2947 lines
87 KiB
Org Mode
2947 lines
87 KiB
Org Mode
# -*- mode: org -*-
|
||
|
||
|
||
Archived entries from file /Users/yaesposi/.deft/Cisco.org.gpg
|
||
|
||
|
||
* [#A] OAuth2 Provider
|
||
:PROPERTIES:
|
||
:ARCHIVE_TIME: 2019-01-09 Wed 10:52
|
||
:ARCHIVE_FILE: ~/.deft/Cisco.org.gpg
|
||
:ARCHIVE_OLPATH: Epics
|
||
:ARCHIVE_CATEGORY: Cisco.org
|
||
:END:
|
||
:SCHEDULE: <2018-01-11 Thu>
|
||
:END:
|
||
** Workflow
|
||
|
||
Authorize, Approve, Refuse, Token
|
||
|
||
Threatgrid portal would like access to the (enrich API, response API, ...
|
||
Private CTIA Public CTIA) -> scopes
|
||
|
||
users ses yes, he approves, POST approve, get back auth code, POST that to token
|
||
|
||
*** =/authorize=
|
||
|
||
Ask the user to authorize an App to access sub services API:
|
||
|
||
Grants: https://alexbilbie.com/guide-to-oauth-2-grants/
|
||
|
||
We'll never support grant type password or client_credentials.
|
||
We'll support: =authorization_code= and =refresh_token=.
|
||
|
||
**** Scopes
|
||
|
||
Format:
|
||
- =<high-level-api>(:<access-type>)?=
|
||
- =<high-level-api>(/subset)*(:<access-type>)?=
|
||
|
||
|
||
Examples:
|
||
|
||
- openid
|
||
- email
|
||
- collect
|
||
- collect:read
|
||
- iroh-int/observe (read)
|
||
- enrich:write
|
||
- global-intel
|
||
|
||
Meaningful:
|
||
|
||
- deliberations
|
||
- enrichment
|
||
- private-intel (read/write)
|
||
- global-intel (read/write)
|
||
- references (read)
|
||
- response (write)
|
||
- deliberate, describe, observe
|
||
|
||
.
|
||
|
||
*** =/approve=
|
||
|
||
The User can approve access to an App.
|
||
The App get back a Auth Code.
|
||
|
||
*** =/refuse=
|
||
|
||
The User can refuse or revoke access to an App.
|
||
|
||
*** =/token=
|
||
|
||
The App can ask to refresh tokens.
|
||
Tokens returned must be "short" lifetime JWT.
|
||
** OAuth2 in IROH-Auth Spec RFC second pass
|
||
|
||
*** Vocabulary
|
||
|
||
- Roles
|
||
+ resource owner: has the ability to grant access to a protected resource
|
||
+ resource server: host of the protected resources
|
||
+ client: app making requests to resources
|
||
+ authorization server: server issuing access token to the client
|
||
- Authorization Grant: creds representing resource owner authorization
|
||
- Authorization Code: client redirect resource owner to auth server which in
|
||
turn redirect the resource owner back to the client with the Auth code
|
||
- Access Token: creds used to access protected resource
|
||
- Refresh Token: creds to obtain access tokens
|
||
- Redirects (generally 302, but up to server)
|
||
|
||
*** Client Registration
|
||
|
||
- not really part of the spec. It is up to us to find a way to add a list of
|
||
authorized clients, accepted redirection URIs, etc...
|
||
|
||
- Client Type
|
||
+ confidential: private server
|
||
+ public: executing itself on some device used by the resource owner
|
||
- Client Identifier
|
||
+ provided by the authorization server to the client
|
||
+ It is not secret
|
||
+ Unique
|
||
- Client password
|
||
can be used via Basic Auth, or in req params: ~client_id=...&client_secret=...~
|
||
Auth server MUST protect agains brute force attacks
|
||
#+BEGIN_SRC HTTP
|
||
POST /token HTTP/1.1
|
||
Host: server.example.com
|
||
Content-Type: application/x-www.form-urlencoded
|
||
|
||
grant_type=refresh_token&refresh=...&client_id=...&client_secret=...
|
||
#+END_SRC
|
||
|
||
OAuth2 doesn't support unregistered clients
|
||
|
||
*** Protocol Endpoints
|
||
|
||
Two auth server endpoints:
|
||
|
||
- Authorization endpoint: used by the client to obtain authorization from the
|
||
resource owner via redirection
|
||
- Token endpoint: used by the client to exchange an authorization grant for an
|
||
access token, typically with client auth.
|
||
|
||
Client endpoint:
|
||
|
||
- Redirection endpoint: used by the auth server to return responses containing
|
||
auth creds to the client via the resource owner user-agent
|
||
|
||
**** Authorization Endpoint
|
||
|
||
- MUST ignore unrecognized parameters
|
||
- MUST not accept repeated params
|
||
|
||
Client must inform the client of the =response_type=:
|
||
- must be set to ~code~ for requesting auth code
|
||
- must be set to ~token~ for implicit grant
|
||
|
||
**** Redirection Endpoint
|
||
|
||
After completing its interaction with the resource owner, the auth server
|
||
directs the resource owner's user-agent to the client.
|
||
|
||
The redirection URI MUST NOT include a fragment component.
|
||
|
||
Registration requirement: the auth server MUST require the public and
|
||
confidential clients to register their redirection endpoint.
|
||
|
||
For our usage: the end point must use TLS (https) and also there should be a
|
||
single URI per client.
|
||
|
||
If an auth fails due to missing, invalid or mismatching redirection URI.
|
||
The Auth Server should inform the resource owner without redirection.
|
||
|
||
**** Scope
|
||
|
||
An unordered list of space-delimited, case-sensitive strings.
|
||
|
||
The scopes are defined by the auth-server.
|
||
|
||
If requested scopes by the client are different by the ones granted by the auth
|
||
server. The auth server must return the granted scopes as a response parameter.
|
||
|
||
*** Obtaining Authorization
|
||
|
||
4 different Grants:
|
||
|
||
- authorization code
|
||
- implicit (no)
|
||
- resource owner creds (no)
|
||
- client creds (no user, direct client to IROH)
|
||
|
||
- an extension for more grant types.
|
||
|
||
**** Code Grant
|
||
|
||
Used to obtain both access token & refresh tokens.
|
||
Optimized for confidential clients.
|
||
|
||
1. client construct the request URI with the following params:
|
||
+ ~response_type~ REQUIRED. Must be ~code~.
|
||
+ ~client_id~
|
||
+ ~redirect_uri~ (OPTIONAL)
|
||
+ ~scope~ (OPTIONAL)
|
||
+ ~state~ (RECOMMENDED)
|
||
Example:
|
||
#+BEGIN_SRC
|
||
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
|
||
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
|
||
Host: server.example.co
|
||
#+END_SRC
|
||
2. Authorization Response. If auth is granted, then the auth server issues an
|
||
authorization code and delivers it to the client by adding the following
|
||
parameters to the query component of the redirection URI using the
|
||
"application/x-www-form-urlencoded" format.
|
||
+ ~code~ REQUIRED. auth code generated. Must expire shortly (10 min
|
||
recommended) and shouldn't be used more than once. If the code is used more
|
||
than once, should revoke all tokens previously issued based on that
|
||
authorization code.
|
||
+ ~state~ REQUIRED. Same value as the client provided.
|
||
3. Client makes a request to the token endpoint. Should contains the following params:
|
||
+ ~grant_type~ REQUIRED. must equal to ~authorization_code~.
|
||
+ ~code~ REQUIRED. The auth code received.
|
||
+ ~redirect_uri~ REQUIRED. Same as in the authorization request.
|
||
+ ~client_id~ REQUIRED. If the client is not authenticating with the auth server.
|
||
Example:
|
||
#+BEGIN_SRC
|
||
POST /token HTTP/1.1
|
||
Host: server.example.com
|
||
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
|
||
Content-Type: application/x-www-form-urlencoded
|
||
|
||
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
|
||
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
|
||
#+END_SRC
|
||
4. Access Token Response.
|
||
If the access token is valid and authorized, the auth server issues an access
|
||
token and optional refresh token.
|
||
Example:
|
||
#+BEGIN_SRC
|
||
HTTP/1.1 200 OK
|
||
Content-Type: application/json;charset=UTF-8
|
||
Cache-Control: no-store
|
||
Pragma: no-cache
|
||
|
||
{
|
||
"access_token":"2YotnFZFEjr1zCsicMWpAA",
|
||
"token_type":"example",
|
||
"expires_in":3600,
|
||
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
|
||
"example_parameter":"example_value"
|
||
}
|
||
#+END_SRC
|
||
** OAuth2 Provider Epic
|
||
|
||
https://github.com/threatgrid/iroh/issues/1349
|
||
|
||
*** Functional Spec
|
||
|
||
We want 3rd party to be able to use our APIs (IROH + AMP Global Intel) by making
|
||
an OAuth2 Provider.
|
||
|
||
*** Tasks
|
||
|
||
See next sections for technical details.
|
||
|
||
=[#A]=, =[#B]=, =[#C]= are priority order to be able to test the OAuth system
|
||
before finishing all the tasks:
|
||
|
||
- =[#A]= Be able to provide keys to access our API
|
||
- =[#B]= Be able to migrate Visibility to OAuth2
|
||
- =[#C]= Support revocations, restrictions, etc...
|
||
|
||
Task without any set priority are lower priority.
|
||
|
||
*[[client-db][Client DB]]*:
|
||
|
||
- [ ] Write SQL store
|
||
- [ ] =[#C]= Write a service to manage clients
|
||
- [ ] =[#C]= Write routes restricted to IROH-Admins to manage OAuth2 clients
|
||
- [ ] =[#C]= POST =/clients= (the server sets the ~:id~ and returns the ~:password~
|
||
in clear text, in the DB the password should be encrypted).
|
||
- [ ] =[#C]= GET =/clients= (the ~:password~ field should be obfuscated)
|
||
- [ ] =[#C]= GET =/clients/:id= (the ~:password~ field should be obfuscated)
|
||
- [ ] =[#C]= PUT =/clients/:id= to revoke a client access (the ~:password~ field should be obfuscated)
|
||
- [ ] =[#C]= DELETE =/clients/:id= to revoke a client access (the ~:password~ field should be obfuscated)
|
||
|
||
*[[token-db][Authorization DB]]*:
|
||
|
||
- [ ] =[#B]= Write a service to manage "apps" for a resource owner
|
||
- [ ] =[#B]= Write routes to manage "apps" for a resource owner.
|
||
The =refresh-token= field should always be hidden or obfuscated.
|
||
- [ ] =[#B]= GET =/oauth/apps= returns the list of authorized apps
|
||
- [ ] =[#B]= GET =/oauth/apps/:app-id= return the authorized app informations
|
||
- [ ] =[#B]= DELETE =/oauth/apps/:app-id= remove the authorized app, further refresh
|
||
token queries should fail.
|
||
|
||
*[[user-db][User DB]]*:
|
||
|
||
- [ ] =[#C]= Write a Service to manage Users with the following methods:
|
||
- [ ] =[#C]= Create an user and generate its id. To be used for new login of still unkown user.
|
||
- [ ] =[#C]= search an user by internal id or 3rd party User id (typically AMP user id)
|
||
- [ ] =[#C]= revoke an user
|
||
- [ ] =[#C]= change scopes of an user
|
||
- [ ] =[#C]= Write routes restricted to IROH-Admins to manage Users
|
||
- [ ] =[#C]= GET =/users= returns a list of users
|
||
- [ ] =[#C]= GET =/users/:user-id= returns the specific user infos
|
||
- [ ] =[#C]= PUT =/users/:user-id= update an user, either revoke access or change scope
|
||
|
||
*[[routes][OAUTH2 Routes]]*:
|
||
|
||
- [ ] =/authorize= endpoint (should be behing the classic JWT protection)
|
||
- [ ] =[#A]= Support for authorization code grant
|
||
- [ ] =[#B]= Support for client creds grant
|
||
- [ ] Support implicit grant (close the current workflow with /login)
|
||
- [ ] =[#A]= =/token= endpoint
|
||
|
||
*[[middleware][Protected Resource Middleware]]*:
|
||
|
||
- [ ] =[#A]= Update the JWT middleware to only accept access-tokens
|
||
- [ ] =[#B]= Add a :scopes to compojure-api routes to filter access to JWT granting those scopes
|
||
- [ ] =[#B]= Update all routes to add a :scopes (cf. [[scopes][scopes]])
|
||
|
||
*[[frontend][Frontend]]*:
|
||
|
||
- [ ] =[#C]= Update the frontend to use the new OAuth2 routes.
|
||
- [ ] Create a dahsboard to help an user to revoke apps
|
||
- [ ] Create an IROH-Admin only dahsboard to manage clients (create, revoke, etc...)
|
||
- [ ] Create an IROH-Admin only dahsboard to manage users (revoke, etc...)
|
||
|
||
*[[doc][Documentation]]*:
|
||
|
||
- [ ] Documentation for making trusted daemons (authorization code grant)
|
||
- [ ] Documentation for frontend dev (implicit grant)
|
||
- [ ] Documentation for scripts (client creds grant)
|
||
|
||
*** Technical Spec
|
||
|
||
Write an OAuth2 provider.
|
||
Specificity of our OAuth2 provider.
|
||
|
||
- codes, access-tokens & refresh-tokens should be JWT.
|
||
Because JWT expires, and we can control how often we check their status
|
||
(revoked for example) server side.
|
||
|
||
Supported Grants (by priority order):
|
||
|
||
- ~authorization code~ grant
|
||
- ~implicit~ grant (for Visibility/iroh-ui) (similar to today =/login=)
|
||
- ~client creds~ grant
|
||
|
||
|
||
**** Client DB
|
||
|
||
<<client-db>>
|
||
|
||
We need to be able to add new OAuth2 "clients".
|
||
And we must be able to revoke a client.
|
||
So we need to add another store for clients.
|
||
Actually we shouldn't store those informations in ES.
|
||
We need to write an SQL backed CRUD store.
|
||
More specifically we'll use postgresql.
|
||
There should be another web-service exposing routes only for IROH admins.
|
||
|
||
*Question*: How should we keep client password?
|
||
|
||
*Proposal*: Present password in cleartext to the "creator" only once but save
|
||
the password using bcrypt.
|
||
|
||
A client MUST have a ~client-type~, a ~client-id~ and a ~client-password~.
