Product Roadmaps / MMF-114

Authentication Tokens to upload analysis reports



    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed


      This MMF is the first step towards a wider use of API tokens to secure SQ web service calls.

      Here is the use case we want to cover:

      1. As a SQ admin:
        • I go to the "Users" page
        • I create a user named "sonar-analysis"
        • On this user, I have an action that allows me to generate a token (let's say only one for this first version) and store it in the DB
          • Once created, I can see this token in the UI and I have the possibility to revoke (= delete) it
        • I grant this user the "Execute Analysis" global permission because I want to use it to run SQ analyses
      2. As an ops:
        • I configure my CI builds to run (for instance) sonar-runner -Dsonar.login=<the_generated_token>, instead of passing a user login for sonar.login and a value for sonar.password

        • I expect the analysis to be successfully submitted to the server and processed
      3. As a hacker, if I manage to steal this API token (somehow):
        • I should not be able to successfully call the api/users/change_password WS and therefore I should not be able to change the password of the underlying user
        • I should not be able to call WS for which "sonar-analysis" has no permission

      Note: tokens are supposed to contain only characters that don't need to be encoded when passed in a URL. Following RFC 4648, we should use something like "Base 64 Encoding with URL and Filename Safe Alphabet" => https://tools.ietf.org/html/rfc4648#section-5
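As an added illustration of the use case above (not SonarQube's own code), the following sketch generates a token from the RFC 4648 section 5 alphabet, resolves and revokes it, and refuses the api/users/change_password call for a token-authenticated caller. The in-memory table, the "api/analysis/submit" web-service name and the choice to store only a SHA-256 hash of the token are assumptions made for the example.

```python
import hashlib
import re
import secrets
from typing import Dict, Optional, Set

# RFC 4648 section 5 alphabet (A-Z a-z 0-9 - _), no '=' padding, so the
# token can be passed as -Dsonar.login=<token> without URL encoding.
URL_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed stand-in for the DB table the MMF describes. Only the
# SHA-256 of the token is kept here (an assumption, not stated on the page).
_token_table: Dict[str, str] = {}

# Web services a token must never be able to call, per point 3 of the use case.
TOKEN_FORBIDDEN_WS = {"api/users/change_password"}

# Constructed mapping of web service -> required global permission.
REQUIRED_PERMISSION = {"api/analysis/submit": "Execute Analysis"}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def generate_token(user_login: str, nbytes: int = 32) -> str:
    """Create the (single) token for a user; return the plaintext once."""
    token = secrets.token_urlsafe(nbytes)  # base64url, padding stripped
    _token_table[_digest(token)] = user_login
    return token


def user_for_token(token: str) -> Optional[str]:
    """Resolve a presented token to its user login, or None if unknown/revoked."""
    if not URL_SAFE_TOKEN.fullmatch(token):
        return None
    return _token_table.get(_digest(token))


def revoke_token(token: str) -> bool:
    """Delete the token (the 'revoke' action in the Users page). True if it existed."""
    return _token_table.pop(_digest(token), None) is not None


def authorize(token: str, web_service: str, permissions: Dict[str, Set[str]]) -> bool:
    """Allow a token-authenticated call only for permitted, non-forbidden services."""
    user = user_for_token(token)
    if user is None or web_service in TOKEN_FORBIDDEN_WS:
        return False
    needed = REQUIRED_PERMISSION.get(web_service)
    return needed is not None and needed in permissions.get(user, set())
```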


              fabrice.bellingard Fabrice Bellingard