Hey,
Due to the CircleCI incident we are rotating all our tokens and we are unable to revoke on of the tokens we use. Is there a way for an admin to see all the tokens that are used in the organization?
If not, can someone from Sonar please reach out to me. I already used your contact form, but they told me to post here.
Weâre having a similar issue, let me ask some more specific questions to expedite the solution:
Agreed with above, we need a way to rotate the SONAR_TOKEN regardless of what account âownsâ it.
Hi all!
Our tokens, even though they are known as SONAR_TOKEN, are associated with the users who create them in their accounts. There is no organizational token in SonarCloud. Each token is related to a user. We are using tokens to check whether the user associated with the token has the required permissions to analyze the project.
You can find the list of the tokens related to the user account under My Account/Security. All tokens of a user are equal. Any of them can be used as a SONAR_TOKEN to analyze a project for which the user has the required permission.
As mentioned, some tokens are auto-generated. We generate a new token on behalf of the user, in the project configuration page after a new project is created to be analyzed.
Since we donât store token secrets, it is not possible to show the secrets again after showing them for the first time.
What can you do now? All you need to do is to create a new token from a user account that has the required permission to analyze the project(s). Then you need to use this new token in your CI configuration. Since all tokens of a user are equal (have the same permissions because all of them are related to the user), the user can revoke the old tokens.
If you encounter a problem after revoking tokens, it means that you forgot to update a configuration in an environment. You just need to use the new token in these places as well.
Thank you for the reply Serhat.
Are there any options to revoke all tokens for all users on the organization level?
Unfortunately, we donât have any option for this currently. If we decide for the improvement that organization admins can list and revoke user tokens of their users, Iâll inform you here.
Hi Serhat,
I have tried using the API to list and revoke tokens but I get a permission error when I try to view any tokens other than my own. Do you have any idea what might be wrong?
curl -u <REDACTED> 'https://sonarcloud.io/api/user_tokens/search?login=some-other-user@github'
{"errors":[{"msg":"Insufficient privileges"}]}
My user account already has the âAdminister Organizationâ permission and is a member of the âOwnersâ group. Is there another level of permission I need or a specific user I need to run this as?
Iâve also tried using the api/users/search endpoint which has a tokensCount response field but it only seems to return that field (and several others such as the email and lastConnectionDate) for my own user and not for any other user.
Somewhat surprisingly, it also returns all users of SonarCloud, not just members of my organisation.
Hi @David_Keech
I apologize for the confusion in my last answer. I noticed that the expression of âadministration permissionâ in the endpoint docs refers to the system administrator permission, not the organization administrator permission.
Therefore, you cannot use these endpoints with the login parameter with your organization admin permissions.
If we decide and develop an improvement that the organization admins can also use these endpoints with the login parameter, I will inform you here.
Iâll update my last answer. And in order to avoid similar confusion, we will update these endpoint docs in a way that will clearly indicate the administrator.
OK, I see. Are âsystem administratorâ permissions something that only employees of SonarSource can have or is there a way for us to revoke tokens owned by other users within our organisation?
The most important thing for responding to the CircleCI incident is revoking the existing tokens that may have been compromised as soon as possible so that the malicious actors canât use them. If it isnât possible for us to revoke the tokens ourselves we will need an employee of SonarSource to do it for us. I would expect the other customers in this thread will want the same thing.
Hi @David_Keech
Yes, âSystem Administratorsâ are SonarSourcers. Although only the system admins can revoke other usersâ tokens, all users can revoke their own tokens.
hi Serhat,
What is the process to make a request to SonarSourcers to remove all of our userâs tokens, bar one (the new one weâll generate and replace in CircleCI)?
also, please take this as a feature request to allow admins to revoke all tokens for future cases where our secrets are compromised. Iâm sure all users on this thread can +1 this
Hi all,
Weâre aware of the CircleCI breach and the Sonar tokens you set there should be revoked.
After discussing with the team, we think that 2 options can be applied for this specific breach:
We are working on improving our token generation and managing processes. We will let you know of each update.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.