SonarQube token validation

Hello,

Need help to configure a secure validation between Google Apigee Edge and a SonarQube endpoint. What policy do we need to set on the Apigee proxy endpoint and target endpoint to ensure the SonarQube token is authenticated and validated before executing the sonar task? The SonarQube application generates the token for scanning - https://docs.sonarsource.com/sonarqube/latest/extension-guide/web-api/

Passthrough from the pipeline to Google Apigee to SonarQube works fine, but is there any policy that we can set to ensure the token is validated before invoking the target?


I am not sure what problem you are hoping to solve here.

It sounds like you want to use Apigee to act as a facade in front of the SonarQube API.

What policy do we need to set on the Apigee proxy endpoint and target endpoint to ensure the SonarQube token is authenticated and validated before executing the sonar task?

Why would you want to do that? Why not let SonarQube validate the token? If I am understanding correctly, only SonarQube will know if the token is valid. So why not let SonarQube do that validation? Apigee doesn't have the right information to validate a token that is good for a 3rd party.

What negative consequence occurs if Apigee does not validate the token for SonarQube?

Thanks for the response! I agree that SonarQube will only know if the token is valid for the users and that this cannot be handled through Apigee. We wanted to have some level of validation when proxying through Apigee, just to ensure that the request is coming from an allowed source. Is there any way we can do header or body validation? IP whitelisting is not a valid option here as the IPs are dynamic.

We wanted to have some level of validation when proxying through Apigee, just to ensure that the request is coming from an allowed source.

Yes! That makes sense. I think

  • for the request from Apigee to SonarQube, SonarQube is responsible for authenticating and checking authorization. So Apigee needs to send a proper token for SonarQube, and SonarQube will validate it.
  • For the request from "something" to Apigee, again, there should be a token or credential presented by the "something" that Apigee can validate. This should not be the SonarQube token, but rather a token Apigee can validate. Maybe it is as simple as an API Key, or maybe it is a JWT payload containing the client id and the SonarQube token, signed with HS256 and using the consumer secret of the Apigee app as the key material. But something. And Apigee can then validate that something.
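The second bullet's JWT design, worked through as an added example (not code from the thread or from Apigee): the caller mints an HS256 JWT carrying its client id and the SonarQube token, keyed with the Apigee app's consumer secret, and the proxy-side check models what Apigee's VerifyJWT policy would do: look up the secret by client id, verify the signature and reject expired or wrongly signed tokens. Claim names `client_id` and `sonar_token`, the app registry and all secret/token values are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(client_id, sonar_token, consumer_secret, ttl=300, now=None):
    """Caller side: HS256 JWT with the client id and SonarQube token as claims,
    signed with the Apigee app's consumer secret (claim names are assumed)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"client_id": client_id, "sonar_token": sonar_token,
               "iat": now, "exp": now + ttl}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(consumer_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jwt(token, lookup_secret, now=None):
    """Proxy side: the check Apigee would perform before calling SonarQube.
    lookup_secret(client_id) returns the registered app's consumer secret or None.
    Returns the verified claims, or None if anything fails."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:                      # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":        # pin the algorithm; no "none", no confusion
        return None
    secret = lookup_secret(payload.get("client_id"))
    if secret is None:                      # unknown app: nothing to verify against
        return None
    expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time signature compare
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:   # expired or missing expiry
        return None
    return payload

if __name__ == "__main__":
    APPS = {"ci-pipeline": "constructed-consumer-secret"}   # constructed app registry
    tok = mint_jwt("ci-pipeline", "squ_constructed_token", APPS["ci-pipeline"])
    print(verify_jwt(tok, APPS.get))
```

Only after `verify_jwt` returns claims would the proxy forward the `sonar_token` claim to SonarQube, which still performs its own authentication of that token.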