pypi firewall demo - michaelmworthington/codesamples GitHub Wiki

Introduction

This page walks through the steps to set up NXRM (Nexus Repository Manager) and a Docker container based on the official python image to test the PyPI Firewall using https://pypi.python.org/ as the upstream index. (The Yum Firewall Demo uses a centos container; this one does not, see step 3.)

See the official docs at https://help.sonatype.com/repomanager3/pypi-repositories


Prerequisites

  • IQ Server installed and running
  • NXRM 3 installed and running and configured with the IQ Server
  • Docker for Mac installed and running

Step 1. Create a new PyPI Proxy Repository in NXRM

Use https://pypi.python.org/ as the Remote URL

Step 2. Enable Firewall for the New Proxy Repo

Step 3. Run the Docker Image in Interactive Mode

This creates an interactive shell (you need the -it flags) in a container named "pypi-proxy-demo", based on the default python image from Docker Hub. When you exit the shell the container is removed (--rm).

docker run -it --rm --name pypi-proxy-demo python bash

Unlike the centos image used in the Yum Firewall Demo, the python image's default command (CMD) is 'python3' rather than a shell, so the trailing 'bash' overrides it. Since the demo only needs a couple of pip commands run from a shell, that is all that is required.

Step 4. Use vi to Add a PyPI Repository Config for NXRM

###### TODO #####
#   This didn't work out of the box with Python 3.6 / pip 10.0.1 in the latest Docker image,
#   so for now the index is specified on the pip install command line instead (steps 5 and 8).
#
#   Two things to check before retrying it: 'pip config set' expects a dotted
#   section.option key such as global.index-url, not a bare 'index', and pip needs
#   the simple-index endpoint, which is why the command-line URL in steps 5 and 8
#   ends in /simple. Also, the URL in the note below (port 8083, a /nexus/ context
#   path and a repo named pypi-python.org-proxy) does not match the NXRM URL used
#   in steps 5 and 8 (port 8081, repo pypi.python.org-proxy); whichever form you
#   use has to match your own NXRM instance.

# pip config set index http://host.docker.internal:8083/nexus/repository/pypi-python.org-proxy

Step 5. Use pip to Install selenium Through the Proxy

pip install -v --trusted-host host.docker.internal --index-url http://host.docker.internal:8081/repository/pypi.python.org-proxy/simple selenium

--trusted-host is needed because the proxy is reached over plain http; pip refuses non-https indexes otherwise. host.docker.internal resolves to the host machine on Docker for Mac (and Docker for Windows); on Linux Docker it is not defined by default, so use the host's IP address instead, or add it with --add-host=host.docker.internal:host-gateway on Docker 20.10 or newer.

Step 6. Browse the PyPI Proxy Repo

Step 7. Go to the Firewall Report

Repo List

IQ Server Report

Step 8. Test Quarantine

Django 1.6 is affected by CVE-2014-0474, so to see it blocked you need Quarantine enabled in the Firewall capability you created in step 2 and the proxy action set to Fail (Proxy=Fail) on the Security-Critical policy in IQ Server. The version pin matters: without ==1.6 pip resolves to the latest Django release, which is not the vulnerable one.

pip install -v --trusted-host host.docker.internal --index-url http://host.docker.internal:8081/repository/pypi.python.org-proxy/simple django==1.6

Console Output

Repo List

IQ Server Report

Step 9. Notes

The NXRM Tree View shows the Quarantined component:

You can reproduce the 403 - Quarantined error by clicking on the "Path" link: http://host.docker.internal:8081/repository/pypi.python.org-proxy/packages/django/1.6/Django-1.6-py2.py3-none-any.whl

You can view the component information panel (CIP) right in NXRM
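As an added end-to-end example (not from this wiki page and not Sonatype's tooling), the script below combines steps 4 through 9 into one run inside the python container: it writes a pip.conf pointing at the proxy instead of using pip config set, installs selenium, expects the pinned django==1.6 install to fail, and then confirms the 403 on the wheel path shown in the tree view with curl. It assumes the NXRM host, port and repository name used on this page (host.docker.internal, 8081, pypi.python.org-proxy), all overridable through environment variables, and that curl is present in the container. The file name firewall-demo.sh is just a name chosen here.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): steps 4-9 of the PyPI Firewall demo
# as one script. Assumes NXRM is reachable from the container at
# host.docker.internal:8081 with a PyPI proxy repo named pypi.python.org-proxy
# (the values used on this page); override with the env vars below.
set -u

NXRM_HOST="${NXRM_HOST:-host.docker.internal}"
NXRM_PORT="${NXRM_PORT:-8081}"
NXRM_REPO="${NXRM_REPO:-pypi.python.org-proxy}"

# Base URL of the proxy repo, and the simple-index URL pip expects.
repo_url() {
    printf 'http://%s:%s/repository/%s' "$NXRM_HOST" "$NXRM_PORT" "$NXRM_REPO"
}
index_url() {
    printf '%s/simple' "$(repo_url)"
}

# Step 4 via a pip.conf instead of 'pip config set'. Writes the file at the
# given path; as root in the container, /etc/pip.conf is read by pip.
# Both keys live in the [global] section; trusted-host is needed because the
# proxy URL is plain http.
write_pip_conf() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<EOF
[global]
index-url = $(index_url)
trusted-host = $NXRM_HOST
EOF
}

# Map the HTTP status NXRM returns for a package file to a Firewall verdict.
# 403 is what NXRM returns for a quarantined component (see step 9).
classify_status() {
    case "$1" in
        200) echo "allowed" ;;
        403) echo "quarantined" ;;
        404) echo "not-found" ;;
        *)   echo "other:$1" ;;
    esac
}

# Fetch a URL and print only its HTTP status code.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

run_demo() {
    write_pip_conf /etc/pip.conf

    echo "== Step 5: selenium should install through the proxy"
    pip install selenium || { echo "selenium install failed"; return 1; }

    echo "== Step 8: django==1.6 (CVE-2014-0474) should be blocked"
    if pip install django==1.6; then
        echo "django 1.6 installed: Quarantine is not enabled or the policy action is not Fail"
        return 1
    fi

    # Step 9: confirm the 403 on the wheel path NXRM shows in the tree view.
    wheel="$(repo_url)/packages/django/1.6/Django-1.6-py2.py3-none-any.whl"
    verdict="$(classify_status "$(fetch_status "$wheel")")"
    echo "NXRM verdict for $wheel: $verdict"
    [ "$verdict" = "quarantined" ]
}

# Only talk to NXRM when asked explicitly, so the helpers can be sourced offline.
if [ "${1:-}" = "run" ]; then
    run_demo
fi
```

Run it inside the container as "bash firewall-demo.sh run". Without the run argument it only defines the helper functions, which keeps the config-writing and status-mapping pieces usable (and checkable) without an NXRM instance. A nonzero exit from the second pip install is the expected result when quarantine is working; if django 1.6 installs cleanly, go back to the capability in step 2 and the policy action in IQ Server before looking anywhere else.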
