From 84921427328a50ccd09aba0099a28a41537bfcb6 Mon Sep 17 00:00:00 2001 From: Julien Baudon Date: Mon, 14 Oct 2024 15:12:31 +0200 Subject: [PATCH 1/8] add Nexus context path configuration --- entrypoint.sh | 18 ++++++++++++------ nexus_allowlist/cli.py | 10 ++++++++++ nexus_allowlist/nexus.py | 3 ++- 3 files changed, 24 insertions(+), 7 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 2640fc5..1ccbfe9 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,6 +5,12 @@ export ALLOWLIST_DIR=/allowlists export PYPI_ALLOWLIST="$ALLOWLIST_DIR"/pypi.allowlist export CRAN_ALLOWLIST="$ALLOWLIST_DIR"/cran.allowlist +if [ -z "$NEXUS_PATH" ] + export CONNECT_ARGS="--admin-password $NEXUS_ADMIN_PASSWORD --nexus-host $NEXUS_HOST --nexus-port $NEXUS_PORT" +else + export CONNECT_ARGS="--admin-password $NEXUS_ADMIN_PASSWORD --nexus-host $NEXUS_HOST --nexus-port $NEXUS_PORT --nexus-path $NEXUS_PATH" +fi + timestamp() { date -Is } 
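Review bot: `export CONNECT_ARGS="--admin-password $NEXUS_ADMIN_PASSWORD …"` in the first entrypoint.sh hunk flattens the admin password and the other connection values into one space-joined string, and the later hunks (`@@ -36,14 +42,14 @@`, `@@ -51,13 +57,13 @@`, `@@ -65,5 +71,5 @@`) expand it unquoted, so a password or path containing whitespace or glob characters is split or expanded into different arguments. The `export` also copies the password into a second environment variable inherited by every child process, which nothing visible here needs. Keeping the values as separate words avoids both: `set -- --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-port "$NEXUS_PORT"`, then `[ -n "$NEXUS_PATH" ] && set -- "$@" --nexus-path "$NEXUS_PATH"`, and call `nexus-allowlist "$@" test-authentication` (this assumes the script does not use its own positional parameters, which the hunks do not show). The added `if [ -z "$NEXUS_PATH" ]` line is also missing `; then`, so the script does not parse as committed in this patch.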
@@ -36,14 +42,14 @@ nexus-allowlist --version # Initial configuration if [ -f "$NEXUS_DATA_DIR/admin.password" ]; then echo "$(timestamp) Initial password file present, running initial configuration" - nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-port "$NEXUS_PORT" change-initial-password --path "$NEXUS_DATA_DIR" - nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-port "$NEXUS_PORT" initial-configuration --packages "$NEXUS_PACKAGES" --pypi-package-file "$ALLOWLIST_DIR/pypi.allowlist" --cran-package-file "$ALLOWLIST_DIR/cran.allowlist" + nexus-allowlist $CONNECT_ARGS change-initial-password --path "$NEXUS_DATA_DIR" + nexus-allowlist $CONNECT_ARGS initial-configuration --packages "$NEXUS_PACKAGES" --pypi-package-file "$ALLOWLIST_DIR/pypi.allowlist" --cran-package-file "$ALLOWLIST_DIR/cran.allowlist" else echo "$(timestamp) No initial password file found, skipping initial configuration" fi # Test authentication -if ! nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-port "$NEXUS_PORT" test-authentication; then +if ! nexus-allowlist $CONNECT_ARGS test-authentication; then echo "$(timestamp) API authentication test failed, exiting" exit 1 fi 
@@ -51,13 +57,13 @@ fi if [ -n "$ENTR_FALLBACK" ]; then echo "$(timestamp) Using fallback file monitoring" # Run allowlist configuration now - nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-port "$NEXUS_PORT" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" + nexus-allowlist $CONNECT_ARGS update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" # Periodically check for modification of allowlist files and run configuration again when they are hash=$(hashes) while true; do new_hash=$(hashes) if [ "$hash" != "$new_hash" ]; then - nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-port "$NEXUS_PORT" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" + nexus-allowlist $CONNECT_ARGS update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" hash=$new_hash fi sleep 5 @@ -65,5 +71,5 @@ if [ -n "$ENTR_FALLBACK" ]; then else echo "$(timestamp) Using entr for file monitoring" # Run allowlist configuration now, and again whenever allowlist files are modified - find "$ALLOWLIST_DIR"/*.allowlist | entr -n nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-port "$NEXUS_PORT" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" + find "$ALLOWLIST_DIR"/*.allowlist | entr -n nexus-allowlist $CONNECT_ARGS update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" fi diff --git a/nexus_allowlist/cli.py b/nexus_allowlist/cli.py index e2eca20..bad5cfe 100644 --- a/nexus_allowlist/cli.py +++ b/nexus_allowlist/cli.py 
@@ -40,6 +40,12 @@ def main() -> None: default="80", help="Port of the Nexus server (default 80)", ) + parser.add_argument( + "--nexus-path", + type=str, + default="", + help="Context path of the Nexus server (default /)", + ) parser.add_argument( "--version", action="version", @@ -138,6 +144,7 @@ def change_initial_password(args: argparse.Namespace) -> None: password=initial_password, nexus_host=args.nexus_host, nexus_port=args.nexus_port, + nexus_path=args.nexus_path, ) nexus_api.change_admin_password(args.admin_password) @@ -148,6 +155,7 @@ def test_authentiation(args: argparse.Namespace) -> None: password=args.admin_password, nexus_host=args.nexus_host, nexus_port=args.nexus_port, + nexus_path=args.nexus_path, ) if not nexus_api.test_auth(): @@ -178,6 +186,7 @@ def initial_configuration(args: argparse.Namespace) -> None: password=args.admin_password, nexus_host=args.nexus_host, nexus_port=args.nexus_port, + nexus_path=args.nexus_path, ) # Ensure only desired repositories exist @@ -221,6 +230,7 @@ def update_allow_lists(args: argparse.Namespace) -> None: password=args.admin_password, nexus_host=args.nexus_host, nexus_port=args.nexus_port, + nexus_path=args.nexus_path, ) # Parse allowlists diff --git a/nexus_allowlist/nexus.py b/nexus_allowlist/nexus.py index d11796b..16b6bdc 100644 --- a/nexus_allowlist/nexus.py +++ b/nexus_allowlist/nexus.py @@ -33,8 +33,9 @@ def __init__( username: str = "admin", nexus_host: str, nexus_port: str, + nexus_path: str, ) -> None: - self.nexus_api_root = f"http://{nexus_host}:{nexus_port}/service/rest" + self.nexus_api_root = f"http://{nexus_host}:{nexus_port}{nexus_path}/service/rest" self.username = username self.password = password From 47687139a179babb808a12505ee7436d98436e90 Mon Sep 17 00:00:00 2001 From: Julien Baudon Date: Mon, 14 Oct 2024 15:50:16 +0200 Subject: [PATCH 2/8] bump version --- entrypoint.sh | 2 +- nexus_allowlist/__about__.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
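Review bot: The help text for `--nexus-path` in `main()` says `(default /)` while the argument is declared with `default=""`, and the two are not interchangeable: the nexus.py hunk in this patch pastes the value straight in front of `/service/rest`, so passing the documented `/` yields `…//service/rest`. Either describe the real default, `help="Context path of the Nexus server, e.g. /nexus (default: none)"`, or normalise the value after parsing so that `/`, `nexus` and `/nexus/` all behave. `main()` starts and continues outside this hunk.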
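Review bot: In the nexus.py hunk, `nexus_path` is interpolated directly after the port in `self.nexus_api_root` with no validation, so a value that does not start with `/` is parsed as part of the URL authority rather than the path, which changes where requests built from this root (presumably carrying the admin username and password stored just below) are sent; a trailing slash produces `//service/rest`. Normalising in `__init__` closes both cases: `nexus_path = "/" + nexus_path.strip("/") if nexus_path.strip("/") else ""`. The new keyword also has no default, so any caller of this constructor other than the four updated in cli.py now raises `TypeError`; `nexus_path: str = ""` keeps it backward-compatible. The `__init__` signature and body extend beyond the hunk.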
diff --git a/entrypoint.sh b/entrypoint.sh index 1ccbfe9..77e1d9b 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,7 +5,7 @@ export ALLOWLIST_DIR=/allowlists export PYPI_ALLOWLIST="$ALLOWLIST_DIR"/pypi.allowlist export CRAN_ALLOWLIST="$ALLOWLIST_DIR"/cran.allowlist -if [ -z "$NEXUS_PATH" ] +if [ -z "$NEXUS_PATH" ]; then export CONNECT_ARGS="--admin-password $NEXUS_ADMIN_PASSWORD --nexus-host $NEXUS_HOST --nexus-port $NEXUS_PORT" else export CONNECT_ARGS="--admin-password $NEXUS_ADMIN_PASSWORD --nexus-host $NEXUS_HOST --nexus-port $NEXUS_PORT --nexus-path $NEXUS_PATH" diff --git a/nexus_allowlist/__about__.py b/nexus_allowlist/__about__.py index 60be16e..2d81ab7 100644 --- a/nexus_allowlist/__about__.py +++ b/nexus_allowlist/__about__.py @@ -1 +1 @@ -__version__ = "v0.10.0" +__version__ = "v0.11.0" From 7a6871d6a91e88ad7a5900ae7d6a95cfb168ce21 Mon Sep 17 00:00:00 2001 From: Julien Baudon Date: Mon, 14 Oct 2024 17:00:25 +0200 Subject: [PATCH 3/8] document NEXUS_PATH --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 4d0882a..f49157b 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ Check and, if you would like, change the following environment variables for the | NEXUS_PACKAGES | Whether to allow all packages or only selected packages [`all`, `selected`] | | NEXUS_HOST | Hostname of Nexus OSS host | | NEXUS_PORT | Port of Nexus OSS | +| NEXUS_PATH | [Context path](https://help.sonatype.com/en/configuring-the-runtime-environment.html#changing-the-context-path) of Nexus OSS. Only used if the Nexus is hosted behind a reverse proxy with a URL like `https://your_url.domain/nexus/`. If not defined, the base URI remains `/`. | | ENTR_FALLBACK | If defined, don't use `entr` to check for allowlist updates (this will be less reactive but we have found `entr` to not work in some situations) | Example allowlist files are included in the repository for [PyPI](allowlists/pypi.allowlist) and [CRAN](allowlists/cran.allowlist). 
From 635ec20b7ed00777faec1a21e2fa4ca180392ed6 Mon Sep 17 00:00:00 2001 From: Julien Baudon Date: Fri, 18 Oct 2024 09:50:12 +0200 Subject: [PATCH 4/8] fix Double quote to prevent globbing and word splitting. [SC2086] --- entrypoint.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 77e1d9b..41b5d3b 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -42,14 +42,14 @@ nexus-allowlist --version # Initial configuration if [ -f "$NEXUS_DATA_DIR/admin.password" ]; then echo "$(timestamp) Initial password file present, running initial configuration" - nexus-allowlist $CONNECT_ARGS change-initial-password --path "$NEXUS_DATA_DIR" - nexus-allowlist $CONNECT_ARGS initial-configuration --packages "$NEXUS_PACKAGES" --pypi-package-file "$ALLOWLIST_DIR/pypi.allowlist" --cran-package-file "$ALLOWLIST_DIR/cran.allowlist" + nexus-allowlist "$CONNECT_ARGS" change-initial-password --path "$NEXUS_DATA_DIR" + nexus-allowlist "$CONNECT_ARGS" initial-configuration --packages "$NEXUS_PACKAGES" --pypi-package-file "$ALLOWLIST_DIR/pypi.allowlist" --cran-package-file "$ALLOWLIST_DIR/cran.allowlist" else echo "$(timestamp) No initial password file found, skipping initial configuration" fi # Test authentication -if ! nexus-allowlist $CONNECT_ARGS test-authentication; then +if ! nexus-allowlist "$CONNECT_ARGS" test-authentication; then echo "$(timestamp) API authentication test failed, exiting" exit 1 fi 
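Review bot: Quoting the whole variable as `"$CONNECT_ARGS"` makes the shell pass the entire flag string as a single argument, so `nexus-allowlist` receives one word `--admin-password … --nexus-port …` instead of separate flags and values and will most likely reject it; this applies to all six calls in this patch, including the `@@ -57,13 +57,13 @@` and `@@ -71,5 +71,5 @@` hunks. SC2086 is right that the unquoted form is unsafe, but the remedy is to quote each value, not the joined string: `nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-port "$NEXUS_PORT" ${NEXUS_PATH:+--nexus-path "$NEXUS_PATH"} test-authentication`.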
@@ -57,13 +57,13 @@ fi if [ -n "$ENTR_FALLBACK" ]; then echo "$(timestamp) Using fallback file monitoring" # Run allowlist configuration now - nexus-allowlist $CONNECT_ARGS update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" + nexus-allowlist "$CONNECT_ARGS" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" # Periodically check for modification of allowlist files and run configuration again when they are hash=$(hashes) while true; do new_hash=$(hashes) if [ "$hash" != "$new_hash" ]; then - nexus-allowlist $CONNECT_ARGS update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" + nexus-allowlist "$CONNECT_ARGS" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" hash=$new_hash fi sleep 5 @@ -71,5 +71,5 @@ if [ -n "$ENTR_FALLBACK" ]; then else echo "$(timestamp) Using entr for file monitoring" # Run allowlist configuration now, and again whenever allowlist files are modified - find "$ALLOWLIST_DIR"/*.allowlist | entr -n nexus-allowlist $CONNECT_ARGS update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" + find "$ALLOWLIST_DIR"/*.allowlist | entr -n nexus-allowlist "$CONNECT_ARGS" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" fi From 90e3f401d447c3a53f3b0b3f18bf5d557cd19b84 Mon Sep 17 00:00:00 2001 From: Julien Baudon Date: Fri, 18 Oct 2024 09:56:04 +0200 Subject: [PATCH 5/8] fix format of nexus.py --- nexus_allowlist/nexus.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nexus_allowlist/nexus.py b/nexus_allowlist/nexus.py index 16b6bdc..a32fb2f 100644 --- a/nexus_allowlist/nexus.py +++ b/nexus_allowlist/nexus.py 
@@ -35,7 +35,9 @@ def __init__( nexus_port: str, nexus_path: str, ) -> None: - self.nexus_api_root = f"http://{nexus_host}:{nexus_port}{nexus_path}/service/rest" + self.nexus_api_root = ( + f"http://{nexus_host}:{nexus_port}{nexus_path}/service/rest" + ) self.username = username self.password = password From e5f9cbaddeae18c4bb03040f2d78385dafa563ae Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Tue, 22 Oct 2024 14:02:01 +0100 Subject: [PATCH 6/8] Simplify Nexus path determination --- entrypoint.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 41b5d3b..0baa1fc 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,10 +5,9 @@ export ALLOWLIST_DIR=/allowlists export PYPI_ALLOWLIST="$ALLOWLIST_DIR"/pypi.allowlist export CRAN_ALLOWLIST="$ALLOWLIST_DIR"/cran.allowlist -if [ -z "$NEXUS_PATH" ]; then - export CONNECT_ARGS="--admin-password $NEXUS_ADMIN_PASSWORD --nexus-host $NEXUS_HOST --nexus-port $NEXUS_PORT" -else - export CONNECT_ARGS="--admin-password $NEXUS_ADMIN_PASSWORD --nexus-host $NEXUS_HOST --nexus-port $NEXUS_PORT --nexus-path $NEXUS_PATH" +export CONNECT_ARGS="--admin-password $NEXUS_ADMIN_PASSWORD --nexus-host $NEXUS_HOST --nexus-port $NEXUS_PORT" +if [ -n "$NEXUS_PATH" ]; then + export CONNECT_ARGS="$CONNECT_ARGS --nexus-path $NEXUS_PATH" fi timestamp() { From 2941bf9a72f2876b10a8910147a833f40caaad71 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Tue, 22 Oct 2024 14:11:45 +0100 Subject: [PATCH 7/8] Wait longer for containers to start --- .github/workflows/test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index e873f1a..bb38c83 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -21,7 +21,7 @@ jobs: run: docker compose up -d - name: Wait for Nexus to start - run: sleep 120 + run: sleep 180 - name: Show nexus allowlist container logs run: docker compose logs allowlist 
From 917342ff36bdaa37f4c9ea868fd7996adeda73f4 Mon Sep 17 00:00:00 2001 From: Jim Madge Date: Tue, 22 Oct 2024 15:06:48 +0100 Subject: [PATCH 8/8] Expand arguments --- .github/workflows/test.yaml | 2 +- entrypoint.sh | 17 ++++++----------- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index bb38c83..e873f1a 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -21,7 +21,7 @@ jobs: run: docker compose up -d - name: Wait for Nexus to start - run: sleep 180 + run: sleep 120 - name: Show nexus allowlist container logs run: docker compose logs allowlist diff --git a/entrypoint.sh b/entrypoint.sh index 0baa1fc..3cea716 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,11 +5,6 @@ export ALLOWLIST_DIR=/allowlists export PYPI_ALLOWLIST="$ALLOWLIST_DIR"/pypi.allowlist export CRAN_ALLOWLIST="$ALLOWLIST_DIR"/cran.allowlist -export CONNECT_ARGS="--admin-password $NEXUS_ADMIN_PASSWORD --nexus-host $NEXUS_HOST --nexus-port $NEXUS_PORT" -if [ -n "$NEXUS_PATH" ]; then - export CONNECT_ARGS="$CONNECT_ARGS --nexus-path $NEXUS_PATH" -fi - timestamp() { date -Is } 
@@ -41,14 +36,14 @@ nexus-allowlist --version # Initial configuration if [ -f "$NEXUS_DATA_DIR/admin.password" ]; then echo "$(timestamp) Initial password file present, running initial configuration" - nexus-allowlist "$CONNECT_ARGS" change-initial-password --path "$NEXUS_DATA_DIR" - nexus-allowlist "$CONNECT_ARGS" initial-configuration --packages "$NEXUS_PACKAGES" --pypi-package-file "$ALLOWLIST_DIR/pypi.allowlist" --cran-package-file "$ALLOWLIST_DIR/cran.allowlist" + nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-path "$NEXUS_PATH" --nexus-port "$NEXUS_PORT" change-initial-password --path "$NEXUS_DATA_DIR" + nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-path "$NEXUS_PATH" --nexus-port "$NEXUS_PORT" initial-configuration --packages "$NEXUS_PACKAGES" --pypi-package-file "$ALLOWLIST_DIR/pypi.allowlist" --cran-package-file "$ALLOWLIST_DIR/cran.allowlist" else echo "$(timestamp) No initial password file found, skipping initial configuration" fi # Test authentication -if ! nexus-allowlist "$CONNECT_ARGS" test-authentication; then +if ! nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-path "$NEXUS_PATH" --nexus-port "$NEXUS_PORT" test-authentication; then echo "$(timestamp) API authentication test failed, exiting" exit 1 fi 
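Review bot: Each of the six calls now spells out `--admin-password "$NEXUS_ADMIN_PASSWORD"` on the command line (here and in the `@@ -56,13 +51,13 @@` and `@@ -70,5 +65,5 @@` hunks), and on a typical Linux host command-line arguments are readable through the process list for as long as the command runs. Since the value is already in the environment, consider letting the CLI fall back to `NEXUS_ADMIN_PASSWORD` when `--admin-password` is omitted and dropping the flag from the script. Independently, the four connection flags are repeated verbatim six times; a wrapper keeps the per-value quoting and removes the duplication: `nexus_cli() { nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-path "$NEXUS_PATH" --nexus-port "$NEXUS_PORT" "$@"; }`. The `entr -n` call runs a utility rather than a shell function, so it would still need the full command or an `sh -c` wrapper.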
@@ -56,13 +51,13 @@ fi if [ -n "$ENTR_FALLBACK" ]; then echo "$(timestamp) Using fallback file monitoring" # Run allowlist configuration now - nexus-allowlist "$CONNECT_ARGS" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" + nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-path "$NEXUS_PATH" --nexus-port "$NEXUS_PORT" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" # Periodically check for modification of allowlist files and run configuration again when they are hash=$(hashes) while true; do new_hash=$(hashes) if [ "$hash" != "$new_hash" ]; then - nexus-allowlist "$CONNECT_ARGS" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" + nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-path "$NEXUS_PATH" --nexus-port "$NEXUS_PORT" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" hash=$new_hash fi sleep 5 @@ -70,5 +65,5 @@ if [ -n "$ENTR_FALLBACK" ]; then else echo "$(timestamp) Using entr for file monitoring" # Run allowlist configuration now, and again whenever allowlist files are modified - find "$ALLOWLIST_DIR"/*.allowlist | entr -n nexus-allowlist "$CONNECT_ARGS" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" + find "$ALLOWLIST_DIR"/*.allowlist | entr -n nexus-allowlist --admin-password "$NEXUS_ADMIN_PASSWORD" --nexus-host "$NEXUS_HOST" --nexus-path "$NEXUS_PATH" --nexus-port "$NEXUS_PORT" update-allowlists --packages "$NEXUS_PACKAGES" --pypi-package-file "$PYPI_ALLOWLIST" --cran-package-file "$CRAN_ALLOWLIST" fi