90 KiB
- 2021
- 2021-W03
- 2021-W04
- 2021-W05
- 2021-W06
- 2021-W07
- 2021-W08
- 2021-W09
- 2021-W10
- 2021-W11
- 2021-W12
- 2021-W13
- 2021-W14
- 2021-W15
- 2021-W16
- 2021-W17
- 2021-W18
- 2021-W19
2021
2021-W03
2021-01-21 Thursday
IN-PROGRESS code jwt-service work
[2021-01-21 Thu 14:19]
2021-01-22 Friday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 8:56 | |||||
| 2021-01-22 Friday | 8:56 | |||||
| [2021-01-22 Fri 09:52] | work | refacto jwt-service | 8:56 |
IN-PROGRESS refacto jwt-service work
CLOCK: [2021-01-22 Fri 09:53]–[2021-01-22 Fri 18:49] => 8:56
[2021-01-22 Fri 09:52]
- ref
2021-W04
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 41:38 | |||||
| 2021-W04 | 41:38 | |||||
| 2021-01-25 Monday | 7:28 | |||||
| [2021-01-25 Mon 19:23] | work, meeting | Posture Onboarding | 0:38 | |||
| [2021-01-25 Mon 15:04] | work | cleanup jwt extract feedback | 4:19 | |||
| [2021-01-25 Mon 14:36] | work | refacto JWT extraction reviews | 0:15 | |||
| [2021-01-25 Mon 10:16] | work, chat | morning chat issues org | 2:16 | |||
| [2021-01-26 Tue 19:06] | 2021-01-26 Tuesday | 9:03 | ||||
| [2021-01-26 Tue 10:36] | work, review | Victors UncaughtExceptionHandler | 8:29 | |||
| [2021-01-26 Tue 10:16] | work, review | PR review | 0:06 | |||
| [2021-01-26 Tue 09:47] | work | Weekly meeting Presentation | 0:28 | |||
| [2021-01-27 Wed 22:01] | 2021-01-27 Wednesday | 10:59 | ||||
| [2021-01-27 Wed 18:22] | work, meeting | CSA Migration workflow presentation | 2:10 | |||
| [2021-01-27 Wed 17:26] | interruption, work | Helping Jessica Bair about client | 0:54 | |||
| [2021-01-27 Wed 16:01] | work, meeting | weekly dev meeting | 1:25 | |||
| [2021-01-27 Wed 12:07] | work | CSA Migration notes preparation | 3:54 | |||
| [2021-01-27 Wed 09:31] | work, chat | morning chat | 2:36 | |||
| [2021-01-28 Thu 18:09] | 2021-01-28 Thursday | 8:09 | ||||
| [2021-01-28 Thu 09:52] | work | CSA Migration API PoC preparation | 8:09 | |||
| [2021-01-29 Fri 17:46] | 2021-01-29 Friday | 5:59 | ||||
| [2021-01-29 Fri 15:47] | work | create Client for Vitalii in TEST | 1:59 | |||
| [2021-01-29 Fri 15:46] | work | provisionning API | 4:00 |
2021-01-25 Monday
MEETING Posture Onboarding work meeting
CLOCK: [2021-01-25 Mon 19:24]–[2021-01-25 Mon 20:02] => 0:38
[2021-01-25 Mon 19:23]
Notes
Martin, Trapani, Didi, Jyoti, Elias, Mirabell, Guillaume
@Martin:
I am a customer of SecureX
Sources (inTune, AMP, Custom, JAMF, Duo, Meraki) Creating the inventory on their behalf. Active AMP, should be onboarded in SecureX.
Onboard device managers, Meraki, etc… Into "my" SecureX Tenant.
Extra credit if we can do this with OAuth2.
Most important make a connection here.
- email exchange.
@Jyoti
@Martin
Vault service and what is authorized between services. APIs underneath
@Didi
webhook to push changes. Ask the vault. Return keys, etc…
We need continuation.
@Didi
Google, trusts, etc…
@Martin
onboarding, revocation,
What about notification?
@Didi that's the idea of continuous data flow. Bidirectional webhooks. Some services will need to have webhooks. Orbital webehook is a very good example.
You go into orbital, you register webhook. And webhook is triggered.
@Elias to Didi
use cases?
@Martin
- continuous flow of data? need to describe use cases.
DONE cleanup jwt extract feedback work
CLOCK: [2021-01-25 Mon 15:04]–[2021-01-25 Mon 19:23] => 4:19
[2021-01-25 Mon 15:04]
DONE refacto JWT extraction reviews work
CLOCK: [2021-01-25 Mon 14:36]–[2021-01-25 Mon 14:51] => 0:15
[2021-01-25 Mon 14:36]
CHAT morning chat issues org work chat
CLOCK: [2021-01-25 Mon 10:00]–[2021-01-25 Mon 12:16] => 2:16
[2021-01-25 Mon 10:16]
- ref
2021-01-26 Tuesday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 9:03 | |||||
| 2021-01-26 Tuesday | 9:03 | |||||
| [2021-01-26 Tue 10:36] | work, review | Victors UncaughtExceptionHandler | 8:29 | |||
| [2021-01-26 Tue 10:16] | work, review | PR review | 0:06 | |||
| [2021-01-26 Tue 09:47] | work | Weekly meeting Presentation | 0:28 |
REVIEW Victors UncaughtExceptionHandler work review
CLOCK: [2021-01-26 Tue 10:37]–[2021-01-26 Tue 19:06] => 8:29
[2021-01-26 Tue 10:36]
GEEK Try to write JS warn in dashboard perso
CLOCK: [2021-01-26 Tue 10:22]–[2021-01-26 Tue 10:32] => 0:10
[2021-01-26 Tue 10:22]
REVIEW PR review work review
CLOCK: [2021-01-26 Tue 10:16]–[2021-01-26 Tue 10:22] => 0:06
[2021-01-26 Tue 10:16]
DONE Weekly meeting Presentation work
CLOCK: [2021-01-26 Tue 09:47]–[2021-01-26 Tue 10:15] => 0:28
[2021-01-26 Tue 09:47]
Weekly Status
- Extracted a JWT service
- Added audiences as an array. Does not appear to break anything
- Updated the SSE OIDC Clients to support CSA Migration
- Contacted QA for testing CSA Migration, Houman will probably ping me today.
- Testing CSA Migration
Tech notes worth seeing by the team
After a few discussions choose a project/ns naming convention for the
iroh-service lein template.
We do not really have one.
Selected this conventions because it is:
- shorter than most actual used conventions
- iroh specific to make it clear a ns is iroh related.
Need to find files via path, not just its name. Sounds ok to me. For an example look at the jwt service:
project.clj:(defproject iroh/foo ,,,,)src/iroh/foo/service.clj=>(ns iroh.foo.service ,,,)src/iroh/foo/web_service.clj=>(ns iroh.foo.web-service ,,,)test/iroh/foo/service/test_helpers.clj=>(ns iroh.foo.service.test-helpers ,,,)
I don't think we should move the existing code to the new conventions yet. But new services should probably try to follow this convention.
Example:
(deftest my-web-service-test
(tk-test app svc-helper
(let [{:keys [mk-jwt svc-get client-post]}
(init-tst-state app "/iroh/my-service")
jwt (mk-jwt {})
jwt-admin (mk-jwt {:role roles/admin})]
(check-status 403 (svc-get "/sub-route" jwt {}))
(check-status 200 (svc-get "/sub-route" jwt-admin {}))
(check-status 200 (client-post "/sub-route" jwt
{:form-parms {:foo "bar"}})))))
See a few init-tst-state examples which uses get-jetty-port,
mk-http-callers, iroh-web.test-helpers.core/gen-jwt.
Takes care of:
- starting the web app on a random port.