|
||
|
||
Proposed internal representation:
|
||
|
||
#+BEGIN_SRC clojure
|
||
(s/defschema CRUDMetas
|
||
{:created-at s/DateTime
|
||
(s/optional-key :updated-at) s/DateTime
|
||
(s/optional-key :activated-at) s/DateTime
|
||
(s/optional-key :approved-at) s/DateTime
|
||
(s/optional-key :enabled-at) s/DateTime
|
||
(s/optional-key :blocked-at) s/DateTime})
|
||
(def Scope s/Str) ;; MUST NOT contain any space see the Scope section
|
||
(def URI s/Str) ;; shouldn't contains any fragment '#...', space or '..'
|
||
;; HIGHLY RECOMMENDED should be HTTPS
|
||
(defschema Client
|
||
(st/merge {:client-type (s/enum :confidential :public)
|
||
:grants #{(s/enum :auth-code :implicit :client-creds)}
|
||
:redirects #{URI}
|
||
:id s/Str
|
||
:password s/Str
|
||
:name s/Str
|
||
:scopes #{Scope}
|
||
:approved? s/Bool
|
||
:enabled? s/Bool}
|
||
CRUDMetas)
|
||
#+END_SRC
|
||
|
||
For example:
|
||
|
||
#+BEGIN_SRC clojure
|
||
(def threatgrid-client
|
||
{:client-type :confidential
|
||
:grants :auth-code
|
||
:redirects ["https://threatgrid.cisco.com/"]
|
||
:id "5fb04b9a-faad-11e7-8c3f-9a214cf093ae"
|
||
:password "70D3C005435E0F1C75A622C6C5AE92DB395A9E3140DE6980AC733AC9316AC0AE"
|
||
:name "ThreatGrid"
|
||
:scopes ["response" "enrich" "iroh-collect" "ui-settings" "ctia"]
|
||
:approved? true
|
||
:enabled? true
|
||
:created-at "2018-01-20T10:04:33"
|
||
:updated-at "2018-01-20T10:04:33"
|
||
:enabled-at "2018-01-20T10:04:33"
|
||
:activated-at "2018-01-20T10:04:33"
|
||
:approved-at "2018-01-20T10:04:33"})
|
||
#+END_SRC
|
||
|
||
**** User DB
|
||
|
||
<<user-db>>
|
||
|
||
We need to have an OAuth2 oriented Internal User DB.
|
||
For example to be able to change the scopes or simplly to revoke access to some
|
||
users.
|
||
|
||
Even if in the future we'll need a more complex User DB, for now we only need to
|
||
keep track of relation between an user-id for some 3rd party and an internal
|
||
user-id.
|
||
|
||
#+BEGIN_SRC clojure
|
||
(s/def IdPMapping
|
||
(st/merge
|
||
{:idp (s/enum :amp :threatgrid)
|
||
:user-id s/Str
|
||
:org-id s/Str}
|
||
{s/Any s/Any}))
|
||
(s/def UserClaims
|
||
{"cisco.com/iroh/user/id" s/Str
|
||
"cisco.com/iroh/user/name" s/Str
|
||
"cisco.com/iroh/org/id" s/Str
|
||
"cisco.com/iroh/org/name" s/Str
|
||
"cisco.com/iroh/roles" [s/Str]
|
||
;; see IROH-Auth JWT fields (remove all time-related ones)
|
||
})
|
||
(s/def User
|
||
(st/merge
|
||
{:enabled? s/Bool
|
||
:external-infos #{IdPMapping}}
|
||
PartialJWT
|
||
CRUDMetas))
|
||
#+END_SRC
|
||
|
||
**** Authorization DB / App DB
|
||
|
||
<<token-db>>
|
||
|
||
A refresh token are credentials representing the access granted by an user to
|
||
some client.
|
||
|
||
☞ Refresh tokens are typically long-lasting credentials used to request additional
|
||
access tokens, the refresh token is bound to the client to which it was issued.
|
||
(See https://tools.ietf.org/html/rfc6749#section-6)
|
||
|
||
So we should provide a mean for an user to revoke those accesses.
|
||
Remark the db should be populated via the =/authorize= endpoint.
|
||
|
||
There shouldn't be any way for an user to create or update an app, only delete.
|
||
|
||
Example:
|
||
|
||
#+BEGIN_SRC clojure
|
||
(s/defschema OAuthApp
|
||
{:id s/Str
|
||
:refresh-token s/Str
|
||
:client-id s/Str
|
||
(s/optional-key :client-name) s/Str
|
||
:authorized-date s/DateTime
|
||
:scopes #{Scope}})
|
||
#+END_SRC
|
||
|
||
**** OAUTH2 Routes
|
||
|
||
<<routes>>
|
||
|
||
We need to support the Code Grant so here is details about the workflow.
|
||
Note a lot of important details are in the RFC about how to handle those routes
|
||
securely.
|
||
Also, examples were modified so that the tokens are JWT.
|
||
|
||
***** Authorization Code Grant Worflow
|
||
|
||
The full details can be seen in the RFC: https://tools.ietf.org/html/rfc6749#section-4.1
|
||
|
||
Here some details were changed to adapt to our specifities (like using JWT).
|
||
|
||
The workflow is used to obtain both *access token* & *refresh tokens*.
|
||
Optimized for confidential clients.
|
||
|
||
1. client construct the request URI and redirect the
|
||
resource owner's user-agent to =/authorize= with the following params:
|
||
+ ~response_type~ REQUIRED. Must be ~code~.
|
||
+ ~client_id~
|
||
+ ~redirect_uri~ (OPTIONAL)
|
||
+ ~scope~ (OPTIONAL)
|
||
+ ~state~ (RECOMMENDED)
|
||
Example:
|
||
#+BEGIN_SRC
|
||
GET /authorize?response_type=code
|
||
&client_id=5fb04b9a-faad-11e7-8c3f-9a214cf093ae
|
||
&state=xyz
|
||
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
|
||
Host: server.example.co
|
||
#+END_SRC
|
||
2. Authorization Response. If auth is granted, then the auth server issues an
|
||
authorization code and delivers it to the client by adding the following
|
||
parameters to the query component of the redirection URI using the
|
||
"application/x-www-form-urlencoded" format.
|
||
+ ~code~ REQUIRED. auth code generated. Must expire shortly (10 min
|
||
recommended) and shouldn't be used more than once. If the code is used more
|
||
than once, should revoke all tokens previously issued based on that
|
||
authorization code.
|
||
+ ~state~ REQUIRED. Same value as the client provided.
|
||
3. Client makes a request to the token endpoint. Should contains the following params:
|
||
+ ~grant_type~ REQUIRED. must equal to ~authorization_code~.
|
||
+ ~code~ REQUIRED. The auth code received.
|
||
+ ~redirect_uri~ REQUIRED. Same as in the authorization request.
|
||
+ ~client_id~ REQUIRED. If the client is not authenticating with the auth server.
|
||
Example:
|
||
#+BEGIN_SRC
|
||
POST /token HTTP/1.1
|
||
Host: server.example.com
|
||
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
|
||
Content-Type: application/x-www-form-urlencoded
|
||
|
||
grant_type=authorization_code
|
||
&code=eyJh...SplxlOBeZQQYbYS6WxSbIA
|
||
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
|
||
#+END_SRC
|
||
4. Access Token Response.
|
||
If the access token is valid and authorized, the auth server issues an access
|
||
token and optional refresh token.
|
||
Example:
|
||
#+BEGIN_SRC
|
||
HTTP/1.1 200 OK
|
||
Content-Type: application/json;charset=UTF-8
|
||
Cache-Control: no-store
|
||
Pragma: no-cache
|
||
|
||
{
|
||
"access_token":"eyJh...2YotnFZFEjr1zCsicMWpAA",
|
||
"token_type":"example",
|
||
"expires_in":3600,
|
||
"refresh_token":"eyJh..tGzv3JOkF0XG5Qx2TlKWIA",
|
||
"example_parameter":"example_value"
|
||
}
|
||
#+END_SRC
|
||
|
||
☞ *Refres Token*: for this PR, refreshing a token shouldn't create another
|
||
=refresh-token=. That way our client won't need to update their credentials. But
|
||
that is an option to keep in mind.
|
||
|
||
***** IROH Specificities
|
||
|
||
In IROH we don't have internal user login/password.
|
||
But we have a =/login= route that redirect with a =jwt= containing credentials.
|
||
|
||
So if we reach =/authorize= with such a valid =jwt= then we could continue by
|
||
using the user creds, if on the other hand we don't have such =jwt= the
|
||
=/authorize= should make a "double" redirection.
|
||
One to =AMP= (or =TG= in the future) login page and then the user-agent should
|
||
be redirected with the same URI but this time, a JWT should be provided in the
|
||
Headers if possible.
|
||
And then, if the =authorize= is validated, it will redirect to the client.
|
||
|
||
***** Tokens/Code format
|
||
|
||
One easy way to handle the lifetime of tokens and code is to use JWT.
|
||
|
||
During the code grant, the call to =/authorize= should redirect the user to some
|
||
page where the user interact and grant the access to the client. The output of
|
||
this call, the user is redirected via its user-agent with a short-living "code".
|
||
|
||
#+BEGIN_SRC clojure
|
||
(s/defschema IROHJWT ...) ;; see iroh-auth current JWT format
|
||
(s/defschema OAuthAuthorizeCode
|
||
(st/merge IROHJWT
|
||
{:kind (s/enum :grant)
|
||
:grant-type (s/enum :authorization-code)
|
||
:client-id s/Str}))
|
||
#+END_SRC
|
||
|
||
Such JWT MUST be REFUSED if used directly to access a protected resource.
|
||
|
||
Such =OAuthAuthorizedCode= should only be used to access the =/token= endpoint.
|
||
The =/token= endpoint will in turn returns two JWT.
|
||
The /access-token/ and the /refresh-token/.
|
||
|
||
- /access-tokens/ are the only token which grant access to protected resources.
|
||
- /refresh-tokens/ can be used to get /access-tokens/ without resource-owner interaction.
|
||
|
||
Proposed schemas:
|
||
|
||
#+BEGIN_SRC clojure
|
||
(s/defschema OAuthAccessToken
|
||
(st/merge IROHJWT
|
||
{:kind (s/enum :access-token)
|
||
:user-id s/Str
|
||
:client-id s/Str
|
||
:scopes #{Scope}))
|
||
|
||
(s/defschema OAuthRefreshToken
|
||
(st/merge IROHJWT
|
||
{:kind (s/enum :refresh-token)
|
||
:app-id s/Str
|
||
:user-id s/Str
|
||
:client-id s/Str
|
||
:scopes #{Scope}}))
|
||
#+END_SRC
|
||
|
||
So when asking for a refresh token we could check the statuses of the user,
|
||
the client and the refresh-token.
|
||
|
||
**** Protected Resource Middleware
|
||
|
||
<<middleware>>
|
||
|
||
The current JWT middleware should be modified to only accept =:access-token= JWT
|
||
for protected resources routes.
|
||
|
||
There should more specific JWT system to handle the =/authorize= and =/token= routes.
|
||
|
||
**** Frontend
|
||
|
||
<<frontend>>
|
||
|
||
***** Become OAuth2 compliant
|
||
|
||
Visibility/IROH-UI should also become a "client".
|
||
And thus some minor changes should be done.
|
||
Instead of going to =/login= Visibility should access =/authorize= with the
|
||
following parameters:
|
||
|
||
- ~response_type~ value MUST be ~token~
|
||
- ~client_id~ the client id for visibility
|
||
- ~redirect_uri~ (as it is today)
|
||
- ~scope~ (the list of scopes Visibility need to access)
|
||
- ~state~ (the inner state of the app, the parameter as another name today)
|
||
|
||
The response format will also be slightly changed.
|
||
The fragment of the URL will contain:
|
||
|
||
- ~access_token~ (previously was ~jwt~)
|
||
- ~token_type~ should be ~bearer~
|
||
- ~scope~ OPTIONAL if identical to the scope requested by the client; REQUIRED otherwise
|
||
- ~state~ the state provided in the request
|
||
|
||
It is up to the server to make the same workflow than with the previous =/login=
|
||
|
||
***** App Dahsboard
|
||
|
||
Make an app dashboard to help users manage their authorized apps.
|
||
It should be inspired by the features of the API.
|
||
Only ability to revoke/delete some app.
|
||
|
||
***** IROH-Admin only dahsboard to manage clients
|
||
|
||
Have a dashboard for IROH-Admin only to manage clients.
|
||
Typically block accesses to a client but also change the client properties.
|
||
|
||
***** Create an IROH-Admin only dahsboard to manage users (revoke, etc...)
|
||
|
||
Have a dashboard for IROH-Admin only to manage users and be able to block some.
|
||
|
||
**** Scopes
|
||
|
||
<<scopes>>
|
||
|
||
While we can easily update scopes in the future.
|
||
We should start with a sane convention.
|
||
|
||
A scope should match the following regex: ~\w+[\w\d_-]*(/\w+[\w\d_-]*)*(:\w+[\w\d_]*)?~
|
||
|
||
A nicer way to look at it is that it should have the following format:
|
||
|
||
- =<high-level-api>=
|
||
- =<high-level-api>(:<access-type>)?=
|
||
- =<high-level-api>(/subset)*(:<access-type>)?=
|
||
|
||
Mainly identifier with potential =:= followed by another identifier.
|
||
The main format is: =<api>= or =<api>:<access-restriction>=.
|
||
|
||
For example: ~enrich~, ~enrich:read~, ~enrich/observe~ or ~enrich/observe:read~.
|
||
|
||
In order to filter access, if a JWT contains the following scopes:
|
||
|
||
#+BEGIN_SRC clojure
|
||
["ui-settings","enrich:read","collect/inspect"]
|
||
#+END_SRC
|
||
|
||
The mean the JWT can access all the routes with the following scopes:
|
||
|
||
- ~ui-settings:read~
|
||
- ~ui-settings:write~
|
||
- ~enrich/observe:read~
|
||
- ~enrich/enrich:read~
|
||
- ~enrich/deliberate:read~
|
||
- ~enrich/settings:read~
|
||
- ~collect/inspect:read~
|
||
|
||
But shouldn't access the following scopes:
|
||
|
||
- ~auth/client-mgmt:write~
|
||
- ~enrich/enrich:write~
|
||
- ~enrich/settings:write~
|
||
- ~collect/config~
|
||
|
||
Here is the exhaustive list of our exposed web services and the proposed scope prefix:
|
||
|
||
| route | scope |
|
||
|-------------------+-------------|
|
||
| /iroh-ui-settings | ui-settings |
|
||
| /iroh-auth | auth |
|
||
| /iroh-auth-mgmt | auth/mgmt |
|
||
| /fake-iroh-auth | auth/fake |
|
||
| /iroh-enrich | enrich |
|
||
| /iroh-response | response |
|
||
| /iroh-inspect | inpect |
|
||
|
||
When the route change some inner state (like writing to some store/db, then we
|
||
should use the ~write~ access-restriction. Otherwise the access restriction
|
||
should be ~read~.
