Skip to content

alan-turing-institute/nexus-allowlist

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

169 Commits

.github

.github

 
 

allowlists

allowlists

 
 

nexus_allowlist

nexus_allowlist

 
 

.gitignore

.gitignore

 
 

Caddyfile

Caddyfile

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

docker-compose.yaml

docker-compose.yaml

 
 

entrypoint.sh

entrypoint.sh

 
 

pyproject.toml

pyproject.toml

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

Nexus Allowlist

A package for configuring Sonatype Nexus Repository Manager OSS to only allow selected packages to be installed from proxy repositories.

Supports creating CRAN and PyPI proxies which allow either all, or only named packages.

Docker

A Dockerfile and example docker compose configuration demonstrate how to use the script in conjunction with a Nexus OSS container.

Instructions

Test deployment

Check and, if you would like, change the following environment variables for the Nexus Allowlist container in docker-compose.yaml.

Environment variable meaning
NEXUS_ADMIN_PASSWORD Password for the Nexus OSS admin user (changes from the default on first rune then used for authentication)
NEXUS_PACKAGES Whether to allow all packages or only selected packages [all, selected]
NEXUS_HOST Hostname of Nexus OSS host
NEXUS_PORT Port of Nexus OSS
ENTR_FALLBACK If defined, don't use entr to check for allowlist updates (this will be less reactive but we have found entr to not work in some situations)

Example allowlist files are included in the repository for PyPI and CRAN. The PyPI allowlist includes numpy, pandas, matplotlib and their dependencies. The CRAN allowlist includes cli and data.table You can add more packages by writing the package names, one per line, in the allowlist files.

Start the Nexus and Nexus Allowlist containers using docker compose

docker compose up -d

You can monitor the Nexus Allowlist container instance

docker compose logs -f allowlist

How it works

The container command

  1. Ensures that allowlist files /allowlists/pypi.allowlist and /allowlists/cran.allowlist exist
  2. Waits for Nexus OSS to be available at NEXUS_HOST:NEXUS_PORT
  3. If the Nexus OSS initial password file is present (at /nexus-data/admin.password)
  4. Changes the admin password to NEXUS_ADMIN_PASSWORD
  5. Runs initial configuration (creates a role, repositories, content selectors, etc.)
  6. Reruns the content selector configuration (which enforces the allowlists) every time either of the allowlist files are modified

Caddy acts as a reverse proxy, passing requests to the Nexus OSS server. The configuration file replaces 401 responses from Nexus OSS with 403 so that pip does not prompt a user for authentication when attempting to install a blacked package.

Usage

Pip

You can edit ~/.config/pip/pip.conf to use the Nexus PyPI proxy. To apply globally edit /etc/pip.conf. For example

[global]
index = http://localhost:8080/repository/pypi-proxy/pypi
index-url = http://localhost:8080/repository/pypi-proxy/simple

You should now only be able to install packages from the allowlist. For example,

  • pip install numpy should succeed
  • pip install mkdocs should fail

R

You can edit ~/.Rprofileto use the Nexus CRAN proxy. To apply globally edit /etc/R/Rprofile.site. For example

local({
    r <- getOption("repos")
    r["CRAN"] <- "http://localhost:8080/repository/cran-proxy"
    options(repos=r)
})

You should now only be able to install packages from the allowlist. For example,

  • install.packages("data.table") should succeed
  • install.packages("ggplot2") should fail

About

Enforce allowlists for Nexus3

Topics

hut23-612

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

6 watching

Forks

0 forks
Report repository

Releases

9 tags

Packages 1

 

Contributors 3

  •  
  •  
  •  

Languages