-
providing functions to make http call
- narrowed to your service (svc-get, svc-post, etc…)
- narrowed only the localhost:PORT (client-get, client-post, etc…)
- providing a jwt generator.
GEEK org-fc conf for doom-emacs perso
2021-01-27 Wednesday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 10:59 | |||||
| 2021-01-27 Wednesday | 10:59 | |||||
| [2021-01-27 Wed 18:22] | work, meeting | CSA Migration workflow presentation | 2:10 | |||
| [2021-01-27 Wed 17:26] | interruption, work | Helping Jessica Bair about client | 0:54 | |||
| [2021-01-27 Wed 16:01] | work, meeting | weekly dev meeting | 1:25 | |||
| [2021-01-27 Wed 12:07] | work | CSA Migration notes preparation | 3:54 | |||
| [2021-01-27 Wed 09:31] | work, chat | morning chat | 2:36 |
MEETING CSA Migration workflow presentation work meeting
CLOCK: [2021-01-27 Wed 18:22]–[2021-01-27 Wed 20:32] => 2:10
[2021-01-27 Wed 18:22]
AMP accounts, TG accounts, SSE devices, Orbital
Prepare a reset system to reset to before migration.
DONE Helping Jessica Bair about client interruption work
CLOCK: [2021-01-27 Wed 17:27]–[2021-01-27 Wed 18:21] => 0:54
[2021-01-27 Wed 17:26]
MEETING weekly dev meeting work meeting
CLOCK: [2021-01-27 Wed 16:01]–[2021-01-27 Wed 17:26] => 1:25
[2021-01-27 Wed 16:01]
- Talk about dahsboard
DONE CSA Migration notes preparation work
CLOCK: [2021-01-27 Wed 12:07]–[2021-01-27 Wed 16:01] => 3:54
[2021-01-27 Wed 12:07]
CHAT morning chat work chat
2021-01-28 Thursday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 8:09 | |||||
| 2021-01-28 Thursday | 8:09 | |||||
| [2021-01-28 Thu 09:52] | work | CSA Migration API PoC preparation | 8:09 |
DONE CSA Migration API PoC preparation work
CLOCK: [2021-01-29 Fri 15:46]–[2021-01-29 Fri 15:46] => 0:00 CLOCK: [2021-01-28 Thu 10:50]–[2021-01-28 Thu 18:09] => 7:19 CLOCK: [2021-01-28 Thu 09:52]–[2021-01-28 Thu 10:42] => 0:50
[2021-01-28 Thu 09:52]
2021-01-29 Friday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 5:59 | |||||
| 2021-01-29 Friday | 5:59 | |||||
| [2021-01-29 Fri 15:47] | work | create Client for Vitalii in TEST | 1:59 | |||
| [2021-01-29 Fri 15:46] | work | provisionning API | 4:00 |
IN-PROGRESS create Client for Vitalii in TEST work
CLOCK: [2021-01-29 Fri 15:47]–[2021-01-29 Fri 17:46] => 1:59
[2021-01-29 Fri 15:47]
DONE provisionning API work
CLOCK: [2021-01-29 Fri 14:16]–[2021-01-29 Fri 15:46] => 1:30 CLOCK: [2021-01-29 Fri 09:46]–[2021-01-29 Fri 12:16] => 2:30
[2021-01-29 Fri 15:46]
2021-W05
2021-02-01 Monday
IN-PROGRESS enforce whoami db check to sync users. work
CLOCK: [2021-02-01 Mon 17:19]–[2021-02-01 Mon 18:19] => 1:00
[2021-02-01 Mon 17:19]
DONE fix iroh-auth doc regarding jwks work
CLOCK: [2021-02-01 Mon 10:35]–[2021-02-01 Mon 14:53] => 4:18
[2021-02-01 Mon 10:35]
2021-02-02 Tuesday
IN-PROGRESS Testing CSA Migration work
CLOCK: [2021-02-02 Tue 10:42]–[2021-02-03 Wed 10:11] => 23:29
[2021-02-02 Tue 10:42]
DONE morning routine work
CLOCK: [2021-02-02 Tue 09:48]–[2021-02-02 Tue 10:42] => 0:54
[2021-02-02 Tue 09:48]
2021-02-03 Wednesday
IN-PROGRESS CORS headers bug work
CLOCK: [2021-02-03 Wed 14:42]–[2021-02-04 Thu 10:24] => 19:42
[2021-02-03 Wed 14:42]
- ref
DONE IdP Migration Testing work
CLOCK: [2021-02-03 Wed 10:11]–[2021-02-03 Wed 10:11] => 0:00
[2021-02-03 Wed 10:11]
Note quite complex workflow but worked as expected. Had the "You are in the middle of an Invitation" prompt.
2021-02-04 Thursday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 9:46 | |||||
| 2021-02-04 Thursday | 9:46 | |||||
| [2021-02-04 Thu 17:32] | work, meeting | didi Posture | 1:28 | |||
| [2021-02-04 Thu 10:25] | work, review | morning review tour | 7:07 | |||
| [2021-02-04 Thu 10:24] | work | test and discussion about CSA… | 1:11 |
MEETING didi Posture work meeting
CLOCK: [2021-02-04 Thu 17:32]–[2021-02-04 Thu 19:00] => 1:28
[2021-02-04 Thu 17:32]
Best user experience, etc..
Create a response issue about OAuth2/OIDC/trusted clients.
{
"scopes": [
"openid","profile"
],
"description": "string",
"redirects": [
"https://127.0.0.1:5443/callback"
],
"availability": "everyone",
"name": "int-posture-test",
"grants": [
"auth-code"
],
"audiences": [
"posture"
]
}REVIEW morning review tour work review
CLOCK: [2021-02-04 Thu 10:25]–[2021-02-04 Thu 17:32] => 7:07
[2021-02-04 Thu 10:25]
DONE test and discussion about CSA Migration work
CLOCK: [2021-02-04 Thu 09:14]–[2021-02-04 Thu 10:25] => 1:11
[2021-02-04 Thu 10:24]
2021-02-05 Friday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 2:59 | |||||
| 2021-02-05 Friday | 2:59 | |||||
| work, chat | Team discussion | 0:36 | ||||
| [2021-02-05 Fri 11:34] | work, review | Ambrose review | 0:28 | |||
| [2021-02-05 Fri 09:49] | work, chat | Client creation review with Diana | 1:55 |
IN-PROGRESS playing? work
CLOCK: [2021-02-05 Fri 13:57]–[2021-02-05 Fri 14:57] => 1:00
[2021-02-05 Fri 13:57]
- ref
- Ambrose review
CHAT Team discussion work chat
CLOCK: [2021-02-05 Fri 11:42]–[2021-02-05 Fri 12:18] => 0:36
REVIEW Ambrose review work review
CLOCK: [2021-02-05 Fri 11:14]–[2021-02-05 Fri 11:42] => 0:28
[2021-02-05 Fri 11:34]
CHAT Client creation review with Diana work chat
CLOCK: [2021-02-05 Fri 09:19]–[2021-02-05 Fri 11:14] => 1:55
[2021-02-05 Fri 09:49]
Hi Diana,
Thanks for reaching out.
While reviewing the doc, I also checked the second screenshot. I think it should be changed by another one. The screenshot was made by a super user, so the scopes displayed are private one that none of our customer will ever see.
The main difference between a "Client Credentials Grant Client" and an "Authorization Code Grant Client" (those are the technically correct and kind of bad names for the two different kind of clients) is that:
- Client Credentials Grant Client are for your user only. Also you do not need to own a website.
- Authorization Code Grant Client can be used to ask other users to trust your application. You need to have a website to host your application.
