2021-12-07 14:09:36 +00:00
|
|
|
:PROPERTIES:
|
|
|
|
|
:ID: 1208f09c-d37d-4e6b-9110-151f3c6b7d34
|
|
|
|
|
:END:
|
2021-12-07 14:11:45 +00:00
|
|
|
#+TITLE: Cisco FT SecureX Simplified Registration
|
2021-12-07 14:09:36 +00:00
|
|
|
#+Author: Yann Esposito
|
|
|
|
|
#+Date: [2021-12-07]
|
|
|
|
|
|
|
|
|
|
- tags :: [[id:299643a7-00e5-47fb-a987-3b9278e89da3][Auth]]
|
|
|
|
|
- source :: https://github.com/advthreat/response/issues/821
|
2021-12-07 14:11:45 +00:00
|
|
|
- dashboard :: https://github.com/advthreat/iroh/projects/32
|
|
|
|
|
|
|
|
|
|
* Technical Plan
|
2021-12-07 14:13:30 +00:00
|
|
|
** Support private email vs public emails
|
2021-12-07 14:14:39 +00:00
|
|
|
|
|
|
|
|
The solution is to use a blacklist of domains where any user could create
|
|
|
|
|
multiple email accounts pseudo-anonymously.
|
|
|
|
|
|
2021-12-07 14:13:30 +00:00
|
|
|
** Support, search admin with same email domain
|
2021-12-07 14:16:58 +00:00
|
|
|
|
|
|
|
|
We should be able given an email from a user, to find all the orgs for
|
|
|
|
|
which at least one of its admin has a matching domain name.
|
|
|
|
|
|
|
|
|
|
1. Most efficient: add an invisible field =email-domain= to all users. This
|
|
|
|
|
should be lower-case, and we will need a migration.
|
2021-12-07 14:20:00 +00:00
|
|
|
Doing this we could have a faster match than using string related queries.
|
|
|
|
|
|
|
|
|
|
Problems, users can login in the same user, with the same public email with
|
|
|
|
|
different emails.
|
|
|
|
|
This should be rare.
|
2021-12-07 14:16:58 +00:00
|
|
|
|
2021-12-07 14:21:58 +00:00
|
|
|
2. Search via text match.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The algorithm should look a bit like:
|
|
|
|
|
|
|
|
|
|
#+begin_src clojure
|
2021-12-07 14:24:11 +00:00
|
|
|
|
|
|
|
|
;; only when this is an unknown user
|
2021-12-07 14:59:57 +00:00
|
|
|
;; so a single approval will prevent the user to see this page.
|
2021-12-07 14:21:58 +00:00
|
|
|
(let [user-email ,,,
|
2021-12-07 14:24:11 +00:00
|
|
|
domain (string/replace user-email #".*@" "")
|
2021-12-07 14:25:27 +00:00
|
|
|
users (matching-admins domain) ;; returns a potentially big list of admin users
|
|
|
|
|
indexed-orgs (group-by :org-id users)]
|
|
|
|
|
(vals indexed-orgs))
|
2021-12-07 14:21:58 +00:00
|
|
|
#+end_src
|
|
|
|
|
|
2021-12-07 14:58:36 +00:00
|
|
|
|
|
|
|
|
Once this list of orgs is found.
|
2021-12-07 14:59:57 +00:00
|
|
|
We should also check the list of pending or rejected OrgAccessRequest for this user in
|
|
|
|
|
order to prevent the user to request access multiple time.
|
|
|
|
|
|
2021-12-07 15:11:48 +00:00
|
|
|
** Support Org request to admins
|
|
|
|
|
|
|
|
|
|
We need to create another Entity for access request to an Org.
|
|
|
|
|
|
|
|
|
|
#+begin_src clojure
|
|
|
|
|
(s/defschema OrgAccessRequest
|
|
|
|
|
(st/merge
|
|
|
|
|
{:id UUID
|
|
|
|
|
:idp-mapping IdPMapping
|
|
|
|
|
:user-email s/Str
|
|
|
|
|
:org-id s/Str
|
2021-12-07 15:27:34 +00:00
|
|
|
:status (s/enum :pending :accepted :rejected)
|
|
|
|
|
:created-at DateTime}
|
2021-12-07 15:11:48 +00:00
|
|
|
(st/optional-keys
|
|
|
|
|
{:user-name s/Str
|
2021-12-07 15:27:34 +00:00
|
|
|
:user-nick s/Str
|
|
|
|
|
:approved-by UserId
|
|
|
|
|
:approved-by-email UserEmail ;; email of the approver
|
|
|
|
|
:updated-at DateTime
|
2021-12-07 15:29:04 +00:00
|
|
|
:approval-message s/Str ;; optional free text approver can write to justify rejection
|
2021-12-07 15:27:34 +00:00
|
|
|
})))
|
2021-12-07 15:11:48 +00:00
|
|
|
#+end_src
|
|
|
|
|
|
|
|
|
|
When a user request access to an organization.
