # Add base url - requests timeout if incorrect + sed -i "s#.*#${NEXUS_BASE_URL}#" ${NEXUS_HOME}/conf/nexus.xml + echo "$(date) - Base URL: ${NEXUS_BASE_URL}" +fi + +# Update Remote proxy configuration +if [[ -n "${NEXUS_PROXY_HOST}" ]] && [[ -n "${NEXUS_PROXY_PORT}" ]] + then + echo "$(date) - Proxy Host: ${NEXUS_PROXY_HOST}" + echo "$(date) - Proxy Port: ${NEXUS_PROXY_PORT}" + REMOTE_PROXY_SETTINGS="\ + \n \ + \n ${NEXUS_PROXY_HOST}\ + \n ${NEXUS_PROXY_PORT}\ + \n \ + \n " + sed -i "s++${REMOTE_PROXY_SETTINGS}+" ${NEXUS_HOME}/conf/nexus.xml +fi + +# Update Central Repo configuration +if [ ! 
-z "${NEXUS_CENTRAL_REPO_URL}" ] + then + echo "$(date) - Central Repository URL: ${NEXUS_CENTRAL_REPO_URL}" + sed -i "s#https://repo1.maven.org/maven2/#${NEXUS_CENTRAL_REPO_URL}#" ${NEXUS_HOME}/conf/nexus.xml +fi + +# Create a custom Nexus Roles +if [ ${NEXUS_CREATE_CUSTOM_ROLES} = true ] + then + echo "$(date) - Administrator role added: ${NEXUS_CUSTOM_ADMIN_ROLE}" + echo "$(date) - Developer role added: ${NEXUS_CUSTOM_DEV_ROLE}" + echo "$(date) - Deployment role added: ${NEXUS_CUSTOM_DEPLOY_ROLE}" + INSERT_ROLE="\ + \n \ + \n ${NEXUS_CUSTOM_ADMIN_ROLE}\ + \n ${NEXUS_CUSTOM_ADMIN_ROLE}\ + \n \ + \n nx-admin\ + \n \ + \n \ + \n \ + \n ${NEXUS_CUSTOM_DEV_ROLE}\ + \n ${NEXUS_CUSTOM_DEV_ROLE}\ + \n \ + \n nx-developer\ + \n \ + \n \ + \n \ + \n ${NEXUS_CUSTOM_DEPLOY_ROLE}\ + \n ${NEXUS_CUSTOM_DEPLOY_ROLE}\ + \n \ + \n nx-deployment\ + \n \ + \n \ + \n " + sed -i "s++\n ${INSERT_ROLE}+" ${NEXUS_HOME}/conf/security.xml fi if [ "${LDAP_ENABLED}" = true ] then - + # Delete default authentication realms (XMLauth..) from Nexus if LDAP auth is enabled # If you get locked out of nexus, restart nexus with LDAP_ENABLED=false. 
sed -i "/[a-zA-Z]*Xml*[a-zA-Z]/d" ${NEXUS_HOME}/conf/security-configuration.xml - cat > ${NEXUS_HOME}/conf/ldap.xml <<- EOM - - - 2.8.0 - - ${LDAP_SEARCH_BASE} - ${LDAP_BIND_DN} - ${LDAP_BIND_PASSWORD} - simple - ldap - ${LDAP_URL} - ${LDAP_PORT:-389} - - - ${LDAP_USER_EMAIL_ATTRIBUTE:-mail} - ${LDAP_GROUPS_AS_ROLES:-true} - ${LDAP_GROUP_BASE_DN} - ${LDAP_GROUP_ID_ATTRIBUTE:-cn} - ${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember} - \${${LDAP_GROUP_MEMBER_FORMAT:-dn}} - ${LDAP_GROUP_OBJECT_CLASS:-groupOfUniqueNames} - ${LDAP_PREFERRED_PASSWORD_ENCODING:-crypt} - ${LDAP_USER_ID_ATTRIBUTE:-uid} - ${LDAP_USER_PASSWORD_ATTRIBUTE:-password} - ${LDAP_USER_OBJECT_CLASS:-inetOrgPerson} - ${LDAP_USER_BASE_DN} - ${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn} - - - EOM +# Define the correct LDAP user and group mapping configurations + LDAP_TYPE=${LDAP_TYPE:-openldap} + echo "$(date) - LDAP Type: ${LDAP_TYPE}" + + case $LDAP_TYPE in + 'openldap') + LDAP_USER_GROUP_CONFIG=" + ${LDAP_USER_EMAIL_ATTRIBUTE:-mail} + ${LDAP_GROUPS_AS_ROLES:-true} + ${LDAP_GROUP_BASE_DN} + ${LDAP_GROUP_ID_ATTRIBUTE:-cn} + ${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember} + \${${LDAP_GROUP_MEMBER_FORMAT:-dn}} + ${LDAP_GROUP_OBJECT_CLASS:-groupOfUniqueNames} + ${LDAP_PREFERRED_PASSWORD_ENCODING:-crypt} + ${LDAP_USER_ID_ATTRIBUTE:-uid} + ${LDAP_USER_PASSWORD_ATTRIBUTE:-password} + ${LDAP_USER_OBJECT_CLASS:-inetOrgPerson} + ${LDAP_USER_BASE_DN} + ${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn} + " + ;; + + 'active_directory') + LDAP_USER_GROUP_CONFIG=" + mail + ${LDAP_GROUPS_AS_ROLES:-true} + ${LDAP_GROUP_ID_ATTRIBUTE:-cn} + ${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember} + \${${LDAP_GROUP_MEMBER_FORMAT:-dn}} + ${LDAP_GROUP_OBJECT_CLASS:-groups} + ${LDAP_USER_ID_ATTRIBUTE:-sAMAccountName} + ${LDAP_USER_OBJECT_CLASS:-person} + ${LDAP_USER_BASE_DN} + ${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn} + ${LDAP_USER_MEMBER_ATTRIBUTE:-memberOf} + " + ;; + esac + +cat > ${NEXUS_HOME}/conf/ldap.xml <<- EOM + + + 2.8.0 + + ${LDAP_SEARCH_BASE} + ${LDAP_BIND_DN} + 
${LDAP_BIND_PASSWORD} + simple + ldap + ${LDAP_URL} + ${LDAP_PORT:-389} + +${LDAP_USER_GROUP_CONFIG} + +EOM + else - # Delete LDAP realm - sed -i "/[a-zA-Z]*Ldap*[a-zA-Z]/d" ${NEXUS_HOME}/conf/security-configuration.xml + # Delete LDAP realm + sed -i "/[a-zA-Z]*Ldap*[a-zA-Z]/d" ${NEXUS_HOME}/conf/security-configuration.xml fi - + # chown the nexus home directory chown -R nexus:nexus ${NEXUS_HOME} - + # start nexus as the nexus user su -c "java \ -Dnexus-work=${SONATYPE_WORK} -Dnexus-webapp-context-path=${CONTEXT_PATH} \ From f6bc731e2e28ae58a845a732f411f828483e4cf7 Mon Sep 17 00:00:00 2001 From: SachinKSingh28 Date: Wed, 7 Sep 2016 21:55:18 +0000 Subject: [PATCH 2/2] Updated the ldap configuration to work with active directory --- Dockerfile | 3 +- README.md | 2 +- resources/conf/{ => managed}/lvo-plugin.xml | 0 .../{ => managed}/security-configuration.xml | 0 resources/conf/{ => unmanaged}/nexus.xml | 0 resources/conf/{ => unmanaged}/security.xml | 5 +- resources/nexus.sh | 80 ++++++++++--------- 7 files changed, 49 insertions(+), 41 deletions(-) rename resources/conf/{ => managed}/lvo-plugin.xml (100%) rename resources/conf/{ => managed}/security-configuration.xml (100%) rename resources/conf/{ => unmanaged}/nexus.xml (100%) rename resources/conf/{ => unmanaged}/security.xml (92%) diff --git a/Dockerfile b/Dockerfile index e00e569..8c8265f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,6 +8,7 @@ ENV LDAP_ENABLED=true \ LDAP_SEARCH_BASE="" \ LDAP_URL="" \ LDAP_PORT=389 \ + LDAP_AUTH_PROTOCOL=ldap \ LDAP_USER_EMAIL_ATTRIBUTE=mail \ LDAP_GROUPS_AS_ROLES=true \ LDAP_GROUP_BASE_DN=ou=groups \ @@ -25,7 +26,7 @@ ENV LDAP_ENABLED=true \ USER root COPY resources/nexus.sh /usr/local/bin/ -COPY resources/conf/ /resources/ +COPY resources/ /resources/ RUN chmod u+x /usr/local/bin/nexus.sh diff --git a/README.md b/README.md index c18f3e2..ee01617 100644 --- a/README.md +++ b/README.md 
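Review bot: `if [ ${NEXUS_CREATE_CUSTOM_ROLES} = true ]` in the new custom-roles block leaves the expansion unquoted, so when the variable is unset or empty the test collapses to `[ = true ]` and the shell reports a unary-operator error instead of skipping the block; quote it as `if [ "${NEXUS_CREATE_CUSTOM_ROLES}" = true ]`, matching the quoted `"${LDAP_ENABLED}"` test a few lines below. The same unquoted test is carried into the second patch's `@@ -43,46 +49,40 @@` hunk of resources/nexus.sh. Separately, `NEXUS_PROXY_HOST`, `NEXUS_PROXY_PORT`, `NEXUS_CENTRAL_REPO_URL` and the three custom role names are spliced unescaped into `sed` replacement strings, so a value containing the chosen delimiter (`+` or `#`), `&` or a backslash alters or breaks the expression rather than being inserted literally; escape those characters before substitution (or emit the XML with a heredoc as the ldap.xml block already does) so an operator-supplied value cannot rewrite the wrong part of nexus.xml or security.xml.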
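Review bot: The new `LDAP_AUTH_PROTOCOL=ldap` default selects a plaintext directory connection, so the bind credentials from `LDAP_BIND_DN`/`LDAP_BIND_PASSWORD` are sent unencrypted to `LDAP_URL` unless the operator knows to override it, and nothing in this patch states what the accepted values are. A comment on the ENV line such as `# LDAP transport for ldap.xml <protocol>: ldap (plaintext) or ldaps` and the same note on the README's new `protocol - ${LDAP_AUTH_PROTOCOL}` entry would make the knob discoverable. The value is consumed in the last hunk of resources/nexus.sh, where it is written as `${LDAP_AUTH_PROTOCOL:-ldap}` into ldap.xml.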
@@ -53,6 +53,7 @@ The image reads the following LDAP environment variables for ADOP OpenLDAP or LD * searchBase - `${LDAP_SEARCH_BASE}` * systemUsername - `${LDAP_BIND_DN}` * systemPassword - `${LDAP_BIND_PASSWORD}` + * protocol - `${LDAP_AUTH_PROTOCOL}` * host - `${LDAP_URL}` * port - `${LDAP_PORT:-389}` * emailAddressAttribute - `${LDAP_USER_EMAIL_ATTRIBUTE:-mail}` @@ -73,7 +74,6 @@ Additionally, the image reads the following LDAP environment variables if you wa * groupIdAttribute - `${LDAP_GROUP_ID_ATTRIBUTE:-cn}` * groupMemberAttribute - `${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember}` * groupObjectClass - `${LDAP_GROUP_OBJECT_CLASS:-groups}` - * userMemberOfAttribute - `${LDAP_USER_MEMBER_ATTRIBUTE:-memberOf}` * userIdAttribute - `${LDAP_USER_ID_ATTRIBUTE:-sAMAccountName}` * userObjectClass - `${LDAP_USER_OBJECT_CLASS:-person}` * userBaseDn - `${LDAP_USER_BASE_DN}` diff --git a/resources/conf/lvo-plugin.xml b/resources/conf/managed/lvo-plugin.xml similarity index 100% rename from resources/conf/lvo-plugin.xml rename to resources/conf/managed/lvo-plugin.xml diff --git a/resources/conf/security-configuration.xml b/resources/conf/managed/security-configuration.xml similarity index 100% rename from resources/conf/security-configuration.xml rename to resources/conf/managed/security-configuration.xml diff --git a/resources/conf/nexus.xml b/resources/conf/unmanaged/nexus.xml similarity index 100% rename from resources/conf/nexus.xml rename to resources/conf/unmanaged/nexus.xml diff --git a/resources/conf/security.xml b/resources/conf/unmanaged/security.xml similarity index 92% rename from resources/conf/security.xml rename to resources/conf/unmanaged/security.xml index aaee3d6..8b7eb34 100644 --- a/resources/conf/security.xml +++ b/resources/conf/unmanaged/security.xml @@ -11,6 +11,9 @@ adop@adop + + + admin @@ -20,4 +23,4 @@ - \ No newline at end of file + diff --git a/resources/nexus.sh b/resources/nexus.sh index 23502a3..f45fc45 100644 --- a/resources/nexus.sh 
+++ b/resources/nexus.sh @@ -6,7 +6,13 @@ echo "$(date) - LDAP Enabled: ${LDAP_ENABLED}" # Copy config files. mkdir -p ${NEXUS_HOME}conf -cp -R /resources/* ${NEXUS_HOME}conf + +# Nexus configuration is split into two catagories - +# * Managed : Configuration which is updated everytime container is restarted +# * Unmanaged : Configuration which is copied only if the files is missing. +cp -R /resources/conf/managed/* ${NEXUS_HOME}conf +cp -R -n /resources/conf/unmanaged/* ${NEXUS_HOME}conf + # Delete lock file if instance was not shutdown cleanly. if [ -e "${NEXUS_HOME}/nexus.lock" ] 
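Review bot: The new comment has three spelling slips (`catagories`, `everytime`, `the files is missing`) and does not state the operational consequence of `cp -R -n`: once an unmanaged file exists in the mounted `${NEXUS_HOME}conf`, later changes to it in the image are never applied, so an operator must delete the copy to pick them up. Suggested wording: `# * Managed   : overwritten on every container start` / `# * Unmanaged : copied only if the file is missing; later image changes are not re-applied to an existing file`. The copies target `${NEXUS_HOME}conf` while the `sed` edits further down use `${NEXUS_HOME}/conf`; that only agrees when NEXUS_HOME ends in a slash, which is pre-existing but worth normalising while these lines are touched.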
@@ -43,46 +49,40 @@ if [ ! -z "${NEXUS_CENTRAL_REPO_URL}" ] sed -i "s#https://repo1.maven.org/maven2/#${NEXUS_CENTRAL_REPO_URL}#" ${NEXUS_HOME}/conf/nexus.xml fi -# Create a custom Nexus Roles -if [ ${NEXUS_CREATE_CUSTOM_ROLES} = true ] - then - echo "$(date) - Administrator role added: ${NEXUS_CUSTOM_ADMIN_ROLE}" - echo "$(date) - Developer role added: ${NEXUS_CUSTOM_DEV_ROLE}" - echo "$(date) - Deployment role added: ${NEXUS_CUSTOM_DEPLOY_ROLE}" - INSERT_ROLE="\ - \n \ - \n ${NEXUS_CUSTOM_ADMIN_ROLE}\ - \n ${NEXUS_CUSTOM_ADMIN_ROLE}\ - \n \ - \n nx-admin\ - \n \ - \n \ - \n \ - \n ${NEXUS_CUSTOM_DEV_ROLE}\ - \n ${NEXUS_CUSTOM_DEV_ROLE}\ - \n \ - \n nx-developer\ - \n \ - \n \ - \n \ - \n ${NEXUS_CUSTOM_DEPLOY_ROLE}\ - \n ${NEXUS_CUSTOM_DEPLOY_ROLE}\ +insert_role () { + ROLE=$1 + ROLE_TYPE=$2 + INSERT_ROLE="\ + \n ${ROLE}\ + \n ${ROLE}\ \n \ - \n nx-deployment\ + \n nx-${ROLE_TYPE}\ \n \ - \n \ - \n " - sed -i "s++\n ${INSERT_ROLE}+" ${NEXUS_HOME}/conf/security.xml -fi + \n " + if egrep "${ROLE}" ${NEXUS_HOME}/conf/security.xml >/dev/null ; then + echo "$(date) - Role ${ROLE} already exists, Skipping..." + else + echo "$(date) - ${ROLE_TYPE} role added: ${ROLE}" + sed -i "s++\n ${INSERT_ROLE}+" ${NEXUS_HOME}/conf/security.xml + fi +} if [ "${LDAP_ENABLED}" = true ] then - # Delete default authentication realms (XMLauth..) from Nexus if LDAP auth is enabled - # If you get locked out of nexus, restart nexus with LDAP_ENABLED=false. - sed -i "/[a-zA-Z]*Xml*[a-zA-Z]/d" ${NEXUS_HOME}/conf/security-configuration.xml - -# Define the correct LDAP user and group mapping configurations + if [ ${NEXUS_CREATE_CUSTOM_ROLES} = true ]; then + echo "$(date) - Creating custom roles and mappings..." 
+ [[ -n "${NEXUS_CUSTOM_ADMIN_ROLE}" ]] && insert_role ${NEXUS_CUSTOM_ADMIN_ROLE} admin + [[ -n "${NEXUS_CUSTOM_DEPLOY_ROLE}" ]] && insert_role ${NEXUS_CUSTOM_DEPLOY_ROLE} deployment + [[ -n "${NEXUS_CUSTOM_DEV_ROLE}" ]] && insert_role ${NEXUS_CUSTOM_DEV_ROLE} developer + fi + + echo "$(date) - Disabling default XMLauth..." + # Delete default authentication realms (XMLauth..) from Nexus if LDAP auth is enabled + # If you get locked out of nexus, restart nexus with LDAP_ENABLED=false. + sed -i "/[a-zA-Z]*Xml*[a-zA-Z]/d" ${NEXUS_HOME}/conf/security-configuration.xml + + # Define the correct LDAP user and group mapping configurations LDAP_TYPE=${LDAP_TYPE:-openldap} echo "$(date) - LDAP Type: ${LDAP_TYPE}" @@ -107,8 +107,9 @@ if [ "${LDAP_ENABLED}" = true ] 'active_directory') LDAP_USER_GROUP_CONFIG=" - mail + ${LDAP_USER_EMAIL_ATTRIBUTE:-mail} ${LDAP_GROUPS_AS_ROLES:-true} + ${LDAP_GROUP_BASE_DN} ${LDAP_GROUP_ID_ATTRIBUTE:-cn} ${LDAP_GROUP_MEMBER_ATTRIBUTE-uniqueMember} \${${LDAP_GROUP_MEMBER_FORMAT:-dn}} @@ -117,9 +118,12 @@ if [ "${LDAP_ENABLED}" = true ] ${LDAP_USER_OBJECT_CLASS:-person} ${LDAP_USER_BASE_DN} ${LDAP_USER_REAL_NAME_ATTRIBUTE:-cn} - ${LDAP_USER_MEMBER_ATTRIBUTE:-memberOf} " ;; + *) + echo "Unsupported LDAP_TYPE - ${LDAP_TYPE}. Only supports openldap or active_directory." + exit 1 + ;; esac cat > ${NEXUS_HOME}/conf/ldap.xml <<- EOM @@ -131,7 +135,7 @@ cat > ${NEXUS_HOME}/conf/ldap.xml <<- EOM ${LDAP_BIND_DN} ${LDAP_BIND_PASSWORD} simple - ldap + ${LDAP_AUTH_PROTOCOL:-ldap} ${LDAP_URL} ${LDAP_PORT:-389}
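Review bot: `egrep "${ROLE}" ${NEXUS_HOME}/conf/security.xml` in `insert_role` uses the role name as an unanchored regular expression over the whole file, so a name that occurs anywhere in security.xml (as part of a user name, an e-mail address, or another role's id) is reported as already existing and the role is silently not created, and a name containing regex metacharacters is misread; match a fixed string with `grep -Fq -- "${ROLE}"` at minimum, and ideally compare against the element that actually carries the role id. The same `${ROLE}` is spliced unescaped into the `sed` replacement string, where `+`, `&` or a backslash in the name breaks or redirects the edit. `ROLE`, `ROLE_TYPE` and `INSERT_ROLE` are global assignments inside the function and the callers pass the name unquoted (`insert_role ${NEXUS_CUSTOM_ADMIN_ROLE} admin`); `local` for the three variables and `insert_role "${NEXUS_CUSTOM_ADMIN_ROLE}" admin` keep a name with spaces from splitting into two arguments.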
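Review bot: The active_directory mapping now reads `LDAP_GROUP_BASE_DN` and `LDAP_USER_EMAIL_ATTRIBUTE`, but the README list for Active Directory edited in this same patch still omits groupBaseDn and emailAddressAttribute, so if that list is meant to be the complete AD variable set it no longer matches what the script consumes. Adding `* groupBaseDn - ${LDAP_GROUP_BASE_DN}` and `* emailAddressAttribute - ${LDAP_USER_EMAIL_ATTRIBUTE:-mail}` to that list would keep the documentation in step. The enclosing `case $LDAP_TYPE in` starts outside this hunk.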
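Review bot: The new `*)` branch prints its diagnostic to stdout and without the `$(date) - ` prefix every other message in this script uses; send it to stderr and keep the format consistent: `echo "$(date) - Unsupported LDAP_TYPE - ${LDAP_TYPE}. Only supports openldap or active_directory." >&2`. Exiting non-zero here is the right call, since without it ldap.xml would be written with an empty `LDAP_USER_GROUP_CONFIG`. The enclosing `if [ "${LDAP_ENABLED}" = true ]` block starts and ends outside this hunk.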