The reason why a customer would want to configure an Authorization Code Grant Client could be:
- The customer follow a documentation provided by Cisco to integrate a on-premise product. In that case, the customer will probably need to only select a client-preset and enter a custom Redirect URL.
- The customer want to build an integration with SecureX. In this case this will be an advanced usage and the creator will probably be a developer. In this case the advanced developer doc should be mentionned for that customer. https://visibility.amp.cisco.com/iroh/doc/iroh-auth/
So both kind of clients are sufficiently different that I think the section about "Using API Client Credentials to Get Access Token" should be moved just after the API client creation section and before OAuth Code client creation section.
Also Explaining how to retrieve the access token from a Authorization Code Grant client is quite a technically advanced topic. This is why I would advise to directly provide a link to the advanced developer doc (the one inside IROH not the Cisco DEVNET; thus https://visibility.amp.cisco.com/iroh/doc/iroh-auth/)
So I think it is important to mention important limitations about those client creations. There is a notion of "Auto-approved clients". So a customer will be able to create clients but if some criteria are not met the client will be disabled until an IROH admin approve the client.
I think this should probably need to be talked about with someone in the UI/UX team. This system was very convenient for our advanced usage, but I don't know how to handle that nicely in the UI.
So here are (some) of the constraints a newly client must have to be automatically approved:
- The URL must start with
https:// - The URL must not contain any wildcard
* - The Availabily must not be
everyone - The client contain some restricted scope (this should never occurs as the UI take care to show only scopes not subject to restriction)
- The client must not be
public(the UI does not appear to provide the confidential vs public option) - The client configure a list of specific
audiences(the UI does not appear to provide any mean to configure this field)
I think for the documentation perspective we should only be concerned by point 1, 2 and 3. And this should probably be mentionned. I think we could probably give a few hints. So in your point 6
> Enter the Redirect URL that the authorization server uses to redirect back to the application. > Click Add another Redirect URL to enter multiple URLs.
I think you should probably mention that all URL must start with https://
and should not contain any *.
And for point 7
> Choose the Availability from the drop-down list. You can make the client > available to User, Organization, or Everyone.
You should probably mention that selecting Everyone is subject to approval and will need the intervention of a Cisco Administrator to approve your client.
We should probably add a short sentence explaining what is Availbility for. This is not an OAuth2 standard field. Availabilty "Org" mean that only member of your own Organization will be able to approve your client and this should probably be your default choice.
I hope I have been helpful. Do not hesitate to reach out if you have more questions.
2021-W06
2021-02-08 Monday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 7:36 | |||||
| 2021-02-08 Monday | 7:36 | |||||
| [2021-02-08 Mon 17:01] | work, meeting | CSA Migration meeting | 2:44 | |||
| [2021-02-08 Mon 12:08] | work, review | Module configuration doc | 4:52 |
MEETING CSA Migration meeting work meeting
CLOCK: [2021-02-08 Mon 17:01]–[2021-02-08 Mon 19:45] => 2:44
[2021-02-08 Mon 17:01]
- ref
Problem with prefixes.
Here is the fix: https://github.com/threatgrid/iroh/pull/4763
REVIEW Module configuration doc work review
CLOCK: [2021-02-08 Mon 12:09]–[2021-02-08 Mon 17:01] => 4:52
[2021-02-08 Mon 12:08]
- ref
2021-02-10 Wednesday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 3:19 | |||||
| 2021-02-10 Wednesday | 3:19 | |||||
| [2021-02-10 Wed 15:23] | work, review | Victor PR about build speed-up | 1:14 | |||
| [2021-02-10 Wed 11:01] | work | write weekly status | 0:34 | |||
| [2021-02-10 Wed 10:18] | work, chat | Jyoti CSA Migration, Account… | 1:31 |
IN-PROGRESS Document SBG single account work
CLOCK: [2021-02-10 Wed 17:06]–[2021-02-10 Wed 18:06] => 1:00
[2021-02-10 Wed 17:06]
DONE Prepare meeting work
CLOCK: [2021-02-10 Wed 15:26]–[2021-02-10 Wed 17:06] => 1:40
[2021-02-10 Wed 15:26]
- How's everyone? Good, Great, Bad, Sad?
-
Short daily stand up.
- Done
- Doing
- need help
REVIEW Victor PR about build speed-up work review
CLOCK: [2021-02-10 Wed 14:10]–[2021-02-10 Wed 15:24] => 1:14
[2021-02-10 Wed 15:23]
DONE write weekly status work
CLOCK: [2021-02-10 Wed 11:01]–[2021-02-10 Wed 11:35] => 0:34
[2021-02-10 Wed 11:01]
-
CSA Migration work:
- Implemented a PoC for plan B (migration via provisioning API)
- Tested the PoC using Vitalii work on AMP team
- Jyoti/QA/AMP Team tests (engineering)
- Propose other improvements (write a long detailed document about possibilities to help Elias think about what is possible)
CHAT Jyoti CSA Migration, Account Activation Simplification work chat
CLOCK: [2021-02-10 Wed 09:30]–[2021-02-10 Wed 11:01] => 1:31
[2021-02-10 Wed 10:18]
- ref
2021-02-11 Thursday
| Timestamp | Tags | Headline | Time | |||
|---|---|---|---|---|---|---|
| Total time | 2:37 | |||||
| 2021-02-11 Thursday | 2:37 | |||||
| [2021-02-11 Thu 11:00] | work | write doc for Auth/Id improvements | 1:07 | |||
| [2021-02-11 Thu 09:10] | work, review | multiple reviews and comment | 1:30 |
IN-PROGRESS write doc for Auth/Id improvements work
CLOCK: [2021-02-11 Thu 14:17]–[2021-02-15 Mon 11:20] => 93:03 CLOCK: [2021-02-11 Thu 11:00]–[2021-02-11 Thu 12:07] => 3:17
[2021-02-11 Thu 11:00]
REVIEW multiple reviews and comment work review
CLOCK: [2021-02-11 Thu 09:10]–[2021-02-11 Thu 10:40] => 1:30
[2021-02-11 Thu 09:10]
2021-W07
2021-02-15 Monday
IN-PROGRESS Authentication, ID, Activation Optimisation work
CLOCK: [2021-02-15 Mon 11:20]–[2021-02-16 Tue 09:07] => 21:47
[2021-02-15 Mon 11:20]
2021-02-16 Tuesday
DONE create OAuth2 clients for Vitalii in PROD work
CLOCK: [2021-02-16 Tue 16:34]–[2021-02-16 Tue 16:35] => 0:01
[2021-02-16 Tue 16:34]
- ref
- /yogsototh/deft/src/commit/20d5f866345a8984153efd2241238142a7152623/~/dev/iroh/services/iroh-auth/test/iroh_auth/iroh_auth_web_service_test.clj:::expect-merge? true
DONE update SSE clients work
CLOCK: [2021-02-16 Tue 15:22]–[2021-02-16 Tue 16:34] => 1:12
[2021-02-16 Tue 15:22]
NAM
client-id: client-3e55e6a3-4561-4733-b380-ffbd94733ba1
{
"scopes": [
"integration",
"private-intel",
"admin",
"profile",
"inspect",
"iroh-master",
"iroh-auth",
"sse",
"users",
"casebook",
"orbital",
"enrich",
"oauth",
"global-intel",
"collect",
"response",
"ui-settings",
"openid",
"ao"
],
"description": "PROD NAM Environment for Security Services Exchange Admin Console",
"approved?": true,
"redirects": [
"https://admin.sse.itd.cisco.com/*/*",
"https://admin.sse.itd.cisco.com/*/*/*",
"https://admin.sse.itd.cisco.com/*",
"https://admin.sse.itd.cisco.com/*/*/*/*",
"https://devops.sse.itd.cisco.com/*/*",
"https://devops.sse.itd.cisco.com/*/*/*",
"https://devops.sse.itd.cisco.com/*",
"https://devops.sse.itd.cisco.com/*/*/*/*"
],
"availability": "everyone",
"access-token-lifetime-in-sec": 86400,
"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG",
"idb-amp": "AMP"
},
"default-value": "AMP",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin",
"iroh-admin": "admin"
},
"default-value": "user",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
],
"password": "$s0$f0801$yjznqcXJR2qIloN/JFc4LQ==$FPuIlE/C5Pk/vVG+VVJeTos5UtV5HPhDveM3T/m4wAg=",
"id-token-lifetime-in-sec": 86400,
"name": "sse-ui-prod-nam-client",
"org-id": "576c9ad4-7820-44ca-9d5e-6ca678eadcd1",
"enabled?": true,
"grants": [
"auth-code"
],
"client-type": "confidential",
"id": "client-3e55e6a3-4561-4733-b380-ffbd94733ba1",
"approval-status": "approved",
"owner-id": "d697511a-9164-49d0-8c7b-a5c1a11fb25d",
"created-at": "2020-02-03T13:48:54.758Z"
}{
"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG",
"idb-amp": "AMP"
},
"default-value": "AMP",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG",
"idb-amp": "AMP"
},
"default-value": "AMP",
"claim-to-alias": "old-idp-mapping-idp"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "old-idp-mapping-organization-id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin",
"iroh-admin": "admin"
},
"default-value": "user",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
]
}EU
become master:
user-id: 080c8271-e1c7-4fe6-b6e2-bc1fda123432 done.
