2021
2021-W33
| Tags | Headline | Time |
|---|---|---|
| | Total time | 6:19 |
| | 2021-W33 | 6:19 |
| | 2021-08-16 Monday | 1:52 |
| work | Fix Carlos Hidalgo account | 0:20 |
| work | create an issue about email… | 1:32 |
| | 2021-08-17 Tuesday | 2:48 |
| work | Add scope to TG clients | 0:38 |
| work | Write an issue about 1-click… | 2:03 |
| work, chat | Jyoti about CDO 1-click module setup | 0:07 |
| | 2021-08-19 Thursday | 1:39 |
| work, meeting | Interview Olivier Barbeau | 1:39 |
2021-08-16 Monday
DONE Fix Carlos Hidalgo account work
CLOCK: [2021-08-16 Mon 15:11]–[2021-08-16 Mon 15:31] => 0:20
[2021-08-16 Mon 15:11]
DONE create an issue about email search case sensitivity work
SCHEDULED: <2021-08-16 Mon>
CLOCK: [2021-08-17 Tue 14:16]–[2021-08-17 Tue 15:44] => 1:28
CLOCK: [2021-08-16 Mon 15:03]–[2021-08-16 Mon 15:07] => 0:04
[2021-08-16 Mon 15:03]
Fix email case sensitivity
> Related https://github.com/threatgrid/response/issues/818
We often need to search by email. The main issue is that our search mechanism currently does not support case-insensitive matches.
We have 4 possible solutions:
1. Lower-case the user email at creation. We also need to update the user emails in our DB; the safest route to achieve this is via the iroh-migration service.
2. Keep the email case sensitive and add a new case-insensitive field, `lc-user-email` for example. But, as for case 1, we need to perform a DB migration to add this new field to all existing users in the DB.
3. Add support for case-insensitive search in tk-store, perhaps with a new tk-store service, or by improving the current `CRUDStoreService`.
4. Add a specific service just for searching user emails that could take care of this specific case by using a Postgres-specific query. This could also be the occasion to provide a tk-store hole in the abstraction service.
The simplest is probably option 1. Option 2 would be slightly more complex, and we would not lose any detail. Option 3 seems the most generic one, and we could totally imagine we would appreciate case-insensitive search support. Option 4 looks like a specific case of 3.
My preference then goes to option 3, but we need to understand whether this is not too difficult to achieve: what would the API be? The most natural one would probably add an option alongside `filter-map`, like `case-insensitive-fields`.
One issue would be writing the support for case-insensitive matching for `atom` and `redis`.
TODO Interview Steven Collins
CLOCK: [2021-08-16 Mon 15:49]–[2021-08-16 Mon 19:04] => 3:15
2021-08-17 Tuesday
DONE Add scope to TG clients work
DEADLINE: <2021-08-18 Wed>
CLOCK: [2021-08-17 Tue 17:54]–[2021-08-17 Tue 18:32] => 0:38
[2021-08-17 Tue 17:54]
In tenzin config:
- INT: 34d94c8c-2041-4708-8172-ebe2df295ca7-2
- TEST: f993f6a0-8075-43e0-a9e5-dae9c3980513
- NAM: 7b8d9fef-bd93-4ef3-88af-ae4174ee02e5
- EU: a1662193-9155-44fd-aa1f-43afd42c889c
DONE Write an issue about 1-click module setup work
SCHEDULED: <2021-08-17 Tue>
CLOCK: [2021-08-17 Tue 15:51]–[2021-08-17 Tue 17:54] => 2:03
[2021-08-17 Tue 15:51]
CHAT Jyoti about CDO 1-click module setup work chat
2021-08-19 Thursday
| Timestamp | Tags | Headline | Time |
|---|---|---|---|
| | | Total time | 1:39 |
| | | 2021-08-19 Thursday | 1:39 |
| [2021-08-19 Thu 16:04] | work, meeting | Interview Olivier Barbeau | 1:39 |
MEETING Interview Olivier Barbeau work meeting
CLOCK: [2021-08-19 Thu 16:04]–[2021-08-19 Thu 17:43] => 1:39
[2021-08-19 Thu 16:04]
2021-W35
| Tags | Headline | Time |
|---|---|---|
| | Total time | 2:54 |
| | 2021-W35 | 2:54 |
| | 2021-09-02 Thursday | 2:54 |
| work, meeting | Weekly meeting | 2:54 |
2021-09-02 Thursday
MEETING Weekly meeting work meeting
CLOCK: [2021-09-02 Thu 17:06]–[2021-09-02 Thu 20:00] => 2:54
[2021-09-02 Thu 17:06]
Guillaume started with the Design Planning GitHub project.
- SecureX session
- High Impact Incident
Sorry
2021-W36
2021-09-08 Wednesday
MEETING 1-click module setup weekly meeting work meeting
CLOCK: [2021-09-08 Wed 17:30]–[2021-09-08 Wed 18:22] => 0:52
[2021-09-08 Wed 17:30]
Miro dashboard from Chloe:
https://miro.com/app/board/o9J_l57_gro=/
Discussion:
When to TEST, tomorrow. Asking for client_id in TEST.
Client-id: client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06
2021-09-09 Thursday
MEETING Interview: Florin Braghis work meeting
CLOCK: [2021-09-09 Thu 15:49]–[2021-09-09 Thu 18:45] => 2:56
[2021-09-09 Thu 15:49]
2021-W37
| Tags | Headline | Time |
|---|---|---|
| | Total time | 22:11 |
| | 2021-W37 | 22:11 |
| | 2021-09-14 Tuesday | 1:04 |
| work | Device Grant | 1:04 |
| | 2021-09-16 Thursday | 21:07 |
| work, meeting | Team weekly | 21:07 |
2021-09-14 Tuesday
IN-PROGRESS Device Grant work
CLOCK: [2021-09-14 Tue 19:31]–[2021-09-14 Tue 20:35] => 1:04
[2021-09-14 Tue 19:31]
- ref
2021-09-16 Thursday
MEETING Team weekly work meeting
CLOCK: [2021-09-16 Thu 17:25]–[2021-09-17 Fri 14:32] => 21:07
[2021-09-16 Thu 17:25]
Ambrose, Irina, Guillaume, Matt, Yann
TO MENTION: Device Grant with FMC => Public clients
Incident discussion
2021-09-17 Friday
MEETING Presenting the projects work meeting
[2021-09-17 Fri 14:32]
.
Pres
Every project has an owner (main point of contact for the FT). Now only leads, but it could be anyone in the future.
Goal of this Project which is not an official FT is to reflect and write proposals to reach the feeling of a shared session across all Cisco Security products via SecureX.
- solution using cookies
- solution using Open ID Connect
.
Guillaume Ereteo did awesome work providing multiple proposals so the feature can be delivered as fast as possible.
- filter on source (only AMP)
- Add severity on incident model
-
Incident with high impact via an IROH route: https://github.com/advthreat/iroh/issues/5710
- needs the proxy from Ambrose
- need sync with engine team too
Delivered yesterday in v1.81: limit the number of interstitial pages between SecureX and CTR/SSE.
- For Orbital, the Launch button is missing; the back-end work is done, as we do not need any SXSO app link.
Still no work to be done by the IROH Services team
Since the last meeting, two new hires will join us in the next few weeks: Kiril and Olivier. Kiril lives in Germany and Olivier in France.
In progress integration by CDO and SWC
Irina worked to provide the vault metadata API for SWC.
AMP is in the QA test phase.
Just saw the rename of "Threat Grid" into "Secure Malware Analytics"
- Fix a bug where a user could log in to an org that rejects non-admin user login
- Fix a refresh-token bug that would grant too many scopes to an access token
- Login page URL parsing: potential discrepancy fixed
- Wanderson: Webhooks work, trigger a notification for every module-instance configuration change.
- FMC ⇒ public clients for Device Grants
Ambrose worked to make IROH a proxy to private intel for incident assignments notifications. Should be delivered in v1.82
2021-W39
| Tags | Headline | Time |
|---|---|---|
| | Total time | 6:30 |
| | 2021-W39 | 6:30 |
| | 2021-09-29 Wednesday | 3:18 |
| work, meeting | Interview | 3:18 |
| | 2021-10-01 Friday | 3:12 |
| work, meeting | App Links | 1:41 |
| work, meeting | Secure Client | 1:31 |
2021-09-29 Wednesday
MEETING Interview work meeting
CLOCK: [2021-09-29 Wed 16:12]–[2021-09-29 Wed 19:30] => 3:18
[2021-09-29 Wed 16:12]
2021-10-01 Friday
MEETING App Links work meeting
CLOCK: [2021-10-01 Fri 17:26]–[2021-10-01 Fri 19:07] => 1:41
[2021-10-01 Fri 17:26]
- ref
- Secure Client
MEETING Secure Client work meeting
CLOCK: [2021-10-01 Fri 15:55]–[2021-10-01 Fri 17:26] => 1:31
[2021-10-01 Fri 15:55]
Meeting link: https://cisco.webex.com/cisco/j.php?MTID=m5814a8530a0870a19a57230bfd6d4b0e
2021-W40
| Tags | Headline | Time |
|---|---|---|
| | Total time | 38:18 |
| | 2021-W40 | 38:18 |
| | 2021-10-05 Tuesday | 0:46 |
| work | Training Interviewing | 0:46 |
| | 2021-10-07 Thursday | 32:04 |
| work, meeting | DI blockers | 23:32 |
| work | support | 1:16 |
| work, chat | check continu | 6:38 |
| work, chat | support DI JWT signature | 0:19 |
| work, support | client update via admin for CMD | 0:18 |
| work, chat | Check webex matinal. | 0:01 |
| | 2021-10-08 Friday | 5:28 |
| work, meeting | IDB decommissioning | 2:28 |
| work, meeting | Customer Manager | 3:00 |
2021-10-05 Tuesday
MEETING DI weekly work meeting
[2021-10-05 Tue 15:30]
From Yuri
Hi, things I'd like to discuss in our sync meeting today:
- The integration modules screen:
- When will all the modules be updated with the relevant text?
- When will all the modules be deployed to production?
- Same goes for the DI module? Need help in updating its text and taking it to production as well
- The filter by capability for device insights currently shows an empty result in production
- Integration code
- Is there still some integration code that is pending?
- What is the status of https://github.com/advthreat/iroh/issues/5680?
ii. Any other open issues?
- Any blockers that you see for deploying to production?
- Assets API QA?
1.a. doc team 1.b
2.a
IN-PROGRESS Training Interviewing work
CLOCK: [2021-10-05 Tue 14:44]–[2021-10-05 Tue 15:30] => 0:46
[2021-10-05 Tue 14:44]
Past performance predicts the future.
Behavioral questions
- tell me about a time when…
- Where and how have you used ,,, to achieve ,,,
- Walk me through the system/process/etc…
Behavioral questions better
More specific to their experience, not generic.
- concise
- clear
- relevant
- practiced
- tailored to the job
Real Purpose of interviewing
Predict whether or not they'd be successful in our company
Evidence?
- Yes, specific examples
- Yes, demonstration
What the candidate will think about the question.
skills & knowledge, attributes, achievements, motivations
targeted probing behavioral interviewing.
Go deep, be specific, ask for examples. Ask how to detect liars / lack of honesty.
- what…, what did you do, what was your role, etc… Questions need specific responses.
Do brainteasers work? No. Use problem-solving questions: how would you do/solve/etc…?
Examples:
- role play question. ×
- problem they solved. ✓
What work-related experience(s) changed your opinion(s) on something?
Combination question. Find combo questions.
Probing
2021-10-07 Thursday
MEETING DI blockers work meeting
CLOCK: [2021-10-07 Thu 18:01]–[2021-10-08 Fri 17:33] => 23:32
[2021-10-07 Thu 18:01]
@Yuri:
I’ve opened the issues there, still need to set priorities. Here is the list of the issues I’m currently aware of that are important for the release:
- https://github.com/advthreat/iroh/issues/5680 - didn’t open a new ticket for this one, since it already has tracking.
- Umbrella module:
  - a. Allow configuring only DI relevant fields - https://github.com/threatgrid/response/issues/933
  - b. Placement of fields - https://github.com/threatgrid/response/issues/934
  - c. Add explanations of DI relevant fields - https://github.com/threatgrid/response/issues/935
  - d. Umbrella doesn't send the external reference info - https://github.com/threatgrid/response/issues/936
- filtering for the device insights SecureX modules in the Integration Modules screen - results in an empty set - https://github.com/threatgrid/response/issues/937
If you know of something else, please add here
@Matt: 2.a is also tracked here https://github.com/advthreat/iroh/issues/5821
- Doc discussion 30min
- show time (Yuri share chat)
IN-PROGRESS support work
CLOCK: [2021-10-07 Thu 16:45]–[2021-10-07 Thu 18:01] => 1:16
[2021-10-07 Thu 16:45]
new-org
{
"id": "00000000-0000-0000-6473-000028fbaa95",
"name": "GATE/Tier3",
"enabled?": true,
"created-at": "2021-10-07T17:00:00.000Z",
"scim-status": "activated",
"additional-scopes": [
"iroh-master:read",
"iroh-admin:read",
"iroh-master/tac",
"iroh-auth:read"]
}
Idp Mapping INT/TEST
{
"idp": "sxso",
"user-identity-id": "00uox5862kEG8G0CD0h7",
"enabled?": true
}
IdP Mapping PROD
{
"idp": "sxso",
"user-identity-id": "00u4dmbgyjnx4glS2357",
"enabled?": true
}
Users to invite:
[{"invitee-email":"ashakarc@cisco.com","role":"admin"},
{"invitee-email":"bmacer@cisco.com", "role":"admin"},
{"invitee-email":"caknowle@cisco.com","role":"admin"},
{"invitee-email":"cdeleanu@cisco.com","role":"admin"},
{"invitee-email":"daphgalm@cisco.com","role":"admin"},
{"invitee-email":"djanulik@cisco.com","role":"admin"},
{"invitee-email":"bmahsan@cisco.com", "role":"admin"},
{"invitee-email":"majacob2@cisco.com","role":"admin"},
{"invitee-email":"sorianto@cisco.com","role":"admin"},
{"invitee-email":"stabulic@cisco.com","role":"admin"}]
CHAT check continu work chat
CLOCK: [2021-10-07 Thu 10:07]–[2021-10-07 Thu 16:45] => 6:38
[2021-10-07 Thu 10:07]
CHAT support DI JWT signature work chat
CLOCK: [2021-10-07 Thu 09:45]–[2021-10-07 Thu 10:04] => 0:19
[2021-10-07 Thu 09:45]
IN-PROGRESS client update via admin for CMD work support
CLOCK: [2021-10-07 Thu 09:27]–[2021-10-07 Thu 09:45] => 0:18
[2021-10-07 Thu 09:27]
Cisco Secure Email Cloud Mailbox
- module NAM client-0be615ab-b0ff-4c12-8a85-f16c95e7d396
- ribbon NAM client-e36ba40b-5710-402d-b036-ada6d7817c55
- module EU client-6fc3230c-936a-40c1-ad73-f9f28700804e
- ribbon EU client-164688ee-cd5d-44b6-be3d-5e255955e969
CHAT Check webex matinal. work chat
PAUSE Journal pause
CLOCK: [2021-10-07 Thu 09:20]–[2021-10-07 Thu 09:26] => 0:06
[2021-10-07 Thu 09:20]
2021-10-08 Friday
MEETING IDB decommissioning work meeting
CLOCK: [2021-10-08 Fri 20:33]–[2021-10-08 Fri 23:01] => 2:28
[2021-10-08 Fri 20:33]
- ref
- file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj
- ?
- SSE side decommission
Chander Goyal
Context: SX released as a platform; SSE had a PingFed ID Broker, also for CSA.
We want to use IROH-Auth directly.
CSA migration was launched. SSE side done.
CSA should be completed very soon. Let's not change PingFed.
Nov 1919 -> nobody left in PingFed at SSE.
Very limited knowledge. The license was a Cisco Wideside license, ending in 2022.
We want to duplicate PingFed.
MEETING Customer Manager work meeting
CLOCK: [2021-10-08 Fri 17:33]–[2021-10-08 Fri 20:33] => 3:00
[2021-10-08 Fri 17:33]
- ref
- ,,,
2021-W41
| Tags | Headline | Time |
|---|---|---|
| | Total time | 1:35 |
| | 2021-W41 | 1:35 |
| | 2021-10-14 Thursday | 1:35 |
| work | Write Customer Manager doc | 1:10 |
| work | write attack on Webhooks with JWT… | 0:25 |
2021-10-14 Thursday
IN-PROGRESS Write Customer Manager doc work
CLOCK: [2021-10-14 Thu 15:23]–[2021-10-14 Thu 16:33] => 1:10
[2021-10-14 Thu 15:23]
IN-PROGRESS write attack on Webhooks with JWT from emitters work
CLOCK: [2021-10-14 Thu 14:58]–[2021-10-14 Thu 15:23] => 0:25
[2021-10-14 Thu 14:58]
Attack using the access_token/id_token of emitters rather than of the webhook owner.
Webhooks are a generic mechanism, but here we only focus on webhooks used by internal Cisco team integrations.
So the webhook mechanism should be used to push, to a trusted API, the fact that a change occurred in SecureX (typically a module-instance change).
The call must be authenticated by the API. The call should also optionally contain access/refresh tokens for the destination, so the integration team could access IROH as the event's emitter user.
The issue is that nothing explicitly prevents any user from obtaining an access/id token generated by the same client we use to forge the authentication headers. This means that a SecureX user from any org who can get hold of their own access token/id token (which is entirely possible, and easy for DI since their client is public) could call the API endpoint to fake real webhook events, potentially injecting cross-tenant/cross-user false events.
To mitigate this issue, we suggest:
1. Always use the owner of the webhook and the client of the team to build id_tokens (if possible, not access_tokens). The forged JWT should have a specific audience (this is already the case for DI at least). The API team MUST check that the `sub` claim matches the `owner-id` field of the webhook, as well as verifying the JWT signature.
2. Provide the emitter tokens in the body of the HTTP call made during the webhook trigger.
- With 1, we prevent this cross-tenant/cross-user attack.
- With 2, we not only provide even more data than before, but the team could directly use the token without using the "custom route" to retrieve the refresh token (as it is already provided in the webhook HTTP body).
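Added example, not code from IROH or from the integration teams: the receiver-side check that point 1 asks the API team to perform, written in Python with only the standard library. HS256 with a shared secret, the audience value, the webhook record and the user ids are all constructed for the example (the platform's real signing algorithm, keys and identifiers are not in these notes). The point it demonstrates is that a well-signed, unexpired token with the right audience is still rejected when its `sub` is not the webhook's `owner-id`, which is exactly what closes the cross-tenant/cross-user path described above.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example material: HS256 with a shared secret is an assumption made
# only to keep the example self-contained; the platform's real signing algorithm
# and keys are not part of the notes above.
SIGNING_SECRET = b"constructed-example-secret-not-a-real-key"
EXPECTED_AUDIENCE = "example-integration-api"   # assumed audience value

# Constructed webhook record: the receiving API looks this up by id and
# compares the token's `sub` with `owner-id`.
WEBHOOK = {"id": "webhook-1", "owner-id": "user-owner-1", "org-id": "org-1"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = SIGNING_SECRET) -> str:
    """Mint a compact HS256 JWT. Stands in for the id_token minted with the
    team's client; in the test fixtures it is also used to mint the token a
    non-owner would present."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_webhook_token(token: str, webhook: dict, now=None,
                         secret: bytes = SIGNING_SECRET) -> dict:
    """Receiver-side check from the notes: signature, expiry, audience, and
    `sub` == the webhook's `owner-id`. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Only the algorithm the receiver expects is allowed; the token never picks it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    # The owner check: a valid token minted for any other user (an emitter from
    # another tenant, for instance) is rejected even though its signature is good.
    if claims.get("sub") != webhook["owner-id"]:
        raise ValueError("sub does not match webhook owner-id")
    return claims


def accept_delivery(token: str, webhook: dict, now=None) -> bool:
    """Boolean wrapper around the check, as an API handler would use it."""
    try:
        verify_webhook_token(token, webhook, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    owner_token = sign_jwt({"sub": "user-owner-1", "aud": EXPECTED_AUDIENCE, "exp": t0 + 300})
    other_token = sign_jwt({"sub": "user-from-other-org", "aud": EXPECTED_AUDIENCE, "exp": t0 + 300})
    print(accept_delivery(owner_token, WEBHOOK, now=t0))   # True
    print(accept_delivery(other_token, WEBHOOK, now=t0))   # False
```

The order of the checks matters little for correctness but is deliberate: the signature is verified before any claim is read, so an attacker-controlled payload is never acted on, and the `alg` allow-list is fixed on the receiver side rather than taken from the token header.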
2021-W42
| Tags | Headline | Time |
|---|---|---|
| | Total time | 9:45 |
| | 2021-W42 | 9:45 |
| | 2021-10-19 Tuesday | 6:59 |
| work | whitelist synopsis.com in TEST | 6:59 |
| | 2021-10-21 Thursday | 1:13 |
| work, meeting | Weekly IROH Service Team | 0:09 |
| work, meeting | FMC - Device Grant OAuth2 Flow Sync | 0:24 |
| work, meeting, me | Secure Client | 0:40 |
| | 2021-10-22 Friday | 1:33 |
| work, meeting | Engineering Team | 1:33 |
2021-10-18 Monday
TODO Write Weekly todos work
[2021-10-18 Mon 10:56]
- ref
DONE Check Wanderson PRs/Webhooks
SCHEDULED: <2021-10-18 Mon>
DONE Customer Manager Doc
SCHEDULED: <2021-10-19 Tue>
TODO IROH-Auth tour
DEADLINE: <2021-10-18 Mon>
DONE Discuss Exceptions organization
SCHEDULED: <2021-10-18 Mon>
2021-10-19 Tuesday
DONE whitelist synopsis.com in TEST work
DEADLINE: <2021-10-19 Tue>
CLOCK: [2021-10-19 Tue 09:04]–[2021-10-19 Tue 16:03] => 6:59
[2021-10-19 Tue 09:04]
- ref
- Olivier
2021-10-21 Thursday
MEETING Weekly IROH Service Team work meeting
CLOCK: [2021-10-21 Thu 17:16]–[2021-10-21 Thu 17:25] => 0:09
[2021-10-21 Thu 17:16]
Remark to tell
- Internal JWT generation, with/without client.
- Next week IROH-Auth tour probably record this.
MEETING FMC - Device Grant OAuth2 Flow Sync work meeting
CLOCK: [2021-10-21 Thu 16:27]–[2021-10-21 Thu 16:51] => 0:24
[2021-10-21 Thu 16:27]
- ref
- Secure Client
Updated Target Date. No blocking issue or concerns.
We just finish delivering the feature.
Good to go for 7.2 release (in April). Maybe maintenance release 7.0.2 in Feb.
MEETING Secure Client work meeting me
CLOCK: [2021-10-21 Thu 15:32]–[2021-10-21 Thu 16:12] => 0:40
[2021-10-21 Thu 15:32]
Jyoti discussed, with a document, how the 1-click module setup should work and the constraints to obey.
2021-10-22 Friday
MEETING Engineering Team work meeting
CLOCK: [2021-10-22 Fri 17:03]–[2021-10-22 Fri 18:36] => 1:33
[2021-10-22 Fri 17:03]
- Working closely to finalize the 1-click module setup. We faced an issue using the same client for both the ribbon and the 1-click module setup. This is not really a blocker and a fix is on the way.
2021-W43
| Tags | Headline | Time |
|---|---|---|
| | Total time | 10:56 |
| | 2021-W43 | 10:56 |
| | 2021-10-25 Monday | 3:29 |
| work, meeting | IROH-Auth Overview | 3:29 |
| | 2021-10-26 Tuesday | 4:35 |
| work, meeting | All Hands | 0:48 |
| work, meeting | AO | 0:29 |
| work, meeting | IROH-Auth tour | 3:18 |
| | 2021-10-27 Wednesday | 0:19 |
| work, meeting | security | 0:18 |
| work | preparation IROH Auth Tour | 0:01 |
| | 2021-10-28 Thursday | 2:33 |
| work, meeting | Weekly Team | 0:51 |
| work, meeting | SecureX + Secure Client + DI… | 0:29 |
| work, meeting | Weekly Sync: SecureX / Secure… | 0:35 |
| work, discussion | SSE CCO_id | 0:38 |
2021-10-25 Monday
MEETING IROH-Auth Overview work meeting
CLOCK: [2021-10-25 Mon 13:57]–[2021-10-25 Mon 17:26] => 3:29
[2021-10-25 Mon 13:57]
- ref
- ?
- services/iroh-auth
- ?
- lib/iroh-web/{core.clj,compojure-api.clj}
- ?
2021-10-26 Tuesday
MEETING All Hands work meeting
CLOCK: [2021-10-26 Tue 18:12]–[2021-10-26 Wed 19:00] => 0:48
MEETING AO work meeting
CLOCK: [2021-10-26 Tue 17:43]–[2021-10-26 Wed 18:12] => 0:29
[2021-10-26 Tue 17:43]
- ref
MEETING IROH-Auth tour work meeting
CLOCK: [2021-10-26 Tue 14:25]–[2021-10-26 Tue 17:43] => 3:18
[2021-10-26 Tue 14:25]
org-level entities (clients)
- make user-id/owner-id optional ×
- hack the User service to create a fake org-level user:
(get-user org-id)
=> {:user-id org-id
    :org-id  org-id
    :role    "admin"
    :scopes  ,,,}
When searching for entities, you should search for the owned entities + (if you are an admin) the org-level entities.
During `create-client`, add the ability to create a client with that specific owner.
Fun: filter-map => list of filter-maps
;; inside an Org
{:additional-scopes #{"cisco/user:read"}}
;; or split per role
{:additional-scopes
 {:user  #{}
  :admin #{"cisco/user:read"}}}
(get-org ,,,)
TK-Store => provides a minimalist abstraction over databases. IROH-CRUD => provides CRUD-only related abstractions, such as search:
(search ,,,)
(iroh-crud/search-with-admin
  {,,, :user-id xxx :org-id xxx})
=> (tk-store/search {:filter-map [{:user-id xxxx ,,,}
                                  {:user-id xxxx :org-id org-id}]})
To decide later:
- any admin should be allowed to update the org-level entities.
- only some specific admins should be allowed to update the org-level entities (use another scope maybe?)
Probably option 1.
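Added example, not project code (tk-store and iroh-crud are Clojure and are not reproduced here): a Python sketch of an in-memory store that shows the two search ideas in these notes together, the `filter-map => list of filter-maps` expansion that `search-with-admin` performs so that a plain user only sees entities they own while an admin also sees the org-level entities owned by the fake org-level user (whose user-id is the org-id), and the `case-insensitive-fields` option proposed for email search in the 2021-08-16 notes. The entity records, user ids, org ids and the function names are constructed for the example.

```python
from typing import Dict, FrozenSet, Iterable, List

# Constructed sample store standing in for tk-store. Entity ids, user ids and
# org ids are made up; as in the notes, an org-level entity is modelled by
# giving it user-id == org-id.
ORG_A, ORG_B = "org-a", "org-b"
ENTITIES: List[Dict[str, str]] = [
    {"id": "c1", "user-id": "alice", "org-id": ORG_A, "user-email": "Alice@Example.com"},
    {"id": "c2", "user-id": "bob",   "org-id": ORG_A, "user-email": "bob@example.com"},
    {"id": "c3", "user-id": ORG_A,   "org-id": ORG_A, "user-email": ""},   # org-level client
    {"id": "c4", "user-id": "carol", "org-id": ORG_B, "user-email": "carol@example.com"},
    {"id": "c5", "user-id": ORG_B,   "org-id": ORG_B, "user-email": ""},   # org-level client of org-b
]


def _matches(entity: Dict[str, str], filter_map: Dict[str, str],
             ci_fields: FrozenSet[str]) -> bool:
    """All keys of one filter-map must match (AND); fields listed in ci_fields
    compare case-insensitively (the proposed `case-insensitive-fields` option)."""
    for key, wanted in filter_map.items():
        actual = entity.get(key)
        if key in ci_fields and isinstance(actual, str) and isinstance(wanted, str):
            if actual.lower() != wanted.lower():
                return False
        elif actual != wanted:
            return False
    return True


def search(entities: Iterable[Dict[str, str]], filter_maps,
           case_insensitive_fields: Iterable[str] = ()) -> List[Dict[str, str]]:
    """tk-store-style search where `filter-map` may be a single map or a list
    of maps (OR of ANDs); returns matching entities in store order."""
    if isinstance(filter_maps, dict):
        filter_maps = [filter_maps]
    ci = frozenset(case_insensitive_fields)
    return [e for e in entities if any(_matches(e, fm, ci) for fm in filter_maps)]


def search_with_admin(entities, identity: Dict[str, str], extra=None) -> List[Dict[str, str]]:
    """iroh-crud-style search: the caller's identity ({'user-id','org-id','role'})
    is expanded into a list of filter-maps. Everyone sees the entities they own;
    an admin additionally sees the org-level entities, owned by the fake
    org-level user whose user-id is the org-id. The org-id is pinned in every
    filter-map, so nothing from another org can be returned."""
    base = dict(extra or {})
    org_id = identity["org-id"]
    filters = [{**base, "user-id": identity["user-id"], "org-id": org_id}]
    if identity.get("role") == "admin":
        filters.append({**base, "user-id": org_id, "org-id": org_id})
    return search(entities, filters)


def ids(results) -> List[str]:
    """Entity ids of a result list, for readable checks."""
    return [e["id"] for e in results]


if __name__ == "__main__":
    alice = {"user-id": "alice", "org-id": ORG_A, "role": "user"}
    alice_admin = {**alice, "role": "admin"}
    print(ids(search_with_admin(ENTITIES, alice)))        # ['c1']
    print(ids(search_with_admin(ENTITIES, alice_admin)))  # ['c1', 'c3']
    print(ids(search(ENTITIES, {"user-email": "alice@example.com"})))  # []
    print(ids(search(ENTITIES, {"user-email": "alice@example.com"},
                     case_insensitive_fields={"user-email"})))  # ['c1']
```

Pinning `org-id` in both filter-maps is the part worth keeping when this is ported to a real backend: the admin expansion widens what a caller sees only within their own org, which is the "option 1" outcome the notes lean towards for who may read org-level entities.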
2021-10-27 Wednesday
MEETING security work meeting
CLOCK: [2021-10-27 Wed 17:03]–[2021-10-27 Wed 17:21] => 0:18
[2021-10-27 Wed 17:03]
xx
auto loop
Proxy route
IN-PROGRESS preparation IROH Auth Tour work
CLOCK: [2021-10-27 Wed 12:06]–[2021-10-27 Wed 12:07] => 0:01
[2021-10-27 Wed 12:06]
- Continue on "org-level entities"
- Doc on JWT client expectations
- :load-path "" Dispatch work
- Dig if necessary
2021-10-28 Thursday
Weekly Team work meeting
CLOCK: [2021-10-28 Thu 17:01]–[2021-10-28 Thu 17:52] => 0:51
[2021-10-28 Thu 17:01]
- ref
Agenda (to discuss about)
Notes
ES deployed, start the migration Old tenzin config pull-request I need to update.
Ag moving to the last step to set the default fields, which are required for ES7.
Production Bug in CTIA investigate module
Fixed the pagination: the default search was not consistent. PR on CTIA. Made this default search configurable per store.
Ag, PR for the enrichment?
Ambrose, ops related.
@Jyoti discussion
- DI Irina working adding new auth in the module
- Yann fixed a security issue affecting Umbrella
- 1-click setup started to work on the org activation
- Mark work on SSE
- former_title field (rebranding guidelines)
- working on a bug in Umbrella, source URL are wrong
- log all proxy requests
Y
(personal)
- IROH-Auth tour
- minor fix
- clean up SAML
- security bug fix
IROH-Auth
- take a task
- write PR doc
- review PR doc
- optional IROH-Auth tour webex(es)
- code
Q2:
- region switching API
- account switching inside each region
Q3:
- org-level entities
Big hidden work: working on an OAuth2 bug. A fairly big PR, because it will need a new service to store refresh tokens and their metadata, and we should be able to migrate/update clients.
Security bug fix: Chris Duane was happy; it was the first bug declared by Jimmy Miller.
Olivier is working on providing the API for the privacy team.
Not 100% fixed, still a problem with paths.
AO migration to OIDC.
Questions about the JWT used by DI that calls Orbital on behalf of someone else.
Actions
- @Jyoti: should ask Yuri about which JWT are used.
- @Jyoti: AO for Q3 for the telemetry
SecureX + Secure Client + DI Integration work meeting
CLOCK: [2021-10-28 Thu 16:32]–[2021-10-28 Thu 17:01] => 0:29
[2021-10-28 Thu 16:32]
Discussion
- deployment
- Secure Client onboarding
- Secure Client always visible
- cannot read property from DI when adding module
- work on feature flag
@Paul: 1.84 today, so these fixes are going to be for which date? @Abishek: will need more time to develop and test.
- Secure Client always visible, real issue
Weekly Sync: SecureX / Secure Endpoint work meeting
CLOCK: [2021-10-28 Thu 15:30]–[2021-10-28 Thu 16:05] => 0:35
[2021-10-28 Thu 15:30]
What remains?
- Martin
1-click module setup
Restrict them to a region. Who was impacted.
Nov 13th, for the 1-click module setup is at risk to be delayed.
- G2
no 1-click => nothing can happen
Dependency to deploy Secure Endpoint.
- Martin/Namrata
Jyoti is in active conversation.
- Martin/G2
Are we going to change the design?
Martin: We don't know Yet
- Vlad
Pb with Region.
An AMP tenant can only talk to 1 SecureX tenant.
- Martin
Maybe region selection.
- Release Nov 11th
- Releases v1.85 10-Nov
.
Initiated SecureX 1-click module setup for Secure Endpoint
SSE CCO_id
work discussion
CLOCK: [2021-10-28 Thu 14:52]–[2021-10-28 Thu 15:30] => 0:38
[2021-10-28 Thu 14:52]
So after giving more thought to the subject, here are some scenarios:
- A person logs in via Okta with the email `user-1@domain.com`.
- This person wants to connect his account, so he must log in via Okta again but using another Okta account, `user-1@smart-account.com` for example.
In this scenario there are two issues:
The first is that we do not control the Okta session. The Okta session will keep being the one for `user-1@smart-account.com`. When the user launches another product he will not use his usual `user-1@domain.com` Okta session.
The second is that we should have a mechanism to understand that on the second login, we don't want to log the user in, but to merge two different IdP accounts.
Mainly we will need to develop a new workflow, so a user could merge multiple IdP accounts into his current SecureX account.
The implications are:
- SecureX users should support multiple email addresses. (Also note that users logging in via TG have non-verified email addresses and are treated separately on different login flows.)
- We need to support more metadata in the IdP Mappings in general (typically the `CCO_id`). Now, what if a user logs in multiple times and has two different IdP Mappings with a different `CCO_id`?
- We will need to provide a new route that presents a new HTML page similar to the login page but with subtle modifications. We might, for example, offer other login buttons that behave differently (typically a login button forcing the user to use CCO).
In the end, it means we should deliver a "Merge a new Login" flow to SecureX Accounts, and it doesn't seem to be trivial.
2021-10-29 Friday
EMAIL Jyoti email about PROD module on INT work email
CLOCK: [2021-10-29 Fri 17:04]
[2021-10-29 Fri 17:04]
- ref
Hi Jyoti,
I checked on INT and in our org, there is an AMP module configured with the PROD URL.
Apparently we have a security requirement that no production customer data can be in INT or TEST.
Do you know why this is needed, and whether we could use a QA1 URL instead? Because of this I tend to be more cautious about the "allowed-login-origins".
I don't want our INT access token to be sent into the wild (see https://github.com/advthreat/tenzin-config/pull/505). Even without this module linking to PROD, I would prefer not to send the INT JWT to a 3rd party, because if https://vercel.app is compromised anyone will be able to access our INT environment, generally with administrator privileges.
CHAT aide Matt URL encoding work chat
CLOCK: [2021-10-29 Fri 16:14]–[2021-10-29 Fri 17:04] => 0:50
[2021-10-29 Fri 16:14]
- ref
- code gen docs
PAUSE pause
CLOCK: [2021-10-29 Fri 16:08]–[2021-10-29 Fri 16:14] => 0:06
[2021-10-29 Fri 16:08]
- ref
- code gen docs
IN-PROGRESS code gen docs work
CLOCK: [2021-10-29 Fri 13:20]–[2021-10-29 Fri 16:08] => 2:48
[2021-10-29 Fri 16:07]
IN-PROGRESS [#B] Customer Manager doc work
SCHEDULED: <2021-11-01 Mon 10:00>
CLOCK: [2021-10-29 Fri 11:02]–[2021-10-29 Fri 13:36] => 2:34
[2021-10-29 Fri 11:02]
- ref
morning tour work
CLOCK: [2021-10-29 Fri 09:56]–[2021-10-29 Fri 11:02] => 1:06
[2021-10-29 Fri 09:56]
REVIEW configurable default sort work review
CLOCK: [2021-10-29 Fri 09:33]–[2021-10-29 Fri 09:51] => 0:18
[2021-10-29 Fri 09:33]