28 KiB
- 2021
2021
2021-W03
2021-01-21 Thursday
IN-PROGRESS code jwt-service work
[2021-01-21 Thu 14:19]
2021-01-22 Friday
Timestamp | Tags | Headline | Time | |||
---|---|---|---|---|---|---|
Total time | 8:56 | |||||
2021-01-22 Friday | 8:56 | |||||
[2021-01-22 Fri 09:52] | work | refacto jwt-service | 8:56 |
IN-PROGRESS refacto jwt-service work
CLOCK: [2021-01-22 Fri 09:53]–[2021-01-22 Fri 18:49] => 8:56
[2021-01-22 Fri 09:52]
- ref
2021-W04
Timestamp | Tags | Headline | Time | |||
---|---|---|---|---|---|---|
Total time | 41:38 | |||||
2021-W04 | 41:38 | |||||
2021-01-25 Monday | 7:28 | |||||
[2021-01-25 Mon 19:23] | work, meeting | Posture Onboarding | 0:38 | |||
[2021-01-25 Mon 15:04] | work | cleanup jwt extract feedback | 4:19 | |||
[2021-01-25 Mon 14:36] | work | refacto JWT extraction reviews | 0:15 | |||
[2021-01-25 Mon 10:16] | work, chat | morning chat issues org | 2:16 | |||
[2021-01-26 Tue 19:06] | 2021-01-26 Tuesday | 9:03 | ||||
[2021-01-26 Tue 10:36] | work, review | Victors UncaughtExceptionHandler | 8:29 | |||
[2021-01-26 Tue 10:16] | work, review | PR review | 0:06 | |||
[2021-01-26 Tue 09:47] | work | Weekly meeting Presentation | 0:28 | |||
[2021-01-27 Wed 22:01] | 2021-01-27 Wednesday | 10:59 | ||||
[2021-01-27 Wed 18:22] | work, meeting | CSA Migration workflow presentation | 2:10 | |||
[2021-01-27 Wed 17:26] | interruption, work | Helping Jessica Bair about client | 0:54 | |||
[2021-01-27 Wed 16:01] | work, meeting | weekly dev meeting | 1:25 | |||
[2021-01-27 Wed 12:07] | work | CSA Migration notes preparation | 3:54 | |||
[2021-01-27 Wed 09:31] | work, chat | morning chat | 2:36 | |||
[2021-01-28 Thu 18:09] | 2021-01-28 Thursday | 8:09 | ||||
[2021-01-28 Thu 09:52] | work | CSA Migration API PoC preparation | 8:09 | |||
[2021-01-29 Fri 17:46] | 2021-01-29 Friday | 5:59 | ||||
[2021-01-29 Fri 15:47] | work | create Client for Vitalii in TEST | 1:59 | |||
[2021-01-29 Fri 15:46] | work | provisionning API | 4:00 |
2021-01-25 Monday
MEETING Posture Onboarding work meeting
CLOCK: [2021-01-25 Mon 19:24]–[2021-01-25 Mon 20:02] => 0:38
[2021-01-25 Mon 19:23]
Notes
Martin, Trapani, Didi, Jyoti, Elias, Mirabell, Guillaume
@Martin:
I am a customer of SecureX
Sources (inTune, AMP, Custom, JAMF, Duo, Meraki) Creating the inventory on their behalf. Active AMP, should be onboarded in SecureX.
Onboard device managers, Meraki, etc… Into "my" SecureX Tenant.
Extra credit if we can do this with OAuth2.
Most important make a connection here.
- email exchange.
@Jyoti
@Martin
Vault service and what is authorized between services. APIs underneath
@Didi
webhook to push changes. Ask the vault. Return keys, etc…
We need continuation.
@Didi
Google, trusts, etc…
@Martin
onboarding, revocation,
What about notification?
@Didi that's the idea of continuous data flow. Bidirectional webhooks. Some services will need to have webhooks. Orbital webehook is a very good example.
You go into orbital, you register webhook. And webhook is triggered.