{
"scopes": [
"integration",
"private-intel",
"admin",
"profile",
"inspect",
"iroh-master",
"iroh-auth",
"sse",
"users",
"casebook",
"orbital",
"enrich",
"oauth",
"global-intel",
"collect",
"response",
"ui-settings",
"openid",
"ao"
],
"description": "PROD EU Environment for Security Services Exchange Admin Console",
"approved?": true,
"redirects": [
"https://admin.eu.sse.itd.cisco.com/*/*",
"https://admin.eu.sse.itd.cisco.com/*/*/*",
"https://admin.eu.sse.itd.cisco.com/*",
"https://admin.eu.sse.itd.cisco.com/*/*/*/*",
"https://devops.eu.sse.itd.cisco.com/*/*",
"https://devops.eu.sse.itd.cisco.com/*/*/*",
"https://devops.eu.sse.itd.cisco.com/*",
"https://devops.eu.sse.itd.cisco.com/*/*/*/*"
],
"availability": "everyone",
"access-token-lifetime-in-sec": 86400,
"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG-EU",
"idb-amp": "AMP-EU"
},
"default-value": "AMP-EU",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin",
"iroh-admin": "admin"
},
"default-value": "user",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
],
"password": "$s0$f0801$yjznqcXJR2qIloN/JFc4LQ==$FPuIlE/C5Pk/vVG+VVJeTos5UtV5HPhDveM3T/m4wAg=",
"id-token-lifetime-in-sec": 86400,
"name": "sse-ui-prod-eu-client",
"org-id": "576c9ad4-7820-44ca-9d5e-6ca678eadcd1",
"enabled?": true,
"grants": [
"auth-code"
],
"client-type": "confidential",
"id": "client-3e55e6a3-4561-4733-b380-ffbd94733ba1",
"approval-status": "approved",
"owner-id": "d697511a-9164-49d0-8c7b-a5c1a11fb25d",
"created-at": "2020-02-03T13:48:54.758Z"
}PATCH
{
"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG-EU",
"idb-amp": "AMP-EU"
},
"default-value": "AMP-EU",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG-EU",
"idb-amp": "AMP-EU"
},
"default-value": "AMP-EU",
"claim-to-alias": "old-idp-mapping-idp"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "old-idp-mapping-organization-id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin",
"iroh-admin": "admin"
},
"default-value": "user",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
]}APJC
Become master: user-id: b19d5dea-5aa4-4265-b42d-9acc1e913f01 done.
{
"scopes": [
"integration",
"private-intel",
"admin",
"profile",
"inspect",
"iroh-master",
"iroh-auth",
"sse",
"users",
"casebook",
"orbital",
"enrich",
"oauth",
"global-intel",
"collect",
"response",
"ui-settings",
"openid",
"ao"
],
"description": "PROD APJC Environment for Security Services Exchange Admin Console",
"approved?": true,
"redirects": [
"https://admin.apj.sse.itd.cisco.com/*/*",
"https://admin.apj.sse.itd.cisco.com/*/*/*",
"https://admin.apj.sse.itd.cisco.com/*",
"https://admin.apj.sse.itd.cisco.com/*/*/*/*",
"https://devops.apj.sse.itd.cisco.com/*/*",
"https://devops.apj.sse.itd.cisco.com/*/*/*",
"https://devops.apj.sse.itd.cisco.com/*",
"https://devops.apj.sse.itd.cisco.com/*/*/*/*",
"https://devops.apj.sse.itd.cisco.com"
],
"availability": "everyone",
"access-token-lifetime-in-sec": 86400,
"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG-APJ",
"idb-amp": "AMP-APJ"
},
"default-value": "AMP",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin",
"iroh-admin": "admin"
},
"default-value": "user",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
],
"password": "$s0$f0801$yjznqcXJR2qIloN/JFc4LQ==$FPuIlE/C5Pk/vVG+VVJeTos5UtV5HPhDveM3T/m4wAg=",
"id-token-lifetime-in-sec": 86400,
"name": "sse-ui-prod-apjc-client",
"org-id": "576c9ad4-7820-44ca-9d5e-6ca678eadcd1",
"enabled?": true,
"grants": [
"auth-code"
],
"client-type": "confidential",
"id": "client-3e55e6a3-4561-4733-b380-ffbd94733ba1",
"approval-status": "approved",
"owner-id": "d697511a-9164-49d0-8c7b-a5c1a11fb25d",
"created-at": "2020-02-03T13:48:54.758Z"
}PATCH
{
"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG-APJ",
"idb-amp": "AMP-APJ"
},
"default-value": "AMP-APJ",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG-APJ",
"idb-amp": "AMP-APJ"
},
"default-value": "AMP-APJ",
"claim-to-alias": "old-idp-mapping-idp"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "old-idp-mapping-organization-id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin",
"iroh-admin": "admin"
},
"default-value": "user",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
]
}{
"scopes": [
"integration",
"private-intel",
"admin",
"profile",
"inspect",
"iroh-master",
"iroh-auth",
"sse",
"users",
"casebook",
"orbital",
"enrich",
"oauth",
"global-intel",
"collect",
"response",
"ui-settings",
"openid",
"ao"
],
"description": "PROD APJC Environment for Security Services Exchange Admin Console",
"approved?": true,
"redirects": [
"http://localhost:*/*",
"https://localhost:*/*/*/*",
"https://localhost:*/*/*",
"https://admin.apj.sse.itd.cisco.com/*/*",
"https://admin.apj.sse.itd.cisco.com/*/*/*",
"https://admin.apj.sse.itd.cisco.com/*",
"https://admin.apj.sse.itd.cisco.com/*/*/*/*",
"https://localhost:*",
"http://localhost:*/*/*/*",
"https://localhost:*/*",
"http://localhost:*/*/*",
"http://localhost:*"
],
"availability": "everyone",
"access-token-lifetime-in-sec": 86400,
"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"default-value": "AMP",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "companyId",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin"
},
"default-value": "admin",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
],
"password": "$s0$f0801$1oB9uodlfkUpACx2HNnVcQ==$eLNMiORI5R4jCWZp40fGyQvU59bqigGtwoYr8f7cVzU=",
"id-token-lifetime-in-sec": 86400,
"name": "sse-ui-dev-client",
"org-id": "63489cf9-561c-4958-a13d-6d84b7ef09d4",
"enabled?": true,
"grants": [
"auth-code"
],
"client-type": "confidential",
"id": "client-92258bc0-196a-4f6c-a0b5-fe105de5f505",
"approval-status": "approved",
"owner-id": "6ee52ee9-2e3a-4e1b-977d-961facb5fd84",
"created-at": "2020-02-03T13:48:54.758Z"
}PATCH
{ "id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"default-value": "AMP",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"default-value": "AMP",
"claim-to-alias": "old-idp-mapping-idp"
},
{
"alias": "companyId",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyId",
"claim-to-alias": "old-idp-mapping-organization-id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin"
},
"default-value": "admin",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
]}DONE CSA Migration: merge user by email work
CLOCK: [2021-02-16 Tue 09:07]–[2021-02-16 Tue 15:22] => 6:15
[2021-02-16 Tue 09:07]
2021-02-17 Wednesday
IN-PROGRESS clients SSE work
MEETING weekly meeting work meeting
CLOCK: [2021-02-17 Wed 16:02]–[2021-02-17 Wed 17:25] => 1:23
[2021-02-17 Wed 16:02]
- ref
IN-PROGRESS Update SSE client 2nd pass work
CLOCK: [2021-02-17 Wed 14:52]–[2021-02-17 Wed 16:02] => 1:10
[2021-02-17 Wed 14:52]
2021-02-18 Thursday
IN-PROGRESS debug claim aliases work
CLOCK: [2021-02-18 Thu 09:18]–[2021-02-18 Thu 10:38] => 1:20
[2021-02-18 Thu 09:18]
2021-02-19 Friday
IN-PROGRESS Device Grant analysis work
[2021-02-19 Fri 15:41]
2021-W08
2021-02-22 Monday
MEETING Core Team: SecureX Account Activation Optimization work meeting
CLOCK: [2021-02-22 Mon 16:02]–[2021-02-23 Tue 08:47] => 16:45
[2021-02-22 Mon 16:02]
Meeting Agenda:
Discussion to drive forward SecureX Account Activation Optimization Q3 efforts
- Account Creation Workflow
- CSA Migration (has it own dedicated work stream – but is there anything impacting the overall initiative?)
