78 lines
2.3 KiB
Org Mode
:PROPERTIES:
:ID: 1208f09c-d37d-4e6b-9110-151f3c6b7d34
:END:
#+TITLE: Cisco FT SecureX Simplified Registration
#+Author: Yann Esposito
#+Date: [2021-12-07]

- tags :: [[id:299643a7-00e5-47fb-a987-3b9278e89da3][Auth]]
- source :: https://github.com/advthreat/response/issues/821
- dashboard :: https://github.com/advthreat/iroh/projects/32

* Technical Plan

** Support private email vs public emails

The solution is to use a blacklist of public email domains, i.e. domains
where any user can create multiple email accounts pseudo-anonymously; an
email on any other domain is treated as a private (organization) address.

** Support, search admin with same email domain

We should be able, given the email of a user, to find all the orgs for
which at least one admin has a matching email domain.

1. Most efficient: add an invisible field =email-domain= to all users. This
   should be lower-case, and we will need a migration.
   Doing this we could have a faster match than with string related queries.

   Problem: the same user can log in with different emails, so a single
   stored =email-domain= may not cover all of them. This should be rare.

2. Search via text match.

The algorithm should look a bit like:

#+begin_src clojure
(require '[clojure.string :as string])

;; only when this is an unknown user
;; (wrapped in a function so the sketch is callable; `user-email` is the
;; email the unknown user typed in)
(defn orgs-with-matching-admins
  [user-email]
  (let [domain (string/replace user-email #".*@" "")
        ;; `matching-admins` is the project's lookup; it returns a
        ;; potentially big list of admin users
        users (matching-admins domain)
        indexed-orgs (group-by :org-id users)]
    (vals indexed-orgs)))
#+end_src

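As an added example (not IROH's own code), the two sections above combined into one runnable Clojure sketch: the public-domain blacklist check, the lower-cased domain extraction that the =email-domain= field would hold, and the per-org grouping of matching admins. The blacklist contents, the sample admin records and the in-memory =matching-admins= are constructed for this example; in the real service the lookup would query the indexed =email-domain= field.

```clojure
(require '[clojure.string :as string])

;; Constructed blacklist of public (free) email providers. The real list
;; is a product decision and is not part of this note.
(def public-email-domains
  #{"gmail.com" "yahoo.com" "outlook.com" "hotmail.com" "protonmail.com"})

(defn email-domain
  "Domain part of an email, trimmed and lower-cased, so that
   Alice@Example.COM and bob@example.com land on the same org admins.
   Returns nil when the input has no @."
  [email]
  (when (and (string? email) (string/includes? email "@"))
    (-> email string/trim (string/replace #".*@" "") string/lower-case)))

(defn public-email?
  "True when the domain is blacklisted, i.e. anyone could create several
   pseudo-anonymous accounts on it."
  [email]
  (contains? public-email-domains (email-domain email)))

;; Constructed sample of admin users. :email-domain is the invisible,
;; lower-cased field that the migration would add to every user.
(def sample-admins
  [{:id "u1" :org-id "org-a" :email "Alice@Example.com" :email-domain "example.com"}
   {:id "u2" :org-id "org-a" :email "bob@example.com"   :email-domain "example.com"}
   {:id "u3" :org-id "org-b" :email "carol@example.com" :email-domain "example.com"}
   {:id "u4" :org-id "org-c" :email "dave@other.org"    :email-domain "other.org"}
   {:id "u5" :org-id "org-d" :email "eve@gmail.com"     :email-domain "gmail.com"}])

(defn matching-admins
  "In-memory stand-in for the project's lookup: every admin whose
   :email-domain equals domain (an exact match on the indexed field,
   not a string query)."
  [admins domain]
  (filter #(= domain (:email-domain %)) admins))

(defn orgs-for-unknown-user
  "Map of org-id -> admins sharing the unknown user's email domain.
   Public domains never match: otherwise every Gmail user would be
   offered every org that has a Gmail admin."
  [admins user-email]
  (let [domain (email-domain user-email)]
    (if (or (nil? domain) (public-email? user-email))
      {}
      (group-by :org-id (matching-admins admins domain)))))

(comment
  ;; private domain: grouped admins of org-a and org-b
  (orgs-for-unknown-user sample-admins "Frank@EXAMPLE.com")
  ;; public domain: no suggestion at all, even though org-d has a Gmail admin
  (orgs-for-unknown-user sample-admins "mallory@gmail.com"))
```

The blacklist is applied before the lookup, not after: a blacklisted domain short-circuits to an empty result, so the potentially large admin list for a public domain is never fetched.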
** Support Org request to admins

We need to create another Entity for access requests to an Org.

#+begin_src clojure
(require '[schema.core :as s])
(import '(java.util UUID))

;; IdPMapping: the project's existing user-identity schema, defined elsewhere
(s/defschema OrgAccessRequest
  {:id UUID
   :user-identity IdPMapping
   :user-email s/Str
   :org-id s/Str
   :status (s/enum :pending :accepted :rejected)})
#+end_src

When a user requests access to an organization, we should create this object in
the DB.

There should be a CRUD API restricted to the ~admin/user-mgmt/org-requests~ scope:

- ~GET /iroh/user-mgmt/org-requests~ list pending org access requests
- ~POST /iroh/user-mgmt/org-requests/search~ search org access requests
- ~GET /iroh/user-mgmt/org-requests/<id>~ read a single org access request
- ~POST /iroh/user-mgmt/org-requests/<id>/accept~ grant the access
- ~POST /iroh/user-mgmt/org-requests/<id>/reject~ reject the access

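As an added example (not IROH's own code), the lifecycle behind the accept and reject endpoints above, with the two checks a practitioner would want: the caller must hold the ~admin/user-mgmt/org-requests~ scope, and only a =:pending= request may change state, enforced atomically so two admins deciding the same request at once cannot both succeed. The atoms standing in for the DB, the =IdPMapping= stand-in, the scope-set representation and the =memberships= map are assumptions made for this example; =swap-vals!= needs Clojure 1.9 or later.

```clojure
(require '[schema.core :as s])
(import '(java.util UUID))

;; Stand-in for the project's IdPMapping schema (assumption for this example).
(s/defschema IdPMapping {:idp s/Str :user-id s/Str})

(s/defschema OrgAccessRequest
  {:id UUID
   :user-identity IdPMapping
   :user-email s/Str
   :org-id s/Str
   :status (s/enum :pending :accepted :rejected)})

;; In-memory stand-in for the DB: request id -> OrgAccessRequest.
(def requests (atom {}))
;; Memberships granted so far: org-id -> set of user emails (assumed model).
(def memberships (atom {}))

(def required-scope "admin/user-mgmt/org-requests")

(defn request-access!
  "Create a :pending request when a user asks to join an org.
   s/validate rejects malformed input before anything is stored."
  [user-identity user-email org-id]
  (let [req (s/validate OrgAccessRequest
                        {:id (UUID/randomUUID)
                         :user-identity user-identity
                         :user-email user-email
                         :org-id org-id
                         :status :pending})]
    (swap! requests assoc (:id req) req)
    req))

(defn pending-requests
  "Backing query for GET /iroh/user-mgmt/org-requests."
  []
  (filter #(= :pending (:status %)) (vals @requests)))

(defn- authorize!
  "Fail closed unless the caller's scopes include the org-requests scope."
  [caller-scopes]
  (when-not (contains? (set caller-scopes) required-scope)
    (throw (ex-info "forbidden" {:required required-scope}))))

(defn- transition!
  "Move request id from :pending to new-status in one compare-and-set.
   The swap function only touches a :pending request, so a second
   accept/reject of the same id finds it already decided and is refused."
  [id new-status]
  (let [[before after] (swap-vals! requests
                                   (fn [db]
                                     (if (= :pending (get-in db [id :status]))
                                       (assoc-in db [id :status] new-status)
                                       db)))
        old (get before id)]
    (cond
      (nil? old) (throw (ex-info "not found" {:id id}))
      (not= :pending (:status old))
      (throw (ex-info "request already decided" {:id id :status (:status old)}))
      :else (get after id))))

(defn accept!
  "POST /iroh/user-mgmt/org-requests/<id>/accept: grant the access.
   Membership is only written after the state change succeeded."
  [caller-scopes id]
  (authorize! caller-scopes)
  (let [req (transition! id :accepted)]
    (swap! memberships update (:org-id req) (fnil conj #{}) (:user-email req))
    req))

(defn reject!
  "POST /iroh/user-mgmt/org-requests/<id>/reject"
  [caller-scopes id]
  (authorize! caller-scopes)
  (transition! id :rejected))

(comment
  (let [{:keys [id]} (request-access! {:idp "okta" :user-id "42"}
                                      "frank@example.com" "org-a")]
    (accept! #{"admin/user-mgmt/org-requests"} id)
    ;; a second decision on the same id now throws "request already decided"
    (reject! #{"admin/user-mgmt/org-requests"} id)))
```

The scope check runs before the state change and the membership write runs after it, so a caller without the scope never reaches the data, and a lost race never grants the org twice.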
** UI Revamp

In order to be used securely, the Login page is hosted inside the IROH API.
This was not the case before and was the source of many bugs and security risks.

We should most probably