|
|
|
|
|
We should create this object in DB.
|
|
|
|
|
|
2021-12-07 15:01:31 +00:00
|
|
|
** Support the mechanism to create a new Org Access Request
|
|
|
|
|
|
|
|
|
|
After the UserIdentity is known and after retrieving the matching orgs, and
|
2021-12-07 15:03:55 +00:00
|
|
|
matching org access requests for this UserIdentity.
|
|
|
|
|
|
|
|
|
|
We should allow the user to create new OrgAccessRequest.
|
|
|
|
|
The way to do this is to create a new POST endpoint.
|
|
|
|
|
As the user will not have any JWT at this point.
|
|
|
|
|
We might probably build a "UserIdentity JWT" and trust it.
|
|
|
|
|
So the webpage could make request on behalf of a UserIdentity and not a User.
|
|
|
|
|
|
|
|
|
|
There should be an endpoint:
|
|
|
|
|
|
|
|
|
|
#+begin_src http
|
2021-12-07 15:07:32 +00:00
|
|
|
POST
|
|
|
|
|
/iroh/iroh-auth/request-org-access
|
2021-12-07 15:06:07 +00:00
|
|
|
|
2021-12-07 15:07:32 +00:00
|
|
|
Accept: application/json
|
|
|
|
|
Content-Type: application/json
|
|
|
|
|
User-Agent: ob-http
|
|
|
|
|
Authorization: Bearer ${user-jwt}
|
2021-12-07 15:03:55 +00:00
|
|
|
|
2021-12-07 15:07:32 +00:00
|
|
|
{"org-id":"the-id-of-the-org-the-user-request-access-to"}
|
|
|
|
|
#+end_src
|
2021-12-07 14:58:36 +00:00
|
|
|
|
2021-12-07 15:14:01 +00:00
|
|
|
After this call the user-jwt should contain the following informations;
|
|
|
|
|
- =idp-mapping=
|
|
|
|
|
- =user-email=
|
|
|
|
|
- all other metas, as user-name, user-nick, etc…
|
|
|
|
|
|
|
|
|
|
With this, and if every check matches:
|
|
|
|
|
|
|
|
|
|
1. There is a known active admin of this org with an email with the same domain name
|
|
|
|
|
2. The org is active
|
|
|
|
|
|
2021-12-07 15:16:47 +00:00
|
|
|
We should:
|
|
|
|
|
|
|
|
|
|
1. create a new =OrgAccessRequest= object in DB.
|
|
|
|
|
2. Send emails (see next section)
|
|
|
|
|
|
|
|
|
|
** Email Notification of Org Request Accesses
|
|
|
|
|
|
2021-12-07 15:18:13 +00:00
|
|
|
1. List all the admins of the requested org.
|
2021-12-07 15:19:17 +00:00
|
|
|
2.a. If there is fewer admins than a number that could be configured in the
|
|
|
|
|
node configuration. Then we send an email to all admins.
|
|
|
|
|
2.b. If there are more admins than this specific number, then we randomly
|
|
|
|
|
chose this maximal number of admins and send them an email notification.
|
2021-12-07 15:16:47 +00:00
|
|
|
|
2021-12-07 15:21:46 +00:00
|
|
|
*TODO* Have an email template (both HTML and Text)
|
|
|
|
|
|
2021-12-07 15:19:17 +00:00
|
|
|
** Org Requests CRUD API for Admins of the Orgs
|
2021-12-07 14:30:29 +00:00
|
|
|
|
2021-12-07 14:38:46 +00:00
|
|
|
There should be a CRUD API restricted to the ~admin/user-mgmt/org-requests~ scope:
|
|
|
|
|
|
|
|
|
|
- ~GET /iroh/user-mgmt/org-requests~ list pending org access requests
|
|
|
|
|
- ~GET /iroh/user-mgmt/org-requests/<id>~ read a single org access request
|
|
|
|
|
- ~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
|
|
|
|
|
- ~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
|
2021-12-07 14:30:29 +00:00
|
|
|
|
2021-12-07 14:42:50 +00:00
|
|
|
*** List
|
|
|
|
|
|
2021-12-07 14:44:24 +00:00
|
|
|
~GET /iroh/user-mgmt/org-requests~
|
|
|
|
|
|
2021-12-07 14:56:39 +00:00
|
|
|
If no parameter is provided, only list pending =OrgAccessRequests= of the org
|
|
|
|
|
of the caller.