- Firepower Onboarding (has it own dedicated work stream – but is there anything impacting the overall initiative?)
- Workflow
- Role Based Access
- Module Addition/Health Workflow
- Status of action items from last core team call
- What help is needed (decisions, clarity, etc.)
- Any blockers or issues?
Doing in Q3.
Most conversation is good.
Agenda:
@Jyoti, this is a huge item. Audience in this meeting is too big.
Where to track. Some github issue are dead.
Namrata: focus on first 3 items. Martin: item named workflow, don't know what that is.
Module Addition.
2021-02-23 Tuesday
CHAT webex morning routine work chat
CLOCK: [2021-02-23 Tue 08:47]–[2021-02-23 Tue 09:47] => 1:00
[2021-02-23 Tue 08:47]
CSA Migration
DONE Houman
SCHEDULED: <2021-02-23 Tue 16:00>
@Houman
Hi Yann - something for tomorrow, none of the QA orgs in TEST or INT are showing the registered devices in SSE. When I cross launch to SSE, I am able to see the devices, but in SecureX there is no device. Both are AMP orgs and already migrated. Here are the org IDs:
c395f3c8-723b-4d15-b8b7-e17bec459c6b
cc6a35bc-1739-4fcd-a285-aa95adbd5e41Could you please take a look and unblock QA orgs?
INT org
{
"id": "c395f3c8-723b-4d15-b8b7-e17bec459c6b",
"name": "adminctrqa",
"enabled?": true,
"created-at": "2019-04-04T20:33:53.033Z",
"idp-mapping": {
"idp": "idb-amp-staging",
"enabled?": true,
"organization-id": "c395f3c8-723b-4d15-b8b7-e17bec459c6b"
},
"scim-status": "activated",
"additional-scopes": [
"iroh-admin",
"iroh-master",
"iroh-auth",
"sse",
"cisco"
]
}
Contains idp-mapping.
Logs during OIDC does not contain it:
The client claim-aliases looks ok:
"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "idp-mapping-idp"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "old-idp-mapping-idp"
},2021-02-24 Wednesday
MEETING Fix SSE client work meeting
CLOCK: [2021-02-24 Wed 18:33]–[2021-02-25 Thu 18:07] => 23:34
[2021-02-24 Wed 18:33]
client PATCH
TEST:
{"id-token-aliases": [
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG",
"threatgrid":"TG",
"idb-amp": "AMP",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"default-value": "AMP",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/idp/id"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG",
"threatgrid":"TG",
"idb-amp": "AMP",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "idp-mapping-idp"
},
{
"alias": "spId",
"case-value": {
"sxso": "SXSO",
"idb-tg": "TG",
"threatgrid":"TG",
"idb-amp": "AMP",
"idb-tg-staging": "TG",
"idb-amp-staging": "AMP"
},
"claim-to-alias": "old-idp-mapping-idp"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "idp-mapping-organization-id"
},
{
"alias": "companyId",
"replace-value": [
[
"^threatgrid[:]",
""
]
],
"claim-to-alias": "old-idp-mapping-organization-id"
},
{
"alias": "companyName",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/org/name"
},
{
"alias": "user_name",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/name"
},
{
"alias": "user_email",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/email"
},
{
"alias": "role",
"case-value": {
"admin": "admin",
"master": "admin",
"iroh-admin": "admin"
},
"default-value": "user",
"claim-to-alias": "https://schemas.cisco.com/iroh/identity/claims/user/role"
}
]}IN-PROGRESS continue the day work
MEETING dev weekly work meeting
CLOCK: [2021-02-24 Wed 15:55]–[2021-02-24 Wed 17:04] => 1:09
[2021-02-24 Wed 15:55]
Weekly status
IROH:
- Provisioning: organization-id added to idp-mapping (#4855)
- Use entities in DB during SSE id-token generation (#4844) …
- Added tests to verify #4808 (#4817) …
- Hide provisioning API routes (#4835)
- OAuth2 client availabilty restriction for non admin (#4820) …
- Prevent user merge by email for some IdP (#4819) …
Tenzin-config:
Provisioning API in PROD (#375) Mark some IdP as safe for email (#374)
- Extract `user->identity` helper
- RFC Problem Statement: Managing transitive dependencies for "test" jars
- Add schema validation for `gen-jwt`
- Use EmailService in iroh-feedback
- RFC: Prevent dependency confusion attack on our code base
- Add a `svc-helper` for `iroh-int.test-helpers.auth`
- Write tests for #4844
- Update SSE Clients
- SSE wrong org object passed to id_token generation
- Prevent merge user by email for TG accounts
- Claim aliases bug fix
- Prevent non-admin users to create client with availability "Org"
Notes
-
Yann:
- CSA Migration, Talk about SSE, and release.
-
Guillaume:
- CSA Migration
- Status API route
- FMC
-
Rob:
- discussion about Ben Greenbaum and Umbrella module (409 hit)
-
Ag:
- Bundle assets
-
Ambrose:
- Fixed the cron-job
- finished email service
- research work about problem statement
Real Work™ discussion.
2021-W09
2021-03-02 Tuesday
MEETING Account Activation Optimization work meeting
CLOCK: [2021-03-02 Tue 16:01]–[2021-03-02 Tue 17:21] => 1:20
[2021-03-02 Tue 16:01]
Centralize tools from different groups.
One stop shop.
Account Activation/Firepower.