|
||
|
||
Depending on the routes we should also add subsets. Typically:
|
||
|
||
- ~auth/mgmt/jwt-revoke~
|
||
- ~auth/mgmt/saml-org-whitelist~
|
||
|
||
☞ *Scope Accesses*: the scopes granted to an access-token MUST always be a
|
||
subset of the intersection of the scopes of the client and the scopes of the
|
||
user.
|
||
|
||
**** Documentation
|
||
|
||
<<doc>>
|
||
|
||
We should write a clear documentation to help 3rd party developer use our API
|
||
via OAuth2.
|
||
** OAuth2 Epics (3rd pass)
|
||
|
||
*** SPA compatible OAuth2
|
||
|
||
Provide a way for any website to use OAuth2 and make call to IROH API. Typically
|
||
make it easy to create a generic casebook lib or even perhaps a web browser
|
||
plugin that could work on any website.
|
||
|
||
**** Issues
|
||
|
||
- [ ] Support Auth-code without client password
|
||
- [ ] Support CORS that use informations from the access token
|
||
- [ ] Documentation:
|
||
- [ ] Write a document/blog post for developers
|
||
- [ ] Make a demo website if possible using a 3rd party lib like hello.js
|
||
- [ ] Provide a lib (for example a module for hello.js)
|
||
|
||
*** User's made OAuth2 clients
|
||
|
||
Users should be able to create OAuth2 clients with some limitations regarding
|
||
response and passwordless client.
|
||
|
||
IROH Admin users should create OAuth2 clients without scope limitation and
|
||
should be able to create public clients (destined for SPA).
|
||
|
||
**** Issues
|
||
|
||
- [ ] Decide if we authorize any user to create a public OAuth2 client that are
|
||
needed for SPA clients (see https://tools.ietf.org/html/rfc6749#section-2.1)
|
||
- [ ] User can access a webpage to manage their OAuth app grants #iroh-ui
|
||
- [ ] Provide the ability for user to create OAuth2 clients
|
||
- [ ] Forbid any client to require any `response/*:write` scope
|
||
- [ ] Provide urls to make all response using HTLM pages generated by Visibility
|
||
|
||
*** Internal User Representation
|
||
|
||
Currently all the data about an user is provided via the generation of IROH Auth JWT.
|
||
|
||
This kind of limit our ability to manage user access.
|
||
For example, while we can currently revoke access to any user given its id it would be
|
||
difficult to limit an user scope.
|
||
|
||
Also without an internal user representation it is not possible to merge
|
||
different IdP for the same user.
|
||
|
||
In the future it might also be useful to have Visibility only user preferrences.
|
||
|
||
**** Issues
|
||
|
||
- [ ] Write a documentation about how we should manage internal representation.
|
||
Also how to deal with default org, preferred IdP, etc...
|
||
- [ ] Write IROH admin-only, routes and service to
|
||
- create an user and generate its id
|
||
- search an user by either internal id or other 3rd party user id (typically
|
||
AMP or TG user id)
|
||
- revoke access to an user
|
||
- change authorized scopes of an user
|
||
|
||
*** OAuth2 Client Credentials Grant
|
||
|
||
Support OAuth2 Client Credentials grant which is really useful for scripts.
|
||
Mainly the workflow should be:
|
||
|
||
1. The user create a new confidential client with only client credential grant.
|
||
2. The user is returned with a client-id / client-password
|
||
3. The script can use those client creds to retrieve access only for that user.
|
||
|
||
|
||
- [ ] =[#C]= Write a Service to manage Users with the following methods:
|
||
- [ ] =[#C]= Create an user and generate its id. To be used for new login of still unkown user.
|
||
- [ ] =[#C]= search an user by internal id or 3rd party User id (typically AMP user id)
|
||
- [ ] =[#C]= revoke an user
|
||
- [ ] =[#C]= change scopes of an user
|
||
- [ ] =[#C]= Write routes restricted to IROH-Admins to manage Users
|
||
- [ ] =[#C]= GET =/users= returns a list of users
|
||
- [ ] =[#C]= GET =/users/:user-id= returns the specific user infos
|
||
- [ ] =[#C]= PUT =/users/:user-id= update an user, either revoke access or change scope
|
||
|
||
**** Issues
|
||
|
||
- [ ] Support Client Credentials Grant (for confidential client only, see
|
||
https://tools.ietf.org/html/rfc6749#section-4.4)
|
||
|
||
***** Client DB
|
||
|
||
- [ ] =[#C]= Write a service to manage clients
|
||
- [ ] =[#C]= Write routes to manage OAuth2 clients
|
||
- [ ] =[#C]= POST =/clients= (the server sets the ~:id~ and returns the ~:password~
|
||
in clear text, in the DB the password should be encrypted).
|
||
- [ ] =[#C]= GET =/clients= (the ~:password~ field should be obfuscated)
|
||
- [ ] =[#C]= GET =/clients/:id= (the ~:password~ field should be obfuscated)
|
||
- [ ] =[#C]= PUT =/clients/:id= to revoke a client access (the ~:password~ field should be obfuscated)
|
||
- [ ] =[#C]= DELETE =/clients/:id= to revoke a client access (the ~:password~ field should be obfuscated)
|
||
|
||
***** User DB
|
||
|
||
- [ ] =[#C]= Write a Service to manage Users with the following methods:
|
||
- [ ] =[#C]= Create an user and generate its id. To be used for new login of still unkown user.
|
||
- [ ] =[#C]= search an user by internal id or 3rd party User id (typically AMP user id)
|
||
- [ ] =[#C]= revoke an user
|
||
- [ ] =[#C]= change scopes of an user
|
||
- [ ] =[#C]= Write routes restricted to IROH-Admins to manage Users
|
||
- [ ] =[#C]= GET =/users= returns a list of users
|
||
- [ ] =[#C]= GET =/users/:user-id= returns the specific user infos
|
||
- [ ] =[#C]= PUT =/users/:user-id= update an user, either revoke access or change scope
|
||
|
||
***** Frontend
|
||
|
||
- [ ] Create an admin UI for any user to manage OAuth clients
|
||
|
||
*** IROH Admin Dashboard
|
||
|
||
It would be very effective to have a dashboard instead of just using the
|
||
swagger-ui. The dashboard would make it easy to centralize the access of all
|
||
informations as well as administration tasks.
|
||
|
||
Typically:
|
||
|
||
- be able to see some IROH logs filtered by some keywords, and be able
|
||
to revoke an user or an OAuth client. Also be able to change the scopes of some
|
||
clients.
|
||
- Provide the ability to force all user to be prompted to grant access again to
|
||
some client, etc...
|
||
|
||
*** OAuth2 Enhancements
|
||
|
||
Many OAuth2 feature should be enabled in order to provide the best security.
|
||
|
||
- [ ] Automatically revoke refresh token access if the code was used more than once.
|
||
|
||
Archived entries from file /Users/yaesposi/.deft/Cisco.org.gpg
|
||
|
||
|
||
* [#C] Scopes Dictionary
|
||
:PROPERTIES:
|
||
:ARCHIVE_TIME: 2019-01-09 Wed 10:53
|
||
:ARCHIVE_FILE: ~/.deft/Cisco.org.gpg
|
||
:ARCHIVE_OLPATH: Epics
|
||
:ARCHIVE_CATEGORY: Cisco.org
|
||
:END:
|
||
|
||
Regarding access right of API consumer this is enforced via scopes.
|
||
|
||
There are low-level scopes. Mostly one for each route. To help represent
|
||
coherent groups the scopes are organized as a tree whose leaves are tagged
|
||
either by read or write.
|
||
|
||
For example if an user has the scopes ~["foo/bar:read" "baz"]~
|
||
He'll could access all routes with those scopes:
|
||
|
||
- ~foo/bar:read~
|
||
- ~foo/bar/baz:read~
|
||
- ~foo/bar/baz/quux:read~
|
||
- ~baz:write~
|
||
- ~baz/x/y:write~
|
||
|
||
But he won't be granted the access to:
|
||
|
||
- ~bad:read~
|
||
- ~foo/bar:write~
|
||
- ~foo/bar/baz:write~
|
||
|
||
The problem with this organisation is that it's somehow too technical. This is
|
||
why we need to introduce high-level abstracts scopes to give meaningful names to
|
||
precise subsets of route access.
|
||
|
||
To that end we should provide a dictionnary (with schema
|
||
~{s/Str {:scopes #{s/Str}} :name s/Str :description s/Str}~):
|
||
|
||
#+BEGIN_SRC clojure
|
||
{"importer" {:scopes #{"collect" "ctia:read"}
|
||
:name "Importer"
|
||
:description "This client would like to be able to import events into
|
||
your private intel store,
|
||
and needs some limited read permissions as well"}
|
||
...
|
||
}
|
||
#+END_SRC
|
||
|
||
Technically it would simply mean that if an user has the scope "importer" we'll look into that
|
||
dictionnary to provide him the technical scopes.
|
||
Furthermore we'll be able to look into this dictionary to provide a meaninful name and description
|
||
to the user when he's asked to grant some access to some 3rd party app (OAuth client).
|
||
|
||
Archived entries from file /Users/yaesposi/.deft/Cisco.org.gpg
|
||
|
||
|
||
* DONE Document for Raghavaiah
|
||
CLOSED: [2018-11-28 Wed 18:01]
|
||
:PROPERTIES:
|
||
:ARCHIVE_TIME: 2019-01-09 Wed 10:54
|
||
:ARCHIVE_FILE: ~/.deft/Cisco.org.gpg
|
||
:ARCHIVE_CATEGORY: Cisco.org
|
||
:ARCHIVE_TODO: DONE
|
||
:END:
|
||
|
||
** Frank's proposal; Auth config untangling
|
||
|
||
IROH Auth and SSE staging config changes to correctly link environments and improve naming
|
||
|
||
*** INT
|
||
**** idb-amp-staging / selector: amp
|
||
|
||
This is actually pointing to QA1 on the AMP side. We should name it as such.
|
||
|
||
- CTR
|
||
- Change identifier to `idb-amp-qa1`
|
||
- Change name to `AMP QA1`
|
||
- Change selector to `amp-QA1`
|
||
|
||
- SSE IDB
|
||
- Change selector to `amp-qa1`
|
||
|
||
**** idb-tg-staging / selector: tg
|
||
|
||
This is TG INT, just need a rename
|
||
|
||
- CTR
|
||
- Change identifier to `idb-tg-int`
|
||
|
||
- SSE IDB
|
||
- CHange selector to `tg-int`
|
||
|
||
*** TEST
|
||
**** idb-amp-staging / selector: amp
|
||
|
||
This needs to go to AMPs SDC environment instead. We'll need a new auth provider setup on the SSE side for AMP SDC
|
||
|
||
- CTR
|
||
- Change identifier to `idb-amp-sdc`
|
||
- Change name to `AMP SDC`
|
||
- Change selector to `amp-sdc`
|
||
|
||
- SSE IDB
|
||
- New auth provider with URL: https://auth-ext.qa1.immunet.com/
|
||
- Selector `amp-sdc`
|
||
|
||
**** idb-tg-staging / selector: tg
|
||
|
||
This will need to point at the TG TEST environment, not INT. It'll also need a new auth provider be created in the IDB
|
||
|
||
- CTR
|
||
- Change identifier to `idb-tg-test`
|
||
- Change name to `Threat Grid TEST`
|
||
- Change selector to `tg-test`
|
||
|
||
- SSE IDB
|
||
- New auth provider with URL: https://test.threatgrid.com/ (Frank to create new oauth2 client if needed)
|
||
- Selector`tg-test`
|
||
|
||
** Proposal
|
||
|
||
To help people manage all the IDB clients and connection we would like to follow a stricter naming convention.
|
||
|
||
There are many different named entities:
|
||
|
||
- IROH IdP id
|
||
- IDB selector
|
||
- IROH-UI button label
|
||
|
||
The IROH IdP id is used in the =redirect_uri= that should be configured in the
|
||
IDB client.
|
||
|
||
Also there are two different IDB environment. IDB prod and IDB stage.
|
||
|
||
Each client should also point to some IdP environment, typically, AMP NAM Prod,
|
||
or AMP QA1, or AMP SDC.
|
||
|
||
The namin convention should make it clear what IDB instance is used as well as
|
||
with IdP it targets, in particular we should make each region explicit.
|
||
|
||
Note all point prefixed by =IDB= are the information needed by the SSE/IDB team.
