# Hot-reload interval in seconds
scanPeriod = ${PAC4J_INI_SCAN_PERIOD:-0}
# Hot-reload URL path (don't change it!)
urlRewriteStatusPath = ${URLREWRITE_STATUS_PATH:-http://localhost:8081/rewrite-status/?conf=etc/sso/config/urlrewrite.xml}

[main]
## Nexus environment objects (declared programmatically)
# securityManager = org.apache.shiro.nexus.NexusWebSecurityManager
# authenticator = org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator
# authorizer = org.sonatype.nexus.security.authz.ExceptionCatchingModularRealmAuthorizer
# sessionManager = org.apache.shiro.nexus.NexusWebSessionManager
# chainResolver = org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver
# LdapRealm = org.sonatype.nexus.ldap.internal.LdapRealm
# securityDataSource = com.orientechnologies.orient.jdbc.OrientDataSource
# pac4jAuthenticationListener = com.github.alanger.nexus.bootstrap.Pac4jAuthenticationListener
# iniRealm = org.apache.shiro.realm.text.IniRealm
# echoRealm = com.github.alanger.nexus.bootstrap.EchoRealm
# tokenRealm = com.github.alanger.shiroext.realm.jdbc.JdbcRealmName
# pac4jRealm = com.github.alanger.shiroext.realm.pac4j.Pac4jRealmName

## SAML buji-pac4j https://github.com/bujiio/buji-pac4j/blob/master/src/main/resources/buji-pac4j-default.ini
authorizationGenerator = org.pac4j.core.authorization.generator.FromAttributesAuthorizationGenerator
authorizationGenerator.roleAttributes = ${PAC4J_ROLE_ATTRS:-roles}
authorizationGenerator.permissionAttributes = ${PAC4J_PERMISSION_ATTRS:-permission}
clients = org.pac4j.core.client.Clients
clients.authorizationGenerator = $authorizationGenerator
config = org.pac4j.core.config.Config
config.clients = $clients

pac4jRealm.principalNameAttribute = ${PAC4J_PRINCIPAL_NAME_ATTR:-username}
pac4jRealm.commonRole = ${PAC4J_COMMON_ROLE:-nx-authenticated, nx-public}
pac4jRealm.commonPermission = ${PAC4J_COMMON_PERMISSION:-nexus:apikey:*, nexus:sso-user:read, nexus:repository-view:docker:docker-login:read}
; pac4jRealm.roleWhiteList = ^nx-.*$
; pac4jRealm.permissionWhiteList = ^nexus:.*$

; pac4jAuthenticationListener.userQuery = SELECT * FROM user WHERE id = "{0}"
; pac4jAuthenticationListener.userUpdate = UPDATE user SET firstName = "{1}", lastName = "{2}", email = "{3}", status = "{4}", password = "{5}" WHERE id = "{0}"
pac4jAuthenticationListener.map(attrs) = ${PAC4J_PROFILE_ATTRS:-firstName:firstName, lastName:lastName, email:email}
securityManager.authenticator.authenticationListeners = $pac4jAuthenticationListener

pac4jSubjectFactory = io.buji.pac4j.subject.Pac4jSubjectFactory
securityManager.subjectFactory = $pac4jSubjectFactory

saml2Config = org.pac4j.saml.config.SAML2Configuration
saml2Config.keystorePath = ${PAC4J_KEYSTORE:-etc/sso/config/samlKeystore.jks}
saml2Config.keystorePassword = ${PAC4J_KEYSTORE_PASSWORD:-pac4j-demo-passwd}
saml2Config.privateKeyPassword = ${PAC4J_KEYSTORE_KEY_PASSWORD:-pac4j-demo-passwd}
saml2Config.identityProviderMetadataPath = ${PAC4J_IDENTITY_PROVIDER_METADATA:-etc/sso/config/metadata.xml}
saml2Config.maximumAuthenticationLifetime = ${PAC4J_AUTHENTICATION_LIFETIME:-3600}
saml2Config.serviceProviderEntityId = https://MyNexus.Domain.com/callback?client_name=SAML2Client
saml2Config.serviceProviderMetadataPath = ${PAC4J_SERVICE_PROVIDER_METADATA:-etc/sso/config/sp-metadata.xml}

saml2Client = org.pac4j.saml.client.SAML2Client
saml2Client.configuration = $saml2Config

clients.callbackUrl = https://MyNexus.Domain.com/callback
clients.clients = $saml2Client

## Token authc such as basic or bearer
tokenRealm.dataSource = $securityDataSource
tokenRealm.skipIfNullAttribute = false
tokenRealm.principalNameAttribute = primary_principal
tokenRealm.authenticationTokenClass = org.apache.shiro.authc.AuthenticationToken
tokenRealm.findByPassword = true
tokenRealm.principalNameQuery = select primary_principal from api_key where domain = ? and api_key = ?
tokenRealm.authenticationQuery = select api_key from api_key where primary_principal in (select id from user where status = 'active' and id = ?) and api_key = ? and SYSDATE() < created.asLong() + (1000*60*60*24*365)
tokenRealm.userRolesQuery = select roles from user_role_mapping where userId = ? UNWIND roles
tokenRealm.commonRole = ${PAC4J_TOKEN_COMMON_ROLE:-nx-authenticated-token, nx-public}
tokenRealm.commonPermission = ${PAC4J_TOKEN_COMMON_PERMISSION:-nexus:sso-user:read, nexus:repository-view:docker:docker-login:read}
tokenRealm.permissionBlackList = ".*apikey.*" # Deny read and write api token
tokenRealm.roleBlackList = "^nx-authenticated$" # Deny read and write api token
tokenRealm.authenticationCachingEnabled = true

