How to revoke a token without knowing the user?

oschrenk · September 5, 2019, 5:02pm

Hi,

I need to revoke a token but I does not know which user that token is associated with.

https://docs.sonarqube.org/latest/instance-administration/security/ mentions that I can manage the user’s token by going into the token’s of a user but what if I don’t know the user?

SonarQube Version 6.7

Rebse · September 5, 2019, 5:17pm

Hi @oschrenk,

welcome
Out of curiosity, what’s the use case for that ?
Finally you may use a straight edit in Sonarqube database.
That’s what i used to change a bunch of projectnames, as this is not possible otherwise -
only the projectkey is editable.
That said, the Sonarqube database should be treated as a black box

Gilbert

oschrenk · September 6, 2019, 5:46am

A token was exposed (but not leaked) and revoking it is the right next step. Unfortunately we can’t trace the token back to any specific user account - all we have is the token.

Seems like a fairly typical if rare use case. Secret is exposed and needs to be revoked. Imagine a malicious attacker submitting reports and and all you have to go on are submissions. They won’t tell you their user name.

Rebse · September 6, 2019, 6:41am

Hi,

OK, the user_tokens table has only token_hash, but maybe you could identify it via
the last_connection_date !? If you use the token in question, it’s last_connection date will be updated.

Gilbert

agabrys · September 6, 2019, 11:55am

Hello
Your problem is very easy to solve. How? Steps

create a new project on SonarQube
execute a new analysis of anything by using the created project projectKey and the exposed token
open project background tasks (Administration → Background Tasks) and read the user name

And this is how you will find the owner of the token (column Submitter)

Cheers

Rebse · September 6, 2019, 2:01pm

Hi,

good catch ! Was on the wrong track
yes of course, dead simple

Gilbert

oschrenk · September 9, 2019, 3:18pm

We tried that approach. We do not see a user name or submitter listed.

Is tthat approach dependent on a version > 6.7 ?

ganncamp · September 9, 2019, 5:56pm

Hi,

Adam gave the answer I would have given, but after your reply I’ve checked the web services in 6.7.7 hoping that submitter was present in the web services even if not shown in the UI. It doesn’t seem to be there.

However, if I lift the veil on the-black-box-that-is-the-database I see a SUBMITTER_LOGIN column in the CE_ACTIVITY table. Maybe just this one time () you can look directly in the DB for what you need.

… or you could upgrade. This data is shown directly in the interface by 7.9, the latest version and current LTS.

HTH,
Ann

testworksau · June 17, 2021, 12:38am

Just for closure, in SonarQube 8.6+ you can call the api/user_tokens/search API with Basic Auth, specifying the token in the Username field.

The response contains the login that the token belongs to, and the response may contain more than one token.

In the case that there is more than one token associated with the account, you can figure out which token is which by looking at the lastConnectionDate field of the response; it will be set to the time of the api/user_tokens/search request.

ganncamp · June 17, 2021, 11:29am

Thanks @testworksau for a much better answer!

[insert notice about upgrading to 8.9 LTS here]

Ann

system · June 24, 2021, 11:29am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.