|
||
|
||
*** INT
|
||
**** AMP
|
||
|
||
Note: I think it should point to AMP prod as before to prevent the use of the VPN
|
||
to login to INT
|
||
|
||
- IROH IdP id: idb-stage-amp-nam
|
||
- IDB env: Stage
|
||
- IDB selector: idb-stage-amp-nam
|
||
- IDB redirect uris:
|
||
- https://visibility.int.iroh.site/iroh/iroh-auth/login/idb-stage-amp-nam/answer
|
||
- https://localhost:5443/callback
|
||
- IDB IdP Target: https://auth.amp.cisco.com/auth/session/new
|
||
- IROH-UI button label: Cisco Security
|
||
|
||
**** TG
|
||
|
||
- IROH IdP id: idb-stage-tg-int
|
||
- IDB env: Stage
|
||
- IDB selector: idb-stage-tg-int
|
||
- IDB redirect uris:
|
||
- https://visibility.int.iroh.site/iroh/iroh-auth/login/idb-stage-tg-int/answer
|
||
- https://localhost:5443/callback
|
||
- IDB IdP Target: https://int.threatgrid.com/oauth2/authorize
|
||
- IROH-UI button label: Cisco Security
|
||
|
||
*** PROD NAM
|
||
**** AMP
|
||
|
||
- IROH IdP id: idb-amp-nam
|
||
- IDB env: Prod
|
||
- IDB selector: idb-amp-nam
|
||
- IDB redirect uris:
|
||
- https://visibility.amp.cisco.com/iroh/iroh-auth/login/idb-amp-nam/answer
|
||
- IDB IdP Target: https://auth.amp.cisco.com/auth/session/new
|
||
- IROH-UI button label: Cisco Security
|
||
|
||
**** TG
|
||
|
||
- IROH IdP id: idb-tg-nam
|
||
- IDB env: Prod
|
||
- IDB selector: idb-tg-nam
|
||
- IDB redirect uris:
|
||
- https://visibility.amp.cisco.com/iroh/iroh-auth/login/idb-tg-nam/answer
|
||
- https://visibility.apjc.amp.cisco.com/iroh/iroh-auth/login/idb-tg-nam/answer
|
||
- https://visibility.test.iroh.site/iroh/iroh-auth/login/idb-tg-nam/answer
|
||
- IDB IdP Target: https://panacea.threatgrid.com
|
||
- IROH-UI button label: Threat Grid
|
||
|
||
*** PROD EU
|
||
**** AMP
|
||
|
||
- IROH IdP id: idb-amp-eu
|
||
- IDB env: Prod
|
||
- IDB selector: idb-amp-eu
|
||
- IDB redirect uris:
|
||
- https://visibility.eu.amp.cisco.com/iroh/iroh-auth/login/idb-amp-eu/answer
|
||
- https://visibility.test.iroh.site/iroh/iroh-auth/login/idb-amp-eu/answer
|
||
- IDB IdP Target: https://auth.eu.amp.cisco.com/auth/session/new
|
||
- IROH-UI button label: Cisco Security
|
||
|
||
**** TG
|
||
|
||
- IROH IdP id: idb-tg-eu
|
||
- IDB env: Prod
|
||
- IDB selector: idb-tg-eu
|
||
- IDB redirect uris:
|
||
- https://visibility.eu.amp.cisco.com/iroh/iroh-auth/login/idb-tg-eu/answer
|
||
- https://visibility.test.iroh.site/iroh/iroh-auth/login/idb-tg-eu/answer
|
||
- IDB IdP Target: https://panacea.threatgrid.eu
|
||
- IROH-UI button label: Threat Grid
|
||
|
||
*** PROD APJC
|
||
**** AMP
|
||
|
||
- IROH IdP id: idb-amp-apjc
|
||
- IDB env: Prod
|
||
- IDB selector: idb-amp-apjc
|
||
- IDB redirect uris:
|
||
- https://visibility.apjc.amp.cisco.com/iroh/iroh-auth/login/idb-amp-eu/answer
|
||
- https://visibility.test.iroh.site/iroh/iroh-auth/login/idb-amp-apjc/answer
|
||
- IDB IdP Target: https://auth.apjc.amp.cisco.com/auth/session/new
|
||
- IROH-UI button label: Cisco Security
|
||
|
||
**** TG
|
||
|
||
This one is the same as the TG for prod. TG doesn't have an APJC endpoint for login.
|
||
|
||
- IROH IdP id: idb-tg-nam
|
||
- IDB env: Prod
|
||
- IDB selector: idb-tg-nam
|
||
- IDB redirect uris:
|
||
- https://visibility.amp.cisco.com/iroh/iroh-auth/login/idb-tg-nam/answer
|
||
- https://visibility.apjc.amp.cisco.com/iroh/iroh-auth/login/idb-tg-nam/answer
|
||
- https://visibility.test.iroh.site/iroh/iroh-auth/login/idb-tg-nam/answer
|
||
- IDB IdP Target: https://panacea.threatgrid.com
|
||
- IROH-UI button label: Threat Grid
|
||
|
||
*** TEST
|
||
|
||
For test, we should want to be able to login through many different envs to
|
||
check none is broken or a future change won't break our login.
|
||
|
||
So the "classical integration with test envs".
|
||
|
||
**** TEST IdPs
|
||
|
||
***** AMP SDC
|
||
|
||
- IROH IdP id: idb-stage-amp-sdc
|
||
- IDB env: Stage
|
||
- IDB selector: idb-stage-amp-sdc
|
||
- IDB redirect uris:
|
||
- https://visibility.test.iroh.site/iroh/iroh-auth/login/idb-stage-amp-sdc/answer
|
||
- https://localhost:5443/callback
|
||
- IDB IdP Target: https://auth-ext.qa1.immunet.com/
|
||
- IROH-UI button label: AMP SDC
|
||
|
||
***** TG Test
|
||
|
||
- IROH IdP id: idb-stage-tg-test
|
||
- IDB env: Stage
|
||
- IDB selector: idb-stage-tg-test
|
||
- IDB redirect uris:
|
||
- https://visibility.int.iroh.site/iroh/iroh-auth/login/idb-stage-tg-test/answer
|
||
- https://localhost:5443/callback
|
||
- IDB IdP Target: https://test.threatgrid.com/oauth2/authorize
|
||
- IROH-UI button label: Cisco Security
|
||
|
||
**** Prod Logins
|
||
|
||
Instead of duplicate the infos, we should copy all buttons from the 3 prod regions.
|
||
Note it will only create 5 buttons instead of 6 because there is no TG APJC login page.
|
||
|
||
|
||
* Daily Standup Meeting
|
||
:PROPERTIES:
|
||
:ARCHIVE_TIME: 2019-03-15 Fri 09:49
|
||
:ARCHIVE_FILE: ~/.deft/Cisco.org.gpg
|
||
:ARCHIVE_OLPATH: Meetings
|
||
:ARCHIVE_CATEGORY: Cisco.org
|
||
:ARCHIVE_ITAGS: noexport_1
|
||
:END:
|
||
** <2019-02-27 Wed>
|
||
*** release 1.19
|
||
- There are a few blockers. About redirections. 52 PR in IROH Services. 13 PR for UI.
|
||
- #1044, login account, wrong link to AMP instead of TG if you login via TG.
|
||
|
||
We should be able to cut the release, and fix those during the release.
|
||
|
||
*** individual updates
|
||
**** Yann
|
||
Open Entitlement in progress.
|
||
**** Paula
|
||
Working on Asami. Tomorrow working in SF.
|
||
**** Rekha
|
||
Incident detail page.
|
||
**** Mike
|
||
Working with Nola on session.
|
||
Help Rekha with some bugs.
|
||
JWT session work today and help Rekha.
|
||
**** Matt
|
||
SMA module. Extract hash file and filename from message details from SMA.
|
||
**** Jesse
|
||
Incident related things. Working on speed issues.
|
||
**** Guillaume Ereteo
|
||
CTIA Investigate. New route in CTIA to use POST.
|
||
**** Anglea
|
||
Cut an ATS integration release.
|
||
Added a health call, writting up how to configure the module.
|
||
**** Alex
|
||
Merge Talos IP, a PR related to a cryptominer malware.
|
||
**** Mary
|
||
Working on help topics for the Umbrella module.
|
||
Trying to create the wireframe for help topics.
|
||
Going back to TG tomorrow.
|
||
*** UI/UX
|
||
Graph should be able for review on Friday.
|
||
*** Misc
|
||
Jesse:
|
||
- UI Staging broken, should be fixed
|
||
|
||
** <2019-02-25 Mon>
|
||
** <2019-01-18 Fri>
|
||
*** Individual update
|
||
**** Yann
|
||
- merged user lookup API
|
||
- long talk to make that better for the front, unfortunately difficult to
|
||
achieve
|
||
** <2019-01-23 Wed>
|
||
|
||
rel 1.16
|
||
ops report
|
||
design updates
|
||
individual updates
|
||
|
||
*** ops
|
||
Posted in IROH Ops channel
|
||
Everything seems ok
|
||
Be able to release? no config change, so should be ok
|
||
*** rel 1.16
|
||
- Blocker is still open iroh-ui#1030
|
||
- Blocker about doc
|
||
- Everything else look fine
|
||
*** Individual update
|
||
|
||
**** GE
|
||
Investigating a problem with Yann (test fail locally but not in CI)
|
||
**** Angela
|
||
working on ATS duplicate module fixes
|
||
we have some merging we have to do.
|
||
**** Paula
|
||
Working on with Jesse on a lib to be included in iroh UI.
|
||
Helping Mike with onboarding.
|
||
**** Jesse
|
||
follow up. #1030 I should look into it. Then back to incident manager
|
||
**** Matt
|
||
lot of rate limiting API, starting to introduce caching
|
||
**** Mike
|
||
I am trying to make the application run in my local machine
|
||
**** Nola
|
||
CVO is working.
|
||
Some PR this morning, refactor a bit for the Incident.
|
||
**** Yann
|
||
PR about split admin/non-admin fichinshed.
|
||
Should first fix the master test issue. Travis are ok, but local test fail.
|
||
*** UX Design update
|
||
Sam: will discuss with Craig to see if everythin on track.
|
||
Brian, New investigation page content? nothing special to comment on.
|
||
Open issues on other boards is for making sure other things are done.
|
||
|
||
*** Design update
|
||
|
||
** <2019-01-11 Fri>
|
||
*** Ops Weather Report
|
||
- NGFW Incident Manager in end of the month. Write speed limit in our
|
||
cluster. We should keep track of health.
|
||
- Lot of rate-limiting on Umbrella queries, we pull a list of domain from
|
||
the platform API. That is in the platform API.
|
||
*** Individual Reports
|
||
**** Alex
|
||
All of my dev env setup on the new laptop.
|
||
**** Angela
|
||
**** GE
|
||
- did my first PR, I have comments from Guillaume
|
||
**** Jesse
|
||
- Incident tickets (Incident Manager UI)
|
||
**** Matt
|
||
- dynamic resolution for SSE Proxy URL
|
||
**** Nola
|
||
...
|
||
**** Paula
|
||
react column resizing, sorting
|
||
**** Yann
|
||
- merged a PR yesterday for adding better logs of SSE HTTP calls
|
||
- waiting a review for a PR that fix the whoami with transit+json (pb with
|
||
dates)
|
||
- I think there are some work to be done to prepare for the split between
|
||
admin/non-admin roles in IROH. That will certainly help or be related to
|
||
the Open Enrolment. Like having unshared user's modules
|
||
*** Design
|
||
**** SAM
|
||
- Support Incident Manager
|
||
- Engaging users from Snehal
|
||
**** Brian
|
||
- Thanks to Guillaume to discuss with me yesterday
|
||
** <2019-01-09 Wed>
|
||
secretary: GE
|
||
|
||
*** Ops
|
||
|
||
- Looks good
|
||
- conf change by Matt
|
||
|
||
*** Reports
|
||
|
||
**** Angela
|
||
Introduction: setup dev env
|
||
|
||
**** Brian/Sam design update
|
||
I'm out of the CTR world.
|
||
Incident manager, detail fields.
|
||
|
||
|
||
**** G2
|
||
Work on CTIA investigate route
|
||
|
||
**** Lance
|
||
Support Incident manager
|
||
|
||
**** Matthieu
|
||
Dynamic resolution of URL for the API Proxy based on the SSE team recommendation
|
||
Working with Naasief for a lot of SMA issues
|
||
|
||
**** Nola
|
||
Miss CSS
|
||
|
||
**** Paula
|
||
Helper Jesse clear away the principal stuff with UI. Layout with incident happening.
|
||
Fixing some bugs with React (ticket number 1045), table column resizing.
|
||
|
||
**** Sam
|
||
Nothing to add
|
||
|
||
**** Yann
|
||
Working on issues.
|
||
|
||
**** Neel (QA)
|
||
Test cases for casebook
|
||
** <2019-01-08 Tue>
|
||
|
||
*** OPS
|
||
|
||
- quiet week
|
||
- details in the channel
|
||
|
||
*** Release Status
|
||
|
||
*** Angela
|
||
|
||
- Austin Office
|
||
- Face in Austin
|
||
|
||
** <2019-01-04 Fri>
|
||
- ops: quiet
|
||
|
||
Individual updates:
|
||
|
||
- Jesse: interaction diagram for incident manager
|
||
- Nola: environment setups (working on #1030)
|
||
- Paula: regression in cljs, implemented incident service in ticket #37
|
||
- Houman: pretty quiet for us, working on automation test
|
||
- Guillaume: triaging issues backlog
|
||
|
||
UX update:
|
||
|
||
- Samuel: Interview next week, need to sync up with Brian
|
||
|
||
Doc update:
|
||
|
||
- help topic to include un 1.16 for SMA, lot of help need to be done, lot of
|
||
draft must be converted to markdown, and working on the content of the module
|
||
details. Replace "configure module" by "add module". Also casebook help should
|
||
change a bit to handle application.
|
||
|
||
Make a specific page by user provenance on the homepage. Add first, then configure.
|
||
|
||
** <2018-12-07 Fri>
|
||
*** Topics
|
||
Paula secretary
|
||
|
||
- rel 1.15
|
||
- ops
|
||
- individual updates
|
||
- demo with Dean, Al, etc...
|
||
*** Ops
|
||
Nothing
|
||
*** Rel
|
||
- Pb with SMA, discussion with SSE team
|
||
- new branch should be done for the Frontend
|
||
** <2018-11-28 Wed>
|
||
|
||
*** release 1.14
|
||
|
||
- blocker yesterday, should be a fix
|
||
- something strange with the OAuth2 workflow
|
||
|
||
Alex: we've got a lot of discovered blocker 24h before launch.
|
||
wonder if we should change something
|
||
|
||
|
||
*** Ops report
|
||
|
||
all good
|
||
|
||
*** Individual Report
|
||
|
||
**** Nola
|
||
- Working with Mary
|
||
- Need to make a fix
|
||
- Jesse to clean the code
|
||
|
||
**** Jesse
|
||
|
||
- working toward support the incident
|
||
- SMA integration mostly there
|
||
|
||
Matt: all the code should be done, I can help
|
||
|
||
|
||
**** Matt
|
||
|
||
- Fix a bug on CTIA
|
||
- Tested crosslaunch, doesn't workf the 1st time.
|
||
- working on adding pagination
|
||
|
||
**** Yann
|
||
|
||
- SSE Tenant to JWT proxy
|
||
- IDB conf
|
||
- fixes
|
||
|
||
**** Alex
|
||
|
||
cssv2, to be able to push lot of new entities in ctia
|
||
|
||
*** UX Design Report
|
||
|
||
**** Samuel
|
||
|
||
- will help with documentation SMA
|
||
|
||
** <2018-11-26 Mon>
|
||
|
||
Craig: let's keep it really short.
