Overview of Sonar tokens used by users of the organization

Hey,

Due to the CircleCI incident we are rotating all our tokens and we are unable to revoke on of the tokens we use. Is there a way for an admin to see all the tokens that are used in the organization?
If not, can someone from Sonar please reach out to me. I already used your contact form, but they told me to post here.

2 Likes

We’re having a similar issue, let me ask some more specific questions to expedite the solution:

  1. Where can we find these keys? The only place I found was in My account > Security
  2. If that is the case, it’s like finding a needle in a haystack. We have 30 admins and each of them have their own personal tokens, most of them seem auto-generated (not sure how, if you could elucidate that would be appreciated). On top of that, there’s no way of knowing which secret we’re looking for. We do know from our CI provider the last 4 digits of the secret, but there’s no way of knowing that from sonarcloud, since the key info gets destroyed upon creation.
  3. Is there a place where we can find general organisation secrets?
  4. If we revoke these secrets and some of our pipelines get broken, what is the process for fixing that? We currently don’t know, since the secrets look like they’re auto-generated.

Agreed with above, we need a way to rotate the SONAR_TOKEN regardless of what account ‘owns’ it.

Hi all!

Our tokens, even though they are known as SONAR_TOKEN, are associated with the users who create them in their accounts. There is no organizational token in SonarCloud. Each token is related to a user. We are using tokens to check whether the user associated with the token has the required permissions to analyze the project.

You can find the list of the tokens related to the user account under My Account/Security. All tokens of a user are equal. Any of them can be used as a SONAR_TOKEN to analyze a project for which the user has the required permission.

As mentioned, some tokens are auto-generated. We generate a new token on behalf of the user, in the project configuration page after a new project is created to be analyzed.

Since we don’t store token secrets, it is not possible to show the secrets again after showing them for the first time.

What can you do now? All you need to do is to create a new token from a user account that has the required permission to analyze the project(s). Then you need to use this new token in your CI configuration. Since all tokens of a user are equal (have the same permissions because all of them are related to the user), the user can revoke the old tokens.

If you encounter a problem after revoking tokens, it means that you forgot to update a configuration in an environment. You just need to use the new token in these places as well.

1 Like

Thank you for the reply Serhat.
Are there any options to revoke all tokens for all users on the organization level?

Hi @Aleks_Bugrov

Unfortunately, we don’t have any option for this currently. If we decide for the improvement that organization admins can list and revoke user tokens of their users, I’ll inform you here.

Hi Serhat,

I have tried using the API to list and revoke tokens but I get a permission error when I try to view any tokens other than my own. Do you have any idea what might be wrong?

curl -u <REDACTED> 'https://sonarcloud.io/api/user_tokens/search?login=some-other-user@github'
{"errors":[{"msg":"Insufficient privileges"}]}

My user account already has the “Administer Organization” permission and is a member of the “Owners” group. Is there another level of permission I need or a specific user I need to run this as?

I’ve also tried using the api/users/search endpoint which has a tokensCount response field but it only seems to return that field (and several others such as the email and lastConnectionDate) for my own user and not for any other user.

Somewhat surprisingly, it also returns all users of SonarCloud, not just members of my organisation.

Hi @David_Keech

I apologize for the confusion in my last answer. I noticed that the expression of ‘administration permission’ in the endpoint docs refers to the system administrator permission, not the organization administrator permission.

Therefore, you cannot use these endpoints with the login parameter with your organization admin permissions.

If we decide and develop an improvement that the organization admins can also use these endpoints with the login parameter, I will inform you here.

I’ll update my last answer. And in order to avoid similar confusion, we will update these endpoint docs in a way that will clearly indicate the administrator.

OK, I see. Are “system administrator” permissions something that only employees of SonarSource can have or is there a way for us to revoke tokens owned by other users within our organisation?

The most important thing for responding to the CircleCI incident is revoking the existing tokens that may have been compromised as soon as possible so that the malicious actors can’t use them. If it isn’t possible for us to revoke the tokens ourselves we will need an employee of SonarSource to do it for us. I would expect the other customers in this thread will want the same thing.

Hi @David_Keech

Yes, “System Administrators” are SonarSourcers. Although only the system admins can revoke other users’ tokens, all users can revoke their own tokens.

hi Serhat,

What is the process to make a request to SonarSourcers to remove all of our user’s tokens, bar one (the new one we’ll generate and replace in CircleCI)?

also, please take this as a feature request to allow admins to revoke all tokens for future cases where our secrets are compromised. I’m sure all users on this thread can +1 this

1 Like

Hi all,

We’re aware of the CircleCI breach and the Sonar tokens you set there should be revoked.

After discussing with the team, we think that 2 options can be applied for this specific breach:

  1. All users of your organization can revoke all their tokens through SonarCloud website or Web API.
  2. The organization admin can remove the execute analysis permission from the users to find out users whose tokens are used in your CI after failing analysis. Then you can ask these users to revoke their tokens.

We are working on improving our token generation and managing processes. We will let you know of each update.