Bundle creation, use of SecurityManager and permission to reset user passwords

Hi,

I’m doing additional work on nexus-casc-plugin for Nexus 3 and trying to get the password reset process to work. At present, resetting an existing password fails due to the plugin not having the authorization and is blocked by Shiro - it needs to have “SYSTEM*”.

How do I write a custom plugin and give it the appropriate “SYSTEM*” permissions - or at least integrate it neatly with the application permission set?

Thanks,
Brett

You’ll need to provide an example of the exception trace that is thrown.

Hi Matthew,

Thanks for the response - here is the exception:

INFO  [FelixStartLevel] *SYSTEM com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin - User johndoe already exists. Patching it...
ERROR [FelixStartLevel] *SYSTEM com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin - Failed transition: NEW -> STARTED
 org.apache.shiro.authz.AuthorizationException: *UNKNOWN is not permitted to change the password for johndoe
 	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.requirePermissionToChangeUserPassword(DefaultSecuritySystem.java:559)
 	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.changePassword(DefaultSecuritySystem.java:539)
 	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.changePassword(DefaultSecuritySystem.java:533)
 	at com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin.lambda$18(NexusCascPlugin.java:509)
 	at java.util.ArrayList.forEach(ArrayList.java:1257)
 	at com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin.applySecurityConfig(NexusCascPlugin.java:477)
 	at com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin.doStart(NexusCascPlugin.java:110)
 	at org.sonatype.nexus.common.stateguard.StateGuardLifecycleSupport.start(StateGuardLifecycleSupport.java:69)
 	at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
 	at org.sonatype.nexus.common.stateguard.StateGuard$TransitionImpl.run(StateGuard.java:193)
 	at org.sonatype.nexus.common.stateguard.TransitionsInterceptor.invoke(TransitionsInterceptor.java:56)
 	at org.sonatype.nexus.extender.NexusLifecycleManager.startComponent(NexusLifecycleManager.java:199)
 	at org.sonatype.nexus.extender.NexusLifecycleManager.to(NexusLifecycleManager.java:111)
 	at org.sonatype.nexus.extender.NexusContextListener.moveToPhase(NexusContextListener.java:321)
 	at org.sonatype.nexus.extender.NexusContextListener.frameworkEvent(NexusContextListener.java:218)
 	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1431)
 	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
 	at java.lang.Thread.run(Thread.java:748)
 2020-04-17 09:34:41,197+0000 ERROR [FelixStartLevel] *SYSTEM org.sonatype.nexus.extender.NexusContextListener - Failed to start nexus
 org.apache.shiro.authz.AuthorizationException: *UNKNOWN is not permitted to change the password for johndoe
 	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.requirePermissionToChangeUserPassword(DefaultSecuritySystem.java:559)
 	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.changePassword(DefaultSecuritySystem.java:539)
 	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.changePassword(DefaultSecuritySystem.java:533)
 	at com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin.lambda$18(NexusCascPlugin.java:509)
 	at java.util.ArrayList.forEach(ArrayList.java:1257)
 	at com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin.applySecurityConfig(NexusCascPlugin.java:477)
 	at com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin.doStart(NexusCascPlugin.java:110)
 	at org.sonatype.nexus.common.stateguard.StateGuardLifecycleSupport.start(StateGuardLifecycleSupport.java:69)
 	at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
 	at org.sonatype.nexus.common.stateguard.StateGuard$TransitionImpl.run(StateGuard.java:193)
 	at org.sonatype.nexus.common.stateguard.TransitionsInterceptor.invoke(TransitionsInterceptor.java:56)
 	at org.sonatype.nexus.extender.NexusLifecycleManager.startComponent(NexusLifecycleManager.java:199)
 	at org.sonatype.nexus.extender.NexusLifecycleManager.to(NexusLifecycleManager.java:111)
 	at org.sonatype.nexus.extender.NexusContextListener.moveToPhase(NexusContextListener.java:321)
 	at org.sonatype.nexus.extender.NexusContextListener.frameworkEvent(NexusContextListener.java:218)
 	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1431)
 	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
 	at java.lang.Thread.run(Thread.java:748)
 2020-04-17 09:34:41,198+0000 ERROR [FelixStartLevel] *SYSTEM Felix - Framework listener delivery error.
 org.apache.shiro.authz.AuthorizationException: *UNKNOWN is not permitted to change the password for johndoe
 	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.requirePermissionToChangeUserPassword(DefaultSecuritySystem.java:559)
 	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.changePassword(DefaultSecuritySystem.java:539)
 	at org.sonatype.nexus.security.internal.DefaultSecuritySystem.changePassword(DefaultSecuritySystem.java:533)
 	at com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin.lambda$18(NexusCascPlugin.java:509)
 	at java.util.ArrayList.forEach(ArrayList.java:1257)
 	at com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin.applySecurityConfig(NexusCascPlugin.java:477)
 	at com.weareadaptive.nexus.casc.plugin.internal.NexusCascPlugin.doStart(NexusCascPlugin.java:110)
 	at org.sonatype.nexus.common.stateguard.StateGuardLifecycleSupport.start(StateGuardLifecycleSupport.java:69)
 	at org.sonatype.nexus.common.stateguard.MethodInvocationAction.run(MethodInvocationAction.java:39)
 	at org.sonatype.nexus.common.stateguard.StateGuard$TransitionImpl.run(StateGuard.java:193)
 	at org.sonatype.nexus.common.stateguard.TransitionsInterceptor.invoke(TransitionsInterceptor.java:56)
 	at org.sonatype.nexus.extender.NexusLifecycleManager.startComponent(NexusLifecycleManager.java:199)
 	at org.sonatype.nexus.extender.NexusLifecycleManager.to(NexusLifecycleManager.java:111)
 	at org.sonatype.nexus.extender.NexusContextListener.moveToPhase(NexusContextListener.java:321)
 	at org.sonatype.nexus.extender.NexusContextListener.frameworkEvent(NexusContextListener.java:218)
 	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1431)
 	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
 	at java.lang.Thread.run(Thread.java:748)

The thread needs to have a security context of either the user you’re changing the password for, or nexus:*

You could do something like:

import org.apache.shiro.util.ThreadContext;
import org.sonatype.nexus.security.subject.FakeAlmightySubject;

try {
  // bind a subject that holds nexus:* to the current thread for the duration of the change
  ThreadContext.bind(FakeAlmightySubject.forUserId("blah"));
  // do stuff
}
finally {
  // unbind it again so the elevated subject does not leak into later work on this thread
  ThreadContext.remove();
}

The remove call is important.

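An added example (not code from this thread or from nexus-casc-plugin) that wraps the pattern above in a helper: it restores whatever subject was bound before, and applies several password resets inside one elevated scope. The class name, the subject id "nexus-casc-plugin", and the use of SecuritySystem.changePassword(userId, newPassword) are assumptions.

```java
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.ThreadContext;
import org.sonatype.nexus.security.SecuritySystem;
import org.sonatype.nexus.security.subject.FakeAlmightySubject;

import java.util.Map;
import java.util.concurrent.Callable;

/**
 * Hypothetical helper for a CasC-style plugin: runs a block with a nexus:* subject
 * bound to the current thread and guarantees the elevated subject is unbound after.
 */
public final class SystemSubjectRunner {

  private SystemSubjectRunner() {}

  public static <T> T runAsSystem(String subjectId, Callable<T> action) throws Exception {
    // Remember whatever was bound before: null on the Felix start-level thread,
    // which is why the trace in this thread reports "*UNKNOWN".
    Subject previous = ThreadContext.getSubject();
    ThreadContext.bind(FakeAlmightySubject.forUserId(subjectId));
    try {
      return action.call();
    }
    finally {
      // Never leave the almighty subject on the thread: later work on the same
      // thread would otherwise run with nexus:* silently.
      if (previous != null) {
        ThreadContext.bind(previous);
      }
      else {
        ThreadContext.remove();
      }
    }
  }

  /** Resets each configured user's password inside a single elevated scope (assumed API). */
  public static void applyPasswords(SecuritySystem securitySystem, Map<String, String> passwords)
      throws Exception
  {
    runAsSystem("nexus-casc-plugin", () -> {
      for (Map.Entry<String, String> e : passwords.entrySet()) {
        securitySystem.changePassword(e.getKey(), e.getValue());
      }
      return null;
    });
  }
}
```

Keeping the elevated scope to the single call that needs it, rather than binding the subject for the whole doStart(), limits how much plugin code runs with nexus:*.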

Worked perfectly! Thanks @mpiggott!