|
||
|
||
** <2019-01-11 Fri>
|
||
|
||
** <2018-11-19 Mon>
|
||
*** Ops
|
||
- Some 500, French were reported about it
|
||
*** UI
|
||
Craig: metrics bars and other metrics remarks
|
||
*** Individual reports
|
||
**** Nola
|
||
- test failed for the login page due to scrolling.
|
||
- Craig: 5 buttons are more than we really ever deploy.
|
||
**** Paula
|
||
- Ticket #1000, working with Jesse this afternoon to track that down
|
||
**** Jesse
|
||
- found and fixed the Target bug
|
||
**** Alex
|
||
- wrapping up relationship updates
|
||
- working on turning some Umbrella data to CTIM bundles
|
||
**** Matt
|
||
- start to test SSE modules
|
||
**** Yann
|
||
- working to add the IDB from prod
|
||
**** Craig
|
||
- offer to someone to joins Jesse's team
|
||
- more interview for UI
|
||
- Freeze on wednesday: focus on the SSE integration
|
||
*** JWT lifetime
|
||
- Craig: Ask bump to 24h for id_token.
|
||
|
||
** <2018-10-31 Wed>
|
||
*** Individual Reports
|
||
**** Yann
|
||
- Long call with SSE team Monday
|
||
- working toward integrating the IDB
|
||
- two modifications, one approved
|
||
- for now every flags are GREEN
|
||
- Here to help QA regarding clients management
|
||
** <2018-10-22 Mon>
|
||
*** Individual Updates
|
||
Worked with Matt to write down the complete workflow we need to use for the IDB
|
||
& SSE integration.
|
||
** <2018-10-10 Wed>
|
||
|
||
- PR about ODNS Error handling in review
|
||
- PR about SAML Issuers to unblock AMP IdP team
|
||
- Client doc PR still open but accepted
|
||
- SSE Integration, thinking about how we could not use the IDB as our main login access.
|
||
- Will get the stats for Eduardo (Thanks Daniel)
|
||
|
||
** <2018-10-01 Mon>
|
||
- individual reports
|
||
- Fixed a bug from Houman (waiting for review)
|
||
- Enhanced the CSV format to be closer to the one requested by Craig
|
||
- Will work on OpenDNS error handling next
|
||
** <2018-09-19 Wed>
|
||
*** Ops weather reports
|
||
John: casebook 500 detected
|
||
Guillaume: certainly will be a fix during next release.
|
||
*** Release report
|
||
Houman:
|
||
- cherry-picked few PRs
|
||
- waiting a fix on the relation graph
|
||
- no more blocker
|
||
*** Doc report
|
||
Mary:
|
||
- Working on the 1.9 release notes
|
||
- Perhaps I would create a summary.
|
||
- talking with Sam with adding online icon to the top of the casebook.
|
||
- Created an issue for creating those user accounts
|
||
|
||
Working on a doc plan, where could I write it?
|
||
Jesse: put that in the wiki of iroh-ui repo.
|
||
*** Personal report
|
||
**** Yann
|
||
- admin routes: not accessible yet on INT, need Daniel to work on it
|
||
- fixed some scopes on some routes that didn't had any (app-grant)
|
||
|
||
Next: extend clients creation abilities
|
||
**** Jesse
|
||
- fixing the bug. Hopefully fix it this morning.
|
||
**** Lance
|
||
- wireframe for CTR Enterprise integration
|
||
**** Matt
|
||
- finish PR about rate limiting
|
||
**** Nola
|
||
- Added a new tab on the size for casebook, test failed on selenium.
|
||
- Keep working on that
|
||
- Modified the timeline to make it more simpler
|
||
**** Paula
|
||
- Going through bugs, replays the queues issue
|
||
*** UX Update
|
||
Sam: doing some review yesterday By the end of this week, everything will be
|
||
complete and we'll move to next issue.
|
||
*** PTO
|
||
- Jesse: next Monday
|
||
- Paula: next week will go to a conference
|
||
- Mary: long weekend on October
|
||
|
||
** <2018-09-18 Tue>
|
||
- ops report: green
|
||
- release status:
|
||
- IROH board to fix
|
||
- fix for #750 and Jesse on it
|
||
-
|
||
** <2018-09-11 Tue> Secretary: Nola
|
||
*** Topics
|
||
- Ops report
|
||
- PR merged
|
||
*** PR merge
|
||
- tomorrow cut release branch by the end of the day
|
||
*** PTO
|
||
Craig: a week out of october 1st
|
||
Mary: long weekend in october
|
||
Paula: last week in september going to Strangeloop
|
||
Lance: las week in september
|
||
** <2018-09-10 Mon>
|
||
|
||
*** Yann
|
||
|
||
- Reviewed rate limiting Matt's PR
|
||
- Will work on next steps regarding browser plugin support for OAuth2. More
|
||
precisely ability to change the lifetime of JWT for access-token,
|
||
refresh-tokens, etc..
|
||
- Also just introduced benchmark tool for tk-store and checking if schema
|
||
validation doesn't cost too much
|
||
|
||
|
||
*** UX Design
|
||
|
||
*** IdP Issue
|
||
|
||
Frank dynamic, so we can put.
|
||
|
||
** <2018-08-14 Tue>
|
||
|
||
- Sound
|
||
- OPS
|
||
|
||
** <2018-08-17 Fri>
|
||
|
||
*** Topics
|
||
- Ops report
|
||
- Individual reports
|
||
- UI/UX report
|
||
- PTO
|
||
|
||
*** Ops report
|
||
|
||
Everything went completely drama free.
|
||
|
||
Alex: we need to start monitoring closer to the app, not only system monitoring.
|
||
Maybe we can have some conversion how to achieve that.
|
||
Like cert errors because a module isn't configured, etc...
|
||
|
||
action: meet next week.
|
||
|
||
*** Individual Reports
|
||
|
||
**** Chris
|
||
|
||
- in progress: table unification Issue #666 in the response repo
|
||
- fixing bugs this week
|
||
|
||
**** Jesse
|
||
|
||
- working with Paula and graph changes
|
||
|
||
**** Nola
|
||
|
||
- working on #638 on the table, added the headers and stuff.
|
||
|
||
**** Paula
|
||
|
||
- doing some merging necessary to fix a bug.
|
||
- want to see all the graph work in master.
|
||
|
||
**** Yann
|
||
|
||
- Fix an OAuth client CRUD bug due to lack of coercion with Postgres backend.
|
||
- Another PR to generalise how we handle coercion and data validation with our stores.
|
||
- Fix a log messages
|
||
|
||
**** Alex
|
||
|
||
- Necessary testing for Nation DB importer
|
||
- Some changes need to be made to CTIM & CTIA.
|
||
|
||
*** UX Design Update
|
||
|
||
- wireframe reviewed & will check with.
|
||
Craig: I'll check with you to review the wireframe.
|
||
|
||
*** PTO
|
||
|
||
Yann: two weeks
|
||
Chris: certainly take about 2 days next week.
|
||
|
||
** <2018-08-13 Mon> Secretary Paula
|
||
*** Individual report
|
||
**** Yann
|
||
***** Enhanced Client Creation
|
||
Handle Admin vs Non admin creation also better security
|
||
Pushed another commit on top of the Client Creation PR
|
||
|
||
Not major, still not totally minor.
|
||
|
||
Mainly now, admin can create any kind of
|
||
clients, with response scope and empty password.
|
||
|
||
The empty password creation will make me possible to work next on describing how
|
||
to use OAuth2 for frontend.
|
||
I'll just miss the CORS handling from JWT work.
|
||
|
||
** <2018-08-08 Wed> Secretary John
|
||
*** Individual Report
|
||
**** Yann
|
||
***** Done
|
||
- Reviewed GB PR
|
||
***** Doing
|
||
- Write Developper Doc
|
||
***** Blocked
|
||
- merge PR waiting for Daniel return
|
||
** <2018-08-07 Tue>
|
||
- release: ok
|
||
- ops: ok
|
||
*** Brian
|
||
|
||
Question selenium tests & iroh-test, all major browsers easy to write in clojure!
|
||
|
||
** <2018-08-06 Mon>
|
||
*** Bart resigned (by mail)
|
||
Craig: Bart resigned Friday by mail. I wouldn't encourage to do that in the
|
||
future. Please call me first.
|
||
*** Individual report
|
||
**** Yann
|
||
- Cleaning up my PR, waiting on Ops
|
||
- added the missing expires_in in the OAuth2 /token response
|
||
minor but really all devs aked for it
|
||
- NEXT: certainly work on the Entitlement issue
|
||
OR missing admin routes (all users, all orgs, all clients, etc...)
|
||
**** Nola
|
||
- Friday, talked and watched video.
|
||
- Today deep dive with Alex on the system, added some comments on tickets
|
||
**** Samuel
|
||
- Friday, work with Bart & Chris about their PR
|
||
**** Alex
|
||
- More orientation, on vuln DB & presentation to Dean
|
||
** <2018-08-03 Fri>
|
||
*** Topic
|
||
- Individual report
|
||
- ops report
|
||
- PTO in Canada
|
||
*** Individual Update
|
||
**** Paula
|
||
Bug tracked down and fixed.
|
||
**** Chris
|
||
OAuth is ready to be reviewed (PR open)
|
||
**** Jesse
|
||
COA demo, almost accomplished particularly since Paula fixed the bug.
|
||
**** Matt
|
||
Reviewed Yann's PR.
|
||
**** Yann
|
||
***** Client Creds PR accepted
|
||
will make some feedback fixes and I'll wait for Daniel to be able to merge it.
|
||
**** Nola
|
||
Met with Bart, debugging with clojurescript. Date formatting issue. No test function for date function.
|
||
Jesse: sound familiar, can help
|
||
**** Samuel
|
||
Documentation
|
||
**** Bart
|
||
opened PR
|
||
*** Ops Report
|
||
- 1.6 out Nothing
|
||
- 1.7 next week
|
||
*** Release Status
|
||
Everything look good.
|
||
Monday Holliday in Canada, having the thumbs up/down next week on tuesday.
|
||
|
||
** <2018-08-01 Wed>
|
||
*** Topics
|
||
- Blocking Bug #622 in IROH-UI
|
||
- ETA on fix
|
||
- Can we cherry pick the commit into 1.6?
|
||
- Operations Deploy Status
|
||
- Are we ready to deploy?
|
||
- Report on SSH access to VMs
|
||
- Individual Reports
|
||
- What's underway
|
||
- What's wrapped up
|
||
- PTO
|
||
- Update from Craig
|
||
*** Update from Craig
|
||
|
||
- Back from Michigan yesterday.
|
||
- Defining what we're commiting to deliver.
|
||
- Already started to work on or naturally on our roadmap
|
||
- User Provisionning Entitlement
|
||
- Device manager support
|
||
- Incident manager
|
||
- Casebook browser plugin
|
||
- Suggested COA (major bit of work for the UI team)
|
||
- Customer Success Support
|
||
- Open APIs:
|
||
- Client Creds
|
||
- rate limiting and relay modules
|
||
- NGFW Incident Flow
|
||
- SMA/ESA Integration
|
||
- Umbrella Enrichment
|
||
- Threatgrid Enrichment
|
||
- basic informations and start from there.
|
||
|
||
Production by 12/22/2018
|
||
|
||
Filtering node aggregation to come in the UI, but we don't commit to this.
|
||
Bug fixes.
|
||
*** Individual Reports
|
||
**** Bart
|
||
Pair programming with Nola to fix bugs
|
||
**** Chris
|
||
Writing tests for OAuth clients
|
||
**** Guillaume
|
||
Working on Epics & TLP stuff. Adding tests
|
||
**** Paula & Jesse
|
||
Pairing with Jesse, getting the full integration to demonstrate the graph update
|
||
with rules. Doing simple PoC at the moment.
|
||
**** Matt
|
||
Write test for setting enrichment for Umbrella Reporting API
|
||
PR in review.
|
||
**** Nola
|
||
Working with Bart to fix bugs and working with clojurescript
|
||
**** Sam
|
||
back from UX summit and I document some things and connecting with Bart & Chris.
|
||
**** Yann
|
||
Waiting to merge PR, working on Client OAuth Grant.
|
||
**** Alex
|
||
Weakness importer is done and ready for review. Starting work on NVD importer.
|
||
*** Blocking Bug #622
|
||
|
||
Jesse made the fix and approved by Bart yesterday.
|
||
Alex would like the fix to be cherry-picked and merge by Houman and deployed in prod.
|
||
(the relation graph misbehave).
|
||
|
||
Craig: we want to be able to make hotfix.
|
||
|
||
Alex created a new issue to add a regression test for that issue. Houman is the
|
||
day to cut the 1.7. Houman: I can start the release today. All PR appear to have
|
||
QA informations or be straightforward.
|
||
*** Ops
|
||
|
||
John: We'll try to deploy to APJC later.
|
||
*** PTO
|
||
|
||
Guillaume: tomorrow and Friday.
|
||
** <2018-07-25 Wed> Secretary Matt
|
||
*** Individual Reports
|
||
**** Yann
|
||
***** Done
|
||
***** Doing
|
||
****** User / Org DB.
|
||
Still working on User and Org DB PR.
|
||
Lot of tests and I'll certainly ask questions to Craig regarding some choices.
|
||
***** Blocked / Waiting
|
||
***** Next
|
||
** <2018-07-24 Tue>
|
||
|
||
Topics:
|
||
|
||
- release
|
||
- ops report
|
||
- release notes
|
||
|
||
*** Release
|
||
|
||
Houman:
|
||
- tickets are almost done, I don't see any major issue or blocker.
|
||
- Manual tests on IE and Firefox.
|
||
|
||
*** Operation Report
|
||
|
||
Nothing to report.
|
||
|
||
This afternoon 3pm Mountain Time, we'll meet to check thumbs up/thumbs down for deploying the release.
|
||
|
||
*** Release Notes
|
||
|
||
Alex: We need a better way to make release note.
|
||
|
||
- ideas: tags, git logs
|
||
- who should be in charge of writing them?
|
||
|
||
We'll wait for Craig to be present to discuss that again.