## Configure session and security manager (30m = 1800000, 24h = 86400000)
; sessionManager.globalSessionTimeout = ${SHIRO_SESSION_TIMEOUT:-1800000}
; sessionManager.sessionIdCookie.name = ${SHIRO_SESSION_COOKIE_NAME:-NEXUSID}
; sessionManager.sessionIdUrlRewritingEnabled = false
securityManager.realms = $iniRealm, $tokenRealm, $echoRealm, $pac4jRealm

## Pac4j filters
callbackFilter = io.buji.pac4j.filter.CallbackFilter
callbackFilter.config = $config

saml2SecurityFilter = io.buji.pac4j.filter.SecurityFilter
saml2SecurityFilter.config = $config
saml2SecurityFilter.clients = SAML2Client

pac4jLogout = io.buji.pac4j.filter.LogoutFilter
pac4jLogout.config = $config
; pac4jCentralLogout = io.buji.pac4j.filter.LogoutFilter
; pac4jCentralLogout.config = $config
; pac4jCentralLogout.localLogout = false
; pac4jCentralLogout.centralLogout = true
; pac4jCentralLogout.logoutUrlPattern = ${PAC4J_BASE_URL:-http://localhost}/.*

## Shiro-ext filters
; basic  = com.github.alanger.shiroext.web.BasicAuthcFilter
; logout = com.github.alanger.shiroext.web.LogoutAuthcFilter
; roles  = com.github.alanger.shiroext.web.RolesAuthzFilter
; role   = com.github.alanger.shiroext.web.RoleAuthzFilter
; perms  = com.github.alanger.shiroext.web.PermissionsAuthzFilter
; perm   = com.github.alanger.shiroext.web.PermissionAuthzFilter
; bearer = com.github.alanger.shiroext.web.BearerAuthcFilter
; bearer.applicationName = Nexus OSS
; bearer.silent = true
; bearer.principalNameAttribute = primary_principal
; public = com.github.alanger.nexus.bootstrap.AnonymousFilter
; public.userId = public
dockerExtdirect = com.github.alanger.nexus.bootstrap.DockerExtdirectFilter
dockerExtdirect.dockerRoot = docker-root
; quota = com.github.alanger.nexus.bootstrap.QuotaFilter
; quota.formatFromRepositoryName = true
; quota.methods = PUT,POST
; quota.formatSplitIndex = 0
; debug = com.github.alanger.nexus.bootstrap.DebugFilter
; debug.printResponseHeader = true

## Nexus filters (declared programmatically)
# nx-authc         = org.sonatype.nexus.security.authc.NexusAuthenticationFilter
# nx-apikey-authc  = org.sonatype.nexus.security.authc.apikey.ApiKeyAuthenticationFilter   
# nx-anonymous     = org.sonatype.nexus.security.anonymous.AnonymousFilter
# authcAntiCsrf    = org.sonatype.nexus.security.authc.AntiCsrfFilter
# nx-perms         = org.sonatype.nexus.security.authz.PermissionsFilter
# nx-session-authc = org.sonatype.nexus.rapture.internal.security.SessionAuthenticationFilter

[users]
# Only for testing
; admin2 = ${NX_ADMIN_PASSWORD:-admin2},nx-admin
; user = 123456,nx-authenticated,nx-public
; user1 = user1,nx-authenticated,nx-public
; public = ,nx-public

[roles]
# Only for testing
; nx-admin = *
; nx-anonymous = nexus:healthcheck:read,nexus:repository-view:*:*:browse,nexus:repository-view:*:*:read,nexus:search:read
; nx-public = nexus:healthcheck:read,nexus:search:read
; nx-authenticated = nexus:apikey:*,nexus:sso-user:read,nexus:repository-view:docker:docker-login:read
; nx-authenticated-token = nexus:sso-user:read

[urls]
# SAML + Pac4j
/index.html           = saml2SecurityFilter
/callback             = callbackFilter
; /pac4jCentralLogout   = pac4jCentralLogout
/pac4jLogout          = pac4jLogout

# Nexus
/service/metrics/**   = nx-authc, nx-anonymous, authcAntiCsrf, nx-perms
/service/outreach/**  = nx-anonymous
/repository/**           = nx-authc, nx-apikey-authc, nx-anonymous, authcAntiCsrf
/service/rapture/session = nx-session-authc

# Quota example
; /repository/**                      = saml2SecurityFilter, quota, nx-authc, nx-apikey-authc, nx-anonymous, authcAntiCsrf
; /service/rest/internal/ui/upload/** = quota, nx-authc, nx-anonymous, authcAntiCsrf

# Deny profile editing, need permission "nexus:sso-user:write"
/service/rest/internal/ui/user = rest[nexus:sso-user]

# Nexus
/service/rest/**      = nx-authc, nx-anonymous, authcAntiCsrf

# Change docker image name in usage instruction
/service/extdirect = nx-authc, nx-anonymous, dockerExtdirect, authcAntiCsrf

# Nexus
/service/extdirect/** = nx-authc, nx-anonymous, authcAntiCsrf
/**                   = nx-anonymous, authcAntiCsrf