Added support for claims and scopes

.gitignore

@@ -5,3 +5,8 @@
 .vertx/
 build/
 .env
+.project
+.classpath
+bin/
+.settings/
+.vscode

Dockerfile

@@ -7,18 +7,24 @@ RUN gradle --debug --no-daemon shadowJar
 # -- run
 FROM gcr.io/distroless/java:8
 
-ENV BIND_PORT="80" \
+ENV BIND_HOST="0.0.0.0" \
+    BIND_PORT="8080" \
     CLIENT_ID="REPLACE_ME" \
     CLIENT_SECRET="REPLACE_ME" \
     CLOUD_IAM_AUTH_ENABLED="true" \
     NEXUS_HTTP_HOST="nexus.example.com" \
+    REPOSITORY_PATH="/repository/*" \
     REDIRECT_URL="<oauth-callback>" \
     SESSION_TTL="1440000" \
     UPSTREAM_HOST="localhost" \
     UPSTREAM_HTTP_PORT="8081" \
     JWK_URL="<openid-certs>" \
     TOKEN_ENDPOINT="<openid-token-endpoint>" \
-    AUTHORIZE_ENDPOINT="<openid-authorize-url>"
+    AUTHORIZE_ENDPOINT="<openid-authorize-url>" \
+    REQUEST_SCOPES="" \
+    USER_ID_CLAIM="email" \
+    HMAC_SHA256_SECRET="" \
+    PASSTHRU_AUTH_HEADER="true"
 
 COPY --from=builder /src/build/libs/nexus-proxy-2.3.0.jar /nexus-proxy.jar
 

README.md

@@ -25,6 +25,7 @@ For opt-in authentication against an IDP:
 * A properly configured IDP, e.g. Keycloak
 * A set of credentials (`CLIENT_ID` & `CLIENT_SECRET`)
 * OAuth2 Endpoint URLs (`AUTHORIZE_ENDPOINT`, `TOKEN_ENDPOINT`, `JWK_URL`)
+* Scopes and claim, specify the user ID claim, defaults to email (`USER_ID_CLAIM`)
 * Proper configuration of the resulting client's `REDIRECT_URL`.
 