|
||
** <2018-07-23 Mon> Secretary Alex
|
||
*** Individual Reports
|
||
**** Yann
|
||
***** Done
|
||
***** Doing
|
||
****** User / Org DB.
|
||
Work on User and Org DB PR. The DBs should be filled during Authentication
|
||
activities. Should provide Ability to block user/orgs easily.
|
||
***** Blocked / Waiting
|
||
***** Next
|
||
** <2018-07-17 Tue>
|
||
*** Topics
|
||
|
||
- release update
|
||
- Operations weather report / pre-Daniel vacation send-off
|
||
- PTO
|
||
- Data Staging server on INT
|
||
|
||
I didn't though I would take days in July.
|
||
But I've got family coming by surprise, so I'll take Thursday and Friday.
|
||
And perhaps, I won't be there tomorrow afternoon.
|
||
** <2018-07-16 Mon>
|
||
*** Topics
|
||
|
||
- cutting a release on Wednesday
|
||
|
||
*** Individual Reports
|
||
**** Yann
|
||
***** Done
|
||
|
||
- Helped Raghavaiah Avula from SSE Identity Team with Matt. Provided him the
|
||
information about how to create an OAuth2 client in TG.
|
||
- Merged the AMP Metadata URL. Stricter than before, now all SP-URI should be
|
||
checked. Fixed that with Chris.
|
||
- Created an Issue in Tenzin to deploy that metadata URL. As we don't have
|
||
strict delivery date, Daniel proposed to make that change for 1.7.
|
||
- Chris detected an issue with the SAML PR on INT. I fixed the conf on INT for
|
||
frontend team to continue be able to login using different url than
|
||
visbility.int.iroh.site but with ui-staging and localhost. I changed in the
|
||
K/V config of consul on INT.
|
||
|
||
***** Doing
|
||
|
||
- Must find a way to provide a list of SP URIs in the SAML Metadata URL
|
||
|
||
***** Blocked
|
||
***** Waiting
|
||
|
||
- OAuth Clients Grant, next step about filling User and Org DBs
|
||
|
||
**** Paula
|
||
|
||
- Cleaning up during the week-end.
|
||
- I'm out this week on wednesday and Thursday.
|
||
|
||
**** Matt
|
||
|
||
- Still working on SMA integration
|
||
- Starting to request them.
|
||
- Still what I'm doing.
|
||
- Lot of communication with SSE team, to see how to configure connectors.
|
||
|
||
**** Alex
|
||
- Working on XHTML->Markdown
|
||
** <2018-07-13 Fri>
|
||
|
||
- release go?
|
||
* Houman: good
|
||
* Ops: redeploy IROH
|
||
* Overhead by region?
|
||
|
||
- tenzin issue for pbs.
|
||
|
||
- OPs whishlist
|
||
|
||
- done: SAML metadata URL + Signing Request (PR open)
|
||
** <2018-07-11 Wed> Secretary: Bart
|
||
|
||
- individual report
|
||
- release deployment day
|
||
- conversation in the IROH channel
|
||
- soliciting topic
|
||
- impersonate API
|
||
- integrating with AMP test env
|
||
- update from John
|
||
*** Individual update
|
||
**** Alex
|
||
**** Jesse
|
||
Integrate fixes for Houman
|
||
**** Yann
|
||
|
||
Done Tasks:
|
||
- fixed a minor bug on Impersonate API
|
||
- helped Robert Harris yesterday for the auth of the Chrome Casebook plugin.
|
||
Apparenly the auth is good now.
|
||
- Kibana Dashboards with Matt
|
||
|
||
Actively Doing Tasks:
|
||
- Main topic, almost blocked for 3/4 days, find the right way to add the
|
||
metadata URL and sign the Authnrequest.
|
||
- incremental blockers task, looks to be working for some time, but fails at
|
||
first, second attempt, search another solution
|
||
- lack of documentation, lack of examples, lack of working clojure lib, lack
|
||
of working java examples, etc...
|
||
- not blocked anymore and should be clean
|
||
- Waiting task: Worked to integrate the ID Broker
|
||
- Interrupted task: Client Creds and adding Internal User DB & Org DB
|
||
**** Sam
|
||
|
||
Working on, diagram for a process for the UX flow, the vision to UX to dev.
|
||
*** Release Deployment Day
|
||
|
||
- Houman: found a blocker this morning, should be fixed by Jesse
|
||
|
||
*** conversation in the IROH channel
|
||
|
||
- We're not using hipchat to the same degree we did.
|
||
- action to avoid a few
|
||
|
||
*** soliciting topic
|
||
|
||
- more traction in soliciting topics
|
||
- increase the signal
|
||
- involve 30% of the group a topic, its fine to bring it up
|
||
- better context about what the rest of the team is doing
|
||
|
||
*** impersonate API
|
||
|
||
Frank: does it go to production.
|
||
|
||
VPN access only.
|
||
|
||
*** integrating with AMP test env
|
||
|
||
Configure Test and Prod as IdP
|
||
|
||
*** update from John
|
||
** <2018-07-09 Mon>
|
||
- Release (deploy week)
|
||
- PTO
|
||
|
||
*** Release
|
||
|
||
Houman: Few more tickets to finish
|
||
|
||
*** PTO
|
||
|
||
*** ...
|
||
|
||
Dean will have a Meeting this afternoon.
|
||
** <2018-07-06 Fri> Secretary Jesse
|
||
- release
|
||
- PTO
|
||
|
||
*** Release
|
||
|
||
no blocker, working on IROH Services issues
|
||
|
||
|
||
*** Discovery
|
||
|
||
Can use current authorization code flow.
|
||
Chrome Plugin to use Vis everywhere
|
||
|
||
*** Bart Demo
|
||
|
||
*** Upcoming PTO
|
||
|
||
Chris Wednesday, Thursday, Friday.
|
||
** <2018-07-04 Wed>
|
||
|
||
Topics:
|
||
|
||
- release will be cut today
|
||
- contains
|
||
** <2018-07-03 Tue>
|
||
- Manpreet meeting with FR
|
||
- Cutting release tomorrow
|
||
- Introduction of new Ops member: John Jardine
|
||
- chit chat, editor
|
||
- presentation tour
|
||
** <2018-06-29 Fri>
|
||
|
||
Topics:
|
||
|
||
- iroh-ui PRs
|
||
- PTO
|
||
|
||
Cut new release on Wednesday next week.
|
||
Probably unschedule that.
|
||
|
||
*** IROH UI
|
||
|
||
No blocking PR, quality is already high.
|
||
Focus: on bug fixes and user facing changing
|
||
|
||
Craig is relax.
|
||
|
||
*** PTO
|
||
** <2018-06-22 Fri> Secretary Yann
|
||
Topics:
|
||
|
||
- Release status
|
||
- Ops report
|
||
- TTP headnodes
|
||
- PTO updates
|
||
|
||
*** Release Status
|
||
|
||
- Houman: making good progress.
|
||
|
||
*** Ops Report
|
||
|
||
- Daniel: Checking logs daily, so far everthing going well.
|
||
|
||
- Alex: We should find a way to create reports about error logs. To be looked by
|
||
the team to have better insight about how users use our app. Kibana has some
|
||
limitations but we can get a lot of interresting informations.
|
||
|
||
*** TTP Headnodes
|
||
|
||
- Alex: I propose to create another CTIA instance to push new data into it so
|
||
its easier to delete indexes.
|
||
- Matt you can use private CTIA.
|
||
- Alex: easier to separate indexes.
|
||
|
||
*** PTO update
|
||
|
||
- Alex: Taking the week of 4th of july.
|
||
|
||
*** Question about possible user's information leaks in the kibana logs
|
||
|
||
- Houman: Alex did you see my emails, about leaking user from riemann?
|
||
** <2018-06-15 Fri>
|
||
- Clojure community
|
||
- IROH UI is a thick web application.
|
||
- Write a job description for IROH Services Team
|
||
** <2018-06-01 Fri>
|
||
Topics:
|
||
|
||
- OPs status status
|
||
- UI status update
|
||
- naga status update
|
||
- certificate expiration
|
||
- kibana customer dashboards
|
||
- PTO
|
||
|
||
*** OPS status (AWS outage)
|
||
|
||
Almost 5pm Mountain Time, AWS had issue.
|
||
Respin two nodes on int, two node on test, two on prod.
|
||
|
||
3 failures to Private CTIA, just after 5pm, for 5 minutes intermitendly.
|
||
|
||
Craig: that's awesome, only 5min.
|
||
|
||
The network outage that also had a problem between zones. They didn't have a
|
||
downtime for the entier region. Only some racks on some regions.
|
||
We just lost 2 instances in prod.
|
||
|
||
Craig: glad we're minimaly impacted. Does there are any change we should do?
|
||
Because there won't much things we could do execpt.
|
||
|
||
*** UI Status update
|
||
|
||
Chris:
|
||
Daniel working on the demo server.
|
||
Fix a couple of bugs.
|
||
Find some problems with ATS integration.
|
||
The casebook doesn't load at all.
|
||
Sometime the menu as layout.
|
||
|
||
*** Naga Status Update
|
||
|
||
Paula: Graph API is what I'm working on.
|
||
|
||
*** Certifcate expiration
|
||
|
||
See: https://github.com/threatgrid/iroh/issues/1988
|
||
|
||
Craig: major problem is with refresh-tokens.
|
||
|
||
*** Kibana dashboard.
|
||
|
||
See: https://github.com/threatgrid/iroh/issues/1989
|
||
|
||
*** PTO
|
||
|
||
- Alex: Thursday / Friday next week
|
||
- Paula: Friday next week
|
||
- Chris: after cisco live some PTO
|
||
- next week in Bosten: Wednesday, Thursday next week
|
||
** <2018-05-30 Wed> Secretary: Bart
|
||
|
||
- Topics: release
|
||
** <2018-05-23 Wed>
|
||
** <2018-05-14 Mon> Secretary: Jesse
|
||
** <2018-04-24 Tue> Secretary: Chris
|
||
QA:
|
||
** <2018-04-23 Mon> Secretary: Jesse
|
||
** <2018-04-11 Wed>
|
||
|
||
- 1.0 release in Prod
|
||
- Thanks to everyone in the team
|
||
** <2018-03-27 Tue> Secretary: Daniel
|
||
Topics:
|
||
- release
|
||
- TravisCI build change
|
||
*** release
|
||
** <2018-03-14 Wed> Secretary: Daniel
|
||
|
||
- topics: update with PR
|
||
- RSA Conf
|
||
- #148
|
||
** <2018-03-02 Fri> Secretary: Craig
|
||
|
||
Topics:
|
||
|
||
- Alex: Int migration
|
||
- Alex: Feature request
|
||
- Brian: Consumer
|
||
- Houman: Release cut
|
||
** <2018-02-28 Wed> Secretary: Yann
|
||
|
||
*** SAML Vulnerability
|
||
|
||
- Check how we are vulnerable to XML
|
||
- throw error when we saw a comment inside an attribute or a value in XML
|
||
|
||
*** Blocked on ES maximum nb of field error
|
||
|
||
Alex: Blocking due to maximum nb of fields error.
|
||
|
||
Guillaume:
|
||
We have choices:
|
||
1. drop the index on int right now
|
||
2. increase the limit
|
||
3. wait for migration
|
||
|
||
Craig:
|
||
- fix the mapping by hand
|
||
- drop the existing indexes
|
||
|
||
*** Blocked
|
||
|
||
Matt:
|
||
Another problem, we can't add attack_pattern due to name error.
|
||
Will fix tomorrow.
|
||
|
||
*** Some dev start to become painful
|
||
|
||
Guillaume:
|
||
Working on project is starting to be heavy.
|
||
Some changes are becoming really painful.
|
||
Maybe rethink the monolith.
|
||
Perhaps, refactor some tests.
|
||
For example, schema change start to become difficult to handle.
|
||
Sometime tests work locally and not on travis.
|
||
Perhaps find a way to split the repository.
|
||
|
||
Craig:
|
||
We misse automated test against Integration to have short failure
|
||
|
||
*** Release status
|
||
|
||
Houman:
|
||
|
||
- We should cut a full release.
|
||
- Craig: wait for Guillaume, wait until Friday.
|
||
|
||
*** Cisco AnyConnect Problem
|
||
|
||
Sam:
|
||
- I need to go to Cisco today, I cannot connnect to the VPN.
|
||
** <2018-02-27 Tue> Secretary: Paula
|
||
*** Report from Berlin
|
||
*** Int / Test
|
||
** <2018-02-26 Mon> Secretary: Alex
|
||
- hour of Airport arrival
|
||
- figure out some food. Perhaps barbecue for the next day.
|
||
- next day shopping run.
|
||
|
||
- Turn off non admin user until API key system. Only 3 people.
|
||
- private CTIA as a module
|
||
|
||
TG UI Team on Thursday.
|
||
All day hackaton.
|
||
|
||
Code Freeze last week of march.
|
||
|
||
*** TG Login
|
||
|
||
Contact Norman Richard to start working on OpenId Connect Code Grant Flow.
|
||
|
||
#+BEGIN_SRC
|
||
[6:26 PM] Norman Richards: the oidc isn't integrated yet, but you can do non-oidc requests to int now
|
||
[6:26 PM] Norman Richards: POST :USER_OAUTH/clients?api_key=:KEY&application_name=app1&description=test&homepage_url=\
|
||
:CB&redirect_uri=:CB
|
||
[6:26 PM] Norman Richards: That will create on oauth client
|
||
[6:27 PM] Norman Richards: :CB is your callback url
|
||
[6:27 PM] Norman Richards: sorry - that's not all expanded... So not entirely helpful... Let me get a better example
|
||
|
||
[6:28 PM] Norman Richards: POST https://int.threatgrid.com/api/v3/users/:yourlogin/oauth/clients?api_key=****&application\
|
||
_name=***&description=***&homepage_url=***&redirect_uri=***
|
||
[6:30 PM] Norman Richards: To get your clients: GET /api/v3/users/:yourlogin/oauth/clients
|
||
[6:30 PM] Norman Richards: /api/v3/oauth/authorizations is the auth endpoint
|
||
[6:31 PM] Norman Richards: /api/v3/oauth/token is the token endpoint
|
||
[6:31 PM] Norman Richards: /api/v3/oauth/refresh is the refresh endpoint
|
||
|
||
[6:31 PM] Yann Esposito: there is a refresh endpoint?