|
|
|
|
|
Otherwise we could pass the query-parameter =status= with the following
|
|
|
|
|
value(s):
|
2021-12-07 14:45:38 +00:00
|
|
|
|
|
|
|
|
- =pending=
|
|
|
|
|
- =accepted=
|
|
|
|
|
- =rejected=
|
2021-12-07 14:44:24 +00:00
|
|
|
|
2021-12-07 14:47:09 +00:00
|
|
|
Note we should probably support duplicate statuses.
|
|
|
|
|
Ex:
|
|
|
|
|
|
2021-12-07 14:48:14 +00:00
|
|
|
~GET /iroh/user-mgmt/org-requests?status=accepted&status=pending~
|
|
|
|
|
|
|
|
|
|
*** Read
|
|
|
|
|
|
|
|
|
|
~GET /iroh/user-mgmt/org-requests/org-request-id~
|
|
|
|
|
|
|
|
|
|
Should returns a 404 if not found or the single Org Access Request object.
|
2021-12-07 14:47:09 +00:00
|
|
|
|
2021-12-07 14:52:03 +00:00
|
|
|
*** Accept the Org Access
|
|
|
|
|
|
|
|
|
|
~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
|
|
|
|
|
|
2021-12-07 14:53:58 +00:00
|
|
|
The body should contain the role (either =admin= or =user=) with the following schema:
|
|
|
|
|
|
|
|
|
|
#+begin_src js
|
|
|
|
|
{"role":"admin"}
|
|
|
|
|
#+end_src
|
|
|
|
|
|
2021-12-07 14:52:03 +00:00
|
|
|
During the call, should:
|
|
|
|
|
|
|
|
|
|
1. Create a new user with:
|
|
|
|
|
|
|
|
|
|
#+begin_src clojure
|
|
|
|
|
{:user-id (gen-uuid)
|
2021-12-07 14:56:39 +00:00
|
|
|
:org-id (:org-id org-access-request)
|
2021-12-07 14:52:03 +00:00
|
|
|
:user-email (:user-email org-access-request)
|
|
|
|
|
:idp-mappings [(:idp-mapping org-access-request)]
|
|
|
|
|
:user-name (:user-name org-access-request)
|
|
|
|
|
:user-nick (:user-nick org-access-request)
|
2021-12-07 14:53:58 +00:00
|
|
|
:role (get-in request [:body :role])
|
|
|
|
|
:enabled? true
|
2021-12-07 14:52:03 +00:00
|
|
|
}
|
|
|
|
|
#+end_src
|
|
|
|
|
|
2021-12-07 15:20:31 +00:00
|
|
|
2. Send an email to user confirming his access was granted.
|
|
|
|
|
|
2021-12-07 15:21:46 +00:00
|
|
|
*TODO* have an email template
|
|
|
|
|
|
2021-12-07 15:25:50 +00:00
|
|
|
*** Reject the Org Access
|
|
|
|
|
|
|
|
|
|
~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access
|
|
|
|
|
|
|
|
|
|
The body should contain the role (either =admin= or =user=) with the following schema:
|
|
|
|
|
|
|
|
|
|
#+begin_src js
|
2021-12-07 15:29:04 +00:00
|
|
|
{"approval-message":"optional free text an admin could provide"}
|
2021-12-07 15:25:50 +00:00
|
|
|
#+end_src
|
|
|
|
|
|
2021-12-07 15:31:43 +00:00
|
|
|
This call should update the =OrgAccessRequest= object with the field
|
|
|
|
|
=approval-message= provided by the end user.
|
|
|
|
|
A great care should be made about removing every dangerous symbol in the
|
|
|
|
|
message in order to prevent any kind of attack from the approver to the
|
|
|
|
|
user requesting access. Typically, by putting an
|
2021-12-07 15:25:50 +00:00
|
|
|
|
|
|
|
|
2. Send an email to user confirming his access was granted.
|
|
|
|
|
|
|
|
|
|
*TODO* have an email template
|
2021-12-07 14:40:29 +00:00
|
|
|
** UI Revamp.
|
|
|
|
|
|
2021-12-07 14:41:35 +00:00
|
|
|
All the page shown during login are hosted in IROH.
|
|
|
|
|
So we should revamp all pages and we should probably, take great attention
|
|
|
|
|
to every shown webpage.
|
2021-12-07 15:21:46 +00:00
|
|
|
|
|
|
|
|
*TODO* have UI templates for every page of the workflow.
|