Epics/issues.
https://github.com/threatgrid/response/issues/577 https://github.com/threatgrid/response/issues/565 https://github.com/threatgrid/response/issues/562
2021-03-03 Wednesday
MEETING PosaaS work meeting
CLOCK: [2021-03-03 Wed 18:37]–[2021-03-03 Wed 19:45] => 1:08
[2021-03-03 Wed 18:37]
Posaas: Posture as a Service
- Actionable items
- cross launch
2021-03-04 Thursday
IN-PROGRESS NGFW improvements work
CLOCK: [2021-03-04 Thu 10:25]–[2021-03-05 Fri 20:36] => 34:11
[2021-03-04 Thu 10:25]
IN-PROGRESS discussions TD work
CLOCK: [2021-03-04 Thu 10:25]–[2021-03-04 Thu 10:25] => 0:00
[2021-03-04 Thu 07:25]
2021-W10
2021-03-08 Monday
MEETING IROH Token & Posture work meeting
CLOCK: [2021-03-08 Mon 19:00]–[2021-03-08 Mon 20:32] => 1:32
[2021-03-08 Mon 18:59]
Experience we're trying to reach with Posture.
Martin should feel like a Platform. Selectively select product. Onboard AMP only once for everything.
J: Posture should abide IROH-Auth OIDC to prevent discrepencies
Didi: I would like to separate that.
@Didi:
3 types of UX.
- New user and want to start SecureX. Onboard all modules.
- I am existing user, I have all enabled. I want to turn on Postule and modules inside the suite right now.
- I want to be able to kill my Posture collection. I want to revoke access.
- Monitor the situation of what is happening in my system.
Elias:
- org managing. We're not gonna have Posture to have a separate org management.
Didi:
Back from session. Hacks Millards
IROH-Auth is the authorize source of orgs. Basically session manager able to get identity token. Some org-hint in Okta.
How to integrate Posture in SecureX.
Elias:
Real concern is about webhook integration.
2021-03-09 Tuesday
MEETING CSA Migration check work meeting
CLOCK: [2021-03-09 Tue 06:05]–[2021-03-09 Tue 07:05] => 1:00
[2021-03-09 Tue 06:04]
- ref
2021-03-10 Wednesday
IN-PROGRESS weekly work
CLOCK: [2021-03-10 Wed 15:23]–[2021-03-10 Wed 17:07] => 1:44
[2021-03-10 Wed 15:22]
Done
Meetings:
-
bug fixing due to provisioning API call in PROD
- fix the bug in v1.67; disable provisioning API.
- prevent the provisioning API de delete idp-mappings
-
generic discusion about the goals for the Auth for SecureX
- discussion about moving the org/user management to Okta (I think).
Code:
- Prevent duplicate user creation via the provisioning API (#4930)
- Improve idp-filter message. (#4921)
- Display Org's idp in account selection (#4909)
- provisioning API further protections (#4919)
- Prevent destructive change via Provisioning API (#4900)
- Relax scopes for non activated accounts (#4891)
- Easy fix for a faster test (#4936)
- Delete obsolete files. (#4907)
- Destroy tokyo (#4880)
- Fix reported status due to missing scope. (#4886)
Working
- Improve Selection Page https://github.com/threatgrid/iroh/issues/4918
-
IROH-Auth Session: https://github.com/threatgrid/iroh/issues/4323
- Add/delete cookies during Authentication workflow; https://github.com/threatgrid/iroh/issues/4911
- Checking diff between
uberjarprofile andtestdependencies version
2021-03-11 Thursday
MEETING weekly with Al! work meeting
CLOCK: [2021-03-11 Thu 18:11]–[2021-03-11 Thu 19:06] => 0:55
[2021-03-11 Thu 18:11]
CSA migration stress
Al
It works very very well. It sells more products.
Push the hole portofolio. Hard for people to enter into the system.
It because more complex. CSA Migration should be fixed. Firewall migration is important.
Production issues. Pressure on the system.
Dates comes from you.
Ops
Release report from Houman
Demos
2021-W11
2021-03-16 Tuesday
MEETING DUO QA work meeting
CLOCK: [2021-03-16 Tue 18:29]–[2021-03-16 Tue 19:23] => 0:54
[2021-03-16 Tue 18:29]
Automation with Environment.
What to do and what not to do.
Recap your position Didi.
@Didi:
think outside of the box. Our concerns from the other side. Houman conversation.
Single Sign On is tested in a specific way. We have CI environment. Display the profile page and display the dashboard that replace the Okta dashboard. And provide Okta services. Template for email and UI. And rather not have touching these things in production.
So our dev go in the CI env. Flow user creation, webhooks, etc… That env is different than previous env.
If you need a CI env. We recommend people to have their own Okta instance. Can have as many Okta instances as we want.
2 instances:
- okta preview meant for developers and code integration. IDE with that. CI, Preview, don't use CDN. Willing to accept pen testing, etc…
- staging production environment.
Preview env, is stable at code level. There is a level of testing between okta preview and prod.
3 options of testing.
- Manually
- Set of existing users, we give you a DUO bypass code. We need MFA otherwise fake users creation.
- Provide MFA in a self-hosted Okta instance. Personal MFA to be automated.
We plan on enabled Google and not just DUO.
@Houman
Google would help because we could bypass the MFA section. That would be enough for the automatisation part.
We can create/delete users automatically.
If Google Auth is not a reason. Our concern is not the number of users. We cannot have an env without MFA.
2021-W12
2021-03-24 Wednesday
MEETING Demo CSA Migration work meeting
CLOCK: [2021-03-24 Wed 15:29]–[2021-03-24 Wed 16:49] => 1:20
[2021-03-24 Wed 15:29]
Andy
Goal:
- Resolving Problems and Plan to our Beta
i
Demo April Luk
- Login through CSA
- Click on Migrate Later
- Login into SecureX, in Manage Users see use CSA
- Logout
- Login through CSA
- Migrate => Test Login
- Create a SecureX Account
- Wait for email, click on the link, activate the account
- Make the DUO danse
- Click on Finish (in SXSO after DUO) end up in "Migrate Later" / "Migrate Now"
- Error to SXSO idp-filter, link goes to CTR, need to Logout, and back to SecureX
1 -> 9 idem
Ping April Luk Send a demo video
Open issues on the conference page. SSO conf, beta blocker page.
2021-03-25 Thursday
MEETING weekly meeting work meeting
CLOCK: [2021-03-25 Thu 16:03]–[2021-03-25 Thu 17:23] => 1:20
[2021-03-25 Thu 16:03]
2021-W13
2021-03-29 Monday
MEETING Meeting Talk about SSE tokens work meeting
CLOCK: [2021-03-29 Mon 20:28]–[2021-03-29 Mon 22:49] => 2:21
[2021-03-29 Mon 20:28]
Cold weather at Didi's place.
Doron: CDO
Doing things with SSE and SecureX. Device Manager, OIDC. We look at the user, tenant in SSE, etc…
The flow sometimes break, etc… Sometimes in the CDO part.
SSE guys told me I need to talk to you to change the flow.
2021-03-30 Tuesday
IN-PROGRESS Learn about sessions between different domains work
CLOCK: [2021-03-30 Tue 10:10]–[2021-04-01 Thu 11:30] => 49:20
[2021-03-30 Tue 10:10]
2021-04-02 Friday
MEETING CSA Meeting work meeting
CLOCK: [2021-04-02 Fri 16:30]–[2021-04-02 Fri 17:50] => 1:20
[2021-04-02 Fri 16:30]
Notice form my last update. Most issue marked as resolved.