@Elias to Didi
use cases?
@Martin
- continuous flow of data? need to describe use cases.
DONE cleanup jwt extract feedback work
CLOCK: [2021-01-25 Mon 15:04]–[2021-01-25 Mon 19:23] => 4:19
[2021-01-25 Mon 15:04]
DONE refacto JWT extraction reviews work
CLOCK: [2021-01-25 Mon 14:36]–[2021-01-25 Mon 14:51] => 0:15
[2021-01-25 Mon 14:36]
CHAT morning chat issues org work chat
CLOCK: [2021-01-25 Mon 10:00]–[2021-01-25 Mon 12:16] => 2:16
[2021-01-25 Mon 10:16]
- ref
2021-01-26 Tuesday
Timestamp | Tags | Headline | Time | |||
---|---|---|---|---|---|---|
Total time | 9:03 | |||||
2021-01-26 Tuesday | 9:03 | |||||
[2021-01-26 Tue 10:36] | work, review | Victors UncaughtExceptionHandler | 8:29 | |||
[2021-01-26 Tue 10:16] | work, review | PR review | 0:06 | |||
[2021-01-26 Tue 09:47] | work | Weekly meeting Presentation | 0:28 |
REVIEW Victors UncaughtExceptionHandler work review
CLOCK: [2021-01-26 Tue 10:37]–[2021-01-26 Tue 19:06] => 8:29
[2021-01-26 Tue 10:36]
GEEK Try to write JS warn in dashboard perso
CLOCK: [2021-01-26 Tue 10:22]–[2021-01-26 Tue 10:32] => 0:10
[2021-01-26 Tue 10:22]
REVIEW PR review work review
CLOCK: [2021-01-26 Tue 10:16]–[2021-01-26 Tue 10:22] => 0:06
[2021-01-26 Tue 10:16]
DONE Weekly meeting Presentation work
CLOCK: [2021-01-26 Tue 09:47]–[2021-01-26 Tue 10:15] => 0:28
[2021-01-26 Tue 09:47]
Weekly Status
- Extracted a JWT service
- Added audiences as an array. Does not appear to break anything
- Updated the SSE OIDC Clients to support CSA Migration
- Contacted QA for testing CSA Migration, Houman will probably ping me today.
- Testing CSA Migration
Tech notes worth seeing by the team
After a few discussions choose a project/ns naming convention for the
iroh-service
lein template.
We do not really have one.
Selected this conventions because it is:
- shorter than most actual used conventions
- iroh specific to make it clear a ns is iroh related.
Need to find files via path, not just its name. Sounds ok to me. For an example look at the jwt service:
project.clj
:(defproject iroh/foo ,,,,)
src/iroh/foo/service.clj
=>(ns iroh.foo.service ,,,)
src/iroh/foo/web_service.clj
=>(ns iroh.foo.web-service ,,,)
test/iroh/foo/service/test_helpers.clj
=>(ns iroh.foo.service.test-helpers ,,,)
I don't think we should move the existing code to the new conventions yet. But new services should probably try to follow this convention.
Example:
(deftest my-web-service-test
(tk-test app svc-helper
(let [{:keys [mk-jwt svc-get client-post]}
(init-tst-state app "/iroh/my-service")
jwt (mk-jwt {})
jwt-admin (mk-jwt {:role roles/admin})]
(check-status 403 (svc-get "/sub-route" jwt {}))
(check-status 200 (svc-get "/sub-route" jwt-admin {}))
(check-status 200 (client-post "/sub-route" jwt
{:form-parms {:foo "bar"}})))))
See a few init-tst-state
examples which uses get-jetty-port
,
mk-http-callers
, iroh-web.test-helpers.core/gen-jwt
.
Takes care of:
- starting the web app on a random port.
-
providing functions to make http call
- narrowed to your service (svc-get, svc-post, etc…)
- narrowed only the localhost:PORT (client-get, client-post, etc…)
- providing a jwt generator.