|
||
[6:31 PM] Norman Richards: You won't need it for oidc though
|
||
[6:32 PM] Norman Richards: Though you could use it if you wanted
|
||
|
||
[6:32 PM] Yann Esposito: because just finished to read the OAuth2 RFC, the refresh and token are the same endpoint for us
|
||
[6:32 PM] Norman Richards: You'll be able to do everything at the auth endpoint, but I need to merge the oidc branch to set the "openid" scope and id token support in
|
||
[6:32 PM] Norman Richards: Yes - I would prefer they were the same
|
||
|
||
[6:32 PM] Yann Esposito: ah ok
|
||
[6:33 PM] Norman Richards: But they aren't, because that's the way it was initially implemented
|
||
[6:33 PM] Norman Richards: I might merge them all together and leave the refresh-only endpoint for just meraki
|
||
[6:34 PM] Yann Esposito: ok thanks a lot, I think I could start to work with that
|
||
[6:34 PM] Yann Esposito: Craig asked me to use the code grant workflow
|
||
[6:34 PM] Norman Richards: Basically, we had a legacy oauth2 implementation from last year for the meraki integration, and there were some unfortunate design decisions made. I'm considering just making new endpoints that work the way I think they should
|
||
[6:34 PM] Norman Richards: yes - so you'll need /authorizations and /token then
|
||
[6:34 PM] Yann Esposito: I didn't digged must in OIDC yet
|
||
[6:35 PM] Norman Richards: It's exactly like what you are used to except you use scope "openid"
|
||
[6:35 PM] Yann Esposito: but I just finished coding the code grant workflow
|
||
[6:35 PM] Norman Richards: and you get back an id_token on /token
|
||
[6:35 PM] Yann Esposito: ah ok! Perfect :)
|
||
[6:35 PM] Norman Richards: when you exchange the code
|
||
#+END_SRC
|
||
|
||
*** Tenzin Conf
|
||
|
||
*** Offsite
|
||
|
||
1st day. relax together, couple organized presentation.
|
||
Architecture overview.
|
||
Paula can bring an Apple TV
|
||
|
||
Monday night, barbecue.
|
||
|
||
Thursday night, cookie out.
|
||
** <2018-02-23 Fri>
|
||
** <2018-02-19 Mon> Secretary: Jesse
|
||
Guillaume PR
|
||
Yann: OAuth2 PR
|
||
Paula: CTIA
|
||
Wednesday working remotely
|
||
Jesse: dep update, new features in cljs
|
||
Matt:
|
||
- working on graphql for TTPs entities,
|
||
- might split graphql tests
|
||
- lot of copy/paste in CTIA.
|
||
** <2018-02-07 Wed> Secretary: Yann
|
||
|
||
*** wait_for for refresh in ES impact
|
||
|
||
We can have up to 10s wait per bundle.
|
||
|
||
Craig: Can we define what the sets are? By type or dependencies.
|
||
Matt: by type.
|
||
Craig: wait_for is basically flushing the index.
|
||
|
||
#idea: We could use a pmap, except for relationships.
|
||
|
||
- Craig: What is the actual impact we're seeing in time?
|
||
- Matt: About 10s.
|
||
- Alex: We will have the same problem on all endpoint.
|
||
- Craig: we should only restrict the wait_for that endpoint not for all other
|
||
routes.
|
||
- Alex: I think we can wait to parallelize. I'll try to merge myself the
|
||
bundles.
|
||
- Craig: at this point this is not a real problem.
|
||
Perhaps when we start importing from other systems.
|
||
|
||
Another option is to update iroh-collect.
|
||
|
||
#action: restrict the wait_for for the bundle route only
|
||
#opional: parallelize the inserts
|
||
|
||
*** Chris: stuck too long on #1225
|
||
|
||
Chris: I been stuck way too much time. I must pair with somebody on this.
|
||
|
||
Craig: Two things:
|
||
|
||
1. getting familiar with the graph.
|
||
2. we need to give you a crash course to our data model.
|
||
|
||
I think Jesse can walk you through the graph. Let me know when you'll be able to
|
||
do that then I'll come to the end of the meeting when I can later today.
|
||
|
||
#action: pair on https://github.com/threatgrid/iroh/issues/1225
|
||
|
||
*** Release status
|
||
|
||
- 3 blockers yesterday. Still one blocker.
|
||
- Paula: we could withdraw the module name change, that is not really part of the fix.
|
||
- Craig: yes.
|
||
|
||
#action: get rid of module name change.
|
||
|
||
Lack Guillaume, Sam, Brian, Daniel for Customer call
|
||
** <2018-02-05 Mon> Secretary: Chris
|
||
- 3 blockers:
|
||
** <2018-02-01 Thu> Secretary: Alex
|
||
Topics:
|
||
- Chris going to Vegas office from Monday to Wednesday
|
||
- Paula? deps, almost
|
||
|
||
keep this short.
|
||
|
||
We might droping AMP in the front of our name.
|
||
Users and module configuration.
|
||
|
||
Pb with sharing snapshots.
|
||
** <2018-01-31 Wed> Secretary: Matt
|
||
|
||
Report for the call:
|
||
|
||
- 6 people want to integrate and push sightings to our private store.
|
||
- we should go to phase B of OAuth2
|
||
- very solid bundler and make async work
|
||
- Crying to get more heads
|
||
- For Matt we need to change the name and get all next gen FW events
|
||
- More work on translating events.
|
||
|
||
Apparently Visibility UI will have major changes.
|
||
|
||
*** Spectre patches
|
||
|
||
Craig:
|
||
Priority for you and Marvin. So at your convenience.
|
||
I would prefer to impact production during the evening.
|
||
|
||
*** CTIA Investigate Issue
|
||
|
||
Paula should give a hand to fix that.
|
||
It bugs on test too.
|
||
|
||
*** HTML route
|
||
|
||
@GB show me some code in CTIA that does just that.
|
||
I'll try it tomorrow.
|
||
|
||
--
|
||
|
||
Craig: Happy with current momentum.
|
||
** <2018-01-30 Tue> Secretary: Brian
|
||
*** Scratchpad Service (Guillaume)
|
||
Guillaume:
|
||
Like our investigation, but more structured like a Gist
|
||
We use the CTIM entities only instead of raw text.
|
||
Drag & Drop observables and/or entities
|
||
|
||
Craig:
|
||
Will make buckets.
|
||
Next step will be to make a way to collect material.
|
||
We want people to put labels.
|
||
Cross product / UI elements / services.
|
||
|
||
|
||
Chris: Does this will replace Snapshots?
|
||
Craig: no.
|
||
These are just a bucket of objects.
|
||
You could turn into an investigation, an incident, or share it.
|
||
|
||
*** Error Reporting in IROH UI Interface (Jesse)
|
||
|
||
Coordinate to check error data structure returned.
|
||
|
||
*** AMP Visibility design recap
|
||
|
||
Kind of a design bottleneck.
|
||
When it goes in the design column.
|
||
They can review them.
|
||
So they can leave it to the hands of the dev.
|
||
|
||
*** AMP Visibility Builds
|
||
|
||
Going from in-progress to QA and to Delivered
|
||
|
||
Should be different from the rest of the product to deliver faster.
|
||
Shorter loops.
|
||
|
||
Figure out the communication model for that.
|
||
There should be a build for every commit in master.
|
||
|
||
Houman: don't move open ticked to the QA
|
||
** <2018-01-29 Mon> Secretary: Houman
|
||
*** Status of The release
|
||
**** Daniel
|
||
- 38 PRs
|
||
- Deployment work well for UI
|
||
- IROH Ops
|
||
**** Guillaume
|
||
- Scratchpads
|
||
- next step should be a revision system based on CouchDB ideas
|
||
**** Houman
|
||
- working on release candidate
|
||
**** Sam
|
||
- Working on design of visibility
|
||
- uploading notes from last week meeting
|
||
**** Yann
|
||
- OAuth2 provider
|
||
- Work close the RFC for the workflow
|
||
- A part of the workflow isn't specified in the RFC of OAuth2
|
||
- To the point to write code to construct the tokens as signed JWTs.
|
||
**** Paula
|
||
- basic update have been identified
|
||
- @Craig: revert to clojure-1.8
|
||
- @Craig: get you back working on the AMP Global Intel Board
|
||
**** Matt
|
||
- Working on AMP Investigate module to report the progress when timeouts occurs
|
||
- I report the number of computer that have been enriched and the number of
|
||
files that have been checked.
|
||
- I report the timeout to riemann
|
||
- The AMP module is becoming very big. We'll need to refactor.
|
||
- @Craig: next changes:
|
||
+ summary
|
||
+ event types
|
||
- @Craig: this module should be replaced by push from AMP
|
||
**** Jesse
|
||
- working on the board
|
||
**** Chris
|
||
- issue for improving snapshots
|
||
- @Craig going back to 1732, the slowness one
|
||
- I'm pretty sure its slow because advanced is turned off
|
||
- we have a way to reproduce it
|
||
**** Alex
|
||
- Hydrant is updated to use latest CTIM
|
||
*** Investigation & Snapshots / Incident & Scratchpads
|
||
*** UI rewrite?
|
||
** <2018-01-25 Thu> Secretary:
|
||
|
||
Daniel: Everybody with ops experience should check AWS docs
|
||
|
||
- https://github.com/threatgrid/tenzin/wiki/Draft-::-EU-and-AJPC-AWS-Regions-Plan
|
||
- https://github.com/threatgrid/tenzin/wiki/AWS-and-Operations-Redesign-Proposal-::-Phase-1
|
||
|
||
Craig will be out of office after 3pm.
|
||
** <2018-01-24 Wed> Secretary: Paula
|
||
*** Timeout issue
|
||
|
||
- AMP enrichment timeouts
|
||
- module specific
|
||
|
||
Lets get him some numbers and pass it to AMP for them to do their work.
|
||
We need to track and record the timeouts.
|
||
We need to give Charles timeout charts.
|
||
|
||
Generatic a sightings records, here are the 50 targets.
|
||
Caching, etc...
|
||
|
||
*** Client Lib, Visibility Lib
|
||
|
||
With TG integration, we need them to use our UI and API.
|
||
Chris put together a PR about how do we break this up.
|
||
|
||
Where we break things appart?
|
||
|
||
It's actually the investigation engine.
|
||
Its the first things we should ship.
|
||
|
||
Reusable widgets they are most of them will be pure JS
|
||
|
||
*** Deadline
|
||
|
||
For RSA April 16th, GA, so remove the β.
|
||
|
||
We'll become a real product.
|
||
Pretty aggressive timeline.
|
||
|
||
- 17 things we need to take care of.
|
||
- TG Integration
|
||
- Visibility UI
|
||
- More relation graph
|
||
- filtering
|
||
- better arrow
|
||
- solving locality, scroll down, and not lose context
|
||
- CSRF for response API
|
||
- Enrichement API work
|
||
- JWT security review
|
||
- storage limits and rate limiting
|
||
|
||
*** Metrics we need in production
|
||
|
||
- risk, socket exhaustion
|
||
- jetty server
|
||
- number of open socket, threads, workers, etc...
|
||
- how to monitor ES clusters
|
||
** <2018-01-22 Mon> Secretary: Guillaume
|
||
|
||
*** Contact to TG Integration
|
||
|
||
Need to be tracked an recorded.
|
||
Daily update with Alex B.
|
||
|
||
Really tight relationship with TG.
|
||
|
||
Jesse will your contact, Guillaume other contact.
|
||
|
||
*** AMP Global Intel Next Step
|
||
|
||
- Matt Review
|
||
- CAPEC (aggregating our ETS)
|
||
- Work on mappings
|
||
|
||
Dean is demoing Visibility to some big client.
|
||
He written a texto: Visibility kick ass, we won.
|
||
|
||
*** IROH-UI
|
||
|
||
Thing very simple.
|
||
** <2018-01-18 Thu> Secretary: Jesse
|
||
|
||
- topics: nrepl in ctia
|
||
- TG mapping
|
||
** <2018-01-17 Wed> Secretary: Alex
|
||
** <2018-01-16 Tue> Secretary: Yann
|
||
*** Prod Patching Meltdown
|
||
Daniel:
|
||
|
||
- patched the kernel
|
||
- Plan on doing the patch one by one and then moving on
|
||
|
||
Alex: You already did this on INT?
|
||
Daniel: everthing looked fine to do the same on prod to be able not to have any
|
||
downtime.
|
||
|
||
Daniel also remarked that we will certainly do the same when the patch for
|
||
spectre will come out.
|
||
|
||
*** TG indicator
|
||
|
||
Alex: Adding mappings into the TG indicator to the metadatas of Mitre Att@ck
|
||
It won't go well because the function is neither surjective nor injective.
|
||
There is no way to automate it.
|
||
|
||
Confident to get some very good mapping. For example, powershell scripts.
|
||
Will do another 10 indicators as an example.
|
||
|
||
Matt: we're be able to automate it after the manual work?
|
||
|
||
Alex: Of course that the goal.
|
||
I'm building a PoC
|
||
|
||
Alex: Made a PR on hydrant. Everybody welcome to review.
|
||
|
||
Jesse: I have some PR to review on IROH repo.
|
||
Matt: already done two.
|
||
** <2018-01-11 Thu> Secretary: Chris
|
||
*** Story boards
|
||
AMP Global Intel: Alex should take care about this
|
||
Visibility one
|
||
** <2018-01-10 Wed> Secretary: Sam
|
||
|
||
*** status update
|
||
|
||
**** Paula:
|
||
|
||
I pushed to CTIA everything is up to date except Clojure.
|
||
Because CTIA use CTIM.
|
||
|
||
Craig: what have you learn in this process?
|
||
Paula: Pick exclusions in deps, nil return now a 500 instead of 404, added a
|
||
middleware to replace 500 by 404.
|
||
|
||
Matt: I added a comment to your PR
|
||
Paula: I went through a lot of the wrappers.
|
||
|
||
Matt: what about clj-momo
|
||
Paula: flanders is done
|
||
|
||
Craig: One strategy for clj-momo is splitting it appart.
|
||
|
||
**** Alex
|
||
|
||
It's freezing.
|
||
Yesterday wrapped up theado, zeus, esl blocklist.
|
||
Still in progress, really close to put under review.
|
||
Example entries, data processing.
|
||
|
||
I make judgements.
|
||
|
||
**** Daniel
|
||
|
||
Patches to the kernels.
|
||
** <2018-01-09 Tue>
|
||
*** offsite
|
||
Approved, not sure about the budget.
|
||
Big mantion or something.
|
||
The first full week that match.
