deft/notes/cisco_ft_securex_registration.org
2021-12-07 15:56:39 +01:00


Cisco FT SecureX Simplified Registration

tags
Auth
source
https://github.com/advthreat/response/issues/821
dashboard
https://github.com/advthreat/iroh/projects/32


Technical Plan

Support private email vs public emails

The solution is to use a blacklist of domains where anyone can create multiple email accounts pseudo-anonymously, so that such an email is not taken as evidence of membership in an organization.

Support: search admins with the same email domain

Given a user's email, we should be able to find all the orgs for which at least one admin has a matching email domain.

  1. Most efficient: add an invisible field email-domain to all users. This should be lower-cased, and we will need a migration. Doing this we could get a faster match than with string-based queries.

     Problem: a user can log in to the same user account with different emails, so the stored domain may not cover all of them. This should be rare.

  2. Search via text match.

The algorithm should look a bit like:

;; only when this is an unknown user
;; assumes [clojure.string :as string] is required
(let [user-email ,,,
      ;; lower-cased so it matches the stored, lower-cased email-domain field
      domain (string/lower-case (string/replace user-email #".*@" ""))
      users (matching-admins domain) ;; returns a potentially big list of admin users
      indexed-orgs (group-by :org-id users)]
  (vals indexed-orgs))
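The blacklist of public domains and the domain-matching sketch above, worked through end to end as an added example (not code from the note or from the iroh code base). It assumes a hypothetical namespace, a constructed set of public domains and constructed admin users; `matching-admins` is replaced by a lookup on the lower-cased email-domain field the plan proposes, so a public-domain email never yields candidate orgs.

```clojure
(ns securex.registration.domain-match
  (:require [clojure.string :as string]))

;; Constructed sample blacklist: anyone can create many accounts on these
;; domains, so a matching domain says nothing about org membership.
(def public-email-domains #{"gmail.com" "outlook.com" "yahoo.com"})

(defn email-domain
  "Lower-cased domain part of an email, or nil when there is no @."
  [email]
  (when (and (string? email) (string/includes? email "@"))
    (-> email string/trim (string/replace #".*@" "") string/lower-case)))

(defn public-email? [email]
  (contains? public-email-domains (email-domain email)))

;; Constructed sample users; mixed case on purpose to show normalisation.
(def users
  [{:user-id "u1" :org-id "org-a" :user-email "Alice@Acme.example" :role :admin}
   {:user-id "u2" :org-id "org-a" :user-email "bob@acme.example"   :role :admin}
   {:user-id "u3" :org-id "org-b" :user-email "carol@acme.example" :role :admin}
   {:user-id "u4" :org-id "org-c" :user-email "dave@gmail.com"     :role :admin}
   {:user-id "u5" :org-id "org-c" :user-email "erin@acme.example"  :role :user}])

(defn with-email-domain
  "Migration step: derive the invisible :email-domain field from :user-email."
  [user]
  (assoc user :email-domain (email-domain (:user-email user))))

;; Index replacing matching-admins: only admins, keyed by normalised domain.
(def admins-by-domain
  (->> users
       (map with-email-domain)
       (filter #(= :admin (:role %)))
       (group-by :email-domain)))

(defn candidate-orgs
  "Orgs whose admins share the unknown user's email domain, as {org-id [admins]}.
   Malformed emails and public domains never match."
  [user-email]
  (let [domain (email-domain user-email)]
    (if (or (nil? domain) (contains? public-email-domains domain))
      {}
      (group-by :org-id (get admins-by-domain domain [])))))

(comment
  ;; "org-a" and "org-b" are candidates; u5 is a plain user and is ignored
  (candidate-orgs "new.hire@ACME.example")
  ;; public domain and malformed input both yield no candidates
  (candidate-orgs "someone@gmail.com")
  (candidate-orgs "not-an-email"))
```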

Support Org request to admins

We need to create another entity for access requests to an org.

(s/defschema OrgAccessRequest
  (st/merge
   {:id UUID
    :idp-mapping IdPMapping
    :user-email s/Str
    :org-id s/Str
    :status (s/enum :pending :accepted :rejected)}
   (st/optional-keys
    {:user-name s/Str
     :user-nick s/Str})))

When a user requests access to an organization, we should create this object in the DB.

There should be a CRUD API restricted to the admin/user-mgmt/org-requests scope:

  • GET /iroh/user-mgmt/org-requests: list pending org access requests
  • GET /iroh/user-mgmt/org-requests/<id>: read a single org access request
  • POST /iroh/user-mgmt/org-requests/<id>/accept: grant the access
  • POST /iroh/user-mgmt/org-requests/<id>/reject: reject the access

List

GET /iroh/user-mgmt/org-requests

If no parameter is provided, list only the pending OrgAccessRequests of the caller's org. Otherwise the status query parameter can be passed with one or more of the following values:

  • pending
  • accepted
  • rejected

Note: we should probably support repeating the status parameter to select several statuses at once. Example:

GET /iroh/user-mgmt/org-requests?status=accepted&status=pending

Read

GET /iroh/user-mgmt/org-requests/<id>

Returns the single OrgAccessRequest object, or a 404 if it is not found.

Accept the Org Access

POST /iroh/user-mgmt/org-requests/<id>/accept: grant the access

The body should contain the role (either admin or user) with the following schema:

{"role":"admin"}

During the call, the server should:

  1. Create a new user with:

;; fields copied from the OrgAccessRequest being accepted
{:user-id      (gen-uuid)
 :org-id       (:org-id org-access-request)
 :user-email   (:user-email org-access-request)
 :idp-mappings [(:idp-mapping org-access-request)]
 :user-name    (:user-name org-access-request)
 :user-nick    (:user-nick org-access-request)
 :role         (get-in request [:body :role])
 :enabled?     true}

UI Revamp

All the pages shown during login are hosted in IROH, so we should revamp all of them and pay close attention to every page that is shown.