GEEK org-fc conf for doom-emacs perso
2021-01-27 Wednesday
Timestamp | Tags | Headline | Time | |||
---|---|---|---|---|---|---|
Total time | 10:59 | |||||
2021-01-27 Wednesday | 10:59 | |||||
[2021-01-27 Wed 18:22] | work, meeting | CSA Migration workflow presentation | 2:10 | |||
[2021-01-27 Wed 17:26] | interruption, work | Helping Jessica Bair about client | 0:54 | |||
[2021-01-27 Wed 16:01] | work, meeting | weekly dev meeting | 1:25 | |||
[2021-01-27 Wed 12:07] | work | CSA Migration notes preparation | 3:54 | |||
[2021-01-27 Wed 09:31] | work, chat | morning chat | 2:36 |
MEETING CSA Migration workflow presentation work meeting
CLOCK: [2021-01-27 Wed 18:22]–[2021-01-27 Wed 20:32] => 2:10
[2021-01-27 Wed 18:22]
AMP accounts, TG accounts, SSE devices, Orbital
Prepare a reset system to reset to before migration.
DONE Helping Jessica Bair about client interruption work
CLOCK: [2021-01-27 Wed 17:27]–[2021-01-27 Wed 18:21] => 0:54
[2021-01-27 Wed 17:26]
MEETING weekly dev meeting work meeting
CLOCK: [2021-01-27 Wed 16:01]–[2021-01-27 Wed 17:26] => 1:25
[2021-01-27 Wed 16:01]
- Talk about dahsboard
DONE CSA Migration notes preparation work
CLOCK: [2021-01-27 Wed 12:07]–[2021-01-27 Wed 16:01] => 3:54
[2021-01-27 Wed 12:07]
CHAT morning chat work chat
2021-01-28 Thursday
Timestamp | Tags | Headline | Time | |||
---|---|---|---|---|---|---|
Total time | 8:09 | |||||
2021-01-28 Thursday | 8:09 | |||||
[2021-01-28 Thu 09:52] | work | CSA Migration API PoC preparation | 8:09 |
DONE CSA Migration API PoC preparation work
CLOCK: [2021-01-29 Fri 15:46]–[2021-01-29 Fri 15:46] => 0:00 CLOCK: [2021-01-28 Thu 10:50]–[2021-01-28 Thu 18:09] => 7:19 CLOCK: [2021-01-28 Thu 09:52]–[2021-01-28 Thu 10:42] => 0:50
[2021-01-28 Thu 09:52]
2021-01-29 Friday
Timestamp | Tags | Headline | Time | |||
---|---|---|---|---|---|---|
Total time | 5:59 | |||||
2021-01-29 Friday | 5:59 | |||||
[2021-01-29 Fri 15:47] | work | create Client for Vitalii in TEST | 1:59 | |||
[2021-01-29 Fri 15:46] | work | provisionning API | 4:00 |
IN-PROGRESS create Client for Vitalii in TEST work
CLOCK: [2021-01-29 Fri 15:47]–[2021-01-29 Fri 17:46] => 1:59
[2021-01-29 Fri 15:47]
DONE provisionning API work
CLOCK: [2021-01-29 Fri 14:16]–[2021-01-29 Fri 15:46] => 1:30 CLOCK: [2021-01-29 Fri 09:46]–[2021-01-29 Fri 12:16] => 2:30
[2021-01-29 Fri 15:46]
2021-W05
2021-02-01 Monday
IN-PROGRESS enforce whoami db check to sync users. work
CLOCK: [2021-02-01 Mon 17:19]–[2021-02-01 Mon 18:19] => 1:00
[2021-02-01 Mon 17:19]
DONE fix iroh-auth doc regarding jwks work
CLOCK: [2021-02-01 Mon 10:35]–[2021-02-01 Mon 14:53] => 4:18
[2021-02-01 Mon 10:35]
2021-02-02 Tuesday
IN-PROGRESS Testing CSA Migration work
CLOCK: [2021-02-02 Tue 10:42]–[2021-02-03 Wed 10:11] => 23:29
[2021-02-02 Tue 10:42]
DONE morning routine work
CLOCK: [2021-02-02 Tue 09:48]–[2021-02-02 Tue 10:42] => 0:54
[2021-02-02 Tue 09:48]
2021-02-03 Wednesday
IN-PROGRESS CORS headers bug work
CLOCK: [2021-02-03 Wed 14:42]–[2021-02-04 Thu 10:24] => 19:42
[2021-02-03 Wed 14:42]
- ref
DONE IdP Migration Testing work
CLOCK: [2021-02-03 Wed 10:11]–[2021-02-03 Wed 10:11] => 0:00
[2021-02-03 Wed 10:11]
Note quite complex workflow but worked as expected. Had the "You are in the middle of an Invitation" prompt.