Andy:
DONE response explanation about Clients work
CLOCK: [2021-04-02 Fri 15:50]–[2021-04-02 Fri 15:58] => 0:08
[2021-04-02 Fri 15:50]
The most important. Our Client model is not public like it is with Github. So Clients of IROH-Auth are not public by default like this is the case for Github. Every OAuth2 Auth Code client that would like to be used by people outside the org of its owner MUST ask for an approval from a SecureX Administrator. More precisely:
- No client can be created that could be used outside of the org without a
Cisco SecureX administrator manually approving that client. So nobody from any org X could create a client with a fake Application name and use it outside of their own Org. Also the client would be updated, it would still need another approval from us.
- No client can have the auto-approval feature which is extremely restricted
to only a bunch of trusted clients. The list of client with auto-approval is put in a separate table only accessible via Cisco SecureX administrators (us).
- A lot of existing clients were created before we had the current Data User
structure. So for example, the Organization name will probably be something no meaningful.
- Also many other teams inside Cisco did not create the client themselves and
we created the client for them and we handled them the client credentials. So would we add the Org name to this page it would mean that we need a lot of administrative work on the 5 deployed environments to change the owner of many clients manually.
- The SecureX/CTR Orgs are not public, they do not have a public profile any
user could check. We could at most give the name of the org. I think at most we could show a few data about the Client's owner. For example it's user name, (email ?), etc… So unlike with github we cannot give a link to an Org profile webpage.
- Orgs do not have avatars.
2021-W14
2021-04-06 Tuesday
2021-04-08 Thursday
MEETING weekly work meeting
CLOCK: [2021-04-08 Thu 18:10]–[2021-04-08 Thu 19:30] => 1:20
[2021-04-08 Thu 18:36]
MEETING Weekly services meeting work meeting
CLOCK: [2021-04-08 Thu 17:00]–[2021-04-08 Thu 17:53] => 0:53
[2021-04-08 Thu 17:13]
- ref
DONE Check security open issues
Markdown security related:
Deprecarted/Don't care/Probably fixed/Not a bug, it's a feature
Possible break/surprising UX/etc…
Potentially break dev/integration with other teams due to improved security:
discuss with Orbital about https://github.com/threatgrid/iroh/issues/5121 discuss with SWC about https://github.com/threatgrid/iroh/issues/4387 For v1.71:
Merge https://github.com/threatgrid/iroh/pull/4947 Merge https://github.com/threatgrid/iroh/pull/5106
Need design work
2021-04-09 Friday
EMAIL work email tour work email
CLOCK: [2021-04-09 Fri 11:28]–[2021-04-09 Fri 17:31] => 6:03
[2021-04-09 Fri 11:28]
REVIEW Morning gh routine work review
CLOCK: [2021-04-09 Fri 10:55]–[2021-04-09 Fri 11:28] => 0:33
[2021-04-09 Fri 10:55] :refer \[can-create? can-delete? can-read? can-write?\]\]]]
CHAT chat tour work chat
CLOCK: [2021-04-09 Fri 10:05]–[2021-04-09 Fri 10:55] => 0:50
[2021-04-09 Fri 10:55]
2021-W15
2021-04-12 Monday
IN-PROGRESS IROH-Auth Session work
CLOCK: [2021-04-12 Mon 16:29]–[2021-04-12 Mon 17:29] => 1:00
[2021-04-12 Mon 16:28]
- ref
- https://blog.theodo.com/2016/10/how-to-track-your-users-over-several-domains/
- ref
- https://stackoverflow.com/questions/3342140/cross-domain-cookies
- ref
- https://stackoverflow.com/questions/19531183/set-cookie-on-multiple-domains-with-php-or-javascript/19546680#19546680
Seems clear that whatever solution, cross-domain cookies will be more and more difficult to work as browser vendor will make their best to prevent user tracking.
So the best solution would be to keep a IROH-Auth local session. If a user come on the IROH-Auth login page. We could have put a set of cookies (if we want cross domain but intra security.cisco.com one) or use localStorage.
- We should ensure that once the user is logged sucessfully we save the JWT
2021-04-14 Wednesday
MEETING interview work meeting
CLOCK: [2021-04-14 Wed 18:28]–[2021-04-15 Thu 10:36] => 16:08
[2021-04-14 Wed 18:28]
IN-PROGRESS Presentation IROH-Auth work
CLOCK: [2021-04-14 Wed 09:20]–[2021-04-14 Wed 18:28] => 9:08
[2021-04-14 Wed 09:20]
History
- Login using AMP SAML (generate JWT)
- OAuth2 Provider (Grants)
- Login using OpenID Connect with TG (client of OpenID Connect)
- Users/Orgs in DB!!!
- Account Activation
- Become an OpenID Connect provider
- OIDC with SSE
Internal User Structure
Cisco specificity
2021-04-15 Thursday
IN-PROGRESS presentation IROH-Auth work
CLOCK: [2021-04-15 Thu 10:36]–[2021-04-15 Thu 11:06] => 0:30
[2021-04-15 Thu 10:36]
2021-04-16 Friday
IN-PROGRESS Presentation work
CLOCK: [2021-04-16 Fri 11:56]–[2021-04-16 Fri 12:56] => 1:00
[2021-04-16 Fri 11:56]
2021-W16
2021-04-23 Friday
MEETING SSE device + smart accounts work meeting
CLOCK: [2021-04-23 Fri 17:19]–[2021-04-23 Fri 18:23] => 1:04
[2021-04-23 Fri 17:19]
2021-W17
2021-04-26 Monday
IN-PROGRESS Device Flow work
CLOCK: [2021-04-26 Mon 10:40]–[2021-04-26 Mon 12:00] => 1:20
[2021-04-26 Mon 10:40]
- ref
CHAT Yana redirects work chat
CLOCK: [2021-04-26 Mon 10:03]–[2021-04-26 Mon 10:06] => 0:03
[2021-04-26 Mon 10:03]
2021-04-30 Friday
IN-PROGRESS Cognitive work
CLOCK: [2021-04-30 Fri 19:06]–[2021-05-02 Sun 08:10] => 37:04
[2021-04-30 Fri 19:05]
Clients NAM: client-cd34f85d-1c5f-4e93-856c-4cd7c07b847d EU: client-c24bcbe6-ea0b-49cd-9aa8-6e7b3b744412 APJC: client-72111422-86be-4a0e-a5ce-0a25e55304a2 Request for new org name: Global Threat Alerts Integrations - NAM Global Threat Alerts Integrations - EU Global Threat Alerts Integrations - APJC Users mistanke@cisco.com mvelk@cisco.com jpradac@cisco.com pjisl@cisco.com mafanta@cisco.com bdimitri@cisco.com dastrupl@cisco.com PATCH:
{"org-id": "827f573c-1c08-44a6-9d08-4b8ae03a50a0",
"owner-id": "25de35b8-3069-4e5c-a1b4-506cfb82b6d5"}NAM
client: client-cd34f85d-1c5f-4e93-856c-4cd7c07b847d
User Martin Fanta
user-id: 25de35b8-3069-4e5c-a1b4-506cfb82b6d5
{
"role": "admin",
"scopes": [
"vault/configs:read",
"integration",
