go firewall demo - michaelmworthington/codesamples GitHub Wiki

Introduction

This page walks through the steps to set up NXRM and a Docker container to test Go Firewall using https://proxy.golang.org/ as the upstream proxy.

See the official docs at https://help.sonatype.com/repomanager3/formats/go-repositories

Prerequisites

  • IQ Server installed and running
  • NXRM 3 installed and running and configured with the IQ Server
  • Docker for Mac installed and running

Step 1. Create a new Go Proxy Repository in NXRM

Use https://proxy.golang.org/ as the Remote URL. Accept default values for the remainder of the settings.

Step 2. Enable Firewall for the New Proxy Repo

Step 3. Run the Docker Image in Interactive Mode

This creates an interactive shell (the -it flags are required for that) in a container named "go-proxy-demo", based on the default golang image from Docker Hub. When you exit the shell, the container is removed (--rm):

docker run --name go-proxy-demo -it --rm golang

Step 4. Set GOPROXY so that Go will download dependencies from NXRM

export GOPROXY=http://host.docker.internal:8081/repository/go-proxy-demo/

Step 5. Clone a Go Project and use Go Get to download dependencies

The default GOPATH is /go; for the purposes of this demo it plays the same role as the .m2/repo directory in Maven, so you need a project directory outside of it. Create a new directory and use git to check out the project from https://github.com/xmlking/hello:

mkdir -p /tmp/demo
cd /tmp/demo
git clone https://github.com/xmlking/hello.git
cd hello

go get

Observe the inbound requests to NXRM in the request.log file:

192.168.1.157 - - [05/Aug/2019:18:03:30 -0400] "GET /repository/go-proxy-demo/rsc.io/quote/@v/v1.5.2.info HTTP/1.1" 200 - 50 240 "Go-http-client/1.1" [qtp1874828735-296]
192.168.1.157 - - [05/Aug/2019:18:03:30 -0400] "GET /repository/go-proxy-demo/rsc.io/quote/@v/v1.5.2.mod HTTP/1.1" 200 - 55 148 "Go-http-client/1.1" [qtp1874828735-297]
192.168.1.157 - - [05/Aug/2019:18:03:30 -0400] "GET /repository/go-proxy-demo/rsc.io/sampler/@v/v1.3.0.info HTTP/1.1" 200 - 50 132 "Go-http-client/1.1" [qtp1874828735-296]
192.168.1.157 - - [05/Aug/2019:18:03:30 -0400] "GET /repository/go-proxy-demo/rsc.io/sampler/@v/v1.3.0.mod HTTP/1.1" 200 - 88 149 "Go-http-client/1.1" [qtp1874828735-297]
192.168.1.157 - - [05/Aug/2019:18:03:30 -0400] "GET /repository/go-proxy-demo/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.info HTTP/1.1" 200 - 78 148 "Go-http-client/1.1" [qtp1874828735-296]
192.168.1.157 - - [05/Aug/2019:18:03:30 -0400] "GET /repository/go-proxy-demo/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.mod HTTP/1.1" 200 - 25 142 "Go-http-client/1.1" [qtp1874828735-297]
192.168.1.157 - - [05/Aug/2019:18:03:30 -0400] "GET /repository/go-proxy-demo/rsc.io/quote/@v/v1.5.2.zip HTTP/1.1" 200 - 2987 143 "Go-http-client/1.1" [qtp1874828735-296]
192.168.1.157 - - [05/Aug/2019:18:03:31 -0400] "GET /repository/go-proxy-demo/rsc.io/sampler/@v/v1.3.0.zip HTTP/1.1" 200 - 14308 153 "Go-http-client/1.1" [qtp1874828735-297]
192.168.1.157 - - [05/Aug/2019:18:03:31 -0400] "GET /repository/go-proxy-demo/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.zip HTTP/1.1" 200 - 4823575 862 "Go-http-client/1.1" [qtp1874828735-296]
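As an added example (not part of the original wiki), a small Go program that parses lines in this request.log format, extracts module path, version and artifact kind, and lists the module@version pairs NXRM refused with 403, which is the status a quarantined component produces in Step 8. The first sample line is copied from the log above; the gorose 403 lines are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Fetch is one Go module artifact request as recorded in NXRM's request.log.
type Fetch struct{ Module, Version, Kind, Status string } // e.g. rsc.io/quote, v1.5.2, zip, 200

// Matches a module proxy artifact request plus the status NXRM returned; /@v/list and non-Go paths do not match.
var lineRe = regexp.MustCompile(`"GET /repository/[^/]+/(.+?)/@v/([^ ]+)\.(info|mod|zip) HTTP/[0-9.]+" ([0-9]{3})`)

// ParseFetch splits one request.log line into module path, version, artifact kind and status.
func ParseFetch(line string) (Fetch, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Fetch{}, false
	}
	return Fetch{Module: m[1], Version: m[2], Kind: m[3], Status: m[4]}, true
}

// Quarantined lists each module@version NXRM answered with 403, in first-seen order, without duplicates.
func Quarantined(lines []string) []string {
	var out []string
	seen := map[string]bool{}
	for _, l := range lines {
		f, ok := ParseFetch(l)
		if !ok || f.Status != "403" {
			continue
		}
		key := f.Module + "@" + f.Version
		if !seen[key] {
			seen[key] = true
			out = append(out, key)
		}
	}
	return out
}

// Constructed sample in the page's request.log format; the gorose 403 lines are made up.
var sampleLog = []string{
	`192.168.1.157 - - [05/Aug/2019:18:03:30 -0400] "GET /repository/go-proxy-demo/rsc.io/quote/@v/v1.5.2.info HTTP/1.1" 200 - 50 240 "Go-http-client/1.1" [qtp1874828735-296]`,
	`192.168.1.157 - - [05/Aug/2019:18:05:02 -0400] "GET /repository/go-proxy-demo/github.com/gohouse/gorose/@v/v1.0.5.info HTTP/1.1" 403 - 0 12 "Go-http-client/1.1" [qtp1874828735-301]`,
	`192.168.1.157 - - [05/Aug/2019:18:05:02 -0400] "GET /repository/go-proxy-demo/github.com/gohouse/gorose/@v/v1.0.5.mod HTTP/1.1" 403 - 0 9 "Go-http-client/1.1" [qtp1874828735-301]`,
}

func main() {
	fmt.Println("quarantined:", Quarantined(sampleLog)) // [github.com/gohouse/gorose@v1.0.5]
}
```

Pipe the real file in with `grep '/@v/' request.log` fed into a slice to audit a full day of module traffic; a 403 here that does not correspond to a Firewall policy is worth investigating.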

Observe the outbound requests from NXRM to http://proxy.golang.org and also to IQ Server to check the Firewall status:

2019-08-05 18:03:29,787-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/quote/@v/v1.5.2.info > GET /rsc.io/quote/@v/v1.5.2.info HTTP/1.1
2019-08-05 18:03:29,829-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/quote/@v/v1.5.2.info < HTTP/1.1 200 OK @ 41.54 ms
2019-08-05 18:03:29,829-0400 INFO  [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.repository.httpclient.internal.HttpClientFacetImpl - Repository status for go-proxy-demo changed from READY to AVAILABLE - reason n/a for n/a
2019-08-05 18:03:29,851-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine > POST /iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine HTTP/1.1
2019-08-05 18:03:29,860-0400 INFO  [elasticsearch[ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8][clusterService#updateTask][T#1]]  *SYSTEM org.elasticsearch.cluster.metadata - [ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8] [d05f7b69ae0203354c60fe1902786b20c6d2d10f] update_mapping [component]
2019-08-05 18:03:30,024-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine < HTTP/1.1 200 OK @ 172.5 ms
2019-08-05 18:03:30,030-0400 INFO  [elasticsearch[ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8][clusterService#updateTask][T#1]]  *SYSTEM org.elasticsearch.cluster.metadata - [ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8] [d05f7b69ae0203354c60fe1902786b20c6d2d10f] update_mapping [component]
2019-08-05 18:03:30,036-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/quote/@v/v1.5.2.mod > GET /rsc.io/quote/@v/v1.5.2.mod HTTP/1.1
2019-08-05 18:03:30,055-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/quote/@v/v1.5.2.mod < HTTP/1.1 200 OK @ 18.85 ms
2019-08-05 18:03:30,067-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine > POST /iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine HTTP/1.1
2019-08-05 18:03:30,074-0400 INFO  [elasticsearch[ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8][clusterService#updateTask][T#1]]  *SYSTEM org.elasticsearch.cluster.metadata - [ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8] [d05f7b69ae0203354c60fe1902786b20c6d2d10f] update_mapping [component]
2019-08-05 18:03:30,180-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine < HTTP/1.1 200 OK @ 113.5 ms
2019-08-05 18:03:30,189-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/sampler/@v/v1.3.0.info > GET /rsc.io/sampler/@v/v1.3.0.info HTTP/1.1
2019-08-05 18:03:30,205-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/sampler/@v/v1.3.0.info < HTTP/1.1 200 OK @ 15.90 ms
2019-08-05 18:03:30,214-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine > POST /iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine HTTP/1.1
2019-08-05 18:03:30,317-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine < HTTP/1.1 200 OK @ 103.7 ms
2019-08-05 18:03:30,324-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/sampler/@v/v1.3.0.mod > GET /rsc.io/sampler/@v/v1.3.0.mod HTTP/1.1
2019-08-05 18:03:30,340-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/sampler/@v/v1.3.0.mod < HTTP/1.1 200 OK @ 15.93 ms
2019-08-05 18:03:30,350-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine > POST /iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine HTTP/1.1
2019-08-05 18:03:30,469-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine < HTTP/1.1 200 OK @ 118.6 ms
2019-08-05 18:03:30,476-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.info > GET /golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.info HTTP/1.1
2019-08-05 18:03:30,498-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.info < HTTP/1.1 200 OK @ 21.51 ms
2019-08-05 18:03:30,508-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine > POST /iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine HTTP/1.1
2019-08-05 18:03:30,622-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine < HTTP/1.1 200 OK @ 113.6 ms
2019-08-05 18:03:30,628-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.mod > GET /golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.mod HTTP/1.1
2019-08-05 18:03:30,646-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.mod < HTTP/1.1 200 OK @ 17.83 ms
2019-08-05 18:03:30,655-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine > POST /iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine HTTP/1.1
2019-08-05 18:03:30,766-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine < HTTP/1.1 200 OK @ 111.6 ms
2019-08-05 18:03:30,775-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/quote/@v/v1.5.2.zip > GET /rsc.io/quote/@v/v1.5.2.zip HTTP/1.1
2019-08-05 18:03:30,796-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/quote/@v/v1.5.2.zip < HTTP/1.1 200 OK @ 21.25 ms
2019-08-05 18:03:30,806-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine > POST /iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine HTTP/1.1
2019-08-05 18:03:30,915-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine < HTTP/1.1 200 OK @ 109.1 ms
2019-08-05 18:03:30,925-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/sampler/@v/v1.3.0.zip > GET /rsc.io/sampler/@v/v1.3.0.zip HTTP/1.1
2019-08-05 18:03:30,945-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/rsc.io/sampler/@v/v1.3.0.zip < HTTP/1.1 200 OK @ 20.36 ms
2019-08-05 18:03:30,959-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine > POST /iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine HTTP/1.1
2019-08-05 18:03:31,074-0400 DEBUG [qtp1874828735-297]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine < HTTP/1.1 200 OK @ 115.0 ms
2019-08-05 18:03:31,084-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.zip > GET /golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.zip HTTP/1.1
2019-08-05 18:03:31,242-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://proxy.golang.org/golang.org/x/text/@v/v0.0.0-20170915032832-14c0d48ead0c.zip < HTTP/1.1 200 OK @ 158.2 ms
2019-08-05 18:03:31,710-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine > POST /iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine HTTP/1.1
2019-08-05 18:03:31,833-0400 DEBUG [qtp1874828735-296]  *UNKNOWN org.sonatype.nexus.httpclient.outbound - http://localhost:8060/iq/rest/integration/repositories/ABBE2A77-C8564A5D-EE8A4C07-AF983DF8-77CA13B8/go-proxy-demo/evaluate/quarantine < HTTP/1.1 200 OK @ 122.6 ms

This downloads the info, mod, and zip files and stores them in "/go/pkg/mod/cache/download/". For example:

root@68720c5731bb:/tmp/demo/hello# ls -la /go/pkg/mod/cache/download/rsc.io/quote/\@v/
total 28
drwxr-xr-x 2 root root 4096 Aug  5 22:03 .
drwxr-xr-x 3 root root 4096 Aug  5 22:03 ..
-rw------- 1 root root    7 Aug  5 22:03 list
-rw-r--r-- 1 root root    0 Aug  5 22:03 list.lock
-rw------- 1 root root   50 Aug  5 22:03 v1.5.2.info
-rw-r--r-- 1 root root    0 Aug  5 22:03 v1.5.2.lock
-rw------- 1 root root   55 Aug  5 22:03 v1.5.2.mod
-rw------- 1 root root 2987 Aug  5 22:03 v1.5.2.zip
-rw------- 1 root root   47 Aug  5 22:03 v1.5.2.ziphash
root@68720c5731bb:/tmp/demo/hello#

Step 6. Browse the Proxy Repo

Step 7. Go to the Firewall Report

Repo List

IQ Server Report

Step 8. Test Quarantine

http://github.com/gohouse/gorose/@v/v1.0.5 has CVE-2019-9047, so you need Quarantine enabled in the Firewall capability you created in Step 2 and Proxy=Fail set in your Security-Critical policy in IQ Server.

Go back to the demo directory, use git to check out the project from https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project, and switch to the with_modules_nvs branch, which contains the go.sum file:

cd /tmp/demo/
git clone https://github.com/sonatype-nexus-community/intentionally-vulnerable-golang-project.git
cd intentionally-vulnerable-golang-project/
git checkout with_modules_nvs

Get the dependencies:

go get

Observe the quarantine failure:

Repo List

IQ Server Report

Step 9. Notes

The NXRM Tree View shows the Quarantined component:

You can reproduce the 403 - Quarantined error by clicking on the "Path" link: http://host.docker.internal:8081/repository/go-proxy-demo/github.com/gohouse/gorose/@v/v1.0.5.info

You can view the component information panel (CIP) right in NXRM.