2021-02-04 Thursday
Timestamp | Tags | Headline | Time | |||
---|---|---|---|---|---|---|
Total time | 9:46 | |||||
2021-02-04 Thursday | 9:46 | |||||
[2021-02-04 Thu 17:32] | work, meeting | didi Posture | 1:28 | |||
[2021-02-04 Thu 10:25] | work, review | morning review tour | 7:07 | |||
[2021-02-04 Thu 10:24] | work | test and discussion about CSA… | 1:11 |
MEETING didi Posture work meeting
CLOCK: [2021-02-04 Thu 17:32]–[2021-02-04 Thu 19:00] => 1:28
[2021-02-04 Thu 17:32]
Best user experience, etc..
Create a response issue about OAuth2/OIDC/trusted clients.
{
"scopes": [
"openid","profile"
],
"description": "string",
"redirects": [
"https://127.0.0.1:5443/callback"
],
"availability": "everyone",
"name": "int-posture-test",
"grants": [
"auth-code"
],
"audiences": [
"posture"
]
}
REVIEW morning review tour work review
CLOCK: [2021-02-04 Thu 10:25]–[2021-02-04 Thu 17:32] => 7:07
[2021-02-04 Thu 10:25]
DONE test and discussion about CSA Migration work
CLOCK: [2021-02-04 Thu 09:14]–[2021-02-04 Thu 10:25] => 1:11
[2021-02-04 Thu 10:24]
2021-02-05 Friday
CHAT Client creation review with Diana work chat
CLOCK: [2021-02-05 Fri 09:19]
[2021-02-05 Fri 09:49]
Hi Diana,
Thanks for reaching out.
While reviewing the doc, I also checked the second screenshot. I think it should be changed by another one. The screenshot was made by a super user, so the scopes displayed are private one that none of our customer will ever see.
The main difference between a "Client Credentials Grant Client" and an "Authorization Code Grant Client" (those are the technically correct and kind of bad names for the two different kind of clients) is that:
- Client Credentials Grant Client are for your user only. Also you do not need to own a website.
- Authorization Code Grant Client can be used to ask other users to trust your application. You need to have a website to host your application.
The reason why a customer would want to configure an Authorization Code Grant Client could be:
- The customer follow a documentation provided by Cisco to integrate a on-premise product. In that case, the customer will probably need to only select a client-preset and enter a custom Redirect URL.
- The customer want to build an integration with SecureX. In this case this will be an advanced usage and the creator will probably be a developer. In this case the advanced developer doc should be mentionned for that customer. https://visibility.amp.cisco.com/iroh/doc/iroh-auth/
So both kind of clients are sufficiently different that I think the section about "Using API Client Credentials to Get Access Token" should be moved just after the API client creation section and before OAuth Code client creation section.
Also Explaining how to retrieve the access token from a Authorization Code Grant client is quite a technically advanced topic. This is why I would advise to directly provide a link to the advanced developer doc (the one inside IROH not the Cisco DEVNET; thus https://visibility.amp.cisco.com/iroh/doc/iroh-auth/)
So I think it is important to mention important limitations about those client creations. There is a notion of "Auto-approved clients". So a user could use