deft/tracker.org
Yann Esposito (Yogsototh) 5da2bc19be
tracker.org
2021-12-21 14:33:43 +01:00


2021

2021-W33

| Tags          | Headline                             | Time |
|---------------+--------------------------------------+------|
|               | Total time                           | 6:19 |
|               | 2021-W33                             | 6:19 |
|               | 2021-08-16 Monday                    | 1:52 |
| work          | Fix Carlos Hidalgo account           | 0:20 |
| work          | create an issue about email…         | 1:32 |
|               | 2021-08-17 Tuesday                   | 2:48 |
| work          | Add scope to TG clients              | 0:38 |
| work          | Write an issue about 1-click…        | 2:03 |
| work, chat    | Jyoti about CDO 1-click module setup | 0:07 |
|               | 2021-08-19 Thursday                  | 1:39 |
| work, meeting | Interview Olivier Barbeau            | 1:39 |

Clock summary at [2021-10-28 Thu 18:16]

2021-08-16 Monday

DONE Fix Carlos Hidalgo account   work

CLOCK: [2021-08-16 Mon 15:11][2021-08-16 Mon 15:31] => 0:20

[2021-08-16 Mon 15:11]

ref
create an issue about email search case sensitivity
DONE create an issue about email search case sensitivity   work

SCHEDULED: <2021-08-16 Mon>

CLOCK: [2021-08-17 Tue 14:16][2021-08-17 Tue 15:44] => 1:28
CLOCK: [2021-08-16 Mon 15:03][2021-08-16 Mon 15:07] => 0:04

[2021-08-16 Mon 15:03]

ref
https://github.com/threatgrid/response/issues/818
Fix email case sensitivity

> Related https://github.com/threatgrid/response/issues/818

We often need to search by email. The main issue is that our search mechanism currently does not support case-insensitive matches.

We have 4 possible solutions:

  1. Lower-case the user email at creation. We also need to update the user emails in our DB; the safest route to achieve this is via the iroh-migration service.
  2. Keep the email case sensitive and add a new case-insensitive field, for example lc-user-email. As in option 1, we need to perform a DB migration to add this new field to all existing users in the DB.
  3. Add support for case-insensitive search in tk-store, perhaps with a new tk-store service, or by improving the current CRUDStoreService.
  4. Add a specific service just for searching user emails, which could take care of this specific case with a Postgres-specific query. This could also be the occasion to provide a tk-store hole in the abstraction service.

The simplest is probably option 1. Option 2 would be slightly more complex, but we would not lose any detail. Option 3 seems the most generic one, and we can well imagine appreciating case-insensitive search support elsewhere. Option 4 looks like a specific case of 3.

My preference then goes to option 3, but we need to understand whether it is not too difficult to achieve, and what the API would be. The most natural one would probably add an option alongside filter-map, such as case-insensitive-fields. One issue would be writing the support for case-insensitive matching for atom and redis.

TODO Interview Steven Collins

CLOCK: [2021-08-16 Mon 15:49][2021-08-16 Mon 19:04] => 3:15

2021-08-17 Tuesday

DONE Add scope to TG clients   work

DEADLINE: <2021-08-18 Wed>

CLOCK: [2021-08-17 Tue 17:54][2021-08-17 Tue 18:32] => 0:38

[2021-08-17 Tue 17:54]

In tenzin config:

- INT: 34d94c8c-2041-4708-8172-ebe2df295ca7-2
- TEST: f993f6a0-8075-43e0-a9e5-dae9c3980513
- NAM: 7b8d9fef-bd93-4ef3-88af-ae4174ee02e5
- EU: a1662193-9155-44fd-aa1f-43afd42c889c
DONE Write an issue about 1-click module setup   work

SCHEDULED: <2021-08-17 Tue>

CLOCK: [2021-08-17 Tue 15:51][2021-08-17 Tue 17:54] => 2:03

[2021-08-17 Tue 15:51]

ref
Activation Optimization
CHAT Jyoti about CDO 1-click module setup   work chat

CLOCK: [2021-08-17 Tue 15:44][2021-08-17 Tue 15:51] => 0:07

[2021-08-17 Tue 15:44]

ref
Epics

2021-08-19 Thursday

| Timestamp              | Tags          | Headline                  | Time |
|------------------------+---------------+---------------------------+------|
|                        |               | Total time                | 1:39 |
|                        |               | 2021-08-19 Thursday       | 1:39 |
| [2021-08-19 Thu 16:04] | work, meeting | Interview Olivier Barbeau | 1:39 |

Clock summary at [2021-08-19 Thu 17:43]
MEETING Interview Olivier Barbeau   work meeting

CLOCK: [2021-08-19 Thu 16:04][2021-08-19 Thu 17:43] => 1:39

[2021-08-19 Thu 16:04]

ref
Self Presentation

2021-W35

| Tags          | Headline            | Time |
|---------------+---------------------+------|
|               | Total time          | 2:54 |
|               | 2021-W35            | 2:54 |
|               | 2021-09-02 Thursday | 2:54 |
| work, meeting | Weekly meeting      | 2:54 |

Clock summary at [2021-10-28 Thu 18:15]

2021-09-02 Thursday

MEETING Weekly meeting   work meeting

CLOCK: [2021-09-02 Thu 17:06][2021-09-02 Thu 20:00] => 2:54

[2021-09-02 Thu 17:06]

Guillaume started with the Design Planning GitHub project.

  • SecureX session
  • High Impact Incident

Sorry

2021-W36

2021-09-08 Wednesday

MEETING 1-click module setup weekly meeting   work meeting

CLOCK: [2021-09-08 Wed 17:30][2021-09-08 Wed 18:22] => 0:52

[2021-09-08 Wed 17:30]

ref
https://miro.com/app/board/o9J_l57_gro=/

Miro dashboard from Chloe:

https://miro.com/app/board/o9J_l57_gro=/

Discussion:

When to TEST, tomorrow. Asking for client_id in TEST.

Client-id: client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06

2021-09-09 Thursday

MEETING Interview: Florin Braghis   work meeting

CLOCK: [2021-09-09 Thu 15:49][2021-09-09 Thu 18:45] => 2:56

[2021-09-09 Thu 15:49]

2021-W37

| Tags          | Headline            | Time  |
|---------------+---------------------+-------|
|               | Total time          | 22:11 |
|               | 2021-W37            | 22:11 |
|               | 2021-09-14 Tuesday  | 1:04  |
| work          | Device Grant        | 1:04  |
|               | 2021-09-16 Thursday | 21:07 |
| work, meeting | Team weekly         | 21:07 |

Clock summary at [2021-10-28 Thu 18:15]

2021-09-14 Tuesday

IN-PROGRESS Device Grant   work

CLOCK: [2021-09-14 Tue 19:31][2021-09-14 Tue 20:35] => 1:04

[2021-09-14 Tue 19:31]

ref

2021-09-16 Thursday

MEETING Team weekly   work meeting

CLOCK: [2021-09-16 Thu 17:25][2021-09-17 Fri 14:32] => 21:07

[2021-09-16 Thu 17:25]

Ambrose, Irina, Guillaume, Matt, Yann

TO MENTION: Device Grant with FMC => Public clients

Incident discussion

2021-09-17 Friday

MEETING Presenting the projects   work meeting

[2021-09-17 Fri 14:32]

ref
https://github.com/advthreat/iroh/projects


Pres
General
Project Organization

Every project has an owner (the main point of contact for the FT). For now only leads, but it could be anyone in the future.

[Design] Shared IROH Auth Session

The goal of this project, which is not an official FT, is to reflect on and write proposals to reach the feeling of a shared session across all Cisco Security products via SecureX.

  • solution using cookies
  • solution using Open ID Connect


[Design] High Impact Incident

Guillaume Ereteo did awesome work providing multiple proposals to be able to deliver the feature as fast as possible.

  1. filter on source (only AMP)
  2. Add severity on incident model
  3. Incident with high impact via an IROH route: https://github.com/advthreat/iroh/issues/5710

    • needs the proxy from Ambrose
    • need sync with engine team too
SecureX Suite Session Improvement

Delivered yesterday in v1.81: limit the number of interstitial pages between SecureX and CTR/SSE.

  • For Orbital, the Launch button is missing; the back-end work is done as we do not need any SXSO app link.
[HOLD] Cisco Secure Client Integration

Still no work to be done by the IROH Services team

Hiring

Since the last meeting, two new hires will join us in the next few weeks: Kiril and Olivier.

Kiril lives in Germany and Olivier in France.

1-Click Module Setup

Integration in progress by CDO and SWC.

Irina worked to provide the vault metadata API for SWC.

AMP is in the QA test phase.

ModuleType updates

Just saw the rename of "Threat Grid" into "Secure Malware Analytics"

[HOLD] CTIA Hydrant support
CTIA Incident Manager Improvement
Bug Squashing
  • Fix a bug where a user could log in to an org that rejects non-admin user login
  • Fix a refresh token bug that would grant too many scopes to an access token
  • Login page URL parsing potential discrepancy fixed
[HOLD] ES 7 Migration
Device Insights Integration
  • Wanderson: Webhooks work, trigger a notification for every module-instance configuration change.
AppLinks API
SSE API Extension & OAuth2 Device Grant
  • FMC ⇒ public clients for Device Grants
Incident Assignment Notifications

Ambrose worked to make IROH a proxy to private intel for incident assignment notifications. Should be delivered in v1.82.

2021-W39

| Tags          | Headline             | Time |
|---------------+----------------------+------|
|               | Total time           | 6:30 |
|               | 2021-W39             | 6:30 |
|               | 2021-09-29 Wednesday | 3:18 |
| work, meeting | Interview            | 3:18 |
|               | 2021-10-01 Friday    | 3:12 |
| work, meeting | App Links            | 1:41 |
| work, meeting | Secure Client        | 1:31 |

Clock summary at [2021-10-28 Thu 18:15]

2021-09-29 Wednesday

MEETING Interview   work meeting

2021-10-01 Friday

MEETING App Links   work meeting

CLOCK: [2021-10-01 Fri 17:26][2021-10-01 Fri 19:07] => 1:41

[2021-10-01 Fri 17:26]

ref
Secure Client
MEETING Secure Client   work meeting

CLOCK: [2021-10-01 Fri 15:55][2021-10-01 Fri 17:26] => 1:31

[2021-10-01 Fri 15:55]

Meeting link: https://cisco.webex.com/cisco/j.php?MTID=m5814a8530a0870a19a57230bfd6d4b0e

2021-W40

| Tags          | Headline                        | Time  |
|---------------+---------------------------------+-------|
|               | Total time                      | 38:18 |
|               | 2021-W40                        | 38:18 |
|               | 2021-10-05 Tuesday              | 0:46  |
| work          | Training Interviewing           | 0:46  |
|               | 2021-10-07 Thursday             | 32:04 |
| work, meeting | DI blockers                     | 23:32 |
| work          | support                         | 1:16  |
| work, chat    | check continu                   | 6:38  |
| work, chat    | support DI JWT signature        | 0:19  |
| work, support | client update via admin for CMD | 0:18  |
| work, chat    | Check webex matinal.            | 0:01  |
|               | 2021-10-08 Friday               | 5:28  |
| work, meeting | IDB decommissioning             | 2:28  |
| work, meeting | Customer Manager                | 3:00  |

Clock summary at [2021-10-28 Thu 18:15]

2021-10-05 Tuesday

MEETING DI weekly   work meeting

[2021-10-05 Tue 15:30]

From Yuri

Hi, things I'd like to discuss on our sync meeting today:

  1. The integration modules screen:
     a. When will all the modules be updated with the relevant text?
     b. When will all the modules be deployed to production?
     c. Same goes for the DI module? Need help in updating its text and taking it to production as well.
     d. The filter by capability for device insights currently shows an empty result in production.
  2. Integration code:
     a. Is there still some integration code that is pending?
     b. What is the status of https://github.com/advthreat/iroh/issues/5680?
     c. Any other open issues?
  3. Any blockers that you see for deploying to production?
     a. Assets API QA?

1.a. doc team 1.b

2.a

IN-PROGRESS Training Interviewing   work

CLOCK: [2021-10-05 Tue 14:44][2021-10-05 Tue 15:30] => 0:46

[2021-10-05 Tue 14:44]

Past performance predicts the future.

Behavioral questions

  • tell me about a time when…
  • Where and how have you used ,,, to achieve ,,,
  • Walk me through the system/process/etc…

Behavioral questions are better.

More specific to their experience, not generic.

  • concise
  • clear
  • relevant
  • practiced
  • tailored to the job
Real Purpose of interviewing

Predict whether or not they'd be successful in our company

Evidence?

  • Yes, specific examples
  • Yes, demonstration

What the candidate will think about the question.

Clear on hiring criteria

skills & knowledge, attributes, achievements, motivations

targeted probing behavioral interviewing.

Go deep, be specific, ask for examples. Ask how to detect liars and a lack of honesty.

  • what ,,, what did you do, what was your role, etc… Question need specific responses.

Do brainteasers work? No. Use problem-solving questions: how would you do/solve/etc…?

Examples:

  • role play question. ×
  • problem they solved. ✓

What work-related experience(s) changed your opinion(s) on something?

One question to rule them all?

Combination question. Find combo questions.

Probing

2021-10-07 Thursday

MEETING DI blockers   work meeting

CLOCK: [2021-10-07 Thu 18:01][2021-10-08 Fri 17:33] => 23:32

[2021-10-07 Thu 18:01]

@Yuri:

I've opened the issues there, still need to set priorities. Here is the list of the issues I'm currently aware of that are important for the release:

  1. https://github.com/advthreat/iroh/issues/5680 - didn't open a new ticket for this one, since it already has tracking.
  2. Umbrella module -
     a. Allow configuring only DI relevant fields - https://github.com/threatgrid/response/issues/933
     b. Placement of fields - https://github.com/threatgrid/response/issues/934
     c. Add explanations of DI relevant fields - https://github.com/threatgrid/response/issues/935
     d. Umbrella doesn't send the external reference info - https://github.com/threatgrid/response/issues/936
  3. Filtering for the device insights SecureX modules in the Integration Modules screen results in an empty set - https://github.com/threatgrid/response/issues/937

If you know of something else, please add here

@Matt: 2.a is also tracked here https://github.com/advthreat/iroh/issues/5821

  1. Doc discussion 30min
  2. show time (Yuri share chat)
IN-PROGRESS support   work

CLOCK: [2021-10-07 Thu 16:45][2021-10-07 Thu 18:01] => 1:16

[2021-10-07 Thu 16:45]

ref
https://github.com/threatgrid/tenzin/issues/1530

new-org

{
    "id": "00000000-0000-0000-6473-000028fbaa95",
    "name": "GATE/Tier3",
    "enabled?": true,
    "created-at": "2021-10-07T17:00:00.000Z",
    "scim-status": "activated",
    "additional-scopes": [
        "iroh-master:read",
        "iroh-admin:read",
        "iroh-master/tac",
        "iroh-auth:read"]
}

Idp Mapping INT/TEST

{
    "idp": "sxso",
    "user-identity-id": "00uox5862kEG8G0CD0h7",
    "enabled?": true
}

IdP Mapping PROD

{
    "idp": "sxso",
    "user-identity-id": "00u4dmbgyjnx4glS2357",
    "enabled?": true
}

Users to invite:

[{"invitee-email":"ashakarc@cisco.com","role":"admin"},
 {"invitee-email":"bmacer@cisco.com",  "role":"admin"},
 {"invitee-email":"caknowle@cisco.com","role":"admin"},
 {"invitee-email":"cdeleanu@cisco.com","role":"admin"},
 {"invitee-email":"daphgalm@cisco.com","role":"admin"},
 {"invitee-email":"djanulik@cisco.com","role":"admin"},
 {"invitee-email":"bmahsan@cisco.com", "role":"admin"},
 {"invitee-email":"majacob2@cisco.com","role":"admin"},
 {"invitee-email":"sorianto@cisco.com","role":"admin"},
 {"invitee-email":"stabulic@cisco.com","role":"admin"}]
CHAT check continu   work chat

CLOCK: [2021-10-07 Thu 10:07][2021-10-07 Thu 16:45] => 6:38

[2021-10-07 Thu 10:07]

ref
support DI JWT signature
CHAT support DI JWT signature   work chat

CLOCK: [2021-10-07 Thu 09:45][2021-10-07 Thu 10:04] => 0:19

[2021-10-07 Thu 09:45]

ref
https://github.com/advthreat/iroh/issues/5680
IN-PROGRESS client update via admin for CMD   work support

CLOCK: [2021-10-07 Thu 09:27][2021-10-07 Thu 09:45] => 0:18

[2021-10-07 Thu 09:27]

ref
https://github.com/advthreat/iroh/issues/5827

Cisco Secure Email Cloud Mailbox

  • module NAM client-0be615ab-b0ff-4c12-8a85-f16c95e7d396
  • ribbon NAM client-e36ba40b-5710-402d-b036-ada6d7817c55
  • module EU client-6fc3230c-936a-40c1-ad73-f9f28700804e
  • ribbon EU client-164688ee-cd5d-44b6-be3d-5e255955e969
CHAT Check webex matinal.   work chat

CLOCK: [2021-10-07 Thu 09:26][2021-10-07 Thu 09:27] => 0:01

[2021-10-07 Thu 09:26]

ref
09:20
PAUSE Journal   pause

CLOCK: [2021-10-07 Thu 09:20][2021-10-07 Thu 09:26] => 0:06

[2021-10-07 Thu 09:20]

2021-10-08 Friday

MEETING IDB decommissioning   work meeting

CLOCK: [2021-10-08 Fri 20:33][2021-10-08 Fri 23:01] => 2:28

[2021-10-08 Fri 20:33]

ref
file:~/dev/iroh/services/iroh-auth/test/iroh_auth/oauth2_web_service_test.clj
SSE side decommission

Chander Goyal

Context: SX released as a platform; SSE had a PingFed ID Broker, also for CSA.

We want to use IROH-Auth. We want to use IROH-Auth directly.

CSA Migration was launched. SSE-side done.

CSA should be completed very soon. Let's not change PingFed.

Nov 1919 -> nobody left in PingFed at SSE.

Very limited knowledge. The license was a Cisco Wideside license; it ends in 2022.

We want to duplicate PingFed.

MEETING Customer Manager   work meeting

CLOCK: [2021-10-08 Fri 17:33][2021-10-08 Fri 20:33] => 3:00

[2021-10-08 Fri 17:33]

ref
,,,

2021-W41

| Tags | Headline                           | Time |
|------+------------------------------------+------|
|      | Total time                         | 1:35 |
|      | 2021-W41                           | 1:35 |
|      | 2021-10-14 Thursday                | 1:35 |
| work | Write Customer Manager doc         | 1:10 |
| work | write attack on Webhooks with JWT… | 0:25 |

Clock summary at [2021-10-28 Thu 18:15]

2021-10-14 Thursday

IN-PROGRESS Write Customer Manager doc   work

CLOCK: [2021-10-14 Thu 15:23][2021-10-14 Thu 16:33] => 1:10

[2021-10-14 Thu 15:23]

ref
write attack on Webhooks with JWT from emitters
IN-PROGRESS write attack on Webhooks with JWT from emitters   work

CLOCK: [2021-10-14 Thu 14:58][2021-10-14 Thu 15:23] => 0:25

[2021-10-14 Thu 14:58]

Attack using access_token/id_token from emitters rather than from the webhook owner.

Webhooks are a generic mechanism, but here we only focus on webhooks used by internal Cisco team integrations.

So the webhook mechanism is used to notify a trusted API that a change occurred in SecureX (typically a module instance change).

The call must be authenticated by the API. The call should also optionally contain access/refresh tokens for the destination, so the integration team could access IROH as the user who emitted the event.

The issue is that nothing explicitly prevents any user from getting an access/id token generated from the same client we use to forge the authentication headers. This means a SecureX user from any org could obtain its own access token/id token (which is entirely possible, and easy for DI as their client is public) and then call the API endpoint to fake real webhook events, potentially producing cross-tenant/cross-user false events.

To mitigate this issue, we suggest:

  1. Always use the owner of the webhook & the client of the team to build id_tokens (if possible not access_tokens). The forged JWT should have a specific audience (this is already the case for DI at least). The API team MUST check that the sub claim matches the owner-id field of the webhook, as well as verifying the JWT signature.
  2. Provide the emitter tokens in the body of the HTTP call made when the webhook is triggered.

  • With 1, we prevent this cross-tenant/cross-user attack.
  • With 2, we not only provide even more data than before, but the team can directly use the token without going through the "custom route" to retrieve the refresh token (as it is already provided in the webhook HTTP body).
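As an added illustration of the check in mitigation 1 (example code, not from the tracker, IROH or DI): the receiving API verifies the webhook JWT's signature and audience and requires `sub` to equal the webhook's owner-id, so an id_token any other user minted for itself from the same client is refused. The HMAC key, audience and webhook record are constructed, and HS256 stands in for the real id_tokens' signing algorithm, which the notes do not state.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not from the tracker): a shared HMAC key standing in for the
# team client's signing key, the expected audience, and one webhook record with its owner.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
EXPECTED_AUD = "di-webhooks"
WEBHOOK = {"id": "wh-1", "owner-id": "user-owner-42", "org-id": "org-7"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder, only used here to build the sample tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def verify_webhook_token(token: str, webhook: dict, key: bytes, now=None) -> dict:
    """The checks mitigation 1 asks of the receiving API: signature, audience, and that
    the token subject is the webhook owner. Returns the claims or raises ValueError."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm rather than trusting the header (rejects alg=none and friends).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    # The check that closes the cross-tenant hole: the subject must be the webhook owner,
    # so a token any other user can mint for itself from the same client is refused.
    if claims.get("sub") != webhook["owner-id"]:
        raise ValueError("sub does not match webhook owner-id")
    return claims


def outcome(token: str, webhook: dict = WEBHOOK, key: bytes = SIGNING_KEY) -> str:
    """Returns 'accepted' or the rejection reason; evaluated at a fixed clock for the demo."""
    try:
        verify_webhook_token(token, webhook, key, now=1_700_000_000)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    base = {"aud": EXPECTED_AUD, "iss": "iroh-auth", "exp": 1_700_003_600}
    owner = sign_jwt({**base, "sub": WEBHOOK["owner-id"]}, SIGNING_KEY)
    # A user from another org obtained its own id_token from the same (public) client.
    other_user = sign_jwt({**base, "sub": "user-from-other-org", "org": "org-9"}, SIGNING_KEY)
    wrong_aud = sign_jwt({**base, "aud": "some-other-api", "sub": WEBHOOK["owner-id"]}, SIGNING_KEY)
    # The owner's claims re-signed with a key the team client does not hold.
    forged = sign_jwt({**base, "sub": WEBHOOK["owner-id"]}, b"attacker-key")
    expired = sign_jwt({**base, "exp": 1_600_000_000, "sub": WEBHOOK["owner-id"]}, SIGNING_KEY)
    return {
        "owner": outcome(owner),
        "other_user": outcome(other_user),
        "wrong_aud": outcome(wrong_aud),
        "forged": outcome(forged),
        "expired": outcome(expired),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```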

2021-W42

| Tags              | Headline                            | Time |
|-------------------+-------------------------------------+------|
|                   | Total time                          | 9:45 |
|                   | 2021-W42                            | 9:45 |
|                   | 2021-10-19 Tuesday                  | 6:59 |
| work              | whitelist synopsis.com in TEST      | 6:59 |
|                   | 2021-10-21 Thursday                 | 1:13 |
| work, meeting     | Weekly IROH Service Team            | 0:09 |
| work, meeting     | FMC - Device Grant OAuth2 Flow Sync | 0:24 |
| work, meeting, me | Secure Client                       | 0:40 |
|                   | 2021-10-22 Friday                   | 1:33 |
| work, meeting     | Engineering Team                    | 1:33 |

Clock summary at [2021-10-28 Thu 18:15]

2021-10-18 Monday

TODO Write Weekly todos   work

[2021-10-18 Mon 10:56]

ref
DONE Check Wanderson PRs/Webhooks

SCHEDULED: <2021-10-18 Mon>

DONE Customer Manager Doc

SCHEDULED: <2021-10-19 Tue>

DONE IROH-Auth tour
DONE Organize invitations for IROH-Auth tour + bugfix, etc…

DEADLINE: <2021-10-18 Mon>

DONE Discuss Exceptions organization

SCHEDULED: <2021-10-18 Mon>

2021-10-19 Tuesday

DONE whitelist synopsis.com in TEST   work

DEADLINE: <2021-10-19 Tue>

CLOCK: [2021-10-19 Tue 09:04][2021-10-19 Tue 16:03] => 6:59

[2021-10-19 Tue 09:04]

ref
Olivier

2021-10-21 Thursday

MEETING Weekly IROH Service Team   work meeting

CLOCK: [2021-10-21 Thu 17:16][2021-10-21 Thu 17:25] => 0:09

[2021-10-21 Thu 17:16]

Remark to tell
  • Internal JWT generation, with/without client.
  • Next week IROH-Auth tour probably record this.
MEETING FMC - Device Grant OAuth2 Flow Sync   work meeting

CLOCK: [2021-10-21 Thu 16:27][2021-10-21 Thu 16:51] => 0:24

[2021-10-21 Thu 16:27]

ref
Secure Client

Updated target date. No blocking issue or concerns.

We just finished delivering the feature.

Good to go for the 7.2 release (in April). Maybe maintenance release 7.0.2 in Feb.

MEETING Secure Client   work meeting me

CLOCK: [2021-10-21 Thu 15:32][2021-10-21 Thu 16:12] => 0:40

[2021-10-21 Thu 15:32]

Jyoti discussed, with a document, how the 1-click module setup should work and the constraints to obey.

2021-10-22 Friday

MEETING Engineering Team   work meeting

CLOCK: [2021-10-22 Fri 17:03][2021-10-22 Fri 18:36] => 1:33

[2021-10-22 Fri 17:03]

  • Working closely to finalize the 1-click module setup. We faced an issue in using the same client for both the ribbon and the 1-click module setup. This is not really a blocker and a fix is on the way.

2021-W43

| Headline                             | Time  |
|--------------------------------------+-------|
| Total time                           | 19:46 |
| 2021-W43                             | 19:46 |
| 2021-10-25 Monday                    | 3:29  |
| IROH-Auth Overview                   | 3:29  |
| 2021-10-26 Tuesday                   | 4:35  |
| All Hands                            | 0:48  |
| AO                                   | 0:29  |
| IROH-Auth tour                       | 3:18  |
| 2021-10-27 Wednesday                 | 0:19  |
| security                             | 0:18  |
| preparation IROH Auth Tour           | 0:01  |
| 2021-10-28 Thursday                  | 2:33  |
| Weekly Team                          | 0:51  |
| SecureX + Secure Client + DI…        | 0:29  |
| Weekly Sync: SecureX / Secure…       | 0:35  |
| SSE CCO_id                           | 0:38  |
| 2021-10-29 Friday                    | 8:50  |
| AO discussion + generic discussions  | 1:00  |
| Jyoti email about PROD module on INT | 0:14  |
| aide Matt URL encoding               | 0:50  |
| code gen docs                        | 2:48  |
| Customer Manager doc                 | 2:34  |
| morning tour                         | 1:06  |
| configurable default sort            | 0:18  |

Clock summary at [2021-11-03 Wed 10:24]

2021-10-25 Monday

MEETING IROH-Auth Overview   work meeting

CLOCK: [2021-10-25 Mon 13:57][2021-10-25 Mon 17:26] => 3:29

[2021-10-25 Mon 13:57]

ref
services/iroh-auth
lib/iroh-web/{core.clj,compojure-api.clj}

2021-10-26 Tuesday

MEETING All Hands   work meeting

CLOCK: [2021-10-26 Tue 18:12][2021-10-26 Wed 19:00] => 0:48

MEETING AO   work meeting

CLOCK: [2021-10-26 Tue 17:43][2021-10-26 Wed 18:12] => 0:29

[2021-10-26 Tue 17:43]

ref
MEETING IROH-Auth tour   work meeting

CLOCK: [2021-10-26 Tue 14:25][2021-10-26 Tue 17:43] => 3:18

[2021-10-26 Tue 14:25]

ref
file:~/dev/iroh/dev-resources/config.edn
org-level entities (clients)
  1. makes user-id/owner-id optional ×
  2. hack the User service, to create a fake org-level user.
(get-user org-id)

=> {:user-id org-id
    :org-id org-id
    :role "admin"
    :scopes ,,,,}

search for entities, you should search for the owned entities + (if you are an admin for the admin-level entities.)

during the create-client to add the ability to create client with that specific owner.

Fun: filter-map => list of filter-map

;; inside an Org
{:additional-scopes #{"cisco/user:read"}}
;;
{:additional-scopes
 {:user #{}
  :admin #{"cisco/user:read"}}}
Hidden migration

(get-org ,,,,)

IROH-Crud

TK-Store => provide a minimalist abstraction to Databases. IROH-CRUD => provide CRUD-only related abstractions search that

(search ,,,,)

(iroh-crud/search-with-admin
 {:,,,, :user-id xxx :org-id xxx})
=> (tk-store/search {:filter-map [{:user-id xxxx ,,,}
                                  {:user-id xxxx :org-id org-id}]})
update entities

To decide later:

  1. any admin should be allowed to update the org-level entities.
  2. some specific admin only should be allowed to update the org-level entites (use another scope maybe?)

Probably option 1.
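The org-level entity design sketched above, as an added Python illustration (not IROH or tk-store code): a synthetic admin user whose user-id is the org-id owns the org-level entities, search-with-admin expands the caller into a list of filter-maps joined with OR, and updates follow option 1 from "To decide later". The entity records, user records and the owner-id field name are constructed for the example.

```python
from typing import Dict, List

# Constructed sample data (not IROH data). Each entity records its owner; org-level
# entities are owned by the fake org-level user, whose user-id equals the org-id.
ENTITIES = [
    {"id": "c1", "owner-id": "alice", "org-id": "org-A", "name": "alice's client"},
    {"id": "c2", "owner-id": "bob",   "org-id": "org-A", "name": "bob's client"},
    {"id": "c3", "owner-id": "org-A", "org-id": "org-A", "name": "org-A shared client"},
    {"id": "c4", "owner-id": "org-B", "org-id": "org-B", "name": "org-B shared client"},
]


def get_org_user(org_id: str) -> Dict[str, str]:
    """Counterpart of (get-user org-id) in the notes: a synthetic admin whose user-id is the org-id."""
    return {"user-id": org_id, "org-id": org_id, "role": "admin"}


def search_filters(user: Dict[str, str]) -> List[Dict[str, str]]:
    """Expand one caller into the list of filter-maps the notes describe: the caller's own
    entities, plus the org-level ones when the caller is an admin of that org."""
    filters = [{"owner-id": user["user-id"], "org-id": user["org-id"]}]
    if user["role"] == "admin":
        org_user = get_org_user(user["org-id"])
        filters.append({"owner-id": org_user["user-id"], "org-id": org_user["org-id"]})
    return filters


def matches(entity: Dict[str, str], filter_map: Dict[str, str]) -> bool:
    """A filter-map is a conjunction of field equalities."""
    return all(entity.get(key) == value for key, value in filter_map.items())


def search_with_admin(user: Dict[str, str], entities=ENTITIES) -> List[str]:
    """An entity is visible if it satisfies any of the expanded filter-maps (OR between maps).
    Every map pins org-id, so entities of another org never match, admin or not."""
    filters = search_filters(user)
    return [e["id"] for e in entities if any(matches(e, f) for f in filters)]


def can_update(user: Dict[str, str], entity: Dict[str, str]) -> bool:
    """Option 1 from the notes: any admin of the org may update its org-level entities;
    personal entities stay editable only by their owner."""
    same_org = entity["org-id"] == user["org-id"]
    if entity["owner-id"] == user["user-id"]:
        return same_org
    is_org_level = entity["owner-id"] == entity["org-id"]
    return same_org and is_org_level and user["role"] == "admin"


if __name__ == "__main__":
    for role in ("user", "admin"):
        alice = {"user-id": "alice", "org-id": "org-A", "role": role}
        print(f"alice as {role}: sees {search_with_admin(alice)} via {search_filters(alice)}")
```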

2021-10-27 Wednesday

MEETING security   work meeting

CLOCK: [2021-10-27 Wed 17:03][2021-10-27 Wed 17:21] => 0:18

[2021-10-27 Wed 17:03]

xx

auto loop

Proxy route

IN-PROGRESS preparation IROH Auth Tour   work

CLOCK: [2021-10-27 Wed 12:06][2021-10-27 Wed 12:07] => 0:01

[2021-10-27 Wed 12:06]

  • Continue on "org-level entities"
  • Doc on JWT client expectations
  • :load-path "" Dispatch work
  • Dig if necessary

2021-10-28 Thursday

Weekly Team   work meeting

CLOCK: [2021-10-28 Thu 17:01][2021-10-28 Thu 17:52] => 0:51

[2021-10-28 Thu 17:01]

ref
Agenda (to discuss about)
Notes
G2

ES deployed, start the migration. Old tenzin config pull-request I need to update.

Ag moving to the last step to set the default fields, which are required for ES7.

Production Bug in CTIA investigate module

Fixed the pagination. default search was not consistent. PR on CTIA. Made this default search configurable per store.

Ag, PR for the enrichment?

Ambrose, ops related.

@Jyoti discussion

Matt Integration
  • DI Irina working adding new auth in the module
  • Yann fixed a security issue affecting Umbrella
  • 1-click setup started to work on the org activation
  • Mark work on SSE
  • former_title field (rebranding guidelines)
  • working on a bug in Umbrella, source URL are wrong
  • log all proxy requests
Auth

Y

(personal)

  • IROH-Auth tour
  • minor fix
  • clean up SAML
  • security bug fix

IROH-Auth

  1. take a task
  2. write PR doc
  3. review PR doc
  4. optional IROH-Auth tour webex(es)
  5. code

Q2:

  • region switching API
  • account switching inside each region

Q3:

  • org-level entities

Big hidden work: working on an OAuth2 bug. A somewhat big PR, because it will need a new service to store refresh tokens and their metadata, and we should be able to migrate/update clients.

Security bug fix: Chris Duane was happy; it was the first bug declared by Jimmy Miller.

Olivier working on providing the API for the privacy team.

Not 100% fixed, still a problem with paths.

AO migration to OIDC

Jyoti

Questions about the JWT used by DI, which calls Orbital on behalf of someone else.

Actions
  • @Jyoti: should ask Yuri about which JWT are used.
  • @Jyoti: AO for Q3 for the telemetry
SecureX + Secure Client + DI Integration   work meeting

CLOCK: [2021-10-28 Thu 16:32][2021-10-28 Thu 17:01] => 0:29

[2021-10-28 Thu 16:32]

ref
https://cisco.webex.com/cisco/j.php?MTID=m3d2fe4735f7151dc690e000c8749ed0e
Discussion
Abhishek
  • deployment
  • Secure Client onboarding
  • Secure Client always visible
  • cannot read property from DI when adding module
  • work on feature flag

@Paul: 1.84 today, so these fixes are going to be for date? @Abishek: will need more time to develop and test.

Nirmesh Patel
  • Secure Client always visible, real issue
Weekly Sync: SecureX / Secure Endpoint   work meeting

CLOCK: [2021-10-28 Thu 15:30][2021-10-28 Thu 16:05] => 0:35

[2021-10-28 Thu 15:30]

ref
https://cisco.webex.com/cisco/j.php?MTID=m6563218d7c961e691f62c539fc645607

What remains?

  • Martin

1-click module setup

Restrict them to a region. Who was impacted.

Nov 13th, for the 1-click module setup is at risk to be delayed.

  • G2

no 1-click => nothing can happen

Dependency to deploy Secure Endpoint.

  • Martin/Namrata

Jyoti is in active conversation.

  • Martin/G2

Are we going to change the design?

Martin: We don't know yet.

  • Vlad

Problem with region.

An AMP tenant can only talk to 1 SecureX tenant.

  • Martin

Maybe region selection.

  • Release Nov 11th
  • Release v1.85 10-Nov


Initiated SecureX 1-click module setup for Secure Endpoint
SSE CCO_id   work discussion

CLOCK: [2021-10-28 Thu 14:52][2021-10-28 Thu 15:30] => 0:38

[2021-10-28 Thu 14:52]

ref
https://github.com/advthreat/iroh/discussions/5754

After giving more thought to the subject, here are some scenarios:

  1. A person logs in via Okta with the email user-1@domain.com.
  2. This person wants to connect his account, so he must log in via Okta again, but using another Okta account, for example user-1@smart-account.com.

In this scenario there are two issues:

The first is that we do not control the Okta session. The Okta session will remain the one for user-1@smart-account.com. When the user launches another product, he will not use his usual user-1@domain.com Okta session.

The second is that we need a mechanism to understand that on the second login we don't want to log the user in, but to merge two different IdP accounts.

Mainly, we will need to develop a new workflow so that a user can merge multiple IdP accounts into his current SecureX account.

The implications are:

  • SecureX users should support multiple email addresses. (Also note that users logging in via TG have a non-verified email address and are treated separately, on different login flows.)
  • We need to support more metadata in the IdP Mappings in general (typically the CCO_id). Then, what if a user logs in multiple times and ends up with two different IdP Mappings with different CCO_ids?
  • We will need to provide a new route that presents a new HTML page similar to the login page but with subtle modifications. We might, for example, offer other login buttons that behave differently (typically a login button forcing the user to use CCO).

In the end, it means we should deliver a "Merge a new Login" flow for SecureX accounts, and it doesn't seem trivial.

2021-10-29 Friday

| Tags         | Headline                             | Time |
|--------------+--------------------------------------+------|
|              | Total time                           | 8:50 |
|              | 2021-10-29 Friday                    | 8:50 |
| work, chat   | AO discussion + generic discussions  | 1:00 |
| work, email  | Jyoti email about PROD module on INT | 0:14 |
| work, chat   | aide Matt URL encoding               | 0:50 |
| work         | code gen docs                        | 2:48 |
| work         | Customer Manager doc                 | 2:34 |
| work         | morning tour                         | 1:06 |
| work, review | configurable default sort            | 0:18 |

Clock summary at [2021-10-29 Fri 18:39]
CHAT AO discussion + generic discussions   work chat

CLOCK: [2021-10-29 Fri 17:39][2021-10-29 Fri 18:39] => 1:00

[2021-10-29 Fri 18:39]

PAUSE   pause

CLOCK: [2021-10-29 Fri 17:30][2021-10-29 Fri 17:38] => 0:08

[2021-10-29 Fri 17:30]

ref
Jyoti email about PROD module on INT
EMAIL Jyoti email about PROD module on INT   work email

CLOCK: [2021-10-29 Fri 17:04][2021-10-29 Fri 17:18] => 0:14

[2021-10-29 Fri 17:04]

ref

Hi Jyoti,

I checked on INT and in our org, there is an AMP module configured with the PROD URL.

Chris told me we have a security requirement that no production customer data can be in INT or TEST.

Do you know why this is needed, and if we could use a QA1 URL instead? And if not, do you know who we could ask to see if this is still needed? If I remember correctly, I think it was used to help make demos.

Because of this I tend to be extra cautious about the "allowed-login-origins" parameter (see https://github.com/advthreat/tenzin-config/pull/505).

I don't want our INT access token to be sent in the wild. Even without this module linking to PROD, I would prefer not to send the INT JWT to a 3rd party. Because if https://vercel.app is compromised, anyone will be able to access our INT environment, generally with administrator privileges.

Thanks, Yann.

CHAT aide Matt URL encoding   work chat

CLOCK: [2021-10-29 Fri 16:14][2021-10-29 Fri 17:04] => 0:50

[2021-10-29 Fri 16:14]

ref
code gen docs
PAUSE   pause

CLOCK: [2021-10-29 Fri 16:08][2021-10-29 Fri 16:14] => 0:06

[2021-10-29 Fri 16:08]

ref
code gen docs
IN-PROGRESS code gen docs   work

CLOCK: [2021-10-29 Fri 13:20][2021-10-29 Fri 16:08] => 2:48

[2021-10-29 Fri 16:07]

ref
Rebuild the generated doc
CANCELED [#B] Customer Manager doc   work

SCHEDULED: <2021-11-01 Mon 10:00>

  • State "CANCELED" from "IN-PROGRESS" [2021-12-01 Wed 14:11]

CLOCK: [2021-10-29 Fri 11:02][2021-10-29 Fri 13:36] => 2:34

[2021-10-29 Fri 11:02]

ref
morning tour   work

CLOCK: [2021-10-29 Fri 09:56][2021-10-29 Fri 11:02] => 1:06

[2021-10-29 Fri 09:56]

ref
Fortuneo: Amundi World (CW8)
REVIEW configurable default sort   work review

CLOCK: [2021-10-29 Fri 09:33][2021-10-29 Fri 09:51] => 0:18

[2021-10-29 Fri 09:33]

ref
https://github.com/threatgrid/ctia/pull/1163

2021-W44

2021-11-03 Wednesday

| Tags        | Headline                   | Time |
|-------------+----------------------------+------|
|             | Total time                 | 7:13 |
|             | 2021-11-03 Wednesday       | 7:13 |
| work        | Engagement pulse Teamspace | 2:05 |
| work        | cleanup code               | 0:29 |
| work, email | SSE potential bug          | 0:37 |
| work        | GH notif tour              | 0:27 |
| work, chat  | Discussion Guillaume       | 2:03 |
| work, email | OIDC conf in Okta          | 0:01 |
| work, chat  | webex tour                 | 1:31 |

Clock summary at [2021-11-03 Wed 18:16]
IN-PROGRESS Engagement pulse Teamspace   work
IN-PROGRESS cleanup code   work

CLOCK: [2021-11-03 Wed 15:42][2021-11-03 Wed 16:11] => 0:29

[2021-11-03 Wed 15:42]

EMAIL SSE potential bug   work email

CLOCK: [2021-11-03 Wed 15:05][2021-11-03 Wed 15:42] => 0:37

[2021-11-03 Wed 15:05]

Hi Yann,

We noticed that we have two tenants created in the SSE APJ stack for the AMP company ID (51ab0c3e-381b-4169-ab63-b031c685f441). One of them with spID AMP-APJ (created on 2020-12-01 11:58:50 UTC) and the other with spID SXSO (created on 2021-08-24 09:25:07 UTC).

I see from the logs that the user ID token that came to Anubis had “SXSO” instead of AMP-APJ, resulting in this state. Wondering what caused the spID to change in the ID token from AMP-APJ to SXSO on 2021-08-24? Could there be a possible issue here?

TX_LOG 192.168.25.199 [2021-08-24T09:25:07Z] GET /scim/v2/Organizations?filter=spId+eq+SXSO+and+orgInfo.companyId+eq+51ab0c3e-381b-4169-ab63-b031c685f441 200 774 0.0076 aba74caa-ba90-43d3-b1d2-7066750a6754 -
IN-PROGRESS GH notif tour   work

CLOCK: [2021-11-03 Wed 14:38][2021-11-03 Wed 15:05] => 0:27

[2021-11-03 Wed 14:38]

ref
2021-11-03 Wednesday
CHAT Discussion Guillaume   work chat

CLOCK: [2021-11-03 Wed 10:00][2021-11-03 Wed 12:03] => 2:03

[2021-11-03 Wed 10:00]

ref
OIDC conf in Okta
EMAIL OIDC conf in Okta   work email

CLOCK: [2021-11-03 Wed 09:59][2021-11-03 Wed 10:00] => 0:01

[2021-11-03 Wed 09:59]

CHAT webex tour   work chat

CLOCK: [2021-11-03 Wed 08:28][2021-11-03 Wed 09:59] => 1:31

[2021-11-03 Wed 09:58]

2021-11-04 Thursday

MEETING Weekly meeting   work meeting

CLOCK: [2021-11-04 Thu 17:00][2021-11-05 Fri 09:09] => 16:09

[2021-11-04 Thu 17:00]

ref
Agenda (to discuss about)

Make a tour of everyone work.

Notes

Welcome

Me: … (see tracker.org) + git weekly
Olivier: PR for oauth2-client-demo, waiting for review
Matt: logs for proxy

  • auditability of the proxy; kibana dashboard

Mark: SSE passthrough, and AO

Actions
  • review Olivier's PR
IN-PROGRESS Continue code cleanup   work

CLOCK: [2021-11-04 Thu 15:40][2021-11-04 Thu 17:00] => 1:20

[2021-11-04 Thu 15:40]

ref
~/dev/iroh/ (magit-status)
IN-PROGRESS update Secure Endpoint client   work

CLOCK: [2021-11-04 Thu 15:38][2021-11-04 Thu 15:40] => 0:02

[2021-11-04 Thu 15:38]

ref
~/dev/iroh/ (magit-status)

Secure Endpoint (or AMP for Endpoint)

client-555c1f7a-b57b-4a6b-9f0b-015e311a6d06

MEETING Weekly Sync: SecureX / Secure Endpoint   work meeting

CLOCK: [2021-11-04 Thu 15:00][2021-11-04 Thu 15:38] => 0:38

[2021-11-04 Thu 15:08]

ref
https://cisco.webex.com/cisco/j.php?MTID=m0a5157ed81ded94305da1bae743352fc
Agenda (to discuss about)
Notes

10-Nov:

  • AC6: on/off configuration within Secure Endpoint UI

1-click module setup 8/9-Dec.

  • retention of module ID and secureX org id in SE
  • update of legacy module upon integration
Actions
IN-PROGRESS code   work

CLOCK: [2021-11-04 Thu 13:51][2021-11-04 Thu 15:00] => 1:09
CLOCK: [2021-11-04 Thu 09:51][2021-11-04 Thu 12:07] => 2:16

[2021-11-04 Thu 09:51]

ref
2021-11-04 Thursday
CHAT Webex chat tour   work chat

CLOCK: [2021-11-04 Thu 09:20][2021-11-04 Thu 09:51] => 0:31

[2021-11-04 Thu 09:50]

2021-11-05 Friday

MEETING SecureX Registration   work meeting

CLOCK: [2021-11-05 Fri 15:34][2021-11-05 Fri 16:34] => 1:00

[2021-11-05 Fri 15:33]

ref
https://github.com/threatgrid/response/issues/821
Agenda (to discuss about)
  • Discuss feature
  • Find a date
Notes

… bad org creation

  1. User has an SXSO account but no invitation: only show them active invitations. What if there are too many invitations in the DB?
  2. second workflow, check email domain if matches other orgs, present the orgs + asks for invitation
  3. Limit access from "public" email domain
Actions
IN-PROGRESS tour   work

CLOCK: [2021-11-05 Fri 11:09][2021-11-05 Fri 15:34] => 4:25

[2021-11-05 Fri 11:09]

ref
Code
DONE Code   work

CLOCK: [2021-11-05 Fri 09:50][2021-11-05 Fri 11:09] => 1:19

[2021-11-05 Fri 11:08]

EMAIL Help John doing a cron   work email

CLOCK: [2021-11-05 Fri 09:09][2021-11-05 Fri 09:50] => 0:41

[2021-11-05 Fri 09:09]

ref
mail: How can I query an IROH endpoint programmatically?

On 4 Nov 2021, at 22:23, John Jardine (johjardi) <johjardi@cisco.com> wrote:

Hi,

To support iroh-incident scaling based on a queue-depth metric (Tenzin Issue 1553) I am thinking about creating a task that will be run every N minutes to query the endpoint. To do this the task would have to authenticate and I don't know how to do that for an automated tool. Not sure if the route makes a difference, the metrics are available here: /iroh/admin/queue/status-report/incidents

Can you give me any guidance or point me to any docs on how to do this?

Thanks, John J.

John,

The endpoint will not be /iroh/admin/… but /admin/…, which means it is only reachable via the VPN, but I guess you will make the request from the internal network. So you should be able to reach https://iroh-adm.int.iroh.site/admin/ directly.

In order to make a call you need an OAuth2 client with the following scope:

iroh-master/queue/incidents:read

I created one client per environment for you;

  • INT (client-79d54f25-2a71-4bcb-b057-001f53091b2f)
  • TEST (client-c1a00641-45e0-4090-b80e-ce87b35a84b3)
  • PROD NAM (client-22b0f44f-3d7e-4b14-a11b-5cfa35f86b83)
  • PROD EU (client-b56530b0-b16c-40b2-bb77-850e32e06e8b)
  • PROD APJC (client-502fb0a3-605c-4b1b-b91d-07980d5a1f2f)

I used the same password for all of them.

Password

The password is here:

-----BEGIN PGP MESSAGE-----

hQIMA2UoHNQCOfATARAAsDn3KJpJprlK60eUi2C4ol/2B5iCpIud6oYkeAB09yGe
Wt8ditdZdLKt+EV+Jw8QB6O+WDKl2+fN0IZGVzmzSehf6+ittlNUdeX2qJxx6RoE
Btw2VdcZIj9gzFxYf9Y9rf/9Zpp0Yc/NRBK9kKAwnPbMO0lytHUsWKTA8OcfBawZ
mOzcnhOpZeUxneEn1LKbiBSMfGsWQnPnUfme8vSwrnP3vOrgSio5rL3LwLsIz4Bq
z7yFdq8HBiF6z7NfJaxJZBljO/YDmYfjnwq024s24E+Fn9Bsdra85h1smGj+QIVE
hVIvU8fU6s8MpWuvQVNBFQXoF5IqxfaH4Z0p8as0X3qSmd4f8x3P/XdmklGAzUQ9
Za5SDn1mkJJvVK6jCRC8uf+M8nufZU/ORcFqu6eVc9WWgDJYIc93vyNMWKBnCoYl
6GMC/IpKtveWUBaa28V76sSjjunv9gNHmYNGjwoLqd7lCLKppoQtPNwVFmHKJ16o
iW0rVYoIypleOuevkEn3barYy1N6wxhZrFcHOqUMWH+kZnPjDHcTOQxCEyYDVULw
uQclzZinR1vF4PeLIdFn74n2npXjFkCkaZa0ev10QROo1Tk4O+uv+5vAFVjsm5Fh
RT3eXVGu87qnDu67fWTQjV2F7tLvYAAYdb47N9OyQjQoglPYdvqfoRFufL7oNluF
AgwDfS7loNnfM+IBEACVwXlc001cWQw9f8AV37sySKWyhB9N4SG175lu7+T9DtwH
/WDEgYERv9Fhcg7EwVclSFwUreg/PmY8cazIc1Sy6Z+Nv2TH4rp17jcy7zlZCZMT
/twmW2MvgXS42qnb7jcvb3jQ9YTJs6fHV+PCMEsfjYKq+aSGr/ton/zFGqPIcLtF
G3vZ62cyoxYebSNwXMkB9W+2t30Cg0xpTwas+3V7dkscB+sIU+KIoTsD2AqMfgyW
Cia/U8H22qZiz8ugeod/gdsZytj4e5k72Yo2fm6owpHi4i+V/p333QbbP1G1/bzo
nfUh7wT4jiApUbrJIDWebsJqi9bv3z8zLiy72BRATgRM2vd3b1Q0y83/PcC+XkT2
l3/GRRScqM9ewVziol/BzSH1jBj6oA/3VJil8YEZsNhGhX15Bs9ZLwAy2HLSzJ8G
8nVxNk6P0RRhD9m+Ue4Zb5PsH7CG21WOZTGWn/I9UXCHl7LnO4yT+qfESNDDzodF
F7Zo7E5yheTLRsXxp1f4c5cGoZvgDU293s/U3DhZt5Y6z5vN3L/IDkBap2X6OWkp
/HfIy3L0rvKwoYn3w8x+uCO0DpzUuZnjLpdarPhTWkiVj8uQkU80t3snHpvlwjEv
Hzcuzz2XkDWwzlaJEUuUJ1+my6a41fDHdNHYqSryrVLkpMLxwz1PqNi3NomhG9Lp
ARM67Ggjb520Cf5pmyj5cBZK57FMPwN2H/blT5GRcjFyfzl7H7Y+Fq9etcnZMIv+
mJAFpqCoHasnEQKL5D4huxQDEsXqLvxO3/u79GU1w0AQgqg7KJLP6b3DRWAWI/Kl
7MK95j5EPrrvl69AErdCOH+Pfqvzi1CDb4Zy2lKuMGGQRgqyLubIIdZQkzX6YLD+
xuxxyiQ+P2imToe1KGGX39AFbdXuakqBgKiSLEU7MWwEAEd/LfDuuGV+aiJ83SZI
ZWZGSe5ThdAsdWoHYcCtFgynhd+QnN5hW//ODNU8IeIPhjZRUxe2CQbAEQgfUXif
vHn+JfcSo1pf7BcOnzTOlgTqFn6NmX/SYlAL1kpG2YwcJFK3ZRK2a/0db3DbeLXp
2Nk40WD1tOdt8FDZHOXYRXFhmV6K/nEf56g7XMHnaESeEsQtzFvIq+SSxx0IkS+h
gaoAO+Mz9SKoxWcabTBHimhDxqemmtDbTdk7iHQZZhmei0DJxSdxWzwj9nYeKggK
aBxof2wuZAnki3nTlpy+p6S2S/TxP3wSZ9wMkBNkYRzWpTD5+fEqOhHtLgtyp2/M
a6YrH4b1uvk86Sz4Uk18ZuvdgoVMx5UjUnmfRxEWNrZEhatr+y4nH1PPCVsVPvXO
N3AyHCJWYGwUe+AXNegKJ8QJr/a+T2U/rVCujVoCUBGqebtm5L0RV9+1xCWmyeog
wuGXF5duRcdMNr+dAHvrdUhQIyBm4cFWYHM97lP0HkOcOM+wJjSDmT5VorCW952g
LPANVlddb4vO1TXvwjw7+yZFcpYH9pZtIC1Wp5a+UMvPewoPY2xZfh1ZsVJxUqp9
FNHFEvRJuZzq80MIGY9s1rXrKiuAWJDGqEN8rlObuwNFrFfrDLDUgEhply/3Qcvi
n73Ag7cleOs7yF4=
=iyzN
-----END PGP MESSAGE-----

How to use

I made a demo shell script for INT:

#!/usr/bin/env bash
CLIENT_ID="client-79d54f25-2a71-4bcb-b057-001f53091b2f"
CLIENT_SECRET="..."
# 1. retrieve an access token with the client credentials (client-id + client-secret)
ACCESS_TOKEN=$(curl -s -X POST "https://visibility.int.iroh.site/iroh/oauth2/token" -d "grant_type=client_credentials" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -u "$CLIENT_ID:$CLIENT_SECRET" | jq -r '.access_token')
# 2. call the admin route with the bearer token (note the iroh-adm domain, not visibility)
curl -X GET "https://iroh-adm.int.iroh.site/admin/queue/status-report/incidents" -H "accept: application/json" -H "Authorization: Bearer $ACCESS_TOKEN"

returns

 ./demo.sh
[{"queue-name":"incident-sessions","total-sessions":0,"total-processing-sessions":0,"total-pending-sessions":0,"factor-increase-needed":0}]

What this does is:

  1. retrieve an access token with the client (client-id + client-password)
  2. Call the /admin/queue/status-report/incidents route

An important remark: notice the domain name is different between the admin and non-admin calls. For INT and TEST, you just need to replace visibility by iroh-adm. But in prod, you need to use a completely different URL.

Here is a JSON where I store the relations:

{"envs": [{"name":"INT",
           "visurl":"int.iroh.site",
           "internalurl":"int.iroh.site"},
          {"name":"TEST",
           "visurl":"test.iroh.site",
           "internalurl":"test.iroh.site"},
          {"name":"NAM",
           "visurl":"amp.cisco.com",
           "internalurl":"us-east-1.prod.iroh.site"},
          {"name":"EU",
           "visurl":"eu.amp.cisco.com",
           "internalurl":"eu-west-1.prod.iroh.site"},
          {"name":"APJC",
           "visurl":"apjc.amp.cisco.com",
           "internalurl":"ap-northeast-1.prod.iroh.site"}]}

Happy hacking! Yann.

Details

-----BEGIN PGP MESSAGE-----

hQIMA30u5aDZ3zPiARAAqfa80rkkVQy2HpHd1tOZZ1NZaaSMwrWRQKXTfkD6fYpl
HSOfyK9+9lKBV9Uz0H+l5DclDuenJ4akAMyaF5hhr7NfPZQ9exmnkODLDnpDTLoD
adm7ArrQnowJHvMEH4ogxoWN902Q9d2apOnrHYr5JmvEc0rwv1dQ2IuJeOLEpZ33
IYqP/rnOlhPZZd7lgyHGw2iRDU3XZfkyivPQtsWZqY6XWIoL2wNj/HlomtrcPLYj
RxErXBOMS8GRr5FYeDyp+aGo3IpYMMMFffGCqew8yvphDhRYiO2SrQtTIp2+207j
V7/FSp3dp9xhsLsOM4fzFuCe9UctjbZma9QngkRjUSDU7D0rXGoKydecau4TlBy7
ZPDOlg+6JWbwXM6qXJNaYAJ6Ii3E2xGYdpBMWBRn/j9RzkS68wKeoQelySV3aDSi
y00bbq/dq1Qh+tqyi7X8wj5tGf21Ri/Yd9D6DGWVTNvt0sj9CB55v3UfgZn5gcIy
2Njdb96pO+7VGgspPf6JnwJdCFq97O9cLFK985uJpmGrYvjN5qMA2z6PewdL9PW/
bPNCXMcfwwbJxqZKcfqoJUcRAQyatPDKvPgHXDgmgRtI3oMjwhWBDl5nmYgwjSDO
uiKHNxMNGO2BMFWnJ3Qi1OTjG98+nWwmGoF6VlyzxAZtIjr2sGLrrbogreEA4XrS
6QGqDwPhIf2GA0blOoiMKDVUxstru6kiQSOL0EmlWWDgCYamUGgiWUy5nZiveRDT
JUdHsgLzIBrDElaZfxOim10PO0AkQgplMqSGfWI7LQ3fEPiIuXQFhXZBmBu+DC7C
j7+QOu6DlhyPNVL0QiI4OeucizSWamcHYKL1IVC05XYm0FITf4oKiLfiFj/upleI
736qOe9x4bsrS5ZUQmdmpCkv3Q0Yde3ATXOHxxspgOlJ55CCXRTM8J4Fcgwf38/O
zM7L9Ly/H+0g52PCsyQRMmfYigVVJf14cjcyuBEN2rie32qs91ajiuIZpG3ECRJ0
R2y4nnCKM+G8oM+23pgIWdX0ei6RAFnGANRcM7It/Ni21YcafxgkzLFJ6clMELi5
vIzy9oAG85BK7Kwo/dxe3r3wQPC8cEmt9vRdR8v5rShYp0YTX5rJXZ4Kq2U6pGVo
msxo/LQhvWsMZ2UPRIsDcyIHL36LRxdy/h7hkr6BJK2o1YwSwK0e6r4KbYlfyaij
SiBDjuxwBFFkjAbnd8LoK0JDoEid9Eg7VXoFnDgq3X3Vr/yLRjA5yLkVgDuFdhgP
zJ3k1ly4NVQTQuTalNcXY7JXV/yhP+EaxxJ09rudW0192O4EIAo8IXyPYxWmELqa
yrnulQ7+g2l3DCS+ZrWBSRDFOJZSaWIPaU0xr2jXafy1wMqreDPE+YFQ2cnvt1J7
RLdarjU7hh5vkmpxiaezi91+YFC8b+8JAb58f7MndaZfyTYK4ww+pjSOLwIg2EgE
j9xuQRu5dy9xOKLL0jj3EBYrtH9eoGTtjrC3ycm0tIQTY4BJgGQ66KjsFfSzJ6gM
FHONJHlcaIeEWsnMMKm42A15jZG0AjH1LUbnEc6KOHzwySQ28IjJvDKY2kU3Wt6R
KoxbIox8fBvD8QunG+creFmYqG1IgFIodF9QgEdleRLJCKhB95HCCm3/qdSn1362
6LyIClb09bNImrPo974yrZ/hnel8MNXPQyQJSCtqOUUI8JhRBKi0IGi07+TVIeqi
5yakl8HSxnkbT0n6KLa0ZGOKFD5d0qXjwl1s6hnI4JTKCGDOyjHptVpjxsKT08jO
1lzutH67duk6Z38Qr1fpv9iAgSCsnfgLaKC/0jbIsPsOXTpvODiHK+liAbQiqUnn
XqRbQ2x4MavIy50zutVPduNgj72IUYvGfx1WO+mKt1uymx5DXidYoLAdCIru
=4Qus
-----END PGP MESSAGE-----
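The two steps of the demo script (client-credentials token, then the admin route), with the environment table wired in so the right hostnames are picked by environment name. This is an added example, not the demo.sh from the email and not IROH project code. Assumptions: the token endpoint is "visibility." + visurl and the admin endpoint is "iroh-adm." + internalurl for every environment (the email confirms this pattern only for INT and TEST); the IROH_CLIENT_SECRET variable name is a placeholder chosen here. The secret is sent in an Authorization header built in-process, so it never appears on a command line or in shell history as it does with curl -u.

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Environment table from the email (verbatim).
ENVS = {
    "INT":  {"visurl": "int.iroh.site",      "internalurl": "int.iroh.site"},
    "TEST": {"visurl": "test.iroh.site",     "internalurl": "test.iroh.site"},
    "NAM":  {"visurl": "amp.cisco.com",      "internalurl": "us-east-1.prod.iroh.site"},
    "EU":   {"visurl": "eu.amp.cisco.com",   "internalurl": "eu-west-1.prod.iroh.site"},
    "APJC": {"visurl": "apjc.amp.cisco.com", "internalurl": "ap-northeast-1.prod.iroh.site"},
}
STATUS_ROUTE = "/admin/queue/status-report/incidents"
TOKEN_ROUTE = "/iroh/oauth2/token"


def token_url(env):
    """Public OAuth2 token endpoint. 'visibility.' + visurl matches the INT demo;
    for the prod entries this prefix is an assumption."""
    return "https://visibility.%s%s" % (ENVS[env]["visurl"], TOKEN_ROUTE)


def admin_url(env):
    """Internal admin endpoint. 'iroh-adm.' + internalurl matches the INT demo;
    for the prod entries this prefix is an assumption."""
    return "https://iroh-adm.%s%s" % (ENVS[env]["internalurl"], STATUS_ROUTE)


def basic_auth_header(client_id, client_secret):
    """The value curl -u sends: HTTP Basic over 'client-id:client-secret'."""
    raw = ("%s:%s" % (client_id, client_secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(env, client_id, client_secret):
    """Step 1: client_credentials grant. Credentials travel in a header built
    in-process, so they never appear in argv or shell history."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    return urllib.request.Request(
        token_url(env), data=body, method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Authorization": basic_auth_header(client_id, client_secret)})


def status_request(env, access_token):
    """Step 2: call the admin route with the bearer token."""
    return urllib.request.Request(
        admin_url(env),
        headers={"Accept": "application/json",
                 "Authorization": "Bearer " + access_token})


def fetch_incident_queue_status(env, client_id, client_secret):
    with urllib.request.urlopen(token_request(env, client_id, client_secret), timeout=10) as resp:
        access_token = json.load(resp)["access_token"]
    with urllib.request.urlopen(status_request(env, access_token), timeout=10) as resp:
        return json.load(resp)


def factor_increase_needed(report):
    """Scaling signal for the cron job: the largest factor-increase-needed across
    the queues in a report shaped like the demo output above."""
    return max((int(q.get("factor-increase-needed", 0)) for q in report), default=0)


if __name__ == "__main__":
    # usage: script.py ENV CLIENT_ID, with the secret in IROH_CLIENT_SECRET
    # (variable name chosen for this example)
    env, client_id = sys.argv[1], sys.argv[2]
    report = fetch_incident_queue_status(env, client_id, os.environ["IROH_CLIENT_SECRET"])
    print(json.dumps(report))
    print("factor-increase-needed:", factor_increase_needed(report))
```

Because the scope granted to these clients is read-only (iroh-master/queue/incidents:read), the worst case if the secret leaks from a cron host is disclosure of queue sizes; keeping it out of argv and out of the script file still matters because cron environments are shared and scripts end up in version control.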

2021-W45

2021-11-08 Monday

EMAIL inscription BAC Anna   work email

[2021-11-08 Mon 12:22]

ref

2021-W46

2021-11-17 Wednesday

MEETING Weekly meeting   work meeting

CLOCK: [2021-11-17 Wed 17:30][2021-11-17 Wed 18:19] => 0:49

[2021-11-17 Wed 17:30]

ref
MEETING Weekly   work meeting

CLOCK: [2021-11-17 Wed 17:05][2021-11-17 Wed 17:06] => 0:01

[2021-11-17 Wed 17:05]

ref

2021-11-18 Thursday

MEETING Alan Interview   work meeting

CLOCK: [2021-11-18 Thu 16:29][2021-11-19 Fri 14:14] => 21:45

[2021-11-18 Thu 16:29]

ref
Agenda (to discuss about)
Notes
Actions
CHAT Small text about the breaking PR   work chat

CLOCK: [2021-11-18 Thu 11:42][2021-11-18 Thu 16:29] => 4:47

[2021-11-18 Thu 11:42]

Good morning everyone!

I wanted to drop a word about this PR: https://github.com/advthreat/iroh/pull/5998

An interesting aspect of this PR was that a change (that first appeared to be minor) in one namespace led to a failure in a ns that did not transitively depend on the first.

I wanted to improve our build time by filtering the test by dependent ns only. It would have missed this build failure. So I still think this is a good idea to have an optimized test for branches, but the merge into master should run all the tests.

MEETING Alan Interview   work meeting

CLOCK: [2021-11-18 Thu 09:56][2021-11-18 Thu 11:42] => 1:46

[2021-11-18 Thu 09:56]

ref
Agenda (to discuss about)
  • in tupelo, why name it glue instead of mconcat?
  • Why unwrap and not flatten?
Notes
Actions

2021-11-19 Friday

MEETING Monthly Engineering Meeting   work meeting

CLOCK: [2021-11-19 Fri 17:02][2021-11-19 Fri 18:26] => 1:24

[2021-11-19 Fri 17:02]

ref

.

Updates
Release Status
  • Issue with GlaDoS deployment, 1.86 done yesterday.
  • Issue with AO, pb with cross-launch.
Services
  • High Impact Incident
  • Background support for DI
  • Added auditability API gateway

Will focus on replicating/synchronize across the product of incidents.

2021-W47

2021-11-23 Tuesday

MEETING DI Secure Client weekly PO meeting   work meeting

CLOCK: [2021-11-23 Tue 16:08][2021-11-23 Tue 18:37] => 2:29

[2021-11-23 Tue 16:08]

ref
Actions
  • Apparently some clients scopes and authorization to do.

2021-W48

2021-11-30 Tuesday

MEETING Simplify login page   work meeting

CLOCK: [2021-11-30 Tue 16:01][2021-12-02 Thu 14:55] => 46:54

[2021-11-30 Tue 16:01]

https://github.com/advthreat/GLaDOS/issues/2555

2021-12-02 Thursday

MEETING Weekly IROH-Service Team meeting   work meeting

CLOCK: [2021-12-02 Thu 17:04][2021-12-02 Thu 18:01] => 0:57

[2021-12-02 Thu 17:04]

@Mark most special people are leaving.

@Jyoti about Al. Came as a surprise and a shock. Certain there were politics about it. Start with UI & UX.

Must not be done in silos. It has to be implementable.

@Mark

I feel that with AO we should have a blame post-mortem. Never run all the way in TEST. They never talk to us about it.

Discussion about QA

@Mark Possible QA tested it and was never informed something will change. A retro for AO integration.

Notes
  • Working on the refresh token DB (token grants)
  • Regarding the registration simplification, I will need the work done by Olivier to search users by email domain name.
  • We will need a pass of technical design. We will need other entities for requested invitations, and yet another flow to integrate an existing SecureX org.
MEETING SecureX / Secure Endpoint Alignment   work meeting

CLOCK: [2021-12-02 Thu 16:04][2021-12-02 Thu 17:04] => 1:00

[2021-12-02 Thu 15:59]

Actions

Create a queue of requested invites. Admin can approve the request, the user is added to the org. A confirmation email is sent.

2021-W49

2021-12-09 Thursday

MEETING Weekly Team Meeting   work meeting

CLOCK: [2021-12-09 Thu 17:18][2021-12-09 Thu 18:16] => 0:58

[2021-12-09 Thu 17:18]

ref

.

Project Board
Enrich API Enhancement

Discussion

Webhooks
Hiring

no professional experience in Clojure

Remarks

IDB Decommission. Meeting with Geetha next week.

How can I do that?

Actions

IDB Decommission test Monday

2021-W50

2021-12-13 Monday

MEETING OIDC AO   work meeting

CLOCK: [2021-12-13 Mon 17:02][2021-12-13 Mon 18:33] => 1:31

[2021-12-13 Mon 17:02]

ref

April Ping fed expires. Is that still possible? Also no expertise.

We had some action items. Where do we stand?

Are we confident? Priority across the teams.

TG and CSA.

Just CSA and TG IdP.

Action

Continue test results after Holidays.

  • Test CSA
  • Test TG (direct OIDC)

Sync up after shutdown. If success talk to QA to prepare tests.

2021-12-15 Wednesday

MEETING Estimate New Registration Workflow   work meeting

CLOCK: [2021-12-15 Wed 16:29][2021-12-15 Wed 19:55] => 3:26

[2021-12-15 Wed 16:29]

ref
https://github.com/advthreat/iroh/issues/6076
Prevent User to login with public email page

Should propose the user to login via another account (so use logout).

Need templates. @Jilian will do the templates.

Add an allow-list to pass through the blocklist (@gmail,,,)

1.89 Feb 2.

MEETING IDB Decommissioning   work meeting

CLOCK: [2021-12-15 Wed 15:59][2021-12-15 Wed 16:29] => 0:30

[2021-12-15 Wed 15:59]

ref
Agenda (to discuss about)
Notes
Actions

2021-W51

2021-12-21 Tuesday

IN-PROGRESS Code   work

CLOCK: [2021-12-21 Tue 14:32]

[2021-12-21 Tue 14:32]

CHAT Dar about using UI Components in the login pages   work chat

CLOCK: [2021-12-21 Tue 10:20][2021-12-21 Tue 14:32] => 4:12

[2021-12-21 Tue 10:20]

@Dar Hey Yann, a question came up in our weekly sync about the login flows… now that they're getting a bit more sophisticated wouldn't it be better to start using common UI components rather than taking snapshots/hard-copies of styles and generating one-off templates? what are the security concerns around client-side rendering the auth UI?

Hi Dar,

So to answer the question historically. First, we didn't have any login page. It was 100% hosted in CTR UI. I just provided the route to create the login links (and this could still be used today and it is in the new login page).

We faced many bugs (most of them related to URL encoding), and thus decided to close the gap by building a hosted login page. That way I can 100% control the behavior and have lots of tests to check URL-encoding-related bugs. Do not forget that in CTR you often want to deal with URLs with very complex URL fragments that contain a representation of the investigation; imagine text with carriage returns, URLs, emails, etc…

Even recently we experienced subtle bugs. And the solution was to get rid as much as possible of the javascript code that handled the url parsing and building. Now, this is handled via the backend on the login page.

So the 1st reason to host the login page was convenience and bug fixing and not necessarily security.

Regarding security, I was afraid to introduce a security bug because the login page is clearly a nice entry point for security attacks. So I tried to be as conservative as possible. So no JS when possible. And if we need to use JS, do not use any lib, just basic JavaScript so the code is easy to understand and debug.

There is another complexity to keep in mind. For historical reasons, for now, there is no "session" when the user has logged in via the IdP but hasn't yet selected a user and thus is not logged in to SecureX. Right now, we handle this state with a token in the URLs. And this token can be consumed only once. By that I mean, in the account selection page you will have links looking like:

When the user clicks on the first link, the code XXX will be consumed and the other links will not work. So I ensure that the user needs to perform a login workflow again to log into another org.

So that being said, I think we are now in a new situation where we could totally have a much more convenient system.

  1. I need to create a notion of session when the user is logged in to the IdP but has not selected a SecureX account.
  2. Use more JS to ease the UI work, typically UI components. The limit being that the CSP headers are restrictive in the sense that we must host the JS at the same URL, and we should probably still generate data via the backend, maybe still keep a bit of HTML.

In fact, we need the backend to be able to provide a set of information to the UI and take care that no XSS is possible. I think the main risk is that the login page must support complex query parameters. So great care should be taken in the parsing of these query parameters. To give a concrete example:

You should be able to generate a page for a URL looking like:

https://securex…cisco.com/login?redirects=<URL2>

Where URL2 should be encoded correctly, and could itself be complex:

URL2: https://visibility...cisco.com/investigate#q=<QUERY>

Where QUERY should be encoded and could contain URLs, emails:

QUERY:

url:http://attack.com/foo?param=something-complex
foo@example.com
some random text
carriage return, unicode, emojis? etc…

So to present the login page, every button should take care that adding a <script> somewhere will not generate an XSS, and that the encoding is correct. And login links could be forged by an attacker, so it should not be possible to hijack the redirection to a non-allowed login endpoint, because in that case the endpoint would get a code from which the user's creds could be retrieved.

To me this is totally doable, and I think it should be the preferred route.
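The parsing and encoding concerns above, worked through as an added example (example code, not the SecureX login page's own implementation): the investigation QUERY is percent-encoded into URL2's fragment, URL2 is encoded again as the redirects parameter of the login link, and the backend recovers it, accepts it only for an allow-listed https host, and HTML-escapes the href it renders. The hostnames, the parameter name redirects, the q= fragment layout and the allow-list are placeholders chosen for this example. The round trip is exercised with a constructed query containing a URL, an email, newlines, unicode and an emoji, so the example shows the nested-encoding requirement rather than a single happy path.

```python
import html
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Placeholders for this example (the real hosts are not on the page).
LOGIN_PAGE = "https://securex.example.invalid/login"
INVESTIGATE_PAGE = "https://visibility.example.invalid/investigate"
ALLOWED_REDIRECT_HOSTS = {"visibility.example.invalid"}
REDIRECT_PARAM = "redirects"


def build_investigate_url(query):
    """URL2: the investigation QUERY lives in the fragment. quote(safe='')
    percent-encodes everything, so newlines, '#', '&', '+' and emoji survive
    the round trip instead of being split on by the browser or the server."""
    return "%s#q=%s" % (INVESTIGATE_PAGE, quote(query, safe=""))


def build_login_link(redirect_url):
    """Login link: URL2 is encoded a second time as a query parameter so its
    own '?', '#' and '%' cannot be confused with the login URL's."""
    return "%s?%s" % (LOGIN_PAGE, urlencode({REDIRECT_PARAM: redirect_url}))


def parse_redirect(login_url):
    """Backend side: recover URL2. Exactly one value is accepted, so a forged
    link cannot smuggle a second redirect target that a different parser
    would pick."""
    query = parse_qs(urlsplit(login_url).query, keep_blank_values=True)
    values = query.get(REDIRECT_PARAM, [])
    if len(values) != 1:
        raise ValueError("expected exactly one %s parameter" % REDIRECT_PARAM)
    return values[0]


def validate_redirect(redirect_url):
    """Only https URLs on allow-listed hosts may receive the code.
    urlsplit().hostname drops userinfo and port, so
    'https://visibility.example.invalid@attacker.invalid/' is rejected."""
    parts = urlsplit(redirect_url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError("redirect target not allowed: %r" % redirect_url)
    return redirect_url


def redirect_from_login_link(login_url):
    """Combined backend check; None when the link is malformed or forged."""
    try:
        return validate_redirect(parse_redirect(login_url))
    except ValueError:
        return None


def extract_query(redirect_url):
    """Recover QUERY from URL2's fragment."""
    fragment = urlsplit(redirect_url).fragment
    if not fragment.startswith("q="):
        raise ValueError("no q= fragment in %r" % redirect_url)
    return unquote(fragment[2:])


def render_login_button(redirect_url):
    """Server-rendered button. The href is HTML-escaped, so nothing in the
    redirect can close the attribute or inject a <script> element."""
    link = build_login_link(validate_redirect(redirect_url))
    return '<a class="button" href="%s">Log in</a>' % html.escape(link, quote=True)


def round_trip(query):
    """QUERY -> URL2 -> login link -> backend -> QUERY, as the backend sees it."""
    login_link = build_login_link(build_investigate_url(query))
    redirect_url = redirect_from_login_link(login_link)
    if redirect_url is None:
        raise ValueError("login link rejected")
    return extract_query(redirect_url)


# Constructed sample in the shape described above (not the page's data).
SAMPLE_QUERY = (
    "url:http://attack.com/foo?param=something-complex\n"
    "foo@example.com\n"
    "some random text\n"
    "carriage return, unicode \u00e9, emojis \U0001F600? etc\u2026"
)

if __name__ == "__main__":
    assert round_trip(SAMPLE_QUERY) == SAMPLE_QUERY
    print(render_login_button(build_investigate_url(SAMPLE_QUERY)))
```

Two design points carry the security argument of the chat: the allow-list is checked on the parsed hostname, not with a string prefix test, which is what defeats the userinfo trick; and the same code that builds the links is the code that parses them, so the encoding layers are symmetric and can be covered by one round-trip test per awkward input.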