Azure Frontdoor WAF Managed Policy conflict with GitHub OIDC

  • which versions are you using:
    SonarQube 9.9.1-enterprise

  • how is SonarQube deployed:
    Azure App Service (Docker)

  • what are you trying to achieve:
    Link SonarQube with GitHub through OIDC. The running App Service instance of SonarQube is accessed through a DNS that is routed over Azure FrontDoor. On the FrontDoor, the WAF managed policies of Azure are active. Once these policies are active, login on SonarQube with GitHub is not possible anymore unless I deactivate the policies again.

Error: “You are not authorized to view this page. Please contact Administrator.”

Looks like the active policies block the protocol or some header values that are used for the exchange between sonar and github.

I’m using the Azure Default Rule Set 2.0.

  • what have you tried so far to achieve this:
    I tried disabling the Azure managed policies one by one to see which one causes the issue, and could get a few steps further. But it kept blocking parts in later stages.

Do you have any recommendation for such a scenario, and can you help me find the policies that are causing this issue?

Hey there.

Is it that you’re using GitHub - vaulttec/sonar-auth-oidc: OpenID Connect (OIDC) Plugin for SonarQube, or are you using a GitHub App for the authentication?

Hi Colin,

I guess the first one.
Basically, in SonarQube, from the menu bar select “Administration” and then in the sidebar select “Authentication”. There I selected the register “GitHub” and enabled the needed configs to connect to a GitHub organisation.

In that case, I would suggest raising an issue with the maintainer, as they are handling that interface between SonarQube and GitHub/OIDC. Issues · vaulttec/sonar-auth-oidc · GitHub

Hi Colin,
Had to cross-check: we actually do use a GitHub App. What I explained in the previous comment actually matches exactly what is explained in the URL you shared about the GitHub App.
What would be your suggestion then to proceed?
Thanks, F

Hi @Flavio_Caduff,

Note that there are 2 types of interactions with GitHub during authentication:

  • in the browser: basically the user is redirected on https://github.com/login/oauth/authorize, he authenticates and is redirected back to SONARQUBE_URL/oauth2/callback/github
  • once this has happened: SonarQube connects to GitHub directly to pull some information (Name and email). This is likely where it fails on your setup

What I suggest is to:

  • enable DEBUG logs
  • do an authentication process, and identify the SonarQube query ID corresponding to SONARQUBE_URL/oauth2/callback/github in access.log. For example this query:
0:0:0:0:0:0:0:1 - - [01/Jun/2023:15:51:41 +0200] "GET /oauth2/callback/github?code=0a37a7f149b4ea425c57&state=mrenq3tms7hqdoj6i8ad5vkc6f HTTP/1.1" 302 - "https://antoine.eu.ngrok.io/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0" "AYh3NUf3rDkenXw7AABN"

ID is AYh3NUf3rDkenXw7AABN (see at the end).

  • With this ID, extract from web.log entries that relate to this ID. Basically search for the string to see what happened during the processing of the query. There are some SQL queries (we don’t care), some HttpURLConnection to GitHub (look for them) and in the end the auth.event indicating login success or failure.
DEBUG logs when it works:
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.forceRedirectOnDefaultAdminCredentials(String)
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 0
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.auth.github.enabled(String)
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 1
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.auth.github.clientId.secured(String)
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 1
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.auth.github.clientSecret.secured(String)
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 1
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.core.serverBaseURL(String)
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 1
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.auth.github.webUrl(String)
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 0
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@498ea7428 pairs: {POST /login/oauth/access_token HTTP/1.1: null}{Authorization: Basic ***}{Content-Type: application/x-www-form-urlencoded}{User-Agent: SonarQube 10.1-SNAPSHOT # 147B411E-AYh3NPAYkVyfBt8o1p4V Java/17.0.5}{Host: github.com}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}{Content-Length: 131}
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@1d64875416 pairs: {null: HTTP/1.1 200 OK}{Server: GitHub.com}{Date: Thu, 01 Jun 2023 13:51:40 GMT}{Content-Type: application/x-www-form-urlencoded; charset=utf-8}{Transfer-Encoding: chunked}{Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame}{ETag: W/"d848c6f3aa9b385523aff2dbd57f5266"}{Cache-Control: max-age=0, private, must-revalidate}{Strict-Transport-Security: max-age=31536000; includeSubdomains; preload}{X-Frame-Options: deny}{X-Content-Type-Options: nosniff}{X-XSS-Protection: 0}{Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin}{Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events *.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ wss://*.actions.githubusercontent.com github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com 
camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com objects-origin.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/}{Vary: Accept-Encoding, Accept, X-Requested-With}{X-GitHub-Request-Id: 346C:61E1:C00CDA7:C2A1378:6478A26C}
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.auth.github.apiUrl(String)
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 0
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@35ff57266 pairs: {GET /user HTTP/1.1: null}{Authorization: Bearer ***}{User-Agent: SonarQube 10.1-SNAPSHOT # 147B411E-AYh3NPAYkVyfBt8o1p4V Java/17.0.5}{Host: api.github.com}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@2ee5e61e30 pairs: {null: HTTP/1.1 200 OK}{Server: GitHub.com}{Date: Thu, 01 Jun 2023 13:51:40 GMT}{Content-Type: application/json; charset=utf-8}{Content-Length: 1455}{Cache-Control: private, max-age=60, s-maxage=60}{Vary: Accept, Authorization, Cookie, X-GitHub-OTP}{ETag: "a9f7684db25ff78f0efae0c0078a9008430ab5c0985f73a18c70803af4c471b9"}{Last-Modified: Thu, 11 May 2023 12:21:26 GMT}{X-OAuth-Scopes: }{X-Accepted-OAuth-Scopes: }{x-oauth-client-id: Iv1.18f311e564c708b1}{github-authentication-token-expiration: 2023-06-01 21:51:40 UTC}{X-GitHub-Media-Type: unknown, github.v3}{x-github-api-version-selected: 2022-11-28}{X-RateLimit-Limit: 5000}{X-RateLimit-Remaining: 4932}{X-RateLimit-Reset: 1685629070}{X-RateLimit-Used: 68}{X-RateLimit-Resource: core}{Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset}{Access-Control-Allow-Origin: *}{Strict-Transport-Security: max-age=31536000; includeSubdomains; preload}{X-Frame-Options: deny}{X-Content-Type-Options: nosniff}{X-XSS-Protection: 0}{Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin}{Content-Security-Policy: default-src 'none'}{Vary: Accept-Encoding, Accept, X-Requested-With}{X-GitHub-Request-Id: 7437:70E0:8BCE67A:8D13540:6478A26C}
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.auth.github.organizations(String)
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 0
2023.06.01 15:51:40 DEBUG web[AYh3NUf3rDkenXw7AABN][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@273f23186 pairs: {GET /user/emails HTTP/1.1: null}{Authorization: Bearer ***}{User-Agent: SonarQube 10.1-SNAPSHOT # 147B411E-AYh3NPAYkVyfBt8o1p4V Java/17.0.5}{Host: api.github.com}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][s.n.w.p.h.HttpURLConnection] sun.net.www.MessageHeader@14aa80229 pairs: {null: HTTP/1.1 200 OK}{Server: GitHub.com}{Date: Thu, 01 Jun 2023 13:51:41 GMT}{Content-Type: application/json; charset=utf-8}{Content-Length: 222}{Cache-Control: private, max-age=60, s-maxage=60}{Vary: Accept, Authorization, Cookie, X-GitHub-OTP}{ETag: "00d6257421b4ca522d944cec8bea83c4f5ab59ce86c32c96fee0332490058d48"}{X-OAuth-Scopes: }{X-Accepted-OAuth-Scopes: user, user:email}{x-oauth-client-id: Iv1.18f311e564c708b1}{github-authentication-token-expiration: 2023-06-01 21:51:40 UTC}{X-GitHub-Media-Type: unknown, github.v3}{x-github-api-version-selected: 2022-11-28}{X-RateLimit-Limit: 5000}{X-RateLimit-Remaining: 4931}{X-RateLimit-Reset: 1685629070}{X-RateLimit-Used: 69}{X-RateLimit-Resource: core}{Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset}{Access-Control-Allow-Origin: *}{Strict-Transport-Security: max-age=31536000; includeSubdomains; preload}{X-Frame-Options: deny}{X-Content-Type-Options: nosniff}{X-XSS-Protection: 0}{Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin}{Content-Security-Policy: default-src 'none'}{Vary: Accept-Encoding, Accept, X-Requested-With}{X-GitHub-Request-Id: 7437:70E0:8BCE792:8D13673:6478A26D}
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.auth.github.groupsSync(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByExternalIdAndIdentityProvider] ==>  Preparing: SELECT sa.scm_account as "scm_account", u.uuid as uuid, u.login as login, u.name as name, u.email as email, u.active as "active", u.salt as "salt", u.crypted_password as "cryptedPassword", u.hash_method as "hashMethod", u.external_id as "externalId", u.external_login as "externalLogin", u.external_identity_provider as "externalIdentityProvider", u.user_local as "local", u.reset_password as "resetPassword", u.homepage_type as "homepageType", u.homepage_parameter as "homepageParameter", u.last_connection_date as "lastConnectionDate", u.last_sonarlint_connection as "lastSonarlintConnectionDate", u.created_at as "createdAt", u.updated_at as "updatedAt" FROM users u left outer join scm_accounts sa on sa.user_uuid = u.uuid WHERE u.external_id=? AND u.external_identity_provider=?
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByExternalIdAndIdentityProvider] ==> Parameters: 40755876(String), github(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByExternalIdAndIdentityProvider] <==      Total: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByExternalLoginAndIdentityProvider] ==>  Preparing: SELECT sa.scm_account as "scm_account", u.uuid as uuid, u.login as login, u.name as name, u.email as email, u.active as "active", u.salt as "salt", u.crypted_password as "cryptedPassword", u.hash_method as "hashMethod", u.external_id as "externalId", u.external_login as "externalLogin", u.external_identity_provider as "externalIdentityProvider", u.user_local as "local", u.reset_password as "resetPassword", u.homepage_type as "homepageType", u.homepage_parameter as "homepageParameter", u.last_connection_date as "lastConnectionDate", u.last_sonarlint_connection as "lastSonarlintConnectionDate", u.created_at as "createdAt", u.updated_at as "updatedAt" FROM users u left outer join scm_accounts sa on sa.user_uuid = u.uuid WHERE u.external_login=? AND u.external_identity_provider=?
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByExternalLoginAndIdentityProvider] ==> Parameters: antoine-sonarsource(String), github(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByExternalLoginAndIdentityProvider] <==      Total: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByLogin] ==>  Preparing: SELECT sa.scm_account as "scm_account", u.uuid as uuid, u.login as login, u.name as name, u.email as email, u.active as "active", u.salt as "salt", u.crypted_password as "cryptedPassword", u.hash_method as "hashMethod", u.external_id as "externalId", u.external_login as "externalLogin", u.external_identity_provider as "externalIdentityProvider", u.user_local as "local", u.reset_password as "resetPassword", u.homepage_type as "homepageType", u.homepage_parameter as "homepageParameter", u.last_connection_date as "lastConnectionDate", u.last_sonarlint_connection as "lastSonarlintConnectionDate", u.created_at as "createdAt", u.updated_at as "updatedAt" FROM users u left outer join scm_accounts sa on sa.user_uuid = u.uuid WHERE u.login=?
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByLogin] ==> Parameters: antoine-sonarsource(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByLogin] <==      Total: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByEmail] ==>  Preparing: SELECT sa.scm_account as "scm_account", u.uuid as uuid, u.login as login, u.name as name, u.email as email, u.active as "active", u.salt as "salt", u.crypted_password as "cryptedPassword", u.hash_method as "hashMethod", u.external_id as "externalId", u.external_login as "externalLogin", u.external_identity_provider as "externalIdentityProvider", u.user_local as "local", u.reset_password as "resetPassword", u.homepage_type as "homepageType", u.homepage_parameter as "homepageParameter", u.last_connection_date as "lastConnectionDate", u.last_sonarlint_connection as "lastSonarlintConnectionDate", u.created_at as "createdAt", u.updated_at as "updatedAt" FROM users u left outer join scm_accounts sa on sa.user_uuid = u.uuid WHERE lower(u.email)=? AND u.active=true
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByEmail] ==> Parameters: antoine.@sonarsource.com(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByEmail] <==      Total: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==>  Preparing: select p.prop_key as "key", p.is_empty as empty, p.text_value as textValue, p.clob_value as clobValue, p.component_uuid as componentUuid, p.user_uuid as userUuid from properties p where p.prop_key=? and p.component_uuid is null and p.user_uuid is null
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] ==> Parameters: sonar.auth.github.allowUsersToSignUp(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.p.P.selectByKey] <==      Total: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByLogin] ==> Parameters: antoine-84669(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByLogin] <==      Total: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByExternalIdAndIdentityProvider] ==> Parameters: 40755876(String), github(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.selectByExternalIdAndIdentityProvider] <==      Total: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.insert] ==>  Preparing: insert into users ( uuid, login, name, email, active, external_id, external_login, external_identity_provider, user_local, salt, crypted_password, hash_method, last_sonarlint_connection, reset_password, homepage_type, homepage_parameter, created_at, updated_at ) values ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.insert] ==> Parameters: AYh3OnqnkVyfBt8o1zz2(String), antoine-84669(String), Antoine (String), antoine.@sonarsource.com(String), true(Boolean), 40755876(String), antoine-sonarsource(String), github(String), false(Boolean), null, null, null, null, false(Boolean), null, null, 1685627501223(Long), 1685627501223(Long)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.insert] <==    Updates: 1
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.G.selectByUserLogin] ==>  Preparing: select g.uuid as uuid, g.name as name, g.description as description, g.created_at as "createdAt", g.updated_at as "updatedAt" from groups g inner join groups_users gu on gu.group_uuid = g.uuid inner join users u on u.uuid = gu.user_uuid where u.login=?
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.G.selectByUserLogin] ==> Parameters: antoine-84669(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.G.selectByUserLogin] <==      Total: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.G.selectByName] ==>  Preparing: select g.uuid as uuid, g.name as name, g.description as description, g.created_at as "createdAt", g.updated_at as "updatedAt" from groups g where g.name = ?
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.G.selectByName] ==> Parameters: sonar-users(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.G.selectByName] <==      Total: 1
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.insert] ==>  Preparing: insert into groups_users ( user_uuid, group_uuid ) values ( ?, ? )
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.insert] ==> Parameters: AYh3OnqnkVyfBt8o1zz2(String), AYh3NO9dkVyfBt8o1p4D(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.insert] <==    Updates: 1
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.s.u.NewUserNotifier] User created: antoine-84669. Notifying NewUserHandler handlers...
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.S.insert] ==>  Preparing: insert into session_tokens ( uuid, user_uuid, expiration_date, created_at, updated_at ) values ( ?, ?, ?, ?, ? )
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.S.insert] ==> Parameters: AYh3OnqukVyfBt8o1zz3(String), AYh3OnqnkVyfBt8o1zz2(String), 1685886701230(Long), 1685627501230(Long), 1685627501230(Long)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.S.insert] <==    Updates: 1
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.update] ==>  Preparing: update users set login = ?, name = ?, email = ?, active = ?, external_id = ?, external_login = ?, external_identity_provider = ?, user_local = ?, reset_password = ?, salt = ?, crypted_password = ?, hash_method = ?, homepage_type = ?, homepage_parameter = ?, last_connection_date = ?, last_sonarlint_connection = ?, updated_at = ? where uuid = ?
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.update] ==> Parameters: antoine-84669(String), Antoine (String), antoine.@sonarsource.com(String), true(Boolean), 40755876(String), antoine-sonarsource(String), github(String), false(Boolean), false(Boolean), null, null, null, null, null, 1685627501232(Long), null, 1685627501232(Long), AYh3OnqnkVyfBt8o1zz2(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.update] <==    Updates: 1
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.deleteAllScmAccounts] ==>  Preparing: delete from scm_accounts where user_uuid = ?
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.deleteAllScmAccounts] ==> Parameters: AYh3OnqnkVyfBt8o1zz2(String)
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][o.s.d.u.U.deleteAllScmAccounts] <==    Updates: 0
2023.06.01 15:51:41 DEBUG web[AYh3NUf3rDkenXw7AABN][auth.event] login success [method|OAUTH2][provider|EXTERNAL|GitHub][IP|0:0:0:0:0:0:0:1|165.225.94.93][login|antoine-84669]


Compare to understand at what point it’s failing and you should be able to take it from here.

Let us know what you found :wink:

Cheers
Antoine
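
The log correlation described in the post above, as an added example (not part of the original thread and not SonarSource code): it pulls the request ID of each `/oauth2/callback/github` hit from access.log, then lists the outbound `HttpURLConnection` calls and the `auth.event` logged under that ID in web.log. The function names are illustrative, the sample lines are abridged from the post or constructed, and `CONSTRUCTED-REQ-0002` is a hypothetical trace that stops before GitHub answers.

```python
import re

# access.log: the request ID is the last quoted field of the line.
ACCESS_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) .*"(?P<rid>[^"]+)"\s*$')
# web.log: "<date> <time> <LEVEL> web[<request id>][<logger>] <message>"
WEB_RE = re.compile(
    r'^\S+ \S+ [A-Z]+ +web\[(?P<rid>[^\]]*)\]\[(?P<logger>[^\]]+)\] (?P<msg>.*)$')
PAIR_RE = re.compile(r'\{([^{}]*)\}')  # one "{Name: value}" header pair


def callback_request_ids(access_lines, prefix="/oauth2/callback/github"):
    """Return (request_id, http_status) for every OAuth callback hit."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.search(line)
        if m and m["path"].startswith(prefix):
            hits.append((m["rid"], int(m["status"])))
    return hits


def trace(web_lines, rid):
    """Summarise outbound HTTP calls and the auth.event for one request ID."""
    calls, outcome = [], None
    for line in web_lines:
        m = WEB_RE.match(line)
        if not m or m["rid"] != rid:
            continue  # other requests, or wrapped continuation lines
        if m["logger"].endswith("HttpURLConnection"):
            pairs = [p.partition(": ")[::2] for p in PAIR_RE.findall(m["msg"])]
            if not pairs:
                continue
            key, val = pairs[0]
            if key == "null":  # response, e.g. {null: HTTP/1.1 200 OK}
                words = val.split()
                if calls and calls[-1]["status"] is None and len(words) > 1:
                    calls[-1]["status"] = words[1]
            else:  # request, e.g. {POST /path HTTP/1.1: null}
                parts = key.split(" ")
                if len(parts) >= 2:
                    calls.append({"method": parts[0], "host": dict(pairs).get("Host"),
                                  "path": parts[1], "status": None})
        elif m["logger"] == "auth.event":
            outcome = m["msg"]
    return {"calls": calls, "outcome": outcome}


def _a(path, status, rid):  # builds one constructed access.log line
    return (f'0:0:0:0:0:0:0:1 - - [01/Jun/2023:15:51:41 +0200] "GET {path} HTTP/1.1" '
            f'{status} - "-" "Mozilla/5.0" "{rid}"')


def _w(rid, logger, msg):  # builds one constructed web.log line
    return f"2023.06.01 15:51:40 DEBUG web[{rid}][{logger}] {msg}"


OK, BAD, H = "AYh3NUf3rDkenXw7AABN", "CONSTRUCTED-REQ-0002", "s.n.w.p.h.HttpURLConnection"
# Sample input: abridged from the post (OK) or constructed (everything else).
ACCESS_LOG = [
    _a("/api/system/status", 200, "CONSTRUCTED-REQ-0001"),
    _a("/oauth2/callback/github?code=x&state=y", 302, OK),
    _a("/oauth2/callback/github?code=x&state=z", 302, BAD),
]
WEB_LOG = [
    _w(OK, "o.s.d.p.P.selectByKey", "==> Parameters: sonar.auth.github.enabled(String)"),
    _w(OK, H, "pairs: {POST /login/oauth/access_token HTTP/1.1: null}{Host: github.com}"),
    _w(OK, H, "pairs: {null: HTTP/1.1 200 OK}{Server: GitHub.com}"),
    _w(OK, H, "pairs: {GET /user HTTP/1.1: null}{Host: api.github.com}"),
    _w(OK, H, "pairs: {null: HTTP/1.1 200 OK}{X-OAuth-Scopes: }"),
    _w(OK, H, "pairs: {GET /user/emails HTTP/1.1: null}{Host: api.github.com}"),
    _w(OK, H, "pairs: {null: HTTP/1.1 200 OK}"),
    _w(OK, "auth.event", "login success [method|OAUTH2][provider|EXTERNAL|GitHub]"),
    _w(BAD, H, "pairs: {POST /login/oauth/access_token HTTP/1.1: null}{Host: github.com}"),
    _w(BAD, H, "pairs: {null: HTTP/1.1 200 OK}"),
    _w(BAD, H, "pairs: {GET /user HTTP/1.1: null}{Host: api.github.com}"),
]

if __name__ == "__main__":
    for rid, status in callback_request_ids(ACCESS_LOG):
        t = trace(WEB_LOG, rid)
        print(rid, status, t["outcome"] or "no auth.event logged")
        for c in t["calls"]:
            print("   ", c["method"], c["host"], c["path"], "->", c["status"] or "no response")
```

Running the same summary on a trace captured with the WAF policies active and on one captured with them disabled gives the side-by-side comparison suggested in the post.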

Hi Antoine,

Thanks for your help.
After all, I got it working by disabling the following general managed rules on the WAF policies in Azure:

  • 920420 - Request content type is not allowed by policy
  • 931130 - Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link
  • 942340 - Detects basic SQL authentication bypass attempts 3/3
  • 200003 - Multipart request body failed strict validation

So far it seems to work and not block any connections between github and sonarqube anymore.

Best regards, Flavio
