├── .gitignore
├── LICENSE
├── PowerShell
│   └── TokenAdmin
│       ├── README.md
│       ├── Revoke-VSTSPATsJWTs.ps1
│       └── SampleUPNs.txt
├── README.md
└── SECURITY.md

/.gitignore:
--------------------------------------------------------------------------------
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore

# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/

# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# Visual Studio 2017 auto generated files
Generated\ Files/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUNIT
*.VisualState.xml
TestResult.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# Benchmark Results
BenchmarkDotNet.Artifacts/

# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/
**/Properties/launchSettings.json

# StyleCop
StyleCopReport.xml

# Files built by Visual Studio
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# Visual Studio Trace Files
*.e2e

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# JustCode is a .NET coding add-in
.JustCode

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json

# Visual Studio code coverage results
*.coverage
*.coveragexml

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs

# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak

# SQL Server files
*.mdf
*.ldf
*.ndf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# JetBrains Rider
.idea/
*.sln.iml

# CodeRush
.cr/

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc

# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config

# Tabs Studio
*.tss

# Telerik's JustMock configuration file
*.jmconfig

# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs

# OpenCover UI analysis results
OpenCover/

# Azure Stream Analytics local run output
ASALocalRun/

# MSBuild Binary and Structured Log
*.binlog

# NVidia Nsight GPU debugger configuration file
*.nvuser

# MFractors (Xamarin productivity tool) working folder
.mfractor/

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) Microsoft Corporation. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE

--------------------------------------------------------------------------------
/PowerShell/TokenAdmin/README.md:
--------------------------------------------------------------------------------
The `Revoke-VSTSPATsJWTs.ps1` script revokes all PATs created before `2018-07-12T12:30:00.000Z` that have any of the `vso.packaging`, `vso.packaging_write` or `vso.packaging_manage` scopes, or the global scope, and that belong to the selected UPNs with access to the specified VSTS account. It also disables all JWTs created before `2018-07-12T12:30:00.000Z` that have any of the `vso.packaging`, `vso.packaging_write` or `vso.packaging_manage` scopes, or the global scope, for the specified VSTS account.

To specify the list of UPNs, put the UPN of each user whose PATs you want to revoke in a text file on your local file system, one per line.

The script uses the VSTS Graph and TokenAdmin REST APIs to list PATs, to disable JWTs and to revoke PATs. To authenticate against these APIs, the script needs a valid PAT with the global scope for at least the VSTS account passed to the script. To [create a new PAT in VSTS](https://docs.microsoft.com/en-us/vsts/organizations/accounts/use-personal-access-tokens-to-authenticate?view=vsts#create-personal-access-tokens-to-authenticate-access) with these properties, follow these steps:
1. Sign in to your VSTS account (`https://{your_vsts_account}.visualstudio.com`).
2. From the top right corner of your home page, select your `Profile Picture` and go to `Security`.
3. On the left pane select `Personal access tokens` and in the center pane select `Add`.
4. Enter a `Description` for your new PAT, select the shortest expiration period for the `Expires In` field and select `{your_vsts_account}` in the `Accounts` field.
5. For `Authorized Scopes` choose `All scopes` and select `Create`.
6. Copy the PAT text displayed in the list of tokens.

Then you can run the PowerShell script with the following parameters:
```PowerShell
.\Revoke-VSTSPATsJWTs.ps1 -VSTSAccountName '{your_vsts_account}' -PAT '{your_new_pat}' [-UPNsFileLocation '{location_of_your_UPNs_file}']
```

For example:
```PowerShell
.\Revoke-VSTSPATsJWTs.ps1 -VSTSAccountName 'fabrikam' -PAT '{PAT_text}' -UPNsFileLocation '.\SampleUPNs.txt'
```

If the UPN that owns the PAT you used to run this script is in the UPNs file, and that PAT was created before `2018-07-12T12:30:00.000Z` with the global scope, that PAT will be revoked as well.

If the UPNs text file is not provided to the script, or if the file is empty, the script only disables the VSTS account JWTs.
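The following is an added dry-run helper, not code from the repository: it applies the same PAT selection rule the script uses (created before the cut-off, and carrying the global `app_token` scope or any packaging scope) to constructed sample records and shows what would be revoked, without calling the TokenAdmin API. `ConvertTo-UtcDateTime`, `Select-RevocablePat`, the sample records and their placeholder ids are this example's own; the field names follow the script.

```powershell
# Added dry-run helper (not part of the repository); reproduces the PAT selection
# rule of Revoke-VSTSPATsJWTs.ps1 without calling the revocations endpoint.
$cutoff = '2018-07-12T12:30:00.000Z'
$revocableScopes = 'app_token vso.packaging vso.packaging_manage vso.packaging_write'.Split(' ')

function ConvertTo-UtcDateTime {
    param([Parameter(Mandatory=$true)] $Value)
    # Get-Date turns an ISO 8601 'Z' timestamp into local time; a value with no
    # time zone designator is taken as already UTC
    $d = Get-Date $Value
    if ($d.Kind -eq [DateTimeKind]::Unspecified) { return [datetime]::SpecifyKind($d, [DateTimeKind]::Utc) }
    return $d.ToUniversalTime()
}

function Select-RevocablePat {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Pats,
        [Parameter(Mandatory=$true)] [string]   $CreatedBefore,
        [Parameter(Mandatory=$true)] [string[]] $Scopes
    )
    $before = ConvertTo-UtcDateTime $CreatedBefore
    foreach ($pat in $Pats) {
        $validFrom = ConvertTo-UtcDateTime $pat.validFrom
        if ($validFrom -gt $before) { continue }    # created after the cut-off: leave it alone
        # A PAT's scope is a space-separated list; one matching entry is enough
        $hit = @($pat.scope.Split(' ') | Where-Object { $Scopes -contains $_ })
        if ($hit.Count -gt 0) {
            [pscustomobject]@{
                authorizationId = $pat.authorizationId
                validFrom       = $validFrom
                matchedScopes   = ($hit -join ' ')
            }
        }
    }
}

# Constructed sample records with placeholder ids (not real VSTS tokens); one was
# created after the cut-off and one carries no matching scope
$samplePats = @(
    [pscustomobject]@{ authorizationId='id-1'; validFrom='2018-07-01T08:00:00.000Z'; scope='app_token' }
    [pscustomobject]@{ authorizationId='id-2'; validFrom='2018-07-10T09:15:00.000Z'; scope='vso.code vso.packaging_write' }
    [pscustomobject]@{ authorizationId='id-3'; validFrom='2018-07-13T00:00:00.000Z'; scope='vso.packaging' }
    [pscustomobject]@{ authorizationId='id-4'; validFrom='2018-06-30T12:00:00.000Z'; scope='vso.code vso.build' }
)

$selected = @(Select-RevocablePat -Pats $samplePats -CreatedBefore $cutoff -Scopes $revocableScopes)
Write-Host "Would revoke $($selected.Count) of $($samplePats.Count) PAT(s):"
$selected | Format-Table -AutoSize

# Body the script would POST to _apis/tokenAdmin/revocations for this batch (shown, not sent)
$body = ConvertTo-Json ([array]($selected | ForEach-Object { @{ authorizationId = $_.authorizationId } }))
Write-Host $body
```

Running this against the real `personalAccessTokens` listing before the script itself gives you a reviewable list of what the revocation run will touch.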

--------------------------------------------------------------------------------
/PowerShell/TokenAdmin/Revoke-VSTSPATsJWTs.ps1:
--------------------------------------------------------------------------------
param(
    [parameter(Mandatory=$true)]
    [string] $VSTSAccountName,

    [parameter(Mandatory=$true)]
    [string] $PAT,

    [parameter(Mandatory=$false)]
    [string] $UPNsFileLocation
)

$ErrorActionPreference = 'Stop'
# Cut-off instant (UTC): only tokens created before this are touched
$date = '2018-07-12T12:30:00.000Z'
# The JWT revocation rule takes the scopes as one space-separated string
$jwts_scopes = 'vso.packaging vso.packaging_manage vso.packaging_write'
# PATs are matched on any of these scopes; app_token is the global ("all scopes") PAT scope
$pats_scopes = "app_token $jwts_scopes".Split(' ')

if($UPNsFileLocation){
    # One UPN per line; a missing or empty file leaves $upns unset and skips PAT revocation
    $upns = Get-Content $UPNsFileLocation
}

# VSTS REST APIs accept a PAT as HTTP Basic credentials with an arbitrary user name
$token = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("PAT:$PAT"))
$headers = @{
    'Authorization' = "Basic $token"
}

# Maximum number of authorizationIds sent per revocations request
$pageSize = 990

# 1. Disable matching JWTs with a single revocation rule (scopes + createdBefore)
Write-Host 'Revoking JWTs...'
$uri = "https://$VSTSAccountName.vssps.visualstudio.com/_apis/tokenAdmin/revocationRules?api-version=5.0-preview.1"
$params = New-Object psobject -property @{
    'scopes' = $jwts_scopes
    'createdBefore' = $date
} | ConvertTo-Json
$r = Invoke-WebRequest -Method Post -Uri $uri -Headers $headers -Body $params -ContentType 'application/json'
Write-Host 'JWTs revoked'

if($upns){
    # 2. Resolve the listed UPNs to graph descriptors, following continuation tokens
    Write-Host 'Getting list of users in collection...'
    $baseUri = "https://$VSTSAccountName.vssps.visualstudio.com/_apis/graph/users?subjectTypes=aad,msa&"
    $continuationToken = $null
    $descriptors = do{
        $uri = $baseUri
        if($continuationToken){
            $uri = "$($uri)continuationToken=$continuationToken&"
        }
        $uri = "$($uri)api-version=5.0-preview.1"

        $r = Invoke-WebRequest -Method Get -Uri $uri -Headers $headers -ContentType 'application/json'
        # The graph API returns its continuation token in a response header
        $continuationToken = $r.Headers.'X-MS-ContinuationToken'

        $j = $r.Content | ConvertFrom-Json
        $j.value | ?{ $upns -icontains $_.principalName } | %{
            $_.descriptor
        }
    } while($continuationToken)
    Write-Host "Selected $(($descriptors | Measure-Object).Count) user(s)"

    # Compare creation times in UTC: Get-Date converts a 'Z' timestamp to local time
    $before = (Get-Date $date).ToUniversalTime()
    Write-Host 'Getting list of PATs from selected users...'
    # 3. List each selected user's PATs and keep those created before the cut-off
    #    that carry at least one matching scope
    $authorizationIds = $descriptors | %{
        $baseUri = "https://$VSTSAccountName.vssps.visualstudio.com/_apis/tokenAdmin/personalAccessTokens/$_/?"
        $continuationToken = $null

        do{
            $uri = $baseUri
            if($continuationToken){
                $uri = "$($uri)continuationToken=$continuationToken&"
            }
            $uri = "$($uri)api-version=5.0-preview.1"

            $r = Invoke-WebRequest -Method Get -Uri $uri -Headers $headers -ContentType 'application/json'

            $j = $r.Content | ConvertFrom-Json
            # Unlike the graph API, this endpoint returns the continuation token in the body
            $continuationToken = $j.continuationToken

            $j.value | ?{
                # Normalise validFrom to UTC before comparing (relabelling a local-time
                # value as UTC would shift the cut-off by the machine's time zone offset);
                # a value with no time zone designator is taken as already UTC
                $validFrom = Get-Date $_.validFrom
                if($validFrom.Kind -eq [DateTimeKind]::Unspecified){
                    $validFrom = [datetime]::SpecifyKind($validFrom, [DateTimeKind]::Utc)
                } else {
                    $validFrom = $validFrom.ToUniversalTime()
                }
                $validFrom -le $before
            } | ?{
                # PAT scope is a space-separated list; match if any entry is in $pats_scopes
                ($_.scope.Split(' ') | ?{ $pats_scopes -contains $_ } | Measure-Object).Count -gt 0
            } | %{
                $_.authorizationId
            }
        } while($continuationToken)
    }
    Write-Host "Selected $(($authorizationIds | Measure-Object).Count) PAT(s)"

    # 4. Revoke the selected PATs in batches of $pageSize authorizationIds
    Write-Host 'Revoking selected PATs...'
    if($authorizationIds){
        $uri = "https://$VSTSAccountName.vssps.visualstudio.com/_apis/tokenAdmin/revocations?api-version=5.0-preview.1"

        $authorizations = [array]($authorizationIds | %{ New-Object psobject -property @{'authorizationId'=$_} })
        $pages = [math]::Ceiling($authorizations.Length / $pageSize)
        0..($pages-1) | %{
            $params = ConvertTo-Json ([array]($authorizations | Select-Object -Skip ($_ * $pageSize) -First $pageSize))
            $r = Invoke-WebRequest -Method Post -Uri $uri -Headers $headers -Body $params -ContentType 'application/json'
        }
    }
    Write-Host 'PATs revoked'
}

--------------------------------------------------------------------------------
/PowerShell/TokenAdmin/SampleUPNs.txt:
--------------------------------------------------------------------------------
maria@fabrikam.com
john@fabrikam.com
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a
Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide
a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions
provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------

## Security

Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).

If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.

## Reporting Security Issues

**Please do not report security vulnerabilities through public GitHub issues.**

Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).

If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).

You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc).

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:

* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue

This information will help us triage your report more quickly.

If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).

--------------------------------------------------------------------------------