deft/2021-W08.org
Yann Esposito (Yogsototh) eb7410ce20
2021-W08.org
2021-08-17 14:47:04 +02:00


** 2021-W08
*** 2021-02-22 Monday
**** MEETING Core Team: SecureX Account Activation Optimization :work:meeting:
:LOGBOOK:
CLOCK: [2021-02-22 Mon 16:02]--[2021-02-23 Tue 08:47] => 16:45
:END:
[2021-02-22 Mon 16:02]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/inbox.org::*revision chaudiere][revision chaudiere]]
#+begin_quote
Meeting Agenda:
- Discussion to drive forward SecureX Account Activation Optimization Q3 efforts
- Account Creation Workflow
- CSA Migration (has its own dedicated work stream but is there anything impacting the overall initiative?)
- Firepower Onboarding (has its own dedicated work stream but is there anything impacting the overall initiative?)
- Workflow
- Role Based Access
- Module Addition/Health Workflow
- Status of action items from last core team call
- What help is needed (decisions, clarity, etc.)
- Any blockers or issues?
#+end_quote
- http://github.com/threatgrid/response/issues/567
Doing in Q3.
Most conversation is good.
Agenda:
@Jyoti, this is a huge item.
Audience in this meeting is too big.
Where to track.
Some GitHub issues are dead.
Namrata: focus on first 3 items.
Martin: item named workflow, don't know what that is.
Module Addition.
*** 2021-02-23 Tuesday
**** CHAT webex morning routine :work:chat:
:LOGBOOK:
CLOCK: [2021-02-23 Tue 08:47]--[2021-02-23 Tue 09:47] => 1:00
:END:
[2021-02-23 Tue 08:47]
***** CSA Migration
- https://jira-eng-rtp3.cisco.com/jira/browse/VOL-3882
***** DONE Houman
SCHEDULED: <2021-02-23 Tue 16:00>
@Houman
Hi Yann - something for tomorrow, none of the QA orgs in TEST or INT are
showing the registered devices in SSE.
When I cross launch to SSE, I am able to see the devices, but in SecureX
there is no device.
Both are AMP orgs and already migrated.
Here are the org IDs:
#+begin_src
c395f3c8-723b-4d15-b8b7-e17bec459c6b
cc6a35bc-1739-4fcd-a285-aa95adbd5e41
#+end_src
Could you please take a look and unblock QA orgs?
****** Investigation
INT org
#+begin_src js
{
  "id": "c395f3c8-723b-4d15-b8b7-e17bec459c6b",
  "name": "adminctrqa",
  "enabled?": true,
  "created-at": "2019-04-04T20:33:53.033Z",
  "idp-mapping": {
    "idp": "idb-amp-staging",
    "enabled?": true,
    "organization-id": "c395f3c8-723b-4d15-b8b7-e17bec459c6b"
  },
  "scim-status": "activated",
  "additional-scopes": [
    "iroh-admin",
    "iroh-master",
    "iroh-auth",
    "sse",
    "cisco"
  ]
}
#+end_src
Contains =idp-mapping=.
