diff --git a/tracker.tmprXn6OX.org b/tracker.tmprXn6OX.org new file mode 100644 index 00000000..10987152 --- /dev/null +++ b/tracker.tmprXn6OX.org 
@@ -0,0 +1,1717 @@ +# Created 2021-12-21 Tue 12:02 +#+title: +#+author: Yann Esposito +* 2021 +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W03.org][2021-W03]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W04.org][2021-W04]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W05.org][2021-W05]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W06.org][2021-W06]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W07.org][2021-W07]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W08.org][2021-W08]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W09.org][2021-W09]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W10.org][2021-W10]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W11.org][2021-W11]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W12.org][2021-W12]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W13.org][2021-W13]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W14.org][2021-W14]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W15.org][2021-W15]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W16.org][2021-W16]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W17.org][2021-W17]] +** [[file:/Users/esposito/Library/Mobile 
Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W18.org][2021-W18]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W19.org][2021-W19]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W20.org][2021-W20]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W21.org][2021-W21]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W22.org][2021-W22]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W23.org][2021-W23]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W24.org][2021-W24]] +** [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/2021-W25.org][2021-W25]] +** 2021-W33 +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work" +#+caption: Table 1: Clock summary at [2021-10-28 Thu 18:16] +| Tags | Headline | Time | | | | +|---------------+----------------------------------------------+--------+------+------+------| +| | *Total time* | *6:19* | | | | +|---------------+----------------------------------------------+--------+------+------+------| +| | \_ 2021-W33 | | 6:19 | | | +| | \_ 2021-08-16 Monday | | | 1:52 | | +| work | \_ Fix Carlos Hidalgo account | | | | 0:20 | +| work | \_ create an issue about email... | | | | 1:32 | +| | \_ 2021-08-17 Tuesday | | | 2:48 | | +| work | \_ Add scope to TG clients | | | | 0:38 | +| work | \_ Write an issue about 1-click... 
| | | | 2:03 | +| work, chat | \_ Jyoti about CDO 1-click module setup | | | | 0:07 | +| | \_ 2021-08-19 Thursday | | | 1:39 | | +| work, meeting | \_ Interview Olivier Barbeau | | | | 1:39 | +#+end: + +*** 2021-08-16 Monday +**** DONE Fix Carlos Hidalgo account :work: +[2021-08-16 Mon 15:11] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*create an issue about email search case sensitivity][create an issue about email search case sensitivity]] +**** DONE create an issue about email search case sensitivity :work: +[2021-08-16 Mon 15:03] +- ref :: https://github.com/threatgrid/response/issues/818 + +***** Fix email case sensitivity + +> Related https://github.com/threatgrid/response/issues/818 + +We often need to search by email. The main issue being that, currently our +search mechanism does not support case insensitive matches. + +We have 4 possible solutions: + +1. Lower case the user email at creation. We need to also update the user + emails in our DB. The safest route to achieve this will be via the + iroh-migration service. +2. Keep the email case sensitive and add a new case insensitive field =lc-user-email= + for example. But same as for case 1, we need to perform a DB migration to + add this new field to all existing user in DB. +3. Add support for case insensitive search in tk-store, perhaps with a new + tk-store service, or improving current =CRUDStoreService.= +4. Add a specific service just for search user emails that could take care + of this specific case by using a Postgres specific query. This could + also be the occasion to provide a tk-store hole in the abstraction service. + +The simplest is probably option 1. +Option 2 would be slightly more complex and we would not lose any detail. +Option 3 seems the most generic one, and we could totally imagine we would +appreciate a case insensitive search support. +Option 4 looks like a specific case of 3. 
+ +My preference then goes to option 3, but we need to understand if this is +not too difficult to achieve, what would be the API? The most natural one +would probably add an option along =filter-map= like =case-insensitive-fields=. +One issue would be to write the support for case insensitive match for =atom= +and =redis=. + + +**** TODO Interview Steven Collins + +*** 2021-08-17 Tuesday +**** DONE Add scope to TG clients :work: +[2021-08-17 Tue 17:54] + +In tenzin config: + +#+begin_src +- INT: 34d94c8c-2041-4708-8172-ebe2df295ca7-2 +- TEST: f993f6a0-8075-43e0-a9e5-dae9c3980513 +- NAM: 7b8d9fef-bd93-4ef3-88af-ae4174ee02e5 +- EU: a1662193-9155-44fd-aa1f-43afd42c889c +#+end_src +**** DONE Write an issue about 1-click module setup :work: +[2021-08-17 Tue 15:51] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Activation Optimization][Activation Optimization]] +**** CHAT Jyoti about CDO 1-click module setup :work:chat: +[2021-08-17 Tue 15:44] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Epics][Epics]] + +*** 2021-08-19 Thursday +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp t :link t :tags t :narrow 36! 
:match "work" +#+caption: Table 2: Clock summary at [2021-08-19 Thu 17:43] +| Timestamp | Tags | Headline | Time | | | | +|------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---+------+------| +| | | *Total time* | *1:39* | | | | +|------------------------+---------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---+------+------| +| | | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-08-19 Thursday][2021-08-19 Thursday]] | | | 1:39 | | +| [2021-08-19 Thu 16:04] | work, meeting | \_ [[file:/Users/esposito/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Interview Olivier Barbeau][Interview Olivier Barbeau]] | | | | 1:39 | +#+end: + +**** MEETING Interview Olivier Barbeau :work:meeting: +[2021-08-19 Thu 16:04] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/Cisco.org.gpg::*Self Presentation][Self Presentation]] + +** 2021-W35 +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work" +#+caption: Table 3: Clock summary at [2021-10-28 Thu 18:15] +| Tags | Headline | Time | | | | +|---------------+---------------------------+--------+------+------+------| +| | *Total time* | *2:54* | | | | +|---------------+---------------------------+--------+------+------+------| +| | \_ 2021-W35 | | 2:54 | | | +| | \_ 2021-09-02 Thursday | | | 2:54 | | +| work, meeting | \_ Weekly meeting | | | | 2:54 | +#+end: + + +*** 2021-09-02 Thursday +**** MEETING Weekly meeting :work:meeting: +[2021-09-02 Thu 17:06] + +Guillaume start about the *Design Planning* github project. 
+ +- SecureX session +- High Impact Incident + +Sorry + +** 2021-W36 + +*** 2021-09-08 Wednesday +**** MEETING 1-click module setup weekly meeting :work:meeting: +[2021-09-08 Wed 17:30] +- ref :: https://miro.com/app/board/o9J_l57_gro=/ + +Miro dashboard from Chloe: + +https://miro.com/app/board/o9J_l57_gro=/ + + +Discussion: + +When to TEST, tomorrow. +Asking for client_id in TEST. + + +Client-id: client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06 + +*** 2021-09-09 Thursday +**** MEETING Interview: Florin Braghis :work:meeting: +[2021-09-09 Thu 15:49] + +** 2021-W37 +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work" +#+caption: Table 4: Clock summary at [2021-10-28 Thu 18:15] +| Tags | Headline | Time | | | | +|---------------+---------------------------+---------+-------+-------+-------| +| | *Total time* | *22:11* | | | | +|---------------+---------------------------+---------+-------+-------+-------| +| | \_ 2021-W37 | | 22:11 | | | +| | \_ 2021-09-14 Tuesday | | | 1:04 | | +| work | \_ Device Grant | | | | 1:04 | +| | \_ 2021-09-16 Thursday | | | 21:07 | | +| work, meeting | \_ Team weekly | | | | 21:07 | +#+end: + + +*** 2021-09-14 Tuesday +**** IN-PROGRESS Device Grant :work: +[2021-09-14 Tue 19:31] +- ref :: + +*** 2021-09-16 Thursday +**** MEETING Team weekly :work:meeting: +[2021-09-16 Thu 17:25] + +Ambrose, Irina, Guillaume, Matt, Yann + +TO MENTION: Device Grant with FMC => Public clients + +***** Incident discussion + +*** 2021-09-17 Friday +**** MEETING Presenting the projects :work:meeting: +[2021-09-17 Fri 14:32] +- ref :: https://github.com/advthreat/iroh/projects +. + +***** Pres + +****** General + +******* Project Organization + +Every project has an owner (main point of contact for the FT) +Now only leads, but could be anyone in the future. 
+ +****** [Design] Shared IROH Auth Session + +Goal of this Project which is not an official FT is to reflect and write +proposals to reach the feeling of a shared session across all Cisco +Security products via SecureX. + +- solution using cookies +- solution using Open ID Connect +. +****** [Design] High Impact Incident + +/Guillaume Ereteo/ made an awesome work to provide multiple proposals to be +able to deliver the feature as fast as possible. + +1. filter on source (only AMP) +2. Add severity on incident model +3. Incident with high impact via an IROH route: https://github.com/advthreat/iroh/issues/5710 + - needs the proxy from Ambrose + - need sync with engine team too + +****** SecureX Suite Session Improvement + +Delivered yesterday in v1.81 +Limit the number of interstitial pages between SecureX and CTR/SSE + +- For orbital, missing the Launch button, the back end work is done as we do + not need any SXSO app link. + +****** [HOLD] Cisco Secure Client Integration + +Still no work to be done by the IROH Services team + +****** Hiring + +Since last meeting two new hires will join us in next few weeks. +Kiril and Olivier. + +Kiril lives in Germany and Olivier in France. + +****** 1-Click Module Setup + +In progress integration by CDO and SWC + +/Irina/ worked to provide the vault metadata API for SWC. + +AMP is in the QA test phase. + +****** ModuleType updates + +Just saw the rename of "Threat Grid" into "Secure Malware Analytics" + +****** [HOLD] CTIA Hydrant support +****** CTIA Incident Manager Improvement +****** Bug Squashing + +- Fix a bug where a user could login to org that reject non-admin user login +- Fix a refresh token bug that would provide too much scopes to an access token +- Login Page url parsing potential discrepancy fixed + +****** [HOLD] ES 7 Migration +****** Device Insights Integration + +- Wanderson: Webhooks work, trigger a notification for every + module-instance configuration change. 
+ +****** AppLinks API +****** SSE API Extension & OAuth2 Device Grant +- FMC ⇒ public clients for Device Grants +****** Incident Assignment Notifications + +/Ambrose/ worked to make IROH a proxy to private intel for incident +assignments notifications. +Should be delivered in v1.82 + +** 2021-W39 +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work" +#+caption: Table 5: Clock summary at [2021-10-28 Thu 18:15] +| Tags | Headline | Time | | | | +|---------------+----------------------------+--------+------+------+------| +| | *Total time* | *6:30* | | | | +|---------------+----------------------------+--------+------+------+------| +| | \_ 2021-W39 | | 6:30 | | | +| | \_ 2021-09-29 Wednesday | | | 3:18 | | +| work, meeting | \_ Interview | | | | 3:18 | +| | \_ 2021-10-01 Friday | | | 3:12 | | +| work, meeting | \_ App Links | | | | 1:41 | +| work, meeting | \_ Secure Client | | | | 1:31 | +#+end: + + +*** 2021-09-29 Wednesday +**** MEETING Interview :work:meeting: +[2021-09-29 Wed 16:12] +- ref :: [[file:~/dev/ring-jwt-middleware/src/ring_jwt_middleware/core.clj::jwt-check-fn (s/=> s/Any s/Str JwtClaims)]] + +*** 2021-10-01 Friday +**** MEETING App Links :work:meeting: +[2021-10-01 Fri 17:26] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]] +**** MEETING Secure Client :work:meeting: +[2021-10-01 Fri 15:55] + +Meeting link: +https://cisco.webex.com/cisco/j.php?MTID=m5814a8530a0870a19a57230bfd6d4b0e + +** 2021-W40 +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! 
:match "work" +#+caption: Table 6: Clock summary at [2021-10-28 Thu 18:15] +| Tags | Headline | Time | | | | +|---------------+-----------------------------------------+---------+-------+-------+-------| +| | *Total time* | *38:18* | | | | +|---------------+-----------------------------------------+---------+-------+-------+-------| +| | \_ 2021-W40 | | 38:18 | | | +| | \_ 2021-10-05 Tuesday | | | 0:46 | | +| work | \_ Training Interviewing | | | | 0:46 | +| | \_ 2021-10-07 Thursday | | | 32:04 | | +| work, meeting | \_ DI blockers | | | | 23:32 | +| work | \_ support | | | | 1:16 | +| work, chat | \_ check continu | | | | 6:38 | +| work, chat | \_ support DI JWT signature | | | | 0:19 | +| work, support | \_ client update via admin for CMD | | | | 0:18 | +| work, chat | \_ Check webex matinal. | | | | 0:01 | +| | \_ 2021-10-08 Friday | | | 5:28 | | +| work, meeting | \_ IDB decomissioning | | | | 2:28 | +| work, meeting | \_ Customer Manager | | | | 3:00 | +#+end: + + +*** 2021-10-05 Tuesday +**** MEETING DI weekly :work:meeting: +[2021-10-05 Tue 15:30] + +#+begin_quote +From Yuri + +Hi, +Things I’d like to discuss on our today sync meeting: +1. The integration modules screen: + 1. When will all the modules be updated with the relevant text? + 2. When will all the modules be deployed to production? + 3. Same goes for the DI module? Need help in updating its text and taking it to production as well + 4. The filter by capability for device insights currently shows an empty result in production +2. Integration code + 1. Is there still some integration code that is pending? + 2. What is the status of https://github.com/advthreat/iroh/issues/5680? + ii. Any other open issues? + 1. Any blockers that you see for deploying to production? +3. Assets API QA? +#+end_quote + +1.a. doc team +1.b + +2.a + +**** IN-PROGRESS Training Interviewing :work: +[2021-10-05 Tue 14:44] +***** Past Perf Predict the Future + +*Behaviorial questions* + +- tell me about a time when... 
+- Where and how have you used ,,, to achieve ,,, +- Walk me through the system/process/etc... + +*Behavioral questions better* + +More specific to their experience, not generic. + +- concise +- clear +- relevant +- practiced +- tailored to the job + +***** Real Purpose of interviewing + +Predict whether or not they'd be successful in our company + +Evidence? +- Yes, specific examples +- Yes, demonstration + +What the candidate will think about the question. + +****** Clear on hiring criteria + +*skills & knownledge, attributes, achievements, motivations* + +targeted probing behavioral interviewing. + +Go deep, specific, examples. +Ask the *how* to detect liars, lack of honesty. + +- what ,,, what did you do, what was your role, etc... + Question need specific responses. + +Do brainteasers work? no +Use problem solving questions; how would you do/solve/etc...? + +Examples: + +- role play question. × +- problem they solved. ✓ + + +What work-related experience(s) changed your opinion(s) on something? + +****** On Question to rule them all? + +Combination question. +Find combo questions. + +*Probing* + +*** 2021-10-07 Thursday +**** MEETING DI blockers :work:meeting: +[2021-10-07 Thu 18:01] + +#+begin_quote +@Yuri: + +I’ve opened the issues there, still need to set priorities. +Here is the list of the issues I’m currently aware of that are important +for the release: + +1. https://github.com/advthreat/iroh/issues/5680 - didn’t open a new ticket for this one, since it already has tracking. + 1. Umbrella module - + 1. Allow configuring only DI relevant fields - https://github.com/threatgrid/response/issues/933 b. Placement of fields https://github.com/threatgrid/response/issues/934 c. Add explanations of DI relevant fields - https://github.com/threatgrid/response/issues/935 d. Umbrella doesn't send the external reference info - https://github.com/threatgrid/response/issues/936 + 2. 
filtering for the device insights SecureX modules in the Integration Modules screen - results in an empty set - https://github.com/threatgrid/response/issues/937 + +If you know of something else, please add here + +@Matt: +2.a is also tracked here https://github.com/advthreat/iroh/issues/5821 +#+end_quote + + +1. Doc discussion 30min +2. show time (Yuri share chat) + + + +**** IN-PROGRESS support :work: +[2021-10-07 Thu 16:45] +- ref :: https://github.com/threatgrid/tenzin/issues/1530 + +new-org + +#+begin_src js +{ + "id": "00000000-0000-0000-6473-000028fbaa95", + "name": "GATE/Tier3", + "enabled?": true, + "created-at": "2021-10-07T17:00:00.000Z", + "scim-status": "activated", + "additional-scopes": [ + "iroh-master:read", + "iroh-admin:read", + "iroh-master/tac", + "iroh-auth:read"] +} +#+end_src + +Idp Mapping INT/TEST + +#+begin_src js +{ + "idp": "sxso", + "user-identity-id": "00uox5862kEG8G0CD0h7", + "enabled?": true +} +#+end_src + +IdP Mapping PROD + +#+begin_src js +{ + "idp": "sxso", + "user-identity-id": "00u4dmbgyjnx4glS2357", + "enabled?": true +} +#+end_src + + +Users to invite: + + +#+begin_src js + +[{"invitee-email":"ashakarc@cisco.com","role":"admin"}, + {"invitee-email":"bmacer@cisco.com", "role":"admin"}, + {"invitee-email":"caknowle@cisco.com","role":"admin"}, + {"invitee-email":"cdeleanu@cisco.com","role":"admin"}, + {"invitee-email":"daphgalm@cisco.com","role":"admin"}, + {"invitee-email":"djanulik@cisco.com","role":"admin"}, + {"invitee-email":"bmahsan@cisco.com", "role":"admin"}, + {"invitee-email":"majacob2@cisco.com","role":"admin"}, + {"invitee-email":"sorianto@cisco.com","role":"admin"}, + {"invitee-email":"stabulic@cisco.com","role":"admin"}] +#+end_src + +**** CHAT check continu :work:chat: +[2021-10-07 Thu 10:07] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*support DI JWT signature][support DI JWT signature]] +**** CHAT support DI JWT signature :work:chat: +[2021-10-07 Thu 
09:45] +- ref :: https://github.com/advthreat/iroh/issues/5680 + +**** IN-PROGRESS client update via admin for CMD :work:support: +[2021-10-07 Thu 09:27] +- ref :: https://github.com/advthreat/iroh/issues/5827 + +Cisco Secure Email Cloud Mailbox + +- module NAM client-0be615ab-b0ff-4c12-8a85-f16c95e7d396 +- ribbon NAM client-e36ba40b-5710-402d-b036-ada6d7817c55 +- module EU client-6fc3230c-936a-40c1-ad73-f9f28700804e +- ribbon EU client-164688ee-cd5d-44b6-be3d-5e255955e969 + + +**** CHAT Check webex matinal. :work:chat: +[2021-10-07 Thu 09:26] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/notes/journal/2021/2021-10-07.org::*09:20][09:20]] +**** PAUSE Journal :pause: +[2021-10-07 Thu 09:20] + +*** 2021-10-08 Friday +**** MEETING IDB decomissioning :work:meeting: +[2021-10-08 Fri 20:33] +- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj][file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj]] + +- SSE side decomission + +Chander Goyal + +context; SX released as a platform, SSE had a PingFed ID Broker. +Also for CSA. + +We want to user IROH-Auth. +We want to use directly IROH-Auth. + +CSA Migration was launched. +SSE-side done. + +CSA should be completed very soon. +Let's not change PingFed. + +Nov 1919 -> nobody left in PingFed at SSE. + +Very limited knowledge. +The license was Cisco Wideside license. +end in 2022. + +We want to duplicate PingFed. +**** MEETING Customer Manager :work:meeting: +[2021-10-08 Fri 17:33] +- ref :: ,,, + +** 2021-W41 +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! 
:match "work" +#+caption: Table 7: Clock summary at [2021-10-28 Thu 18:15] +| Tags | Headline | Time | | | | +|------+----------------------------------------------+--------+------+------+------| +| | *Total time* | *1:35* | | | | +|------+----------------------------------------------+--------+------+------+------| +| | \_ 2021-W41 | | 1:35 | | | +| | \_ 2021-10-14 Thursday | | | 1:35 | | +| work | \_ Write Customer Manager doc | | | | 1:10 | +| work | \_ write attack on Webhooks with JWT... | | | | 0:25 | +#+end: + + +*** 2021-10-14 Thursday +**** IN-PROGRESS Write Customer Manager doc :work: +[2021-10-14 Thu 15:23] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*write attack on Webhooks with JWT from emitters][write attack on Webhooks with JWT from emitters]] +**** IN-PROGRESS write attack on Webhooks with JWT from emitters :work: +[2021-10-14 Thu 14:58] + +Attack using access_token/id_token from emitters and not webhook owner. + +Webhooks are a generic mechanism; but here we only focus on webhook used by +internal Cisco team integration. + +So the webhook mechanism should be used to push a trusted API that a +changed occurred in SecureX (typically module instance change). + +The call must be authenticated by the API. +The call should also optionally contain access/refresh tokens to the +destination so the integration team could access IROH as the event's +emitter user. + +The issue is that, nothing is explicitly done to prevent any user to get an +access/id token generated from the same client we use to forge the +authentication headers. +So it means, that a SecureX user from any org that could get access to its +own access token/id token (which is entirely possible, and easy to get for +DI as their client is public). +So any user could call the API endpoint to fake real webhook events, and +potentially using cross-tenancy/cross-user false events. + +So to mitigate this issue, we suggest to: + +1. 
Always use the owner of the webhook & the client of the team to build + id_tokens, (if possible not access_token). + The forged JWT should have a specific audience (this is already the case + for DI at least). The API team *MUST* check that the =sub= claim matches the + =owner-id= field of the webhook as well as verifying the JWT signature. +2. Provide the emitter tokens in the body of the HTTP call made during + webhook trigger. + + +- With 1, we prevent this cross-tenant/cross-user attack. +- With 2, we not only provide even more data than before but the team could +directly use the token without using the "custom route" to retrieve the +refresh token (as it is already provided in the webhook HTTP body) + +** 2021-W42 +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work" +#+caption: Table 8: Clock summary at [2021-10-28 Thu 18:15] +| Tags | Headline | Time | | | | +|-------------------+---------------------------------------------+--------+------+------+------| +| | *Total time* | *9:45* | | | | +|-------------------+---------------------------------------------+--------+------+------+------| +| | \_ 2021-W42 | | 9:45 | | | +| | \_ 2021-10-19 Tuesday | | | 6:59 | | +| work | \_ whitelist synopsis.com in TEST | | | | 6:59 | +| | \_ 2021-10-21 Thursday | | | 1:13 | | +| work, meeting | \_ Weekly IROH Service Team | | | | 0:09 | +| work, meeting | \_ FMC - Device Grant OAuth2 Flow Sync | | | | 0:24 | +| work, meeting, me | \_ Secure Client | | | | 0:40 | +| | \_ 2021-10-22 Friday | | | 1:33 | | +| work, meeting | \_ Engineering Team | | | | 1:33 | +#+end: + + +*** 2021-10-18 Monday +**** TODO Write Weekly todos :work: +[2021-10-18 Mon 10:56] +- ref :: +***** DONE Check Wanderson PRs/Webhooks +***** DONE Customer Manager Doc +***** DONE IROH-Auth tour +****** DONE Organize invitations for IROH-Auth tour + bugfix, etc... 
+***** DONE Discuss Exceptions organization +*** 2021-10-19 Tuesday +**** DONE whitelist synopsis.com in TEST :work: +[2021-10-19 Tue 09:04] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Olivier][Olivier]] + +*** 2021-10-21 Thursday +**** MEETING Weekly IROH Service Team :work:meeting: +[2021-10-21 Thu 17:16] +***** Remark to tell + +- Internal JWT generation, with/without client. +- Next week IROH-Auth tour probably record this. + + +**** MEETING FMC - Device Grant OAuth2 Flow Sync :work:meeting: +[2021-10-21 Thu 16:27] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Secure Client][Secure Client]] + +Updated Target Date. +No blocking issue or concerns. + +We just finish delivering the feature. + +Good to go for 7.2 release (in April). +Maybe maintenance release 7.0.2 in Feb. + +**** MEETING Secure Client :work:meeting:me: +[2021-10-21 Thu 15:32] + +Jyoti discuss with a document how the 1-click module setup +should work and the constraints to obey. + +*** 2021-10-22 Friday +**** MEETING Engineering Team :work:meeting: +[2021-10-22 Fri 17:03] + +- Working closely to finalize 1-click module setup to work. + We faced an issue in using the same client for both the ribbon and the + 1-click module setup. + This not really a blocker and a fix is in the way. + +** 2021-W43 +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags nil :narrow 36! 
:match "work" +#+caption: Table 9: Clock summary at [2021-11-03 Wed 10:24] +| Headline | Time | | | | +|----------------------------------------------+---------+-------+------+------| +| *Total time* | *19:46* | | | | +|----------------------------------------------+---------+-------+------+------| +| \_ 2021-W43 | | 19:46 | | | +| \_ 2021-10-25 Monday | | | 3:29 | | +| \_ IROH-Auth Overview | | | | 3:29 | +| \_ 2021-10-26 Tuesday | | | 4:35 | | +| \_ All Hands | | | | 0:48 | +| \_ AO | | | | 0:29 | +| \_ IROH-Auth tour | | | | 3:18 | +| \_ 2021-10-27 Wednesday | | | 0:19 | | +| \_ security | | | | 0:18 | +| \_ preparation IROH Auth Tour | | | | 0:01 | +| \_ 2021-10-28 Thursday | | | 2:33 | | +| \_ Weekly Team | | | | 0:51 | +| \_ SecureX + Secure Client + DI... | | | | 0:29 | +| \_ Weekly Sync: SecureX / Secure... | | | | 0:35 | +| \_ SSE =CCO_id= | | | | 0:38 | +| \_ 2021-10-29 Friday | | | 8:50 | | +| \_ AO disucssion + generic discusssions | | | | 1:00 | +| \_ Jyoti email about PROD module on INT | | | | 0:14 | +| \_ aide Matt URL encoding | | | | 0:50 | +| \_ code gen docs | | | | 2:48 | +| \_ Customer Manager doc | | | | 2:34 | +| \_ morning tour | | | | 1:06 | +| \_ configurable default sort | | | | 0:18 | +#+end: + +*** 2021-10-25 Monday +**** MEETING IROH-Auth Overview :work:meeting: +[2021-10-25 Mon 13:57] +- ref :: + + +- services/iroh-auth +- lib/iroh-web/{core.clj,compojure-api.clj} +- + +*** 2021-10-26 Tuesday +**** MEETING All Hands :work:meeting: +**** MEETING AO :work:meeting: +[2021-10-26 Tue 17:43] +- ref :: +**** MEETING IROH-Auth tour :work:meeting: +[2021-10-26 Tue 14:25] +- ref :: [[file:~/dev/iroh/dev-resources/config.edn::}}]] + +***** org-level entities (clients) +1. makes user-id/owner-id optional × +2. hack the User service, to create a fake org-level user. 
+ +#+begin_src clojure +(get-user org-id) + +=> {:user-id org-id + :org-id org-id + :role "admin" + :scopes ,,,,} +#+end_src + +search for entities, you should search for the owned entities + (if you are +an admin for the admin-level entities.) + +during the ~create-client~ to add the ability to create client with that +specific owner. + +Fun: filter-map => list of filter-map + + +#+begin_src clojure +;; inside an Org +{:addtional-scopes #{"cisco/user:read"}} +;; +{:addtional-scopes + {:user #{} + :admin #{"cisco/user:read"}}} +#+end_src + +****** Hidden migration + +(get-org ,,,,) + +****** IROH-Crud + +TK-Store => provide a minimalist abstraction to Databases. +IROH-CRUD => provide CRUD-only related abstractions +search that + +#+begin_src clojure +(search ,,,,) + +(iroh-crud/search-with-admin + {:,,,, :user-id xxx :org-id xxx}) +=> (tk-store/search {:filter-map [{:user-id xxxx ,,,} + {:user-id xxxx :org-id org-id}] + + }) +#+end_src + +****** update entities + +To decide later: + +1. any admin should be allowed to update the org-level entities. +2. some specific admin only should be allowed to update the org-level + entites (use another scope maybe?) + +Probably option 1. + +*** 2021-10-27 Wednesday +**** MEETING security :work:meeting: +[2021-10-27 Wed 17:03] + +xx + +auto loop + + +Proxy route + +**** IN-PROGRESS preparation IROH Auth Tour :work: +[2021-10-27 Wed 12:06] + +- Continue on "org-level entities" +- Doc on JWT client expectations +- :load-path "" Dispatch work +- Dig if necessary + +*** 2021-10-28 Thursday +**** Weekly Team :work:meeting: +[2021-10-28 Thu 17:01] +- ref :: +***** Agenda (to discuss about) + +***** Notes +****** G2 +ES deployed, start the migration +Old tenzin config pull-request I need to update. + +Ag moving to the last step to set the default fields, which are required +for ES7. + +Production Bug in CTIA investigate module + +Fixed the pagination. +default search was not consistent. +PR on CTIA. 
+Made this default search configurable per store. + +Ag, PR for the enrichment? + +Ambrose, ops related. + +@Jyoti discussion +****** Matt Integration + +- DI Irina working adding new auth in the module +- Yann fixed a security issue affecting Umbrella +- 1-click setup started to work on the org activation +- Mark work on SSE +- former_title field (rebranding guidelines) +- working on a bug in Umbrella, source URL are wrong +- log all proxy requests + +****** Auth + +Y + +(personal) +- IROH-Auth tour +- minor fix +- clean up SAML +- security bug fix + +*IROH-Auth* + +1. take a task +2. write PR doc +3. review PR doc +4. optional IROH-Auth tour webex(es) +5. code + +Q2: +- region switching API +- account switching inside each region +Q3: +- org-level entities + +*Big hidden work* +Working on OAuth2 bug. +A bit big PR, because will need a new service to store refresh tokens and +their metas. +And we should be able to migrate/update clients. + +*Security Bug Fix* +Chris Duane was happy, it was the first declared bug by Jimmy Miller. + +Olivier working on providing the API for the privacy team. + +Not 100% fixed, still a problem with paths. + +*AO migration to OIDC* +****** Jyoti +Questions about JWT used by DI, that call Orbital on behalf on someone +else. + +***** Actions + +- @Jyoti: should ask Yuri about which JWT are used. +- @Jyoti: AO for Q3 for the telemetry +**** SecureX + Secure Client + DI Integration :work:meeting: +[2021-10-28 Thu 16:32] +- ref :: https://cisco.webex.com/cisco/j.php?MTID=m3d2fe4735f7151dc690e000c8749ed0e + +***** Discussion +****** Abhishek + +- deployement +- Secure Client onboarding +- Secure Client always visible +- cannot read property from DI when adding module +- work on feature flag +. +@Paul: 1.84 today, so these fixes are going to be for date? +@Abishek: will more time to develop and test +. 
+****** Nirmesh Patel + +- Secure Client always visible, real issue + +**** Weekly Sync: SecureX / Secure Endpoint :work:meeting: +[2021-10-28 Thu 15:30] +- ref :: https://cisco.webex.com/cisco/j.php?MTID=m6563218d7c961e691f62c539fc645607 + +What remains? + +- Martin + +1-click module setup + +Restrict them to a region. +Who was impacted. + +Nov 13th, for the 1-click module setup is at risk to be delayed. + +- G2 + +no 1-click => nothing can happen + +Dependency to deploy Secure Endpoint. + +- Martin/Namrata + +Jyoti is in active conversation. + +- Martin/G2 + +Are we going to change the design? + +Martin: We don't know Yet + +- Vlad + +Pb with Region. + +An AMP tenant can only talk to 1 SecureX tenant. + +- Martin + +Maybe region selection. + +- Release Nov 11th +- Relesases v1.85 10-Nov + +. +***** Initiated SecureX 1-click module setup for Secure Endpoint + + +**** SSE =CCO_id= :work:discussion: +[2021-10-28 Thu 14:52] +- ref :: https://github.com/advthreat/iroh/discussions/5754 + +So after giving more thoughts on the subject. +Here are some scenarios: + +1. A person login via Okta with the email ~user-1@domain.com~ +2. This person want to connect his account, then he must login via Okta + again but using another Okta account ~user-1@smart-account.com~ for example. + +In this scenario there are two issues: + +The first is that we do not control the Okta session. +The Okta session will keep being the one for ~user-1@smart-account.com~. +When the user will launch another product he will not use his usual +~user-1@domain.com~ Okta session. + +The second, is that we should have a mechanism to understand that on the +second login, we don't want to login the user, but to merge two different +IdP accounts. + +Mainly we will need to develop a new workflow, so a user could merge +multiple IdP accounts to his current SecureX account. + +The implications are: + +- SecureX users should support multiple email addresses. 
(also note that + user login via TG have a non verified email addresses and are treated + separately on different login flows.) +- We need to support more metas data in the IdP Mappings in general, + (typically the =CCO_id=). Now, what if a user login multiple times, and has + two different IdP Mapping with a different =CCO_id=. +- We will need to provide a new route, that will present a new HTML page + similar to the login page but with subtle modifications. + We might, for example, negotiate another login buttons that will behave + differently (typically a login button forcing the user to use CCO). + +In the end, it means we should deliver a "Merge a new Login" flow to +SecureX Accounts. And it doesn't seem to be trivial. + +*** 2021-10-29 Friday +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link nil :tags t :narrow 36! :match "work" +#+caption: Table 10: Clock summary at [2021-10-29 Fri 18:39] +| Tags | Headline | Time | | | | +|--------------+----------------------------------------------+--------+---+------+------| +| | *Total time* | *8:50* | | | | +|--------------+----------------------------------------------+--------+---+------+------| +| | \_ 2021-10-29 Friday | | | 8:50 | | +| work, chat | \_ AO disucssion + generic discusssions | | | | 1:00 | +| work, email | \_ Jyoti email about PROD module on INT | | | | 0:14 | +| work, chat | \_ aide Matt URL encoding | | | | 0:50 | +| work | \_ code gen docs | | | | 2:48 | +| work | \_ Customer Manager doc | | | | 2:34 | +| work | \_ morning tour | | | | 1:06 | +| work, review | \_ configurable default sort | | | | 0:18 | +#+end: +**** CHAT AO disucssion + generic discusssions :work:chat: +[2021-10-29 Fri 18:39] +**** PAUSE :pause: +[2021-10-29 Fri 17:30] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Jyoti email about PROD module on INT][Jyoti email about PROD module on INT]] +**** EMAIL Jyoti email about PROD module on INT :work:email: 
+[2021-10-29 Fri 17:04] +- ref :: + +Hi Jyoti, + +I checked on INT and in our org, there is an AMP module configured with the +PROD URL. + +Chris told me we have a security requirement that no production customer +data can be in INT or TEST. + +Do you know why this is needed, and if we could use a QA1 URL instead? +And if not, do you know who we could ask to see if this is still needed? +If I remember correctly, I think it was used to help makes demos. + +Because of this I tend to be extra cautious about the +"allowed-login-origins" parameter (see +https://github.com/advthreat/tenzin-config/pull/505). + +I don't want our INT access token to be sent in the wild. +Even without this module linking to PROD I would prefer not to send the INT +JWT on 3rd party. +Because if https://vercel.app is compromised anyone will be able to access +our INT environment, generally with administrator privileges. + +Thanks, +Yann. +**** CHAT aide Matt URL encoding :work:chat: +[2021-10-29 Fri 16:14] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]] +**** PAUSE :pause: +[2021-10-29 Fri 16:08] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*code gen docs][code gen docs]] +**** IN-PROGRESS code gen docs :work: +[2021-10-29 Fri 16:07] +- ref :: [[file:~/dev/iroh/README.org::*Rebuild the generated doc][Rebuild the generated doc]] +**** CANCELED Customer Manager doc :work: +[2021-10-29 Fri 11:02] +- ref :: +**** morning tour :work: +[2021-10-29 Fri 09:56] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/inbox.org::*Fortuneo: Amundi World (CW8)][Fortuneo: Amundi World (CW8)]] +**** REVIEW configurable default sort :work:review: +[2021-10-29 Fri 09:33] +- ref :: https://github.com/threatgrid/ctia/pull/1163 + +** 2021-W44 + +*** 2021-11-03 Wednesday +#+begin: clocktable :scope subtree :maxlevel 4 :timestamp nil :link 
nil :tags t :narrow 36! :match "work" +#+caption: Table 11: Clock summary at [2021-11-03 Wed 18:16] +| Tags | Headline | Time | | | | +|-------------+------------------------------------+--------+---+------+------| +| | *Total time* | *7:13* | | | | +|-------------+------------------------------------+--------+---+------+------| +| | \_ 2021-11-03 Wednesday | | | 7:13 | | +| work | \_ Engagement pulse Teamspace | | | | 2:05 | +| work | \_ cleanup code | | | | 0:29 | +| work, email | \_ SSE potential bug | | | | 0:37 | +| work | \_ GH notif tour | | | | 0:27 | +| work, chat | \_ Discussion Guillaume | | | | 2:03 | +| work, email | \_ OIDC conf in Okta | | | | 0:01 | +| work, chat | \_ webex tour | | | | 1:31 | +#+end: +**** IN-PROGRESS Engagement pulse Teamspace :work: +[2021-11-03 Wed 16:11] +- ref :: [[file:~/dev/iroh/services/iroh-auth/test/iroh_auth/test_helpers/tk.clj:::conf (conf port)})]] +**** IN-PROGRESS cleanup code :work: +[2021-11-03 Wed 15:42] +**** EMAIL SSE potential bug :work:email: +[2021-11-03 Wed 15:05] +Hi Yann, + +We noticed that we have two tenants created in SSE APJ stack for the AMP +company ID (51ab0c3e-381b-4169-ab63-b031c685f441). +One of them with spID AMP-APJ (created on 2020-12-01 11:58:50 UTC) and the +other with spID SXSO (created on 2021-08-24 09:25:07 UTC). + +I see from the logs the user ID token that came to Anubis had “SXSO” +instead on AMP-APJ resulting in this state. +Wondering what caused the spID to change in the ID token from AMP-APJ to +SXSO on 2021-08-24 ? +Could there be a possible issue here ? 
+ +#+begin_src +TX_LOG 192.168.25.199 [2021-08-24T09:25:07Z] GET /scim/v2/Organizations?filter=spId+eq+SXSO+and+orgInfo.companyId+eq+51ab0c3e-381b-4169-ab63-b031c685f441 200 774 0.0076 aba74caa-ba90-43d3-b1d2-7066750a6754 - +#+end_src + + +**** IN-PROGRESS GH notif tour :work: +[2021-11-03 Wed 14:38] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-03 Wednesday][2021-11-03 Wednesday]] +**** CHAT Discussion Guillaume :work:chat: +[2021-11-03 Wed 10:00] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*OIDC conf in Okta][OIDC conf in Okta]] +**** EMAIL OIDC conf in Okta :work:email: +[2021-11-03 Wed 09:59] +**** CHAT webex tour :work:chat: +[2021-11-03 Wed 09:58] +<<<<<<< HEAD + +*** 2021-11-04 Thursday +**** MEETING Weekly meeting :work:meeting: +[2021-11-04 Thu 17:00] +- ref :: +***** Agenda (to discuss about) +Make a tour of everyone work. +***** Notes +Welcome + +Me. ... (see tracker .org) + git weekly +Olivier. PR for oauth2-client-demo, waiting for review +Matt. logs for proxy +- auditability of the proxy; kibana dashboard +Mark. SSE passthrough, and AO + +***** Actions +- review Olivier's PR +**** IN-PROGRESS Continu code cleanup :work: +[2021-11-04 Thu 15:40] +- ref :: https://github.com/advthreat/iroh +**** IN-PROGRESS update Secure Endpoint client :work: +[2021-11-04 Thu 15:38] +- ref :: https://github.com/advthreat/iroh + +Secure Endpoint (or AMP for Endpoint) + +=client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06= +**** MEETING Weekly Sync: SecureX / Secure Endpoint :work:meeting: +[2021-11-04 Thu 15:08] +- ref :: https://cisco.webex.com/cisco/j.php?MTID=m0a5157ed81ded94305da1bae743352fc +***** Agenda (to discuss about) +***** Notes +10-Nov: + +- AC6: on/off configuration within Secure Endpoint UI + +1-click module setup 8/9-Dec. 
+ +- retention of module ID and secureX org id in SE +- update of legacy module upon integration + +***** Actions +**** IN-PROGRESS code :work: +[2021-11-04 Thu 09:51] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*2021-11-04 Thursday][2021-11-04 Thursday]] +**** CHAT Webex chat tour :work:chat: +[2021-11-04 Thu 09:50] + +*** 2021-11-05 Friday +**** MEETING SecureX Registration :work:meeting: +[2021-11-05 Fri 15:33] +- ref :: https://github.com/threatgrid/response/issues/821 +***** Agenda (to discuss about) +- Discuss feature +- Find a date +***** Notes + +... bad org creation + +1. User has SXSO account don't have invitation + + Only show them active invitations. + If too many invitations in the DB. + +2. second workflow, check email domain + + if matches other orgs, present the orgs + asks for invitation + +3. Limit access from "public" email domain + +***** Actions +**** IN-PROGRESS tour :work: +[2021-11-05 Fri 11:09] +- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Code][Code]] +**** DONE Code :work: +[2021-11-05 Fri 11:08] +**** EMAIL Help John doing a cron :work:email: +[2021-11-05 Fri 09:09] +- ref :: mail: How can I query an IROH endpoint programatically? + +#+begin_quote +On 4 Nov 2021, at 22:23, John Jardine (johjardi) wrote: + +Hi, + +To support iroh-incident scaling based on a queue-depth metric ( Tenzin Issue 1553 ) I am thinking about creating a task that will be run every N minutes to query the endpoint. To do this the task would have to authenticate and I don’t know how to do that for an automated tool. Not sure if the route makes a difference, the metrics are available here: /iroh/admin/queue/status-report/incidents + +Can you give me any guidance or point me to any docs on how to do this? + +Thanks, +John J. 
+#+end_quote + +John, + +The endpoint will not be =/iroh/admin/…= but =/admin/…= which mean it is only +reachable via the VPN, but I guess you will make the request from the +internal network. +So you should be able to reach https://iroh-adm.int.iroh.site/admin/ +directly. + +In order to make a call you need an OAuth2 client with the following scope: + +=iroh-master/queue/incidents:read= + +I created one client per environment for you; + +- INT (client-79d54f25-2a71-4bcb-b057-001f53091b2f) +- TEST (client-c1a00641-45e0-4090-b80e-ce87b35a84b3) +- PROD NAM (client-22b0f44f-3d7e-4b14-a11b-5cfa35f86b83) +- PROD EU (client-b56530b0-b16c-40b2-bb77-850e32e06e8b) +- PROD APJC (client-502fb0a3-605c-4b1b-b91d-07980d5a1f2f) + +I used the same password for all of them. + +***** Password + +The password is here: + +-----BEGIN PGP MESSAGE----- + +hQIMA2UoHNQCOfATARAAsDn3KJpJprlK60eUi2C4ol/2B5iCpIud6oYkeAB09yGe +Wt8ditdZdLKt+EV+Jw8QB6O+WDKl2+fN0IZGVzmzSehf6+ittlNUdeX2qJxx6RoE +Btw2VdcZIj9gzFxYf9Y9rf/9Zpp0Yc/NRBK9kKAwnPbMO0lytHUsWKTA8OcfBawZ +mOzcnhOpZeUxneEn1LKbiBSMfGsWQnPnUfme8vSwrnP3vOrgSio5rL3LwLsIz4Bq +z7yFdq8HBiF6z7NfJaxJZBljO/YDmYfjnwq024s24E+Fn9Bsdra85h1smGj+QIVE +hVIvU8fU6s8MpWuvQVNBFQXoF5IqxfaH4Z0p8as0X3qSmd4f8x3P/XdmklGAzUQ9 +Za5SDn1mkJJvVK6jCRC8uf+M8nufZU/ORcFqu6eVc9WWgDJYIc93vyNMWKBnCoYl +6GMC/IpKtveWUBaa28V76sSjjunv9gNHmYNGjwoLqd7lCLKppoQtPNwVFmHKJ16o +iW0rVYoIypleOuevkEn3barYy1N6wxhZrFcHOqUMWH+kZnPjDHcTOQxCEyYDVULw +uQclzZinR1vF4PeLIdFn74n2npXjFkCkaZa0ev10QROo1Tk4O+uv+5vAFVjsm5Fh +RT3eXVGu87qnDu67fWTQjV2F7tLvYAAYdb47N9OyQjQoglPYdvqfoRFufL7oNluF +AgwDfS7loNnfM+IBEACVwXlc001cWQw9f8AV37sySKWyhB9N4SG175lu7+T9DtwH +/WDEgYERv9Fhcg7EwVclSFwUreg/PmY8cazIc1Sy6Z+Nv2TH4rp17jcy7zlZCZMT +/twmW2MvgXS42qnb7jcvb3jQ9YTJs6fHV+PCMEsfjYKq+aSGr/ton/zFGqPIcLtF +G3vZ62cyoxYebSNwXMkB9W+2t30Cg0xpTwas+3V7dkscB+sIU+KIoTsD2AqMfgyW +Cia/U8H22qZiz8ugeod/gdsZytj4e5k72Yo2fm6owpHi4i+V/p333QbbP1G1/bzo +nfUh7wT4jiApUbrJIDWebsJqi9bv3z8zLiy72BRATgRM2vd3b1Q0y83/PcC+XkT2 
+l3/GRRScqM9ewVziol/BzSH1jBj6oA/3VJil8YEZsNhGhX15Bs9ZLwAy2HLSzJ8G +8nVxNk6P0RRhD9m+Ue4Zb5PsH7CG21WOZTGWn/I9UXCHl7LnO4yT+qfESNDDzodF +F7Zo7E5yheTLRsXxp1f4c5cGoZvgDU293s/U3DhZt5Y6z5vN3L/IDkBap2X6OWkp +/HfIy3L0rvKwoYn3w8x+uCO0DpzUuZnjLpdarPhTWkiVj8uQkU80t3snHpvlwjEv +Hzcuzz2XkDWwzlaJEUuUJ1+my6a41fDHdNHYqSryrVLkpMLxwz1PqNi3NomhG9Lp +ARM67Ggjb520Cf5pmyj5cBZK57FMPwN2H/blT5GRcjFyfzl7H7Y+Fq9etcnZMIv+ +mJAFpqCoHasnEQKL5D4huxQDEsXqLvxO3/u79GU1w0AQgqg7KJLP6b3DRWAWI/Kl +7MK95j5EPrrvl69AErdCOH+Pfqvzi1CDb4Zy2lKuMGGQRgqyLubIIdZQkzX6YLD+ +xuxxyiQ+P2imToe1KGGX39AFbdXuakqBgKiSLEU7MWwEAEd/LfDuuGV+aiJ83SZI +ZWZGSe5ThdAsdWoHYcCtFgynhd+QnN5hW//ODNU8IeIPhjZRUxe2CQbAEQgfUXif +vHn+JfcSo1pf7BcOnzTOlgTqFn6NmX/SYlAL1kpG2YwcJFK3ZRK2a/0db3DbeLXp +2Nk40WD1tOdt8FDZHOXYRXFhmV6K/nEf56g7XMHnaESeEsQtzFvIq+SSxx0IkS+h +gaoAO+Mz9SKoxWcabTBHimhDxqemmtDbTdk7iHQZZhmei0DJxSdxWzwj9nYeKggK +aBxof2wuZAnki3nTlpy+p6S2S/TxP3wSZ9wMkBNkYRzWpTD5+fEqOhHtLgtyp2/M +a6YrH4b1uvk86Sz4Uk18ZuvdgoVMx5UjUnmfRxEWNrZEhatr+y4nH1PPCVsVPvXO +N3AyHCJWYGwUe+AXNegKJ8QJr/a+T2U/rVCujVoCUBGqebtm5L0RV9+1xCWmyeog +wuGXF5duRcdMNr+dAHvrdUhQIyBm4cFWYHM97lP0HkOcOM+wJjSDmT5VorCW952g +LPANVlddb4vO1TXvwjw7+yZFcpYH9pZtIC1Wp5a+UMvPewoPY2xZfh1ZsVJxUqp9 +FNHFEvRJuZzq80MIGY9s1rXrKiuAWJDGqEN8rlObuwNFrFfrDLDUgEhply/3Qcvi +n73Ag7cleOs7yF4= +=iyzN +-----END PGP MESSAGE----- + +***** How to use + +I made a demo shell script for INT: + +#+begin_src bash +#!/usr/bin/env bash +CLIENT_ID="client-79d54f25-2a71-4bcb-b057-001f53091b2f" +CLIENT_SECRET="..." 
+ACCESS_TOKEN=$(curl -s -X POST "https://visibility.int.iroh.site/iroh/oauth2/token" -d "grant_type=client_credentials" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -u "$CLIENT_ID:$PASSWORD"|jq '.access_token'|sed 's/"//g') +curl -X GET "https://iroh-adm.int.iroh.site/admin/queue/status-report/incidents" -H "accept: application/json" -H "Authorization: Bearer $ACCESS_TOKEN" +#+end_src + +returns + +#+begin_src bash +❯ ./demo.sh +[{"queue-name":"incident-sessions","total-sessions":0,"total-processing-sessions":0,"total-pending-sessions":0,"factor-increase-needed":0}] +#+end_src + +What this does is: + +1. retrieve an access token with the client (client-id + client-password) +2. Call the =/admin/queue/status-report/incidents= route + +An important remark; notice the domain name is different between the admin +and non admin calls. For INT and TEST, you just need to replace +visibility by iroh-adm. +But in prod, you need to use a completely different URL. + +Here is a JSON where I store the relations: + +#+begin_src js +{"envs": [{"name":"INT", + "visurl":"int.iroh.site", + "internalurl":"int.iroh.site"}, + {"name":"TEST", + "visurl":"test.iroh.site", + "internalurl":"test.iroh.site"}, + {"name":"NAM", + "visurl":"amp.cisco.com", + "internalurl":"us-east-1.prod.iroh.site"}, + {"name":"EU", + "visurl":"eu.amp.cisco.com", + "internalurl":"eu-west-1.prod.iroh.site"}, + {"name":"APJC", + "visurl":"apjc.amp.cisco.com", + "internalurl":"ap-northeast-1.prod.iroh.site"}]} +#+end_src + +Happy hacking! +Yann. 
+ +***** Details + +-----BEGIN PGP MESSAGE----- + +hQIMA30u5aDZ3zPiARAAqfa80rkkVQy2HpHd1tOZZ1NZaaSMwrWRQKXTfkD6fYpl +HSOfyK9+9lKBV9Uz0H+l5DclDuenJ4akAMyaF5hhr7NfPZQ9exmnkODLDnpDTLoD +adm7ArrQnowJHvMEH4ogxoWN902Q9d2apOnrHYr5JmvEc0rwv1dQ2IuJeOLEpZ33 +IYqP/rnOlhPZZd7lgyHGw2iRDU3XZfkyivPQtsWZqY6XWIoL2wNj/HlomtrcPLYj +RxErXBOMS8GRr5FYeDyp+aGo3IpYMMMFffGCqew8yvphDhRYiO2SrQtTIp2+207j +V7/FSp3dp9xhsLsOM4fzFuCe9UctjbZma9QngkRjUSDU7D0rXGoKydecau4TlBy7 +ZPDOlg+6JWbwXM6qXJNaYAJ6Ii3E2xGYdpBMWBRn/j9RzkS68wKeoQelySV3aDSi +y00bbq/dq1Qh+tqyi7X8wj5tGf21Ri/Yd9D6DGWVTNvt0sj9CB55v3UfgZn5gcIy +2Njdb96pO+7VGgspPf6JnwJdCFq97O9cLFK985uJpmGrYvjN5qMA2z6PewdL9PW/ +bPNCXMcfwwbJxqZKcfqoJUcRAQyatPDKvPgHXDgmgRtI3oMjwhWBDl5nmYgwjSDO +uiKHNxMNGO2BMFWnJ3Qi1OTjG98+nWwmGoF6VlyzxAZtIjr2sGLrrbogreEA4XrS +6QGqDwPhIf2GA0blOoiMKDVUxstru6kiQSOL0EmlWWDgCYamUGgiWUy5nZiveRDT +JUdHsgLzIBrDElaZfxOim10PO0AkQgplMqSGfWI7LQ3fEPiIuXQFhXZBmBu+DC7C +j7+QOu6DlhyPNVL0QiI4OeucizSWamcHYKL1IVC05XYm0FITf4oKiLfiFj/upleI +736qOe9x4bsrS5ZUQmdmpCkv3Q0Yde3ATXOHxxspgOlJ55CCXRTM8J4Fcgwf38/O +zM7L9Ly/H+0g52PCsyQRMmfYigVVJf14cjcyuBEN2rie32qs91ajiuIZpG3ECRJ0 +R2y4nnCKM+G8oM+23pgIWdX0ei6RAFnGANRcM7It/Ni21YcafxgkzLFJ6clMELi5 +vIzy9oAG85BK7Kwo/dxe3r3wQPC8cEmt9vRdR8v5rShYp0YTX5rJXZ4Kq2U6pGVo +msxo/LQhvWsMZ2UPRIsDcyIHL36LRxdy/h7hkr6BJK2o1YwSwK0e6r4KbYlfyaij +SiBDjuxwBFFkjAbnd8LoK0JDoEid9Eg7VXoFnDgq3X3Vr/yLRjA5yLkVgDuFdhgP +zJ3k1ly4NVQTQuTalNcXY7JXV/yhP+EaxxJ09rudW0192O4EIAo8IXyPYxWmELqa +yrnulQ7+g2l3DCS+ZrWBSRDFOJZSaWIPaU0xr2jXafy1wMqreDPE+YFQ2cnvt1J7 +RLdarjU7hh5vkmpxiaezi91+YFC8b+8JAb58f7MndaZfyTYK4ww+pjSOLwIg2EgE +j9xuQRu5dy9xOKLL0jj3EBYrtH9eoGTtjrC3ycm0tIQTY4BJgGQ66KjsFfSzJ6gM +FHONJHlcaIeEWsnMMKm42A15jZG0AjH1LUbnEc6KOHzwySQ28IjJvDKY2kU3Wt6R +KoxbIox8fBvD8QunG+creFmYqG1IgFIodF9QgEdleRLJCKhB95HCCm3/qdSn1362 +6LyIClb09bNImrPo974yrZ/hnel8MNXPQyQJSCtqOUUI8JhRBKi0IGi07+TVIeqi +5yakl8HSxnkbT0n6KLa0ZGOKFD5d0qXjwl1s6hnI4JTKCGDOyjHptVpjxsKT08jO +1lzutH67duk6Z38Qr1fpv9iAgSCsnfgLaKC/0jbIsPsOXTpvODiHK+liAbQiqUnn 
+XqRbQ2x4MavIy50zutVPduNgj72IUYvGfx1WO+mKt1uymx5DXidYoLAdCIru +=4Qus +-----END PGP MESSAGE----- +======= +>>>>>>> e714315a8c096570b2629793969eec54e9fe2450 + +** 2021-W45 + +*** 2021-11-08 Monday +**** EMAIL inscription BAC Anna :work:email: +[2021-11-08 Mon 12:22] +- ref :: + +** 2021-W46 + +*** 2021-11-17 Wednesday +**** MEETING Weekly meeting :work:meeting: +[2021-11-17 Wed 17:30] +- ref :: +**** MEETING Weekly :work:meeting: +[2021-11-17 Wed 17:05] +- ref :: + +*** 2021-11-18 Thursday +**** MEETING Alan Interview :work:meeting: +[2021-11-18 Thu 16:29] +- ref :: +***** Agenda (to discuss about) +***** Notes +***** Actions +**** CHAT Small text about the breaking PR :work:chat: +[2021-11-18 Thu 11:42] + +Good morning everyone! + +I wanted to drop a word about this PR: https://github.com/advthreat/iroh/pull/5998 + +An interesting aspect of this PR was that a change (that first appeared to be minor) +in some namespace impacted a failure in a ns that did not depend +transitively of the first. + +I wanted to improve our build time by filtering the test by dependent ns only. +It would have missed this build failure. +So I still think this is a good idea to have an optimized test for +branches, but the merge into master should run all the tests. + +**** MEETING Alan Interview :work:meeting: +[2021-11-18 Thu 09:56] +- ref :: +***** Agenda (to discuss about) + +- in tupelo, why name it =glue= instead of =mconcat=? +- Why =unwrap= and not =flatten=? + +***** Notes +***** Actions + +*** 2021-11-19 Friday +**** MEETING Monthly Engineering Meeting :work:meeting: +[2021-11-19 Fri 17:02] +- ref :: +. + + +***** Updates +***** Release Status + +- Issue with GlaDoS deployment, 1.86 done yesterday. +- Issue with AO, pb with cross-launch. + +***** Services + +- High Impact Incident +- Background support for DI +- Added auditability API gateway + +Will focus on replicating/synchronize across the product of incidents. 
+ +** 2021-W47 + +*** 2021-11-23 Tuesday +**** MEETING DI Secure Client weekly PO meeting :work:meeting: +[2021-11-23 Tue 16:08] +- ref :: +***** Actions + +- [ ] Apparently some clients scopes and authorization to do. + +** 2021-W48 + +*** 2021-11-30 Tuesday +**** MEETING Simplify login page :work:meeting: +[2021-11-30 Tue 16:01] + +https://github.com/advthreat/GLaDOS/issues/2555 + +*** 2021-12-02 Thursday +**** MEETING Weekly IROH-Service Team meeting :work:meeting: +[2021-12-02 Thu 17:04] + +@Mark most special people are leaving. + +@Jyoti about Al. Come as a surprise and a chock. +Certain there were politic about it. +Start with UI & UX. + +Must not be done in silos. +I has to be implementable. + +@Mark + +I feel that with AO with should have blame post-mortem. +Never run all the way in TEST. +They never talk to us about it. + +Discussion about QA + +@Mark +Possible QA tested it and was never informed something will change. +A retro for AO integration. + +***** Notes + +- Working on the refresh token DB (token grants) +- Regarding the registering simplification I will need the work done by Olivier + To search users by domain name email. +- We will need a pass of technical design. We will need another entities + about requested invitations. And yet another flow to integrate an + existing SecureX org. + + +**** MEETING SecureX / Secure Endpoint Alignment :work:meeting: +[2021-12-02 Thu 15:59] +***** Actions +Create a queue of requested invites. +Admin can approve the request, the user is added to the org. +A confirmation email is sent. + +** 2021-W49 + +*** 2021-12-09 Thursday +**** MEETING Weekly Team Meeting :work:meeting: +[2021-12-09 Thu 17:18] +- ref :: +. + + +***** Project Board + +****** Enrich API Enhancement +Discussion +****** Webhooks +****** Hiring +no professionnal experience in Clojure +***** Remarks + +IDB Decommission. +Meeting with Geetha next week. + +How can I do that? 
+ +***** Actions +IDB Decommission test Monday + +** 2021-W50 + +*** 2021-12-13 Monday +**** MEETING OIDC AO :work:meeting: +[2021-12-13 Mon 17:02] +- ref :: + +April Ping fed expires. +Is that still possible? +Also no expertise. + +We had some action items. Where do we stand? + +Are we confident? +Priority across the teams. + +TG and CSA. + +Just CSA and TG IdP. +***** Action + +Continue test results after Holidays. +- Test CSA +- Test TG (direct OIDC) + +Sync up after shutdown. +If success talk to QA to prepare tests. +*** 2021-12-15 Wednesday +**** MEETING Estimate New Registration Workflow :work:meeting: +[2021-12-15 Wed 16:29] +- ref :: https://github.com/advthreat/iroh/issues/6076 + +***** Prevent User to login with public email page + +Should propose the user to login via another account (so use logout). + +Need templates. +@Jilian will do the templates. +***** Add an allow-list to pass throught the blocklist (@gmail,,,) + +1.89 Feb 2. + +**** MEETING IDB Decomissioning :work:meeting: +[2021-12-15 Wed 15:59] +- ref :: +***** Agenda (to discuss about) +***** Notes +***** Actions + +** 2021-W51 + +*** 2021-12-21 Tuesday +**** CHAT Dar about using UI Components in the login pages :work:chat: +[2021-12-21 Tue 10:20] + +#+begin_quote +@Dar +Hey Yann, a question came up in our weekly sync about the login flows… +now that they're getting a bit more sophisticated wouldn't it be better to +start using common UI components rather than taking snapshots/hard-copies +of styles and generating one-off templates? +what are the security concerns around client-side rendering the auth UI? +#+end_quote + + +Hi Dar, + +So to answer the question historically. +First, we didn't have any login page. +It was 100% hosted in CTR UI. +I just provided the route to create the login links (and this could still +be used today and it is in the new login page). + +We faced many bugs (most of them related to URL encoding), and thus decided +to close the gap by building an hosted login page. 
+That way I can 100% control the behavior and have lot of tests to check url +encoding related bugs. +Do not forget that in CTR you often want to deal with URL with very complex +URL fragments that contain a representation of the investigation, imagine +text with carriage return, URL, emails, etc… + +Even recently we experienced subtle bugs. And the solution was to get rid +as much as possible of the javascript code that handled the url parsing and building. +Now, this is handled via the backend on the login page. + +So the 1st reason to host the login page was convenience and bug fixing and +not necessarily security. + +Regarding security, I was afraid to introduce a security bug because, the +login page is clearly a nice entry point for security attack. +So I tried to be as conservative as possible. +So no js when possible. +And if we need to use js, do not use any lib, just basic javascript so the +code is easy to understand and debug. + +There is another complexity to keep in mind. +For historical reason, for now, there is no "session" when the user has +logged in via the IdP but hasn't yet selected a user and thus is not logged +in SecureX. +Right now, we handle this state with a token in the URLs. +And this token can be consumed only once. +By that I mean, in the account selection page you will have links looking like: + +- https://..../select-org-1?code=XXX +- https://..../select-org-2?code=XXX +- https://..../select-org-3?code=XXX + +When the user will click on the first link; the code =XXX= +will be consumed and the other links will not work. +So I ensure that the user need to perform a login workflow again to login +into another org. + +So that being, said. +I think now we are in a new situation where I think we could totally have a +lot more convenient system. + +1. I need to create a notion of session when the user is logged in in the + IdP but has not selected a SecureX account. +2. Use more js to ease the UI work, typically, UI components. 
The limit + being that the CSP header are restrictive in the sense that we must host + the JS at the same URL, and we should probably still generate data via + the backend, maybe still keep a bit of HTML. + +In fact, we need the backend to be able to provide a set of informations to +the UI and take care that no XSS could be possible. +I think the main risk is that, the login page must support complex query +parameters. +So great care should be taken in the parsing of these query parameters. +To give a concrete example: + +You should be able to generate a page for a URL looking like: + +https://securex...cisco.com/login?redirects= + +Where URL2 should be encoded correctly, and could itself be complex: + +URL2: https://visibility...cisco.com/investigate#q= + +Where QUERY should be encoded an could contain urls, emails: + +QUERY: + +#+begin_src +url:http://attack.com/foo?param=something-complex +foo@example.com +some random text +carriage return, unicode, emojis? etc… +#+end_src + +So to present the login page, every button should take care that adding a +=
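Review bot: Unresolved merge-conflict markers are committed in this hunk (`<<<<<<< HEAD` before the "2021-11-04 Thursday" entry, then `=======` and `>>>>>>> e714315a8c096570b2629793969eec54e9fe2450` after the second PGP block); resolve the conflict and drop the markers before merging, otherwise the org file is unreadable from that point on. Two further points in the same region: the INT demo script under "How to use" defines `CLIENT_SECRET="..."` but the token request passes `-u "$CLIENT_ID:$PASSWORD"`, so the variable names do not match and the curl call would authenticate with an empty secret; use one name for both lines. Finally, the "Help John doing a cron" entry records five OAuth2 client IDs together with the PGP-encrypted shared password for all of them in a personal tracker file; even encrypted, that material is better kept out of a tracked notes file, and the note "I used the same password for all of them" across INT, TEST and three PROD regions is worth revisiting so a single secret does not cover every environment.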