"private-intel",
"admin",
"profile",
"inspect",
"feedback",
"sse",
"registry",
"users",
"invite",
"casebook",
"vault/config/metadata:read",
"orbital",
"enrich",
"oauth",
"collect",
"response",
"ui-settings",
"telemetry:write",
"openid",
"notification",
"global-intel:read",
"webhook",
"vault/config/posture:read",
"ao"
],
"updated-at": "2021-04-30T14:46:57.763Z",
"idp-mappings": [
{
"idp": "sxso",
"enabled?": true,
"user-identity-id": "00u4ti78a4BXlZSFQ357"
}
],
"user-email": "mafanta@cisco.com",
"user-name": "Martin Fanta",
"org-id": "827f573c-1c08-44a6-9d08-4b8ae03a50a0",
"user-id": "25de35b8-3069-4e5c-a1b4-506cfb82b6d5",
"enabled?": true,
"last-logged-at": [
"2021-04-30T14:47:33.023Z",
"2021-04-30T14:47:14.157Z",
"2021-04-30T14:47:00.478Z",
"2021-04-13T13:48:03.320Z",
"2021-03-18T13:14:51.114Z"
],
"created-at": "2021-03-18T13:14:24.604Z",
"user-nick": "Martin Fanta"
}
Org: 827f573c-1c08-44a6-9d08-4b8ae03a50a0
{
"id": "827f573c-1c08-44a6-9d08-4b8ae03a50a0",
"name": "Global Threat Alerts Integrations - NAM",
"address": {
"city": "",
"street1": "",
"street2": "",
"department": "",
"postal-code": "",
"country-iso-code": "CZ"
},
"enabled?": true,
"created-at": "2021-03-18T13:14:24.597Z",
"scim-status": "activated"
}EU
client: client-c24bcbe6-ea0b-49cd-9aa8-6e7b3b744412
User Martin Fanta
user-id: 25de35b8-3069-4e5c-a1b4-506cfb82b6d5
{
"role": "admin",
"scopes": [
"vault/configs:read",
"integration",
"private-intel",
"admin",
"profile",
"inspect",
"feedback",
"sse",
"registry",
"users",
"invite",
"casebook",
"vault/config/metadata:read",
"orbital",
"enrich",
"oauth",
"collect",
"response",
"ui-settings",
"telemetry:write",
"openid",
"notification",
"global-intel:read",
"webhook",
"vault/config/posture:read",
"ao"
],
"updated-at": "2021-04-30T14:46:57.763Z",
"idp-mappings": [
{
"idp": "sxso",
"enabled?": true,
"user-identity-id": "00u4ti78a4BXlZSFQ357"
}
],
"user-email": "mafanta@cisco.com",
"user-name": "Martin Fanta",
"org-id": "827f573c-1c08-44a6-9d08-4b8ae03a50a0",
"user-id": "25de35b8-3069-4e5c-a1b4-506cfb82b6d5",
"enabled?": true,
"last-logged-at": [
"2021-04-30T14:47:33.023Z",
"2021-04-30T14:47:14.157Z",
"2021-04-30T14:47:00.478Z",
"2021-04-13T13:48:03.320Z",
"2021-03-18T13:14:51.114Z"
],
"created-at": "2021-03-18T13:14:24.604Z",
"user-nick": "Martin Fanta"
}
Org: 827f573c-1c08-44a6-9d08-4b8ae03a50a0
{
"id": "827f573c-1c08-44a6-9d08-4b8ae03a50a0",
"name": "Global Threat Alerts Integrations - NAM",
"address": {
"city": "",
"street1": "",
"street2": "",
"department": "",
"postal-code": "",
"country-iso-code": "CZ"
},
"enabled?": true,
"created-at": "2021-03-18T13:14:24.597Z",
"scim-status": "activated"
}APJC
User Martin Fanta
user-id: 25de35b8-3069-4e5c-a1b4-506cfb82b6d5
{
"role": "admin",
"scopes": [
"vault/configs:read",
"integration",
"private-intel",
"admin",
"profile",
"inspect",
"feedback",
"sse",
"registry",
"users",
"invite",
"casebook",
"vault/config/metadata:read",
"orbital",
"enrich",
"oauth",
"collect",
"response",
"ui-settings",
"telemetry:write",
"openid",
"notification",
"global-intel:read",
"webhook",
"vault/config/posture:read",
"ao"
],
"updated-at": "2021-04-30T14:46:57.763Z",
"idp-mappings": [
{
"idp": "sxso",
"enabled?": true,
"user-identity-id": "00u4ti78a4BXlZSFQ357"
}
],
"user-email": "mafanta@cisco.com",
"user-name": "Martin Fanta",
"org-id": "827f573c-1c08-44a6-9d08-4b8ae03a50a0",
"user-id": "25de35b8-3069-4e5c-a1b4-506cfb82b6d5",
"enabled?": true,
"last-logged-at": [
"2021-04-30T14:47:33.023Z",
"2021-04-30T14:47:14.157Z",
"2021-04-30T14:47:00.478Z",
"2021-04-13T13:48:03.320Z",
"2021-03-18T13:14:51.114Z"
],
"created-at": "2021-03-18T13:14:24.604Z",
"user-nick": "Martin Fanta"
}2021-W18
2021-05-03 Monday
CHAT Neel chat work chat
CLOCK: [2021-05-03 Mon 15:35]–[2021-05-03 Mon 22:14] => 6:39
[2021-05-03 Mon 15:35]
IN-PROGRESS Check Provisioning API issue work
CLOCK: [2021-05-03 Mon 08:19]–[2021-05-03 Mon 11:43] => 3:24
[2021-05-03 Mon 08:19]
2021-05-04 Tuesday
MEETING Town Hall work meeting
CLOCK: [2021-05-04 Tue 13:02]–[2021-05-04 Tue 22:53] => 9:51
[2021-05-04 Tue 13:01]
- ref
Mougin Office
Decision par: Business Unit Engineering (Securite) et Sales supportent aussi.
Râlage, …
Remise en cause des chiffres WPR par Luc.
Explication:
5 sites Regus au lieu d'un seul.
Alexandra Viennot; HR Country Manager.
2021-05-05 Wednesday
CHAT Fix client in APJC work chat
CLOCK: [2021-05-05 Wed 17:32]–[2021-05-05 Wed 18:49] => 1:17
[2021-05-05 Wed 17:32]
client-94325fbf-986f-4f0d-ae1d-c1696d1825f0
CHAT Tritan York question work chat
CLOCK: [2021-05-05 Wed 14:50]–[2021-05-05 Wed 17:32] => 2:42
[2021-05-05 Wed 14:50]
IN-PROGRESS Admin UI work
CLOCK: [2021-05-05 Wed 14:40]–[2021-05-05 Wed 14:50] => 0:10
[2021-05-05 Wed 14:40]
CHAT April Luk testing work chat interruption
CLOCK: [2021-05-05 Wed 14:30]–[2021-05-05 Wed 14:40] => 0:10
[2021-05-05 Wed 14:30]
- ref
REVIEW PR reviewing work review
CLOCK: [2021-05-05 Wed 09:01]–[2021-05-05 Wed 10:18] => 1:17
[2021-05-05 Wed 10:01]
- ref
2021-05-06 Thursday
MEETING Weekly work meeting
CLOCK: [2021-05-06 Thu 17:03]–[2021-05-07 Fri 00:22] => 7:19
[2021-05-06 Thu 17:03]
Standup
- Fixed a bug related to CSA Migration and follow up
- Device Code Flow
.
Module types
Question for Jyoti.
- n AMP -> 1 secure X
.
- merged the 2nd/3 of Status API yesterday
- fixed 1.72 deploy due to rate-limiting => moving to actions
Trent suggested a solution New UI idea underway. Change the data on the ESA module side.
Horizontal segment, total of the segment and part of the total.
Jyoti: we want the product involved (ESA team) Paul Infantino.
Tangling SMA. Confusing myself.
Jyoti to Guillaume: On the UI side applinks. Dar implementing it. And he fetches it, and uses the bookmark Okta.
Guillaume: we gave you.
Module Type Patch API.
Delete AO Setup workflow. Really good test on that.
This one pretty close to be done. I used generative test. Generate
Meeting CSA Migration.
2021-W19
2021-05-10 Monday
EMAIL Answer to Jyoti email work email
CLOCK: [2021-05-10 Mon 09:03] CLOCK: [2021-05-10 Mon 09:00]–[2021-05-10 Mon 09:00] => 0:00
[2021-05-10 Mon 09:00]