 ## Running the proxy
@@ -40,13 +41,18 @@ $ BIND_PORT="8080" \
   CLIENT_ID="my-client-id" \
   CLIENT_SECRET="my-client-secret" \
   NEXUS_HTTP_HOST="nexus.example.com" \
+  REPOSITORY_PATH="/repository/*" \
   REDIRECT_URL="https://nexus.example.com/oauth/callback" \
   SESSION_TTL="1440000" \
   UPSTREAM_HTTP_PORT="8081" \
   UPSTREAM_HOST="localhost" \
   TOKEN_ENDPOINT="https://<sso-base-url>/openid-connect/token" \
   JWK_URL="https://<sso-base-url>/openid-connect/certs" \
   TOKEN_ENDPOINT="https://<sso-base-url>/openid-connect/auth" \
+  REQUEST_SCOPES="" \
+  USER_ID_CLAIM="email" \
+  HMAC_SHA256_SECRET="" \
+  PASSTHRU_AUTH_HEADER="true"
   java -jar ./build/libs/nexus-proxy-2.3.0.jar
 ```
 
@@ -61,10 +67,15 @@ $ BIND_PORT="8080" \
 | `CLOUD_IAM_AUTH_ENABLED`            | Whether to enable authentication against an IDP. |
 | `LOG_LEVEL`                         | The desired log level (i.e., `trace`, `debug`, `info`, `warn` or `error`). Defaults to `info`. |
 | `NEXUS_HTTP_HOST`                   | The host used to access the Nexus UI and Maven repositories. |
+| `REPOSITORY_PATH`                   | Repository route serving data to CLI utilities like maven/nuget with http header authentication, defaults to /repository/* |
 | `REDIRECT_URL`                      | The URL where to redirect users after the OAuth2 consent screen. |
 | `SESSION_TTL`                       | The TTL (in _milliseconds_) of a user's session. |
 | `UPSTREAM_HTTP_PORT`                | The port where the proxied Nexus instance listens. |
 | `UPSTREAM_HOST`                     | The host where the proxied Nexus instance listens. |
 | `AUTHORIZE_ENDPOINT`                | The OAuth2/OpenID auth endpoint for the Authorize Flow |
 | `TOKEN_ENDPOINT`                    | The OAuth2/OpenID token endpoint for the Authorize Flow |
-| `JWK_URL`                           | URL where the server can receive the IDP's JWK. Needed for verifying the tokens signature.  |
+| `JWK_URL`                           | URL where the server can receive the IDP's JWK. Needed for verifying the tokens signature.  |
+| `REQUEST_SCOPES`                    | Request any additional scopes. The openid scope is always requested |
+| `USER_ID_CLAIM`                     | What claim to use as the user id |
+| `HMAC_SHA256_SECRET`                | String secret used to encrypt JWT tokens created for CLI tools. Leave blank to auto-generate, but they will not survive a restart. |
+| `PASSTHRU_AUTH_HEADER`              | Specify true to pass Authorization header upstream if user name is not 'apikey' if basic auth header is passed in. Defaults to true. |

build.gradle

@@ -15,11 +15,20 @@ dependencies {
     implementation 'com.auth0:java-jwt:3.10.3'
     implementation 'com.auth0:jwks-rsa:0.9.0'
 
-    compile 'ch.qos.logback:logback-classic:1.2.3'
-    compile 'com.google.apis:google-api-services-oauth2:v1-rev127-1.22.0'
-    compile 'io.vertx:vertx-unit:3.4.2'
-    compile 'io.vertx:vertx-web:3.4.2'
-    compile 'io.vertx:vertx-web-templ-handlebars:3.4.2'
+    // https://mvnrepository.com/artifact/ch.qos.logback/logback-classic
+    implementation group: 'ch.qos.logback', name: 'logback-classic', version: '1.2.3'
+
+    // https://mvnrepository.com/artifact/com.google.apis/google-api-services-oauth2
+    implementation group: 'com.google.apis', name: 'google-api-services-oauth2', version: 'v2-rev157-1.25.0'
+
+    // https://mvnrepository.com/artifact/io.vertx/vertx-unit
+    implementation group: 'io.vertx', name: 'vertx-unit', version: '3.4.2'
+
+    // https://mvnrepository.com/artifact/io.vertx/vertx-web
+    implementation group: 'io.vertx', name: 'vertx-web', version: '3.4.2'
+
+    // https://mvnrepository.com/artifact/io.vertx/vertx-web-templ-handlebars
+    implementation group: 'io.vertx', name: 'vertx-web-templ-handlebars', version: '3.4.2'
 }
 
 repositories {

src/main/java/com/travelaudience/nexus/proxy/AccessToken.java

@@ -11,11 +11,10 @@ public AccessToken(String token) {
         rawToken = token;
     }
 
-    public String principal() throws IOException {
+    public String principal(String claim) throws IOException {
         JsonWebSignature jws = JsonWebSignature
                 .parser(JacksonFactory.getDefaultInstance())
-                .setPayloadClass(PayloadWithEmail.class)
                 .parse(rawToken);
-        return ((PayloadWithEmail) jws.getPayload()).getEmail();
+        return (String)jws.getPayload().get(claim);
     }
 }

src/main/java/com/travelaudience/nexus/proxy/BaseNexusProxyVerticle.java

@@ -24,6 +24,7 @@ public abstract class BaseNexusProxyVerticle extends AbstractVerticle {
     private static final Boolean ENFORCE_HTTPS = Boolean.parseBoolean(System.getenv("ENFORCE_HTTPS"));
     private static final String UPSTREAM_HOST = System.getenv("UPSTREAM_HOST");
     private static final Integer UPSTREAM_HTTP_PORT = Ints.tryParse(System.getenv("UPSTREAM_HTTP_PORT"));
+    public static final Boolean PASSTHRU_AUTH_HEADER = Boolean.parseBoolean(System.getenv("PASSTHRU_AUTH_HEADER"));
     private static final CharSequence X_FORWARDED_PROTO = HttpHeaders.createOptimized("X-Forwarded-Proto");
     protected final String nexusHttpHost = System.getenv("NEXUS_HTTP_HOST");
 
@@ -34,7 +35,8 @@ public final void start() throws Exception {
         final NexusHttpProxy httpProxy = NexusHttpProxy.create(
                 vertx,
                 UPSTREAM_HOST,
-                UPSTREAM_HTTP_PORT);
+                UPSTREAM_HTTP_PORT,
+                PASSTHRU_AUTH_HEADER);
         final Router router = Router.router(
                 vertx
         );
@@ -66,7 +68,7 @@ public final void start() throws Exception {
                 ctx.next();
                 return;
             }
-
+            
             ctx.put("nexus_http_host", nexusHttpHost);
 
             handlebars.render(ctx, "templates", "/http-disabled.hbs", res -> { // The '/' is somehow necessary.
@@ -81,6 +83,12 @@ public final void start() throws Exception {
         configureRouting(router);
 
         router.route(ALL_PATHS).handler(ctx -> {
+        	String expectHeader = ctx.request().getHeader("Expect");
+            if (expectHeader != null && 
+            		expectHeader.contains("100-continue")) {
+            	ctx.response().writeContinue();
+            }
+
             final NexusHttpProxy proxy = ((NexusHttpProxy) ctx.data().get(PROXY));
 
             if (proxy != null) {