Due to the CircleCI incident we are rotating all our tokens and we are unable to revoke one of the tokens we use. Is there a way for an admin to see all the tokens that are used in the organization?
If not, can someone from Sonar please reach out to me. I already used your contact form, but they told me to post here.
We’re having a similar issue, let me ask some more specific questions to expedite the solution:
Where can we find these keys? The only place I found was in My account > Security
If that is the case, it’s like finding a needle in a haystack. We have 30 admins and each of them has their own personal tokens, most of which seem auto-generated (not sure how; if you could elucidate that would be appreciated). On top of that, there’s no way of knowing which secret we’re looking for. We do know from our CI provider the last 4 digits of the secret, but there’s no way of knowing that from SonarCloud, since the key info gets destroyed upon creation.
Is there a place where we can find general organisation secrets?
If we revoke these secrets and some of our pipelines get broken, what is the process for fixing that? We currently don’t know, since the secrets look like they’re auto-generated.
Our tokens, even though they are known as SONAR_TOKEN, are associated with the users who create them in their accounts. There is no organizational token in SonarCloud. Each token is related to a user. We are using tokens to check whether the user associated with the token has the required permissions to analyze the project.
You can find the list of the tokens related to the user account under My Account/Security. All tokens of a user are equal. Any of them can be used as a SONAR_TOKEN to analyze a project for which the user has the required permission.
As mentioned, some tokens are auto-generated. We generate a new token on behalf of the user, in the project configuration page after a new project is created to be analyzed.
Since we don’t store token secrets, it is not possible to show the secrets again after showing them for the first time.
What can you do now? All you need to do is to create a new token from a user account that has the required permission to analyze the project(s). Then you need to use this new token in your CI configuration. Since all tokens of a user are equal (have the same permissions because all of them are related to the user), the user can revoke the old tokens.
If you encounter a problem after revoking tokens, it means that you forgot to update a configuration in an environment. You just need to use the new token in these places as well.
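The rotation described above (create a new token, put it into CI, then revoke the rest), as an added Python example that is not from this thread or from SonarSource; it assumes the `api/user_tokens/generate`, `api/user_tokens/search` and `api/user_tokens/revoke` endpoints of the SonarCloud Web API, an assumed `BASE_URL`, and a constructed sample `search` response.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "https://sonarcloud.io"  # assumed host; adjust for your instance

# Constructed sample of an api/user_tokens/search body: names only, never secrets.
SAMPLE_SEARCH = {
    "login": "ci-user",
    "userTokens": [
        {"name": 'Analyze "my-project"', "createdAt": "2022-03-01T10:00:00+0000"},
        {"name": "circleci-2022", "createdAt": "2022-06-15T08:30:00+0000"},
        {"name": "rotated-2023-01-06", "createdAt": "2023-01-06T09:00:00+0000"},
    ],
}

def tokens_to_revoke(search_response, keep_name):
    """Every token name except the fresh replacement. All of a user's tokens carry
    the same permissions, so once CI uses the new one the rest can go."""
    names = [t["name"] for t in search_response.get("userTokens", [])]
    if keep_name not in names:  # never revoke blindly if the replacement is missing
        raise ValueError(f"replacement token {keep_name!r} not found")
    return [n for n in names if n != keep_name]

def _call(path, params, token, post=False):
    """Authenticated Web API call; the token goes in as the basic-auth user name."""
    query = urllib.parse.urlencode(params)
    req = urllib.request.Request(
        f"{BASE_URL}/{path}" if post else f"{BASE_URL}/{path}?{query}",
        data=query.encode() if post else None, method="POST" if post else "GET")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}

def generate_replacement(current_token, new_name):
    """Step 1: mint the new token. Its secret is returned only once, so put it
    into CI immediately (step 2), before anything is revoked."""
    return _call("api/user_tokens/generate", {"name": new_name}, current_token, post=True)["token"]

def revoke_all_but(new_token, new_name):
    """Step 3, only after CI is updated: authenticate with the new token (which also
    proves it works) and revoke every other token belonging to the same user."""
    revoked = []
    for name in tokens_to_revoke(_call("api/user_tokens/search", {}, new_token), new_name):
        _call("api/user_tokens/revoke", {"name": name}, new_token, post=True)
        revoked.append(name)
    return revoked
```

Run `generate_replacement` and `revoke_all_but` as separate steps so that the CI update sits between them; a pipeline that fails afterwards is one that still carries an old token.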
I’ve also tried using the api/users/search endpoint which has a tokensCount response field but it only seems to return that field (and several others such as the email and lastConnectionDate) for my own user and not for any other user.
Somewhat surprisingly, it also returns all users of SonarCloud, not just members of my organisation.
I apologize for the confusion in my last answer. I noticed that the expression of ‘administration permission’ in the endpoint docs refers to the system administrator permission, not the organization administrator permission.
Therefore, you cannot use these endpoints with the login parameter with your organization admin permissions.
If we decide and develop an improvement that the organization admins can also use these endpoints with the login parameter, I will inform you here.
I’ll update my last answer. And in order to avoid similar confusion, we will update these endpoint docs in a way that will clearly indicate the administrator.
OK, I see. Are “system administrator” permissions something that only employees of SonarSource can have or is there a way for us to revoke tokens owned by other users within our organisation?
The most important thing for responding to the CircleCI incident is revoking the existing tokens that may have been compromised as soon as possible so that the malicious actors can’t use them. If it isn’t possible for us to revoke the tokens ourselves we will need an employee of SonarSource to do it for us. I would expect the other customers in this thread will want the same thing.
We’re aware of the CircleCI breach and the Sonar tokens you set there should be revoked.
After discussing with the team, we think that 2 options can be applied for this specific breach:
All users of your organization can revoke all their tokens through the SonarCloud website or Web API.
The organization admin can remove the Execute Analysis permission from the users to find out, from the failing analyses, which users' tokens are used in your CI. Then you can ask these users to revoke their tokens.
We are working on improving our token generation and managing processes. We will let you know of each update.