Reset or rotate user token

venerayan · August 6, 2024, 2:05pm

Hi,

I’m doing a POC on Nexus Sonatype, so far so good on overall capabilities of the repository, the proxy, group and hosted. All nice but there’s not much information on the token reset or rotate, which is important now a days with security, there’s a link here,

https://help.sonatype.com/en/user-tokens.html

but there’s no CLI equivalent, and all similar link don’t have proper answer on how to really reset/rotate it using CLI. Even the creation CLI is not happening with my trial of 10 days.

Let me know if this is really possible so that I can recommned this product to be purchased with my company.

Thanks,
Ric

glee · August 8, 2024, 3:43pm

Hi Ric,

Thanks a lot for taking the time to do a POC and providing your feedback. Much appreciated! For user tokens, enabling/disabling, invalidating, checking capability status are all available with REST API:

Rotating and resetting aren’t currently available with REST API. Can you please provide a bit more details on your user case? I can bring this back to our account team to address your concern.

Best regards,
Grace

venerayan · August 8, 2024, 3:51pm

I’m inspecting the chrome on the “Reset User Token”, after I click it, it will reset the token and on the inspection/network, I will have this,

http://nexus-vm:8081/service/rest/internal/current-user/user-token?authToken=TC1QQnJhSXE6R0RsMmJoM2R2bWhrdzFGandqVEctQlB2c01JVVluZllPankxNzN2SklnSko==&_dc=1723131349520

Now the authToken is new, if you click the “Access User Token”, there are only usertoken and passcodetoken and the base64 converted token.

So how can we get this authToken? If I get this, then it should work, right? Or it is really disabled?

venerayan · August 12, 2024, 2:21pm

Even if the api is not available, it can be access inside the vm, the reason I’m familiar with this kind of approach, I did this with prometheus/openshift, the company I work before don’t have budget for metrics on container, the only they could do is someon who could retrieve it from prometheus, so even if there’s no api available since it will be executed inside (using ansible) vm, I could retrieve if by debugging thru chrome and getting the endpoint, but since we have already license with openshift/prometheus, there’s no problem asking for calculation on the session token, see below,

github.com

rv-openshift/dora/blob/main/library/get_metrics.py

#!/usr/bin/python
# -*- coding: utf-8 -*-

from __future__ import absolute_import, division, print_function
__metaclass__ = type

ANSIBLE_METADATA = {'metadata_version': '1.1',
                    'status': ['stableinterface'],
                    'supported_by': 'core'}

DOCUMENTATION = '''
---
module: get_metrics

short_description: Get the prometheus metrics on cpu avg per deploymentconfig and create metrics.json.

version_added: "2.9"

description:
    - This is a custom module to get the prometheus metrics on avg cpu of deploymentconfig per environment/all or per namespace with date ranges and put it in metrics.json.

This file has been truncated. show original

This is not REST-API but actual program-API. Hopefully you could give that authToken calculation on epoch, user-token, or others like ip?

Thanks.

venerayan · August 16, 2024, 1:34pm

I think I remember using Okta token integration will work?

venerayan · August 23, 2024, 8:05pm

My bad, the delete will do and create a new one or PUT.

venerayan · August 23, 2024, 8:16pm

But this,

[ric@nexus-vm ~]$ curl -kv -X 'GET'   'http://nexus-vm:8081/service/rest/v1/security/user-tokens'   -H 'accept: application/json'   -H 'NX-ANTI-CSRF-TOKEN: 0.5420273197246628'   -H 'X-Nexus-UI: true'
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 192.168.133.113...
* TCP_NODELAY set
* Connected to nexus-vm (192.168.133.113) port 8081 (#0)
> GET /service/rest/v1/security/user-tokens HTTP/1.1
> Host: nexus-vm:8081
> User-Agent: curl/7.61.1
> accept: application/json
> NX-ANTI-CSRF-TOKEN: 0.5420273197246628
> X-Nexus-UI: true
>
< HTTP/1.1 403 Forbidden
< Date: Fri, 23 Aug 2024 20:14:27 GMT
< Server: Nexus/3.62.0-01 (PRO)
< X-Content-Type-Options: nosniff
< X-Siesta-FaultId: 8a17a192-aef6-452a-8ebf-54cb9596ffd7
< Content-Length: 0
<
* Connection #0 to host nexus-vm left intact

Execute only in Nexus Sonatype UI? Even on the vm doesn’t execute?

venerayan · August 23, 2024, 8:58pm

This works,


[ric@nexus-vm ~]$ curl -kv -X 'DELETE'   'http://3sIzGUp6:XjePi6rAr2fzheQF7POvAS_Eg7-R718QOLDTsfpKCrgW@nexus-vm:8081/service/rest/v1/security/user-tokens'   -H 'accept: application/json'   -H 'NX-ANTI-CSRF-TOKEN: 0.5420273197246628'   -H 'X-Nexus-UI: true'
*   Trying 192.168.133.113...
* TCP_NODELAY set
* Connected to nexus-vm (192.168.133.113) port 8081 (#0)
* Server auth using Basic with user '3sIzGUp6'
> DELETE /service/rest/v1/security/user-tokens HTTP/1.1
> Host: nexus-vm:8081
> Authorization: Basic M3NJekdVcDY6WGplUGk2ckFyMmZ6aGVRRjdQT3ZBU19FZzctUjcxOFFPTERUc2ZwS0NyZ1c=
> User-Agent: curl/7.61.1
> accept: application/json
> NX-ANTI-CSRF-TOKEN: 0.5420273197246628
> X-Nexus-UI: true
>
< HTTP/1.1 204 No Content
< Date: Fri, 23 Aug 2024 20:57:46 GMT
< Server: Nexus/3.62.0-01 (PRO)
< X-Content-Type-Options: nosniff
<
* Connection #0 to host nexus-vm left intact
[ric@nexus-vm ~]$