How to revoke a token without knowing the user?

Hi,

I need to revoke a token but I does not know which user that token is associated with.

https://docs.sonarqube.org/latest/instance-administration/security/ mentions that I can manage the user’s token by going into the token’s of a user but what if I don’t know the user?

SonarQube Version 6.7

Hi @oschrenk,

welcome :slight_smile:
Out of curiosity, what’s the use case for that ?
Finally you may use a straight edit in Sonarqube database.
That’s what i used to change a bunch of projectnames, as this is not possible otherwise -
only the projectkey is editable.
That said, the Sonarqube database should be treated as a black box :wink:

Gilbert

A token was exposed (but not leaked) and revoking it is the right next step. Unfortunately we can’t trace the token back to any specific user account - all we have is the token.

Seems like a fairly typical if rare use case. Secret is exposed and needs to be revoked. Imagine a malicious attacker submitting reports and and all you have to go on are submissions. They won’t tell you their user name.

Hi,

OK, the user_tokens table has only token_hash, but maybe you could identify it via
the last_connection_date !? If you use the token in question, it’s last_connection date will be updated.

Gilbert

Hello :slight_smile:
Your problem is very easy to solve. How? Steps :smiley:

  1. create a new project on SonarQube
  2. execute a new analysis of anything by using the created project projectKey and the exposed token
  3. open project background tasks (Administration → Background Tasks) and read the user name

And this is how you will find the owner of the token (column Submitter) :wink:

Cheers

2 Likes

Hi,

good catch ! Was on the wrong track :pensive:
yes of course, dead simple

Gilbert

We tried that approach. We do not see a user name or submitter listed.

Is tthat approach dependent on a version > 6.7 ?

Hi,

Adam gave the answer I would have given, but after your reply I’ve checked the web services in 6.7.7 hoping that submitter was present in the web services even if not shown in the UI. It doesn’t seem to be there.

However, if I lift the veil on the-black-box-that-is-the-database I see a SUBMITTER_LOGIN column in the CE_ACTIVITY table. Maybe just this one time (:wink:) you can look directly in the DB for what you need.

… or you could upgrade. :smiley: This data is shown directly in the interface by 7.9, the latest version and current LTS.

 
HTH,
Ann

1 Like