Nexus 3 | How to create (external) users using Nexus 3 APIs? - nexus

I'm trying to create an external user on Nexus 3 using the Nexus 3 APIs. Following are the details:
Posting Groovy Script using: http://localhost:8081/nexus3/service/rest/v1/script
{
  "name": "d8b3baeb-628a-43cc-9a9c-9a156f399e2",
  "type": "groovy",
  "content": "security.addUser('q018246a', '', '', '', true, 'd8b3baeb-628a-43cc-9a9c-9a156f399ae2', ['abc_test_role Developer Role']);"
}
Running Script using: http://localhost:8081/nexus3/service/rest/v1/script/d8b3baeb-628a-43cc-9a9c-9a156f399e2/run
Response:
{
  "name": "d8b3baeb-628a-43cc-9a9c-9a156f399e2",
  "result": "User{userId='q018246a', firstName='', lastName='', source='default'}"
}
Hitting it through Postman, everything works fine and the users get created. But through the application server it gives Bad Request.
The awkward behaviour is that it lets me create a user through the Postman-posted script with a blank first_name, last_name, email and password, while all of these parameters are required in the UI.
Another thing: it shows the source as default, but how do I ensure the source is LDAP?

I assume you're trying to map an LDAP user? If so, this will work:
import org.sonatype.nexus.security.role.RoleIdentifier
import org.sonatype.nexus.security.user.User

String userId = 'someuser'
String newRoleId = 'nx-admin'

// Look the account up in the LDAP realm, not the internal ('default') realm
User user = security.securitySystem.getUser(userId, 'LDAP')
if (user != null) {
    // Roles are defined in the internal realm, so the role's source is 'default'
    RoleIdentifier newRole = new RoleIdentifier('default', newRoleId)
    user.addRole(newRole)
    // Persist the mapping for the LDAP-sourced user
    security.securitySystem.setUsersRoles(user.getUserId(), 'LDAP', user.getRoles())
} else {
    log.warn("No user with ID of $userId found.")
}
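A client-side helper for the Script API flow in the question, added here as an example (it is not code from the question, the answer or Sonatype): it quotes the addUser arguments so embedded quotes cannot break the Groovy, builds the create/run/delete calls, and reads the source realm back from the run response. It assumes the content types Sonatype documents for the Script API (application/json to upload a script, text/plain to run it) and basic-auth credentials supplied by the caller.

```python
import json
import re
import urllib.request
from base64 import b64encode

# Base URL from the question (Nexus served under the /nexus3 context path)
SCRIPT_API = "http://localhost:8081/nexus3/service/rest/v1/script"

def _gstr(value):
    # Groovy double-quoted literal: json.dumps gives valid escapes for quotes,
    # backslashes and control chars; '$' is escaped so no GString interpolation.
    return json.dumps(str(value)).replace("$", "\\$")

def groovy_add_user(user_id, first, last, email, password, roles, active=True):
    """Build the security.addUser(...) call from the question, with every
    argument quoted by _gstr so embedded quotes cannot break the script."""
    args = [_gstr(user_id), _gstr(first), _gstr(last), _gstr(email),
            "true" if active else "false", _gstr(password),
            "[" + ", ".join(_gstr(r) for r in roles) + "]"]
    return "security.addUser(%s)" % ", ".join(args)

def script_requests(script_name, groovy, auth):
    """The three Script API calls as (method, url, headers, body) tuples:
    upload the script as JSON, run it with a text/plain POST, then delete it
    so the password embedded in the script does not linger on the server."""
    token = b64encode("{}:{}".format(*auth).encode()).decode()
    base = {"Authorization": "Basic " + token}
    create = ("POST", SCRIPT_API, {**base, "Content-Type": "application/json"},
              json.dumps({"name": script_name, "type": "groovy",
                          "content": groovy}).encode())
    run = ("POST", "%s/%s/run" % (SCRIPT_API, script_name),
           {**base, "Content-Type": "text/plain"}, b"")
    delete = ("DELETE", "%s/%s" % (SCRIPT_API, script_name), base, None)
    return create, run, delete

def send(request):
    """Execute one tuple from script_requests(); returns (status, body)."""
    method, url, headers, body = request
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()

def user_source(run_body):
    """Realm from the run response, e.g. "User{..., source='default'}" ->
    'default'. addUser always creates in the internal realm, hence 'default';
    an LDAP account must be looked up from the LDAP realm instead."""
    match = re.search(r"source='([^']*)'", json.loads(run_body)["result"])
    return match.group(1) if match else None
```

Run it end to end with `for req in script_requests("adduser-tmp", groovy_add_user(...), ("admin", "<password>")): send(req)`, keeping the body of the second call to pass to `user_source`.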

Related

Hasura permissions question difference between admin and user

I am trying to figure out the difference between the admin role and the user role permissions when querying a Remote Schema, they both show that they have full access. However, when doing a query the user role cannot find one of the inputs for some reason. The query is
query SearchFacilities($getFacilitiesInput: GetFacilitiesInput!, $startDateInput: StartDateInput!) {
  facilities(getFacilitiesInput: $getFacilitiesInput) {
    facilityID
    permitEntrances(startDateInput: $startDateInput) {
      availability {
        remaining
      }
    }
  }
}
When running the query with the x-hasura-admin-secret it works fine. However, when I switch to the user role by setting a Bearer token for the user, I get the following error:
{
  "errors": [
    {
      "extensions": {
        "code": "validation-failed",
        "path": "$.selectionSet.facilities.selectionSet.permitEntrances"
      },
      "message": "'permitEntrances' has no argument named 'startDateInput'"
    }
  ]
}
They both have the same permissions according to the UI, in the remote schema section. Any ideas on what is causing this discrepancy? Been trying to figure this one out for a while, thanks for any help.

MS Graph API v1.0 cannot filter by onPremisesSamAccountName using Python requests

I'm attempting to use Python + requests to talk with MS Graph API (v1.0) in order to filter user objects by the onPremisesSamAccountName property but am receiving this error when sending the simple query:
import requests

# `result` is the token response from the earlier OAuth/MSAL flow (not shown)
endpoint = "https://graph.microsoft.com/v1.0/users"
query_parameters = {
    '$filter': 'onPremisesSamAccountName eq \'somevalue\'',
    '$select': 'id,displayName,mail,onPremisesSamAccountName'
}
user_graph_data = requests.get(
    endpoint,
    headers={'Authorization': 'Bearer ' + result['access_token']},
    params=query_parameters
).json()
==============================
{
  "error": {
    "code": "Request_UnsupportedQuery",
    "message": "Unsupported or invalid query filter clause specified for property 'onPremisesSamAccountName' of resource 'User'.",
    "innerError": {
      "date": "...",
      "request-id": "...",
      "client-request-id": "..."
    }
  }
}
I am able to filter using this field while using Microsoft's Graph Explorer:
https://developer.microsoft.com/en-us/graph/graph-explorer and the corresponding Javascript call in the developer console shows a successful call and response based on the filter with onPremisesSamAccountName.
The MS Graph docs for v1.0 state that this is a supported field for filtering as well:
Returned only on $select. Supports $filter (eq, ne, NOT, ge, le, in,
startsWith).
I'm also able to successfully filter using other fields such as 'mail' (i.e. changing the $filter string from 'onPremisesSamAccountName eq \'somevalue\'' to 'mail eq \'somevalue\'' works just fine), so I don't believe this is a syntactical error.

Certificate issue in Kestrel ssl JSON configuration

According to the Kestrel documentation it is possible to configure HTTPS using the appsettings.json file:
"HttpsInlineCertStore": {
  "Url": "https://+:5002",
  "Certificate": {
    "Subject": "<comma separated multi-line subject name>",
    "Store": "Root",
    "Location": "LocalMachine"
  }
}
This certificate definitely exists, and the following code finds it:
using (var certStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
{
    certStore.Open(OpenFlags.ReadOnly);
    // validOnly: true skips expired and untrusted certificates
    var certificates = certStore.Certificates.Find(
        X509FindType.FindBySubjectDistinguishedName,
        "<comma separated multi-line subject name>", true);
    return certificates.Count > 0 ? certificates[0] : null;
}
At the same time, if I search for the certificate by X509FindType.FindBySubjectName it finds nothing, and I believe this is the issue, even though Microsoft says that FindBySubjectDistinguishedName is the more specific search.
Finally I was able to fix this issue:
The subject is something like "CN=name, C=UK, ..." but if you want to use FindBySubjectName you must remove "CN=" from the search string and leave only the name, so it looks not like "CN=name" but like "name".

Can't create cloudsql role for Service Account via api

I have been trying to use the api to create service accounts in GCP.
To create a service account I send the following post request:
base_url = f"https://iam.googleapis.com/v1/projects/{project}/serviceAccounts"
auth = f"?access_token={access_token}"
data = {"accountId": name}
# Create a service Account
r = requests.post(base_url + auth, json=data)
this returns a 200 and creates a service account:
Then, this is the code that I use to create the specific roles:
sa = f"{name}@dotmudus-service.iam.gserviceaccount.com"
sa_url = base_url + f'/{sa}:setIamPolicy' + auth
data = {"policy":
    {"bindings": [
        {
            "role": roles,
            "members": [
                f"serviceAccount:{sa}"
            ]
        }
    ]}
}
If roles is set to one of roles/viewer, roles/editor or roles/owner this approach does work.
However, if I want to use, specifically, roles/cloudsql.viewer, the API tells me that this option is not supported.
Here are the roles.
https://cloud.google.com/iam/docs/understanding-roles
I don't want to give this service account full viewer rights to my project, it's against the principle of least privilege.
How can I set specific roles from the api?
EDIT:
Here is the response using the resource manager api: with roles/cloudsql.admin as the role
POST https://cloudresourcemanager.googleapis.com/v1/projects/{project}:setIamPolicy?key={YOUR_API_KEY}
{
  "policy": {
    "bindings": [
      {
        "members": [
          "serviceAccount:sa@{project}.iam.gserviceaccount.com"
        ],
        "role": "roles/cloudsql.viewer"
      }
    ]
  }
}
{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.cloudresourcemanager.projects.v1beta1.ProjectIamPolicyError",
        "type": "SOLO_REQUIRE_TOS_ACCEPTOR",
        "role": "roles/owner"
      }
    ]
  }
}
With the code provided it appears that you are appending to the first base_url, which is not the correct context to modify project roles.
This will try to place the appended path at: https://iam.googleapis.com/v1/projects/{project}/serviceAccount
The POST path for adding roles needs to be: https://cloudresourcemanager.googleapis.com/v1/projects/{project}:setIamPolicy
If you remove /serviceAccounts from the base_url it should work.
Edited response to add more information due to your edit:
OK, I see the issue here; sorry, but I had to set up a new project to test this.
cloudresourcemanager.projects.setIamPolicy needs to replace the entire policy. It appears that you can add constraints to what you change, but you have to submit a complete policy in JSON for the project.
Note that gcloud has a --log-http option that will help you dig through some of these issues. If you run
gcloud projects add-iam-policy-binding $PROJECT --member serviceAccount:$NAME --role roles/cloudsql.viewer --log-http
it will show you how it pulls the existing policy, appends the new role and adds it.
I would recommend using the example code provided here to make these changes if you don't want to use gcloud or the console to add the role to the user, as this could impact the entire project.
Hopefully they improve the API for this need.
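The read-modify-write that gcloud performs, as an added example (not the answer's code or Google's sample): fetch the project policy, append one binding, send the whole policy back with its etag. It assumes the v1 Resource Manager endpoints quoted in the thread and an OAuth bearer token passed in the Authorization header rather than as an access_token query parameter, so the credential does not land in proxy or server logs.

```python
import json
import urllib.request

CRM = "https://cloudresourcemanager.googleapis.com/v1/projects/"

def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to the binding for `role`.
    Every other binding (and the etag) is carried over untouched, which is the
    step gcloud performs between getIamPolicy and setIamPolicy."""
    updated = json.loads(json.dumps(policy))  # deep copy; caller's dict untouched
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated

def _post(url, token, body):
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def grant_project_role(project, member, role, token):
    """Read-modify-write of the project policy. The etag from getIamPolicy is
    sent back inside the policy, so a concurrent edit makes setIamPolicy fail
    instead of being silently overwritten."""
    current = _post("%s%s:getIamPolicy" % (CRM, project), token, {})
    return _post("%s%s:setIamPolicy" % (CRM, project), token,
                 {"policy": add_binding(current, role, member)})
```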

Google Admin SDK - Users: Patch - Issue using Strings

I have an issue using the Users: Patch API.
I am trying to patch the name of the primary organization of a user using the following request body:
{
  "organizations": [
    {
      "name": "Org. Name",
      "primary": true,
      "type": "work"
    }
  ]
}
The values of the user's entry get patched, but the result looks like:
{
  "organizations": [
    {
      "name": "\"Org. Name\"",
      "primary": true,
      "type": "work"
    }
  ]
}
The problem: the VCard entry of the user shows "Org. Name" instead of Org. Name as it should.
Is it possible to prevent the string getting formatted as a string again by the API?
Thank you for your help!
Lukas
