1 | 1 | # nexus-google-iam-proxy |
2 | 2 | A proxy for authenticating Nexus Repository Manager OSS users against Google Cloud IAM. |
| 3 | + |
| 4 | +## Pre-requisites |
| 5 | + |
| 6 | +* JDK 8. |
| 7 | +* A GCP organization. |
| 8 | +* A GCP project with the _Cloud Resources Manager_ API enabled. |
| 9 | +* A set of credentials of type _OAuth Client ID_ obtained from _GCP > API Manager > Credentials_. |
| 10 | +* Proper configuration of the resulting client with respect to the redirect URL. |
| 11 | +* A running and properly configured instance of Nexus. |
| 12 | + |
| 13 | +## Generating the Keystore |
| 14 | + |
| 15 | +The following command will generate a suitable keystore for signing JWTs: |
| 16 | + |
| 17 | +```bash |
| 18 | +$ keytool -genkey \ |
| 19 | + -keystore keystore.jceks \ |
| 20 | + -storetype jceks \ |
| 21 | + -keyalg RSA \ |
| 22 | + -keysize 2048 \ |
| 23 | + -alias RS256 \ |
| 24 | + -sigalg SHA256withRSA \ |
| 25 | + -dname "CN=,OU=,O=,L=,ST=,C=" \ |
| 26 | + -validity 3651 |
| 27 | +``` |
| 28 | + |
| 29 | +You will be prompted for two passwords. Please make sure they are the same. Feel free to change the value of the `dname`, `keystore` and `validity` parameters. |
| 30 | + |
| 31 | +## Building |
| 32 | + |
| 33 | +The following command will build the project and generate a runnable jar: |
| 34 | + |
| 35 | +```bash |
| 36 | +$ ./gradlew build |
| 37 | +``` |
| 38 | + |
| 39 | +## Running |
| 40 | + |
| 41 | +The following command will run the proxy on port `8080` pointing to a local |
| 42 | +Nexus instance: |
| 43 | + |
| 44 | +```bash |
| 45 | +$ ALLOWED_USER_AGENTS_ON_ROOT_REGEX="GoogleHC" \ |
| 46 | + AUTH_CACHE_TTL="60000" \ |
| 47 | + BIND_PORT="8080" \ |
| 48 | + CLIENT_ID="my-client-id" \ |
| 49 | + CLIENT_SECRET="my-client-secret" \ |
| 50 | + KEYSTORE_PATH="./.secrets/keystore.jceks" \ |
| 51 | + KEYSTORE_PASS="my-keystore-password" \ |
| 52 | + NEXUS_DOCKER_HOST="containers.example.com" \ |
| 53 | + NEXUS_HTTP_HOST="nexus.example.com" \ |
| 54 | + NEXUS_RUT_HEADER="X-Forwarded-User" \ |
| 55 | + ORGANIZATION_ID="123412341234" \ |
| 56 | + REDIRECT_URL="https://nexus.example.com/oauth/callback" \ |
| 57 | + SESSION_TTL="1440000" \ |
| 58 | + TLS_ENABLED="false" \ |
| 59 | + UPSTREAM_DOCKER_PORT="5000" \ |
| 60 | + UPSTREAM_HTTP_PORT="8081" \ |
| 61 | + UPSTREAM_HOST="localhost" \ |
| 62 | + java -jar ./build/libs/nexus-proxy.jar |
| 63 | +``` |
| 64 | + |
| 65 | +Please check below for a description of all the supported environment variables. |
| 66 | + |
| 67 | +## Environment Variables |
| 68 | + |
| 69 | +| Name | Description | |
| 70 | +|-------------------------------------|-------------| |
| 71 | +| `ALLOWED_USER_AGENTS_ON_ROOT_REGEX` | A regex against which to match the `User-Agent` of requests to `GET /` so that they can be answered with `200 OK`. | |
| 72 | +| `AUTH_CACHE_TTL` | The amount of time (in _milliseconds_) during which to cache the fact that a given user is authorized to make requests. | |
| 73 | +| `BIND_PORT` | The port on which to listen for incoming requests. | |
| 74 | +| `CLIENT_ID` | The application's client ID in _GCP / API Manager / Credentials_. | |
| 75 | +| `CLIENT_SECRET` | The abovementioned application's client secret. | |
| 76 | +| `KEYSTORE_PATH` | The path to the keystore containing the key with which to sign JWTs. | |
| 77 | +| `KEYSTORE_PASS` | The password of the abovementioned keystore. | |
| 78 | +| `NEXUS_DOCKER_HOST` | The host used to access the Nexus Docker registry. | |
| 79 | +| `NEXUS_HTTP_HOST` | The host used to access the Nexus UI and Maven repositories. | |
| 80 | +| `NEXUS_RUT_HEADER` | The name of the header which will convey auth info to Nexus. | |
| 81 | +| `ORGANIZATION_ID` | The ID of the organization against which to validate users' membership. | |
| 82 | +| `REDIRECT_URL` | The URL where to redirect users after the OAuth2 consent screen. | |
| 83 | +| `SESSION_TTL` | The TTL (in _milliseconds_) of a user's session. | |
| 84 | +| `TLS_CERT_PK12_PATH` | The path to the PK12 file to use when enabling TLS. | |
| 85 | +| `TLS_CERT_PK12_PASS` | The password of the PK12 file to use when enabling TLS. | |
| 86 | +| `TLS_ENABLED` | Whether to enable TLS. | |
| 87 | +| `UPSTREAM_DOCKER_PORT` | The port where the proxied Nexus Docker registry listens. | |
| 88 | +| `UPSTREAM_HTTP_PORT` | The port where the proxied Nexus instance listens. | |
| 89 | +| `UPSTREAM_HOST` | The host where the proxied Nexus instance listens. | |
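Review bot: the `NEXUS_RUT_HEADER` row (and the `UPSTREAM_HOST` / `UPSTREAM_HTTP_PORT` rows) should state the trust assumption this design depends on: the proxy must overwrite, never pass through, any client-supplied `X-Forwarded-User` header, and the Nexus listener on `UPSTREAM_HTTP_PORT` (8081 in the example) must be reachable only from the proxy. Without both, a client that can set its own `X-Forwarded-User: admin` or connect to port 8081 directly is authenticated as whoever it names, and the Google IAM check is bypassed entirely. The Running example also sets `TLS_ENABLED="false"` while `REDIRECT_URL` is `https://nexus.example.com/oauth/callback` and `CLIENT_SECRET` / `KEYSTORE_PASS` are passed on the command line; a sentence noting that the plain-HTTP listener must sit behind a TLS terminator (or that `TLS_ENABLED="true"` with `TLS_CERT_PK12_PATH` / `TLS_CERT_PK12_PASS` should be used), that the signed session JWT otherwise travels in clear, and that secrets in environment variables show up in shell history and process listings would save operators from a predictable misconfiguration. Minor: the keystore section could say why the two prompted passwords must match (the proxy reads a single `KEYSTORE_PASS` for both store and key), e.g. by adding `-storepass` and `-keypass` with the same value to the `keytool` invocation, and `-genkey` is the deprecated spelling of `-genkeypair`.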