|
||
|
||
Maybe next time to Nice.
|
||
Austin to F1 then Monaco.
|
||
|
||
Big house and hangout for the week.
|
||
TG UI team is in Austin
|
||
Ops team is in Austin
|
||
*** yesterday meeting
|
||
|
||
SBG Architects Snohole and Dede.
|
||
Its good, we have their faith in term of model.
|
||
They described the IROH Architecture.
|
||
We're figuring out how to make our plan big.
|
||
It's pretty cool, we gain confidence in leadership of SPG.
|
||
|
||
Brian comment: that's awesome.
|
||
|
||
I have confidence in their vision.
|
||
But what I do see, accross the SPG there some replication.
|
||
All of the ingineering will be realigned.
|
||
|
||
It was really cool.
|
||
It's likely lead to more resources.
|
||
We're not gonna build it with just our toolchains.
|
||
|
||
We're still in a story telling phase.
|
||
Certainly high volumes for tomorrow.
|
||
We're gonna be in there probably by the end of this year.
|
||
|
||
GA: Which mean all AMP users and TG users will have access to AMP Visibility.
|
||
If you look at the IROH Roadmap.
|
||
Very few feature that are GA gateways.
|
||
Probably starting the end of the year.
|
||
In June or July do even more work on next gen firewall in Barcelona.
|
||
|
||
*** update UI stuff
|
||
|
||
So Jesse working on the timeline stuff.
|
||
Bugs from the beta.
|
||
I don't have time to triage and look at details in the UI.
|
||
|
||
*** Job description
|
||
|
||
Updated job description.
|
||
Our requirement really in Clojure.
|
||
** <2018-01-08 Mon>
|
||
|
||
@Alex: I'm working on splitting up the judgements for both domains and IPs.
|
||
@Matt: ask what is the size of the bundles
|
||
@Alex: not so big, its small enough to do everything on memory
|
||
|
||
@Alex: theado, bankin trojans, the feed split in theado and theadog/f?
|
||
|
||
@Matt: should we add external-id to our relationships
|
||
** <2018-01-05 Fri>
|
||
- Paula worked on deps
|
||
- Braintree t-shirt
|
||
- deps discussions, for example about CTIM
|
||
*** Secretary @Alex
|
||
|
||
- @Chris UI breakout:
|
||
- @Craig: Show the new board
|
||
- Offsite
|
||
|
||
*** UI breakout
|
||
- talk with Guillaume and Jesse
|
||
- separate repo
|
||
- CI for each branch (to be ok not to have a million builds)
|
||
- decouple js modules from cljs to be able to move to modules that could be included
|
||
- Jesse & Craig question: why is separating js is not a separated concern from
|
||
moving to another repo
|
||
- @Craig:
|
||
- phase 1, let first make another repo (ASAP today)
|
||
- phase 2, builds and deployed to UI Staging
|
||
- phase 3, how are we going to break out our lib into widgets
|
||
*** Project Board(s)
|
||
@Craig
|
||
|
||
- Started building the roadmap
|
||
- IROH Roadmap: High level stuff, org level project so can take issues from any
|
||
of our repos
|
||
- AMP Global Intel: data importers, tenzin, etc...
|
||
- IROH Services: CTIA + IROH APIs services
|
||
- AMP Visibility: UI
|
||
- IROH Operations: for Ops
|
||
|
||
Will try to go to github certified instead of private github.
|
||
Will take care of populating those.
|
||
|
||
Chris: is there a way to see all the boards?
|
||
Craig: No, its a limitation from gh project
|
||
*** Offsite
|
||
- Austin because many people are there
|
||
- Ranting a big villa
|
||
- sharing of the room
|
||
- max 15 people + a few guest
|
||
- Purpose:
|
||
- hangout for 3 days,
|
||
- cook a couple of meals
|
||
- pool
|
||
- naturally a lot of discussion going on
|
||
- day trips, etc...
|
||
- Feb 26 -> March 3rd in the worst case
|
||
- Arrange one group dinner
|
||
*** New position
|
||
- candidate anywhere on our team, UI vs backend.
|
||
- prefer UI focus, or at least UI capable
|
||
- same level as experience as us, no entry level position
|
||
- prefer women or minorities, let's reach out
|
||
** <2018-01-04 Thu>
|
||
- TG Integration, iroh-auth side work by gb and yann
|
||
- Design coordination for 20 minutes
|
||
- ui staging server check (iroh-auth doesn't respond)
|
||
- =transient= or =external= resolved by an external ref lookup
|
||
- @Paula dependencies?
|
||
- @Chris component listing? slow, add more things to the cljs
|
||
|
||
Notes from Paula:
|
||
|
||
Topics
|
||
- Threatgrid integration and timeline for that
|
||
- UI Staging server.
|
||
Is it working? Jesse asked. Matt encountered this morning. Are any IROH Auth paths working?
|
||
|
||
|
||
Craig and Brian identified more issues during demo with Mike Auger
|
||
Integration with TG. Work on IROH Auth services to be done by Guillaume and Yann
|
||
Work on TG side to support us with user’s credentials.
|
||
Meeting with Face/mask team at 12:30 (API and UI team)
|
||
This has a high priority because of the RSA conference. We want to accomplish a
|
||
working environment for the TG UI team ASAP.
|
||
|
||
Action Item: Daniel fixing UI staging server fixed, and getting resources for
|
||
that.
|
||
|
||
Comments by Daniel: It’s just IROH Auth. Looking further. (Craig: Should be
|
||
pointing to INT Iroh Auth)
|
||
|
||
Updates:
|
||
|
||
Alex: done with abuse.ch and others. Writing bundlers. Code for Ransomware and
|
||
ssl block list is already in github.
|
||
|
||
Paula: updates triaged, and minor updates to be checked in soon.
|
||
|
||
Chris update on UI (sound dropped)
|
||
|
||
On the UI side: Issues were identified on public beta. There may be more design
|
||
work, particularly around inspector. How to get summary of sightings for
|
||
observables? How make UI more reactive really large screens? Ideas from Sam.
|
||
** <2018-01-03 Wed>
|
||
@Paula:
|
||
- Most of our deps can be updated.
|
||
- compojure from schema to spec
|
||
- we should use more spec, but we should check first that its ok
|
||
- its more verbose and harder and can be a rabbit hole
|
||
- @craig: def swagger schema
|
||
- everybody should use more spec, and jump to 1.9
|
||
|
||
Talk with Guillaume and Yann, to use Auth, OpenId Connect to be able
|
||
to make TG user to login in Visibility.
|
||
** <2018-01-02 Tue>
|
||
*** Craig
|
||
Happy New Year, personnaly had great 3 week vacation
|
||
**** Change the format of the daily, more formalization
|
||
Daily standup don't make much change because of TZ.
|
||
But important to have Face to Face to talk about more informal topics.
|
||
Talk about things not necessarily captures in github issue.
|
||
|
||
- Going to assign a "secretary" keep tracking the suggested topics and write it
|
||
to hipchat.
|
||
- Select a topic for discussion.
|
||
- Must be fixed in 15min.
|
||
- Rate the meeting between 1 and 5.
|
||
- Identified topics.
|
||
|
||
Series of topics for lead by example.
|
||
|
||
**** priorities for Coming Quarter
|
||
- Process Simplification
|
||
- replace waffle with github project
|
||
- move to git-flow
|
||
- Semantic Versionning
|
||
- Team Offsite
|
||
- thinking mid-late February (probably Austin)
|
||
- not be a working off-site, brainstorming, socialization
|
||
- Public Beta Program: Supporting Users (lot of time on the phone)
|
||
- RSA Conference, early April, need to make some kind of announcement
|
||
- TG/AMP/Visibility Integration
|
||
- Shared Incident Response Services
|
||
- scratchpad, as a way for products having an Incident response notebook
|
||
- Incident definition
|
||
- CoA
|
||
- SBG Architecture Demo
|
||
- Undefined, integration outside of ATS, how do I get data from my firewall to
|
||
Visibility
|
||
|
||
**** One Goal/Perspective for your Carreer this Year
|
||
***** Jesse: Linear Algebra
|
||
***** Frank: Make a good mock for AMP
|
||
***** Matthieu: gain expertise in security business domain
|
||
***** GB: focus on stream computing, nix, mesos, CQRS/ES, architecture that scale
|
||
***** Yann: unification of stream data structure
|
||
***** Paula: be more involved with the process
|
||
***** Alex: leadership, build tools
|
||
***** Houman: gain deeper knowledge in security
|
||
***** Daniel: I was thinking to learn more about golang
|
||
***** Chris: read 12 books, one of them on security, and apply more to speak
|
||
***** Brian: I want to check in code, I can contribute on the webmonkey side
|
||
***** Craig: life/work balance issue, minimize micro-management
|
||
- pay attention into the things that are a bit further ahead,
|
||
- larger scale manager/architect role
|
||
- path (PE principal Engineer) individual contributor / director ingineering
|
||
** <2017-12-04>
|
||
- Tomorrow will be our open Beta
|
||
- check all PR to merge before the RC
|
||
- remove ie11 support temporarily
|
||
** <2017-11-29>
|
||
- Houmann is confident
|
||
- two blockers, we should be safe
|
||
- Tomorrow last day of Steve
|
||
- Craig: @Paula how goes the hack on AV Signatures? → link to PR with commit 1e7e0ba in hydrant.
|
||
** <2017-11-28>
|
||
Craig is sick, Barb too.
|
||
|
||
Relase candidate cut, we are release feature complete and complete edge goal too.
|
||
Cut a release on the original target date. Not too bad.
|
||
|
||
Life for the QA easier.
|
||
Check that we describe properly QA test.
|
||
All Epics should be under "Epic Review".
|
||
|
||
Release notes.
|
||
|
||
Test the app and file issues by milestoning them with Public Beta
|
||
** <2017-10-27>
|
||
- co-working space is cold (50°F) (Sam + Chris + Brian)
|
||
- Craig fait semblant de freeze, mais ça se voit
|
||
** <2017-10-26>
|
||
- Craig:
|
||
* a new cross platform integration named DD
|
||
* we already do 3 points out of their high level strategy goals
|
||
* there's DD and Sne'Hal?
|
||
* Two demos to the ESA team
|
||
* --- lost conn for 1 min... fuck...
|
||
* We want ESA to send us all their sightings
|
||
* We need to try to get TG users to our system
|
||
* We need to come up with an estimate how much is gonna cost to run a private CTIA per customers
|
||
* We're gonna pickup speed very quickly in November
|
||
* More positive feedback
|
||
* next writing up papers and presentations
|
||
- Brian/Chris/Sam: I've got some feedback, did you heard them?
|
||
- Sam: yes
|
||
- Yann: move to API Keys gen
|
||
- We're must be sure private CTIA will cost too much
|
||
- Paula: all set on the AV stuff?
|
||
- Alex is very enthousiastic to grab it all the sources of informations
|
||
- Dean think that importing 3rd party will have big impact (Craig disagree with that)
|
||
- After next year, everybody will be on us. Sales, features, etc...
|
||
** <2017-10-18> - nil
|
||
** <2017-10-17> - nil
|
||
** <2017-10-16>
|
||
- execute with other teams
|
||
- Plan together, if you are blocked on the design, be pro-active
|
||
- @chris: back from the Conj, I'm ready to go, I learn cool things from conj
|
||
- next few weeks will be ui everyday
|
||
- type clojure can write test and specs
|
||
- generate specs from a vector of "edn"s
|
||
- btw if you're blocked on the investigation model
|
||
- @jesse worked a bit on that on friday
|
||
- @craig I've got minimum time, don't block on me on style questions
|
||
- @craig:
|
||
- like ctim objects, UUID, Title, short/long description, sourceable object (where they come from)
|
||
- all bunch of other data
|
||
- observables, to be searchable
|
||
- they're immutable
|
||
- default permissions for private CTIA
|
||
- @craig to @Brian: how we want to present them. How we do a search?
|
||
- @brian: just a table with titles, names, descriptions.
|
||
- @craig how do we show when they have the same name.
|
||
- @craig for the user, it should understand to understand it is a "snapshot"
|
||
** <2017-09-26>
|
||
- taking time, take care of yourself
|
||
- make time were communicating with your co-worker slowly
|
||
- make sure you're in the right mindset
|
||
- We need to continue to grow, we're really close to being a production system.
|
||
- Driving the architecture and platform story.
|
||
- We need to make sure we focus on the problems of the customers
|
||
- We'll have a lot of exposure to the real world
|
||
|
||
- The bar is pretty low for us
|
||
- Take the work and organize it and present to the user with established
|
||
technique.
|
||
- Half, making great doc, and review, and had to keep an open mind
|
||
- New PR are changing a lot and are little intimidating
|
||
- we have to assume the best from the rest of the team
|
||
- Don't write the comment that can upset you. So reach out and webex.
|
||
|
||
Any blockers?
|
||
|
||
- @Paula: I've got to reach out about some details about TTPs
|
||
- @Alex: helped Guillaume and Nargol, updating hydrant
|
||
|
||
|
||
What we want private CTIA to be for the rest, most event should go through it?
|
||
|
||
With the public ß, people could inspect it.
|
||
Should be a data store for incident response flow.
|
||
AMP and incident model, major step for design work.
|
||
|
||
Next iteration on incident target.
|
||
|
||
Happy with everyone perf.
|
||
This team has made that real.
|
||
|
||
Any blockers? Answer on something?
|
||
|
||
Share some stuff.
|
||
We could collectively increase our knowledge.
|
||
|
||
Clojure and Java one time inspection.
|
||
Increasing perf in Java.
|
||
|
||
I want us to really focus on starting from empirical data. Having a good
|
||
understanding on the perf will be necessary to reach better quality.
|
||
We're talking about doing java concurrency.
|
||
That are important for clojure dev.
|
||
|
||
Somebody can add to the list, and brown?
|
||
|
||
@Paula: idiomatic clojure, from the cognitect people
|
||
|
||
It can be difficult to learn from them if you aren't following certain people.
|
||
Like the seq abstraction.
|
||
|
||
- transients...
|
||
|
||
Improvement of common knowledge of clojure runtime.
|
||
|
||
- schema then protocols, and records, etc...
|
||
- it seems of overly complex way to deal with data structures.
|
||
- spec instead of schema?
|
||
|
||
@Nargol, I'll try to be online because I'm at the symposium.
|
||
@Craig, take the buffet :)
|