:PROPERTIES:
:ID: 7b35763c-84af-41fa-bad5-b407b33ff020
:END:
#+Title: Deploy New Environment
#+Author: Yann Esposito
#+Date: [2023-11-28]

- tags ::
- source ::

* Start the node with one admin [still needed]

Dependencies:

- [ops] all DBs running: (riemann, ES, Postgres, Redis, etc…)
- [ops] configure the node to use DBFixtures, then remove the db-fixture service from bootstrap.cfg, then restart the node. If configured correctly the DB will now contain an admin user. The org must have the following additional scopes: ~cisco, iroh-admin, iroh-master, global-intel~.
- IROH / IROH-Async is running

* Engineering Admin Access [still needed]

- [ops] Provide VPN Access to the new Environment
- [ops] Must create the first accounts for every engineer involved in the initial configuration of the new environment

* Support Provisioning (via PIAM) [not needed anymore]

- [ops] update Vault with the OAuth2 client creds from PIAM
- [engineering] configure PIAM Universal Provisioning in IROH (URLs, etc…)

Assumptions:

- we will have OAuth2 client creds from PIAM configured.
- PIAM configured their server to point to the new URL for the Universal Provisioning API
- We will use the PIAM Universal Provisioning

* Support essential XDR modules (DI, CSC, SE, SXO, SCA, SSX)

** Deploy a Private Intel (CTIA) node [still needed]

- [ops] This is needed for most integrations (DI, SE).
- [engineering] update the URL in tenzin-config with the new private-intel URL

** SXO (cc @Mark)

*** Onboarding (todo) [still needed]

- dependency: SXO will provide an onboarding API URL
- [engineering] Onboarding configuration in ~config.edn~. Ask Automation to provide the onboarding URL.

*** Module Type (cc @Matthieu) [Replicated]

- [engineering] Create the SXO Module Type, with the correct URLs and configuration

*** OAuth2 Client [Replicated]

- [engineering] Create an IROH OAuth2 client for SXO. Copy the values from another deployed environment except replace the redirect URI. In particular, take care of the audiences; it should be configured with ~allow-partial-user-scopes?~ set to true. This client must be trusted. Add the client-id to the list of trusted clients by using the admin API ~/admin/oauth/~.

** DI

*** OAuth2 Client [Replicated]

Create an IROH OAuth2 client for DI. Copy the values from another deployed environment except replace the redirect URI. In particular, take care of the audiences; it should be configured with ~allow-partial-user-scopes?~ set to true as well as ~org-level-authorization?~. This client must be trusted. Add the client-id to the list of trusted clients by using the admin API ~/admin/oauth/~.

*** Module Type creation (cc @Matthieu) [Replicated]

*** Onboarding [still needed, or DI should route using geo from the JWT]

Onboarding configuration in ~config.edn~. Ask DI to provide the onboarding URL.

** SCA

*** OAuth2 Client [Replicated]

Create an IROH OAuth2 client for DI. Copy the values from another deployed environment except replace the redirect URI. In particular, take care of the audiences; it should be configured with ~allow-partial-user-scopes?~ set to true. This client must be trusted. Add the client-id to the list of trusted clients by using the admin API ~/admin/oauth/~.

*** Module conf (cc @Matthieu) [Replicated]

*** Onboarding [SCA routes using JWT, or still needed]

Onboarding configuration in ~config.edn~. Ask SCA to provide the onboarding URL.

** SSX

*** OAuth2 client (claim aliases) [Replicated]

1. Ask SSX to deploy a Stage Environment and provide the corresponding URLs. In the rest of this doc we suppose they will be:
   - https://admin.sta.sse.itd.cisco.com
   - https://devops.sta.sse.itd.cisco.com
   but SSX could provide different URLs to use.
2. Create a dedicated Org for SSX.
3. Via the API directly, create a new API Client using the following payload. Note that some values could change depending on the SSX configuration of the prefixes. You need to ask SSX what IdP Mapping they expect.
I took it on myself that if a user logs in via AMP (CSA), SSX expects the tenant claim to be ~AMP-STA~.

Then you should create a client via the API with the following payload:

#+begin_src js
{
  "scopes": ["integration", "private-intel", "admin", "profile", "inspect",
             "iroh-master", "iroh-auth", "sse", "users", "casebook", "orbital",
             "enrich", "oauth", "global-intel", "collect", "response",
             "ui-settings", "openid", "ao"],
  "description": "NEW Environment for Security Services Exchange Admin Console",
  "redirects": [
    "https://admin.sta.sse.itd.cisco.com/*/*",
    "https://admin.sta.sse.itd.cisco.com/*/*/*",
    "https://admin.sta.sse.itd.cisco.com/*",
    "https://admin.sta.sse.itd.cisco.com/*/*/*/*",
    "https://devops.sta.sse.itd.cisco.com/*/*",
    "https://devops.sta.sse.itd.cisco.com/*/*/*",
    "https://devops.sta.sse.itd.cisco.com/*",
    "https://devops.sta.sse.itd.cisco.com/*/*/*/*",
    "https://devops.sta.sse.itd.cisco.com"
  ],
  "availability": "everyone",
  "access-token-lifetime-in-sec": 86400,
  "id-token-lifetime-in-sec": 86400,
  "name": "sse-ui-new-client",
  "grants": ["auth-code"],
  "client-type": "confidential",
  "id-token-aliases": [
    {
      "alias": "spId",
      "case-value": {"sxso": "SXSO", "idb-tg": "TG-STA", "idb-amp": "AMP-STA"},
      "default-value": "AMP-STA",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
    },
    {
      "alias": "spId",
      "case-value": {"sxso": "SXSO", "idb-tg": "TG-STA", "idb-amp": "AMP-STA"},
      "claim-to-alias": "idp-mapping-idp"
    },
    {
      "alias": "spId",
      "case-value": {"sxso": "SXSO", "idb-tg": "TG-STA", "idb-amp": "AMP-STA"},
      "claim-to-alias": "old-idp-mapping-idp"
    },
    {
      "alias": "companyId",
      "replace-value": [["^threatgrid[:]", ""]],
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
    },
    {
      "alias": "companyId",
      "replace-value": [["^threatgrid[:]", ""]],
      "claim-to-alias": "idp-mapping-organization-id"
    },
    {
      "alias": "companyId",
      "replace-value": [["^threatgrid[:]", ""]],
      "claim-to-alias": "old-idp-mapping-organization-id"
    },
    {
      "alias": "companyName",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
    },
    {
      "alias": "user_name",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
    },
    {
      "alias": "user_email",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
    },
    {
      "alias": "role",
      "case-value": {"admin": "admin", "master": "admin", "iroh-admin": "admin"},
      "default-value": "user",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
    }
  ]
}
#+end_src

Once the client is created, go to the admin API and bless the client to approve it. Also, still via the Admin API, add the client to the trusted clients. Ask QA to verify that cross launch is working as expected for the 3 IdPs.

* UI

- Check that the registration UI still works
- Check some URLs with the normal frontend
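Returning to the SSX client payload above, this added example (not part of the original doc, nor IROH code) applies the payload's ~id-token-aliases~ rules to constructed ID-token claims so the resulting ~spId~, ~companyId~ and ~role~ can be checked before QA verifies cross launch; the rule semantics it uses (first matching rule per alias wins, ~case-value~ with ~default-value~ fallback, ~replace-value~ as ordered regex substitution) are assumptions about the config, not confirmed by the doc.

```python
"""Added example (not from the original doc or from IROH): simulate the
"id-token-aliases" rules of the SSX client payload above on constructed
ID-token claims, previewing the spId / companyId / role SSX would see.
Assumed semantics: a rule fires only if its source claim is present; for
rules sharing an alias the first one with a present claim wins; "case-value"
maps via the table, else "default-value", else the raw value; "replace-value"
pairs are applied in order with re.sub."""
import re

# Subset of the payload's "id-token-aliases", same values as above.
ALIAS_RULES = [
    {"alias": "spId",
     "case-value": {"sxso": "SXSO", "idb-tg": "TG-STA", "idb-amp": "AMP-STA"},
     "default-value": "AMP-STA",
     "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"},
    {"alias": "spId",
     "case-value": {"sxso": "SXSO", "idb-tg": "TG-STA", "idb-amp": "AMP-STA"},
     "claim-to-alias": "idp-mapping-idp"},
    {"alias": "companyId",
     "replace-value": [["^threatgrid[:]", ""]],
     "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"},
    {"alias": "role",
     "case-value": {"admin": "admin", "master": "admin", "iroh-admin": "admin"},
     "default-value": "user",
     "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"},
]

def apply_rule(rule, value):
    """Transform one claim value according to a single alias rule."""
    if "case-value" in rule:
        return rule["case-value"].get(value, rule.get("default-value", value))
    for pattern, repl in rule.get("replace-value", []):
        value = re.sub(pattern, repl, value)
    return value

def alias_claims(claims, rules=ALIAS_RULES):
    """Return {alias: value}; the first rule per alias with a present claim wins."""
    out = {}
    for rule in rules:
        alias, src = rule["alias"], rule["claim-to-alias"]
        if alias not in out and src in claims:
            out[alias] = apply_rule(rule, str(claims[src]))
    return out

# Constructed claims: a Threat Grid org admin arriving through the idb-tg IdP.
SAMPLE_CLAIMS = {
    "https://schemas.cisco.com/iroh/identity/claims/user/idp/id": "idb-tg",
    "https://schemas.cisco.com/iroh/identity/claims/org/id": "threatgrid:org-123",
    "https://schemas.cisco.com/iroh/identity/claims/user/role": "iroh-admin",
}
```

Feeding a token whose IdP id is not in the table, or a role outside the admin set, shows the ~default-value~ fallbacks (~AMP-STA~ and ~user~) that SSX will receive.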