Logs during OIDC do not contain it:
The client claim-aliases look ok:
#+begin_src js
"id-token-aliases": [
  {
    "alias": "spId",
    "case-value": {
      "sxso": "SXSO",
      "idb-tg-staging": "TG",
      "idb-amp-staging": "AMP"
    },
    "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
  },
  {
    "alias": "spId",
    "case-value": {
      "sxso": "SXSO",
      "idb-tg-staging": "TG",
      "idb-amp-staging": "AMP"
    },
    "claim-to-alias": "idp-mapping-idp"
  },
  {
    "alias": "spId",
    "case-value": {
      "sxso": "SXSO",
      "idb-tg-staging": "TG",
      "idb-amp-staging": "AMP"
    },
    "claim-to-alias": "old-idp-mapping-idp"
  },
#+end_src
*** 2021-02-24 Wednesday
**** MEETING Fix SSE client :work:meeting:
:LOGBOOK:
CLOCK: [2021-02-24 Wed 18:33]--[2021-02-25 Thu 18:07] => 23:34
:END:
[2021-02-24 Wed 18:33]
client PATCH
TEST:
#+begin_src js
{
  "id-token-aliases": [
    {
      "alias": "spId",
      "case-value": {
        "sxso": "SXSO",
        "idb-tg": "TG",
        "threatgrid": "TG",
        "idb-amp": "AMP",
        "idb-tg-staging": "TG",
        "idb-amp-staging": "AMP"
      },
      "default-value": "AMP",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
    },
    {
      "alias": "spId",
      "case-value": {
        "sxso": "SXSO",
        "idb-tg": "TG",
        "threatgrid": "TG",
        "idb-amp": "AMP",
        "idb-tg-staging": "TG",
        "idb-amp-staging": "AMP"
      },
      "claim-to-alias": "idp-mapping-idp"
    },
    {
      "alias": "spId",
      "case-value": {
        "sxso": "SXSO",
        "idb-tg": "TG",
        "threatgrid": "TG",
        "idb-amp": "AMP",
        "idb-tg-staging": "TG",
        "idb-amp-staging": "AMP"
      },
      "claim-to-alias": "old-idp-mapping-idp"
    },
    {
      "alias": "companyId",
      "replace-value": [
        [
          "^threatgrid[:]",
          ""
        ]
      ],
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
    },
    {
      "alias": "companyId",
      "replace-value": [
        [
          "^threatgrid[:]",
          ""
        ]
      ],
      "claim-to-alias": "idp-mapping-organization-id"
    },
    {
      "alias": "companyId",
      "replace-value": [
        [
          "^threatgrid[:]",
          ""
        ]
      ],
      "claim-to-alias": "old-idp-mapping-organization-id"
    },
    {
      "alias": "companyName",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
    },
    {
      "alias": "user_name",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
    },
    {
      "alias": "user_email",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
    },
    {
      "alias": "role",
      "case-value": {
        "admin": "admin",
        "master": "admin",
        "iroh-admin": "admin"
      },
      "default-value": "user",
      "claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
    }
  ]
}
#+end_src
**** IN-PROGRESS continue the day :work:
:LOGBOOK:
CLOCK: [2021-02-24 Wed 17:04]--[2021-02-24 Wed 18:33] => 1:29
:END:
[2021-02-24 Wed 17:04]
- ref :: [[file:~/Library/Mobile Documents/iCloud~com~appsonthemove~beorg/Documents/org/tracker.org::*Notes][Notes]]
**** MEETING dev weekly :work:meeting:
:LOGBOOK:
CLOCK: [2021-02-24 Wed 15:55]--[2021-02-24 Wed 17:04] => 1:09
:END:
[2021-02-24 Wed 15:55]
***** Weekly status
****** commits
IROH:
- Provisioning: organization-id added to idp-mapping (#4855)
- Use entities in DB during SSE id-token generation (#4844) …
- Added tests to verify #4808 (#4817) …
- Hide provisioning API routes (#4835)
- OAuth2 client availability restriction for non admin (#4820) …
- Prevent user merge by email for some IdP (#4819) …
Tenzin-config:
- Provisioning API in PROD (#375)
- Mark some IdP as safe for email (#374)
****** Reviews
- Extract `user->identity` helper
- RFC Problem Statement: Managing transitive dependencies for "test" jars
- Add schema validation for `gen-jwt`
- Use EmailService in iroh-feedback
- RFC: Prevent dependency confusion attack on our code base
- Add a `svc-helper` for `iroh-int.test-helpers.auth`
****** Issues
- [ ] Write tests for #4844
- [ ] Update SSE Clients
- [X] SSE wrong org object passed to id_token generation
- [X] Prevent merge user by email for TG accounts
- [X] Claim aliases bug fix
- [X] Prevent non-admin users to create client with availability "Org"
****** Webex
***** Notes
- Yann:
+ CSA Migration, Talk about SSE, and release.
- Guillaume:
+ CSA Migration
+ Status API route
+ FMC
- Rob:
+ discussion about Ben Greenbaum and Umbrella module (409 hit)
- Ag:
+ Bundle assets
- Ambrose:
+ Fixed the cron-job
+ finished email service
+ research work about problem statement
Real Work™ discussion.